Succinct Zero-Knowledge Batch Proofs for Set Accumulators

Cryptographic accumulators are a common solution to proving information about a large set $S$. They allow one to compute a short digest of $S$ and short certificates of some of its basic properties, notably membership of an element. Accumulators also allow one to track set updates: a new accumulator is obtained by inserting/deleting a given element. In this work we consider the problem of generating membership and update proofs for {\em batches} of elements so that we can succinctly prove additional properties of the elements (i.e., proofs are of constant size regardless of the batch size), and we can preserve privacy. Solving this problem would allow obtaining blockchain systems with improved privacy and scalability. The state-of-the-art approach to achieve this goal is to combine accumulators (typically Merkle trees) with zkSNARKs. This solution is however expensive for provers and does not scale for large batches of elements. In particular, there is no scalable solution for proving batch membership proofs when we require zero-knowledge (a standard definition of privacy-preserving protocols). In this work we propose new techniques to efficiently use zkSNARKs with RSA accumulators. We design and implement two main schemes: 1) \harisa, which proves batch membership in zero-knowledge; 2) \insarisa, which proves batch updates. For batch membership, the prover in \harisa is orders of magnitude faster than existing approaches based on Merkle trees (depending on the hash function). For batch updates we get similar cost savings compared to approaches based on Merkle trees; we also improve over the recent solution of Ozdemir et al. [USENIX\u2720]

Transparency Logs via Append-only Authenticated Dictionaries

Transparency logs allow users to audit a potentially malicious service, paving the way towards a more accountable Internet. For example, Certificate Transparency (CT) enables domain owners to audit Certificate Authorities (CAs) and detect impersonation attacks. Yet, to achieve their full potential, transparency logs must be bandwidth-efficient when queried by users. Specifically, everyone should be able to efficiently look up log entries by their key and efficiently verify that the log remains append-only. Unfortunately, without additional trust assumptions, current transparency logs cannot provide both small-sized lookup proofs and small-sized append-only proofs. In fact, one of the proofs always requires bandwidth linear in the size of the log, making it expensive for everyone to query the log. In this paper, we address this gap with a new primitive called an append-only authenticated dictionary (AAD). Our construction is the first to achieve (poly)logarithmic size for both proof types and helps reduce bandwidth consumption in transparency logs. This comes at the cost of increased append times and high memory usage, both of which remain to be improved to make practical deployment possible

New Applications Of Public Ledgers

The last decade and a half has seen the rise of a new class of systems loosely categorized as public ledgers. Public ledgers guarantee that all posted information is permanently available to the entire public. Common realizations of public ledgers include public blockchains and centralized logs. In this work we investigate novel applications of public ledgers. We begin by describing enclave ledger interaction, a computational method that allows the execution of trusted execution environments or cryptographically obfuscated programs to be conditioned on the contents of the ledger. We then show how this conditional execution paradigm can be used to achieve fairness in dishonest majority secure multiparty computation, which is impossible in the plain model. Finally, we show how conditional execution can be used to build systems that facilitate law enforcement access to ciphertext while ensuring robust transparency and accountability mechanisms

Ticket to ride: an investigation into the use of blockchain technology in the rail industry

The rail industry in Great Britain is undergoing a renaissance. Rising passenger numbers, a steady freight industry, and numerous planned projects make this an exciting time to be involved. Nonetheless, the network relies upon many legacy systems that impede progress. This stifling of progress is noticeable in the digital domain in particular, where a cluster of impractical formats and systems leave swathes of data with untapped potential. The search for interoperability in the industry is not a new one; many have conducted investigations and projects, to no avail. Blockchains are an exciting new avenue of technology and are beginning to disrupt various industries. Despite this, few investigations exist into the potential use of the technology in the rail industry. From a purely technical perspective, the distributed nature of the technology has the potential to overcome the issues of data centralisation and the lack of trust amongst stakeholders. Nevertheless, as a new technology, it is not yet fully understood by those in the industry. This lack of understanding is a barrier to adoption and is as essential to consider as the technical implications. This thesis proposes a new model to aid the decision-making process of those seeking to use blockchain. We validate this model by utilising it for two rail-specific use cases. The first is to build a marketisable data-sharing platform for rail industry data. Within this project, we investigate both classical and post-quantum cryptographic approaches to the platform. The second is a brand new approach digital ticketing for the GB rail network, to initiate the process of replacing the legacy ticketing systems still in operation. We use blockchain technology as the core data store to achieve this. We demonstrate the viability of both use cases, supporting the appropriate deployment of blockchain technology in the rail industry

Foundations of Data Availability Sampling

Towards building more scalable blockchains, an approach known as data availability sampling (DAS) has emerged over the past few years. Even large blockchains like Ethereum are planning to eventually deploy DAS to improve their scalability. In a nutshell, DAS allows the participants of a network to ensure the full availability of some data without any one participant downloading it entirely. Despite the significant practical interest that DAS has received, there are currently no formal definitions for this primitive, no security notions, and no security proofs for any candidate constructions. For a cryptographic primitive that may end up being widely deployed in large real-world systems, this is a rather unsatisfactory state of affairs. In this work, we initiate a cryptographic study of data availability sampling. To this end, we define data availability sampling precisely as a clean cryptographic primitive. Then, we show how data availability sampling relates to erasure codes. We do so by defining a new type of commitment schemes which naturally generalizes vector commitments and polynomial commitments. Using our framework, we analyze existing constructions and prove them secure. In addition, we give new constructions which are based on weaker assumptions, computationally more efficient, and do not rely on a trusted setup, at the cost of slightly larger communication complexity. Finally, we evaluate the trade-offs of the different constructions

Malleable zero-knowledge proofs and applications

In recent years, the field of privacy-preserving technologies has experienced considerable expansion, with zero-knowledge proofs (ZKPs) playing one of the most prominent roles. Although ZKPs have been a well-established theoretical construct for three decades, recent efficiency improvements and novel privacy applications within decentralized finance have become the main drivers behind the surge of interest and investment in this area. This momentum has subsequently sparked unprecedented technical advances. Non-interactive ZKPs (NIZKs) are now regularly implemented across a variety of domains, encompassing, but not limited to, privacy-enabling cryptocurrencies, credential systems, voting, mixing, secure multi-party computation, and other cryptographic protocols. This thesis, although covering several areas of ZKP technologies and their application, focuses on one important aspect of NIZKs, namely their malleability. Malleability is a quality of a proof system that describes the potential for altering an already generated proof. Different properties may be desired in different application contexts. On the one end of the spectrum, non-malleability ensures proof immutability, an important requirement in scenarios such as prevention of replay attacks in anonymous cryptocurrencies. At the other end, some NIZKs enable proof updatability, recursively and directly, a feature that is integral for a variety of contexts, such as private smart contracts, compact blockchains, ZK rollups, ZK virtual machines, and MPC protocols generally. This work starts with a detailed analysis of the malleability and overarching security of a popular NIZK, known as Groth16. Here we adopt a more definitional approach, studying certain properties of the proof system, and its setup ceremony, that are crucial for its precise modelling within bigger systems. Subsequently, the work explores the malleability of transactions within a private cryptocurrency variant, where we show that relaxing non-malleability assumptions enables a functionality, specifically an atomic asset swap, that is useful for cryptocurrency applications. The work culminates with a study of a less general, algebraic NIZK, and particularly its updatability properties, whose applicability we present within the context of ensuring privacy for regulatory compliance purposes

On the foundations of proof-of-work based blockchain protocols

Proof-of-work (PoW) based blockchain protocols, are protocols that organize data into blocks, connected through the use of a hash function to form chains, and which make use of PoW to reach agreement, i.e., proofs that require spending some amount of computational power to be generated. This type of protocols rose into prominence with the advent of Bitcoin, the first protocol that provably implements a distributed transaction ledger against an adversary that controls less than half of the total computational power in the network, in a setting where protocol participants join and leave dynamically without the need for a registration service. Protocols in this class were also the first to be shown sufficient to solve consensus under similar conditions, a problem of fundamental importance in distributed computing. In this thesis, we explore foundational issues of PoW-based blockchain protocols that mainly have to do with the assumptions required to ensure their safe operation. We start by examining whether a common random string that is shared at the start of the protocol execution among the protocol participants is required to efficiently run such protocols. Bitcoin's security is based on the existence of such a string, called the genesis block. On the other hand, protocols found in previous works that do not assume such a setup are inefficient, in the sense that their round complexity strongly depends on the number of protocol participants. Our first contribution is the construction of efficient PoW-based blockchain protocols that provably implement a distributed ledger and consensus without such setup. Next, we turn our attention to the PoW primitive. All previous analyses model PoW using a random oracle. While satisfactory as a sanity check, the random oracle methodology has received significant criticism and shown not to be sound. We make progress by introducing a non-idealized security model and appropriate computational assumptions that are sufficient to implement a distributed ledger or consensus when combined with the right PoW-based protocol. Finally, we analyze GHOST, a recently proposed blockchain protocol, and prove its security against a byzantine adversary under similar assumptions as Bitcoin. Previous works only considered specific attacks

Unclonable Secret Keys

We propose a novel concept of securing cryptographic keys which we call “Unclonable Secret Keys,” where any cryptographic object is modified so that its secret key is an unclonable quantum bit-string whereas all other parameters such as messages, public keys, ciphertexts, signatures, etc., remain classical. We study this model in the authentication and encryption setting giving a plethora of definitions and positive results as well as several applications that are impossible in a purely classical setting. In the authentication setting, we define the notion of one-shot signatures, a fundamental element in building unclonable keys, where the signing key not only is unclonable, but also is restricted to signing only one message even in the paradoxical scenario where it is generated dishonestly. We propose a construction relative to a classical oracle and prove its unconditional security. Moreover, we provide numerous applications including a signature scheme where an adversary can sign as many messages as it wants and yet it cannot generate two signing keys for the same public key. We show that one-shot signatures are sufficient to build a proof-of-work-based decentralized cryptocurrency with several ideal properties: it does not make use of a blockchain, it allows sending money over insecure classical channels and it admits several smart contracts. Moreover, we demonstrate that a weaker version of one-shot signatures, namely privately verifiable tokens for signatures, are sufficient to reduce any classically queried stateful oracle to a stateless one. This effectively eliminates, in a provable manner, resetting attacks to hardware devices (modeled as oracles). In the encryption setting, we study different forms of unclonable decryption keys. We give constructions that vary on their security guarantees and their flexibility. We start with the simplest setting of secret key encryption with honestly generated keys and show that it exists in the quantum random oracle model. We provide a range of extensions, such as public key encryption with dishonestly generated keys, predicate encryption, broadcast encryption and more

Foundations of decentralised privacy

Distributed ledgers, and specifically blockchains, have been an immensely popular investment in the past few years. The heart of their popularity is due to their novel approach toward financial assets: They replace the need for central, trusted institutions such as banks with cryptography, ensuring no one entity has authority over the system. In the light of record distrust in many established institutions, this is attractive both as a method to combat institutional control and to demonstrate transparency. What better way to manage distrust than to embrace it? While distributed ledgers have achieved great things in removing the need to trust institutions, most notably the creation of fully decentralised assets, their practice falls short of the idealistic goals often seen in the field. One of their greatest shortcomings lies in a fundamental conflict with privacy. Distributed ledgers and surrounding technologies rely heavily on the transparent replication of data, a practice which makes keeping anything hidden very difficult. This thesis makes use of the powerful cryptography of succinct non-interactive zero-knowledge proofs to provide a foundation for re-establishing privacy in the decentralised setting. It discusses the security assumptions and requirements of succinct zero-knowledge proofs atlength, establishing a new framework for handling security proofs about them, and reducing the setup required to that already present in commonly used distributed ledgers. It further demonstrates the possibility of privacy-preserving proof-of-stake, removing the need for costly proofs-of-work for a privacy-focused distributed ledger. Finally, it lays out a solid foundation for a smart contract system supporting privacy – putting into the hands of contract authors the tools necessary to innovate and introduce new privacy features

The Blockchain Of Oz : Specifying Blockchain Failures for Scalable Protocols Offering Unprecedented Safety and Decentralization

Blockchains have starred an outstanding increase in interest from both business and research since Nakamoto’s 2008 Bitcoin. Unfortunately, many questions in terms of results that establish upper-bounds, and of proposals that approach these bounds. Furthermore, the sudden hype surrounding the blockchain world has led to several proposals that are either only partially public, informal, or not proven correct. The main contribution of this dissertation is to build upon works that steer clear of blockchain puffery, following research methodology. The works of this dissertation converge towards a blockchain that for the first time formally proves and empirically shows deterministic guarantees in the presence of classical Byzantine adversaries, while at the same time pragmatically resolves unlucky cases in which the adversary corrupts an unprecedented percentage of the system. This blockchain is decentralized and scalable, and needs no strong assumptions like synchrony. For this purpose, we build upon previous work and propose a novel attack of synchronous offchain protocols. We then introduce Platypus, an offchain protocol without synchrony. Secondly, we present Trap, a Byzantine fault-tolerant consensus protocol for blockchains that also tolerates up to less than half of the processes deviating. Thirdly, we present Basilic, a class of protocols that solves consensus both against a resilient-optimal Byzantine adversary and against an adversary controlling up to less than 2/3 of combined liveness and safety faults. Then, we use Basilic to present Zero-loss Blockchain (ZLB), a blockchain that tolerates less than 2/3 of safety faults of which less than 1/3 can be Byzantine. Finally, we present two random beacon protocols for committee sortition: Kleroterion and Kleroterion+ , that improve previous works in terms of communication complexity and in the number of faults tolerated, respectively