Square Span Programs with Applications to Succinct NIZK Arguments

We use SSPs to construct succinct non-interactive zero-knowledge arguments of knowledge. For performance, our proof system is defined over Type III bilinear groups; proofs consist of just 4 group elements, verified in just 6 pairings. Concretely, using the Pinocchio libraries, we estimate that proofs will consist of 160 bytes verified in less than 6 ms

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

We construct a pairing based simulation-extractable SNARK (SE-SNARK) that consists of only 3 group elements and has highly efficient verification. By formally linking SE-SNARKs to signatures of knowledge, we then obtain a succinct signature of knowledge consisting of only 3 group elements. SE-SNARKs enable a prover to give a proof that they know a witness to an instance in a manner which is: (1) succinct - proofs are short and verifier computation is small; (2) zero-knowledge - proofs do not reveal the witness; (3) simulation-extractable - it is only possible to prove instances to which you know a witness, even when you have already seen a number of simulated proofs. We also prove that any pairing based signature of knowledge or SE-NIZK argument must have at least 3 group elements and 2 verification equations. Since our constructions match these lower bounds, we have the smallest size signature of knowledge and the smallest size SE-SNARK possible

On the Size of Pairing-Based Non-interactive Arguments

Non-interactive arguments enable a prover to convince a verifier that a statement is true. Recently there has been a lot of progress both in theory and practice on constructing highly efficient non-interactive arguments with small size and low verification complexity, so-called succinct non-interactive arguments (SNARGs) and succinct non-interactive arguments of knowledge (SNARKs). Many constructions of SNARGs rely on pairing-based cryptography. In these constructions a proof consists of a number of group elements and the verification consists of checking a number of pairing product equations. The question we address in this article is how efficient pairing-based SNARGs can be. Our first contribution is a pairing-based (preprocessing) SNARK for arithmetic circuit satisfiability, which is an NP-complete language. In our SNARK we work with asymmetric pairings for higher efficiency, a proof is only 3 group elements, and verification consists of checking a single pairing product equations using 3 pairings in total. Our SNARK is zero-knowledge and does not reveal anything about the witness the prover uses to make the proof. As our second contribution we answer an open question of Bitansky, Chiesa, Ishai, Ostrovsky and Paneth (TCC 2013) by showing that linear interactive proofs cannot have a linear decision procedure. It follows from this that SNARGs where the prover and verifier use generic asymmetric bilinear group operations cannot consist of a single group element. This gives the first lower bound for pairing-based SNARGs. It remains an intriguing open problem whether this lower bound can be extended to rule out 2 group element SNARGs, which would prove optimality of our 3 element construction

Efektiivsed mitteinteraktiivsed nullteadmusprotokollid referentssõne mudelis

Väitekirja elektrooniline versioon ei sisalda publikatsioone.Koos digitaalse ajastu võidukäiguga on interneti vahendusel võimalik sooritada üha ulmelisemana näivaid tegevusi. Täielikule krüpteeringule ehitatud mobiilsed rakendused, nagu näiteks WhatsApp, suudavad tagada, et kõne või sõnum jõuaksid üksnes õige adressaadini. Enamik pangasüsteeme garanteerivad TLS protokolli kasutades, et arvete maksmisel ja ülekannete tegemisel poleks nende andmeid kellelgi võimalik lugeda ega muuta. Mõned riigid pakuvad võimalust elektroonilisel teel hääletada (näiteks Eesti) või referendumeid läbi viia (näiteks Šveits), tagades sealjuures traditsioonilise paberhääletuse tasemel turvalisuse kriteeriumid. Kõik eelnevalt kirjeldatud tegevused vajavad kasutajate turvalisuse tagamiseks krüptograafilist protokolli. Tegelikkuses ei saa me kunagi eeldada, et kõik protokolli osapooled järgivad protokolli spetsifikatsiooni. Reaalses elus peab protokolli turvalisuseks iga osapool tõestama, et ta seda järgis ilma privaatsuse ohverdamiseta. Üks viis seda teha on nullteadmusprotokolli abil. Nullteadmusprotokoll on tõestus, mis ei lekita mingit informatsiooni peale selle, et väide on tõene. Tihti tahame, et nullteadmusprotokoll oleks mitteinteraktiivne. Sellisel juhul piisab, kui tõestus on arvutatud ainult ühe korra ning verifitseerijatel on igal ajal võimalik seda kontrollida. On kaks peamist mudelit, mis võimaldavad mitteinteraktiivsete nullteadmusprotokollide loomist: juhusliku oraakli (JO) mudel ja referentssõne mudel. JO mudeli protokollid on väga efektiivsed, kuid mõningate piirangute tõttu eelistame referentssõne mudelit. Selles töös esitleme kolme stsenaariumit, milles mitteinteraktiivne nullteadmus on asjakohane: verifitseeritav arvutamine, autoriseerimine ja elektrooniline hääletamine. Igas stsenaariumis pakume välja nullteadmusprotokolli referentssõne mudelis, mis on seni efektiivseim ning võrreldava efektiivsusega protokollidega JO mudelis.In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices. Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents. Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data. Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting. In all these activities, a cryptographic protocol is required to ensure users' privacy. In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification. Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs. This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness. In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time. There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model. Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model. In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting. In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model

Usalduse vähendamine ja turvalisuse parandamine zk-SNARK-ides ja kinnitusskeemides

Väitekirja elektrooniline versioon ei sisalda publikatsioonezk-SNARK-id on tõhusad ja praktilised mitteinteraktiivsed tõestussüsteemid, mis on konstrueeritud viitestringi mudelis ning tänu kompaktsetele tõestustele ja väga tõhusale verifitseeritavusele on need laialdaselt kasutusele võetud suuremahulistes praktilistes rakendustes. Selles töös uurime zk-SNARK-e kahest vaatenurgast: nende usalduse vähendamine ja turvalisuse tugevdamine. Esimeses suunas uurime kui palju saab vähendada usaldust paaristuspõhiste zk-SNARK-ide puhul ilma nende tõhusust ohverdamata niiviisi, et kasutajad saavad teatud turvataseme ka siis kui seadistusfaas tehti pahatahtlikult või kui avalikustati seadistusfaasi salajane teave. Me pakume välja mõned tõhusad konstruktsioonid, mis suudavad takistada zk-SNARK-i seadistusfaasi ründeid ja mis saavutavad senisest tugevama turvataseme. Näitame ka seda, et sarnased tehnikad võimaldavad leevendada usaldust tagauksega kinnitusskeemides, mis on krüptograafiliste primitiivide veel üks silmapaistev perekond ja mis samuti nõub usaldatud seadistusfaasi. Teises suunas esitame mõned tõhusad konstruktsioonid, mis tagavad parema turvalisuse minimaalsete lisakuludega. Mõned esitatud konstruktsioonidest võimaldavad lihtsustada praegusi TK-turvalisi protokolle, nimelt privaatsust säilitavate nutilepingusüsteemide Hawk ja Gyges konstruktsiooni, ja parandada nende tõhusust. Uusi konstruktsioone saab aga otse kasutada uutes protokollides, mis soovivad kasutada zk-SNARK-e. Osa väljapakutud zk-SNARK-e on implementeeritud teegis Libsnark ja empiirilised tulemused kinnitavad, et usalduse vähendamiseks või suurema turvalisuse saavutamiseks on arvutuslikud lisakulud väikesed.Zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) are an efficient family of NIZK proof systems that are constructed in the Common Reference String (CRS) model and due to their succinct proofs and very efficient verification, they are widely adopted in large-scale practical applications. In this thesis, we study zk-SNARKs from two perspectives, namely reducing trust and improving security in them. In the first direction, we investigate how much one can mitigate trust in pairing-based zk-SNARKs without sacrificing their efficiency. In such constructions, the parties of protocol will obtain a certain level of security even if the setup phase was done maliciously or the secret information of the setup phase was revealed. As a result of this direction, we present some efficient constructions that can resist against subverting of the setup phase of zk-SNARKs and achieve a certain level of security which is stronger than before. We also show that similar techniques will allow us to mitigate the trust in the trapdoor commitment schemes that are another prominent family of cryptographic primitives that require a trusted setup phase. In the second direction, we present some efficient constructions that achieve more security with minimal overhead. Some of the presented constructions allow to simplify the construction of current UC-secure protocols and improve their efficiency. New constructions can be directly deployed in any novel protocols that aim to use zk-SNARKs. Some of the proposed zk-SNARKs are implemented in Libsnark, the state-of-the-art library for zk-SNARKs, and empirical experiences confirm that the computational cost to mitigate the trust or to achieve more security is practical.https://www.ester.ee/record=b535927

Snarky Signatures: \\ Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

We construct a pairing-based simulation-extractable succinct non-interactive argument of knowledge (SE-SNARK) that consists of only 3 group elements and has highly efficient verification. By formally linking SE-SNARKs to signatures of knowledge, we then obtain a succinct signature of knowledge consisting of only 3 group elements. SE-SNARKs enable a prover to give a proof that they know a witness to an instance in a manner which is: (1) \textit{succinct} - proofs are short and verifier computation is small; (2) \textit{zero-knowledge} - proofs do not reveal the witness; (3) \textit{simulation-extractable} - it is only possible to prove instances to which you know a witness, even when you have already seen a number of simulated proofs. We also prove that any pairing-based signature of knowledge or SE-SNARK must have at least 3 group elements and 2 verification equations. Since our constructions match these lower bounds, we have the smallest size signature of knowledge and the smallest size SE-SNARK possible

Lattice-Based zk-SNARKs from Square Span Programs

Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short (i.e., independent of the size of the witness) and efficiently verifiable proofs. They elegantly resolve the juxtaposition of individual privacy and public trust, by providing an efficient way of demonstrating knowledge of secret information without actually revealing it. To this day, zk-SNARKs are widely deployed all over the planet and are used to keep alive a system worth billion of euros, namely the cryptocurrency Zcash. However, all current SNARKs implementations rely on so-called pre-quantum assumptions and, for this reason, are not expected to withstand cryptanalitic efforts over the next few decades. In this work, we introduce a new zk-SNARK that can be instantiated from lattice-based assumptions, and which is thus believed to be post-quantum secure. We provide a generalization in the spirit of Gennaro et al. (Eurocrypt'13) to the SNARK of Danezis et al. (Asiacrypt'14) that is based on Square Span Programs (SSP) and relies on weaker computational assumptions. We focus on designated-verifier proofs and propose a protocol in which a proof consists of just 5 LWE encodings. We provide a concrete choice of parameters, showing that our construction is practically instantiable

Mitte-interaktiivsed nullteadmusprotokollid nõrgemate usalduseeldustega

Väitekirja elektrooniline versioon ei sisalda publikatsiooneTäieliku koosluskindlusega (TK) kinnitusskeemid ja nullteadmustõestused on ühed põhilisemad krüptograafilised primitiivid, millel on hulgaliselt päriselulisi rakendusi. (TK) Kinnitusskeem võimaldab osapoolel arvutada salajasest sõnumist kinnituse ja hiljem see verifitseeritaval viisil avada. Täieliku koosluskindlusega protokolle saab vabalt kombineerida teiste täieliku koosluskindlusega protokollidega ilma, et see mõjutaks nende turvalisust. Nullteadmustõestus on protokoll tõestaja ja verifitseerija vahel, mis võimaldab tõestajal veenda verifitseerijat mingi väite paikapidavuses ilma rohkema informatsiooni lekitamiseta. Nullteadmustõestused pakuvad suurt huvi ka praktilistes rakendustes, siinkohal on olulisemateks näideteks krüptorahad ja hajusandmebaasid üldisemalt. Siin on eriti asjakohased just lühidad mitteinteraktiivsed nullteadmustõestused (SNARKid) ning kvaasiadaptiivsed mitteinteraktiivsed nullteadmustõestused (QA-NIZKid). Mitteinteraktiivsetel nullteadmustõestustel juures on kaks suuremat praktilist nõrkust. Esiteks on tarvis usaldatud seadistusfaasi osapoolte ühisstringi genereerimiseks ja teiseks on tarvis täielikku koosluskindlust. Käesolevas doktoritöös me uurime neid probleeme ja pakume välja konkreetseid konstruktsioone nende leevendamiseks. Esmalt uurime me õõnestuskindlaid SNARKe juhu jaoks, kus seadistusfaasi ühisstring on õõnestatud. Me konstrueerime õõnestuskindla versiooni seni kõige tõhusamast SNARKist. Samuti uurime me QA-NIZKide õõnestuskindlust ja konstrueerime kõige efektiivsemate QA-NIZKide õõnestuskindla versiooni. Mis puutub teise uurimissuunda, nimelt täielikku koosluskindlusesse, siis sel suunal kasutame me pidevaid projektiivseid räsifunktsioone. Me pakume välja uue primitiivi, kus eelmainitud räsifunktsioonid on avalikult verifitseeritavad. Nende abil me konstrueerime seni kõige tõhusama mitteinteraktiivse koosluskindla kinnitusskeemi. Lõpetuseks me töötame välja uue võtte koosluskindlate kinnitusskeemide jaoks, mis võimaldab ühisarvutuse abil luua nullteadmustõestuste ühisstringe.Quite central primitives in cryptographic protocols are (Universally composable (UC)) commitment schemes and zero-knowledge proofs that getting frequently employed in real-world applications. A (UC) commitment scheme enables a committer to compute a commitment to a secret message, and later open it in a verifiable manner (UC protocols can seamlessly be combined with other UC protocols and primitives while the entire protocol remains secure). A zero-knowledge proof is a protocol usually between a prover and a verifier that allows the prover to convince the verifier of the legality of a statement without disclosing any more information. Zero-knowledge proofs and in particular Succinct non-interactive zero-knowledge proofs (SNARKs) and quasi adaptive NIZK (QA-NIZK) are of particular interest in the real-world applications, with cryptocurrencies or more generally distributed ledger technologies being the prime examples. The two serious issues and the main drawbacks of the practical usage of NIZKs are (i) the demand for a trusted setup for generating the common reference string (CRS) and (ii) providing the UC security. In this thesis, we essentially investigate the aforementioned issues and propose concrete constructions for them. We first investigate subversion SNARKs (Sub zk-SNARKs) when the CRS is subverted. In particular, we build a subversion of the most efficient SNARKs. Then we initiate the study of subversion QA-NIZK (Sub-QA-NIZK) and construct subversion of the most efficient QA-NIZKs. For the second issue, providing UC-security, we first using hash proof systems or smooth projective hash functions (SPHFs), we introduce a new cryptographic primitive called publicly computable SPHFs (PC-SPHFs) and construct the currently most efficient non-interactive UC-secure commitment. Finally, we develop a new technique for constructing UC-secure commitments schemes that enables one to generate CRS of NIZKs by using MPC in a UC-secure mannerhttps://www.ester.ee/record=b535926

Practical Zero-Knowledge Arguments from Structured Reference Strings

Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptographic protocols. For zero-knowledge proofs used in blockchain applications, it is desirable to have small proof sizes and fast verification. Yet by design, existing constructions with these properties such as zk-SNARKs also have a secret trapdoor embedded in a relation dependent structured reference string (SRS). Knowledge of this trapdoor suffices to break the security of these proofs. The SRSs required by zero-knowledge proofs are usually constructed with multiparty computation protocols, but the resulting parameters are specific to each individual circuit. In this thesis, we propose a model for constructing zero-knowledge arguments (i.e. zero-knowledge proofs with computational soundness) in which the generation of the SRS is directly considered in the security analysis. In our model the same SRS can be used across multiple applications. Further, the model is updatable i.e. users can update the universal SRS and the SRS is considered secure provided at least one of these users is honest. We propose two zero-knowledge arguments with updatable and universal SRSs, as well as a third which is neither updatable nor universal, but which through similar techniques achieves simulation extractability. The proposed arguments are practical, with proof sizes never more than a constant number of group elements. Verification for two of our constructions consist of a small number of pairing operations. For our other construction, which has the desirable property of a linear sized updatable and universal SRS, we describe efficient batching techniques so that verification is fast in the amortised setting

On a New, Efficient Framework for Falsifiable Non-interactive Zero-Knowledge Arguments

Et kunnskapsløst bevis er en protokoll mellom en bevisfører og en attestant. Bevisføreren har som mål å overbevise attestanten om at visse utsagn er korrekte, som besittelse av kortnummeret til et gyldig kredittkort, uten å avsløre noen private opplysninger, som for eksempel kortnummeret selv. I mange anvendelser er det ønskelig å bruke IIK-bevis (Ikke-interaktive kunnskapsløse bevis), der bevisføreren produserer kun en enkelt melding som kan bekreftes av mange attestanter. En ulempe er at sikre IIK-bevis for ikke-trivielle språk kun kan eksistere ved tilstedeværelsen av en pålitelig tredjepart som beregner en felles referansestreng som blir gjort tilgjengelig for både bevisføreren og attestanten. Når ingen slik part eksisterer liter man av og til på ikke-interaktiv vitne-uskillbarhet, en svakere form for personvern. Studiet av effektive og sikre IIK-bevis er en kritisk del av kryptografi som har blomstret opp i det siste grunnet anvendelser i blokkjeder. I den første artikkelen konstruerer vi et nytt IIK-bevis for språkene som består av alle felles nullpunkter for en endelig mengde polynomer over en endelig kropp. Vi demonstrerer nytteverdien av beviset ved flerfoldige eksempler på anvendelser. Særlig verdt å merke seg er at det er mulig å gå nesten automatisk fra en beskrivelse av et språk på et høyt nivå til definisjonen av IIK-beviset, som minsker behovet for dedikert kryptografisk ekspertise. I den andre artikkelen konstruerer vi et IIV-bevis ved å bruke en ny kompilator. Vi utforsker begrepet Kunnskapslydighet (et sterkere sikkerhetsbegrep enn lydighet) for noen konstruksjoner av IIK-bevis. I den tredje artikkelen utvider vi arbeidet fra den første artikkelen ved å konstruere et nytt IIK-bevis for mengde-medlemskap som lar oss bevise at et element ligger, eller ikke ligger, i den gitte mengden. Flere nye konstruksjoner har bedre effektivitet sammenlignet med allerede kjente konstruksjoner.A zero-knowledge proof is a protocol between a prover, and a verifier. The prover aims to convince the verifier of the truth of some statement, such as possessing credentials for a valid credit card, without revealing any private information, such as the credentials themselves. In many applications, it is desirable to use NIZKs (Non-Interactive Zero Knowledge) proofs, where the prover sends outputs only a single message that can be verified by many verifiers. As a drawback, secure NIZKs for non-trivial languages can only exist in the presence of a trusted third party that computes a common reference string and makes it available to both the prover and verifier. When no such party exists, one sometimes relies on non interactive witness indistinguishability (NIWI), a weaker notion of privacy. The study of efficient and secure NIZKs is a crucial part of cryptography that has been thriving recently due to blockchain applications. In the first paper, we construct a new NIZK for the language of common zeros of a finite set of polynomials over a finite field. We demonstrate its usefulness by giving a large number of example applications. Notably, it is possible to go from a high-level language description to the definition of the NIZK almost automatically, lessening the need for dedicated cryptographic expertise. In the second paper, we construct a NIWI using a new compiler. We explore the notion of Knowledge Soundness (a security notion stronger than soundness) of some NIZK constructions. In the third paper, we extended the first paper’s work by constructing a new set (non-)membership NIZK that allows us to prove that an element belongs or does not belong to the given set. Many new constructions have better efficiency compared to already-known constructions.Doktorgradsavhandlin