
    Verifiable Elections That Scale for Free

    In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process. In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question. The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server.
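    The data flow the abstract describes (encrypted ballots on a bulletin board, M sequential re-encryption mixes, threshold decryption by a quorum of N servers) as an added toy example in Python. This is not code from the paper or its authors: it runs only the honest-party pipeline and deliberately omits the shuffle and partial-decryption proofs (the cm-NIZKs) that are the paper's contribution, so nothing here is verifiable by an outsider. The group (p = 2039, q = 1019, g = 4), the candidate encoding as g^(i+1), the Shamir sharing of the election key and all function names are assumptions chosen for the example; the parameters are far too small for real use.

```python
"""Toy election pipeline: ElGamal ballots, M re-encryption mix servers,
t-of-N threshold decryption.  Added example, not code from the paper; it
omits the proofs of correct shuffle and correct partial decryption that
make the real construction verifiable.  Group parameters are insecure."""
import secrets

# Toy safe-prime group p = 2q + 1; G = 2^2 generates the order-q subgroup.
P = 2039
Q = 1019
G = 4

CANDIDATES = ["alice", "bob", "carol"]
# Assumed encoding: a vote for candidate i is the subgroup element G^(i+1).
ENCODE = {name: pow(G, i + 1, P) for i, name in enumerate(CANDIDATES)}
DECODE = {m: name for name, m in ENCODE.items()}


def keygen():
    """Election key pair; x is Shamir-shared below, never held by one server."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P


def reencrypt(h, ct):
    """Re-randomise without decrypting: multiply by an encryption of 1 (r != 0)."""
    c1, c2 = ct
    r = secrets.randbelow(Q - 1) + 1
    return (c1 * pow(G, r, P)) % P, (c2 * pow(h, r, P)) % P


def mix(h, board):
    """One mix server: re-encrypt every ballot, then apply a secret permutation."""
    out = [reencrypt(h, ct) for ct in board]
    for i in range(len(out) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


def share_secret(x, n, t):
    """Shamir-share x among n servers; any t shares reconstruct (degree t-1 poly mod Q)."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at i
            v = (v * i + c) % Q
        shares.append((i, v))
    return shares


def lagrange_at_zero(idxs):
    """Coefficients lambda_i with sum(lambda_i * f(i)) = f(0) mod Q."""
    lam = {}
    for i in idxs:
        num, den = 1, 1
        for j in idxs:
            if j != i:
                num = (num * -j) % Q
                den = (den * (i - j)) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def partial_decrypt(share, ct):
    """Decryption server i publishes c1^(x_i); a real scheme attaches a proof."""
    i, x_i = share
    return i, pow(ct[0], x_i, P)


def combine(partials, ct):
    """prod (c1^(x_i))^(lambda_i) = c1^x; dividing c2 by it recovers the ballot."""
    lam = lagrange_at_zero([i for i, _ in partials])
    c1_x = 1
    for i, d_i in partials:
        c1_x = c1_x * pow(d_i, lam[i], P) % P
    return ct[1] * pow(c1_x, -1, P) % P


def run_election(votes, num_mixers=3, n_servers=5, threshold=3):
    """Full pipeline on constructed votes; tally is taken from the last mix's output."""
    x, h = keygen()
    shares = share_secret(x, n_servers, threshold)
    board = [encrypt(h, ENCODE[v]) for v in votes]  # posted in voter order
    for _ in range(num_mixers):                     # M sequential mix servers
        board = mix(h, board)
    quorum = shares[:threshold]                     # any t of the N servers suffice
    tally = {name: 0 for name in CANDIDATES}
    for ct in board:
        partials = [partial_decrypt(s, ct) for s in quorum]
        tally[DECODE[combine(partials, ct)]] += 1
    return tally


if __name__ == "__main__":
    print(run_election(["alice", "bob", "alice", "carol", "alice", "bob"]))
```

    The tally comes out of the last mix's output, so a dishonest mixer that dropped or substituted a ballot would go unnoticed here; in the paper's construction each mixer and each decryption server must instead extend the cumulative proof, and the verifier checks only the final one.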

    Malleable zero-knowledge proofs and applications

    In recent years, the field of privacy-preserving technologies has experienced considerable expansion, with zero-knowledge proofs (ZKPs) playing one of the most prominent roles. Although ZKPs have been a well-established theoretical construct for three decades, recent efficiency improvements and novel privacy applications within decentralized finance have become the main drivers behind the surge of interest and investment in this area. This momentum has subsequently sparked unprecedented technical advances. Non-interactive ZKPs (NIZKs) are now regularly implemented across a variety of domains, encompassing, but not limited to, privacy-enabling cryptocurrencies, credential systems, voting, mixing, secure multi-party computation, and other cryptographic protocols. This thesis, although covering several areas of ZKP technologies and their application, focuses on one important aspect of NIZKs, namely their malleability. Malleability is a quality of a proof system that describes the potential for altering an already generated proof. Different properties may be desired in different application contexts. On the one end of the spectrum, non-malleability ensures proof immutability, an important requirement in scenarios such as prevention of replay attacks in anonymous cryptocurrencies. At the other end, some NIZKs enable proof updatability, recursively and directly, a feature that is integral for a variety of contexts, such as private smart contracts, compact blockchains, ZK rollups, ZK virtual machines, and MPC protocols generally. This work starts with a detailed analysis of the malleability and overarching security of a popular NIZK, known as Groth16. Here we adopt a more definitional approach, studying certain properties of the proof system, and its setup ceremony, that are crucial for its precise modelling within bigger systems. Subsequently, the work explores the malleability of transactions within a private cryptocurrency variant, where we show that relaxing non-malleability assumptions enables a functionality, specifically an atomic asset swap, that is useful for cryptocurrency applications. The work culminates with a study of a less general, algebraic NIZK, and particularly its updatability properties, whose applicability we present within the context of ensuring privacy for regulatory compliance purposes.

    Geppetto: Versatile Verifiable Computation

    Cloud computing sparked interest in Verifiable Computation protocols, which allow a weak client to securely outsource computations to remote parties. Recent work has dramatically reduced the client’s cost to verify the correctness of results, but the overhead to produce proofs largely remains impractical. Geppetto introduces complementary techniques for reducing prover overhead and increasing prover flexibility. With Multi-QAPs, Geppetto reduces the cost of sharing state between computations (e.g., for MapReduce) or within a single computation by up to two orders of magnitude. Via a careful instantiation of cryptographic primitives, Geppetto also brings down the cost of verifying outsourced cryptographic computations (e.g., verifiably computing on signed data); together with Geppetto’s notion of bounded proof bootstrapping, Geppetto improves on prior bootstrapped systems by five orders of magnitude, albeit at some cost in universality. Geppetto also supports qualitatively new properties like verifying the correct execution of proprietary (i.e., secret) algorithms. Finally, Geppetto’s use of energy-saving circuits brings the prover’s costs more in line with the program’s actual (rather than worst-case) execution time. Geppetto is implemented in a full-fledged, scalable compiler that consumes LLVM code generated from a variety of apps, as well as a large cryptographic library.

    Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings

    Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations. Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature.