16 research outputs found

    Folding Schemes with Selective Verification

    In settings such as delegation of computation, where a prover is doing computation as a service for many verifiers, it is important to amortize the prover's costs without increasing those of the verifier. We introduce folding schemes with selective verification. Such a scheme allows a prover to aggregate m NP statements x_i ∈ L into a single statement x ∈ L. Knowledge of a witness for x implies knowledge of witnesses for all m statements. Furthermore, each statement can be individually verified by asserting the validity of the aggregated statement and an individual proof π whose size is sublinear in the number of aggregated statements. In particular, verification of statement x_i does not require reading (or even knowing) all the statements aggregated. We demonstrate natural folding schemes for various languages: inner product relations, vector and polynomial commitment openings, and the relaxed R1CS of NOVA. All these constructions incur a minimal overhead for the prover, comparable to simply reading the statements.

    Conditional Blind Signatures

    We propose a novel cryptographic primitive called conditional blind signatures. Our primitive allows a user to request blind signatures on messages of her choice. The signer has a secret Boolean input which determines whether the supplied signature is valid or not. The user should not be able to distinguish between valid and invalid signatures. A designated verifier, however, can tell which signatures verify correctly, and is in fact the only entity who can learn the secret input associated with the (unblinded) signed message. We instantiate our primitive as an extension of the Okamoto-Schnorr blind signature scheme and provide variations to fit different usage scenarios. Finally, we analyze and prove the security properties of the new scheme and explore potential applications.

    Security models for everlasting privacy

    We propose security models for everlasting privacy, a property that protects the content of the votes cast in electronic elections against future and powerful adversaries. Initially, everlasting privacy was treated synonymously with information-theoretic privacy and did not take into account the information available to the adversary or his behavior during or after the election. More recent works provided variations of the concept, limiting the view of the future adversary to publicly available data. We consider an adversary that potentially has insider access to private election data as well. We formally express our adversarial model in game-based definitions built on top of a generic voting scheme. This allows us to define a stronger version of everlasting privacy and contrast the two main proposals to achieve it, namely perfectly hiding commitment schemes and anonymous channels.

    Updateable Inner Product Argument with Logarithmic Verifier and Applications

    We propose an improvement for the inner product argument of Bootle et al. (EUROCRYPT'16). The new argument replaces the unstructured common reference string (the commitment key) by a structured one. We give two instantiations of this argument, for two different distributions of the CRS. In the designated verifier setting, this structure can be used to reduce verification from linear to logarithmic in the circuit size. The argument can be compiled to the publicly verifiable setting in asymmetric bilinear groups. The new common reference string can easily be made updatable. The argument can be directly used to improve verification of Bulletproofs range proofs (IEEE SP'18). On the other hand, to use the improved argument to prove circuit satisfiability with logarithmic verification, we adapt recent techniques from Sonic (ACM CCS'19) to work with the new common reference string. The resulting argument is secure under standard assumptions (in the Random Oracle Model), in contrast with Sonic and recent works that improve its efficiency (Plonk, Marlin, AuroraLight), which, apart from the Random Oracle Model, need either the Algebraic Group Model or Knowledge Type assumptions.

    Integrated Reverse Engineering Strategy for Large-Scale Mechanical Systems: Application to a Steam Turbine Rotor

    An integrated reverse engineering methodology is proposed for a large-scale, fully operational steam turbine rotor, considering issues that include developing the CAD and FE model of the structure, as well as the applicability of model updating techniques based on experimental modal analysis procedures. First, using an integrated reverse engineering strategy, the digital shape of the three sections of a steam turbine rotor was designed and the final parametric CAD model was developed. The finite element model of the turbine was developed using tetrahedral solid elements, resulting in fifty-five million DOFs. Imposing impulsive loading in a free-free state, measured acceleration time histories were used to obtain the dynamic responses and identify the modal characteristics of each section of the complete steam turbine. Experimentally identified mode shapes and modal frequencies compared to the ones predicted by the FE model constitute the actual measure of fit. The CMA-ES optimization algorithm is then implemented in order to finely tune material parameters, such as modulus of elasticity and density, so as to best match experimental and numerical data. Comparing numerical and experimental results verified the reliability and accuracy of the applied methodology. The identified finite element model is representative of the initial structural condition of the turbine and is used to develop a simplified finite element model, which is then used for the turbine rotordynamic analysis. Accumulated knowledge of the dynamic behavior of the specific steam turbine system could be used to evaluate stability or instability states, fatigue growth in the turbine blades, and changes in the damping of the bearing system, and to perform necessary scheduled, optimal and cost-effective maintenance strategies. Additionally, after a series of scheduled experimental data collections, a permanent output-only vibration SHM system could be installed and even a proper dynamic balancing could be investigated and designed.

    Mutual Accountability Layer: Accountable Anonymity within Accountable Trust

    Anonymous cryptographic primitives reduce the traces left by users when interacting over a digital platform. However, they also prevent a platform owner from holding users accountable in case of malicious behaviour. Revocable anonymity offers a compromise by allowing only the manager (and not the other users) of the digital platform to de-anonymize users' activities when necessary. However, such de-anonymization power can be abused too, as a misbehaving manager can de-anonymize all the activities without the users' awareness. Previous work proposes to mitigate this issue by distributing the de-anonymization power across several entities. However, there is no comprehensive and formal treatment where both accountability and non-frameability (i.e., the inability to falsely accuse a party of misbehavior) for both the user and the manager are explicitly defined and provably achieved. In this paper we formally define mutual accountability: a user can be held accountable for her otherwise anonymous digital actions and a manager is held accountable for every de-anonymization attempt; plus, no honest party can be framed, regardless of what malicious parties do. Instead of distributing the de-anonymization power across entities, we decouple the power of de-anonymization from the power of monitoring de-anonymization attempts. This allows for greater flexibility, particularly in the choice of the monitoring entities. We show that our framework can be instantiated generically from threshold encryption schemes and succinct non-interactive zero-knowledge. We also show that the highly efficient threshold group signature scheme by Camenisch et al. (SCN'20) can be modified and extended to instantiate our framework.

    Linear-map Vector Commitments and their Practical Applications

    Vector commitments (VC) are a cryptographic primitive that allows one to commit to a vector and then "open" some of its positions efficiently. Vector commitments are increasingly recognized as a central tool to scale highly decentralized networks that are large and whose content is dynamic. In this work, we examine the demands on the properties that an ideal vector commitment should satisfy in the light of the emerging plethora of practical applications, and propose new constructions that improve the state of the art in several dimensions and offer new trade-offs. We also propose a unifying framework that captures several constructions and show how to generically achieve some properties from more basic ones. On the practical side, we focus on building efficient schemes that do not require a new trusted setup (we can reuse existing ceremonies for pairing-based "powers of tau" run by real-world systems such as ZCash or Filecoin). Our (in-progress) implementation demonstrates that our work outperforms, in efficiency, prior schemes with the same properties.

    Non-blood medical care in gynecologic oncology: a review and update of blood conservation management schemes

    This review attempts to outline the alternative measures and interventions used in bloodless surgery in the field of gynecologic oncology and to demonstrate their effectiveness. Nowadays, as increasingly more patients are expressing their fears concerning the potential risks accompanying allogenic transfusion of blood products, putting the theory of bloodless surgery into practice seems to be gaining greater acceptance. An increasing number of institutions appear to be successfully adopting approaches that minimize blood usage for all patients treated for gynecologic malignancies. Preoperative, intraoperative and postoperative measures are required, such as optimization of red blood cell mass, an adequate preoperative plan and invasive hemostatic procedures, assisting anesthetic techniques, individualization of anemia tolerance, autologous blood donation, normovolemic hemodilution, intraoperative cell salvage and pharmacologic agents for controlling blood loss. An individualised management plan by experienced personnel adopting a multidisciplinary team approach should be available to establish non-blood management strategies in the field of gynecologic oncology, and not only on demand of the patient, with the use of drugs, devices and surgical-medical techniques.

    Succinct arguments: efficiency, assumptions and trade-offs

    Succinct non-interactive arguments (snarks) are cryptographic constructions that allow a prover to convince a verifier of the validity of a statement regarding some computation. We consider these objects from the perspectives of efficiency and assumptions. We modify the folding technique of Bootle et al. (Eurocrypt 16) to exponentially reduce the verifier's complexity at the expense of an updatable setup instead of a transparent one. Next, we construct a delegation scheme –which is a snark for efficiently decidable languages– using simple and well understood cryptographic assumptions. On the verification side, the construction competes in efficiency with constructions that use "non-standard" assumptions. Furthermore, we consider other cryptographic constructions that are relevant to snarks. First, we explore vector commitments and consider combinatorial techniques to construct them. One of our constructions allows flexible time/memory trade-offs. Second, we introduce folding schemes with selective verification, which allow a prover to amortize the cost of producing multiple proofs addressed to different verifiers.

    Succinct non-interactive arguments (snarks, by their English acronym) are cryptographic constructions that allow a prover to convince a verifier of the validity of a statement regarding some computation. We consider these objects from the point of view of efficiency and of the problems assumed to be intractable. We modify the folding technique of Bootle et al. (Eurocrypt 16) to exponentially reduce the verifier's complexity at the expense of the security of public parameter generation: instead of being transparent, the parameters will be updatable. Next, we construct a delegation scheme, which is a snark for efficiently decidable languages, using simple and well-understood cryptographic assumptions. On the verification side, the efficiency of our construction competes with that of constructions that use "non-standard" assumptions. Furthermore, we consider other cryptographic constructions that are relevant to snarks. First, we explore vector commitments and consider combinatorial techniques to construct them. One of our constructions allows flexible trade-offs between time and memory. Second, we introduce folding schemes with selective verification, which allow a prover to amortize the cost of producing multiple proofs addressed to different verifiers.

    Fully-succinct Publicly Verifiable Delegation from Constant-Size Assumptions

    We construct a publicly verifiable, non-interactive delegation scheme for any polynomial size arithmetic circuit with proof size and verification complexity comparable to those of pairing-based zk-SNARKs. Concretely, the proof consists of O(1) group elements and verification requires O(1) pairings and n group exponentiations, where n is the size of the input. While known SNARK-based constructions rely on non-falsifiable assumptions, our construction can be proven sound under any constant size (k ≥ 2) k-Matrix Diffie-Hellman (k-MDDH) assumption. However, the size of the reference string as well as the prover's complexity are quadratic in the size of the circuit. This result demonstrates that we can construct delegation from very simple and well-understood assumptions. We consider this work a first step towards achieving practical delegation from standard, falsifiable assumptions. Our main technical contributions are, first, the introduction and construction of what we call "no-signaling, somewhere statistically binding commitment schemes". These commitments are extractable for any small part x_S of an opening x, where S ⊆ [n] is of size at most K. Here n is the dimension of x and x_S = (x_i)_{i ∈ S}. Importantly, for any S' ⊆ S, extracting x_{S'} can be done independently of S \ S'. Second, we use these commitments to construct more efficient "quasi-arguments" with no-signaling extraction, introduced by Paneth and Rothblum (TCC 17). These arguments allow extracting parts of the witness of a statement and checking it against some local constraints without revealing which part is checked. We construct pairing-based quasi-arguments for linear and quadratic constraints and combine them with the low-depth delegation result of González et al. (Asiacrypt 19) to construct the final delegation scheme.