Fractal: Post-Quantum and Transparent Recursive Proofs from Holography

We present a new methodology to efficiently realize recursive composition of succinct non-interactive arguments of knowledge (SNARKs). Prior to this work, the only known methodology relied on pairing-based SNARKs instantiated on cycles of pairing-friendly elliptic curves, an expensive algebraic object. Our methodology does not rely on any special algebraic objects and, moreover, achieves new desirable properties: it is *post-quantum* and it is *transparent* (the setup is public coin). We exploit the fact that recursive composition is simpler for SNARKs with *preprocessing*, and the core of our work is obtaining a preprocessing zkSNARK for rank-1 constraint satisfiability (R1CS) that is post-quantum and transparent. We obtain this latter by establishing a connection between holography and preprocessing in the random oracle model, and then constructing a holographic proof for R1CS. We experimentally validate our methodology, demonstrating feasibility in practice

Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings

Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations. Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature

Desalination and Reuse of High-Salinity Shale Gas Produced Water: Drivers, Technologies, and Future Directions

In the rapidly developing shale gas industry, managing produced water is a major challenge for maintaining the profitability of shale gas extraction while protecting public health and the environment. We review the current state of practice for produced water management across the United States and discuss the interrelated regulatory, infrastructure, and economic drivers for produced water reuse. Within this framework, we examine the Marcellus shale play, a region in the eastern United States where produced water is currently reused without desalination. In the Marcellus region, and in other shale plays worldwide with similar constraints, contraction of current reuse opportunities within the shale gas industry and growing restrictions on produced water disposal will provide strong incentives for produced water desalination for reuse outside the industry. The most challenging scenarios for the selection of desalination for reuse over other management strategies will be those involving high-salinity produced water, which must be desalinated with thermal separation processes. We explore desalination technologies for treatment of high-salinity shale gas produced water, and we critically review mechanical vapor compression (MVC), membrane distillation (MD), and forward osmosis (FO) as the technologies best suited for desalination of high-salinity produced water for reuse outside the shale gas industry. The advantages and challenges of applying MVC, MD, and FO technologies to produced water desalination are discussed, and directions for future research and development are identified. We find that desalination for reuse of produced water is technically feasible and can be economically relevant. However, because produced water management is primarily an economic decision, expanding desalination for reuse is dependent on process and material improvements to reduce capital and operating costs

Aurora: Transparent Succinct Arguments for R1CS

We design, implement, and evaluate a zkSNARK for Rank-1 Constraint Satisfaction (R1CS), a widely-deployed NP-complete language that is undergoing standardization. Our construction uses a transparent setup, is plausibly post-quantum secure, and uses lightweight cryptography. A proof attesting to the satisfiability of n constraints has size $O(\log^2 n)$; it can be produced with $O(n \log n)$ field operations and verified with $O(n)$. At 128 bits of security, proofs are less than 130kB even for several million constraints, more than 20x shorter than prior zkSNARK with similar features. A key ingredient of our construction is a new Interactive Oracle Proof (IOP) for solving a *univariate* analogue of the classical sumcheck problem [LFKN92], originally studied for *multivariate* polynomials. Our protocol verifies the sum of entries of a Reed--Solomon codeword over any subgroup of a field. We also provide libiop, an open-source library for writing IOP-based arguments, in which a toolchain of transformations enables programmers to write new arguments by writing simple IOP sub-components. We have used this library to specify our construction and prior ones

Subvector Commitments with Application to Succinct Arguments

We put forward the notion of subvector commitments (SVC): An SVC allows one to open a committed vector at a set of positions, where the opening size is independent of length of the committed vector and the number of positions to be opened. We propose two constructions under variants of the root assumption and the CDH assumption, respectively. We further generalize SVC to a notion called linear map commitments (LMC), which allows one to open a committed vector to its images under linear maps with a single short message, and propose a construction over pairing groups. Equipped with these newly developed tools, we revisit the ``CS proofs\u27\u27 paradigm [Micali, FOCS 1994] which turns any arguments with public-coin verifiers into non-interactive arguments using the Fiat-Shamir transform in the random oracle model. We propose a compiler that turns any (linear, resp.) PCP into a non-interactive argument, using exclusively SVCs (LMCs, resp.). For an approximate $80$ bits of soundness, we highlight the following new implications: - There exists a succinct non-interactive argument of knowledge (SNARK) with public-coin setup with proofs of size 5360 bits, under the adaptive root assumption over class groups of imaginary quadratic orders against adversaries with runtime $2^{128}$. At the time of writing, this is the shortest SNARK with public-coin setup. - There exists a non-interactive argument with private-coin setup, where proofs consist of 2 group elements and 3 field elements, in the generic bilinear group model

A Subversion-Resistant SNARK

While succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs) are widely studied, the question of what happens when the CRS has been subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer and Scafuro showed the first negative and positive results in this direction, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero knowledge at the same time. On the positive side, they constructed an involved sound and subversion zero-knowledge argument system for NP. We show that Groth\u27s zk-SNARK for \textsc{Circuit-SAT} from EUROCRYPT 2016 can be made computationally knowledge-sound and perfectly composable Sub-ZK with minimal changes. We just require the CRS trapdoor to be extractable and the CRS to be publicly verifiable. To achieve the latter, we add some new elements to the CRS and construct an efficient CRS verification algorithm. We also provide a definitional framework for sound and Sub-ZK SNARKs and describe implementation results of the new Sub-ZK SNARK

No-signaling Linear PCPs

In this paper, we give a no-signaling linear probabilistically checkable proof (PCP) system for polynomial-time deterministic computation, i.e., a PCP system for P such that (1) the honest PCP oracle is a linear function and (2) the soundness holds against any (computational) no-signaling cheating prover, who is allowed to answer each query according to a distribution that depends on the entire query set in a certain way. To the best of our knowledge, our construction is the first PCP system that satisfies these two properties simultaneously. As an application of our PCP system, we obtain a 2-message delegating computation scheme by using a known transformation. Compared with the existing 2-message delegating computation schemes that are based on standard cryptographic assumptions, our scheme requires preprocessing but has a simpler structure and makes use of different (possibly cheaper) standard cryptographic primitives, namely additive/multiplicative homomorphic encryption schemes

Minimising Communication in Honest-Majority MPC by Batchwise Multiplication Verification

In this paper, we present two new and very communication-efficient protocols for maliciously secure multi-party computation over fields in the honest-majority setting with abort. Our first protocol improves a recent protocol by Lindell and Nof. Using the so far overlooked tool of batchwise multiplication verification, we speed up their technique for checking correctness of multiplications (with some other improvements), reducing communication by 2x to 7x. In particular, in the 3PC setting, each party sends only two field elements per multiplication. We also show how to achieve fairness, which Lindell and Nof left as an open problem. Our second protocol again applies batchwise multiplication verification, this time to perform 3PC by letting two parties perform the SPDZ protocol using triples generated by a third party and verified batchwise. In this protocol, each party sends only 4/3 field elements during the online phase and 5/3 field elements during the preprocessing phase

TUNEL – an efficient prognosis predictor of salivary malignancies

Biological markers are necessary for predicting prognosis of salivary malignancies and better understanding the pathogenesis of salivary cancer. We analysed terminal deoxynucleotidyl transferase (TdT)-mediated biotinylated deoxyuridine-triphosphate (dUTP)-biotin nick-end labelling (TUNEL), p53 and Ki67 expression in 66 patients with malignant salivary tumours by immonohistochemistry, and correlated the data with survival, disease-free survival, tumour grade, stage, and local and distant metastasis. TUNEL efficiently predicted poor prognosis in salivary malignancies. The 5-year (5Y) survival probability dropped significantly with the level of TUNEL staining (from 83% in negatively stained tumours to 57 and 24% in TUNEL positively stained levels 1 and 2, respectively), (P=0.042). Extensive Ki67 staining (in addition to TUNEL) reduced the 5Y-survival rate even further and addition of positively stained p53 dropped the 5Y-survival rate to 0. The correlation rates between TUNEL and Ki67 was 58% (P=0.0001), and between TUNEL and p53 it was 50% (P=0.035). Concurrently, TUNEL correlated with metastasis, extracapsular spread, grade and stage. The correlation between TUNEL, p53 and Ki67 staining and survival probabilities, and the pathological grade, stage and metastasis spread of salivary malignancies makes this a highly effective tool in patient follow-up and prognosis

Non-Interactive Zero-Knowledge Proofs for Composite Statements

The two most common ways to design non-interactive zero-knowledge (NIZK) proofs are based on Sigma protocols and QAP-based SNARKs. The former is highly efficient for proving algebraic statements while the latter is superior for arithmetic representations. Motivated by applications such as privacy-preserving credentials and privacy-preserving audits in cryptocurrencies, we study the design of NIZKs for composite statements that compose algebraic and arithmetic statements in arbitrary ways. Specifically, we provide a framework for proving statements that consist of ANDs, ORs and function compositions of a mix of algebraic and arithmetic components. This allows us to explore the full spectrum of trade-offs between proof size, prover cost, and CRS size/generation cost. This leads to proofs for statements of the form: knowledge of $x$ such that $SHA(g^x)=y$ for some public $y$ where the prover\u27s work is 500 times fewer exponentiations compared to a QAP-based SNARK at the cost of increasing the proof size to 2404 group and field elements. In application to anonymous credentials, our techniques result in 8 times fewer exponentiations for the prover at the cost of increasing the proof size to 298 elements