
    Linear-Time Arguments with Sublinear Verification from Tensor Codes

    Minimizing the computational cost of the prover is a central goal in the area of succinct arguments. In particular, it remains a challenging open problem to construct a succinct argument where the prover runs in linear time and the verifier runs in polylogarithmic time. We make progress towards this goal by presenting a new linear-time probabilistic proof. For any fixed $\epsilon > 0$, we construct an interactive oracle proof (IOP) that, when used for the satisfiability of an $N$-gate arithmetic circuit, has a prover that uses $O(N)$ field operations and a verifier that uses $O(N^{\epsilon})$ field operations. The sublinear verifier time is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time). When combined with a linear-time collision-resistant hash function, our IOP immediately leads to an argument system where the prover performs $O(N)$ field operations and hash computations, and the verifier performs $O(N^{\epsilon})$ field operations and hash computations (given a short digest of the $N$-gate circuit).

    Phase I and pharmacokinetic study of the polyamine synthesis inhibitor SAM486A in combination with 5-fluorouracil/leucovorin in metastatic colorectal cancer

    Purpose: The purpose of our study was to determine the maximum-tolerated dose, dose-limiting toxicity, safety profile, and pharmacokinetics of the polyamine synthesis inhibitor SAM486A given in combination with 5-fluorouracil/leucovorin (5-FU/LV) in cancer patients. Experimental Design: Patients with advanced colorectal cancer were treated with 5-FU [bolus (400 mg/m(2)) followed by a 22-h infusion (600 mg/m(2))] and LV (200 mg/m(2)) and escalating doses of SAM486A, 1-3-h infusion daily for 3 days. Plasma sampling was performed to characterize the pharmacokinetics and pharmacodynamics of the combination. Results: Twenty-seven patients with metastatic colorectal cancer and 1 with pseudomyxoma peritonei were treated. Twenty-six patients received SAM486A in the combination at doses ranging from 25 to 150 mg/m(2)/day. Dose-limiting toxicity consisting of fatigue grade 3 was seen at 150 mg/m(2)/day. Other adverse events included neutropenia, hand and foot syndrome, nausea, vomiting, diarrhea, and constipation. Fifteen of 26 patients evaluable for best response according to the Southwest Oncology Group criteria achieved a partial response [8 (30%) of 26] or stable disease [9 (35%) of 26]. SAM486A did not influence the pharmacokinetics of 5-FU, and SAM486A clearance was similar to that when used as a single agent. Conclusions: The novel molecular agent SAM486A is tolerable and safe in combination with a standard 5-FU regimen in patients with advanced colorectal cancer. The dose of SAM486A recommended for additional studies with this combination is 125 mg/m(2)/day. A disease-directed evaluation of SAM486A using this regimen is warranted.

    Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications

    We devise new techniques for design and analysis of efficient lattice-based zero-knowledge proofs (ZKP). First, we introduce one-shot proof techniques for non-linear polynomial relations of degree $k \ge 2$, where the protocol achieves a negligible soundness error in a single execution, and thus performs significantly better in both computation and communication compared to prior protocols requiring multiple repetitions. Such proofs with degree $k \ge 2$ have been crucial ingredients for important privacy-preserving protocols in the discrete logarithm setting, such as Bulletproofs (IEEE S&P '18) and arithmetic circuit arguments (EUROCRYPT '16). In contrast, one-shot proofs in lattice-based cryptography have previously only been shown for the linear case ($k=1$) and a very specific quadratic case ($k=2$), which are obtained as a special case of our technique. Moreover, we introduce two speedup techniques for lattice-based ZKPs: a CRT-packing technique supporting "inter-slot" operations, and "NTT-friendly" tools that permit the use of fully-splitting rings. The former technique comes at almost no cost to the proof length, and the latter one barely increases it, which can be compensated for by tweaking the rejection sampling parameters while still having faster computation overall. To illustrate the utility of our techniques, we show how to use them to build efficient relaxed proofs for important relations, namely proof of commitment to bits, one-out-of-many proof, range proof and set membership proof. Despite their relaxed nature, we further show how our proof systems can be used as building blocks for advanced cryptographic tools such as ring signatures. Our ring signature achieves a dramatic improvement in length over all the existing proposals from lattices at the same security level. The computational evaluation also shows that our construction is highly likely to outperform all the relevant works in running times. Being efficient in both aspects, our ring signature is particularly suitable for both small-scale and large-scale applications such as cryptocurrencies and e-voting systems. No trusted setup is required for any of our proposals.

    A New Approach to Modelling Centralised Reputation Systems

    A reputation system assigns a user or item a reputation value which can be used to evaluate trustworthiness. Blömer, Juhnke and Kolb in 2015, and Kaafarani, Katsumata and Solomon in 2018, gave formal models for centralised reputation systems, which rely on a central server and are widely used by service providers such as AirBnB, Uber and Amazon. In these models, reputation values are given to items, instead of users. We advocate a need for a shift in how reputation systems are modelled, whereby reputation values are given to users, instead of items, and each user has unlinkable items that other users can give feedback on, contributing to their reputation value. This setting is not captured by the previous models, and we argue it captures more realistically the functionality and security requirements of a reputation system. We provide definitions for this new model, and give a construction from standard primitives, proving it satisfies these security requirements. We show that there is a low efficiency cost for this new functionality.

    Accountable Tracing Signatures from Lattices

    Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since its introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements on security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power, i.e., he can indiscriminately revoke anonymity and there is no mechanism to keep him accountable. To overcome this problem, Kohlweiss and Miers (PoPET 2015) introduced the notion of accountable tracing signatures (ATS) - an enhanced group signature variant in which the opening authority is kept accountable for his actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date. In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system allowing one to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols. Comment: CT-RSA 201

    Oblivious PRF on Committed Vector Inputs and Application to Deduplication of Encrypted Data

    Ensuring secure deduplication of encrypted data is a very active topic of research because deduplication is effective at reducing storage costs. Schemes supporting deduplication of encrypted data that are not vulnerable to content guessing attacks (such as Message Locked Encryption) have been proposed recently [Bellare et al. 2013, Li et al. 2015]. However, in all these schemes there is a key derivation phase that solely depends on a short hash of the data and not the data itself. Therefore, a file-specific key can be obtained by anyone possessing the hash. Since hash values are usually not meant to be secret, a desired solution will be a more robust oblivious key generation protocol where file hashes need not be kept private. Motivated by this use-case, we propose a new primitive for oblivious pseudorandom function (OPRF) on committed vector inputs in the universally composable (UC) framework. We formalize this functionality as $\mathcal{F}_\mathsf{OOPRF}$, where $\mathsf{OOPRF}$ stands for Ownership-based Oblivious PRF. $\mathcal{F}_\mathsf{OOPRF}$ produces a unique random key on input a vector digest provided the client proves knowledge of a (parametrisable) number of random positions of the input vector. To construct an efficient $\mathsf{OOPRF}$ protocol, we carefully combine a hiding vector commitment scheme, a variant of the PRF scheme of Dodis-Yampolskiy [Dodis et al. 2005] and a homomorphic encryption scheme glued together with concrete, efficient instantiations of proofs of knowledge. To the best of our knowledge, our work shows for the first time how these primitives can be combined in a secure, efficient and useful way. We also propose a new vector commitment scheme with constant sized public parameters but $(\log n)$ size witnesses, where $n$ is the length of the committed vector. This can be of independent interest.

    A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge

    Today's most compact zero-knowledge arguments are based on the hardness of the discrete logarithm problem and related classical assumptions. If one is interested in quantum-safe solutions, then all of the known techniques stem from the PCP-based framework of Kilian (STOC 92) which can be instantiated based on the hardness of any collision-resistant hash function. Both approaches produce asymptotically logarithmic sized arguments but, by exploiting extra algebraic structure, the discrete logarithm arguments are a few orders of magnitude more compact in practice than the generic constructions. In this work, we present the first (poly)-logarithmic, potentially post-quantum zero-knowledge arguments that deviate from the PCP approach. At the core of succinct zero-knowledge proofs are succinct commitment schemes (in which the commitment and the opening proof are sub-linear in the message size), and we propose two such constructions based on the hardness of the (Ring)-Short Integer Solution (Ring-SIS) problem, each having certain trade-offs. For commitments to $N$ secret values, the communication complexity of our first scheme is $\tilde{O}(N^{1/c})$ for any positive integer $c$, and $O(\log^2 N)$ for the second. Both of these are a significant theoretical improvement over the previously best lattice construction by Bootle et al. (CRYPTO 2018) which gave $O(\sqrt{N})$-sized proofs.

    Highly-Efficient Fully-Anonymous Dynamic Group Signatures

    Group signatures are a central tool in privacy-enhancing cryptography, which allow members of a group to anonymously produce signatures on behalf of the group. Consequently, they are an attractive means to implement privacy-friendly authentication mechanisms. Ideally, group signatures are dynamic and thus allow new members to be enrolled into a group dynamically and concurrently. For such schemes, Bellare et al. (CT-RSA '05) proposed the currently strongest security model (BSZ model). This model, in particular, ensures desirable anonymity guarantees. Given the prevalence of the resource asymmetry in current computing scenarios, i.e., a multitude of (highly) resource-constrained devices are communicating with powerful (cloud-powered) services, it is of utmost importance to have group signatures that are highly efficient and can be deployed in such scenarios. Satisfying these requirements in particular means that the signing (client) operations are lightweight. We propose a novel, generic approach to construct dynamic group signature schemes, being provably secure in the BSZ model and particularly suitable for resource-constrained devices. Our results are interesting for various reasons: We can prove our construction secure without requiring random oracles. Moreover, when opting for an instantiation in the random oracle model (ROM), the resulting scheme is extremely efficient and outperforms the fastest constructions providing anonymity in the BSZ model - which also rely on the ROM - known to date. Regarding constructions providing a weaker anonymity notion than BSZ, we surprisingly outperform the popular short BBS group signature scheme (CRYPTO '04; also proven secure in the ROM) and thereby even obtain shorter signatures. We provide a rigorous comparison with existing schemes that highlights the benefits of our scheme. On a more theoretical side, we provide the first construction following the without encryption paradigm introduced by Bichsel et al. (SCN '10) in the strong BSZ model.