
    An Algebraic Framework for Universal and Updatable SNARKs

    We introduce Checkable Subspace Sampling (CSS) Arguments, a new information-theoretic interactive proof system in which the prover shows that a vector has been sampled in a subspace according to the verifier's coins. We show that this primitive provides a unifying view that explains the technical core of most constructions of universal and updatable pairing-based (zk)SNARKs. This characterization is extended to a fully algebraic framework for designing such SNARKs in a modular way. We propose new constructions of CSS arguments that lead to SNARKs with different performance trade-offs. Our most efficient construction, Basilisk, seems to have the smallest proof size in the literature, although it pays a price in terms of the structured reference string for the number of multiplicative gates whose fan-out exceeds a certain bound.

    Folding Schemes with Selective Verification

    In settings such as delegation of computation, where a prover is doing computation as a service for many verifiers, it is important to amortize the prover's costs without increasing those of the verifier. We introduce folding schemes with selective verification. Such a scheme allows a prover to aggregate $m$ NP statements $x_i \in \mathcal{L}$ into a single statement $x \in \mathcal{L}$. Knowledge of a witness for $x$ implies knowledge of witnesses for all $m$ statements. Furthermore, each statement can be individually verified by asserting the validity of the aggregated statement and an individual proof $\pi$ with size sublinear in the number of aggregated statements. In particular, verification of statement $x_i$ does not require reading (or even knowing) all the aggregated statements. We demonstrate natural folding schemes for various languages: inner product relations, vector and polynomial commitment openings, and the relaxed R1CS of NOVA. All these constructions incur a minimal overhead for the prover, comparable to simply reading the statements.

    Certificate-Based Encryption Without Random Oracles

    We present a certificate-based encryption (CBE) scheme which is fully secure in the standard model. Our scheme is based on the identity-based encryption (IBE) scheme of Waters \cite{W05}. Although some generic constructions from IBE to CBE have been previously proposed, they use the Random Oracle heuristic or provide less practical schemes than ours. Finally, we point out that one of the existing generic constructions going from IBE to CBE is flawed.

    DEMOS-2: Scalable E2E verifiable elections without random oracles

    Recently, Kiayias, Zacharias and Zhang proposed a new E2E verifiable e-voting system called 'DEMOS' that for the first time provides E2E verifiability without relying on external sources of randomness or the random oracle model; the main advantage of such a system is that election auditors need only the election transcript and the feedback from the voters to pronounce the election process unequivocally valid. Unfortunately, DEMOS comes with a huge performance and storage penalty for the election authority (EA) compared to other e-voting systems such as Helios. The main reason is that, due to the way the EA forms the proof of the tally result, it is required to {\em precompute} a number of ciphertexts for each voter and each possible choice of the voter. This approach clearly does not scale to elections that have a complex ballot, where voters have a number of ways to vote that is exponential in the number of candidates. The performance penalty on the EA appears to be intrinsic to the approach: voters cannot compute an enciphered ballot themselves because there seems to be no way for them to prove that it is a valid ciphertext. In contrast to the above, in this work we construct a new e-voting system that retains the strong E2E characteristics of DEMOS (but against computational adversaries) while completely eliminating the performance and storage penalty of the EA. We achieve this via a new cryptographic construction that has the EA produce and prove, using voters' coins, the security of a common reference string (CRS) that voters subsequently can use to affix non-interactive zero-knowledge (NIZK) proofs to their ciphertexts. The EA itself uses the CRS to prove via a NIZK the tally correctness at the end. Our construction has similar performance to Helios and is practical. The privacy of our construction relies on the SXDH assumption over bilinear groups via complexity leveraging.

    Baloo: Nearly Optimal Lookup Arguments

    We present Baloo, the first protocol for lookup tables where the prover work is linear in the number of lookups and independent of the size of the table. Baloo is built over the lookup arguments of Caulk and Caulk+, and the framework for linear relations of Ràfols and Zapico. Our protocol supports commit-and-prove expansions: the prover selects the subtable containing the elements used in the lookup, which is unknown to the verifier, commits to it and later proves a relation with the committed element. This feature makes Baloo especially suitable for proving input-output relations of hash functions, and in particular for instantiating the Ethereum Virtual Machine (EVM).

    Linear-map Vector Commitments and their Practical Applications

    Vector commitments (VC) are a cryptographic primitive that allows one to commit to a vector and then "open" some of its positions efficiently. Vector commitments are increasingly recognized as a central tool to scale highly decentralized networks of large size whose content is dynamic. In this work, we examine the demands on the properties that an ideal vector commitment should satisfy in the light of the emerging plethora of practical applications, and propose new constructions that improve the state of the art in several dimensions and offer new trade-offs. We also propose a unifying framework that captures several constructions and show how to generically achieve some properties from more basic ones. On the practical side, we focus on building efficient schemes that do not require a new trusted setup (we can reuse existing ceremonies for pairing-based "powers of tau" run by real-world systems such as ZCash or Filecoin). Our (in-progress) implementation demonstrates that our work outperforms prior schemes with the same properties in efficiency.

    Matrix computational assumptions in multilinear groups

    We put forward a new family of computational assumptions, the Kernel Matrix Diffie-Hellman Assumption. Given some matrix $\mathbf{A}$ sampled from some distribution $\mathcal{D}_{\ell,k}$, the kernel assumption says that it is hard to find "in the exponent"

    External evaluation of 9 collaborative social and health care models in Catalonia

    Collaborative models of social care; External evaluation; Catalonia. In 2013 several regional pilot projects were set up aiming to improve continuity and integration of care for people with health and social needs, to promote a person-centred model of care and to forge stronger bonds between the principal stakeholders involved. Within these collaborative models the principal connection is made between basic social services (which depend on local town and/or county councils) and primary health care teams (which depend on the Catalan Institute of Health and/or other service providers). The Agency for Health Quality and Assessment of Catalonia (AQuAS, as per the Catalan acronym) was responsible for the external evaluation of the 9 collaborative social and health care models. This project uses a qualitative case-study approach to describe and explore integrated health and social care initiatives in Catalonia, and seeks to understand and describe the issue under investigation (collaborative models and their benefits/results) based on the experience and feedback of the professionals involved. It also aims to help identify common features and best practices from these experiences and to acquire a more in-depth understanding of the needs at the different stages of deployment of each model. It is important to bear in mind that this project covers both the evaluation of aspects related to organization and management and the social and health care provision of the collaborative models, with the following objectives: a) to describe the organization and operation of the initiatives identified (principally, the formal collaboration between basic social services and primary health care) and identify best practices; b) to identify the barriers and facilitators of these collaborative models; c) to identify the benefits, expected results and areas for improvement of these collaborative models; d) to propose a conceptual evaluation model and a shared minimum set of indicators.

    Stretching Groth-Sahai: NIZK proofs of partial satisfiability

    Paper presented at: 12th Theory of Cryptography Conference, TCC 2015, held 23-25 March 2015 in Warsaw, Poland. Groth, Ostrovsky and Sahai constructed a non-interactive Zap for NP languages by observing that the common reference string of their proof system for circuit satisfiability admits what they call correlated key generation. The latter means that it is possible to create from scratch two common reference strings in such a way that it can be publicly verified that at least one of them guarantees perfect soundness, while it is computationally infeasible to tell which one. Their technique also implies that it is possible to have NIWI Groth-Sahai proofs for certain types of equations over bilinear groups in the plain model. We extend the result of Groth, Ostrovsky and Sahai in several directions. Given as input some predicate P computable by some monotone span program over a finite field, we show how to generate a set of common reference strings in such a way that it can be publicly verified that the subset of them which guarantees perfect soundness is accepted by the span program. We give several different flavors of the technique suitable for different application scenarios and different equation types. We use this to stretch the expressivity of Groth-Sahai proofs and construct NIZK proofs of partial satisfiability of sets of equations in a bilinear group, and more efficient Groth-Sahai NIWI proofs without a common reference string for a larger class of equation types. Finally, we apply our results to significantly reduce the size of the signatures of the ring signature scheme of Chandran, Groth and Sahai, or to have a more efficient proof in the standard model that a commitment opens to an element of a public list.