
    LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs

    We study the problem of building SNARKs modularly by linking small specialized “proof gadget” SNARKs in a lightweight manner. Our motivation is both theoretical and practical. On the theoretical side, modular SNARK designs would be flexible and reusable. In practice, specialized SNARKs have the potential to be more efficient than general-purpose schemes, on which most existing works have focused. If a computation naturally presents different “components” (e.g. one arithmetic circuit and one boolean circuit), a general-purpose scheme would homogenize them to a single representation with a subsequent cost in performance. Through a modular approach one could instead exploit the nuances of a computation and choose the best gadget for each component. Our contribution is LegoSNARK, a toolbox (or framework) for commit-and-prove zkSNARKs (CP-SNARKs) that includes: 1) General composition tools: build new CP-SNARKs from proof gadgets for basic relations simply. 2) A lifting tool: add commit-and-prove capabilities to a broad class of existing zkSNARKs efficiently. This makes them interoperable (linkable) within the same computation. For example, one QAP-based scheme can be used to prove one component; another GKR-based scheme can be used to prove another. 3) A collection of succinct proof gadgets for a variety of relations. Additionally, through our framework and gadgets, we are able to obtain new succinct proof systems. Notably: – LegoGro16, a commit-and-prove version of the Groth16 zkSNARK, that operates over data committed with a classical Pedersen vector commitment, and that achieves a 5000× speedup in proving time. – LegoUAC, a pairing-based SNARK for arithmetic circuits that has a universal, circuit-independent CRS, and proving time linear in the number of circuit gates (vs. the recent scheme of Groth et al. (CRYPTO'18) with quadratic CRS and quasilinear proving time). – CP-SNARKs for matrix multiplication that achieve optimal proving complexity. 4) A codebase written in C++ for highly composable zkSNARKs with commit-and-prove capabilities, available at https://github.com/imdea-software/legosnark

    Witness Encryption for Succinct Functional Commitments and Applications

    Witness encryption (WE), introduced by Garg, Gentry, Sahai, and Waters (STOC 2013), allows one to encrypt a message to a statement x for some NP language L, such that any user holding a witness for x ∈ L can decrypt the ciphertext. The extreme power of this primitive comes at the cost of its elusiveness: a practical construction from established cryptographic assumptions is currently out of reach. In this work we introduce and construct a new notion of encryption that has a strong flavor of WE and that, crucially, we can build from well-studied assumptions (based on bilinear pairings) for interesting classes of computation. Our new notion, witness encryption for (succinct) functional commitment, takes inspiration from a prior weakening of witness encryption introduced by Benhamouda and Lin (TCC 2020). In a nutshell, theirs is a WE where: the encryption statement consists of a (non compressible) commitment cm, a function G and a value y; the decryption witness consists of a (non succinct) NIZK proof about the fact that cm opens to v such that y = G(v). Benhamouda and Lin showed how to apply this primitive to obtain MPC with non-interactive and reusability properties, dubbed mrNISC, replacing the requirement of WE in existing round-collapsing techniques. Our new WE-like notion is motivated by supporting both commitments of a fixed size and fixed decryption complexity, independent of |v|, in contrast to the work by Benhamouda and Lin where this complexity is linear. As a byproduct, our efficiency profile substantially improves the offline stage of mrNISC protocols. Our work solves the additional challenges that arise from relying on computationally binding commitments and computational soundness (of functional commitments), as opposed to statistical binding and unconditional soundness (of NIZKs), used in Benhamouda and Lin's work. To tackle them, we not only modify their basic blueprint, but also model and instantiate different types of projective hash functions as building blocks. Furthermore, as one of our main contributions, we show the first pairing-based construction of functional commitments for NC1 circuits with linear verification. Our techniques are of independent interest and may highlight new avenues to design practical variants of witness encryption. As an additional contribution, we show that our new WE-flavored primitive and its efficiency properties are versatile: we discuss its further applications and show how to extend this primitive to better suit these settings.

    Lookup Arguments: Improvements, Extensions and Applications to Zero-Knowledge Decision Trees

    Lookup arguments allow one to prove that the elements of a committed vector come from a (bigger) committed table. They enable novel approaches to reduce the prover complexity of general-purpose zkSNARKs, implementing “non-arithmetic operations” such as range checks, XOR and AND more efficiently. We extend the notion of lookup arguments along two directions and improve their efficiency: (1) we extend vector lookups to matrix lookups (where we can prove that a committed matrix is a submatrix of a committed table). (2) We consider the notion of zero-knowledge lookup argument that keeps the privacy of both the sub-vector/sub-matrix and the table. (3) We present new zero-knowledge lookup arguments, dubbed cq+, zkcq+ and cq++, more efficient than the state of the art, namely the recent work by Eagen, Fiore and Gabizon named cq. Finally, we give a novel application of zero-knowledge matrix lookup arguments to the domain of zero-knowledge decision trees, where the model provider releases a commitment to a decision tree and can prove in zero-knowledge statistics over the committed data structure. Our scheme based on lookup arguments has succinct verification, prover time complexity asymptotically better than the state of the art, and is secure in a strong security model where the commitment to the decision tree can be malicious.

    Lunar: a Toolbox for More Efficient Universal and Updatable zkSNARKs and Commit-and-Prove Extensions

    We address the problem of constructing zkSNARKs whose SRS is universal (valid for all relations within a size bound) and updatable (a dynamic set of participants can add secret randomness to it indefinitely, thus increasing confidence in the setup). We investigate formal frameworks and techniques to design efficient universal updatable zkSNARKs with linear-size SRS and their commit-and-prove variants. We achieve a collection of zkSNARKs with different tradeoffs. One of our constructions achieves the smallest proof size and proving time compared to the state of the art for proofs for arithmetic circuits. The language supported by this scheme is a variant of R1CS, called R1CS-lite, introduced by this work. Another of our constructions supports standard R1CS directly and improves on previous work, achieving the fastest proving time for this type of constraint system. We achieve this result via the combination of different contributions: (1) a new algebraically-flavored variant of IOPs that we call Polynomial Holographic IOPs (PHPs), (2) a new compiler that combines our PHPs with commit-and-prove zkSNARKs for committed polynomials, (3) pairing-based realizations of these CP-SNARKs for polynomials, (4) constructions of PHPs for R1CS and R1CS-lite, (5) a variant of the compiler that yields a commit-and-prove universal zkSNARK.

    Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular

    We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e., for some u, “u ∈ S and P(u) holds”. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new modular and efficient constructions for this problem through new commit-and-prove zero-knowledge systems for set membership, i.e. schemes proving u ∈ S for a value u that is in a public commitment c_u. We also extend our results to support non-membership proofs, i.e. proving u ∉ S. Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form “u ∈ S and P(u) holds” by combining our set (non-)membership systems with any other commit-and-prove scheme for P(u). Also, they work with Pedersen commitments over prime order groups, which makes them compatible with popular systems such as Bulletproofs or Groth16. We implemented our schemes as a software library, and tested their performance experimentally. Compared to previous work that achieves similar properties (the clever techniques combining zkSNARKs and Merkle trees in Zcash), our solutions offer more flexibility, shorter public parameters and 3.7× to 30× faster proving time for a set of size 2^64.

    Succinct Zero-Knowledge Batch Proofs for Set Accumulators

    Cryptographic accumulators are a common solution to proving information about a large set S. They allow one to compute a short digest of S and short certificates of some of its basic properties, notably membership of an element. Accumulators also allow one to track set updates: a new accumulator is obtained by inserting/deleting a given element. In this work we consider the problem of generating membership and update proofs for batches of elements so that we can succinctly prove additional properties of the elements (i.e., proofs are of constant size regardless of the batch size), and we can preserve privacy. Solving this problem would allow obtaining blockchain systems with improved privacy and scalability. The state-of-the-art approach to achieve this goal is to combine accumulators (typically Merkle trees) with zkSNARKs. This solution is however expensive for provers and does not scale for large batches of elements. In particular, there is no scalable solution for proving batch membership proofs when we require zero-knowledge (a standard definition of privacy-preserving protocols). In this work we propose new techniques to efficiently use zkSNARKs with RSA accumulators. We design and implement two main schemes: 1) harisa, which proves batch membership in zero-knowledge; 2) insarisa, which proves batch updates. For batch membership, the prover in harisa is orders of magnitude faster than existing approaches based on Merkle trees (depending on the hash function). For batch updates we get similar cost savings compared to approaches based on Merkle trees; we also improve over the recent solution of Ozdemir et al. [USENIX'20].

    The LIFE TRIAD of emergency general surgery

    Emergency General Surgery (EGS) was identified as multidisciplinary surgery performed for traumatic and non-traumatic acute conditions during the same admission in the hospital by general emergency surgeons and other specialists. It is the most diffused surgical discipline in the world. To live and grow strong, EGS necessitates three fundamental parts: emergency and elective continuous surgical practice, evidence generation through clinical registries and data accrual, and indications and guidelines production: the LIFE TRIAD. Peer reviewed.

    Management of acute diverticulitis with pericolic free gas (ADIFAS): an international multicenter observational study

    Background: There are no specific recommendations regarding the optimal management of this group of patients. The World Society of Emergency Surgery suggested a nonoperative strategy with antibiotic therapy, but this was a weak recommendation. This study aims to identify the optimal management of patients with acute diverticulitis (AD) presenting with pericolic free air with or without pericolic fluid. Methods: A multicenter, prospective, international study of patients diagnosed with AD and pericolic free air with or without pericolic free fluid on a computed tomography (CT) scan between May 2020 and June 2021. Patients were excluded if they had intra-abdominal distant free air, an abscess, generalized peritonitis, or less than a 1-year follow-up. The primary outcome was the rate of failure of nonoperative management within the index admission. Secondary outcomes included the rate of failure of nonoperative management within the first year and risk factors for failure. Results: A total of 810 patients were recruited across 69 European and South American centers; 744 patients (92%) were treated nonoperatively, and 66 (8%) underwent immediate surgery. Baseline characteristics were similar between groups. Hinchey II-IV on diagnostic imaging was the only independent risk factor for surgical intervention during index admission (odds ratio: 12.5, 95% CI: 2.4-64, P = 0.003). Among patients treated nonoperatively, at index admission, 697 (94%) patients were discharged without any complications, 35 (4.7%) required emergency surgery, and 12 (1.6%) percutaneous drainage. Free pericolic fluid on CT scan was associated with a higher risk of failure of nonoperative management (odds ratio: 4.9, 95% CI: 1.2-19.9, P = 0.023), with 88% success compared to 96% without free fluid (P < 0.001). The rate of treatment failure with nonoperative management during the first year of follow-up was 16.5%. Conclusion: Patients with AD presenting with pericolic free gas can be successfully managed nonoperatively in the vast majority of cases. Patients with both free pericolic gas and free pericolic fluid on a CT scan are at a higher risk of failing nonoperative management and require closer observation.

    Evolving trends in the management of acute appendicitis during COVID-19 waves. The ACIE appy II study

    Background: In 2020, the ACIE Appy study showed that the COVID-19 pandemic heavily affected the management of patients with acute appendicitis (AA) worldwide, with an increased rate of non-operative management (NOM) strategies and a trend toward open surgery due to concern about virus transmission by laparoscopy and controversial recommendations on this issue. The aim of this study was to survey again the same group of surgeons to assess whether any difference in management attitudes toward AA had occurred in the later stages of the outbreak. Methods: From August 15 to September 30, 2021, an online questionnaire was sent to all 709 participants of the ACIE Appy study. The questionnaire included questions on personal protective equipment (PPE), local policies and screening for SARS-CoV-2 infection, NOM, surgical approach and disease presentations in 2021. The results were compared with the results from the previous study. Results: A total of 476 answers were collected (response rate 67.1%). Screening policies were significantly improved, with most patients screened regardless of symptoms (89.5% vs. 37.4%) and PCR and antigenic tests as the preferred tests (74.1% vs. 26.3%). More patients tested positive before surgery, and commercial systems were the preferred ones to filter smoke plumes during laparoscopy. Laparoscopic appendicectomy was the first option in the treatment of AA, with a declined use of NOM. Conclusion: Management of AA has improved in the last waves of the pandemic. Increased evidence regarding SARS-CoV-2 infection along with a timely healthcare system response has been translated into tailored attitudes and better care for patients with AA worldwide.