
    Hadamard Product Argument from Lagrange-Based Univariate Polynomials

    The Hadamard product is the point-wise product of two vectors. This paper presents a new scheme to prove a Hadamard-product relation as a sub-protocol for SNARKs based on univariate polynomials. The prover uses a linear number of cryptographic operations to generate a proof consisting of a logarithmic number of field elements. Verification takes a logarithmic number of cryptographic operations with a constant number of pairings in a bilinear group. The construction is based on Lagrange-based KZG commitments (Kate, Zaverucha, and Goldberg at Asiacrypt 2010) and the folding technique. We construct an inner-product protocol by applying the folding technique to univariate polynomials in Lagrange form, and by carefully choosing random polynomials suitable for folding, we construct a Hadamard-product protocol from the inner-product protocol. This gives an alternative way to prove linear algebra relations in linear time, and the protocol has a better concrete proof size than previous works.

    Ghostor: Toward a Secure Data-Sharing System from Decentralized Trust

    Data-sharing systems are often used to store sensitive data. Both academia and industry have proposed numerous solutions to protect user privacy and data integrity from a compromised server. Practical state-of-the-art solutions, however, use weak threat models based on centralized trust: they assume that part of the server will remain uncompromised, or that the adversary will not perform active attacks. We propose Ghostor, a data-sharing system that, using only decentralized trust, (1) hides user identities from the server, and (2) allows users to detect server-side integrity violations. To achieve (1), Ghostor avoids keeping any per-user state at the server, requiring us to redesign the system to avoid common paradigms like per-user authentication and user-specific mailboxes. To achieve (2), Ghostor develops a technique called verifiable anonymous history. Ghostor leverages a blockchain rarely, publishing only a single hash to the blockchain for the entire system once every epoch. We measured that Ghostor incurs a 4–5x throughput overhead compared to an insecure baseline. Although significant, Ghostor's overhead may be worth it for security- and privacy-sensitive applications.

    A Succinct Range Proof for Polynomial-based Vector Commitment

    A range proof is a protocol by which a prover convinces a verifier that a committed number lies in a specified range, such as $[0,2^n)$, without disclosing the actual value. Range proofs find extensive application in various domains. However, the efficiency of many existing schemes diminishes significantly when confronted with batch proofs encompassing multiple elements. To improve scalability and efficiency, we propose MissileProof, a vector range proof scheme proving that every element in the committed vector is within $[0,2^n)$. We first reduce this argument to a bi-to-univariate SumCheck problem and a bivariate polynomial ZeroTest problem. Then, generalizing the idea of the univariate SumCheck PIOP, we design a bi-to-univariate SumCheck PIOP. By introducing a random polynomial, we construct the bivariate polynomial ZeroTest from a univariate polynomial ZeroTest and a univariate polynomial SumCheck PIOP. Finally, combining the PIOP for vector range proof, a KZG-based polynomial commitment scheme and the Fiat-Shamir transformation, we obtain a zero-knowledge succinct non-interactive vector range proof. Compared with existing schemes, our scheme has optimal proof size ($O(1)$), optimal commitment length ($O(1)$), and optimal verification time ($O(1)$), at the expense of a slightly higher proving time ($O(l\log l\cdot n\log n)$ operations on the prime field for FFT and $O(ln)$ group exponentiations in $\mathbb{G}$). Moreover, we implemented an anti-money-laundering stateless blockchain based on MissileProof. The gas consumption of the verification smart contract is reduced by 85%.

    Non-Interactive Differentially Anonymous Router

    A recent work by Shi and Wu (Eurocrypt'21) suggested a new, non-interactive abstraction for anonymous routing, coined Non-Interactive Anonymous Router (NIAR). They show how to construct a NIAR scheme with succinct communication from bilinear groups. Unfortunately, the router needs to perform quadratic computation (in the number of senders/receivers) to perform each routing. In this paper, we show that if one is willing to relax the security notion to $(\epsilon,\delta)$-differential privacy, henceforth also called $(\epsilon,\delta)$-differential anonymity, then a non-interactive construction exists with subquadratic router computation, also assuming standard hardness assumptions in bilinear groups. Moreover, even when a $1 - 1/\mathrm{poly}\log n$ fraction of the senders are corrupt, we can attain strong privacy parameters where $\epsilon = O(1/\mathrm{poly}\log n)$ and $\delta = \mathrm{negl}(n)$.

    Ceno: Non-uniform, Segment and Parallel Zero-knowledge Virtual Machine

    In this paper, we explore a novel Zero-knowledge Virtual Machine (zkVM) framework leveraging succinct, non-interactive zero-knowledge proofs for verifiable computation over any code. Our approach divides the program execution proof into two stages. In the first stage, the process breaks program execution down into segments, identifying and grouping identical sections. These segments are then proved through data-parallel circuits that allow for varying amounts of duplication. In the subsequent stage, the verifier examines these segment proofs, reconstructing the program's control and data flow based on the segments' duplication number and the original program. The second stage can be further attested by a uniform recursive proof. We propose two specific designs of this concept, where segmentation and parallelization happen at two levels: opcode and basic block. Both designs try to minimize control flow that affects the circuit size and support dynamic copy numbers, ensuring that computational costs directly correlate with the actual code executed (i.e., you only pay as much as you use). In our second design, in particular, by proposing an innovative data-flow reconstruction technique in the second stage, we can drastically cut down on stack operations even compared to the original program execution. Note that the two designs are complementary rather than mutually exclusive. Integrating both approaches in the same zkVM could unlock more significant potential for accommodating diverse program patterns. We present an asymmetric GKR scheme to implement our designs, pairing a non-uniform prover and a uniform verifier to generate proofs for dynamic-length data-parallel circuits. The use of a GKR prover also significantly reduces the size of the commitment: GKR allows us to commit only to the circuit's input and output, whereas in Plonkish-based solutions the prover needs to commit to all the witnesses.

    Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS

    We present a methodology to construct preprocessing zkSNARKs where the structured reference string (SRS) is universal and updatable. This exploits a novel use of *holography* [Babai et al., STOC 1991], where fast verification is achieved provided the statement being checked is given in encoded form. We use our methodology to obtain a preprocessing zkSNARK where the SRS has linear size and arguments have constant size. Our construction improves on Sonic [Maller et al., CCS 2019], the prior state of the art in this setting, in all efficiency parameters: proving is an order of magnitude faster and verification is thrice as fast, even with smaller SRS size and argument size. Our construction is most efficient when instantiated in the algebraic group model (also used by Sonic), but we also demonstrate how to realize it under concrete knowledge assumptions. We implement and evaluate our construction. The core of our preprocessing zkSNARK is an efficient *algebraic holographic proof* (AHP) for rank-1 constraint satisfiability (R1CS) that achieves linear proof length and constant query complexity.

    Merkle^2: A Low-Latency Transparency Log System

    Transparency logs are designed to help users audit untrusted servers. For example, Certificate Transparency (CT) enables users to detect when a compromised Certificate Authority (CA) has issued a fake certificate. Practical state-of-the-art transparency log systems, however, suffer from high monitoring costs when used for low-latency applications. To reduce monitoring costs, such systems often require users to wait an hour or more for their updates to take effect, inhibiting low-latency applications. We propose Merkle^2, a transparency log system that supports both efficient monitoring and low-latency updates. To achieve this goal, we construct a new multi-dimensional, authenticated data structure that nests two types of Merkle trees, hence the name of our system, Merkle^2. Using this data structure, we then design a transparency log system with efficient monitoring and lookup protocols that enable low-latency updates. In particular, all the operations in Merkle^2 are independent of update intervals and are (poly)logarithmic in the number of entries in the log. Merkle^2 not only has excellent asymptotics when compared to prior work, but is also efficient in practice. Our evaluation shows that Merkle^2 propagates updates in as little as 1 second and can support 100× more users than state-of-the-art transparency logs.

    Identification of the Genes Involved in Riemerella anatipestifer Biofilm Formation by Random Transposon Mutagenesis

    Riemerella anatipestifer causes epizootics of infectious disease in poultry that result in serious economic losses to the duck industry. Our previous studies have shown that some strains of R. anatipestifer can form a biofilm, and this may explain the intriguing persistence of R. anatipestifer on duck farms post infection. In this study we used strain CH3, a strong producer of biofilm, to construct a library of random Tn4351 transposon mutants in order to investigate the genetic basis of biofilm formation by R. anatipestifer on abiotic surfaces. A total of 2,520 mutants were obtained, and 39 of them showed a reduction in biofilm formation of 47%–98% as measured by crystal violet staining. Genetic characterization of the mutants led to the identification of 33 genes. Of these, 29 genes are associated with information storage and processing, as well as basic cellular processes and metabolism; the function of the other four genes is currently unknown. In addition, mutant strain BF19, in which biofilm formation was reduced by 98% following insertion of the Tn4351 transposon at the dihydrodipicolinate synthase (dhdps) gene, was complemented with the shuttle plasmid pCP-dhdps. The complemented mutant strain was restored to 92.6% of the biofilm formation of the wild-type strain CH3, which indicates that the dhdps gene is associated with biofilm formation. It is inferred that such complementation applies also to other mutant strains. Furthermore, some biological characteristics of biofilm-defective mutants were investigated, indicating that the genes disrupted in the mutant strains function in the biofilm formation of R. anatipestifer. Deletion of any one of these genes will stall biofilm formation at a specific stage, thus preventing further biofilm development. In addition, the tested biofilm-defective mutants had different adherence capacity to Vero cells. This study will help us to understand the molecular mechanisms of biofilm development by R. anatipestifer and to study the pathogenesis of R. anatipestifer further.