130 research outputs found

    Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

    Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art.

    Foundations of Fully Dynamic Group Signatures

    Group signatures are a central cryptographic primitive that has received a considerable amount of attention from the cryptographic community. They allow members of a group to anonymously sign on behalf of the group. Membership is overseen by a designated group manager. There is also a tracing authority that can revoke anonymity by revealing the identity of the signer if and when needed, to enforce accountability and deter abuse. For the primitive to be applicable in practice, it needs to support fully dynamic groups, i.e. users can join and leave at any time. In this work we take a close look at existing security definitions for fully dynamic group signatures. We identify a number of shortcomings in existing security definitions and fill the gap by providing a formal, rigorous security model for the primitive. Our model is general and is not tailored towards a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. In the process, we identify a subtle issue inherent to one design paradigm, where new members might try to implicate older ones by means of back-dated signatures. This is not captured by existing models. We propose some inexpensive fixes for some existing constructions to avoid the issue.

    Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

    We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact. Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.

    Foundations of Fully Dynamic Group Signatures

    Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal, rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing of signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows us to capture such a relaxation of traceability.

    RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security

    In this paper, we propose the most competent blockchain ring confidential transaction protocol (RingCT3.0) for protecting the privacy of the sender's identity, the recipient's identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature size of our RingCT3.0 protocol is 98% less than the ring signature size of the original RingCT1.0 protocol used in Monero. Taking advantage of our compact RingCT3.0 transcript size, privacy-preserving cryptocurrencies can enjoy a much lower transaction fee, which will have a significant impact on the crypto-economy. Our implementation result shows that our protocol outperforms existing solutions in terms of efficiency and security. In addition to the significant improvement in terms of efficiency, our scheme is proven secure in a stronger security model. We remove the trusted setup assumption used in RingCT2.0. Our scheme is anonymous against ring insiders (non-signing users who are included in the ring), while we show that RingCT1.0 is not secure in this strong model. Our RingCT3.0 protocol relies on our newly designed ring signature scheme as an underlying primitive, which is believed to be the most efficient ring signature scheme to date (in terms of signature size) without trusted setup. Our ring signature scheme is derived from our novel design of an efficient set membership proof of n public keys, with a proof size of O(log n). It is the first set membership proof without trusted setup for public keys in the base group, instead of in the exponent. These two primitives are of independent interest.

    Linear-Time Arguments with Sublinear Verification from Tensor Codes

    Minimizing the computational cost of the prover is a central goal in the area of succinct arguments. In particular, it remains a challenging open problem to construct a succinct argument where the prover runs in linear time and the verifier runs in polylogarithmic time. We make progress towards this goal by presenting a new linear-time probabilistic proof. For any fixed ε > 0, we construct an interactive oracle proof (IOP) that, when used for the satisfiability of an N-gate arithmetic circuit, has a prover that uses O(N) field operations and a verifier that uses O(N^ε) field operations. The sublinear verifier time is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time). When combined with a linear-time collision-resistant hash function, our IOP immediately leads to an argument system where the prover performs O(N) field operations and hash computations, and the verifier performs O(N^ε) field operations and hash computations (given a short digest of the N-gate circuit).

    Arya: Nearly linear-time zero-knowledge proofs for correct program execution

    There have been tremendous advances in reducing interaction, communication and verification time in zero-knowledge proofs, but it remains an important challenge to make the prover efficient. We construct the first zero-knowledge proof of knowledge for the correct execution of a program on public and private inputs where the prover computation is nearly linear time. This saves a polylogarithmic factor in asymptotic performance compared to current state-of-the-art proof systems. We use the TinyRAM model to capture general-purpose processor computation. An instance consists of a TinyRAM program and public inputs. The witness consists of additional private inputs to the program. The prover can use our proof system to convince the verifier that the program terminates with the intended answer within given time and memory bounds. Our proof system has perfect completeness, statistical special honest-verifier zero-knowledge, and computational knowledge soundness assuming linear-time computable collision-resistant hash functions exist. The main advantage of our new proof system is asymptotically efficient prover computation. The prover's running time is only a superconstant factor larger than the program's running time in an apples-to-apples comparison where the prover uses the same TinyRAM model. Our proof system is also efficient on the other performance parameters; the verifier's running time and the communication are sublinear in the execution time of the program, and we only use a log-logarithmic number of rounds.

    Phase I and pharmacokinetic study of the polyamine synthesis inhibitor SAM486A in combination with 5-fluorouracil/leucovorin in metastatic colorectal cancer

    Purpose: The purpose of our study was to determine the maximum-tolerated dose, dose-limiting toxicity, safety profile, and pharmacokinetics of the polyamine synthesis inhibitor SAM486A given in combination with 5-fluorouracil/leucovorin (5-FU/LV) in cancer patients. Experimental Design: Patients with advanced colorectal cancer were treated with 5-FU [bolus (400 mg/m(2)) followed by a 22-h infusion (600 mg/m(2))] and LV (200 mg/m(2)) and escalating doses of SAM486A, 1-3-h infusion daily for 3 days. Plasma sampling was performed to characterize the pharmacokinetics and pharmacodynamics of the combination. Results: Twenty-seven patients with metastatic colorectal cancer and 1 with pseudomyxoma peritonei were treated. Twenty-six patients received SAM486A in the combination at doses ranging from 25 to 150 mg/m(2)/day. Dose-limiting toxicity consisting of fatigue grade 3 was seen at 150 mg/m(2)/day. Other adverse events included neutropenia, hand and foot syndrome, nausea, vomiting, diarrhea, and constipation. Fifteen of 26 patients evaluable for best response according to the Southwest Oncology Group criteria achieved a partial response [8 (30%) of 26] or stable disease [9 (35%) of 26]. SAM486A did not influence the pharmacokinetics of 5-FU, and SAM486A clearance was similar to that when used as a single agent. Conclusions: The novel molecular agent SAM486A is tolerable and safe in combination with a standard 5-FU regimen in patients with advanced colorectal cancer. The dose of SAM486A recommended for additional studies with this combination is 125 mg/m(2)/day. A disease-directed evaluation of SAM486A using this regimen is warranted.

    Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures

    In this work, we construct a short one-out-of-many proof from (module) lattices, allowing one to prove knowledge of a secret associated with one of the public values in a set. The proof system builds on a combination of ideas from the efficient proposals in the discrete logarithm setting by Groth and Kohlweiss (EUROCRYPT '15) and Bootle et al. (ESORICS '15), can have logarithmic communication complexity in the set size and does not require a trusted setup. Our work resolves an open problem mentioned by Libert et al. (EUROCRYPT '16) of how to efficiently extend the above discrete logarithm proof techniques to the lattice setting. To achieve our result, we introduce new technical tools for the design and analysis of algebraic lattice-based zero-knowledge proofs, which may be of independent interest. Using our proof system as a building block, we design a short ring signature scheme, whose security relies on "post-quantum" lattice assumptions. Even for a very large ring size such as 1 billion, our ring signature size is only 3 MB for the 128-bit security level, compared to 216 MB in the best existing lattice-based result by Libert et al. (EUROCRYPT '16).