Memoizing a monadic mixin DSL

Modular extensibility is a highly desirable property of a domain-specific language (DSL): the ability to add new features without affecting the implementation of existing features. Functional mixins (also known as open recursion) are very suitable for this purpose. We study the use of mixins in Haskell for a modular DSL for search heuristics used in systematic solvers for combinatorial problems, that generate optimized C++ code from a high-level specification. We show how to apply memoization techniques to tackle performance issues and code explosion due to the high recursion inherent to the semantics of combinatorial search. As such heuristics are conventionally implemented as highly entangled imperative algorithms, our Haskell mixins are monadic. Memoization of monadic components causes further complications for us to deal with

MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces

MuSig is a multi-signature scheme for Schnorr signatures, which supports key aggregation and is secure in the plain public key model. Standard derandomization techniques for discrete logarithm-based signatures such as RFC 6979, which make the signing procedure immune to catastrophic failures in the randomness generation, are not applicable to multi-signatures as an attacker could trick an honest user into producing two different partial signatures with the same randomness, which would reveal the user\u27s secret key. In this paper, we propose a variant of MuSig in which signers generate their nonce deterministically as a pseudorandom function of the message and all signers\u27 public keys and prove that they did so by providing a non-interactive zero-knowledge proof to their cosigners. The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Therefore its signing protocol is robust against failures in the randomness generation as well as attacks trying to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks. As an additional benefit, a signing session in MuSig-DN requires only two rounds instead of three as required by all previous Schnorr multi-signatures including MuSig. To instantiate our construction, we identify a suitable algebraic pseudorandom function and provide an efficient implementation of this function as an arithmetic circuit. This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin

Simple Schnorr Multi-Signatures with Applications to Bitcoin

We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called MuSig, provably secure in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging the protocol), which improves over the state-of-art scheme of Bellare and Neven (ACM-CCS 2006) and its variants by Bagherzandi et al. (ACM-CCS 2008) and Ma et al. (Des. Codes Cryptogr., 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single ``aggregated\u27\u27 public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin

Bulletproofs: Short Proofs for Confidential Transactions and More

We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only $2\log_2(n)+9$ group and field elements, where $n$ is the bit length of the range. Proof generation and verification times are linear in $n$. Bulletproofs greatly improve on the linear (in $n$) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that $m$ commitments lie in a given range by providing only an additive $O(\log(m))$ group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very efficient in practice. Moreover, the verification of multiple Bulletproofs can be batched for further speed-up. Concretely, the marginal time to verify an aggregation of 16 range proofs is about the same as the time to verify 16 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains

Functional programming abstractions for CP modeling

The field of Constraint Programming (CP) provides problem-independent technology for solving combinatorial problems. The programmer describes his problem in a model, which is processed by a problem-independent solver to produce a so- lution. Solver implementations are an active topic of research, and many efficient solvers exist. Specific languages were created that provide CP modeling facilities, but these domain-specific languages (DSL) run behind on features and abstractions, compared to modern general purpose languages. On the other hand, using CP libraries in such a language requires boilerplate code, and is often far less declarative in nature. Functional Programming (FP) is a programming paradigm that is based on the concept of functions as they are defined in mathematics, i.e., without side effects beyond their return value. Functional languages are declarative, offer very high level abstractions, and are easy to analyze. Furthermore, they can be used for general purposes. The existing Monadic Constraint Programming (MCP) framework offers interesting high-level abstractions for CP in the state-of-the-art functional programming language Haskell. In the first part of this thesis, we study how to build upon it to create a practical, concise, and declarative modeling DSL for constraint problems. Our language allows Finite Domain (FD) problems to be written using high-level expressions, while the underlying framework performs optimized translation to specific solver back-ends. Implemented back-ends include a proof-of-concept solver in Haskell, and bindings to the constraint solving library Gecode. For solving with low overhead, an extra mode is provided that generates C++ code for performing the solving at a later stage. In the second part, we provide declarative modeling of search. Controlling the search heuristic employed by a constraint solver is often essential for good performance, but existing systems are either limited in possibilities or imperative in nature. Again, we choose to provide a DSL to do better. The Search Combinators language is declarative, concise and captures many advanced search heuristics. We implement an efficient code generator for these search heuristics, avoiding the pitfalls encountered

Monadic Constraint Programming with Gecode

This paper presents FD-MCP, a finite domain modeling language on top of the Monadic Constraint Programming framework for Haskell. FD-MCP leverages Haskell's rich static type system and powerful abstraction mechanisms for implementing syntactic sugar, model transformations and compilation to solver backends. Two backends are provided: a basic Haskell solver and a Gecode code generator. Our benchmarks establish that FD-MCP models are much more concise than hand-coded Gecode programs, more so when using disjunction, without sacrificing performance.status: publishe