
    Line-Point Zero Knowledge and Its Applications

    We introduce and study a simple kind of proof system called line-point zero knowledge (LPZK). In an LPZK proof, the prover encodes the witness as an affine line $\mathbf{v}(t) := \mathbf{a}t + \mathbf{b}$ in a vector space $\mathbb{F}^n$, and the verifier queries the line at a single random point $t = \alpha$. LPZK is motivated by recent practical protocols for vector oblivious linear evaluation (VOLE), which can be used to compile LPZK proof systems into lightweight designated-verifier NIZK protocols. We construct LPZK systems for proving satisfiability of arithmetic circuits with attractive efficiency features. These give rise to designated-verifier NIZK protocols that require only 2-5 times the computation of evaluating the circuit in the clear (following an input-independent preprocessing phase), and where the prover communicates roughly 2 field elements per multiplication gate, or roughly 1 element in the random oracle model with a modestly higher computation cost. On the theoretical side, our LPZK systems give rise to the first linear interactive proofs (Bitansky et al., TCC 2013) that are zero knowledge against a malicious verifier. We then apply LPZK towards simplifying and improving recent constructions of reusable non-interactive secure computation (NISC) from VOLE (Chase et al., Crypto 2019). As an application, we give concretely efficient and reusable NISC protocols over VOLE for bounded inner product, where the sender's input vector should have a bounded $L_2$-norm.
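    The line-point idea from the abstract above, worked out for a single multiplication gate as an added Python illustration. This is not the paper's code and it simplifies the construction: each wire gets a line whose slope is the wire value and whose intercept is a random mask, the verifier holds one point per line at its secret $\alpha$ (this is exactly what a VOLE hands the receiver), addition gates cost nothing, and a multiplication gate costs the two coefficients of a degree-1 polynomial, matching the "roughly 2 field elements per multiplication gate" figure. The field $\mathbb{F}_p$ with $p = 2^{61}-1$, the dealer function standing in for a real VOLE protocol, and every function name below are assumptions of this example.

```python
import secrets

# Added illustration of the line-point check for one multiplication gate.
# Not the paper's code. Assumptions: F_p with p = 2^61 - 1, and the random
# VOLE correlation is produced by a dealer function instead of a VOLE protocol.
P = (1 << 61) - 1


def rand_f():
    return secrets.randbelow(P)


def dealer_vole(alpha):
    """Random VOLE correlation (assumed dealer): the prover gets a random line
    (a, b); the verifier, who holds alpha, gets the single point a*alpha + b."""
    a, b = rand_f(), rand_f()
    return (a, b), (a * alpha + b) % P


def fix_wire(alpha, w, line, point):
    """Prover moves the slope of a random line to the witness value w by
    publishing d = w - a (the only message); the verifier shifts its point so
    that it still lies on the new line w*t + b."""
    a, b = line
    d = (w - a) % P
    return (w, b), (point + d * alpha) % P


def add_lines(l1, l2):
    """Addition gate: both sides add locally, no communication needed."""
    return ((l1[0] + l2[0]) % P, (l1[1] + l2[1]) % P)


def prover_mul(lx, ly, lz):
    """For z = x*y the polynomial v_x(t)*v_y(t) - t*v_z(t) has degree 1 exactly
    when the gate is satisfied (the t^2 coefficient is x*y - z); the prover
    sends its two remaining coefficients a1, a0."""
    (x, mx), (y, my), (_z, mz) = lx, ly, lz
    a1 = (x * my + y * mx - mz) % P
    a0 = (mx * my) % P
    return a1, a0


def verifier_mul(alpha, kx, ky, kz, a1, a0):
    """Verifier evaluates the same polynomial at its secret point alpha using
    only the points it holds; a wrong gate leaves a nonzero degree-2 term that
    vanishes for at most 2 of the p possible alphas."""
    return (kx * ky - kz * alpha) % P == (a1 * alpha + a0) % P


def forge_a0(alpha, kx, ky, kz, a1):
    """Why alpha must stay hidden: a prover who learns alpha can solve for an
    a0 that passes for any claimed product, so the verifier is 'designated'."""
    return (kx * ky - kz * alpha - a1 * alpha) % P


def run_gate(x, y, z_claimed, alpha=None):
    """One designated-verifier run for the gate z = x*y; returns the verdict."""
    alpha = rand_f() if alpha is None else alpha
    lines, points = [], []
    for w in (x, y, z_claimed):
        line, point = fix_wire(alpha, w, *dealer_vole(alpha))
        lines.append(line)
        points.append(point)
    a1, a0 = prover_mul(*lines)
    return verifier_mul(alpha, *points, a1, a0)
```

    An honest run such as `run_gate(3, 5, 15)` accepts; a cheating claim such as `run_gate(3, 5, 16)` is rejected unless $\alpha = 0$, so the soundness error here is $1/p$ for a single gate (at most $2/p$ in general, from the degree-2 difference polynomial). The masks $m_x, m_y, m_z$ are uniform, so the two published coefficients reveal nothing about the wire values; the example does not attempt the full circuit compiler or the random oracle variant from the abstract.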

    Improving Line-Point Zero Knowledge: Two Multiplications for the Price of One

    Recent advances in fast protocols for vector oblivious linear evaluation (VOLE) have inspired a family of new VOLE-based lightweight designated-verifier NIZK protocols (Weng et al., S&P 2021, Baum et al., Crypto 2021, Dittmer et al., ITC 2021, Yang et al., CCS 2021). In particular, the Line-Point Zero Knowledge (LPZK) protocol of Dittmer et al. has the advantage of being entirely non-cryptographic given a single instance of a random VOLE correlation. We present improvements to LPZK through the introduction of additional structure to the correlated randomness. Using an efficiently realizable variant of the VOLE correlation, we reduce the online proof size of LPZK by roughly 2x: from roughly 2 field elements per multiplication gate, or 1 element in the random oracle variant, to only 1 or $\tfrac{1}{2}$ elements respectively. In particular, we get the first practical VOLE-based NIZK that breaks the 1-element-per-multiplication barrier. We implemented an optimized version of our protocol and compared it with other recent VOLE-based NIZK protocols. In the typical case where communication is the bottleneck, we get at least a 2x performance improvement over all previous VOLE-based protocols. When prover computation is the bottleneck, we outperform all non-LPZK protocols by at least 2-3x and (our optimized implementation of) LPZK by roughly 30%, obtaining a 2-3x slowdown factor compared to plain circuit evaluation.

    Authenticated Garbling from Simple Correlations

    We revisit the problem of constant-round malicious secure two-party computation by considering the use of simple correlations, namely sources of correlated randomness that can be securely generated with sublinear communication complexity and good concrete efficiency. The current state-of-the-art protocol of Katz et al. (Crypto 2018) achieves malicious security by realizing a variant of the authenticated garbling functionality of Wang et al. (CCS 2017). Given oblivious transfer correlations, the communication cost of this protocol (with 40 bits of statistical security) is comparable to roughly 10 garbled circuits (GCs). This protocol inherently requires more than 2 rounds of interaction. In this work, we use other kinds of simple correlations to realize the authenticated garbling functionality with better efficiency. Concretely, we get the following reduced costs in the random oracle model:
    - Using variants of both vector oblivious linear evaluation (VOLE) and multiplication triples (MT), we reduce the cost to 1.31 GCs.
    - Using only variants of VOLE, we reduce the cost to 2.25 GCs.
    - Using only variants of MT, we obtain a non-interactive (i.e., 2-message) protocol with cost comparable to 8 GCs.
    Finally, we show that by using recent constructions of pseudorandom correlation generators (Boyle et al., CCS 2018, Crypto 2019, 2020), the simple correlations consumed by our protocols can be securely realized without forming an efficiency bottleneck.

    SoK: Vector OLE-Based Zero-Knowledge Protocols

    A zero-knowledge proof is a cryptographic protocol where a prover can convince a verifier that a statement is true, without revealing any further information except for the truth of the statement. More precisely, if $x$ is a statement from an NP language verified by an efficient machine $M$, then a zero-knowledge proof aims to prove to the verifier that there exists a witness $w$ such that $M(x,w)=1$, without revealing any further information about $w$. The proof is a proof of knowledge if the prover additionally convinces the verifier that it knows the witness $w$, rather than just of its existence. This article is a survey of recent developments in building practical systems for zero-knowledge proofs of knowledge using vector oblivious linear evaluation (VOLE), a tool from secure two-party computation.

    Secure Merge in Linear Time and O(log log N) Rounds

    Secure merge considers the problem of combining two sorted lists (which are either held separately by two parties, or held by two parties in some privacy-preserving manner, e.g. via secret-sharing), and outputting a single merged (sorted) list in a privacy-preserving manner (typically the final list is encrypted or secret-shared amongst the original two parties). Just as algorithms for insecure merge are faster than comparison-based sorting ($\Theta(n)$ versus $\Theta(n \log n)$ for lists of size $n$), we explore protocols for performing a secure merge that are more performant than simply invoking a secure sort protocol. Namely, we construct a semi-honest protocol that requires $O(n)$ communication and computation and $O(\log \log n)$ rounds of communication. This matches the metrics of the insecure merge for communication and computation, although it does not match the $O(1)$ round complexity of insecure merge. Our protocol relies only on black-box use of basic secure primitives, like secure comparison and shuffle. Our protocol improves on previous work of [FNO22], which gave an $O(n)$ communication and $O(n)$ round complexity protocol, and other "naive" approaches, such as the shuffle-sort paradigm, which has $O(n \log n)$ communication and $O(\log n)$ round complexity. It is also more efficient for most practical applications than either a garbled circuit or fully-homomorphic encryption (FHE) approach, which each require $O(n \log n)$ communication or computation and have $O(1)$ round complexity.
    There are several applications that stand to benefit from our result, including secure sort (in cases where two or more parties have access to their own list of data, secure sort reduces to secure merge since the parties can first sort their own data locally), which in turn has implications for more efficient private set intersection (PSI) protocols; as well as secure mutable database storage and search, whereby secure merge can be used to insert new rows into an existing database. In building our secure merge protocol, we develop several subprotocols that may be of independent interest. For example, we develop a protocol for secure asymmetric merge (where one list is much larger than the other), which matches theoretical lower bounds for all three metrics (assuming the ratio of list sizes is small enough).

    Boosting the Performance of High-Assurance Cryptography: Parallel Execution and Optimizing Memory Access in Formally-Verified Line-Point Zero-Knowledge

    Despite the notable advances in the development of high-assurance, verified implementations of cryptographic protocols, such implementations typically face significant performance overheads, particularly due to the penalties induced by formal verification and automated extraction of executable code. In this paper, we address some core performance challenges facing computer-aided cryptography by presenting a formal treatment for accelerating such verified implementations based on multiple generic optimizations covering parallelism and memory access. We illustrate our techniques for addressing such performance bottlenecks using the Line-Point Zero-Knowledge (LPZK) protocol as a case study. Our starting point is a new verified implementation of LPZK that we formalize and synthesize using EasyCrypt; this first implementation is developed to reduce the proof effort and without considering the performance of the extracted executable code. We then show how such (automatically) extracted code can be optimized in three different ways to obtain a 3000x speedup, thus matching the performance of the manual implementation of LPZK. We obtain such performance gains by first modifying the algorithmic specifications, then by adopting a provably secure parallel execution model, and finally by optimizing the memory access structures. All optimizations are first formally verified inside EasyCrypt, and then executable code is automatically synthesized from each step of the formalization. For each optimization, we analyze the resulting performance gains and also address the challenges facing the computer-aided security proofs thereof, and the challenges facing automated synthesis of executable code with such an optimization.

    Function Secret Sharing for PSI-CA: With Applications to Private Contact Tracing

    In this work we describe a token-based solution to contact tracing via Distributed Point Functions (DPF) and, more generally, Function Secret Sharing (FSS). The key idea behind the solution is that FSS natively supports secure keyword search on raw sets of keywords without a need for processing the keyword sets via a data structure for set membership. Furthermore, the FSS functionality enables adding up numerical payloads associated with multiple matches without additional interaction. These features make FSS an attractive tool for lightweight privacy-preserving searching on a database of tokens belonging to infected individuals.
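    To make the "search raw tokens, sum the payloads of every match, no extra round" property concrete, here is an added Python example (not the paper's code) of a two-server lookup built on a tree-based distributed point function in the style of Boyle, Gilboa and Ishai. The client holds one token $\alpha$ and asks "what is the total payload recorded under $\alpha$?". Each server evaluates its key share on every token in its unstructured list and returns a single group element; the client adds the two answers. SHA-256 standing in for the length-doubling PRG, 32-bit tokens, payloads in $\mathbb{Z}_{2^{64}}$, the sample database and all names below are assumptions of this example.

```python
import hashlib
import secrets

# Added example: two-server private token lookup with a tree-based DPF
# (Boyle-Gilboa-Ishai style). Not the paper's code. Assumptions: SHA-256 as
# the length-doubling PRG, 32-bit tokens, payloads in Z_{2^64}.
SEED_LEN = 16          # seed length in bytes
MOD = 1 << 64          # output group for payloads


def prg(seed):
    """G(s) -> (s_L, t_L, s_R, t_R): two child seeds and two control bits."""
    left = hashlib.sha256(seed + b"L").digest()
    right = hashlib.sha256(seed + b"R").digest()
    return left[:SEED_LEN], left[SEED_LEN] & 1, right[:SEED_LEN], right[SEED_LEN] & 1


def convert(seed):
    """Map a leaf seed to a pseudorandom element of the output group."""
    return int.from_bytes(hashlib.sha256(seed + b"C").digest()[:8], "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def dpf_gen(alpha, beta, nbits):
    """Keys k0, k1 for the point function f(alpha) = beta, f(x) = 0 elsewhere.
    Invariant: on the path to alpha the two parties' seeds and control bits
    differ; off the path they agree, so their outputs cancel."""
    s = [secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN)]
    root = list(s)
    t = [0, 1]
    cws = []
    for i in range(nbits):
        bit = (alpha >> (nbits - 1 - i)) & 1            # walk MSB first
        l0, tl0, r0, tr0 = prg(s[0])
        l1, tl1, r1, tr1 = prg(s[1])
        # Correction word: makes the off-path ('lose') children agree and
        # keeps the on-path ('keep') control bits complementary.
        s_cw = xor(r0, r1) if bit == 0 else xor(l0, l1)
        t_cw_l = tl0 ^ tl1 ^ bit ^ 1
        t_cw_r = tr0 ^ tr1 ^ bit
        cws.append((s_cw, t_cw_l, t_cw_r))
        keep = ((l0, tl0), (l1, tl1)) if bit == 0 else ((r0, tr0), (r1, tr1))
        t_cw_keep = t_cw_l if bit == 0 else t_cw_r
        for b in range(2):
            sk, tk = keep[b]
            s[b] = xor(sk, s_cw) if t[b] else sk       # party with t=1 applies CW
            t[b] = tk ^ (t[b] & t_cw_keep)
    cw_last = (beta - convert(s[0]) + convert(s[1])) % MOD
    if t[1]:
        cw_last = (-cw_last) % MOD
    return (root[0], cws, cw_last), (root[1], cws, cw_last)


def dpf_eval(b, key, x, nbits):
    """Party b's additive share of f(x); the two shares sum to f(x) mod MOD."""
    s, cws, cw_last = key
    t = b
    for i in range(nbits):
        bit = (x >> (nbits - 1 - i)) & 1
        l, tl, r, tr = prg(s)
        s_cw, t_cw_l, t_cw_r = cws[i]
        if t:
            l, r, tl, tr = xor(l, s_cw), xor(r, s_cw), tl ^ t_cw_l, tr ^ t_cw_r
        s, t = (l, tl) if bit == 0 else (r, tr)
    share = (convert(s) + (cw_last if t else 0)) % MOD
    return share if b == 0 else (-share) % MOD


def server_answer(b, key, db, nbits):
    """Server b scans its raw token list: no index structure, no interaction."""
    return sum(payload * dpf_eval(b, key, tok, nbits) for tok, payload in db) % MOD


def private_lookup(alpha, db, nbits=32):
    """Client: split the query into two keys, one per server, add the answers.
    The result is the summed payload of every entry whose token equals alpha."""
    k0, k1 = dpf_gen(alpha, 1, nbits)
    return (server_answer(0, k0, db, nbits) + server_answer(1, k1, db, nbits)) % MOD


# Constructed sample database: (token, payload such as exposure minutes).
INFECTED_DB = [(0xDEADBEEF, 3), (0x12345678, 5), (0xDEADBEEF, 4), (0x00000001, 7)]
```

    `private_lookup(0xDEADBEEF, INFECTED_DB)` returns 7: the duplicate token is matched twice and both payloads are summed by the servers themselves, which is the "multiple matches without additional interaction" point of the abstract. Each key is one seed plus one correction word per token bit, so key size grows with the token length rather than with the token space, and each server sees only a pseudorandom key that reveals nothing about $\alpha$ as long as the two servers do not collude.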

    Macaque models of human infectious disease.

    Macaques have served as models for more than 70 human infectious diseases of diverse etiologies, including a multitude of agents: bacteria, viruses, fungi, parasites and prions. The remarkable diversity of human infectious diseases that have been modeled in the macaque includes global, childhood, and tropical diseases as well as newly emergent, sexually transmitted, oncogenic, degenerative neurologic, potential bioterrorism, and miscellaneous other diseases. Historically, macaques played a major role in establishing the etiology of yellow fever, polio, and prion diseases. With rare exceptions (Chagas disease, bartonellosis), all of the infectious diseases in this review are of Old World origin. Perhaps most surprising is the large number of tropical (16), newly emergent (7), and bioterrorism diseases (9) that have been modeled in macaques. Many of these human diseases (e.g., AIDS, hepatitis E, bartonellosis) are a consequence of zoonotic infection. However, infectious agents of certain diseases, including measles and tuberculosis, can sometimes go both ways, and thus several human pathogens are threats to nonhuman primates including macaques. Through experimental studies in macaques, researchers have gained insight into pathogenic mechanisms and novel treatment and vaccine approaches for many human infectious diseases, most notably acquired immunodeficiency syndrome (AIDS), which is caused by infection with human immunodeficiency virus (HIV). Other infectious agents for which macaques have been a uniquely valuable resource for biomedical research, and particularly vaccinology, include influenza virus, paramyxoviruses, flaviviruses, arenaviruses, hepatitis E virus, papillomavirus, smallpox virus, Mycobacteria, Bacillus anthracis, Helicobacter pylori, Yersinia pestis, and Plasmodium species. This review summarizes the extensive past and present research on macaque models of human infectious disease.

    Murine Gamma-herpesvirus Immortalization of Fetal Liver-Derived B Cells Requires both the Viral Cyclin D Homolog and Latency-Associated Nuclear Antigen

    Human gammaherpesviruses are associated with the development of lymphoproliferative diseases and B cell lymphomas, particularly in immunosuppressed hosts. Understanding the molecular mechanisms by which human gammaherpesviruses cause disease is hampered by the lack of convenient small animal models to study them. However, infection of laboratory strains of mice with the rodent virus murine gammaherpesvirus 68 (MHV68) has been useful in gaining insights into how gammaherpesviruses contribute to the genesis and progression of lymphoproliferative lesions. In this report we make the novel observation that MHV68 infection of murine day 15 fetal liver cells results in their immortalization and differentiation into B plasmablasts that can be propagated indefinitely in vitro, and can establish metastasizing lymphomas in mice lacking normal immune competence. The phenotype of the MHV68 immortalized B cell lines is similar to that observed in lymphomas caused by KSHV and resembles the favored phenotype observed during MHV68 infection in vivo. All established cell lines maintained the MHV68 genome, with limited viral gene expression and little or no detectable virus production, although virus reactivation could be induced upon crosslinking surface Ig. Notably, transcription of the genes encoding the MHV68 viral cyclin D homolog (v-cyclin) and the homolog of the KSHV latency-associated nuclear antigen (LANA), both of which are conserved among characterized γ2-herpesviruses, could consistently be detected in the established B cell lines. Furthermore, we show that the v-cyclin and LANA homologs are required for MHV68 immortalization of murine B cells. In contrast, the M2 gene, which is unique to MHV68 and plays a role in latency and virus reactivation in vivo, was dispensable for B cell immortalization.
    This new model of gammaherpesvirus-driven B cell immortalization and differentiation in a small animal model establishes an experimental system for detailed investigation of the role of gammaherpesvirus gene products and host responses in the genesis and progression of gammaherpesvirus-associated lymphomas, and presents a convenient system to evaluate therapeutic modalities.