All Partial Information Shaft Goldwasser * and Silvio Micali ** Computer Science Department University of California - Berkeley I. Introduction This paper proposes an Encryption Scheme that possess the following property: An adversary, who knows the encryption algorithm and is given the cyphertext, can- not obtain any information about the clear- text. Any implementation of a Public Key Cryptosys- tem, as proposed by Diffie and Hellman in [8], should possess this property. Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12]. Security is based on Complexity Theory and the intractability of some problems in number theory such as factoring, index finding and deciding whether numbers are quadratic resi- dues with respect to composite mvduli is assumed. In this context, impossibility means computational infeasibility and proving that a problem is hard means to show it equivalent to one of the above mentioned problems. The key idea in both the RSA scheme and the Rabin scheme is the selection of an appropriate trapdoor function; an easy to evaluate function f such that x is not easily computable from f(x), unless some extra information is known. To encrypt a message m, one simply evaluates f (m). Thin research was supported by * NSF Grant MCS-79-037667 ** fellowship from Consiglio Nazionale delle Ricerche - Italy and in part by NSF Grant MCS-79-037667 We would like to point out two basic weaknesses of this approach: 1) The fact that f is a trapdoor function does not rule out the possibility of computing x from ff (x) when x is of a special form. Usually messages do not consist of numbers chosen at random but possess more struc- ture. Such structural information may help in decoding. For example, a function f, which is hard to invert on a generic input, could conceivably be easy to invert on the ASCII representations of English sentences. 2) The fact that f is a trapdoor function does not rule out the possibility of easily com- puting some partial information about z (even every other bit of x) from f (z). The danger in the case that z is the ASCII representation of an English sentence is self evident. Encrypting messages in a way that ensures the secrecy of all partial infor- mation is an extremely important goal in Cryptography. The importance of this point of view is particularly apparent if we want to use encryption to play card games over the telephone. If the suit or color of a card could be compromised the whole game could be invalid. Though no one knows how to break the RSA or the Rabin scheme, in none of these schemes is it proved that decoding is hard without any assumptions made on the message space. Rabin shows that, in his scheme, decoding is hard for an adversary if the set of possible messages has some density property. The novelty of our contribution consists of 1. The notion of Trapdoor Functions is replaced by Probabilistic Encryption. To encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a
x is not easily , unless some extra To encrypt a message f (m). by Nazionale delle Ricerche - t MCS-79-037667 or part of this material is granted de or distributed for direct opyright notice and the title of the d notice is given that copying is by omputing Machinery. To copy a fee and/or specific permission. 7-2/82/005/0365 $00.75 Though no one knows how to break the RSA or the Rabin scheme, in none of these schemes is it proved that decoding is hard without any assumptions made on the message space. Rabin shows that, in his scheme, decoding is hard for an adversary if the set of possible messages has some density property. The novelty of our contribution consists of 1. The notion of Trapdoor Functions is replaced by Probabilistic Encryption. To encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a sequence of coin tosses. Consequently, there are many possible encodings for each message, llowever, messages are always uniquely decodable. ~ IProbabilistic Encryption is completely different from the technique of apl~eDcling random bits to a message as suggested in U?.] and [16]. 365 works like public-key cryptography
message, but provably hard for an adver- sary. Therefore the spirit of a trapdoor function is maintained. In addition, in our scheme, without imposing any restrictions on the message space, we can prove that decoding is equivalent to deciding qua- dratic residuosity modulo composite numbers. 3. No Partial Information about an encrypted ingenious pa space, A, B, message. Le tion, which decryption for all m e M is placed in private. D A knowing onl takes E A fro and sends th
by Diffie and Hellman in [8], should possess this property. Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12]. Security is based on Complexity Theory and the intractability of some problems in number theory such as factoring, index finding and deciding whether numbers are quadratic resi- dues with respect to composite mvduli is assumed. In this context, impossibility means computational infeasibility and proving that a problem is hard means to show it equivalent to one of the above mentioned problems. The key idea in both the RSA scheme and the Rabin scheme is the selection of an appropriate trapdoor function; an easy to evaluate function f such that x is not easily computable from f(x), unless some extra information is known. To encrypt a message m, one simply evaluates f (m). in decoding. For ex which is hard to inve could conceivably be ASCII representations 2) The fact that f is a t not rule out the pos puting some partial (even every other bit danger in the case representation of an self evident. Encrypti that ensures the secre mation is an extreme Cryptography. The im of view is particularly to use encryption to the telephone. If the could be compromis could be invalid. Though no one knows how the Rabin scheme, in non it proved that decoding assumptions made on the shows that, in his scheme, an adversary if the set of some density property.
contained in a proof is developed. Zero-knowledge proofs are deﬁned as those proofs that convey no additional knowledge other than the correctness of the proposition in question.
University Rudapt~st Hungary II-1088 Abstract. la a previous paper [BS] we proved, using the elements of the Clwory of nilyotenf yroupu, that some of the /undamcn- la1 computational problems in mat& proup, belong to NP. These problems were also ahown to belong to CONP, assuming an unproven hypofhedi.9 concerning finilc simple Q’ oup,. The aim of this paper is t.o replace most of the (proven and unproven) group theory of IBS] by elementary com- binatorial argumenls. The rev& we prove is that relative to a random oracle f3, tbc meutioned matrix group prob- lems belong to (NPncoNP)L! Thr problems we consider arr membership in and order of a matrix group given by a list of gnrrntors. These prob- trms can bc vicwrd as m~lt~idimcnsio~r;lI vemiorm of a closr rrldivr of t.hc disrrct,r logarilhm prob1c.m. I tencc A’ltiro.VI’ might be the lowrst natural romplcxity rla.us t bry may ii1 in. Wr remark that the resutt,s remain valid for blark boz groupa where group operations are prrformcd by an oracle. Thcb tools we inlroduce seem interesting in their own right. \Ve define a new hierarchy of complexit)y ctesscs A.4Ak) “just above NP’, introduring Arthur ud. Merlin games, the bonnded-away version of Pnpadimitriou’s Games against Nature. We prove th:rt. in spite of their analogy with the polynomial time hierarchy, the finite lev- rls of this hierarchy collapse t,o Afsf=Ah42). Using a com- binatorial lemma on finite groups [IIE], we construct a game by whirh t.he nondeterministic player (Merlin) is able to coavlnre the random player (Arthur) about the rctation ICj=N provided Arthur trusts conclusions based on st,a- tisticnl rvidrnce (such as a Solovay-Strassen type “proof” of primatit,y ). One can prove that AM consists precisely of t&ose langungrs which belong to iV@ for almost every oracle 13. Our hirrarchy has an intrrcsjdng, still unclarified reta- tion to imother hierarchy, obt,ained by rcnloving the cen- t.rat ingrrdirnt from the l&r ~a. Ezpcrl games of (;otctwassrr, Mirati and Rarkoff. permission 10 copy without fee all or part ot this material is granted provided that the copies arc not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. Q 1985 ACM 0-89791-ISI-2/85/005/0421 $00.75 Dept. Computer Science I Jnivrrsity of Chicago I 100 E 58th St. (Chicago, II, 60637 1. Introduction 1.1. Randomness vs. mathematical intractabil- ity: a tradeoff l’aul E&k has taught us that randomness can do miracles as tong as we don’t insist on explicit con- structions. If we do, quite often much heavier mathrmatics has to be invoked - if there is any help at all. The few citSes where randomness has SUCCCSS- futiy hccn eliminated, like for expanding graphs, point to the tIiITiiculty (cf. [Pin], [PipJ vs. [Mar], [CC]). A ra.ndom st.ring can sometimes replace the most forrnidahle msthelrtotical hypothesis. The Solovay- Strnsscn bf(JntC? Carlo primality test [SS] vs. Gary Mittrr’s det.erministic primality test, based on the Extended ltirmann Hypothesis [Mill, is one of the famous examples. The objective of this paper is to introduce some new random tools to replace an unproven group theoretic hypothesis. 1.2. Matrix groups Lly far the most common wrry to represent groups is by matrices. This is almost the only way groups are being thought of in science. The term “ltcprceentation Theory” refers to matrix representa- tions, a central tool in the theory of finite groups, har- monic analysis, quantum mechanics and other fields. It s.ppears that the main reason why compn+a- tional group theory has so far mainly concentrated on permutation groups is that while many of the basic problems in permutation groups are solvable in poly- nomial time (cf.[Sinr], (FHL], (BKL]), even the sim- plrst questions on matrix groups seem computation- ally infr.asiblc. The membership problem (does a given matrix belong to a group given by a list of generators?) is undecida6le for 4 by 4 integral matrices (hlih]. It seems therefore wise to r&rict our attention to malrix groups over finite fields. Here the basic problems (membership, order) are at least finite and in fact easily seen to belong to PSPACE, On the other ha.nd, finding a polynomial time algorithm seems hopclcss even in the one-dimensional (number theoretic) case. Concerning the place of these 421
Monte Carlo primality compIexity class AA4 n of NP in the same Our main result is and order of matrix AM~IcoAM. this result in Section necessary complexity ted in detail in Sec- for later use, let us FE]. They ssscrt that s to NP and so does er an inheger divides 2. A hierarchy of coxnplexity classes 2.1. Convincing a distrustful party King Arthur recognizes the supernatural intcllec- tual abilit.ies of Merlin but doesn’t trust him. How should Merlin convince the intelligent but impatient King that a string zr belongs to a given language I., ? If &NP, Merlin will be able to present a u~ilneas which hthur can check in polynomial time. We shalt define a hierarchy of complexity classes “just above NP’ which still allow Merlin to convince Arthur about membership provided Arthur accepts stat.ist.ical evidence. We define these relatively low complexity classes in terms of a combinatorial game played by Merlin and Arthur. 2.2. Combinatorial games The general definition of combinatorial games will be given in 3.1.
Oded Goldreich Shafi Goldwasser Johan Hhtad Joe Kilian Silvio Micali Phillip Rogaway Technion - Israel Institute of Technology M.I.T. Laboratory for Computer Science Royal Institute of Technology, Sweden M.I.T. Laboratory for Computer Science M.I.T. Laboratory for Computer Science M.I.T. Laboratory for Computer Science Abstract Assuming the existence of a secure probabilistic encryption scheme, we show that every language that admits an interactive proof admits a (computational) zero-knowledge interactive proof. This result extends the result of Goldreich, MiCali and Wigderson, that, under the same assumption, all of NP admits zero-knowledge interactive proofs. Assuming envelopes for bit commitment, we show tht every language that admits an interactive proof admits a perfect zero-knowledge interactive proof. 1. Introduction Suppose Bob is polynomially time-bounded, but Alice has unlimited computational resources. If q 5 is a satisfiable boolean formula, Alice can certainly convince Bob of this fact; she could send Bob a message y describing a satisfying truth assignment for 4, and Bob could check that y does indeed specify a satisfying truth assignment. In other words, the language L of satisfiable boolean formulas is in NP. The interaction between Alice and Bob in this example is very simple: Alice sends a single message to Bob, and no other messages are sent between the two. If q5 is satisfiable, there is some message y that Alice might send which will convince Bob to accept. But if q5 is not satisfiable, then no message that Alice might send w i l l convince Bob to accept. In the paper of Goldwasser, Micdi, and Rackoff [GMR], the authors extend the scenario above in two ways, to arrive at the notion of an interactive proof for the language L. First, the interaction between Alice and Bob is allowed to be more complicated, with Alice and Bob exchanging multiple messages. Secondly, Alice and Bob are taken to be probabilistic, and Bob may occasionally accept or reject erroneously. It is required that if an input is in L, then Alice can behave in such a way that Bob will almost always accept; but if an input is n o t in L, then, no mater what messages Alice sends, Bob will almost certainly reject. A different notion of provability “beyond NP” was independently proposed by Babai [Bab]. This notion is called an Arthur-Merlin protocol. Babai’s model is similar to that of [GMR], but is seemingly more limited, because the verifier is required to reveal to the prover all of his coin flips (right after making them). Though this loss of privacy seems an important restriction, Goldwasser and Sipser [GSJ show that, in fact, the models are equivalent with respect to language recognition. Let IP be the class of languages that admit interactive proofs. Clearly N P 5 I P , for an NP-interaction is a special type of IF‘-interaction, in which the prover (Alice) sends the one and only message, and the verifier (Bob) never errs. However, IP may be a much larger class of languages. For example, there is an interactive proof known for graph nonisomorphism, even though there are not known to be succinct certificates for establishing that a pair of graphs are not isomorphic.
ARORA Princeton University, Princeton, New Jersey AND SHMUEL SAFRA Tel-Aviv University, Tel-Aviv, Israel Abstract. We give a new characterization of NP: the class NP contains exactly those languages L for which membership proofs (a proof that an input x is in L) can be verified probabilistically in polynomial time using logarithmic number of random bits and by reading sublogarithmic number of bits from the proof. We discuss implications of this characterization; specifically, we show that approximating Clique and Independent Set, even in a very weak sense, is NP-hard. Categories and Subject Descriptors: F.1.2 [Computation by Abstract Devices]: Modes of Computa- tion; F.1.3 [Computation by Abstract Devices]: Complexity Classes; F.2.1 [Analysis of Algorithms and Problem Complexity]: Numerical Algorithms and Problems; F.2.2 [Analysis of Algorithms and Problem Complexity]: Numerical Algorithms and Problems; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic General Terms: Algorithms, Theory, Verification Additional Key Words and Phrases: Approximation algorithms, complexity hierarchies, computations on polynomials and finite fields, error-correcting codes, hardness of approximations, interactive computation, NP-completeness, probabilistic computation, proof checking, reducibility and complete- ness, trade-offs/relations among complexity measures A preliminary version of this paper was published as in Proceedings of the 33rd IEEE Symposium on Foundations of Computer Science. IEEE, New York, 1992, pp. 2–12. This work was done while S. Arora was at CS Division, UC Berkeley, under support from NSF PYI Grant CCR 88-96202 and an IBM graduate fellowship.
Joe Kilian NEC Research Institute Princeton, NJ 08540 Abstract In this note, we present new zero-knowledge interac- tive proofs and arguments for languages in NP. To show that z G L, with an error probability of at most 2-k, our zero-knowledge proof system requires O(lzlc’) + O(lg” l~l)k ideal bit commitments, where c1 and cz depend only on L. This construction is the first in the ideal bit commitment model that achieves large values of k more efficiently than by running k indepen- dent iterations of the base interactive proof system. Un- der suitable complexity assumptions, we exhibit a zer~ knowledge arguments that require O(lg’ Izl)ki bits of communication, where c depends only on L, and 1 is the security parameter for the prover.l This is the first construction in which the total amount of communica- tion can be less than that needed to transmit the NP witness. Our protocols are based on efficiently checkable proofs for NP [4]. ~l–&lly~ 1is the size of some problem the poly-time bounded prover is assumed to be unable to solve. 1 Introduction. 1.1 The problem of efficient security amplification. The standard definition of interactive proofs[7] requires that the verifier accept a correct proof and reject an in- correct assertion with probability at least #. As there are few applications where a 1/3 error probability is ac- ceptable, one usually tries to obtain an error probability less than 2-h, where k is some easily adjustable secu- rity parameter. The most obvious way of achieving this security amplification is take a protocol with a 1/3 er- ror probability, run it O(k) times, and have the verifier accept or reject by majority vote. 2 Are there any more efficient ways of achieving security than by this simple technique? As we will show, the answer is yes, for a wide variety of languages, in a well known model for which no other amplification technique was previously known. The work of Boyar, Brasserd end Peralta. Our work is inspired by Boyar, Brassard and Peralta’s zerc+knowledge protocol for circuit satisjiabilii!y,g which for the first time achieved a more efficient security amplification than by the naive approach [1]. Their protocol achieved a 2-k error probability using only
of Technology Cambridge, MA 02139, USA silvio@theory.lcs.mit.edu Abstract. This paper puts forward a new notion of a proof based on computational complexity, and explores its implications to computation at large. Computationally-sound proofs provide, in a novel and meaningful frame- work, answers to old and new questions in complexity theory. In partic- ular, given a random oracle or a new complexity assumption, they allow us to prove that verifying is easier than deciding; to provide a quite effec- tive way to prove membership in computationally hard languages (such as Co-ÀÀP-complete ones); and to show that every computation possesses a short certificate vouching its correctness. 1 Introduction A new notion. Proofs are fundamental to our lives, and as for all things fundamental we should expect that answering the question of what a proof is will always be an on-going process. Indeed, we wish to put forward the new notion of a computationally-sound proof (CS proof for brevity) which achieves new and important goals, not attained or even addressed by previous notions. Informally, a CS proof of a statement S consists of a short string Û, very easy to verify and as easy to find as possible, offering a strong computational guarantee about the verity of S. By "very easy to verify" we mean that the time necessary to inspect a CS Proof of a statement S is poly-logarithmically shorter than that required to decide S. By "as easy to find as possible" we mean that a CS proof of a true statement (i.e., for the purposes of this paper, derivable in a given axiomatic theory) can be computed in a time essentially comparable to that needed to decide the statement. Finally, by saying that the guarantee offered by a CS proof is "computational" we mean that false statements either do not have any CS proofs, or such "proofs" are practically impossible to find. Implementations of CS proofs. The value of a new notion, of course, cru- cially depends on whether it can be sufficiently exemplified. We provide two
a short certificate vouching its correctness. 1 Introduction A new notion. Proofs are fundamental to our lives, and as for all things fundamental we should expect that answering the question of what a proof is will always be an on-going process. Indeed, we wish to put forward the new notion of a computationally-sound proof (CS proof for brevity) which achieves new and important goals, not attained or even addressed by previous notions. Informally, a CS proof of a statement S consists of a short string Û, very easy to verify and as easy to find as possible, offering a strong computational guarantee about the verity of S. By "very easy to verify" we mean that the time necessary to inspect a CS Proof of a statement S is poly-logarithmically shorter than that required to decide S. By "as easy to find as possible" we mean that a CS proof of a true statement (i.e., for the purposes of this paper, derivable in a given axiomatic theory) can be computed in a time essentially comparable to that needed to decide the statement. Finally, by saying that the guarantee offered by a CS proof is "computational" we mean that false statements either
Abstract We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an “ideal commitment service,” even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately two-party uc commitment protocols do not exist in the plain model. However, we construct two-party uc commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver. Keywords: Commitment schemes, concurrent composition, non-malleability, security analysis of
Valiant Submitted to the Department of Electrical Engineering and Computer Science on February 2, 2007, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering Abstract The probabilistically checkable proof (PCP) system enables proofs to be verified in time polylogarithmic in the length of a classical proof. Computationally sound (CS) proofs improve upon PCPs by additionally shortening the length of the transmitted proof to be polylogarithmic in the length of the classical proof. In this thesis we explore the ultimate limits of non-interactive proof systems with respect to time/space efficiency and the new criterion of composability. We deduce the existence of our proposed proof system by way of a natural new assumption about proofs of knowledge. In fact, a main contribution of our result is showing that knowledge can be "traded" for time and space efficiency in noninterac- tive proof systems. Thesis Supervisor: Silvio Micali Title: Professor of Computer Science
Eli Ben-Sasson eli@cs.technion.ac.il Technion Alessandro Chiesa alexch@mit.edu MIT Eran Tromer tromer@cs.tau.ac.il Tel Aviv University Madars Virza madars@mit.edu MIT April 28, 2015 Abstract Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the veriﬁer is computationally weak. Existing zk-SNARK implementations have severe scalability limitations, in terms of space complexity as a function of the size of the computation being proved (e.g., running time of the NP statement’s decision program). First, the size of the proving key is quasilinear in the upper bound on the computation size. Second, producing a proof requires “writing down” all intermediate values of the entire computation, and then conducting global operations such as FFTs. The bootstrapping technique of Bitansky et al. (STOC ’13), following Valiant (TCC ’08), offers an approach to scalability, by recursively composing proofs: proving statements about acceptance of the proof system’s own veriﬁer (and correctness of the program’s latest step). Alas, recursive composition of known zk-SNARKs has never been realized in practice, due to enormous computational cost. Using new elliptic-curve cryptographic techniques, and methods for exploiting the proof systems’ ﬁeld structure and nondeterminism, we achieve the ﬁrst zk-SNARK implementation that practically achieves recursive proof composition. Our zk-SNARK implementation runs random-access machine programs and produces proofs of their correct execution, on today’s hardware, for any program running time. It takes constant time to generate the keys that support all computation sizes. Subsequently, the proving process only incurs a constant multiplicative overhead compared to the original computation’s time, and an essentially-constant additive overhead in memory. Thus, our zk-SNARK implementation is the ﬁrst to have a well-deﬁned, albeit low, clock rate of “veriﬁed instructions per second”. Keywords: computationally-sound proofs, proof-carrying data, zero knowledge, elliptic curves
unz⇤1, Jonathan Bootle†2, Dan Boneh‡1, Andrew Poelstra§3, Pieter Wuille¶3, and Greg Maxwellk 1Stanford University 2University College London 3Blockstream Full Version⇤⇤ Abstract We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for e cient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log2 pnq ` 9 group and ﬁeld elements, where n is the bit length of the range. Proof generation and veriﬁcation times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for conﬁdential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that veriﬁcation time, while asymptotically linear, is very e cient in practice. Moreover, the veriﬁcation of multiple Bulletproofs can be batched for further speed-up. Concretely, the marginal time to verify an aggregation of 16 range proofs is about the same as the time to verify 16 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would beneﬁt from Bulletproofs, primarily in the area of cryp- tocurrencies. The e ciency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. ⇤ benedikt@cs.stanford.edu † jonathan.bootle.14@ucl.ac.uk ‡ dabo@cs.stanford.edu § apoelstra@blockstream.io ¶ pieter@blockstream.com k
Bentov† Yinon Horesh* Michael Riabzev* March 6, 2018 Abstract Human dignity demands that personal information, like medical and forensic data, be hidden from the public. But veils of secrecy designed to preserve privacy may also be abused to cover up lies and deceit by institutions entrusted with Data, unjustly harming citizens and eroding trust in central institutions. Zero knowledge (ZK) proof systems are an ingenious cryptographic solution to this tension between the ideals of personal privacy and institutional integrity, enforcing the latter in a way that does not compromise the former. Public trust demands transparency from ZK systems, meaning they be set up with no reliance on any trusted party, and have no trapdoors that could be exploited by powerful parties to bear false witness. For ZK systems to be used with Big Data, it is imperative that the public veriﬁcation process scale sublinearly in data size. Transparent ZK proofs that can be veriﬁed exponentially faster than data size were ﬁrst described in the 1990s but early constructions were impractical, and no ZK system realized thus far in code (including that used by crypto-currencies like Zcash™) has achieved both transparency and exponential veriﬁcation speedup, simultaneously, for general computations. Here we report the ﬁrst realization of a transparent ZK system (ZK-STARK) in which veriﬁcation scales exponentially faster than database size, and moreover, this exponential speedup in veriﬁcation is observed concretely for meaningful and sequential computations, described next. Our system uses several recent advances on interactive oracle proofs (IOP), such as a “fast” (linear time) IOP system for error correcting codes. Our proof-of-concept system allows the Police to prove to the public that the DNA proﬁle of a Presidential Candidate does not appear in the forensic DNA proﬁle database maintained by the Police. The proof, which is generated by the Police, relies on no external trusted party, and reveals no further information about the contents of the database, nor about the candidate’s proﬁle. In particular, no DNA information is disclosed to any party outside the Police. The proof is shorter than the size of the DNA database, and veriﬁed faster than the time needed to examine that database na¨ ıvely.
• No trusted setup: eliminates CRS with techniques similar to erasure codes • Uses "Algebraic Intermediate Representation" (AIR) instead of R1CS • Complex mathematics - no "production quality" implementation yet • Being developed at Eli Ben-Sasson's company Starkware
Alessandro Chiesa alexch@berkeley.edu UC Berkeley Matthew Green mgreen@cs.jhu.edu Johns Hopkins University Ian Miers imiers@cs.jhu.edu Cornell Tech Pratyush Mishra pratyush@berkeley.edu UC Berkeley Howard Wu howardwu@berkeley.edu UC Berkeley February 21, 2019 Abstract Ledger-based systems that support rich applications often su er from two limitations. First, validating a transaction requires re-executing the state transition that it attests to. Second, transactions not only reveal which application had a state transition but also reveal the application’s internal state. We design, implement, and evaluate Z , a ledger-based system where users can execute o ine computations and subsequently produce transactions, attesting to the correctness of these computations, that satisfy two main properties. First, transactions hide all information about the o ine computations. Second, transactions can be validated in constant time by anyone, regardless of the o ine computation. The core of Z is a construction for a new cryptographic primitive that we introduce, decentralized private computation (DPC) schemes. In order to achieve an e cient implementation of our construction, we leverage tools in the area of cryptographic proofs, including succinct zero knowledge proofs and recursive proof composition. Overall, transactions in Z are 968 bytes regardless of the o ine computation, and generating them takes less than a minute plus a time that grows with the o ine computation. We demonstrate how to use Z to realize privacy-preserving analogues of popular applications: private decentralized exchanges for user-deﬁned fungible assets and regulation-friendly private stablecoins. Keywords: decentralized computation; zero knowledge proofs; succinct arguments
Microsoft Research Abstract This paper describes a new public coin, succinct interactive zero-knowledge argument for NP under standard cryptographic hardness assumptions—without requiring a trusted setup. In particular, our argument enables a prover to prove the satisﬁability of arithmetic circuits over a large ﬁnite ﬁeld (an NP-complete language for which there exist efﬁcient reductions from high-level programs of practical interest) to a veriﬁer. We construct this argument through a novel synthesis of techniques from prior work on short PCPs, MIPs, and doubly-efﬁcient IPs. Speciﬁcally, our interactive argument is a succinct variant of the sum-check protocol where the protocol is run with a carefully-constructed low-degree polynomial that encodes a given circuit satisﬁability instance. Since our interactive argument is public coin, we make it non-interactive in the random oracle model, thereby obtaining a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK), which we call Spartan. Spartan is the ﬁrst zkSNARK without trusted setup (i.e., a “transparent” zkSNARK) where verifying a proof incurs sub-linear costs without requiring data parallelism (or other homogeneity) in the structure of an arithmetic circuit for which a proof is produced. To achieve this, Spartan introduces a notion of computation commitments—a primitive to create a short cryptographic commitment to a mathematical description of an arithmetic circuit. Finally, Spartan is asymptotically efﬁcient with small constants: the prover performs O(n) cryptographic operations to produce a proof of size O(n1/c) that can be veriﬁed in O(n1 1/c) time (after a one-time, public preprocessing of the circuit to create a computation commitment that takes O(n) time), where n denotes the size of an arithmetic circuit and c 2 (Spartan can produce O(log n)-sized proofs, but the veriﬁer incurs O(n) costs). 1 Introduction We revisit the problem of designing succinct zero-knowledge arguments for a general class of applications. In particular, we are interested in arguments for the complexity class NP [32, 66, 73]: they enable a computationally-bounded prover to convince the membership of a problem instance in an NP language without revealing anything besides the validity of
sean@electriccoin.co Electric Coin Company Jack Grigg jack@electriccoin.co Electric Coin Company Daira Hopwood daira@electriccoin.co Electric Coin Company Abstract Non-interactive proofs of knowledge allow us to publicly demonstrate the faithful execution of arbitrary computations. SNARKs have the additional property of succinctness, meaning that the proofs are short and fast to verify even when the computations involved are large. This property raises the prospect of recursive proof composition: proofs that verify other proofs. All previously known realizations of recursive proof composition have required a trusted setup and cycles of expensive pairing-friendly elliptic curves. We obtain the ﬁrst practical example of recursive proof composition without a trusted setup, using only ordinary cycles of elliptic curves. Our primary contribution is a novel technique for amortizing away expensive veriﬁcation procedures from within the proof veriﬁcation cycle so that we could obtain recursion using a composition of existing protocols and techniques. We devise a technique for amortizing the cost of verifying multiple inner product arguments which may be of independent interest. 1 Introduction Proofs of knowledge [GMR89], introduced by Goldwasser, Micali and Racko↵,