Ihyun Nam

2023-06-21

Abstract:A commitment scheme is a cryptographic tool that allows one to commit to a hidden value, with the option to open it later at requested places without revealing the secret itself. Commitment schemes have important applications in zero-knowledge proofs and secure multi-party computation, just to name a few. This survey introduces a few multivariate polynomial commitment schemes that are built from a variety of mathematical structures. We study how Orion is constructed using hash functions; Dory, Bulletproofs, and Vampire using the inner-product argument; Signatures of Correct Computation using polynomial factoring; DARK and Dew using groups of unknown order; and Orion+ using a CP-SNARK. For each protocol, we prove its completeness and state its security assumptions.

Cryptography and Security

Claude Crépeau,John Stuart

2023-04-20

Abstract:A Zero-Knowledge Protocol (ZKP) allows one party to convince another party of a fact without disclosing any extra knowledge except the validity of the fact. For example, it could be used to allow a customer to prove their identity to a potentially malicious bank machine without giving away private information such as a personal identification number. This way, any knowledge gained by a malicious bank machine during an interaction cannot be used later to compromise the client's banking account. An important tool in many ZKPs is bit commitment, which is essentially a digital way for a sender to put a message in a lock-box, lock it, and send it to the receiver. Later, the key is sent for the receiver to open the lock box and read the message. This way, the message is hidden from the receiver until they receive the key, and the sender is unable to change their mind after sending the lock box. In this paper, the homomorphic properties of a particular multi-party commitment scheme are exploited to allow the receiver to perform operations on commitments, resulting in polynomial time ZKPs for two NP-Complete problems: the Subset Sum Problem and 3SAT. These ZKPs are secure with no computational restrictions on the provers, even with shared quantum entanglement. In terms of efficiency, the Subset Sum ZKP is competitive with other practical quantum-secure ZKPs in the literature, with less rounds required, and fewer computations.

Quantum Physics,Cryptography and Security

Tohru Kohrita,Patrick Towa

DOI: https://doi.org/10.1007/s00145-024-09519-0

2024-10-10

Journal of Cryptology

Abstract:A multilinear polynomial is a multivariate polynomial of degree at most one in each variable. This paper introduces a new scheme to commit to multilinear polynomials and to later prove evaluations thereof. The scheme exponentially improves on the added prover costs for evaluation proofs to be zero-knowledge. The construction of the scheme is generic and relies only on the additive homomorphic property of any scheme to commit to univariate polynomials, and on a protocol to prove that committed polynomials satisfy public degree bounds. As the construction requires to check that several committed univariate polynomials do not exceed given, separate bounds, the paper also gives a method to batch executions of any degree-check protocol on homomorphic commitments. For an n -linear polynomial, the instantiation of the scheme with a hiding version of KZG commitments (Kate et al. in: Abe (ed) ASIACRYPT 2010. LNCS, vol 6477, pp 177–194, Springer, Heidelberg, 2010. https://doi.org/10.1007/978-3-642-17373-8_11) leads to a scheme with an evaluation prover that performs only extra (i.e., compared to the variant of the same scheme that is not zero-knowledge) first-group operations to achieve the zero-knowledge property. In contrast, previous constructions require an extra multi-scalar multiplication. The instantiation does so without any concessions on the other performance measures compared to the state of the art.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Hidde Lycklama,Alexander Viand,Nikolay Avramov,Nicolas Küchler,Anwar Hithnawi

2024-09-18

Abstract:The widespread adoption of machine learning (ML) in various critical applications, from healthcare to autonomous systems, has raised significant concerns about privacy, accountability, and trustworthiness. To address these concerns, recent research has focused on developing zero-knowledge machine learning (zkML) techniques that enable the verification of various aspects of ML models without revealing sensitive information. Recent advances in zkML have substantially improved efficiency; however, these efforts have primarily optimized the process of proving ML computations correct, often overlooking the substantial overhead associated with verifying the necessary commitments to the model and data. To address this gap, this paper introduces two new Commit-and-Prove SNARK (CP-SNARK) constructions (Apollo and Artemis) that effectively address the emerging challenge of commitment verification in zkML pipelines. Apollo operates on KZG commitments and requires white-box use of the underlying proof system, whereas Artemis is compatible with any homomorphic polynomial commitment and only makes black-box use of the proof system. As a result, Artemis is compatible with state-of-the-art proof systems without trusted setup. We present the first implementation of these CP-SNARKs, evaluate their performance on a diverse set of ML models, and show substantial improvements over existing methods, achieving significant reductions in prover costs and maintaining efficiency even for large-scale models. For example, for the VGG model, we reduce the overhead associated with commitment checks from 11.5x to 1.2x. Our results suggest that these contributions can move zkML towards practical deployment, particularly in scenarios involving large and complex ML models.

Cryptography and Security

Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-45472-5_14

2014-01-01

Abstract:We propose a non-interactive zero knowledge pairwise multiset sum equality test (PMSET) argument of knowledge in the common reference string (CRS) model that allows a prover to show that the given committed multisets A(j) for j is an element of {1, 2, 3, 4} satisfy A(1) (sic) A(2) = A(3) (sic) A(4), i. e., every element is contained in A(1) and A(2) exactly as many times as in A3 and A(4). As a corollary to the PMSET argument, we present arguments that enable to efficiently verify the correctness of various (multi) set operations, for example, that one committed set is the intersection or union of two other committed sets. The new arguments have constant communication and verification complexity (in group elements and group operations, respectively), whereas the CRS length and the prover's computational complexity are both proportional to the cardinality of the (multi) sets. We show that one can shorten the CRS length at the cost of a small increase of the communication and the verifier's computation.

Tao Lu,Chengkun Wei,Ruijing Yu,Chaochao Chen,Wenjing Fang,Lei Wang,Zeke Wang,Wenzhi Chen

DOI: https://doi.org/10.46586/tches.v2023.i3.194-220

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Zero-knowledge proof is a critical cryptographic primitive. Its most practical type, called zero-knowledge Succinct Non-interactive ARgument of Knowledge (zkSNARK), has been deployed in various privacy-preserving applications such as cryptocurrencies and verifiable machine learning. Unfortunately, zkSNARK like Groth16 has a high overhead on its proof generation step, which consists of several time-consuming operations, including large-scale matrix-vector multiplication (MUL), number-theoretic transform (NTT), and multi-scalar multiplication (MSM). Therefore, this paper presents cuZK, an efficient GPU implementation of zkSNARK with the following three techniques to achieve high performance. First, we propose a new parallel MSM algorithm. This MSM algorithm achieves nearly perfect linear speedup over the Pippenger algorithm, a well-known serial MSM algorithm. Second, we parallelize the MUL operation. Along with our self-designed MSM scheme and well-studied NTT scheme, cuZK achieves the parallelization of all operations in the proof generation step. Third, cuZK reduces the latency overhead caused by CPU-GPU data transfer by 1) reducing redundant data transfer and 2) overlapping data transfer and device computation. The evaluation results show that our MSM module provides over 2.08x (up to 2.94x) speedup versus the state-of-the-art GPU implementation. cuZK achieves over 2.65x (up to 4.86x) speedup on standard benchmarks and 2.18× speedup on a GPU-accelerated cryptocurrency application, Filecoin.

Ling Ren,Sourav Das,Atsuki Momose

DOI: https://doi.org/10.1145/3576915.3623127

2023-11-15

Abstract:The constant-sized polynomial commitment scheme by Kate, Zaverucha, and Goldberg (Asiscrypt 2010), also known as the KZG commitment, is an essential component in designing bandwidth-efficient verifiable secret-sharing (VSS) protocols. We point out, however, that the KZG commitment is missing two important properties that are crucial for VSS protocols. First, the KZG commitment has not been proven to be degree binding in the standard adversary model without idealized group assumptions. In other words, the committed polynomial is not guaranteed to have the claimed degree, which is supposed to be the reconstruction threshold of VSS. Without this property, shareholders in VSS may end up reconstructing different secrets depending on which shares are used. Second, the KZG commitment does not support polynomials with different degrees at once with a single setup. If the reconstruction threshold of the underlying VSS protocol changes, the protocol must redo the setup, which involves an expensive multi-party computation known as the powers of tau setup. In this work, we augment the KZG commitment to address both of these limitations. Our scheme is degree-binding in the standard model under the strong Diffie-Hellman (SDH) assumption. It supports any degree 0 < d ≤ m under a powers-of-tau common reference string with m+ 1 group elements generated by a one-time setup.

Computer Science

Saeid Sahraei,Salman Avestimehr,Ramy E. Ali

DOI: https://doi.org/10.48550/arXiv.2002.00559

2022-03-23

Abstract:We introduce Info-Commit, an information-theoretic protocol for polynomial commitment and verification. With the help of a trusted initializer, a succinct commitment to a private polynomial $f$ is provided to the user. The user then queries the server to obtain evaluations of $f$ at several inputs chosen by the user. The server provides the evaluations along with proofs of correctness which the user can verify against the initial commitment. Info-Commit has four main features. Firstly, the user is able to detect, with high probability, if the server has responded with evaluations of the same polynomial initially committed to. Secondly, Info-Commit provides rigorous privacy guarantees for the server: upon observing the initial commitment and the response provided by the server to $m$ evaluation queries, the user only learns $O(m^2)$ symbols about the coefficients of $f$. Thirdly, the verifiability and the privacy guarantees are unconditional regardless of the computational power of the two parties. Lastly, Info-Commit is doubly-efficient in the sense that in the evaluation phase, the user runs in $O(\sqrt{d})$ time and the server runs in $ O(d)$ time, where $d-1$ is the degree of the polynomial $f$.

Information Theory,Cryptography and Security

Jiaheng Zhang,Tiancheng Xie,Yupeng Zhang,Dawn Song

DOI: https://doi.org/10.1109/sp40000.2020.00052

2020-05-01

Abstract:We present a new succinct zero knowledge argument scheme for layered arithmetic circuits without trusted setup. The prover time is O(C + nlogn) and the proof size is O(D logC +log2 n) for a D-depth circuit with n inputs and C gates. The verification time is also succinct, O(D logC + log2 n), if the circuit is structured. Our scheme only uses lightweight cryptographic primitives such as collision-resistant hash functions and is plausibly post-quantum secure. We implement a zero knowledge argument system, Virgo, based on our new scheme and compare its performance to existing schemes. Experiments show that it only takes 53 seconds to generate a proof for a circuit computing a Merkle tree with 256 leaves, at least an order of magnitude faster than all other succinct zero knowledge argument schemes. The verification time is 50ms, and the proof size is 253KB, both competitive to existing systems. Underlying Virgo is a new transparent zero knowledge verifiable polynomial delegation scheme with logarithmic proof size and verification time. The scheme is in the interactive oracle proof model and may be of independent interest.

Kieran Mastel,William Slofstra

2024-07-30

Abstract:The recent MIP*=RE theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows that the complexity class MIP* of multiprover proof systems with entangled provers contains all recursively enumerable languages. Prior work of Grilo, Slofstra, and Yuen [FOCS '19] further shows (via a technique called simulatable codes) that every language in MIP* has a perfect zero knowledge (PZK) MIP* protocol. The MIP*=RE theorem uses two-prover one-round proof systems, and hence such systems are complete for MIP*. However, the construction in Grilo, Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect zero knowledge with two provers via simulatable codes. This leads to a natural question: are there two-prover PZK-MIP* protocols for all of MIP*? In this paper, we show that every language in MIP* has a two-prover one-round PZK-MIP* protocol, answering the question in the affirmative. For the proof, we use a new method based on a key consequence of the MIP*=RE theorem, which is that every MIP* protocol can be turned into a family of boolean constraint system (BCS) nonlocal games. This makes it possible to work with MIP* protocols as boolean constraint systems, and in particular allows us to use a variant of a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto '92] which gives a classical MIP protocol for 3SAT with perfect zero knowledge. To show quantum soundness of this classical construction, we develop a toolkit for analyzing quantum soundness of reductions between BCS games, which we expect to be useful more broadly. This toolkit also applies to commuting operator strategies, and our argument shows that every language with a commuting operator BCS protocol has a two prover PZK commuting operator protocol.

Quantum Physics,Computational Complexity

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Gennaro Avitabile,Vincenzo Botta,Daniele Friolo,Daniele Venturi,Ivan Visconti

DOI: https://doi.org/10.1007/s00145-024-09532-3

2024-11-28

Journal of Cryptology

Abstract:At CRYPTO '94, Cramer, Damgård, and Schoenmakers introduced a general technique for constructing honest-verifier zero-knowledge proofs of partial knowledge (PPK), where a prover Alice wants to prove to a verifier Bob she knows witnesses for claims out of claims without revealing the indices of those claims. Their solution starts from a base honest-verifier zero-knowledge proof of knowledge and requires to run in parallel execution of the base protocol, giving a complexity of , where is the communication complexity of the base protocol. However, modern practical scenarios require communication-efficient zero-knowledge proofs tailored to handle partial knowledge in specific application-dependent formats. In this paper, we propose a technique to compose a large class of -protocols for atomic statements into -protocols for PPK over formulae in conjunctive normal form (CNF) that overlap, in the sense that there is a common subset of literals among all clauses of the formula. In such formulae, the statement is expressed as a conjunction of clauses, each of which consists of a disjunction of literals (i.e., each literal is an atomic statement) and literals are shared among clauses. The prover, for a threshold parameter , proves knowledge of at least witnesses for distinct literals in each clause. At the core of our protocol, there is a new technique to compose -protocols for regular CNF relations (i.e., when ) that exploits the overlap among clauses and that we then generalize to formulae where providing improvements over state-of-the-art constructions.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Marcel Keller

DOI: https://doi.org/10.1145/3372297.3417872

2020-10-30

Abstract:Multi-Protocol SPDZ (MP-SPDZ) is a fork of SPDZ-2 (Keller et al., CCS &#x27;13), an implementation of the multi-party computation (MPC) protocol called SPDZ (Damgård et al., Crypto &#x27;12). MP-SPDZ extends SPDZ-2 to 30 MPC protocol variants, all of which can be used with the same high-level programming interface based on Python. This considerably simplifies comparing the cost of different protocols and security models. The protocols cover all commonly used security models (honest/dishonest majority and semi-honest/malicious corruption) as well as computation of binary and arithmetic circuits (the latter modulo primes and powers of two). The underlying primitives employed include secret sharing, oblivious transfer, homomorphic encryption, and garbled circuits. The breadth of implemented protocols coupled with an accessible high-level interface makes it suitable to benchmark the cost of computation in various security models for researchers both with and without a background in secure computation This paper aims to outline the variety of protocols implemented and the design choices made in the development of MP-SPDZ as well as the capabilities of the programming interface.

ZhenHua Chen,WeiGuo Zhang,ShunDong Li,DaoShun Wang,Qiong Huang

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.05.013

2017-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Secure multiparty computation of set membership is significant to privacy-preserving data mining,data query,etc.In this paper,we first transform the original problem into the one-time evaluation problem for polynomial,and then construct four protocols.We design the trivial protocol 1 using homomorphic encryption and construct the efficient protocol 2 using discrete logarithm instead of encryption,which is very concise.Lastly,according to the different application scenarios,we also propose protocol 3 and protocol 4:the former can be used to outsource computation in cloud computing environment;the latter can be used for public secure computation against repudiation.The analysis and comparison show that our protocols are more efficient and concise than previously known.

Mohammed Alghazwi,Tariq Bontekoe,Leon Visscher,Fatih Turkmen

2024-07-27

Abstract:Non-interactive zero-knowledge (NIZK) proofs of knowledge have proven to be highly relevant for securely realizing a wide array of applications that rely on both privacy and correctness. They enable a prover to convince any party of the correctness of a public statement for a secret witness. However, most NIZKs do not natively support proving knowledge of a secret witness that is distributed over multiple provers. Previously, collaborative proofs [51] have been proposed to overcome this limitation. We investigate the notion of composability in this setting, following the Commit-and-Prove design of LegoSNARK [17]. Composability allows users to combine different, specialized NIZKs (e.g., one arithmetic circuit, one boolean circuit, and one for range proofs) with the aim of reducing the prove generation time. Moreover, it opens the door to efficient realizations of many applications in the collaborative setting such as mutually exclusive prover groups, combining collaborative and single-party proofs and efficiently implementing publicly auditable MPC (PA-MPC). We present the first, general definition for collaborative commit-and-prove NIZK (CP-NIZK) proofs of knowledge and construct distributed protocols to enable their realization. We implement our protocols for two commonly used NIZKs, Groth16 and Bulletproofs, and evaluate their practicality in a variety of computational settings. Our findings indicate that composability adds only minor overhead, especially for large circuits. We experimented with our construction in an application setting, and when compared to prior works, our protocols reduce latency by 18-55x while requiring only a fraction (0.2%) of the communication.

Cryptography and Security

Chengdong Tao,Hong Xiang,Albrecht Petzoldt,Jintai Ding

DOI: https://doi.org/10.1016/j.ffa.2015.06.001

IF: 1.655

2015-01-01

Finite Fields and Their Applications

Abstract:Multivariate cryptography is one of the main candidates to guarantee the security of communication in the presence of quantum computers. While there exist a large number of secure and efficient multivariate signature schemes, the number of practical multivariate encryption schemes is somewhat limited. In this paper we present our results on creating a new multivariate encryption scheme, which is an extension of the original Simple Matrix encryption scheme of PQCrypto 2013. Our scheme allows fast en- and decryption and resists all known attacks against multivariate cryptosystems. Furthermore, we present a new idea to solve the decryption failure problem of the original Simple Matrix encryption scheme. (C) 2015 Elsevier Inc. All rights reserved.

Xiao Mingjun,Huang Liusheng,Liu An,Han Kai

IF: 1.019

2007-01-01

Chinese Journal of Electronics

Abstract:Oblivious polynomial evaluation protocol is one of the fundamental protocols in secure multi-party computation domain. The existing oblivious polynomial evaluation protocol, only handling the univariate polynomial evaluation problems, is not enough to meet the demands in practice. In this paper, we propose a multivariate oblivious polynomial evaluation protocol depending on secure two-party scalar product protocol and homomorphic encryption scheme. To the best of our knowledge, this protocol is the first one to cope with both the univariate and multivariate oblivious polynomial evaluation problems. When we use our protocol and the existing one to solve the univariate oblivious polynomial evaluation problem, the performance analysis shows that at a same security level, the communication and computational overheads of our protocol are approximate O(1/root vertical bar N vertical bar log vertical bar N vertical bar) times of those of the existing protocol, where vertical bar N vertical bar is the number of bits of the modulus N of the public key encryption schemes used in the two protocols.

Weiliang Ma,Qian Xiong,Xuanhua Shi,Xiaosong Ma,Hai Jin,Haozhao Kuang,Mingyu Gao,Ye Zhang,Haichen Shen,Weifang Hu

DOI: https://doi.org/10.1145/3575693.3575711

2023-01-01

Abstract:Zero-knowledge proof (ZKP) is a cryptographic protocol that allows one party to prove the correctness of a statement to another party without revealing any information beyond the correctness of the statement itself. It guarantees computation integrity and confidentiality, and is therefore increasingly adopted in industry for a variety of privacy-preserving applications, such as verifiable outsource computing and digital currency. A significant obstacle in using ZKP for online applications is the performance overhead of its proof generation. We develop GZKP, a GPU accelerated zero-knowledge proof system that supports different levels of security requirements and brings significant speedup toward making ZKP truly usable. For polynomial computation over a large finite field, GZKP promotes a cache-friendly memory access pattern while eliminating the costly external shuffle in existing solutions. For multi-scalar multiplication, GZKP adopts a new parallelization strategy, which aggressively combines integer elliptic curve point operations and exploits fine-grained task parallelism with load balancing for sparse integer distribution. GZKP outperforms the state-of-the-art ZKP systems by an order of magnitude, achieving up to 48.1x and 17.6x speedup with standard cryptographic benchmarks and a real-world application workload, respectively.

Sanket Kanjalkar,Ye Zhang,Shreyas Gandlur,Andrew Miller

DOI: https://doi.org/10.48550/arXiv.2107.04248

2021-07-09

Abstract:In recent years, multiparty computation as a service (MPCaaS) has gained popularity as a way to build distributed privacy-preserving systems. We argue that for many such applications, we should also require that the MPC protocol is publicly auditable, meaning that anyone can check the given computation is carried out correctly -- even if the server nodes carrying out the computation are all corrupt. In a nutshell, the way to make an MPC protocol auditable is to combine an underlying MPC protocol with verifiable computing proof (in particular, a SNARK). Building a general-purpose MPCaaS from existing constructions would require us to perform a costly "trusted setup" every time we wish to run a new or modified application. To address this, we provide the first efficient construction for auditable MPC that has a one-time universal setup. Despite improving the trusted setup, we match the state-of-the-art in asymptotic performance: the server nodes incur a linear computation overhead and constant round communication overhead compared to the underlying MPC, and the audit size and verification are logarithmic in the application circuit size. We also provide an implementation and benchmarks that support our asymptotic analysis in example applications. Furthermore, compared with existing auditable MPC protocols, besides offering a universal setup our construction also has a 3x smaller proof, 3x faster verification time and comparable prover time.

Cryptography and Security