From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again

Bitansky, Nir; Canetti, Ran; Chiesa, Alessandro; Tromer, Eran

doi:10.1145/2090236.2090263

Cited by 343 publications

(249 citation statements)

References 79 publications

Supporting

Mentioning

247

Contrasting

Order By: Relevance

“…This construction closely follows the intuition above (which is itself inspired by the "targeted malleability" construction of Boneh et al [6]): malleability is achieved by proving knowledge of either a fresh witness or a previous instance and proof, and a transformation from that instance to the current one. As observed by Bitansky et al [3,4], care must be taken with this kind of recursive composition of SNARGs, as the size of the extractor can quickly blow up as we continue to extract proofs from other proofs; we can therefore construct t-tiered malleable SNARGs (i.e., SNARGs malleable with respect to the class of all t-tiered transformations) for only constant t. Furthermore, a formal treatment of our particular recursive technique reveals that a stronger notion of extraction, in which the extractor gets to see not only the random tape but also the code for the adversary, is necessary for both our construction and the original one of Boneh et al…”

Section: Introductionsupporting

confidence: 53%

“…Proofs of this kind were first shown to exist by Micali in 2000 [26], who used the Fiat-Shamir heuristic [15] to eliminate the interaction in previous succinct arguments. More recently, Groth provided a construction using pairings [22] which was improved by Lipmaa [25], Bitansky et al [3] constructed designated-verifier SNARGs using the new notion of extractable collision-resistant hash functions, and Gennaro et al [17] constructed constant-sized SNARGs with a relatively short common reference string. Our definition is based primarily on that of Boneh et al [6], although for the succinctness property we incorporate the definition of Gentry and Wichs [19] as well.…”

Section: Succinct Non-interactive Arguments Of Knowledgementioning

confidence: 99%

See 1 more Smart Citation

Succinct Malleable NIZKs and an Application to Compact Shuffles

Chase

Kohlweiss

Lysyanskaya

et al. 2013

Theory of Cryptography

View full text Add to dashboard Cite

Abstract. Depending on the application, malleability in cryptography can be viewed as either a flaw or -especially if sufficiently understood and restricted -a feature. In this vein, Chase, Kohlweiss, Lysyanskaya, and Meiklejohn recently defined malleable zero-knowledge proofs, and showed how to control the set of allowable transformations on proofs.As an application, they construct the first compact verifiable shuffle, in which one such controlled-malleable proof suffices to prove the correctness of an entire multi-step shuffle.Despite these initial steps, a number of natural problems remained: (1) their construction of controlled-malleable proofs relies on the inherent malleability of Groth-Sahai proofs and is thus not based on generic primitives; (2) the classes of allowable transformations they can support are somewhat restrictive.In this paper, we address these issues by providing a generic construction of controlled-malleable proofs using succinct non-interactive arguments of knowledge, or SNARGs for short. Our construction can support very general classes of transformations, as we no longer rely on the transformations that Groth-Sahai proofs can support.

show abstract

Section: Introductionsupporting

confidence: 53%

Section: Succinct Non-interactive Arguments Of Knowledgementioning

confidence: 99%

Succinct Malleable NIZKs and an Application to Compact Shuffles

Chase

Kohlweiss

Lysyanskaya

et al. 2013

Theory of Cryptography

View full text Add to dashboard Cite

show abstract

“…However, in the fully malicious setting, we would also require P * to prove that the resulting ciphertext is the correct one, using a computationally-sound proof system with a fixed polynomial (in the security parameter) verification complexity. Such non-interactive proofs are known to exist in the random-oracle model or under strong assumptions [27,7,20,14].…”

Section: Variants and Optimizationsmentioning

confidence: 99%

“…Moreover, the protocol consists of only two rounds of interaction, which is optimal (matching [34]). 7 MPC via Threshold FHE. Since FHE solves the secure computation problem for two semi-honest parties, it is natural to ask whether we can extend the above template to the general case of many fully malicious parties.…”

Section: Introductionmentioning

confidence: 99%

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE

Asharov

Jain

López-Alt

et al. 2012

Lecture Notes in Computer Science

Self Cite

320

184

View full text Add to dashboard Cite

Abstract. Fully homomorphic encryption (FHE) enables secure computation over the encrypted data of a single party. We explore how to extend this to multiple parties, using threshold fully homomorphic encryption (TFHE). In such scheme, the parties jointly generate a common FHE public key along with a secret key that is shared among them; they can later cooperatively decrypt ciphertexts without learning anything but the plaintext. We show how to instantiate this approach efficiently, by extending the recent FHE schemes of Brakerski, Gentry and Vaikuntanathan (CRYPTO '11, FOCS '11, ITCS '12) based on the (ring) learning with errors assumption. Our main tool is to exploit the property that such schemes are additively homomorphic over their keys. Using TFHE, we construct simple multiparty computation protocols secure against fully malicious attackers, tolerating any number of corruptions, and providing security in the universal composability framework. Our protocols have the following properties: Low interaction: 3 rounds of interaction given a common random string, or 2 rounds with a public-key infrastructure. Low communication: independent of the function being computed (proportional to just input and output sizes). Cloud-assisted computation: the bulk of the computation can be efficiently outsourced to an external entity (e.g. a cloud service) so that the computation of all other parties is independent of the complexity of the evaluated function.

show abstract

“…Our SCC model is strongly related to the model of computationallysound proofs, introduced by Micali in 1994 [29], and to the subsequent works on succinct non-interactive arguments (SNARGs) by Groth [23], Bitansky et al [4,5] and Gennaro et al [16]. The main connection is that both SCC and SNARGs models are non-interactive and publicly verifiable (CS proofs can also be non-interactive in the random oracle model), i.e., a publicly verifiable proof can be computed independently from (and with no communication with) the verifier.…”

Section: Related Workmentioning

confidence: 99%

Signatures of Correct Computation

Papamanthou

Shi

Tamassia

2013

Lecture Notes in Computer Science

131

View full text Add to dashboard Cite

We introduce Signatures of Correct Computation (SCC), a new model for verifying dynamic computations in cloud settings. In the SCC model, a trusted source outsources a function f to an untrusted server, along with a public key for that function (to be used during verification). The server can then produce a succinct signature σ vouching for the correctness of the computation of f , i.e., that some result v is indeed the correct outcome of the function f evaluated on some point a. There are two crucial performance properties that we want to guarantee in an SCC construction: (1) verifying the signature should take asymptotically less time than evaluating the function f ; and (2) the public key should be efficiently updated whenever the function changes.We construct SCC schemes (satisfying the above two properties) supporting expressive manipulations over multivariate polynomials, such as polynomial evaluation and differentiation. Our constructions are adaptively secure in the random oracle model and achieve optimal updates, i.e., the function's public key can be updated in time proportional to the number of updated coefficients, without performing a linear-time computation (in the size of the polynomial).We also show that signatures of correct computation imply Publicly Verifiable Computation (PVC), a model recently introduced in several concurrent and independent works. Roughly speaking, in the SCC model, any client can verify the signature σ and be convinced of some computation result, whereas in the PVC model only the client that issued a query (or anyone who trusts this client) can verify that the server returned a valid signature (proof) for the answer to the query. Our techniques can be readily adapted to construct PVC schemes with adaptive security, efficient updates and without the random oracle model.

show abstract

From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again

Cited by 343 publications

References 79 publications

Succinct Malleable NIZKs and an Application to Compact Shuffles

Succinct Malleable NIZKs and an Application to Compact Shuffles

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE

Signatures of Correct Computation

Contact Info

Product

Resources

About