IA Scholar Query: Fiat-Shamir for Highly Sound Protocols is Instantiable.
https://scholar.archive.org/
Internet Archive Scholar query results feed (en). Contact: info@archive.org. Sun, 18 Sep 2022 00:00:00 GMT. Generator: fatcat-scholar. Help: https://scholar.archive.org/help

Proofs of Proof-of-Stake with Sublinear Complexity
https://scholar.archive.org/work/zhqqyy4qwvcmpg745x5l6vjnuu
Popular Ethereum wallets (e.g., MetaMask) entrust centralized infrastructure providers (e.g., Infura) to run the consensus client logic on their behalf. As a result, these wallets are lightweight and highly performant, but come with security risks. A malicious provider can completely mislead the wallet, e.g., fake payments and balances, or censor transactions. On the other hand, light clients, which are not in popular use today, allow decentralization, but at inefficient linear bootstrapping complexity. This poses a dilemma between decentralization and performance. In this paper, we design, implement, and evaluate a new proof-of-stake (PoS) superlight client with logarithmic bootstrapping complexity. Our key insight is to leverage the standard existential honesty assumption, i.e., that the verifier (client) is connected to at least one honest prover (full node). The proofs of PoS take the form of a Merkle tree of PoS epochs. The verifier enrolls the provers in a bisection game, in which the honest prover is destined to win once an adversarial Merkle tree is challenged at sufficient depth. We implement a complete client that is compatible with mainnet PoS Ethereum to evaluate our construction: compared to the current light client construction proposed for PoS Ethereum, our client improves time-to-completion by 9x, communication by 180x, and energy usage by 30x. We prove our construction secure and show how to employ it for other proof-of-stake systems such as Cardano, Algorand, and Snow White.

Shresth Agrawal, Joachim Neu, Ertem Nusret Tas, Dionysis Zindros (Sun, 18 Sep 2022 00:00:00 GMT)

Fiat-Shamir for Proofs Lacks a Proof Even in the Presence of Shared Entanglement
https://scholar.archive.org/work/jztthakf7rbz5lvfrtvj7ytlpy
We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the Common Reference Quantum State (CRQS) model, in analogy to the well-known Common Reference String (CRS). The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a Weak One-Time Random Oracle (WOTRO), where we only ask of the m-bit output to have some randomness when conditioned on the n-bit input. We show that when n-m ∈ ω( n), any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out the possibility of proving the computational security of a scheme by a black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQ$ model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where m=n, then hash the output. The impossibility of WOTRO has the following consequences. First, we show the black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC '13) to the CRQS model. Second, we show a black-box impossibility result for a strengthened version of quantum lightning (Zhandry, Eurocrypt '19) where quantum bolts have an additional parameter that cannot be changed without generating new bolts.

Frédéric Dupuis, Philippe Lamontagne, Louis Salvail (Mon, 12 Sep 2022 00:00:00 GMT)

LIPIcs, Volume 230, ITC 2022, Complete Volume
https://scholar.archive.org/work/x5cobg6anzbgjazexwg7mkanie
LIPIcs, Volume 230, ITC 2022, Complete Volume

Dana Dachman-Soled (Thu, 30 Jun 2022 00:00:00 GMT)

Accountable Private Set Cardinality for Distributed Measurement
https://scholar.archive.org/work/p6yktwnj6basbi2r3qsorpanwq
We introduce cryptographic protocols for securely and efficiently computing the cardinality of set union and set intersection. Our private set-cardinality protocols (PSC) are designed for the setting in which a large set of parties in a distributed system makes observations, and a small set of parties with more resources and higher reliability aggregates the observations. PSC allows for secure and useful statistics gathering in privacy-preserving distributed systems. For example, it allows operators of anonymity networks such as Tor to securely answer the questions: "How many unique users are using the network?" and "How many hidden services are being accessed?". We prove the correctness and security of PSC in the Universal Composability framework against an active adversary that compromises all but one of the aggregating parties. Although successful output cannot be guaranteed in this setting, PSC either succeeds or terminates with an abort, and we furthermore make the adversary accountable for causing an abort by blaming at least one malicious party. We also show that PSC prevents adaptive corruption of the data parties from revealing past observations, which prevents them from being victims of targeted compromise, and we ensure safe measurements by making outputs differentially private. We present a proof-of-concept implementation of PSC and use it to demonstrate that PSC operates with low computational overhead and reasonable bandwidth. It can count tens of thousands of unique observations from tens to hundreds of data-collecting parties while completing within hours. PSC is thus suitable for daily measurements in a distributed system.

Ellis Fenske, Akshaya Mani, Aaron Johnson, Micah Sherr (Thu, 30 Jun 2022 00:00:00 GMT)

Verifiable Quantum Advantage without Structure
https://scholar.archive.org/work/lm5w3p62lvawpclekske5xvjq4
We show the following hold, unconditionally unless otherwise stated, relative to a random oracle with probability 1:
- There are NP search problems solvable by BQP machines but not BPP machines.
- There exist functions that are one-way, and even collision resistant, against classical adversaries but are easily inverted quantumly. Similar separations hold for digital signatures and CPA-secure public key encryption (the latter requiring the assumption of a classically CPA-secure encryption scheme). Interestingly, the separation does not necessarily extend to the case of other cryptographic objects such as PRGs.
- There are unconditional publicly verifiable proofs of quantumness with the minimal rounds of interaction: for uniform adversaries, the proofs are non-interactive, whereas for non-uniform adversaries the proofs are two message public coin.
- Our results do not appear to contradict the Aaronson-Ambanis conjecture. Assuming this conjecture, there exist publicly verifiable certifiable randomness, again with the minimal rounds of interaction.
By replacing the random oracle with a concrete cryptographic hash function such as SHA2, we obtain plausible Minicrypt instantiations of the above results. Previous analogous results all required substantial structure, either in terms of highly structured oracles and/or algebraic assumptions in Cryptomania and beyond.

Takashi Yamakawa, Mark Zhandry (Fri, 17 Jun 2022 00:00:00 GMT)

Secure authentication and key agreement via abstract multi-agent interaction
https://scholar.archive.org/work/wgr4y3q6l5fmxdz6fgmpp5ox2q
Authentication and key agreement are the foundation for secure communication over the Internet. Authenticated Key Exchange (AKE) protocols provide methods for communicating parties to authenticate each other, and establish a shared session key by which they can encrypt messages in the session. Within the category of AKE protocols, symmetric AKE protocols rely on pre-shared master keys for both services. These master keys can be transformed after each session in a key-evolving scheme to provide the property of forward secrecy, whereby the compromise of master keys does not allow for the compromise of past session keys. This thesis contributes a symmetric AKE protocol named AMI (Authentication via Multi-Agent Interaction). The AMI protocol is a novel formulation of authentication and key agreement as a multi-agent system, where communicating parties are treated as autonomous agents whose behavior within the protocol is governed by private agent models used as the master keys. Parties interact repeatedly using their behavioral models for authentication and for agreeing upon a unique session key per communication session. These models are evolved after each session to provide forward secrecy. The security of the multi-agent interaction process rests upon the difficulty of modeling an agent's decisions from limited observations about its behavior, a long-standing problem in AI research known as opponent modeling. We conjecture that it is difficult to efficiently solve even by a quantum computer, since the problem is fundamentally one of missing information rather than computational hardness. We show empirically that the AMI protocol achieves high accuracy in correctly identifying legitimate agents while rejecting different adversarial strategies from the security literature. We demonstrate the protocol's resistance to adversarial agents which utilize random, replay, and maximum-likelihood estimation (MLE) strategies to bypass the authentication test. The random strategy chooses actions randomly without attempting to m [...]

Ibrahim Hassan Ahmed, University Of Edinburgh, Stefano Albrecht, Tariq Elahi (Fri, 17 Jun 2022 00:00:00 GMT)

Topos: A Secure, Trustless, and Decentralized Interoperability Protocol
https://scholar.archive.org/work/ybjdyb2xnbgyxjgczqg62oboqu
Topos is an open interoperability protocol designed to reduce trust assumptions as much as possible by replacing them with cryptographic constructions and decentralization, while exhibiting massive scalability. The protocol does not make use of a central blockchain, nor does it use consensus to ensure consistent delivery of messages across a heterogeneous ecosystem of public and private blockchains, named subnets; instead it relies on a weak causal reliable broadcast implemented by a distributed network which we call the Transmission Control Engine (TCE). The validity of cross-subnet messages is ensured by the Universal Certificate Interface (UCI) and stems from zkSTARK proofs asserting the validity of subnets' state transitions executed by the Topos zkVM. Such proofs of computational integrity are publicly verifiable by any other participants in and out of the protocol, such as other subnets or audit companies. The interface between the TCE and subnets leverages the ICE-FROST protocol, an innovative threshold signature scheme, whose static public key allows for uniquely identifying subnets after they register in the protocol. The Topos protocol is designed to provide uniform security to the ecosystem and to handle any type of subnet (e.g., permissioned, permissionless) in order to fit any business use case and pave the way for global adoption and a new standard for the Internet base layer.

Théo Gauthier, Sébastien Dan, Monir Hadji, Antonella Del Pozzo, Yackolley Amoussou-Guenou (Tue, 07 Jun 2022 00:00:00 GMT)

Post-quantum Privacy-Preserving Primitives Constructed with Symmetric Primitives
https://scholar.archive.org/work/zqftwputurcgbmgbecnhqjxi7u
With digital privacy being one of society's main concerns, this thesis focuses on designing privacy-preserving primitives to meet future quantum computer security demands. In particular, we focus on group and ring signatures, which allow a member to anonymously sign messages on behalf of a group. This thesis designs new post-quantum group and ring signatures based exclusively on symmetric primitives to provide post-quantum security, which leads to four major contributions: the design of three different fully dynamic group signatures and the development of a new generic construction for an ID-based ring signature. This thesis also demonstrates the importance of symmetric-based primitives to face the democratization of quantum computers.

Maxime Buser (Thu, 28 Apr 2022 00:00:00 GMT)

Blockchain-based Federated Learning with Data Verification through Zero-Knowledge Proofs
https://scholar.archive.org/work/5imhwh3eerd2vbvnkl4iquomfu
The Internet of Things is expanding rapidly and generating ever more data, which equips modern artificial intelligence with the data resources needed to make precise predictions. State-of-the-art distributed learning systems use this data and conventionally train their models in a centralized cloud that provides very large amounts of computing power to process all the data. Concerns about data protection and the centralization of this kind of system have grown recently. Data generated by devices in the Internet of Things often contain highly sensitive information and are therefore vulnerable to attacks, either while the data is in transit or on the cloud servers themselves. To solve this problem, federated learning was developed, which ensures that sensitive data need not leave the devices, promising a high degree of privacy. Furthermore, the cloud provider industry is highly consolidated, so that Internet of Things devices participating in federated learning have only a few options to choose from when selecting the cloud provider that aggregates the local model updates. Fraudulent, malicious or simply negligent behaviour by cloud providers can lead to the exploitation of the users of these devices. This problem is compounded by the fact that the procedure by which the cloud trains the federated learning model is usually not transparent to the public. Users who provide the data for training the model therefore have no insight into what their data is used for. A blockchain-based federated learning model solves this problem of opacity by using smart contracts to execute the federated learning. These are inherently known to the public since they can be inspected on the blockchain. However, a blockchain-based federated learning approach still has weaknesses when it comes to [...]

Nikolas Haimerl, Stefan Schulte (Fri, 01 Apr 2022 00:00:00 GMT)

Efficient Set Membership Proofs using MPC-in-the-Head
https://scholar.archive.org/work/db3amuobcfeq5emdkijmbezsam
Set membership proofs are an invaluable part of privacy preserving systems. These proofs allow a prover to demonstrate knowledge of a witness w corresponding to a secret element x of a public set, such that they jointly satisfy a given NP relation, i.e. ℛ(w, x) = 1 and x is a member of a public set {x_1, ..., x_ℓ}. This allows the identity of the prover to remain hidden, e.g., in ring signatures and confidential transactions in cryptocurrencies. In this work, we develop a new technique for efficiently adding logarithmic-sized set membership proofs to any MPC-in-the-head based zero-knowledge protocol (Ishai et al. [STOC'07]). We integrate our technique into an open source implementation of the state-of-the-art, post quantum secure zero-knowledge protocol of Katz et al. [CCS'18]. We find that using our techniques to construct ring signatures results in signatures (based only on symmetric key primitives) that are between 5 and 10 times smaller than state-of-the-art techniques based on the same assumptions. We also show that our techniques can be used to efficiently construct post-quantum secure RingCT from only symmetric key primitives.

Aarushi Goel, Matthew Green, Mathias Hall-Andersen, Gabriel Kaptchuk (Thu, 03 Mar 2022 00:00:00 GMT)

Foundations of decentralised privacy
https://scholar.archive.org/work/bid4o2gkj5alxbwjmzc3s426ge
Distributed ledgers, and specifically blockchains, have been an immensely popular investment in the past few years. The heart of their popularity is due to their novel approach toward financial assets: They replace the need for central, trusted institutions such as banks with cryptography, ensuring no one entity has authority over the system. In the light of record distrust in many established institutions, this is attractive both as a method to combat institutional control and to demonstrate transparency. What better way to manage distrust than to embrace it? While distributed ledgers have achieved great things in removing the need to trust institutions, most notably the creation of fully decentralised assets, their practice falls short of the idealistic goals often seen in the field. One of their greatest shortcomings lies in a fundamental conflict with privacy. Distributed ledgers and surrounding technologies rely heavily on the transparent replication of data, a practice which makes keeping anything hidden very difficult. This thesis makes use of the powerful cryptography of succinct non-interactive zero-knowledge proofs to provide a foundation for re-establishing privacy in the decentralised setting. It discusses the security assumptions and requirements of succinct zero-knowledge proofs at length, establishing a new framework for handling security proofs about them, and reducing the setup required to that already present in commonly used distributed ledgers. It further demonstrates the possibility of privacy-preserving proof-of-stake, removing the need for costly proofs-of-work for a privacy-focused distributed ledger. Finally, it lays out a solid foundation for a smart contract system supporting privacy, putting into the hands of contract authors the tools necessary to innovate and introduce new privacy features.

Thomas Kerber, University Of Edinburgh, Aggelos Kiayias, Markulf Kohlweiss (Tue, 01 Feb 2022 00:00:00 GMT)

PCPs and Instance Compression from a Cryptographic Lens
https://scholar.archive.org/work/i5uxstb5mnexbiypampzsslhnm
Modern cryptography fundamentally relies on the assumption that the adversary trying to break the scheme is computationally bounded. This assumption lets us construct cryptographic protocols and primitives that are known to be impossible otherwise. In this work we explore the effect of bounding the adversary's power in other information theoretic proof-systems and show how to use this assumption to bypass impossibility results. We first consider the question of constructing succinct PCPs. These are PCPs whose length is polynomial only in the length of the original NP witness (in contrast to standard PCPs whose length is proportional to the non-deterministic verification time). Unfortunately, succinct PCPs are known to be impossible to construct under standard complexity assumptions. Assuming the sub-exponential hardness of the learning with errors (LWE) problem, we construct succinct probabilistically checkable arguments or PCAs (Kalai and Raz 2009), which are PCPs in which soundness is guaranteed against efficiently generated false proofs. Our PCA construction is for every NP relation that can be verified by a small-depth circuit (e.g., SAT, clique, TSP, etc.) and in contrast to prior work is publicly verifiable and has constant query complexity. Curiously, we also show, as a proof-of-concept, that such publicly-verifiable PCAs can be used to derive hardness of approximation results. Second, we consider the notion of Instance Compression (Harnik and Naor, 2006). An instance compression scheme lets one compress, for example, a CNF formula φ on m variables and n ≫ m clauses to a new formula φ' with only poly(m) clauses, so that φ is satisfiable if and only if φ' is satisfiable. Instance compression has been shown to be closely related to succinct PCPs and is similarly highly unlikely to exist. We introduce a computational analog of instance compression in which we require that if φ is unsatisfiable then φ' is effectively unsatisfiable, in the sense that it is computationally infeasible to find a satisfying a [...]

Liron Bronfman, Ron D. Rothblum, Mark Braverman (Tue, 25 Jan 2022 00:00:00 GMT)

Decentralized, Privacy-Preserving, Single Sign-On
https://scholar.archive.org/work/bsxopj5c3bgldavsgh3io6uc44
In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of security and availability. From a security perspective, a main threat is theft of authentication reference data stored with identity providers. An adversary could easily abuse such data to mount an offline dictionary attack for obtaining the underlying password or biometric. From a privacy perspective, identity providers are able to track user activity and control sensitive user data. In terms of availability, users rely on trusted third-party servers that need to be available during authentication. We propose a novel decentralized privacy-preserving single sign-on scheme through the Decentralized Anonymous Multi-Factor Authentication (DAMFA), a new authentication scheme where identity providers no longer require sensitive user data and can no longer track individual user activity. Moreover, our protocol eliminates dependence on an always-on identity provider during user authentication, allowing service providers to authenticate users at any time without interacting with the identity provider. Our approach builds on threshold oblivious pseudorandom functions (TOPRF) to improve resistance against offline attacks and uses a distributed transaction ledger to improve availability. We prove the security of DAMFA in the universal composability (UC) model by defining a UC definition (ideal functionality) for DAMFA and formally proving the security of our scheme via ideal-real simulation. Finally, we demonstrate the practicability of our proposed scheme through a prototype implementation.

Omid Mir, Michael Roland, René Mayrhofer, David Meghias (Sat, 22 Jan 2022 00:00:00 GMT)

Efficient NIZKs from LWE via Polynomial Reconstruction and "MPC in the Head"
https://scholar.archive.org/work/z4e7d6guqfdcjafubkykbiqhxa
All existing methods of building non-interactive zero-knowledge (NIZK) arguments for NP from the Learning With Errors (LWE) assumption have relied on instantiating the Fiat-Shamir paradigm on a parallel repetition of an underlying honest-verifier zero knowledge (HVZK) Σ-protocol, via an appropriately built correlation-intractable (CI) hash function from LWE. This technique has inherent efficiency losses that arise from parallel repetition. In this work, we build the first NIZK argument for NP from the LWE assumption that does not rely on parallel repetition. Instead, we show how to make use of the more efficient "MPC in the Head" technique for building an underlying honest-verifier protocol upon which to apply the Fiat-Shamir paradigm. The key to making this possible is a new construction of CI hash functions from LWE, using efficient algorithms for polynomial reconstruction as the main technical tool. We stress that our work provides a new and more efficient "base construction" for building LWE-based NIZK arguments for NP. Our protocol can be the building block around which other efficiency-focused bootstrapping techniques can be applied, such as the bootstrapping technique of Gentry et al. (Journal of Cryptology 2015).

Riddhi Ghosal, Paul Lou, Amit Sahai

Zero Knowledge Proofs of Elliptic Curve Inner Products from Principal Divisors and Weil Reciprocity
https://scholar.archive.org/work/vlo6aqdg7fdmdmgfd3q4zuf3gq
Zero Knowledge proofs of Elliptic Curve Inner Products (ECIPs) and elliptic curve operations more generally are an increasingly important part of zero knowledge protocols and a significant bottleneck in recursive proof composition over amicable cycles of elliptic curves. To prove ECIPs more efficiently, I represent a collection of points that sum to zero using a polynomial element of the function field and evaluate this function at a random principal divisor. By Weil reciprocity, this is equal to the function interpolating the random divisor evaluated at the original points. Taking the logarithmic derivative of both expressions allows the prover to use a similar technique to the Bulletproofs++ permutation argument and take linear combinations of logarithmic derivatives of divisor witnesses and collect terms for the same basis point by adding the multiplicities. The linear combination can be random or can be structured to cancel intermediate points in computing the sum. Since the multiplicities are field elements, this system can prove ECIP relations in zero knowledge with respect to the linear combination, the curve points, or both. Compared to existing techniques, the witness size is reduced by up to a factor of 10 and the number of multiplications by a factor of about 100 with significantly more flexibility in the organization of the protocol. The specific improvement will depend on the instantiating proof system, number of curve points, and which information is zero knowledge. This technique also works, with small modification, for proving multiexponentiations in the multiplicative group of the field.

Liam Eagen

AntMan: Interactive Zero-Knowledge Proofs with Sublinear Communication
https://scholar.archive.org/work/j5ffb3svlnaadjqg3zwwk5jw6a
Recent works on interactive zero-knowledge (ZK) protocols provide a new paradigm with high efficiency and scalability. However, these protocols suffer from high communication overhead, often linear to the circuit size. In this paper, we propose two new ZK protocols with communication sublinear to the circuit size, while maintaining a similar level of computational efficiency.
1. We designed a ZK protocol that can prove B executions of any circuit C in communication O(B + |C|) field elements (with free addition gates), while the best prior work requires a communication of O(B|C|) field elements. Our protocol is enabled by a new tool called information-theoretic polynomial authentication code, which may be of independent interest.
2. We developed an optimized implementation of this protocol which shows high practicality. For example, with B = 2048, |C| = 2^20, and under 50 Mbps bandwidth and 16 threads, QuickSilver, a state-of-the-art ZK protocol based on vector oblivious linear evaluation (VOLE), can only prove 0.78 million MULT gates per second (mgps) and send one field element per gate; our protocol can prove 14 mgps (18× improvement) and send 0.0064 field elements per gate (156× improvement) under the same hardware configuration.
3. Extending the above idea, we constructed a ZK protocol that can prove a single execution of any circuit C in communication O(|C|^{3/4}). This is the first ZK protocol with sublinear communication for an arbitrary circuit in the VOLE-based ZK family.
* "Heroes don't get any bigger" (in communication).

Chenkai Weng, Kang Yang, Zhaomin Yang, Xiang Xie, Xiao Wang

Improved Straight-Line Extraction in the Random Oracle Model With Applications to Signature Aggregation
https://scholar.archive.org/work/llihi2ypszfulglslndm5vufau
The goal of this paper is to improve the efficiency and applicability of straight-line extraction techniques in the random oracle model. Straight-line extraction in the random oracle model refers to the existence of an extractor, which given the random oracle queries made by a prover P*(x) on some theorem x, is able to produce a witness w for x with roughly the same probability that P* produces a verifying proof. This notion applies to both zero-knowledge protocols and verifiable computation where the goal is compressing a proof. Pass (CRYPTO '03) first showed how to achieve this property for NP using a cut-and-choose technique which incurred a λ^2-bit overhead in communication where λ is a security parameter. Fischlin (CRYPTO '05) presented a more efficient technique based on "proofs of work" that sheds this λ^2 cost, but only applies to a limited class of Sigma Protocols with a "quasi-unique response" property, which for example, does not necessarily include the standard OR composition for Sigma protocols. With Schnorr/EdDSA signature aggregation as a motivating application, we develop new techniques to improve the computation cost of straight-line extractable proofs. Our improvements to the state of the art range from 70×-200× for the best compression parameters. This is due to a uniquely suited polynomial evaluation algorithm, and the insight that a proof-of-work that relies on multicollisions and the birthday paradox is faster to solve than inverting a fixed target. Our collision based proof-of-work more generally improves the Prover's random oracle query complexity when applied in the NIZK setting as well. In addition to reducing the query complexity of Fischlin's Prover, for a special class of Sigma protocols we can for the first time closely match a new lower bound we present. Finally we extend Fischlin's technique so that it applies to a more general class of strongly-sound Sigma protocols, which includes the OR composition. We achieve this by carefully randomizing Fischlin's technique: we show that its current deterministic nature prevents its application to certain multi-witness languages.

Yashvanth Kondi, Abhi Shelat

Practical Delegatable Anonymous Credentials From Equivalence Class Signatures
https://scholar.archive.org/work/244ttqgcmzeehbtqjlrkuv2lfm
Anonymous credential systems (ACs) are a powerful cryptographic tool for privacy-preserving applications and provide strong user privacy guarantees for authentication and access control. ACs allow users to prove possession of attributes encoded in a credential without revealing any information beyond them. A delegatable AC (DAC) system is an enhanced AC system that allows the owners of credentials to delegate the obtained credential to other users. This allows one to model hierarchies as usually encountered within public-key infrastructures (PKIs). DACs also provide stronger privacy guarantees than traditional AC systems since the identities of issuers and delegators are also hidden. A credential issuer's identity may convey information about a user's identity even when all other information about the user is protected. We present a novel delegatable anonymous credential scheme that supports attributes, provides anonymity for delegations, allows the delegators to restrict further delegations, and also comes with an efficient construction. In particular, our DAC credentials do not grow with delegations, i.e., are of constant size. Our approach builds on a new primitive that we call structure-preserving signatures on equivalence classes on updatable commitments (SPSEQ-UC). The high-level idea is to use a special signature scheme that can sign vectors of set commitments which can be extended by additional set commitments. Signatures additionally include a user's public key, which can be switched. This allows us to efficiently realize delegation in the DAC. Similar to conventional SPSEQ signatures, the signatures and messages can be publicly randomized and thus allow unlinkable showings in the DAC system. We present further optimizations such as cross-set commitment aggregation that, in combination, enable selective, efficient showings in the DAC without using costly zero-knowledge proofs. We present an efficient instantiation that is proven to be secure in the generic group model and finally demonstrate the practical efficiency of our DAC by presenting performance benchmarks based on an implementation.

Omid Mir, Daniel Slamanig, Balthazar Bauer, René Mayrhofer

Publicly Accountable Robust Multi-Party Computation
https://scholar.archive.org/work/f75mif45s5h4pejddqffamzuhq
In recent years, lattice-based secure multi-party computation (MPC) has seen a rise in popularity and is used more and more in large scale applications like privacy-preserving cloud computing, electronic voting, or auctions. Many of these applications come with the following high security requirements: a computation result should be publicly verifiable, with everyone being able to identify a malicious party and hold it accountable, and a malicious party should not be able to corrupt the computation, force a protocol restart, or block honest parties or an honest third-party (client) that provided private inputs from receiving a correct result. The protocol should guarantee verifiability and accountability even if all protocol parties are malicious. While some protocols address one or two of these often essential security features, we present the first publicly verifiable and accountable, and (up to a threshold) robust SPDZ-like MPC protocol without restart. We propose protocols for accountable and robust online, offline, and setup computations. We adapt and partly extend the lattice-based commitment scheme by Baum et al. (SCN 2018) as well as other primitives like ZKPs. For the underlying commitment scheme and the underlying BGV encryption scheme we determine ideal parameters. We give a performance evaluation of our protocols and compare them to state-of-the-art protocols both with and without our target security features: public accountability, public verifiability and robustness.

Marc Rivinius, Pascal Reisert, Daniel Rausch, Ralf Küsters

Titanium: A Metadata-Hiding File-Sharing System with Malicious Security
https://scholar.archive.org/work/fmc4nrc7sregvonepvpuk6aume
End-to-end encrypted file-sharing systems enable users to share files without revealing the file contents to the storage servers. However, the servers still learn metadata, including user identities and access patterns. Prior work tried to remove such leakage but relied on strong assumptions. Metal (NDSS '20) is not secure against malicious servers. MCORAM (ASIACRYPT '20) provides confidentiality against malicious servers, but not integrity. Titanium is a metadata-hiding file-sharing system that offers confidentiality and integrity against malicious users and servers. Compared with MCORAM, which offers confidentiality against malicious servers, Titanium also offers integrity. Experiments show that Titanium is 5× to 200× faster or more than MCORAM.
Footnote 1: Malicious security ensures security against adversaries who can behave arbitrarily to compromise privacy and integrity of the system. This is in contrast to semi-honest security, where adversaries will follow the protocol faithfully.
Network and Distributed Systems Security (NDSS) Symposium 2022

Weikeng Chen, Thang Hoang, Jorge Guajardo, Attila A. Yavuz