Efficient Zero-Knowledge Proofs of Non-algebraic Statements with Sublinear Amortized Cost
[chapter]
2015
Lecture Notes in Computer Science
In particular, the cost per proof in many applications is sublinear in |M|. ...
We describe a zero-knowledge proof system in which a prover holds a large dataset M and can repeatedly prove NP relations about that dataset. ...
This is particularly powerful for proving non-algebraic statements, e.g., proving knowledge of x such that y = Sha256(x) for a public value y. ...
doi:10.1007/978-3-662-48000-7_8
fatcat:jc4rroobbva53l5ebsluu3svgi
Maliciously Secure Multi-Client ORAM
[chapter]
2017
Lecture Notes in Computer Science
We further devise an efficient access control mechanism, built upon a novel and generally applicable realization of plaintext equivalence proofs for ciphertext vectors. ...
We implemented our scheme and conducted an experimental evaluation, demonstrating the feasibility of our approach. * An extended abstract of this work will appear at ACNS'17 [40] ...
Another drawback of the flush algorithm is the cost of the integrity (zero-knowledge) proofs. ...
doi:10.1007/978-3-319-61204-1_32
fatcat:hlav2s5wtjditpmcojqw6lmp4y
Darlin: Recursive Proofs using Marlin
[article]
2021
arXiv
pre-print
Darlin addresses recursive proofs by integrating the amortization technique from Halo (IACR eprint 2019/099) for the non-succinct parts of the dlog verifier, and we adapt their strategy for bivariate circuit ...
This document describes Darlin, a succinct zero-knowledge argument of knowledge based on the Marlin SNARK (Chiesa et al., Eurocrypt 2020) and the 'dlog' polynomial commitment scheme from Bootle et al. ...
The main advantage of the coboundary approach is that the algebraic oracle proof for equation (4) allows a more lightweight zero-knowledge randomization than that of equation (1): Since no reduced form ...
arXiv:2107.04315v2
fatcat:halbog6jt5girhq7att3rxceia
Sub-linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits
[chapter]
2018
Lecture Notes in Computer Science
A key component of our construction is a surprisingly simple zero-knowledge proof for pre-images of linear relations whose amortized communication complexity depends only logarithmically on the number ...
We propose the first zero-knowledge argument with sublinear communication complexity for arithmetic circuit satisfiability over a prime p whose security is based on the hardness of the short integer solution ...
Combined with the proof of knowledge, this gives an arithmetic circuit argument with the stated efficiency. ...
doi:10.1007/978-3-319-96881-0_23
fatcat:ico53lgysjeodg4v3c5b37juwe
Authenticated Hash Tables Based on Cryptographic Accumulators
2015
Algorithmica
We address the problem of authenticating the hash table operations, where the goal is to design protocols capable of verifying the correctness of queries and updates performed by the server, thus ensuring ...
the integrity of the remotely stored data across its entire update history. ...
Dynamic accumulators (along with protocols for zero-knowledge proofs) were introduced in [11], where their security is based on the strong RSA assumption. ...
doi:10.1007/s00453-014-9968-3
fatcat:jk7pywcuq5g6pko2g4grviv7xa
Efficient and Secure Evaluation of Multivariate Polynomials and Applications
[chapter]
2010
Lecture Notes in Computer Science
Non-black-box techniques require parties to prove in zero-knowledge, statements that involve the computation of the underlying primitives. ...
The only exception in this framework is the compiler of [25] based on sublinear-communication zero-knowledge techniques such as [20], which preserves the communication complexity of the original semi-honest ...
If this is not the case a zero-knowledge proof of this fact must be added to the protocol. ...
doi:10.1007/978-3-642-13708-2_15
fatcat:zrp7qxsdgbdsxmzmylxhfzdzum
Compact Zero-Knowledge Proofs of Small Hamming Weight
[chapter]
2018
Lecture Notes in Computer Science
k-out-of-n OT from black-box use of 1-out-of-2 OT, (2) separable accountable ring signatures, (3) more efficient preprocessing for the TinyTable secure two-party computation protocol, (4) mixing with ...
The proof has unconditional soundness and is very compact: It has size independent of the length of the committed string, and for large fields, it has size corresponding to a constant number of commitments ...
Groth [25] gives zero-knowledge arguments for algebraic statements about matrices from a list of committed matrices with sublinear communication complexity. ...
doi:10.1007/978-3-319-76581-5_18
fatcat:x5ubojvqyjefdax4nhi3bhnrqy
Communication Complexity and Secure Function Evaluation
[article]
2001
arXiv
pre-print
We suggest two new methodologies for the design of efficient secure protocols, that differ with respect to their underlying computational models. ...
We show many applications of these new methodologies resulting in protocols efficient either in communication or in computation. ...
Acknowledgments We thank Madhu Sudan for a discussion of the reversibility of PCP constructions and pointing [33], Yehuda Lindell for discussions regarding handling malicious parties, and Yuval Ishai ...
arXiv:cs/0109011v1
fatcat:fs2of35xenbyxhlpjabcmfwroe
Publicly Auditable MPC-as-a-Service with succinct verification and universal setup
[article]
2021
arXiv
pre-print
In a nutshell, the way to make an MPC protocol auditable is to combine an underlying MPC protocol with verifiable computing proof (in particular, a SNARK). ...
Furthermore, compared with existing auditable MPC protocols, besides offering a universal setup our construction also has a 3x smaller proof, 3x faster verification time and comparable prover time. ...
Additionally, statement x must be kept zero knowledge. ...
arXiv:2107.04248v1
fatcat:p47kn7fotnekhjiojgghkoeu4i
Does Preprocessing Help Training Over-parameterized Neural Networks?
[article]
2021
arXiv
pre-print
Interestingly, we can get a similar sublinear cost per iteration but avoid preprocessing initial weights or input data points. ...
The classical training method requires paying Ω(mnd) cost for both forward computation and backward computation, where m is the width of the neural network, and we are given n training points in d-dimensional ...
One drawback of this approach is that the quantum linear algebra computation incurs some non-negligible errors. ...
arXiv:2110.04622v1
fatcat:mcw5eewvunacthfwhyvbgfpxki
Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs
[chapter]
2015
Lecture Notes in Computer Science
As a side result, we demonstrate the usefulness of algebraic PRFs for various search functionalities, such as keyword search and oblivious transfer with adaptive queries. ...
Our starting point is the [BGV11] technique (CRYPTO 2011) for verifiable delegation of polynomial evaluations, using algebraic PRFs. ...
Proof: We prove security for each corruption case separately. We assume that the simulator is given m_X and m_Y as part of its auxiliary input. ...
doi:10.1007/978-3-662-46497-7_4
fatcat:qxra4n7m25hf7kkklepqsce3ua
Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs
2017
Journal of Cryptology
As a side result, we demonstrate the usefulness of algebraic PRFs for various search functionalities, such as keyword search and oblivious transfer with adaptive queries. ...
Our starting point is the [BGV11] technique (CRYPTO 2011) for verifiable delegation of polynomial evaluations, using algebraic PRFs. ...
Proof: We prove security for each corruption case separately. We assume that the simulator is given m_X and m_Y as part of its auxiliary input. ...
doi:10.1007/s00145-017-9263-y
fatcat:6ozcdk355zdd5l4yb5pvbuahhu
Extending Oblivious Transfer with Low Communication via Key-Homomorphic PRFs
[chapter]
2018
Lecture Notes in Computer Science
This results in the first oblivious transfer protocol with sublinear communication and active security, which does not require any non-black-box use of cryptographic primitives. ...
We first use this to construct a protocol for a large batch of 1-out-of-n OTs on random inputs, with amortized o(1) communication. ...
I would like to thank Claudio Orlandi for the observation that an XOR-homomorphic PRG would imply non-interactive OT extension, which inspired this work. ...
doi:10.1007/978-3-319-76578-5_19
fatcat:dqrf37o2lrgxjarbhc47w2dvm4
Fast Deterministic Fully Dynamic Distance Approximation
[article]
2022
arXiv
pre-print
At the core, our approach is to combine algebraic distance maintenance data structures with near-additive emulator constructions. ...
This also leads to novel dynamic algorithms for maintaining (1+ϵ, β)-emulators that improve upon the state of the art, which might be of independent interest. ...
Acknowledgement Jan van den Brand is funded by ONR BRC grant N00014-18-1-2562 and by the Simons Institute for the Theory of Computing through a Simons-Berkeley Postdoctoral Fellowship. ...
arXiv:2111.03361v2
fatcat:qzxfmf2znzcjhlsfckrxispe5i
Verifiable Delegation of Computation over Large Datasets
[chapter]
2011
Lecture Notes in Computer Science
In addition to the many non-cryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs ...
We generalize our result for PRFs with other types of closed form efficiency, which yield efficient and secure delegation protocols not only for single-variable polynomials of degree d, but also for multivariate ...
Now fix such a value for x_i's and y_i's that happens in the experiment with non-zero probability. ...
doi:10.1007/978-3-642-22792-9_7
fatcat:qqwpxqvan5hj7phqk7zrk2h76e
Showing results 1 — 15 out of 92 results