Dates are inconsistent

Dates are inconsistent

91 results sorted by ID

Possible spell-corrected query: zk-snarks
2024/1902 (PDF) Last updated: 2024-11-22
ZK-SNARKs for Ballot Validity: A Feasibility Study
Nicolas Huber, Ralf Kuesters, Julian Liedtke, Daniel Rausch
Cryptographic protocols

Electronic voting (e-voting) systems have become more prevalent in recent years, but security concerns have also increased, especially regarding the privacy and verifiability of votes. As an essential ingredient for constructing secure e-voting systems, designers often employ zero-knowledge proofs (ZKPs), allowing voters to prove their votes are valid without revealing them. Invalid votes can then be discarded to protect verifiability without compromising the privacy of valid...

2024/1775 (PDF) Last updated: 2024-10-31
zkMarket : Privacy-preserving Digital Data Trade System via Blockchain
Seungwoo Kim, Semin Han, Seongho Park, Kyeongtae Lee, Jihye Kim, Hyunok Oh
Applications

In this paper, we introduce zkMarket, a privacy-preserving fair trade system on the blockchain. zkMarket addresses the challenges of transaction privacy and computational efficiency. To ensure transaction privacy, zkMarket is built upon an anonymous transfer protocol. By combining encryption with zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK), both the seller and the buyer are enabled to trade fairly. Furthermore, by encrypting the decryption key, we make the data...

2024/1671 (PDF) Last updated: 2024-12-18
Multi-party Setup Ceremony for Generating Tokamak zk-SNARK Parameters
Muhammed Ali Bingol
Cryptographic protocols

This document provides a specification guide for the Multi-party Computation (MPC) setup ceremony for the Tokamak zk-SNARK scheme. It begins by revisiting the MMORPG protocol proposed in BGM17 for Groth16 setup generation, which leverages a random beacon to ensure public randomness. Additionally, it explores the alternative design approach presented in the ``Snarky Ceremonies" paper KMSV21, which removes the need for a random beacon. The document includes a detailed pseudocode and workflow...

2024/1595 (PDF) Last updated: 2024-10-08
DeepFold: Efficient Multilinear Polynomial Commitment from Reed-Solomon Code and Its Application to Zero-knowledge Proofs
Yanpei Guo, Xuanming Liu, Kexi Huang, Wenjie Qu, Tianyang Tao, Jiaheng Zhang
Cryptographic protocols

This work presents Deepfold, a novel multilinear polynomial commitment scheme (PCS) based on Reed-Solomon code that offers optimal prover time and a more concise proof size. For the first time, Deepfold adapts the FRI-based multilinear PCS to the list decoding radius setting, requiring significantly fewer query repetitions and thereby achieving a 3× reduction in proof size compared to Basefold (Crypto'24), while preserving its advantages in prover time. Compared with PolyFRIM (USENIX...

2024/1566 (PDF) Last updated: 2024-10-04
Dynamic zk-SNARKs
Weijie Wang, Charalampos Papamanthou, Shravan Srinivasan, Dimitrios Papadopoulos
Cryptographic protocols

In this work, we put forth the notion of dynamic zk-SNARKs. A dynamic zk-SNARK is a zk-SNARK that has an additional update algorithm. The update algorithm takes as input a valid source statement-witness pair $(x,w)\in \mathcal{L}$ along with a verifying proof $\pi$, and a valid target statement-witness pair $(x',w')\in \mathcal{L}$. It outputs a verifying proof $\pi'$ for $(x',w')$ in sublinear time (for $(x,w)$ and $(x',w')$ with small Hamming distance) potentially with the help of a data...

2024/1544 (PDF) Last updated: 2024-10-02
PoUDR: Proof of Unified Data Retrieval in Decentralized Storage Networks
Zonglun Li, Shuhao Zheng, Junliang Luo, Ziyue Xin, Dun Yuan, Shang Gao, Sichao Yang, Bin Xiao, Xue Liu
Applications

Decentralized storage networks, including IPFS and Filecoin, have created a marketplace where individuals exchange storage space for profit. These networks employ protocols that reliably ensure data storage providers accurately store data without alterations, safeguarding the interests of storage purchasers. However, these protocols lack an effective and equitable payment mechanism for data retrieval, particularly when multiple data queriers are involved. This necessitates a protocol that...

2024/1405 (PDF) Last updated: 2024-09-09
Lego-DLC: batching module for commit-carrying SNARK under Pedersen Engines
Byeongjun Jang, Gweonho Jeong, Hyuktae Kwon, Hyunok Oh, Jihye Kim
Cryptographic protocols

The synergy of commitments and zk-SNARKs is widely used in various applications, particularly in fields like blockchain, to ensure data privacy and integrity without revealing secret information. However, proving multiple commitments in a batch imposes a large overhead on a zk-SNARK system. One solution to alleviate the burden is the use of commit-and-prove SNARK (CP-SNARK) approach. LegoSNARK defines a new notion called commit-carrying SNARK (cc-SNARK), a special- ized form of...

2024/1303 (PDF) Last updated: 2024-08-21
Efficient Zero-Knowledge Arguments for Paillier Cryptosystem
Borui GONG, Wang Fat Lau, Man Ho Au, Rupeng Yang, Haiyang Xue, Lichun Li
Cryptographic protocols

We present an efficient zero-knowledge argument of knowledge system customized for the Paillier cryptosystem. Our system enjoys sublinear proof size, low verification cost, and acceptable proof generation effort, while also supporting batch proof generation/verification. Existing works specialized for Paillier cryptosystem feature linear proof size and verification time. Using existing sublinear argument systems for generic statements (e.g., zk-SNARK) results in unaffordable proof generation...

2024/1281 (PDF) Last updated: 2024-08-29
Stackproofs: Private proofs of stack and contract execution using Protogalaxy
Liam Eagen, Ariel Gabizon, Marek Sefranek, Patrick Towa, Zachary J. Williamson

The goal of this note is to describe and analyze a simplified variant of the zk-SNARK construction used in the Aztec protocol. Taking inspiration from the popular notion of Incrementally Verifiable Computation[Val09] (IVC) we define a related notion of $\textrm{Repeated Computation with Global state}$ (RCG). As opposed to IVC, in RCG we assume the computation terminates before proving starts, and in addition to the local transitions some global consistency checks of the whole computation...

2024/1164 (PDF) Last updated: 2024-10-03
A Crack in the Firmament: Restoring Soundness of the Orion Proof System and More
Thomas den Hollander, Daniel Slamanig
Cryptographic protocols

Orion (Xie et al. CRYPTO'22) is a recent plausibly post-quantum zero-knowledge argument system with a linear time prover. It improves over Brakedown (Golovnev et al. ePrint'21 and CRYPTO'23) by reducing the proof size and verifier complexity to be polylogarithmic and additionally adds the zero-knowledge property. The argument system is demonstrated to be concretely efficient with a prover time being the fastest among all existing succinct proof systems and a proof size that is an order of...

2024/1153 (PDF) Last updated: 2024-07-16
Designated-Verifier zk-SNARKs Made Easy
Chen Li, Fangguo Zhang
Cryptographic protocols

Zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is a kind of proof system that enables a prover to convince a verifier that an NP statement is true efficiently. In the last decade, various studies made a lot of progress in constructing more efficient and secure zk-SNARKs. Our research focuses on designated-verifier zk-SNARKs, where only the verifier knowing some secret verification state can be convinced by the proof. A natural idea of getting a designated-verifier...

2024/940 (PDF) Last updated: 2024-06-12
Scalable Collaborative zk-SNARK and Its Application to Efficient Proof Outsourcing
Xuanming Liu, Zhelei Zhou, Yinghao Wang, Jinye He, Bingsheng Zhang, Xiaohu Yang, Jiaheng Zhang
Cryptographic protocols

Collaborative zk-SNARK (USENIX'22) allows multiple parties to jointly create a zk-SNARK proof over distributed secrets (also known as the witness). It provides a promising approach to proof outsourcing, where a client wishes to delegate the tedious task of proof generation to many servers from different locations, while ensuring no corrupted server can learn its witness (USENIX'23). Unfortunately, existing work remains a significant efficiency problem, as the protocols rely heavily on a...

2024/916 (PDF) Last updated: 2024-06-08
Polymath: Groth16 Is Not The Limit
Helger Lipmaa
Cryptographic protocols

Shortening the argument (three group elements or 1536 / 3072 bits over the BLS12-381/BLS24-509 curves) of the Groth16 zk-SNARK for R1CS is a long-standing open problem. We propose a zk-SNARK Polymath for the Square Arithmetic Programming constraint system using the KZG polynomial commitment scheme. Polymath has a shorter argument (1408 / 1792 bits over the same curves) than Groth16. At 192-bit security, Polymath's argument is nearly half the size, making it highly competitive for...

2024/848 (PDF) Last updated: 2024-05-30
How (Not) to Simulate PLONK
Marek Sefranek
Cryptographic protocols

PLONK is a zk-SNARK system by Gabizon, Williamson, and Ciobotaru with proofs of constant size (0.5 KB) and sublinear verification time. Its setup is circuit-independent supporting proofs of arbitrary statements up to a certain size bound. Although deployed in several real-world applications, PLONK's zero-knowledge property had only been argued informally. Consequently, we were able to find and fix a vulnerability in its original specification, leading to an update of PLONK in eprint...

2024/750 (PDF) Last updated: 2024-12-12
Speeding Up Multi-Scalar Multiplications for Pairing-Based zkSNARKs
Xinxin Fan, Veronika Kuchta, Francesco Sica, Lei Xu
Implementation

Multi-scalar multiplication (MSM) is one of the core components of many zero-knowledge proof systems, and a primary performance bottleneck for proof generation in these schemes. One major strategy to accelerate MSM is utilizing precomputation. Several algorithms (e.g., Pippenger and BGMW) and their variants have been proposed in this direction. In this paper, we revisit the recent precomputation-based MSM calculation method proposed by Luo, Fu and Gong at CHES 2023 and generalize their...

2024/261 (PDF) Last updated: 2024-02-16
Election Eligibility with OpenID: Turning Authentication into Transferable Proof of Eligibility
Véronique Cortier, Alexandre Debant, Anselme Goetschmann, Lucca Hirschi
Cryptographic protocols

Eligibility checks are often abstracted away or omitted in voting protocols, leading to situations where the voting server can easily stuff the ballot box. One reason for this is the difficulty of bootstraping the authentication material for voters without relying on trusting the voting server. In this paper, we propose a new protocol that solves this problem by building on OpenID, a widely deployed authentication protocol. Instead of using it as a standard authentication means, we turn it...

2024/227 (PDF) Last updated: 2024-04-01
Adaptively Sound Zero-Knowledge SNARKs for UP
Surya Mathialagan, Spencer Peters, Vinod Vaikuntanathan

We study succinct non-interactive arguments (SNARGs) and succinct non-interactive arguments of knowledge (SNARKs) for the class $\mathsf{UP}$ in the reusable designated verifier model. $\mathsf{UP}$ is an expressive subclass of $\mathsf{NP}$ consisting of all $\mathsf{NP}$ languages where each instance has at most one witness; a designated verifier SNARG (dvSNARG) is one where verification of the SNARG proof requires a private verification key; and such a dvSNARG is reusable if soundness...

2024/161 (PDF) Last updated: 2024-02-07
zkMatrix: Batched Short Proof for Committed Matrix Multiplication
Mingshu Cong, Tsz Hon Yuen, Siu Ming Yiu
Cryptographic protocols

Matrix multiplication is a common operation in applications like machine learning and data analytics. To demonstrate the correctness of such an operation in a privacy-preserving manner, we propose zkMatrix, a zero-knowledge proof for the multiplication of committed matrices. Among the succinct non-interactive zero-knowledge protocols that have an $O(\log n)$ transcript size and $O(\log n)$ verifier time, zkMatrix stands out as the first to achieve $O(n^2)$ prover time and $O(n^2)$ RAM usage...

2024/143 (PDF) Last updated: 2024-06-12
Scalable Collaborative zk-SNARK: Fully Distributed Proof Generation and Malicious Security
Xuanming Liu, Zhelei Zhou, Yinghao Wang, Bingsheng Zhang, Xiaohu Yang
Cryptographic protocols

The notion of collaborative zk-SNARK is introduced by Ozdemir and Boneh (USENIX 2022), which allows multiple parties to jointly create a zk-SNARK proof over distributed secrets (also known as the witness). This approach ensures the privacy of the witness, as no corrupted servers involved in the proof generation can learn anything about the honest servers' witness. Later, Garg et al. continued the study, focusing on how to achieve faster proof generation (USENIX 2023). However, their...

2024/099 (PDF) Last updated: 2024-01-22
Snarktor: A Decentralized Protocol for Scaling SNARKs Verification in Blockchains
Alberto Garoffolo, Dmytro Kaidalov, Roman Oliynykov
Applications

The use of zero-knowledge Succinct Non-Interactive Arguments of Knowledge (zk-SNARK) and similar types of proofs has become increasingly popular as a solution for improving scalability, privacy, and interoperability of blockchain systems. However, even with the most advanced proving systems, verifying a single SNARK proof can require a significant amount of computational resources making it expensive to be performed on-chain. This becomes a noticeable bottleneck in scaling SNARK-based...

2023/1868 (PDF) Last updated: 2023-12-05
COMMON: Order Book with Privacy
Albert Garreta, Adam Gągol, Aikaterini-Panagiota Stouka, Damian Straszak, Michal Zajac
Cryptographic protocols

Decentralized Finance (DeFi) has witnessed remarkable growth and innovation, with Decentralized Exchanges (DEXes) playing a pivotal role in shaping this ecosystem. As numerous DEX designs emerge, challenges such as price inefficiency and lack of user privacy continue to prevail. This paper introduces a novel DEX design, termed COMMON, that addresses these two predominant challenges. COMMON operates as an order book, natively integrated with a shielded token pool, thus providing anonymity to...

2023/1858 (PDF) Last updated: 2023-12-04
A Novel Power-Sum PRG with Applications to Lattice-Based zkSNARKs
Charanjit S Jutla, Eamonn W. Postlethwaite, Arnab Roy
Cryptographic protocols

zkSNARK is a cryptographic primitive that allows a prover to prove to a resource constrained verifier, that it has indeed performed a specified non-deterministic computation correctly, while hiding private witnesses. In this work we focus on lattice based zkSNARK, as this serves two important design goals. Firstly, we get post-quantum zkSNARK schemes with $O(\log (\mbox{Circuit size}))$ sized proofs (without random oracles) and secondly, the easy verifier circuit allows further...

2023/1806 (PDF) Last updated: 2024-01-23
Fast and Designated-verifier Friendly zkSNARKs in the BPK Model
Xudong Zhu, Xuyang Song, Yi Deng
Cryptographic protocols

After the pioneering results proposed by Bellare et al in ASIACRYPT 2016, there have been lots of efforts to construct zero-knowledge succinct non-interactive arguments of knowledge protocols (zk-SNARKs) that satisfy subversion zero knowledge (S-ZK) and standard soundness from the zk-SNARK in the common reference string (CRS) model. The various constructions could be regarded secure in the bare public key (BPK) model because of the equivalence between S-ZK in the CRS model, and uniform...

2023/1416 (PDF) Last updated: 2023-09-20
On Black-Box Knowledge-Sound Commit-And-Prove SNARKs
Helger Lipmaa
Cryptographic protocols

Gentry and Wichs proved that adaptively sound SNARGs for hard languages need non-falsifiable assumptions. Lipmaa and Pavlyk claimed Gentry-Wichs is tight by constructing a non-adaptively sound zk-SNARG FANA for NP from falsifiable assumptions. We show that FANA is flawed. We define and construct a fully algebraic $F$-position-binding vector commitment scheme VCF. We construct a concretely efficient commit-and-prove zk-SNARK Punic, a version of FANA with an additional VCF commitment to the...

2023/1411 (PDF) Last updated: 2023-09-19
zk-SNARKs from Codes with Rank Metrics
Xuan-Thanh Do, Dang-Truong Mac, Quoc-Huy Vu
Cryptographic protocols

Succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs) are a type of non-interactive proof system enabling efficient privacy-preserving proofs of membership for NP languages. A great deal of works has studied candidate constructions that are secure against quantum attackers, which are based on either lattice assumptions, or post-quantum collision-resistant hash functions. In this paper, we propose a code-based zk-SNARK scheme, whose security is based on the rank support...

2023/1410 (PDF) Last updated: 2023-10-06
Two Algorithms for Fast GPU Implementation of NTT
Ali Şah Özcan, Erkay Savaş
Implementation

The number theoretic transform (NTT) permits a very efficient method to perform multiplication of very large degree polynomials, which is the most time-consuming operation in fully homomorphic encryption (FHE) schemes and a class of non-interactive succinct zero-knowledge proof systems such as zk-SNARK. Efficient modular arithmetic plays an important role in the performance of NTT, and therefore it is studied extensively. The access pattern to the memory, on the other hand, may play much...

2023/741 (PDF) Last updated: 2023-05-25
The Referendum Problem in Anonymous Voting for Decentralized Autonomous Organizations
Artem Grigor, Vincenzo Iovino, Giuseppe Visconti
Applications

A natural approach to anonymous voting over Ethereum assumes that there is an off-chain aggregator that performs the following task. The aggregator receives valid signatures of YES/NO preferences from eligible voters and uses them to compute a zk-SNARK proof of the fact that the majority of voters have cast a preference for YES or NO. Then, the aggregator sends to the smart contract the zk-SNARK proof, the smart contract verifies the proof and can trigger an action (e.g., a transfer of...

2023/144 (PDF) Last updated: 2023-02-07
Aegis: Privacy-Preserving Market for Non-Fungible Tokens
Hisham S. Galal, Amr M. Youssef
Cryptographic protocols

Non-fungible tokens (NFTs) are unique non-interchangeable digital assets verified and stored using blockchain technology. Quite recently, there has been a surging interest and adoption of NFTs, with sales exceeding \$10 billion in the third quarter of 2021. Given the public state of Blockchain, NFTs owners face a privacy problem. More precisely, an observer can trivially learn the whole NFT collections owned by an address. For some categories of NFTs like arts and game collectibles, owners...

2023/097 (PDF) Last updated: 2024-02-16
Circuit-Succinct Universally-Composable NIZKs with Updatable CRS
Behzad Abdolmaleki, Noemi Glaeser, Sebastian Ramacher, Daniel Slamanig
Cryptographic protocols

Non-interactive zero-knowledge proofs (NIZKs) and in particular succinct NIZK arguments of knowledge (zk-SNARKs) increasingly see real-world adoption in large and complex systems. Many zk-SNARKs require a trusted setup, i.e., a common reference string (CRS), and for practical use it is desirable to reduce the trust in the CRS generation. The latter can be achieved via the notions of subversion or updatable CRS. Another important property when deployed in large systems is the ability to...

2022/1756 (PDF) Last updated: 2022-12-22
CRS-Updatable Asymmetric Quasi-Adaptive NIZK Arguments
Behzad Abdolmaleki, Daniel Slamanig
Cryptographic protocols

A critical aspect for the practical use of non-interactive zero-knowledge (NIZK) arguments in the common reference string (CRS) model is the demand for a trusted setup, i.e., a trusted generation of the CRS. Recently, motivated by its increased use in real-world applications, there has been a growing interest in concepts that allow to reduce the trust in this setup. In particular one demands that the zero-knowledge and ideally also the soundness property hold even when the CRS generation is...

2022/1690 (PDF) Last updated: 2024-06-05
LUNA: Quasi-Optimally Succinct Designated-Verifier Zero-Knowledge Arguments from Lattices
Ron Steinfeld, Amin Sakzad, Muhammed F. Esgin, Veronika Kuchta, Mert Yassi, Raymond K. Zhao
Cryptographic protocols

We introduce the first candidate Lattice-based designated verifier (DV) zero knowledge sUccinct Non-interactive Argument (ZK-SNARG) protocol, LUNA, with quasi-optimal proof length (quasi-linear in the security/privacy parameter). By simply relying on mildly stronger security assumptions, LUNA is also a candidate ZK-SNARK (i.e. argument of knowledge). LUNA achieves significant improvements in concrete proof sizes, reaching below 6 KB (compared to >32 KB in prior work) for 128-bit...

2022/1634 (PDF) Last updated: 2023-12-22
Division of Regulatory Power: Collaborative Regulation for Privacy-Preserving Blockchains
Tianyu Zhaolu, Zhiguo Wan, Huaqun Wang
Applications

Decentralized anonymous payment schemes may be exploited for illicit activities, such as money laundering, bribery and blackmail. To address this issue, several regulatory friendly decentralized anonymous payment schemes have been proposed. However, most of these solutions lack restrictions on the regulator’s authority, which could potentially result in power abuse and privacy breaches. In this paper, we present a decentralized anonymous payment scheme with collaborative regulation (DAPCR)....

2022/1487 (PDF) Last updated: 2023-10-07
An efficient verifiable state for zk-EVM and beyond from the Anemoi hash function
Jianwei Liu, Harshad Patil, Akhil Sai Peddireddy, Kevin Singh, Haifeng Sun, Huachuang Sun, Weikeng Chen
Applications

In our survey of the various zk-EVM constructions, it becomes apparent that verifiable storage of the EVM state starts to be one of the dominating costs. This is not surprising because a big differentiator of EVM from UTXO is exactly the ability to carry states and, most importantly, their transitions; i.e., EVM is a **state** machine. In other words, to build an efficient zk-EVM, one must first build an efficient verifiable state. The common approach, which has been used in...

2022/1447 (PDF) Last updated: 2024-04-22
flookup: Fractional decomposition-based lookups in quasi-linear time independent of table size
Ariel Gabizon, Dmitry Khovratovich
Cryptographic protocols

We present a protocol for checking the values of a committed polynomial $\phi(X)$ over a multiplicative subgroup $H\subset \mathbb{F}$ of size $m$ are contained in a table $T\in \mathbb{F}^N$. After an $O(N \log^2 N)$ preprocessing step, the prover algorithm runs in *quasilinear* time $O(m\log ^2 m)$. We improve upon the recent breakthrough results Caulk[ZBK+22] and Caulk+[PK22], which were the first to achieve the complexity sublinear in the full table size $N$ with prover time being...

2022/1352 (PDF) Last updated: 2022-11-10
aPlonK : Aggregated PlonK from Multi-Polynomial Commitment Schemes
Miguel Ambrona, Marc Beunardeau, Anne-Laure Schmitt, Raphaël R. Toledo
Cryptographic protocols

PlonK is a prominent universal and updatable zk-SNARK for general circuit satisfiability. We present aPlonK, a variant of PlonK that reduces the proof size and verification time when multiple statements are proven in a batch. Both the aggregated proof size and the verification complexity of aPlonK are logarithmic in the number of aggregated statements. Our main building block, inspired by the techniques developed in SnarkPack (Gailly, Maller, Nitulescu, FC 2022), is a multi-polynomial...

2022/1132 (PDF) Last updated: 2022-08-31
Kryvos: Publicly Tally-Hiding Verifiable E-Voting
Nicolas Huber, Ralf Kuesters, Toomas Krips, Julian Liedtke, Johannes Mueller, Daniel Rausch, Pascal Reisert, Andreas Vogt
Cryptographic protocols

Elections are an important corner stone of democratic processes. In addition to publishing the final result (e.g., the overall winner), elections typically publish the full tally consisting of all (aggregated) individual votes. This causes several issues, including loss of privacy for both voters and election candidates as well as so-called Italian attacks that allow for easily coercing voters. Several e-voting systems have been proposed to address these issues by hiding (parts of) the...

2022/1003 (PDF) Last updated: 2022-08-10
Orbis Specification Language: a type theory for zk-SNARK programming
Morgan Thomas
Applications

Orbis Specification Language (OSL) is a language for writing statements to be proven by zk-SNARKs. zk-SNARK theories allow for proving wide classes of statements. They usually require the statement to be proven to be expressed as a constraint system, called an arithmetic circuit, which can take various forms depending on the theory. It is difficult to express complex statements in the form of arithmetic circuits. OSL is a language of statements which is similar to type theories used in proof...

2022/1002 (PDF) Last updated: 2022-08-04
Zswap: zk-SNARK Based Non-Interactive Multi-Asset Swaps
Felix Engelmann, Thomas Kerber, Markulf Kohlweiss, Mikhail Volkhov
Cryptographic protocols

Privacy-oriented cryptocurrencies, like Zcash or Monero, provide fair transaction anonymity and confidentiality but lack important features compared to fully public systems, like Ethereum. Specifically, supporting assets of multiple types and providing a mechanism to atomically exchange them, which is critical for e.g. decentralized finance (DeFi), is challenging in the private setting. By combining insights and security properties from Zcash and SwapCT (PETS 21, an atomic swap system for...

2022/985 (PDF) Last updated: 2022-08-02
Privacy when Everyone is Watching: An SOK on Anonymity on the Blockchain
Roy Rinberg, Nilaksh Agarwal
Applications

Blockchain technologies rely on a public ledger, where typically all transactions are pseudoanonymous and fully traceable. This poses a major flaw in its large scale adoption of cryptocurrencies, the primary application of blockchain technologies, as most individuals do not want to disclose their finances to the pub- lic. Motivated by the explosive growth in private-Blockchain research, this Statement-of-Knowledge (SOK) explores the ways to obtain privacy in this public ledger ecosystem....

2022/670 (PDF) Last updated: 2022-07-22
Practical UC-Secure Zero-Knowledge Smart Contracts
Jayamine Alupotha, Xavier Boyen
Cryptographic protocols

Zero-knowledge defines that verifier(s) learns nothing but predefined statement(s); e.g., verifiers learn nothing except the program's path for the respective transaction in a zero-knowledge contract program. Intra-Privacy or insiders' zero-knowledge --- ability to maintain a secret in a multi-party computation --- is an essential security property for smart contracts of Confidential Transactions (CT). Otherwise, the users have to reveal their confidential coin amounts to each other even if...

2022/462 (PDF) Last updated: 2022-04-22
New optimization techniques for PlonK’s arithmetization
Miguel Ambrona, Anne-Laure Schmitt, Raphael R. Toledo, Danny Willems
Public-key cryptography

PlonK is a universal and updatable zk-SNARK for general circuit satisfiability that allows a verifier to check the validity of a certain NP statement very efficiently, optionally in zero-knowledge. PlonK requires that the NP relation of interest be expressed as a system of so-called PlonK constraints. Such conversion is complex and can be implemented in various ways, having a great impact on the prover complexity (which is typically linearithmic in the number of PlonK constraints). We...

2022/406 (PDF) Last updated: 2022-06-23
Counting Vampires: From Univariate Sumcheck to Updatable ZK-SNARK
Helger Lipmaa, Janno Siim, Michal Zajac
Cryptographic protocols

We propose a univariate sumcheck argument $\mathfrak{Count}$ of essentially optimal communication efficiency of one group element. While the previously most efficient univariate sumcheck argument of Aurora is based on polynomial commitments, $\mathfrak{Count}$ is based on inner-product commitments. We use $\mathfrak{Count}$ to construct a new pairing-based updatable and universal zk-SNARK $\mathfrak{Vampire}$ with the shortest known argument length (four group and two finite field...

2022/310 (PDF) Last updated: 2022-03-07
Dispute-free Scalable Open Vote Network using zk-SNARKs
Muhammad ElSheikh, Amr M. Youssef
Applications

The Open Vote Network is a self-tallying decentralized e-voting protocol suitable for boardroom elections. Currently, it has two Ethereum-based implementations: the first, by McCorry et al., has a scalability issue since all the computations are performed on-chain. The second implementation, by Seifelnasr et al., solves this issue partially by assigning a part of the heavy computations to an off-chain untrusted administrator in a verifiable manner. As a side effect, this second...

2022/086 (PDF) Last updated: 2022-03-12
PlonKup: Reconciling PlonK with plookup
Luke Pearson, Joshua Fitzgerald, Héctor Masip, Marta Bellés-Muñoz, Jose Luis Muñoz-Tapia
Cryptographic protocols

In 2019, Gabizon, Williamson, and Ciobotaru introduced PlonK – a fast and flexible ZK-SNARK with an updatable and universal structured reference string. PlonK uses a grand product argument to check permutations of wire values, and exploits convenient interactions between multiplicative subgroups and Lagrange bases. The following year, Gabizon and Williamson used similar techniques to develop plookup – a ZK-SNARK that can verify that each element from a list of queries can be found in a...

2022/037 (PDF) Last updated: 2023-02-05
Subgroup membership testing on elliptic curves via the Tate pairing
Dmitrii Koshelev
Implementation

This note explains how to guarantee the membership of a point in the prime-order subgroup of an elliptic curve (over a finite field) satisfying some moderate conditions. For this purpose, we apply the Tate pairing on the curve, however it is not required to be pairing-friendly. Whenever the cofactor is small, the new subgroup test is much more efficient than other known ones, because it needs to compute at most two $n$-th power residue symbols (with small $n$) in the basic field. More...

2021/1700 (PDF) Last updated: 2021-12-30
A Unified Framework for Non-Universal SNARKs
Helger Lipmaa
Cryptographic protocols

We propose a general framework for non-universal SNARKs. It contains (1) knowledge-sound and non-black-box any-simulation-extractable (ASE), (2) zero-knowledge and subversion-zero knowledge SNARKs for the well-known QAP, SAP, QSP, and QSP constraint languages that all by design have \emph{relatively} simple security proofs. The knowledge-sound zero-knowledge SNARK is similar to Groth's SNARK from EUROCRYPT 2016, except having fewer trapdoors, while the ASE subversion-zero knowledge SNARK...

2021/1530 (PDF) Last updated: 2022-07-16
Experimenting with Collaborative zk-SNARKs: Zero-Knowledge Proofs for Distributed Secrets
Alex Ozdemir, Dan Boneh
Cryptographic protocols

A zk-SNARK is a powerful cryptographic primitive that provides a succinct and efficiently checkable argument that the prover has a witness to a public NP statement, without revealing the witness. However, in their native form, zk-SNARKs only apply to a secret witness held by a single party. In practice, a collection of parties often need to prove a statement where the secret witness is distributed or shared among them. We implement and experiment with *collaborative zk-SNARKs*:...

2021/1342 (PDF) Last updated: 2022-02-28
Efficient Functional Commitments: How to Commit to a Private Function
Dan Boneh, Wilson Nguyen, Alex Ozdemir
Cryptographic protocols

We construct efficient (function hiding) functional commitments for arithmetic circuits of polynomial size. A (function hiding) functional commitment scheme enables a \textit{committer} to commit to a secret function $f$ and later prove that $y = f(x)$ for public $x$ and $y$ without revealing any other information about $f$. As such, functional commitments allow the operator of a secret process to prove that the process is being applied uniformly to everyone. For example, one can commit to...

2021/1167 (PDF) Last updated: 2021-11-01
fflonk: a Fast-Fourier inspired verifier efficient version of PlonK
Ariel Gabizon, Zachary J. Williamson
Cryptographic protocols

We present a variant of the Kate, Zaverucha and Goldberg polynomial commitment scheme [KZG] where $d$ polynomials can be opened at a point that is a $d$'th power, such that the amount of verifier group operations does not depend on $d$. Our method works by reducing opening multiple polynomials at a single point $x$, to opening a single polynomial at many points via an ``FFT-like identity''. As an application we present a version of the PlonK zk-SNARK[GWC] with significantly improved...

2021/567 (PDF) Last updated: 2021-05-07
Forward-secure Multi-user Aggregate Signatures based on zk-SNARKs
Jeonghyuk Lee, Jihye Kim, Hyunok Oh
Cryptographic protocols

As a solution to mitigate the key exposure problems in the digital signature, forward security has been proposed. The forward security guarantees the integrity of the messages generated in the past despite leaks of a current time period secret key by evolving a secret key on each time period. However, there is no forward secure signature scheme whose all metrics have constant complexities. Furthermore, existing works do not support multi-user aggregation of signatures. In this paper, we...

2021/219 (PDF) Last updated: 2021-09-21
Snarky Ceremonies
Markulf Kohlweiss, Mary Maller, Janno Siim, Mikhail Volkhov
Cryptographic protocols

Succinct non-interactive arguments of knowledge (SNARKs) have found numerous applications in the blockchain setting and elsewhere. The most efficient SNARKs require a distributed ceremony protocol to generate public parameters, also known as a structured reference string (SRS). Our contributions are two-fold: 1. We give a security framework for non-interactive zero-knowledge arguments with a ceremony protocol. 2. We revisit the ceremony protocol of Groth's SNARK [Bowe et al., 2017]. We show...

2021/165 (PDF) Last updated: 2021-02-17
Composition with Knowledge Assumptions
Thomas Kerber, Aggelos Kiayias, Markulf Kohlweiss
Foundations

Zero-knowledge succinct non-interactive arguments (zk-SNARKs) rely on knowledge assumptions for their security. Meanwhile, as the complexity and scale of cryptographic systems continues to grow, the composition of secure protocols is of vital importance. The current gold standards of composable security, the Universal Composability and Constructive Cryptography frameworks cannot capture knowledge assumptions, as their core proofs of composition prohibit white-box extraction. In this paper,...

2021/127 (PDF) Last updated: 2021-05-07
Cuproof: A Novel Range Proof with Constant Size
Cong Deng, Xianghong Tang, Lin You, Gengran Hu, Shuhong Gao
Cryptographic protocols

Zero-knowledge proof is widely used in blockchains. For example, zk-SNARK is used by Zcash as its core technology in identifying transactions. Up to now, various range proofs have been proposed, and their efficiency and range-flexibility are enhanced. Bootle et al. used inner product method and recursion to make an efficient zero-knowledge proof. Then, Benediky Bünz et al. came up with an efficient zero-knowledge proof scheme called Bulletproofs which can convince the verifier that a secret...

2020/1579 (PDF) Last updated: 2021-06-02
Efficient Verifiable Image Redacting based on zk-SNARKs
Hankyung Ko, Ingeun Lee, Seunghwa Lee, Jihye Kim, Hyunok Oh
Cryptographic protocols

Image is a visual representation of a certain fact and can be used as proof of events. As the utilization of the image increases, it is required to prove its authenticity with the protection of its sensitive personal information. In this paper, we propose a new efficient verifiable image redacting scheme based on zk-SNARKs, a commitment, and a digital signature scheme. We adopt a commit-and-prove SNARK scheme which takes commitments as inputs, in which the authenticity can be quickly...

2020/1306 (PDF) Last updated: 2023-08-10
Simulation Extractable Versions of Groth’s zk-SNARK Revisited
Oussama Amine, Karim Baghery, Zaira Pindado, Carla Ràfols
Cryptographic protocols

Zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs) are the most efficient proof systems in terms of proof size and verification. Currently, Groth's scheme from EUROCRYPT 2016, $\textsf{Groth16}$, is the state-of-the-art and is widely deployed in practice. $\mathsf{Groth16}$ is originally proven to achieve knowledge soundness, which does not guarantee the non-malleability of proofs. There has been considerable progress in presenting new zk-SNARKs or modifying...

2020/811 (PDF) Last updated: 2020-10-06
Another Look at Extraction and Randomization of Groth's zk-SNARK
Karim Baghery, Markulf Kohlweiss, Janno Siim, Mikhail Volkhov
Cryptographic protocols

Due to the simplicity and performance of zk-SNARKs they are widely used in real-world cryptographic protocols, including blockchain and smart contract systems. Simulation Extractability (SE) is a necessary security property for a NIZK argument to achieve Universal Composability (UC), a common requirement for such protocols. Most of the works that investigated SE focus on its strong variant which implies proof non-malleability. In this work we investigate a relaxed weaker notion, that allows...

2020/668 (PDF) Last updated: 2020-06-05
On Subversion-Resistant SNARKs
Behzad Abdolmaleki, Helger Lipmaa, Janno Siim, Michał Zając
Cryptographic protocols

While NIZK arguments in the CRS model are widely studied, the question of what happens when the CRS was subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro showed the first negative and positive results in the case of NIZK, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero-knowledge at the same time. On the positive side, they constructed an involved sound and subversion-zero-knowledge (Sub-ZK)...

2020/584 (PDF) Last updated: 2020-12-18
vCNN: Verifiable Convolutional Neural Network based on zk-SNARKs
Seunghwa Lee, Hankyung Ko, Jihye Kim, Hyunok Oh
Cryptographic protocols

With the development of AI systems, services using them expand to various applications. The widespread adoption of AI systems relies substantially on the ability to trust their output. Therefore, it is becoming important for a client to be able to check whether the AI inference services have been correctly calculated. Since the weight value in a CNN model is an asset of service providers, the client should be able to check the correctness of the result without the weight value. Furthermore,...

2020/474 (PDF) Last updated: 2021-09-28
Tiramisu: Black-Box Simulation Extractable NIZKs in the Updatable CRS Model
Karim Baghery, Mahdi Sedaghat
Cryptographic protocols

Zk-SNARKs, as the most efficient NIZK arguments in terms of proof size and verification, are ubiquitously deployed in practice. In applications like Hawk [S&P'16], Gyges [CCS'16], Ouroboros Crypsinous [S&P'19], the underlying zk-SNARK is lifted to achieve Black-Box Simulation Extractability (BB-SE) under a trusted setup phase. To mitigate the trust in such systems, we propose $\texttt{Tiramisu}$, as a construction to build NIZK arguments that can achieve $\textit{updatable BB-SE}$, which we...

2020/315 (PDF) Last updated: 2020-11-20
plookup: A simplified polynomial protocol for lookup tables
Ariel Gabizon, Zachary J. Williamson

We present a protocol for checking the values of a committed polynomial $f\in \mathbb{F}_{<n}[X]$ over a multiplicative subgroup $H\subset \mathbb{F}$ of size $n$, are contained in the values of a table $t\in \mathbb{F}^d$. Our protocol can be viewed as a simplification of one from Bootle et. al [BCGJM, ASIACRYPT 2018] for a similar problem, with potential efficiency improvements when $d\leq n$. In particular, [BCGJM]'s protocol requires comitting to several auxiliary polynomials of degree...

2020/278 (PDF) Last updated: 2020-08-24
MIRAGE: Succinct Arguments for Randomized Algorithms with Applications to Universal zk-SNARKs
Ahmed Kosba, Dimitrios Papadopoulos, Charalampos Papamanthou, Dawn Song
Cryptographic protocols

The last few years have witnessed increasing interest in the deployment of zero-knowledge proof systems, in particular ones with succinct proofs and efficient verification (zk-SNARKs). One of the main challenges facing the wide deployment of zk-SNARKs is the requirement of a trusted key generation phase per different computation to achieve practical proving performance. Existing zero-knowledge proof systems that do not require trusted setup or have a single trusted preprocessing phase suffer...

2020/156 (PDF) Last updated: 2020-02-16
Phantom: An Efficient Privacy Protocol Using zk-SNARKs Based on Smart Contracts
Xing Li, Yi Zheng, Kunxian Xia, Tongcheng Sun, John Beyler
Cryptographic protocols

Privacy is a critical issue for blockchains and decentralized applications. Currently, there are several blockchains featured for privacy. For example, Zcash uses zk-SNARKs to hide the transaction data, where addresses and amounts are not visible to the public. The zk-SNARK technology is secure and has been running stably in Zcash for several years. However, it cannot support smart contracts, which means people are not able to build decentralized applications on Zcash. To solve this...

2020/123 (PDF) Last updated: 2024-01-22
Zendoo: a zk-SNARK Verifiable Cross-Chain Transfer Protocol Enabling Decoupled and Decentralized Sidechains
Alberto Garoffolo, Dmytro Kaidalov, Roman Oliynykov
Cryptographic protocols

Sidechains are an appealing innovation devised to enable blockchain scalability and extensibility. The basic idea is simple yet powerful: construct a parallel chain - sidechain - with desired features, and provide a way to transfer coins between the mainchain and the sidechain. In this paper, we introduce Zendoo, a construction for Bitcoin-like blockchain systems that allows the creation and communication with sidechains of different types without knowing their internal structure. We...

2020/062 (PDF) Last updated: 2020-08-24
Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically
Behzad Abdolmaleki, Sebastian Ramacher, Daniel Slamanig
Cryptographic protocols

Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion of zk-SNARKs which informally ensures non-malleability of proofs. This property is acknowledged as being highly important by leading companies in this field such as Zcash and supported by various attacks against the...

2019/1354 (PDF) Last updated: 2020-05-25
BlockMaze: An Efficient Privacy-Preserving Account-Model Blockchain Based on zk-SNARKs
Zhangshuang Guan, Zhiguo Wan, Yang Yang, Yan Zhou, Butian Huang
Applications

The disruptive blockchain technology is expected to have broad applications in many areas due to its advantages of transparency, fault tolerance, and decentralization, but the open nature of blockchain also introduces severe privacy issues. Since anyone can deduce private information about relevant accounts, different privacy-preserving techniques have been proposed for cryptocurrencies under the UTXO model, e.g., Zerocash and Monero. However, it is more challenging to protect privacy for...

2019/1270 (PDF) Last updated: 2020-12-29
SAVER: SNARK-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization
Jiwon Lee, Jaekyoung Choi, Jihye Kim, Hyunok Oh
Cryptographic protocols

In the pairing-based zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK), there often exists a requirement for the proof system to be combined with encryption. As a typical example, a blockchain-based voting system requires the vote to be confidential (using encryption), while verifying voting validity (using zk-SNARKs). In these combined applications, a typical solution is to extend the zk-SNARK circuit to include the encryption code. However, complex cryptographic...

2019/1241 (PDF) Last updated: 2019-10-23
SIMS : Self Sovereign Identity Management System with Preserving Privacy in Blockchain
Jeonghyuk Lee, Jungyeon Hwang, Jaekyung Choi, Hyunok Oh, Jihye Kim
Applications

Blockchain, which is a useful tool for providing data integrity, has emerged as an alternative to centralized servers. Concentrating on the integrity of the blockchain, many applications have been developed. Specifically, a blockchain can be utilized in proving the user's identity using its strong integrity. However, since all data in the blockchain is publicly available, it can cause privacy problems if the user's identity is stored in the blockchain unencrypted. Although the encryption of...

2019/1229 (PDF) Last updated: 2022-06-29
Transparent SNARKs from DARK Compilers
Benedikt Bünz, Ben Fisch, Alan Szepieniec
Cryptographic protocols

We construct a new polynomial commitment scheme for univariate and multivariate polynomials over finite fields, with logarithmic size evaluation proofs and verification time, measured in the number of coefficients of the polynomial. The underlying technique is a Diophantine Argument of Knowledge (DARK), leveraging integer representations of polynomials and groups of unknown order. Security is shown from the strong RSA and the adaptive root assumptions. Moreover, the scheme does not require a...

2019/1162 (PDF) Last updated: 2019-10-07
Subversion-Resistant Simulation (Knowledge) Sound NIZKs
Karim Baghery
Cryptographic protocols

In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro studied the security of non-interactive zero-knowledge (NIZK) arguments in the face of parameter subversion. They showed that achieving subversion soundness (soundness without trusting to the third party) and standard zero-knowledge is impossible at the same time. On the positive side, in the best case, they showed that one can achieve subversion zero-knowledge (zero-knowledge without trusting to the third party) and soundness at the same...

2019/953 (PDF) Last updated: 2024-02-23
PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge
Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru

zk-SNARK constructions that utilize an updatable universal structured reference string remove one of the main obstacles in deploying zk-SNARKs [GKMMM, Crypto 2018]. The important work of Maller et al. [MBKM, CCS 2019] presented $\mathsf{Sonic}$ - the first potentially practical zk-SNARK with fully succinct verification for general arithmetic circuits with such an SRS. However, the version of $\mathsf{Sonic}$ enabling fully succinct verification still requires relatively high proof...

2019/641 (PDF) Last updated: 2019-08-21
Simulation Extractability in Groth's zk-SNARK
Shahla Atapoor, Karim Baghery
Cryptographic protocols

A Simulation Extractable (SE) zk-SNARK enables a prover to prove that she knows a witness for an instance in a way that the proof: (1) is succinct and can be verified very efficiently; (2) does not leak information about the witness; (3) is simulation-extractable -an adversary cannot come out with a new valid proof unless it knows a witness, even if it has already seen arbitrary number of simulated proofs. Non-malleable succinct proofs and very efficient verification make SE zk-SNARKs an...

2019/601 (PDF) Last updated: 2019-08-13
AuroraLight: Improved prover efficiency and SRS size in a Sonic-like system
Ariel Gabizon

Using ideas from the recent Aurora zk-STARK of Ben-Sasson et al. [BCRSVW, Eurocrypt 2019], we present a zk-SNARK with a universal and updatable SRS similar to the recent construction of Maller et al. [MBKM, 2019], called $\mathsf{Sonic}$. Compared to $\mathsf{Sonic}$, our construction achieves significantly better prover run time (less than half) and smaller SRS size (one sixth). However, we only achieve amortized succinct verification time for batches of proofs, either when the proofs are...

2019/586 (PDF) Last updated: 2022-11-06
Simulation-Extractable zk-SNARK with a Single Verification
Jihye Kim, Jiwon Lee, Hyunok Oh
Cryptographic protocols

This revised paper improves the previous simulation-extractable zk-SNARK (SE-SNARK) in terms of performance efficiency and the security. It removes the G_2 operation in verification, without degrading performance and size, and analyze the security of the nested hash collision more deeply to strengthen the security. The simulation-extractable zk-SNARK (SE-SNARK) introduces a security notion of non-malleability. The existing pairing-based zk-SNARKs designed from linear encoding are known...

2019/480 (PDF) Last updated: 2019-07-15
On the Efficiency of Privacy-Preserving Smart Contract Systems
Karim Baghery
Applications

Along with blockchain technology, smart contracts have found intense interest in lots of practical applications. A smart contract is a mechanism involving digital assets and some parties, where the parties deposit assets into the contract and the contract redistributes the assets among the parties based on provisions of the smart contract and inputs of the parties. Recently, several smart contract systems are constructed that use zk-SNARKs to provide privacy-preserving payments and...

2019/471 (PDF) Last updated: 2019-05-10
UC-Secure CRS Generation for SNARKs
Behzad Abdolmaleki, Karim Baghery, Helger Lipmaa, Janno Siim, Michal Zajac

Zero-knowledge SNARKs (zk-SNARKs) have recently found various applications in verifiable computation and blockchain applications (Zerocash), but unfortunately they rely on a common reference string (CRS) that has to be generated by a trusted party. A standard suggestion, pursued by Ben Sasson et al. [IEEE S&P, 2015], is to generate CRS via a multi-party protocol. We enhance their CRS-generation protocol to achieve UC-security. This allows to safely compose the CRS-generation protocol with...

2019/148 (PDF) Last updated: 2019-03-18
On the efficiency of pairing-based proofs under the d-PKE
Ariel Gabizon
Cryptographic protocols

We investigate the minimal number of group elements and prover running time in a zk-SNARK when using only a symmetric ``linear'' knowledge assumption, like the $d$-Power Knowledge of Exponent assumption, rather than a ``quadratic'' one as implicitly happens in the most efficient known construction by Groth [Groth16]. The proofs of [Groth16] contain only 3 group elements. We present 4 element proofs for quadratic arithmetic programs/rank 1 constraint systems under the $d$-PKE with very...

2019/119 (PDF) Last updated: 2019-02-13
On the security of the BCTV Pinocchio zk-SNARK variant
Ariel Gabizon
Cryptographic protocols

The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], which are vital not to expose. The flaw enables creating a proof of knowledge for *any* public input given a valid proof for *some* public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from...

2019/099 (PDF) Last updated: 2019-07-08
Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings
Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn
Public-key cryptography

Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptocurrencies and other applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings...

2018/280 (PDF) Last updated: 2018-06-22
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs
Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers
Public-key cryptography

By design, existing (pre-processing) zk-SNARKs embed a secret trapdoor in a relation-dependent common reference strings (CRS). The trapdoor is exploited by a (hypothetical) simulator to prove the scheme is zero knowledge, and the secret-dependent structure facilitates a linear-size CRS and linear-time prover computation. If known by a real party, however, the trapdoor can be used to subvert the security of the system. The structured CRS that makes zk-SNARKs practical also makes deploying...

2018/275 (PDF) Last updated: 2018-10-15
Lattice-Based zk-SNARKs from Square Span Programs
Rosario Gennaro, Michele Minelli, Anca Nitulescu, Michele Orrù
Public-key cryptography

Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short (i.e., independent of the size of the witness) and efficiently verifiable proofs. They elegantly resolve the juxtaposition of individual privacy and public trust, by providing an efficient way of demonstrating knowledge of secret information without actually revealing it. To this day, zk-SNARKs are widely deployed all over the planet and are used to keep alive a system worth billion of euros, namely the...

2018/187 (PDF) Last updated: 2018-02-21
Making Groth's zk-SNARK Simulation Extractable in the Random Oracle Model
Sean Bowe, Ariel Gabizon

We describe a variant of Groth's zk-SNARK [Groth, Eurocrypt 2016] that satisfies simulation extractability, which is a strong form of adaptive non-malleability. The proving time is almost identical to [Groth] and requires only two additional group operations. Our proof consists of 5 group elements rather than 3 as in [Groth], and the security proof requires the random oracle model.

2018/176 (PDF) Last updated: 2018-02-14
Fine-Tuning Decentralized Anonymous Payment Systems based on Arguments for Arithmetic Circuit Satisfiability
Kamil Kluczniak, Man Ho Au
Cryptographic protocols

Digital currencies like Bitcoin and other blockchain based systems provide means to record monetary transfers between accounts. In Bitcoin like systems transactions are published on a decentralized ledger and reveal the sender, receiver and amount of a transfer, hence such systems give only moderate anonymity guarantees. Payment systems like ZCash attempt to offer much stronger anonymity by hiding the origin, destination and value of a payment. The ZCash system is able to offer strong...

2017/1050 (PDF) Last updated: 2019-09-03
Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model
Sean Bowe, Ariel Gabizon, Ian Miers
Cryptographic protocols

Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) have emerged as a valuable tool for verifiable computation and privacy preserving protocols. Currently practical schemes require a common reference string (CRS) to be constructed in a one-time setup for each statement. Ben-Sasson, Chiesa, Green, Tromer and Virza devised a multi-party protocol to securely compute such a CRS, and an adaptation of this protocol was used to construct the CRS for the Zcash cryptocurrency....

2017/684 (PDF) Last updated: 2018-04-16
Z-Channel: Scalable and Efficient Scheme in Zerocash
Yuncong Zhang, Yu Long, Zhen Liu, Zhiqiang Liu, Dawu Gu

Decentralized ledger-based cryptocurrencies like Bitcoin present a way to construct payment systems without trusted banks. However, the anonymity of Bitcoin is fragile. Many altcoins and protocols are designed to improve Bitcoin on this issue, among which Zerocash is the first full-fledged anonymous ledger-based currency, using zero-knowledge proof, specifically zk-SNARK, to protect privacy. However, Zerocash suffers two problems: poor scalability and low efficiency. In this paper, we...

2017/602 (PDF) Last updated: 2017-06-25
A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK
Sean Bowe, Ariel Gabizon, Matthew D. Green

Recent efficient constructions of zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs), require a setup phase in which a common-reference string (CRS) with a certain structure is generated. This CRS is sometimes referred to as the public parameters of the system, and is used for constructing and verifying proofs. A drawback of these constructions is that whomever runs the setup phase subsequently possesses trapdoor information enabling them to produce fraudulent...

2017/599 (PDF) Last updated: 2017-06-21
A Subversion-Resistant SNARK
Behzad Abdolmaleki, Karim Baghery, Helger Lipmaa, Michal Zajac
Cryptographic protocols

While succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs) are widely studied, the question of what happens when the CRS has been subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer and Scafuro showed the first negative and positive results in this direction, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero knowledge at the same time. On the positive side, they constructed an involved sound and...

2017/013 (PDF) Last updated: 2017-06-21
Pinocchio-Based Adaptive zk-SNARKs and Secure/Correct Adaptive Function Evaluation
Meilof Veeningen
Cryptographic protocols

Pinocchio is a practical zk-SNARK that allows a prover to perform cryptographically verifiable computations with verification effort sometimes less than performing the computation itself. A recent proposal showed how to make Pinocchio adaptive (or ``hash-and-prove''), i.e., to enable proofs with respect to computation-independent commitments. This enables computations to be chosen after the commitments have been produced, and for data to be shared in different computations in a flexible way....

2016/834 (PDF) Last updated: 2018-11-02
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption
Russell W. F. Lai, Raymond K. H. Tai, Harry W. H. Wong, Sherman S. M. Chow

Homomorphic signatures (HS) allows the derivation of the signature of the message-function pair $(m, g)$, where $m = g(m_1, \ldots, m_K)$, given the signatures of each of the input messages $m_k$ signed under the same key. Multi-key HS (M-HS) introduced by Fiore et al. (ASIACRYPT'16) further enhances the utility by allowing evaluation of signatures under different keys. While the unforgeability of existing M-HS notions unrealistically assumes that all signers are honest, we consider the...

2014/595 (PDF) Last updated: 2020-06-18
Scalable Zero Knowledge via Cycles of Elliptic Curves
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza
Cryptographic protocols

Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the verifier is...

2014/396 (PDF) Last updated: 2020-04-23
Prover-Efficient Commit-And-Prove Zero-Knowledge SNARKs
Helger Lipmaa
Cryptographic protocols

Zk-SNARKs (succinct non-interactive zero-knowledge arguments of knowledge) are needed in many applications. Unfortunately, all previous zk-SNARKs for interesting languages are either inefficient for the prover, or are non-adaptive and based on a commitment scheme that depends both on the prover's input and on the language, i.e., they are not commit-and-prove (CaP) SNARKs. We propose a proof-friendly extractable commitment scheme, and use it to construct prover-efficient adaptive CaP...

2013/507 (PDF) Last updated: 2013-10-07
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge
Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, Madars Virza
Cryptographic protocols

An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key. We present an...

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.