Malleable Proof Systems and Applications

Chase, Melissa; Kohlweiss, Markulf; Lysyanskaya, Anna; Meiklejohn, Sarah

doi:10.1007/978-3-642-29011-4_18

Cited by 72 publications

(86 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Proof systems for NP that satisfy the zero knowledge and proof of knowledge properties are a powerful tool that enables a party to prove that he or she "knows" a secret satisfying certain properties, without revealing anything about the secret itself. Such proofs are important building blocks of many cryptographic tools, including secure computation [GMW87,BGW88], group signatures [BW06,Gro06], malleable proof systems [CKLM12], anonymous credentials [BCKL08], delegatable credentials [BCC + 09], electronic voting [KMO01, Gro05,Lip11], and many others. Known constructions of zero-knowledge proofs of knowledge are practical only when proving statements of special form that avoid generic NP reductions (e.g., proving pairing-product equations [Gro06]).…”

Section: Introductionmentioning

confidence: 99%

SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

Ben–Sasson

Chiesa²,

Genkin

et al. 2013

Lecture Notes in Computer Science

404

259

View full text Add to dashboard Cite

Abstract. An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptivelychosen NP statements, and proofs can be verified by anyone by using the verification key.We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-ofknowledge. It directly proves correct executions of programs on TinyRAM, a nondeterministic random-access machine tailored for efficient verification. Given a program P and time bound T , the system allows for proving correct execution of P , on any input x, for up to T steps, after a one-time setup requiringÕ(|P |·T ) cryptographic operations. An honest prover requiresÕ(|P |·T ) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler.This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for program executions, in the preprocessing model -a powerful solution for delegating NP computations, with several features not achieved by previously-implemented primitives.Our approach builds on recent theoretical progress in the area. We present efficiency improvements and implementations of two main ingredients: 1. Given a C program, we produce a circuit whose satisfiability encodes the correctness of execution of the program. Leveraging nondeterminism, the generated circuit's size is merely quasilinear in the size of the computation. In particular, we efficiently handle arbitrary and data-dependent loops, control flow, and memory accesses. This is in contrast with existing "circuit generators", which in the general case produce circuits of quadratic size. 2. Given a linear PCP for verifying satisfiability of circuits, we produce a corresponding SNARK. We construct such a linear PCP (which, moreover, is zero-knowledge and very efficient) by building and improving on recent work on quadratic arithmetic programs.

show abstract

Section: Introductionmentioning

confidence: 99%

SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

Ben–Sasson

Chiesa²,

Genkin

et al. 2013

Lecture Notes in Computer Science

404

259

View full text Add to dashboard Cite

show abstract

“…Note that HCCA does not handle the homomorphic property and CCA2 security simultaneously, since anyone can perform the homomorphic operation. Chase et al [12] showed that controlled-malleable non-interactive zero-knowledge can be used as a general tool for achieving RCCA and HCCA security.…”

Section: Related Workmentioning

confidence: 99%

Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption

Emura

Hanaoka

Ohtake

et al. 2013

Public-Key Cryptography – PKC 2013

View full text Add to dashboard Cite

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic publickey encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For ℓ-bit security, our DDH-based KH-PKE scheme yields only ℓ-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme. Finally, we consider an identitybased analogue of KH-PKE, called keyed-homomorphic identity-based encryption (KH-IBE) and give its concrete construction from the Gentry IBE scheme.

show abstract

“…[BCKL08,BCC + 09] exploited rerandomization properties of Groth-Sahai proofs, which they used in anonymous credentials. Recently, [CKLM12] introduced a new notion of malleable proof systems, which can be built from Groth-Sahai proofs. While there has been significant research effort devoted to pairing-based NIZK proofs, Groth-Sahai proofs still remain the most efficient NIZK proofs that are based on standard intractability assumptions and there has not been any progress in reducing their size or the prover's computation.…”

Section: Introductionmentioning

confidence: 99%

Fine-Tuning Groth-Sahai Proofs

Escala

Groth

2014

Public-Key Cryptography – PKC 2014

View full text Add to dashboard Cite

Abstract. Groth-Sahai proofs are efficient non-interactive zero-knowledge proofs that have found widespread use in pairingbased cryptography. We propose efficiency improvements of Groth-Sahai proofs in the SXDH setting, which is the one that yields the most efficient non-interactive zero-knowledge proofs.-We replace some of the commitments with ElGamal encryptions, which reduces the prover's computation and for some types of equations reduces the proof size. -Groth-Sahai proofs are zero-knowledge when no public elements are paired to each other. We observe that they are also zero-knowledge when base elements for the groups are paired to public constants. -The prover's computation can be reduced by letting her pick her own common reference string. By giving a proof she has picked a valid common reference string this does not compromise soundness. -We define a type-based commit-and-prove scheme, which allows commitments to be reused in many different proofs.

show abstract

Malleable Proof Systems and Applications

Cited by 72 publications

References 41 publications

SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption

Fine-Tuning Groth-Sahai Proofs

Contact Info

Product

Resources

About