Cryptographic Proof Systems

A proof system is a protocol between a prover and a verifier, where the goal of the prover is to convince the verifier that some statement is true. In this project, we study and construct new proof systems that satisfy special properties such as zero-knowledge (where we require that the proof does not reveal anything more about the statement other than its truth) and succinctness (where proofs are short and can be verified quickly). I have also worked on the related notion of (succinct) functional commitments which can be viewed as succinct proofs on committed data.

A Hidden-Bits Approach to Black-Box Statistical ZAPs from LWE

Eli Bradley, George Lu, Shafik Nassar, Brent Waters, and David J. Wu

Abstract:

We give a new approach for constructing statistical ZAP arguments (a two-message public-coin statistically witness indistinguishable argument) from quasi-polynomial hardness of the learning with errors (LWE) assumption with a polynomial modulus-to-noise ratio. Previously, all ZAP arguments from lattice-based assumptions relied on correlation-intractable hash functions. In this work, we present the first construction of a ZAP from LWE via the classic hidden-bits paradigm. Our construction matches previous lattice-based schemes by being public-coin and satisfying statistical witness indistinguishability. Moreover, our construction is the first lattice-based ZAP that is fully black-box in the use of cryptography. Previous lattice-based ZAPs based on correlation-intractable hash functions all made non-black-box use of cryptography.

Resources:

BibTeX:
@misc{BLNWW24,
  author    = {Eli Bradley and George Lu and Shafik Nassar and Brent Waters and David J. Wu},
  title     = {A Hidden-Bits Approach to Black-Box Statistical {ZAPs} from {LWE}},
  misc      = {Full version available at \url{https://eprint.iacr.org/2024/1663}},
  year      = {2024}
}

New Techniques for Preimage Sampling: Improved NIZKs and More from LWE

Brent Waters, Hoeteck Wee, and David J. Wu

Abstract:

Recent constructions of vector commitments and non-interactive zero-knowledge (NIZK) proofs from LWE implicitly solve the following shifted multi-preimage sampling problem: given matrices \( \mathbf{A}_1, \ldots, \mathbf{A}_\ell \in \mathbb{Z}_q^{n \times m} \) and targets \( \mathbf{t}_1, \ldots, \mathbf{t}_\ell \in \mathbb{Z}_q^n \), sample a shift \( \mathbf{c} \in \mathbb{Z}_q^n \) and short preimages \( \boldsymbol{\pi}_1, \ldots, \boldsymbol{\pi}_\ell \in \mathbb{Z}_q^m \) such that \( \mathbf{A}_i \boldsymbol{\pi}_i = \mathbf{t}_i + \mathbf{c} \) for all \( i \in [\ell] \). In this work, we introduce a new technique for sampling \( \mathbf{A}_1, \ldots, \mathbf{A}_\ell \) together with a succinct public trapdoor for solving the multi-preimage sampling problem with respect to \( \mathbf{A}_1, \ldots, \mathbf{A}_\ell \). This enables the following applications:

  • We provide a dual-mode instantiation of the hidden-bits model (and by correspondence, a dual-mode NIZK proof for \( \mathsf{NP} \)) with (1) a linear-size common reference string (CRS); (2) a transparent setup in hiding mode (which yields statistical NIZK arguments); and (3) hardness from LWE with a polynomial modulus-to-noise ratio. This improves upon the work of Waters (STOC 2024) which required a quadratic-size structured reference string (in both modes) and LWE with a super-polynomial modulus-to-noise ratio.

  • We give a statistically-hiding vector commitment with transparent setup and polylogarithmic-size CRS, commitments, and openings from SIS. This simultaneously improves upon the vector commitment schemes of de Castro and Peikert (EUROCRYPT 2023) as well as Wee and Wu (EUROCRYPT 2023).

At a conceptual level, our work provides a unified view of recent lattice-based vector commitments and hidden-bits model NIZKs through the lens of the shifted multi-preimage sampling problem.

Resources:

BibTeX:
@misc{WWW24,
  author    = {Brent Waters and Hoeteck Wee and David J. Wu},
  title     = {New Techniques for Preimage Sampling: Improved {NIZKs} and More from {LWE}},
  misc      = {Full version available at \url{https://eprint.iacr.org/2024/1401}},
  year      = {2024}
}

Monotone Policy BARGs from BARGs and Additively Homomorphic Encryption

Shafik Nassar, Brent Waters, and David J. Wu

Abstract:

A monotone policy batch \( \mathsf{NP} \) language \( \mathcal{L}_{\mathcal{R}, P} \) is parameterized by a monotone policy \( P \colon \{0,1\}^k \to \{0,1\} \) and an \( \mathsf{NP} \) relation \( \mathcal{R} \). A statement \( (x_1, \ldots, x_k) \) is a yes instance if there exists \( w_1, \ldots, w_k \) where \( P(\mathcal{R}(x_1, w_1), \ldots, \mathcal{R}(x_k, w_k)) = 1 \). For example, we might say that an instance \( (x_1, \ldots, x_k) \) is a yes instance if a majority of the statements are true. A monotone policy batch argument (BARG) for \( \mathsf{NP} \) allows a prover to prove that \( (x_1, \ldots, x_k) \in \mathcal{L}_{\mathcal{R}, P} \) with a proof of size \( \mathsf{poly}(\lambda, |\mathcal{R}|, \log k) \), where \( \lambda \) is the security parameter, \( |\mathcal{R}| \) is the size of the Boolean circuit that computes \( \mathcal{R} \), and \( k \) is the number of instances. Recently, Brakerski, Brodsky, Kalai, Lombardi, and Paneth (CRYPTO 2023) gave the first monotone policy BARG for \( \mathsf{NP} \) from the learning with errors (LWE) assumption.

In this work, we describe a generic approach for constructing monotone policy BARGs from any BARG for \( \mathsf{NP} \) together with an additively homomorphic encryption scheme. This yields the first constructions of monotone policy BARGs from the \( k \)-Lin assumption in prime-order pairing groups as well as the (subexponential) DDH assumption in pairing-free groups. Central to our construction is a notion of a zero-fixing hash function, which is a relaxed version of a predicate-extractable hash function from the work of Brakerski et al. Our relaxation enables a direct realization of zero-fixing hash functions from BARGs for \( \mathsf{NP} \) and additively homomorphic encryption, whereas the previous notion relied on leveled homomorphic encryption, and by extension, the LWE assumption.

Resources:

BibTeX:
@inproceedings{NWW24,
  author    = {Shafik Nassar and Brent Waters and David J. Wu},
  title     = {Monotone Policy {BARGs} from {BARGs} and Additively Homomorphic Encryption},
  booktitle = {{TCC}},
  year      = {2024}
}

Batching Adaptively-Sound SNARGs for NP

Lalita Devadas, Brent Waters, and David J. Wu

Abstract:

A succinct non-interactive argument (SNARG) for NP allows a prover to convince a verifier that an NP statement \( x \) is true with a proof whose size is sublinear in the length of the traditional NP witness. Moreover, a SNARG is adaptively sound if the adversary can choose the statement it wants to prove after seeing the scheme parameters. Very recently, Waters and Wu (STOC 2024) showed how to construct adaptively-sound SNARGs for NP in the plain model from falsifiable assumptions (specifically, sub-exponentially-secure indistinguishability obfuscation, sub-exponentially-secure one-way functions, and polynomial hardness of discrete log).

We consider the batch setting where the prover wants to prove a collection of \( T \) statements \( x_1, \ldots, x_T \) and its goal is to construct a proof whose size is sublinear in both the size of a single witness and the number of instances \( T \). In this setting, existing constructions either require the size of the public parameters to scale linearly with \( T \) (and thus, can only support an a priori bounded number of instances), or only provide non-adaptive soundness, or have proof size that scales linearly with the size of a single NP witness. In this work, we give two approaches for batching adaptively-sound SNARGs for NP, and in particular, show that under the same set of assumptions as those underlying the Waters-Wu adaptively-sound SNARG, we can obtain an adaptively-sound SNARG for batch NP where the size of the proof is \( \mathsf{poly}(\lambda) \) and the size of the CRS is \( \mathsf{poly}(\lambda + |C|) \), where \( \lambda \) is a security parameter and \( |C| \) is the size of the circuit that computes the associated NP relation.

Our first approach builds directly on top of the Waters-Wu construction and relies on indistinguishability obfuscation and a homomorphic re-randomizable one-way function. Our second approach shows how to combine ideas from the Waters-Wu SNARG with the chaining-based approach by Garg, Sheridan, Waters, and Wu (TCC 2022) to obtain a SNARG for batch NP.

Resources:

BibTeX:
@inproceedings{DWW24,
  author    = {Lalita Devadas and Brent Waters and David J. Wu},
  title     = {Batching Adaptively-Sound {SNARGs} for {NP}},
  booktitle = {{TCC}},
  year      = {2024}
}

Batch Arguments to NIZKs from One-Way Functions

Eli Bradley, Brent Waters, and David J. Wu

Abstract:

Succinctness and zero-knowledge are two fundamental properties in the study of cryptographic proof systems. Several recent works have formalized the connections between these two notions by showing how to realize non-interactive zero-knowledge (NIZK) arguments from succinct non-interactive arguments. Specifically, Champion and Wu (CRYPTO 2023) as well as Bitansky, Kamath, Paneth, Rothblum, and Vasudevan (ePrint 2023) recently showed how to construct a NIZK argument for NP from a (somewhere-sound) non-interactive batch argument (BARG) and a dual-mode commitment scheme (and in the case of the Champion-Wu construction, a local pseudorandom generator). The main open question is whether a BARG suffices for a NIZK (just assuming one-way functions).

In this work, we first show that an adaptively-sound BARG for NP together with an one-way function imply a computational NIZK argument for NP. We then show that the weaker notion of somewhere soundness achieved by existing BARGs from standard algebraic assumptions are also adaptively sound if we assume sub-exponential security. This transformation may also be of independent interest. Taken together, we obtain a NIZK argument for NP from one-way functions and a sub-exponentially-secure somewhere-sound BARG for NP.

If we instead assume plain public-key encryption, we show that a standard polynomially-secure somewhere-sound batch argument for NP suffices for the same implication. As a corollary, this means a somewhere-sound BARG can be used to generically upgrade any semantically-secure public-key encryption scheme into one secure against chosen-ciphertext attacks. More broadly, our results demonstrate that constructing non-interactive batch arguments for NP is essentially no easier than constructing NIZK arguments for NP. is essentially no easier than constructing NIZK arguments for NP.

Resources:

BibTeX:
@inproceedings{BWW24,
  author    = {Eli Bradley and Brent Waters and David J. Wu},
  title     = {Batch Arguments to {NIZKs} from One-Way Functions},
  booktitle = {{TCC}},
  year      = {2024}
}

Dot-Product Proofs and Their Applications

Nir Bitansky, Prahladh Harsha, Yuval Ishai, Ron D. Rothblum, and David J. Wu

Abstract:

A dot-product proof (DPP) is a simple probabilistic proof system in which the input statement \( \mathbf{x} \) and the proof \( \boldsymbol{\pi} \) are vectors over a finite field \( \mathbb{F} \), and the proof is verified by making a single dot-product query \( \langle \mathbf{q}, (\mathbf{x} \| \boldsymbol{\pi}) \rangle \) jointly to \( \mathbf{x} \) and \( \boldsymbol{\pi} \). A DPP can be viewed as a 1-query fully linear PCP. We study the feasibility and efficiency of DPPs, obtaining the following results:

  • Small-field DPP. For any finite field \( \mathbb{F} \) and Boolean circuit \( C \) of size \( S \), there is a DPP for proving that there exists \( \mathbf{w} \) such that \( C(\mathbf{x}, \mathbf{w})=1 \) with a proof \( \boldsymbol{\pi} \) of length \( S\cdot\mathsf{poly}(|\mathbb{F}|) \) and soundness error \( \varepsilon=O(1 / \sqrt{|\mathbb{F}|}) \). We show this error to be asymptotically optimal. In particular, and in contrast to the best known PCPs, there exist strictly linear-length DPPs over constant-size fields.

  • Large-field DPP. If \( |\mathbb{F}|\ge\mathsf{poly}(S / \varepsilon) \), there is a similar DPP with soundness error \( \varepsilon \) and proof length \( O(S) \) (in field elements).

The above results do not rely on the PCP theorem and their proofs are considerably simpler. We apply our DPP constructions toward two kinds of applications.

  • Hardness of approximation. We obtain a simple proof for the NP-hardness of approximating MAXLIN (with dense instances) over any finite field \( \mathbb{F} \) up to some constant factor \( c\gt1 \), independent of \( \mathbb{F} \). Unlike previous PCP-based proofs, our proof yields exponential-time hardness under the exponential time hypothesis (ETH).

  • Succinct arguments. We improve the concrete efficiency of succinct interactive arguments in the generic group model using input-independent preprocessing. In particular, the communication is comparable to sending two group elements and the verifier's computation is dominated by a single group exponentiation. We also show how to use DPPs together with linear-only encryption to construct succinct commit-and-prove arguments.

Resources:

BibTeX:
@inproceedings{BHIRW24,
  author    = {Nir Bitansky and Prahladh Harsha and Yuval Ishai and Ron D. Rothblum and David J. Wu},
  title     = {Dot-Product Proofs and Their Applications},
  booktitle = {{FOCS}},
  year      = {2024}
}

A Pure Indistinguishability Obfuscation Approach to Adaptively-Sound SNARGs for NP

Brent Waters and David J. Wu

Abstract:

We construct an adaptively-sound succinct non-interactive argument (SNARG) for \( \mathsf{NP} \) in the CRS model from sub-exponentially-secure indistinguishability obfuscation (\( i\mathcal{O} \)) and sub-exponentially-secure one-way functions. Previously, Waters and Wu (STOC 2024), and subsequently, Waters and Zhandry (CRYPTO 2024) showed how to construct adaptively-sound SNARGs for NP by relying on sub-exponentially-secure indistinguishability obfuscation, one-way functions, and an additional algebraic assumption (i.e., discrete log, factoring, or learning with errors). In this work, we show that no additional algebraic assumption is needed and vanilla (sub-exponentially-secure) one-way functions already suffice in combination with \( i\mathcal{O} \).

Resources:

BibTeX:
@misc{WW24,
  author    = {Brent Waters and David J. Wu},
  title     = {A Pure Indistinguishability Obfuscation Approach to Adaptively-Sound {SNARGs} for {NP}},
  misc      = {Full version available at \url{https://eprint.iacr.org/2024/933}},
  year      = {2024}
}

Adaptively-Sound Succinct Arguments for NP from Indistinguishability Obfuscation

Brent Waters and David J. Wu

Abstract:

A succinct non-interactive argument (SNARG) for \( \mathsf{NP} \) allows a prover to convince a verifier that an \( \mathsf{NP} \) statement \( x \) is true with a proof of size \( o(|x| + |w|) \), where \( w \) is the associated \( \mathsf{NP} \) witness. A SNARG satisfies adaptive soundness if the malicious prover can choose the statement to prove after seeing the scheme parameters. In this work, we provide the first adaptively-sound SNARG for \( \mathsf{NP} \) in the plain model assuming sub-exponentially-hard indistinguishability obfuscation, sub-exponentially-hard one-way functions, and either the (polynomial) hardness of the discrete log assumption or the (polynomial) hardness of factoring. This gives the first adaptively-sound SNARG for \( \mathsf{NP} \) from falsifiable assumptions. All previous SNARGs for \( \mathsf{NP} \) in the plain model either relied on non-falsifiable cryptographic assumptions or satisfied a weak notion of non-adaptive soundness (where the adversary has to choose the statement it proves before seeing the scheme parameters).

Resources:

BibTeX:
@inproceedings{WW24,
  author    = {Brent Waters and David J. Wu},
  title     = {Adaptively-Sound Succinct Arguments for {NP} from Indistinguishability Obfuscation},
  booktitle = {{STOC}},
  year      = {2024}
}

Succinct Functional Commitments for Circuits from k-Lin

Hoeteck Wee and David J. Wu

Abstract:

A functional commitment allows a user to commit to an input \( \mathbf{x} \) and later, open the commitment to an arbitrary function \( \mathbf{y} = f(\mathbf{x}) \). The size of the commitment and the opening should be sublinear in \( |\mathbf{x}| \) and \( |f| \).

In this work, we give the first pairing-based functional commitment for arbitrary circuits where the size of the commitment and the size of the opening consist of a constant number of group elements. Security relies on the standard bilateral \( k \)-\( \mathsf{Lin} \) assumption. This is the first scheme with this level of succinctness from falsifiable bilinear map assumptions (previous approaches required SNARKs for \( \mathsf{NP} \)). This is also the first functional commitment scheme for general circuits with \( \mathsf{poly}(\lambda) \)-size commitments and openings from any assumption that makes fully black-box use of cryptographic primitives and algorithms. As an immediate consequence, we also obtain a succinct non-interactive argument for arithmetic circuits (i.e., a SNARG for \( \mathsf{P}/\mathsf{poly} \)) with a universal setup and where the proofs consist of a constant number of group elements. In particular, the CRS in our SNARG only depends on the size of the arithmetic circuit \( |C| \) rather than the circuit \( C \) itself; the same CRS can be used to verify computations with respect to different circuits. Our construction relies on a new notion of projective chainable commitments which may be of independent interest.

Resources:

BibTeX:
@inproceedings{WW24,
  author    = {Hoeteck Wee and David J. Wu},
  title     = {Succinct Functional Commitments for Circuits from k-Lin},
  booktitle = {{EUROCRYPT}},
  year      = {2024}
}

Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis

Hoeteck Wee and David J. Wu

Abstract:

A functional commitment allows a user to commit to an input \( \mathbf{x} \in \{0,1\}^\ell \) and later open up the commitment to a value \( y = f(\mathbf{x}) \) with respect to some function \( f \). In this work, we focus on schemes that support fast verification. Specifically, after a preprocessing step that depends only on \( f \), the verification time as well as the size of the commitment and opening should be sublinear in the input length \( \ell \), We also consider the dual setting where the user commits to the function \( f \) and later, opens up the commitment at an input \( \mathbf{x} \).

In this work, we develop two (non-interactive) functional commitments that support fast verification. The first construction supports openings to constant-degree polynomials and has a shorter CRS for a broad range of settings compared to previous constructions. Our second construction is a dual functional commitment for arbitrary bounded-depth Boolean circuits. Both schemes are lattice-based and avoid non-black-box use of cryptographic primitives or lattice sampling algorithms. Security of both constructions rely on the \( \ell \)-succinct short integer solutions (SIS) assumption, a falsifiable \( q \)-type generalization of the SIS assumption (Preprint 2023).

In addition, we study the challenges of extending lattice-based functional commitments to extractable functional commitments, a notion that is equivalent to succinct non-interactive arguments (when considering openings to quadratic relations). We describe a general methodology that heuristically breaks the extractability of our construction and provides evidence for the implausibility of the knowledge \( k \)-\( R \)-\( \mathsf{ISIS} \) assumption of Albrecht et al. (CRYPTO 2022) that was used in several constructions of lattice-based succinct arguments. If we additionally assume hardness of the standard inhomogeneous SIS assumption, we obtain a direct attack on a variant of the extractable linear functional commitment of Albrecht et al.

Resources:

BibTeX:
@inproceedings{WW23,
  author    = {Hoeteck Wee and David J. Wu},
  title     = {Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis},
  booktitle = {{ASIACRYPT}},
  year      = {2023}
}

Non-Interactive Zero-Knowledge from Non-Interactive Batch Arguments

Jeffrey Champion and David J. Wu

Abstract:

Zero-knowledge and succinctness are two important properties that arise in the study of non-interactive arguments. Previously, Kitagawa et al. (TCC 2020) showed how to obtain a non-interactive zero-knowledge (NIZK) argument for NP from a succinct non-interactive argument (SNARG) for NP. In particular, their work demonstrates how to leverage the succinctness property from an argument system and transform it into a zero-knowledge property.

In this work, we study a similar question of leveraging succinctness for zero-knowledge. Our starting point is a batch argument for NP, a primitive that allows a prover to convince a verifier of \( T \) NP statements \( x_1, \ldots, x_T \) with a proof whose size scales sublinearly with \( T \). Unlike SNARGs for NP, batch arguments for NP can be built from group-based assumptions in both pairing and pairing-free groups and from lattice-based assumptions. The challenge with batch arguments is that the proof size is only amortized over the number of instances, but can still encode full information about the witness to a small number of instances.

We show how to combine a batch argument for NP with a local pseudorandom generator (i.e., a pseudorandom generator where each output bit only depends on a small number of input bits) and a dual-mode commitment scheme to obtain a NIZK for NP. Our work provides a new generic approach of realizing zero-knowledge from succinctness and highlights a new connection between succinctness and zero-knowledge.

Resources:

BibTeX:
@inproceedings{CW23,
  author     = {Jeffrey Champion and David J. Wu},
  title      = {Non-Interactive Zero-Knowledge from Non-Interactive Batch Arguments},
  booktitle  = {{CRYPTO}},
  year       = {2023}
}

Succinct Vector, Polynomial, and Functional Commitments from Lattices

Hoeteck Wee and David J. Wu

Abstract:

Vector commitment schemes allow a user to commit to a vector of values \( \mathbf{x} \in \{0, 1\}^\ell \) and later, open up the commitment to a specific set of positions. Both the size of the commitment and the size of the opening should be succinct (i.e., polylogarithmic in the length \( \ell \) of the vector). Vector commitments and their generalizations to polynomial commitments and functional commitments are key building blocks for many cryptographic protocols.

We introduce a new framework for constructing non-interactive lattice-based vector commitments and their generalizations. A simple instantiation of our framework yields a new vector commitment scheme from the standard short integer solution (SIS) assumption that supports private openings and large messages. We then show how to use our framework to obtain the first succinct functional commitment scheme that supports openings with respect to arbitrary bounded-depth Boolean circuits. In this scheme, a user commits to a vector \( \mathbf{x} \in \{0, 1\}^\ell \), and later on, open the commitment to any function \( f(\mathbf{x}) \). Both the commitment and the opening are non-interactive and succinct: namely, they have size \( \mathsf{poly}(\lambda, d, \log \ell) \), where \( \lambda \) is the security parameter and \( d \) is the depth of the Boolean circuit computing \( f \). Previous constructions of functional commitments could only support constant-degree polynomials, or require a trusted online authority, or rely on non-falsifiable assumptions. The security of our functional commitment scheme is based on a new falsifiable family of “basis-augmented” SIS assumptions (\( \textsf{BASIS} \)) we introduce in this work.

We also show how to use our vector commitment framework to obtain (1) a polynomial commitment scheme where the user can commit to a polynomial \( f \in \mathbb{Z}_q[x] \) and subsequently open the commitment to an evaluation \( f(x) \in \mathbb{Z}_q \); and (2) an aggregatable vector (resp., functional) commitment where a user can take a set of openings to multiple indices (resp., function evaluations) and aggregate them into a single short opening. Both of these extensions rely on the same \( \textsf{BASIS} \) assumption we use to obtain our succinct functional commitment scheme.

Resources:

BibTeX:
@inproceedings{WW23,
  author    = {Hoeteck Wee and David J. Wu},
  title     = {Succinct Vector, Polynomial, and Functional Commitments from Lattices},
  booktitle = {{EUROCRYPT}},
  year      = {2023}
}

Fully Succinct Batch Arguments for NP from Indistinguishability Obfuscation

Rachit Garg, Kristin Sheridan, Brent Waters, and David J. Wu

Abstract:

Non-interactive batch arguments for \( \mathsf{NP} \) provide a way to amortize the cost of \( \mathsf{NP} \) verification across multiple instances. In particular, they allow a prover to convince a verifier of multiple \( \mathsf{NP} \) statements with communication that scales sublinearly in the number of instances.

In this work, we study fully succinct batch arguments for \( \mathsf{NP} \) in the common reference string (CRS) model where the length of the proof scales not only sublinearly in the number of instances \( T \), but also sublinearly with the size of the \( \mathsf{NP} \) relation. Batch arguments with these properties are special cases of succinct non-interactive arguments (SNARGs); however, existing constructions of SNARGs either rely on idealized models or strong non-falsifiable assumptions. The one exception is the Sahai-Waters SNARG based on indistinguishability obfuscation. However, when applied to the setting of batch arguments, we must impose an a priori bound on the number of instances. Moreover, the size of the common reference string scales linearly with the number of instances.

In this work, we give a direct construction of a fully succinct batch argument for \( \mathsf{NP} \) that supports an unbounded number of statements from indistinguishability obfuscation and one-way functions. Then, by additionally relying on a somewhere statistically binding (SSB) hash function, we show how to extend our construction to obtain a fully succinct and updatable batch argument. In the updatable setting, a prover can take a proof \( \pi \) on \( T \) statements \( (x_1, \ldots, x_T) \) and “update” it to obtain a proof \( \pi' \) on \( (x_1, \ldots, x_T, x_{T + 1}) \). Notably, the update procedure only requires knowledge of a (short) proof for \( (x_1, \ldots, x_T) \) along with a single witness \( w_{T + 1} \) for the new instance \( x_{T + 1} \). Importantly, the update does not require knowledge of witnesses for \( x_1, \ldots, x_T \).

Resources:

BibTeX:
@inproceedings{GSWW22,
  author    = {Rachit Garg and Kristin Sheridan and Brent Waters and David J. Wu},
  title     = {Fully Succinct Batch Arguments for {NP} from Indistinguishability Obfuscation},
  booktitle = {{TCC}},
  year      = {2022}
}

Batch Arguments for NP and More from Standard Bilinear Group Assumptions

Brent Waters and David J. Wu

Abstract:

Non-interactive batch arguments for NP provide a way to amortize the cost of NP verification across multiple instances. They enable a prover to convince a verifier of multiple NP statements with communication much smaller than the total witness length and verification time much smaller than individually checking each instance.

In this work, we give the first construction of a non-interactive batch argument for NP from standard assumptions on groups with bilinear maps (specifically, from either the subgroup decision assumption in composite-order groups or from the \( k \)-Lin assumption in prime-order groups for any \( k \ge 1 \)). Previously, batch arguments for NP were only known from LWE, or a combination of multiple assumptions, or from non-standard/non-falsifiable assumptions. Moreover, our work introduces a new direct approach for batch verification and avoids heavy tools like correlation-intractable hash functions or probabilistically-checkable proofs common to previous approaches.

As corollaries to our main construction, we obtain the first publicly-verifiable non-interactive delegation scheme for RAM programs (i.e., a succinct non-interactive argument (SNARG) for P) with a CRS of sublinear size (in the running time of the RAM program), as well as the first aggregate signature scheme (supporting bounded aggregation) from standard assumptions on bilinear maps.

Resources:

BibTeX:
@inproceedings{WW22,
  author     = {Brent Waters and David J. Wu},
  title      = {Batch Arguments for {NP} and More from Standard Bilinear Group Assumptions},
  booktitle  = {{CRYPTO}},
  year       = {2022}
}

Shorter and Faster Post-Quantum Designated-Verifier zkSNARKs from Lattices

Yuval Ishai, Hang Su, and David J. Wu

Abstract:

Zero-knowledge succinct arguments of knowledge (zkSNARKs) enable efficient privacy-preserving proofs of membership for general \( \mathsf{NP} \) languages. Our focus in this work is on post-quantum zkSNARKs, with a focus on minimizing proof size. Currently, there is a \( 1000\times \) gap in the proof size between the best pre-quantum constructions and the best post-quantum ones. Here, we develop and implement new lattice-based zkSNARKs in the designated-verifier preprocessing model. With our construction, after an initial preprocessing step, a proof for an \( \mathsf{NP} \) relation of size \( 2^{20} \) is just over 16 KB. Our proofs are \( 10.3\times \) shorter than previous post-quantum zkSNARKs for general \( \mathsf{NP} \) languages. Compared to previous lattice-based zkSNARKs (also in the designated-verifier preprocessing model), we obtain a \( 42\times \) reduction in proof size and a \( 60\times \) reduction in the prover's running time, all while achieving a much higher level of soundness. Compared to the shortest pre-quantum zkSNARKs by Groth (Eurocrypt 2016), the proof size in our lattice-based construction is \( 131\times \) longer, but both the prover and the verifier are faster (by \( 1.2\times \) and \( 2.8\times \), respectively).

Our construction follows the general blueprint of Bitansky et al. (TCC 2013) and Boneh et al. (Eurocrypt 2017) of combining a linear probabilistically checkable proof (linear PCP) together with a linear-only vector encryption scheme. We develop a concretely-efficient lattice-based instantiation of this compiler by considering quadratic extension fields of moderate characteristic and using linear-only vector encryption over rank-2 module lattices.

Resources:

BibTeX:
@inproceedings{ISW21,
  author    = {Yuval Ishai and Hang Su and David J. Wu},
  title     = {Shorter and Faster Post-Quantum Designated-Verifier zkSNARKs from Lattices},
  booktitle = {ACM Conference on Computer and Communications Security ({ACM} {CCS})},
  year      = {2021}
}

On Succinct Arguments and Witness Encryption from Groups

Ohad Barta, Yuval Ishai, Rafail Ostrovsky, and David J. Wu

Abstract:

Succinct non-interactive arguments (SNARGs) enable proofs of NP statements with very low communication. Recently, there has been significant work in both theory and practice on constructing SNARGs with very short proofs. Currently, the state-of-the-art in succinctness is due to Groth (Eurocrypt 2016) who constructed a SNARG from bilinear maps where the proof consists of just 3 group elements.

In this work, we first construct a concretely-efficient designated-verifier (preprocessing) SNARG with inverse polynomial soundness, where the proof consists of just 2 group elements in a standard (generic) group. This leads to a 50% reduction in concrete proof size compared to Groth's construction. We follow the approach of Bitansky et al. (TCC 2013) who describe a compiler from linear PCPs to SNARGs in the preprocessing model. Our improvement is based on a new linear PCP packing technique that allows us to construct 1-query linear PCPs which can then be compiled into a SNARG (using ElGamal encryption over a generic group). An appealing feature of our new SNARG is that the verifier can precompute a statement-independent lookup table in an offline phase; verifying proofs then only requires 2 exponentiations and a single table lookup. This makes our new designated-verifier SNARG appealing in settings that demand fast verification and minimal communication.

We then turn to the question of constructing arguments where the proof consists of a single group element. Here, we first show that any (possibly interactive) argument for a language \( \mathcal{L} \) where the verification algorithm is “generic” (i.e., only performs generic group operations) and the proof consists of a single group element, implies a witness encryption scheme for \( \mathcal{L} \). We then show that under a yet-unproven, but highly plausible, hypothesis on the hardness of approximating the minimal distance of linear codes, we can construct a 2-message laconic argument for NP where the proof consists of a single group element. Under the same hypothesis, we obtain a witness encryption scheme for NP in the generic group model. Along the way, we show that under a conceptually-similar but proven hardness of approximation result, there is a 2-message laconic argument for NP with negligible soundness error where the prover's message consists of just 2 group elements. In both settings, we obtain laconic arguments (and linear PCPs) with linear decision procedures. Our constructions circumvent a previous lower bound by Groth on such argument systems with linear decision procedures by relying on imperfect completeness. Namely, our constructions have vanishing but not negligible completeness error, while the lower bound of Groth implicitly assumes negligible completeness error of the underlying argument. Our techniques thus highlight new avenues for designing linear PCPs, succinct arguments, and witness encryption schemes.

Resources:

BibTeX:
@inproceedings{BIOW20,
  author     = {Ohad Barta and Yuval Ishai and Rafail Ostrovsky and David J. Wu},
  title      = {On Succinct Arguments and Witness Encryption from Groups},
  booktitle  = {{CRYPTO}},
  year       = {2020}
}

New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

Benoît Libert, Alain Passelègue, Hoeteck Wee, and David J. Wu

Abstract:

Non-interactive zero-knowledge proofs (NIZKs) are important primitives in cryptography. A major challenge since the early works on NIZKs has been to construct NIZKs with a statistical zero-knowledge guarantee against unbounded verifiers. In the common reference string (CRS) model, such “statistical NIZK arguments” are currently known from k-Lin in a pairing-group and from LWE. In the (reusable) designated-verifier model (DV-NIZK), where a trusted setup algorithm generates a reusable verification key for checking proofs, we also have a construction from DCR. If we relax our requirements to computational zero-knowledge, we additionally have NIZKs from factoring and CDH in a pairing group in the CRS model, and from nearly all assumptions that imply public-key encryption (e.g., CDH, LPN, LWE) in the designated-verifier model. Thus, there still remains a gap in our understanding of statistical NIZKs in both the CRS and the designated-verifier models.

In this work, we develop new techniques for constructing statistical NIZK arguments. First, we construct statistical DV-NIZK arguments from the k-Lin assumption in pairing-free groups, the QR assumption, and the DCR assumption. These are the first constructions in pairing-free groups and from QR that satisfy statistical zero-knowledge. All of our constructions are secure even if the verification key is chosen maliciously (i.e., they are “malicious-designated-verifier” NIZKs), and moreover, they satisfy a “dual-mode” property where the CRS can be sampled from two computationally indistinguishable distributions: one distribution yields statistical DV-NIZK arguments while the other yields computational DV-NIZK proofs. We then show how to adapt our k-Lin construction in a pairing group to obtain new publicly-verifiable statistical NIZK arguments from pairings with a qualitatively weaker assumption than existing constructions of pairing-based statistical NIZKs.

Our constructions follow the classic paradigm of Feige, Lapidot, and Shamir (FLS). While the FLS framework has traditionally been used to construct computational (DV)-NIZK proofs, we newly show that the same framework can be leveraged to construct dual-mode (DV)-NIZKs.

Resources:

BibTeX:
@inproceedings{LPWW20,
  author     = {Beno{\^{i}}t Libert and Alain Passel{\`{e}}gue and Hoeteck Wee and David J. Wu},
  title      = {New Constructions of Statistical {NIZKs}: Dual-Mode {DV-NIZKs} and More},
  booktitle  = {{EUROCRYPT}},
  year       = {2020}
}

New Constructions of Reusable Designated-Verifier NIZKs

Alex Lombardi, Willy Quach, Ron D. Rothblum, Daniel Wichs, and David J. Wu

Abstract:

Non-interactive zero-knowledge arguments (NIZKs) for NP are an important cryptographic primitive, but we currently only have instantiations under a few specific assumptions. Notably, we are missing constructions from the learning with errors (LWE) assumption, the Diffie-Hellman (CDH/DDH) assumption, and the learning parity with noise (LPN) assumption.

In this paper, we study a relaxation of NIZKs to the designated-verifier setting (DV-NIZK), where a trusted setup generates a common reference string together with a secret key for the verifier. We want reusable schemes, which allow the verifier to reuse the secret key to verify many different proofs, and soundness should hold even if the malicious prover learns whether various proofs are accepted or rejected. Such reusable DV-NIZKs were recently constructed under the CDH assumption, but it was open whether they can also be constructed under LWE or LPN.

We also consider an extension of reusable DV-NIZKs to the malicious designated-verifier setting (MDV-NIZK). In this setting, the only trusted setup consists of a common random string. However, there is also an additional untrusted setup in which the verifier chooses a public/secret key needed to generate/verify proofs, respectively. We require that zero-knowledge holds even if the public key is chosen maliciously by the verifier. Such reusable MDV-NIZKs were recently constructed under the “one-more CDH” assumption, but constructions under CDH/LWE/LPN remained open.

In this work, we give new constructions of (reusable) DV-NIZKs and MDV-NIZKs using generic primitives that can be instantiated under CDH, LWE, or LPN.

Resources:

BibTeX:
@inproceedings{LQRWW19,
  author     = {Alex Lombardi and Willy Quach and Ron D. Rothblum and Daniel Wichs and David J. Wu},
  title      = {New Constructions of Reusable Designated-Verifier {NIZKs}},
  booktitle  = {{CRYPTO}},
  year       = {2019}
}

Multi-Theorem Preprocessing NIZKs from Lattices

Sam Kim and David J. Wu

Abstract:

Non-interactive zero-knowledge (NIZK) proofs are fundamental to modern cryptography. Numerous NIZK constructions are known in both the random oracle and the common reference string (CRS) models. In the CRS model, there exist constructions from several classes of cryptographic assumptions such as trapdoor permutations, pairings, and indistinguishability obfuscation. Notably absent from this list, however, are constructions from standard lattice assumptions. While there has been partial progress in realizing NIZKs from lattices for specific languages, constructing NIZK proofs (and arguments) for all of NP from standard lattice assumptions remains open.

In this work, we make progress on this problem by giving the first construction of a multi-theorem NIZK for NP from standard lattice assumptions in the preprocessing model. In the preprocessing model, a (trusted) setup algorithm generates proving and verification keys. The proving key is needed to construct proofs and the verification key is needed to check proofs. In the multi-theorem setting, the proving and verification keys should be reusable for an unbounded number of theorems without compromising soundness or zero- knowledge. Existing constructions of NIZKs in the preprocessing model (or even the designated-verifier model) that rely on weaker assumptions like one-way functions or oblivious transfer are only secure in a single-theorem setting. Thus, constructing multi-theorem NIZKs in the preprocessing model does not seem to be inherently easier than constructing them in the CRS model.

We begin by constructing a multi-theorem preprocessing NIZK directly from context-hiding homomorphic signatures. Then, we show how to efficiently implement the preprocessing step using a new cryptographic primitive called blind homomorphic signatures. This primitive may be of independent interest. Finally, we show how to leverage our new lattice-based preprocessing NIZKs to obtain new malicious-secure MPC protocols purely from standard lattice assumptions.

Resources:

BibTeX (Conference):
@inproceedings{KW18,
  author     = {Sam Kim and David J. Wu},
  title      = {Multi-Theorem Preprocessing {NIZKs} from Lattices},
  booktitle  = {{CRYPTO}},
  year       = {2018}
}
BibTeX (Journal):
@article{KW20,
  author     = {Sam Kim and David J. Wu},
  title      = {Multi-Theorem Preprocessing {NIZKs} from Lattices},
  journal    = {J. Cryptology},
  volume     = {33},
  number     = {3},
  pages      = {619--702},
  year       = {2020}
}

Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs

Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu

Abstract:

Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly less complexity than that required for classical NP verification. In this work, we focus on simultaneously minimizing the proof size and the prover complexity of SNARGs. Concretely, for a security parameter \( \lambda \), we measure the asymptotic cost of achieving soundness error \( 2^{-\lambda} \) against provers of size \( 2^\lambda \). We say a SNARG is quasi-optimally succinct if its proof length is \( \tilde{O}(\lambda) \), and that it is quasi-optimal, if moreover, its prover complexity is only polylogarithmically greater than the running time of the classical NP prover. We show that this definition is the best we could hope for assuming that NP does not have succinct proofs. Our definition strictly strengthens the previous notion of quasi-optimality introduced in the work of Boneh et al. (Eurocrypt 2017).

This work gives the first quasi-optimal SNARG for Boolean circuit satisfiability from a concrete cryptographic assumption. Our construction takes a two-step approach. The first is an information-theoretic construction of a quasi-optimal linear multi-prover interactive proof (linear MIP) for circuit satisfiability. Then, we describe a generic cryptographic compiler that transforms our quasi-optimal linear MIP into a quasi-optimal SNARG by relying on the notion of linear-only vector encryption over rings introduced by Boneh et al. Combining these two primitives yields the first quasi-optimal SNARG based on linear-only vector encryption. Moreover, our linear MIP construction leverages a new robust circuit decomposition primitive that allows us to decompose a circuit satisfiability instance into several smaller circuit satisfiability instances. This primitive may be of independent interest.

Finally, we consider (designated-verifier) SNARGs that provide optimal succinctness for a non-negligible soundness error. Concretely, we put forward the notion of “1-bit SNARGs” that achieve soundness error 1/2 with only one bit of proof. We first show how to build 1-bit SNARGs from indistinguishability obfuscation, and then show that 1-bit SNARGs also suffice for realizing a form of witness encryption. The latter result highlights a two-way connection between the soundness of very succinct argument systems and powerful forms of encryption.

Resources:

BibTeX:
@inproceedings{BISW18,
  author     = {Dan Boneh and Yuval Ishai and Amit Sahai and David J. Wu},
  title      = {Quasi-Optimal {SNARGs} via Linear Multi-Prover Interactive Proofs},
  booktitle  = {{EUROCRYPT}},
  year       = {2018}
}

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu

Abstract:

Succinct non-interactive arguments (SNARGs) enable verifying NP computations with substantially lower complexity than that required for classical NP verification. In this work, we first construct a lattice-based SNARG candidate with quasi-optimal succinctness (where the argument size is quasilinear in the security parameter). Further extension of our methods yields the first SNARG (from any assumption) that is quasi-optimal in terms of both prover overhead (polylogarithmic in the security parameter) as well as succinctness. Moreover, because our constructions are lattice-based, they plausibly resist quantum attacks. Central to our construction is a new notion of linear-only vector encryption which is a generalization of the notion of linear-only encryption introduced by Bitansky et al. (TCC 2013). We conjecture that variants of Regev encryption satisfy our new linear-only definition. Then, together with new information-theoretic approaches for building statistically-sound linear PCPs over small finite fields, we obtain the first quasi-optimal SNARGs.

We then show a surprising connection between our new lattice-based SNARGs and the concrete efficiency of program obfuscation. All existing obfuscation candidates currently rely on multilinear maps. Among the constructions that make black-box use of the multilinear map, obfuscating a circuit of even moderate depth (say, 100) requires a multilinear map with multilinearity degree in excess of 2100. In this work, we show that an ideal obfuscation of both the decryption function in a fully homomorphic encryption scheme and a variant of the verification algorithm of our new lattice-based SNARG yields a general-purpose obfuscator for all circuits. Finally, we give some concrete estimates needed to obfuscate this “obfuscation-complete” primitive. We estimate that at 80-bits of security, a (black-box) multilinear map with ≈212 levels of multilinearity suffices. This is over 280 times more efficient than existing candidates, and thus, represents an important milestone towards implementable program obfuscation for all circuits.

Resources:

BibTeX:
@inproceedings{BISW17,
  author     = {Dan Boneh and Yuval Ishai and Amit Sahai and David J. Wu},
  title      = {Lattice-Based {SNARGs} and Their Application to More Efficient Obfuscation},
  booktitle  = {{EUROCRYPT}},
  year       = {2017}
}