We derive a tight upper bound on the probability over x = (x1, . . . , xμ) ∈ Z uniformly distribu... more We derive a tight upper bound on the probability over x = (x1, . . . , xμ) ∈ Z uniformly distributed in [0, m) that f(x) = 0 mod N for any μ-linear polynomial f ∈ Z[X1, . . . , Xμ] coprime toN . We show that forN = p1 1 , ..., p rl l this probability is bounded by μ m + ∏l i=1 I 1 pi (ri, μ) where I is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter λ bounds the minimum size of N for which the probability that f(x) ≡ 0 mod N is at most 2 + μ m . For μ = 1 this is simply N ≥ 2. For μ ≥ 2, log2(N) ≥ 8μ + log2(2μ) ·λ the probability that f(x) ≡ 0 mod N is bounded by 2 + μ m . We also present a computational method that derives tighter bounds for specific values of μ and λ. For example, our analysis shows that for μ = 20, λ = 120 (values typical in cryptography applications), and log2(N) ≥ 416 the probability is bounded by 2 + 20 m . We provide a table of computational bounds for a large set of μ and λ values.
We present NeuroSAT, a message passing neural network that learns to solve SAT problems after onl... more We present NeuroSAT, a message passing neural network that learns to solve SAT problems after only being trained as a classifier to predict satisfiability. Although it is not competitive with state-of-the-art SAT solvers, NeuroSAT can solve problems that are substantially larger and more difficult than it ever saw during training by simply running for more iterations. Moreover, NeuroSAT generalizes to novel distributions; after training only on random SAT problems, at test time it can solve SAT problems encoding graph coloring, clique detection, dominating set, and vertex cover problems, all on a range of distributions over small random graphs.
Proceedings of the AAAI Conference on Artificial Intelligence
Computing prices in core-selecting combinatorial auctions is a computationally hard problem. Auct... more Computing prices in core-selecting combinatorial auctions is a computationally hard problem. Auctions with many bids can only be solved using a recently proposed core constraint generation (CCG) algorithm, which may still take days on hard instances. In this paper, we present a new algorithm that significantly outperforms the current state of the art. Towards this end, we first provide an alternative definition of the set of core constraints, where each constraint is weakly stronger, and prove that together these constraints define the identical polytope to the previous definition. Using these new theoretical insights we develop two new algorithmic techniques which generate additional constraints in each iteration of the CCG algorithm by 1) exploiting separability in allocative conflicts between participants in the auction, and 2) by leveraging non-optimal solutions. We show experimentally that our new algorithm leads to significant speed-ups on a variety of large combinatorial auct...
We derive a tight upper bound on the probability over x = ( x 1 , . . . , x µ ) ∈ Z µ uniformly d... more We derive a tight upper bound on the probability over x = ( x 1 , . . . , x µ ) ∈ Z µ uniformly distributed in [0 , m ) µ that f ( x ) = 0 mod N for any µ -linear polynomial f ∈ Z [ X 1 , . . . , X µ ] coprime to N . We show that for N = p r 1 1 , ..., p r ℓ ℓ this probability is bounded by µm + µ where I is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter λ bounds the minimum size of N for which the probability that f ( x ) ≡ 0 mod N is at most 2 − λ + µm . For µ = 1 this is simply N ≥ 2 λ . For µ ≥ 2, log 2 ( N ) ≥ 8 µ 2 +log 2 (2 µ ) · λ the probability that f ( x ) ≡ 0 mod N is bounded by 2 − λ + µm . We also present a computational method that derives tighter bounds for specific values of µ and λ . For example, our analysis shows that for µ = 20, λ = 120 (values typical in cryptography applications), and log 2 ( N ) ≥ 416 the probability is bounded by 2 − 120 + 20 m . We provide a table of computational bounds for a large set...
A recent work by Shi and Wu (Eurocrypt’21) suggested a new, non-interactive abstraction for anony... more A recent work by Shi and Wu (Eurocrypt’21) suggested a new, non-interactive abstraction for anonymous routing, coined Non-Interactive Anonymous Router (NIAR). They show how to construct a NIAR scheme with succinct communication from bilinear groups. Unfortunately, the router needs to perform quadratic computation (in the number of senders/receivers) to perform each routing. In this paper, we show that if one is willing to relax the security notion to ( , δ)-differential privacy, henceforth also called ( , δ)-differential anonymity, then, a non-interactive construction exists with subquadratic router computation, also assuming standard hardness assumptions in bilinear groups. Morever, even when 1− 1/poly log n fraction of the senders are corrupt, we can attain strong privacy parameters where = O(1/poly log n) and δ = negl(n).
In this paper we explore whether or not deep neural architectures can learn to classify Boolean s... more In this paper we explore whether or not deep neural architectures can learn to classify Boolean satisfiability (SAT). We devote considerable time to discussing the theoretical properties of SAT. Then, we define a graph representation for Boolean formulas in conjunctive normal form, and train neural classifiers over general graph structures called Graph Neural Networks, or GNNs, to recognize features of satisfiability. To the best of our knowledge this has never been tried before. Our preliminary findings are potentially profound. In a weakly-supervised setting, that is, without problem specific feature engineering, Graph Neural Networks can learn features of satisfiability.
We present a generalized inner product argument and demonstrate its applications to pairing-based... more We present a generalized inner product argument and demonstrate its applications to pairing-based languages. We apply our generalized argument to proving that an inner pairing product is correctly evaluated with respect to committed vectors of n source group elements. With a structured reference string (SRS), we achieve a logarithmic-time verifier whose work is dominated by 6 log n target group exponentiations. Proofs are of size 6 log n target group elements, computed using 6n pairings and 4n exponentiations in each source group. We apply our inner product arguments to build the first polynomial commitment scheme with succinct (logarithmic) verification, O(√ d) prover complexity for degree d polynomials (not including the cost to evaluate the polynomial), and a CRS of size O(√ d). Concretely, this means that for d = 2 28 , producing an evaluation proof in our protocol is 76× faster than doing so in the KZG [KZG10] commitment scheme, and the CRS in our protocol is 1, 000× smaller: 13MB vs 13GB for KZG. This gap only grows as the degree increases. Our polynomial commitment scheme is applicable to both univariate and bivariate polynomials. As a second application, we introduce an argument for aggregating n Groth16 zkSNARKs into an O(log n) sized proof. Our protocol is significantly more efficient than aggregating these SNARKs via recursive composition [BCGMMW20]: we can aggregate about 130, 000 proofs in 25min, while in the same time recursive composition aggregates just 90 proofs. Finally, we show how to apply our aggregation protocol to construct a low-memory SNARK for machine computations. For a computation that requires time T and space S, our SNARK produces proofs in spaceÕ(S + T), which is significantly more space efficient than a monolithic SNARK, which requires spaceÕ(S • T).
We present two new protocols for proving correct computation of a product of n bilinear pairings.... more We present two new protocols for proving correct computation of a product of n bilinear pairings. The first protocol is a statistically sound proof with 2 log(n) communication, requiring the verifier compute only a single pairing and 2(n + log(n)) exponentiations. We show how this statistical inner pairing product (SIPP) can be used to create a new aggregate signature scheme based on BLS with logarithmic signature size and verification time that while still linear is concretely faster than previous results. This is because the verifier time of SIPP is linear only in source group exponentiations, which when computed as multi-exponentiations take significantly less time than computing the Miller loops that dominate the pairing product computation directly. The second protocol proves that the inner pairing product was evaluated correctly on committed vectors of source group elements, supporting logarithmic aggregation of pairing-based proofs, signatures, etc. without the need for expen...
A verifiable delay function (VDF) is an important tool used for adding delay in decentralized app... more A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This short note briefly surveys and compares two recent beautiful Verifiable Delay Functions (VDFs), one due to Pietrzak and the other due to Wesolowski. We also provide a new computational proof of security for one of them, and compare the complexity assumptions needed for both schemes. 1 What is a Verifiable Delay Function? A verifiable delay function (VDF) [12, 3] is a function f : X → Y that takes a prescribed time to compute, even on a parallel computer. However once computed, the output can be quickly verified by anyone. Moreover, every input x ∈ X must have a unique valid output y ∈ Y. In more detail, a VDF that implements a function X → Y is a tuple of three algorithms: • Setup(λ, T ) → pp is a randomized algorithm that takes a security parameter λ and a time bound T , and outputs public parameters pp, • Eval(pp, x)→ (y, π) takes an input x ∈ X and outputs a y ∈ Y and ...
Recursive proof composition has been shown to lead to powerful primitives such as incrementallyve... more Recursive proof composition has been shown to lead to powerful primitives such as incrementallyverifiable computation (IVC) and proof-carrying data (PCD). All existing approaches to recursive composition take a succinct non-interactive argument of knowledge (SNARK) and use it to prove a statement about its own verifier. This technique requires that the verifier run in time sublinear in the size of the statement it is checking, a strong requirement that restricts the class of SNARKs from which PCD can be built. This in turn restricts the efficiency and security properties of the resulting scheme. Bowe, Grigg, and Hopwood (ePrint 2019/1021) outlined a novel approach to recursive composition, and applied it to a particular SNARK construction which does not have a sublinear-time verifier. However, they omit details about this approach and do not prove that it satisfies any security property. Nonetheless, schemes based on their ideas have already been implemented in software. In this wor...
Blockchains generated using a proofof-work consensus protocol, such as Bitcoin or Ethereum, are p... more Blockchains generated using a proofof-work consensus protocol, such as Bitcoin or Ethereum, are promising sources of public randomness. However, the randomness is subject to manipulation by the miners generating the blockchain. A general defense is to apply a delay function, preventing malicious miners from computing the random output until it is too late to manipulate it. Ideally, this delay function can provide a short proofof-delay that is efficient enough to be verified within a smart contract, enabling the randomness source to be directly by smart contracts. In this paper we describe the challenges of solving this problem given the extremely limited computational capacity available in Ethereum, the most popular generalpurpose smart contract framework to date. We introduce a novel multi-round protocol for verifying delay functions using a refereed delegation model. We provide a prototype Ethereum implementation to analyze performance and find that it is feasible in terms of gas ...
2020 IEEE Symposium on Security and Privacy (SP), 2020
To validate transactions, cryptocurrencies such as Bitcoin and Ethereum require nodes to verify t... more To validate transactions, cryptocurrencies such as Bitcoin and Ethereum require nodes to verify that a blockchain is valid. This entails downloading and verifying all blocks, taking hours and requiring gigabytes of bandwidth and storage. Hence, clients with limited resources cannot verify transactions independently without trusting full nodes. Bitcoin and Ethereum offer light clients known as simplified payment verification (SPV) clients, that can verify the chain by downloading only the block headers. Unfortunately, the storage and bandwidth requirements of SPV clients still increase linearly with the chain length. For example, as of July 2019, an SPV client in Ethereum needs to download and store about 4 GB of data. Recently, Kiayias et al. proposed a solution known as noninteractive proofs of proof-of-work (NIPoPoW) that allows a light client to download and store only a polylogarithmic number of block headers in expectation. Unfortunately, NIPoPoWs are succinct only as long as no adversary influences the honest chain, and can only be used in chains with fixed block difficulty, contrary to most cryptocurrencies which adjust block difficulty frequently according to the network hashrate. We introduce FlyClient, a novel transaction verification light client for chains of variable difficulty. FlyClient is efficient both asymptotically and practically and requires downloading only a logarithmic number of block headers while storing only a single block header between executions. Using an optimal probabilistic block sampling protocol and Merkle Mountain Range (MMR) commitments, FlyClient overcomes the limitations of NIPoPoWs and generates shorter proofs over all measured parameters. In Ethereum, FlyClient achieves a synchronization proof size of less than 500 KB which is roughly 6,600x smaller than SPV proofs. We finally discuss how FlyClient can be deployed with minimal changes to the existing cryptocurrencies via an uncontentious velvet fork.
We study the problem of building a verifiable delay function (VDF). A VDFrequires a specified num... more We study the problem of building a verifiable delay function (VDF). A VDFrequires a specified number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirements for VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time.
Blockchain-based smart contract platforms like Ethereum have become quite popular as a way to rem... more Blockchain-based smart contract platforms like Ethereum have become quite popular as a way to remove trust and add transparency to distributed applications. While different types of important applications can be easily built on such platforms, there does not seem to be an easy way to add a meaningful level of privacy to them. In this paper, we propose Zether, a fully-decentralized, confidential payment mechanism that is compatible with Ethereum and other smart contract platforms. We take an account-based approach similar to Ethereum for efficiency and usability. We design a new smart contract that keeps the account balances encrypted and exposes methods to deposit, transfer and withdraw funds to/from accounts through cryptographic proofs. We describe techniques to protect Zether against replay attacks and front-running situations. We also develop a mechanism to enable interoperability with arbitrary smart contracts. This helps to make several popular applications like auctions, payment channels, voting, etc. confidential. As a part of our protocol, we propose Σ-Bullets, an improvement of the existing zero-knowledge proof system, Bulletproofs. Σ-Bullets make Bulletproofs more inter-operable with Sigma protocols, which is of general interest. We implement Zether as an Ethereum smart contract and show the practicality of our design by measuring the amount of gas used by the Zether contract. A Zether confidential transaction costs about 0.014 ETH or approximately $1.51 (as of early Feb, 2019). We discuss how small changes to Ethereum, which are already being discussed independently of Zether, would drastically reduce this cost. on the users. Some powerful general-purpose cryptographic solutions have also been proposed to run arbitrary smart contracts in a privacy-preserving way [53, 25], but they are not fully decentralized and/or too expensive for simple contracts. Indeed, the quest for confidentiality is not limited to auctions. Payment channels are widely seen as a central technology to increase the throughput of crypto-currencies. On a powerful platform like Ethereum, payment channels can be easily set up too [44, 6]-but, could we make such channels confidential just as easily? Confidential transfers. If there was a way to send ether confidentially on Ethereum, perhaps we could leverage it to add confidentiality to important applications like auctions and payment channels. Unfortunately, almost all known ways to transfer confidentially [59, 67, 64, 30, 3] are in the unspenttransaction-output (UTXO) model (popularized by Bitcoin), where the inputs to a new transaction are the unspent outputs of previous transactions. UTXOs are not well-suited for applications that need to maintain some state [19], so smart-contract platforms like Ethereum operate in the account-based model. Another drawback of UTXO-based mechanisms is that though they have been proposed to fix privacy issues with Bitcoin, they actually require major changes to Bitcoin's design and have spun off into separate crypto-currencies. An important benefit of powerful platforms like Ethereum is that the platform's core capability itself can be enhanced by deploying new applications. Payment channels, for instance, can be deployed to improve throughput. So perhaps we can deploy a new payment application to improve confidentiality of not just payments but potentially other applications too. It is still conceivable that one of the UTXO-based mechanisms could be implemented over a contract. However, this approach suffers from multiple issues including storage cost, lower confidentiality, interoperability with other contracts, and adoption. We discuss the issues in depth in Appendix A. common part of the EVM state is changed by two or more transactions [56]. The low computational power, along with the asynchronous transactional nature of the Ethereum network make programming complicated smart contracts a delicate endeavor. 3 Overview of Zether In this section, we provide an overview of the Zether payment mechanism, its use in other applications, and the new ZK-proof system. Commitment vs encryption. Several proposals for making transactions confidential use homomorphic commitments, such as Pedersen commitments [69]. Though they are simple and efficient, the opening of these commitments must be transferred to the receiver, say Bob, so that he can spend the money later. This randomness could be stored on-chain in some encrypted manner or sent directly to Bob through a separate channel. In the UTXO model, if Bob is unable to recover the randomness (an incorrect value was encrypted/sent, nothing sent at all, etc.), then it cannot spend the UTXO later. However, other UTXOs controlled by Bob are not affected at all and could still be spent. On the other hand, with an account-based model, since all the incoming transfers go into the same account, failure to recover the randomness for even a single transfer could render the whole account unusable. One could require senders to encrypt the randomness under receivers' public key, and prove that the commitment indeed uses the randomness encrypted. We take a more direct and simpler approach here using ElGamal encryption with messages in the exponent [27]. The encryption scheme has linear encoding properties, i.e., it is homomorphic, which we utilize to create efficient ZK-proofs of correct encryption. We describe the encryption scheme in Section 4. 3.1 Building Zether Zether strives not just to make transfers confidential but also to prevent accidental loss of funds. We first discuss a simplistic version of Zether with the core functionality. We then describe some shortcomings and how to overcome them. A simplistic Zether. The Zether smart contract (ZSC) works with Zether tokens (ZTH). Zether accounts are identified with ElGamal public keys, which are stored in ZSC's internal state. To fund an account with public key y with b ZTH, one can send b ETH to the smart contract. ZSC generates an ElGamal encryption of b with randomness 0 (since b is anyway part of the transaction) and adds it to the encrypted balance associated with y. 1 One can convert ZTH back to ETH by revealing the current balance b and providing a ZK-proof that y's ciphertext (i.e., the ciphertext associated with y on the smart contract) indeed encrypts b. In order to transfer some b amount of ZTH to a public key y without revealing b itself, one can encrypt b under both y and y. A ZK-proof is provided to show that the two ciphertexts are well-formed, they encrypt the same positive value, and the remaining balance associated with y is positive. In our implementation, we use a new ZK-proof system, called Σ-Bullets to efficiently prove the statements over the encrypted transfer balance and the new sender balance. Front-running. The very first problem with the simplistic version of Zether is that the ZK-proofs are generated w.r.t. a certain state of the contract. For example, the ZK-proof in a transfer transaction needs to show that the remaining balance is positive. A user Alice generates this proof w.r.t. to her current account balance, stored in an encrypted form on the contract. However, if another user Bob transfers some ZTH to Alice, and Bob's transaction gets processed first, then Alice's transaction will be rejected because the proof will not be valid anymore. Note that Bob may be a totally benign user yet Alice loses the fees she paid to process her transaction. We refer to this situation as the front-running problem. Burn transactions have a similar problem too: a proof that a ciphertext encrypts a certain value becomes invalid if the ciphertext changes.
We construct a new polynomial commitment scheme for univariate and multivariate polynomials over ... more We construct a new polynomial commitment scheme for univariate and multivariate polynomials over finite fields, with logarithmic size evaluation proofs and verification time, measured in the number of coefficients of the polynomial. The underlying technique is a Diophantine Argument of Knowledge (DARK), leveraging integer representations of polynomials and groups of unknown order. Security is shown from the strong RSA and the adaptive root assumptions. Moreover, the scheme does not require a trusted setup if instantiated with class groups. We apply this new cryptographic compiler to a restricted class of algebraic linear IOPs, which we call Polynomial IOPs, to obtain doubly-efficient public-coin interactive arguments of knowledge for any NP relation with succinct communication. With linear preprocessing, the online verifier's work is logarithmic in the circuit complexity of the relation. There are many existing examples of Polynomial IOPs (PIOPs) dating back to the first PCP (BFLS, STOC'91). We present a generic compilation of any PIOP using our DARK polynomial commitment scheme. In particular, compiling the PIOP from PLONK (GWC, ePrint'19), an improvement on Sonic (MBKM, CCS'19), yields a public-coin interactive argument with quasi-linear preprocessing, quasi-linear (online) prover time, logarithmic communication, and logarithmic (online) verification time in the circuit size. Applying Fiat-Shamir results in a SNARK, which we call Supersonic. Supersonic is also concretely efficient with 10KB proofs and under 100ms verification time for circuits with 1 million gates (estimated for 120-bit security). Most importantly, this SNARK is transparent: it does not require a trusted setup. We obtain zk-SNARKs by applying a hiding variant of our polynomial commitment scheme with zero-knowledge evaluations. Supersonic is the first complete zk-SNARK system that has both a practical prover time as well as asymptotically logarithmic proof size and verification time. 2 This observation was also implicit in the paper by Ben-Sasson et al. introducing the system Aurora [BCR + 19]. 3 Lai and Malavota [LM19] provide a n-dimensional linear-map commitment based on bilinear pairings, extending techniques in functional commitments [LRY16], but verifying claimed evaluations of the committed function on query points takes O(n).
2018 IEEE Symposium on Security and Privacy (SP), 2018
We propose Bulletproofs, a new non-interactive zeroknowledge proof protocol with very short proof... more We propose Bulletproofs, a new non-interactive zeroknowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log 2 pnq`9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very efficient in practice. The marginal cost of batch verifying 32 aggregated range proofs is less than the cost of verifying 32 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. The full version of this article is available at [1]. 1.1. Our Contributions We present Bulletproofs, a new zero-knowledge argument of knowledge 1 system, to prove that a secret committed 1. Proof systems with computational soundness like Bulletproofs are sometimes called argument systems. We will use the terms proof and argument interchangeably.
We present batching techniques for cryptographic accumulators and vector commitments in groups of... more We present batching techniques for cryptographic accumulators and vector commitments in groups of unknown order. Our techniques are tailored for distributed settings where no trusted accumulator manager exists and updates to the accumulator are processed in batches. We develop techniques for non-interactively aggregating membership proofs that can be verified with a constant number of group operations. We also provide a constant sized batch non-membership proof for a large number of elements. These proofs can be used to build the first positional vector commitment (VC) with constant sized openings and constant sized public parameters. As a core building block for our batching techniques we develop several succinct proof systems in groups of unknown order. These extend a recent construction of a succinct proof of correct exponentiation, and include a succinct proof of knowledge of an integer discrete logarithm between two group elements. We circumvent an impossibility result for Sigma-protocols in these groups by using a short trapdoor-free CRS. We use these new accumulator and vector commitment constructions to design a stateless blockchain, where nodes only need a constant amount of storage in order to participate in consensus. Further, we show how to use these techniques to reduce the size of IOP instantiations, such as STARKs.
We derive a tight upper bound on the probability over x = (x1, . . . , xμ) ∈ Z uniformly distribu... more We derive a tight upper bound on the probability over x = (x1, . . . , xμ) ∈ Z uniformly distributed in [0, m) that f(x) = 0 mod N for any μ-linear polynomial f ∈ Z[X1, . . . , Xμ] coprime toN . We show that forN = p1 1 , ..., p rl l this probability is bounded by μ m + ∏l i=1 I 1 pi (ri, μ) where I is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter λ bounds the minimum size of N for which the probability that f(x) ≡ 0 mod N is at most 2 + μ m . For μ = 1 this is simply N ≥ 2. For μ ≥ 2, log2(N) ≥ 8μ + log2(2μ) ·λ the probability that f(x) ≡ 0 mod N is bounded by 2 + μ m . We also present a computational method that derives tighter bounds for specific values of μ and λ. For example, our analysis shows that for μ = 20, λ = 120 (values typical in cryptography applications), and log2(N) ≥ 416 the probability is bounded by 2 + 20 m . We provide a table of computational bounds for a large set of μ and λ values.
We present NeuroSAT, a message passing neural network that learns to solve SAT problems after onl... more We present NeuroSAT, a message passing neural network that learns to solve SAT problems after only being trained as a classifier to predict satisfiability. Although it is not competitive with state-of-the-art SAT solvers, NeuroSAT can solve problems that are substantially larger and more difficult than it ever saw during training by simply running for more iterations. Moreover, NeuroSAT generalizes to novel distributions; after training only on random SAT problems, at test time it can solve SAT problems encoding graph coloring, clique detection, dominating set, and vertex cover problems, all on a range of distributions over small random graphs.
Proceedings of the AAAI Conference on Artificial Intelligence
Computing prices in core-selecting combinatorial auctions is a computationally hard problem. Auct... more Computing prices in core-selecting combinatorial auctions is a computationally hard problem. Auctions with many bids can only be solved using a recently proposed core constraint generation (CCG) algorithm, which may still take days on hard instances. In this paper, we present a new algorithm that significantly outperforms the current state of the art. Towards this end, we first provide an alternative definition of the set of core constraints, where each constraint is weakly stronger, and prove that together these constraints define the identical polytope to the previous definition. Using these new theoretical insights we develop two new algorithmic techniques which generate additional constraints in each iteration of the CCG algorithm by 1) exploiting separability in allocative conflicts between participants in the auction, and 2) by leveraging non-optimal solutions. We show experimentally that our new algorithm leads to significant speed-ups on a variety of large combinatorial auct...
We derive a tight upper bound on the probability over x = ( x 1 , . . . , x µ ) ∈ Z µ uniformly d... more We derive a tight upper bound on the probability over x = ( x 1 , . . . , x µ ) ∈ Z µ uniformly distributed in [0 , m ) µ that f ( x ) = 0 mod N for any µ -linear polynomial f ∈ Z [ X 1 , . . . , X µ ] coprime to N . We show that for N = p r 1 1 , ..., p r ℓ ℓ this probability is bounded by µm + µ where I is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter λ bounds the minimum size of N for which the probability that f ( x ) ≡ 0 mod N is at most 2 − λ + µm . For µ = 1 this is simply N ≥ 2 λ . For µ ≥ 2, log 2 ( N ) ≥ 8 µ 2 +log 2 (2 µ ) · λ the probability that f ( x ) ≡ 0 mod N is bounded by 2 − λ + µm . We also present a computational method that derives tighter bounds for specific values of µ and λ . For example, our analysis shows that for µ = 20, λ = 120 (values typical in cryptography applications), and log 2 ( N ) ≥ 416 the probability is bounded by 2 − 120 + 20 m . We provide a table of computational bounds for a large set...
A recent work by Shi and Wu (Eurocrypt’21) suggested a new, non-interactive abstraction for anony... more A recent work by Shi and Wu (Eurocrypt’21) suggested a new, non-interactive abstraction for anonymous routing, coined Non-Interactive Anonymous Router (NIAR). They show how to construct a NIAR scheme with succinct communication from bilinear groups. Unfortunately, the router needs to perform quadratic computation (in the number of senders/receivers) to perform each routing. In this paper, we show that if one is willing to relax the security notion to ( , δ)-differential privacy, henceforth also called ( , δ)-differential anonymity, then, a non-interactive construction exists with subquadratic router computation, also assuming standard hardness assumptions in bilinear groups. Morever, even when 1− 1/poly log n fraction of the senders are corrupt, we can attain strong privacy parameters where = O(1/poly log n) and δ = negl(n).
In this paper we explore whether or not deep neural architectures can learn to classify Boolean s... more In this paper we explore whether or not deep neural architectures can learn to classify Boolean satisfiability (SAT). We devote considerable time to discussing the theoretical properties of SAT. Then, we define a graph representation for Boolean formulas in conjunctive normal form, and train neural classifiers over general graph structures called Graph Neural Networks, or GNNs, to recognize features of satisfiability. To the best of our knowledge this has never been tried before. Our preliminary findings are potentially profound. In a weakly-supervised setting, that is, without problem specific feature engineering, Graph Neural Networks can learn features of satisfiability.
We present a generalized inner product argument and demonstrate its applications to pairing-based... more We present a generalized inner product argument and demonstrate its applications to pairing-based languages. We apply our generalized argument to proving that an inner pairing product is correctly evaluated with respect to committed vectors of n source group elements. With a structured reference string (SRS), we achieve a logarithmic-time verifier whose work is dominated by 6 log n target group exponentiations. Proofs are of size 6 log n target group elements, computed using 6n pairings and 4n exponentiations in each source group. We apply our inner product arguments to build the first polynomial commitment scheme with succinct (logarithmic) verification, O(√ d) prover complexity for degree d polynomials (not including the cost to evaluate the polynomial), and a CRS of size O(√ d). Concretely, this means that for d = 2 28 , producing an evaluation proof in our protocol is 76× faster than doing so in the KZG [KZG10] commitment scheme, and the CRS in our protocol is 1, 000× smaller: 13MB vs 13GB for KZG. This gap only grows as the degree increases. Our polynomial commitment scheme is applicable to both univariate and bivariate polynomials. As a second application, we introduce an argument for aggregating n Groth16 zkSNARKs into an O(log n) sized proof. Our protocol is significantly more efficient than aggregating these SNARKs via recursive composition [BCGMMW20]: we can aggregate about 130, 000 proofs in 25min, while in the same time recursive composition aggregates just 90 proofs. Finally, we show how to apply our aggregation protocol to construct a low-memory SNARK for machine computations. For a computation that requires time T and space S, our SNARK produces proofs in spaceÕ(S + T), which is significantly more space efficient than a monolithic SNARK, which requires spaceÕ(S • T).
We present two new protocols for proving correct computation of a product of n bilinear pairings.... more We present two new protocols for proving correct computation of a product of n bilinear pairings. The first protocol is a statistically sound proof with 2 log(n) communication, requiring the verifier compute only a single pairing and 2(n + log(n)) exponentiations. We show how this statistical inner pairing product (SIPP) can be used to create a new aggregate signature scheme based on BLS with logarithmic signature size and verification time that while still linear is concretely faster than previous results. This is because the verifier time of SIPP is linear only in source group exponentiations, which when computed as multi-exponentiations take significantly less time than computing the Miller loops that dominate the pairing product computation directly. The second protocol proves that the inner pairing product was evaluated correctly on committed vectors of source group elements, supporting logarithmic aggregation of pairing-based proofs, signatures, etc. without the need for expen...
A verifiable delay function (VDF) is an important tool used for adding delay in decentralized app... more A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This short note briefly surveys and compares two recent beautiful Verifiable Delay Functions (VDFs), one due to Pietrzak and the other due to Wesolowski. We also provide a new computational proof of security for one of them, and compare the complexity assumptions needed for both schemes. 1 What is a Verifiable Delay Function? A verifiable delay function (VDF) [12, 3] is a function f : X → Y that takes a prescribed time to compute, even on a parallel computer. However once computed, the output can be quickly verified by anyone. Moreover, every input x ∈ X must have a unique valid output y ∈ Y. In more detail, a VDF that implements a function X → Y is a tuple of three algorithms: • Setup(λ, T ) → pp is a randomized algorithm that takes a security parameter λ and a time bound T , and outputs public parameters pp, • Eval(pp, x)→ (y, π) takes an input x ∈ X and outputs a y ∈ Y and ...
Recursive proof composition has been shown to lead to powerful primitives such as incrementallyve... more Recursive proof composition has been shown to lead to powerful primitives such as incrementallyverifiable computation (IVC) and proof-carrying data (PCD). All existing approaches to recursive composition take a succinct non-interactive argument of knowledge (SNARK) and use it to prove a statement about its own verifier. This technique requires that the verifier run in time sublinear in the size of the statement it is checking, a strong requirement that restricts the class of SNARKs from which PCD can be built. This in turn restricts the efficiency and security properties of the resulting scheme. Bowe, Grigg, and Hopwood (ePrint 2019/1021) outlined a novel approach to recursive composition, and applied it to a particular SNARK construction which does not have a sublinear-time verifier. However, they omit details about this approach and do not prove that it satisfies any security property. Nonetheless, schemes based on their ideas have already been implemented in software. In this wor...
Blockchains generated using a proofof-work consensus protocol, such as Bitcoin or Ethereum, are p... more Blockchains generated using a proofof-work consensus protocol, such as Bitcoin or Ethereum, are promising sources of public randomness. However, the randomness is subject to manipulation by the miners generating the blockchain. A general defense is to apply a delay function, preventing malicious miners from computing the random output until it is too late to manipulate it. Ideally, this delay function can provide a short proofof-delay that is efficient enough to be verified within a smart contract, enabling the randomness source to be directly by smart contracts. In this paper we describe the challenges of solving this problem given the extremely limited computational capacity available in Ethereum, the most popular generalpurpose smart contract framework to date. We introduce a novel multi-round protocol for verifying delay functions using a refereed delegation model. We provide a prototype Ethereum implementation to analyze performance and find that it is feasible in terms of gas ...
2020 IEEE Symposium on Security and Privacy (SP), 2020
To validate transactions, cryptocurrencies such as Bitcoin and Ethereum require nodes to verify t... more To validate transactions, cryptocurrencies such as Bitcoin and Ethereum require nodes to verify that a blockchain is valid. This entails downloading and verifying all blocks, taking hours and requiring gigabytes of bandwidth and storage. Hence, clients with limited resources cannot verify transactions independently without trusting full nodes. Bitcoin and Ethereum offer light clients known as simplified payment verification (SPV) clients, that can verify the chain by downloading only the block headers. Unfortunately, the storage and bandwidth requirements of SPV clients still increase linearly with the chain length. For example, as of July 2019, an SPV client in Ethereum needs to download and store about 4 GB of data. Recently, Kiayias et al. proposed a solution known as noninteractive proofs of proof-of-work (NIPoPoW) that allows a light client to download and store only a polylogarithmic number of block headers in expectation. Unfortunately, NIPoPoWs are succinct only as long as no adversary influences the honest chain, and can only be used in chains with fixed block difficulty, contrary to most cryptocurrencies which adjust block difficulty frequently according to the network hashrate. We introduce FlyClient, a novel transaction verification light client for chains of variable difficulty. FlyClient is efficient both asymptotically and practically and requires downloading only a logarithmic number of block headers while storing only a single block header between executions. Using an optimal probabilistic block sampling protocol and Merkle Mountain Range (MMR) commitments, FlyClient overcomes the limitations of NIPoPoWs and generates shorter proofs over all measured parameters. In Ethereum, FlyClient achieves a synchronization proof size of less than 500 KB which is roughly 6,600x smaller than SPV proofs. We finally discuss how FlyClient can be deployed with minimal changes to the existing cryptocurrencies via an uncontentious velvet fork.
We study the problem of building a verifiable delay function (VDF). A VDFrequires a specified num... more We study the problem of building a verifiable delay function (VDF). A VDFrequires a specified number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirements for VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time.
Blockchain-based smart contract platforms like Ethereum have become quite popular as a way to rem... more Blockchain-based smart contract platforms like Ethereum have become quite popular as a way to remove trust and add transparency to distributed applications. While different types of important applications can be easily built on such platforms, there does not seem to be an easy way to add a meaningful level of privacy to them. In this paper, we propose Zether, a fully-decentralized, confidential payment mechanism that is compatible with Ethereum and other smart contract platforms. We take an account-based approach similar to Ethereum for efficiency and usability. We design a new smart contract that keeps the account balances encrypted and exposes methods to deposit, transfer and withdraw funds to/from accounts through cryptographic proofs. We describe techniques to protect Zether against replay attacks and front-running situations. We also develop a mechanism to enable interoperability with arbitrary smart contracts. This helps to make several popular applications like auctions, payment channels, voting, etc. confidential. As a part of our protocol, we propose Σ-Bullets, an improvement of the existing zero-knowledge proof system, Bulletproofs. Σ-Bullets make Bulletproofs more inter-operable with Sigma protocols, which is of general interest. We implement Zether as an Ethereum smart contract and show the practicality of our design by measuring the amount of gas used by the Zether contract. A Zether confidential transaction costs about 0.014 ETH or approximately $1.51 (as of early Feb, 2019). We discuss how small changes to Ethereum, which are already being discussed independently of Zether, would drastically reduce this cost. on the users. Some powerful general-purpose cryptographic solutions have also been proposed to run arbitrary smart contracts in a privacy-preserving way [53, 25], but they are not fully decentralized and/or too expensive for simple contracts. Indeed, the quest for confidentiality is not limited to auctions. Payment channels are widely seen as a central technology to increase the throughput of crypto-currencies. On a powerful platform like Ethereum, payment channels can be easily set up too [44, 6]-but, could we make such channels confidential just as easily? Confidential transfers. If there was a way to send ether confidentially on Ethereum, perhaps we could leverage it to add confidentiality to important applications like auctions and payment channels. Unfortunately, almost all known ways to transfer confidentially [59, 67, 64, 30, 3] are in the unspenttransaction-output (UTXO) model (popularized by Bitcoin), where the inputs to a new transaction are the unspent outputs of previous transactions. UTXOs are not well-suited for applications that need to maintain some state [19], so smart-contract platforms like Ethereum operate in the account-based model. Another drawback of UTXO-based mechanisms is that though they have been proposed to fix privacy issues with Bitcoin, they actually require major changes to Bitcoin's design and have spun off into separate crypto-currencies. An important benefit of powerful platforms like Ethereum is that the platform's core capability itself can be enhanced by deploying new applications. Payment channels, for instance, can be deployed to improve throughput. So perhaps we can deploy a new payment application to improve confidentiality of not just payments but potentially other applications too. It is still conceivable that one of the UTXO-based mechanisms could be implemented over a contract. However, this approach suffers from multiple issues including storage cost, lower confidentiality, interoperability with other contracts, and adoption. We discuss the issues in depth in Appendix A. common part of the EVM state is changed by two or more transactions [56]. The low computational power, along with the asynchronous transactional nature of the Ethereum network make programming complicated smart contracts a delicate endeavor. 3 Overview of Zether In this section, we provide an overview of the Zether payment mechanism, its use in other applications, and the new ZK-proof system. Commitment vs encryption. Several proposals for making transactions confidential use homomorphic commitments, such as Pedersen commitments [69]. Though they are simple and efficient, the opening of these commitments must be transferred to the receiver, say Bob, so that he can spend the money later. This randomness could be stored on-chain in some encrypted manner or sent directly to Bob through a separate channel. In the UTXO model, if Bob is unable to recover the randomness (an incorrect value was encrypted/sent, nothing sent at all, etc.), then it cannot spend the UTXO later. However, other UTXOs controlled by Bob are not affected at all and could still be spent. On the other hand, with an account-based model, since all the incoming transfers go into the same account, failure to recover the randomness for even a single transfer could render the whole account unusable. One could require senders to encrypt the randomness under receivers' public key, and prove that the commitment indeed uses the randomness encrypted. We take a more direct and simpler approach here using ElGamal encryption with messages in the exponent [27]. The encryption scheme has linear encoding properties, i.e., it is homomorphic, which we utilize to create efficient ZK-proofs of correct encryption. We describe the encryption scheme in Section 4. 3.1 Building Zether Zether strives not just to make transfers confidential but also to prevent accidental loss of funds. We first discuss a simplistic version of Zether with the core functionality. We then describe some shortcomings and how to overcome them. A simplistic Zether. The Zether smart contract (ZSC) works with Zether tokens (ZTH). Zether accounts are identified with ElGamal public keys, which are stored in ZSC's internal state. To fund an account with public key y with b ZTH, one can send b ETH to the smart contract. ZSC generates an ElGamal encryption of b with randomness 0 (since b is anyway part of the transaction) and adds it to the encrypted balance associated with y. 1 One can convert ZTH back to ETH by revealing the current balance b and providing a ZK-proof that y's ciphertext (i.e., the ciphertext associated with y on the smart contract) indeed encrypts b. In order to transfer some b amount of ZTH to a public key y without revealing b itself, one can encrypt b under both y and y. A ZK-proof is provided to show that the two ciphertexts are well-formed, they encrypt the same positive value, and the remaining balance associated with y is positive. In our implementation, we use a new ZK-proof system, called Σ-Bullets to efficiently prove the statements over the encrypted transfer balance and the new sender balance. Front-running. The very first problem with the simplistic version of Zether is that the ZK-proofs are generated w.r.t. a certain state of the contract. For example, the ZK-proof in a transfer transaction needs to show that the remaining balance is positive. A user Alice generates this proof w.r.t. to her current account balance, stored in an encrypted form on the contract. However, if another user Bob transfers some ZTH to Alice, and Bob's transaction gets processed first, then Alice's transaction will be rejected because the proof will not be valid anymore. Note that Bob may be a totally benign user yet Alice loses the fees she paid to process her transaction. We refer to this situation as the front-running problem. Burn transactions have a similar problem too: a proof that a ciphertext encrypts a certain value becomes invalid if the ciphertext changes.
We construct a new polynomial commitment scheme for univariate and multivariate polynomials over ... more We construct a new polynomial commitment scheme for univariate and multivariate polynomials over finite fields, with logarithmic size evaluation proofs and verification time, measured in the number of coefficients of the polynomial. The underlying technique is a Diophantine Argument of Knowledge (DARK), leveraging integer representations of polynomials and groups of unknown order. Security is shown from the strong RSA and the adaptive root assumptions. Moreover, the scheme does not require a trusted setup if instantiated with class groups. We apply this new cryptographic compiler to a restricted class of algebraic linear IOPs, which we call Polynomial IOPs, to obtain doubly-efficient public-coin interactive arguments of knowledge for any NP relation with succinct communication. With linear preprocessing, the online verifier's work is logarithmic in the circuit complexity of the relation. There are many existing examples of Polynomial IOPs (PIOPs) dating back to the first PCP (BFLS, STOC'91). We present a generic compilation of any PIOP using our DARK polynomial commitment scheme. In particular, compiling the PIOP from PLONK (GWC, ePrint'19), an improvement on Sonic (MBKM, CCS'19), yields a public-coin interactive argument with quasi-linear preprocessing, quasi-linear (online) prover time, logarithmic communication, and logarithmic (online) verification time in the circuit size. Applying Fiat-Shamir results in a SNARK, which we call Supersonic. Supersonic is also concretely efficient with 10KB proofs and under 100ms verification time for circuits with 1 million gates (estimated for 120-bit security). Most importantly, this SNARK is transparent: it does not require a trusted setup. We obtain zk-SNARKs by applying a hiding variant of our polynomial commitment scheme with zero-knowledge evaluations. Supersonic is the first complete zk-SNARK system that has both a practical prover time as well as asymptotically logarithmic proof size and verification time. 2 This observation was also implicit in the paper by Ben-Sasson et al. introducing the system Aurora [BCR + 19]. 3 Lai and Malavota [LM19] provide a n-dimensional linear-map commitment based on bilinear pairings, extending techniques in functional commitments [LRY16], but verifying claimed evaluations of the committed function on query points takes O(n).
2018 IEEE Symposium on Security and Privacy (SP), 2018
We propose Bulletproofs, a new non-interactive zeroknowledge proof protocol with very short proof... more We propose Bulletproofs, a new non-interactive zeroknowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log 2 pnq`9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very efficient in practice. The marginal cost of batch verifying 32 aggregated range proofs is less than the cost of verifying 32 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. The full version of this article is available at [1]. 1.1. Our Contributions We present Bulletproofs, a new zero-knowledge argument of knowledge 1 system, to prove that a secret committed 1. Proof systems with computational soundness like Bulletproofs are sometimes called argument systems. We will use the terms proof and argument interchangeably.
We present batching techniques for cryptographic accumulators and vector commitments in groups of... more We present batching techniques for cryptographic accumulators and vector commitments in groups of unknown order. Our techniques are tailored for distributed settings where no trusted accumulator manager exists and updates to the accumulator are processed in batches. We develop techniques for non-interactively aggregating membership proofs that can be verified with a constant number of group operations. We also provide a constant sized batch non-membership proof for a large number of elements. These proofs can be used to build the first positional vector commitment (VC) with constant sized openings and constant sized public parameters. As a core building block for our batching techniques we develop several succinct proof systems in groups of unknown order. These extend a recent construction of a succinct proof of correct exponentiation, and include a succinct proof of knowledge of an integer discrete logarithm between two group elements. We circumvent an impossibility result for Sigma-protocols in these groups by using a short trapdoor-free CRS. We use these new accumulator and vector commitment constructions to design a stateless blockchain, where nodes only need a constant amount of storage in order to participate in consensus. Further, we show how to use these techniques to reduce the size of IOP instantiations, such as STARKs.
Uploads
Papers by Benedikt Bünz