### A Note on the Unsoundness of vnTinyRAM's SNARK

Gennaro, Gentry, Parno, and Raykova (GGPR) introduced Quadratic Arithmetic Programs (QAPs) as a way of representing arithmetic circuits in a form amenable to highly efficient cryptographic protocols [11], particularly for verifiable computation and succinct non-interactive arguments [12]. Subsequently, Parno, Gentry, Howell, and Raykova introduced an improved cryptographic protocol (and implementation), which they dubbed Pinocchio [13]. Ben-Sasson et al. [5] then introduced a lightly modified version of the Pinocchio protocol and implemented it as part of their libsnark distribution. Later work by the same authors employed this protocol [2–4, 10], as did a few works by others [1, 14]. Many of these works cite the version of the paper which was published at USENIX Security [6]. How-
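
The QAP encoding the abstract refers to, as an added worked example that is not part of the paper or of libsnark: a four-constraint R1CS for the circuit out = x^3 + x + 5 is interpolated, column by column, into polynomials over the BN254 (alt_bn128) scalar field that libsnark's default curve uses, and a witness satisfies the circuit exactly when P(x) = A(x)·B(x) - C(x) is divisible by the vanishing polynomial Z(x). The circuit, the variable layout, and all function names are this example's own choices; the field order is the curve's published group order, copied as a constant. A real SNARK commits to the quotient H and checks the same divisibility relation in the exponent, which is where the soundness of a particular protocol variant is decided, so the plain-field check below is the relation, not the proof system.

```python
# Added example (not from the paper or libsnark): R1CS -> QAP conversion and the
# divisibility check that a QAP-based SNARK proves in the exponent.
# Field: the BN254 / alt_bn128 scalar-field order (libsnark's default curve).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Polynomials are coefficient lists, lowest degree first, reduced mod P.
def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_scale(a, k):
    return [(x * k) % P for x in a]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_divmod(num, den):
    """Schoolbook long division over GF(P); returns (quotient, remainder)."""
    num = num[:]
    inv_lead = pow(den[-1], P - 2, P)
    q = [0] * max(1, len(num) - len(den) + 1)
    for i in range(len(num) - len(den), -1, -1):
        coef = (num[i + len(den) - 1] * inv_lead) % P
        q[i] = coef
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - coef * d) % P
    return q, num[:len(den) - 1]

def lagrange(xs, ys):
    """Coefficients of the unique polynomial of degree < len(xs) through (xs[i], ys[i])."""
    result = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = [yi % P]
        for j, xj in enumerate(xs):
            if j != i:
                inv = pow((xi - xj) % P, P - 2, P)             # 1 / (xi - xj)
                term = poly_mul(term, [(-xj * inv) % P, inv])  # times (x - xj)/(xi - xj)
        result = poly_add(result, term)
    return result

# Example circuit (chosen for this example): out = x^3 + x + 5, flattened so each
# constraint has one multiplication. Variable order: [1, x, out, sym1, y, sym2] with
# sym1 = x*x, y = sym1*x, sym2 = y + x, out = sym2 + 5. Constraint i is (A_i.s)(B_i.s) = C_i.s.
A = [[0, 1, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 1, 0], [5, 0, 0, 0, 0, 1]]
B = [[0, 1, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0]]

def witness(x):
    """Full variable assignment for the circuit above on private input x."""
    sym1 = x * x
    y = sym1 * x
    sym2 = y + x
    return [1, x, sym2 + 5, sym1, y, sym2]

def r1cs_to_qap(A, B, C):
    """Interpolate each variable's column over evaluation points 1..m (one per
    constraint); Z(x) vanishes exactly on those points."""
    m, n = len(A), len(A[0])
    xs = list(range(1, m + 1))
    cols = lambda M: [lagrange(xs, [row[j] for row in M]) for j in range(n)]
    Z = [1]
    for x in xs:
        Z = poly_mul(Z, [(-x) % P, 1])
    return cols(A), cols(B), cols(C), Z

def qap_check(Aq, Bq, Cq, Z, s):
    """Return (ok, H): ok iff Z divides P = (A.s)(B.s) - (C.s), i.e. every R1CS
    constraint holds at its evaluation point; H is the quotient a prover commits to."""
    def combine(polys):
        acc = [0]
        for sj, pj in zip(s, polys):
            acc = poly_add(acc, poly_scale(pj, sj))
        return acc
    As, Bs, Cs = combine(Aq), combine(Bq), combine(Cq)
    Pp = poly_add(poly_mul(As, Bs), poly_scale(Cs, P - 1))  # A*B - C
    H, rem = poly_divmod(Pp, Z)
    return all(r == 0 for r in rem), H

QAP = r1cs_to_qap(A, B, C)

def verify(s):
    return qap_check(*QAP, s)[0]

if __name__ == "__main__":
    good = witness(3)            # out = 35
    bad = witness(3)
    bad[2] = 36                  # tamper with the public output only
    print(verify(good), verify(bad))  # True False
```

The tampered witness fails because P(4) = (5 + sym2) - out is then nonzero, so Z(x) no longer divides P(x); the remainder, not the quotient, carries that evidence, which is why a SNARK must bind the prover to a genuine quotient H rather than an arbitrary group element.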

### How to Use SNARKs in Universally Composable Protocols

The past several years have seen tremendous advances in practical, general-purpose, non-interactive proof systems called SNARKs. These building blocks are efficient and convenient, with multiple publicly available implementations, including tools to compile high-level code (e.g., written in C) to arithmetic circuits, the native representation used by SNARK constructions. However, while we would like to use these primitives in UC-secure protocols—which are provably-secure even when composed with other arbitrary concurrently-executing protocols— the SNARK definition is not directly compatible with this framework, due to its use of non black-box knowledge extraction. We show several constructions to transform SNARKs into UC-secure NIZKs, along with benchmarks and an end-to-end application example showing that the added overhead is tolerable. Our constructions rely on embedding cryptographic algorithms into the SNARK proof system. Ordinarily, cryptographic constructions are chosen and tuned for implementation on CPUs or in hardware, not as arithmetic circuits. We therefore also explore SNARK-friendly cryptography, describing several protocol parameterizations, implementations, and performance comparisons for encryption, commitments, and other tasks. This is also of independent interest for use in other SNARK-based applications.

### Bivariate Polynomials Modulo Composites and their Applications

2014

We investigate the hardness of finding solutions to bivariate polynomial congruences modulo RSA composites. We establish necessary conditions for a bivariate polynomial to be one-way, second preimage resistant, and collision resistant based on arithmetic properties of the polynomial. From these conditions we deduce a new computational assumption that implies an efficient algebraic collision-resistant hash function. We explore the assumption and relate it to known computational problems. The assumption leads to (i) a new statistically hiding commitment scheme that composes well with Pedersen commitments, (ii) a conceptually simple cryptographic accumulator, and (iii) an efficient chameleon hash function.