Results 1 - 7 of 7
Toward practical and unconditional verification of remote computations
Abstract (Cited by 4, 2 self):
This paper revisits a classic question: how can a machine specify a computation to another one and then, without executing the computation, check that the other machine carried it out correctly? The applications of such a primitive
Targeted malleability: Homomorphic encryption for restricted computations. Cryptology ePrint Archive, Report 2011/311, 2011
Abstract (Cited by 3, 0 self):
We put forward the notion of targeted malleability: given a homomorphic encryption scheme, in various scenarios we would like to restrict the homomorphic computations one can perform on encrypted data. We introduce a precise framework, generalizing the foundational notion of non-malleability introduced by Dolev, Dwork, and Naor (SICOMP ’00), ensuring that the malleability of a scheme is targeted only at a specific set of “allowable” functions. In this setting we are mainly interested in the efficiency of such schemes as a function of the number of repeated homomorphic operations. Whereas constructing a scheme whose ciphertext grows linearly with the number of such operations is straightforward, obtaining more realistic (or merely non-trivial) length guarantees is significantly more challenging. We present two constructions that transform any homomorphic encryption scheme into one that offers targeted malleability. Our constructions rely on standard cryptographic tools and on succinct non-interactive arguments, which are currently known to exist in the standard model based on variants of the knowledge-of-exponent assumption. The two constructions offer somewhat different efficiency guarantees, each of which may be preferable depending on the underlying building blocks. Keywords: Homomorphic encryption, Non-malleable encryption.
MIT, 2012
Abstract:
Succinct non-interactive arguments of knowledge (SNARKs), and their generalization to distributed computations by proof-carrying data (PCD), are powerful tools for enforcing the correctness of computations in dynamic networks with multiple mutually-untrusting parties, with essentially minimal computational overhead. Current constructions achieve only variants with expensive setup, restricted functionality, or oracles. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constant-depth distributed computations. 3. Transform any PCD system for constant-depth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public and private verification settings, and assume the existence of CRHs (and FHE, for the private-verification setting). By plugging into our transformations the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publicly-verifiable
Technion, 2012
Abstract:
Succinct arguments for NP are proof systems that allow a weak verifier to retroactively check computation done by a more powerful prover. These protocols prove membership in languages (consisting of succinctly-represented very large constraint satisfaction problems) that, alas, are unnatural in the sense that the problems that arise in practice are not in such form. For general computation tasks, the most natural and efficient representation is typically as random-access machine (RAM) algorithms, because such a representation can be obtained very efficiently by applying a compiler to code written in a high-level programming language. We thus study efficient reductions from RAM to other problem representations for which succinct arguments are known. Specifically, we construct reductions from the correctness of computation of a T-step non-deterministic random-access machine to: 1. (succinct) circuit satisfiability with O(log T) overhead, and 2. (succinct) algebraic constraint satisfaction with O(log^2 T) overhead. On the latter problem representation, the best known Probabilistically Checkable Proofs can be directly invoked. Our constructions are explicit and do not hide large constants. To attain these, we develop a set of tools (both unconditional and leveraging computational assumptions) for generically and efficiently structuring and arithmetizing the computation of random-access machines.
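The first and the Technion abstracts above both turn on the same skeleton: the correctness of a T-step machine is a chain of local constraints, step(s_i) = s_{i+1}, over a transcript the prover commits to, and the verifier wants to check a claimed output without re-running all T steps. The following is an added illustration of that skeleton, not code from any of the listed papers: a prover executes a tiny register machine (the machine, its opcodes and the program are constructed here), Merkle-commits to all T+1 states, and a verifier opens only the boundary states plus k sampled (s_i, s_{i+1}) pairs, doing O(k log T) work. The caveat, also demonstrated, is that plain random spot-checking misses a single corrupted transition with probability about 1 - k/T; the actual constructions in these papers use arithmetization and PCPs to make that error negligible.

```python
"""Toy transcript-commit-and-spot-check verifier (added illustration; not code
from any paper listed on this page).  The prover runs a T-step machine and
Merkle-commits to all T+1 states; the verifier re-checks only the transitions
it samples.  Caveat: plain spot-checking misses one corrupted step with
probability about 1 - k/T; real succinct arguments use PCPs to fix this."""
import hashlib
import random

# Constructed machine: state = (pc, acc, ctr); program = list of (opcode, arg).
def step(program, state):
    pc, acc, ctr = state
    if pc >= len(program):                 # halted: the state is a fixed point
        return state
    op, arg = program[pc]
    if op == "MUL":
        return (pc + 1, acc * arg, ctr)
    if op == "DEC":
        return (pc + 1, acc, ctr - 1)
    if op == "JNZ":                        # jump to arg while ctr != 0
        return (arg if ctr != 0 else pc + 1, acc, ctr)
    raise ValueError(f"unknown opcode {op}")

def run(program, acc0, ctr0, T):
    """Execute exactly T steps; return the trace of T+1 states."""
    trace = [(0, acc0, ctr0)]
    for _ in range(T):
        trace.append(step(program, trace[-1]))
    return trace

def h(data):
    return hashlib.sha256(data).digest()

def leaf_hash(state):
    return h(b"leaf:" + repr(state).encode())

def merkle_tree(leaves):
    """Levels bottom-up; an odd level is padded by duplicating its last node."""
    level = [leaf_hash(s) for s in leaves]
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        level = [h(b"node:" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    levels.append(level)                   # [root]
    return levels

def merkle_open(levels, idx):
    """Sibling hashes from leaf idx up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return path

def merkle_verify(root, idx, state, path):
    cur = leaf_hash(state)
    for sib in path:
        cur = h(b"node:" + (cur + sib if idx % 2 == 0 else sib + cur))
        idx //= 2
    return cur == root

class Prover:
    """Honest prover: runs the machine and commits to the whole trace."""
    def __init__(self, program, acc0, ctr0, T):
        self.trace = run(program, acc0, ctr0, T)
        self.levels = merkle_tree(self.trace)
    def commitment(self):
        return self.levels[-1][0]
    def claimed_output(self):
        return self.trace[-1]
    def open(self, i):                     # (state_i, authentication path)
        return self.trace[i], merkle_open(self.levels, i)

class CheatingProver(Prover):
    """Corrupts one state, then runs honestly from it: exactly one bad transition."""
    def __init__(self, program, acc0, ctr0, T, bad_index, bogus_state):
        super().__init__(program, acc0, ctr0, T)
        self.trace[bad_index] = bogus_state
        for i in range(bad_index + 1, T + 1):
            self.trace[i] = step(program, self.trace[i - 1])
        self.levels = merkle_tree(self.trace)

def random_indices(T, k, rng=random):
    return [rng.randrange(T) for _ in range(k)]

def verify(program, acc0, ctr0, T, root, output, opener, indices):
    """Check boundary states and the transitions in `indices` against the
    commitment `root`; executes at most len(indices) machine steps."""
    s0, p0 = opener(0)
    if s0 != (0, acc0, ctr0) or not merkle_verify(root, 0, s0, p0):
        return False
    sT, pT = opener(T)
    if sT != output or not merkle_verify(root, T, sT, pT):
        return False
    for i in indices:                      # local constraint: step(s_i) == s_{i+1}
        si, pi = opener(i)
        sj, pj = opener(i + 1)
        if not (merkle_verify(root, i, si, pi) and merkle_verify(root, i + 1, sj, pj)):
            return False
        if step(program, si) != sj:
            return False
    return True

if __name__ == "__main__":
    PROG = [("MUL", 2), ("DEC", 0), ("JNZ", 0)]   # computes acc = 2**ctr0, then halts
    T = 12
    honest = Prover(PROG, 1, 3, T)
    print("honest:", honest.claimed_output(), verify(PROG, 1, 3, T, honest.commitment(),
          honest.claimed_output(), honest.open, random_indices(T, 4)))
    cheat = CheatingProver(PROG, 1, 3, T, 6, (1, 9, 1))   # only transition 5->6 is bad
    for idx in ([5], [0, 3, 9]):
        print("cheater, checks", idx, verify(PROG, 1, 3, T, cheat.commitment(),
              cheat.claimed_output(), cheat.open, idx))
```

With the constructed program and ctr0 = 3 the honest trace ends at (3, 8, 0). The cheating prover claims (3, 9, 0) with a commitment that is internally consistent everywhere except the transition 5 -> 6, so a verifier that samples index 5 rejects, while one that samples only [0, 3, 9] accepts the false claim; that is precisely the soundness gap the PCP-based constructions above exist to close.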
TAU, 2012
Abstract:
Succinct arguments of knowledge are computationally-sound proofs of knowledge for NP where the verifier’s running time is independent of the time complexity t of the nondeterministic NP machine M that decides the given language. Existing succinct argument constructions are, typically, based on techniques that combine cryptographic hashing and probabilistically-checkable proofs (PCPs). Yet, even when instantiating these constructions with state-of-the-art PCPs, the prover needs Ω(t) space in order to run in quasilinear time (i.e., time t · poly(k)), regardless of the space complexity s of the machine M. We say that a succinct argument is complexity preserving if the prover runs in time t · poly(k) and space s · poly(k) and the verifier runs in time |x| · poly(k) when proving and verifying that a t-time s-space random-access machine nondeterministically accepts an input x. Do complexity-preserving succinct arguments exist? To study this question, we investigate the alternative approach of constructing succinct arguments based on multi-prover interactive proofs (MIPs) and stronger cryptographic techniques: (1) We construct a one-round succinct MIP of knowledge, where each prover runs in time t · polylog(t) and space s · polylog(t) and the verifier runs in time |x| · polylog(t). (2) We show how to transform any one-round MIP protocol to a succinct four-message argument (with
MIT, 2012
Abstract:
Succinct non-interactive arguments of knowledge (SNARKs), and their generalization to distributed computations by proof-carrying data (PCD), are powerful tools for enforcing the correctness of dynamically evolving computations among multiple mutually-untrusting parties. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constant-depth distributed computations. 3. Transform any PCD system for constant-depth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public- and private-verification settings, and assume the existence of CRHs; for the private-verification setting, we additionally assume FHE. By applying our transformations to the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publicly-verifiable SNARKs and PCD without preprocessing in the plain model. (Previous constructions were either in the random-oracle model [Micali, FOCS ’94] or in a signature oracle model [Chiesa and Tromer, ICS ’10].) Interestingly,