###### tags: `Reading sessions` [toc] --- # 2024 <https://www.sigsac.org/ccs/CCS2024/> ## [A Succinct Range Proof for Polynomial-based Vector Commitments](https://eprint.iacr.org/2024/1016) - Rui Gao, Zhiguo Wan, Yuncong Hu, Huaqun Wang - A zero-knowledge proof (ZKP) allows the prover to convince the verifier that he knows a secret witness satisfying the certain relation without revealing the witness itself. A range proof is a type of ZKPs that allows a prover to convince a verifier that for a commitment 𝐶, he knows the committed value 𝑣, and 𝑣 is in a certain range. Range proofs have found numerous applications, such as anonymous credentials, e-voting, e-cash, electronic auctions, and cryptocurrencies. - The existing range proof schemes mostly focus on proving the commitment to a single element. Sometimes the prover will need to prove that multiple elements are in a certain range. In this case, every element is committed to a public commitment. The prove uses some batching techniques to batch the proof and verification, to make them independent of or sublinear in the number of elements. However, there are still linear number of commitments to be sent. - This paper introduces MissileProof, a range proof for a vector commitments. The vector commitment will commit several values to a single commitment. Given this commitment, the prover could prove that every element underlying this commitment is in the same certain range. - By using KZG commitment, achieve O(1) commitment length, proof size, verification time, with a tradeoff in the prover time, which is quasi-linear and requires FFTs. - Implemented an anti-money-laundering stateless blockchain based on the MissileProof. The gas consumption of the verification smart contract is reduced by 85%. ###### tags: `ZKP` `Range proof` # 2023 <https://www.sigsac.org/ccs/CCS2023/program.html> ## [Ou: Automating the Parallelization of Zero-Knowledge Protocols](https://eprint.iacr.org/2023/657.pdf) * Yuyang Sang, Ning Luo, Samuel Judson, Ben Chaimberg, Timos Antonopoulos, Xiao Wang, Ruzica Piskac, Zhong Shao * [LH] The paper proposes two new tools (called *Ou* and *Lian*) for parallelising large ZKPs. The key contribution is that the tools focus on breaking down one large ZK statement into several smaller substatements which can be produced and verified in parallel. * The Ou compiler has two special compilation phases after parsing and typechecking to automatically break down a ZK statement. * Shallow simulation uses live variable analysis to compute costs of each instruction in a ZK statement. The costs are modelled as a DAG and partitioned using pseudo-Boolean optimisation (PBO) or integer linear programming (ILP). Resultant ZK substatements are compiled to a chosen backend protocol for distribution as programs to participating servers. * Deep simulation uses the prover's private inputs to compute values of the witnesses and public variables. * A novel idea incorporated into their tools is the combination of security levels with type information. There are three levels: $K_0$ for values known at compile time, $K_1$ for values known at distribution time, and $K_2$ for values known at runtime. This allows for expressions to be annotated with their security level and for these levels to be inferred. * Ou and Lian use an *atomic* annotation to condense functions during shallow simulation. This reduces the size of DAGs and makes optimisation more practical. * The tools are evaluated in terms of their compile time, execution time and effective ratio (quotient of sequential cost by the distributed cost). These metrics are measured for two programs: Gradient Descent (GD) and Merkle Tree (MT). ###### tags: `ZKP` `Parallelism` ## [AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis](https://dl.acm.org/doi/pdf/10.1145/3576915.3623209) * Zhiyuan Yu, Shixuan Zhai, Ning Zhang * The paper introduces a preventative approach called "AntiFake". AntiFake aims to proactively defend against unauthorized speech synthesis. * The objectiveness of Anti-fake is: * Audible Difference in Synthesized Speech: To ensure that speech synthesized using the adversarially perturbed audio is audibly different from the original user's voice. * Imperceptible Perturbations to Human Perception: Make the perturbations introduced by AntiFake imperceptible to human perception. * AntiFake has the following stages: 1. Speech Upload and Embedding Extraction: Users upload their speech; the uploaded audio will undergo preprocessing, and subsequently, the audio features will be extracted. 2. Target Selection with Analytic Hierarchy Process (AHP): Antifake identifies potential targets, computes speaker embeddings, and performs ranking based on embedding. Following this, it conducts user evaluations and utilizes AHP for decision-making. 3. Optimization and User Perceptual Validation: Antifake carries out optimization, generates the desired voice, and collects user feedback for perceptual validation. * Antifake applies two schemes of optimization * Threshold-Based Approach: In AntiFake, the strength of protection is directly regulated by a specified threshold, denoted as T. The objective is to control the permissible level of deviation in speaker identity. * Target-Based Approach: Guides the optimization towards a known speaker embedding with an entirely different identity. - Efficiency Enhancement and Imperceptibility - Improve Robustness via Ensembled Encoders - Improve Effectiveness via Weighted Segment Loss Adaptation - Improve Imperceptibility via Frequency Pena ###### tags: `deepfake` `speech synthesis` ## [Demystifying DeFi MEV Activities in Flashbots Bundle](https://dl.acm.org/doi/10.1145/3576915.3616590) * Zihao Li, Jianfeng Li, Zheyuan He, Xiapu Luo, Ting Wang, Xiaoze Ni, Wenwu Yang, Xi Chen, Ting Chen * [MN]the paper makes the first systematic analysis of DeFi MEV activities in bundles, providing a novel approach for identifying DeFi actions and discovering bundle MEV activities. * ActLifter (identifyinhg DeFi actions) achieves nearly 100% precision and recall in identifying DeFi actions, outperforming existing techniques. * ActCluster (discovering bundle activities using representation learning) facilitates the discovery of 17 new kinds of DeFi MEV activities with much less manual effort. * The new approach usages: enhancing relays’ MEV countermeasures, evaluating forking and reorg risks caused by bundle MEV activities, and evaluating the impact of bundle MEV activities on blockchain users’ economic security. * The findings highlight the prevalence and evolution of DeFi MEV activities in Flashbots bundle, emphasizing the need for further research and mitigation strategies to address their impact on blockchain security and efficiency. ###### tags: `DeFi`,`MEV`, `Flashbots` ## [Evaluating the Security Posture of Real-World FIDO2 Deployments](https://dl.acm.org/doi/10.1145/3576915.3623063) * CCS 2023 * Dhruv Kuchhal, Muhammad Saad, Adam Oest and Frank Li This paper is a kind of survey -- where they observe that many real world applications do not follow the recommended mitigation mechanisms given by FIDO2. FIDO2 authentication protocol enables passwordless authentication which combines users' biometric and some public key cryptography techqniques. This protocol assumes benign behavior of the client-side protocol components. However, this may not be the case in real world deployments -- for example when the client side implementation is subject to malware attack. FIDO2 does recommend mitigation mechanism for such scenarios. However, till date there is no systematic sudy has been made to check whether the real world deployments follow these mitigation mechanisms. The contribution of this works are 1) systematizing the threats to FIDO2 deployments when assumptions about the client-side protocol components do not hold, 2) empirically evaluating the security posture of real-world FIDO2 deployments across the Tranco Top 1K websites, considering both the server-side and client-side perspectives, and 3) synthesizing the mitigations that the ecosystem can adopt to further strengthen the practical security provided by FIDO2. The threat model is that the client is subject to malware attack where the malware enables an attacker to bypass a FIDO2 authentication attempt. For example, they show that how a malicious browser extension could trick the user into transferring funds from Paypal to the attacker’s wallet instead of eBay wallet. This results are kind of survey -- where they observe that many real world applications do not follow the recommended mitigation mechanisms. They found that 96% of authenticators metadata present in FIDO Alliance’s Metadata Service (MDS) are not certified to be malware-resistant, so a significant population of existing authenticators could potentially be compromised by a motivated attacker. There are several key recommendation given by FIDO which are found to not be followed by many servers. # 2022 <https://www.sigsac.org/ccs/CCS2022/program/accepted-papers.html> ## [Chaghri - an FHE-friendly Block Cipher](https://eprint.iacr.org/2022/592.pdf) * Tomer Ashur, Mohammad Mahzoun and Dilara Toprakhisar * [SS] This paper presents CHAGHRI which is an FHE-friendly block cipher mainly focused on transciphering* BGV type leveled FHE schemes. Their HElib implementation of FHE achieves a throughput of 0.28 seconds-per-bit which is 63% faster than AES in the same setting. The authors already have proposed a framework for such symmetric cipher, called Marvelous design where a state is actually a vector of elements coming from a extension field (not binary which is mostly the case usually). A round function has two different layers of nonlinear functions. Here they have presented an instance of that which works better than the AES. The most critical part of their block cipher design is the nonlinear layer (S-box). They used a 2-dgree well known function over a field S: F_{2^63} -> F_{2^63} defined by S(x) = x^{2^32+1}, followed by a linear operation. The state size is of the form (s0, s1, s2) where each s_i \in F_{2^63}. Treating input state in such a manner helping them to get higher throughput. In BGV setup, it offers higher throughput (128 bit vs 189 bit) and lower runtime (97 sec vs 54 sec), however, at the cost of higher security level in BGV(141 bit vs 172 bit). They have shown the bound of some basic attacks, however, a rigorous analysis is missing. \* Transciphering is the method where the input m is not sent to the cloud using FHE(m) by the client, rather a SymEnc_SK(m) is sent, the server has FHE(SK), using that it can obtain the FHE(m). It saves the communication bandwidth. * [BB] Short rview by BB ###### tags: `` `` ## [Empirical Analysis of EIP-1559:Transaction Fees, Waiting Times, and Consensus Security](https://dl.acm.org/doi/pdf/10.1145/3548606.3559341) * By Yulin Liu ,Yuxuan Lu, Kartik Nayak, Fan Zhang, Luyao Zhang and Yinhong Zhao * [MN] Empirical analysis of EIP-1559 TFM and analyzes its impact on transaction fees, waiting times, and consensus security. * Enhanced user experience: Tx fee predictability, lower waitig time * Finds MEV becomes a much larger share of miner revenue under EIP-1559, mainly because the base fees are burnt. * * [BB] Short rview by BB ###### tags: `TFM` `EIP-1559` `Empirical Analysis` --- # 2019 <https://sigsac.org/ccs/CCS2019/index.php/program/> ## [LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs](https://eprint.iacr.org/2019/142) * Matteo Campanelli, Dario Fiore, Anaïs Querol * Background: * zkSNARKs, zero-knowledge Succinct Non-interactive Argument of Knowledge have short and efficiently verifiable proofs. The last years have seen remarkable progress in the construction of zkSNARKs. To achieve generality, these constructions abstract specific features of computation by assuming one single unifying representation, and this abstraction is often a source of overhead, for two main reasons: * general-purpose zk-SNARKs may miss opportunities for significant optimizations by not exploiting the nuances of a computation; * computation tends to be heterogeneous, often consisting of several subroutines of different nature. * Contributions: * LegoSNARK, a framework for commit-and-prove zkSNARKs (CP-SNARKs) that includes: * Definitions that formalize CP-SNARKs and their variants; * Composition recipes that show how to use different CP-SNARKs in a generic and secure way for handling conjunction, disjunction and sequential composition of relations; * A generic construction to efficiently turn a broad class of zk-SNARKs into CP-SNARKs that can be composed together. * LegoSNARK Gadgets for several basic relations, including $\mathsf{CP_{link}}$, $\mathsf{CP_{lin}}$, $\mathsf{CP_{had}}$, $\mathsf{CP_{sfprm}}$, $\mathsf{CP_{mm}}$. * Limitations: * trusted setup * SNRAKS are old, their efficiency is not as well as the state-of-the-art SNARKs ###### tags: `CP-SNARKs`