Try โ€‚โ€‰HackMD

Sealstack modeling

Syntax and notiation for sealing/unsealing

NB: We always assume that sealing and unsealing have access to a random oracle

Hsalt where
salt=(sid||digD) where
sid is some session id and
digD is a digest of the data
D (for example the root of the Merkle Tree computed on the data
D). We keep these parameters implicit when obvious from the context.

  • Seal(D)โ†’R    : sealing data
    D     computes a replica
    R
  • Unseal(R)โ†’D    : unsealing a replica
    R     allows to recompute the data

We define

Tseal as the (parallel) time required to run seal.
We consider the setting of asymmetric constructions where the time to seal and unseal may be different. We describe the ratio between sealing and unsealing time through a constant
kโˆˆN so that the time to unseal is
Tsealk.

We also consider the time

Tchal "allowed for responding to a challenge". This time is always such that
Tseal>Tchal. Later in this note we will consider the ratio
Tseal/Tchal.

A sealstacking adversary

Here we model an adversary running a single stack (we could model a bundle of stacks as a generalization later).

The adversary:

  • Claims to store some easy dummy data
    D1
  • Sets
    R1โ†Seal(D1)
  • Claims to store
    D2:=R1
  • Sets
    R2โ†Seal(D2)
  • โ€ฆ
  • Claims to store
    Dn:=Rn
  • Sets
    Rnโ†Seal(Dn)
  • Deletes all data except for
    Rn

When challenged on data instance

jโˆˆ[n]:

  • runs
    Unseal(Unseal(...(Unseal(Rn))...))
  • (this is unsealing run
    nโˆ’j     times)

Space complexity of this adversary

It stores only

1|R| as opposed to
n|R|, the storage of the honest adversary.

Time complexity of this adversary

It is

Tโ€ฒ=(nโˆ’1)Tunseal=(nโˆ’1)kTseal. (in the worst case)

Notice that the the adversary is successful if it is able to answer in time

Tโ€ฒ<Tchal, that is if
nโˆ’1kTseal<Tchal.
This occurs when
TsealTchal<knโˆ’1

As an intuition, if sealing time is 3x the challenge time,. then the adversary can successfully respond to challenges for a stack of size up to

nโ‰ˆk/3.

Last changed by 
โ€‰
Matteo Campanelli
0
122

Read more

SnarkPack Audit---Matteo Campanelli

\newcommand{\pair}{\mathcal{e}} \newcommand{\Gone}{\mathbb{G}_1} \newcommand{\Gtwo}{\mathbb{G}_2} \newcommand{\Gt}{\mathbb{G}_t} \newcommand{\SP}{SnarkPack} \newcommand{\vA}{\mathbf{A}} \newcommand{\vB}{\mathbf{B}} \newcommand{\vC}{\mathbf{C}}

Nov 15, 2023
zkTree Matrix representations

$\def\RR{{\bf R}}$ $\def\bold#1{{\bf #1}}$ $\def\pL{{{\mathbf{p}}^{(i)}{\leftarrow}}}$ $\def\bold#1{{\bf #1}}$ $\def\pLm{{{\mathbf{P}}{\leftarrow}}}$ $\def\pR{{{\mathbf{p}}^{(i)}{\rightarrow}}}$ $\def\pRm{{{\mathbf{P}}{\rightarrow}}}$ $\def\fLm{{{\mathbf{F}}{\leftarrow}}}$ $\def\fRm{{{\mathbf{F}}{\rightarrow}}}$ $\def\Nint{{N_{int}}}$ $\def\sparse#1{{\bbox[1px, border: 1.5px solid red]{\bold{#1}}}}$ $\def\vstack#1#2{{\overset{#1}{\underset{#2}{=}}}}$

Apr 5, 2023
Lookup Arguments for Mad Scientists and Busy People

The setting for lookups When proving a relation (think in a SNARK), standard arithmetic gates can be an awkward way to express what you want to prove. For example, byte-to-byte XOR (ubiquitous, e.g., in hashing) requires several arithmetic gates to be expressed. A more compact way to express this and other constraints is a lookup table:precompute all possible values of the table and store them in a commitment at proving time, just prove you know a row in that table. This is tantamount to of showing that you know, say, A,B,C such that A XOR B = C. A building block for this setting can be composed with other SNARKs and get a significantly more efficient prover. Useful, but how do we build this? If you ignore that a table is actually composed of &quot;multiple columns&quot;[^col], then this sounds like a vector commitment problem: just lookup, say, XOR outputs, by proving some values are inside a precommitted vector. This is what a vector commitment does! [^vc] Except, that we actually have a few more problems to solve (explained below) This is why vector commitments are inadequate for the job. We need a better primitive!

Feb 23, 2023
Untitled

This is a draft of the proof Current proof for pUT: Claim of security is: assume a sUT for distribution D(z) defined as follows: let T = z sample epk-s return $F^{resh}_{T,epk-s}$ then the pUT built with that sUT is secure.

May 23, 2021
Read more from Matteo Campanelli
Published on HackMD