## CryptoDB

### Dan Boneh

#### Publications

**Year**

**Venue**

**Title**

2024

CIC

A Survey of Two Verifiable Delay Functions Using Proof of Exponentiation
Abstract

<p>A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This paper surveys and compares two beautiful verifiable delay functions, one due to Pietrzak, and the other due to Wesolowski, In addition, we provide a new computational proof of security for one of them, present an attack on an incorrect implementation of the other, and compare the complexity assumptions needed for both schemes. </p>

2024

CRYPTO

Traceable Secret Sharing: Strong Security and Efficient Constructions
Abstract

Suppose Alice uses a $t$-out-of-$n$ secret sharing to store her secret key on $n$ servers. Her secret key is protected as long as $t$ of them do not collude. However, what if a less-than-$t$ subset of the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold them accountable, or else nothing prevents them from selling her shares. With this motivation in mind, Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of {\em traceable secret sharing}. In such schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them. Goyal et al.~presented the first construction of a traceable secret sharing scheme. However, secret shares in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it relies on Goldreich-Levin decoding.
In this work, we put forth new definitions and practical constructions for traceable secret sharing. In our model, some $f < t$ servers output a reconstruction box~$R$ that may arbitrarily depend on their shares. Given additional $t-f$ shares, $R$ reconstructs and outputs the secret.
The task is to trace $R$ back to the corrupted servers given
black-box access to $R$.
Unlike Goyal et al., we do not assume that the tracing algorithm has any information on how the corrupted servers constructed~$R$ from the shares in their possession.
We then present two very efficient constructions of traceable secret sharing based on two classic secret sharing schemes.
In both of our schemes, shares are only twice as large as the secret, improving over the quadratic overhead of Goyal et al.
Our first scheme is obtained by presenting a new practical tracing algorithm for the widely-used Shamir secret sharing scheme.
Our second construction is based on an extension of Blakley's secret sharing scheme. Tracing in this scheme is optimally efficient, and requires just one successful query to $R$.
We believe that our constructions are an important step towards bringing traceable secret-sharing schemes to practice.
This work also raises several interesting open problems that we describe
in the paper.

2024

CRYPTO

Accountability in Threshold Decryption via Threshold Traitor Tracing
Abstract

A $t$-out-of-$n$ threshold decryption system assigns key shares to $n$ parties so that any $t$ of them can decrypt a well-formed ciphertext.
Existing threshold decryption systems are not secure when these parties are rational actors:
an adversary can offer to pay the parties for their key shares.
The problem is that a quorum of $t$~parties, working together, can sell the adversary a decryption key that reveals nothing about the identity of the traitor parties.
This provides a risk-free profit for the parties since there is no accountability for their misbehavior --- the information they sell to the adversary reveals nothing about their identity.
This behavior can result in a complete break in many applications of threshold decryption,
such as encrypted mempools, private voting, and sealed-bid auctions.
In this work we propose a solution to this problem.
Suppose a quorum of~$t$ or more parties construct a decoder algorithm~$D(\cdot)$ that takes as input a ciphertext and outputs the corresponding plaintext or $\bot$. They sell~$D$ to the adversary.
Our threshold decryption systems are equipped with a tracing algorithm that can trace~$D$ to members of the quorum that created it.
The tracing algorithm is only given blackbox access to~$D$ and will identify some members of the misbehaving quorum.
The parties can then be held accountable, which may discourage them from selling the decoder~$D$ in the first place.
Our starting point is standard (non-threshold) traitor tracing, where $n$ parties each holds a secret key.
Every party can decrypt a well-formed ciphertext on its own.
However, if a subset of parties ${\cal J} \subseteq [n]$ collude to create a pirate decoder $D(\cdot)$ that can decrypt well-formed ciphertexts, then it is possible to trace $D$ to at least one member of ${\cal J}$ using only blackbox access to the decoder~$D$.
In this work we develop the theory of traitor tracing for threshold decryption, where now only a subset ${\cal J} \subseteq [n]$ of~$t$ or more parties can collude to create a pirate decoder $D(\cdot)$.
This problem has recently become quite important due to the real-world deployment of threshold decryption in encrypted mempools, as we explain in the paper.
While there are several non-threshold traitor tracing schemes that we can leverage, adapting these constructions to the threshold decryption settings requires new cryptographic techniques.
A $t$-out-of-$n$ threshold decryption system assigns key shares to $n$ parties
so that any $t$ of them can decrypt a well-formed ciphertext.
Existing threshold decryption systems are {\em not secure}
when these parties are rational actors:
an adversary can offer to pay the parties for their key shares.
The problem is that a quorum of $t$~parties, working together,
can sell the adversary a decryption key
that reveals nothing about the identity of the traitor parties.
This provides a risk-free profit for the parties
since there is no accountability for their misbehavior ---
the information they sell to the adversary
reveals nothing about their identity.
This behavior can result in a complete break
in many applications of threshold decryption,
such as encrypted mempools, private voting, and sealed-bid auctions.
In this work we propose a solution to this problem.
Suppose a quorum of~$t$ or more parties construct a
decoder algorithm~$D(\cdot)$ that takes as input a ciphertext
and outputs the corresponding plaintext or $\bot$.
They sell~$D$ to the adversary.
Our threshold decryption systems are equipped with a tracing algorithm
that can trace~$D$ to members of the quorum that created it.
The tracing algorithm is only given blackbox access to~$D$ and will
identify some members of the misbehaving quorum.
The parties can then be held accountable,
which may discourage them from selling the decoder~$D$ in the first place.
Our starting point is standard (non-threshold) traitor tracing,
where $n$ parties each holds a secret key.
Every party can decrypt a well-formed ciphertext on its own.
However, if a subset of parties ${\cal J} \subseteq [n]$ collude to create a
pirate decoder $D(\cdot)$ that can decrypt well-formed ciphertexts,
then it is possible to trace $D$ to at least one member of ${\cal J}$
using only blackbox access to the decoder~$D$.
In this work we develop the theory of traitor tracing
for threshold decryption,
where now only a subset ${\cal J} \subseteq [n]$ of~$t$ or more parties
can collude to create a pirate decoder $D(\cdot)$.
This problem has recently become quite important
due to the real-world deployment of threshold decryption in encrypted mempools,
as we explain in the paper.
While there are several non-threshold traitor tracing schemes
that we can leverage,
adapting these constructions to the threshold decryption settings requires new cryptographic techniques.
We present a number of constructions for traitor tracing for threshold decryption,
and note that much work remains to explore the large design space.

2024

CRYPTO

Mangrove: A Scalable Framework for Folding-based SNARKs
Abstract

We present a framework for building efficient folding-based SNARKs. First we develop a new ``uniformizing'' compiler for NP statements that converts any poly-time computation to a sequence of identical simple steps. The resulting uniform computation is especially well-suited to be processed by a folding-based IVC scheme. Second, we develop two optimizations to folding-based IVC. The first reduces the recursive overhead of the IVC by restructuring the relation to which folding is applied. The second employs a ``commit-and-fold'' strategy to further simplify the relation. Together, these optimizations result in a folding-based SNARK that has a number of attractive features. First, the scheme uses a constant-size transparent common reference string (CRS). Second, the prover has (i) low memory footprint, (ii) makes only two passes over the data, (iii) is highly parallelizable, and (iv) is concretely efficient. Proving time is comparable to leading monolithic SNARKs, and is significantly faster than other streaming SNARKs. For example, for proving $2^{24}$ constraints, we estimate that a Mangrove prover takes about $64$ seconds, $10$ times faster than Spartan SNARK, while using less than 160MB of memory.

2023

EUROCRYPT

A Lower Bound on the Length of Signatures Based on Group Actions and Generic Isogenies
Abstract

We give the first black box lower bound for signature protocols that can be described as group actions, which include many based on isogenies. We show that, for a large class of signature schemes making black box use of a (potentially non-abelian) group action, the signature length must be $\Omega(\lambda^2/\log\lambda)$. Our class of signatures generalizes all known signatures that derive security exclusively from the group action, and our lower bound matches the state of the art, showing that the signature length cannot be improved without deviating from the group action framework.

2023

EUROCRYPT

HyperPlonk: Plonk with Linear-Time Prover and High-Degree Custom Gates
Abstract

Plonk is a widely used succinct non-interactive proof system
that uses univariate polynomial commitments.
Plonk is quite flexible:
it supports circuits with low-degree ``custom'' gates
as well as circuits with lookup gates (a lookup gates ensures that its
input is contained in a predefined table).
For large circuits, the bottleneck in generating a Plonk proof
is the need for computing a large FFT.
We present HyperPlonk, an adaptation of Plonk to the boolean hypercube,
using multilinear polynomial commitments.
HyperPlonk retains the flexibility of Plonk,
but provides a number of additional benefits.
First, it avoids the need for an FFT during proof generation.
Second, and more importantly, it supports custom gates of much
higher degree than Plonk, without harming the running time of the prover.
Both of these can dramatically speed-up the prover's running time.
Since HyperPlonk relies on multilinear polynomial commitments,
we revisit two elegant constructions:
one from Orion and one from Virgo.
We show how to reduce the Orion opening proof size to less than 10kb (an almost factor 1000 improvement), and show how to make the Virgo FRI-based
opening proof simpler and shorter.

2023

CRYPTO

Arithmetic Sketching
Abstract

This paper introduces arithmetic sketching, an abstraction of a primitive that several previous works use to achieve lightweight, low-communication zero-knowledge verification of secret-shared vectors. An arithmetic sketching scheme for a language L ⊆ F^n consists of (1) a randomized linear function compressing a long input x to a short “sketch,” and (2) a small arithmetic circuit that accepts the sketch if and only if x ∈ L, up to some small error. If the language L has an arithmetic sketching scheme with short sketches, then it is possible to test membership in L using an arithmetic circuit with few multiplication gates. Since multiplications are the dominant cost in protocols for computation on secret-shared, encrypted, and committed data, arithmetic sketching schemes give rise to lightweight protocols in each of these settings.
In addition to the formalization of arithmetic sketching, our contributions are:
– A general framework for constructing arithmetic sketching schemes from algebraic varieties. This framework unifies schemes from prior work and gives rise to schemes for useful new languages and with improved soundness error.
– The first arithmetic sketching schemes for languages of sparse vectors: vectors with bounded Hamming weight, bounded L1 norm, and vectors whose few non-zero values satisfy a given predicate.
– A method for “compiling” any arithmetic sketching scheme for a language L into a low-communication malicious-secure multi-server protocol for securely testing that a client-provided secret-shared vector is in L.
We also prove the first nontrivial lower bounds showing limits on the sketch size for certain languages (e.g., vectors of Hamming-weight one) and proving the non-existence of arithmetic sketching schemes for others
(e.g., the language of all vectors that contain a specific value).

2022

CRYPTO

Threshold Signatures with Private Accountability
📺
Abstract

Existing threshold signature schemes come in two flavors:
(i) fully private, where the signature reveals nothing about the set of signers that generated the signature, and
(ii) accountable, where the signature completely identifies the set of signers.
In this paper we propose a new type of threshold signature, called TAPS,
that is a hybrid of privacy and accountability.
A TAPS signature is fully private from the public's point of view.
However, an entity that has a secret tracing key can trace a signature to the threshold of signers that generated it.
A TAPS makes it possible for an organization to keep its inner workings private,
while ensuring that signers are accountable for their actions.
We construct a number of TAPS schemes.
First, we present a generic construction that builds a TAPS from any accountable threshold signature.
This generic construction is not efficient, and we next focus on efficient schemes
based on standard assumptions.
We build two efficient TAPS schemes (in the random oracle model) based on the Schnorr signature scheme.
We conclude with a number of open problems relating to efficient TAPS

2021

CRYPTO

Halo Infinite: Proof-Carrying Data from Additive Polynomial Commitments
📺
Abstract

Polynomial commitment schemes (PCS) have recently been in the spotlight for their key role in building SNARKs. A PCS provides the ability to commit to a polynomial over a finite field and prove its evaluation at points. A *succinct* PCS has commitment size and evaluation proof size sublinear in the degree of the polynomial. An *efficient* PCS has sublinear proof verification. Any efficient and succinct PCS can be used to construct a SNARK with similar security and efficiency characteristics (in the random oracle model).
Proof-carrying data (PCD) enables a set of parties to carry out an indefinitely long distributed computation where every step along the way is accompanied by a proof of correctness. It generalizes *incrementally verifiable computation* and can even be used to construct SNARKs.
Until recently, however, the only known method for constructing PCD required expensive SNARK recursion. A system called *Halo* first demonstrated a new methodology for building PCD without SNARKs, exploiting an aggregation property of the *Bulletproofs* inner-product argument.
The construction was *heuristic* because it makes non-black-box use of a concrete instantiation of the Fiat-Shamir transform. We expand upon this methodology to show that PCD can be (heuristically) built from any homomorphic polynomial commitment scheme (PCS), even if the PCS evaluation proofs are neither succinct nor efficient. In fact, the Halo methodology extends to any PCS that has an even more general property, namely the ability to aggregate linear combinations of commitments into a new succinct commitment that can later be opened to this linear combination. Our results thus imply new constructions of SNARKs and PCD that were not previously described in the literature and serve as a blueprint for future constructions as well.

2020

ASIACRYPT

Improving Speed and Security in Updatable Encryption Schemes
📺
Abstract

Periodic key rotation is a common practice designed to limit the long-term power of cryptographic keys. Key rotation refers to the process of re-encrypting encrypted content under a fresh key, and overwriting the old ciphertext with the new one. When encrypted data is stored in the cloud, key rotation can be very costly: it may require downloading the entire encrypted content from the cloud, re-encrypting it on the client's machine, and uploading the new ciphertext back to the cloud.
An updatable encryption scheme is a symmetric-key encryption scheme designed to support efficient key rotation in the cloud. The data owner sends a short update token to the cloud. This update token lets the cloud rotate the ciphertext from the old key to the new key, without learning any information about the plaintext. Recent work on updatable encryption has led to several security definitions and proposed constructions. However, existing constructions are not yet efficient enough for practical adoption, and the existing security definitions can be strengthened.
In this work we make three contributions. First, we introduce stronger security definitions for updatable encryption (in the ciphertext-dependent setting) that capture desirable security properties not covered in prior work. Second, we construct two new updatable encryption schemes. The first construction relies only on symmetric cryptographic primitives, but only supports a bounded number of key rotations. The second construction supports a (nearly) unbounded number of updates, and is built from the Ring Learning with Errors (RLWE) assumption. Due to complexities of using RLWE, this scheme achieves a slightly weaker notion of integrity compared to the first. Finally, we implement both constructions and compare their performance to prior work. Our RLWE-based construction is 200x faster than a prior proposal for an updatable encryption scheme based on the hardness of elliptic curve DDH. Our first construction, based entirely on symmetric primitives, has the highest encryption throughput, approaching the performance of AES, and the highest decryption throughput on ciphertexts that were re-encrypted fewer than fifty times. For ciphertexts re-encrypted over fifty times, the RLWE construction dominates it in decryption speed.

2020

ASIACRYPT

Oblivious Pseudorandom Functions from Isogenies
📺
Abstract

An oblivious PRF, or OPRF, is a protocol between a client and a server, where the server has a key $k$ for a secure pseudorandom function $F$, and the client has an input $x$ for the function. At the end of the protocol the client learns $F(k,x)$, and nothing else, and the server learns nothing. An OPRF is verifiable if the client is convinced that the server has evaluated the PRF correctly with respect to a prior commitment to $k$. OPRFs and verifiable OPRFs have numerous applications, such as private-set-intersection protocols, password-based key-exchange protocols, and defense against denial-of-service attacks. Existing OPRF constructions use RSA-, Diffie-Hellman-, and lattice-type assumptions. The first two are not post-quantum secure.
In this paper we construct OPRFs and verifiable OPRFs from isogenies. Our main construction uses isogenies of supersingular elliptic curves over $\Fpp$ and tries to adapt the Diffie-Hellman OPRF to that setting. However, a recent attack on supersingular-isogeny
systems due to Galbraith~et~al.~[ASIACRYPT 2016] makes this approach difficult to secure. To overcome this attack, and to validate the server's response, we develop two new zero-knowledge protocols that convince each party that its peer has sent valid messages. With these protocols in place, we obtain an OPRF in the SIDH setting and prove its security in the UC framework.
Our second construction is an adaptation of the Naor-Reingold PRF to commutative group actions. Combining it with recent constructions of oblivious transfer from isogenies, we obtain an OPRF in the CSIDH setting.

2019

TCHES

Fast and simple constant-time hashing to the BLS12-381 elliptic curve
📺
Abstract

Pairing-friendly elliptic curves in the Barreto-Lynn-Scott family are seeing a resurgence in popularity because of the recent result of Kim and Barbulescu that improves attacks against other pairing-friendly curve families. One particular Barreto-Lynn-Scott curve, called BLS12-381, is the locus of significant development and deployment effort, especially in blockchain applications. This effort has sparked interest in using the BLS12-381 curve for BLS signatures, which requires hashing to one of the groups of the bilinear pairing defined by BLS12-381.While there is a substantial body of literature on the problem of hashing to elliptic curves, much of this work does not apply to Barreto-Lynn-Scott curves. Moreover, the work that does apply has the unfortunate property that fast implementations are complex, while simple implementations are slow.In this work, we address these issues. First, we show a straightforward way of adapting the “simplified SWU” map of Brier et al. to BLS12-381. Second, we describe optimizations to this map that both simplify its implementation and improve its performance; these optimizations may be of interest in other contexts. Third, we implement and evaluate. We find that our work yields constant-time hash functions that are simple to implement, yet perform within 9% of the fastest, non–constant-time alternatives, which require much more complex implementations.

2019

CRYPTO

Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains
📺
Abstract

We present batching techniques for cryptographic accumulators and vector commitments in groups of unknown order. Our techniques are tailored for distributed settings where no trusted accumulator manager exists and updates to the accumulator are processed in batches. We develop techniques for non-interactively aggregating membership proofs that can be verified with a constant number of group operations. We also provide a constant sized batch non-membership proof for a large number of elements. These proofs can be used to build the first positional vector commitment (VC) with constant sized openings and constant sized public parameters. As a core building block for our batching techniques we develop several succinct proof systems in groups of unknown order. These extend a recent construction of a succinct proof of correct exponentiation, and include a succinct proof of knowledge of an integer discrete logarithm between two group elements. We circumvent an impossibility result for Sigma-protocols in these groups by using a short trapdoor-free CRS. We use these new accumulator and vector commitment constructions to design a stateless blockchain, where nodes only need a constant amount of storage in order to participate in consensus. Further, we show how to use these techniques to reduce the size of IOP instantiations, such as STARKs. The full version of the paper is available online [BBF18b].

2019

CRYPTO

Zero-Knowledge Proofs on Secret-Shared Data via Fully Linear PCPs
📺
Abstract

We introduce and study the notion of fully linear probabilistically checkable proof systems. In such a proof system, the verifier can make a small number of linear queries that apply jointly to the input and a proof vector.Our new type of proof system is motivated by applications in which the input statement is not fully available to any single verifier, but can still be efficiently accessed via linear queries. This situation arises in scenarios where the input is partitioned or secret-shared between two or more parties, or alternatively is encoded using an additively homomorphic encryption or commitment scheme. This setting appears in the context of secure messaging platforms, verifiable outsourced computation, PIR writing, private computation of aggregate statistics, and secure multiparty computation (MPC). In all these applications, there is a need for fully linear proof systems with short proofs.While several efficient constructions of fully linear proof systems are implicit in the interactive proofs literature, many questions about their complexity are open. We present several new constructions of fully linear zero-knowledge proof systems with sublinear proof size for “simple” or “structured” languages. For example, in the non-interactive setting of fully linear PCPs, we show how to prove that an input vector $$x\in {\mathbb {F}}^n$$, for a finite field $${\mathbb {F}}$$, satisfies a single degree-2 equation with a proof of size $$O(\sqrt{n})$$ and $$O(\sqrt{n})$$ linear queries, which we show to be optimal. More generally, for languages that can be recognized by systems of constant-degree equations, we can reduce the proof size to $$O(\log n)$$ at the cost of $$O(\log n)$$ rounds of interaction.We use our new proof systems to construct new short zero-knowledge proofs on distributed and secret-shared data. These proofs can be used to improve the performance of the example systems mentioned above.Finally, we observe that zero-knowledge proofs on distributed data provide a general-purpose tool for protecting MPC protocols against malicious parties. Applying our short fully linear PCPs to “natural” MPC protocols in the honest-majority setting, we can achieve unconditional protection against malicious parties with sublinear additive communication cost. We use this to improve the communication complexity of recent honest-majority MPC protocols. For instance, using any pseudorandom generator, we obtain a 3-party protocol for Boolean circuits in which the amortized communication cost is only one bit per AND gate per party (compared to 10 bits in the best previous protocol), matching the best known protocols for semi-honest parties.

2018

CRYPTO

Verifiable Delay Functions
📺
Abstract

We study the problem of building a verifiable delay function (VDF). A $$\text {VDF}$$VDFrequires a specified number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. $$\text {VDF}$$VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirements for $$\text {VDF}$$VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time.

2018

CRYPTO

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption
📺
Abstract

We develop a general approach to adding a threshold functionality to a large class of (non-threshold) cryptographic schemes. A threshold functionality enables a secret key to be split into a number of shares, so that only a threshold of parties can use the key, without reconstructing the key. We begin by constructing a threshold fully-homomorphic encryption scheme (ThFHE) from the learning with errors (LWE) problem. We next introduce a new concept, called a universal thresholdizer, from which many threshold systems are possible. We show how to construct a universal thresholdizer from our ThFHE. A universal thresholdizer can be used to add threshold functionality to many systems, such as CCA-secure public-key encryption (PKE), signature schemes, pseudorandom functions, and others primitives. In particular, by applying this paradigm to a (non-threshold) lattice signature system, we obtain the first single-round threshold signature scheme from LWE.

2018

TCC

Exploring Crypto Dark Matter:
Abstract

Pseudorandom functions (PRFs) are one of the fundamental building blocks in cryptography. Traditionally, there have been two main approaches for PRF design: the “practitioner’s approach” of building concretely-efficient constructions based on known heuristics and prior experience, and the “theoretician’s approach” of proposing constructions and reducing their security to a previously-studied hardness assumption. While both approaches have their merits, the resulting PRF candidates vary greatly in terms of concrete efficiency and design complexity.In this work, we depart from these traditional approaches by exploring a new space of plausible PRF candidates. Our guiding principle is to maximize simplicity while optimizing complexity measures that are relevant to cryptographic applications. Our primary focus is on weak PRFs computable by very simple circuits—specifically, depth-2$$\mathsf {ACC}^0$$ circuits. Concretely, our main weak PRF candidate is a “piecewise-linear” function that first applies a secret mod-2 linear mapping to the input, and then a public mod-3 linear mapping to the result. We also put forward a similar depth-3 strong PRF candidate.The advantage of our approach is twofold. On the theoretical side, the simplicity of our candidates enables us to draw many natural connections between their hardness and questions in complexity theory or learning theory (e.g., learnability of $$\mathsf {ACC}^0$$ and width-3 branching programs, interpolation and property testing for sparse polynomials, and new natural proof barriers for showing super-linear circuit lower bounds). On the applied side, the piecewise-linear structure of our candidates lends itself nicely to applications in secure multiparty computation (MPC). Using our PRF candidates, we construct protocols for distributed PRF evaluation that achieve better round complexity and/or communication complexity (often both) compared to protocols obtained by combining standard MPC protocols with PRFs like AES, LowMC, or Rasta (the latter two are specialized MPC-friendly PRFs).Finally, we introduce a new primitive we call an encoded-input PRF, which can be viewed as an interpolation between weak PRFs and standard (strong) PRFs. As we demonstrate, an encoded-input PRF can often be used as a drop-in replacement for a strong PRF, combining the efficiency benefits of weak PRFs and the security benefits of strong PRFs. We conclude by showing that our main weak PRF candidate can plausibly be boosted to an encoded-input PRF by leveraging standard error-correcting codes.

2018

ASIACRYPT

Compact Multi-signatures for Smaller Blockchains
Abstract

We construct new multi-signature schemes that provide new functionality. Our schemes are designed to reduce the size of the Bitcoin blockchain, but are useful in many other settings where multi-signatures are needed. All our constructions support both signature compression and public-key aggregation. Hence, to verify that a number of parties signed a common message m, the verifier only needs a short multi-signature, a short aggregation of their public keys, and the message m. We give new constructions that are derived from Schnorr signatures and from BLS signatures. Our constructions are in the plain public key model, meaning that users do not need to prove knowledge or possession of their secret key.In addition, we construct the first short accountable-subgroup multi-signature (ASM) scheme. An ASM scheme enables any subset $$ S $$ of a set of n parties to sign a message m so that a valid signature discloses which subset generated the signature (hence the subset $$ S $$ is accountable for signing m). We construct the first ASM scheme where signature size is only $$O(\kappa )$$ bits over the description of $$ S $$, where $$\kappa $$ is the security parameter. Similarly, the aggregate public key is only $$O(\kappa )$$ bits, independent of n. The signing process is non-interactive. Our ASM scheme is very practical and well suited for compressing the data needed to spend funds from a t-of-n Multisig Bitcoin address, for any (polynomial size) t and n.

2016

ASIACRYPT

2015

EUROCRYPT

2014

CRYPTO

2014

EUROCRYPT

2013

CRYPTO

2011

PKC

1996

CRYPTO

1996

CRYPTO

#### Program Committees

- Crypto 2023
- Crypto 2017
- Crypto 2012
- Crypto 2011
- Eurocrypt 2010
- Crypto 2009
- Crypto 2003 (Program chair)
- Eurocrypt 2002
- Eurocrypt 2000
- Asiacrypt 2000
- Crypto 2000
- Eurocrypt 1999
- Crypto 1998

#### Coauthors

- Martín Abadi (1)
- Shweta Agrawal (3)
- Jae Hyun Ahn (2)
- Dan Boneh (90)
- Joseph Bonneau (1)
- Xavier Boyen (11)
- Elette Boyle (2)
- Benedikt Bünz (4)
- Jan Camenisch (2)
- Binyi Chen (2)
- Henry Corrigan-Gibbs (4)
- Giovanni Di Crescenzo (1)
- Özgür Dagdelen (1)
- Trisha Datta (1)
- Richard A. DeMillo (2)
- Justin Drake (1)
- Manu Drijvers (1)
- Glenn Durfee (4)
- Saba Eskandarian (1)
- Ben Fisch (4)
- Marc Fischlin (1)
- Yair Frankel (1)
- Matthew K. Franklin (4)
- David Freeman (4)
- Ariel Gabizon (1)
- Rosario Gennaro (1)
- Craig Gentry (3)
- Niv Gilboa (2)
- Eu-Jin Goh (2)
- Steven Goldfeder (1)
- Philippe Golle (1)
- Sergey Gorbunov (1)
- Jiaxin Guan (1)
- Divya Gupta (1)
- Shai Halevi (3)
- Mike Hamburg (2)
- Susan Hohenberger (2)
- Nick Howgrave-Graham (2)
- William E. Skeith III (1)
- Yuval Ishai (5)
- Aayush Jain (1)
- Markus Jakobsson (1)
- Antoine Joux (1)
- Ari Juels (1)
- Jonathan Katz (1)
- Sam Kim (4)
- Dmitry Kogan (1)
- Chelsea Komlo (1)
- Eyal Kushilevitz (1)
- Anja Lehmann (1)
- Kevin Lewi (3)
- Richard J. Lipton (4)
- Ben Lynn (3)
- Ilya Mironov (2)
- Hart William Montgomery (2)
- Moni Naor (1)
- Gregory Neven (1)
- Wilson Nguyen (1)
- Phong Q. Nguyen (1)
- Valeria Nikolaenko (1)
- Kobbi Nissim (1)
- Rafail Ostrovsky (3)
- Aditi Partap (2)
- Alain Passelègue (1)
- Giuseppe Persiano (1)
- Ananth Raghunathan (4)
- Peter M. R. Rasmussen (1)
- Mariana Raykova (1)
- Lior Rotem (2)
- Amit Sahai (8)
- Christian Schaffner (1)
- Stuart E. Schechter (1)
- Gil Segev (4)
- Hovav Shacham (4)
- James Shaw (1)
- Abhi Shelat (2)
- Emily Shen (1)
- Maurice Shih (1)
- Igor E. Shparlinski (1)
- Nirvan Tyagi (1)
- Vinod Vaikuntanathan (1)
- Ramarathnam Venkatesan (2)
- Dhinakaran Vinayagamurthy (1)
- Riad S. Wahby (1)
- Brent Waters (10)
- Katharine Woo (1)
- David J. Wu (5)
- Mark Zhandry (7)
- Zhenfei Zhang (1)
- Sheng Zhong (1)
- Joe Zimmerman (1)