30.2CRMar 21
Protocols for Univariate SumcheckMalcom Mohamed
Three candidate approaches for univariate sumcheck over roots of unity are presented. The first takes the form of a multilinear evaluation protocol, which can be combined with the standard multivariate sumcheck protocol. The other two are reductions from univariate domain identity and univariate sumcheck to multivariate evaluation, respectively, and each can be combined with Gemini (Bootle et al., Eurocrypt 2022). Optionally, natural round reductions from $m$ to $\log(m)$ or $O(\sqrt{m})$ are supported, while retaining linear prover time.
39.1CRMar 13
Mitigating Collusion in Proofs of LiabilitiesMalcom Mohamed, Ghassan Karame
Cryptocurrency exchanges use proofs of liabilities (PoLs) to prove to their customers their liabilities committed on-chain, thereby enhancing their trust in the service. Unfortunately, a close examination of currently deployed and academic PoLs reveals significant shortcomings in their designs. For instance, existing schemes cannot resist realistic attack scenarios in which the provider colludes with an existing user. In this paper, we propose a new model, dubbed permissioned PoL, that addresses this gap by not requiring cooperation from users to detect a dishonest provider's potential misbehavior. At the core of our proposal lies a novel primitive, which we call Permissioned Vector Commitment (PVC), to ensure that a committed vector only contains values that users have explicitly signed. We provide an efficient PVC and PoL construction that carefully combines homomorphic properties of KZG commitments and BLS-based signatures. Our prototype implementation shows that, despite the stronger security, our proposal also improves server performance (by up to $10\times$) compared to prior PoLs.