February 2025 · 1 Citation
December 2024 · 3 Reads · 1 Citation
October 2024 · 7 Reads
In scenarios where a seller holds sensitive data x, like patient records, and a buyer seeks to obtain an evaluation of a function f on x, solutions in trustless environments like blockchain fall into two categories: (1) smart-contract-powered solutions and (2) cryptographic solutions using tools such as adaptor signatures. The former offers atomic transactions where the buyer learns f(x) upon payment. However, this approach is inefficient, costly, lacks privacy for the seller's data, and is incompatible with blockchains such as Bitcoin. In contrast, the adaptor-signature-based approach addresses all of the above issues but comes with an "all-or-nothing" guarantee: the buyer fully extracts x, and extracting only f(x) is not supported. In this work, we bridge the gap between these approaches, developing a solution that enables fair functional sales while offering all the above properties of adaptor signatures. Towards this, we propose functional adaptor signatures (FAS), a novel cryptographic primitive, and show how it can be used to enable functional sales. We formalize the security properties of FAS, among which is a new notion called witness privacy to capture the seller's privacy, which ensures the buyer does not learn anything beyond f(x). We present multiple variants of witness privacy, namely witness hiding, witness indistinguishability, and zero-knowledge. We introduce two efficient constructions of FAS supporting linear functions, based on prime-order groups and on lattices, that satisfy the strongest notion of witness privacy. A central conceptual contribution of our work lies in revealing a surprising connection between functional encryption and adaptor signatures. We implement our FAS construction for Schnorr signatures and show that for reasonably sized seller witnesses, all operations are quite efficient even on commodity hardware.
August 2024
May 2024 · 3 Reads · 3 Citations
November 2023 · 11 Reads · 3 Citations
May 2023 · 7 Reads · 9 Citations
Lecture Notes in Computer Science
Time-lock puzzles (TLP) are a fascinating type of cryptographic problem that is easy to generate but takes a certain time to solve, even when arbitrary parallel speedup is allowed. TLPs have wide-ranging applications including fairness, round-efficient computation, and more. To reduce the effort needed to solve large numbers of TLPs, prior work has proposed batching techniques to reduce the cost of solving. However, these proposals require either (1) a trusted setup or (2) a puzzle size linear in the maximum batch size, which implies setting an a priori bound on the maximum size of the batch. Either of these limitations restricts the utility of TLPs in decentralized and dynamic settings like permissionless blockchains. In this work, we demonstrate the feasibility and usefulness of a TLP that overcomes all the above limitations, using indistinguishability obfuscation to show that there are no fundamental barriers to achieving such a TLP construction. As a main application of our TLP, we show how to improve the resilience of consensus protocols toward network-level adversaries in the following settings: (1) We show a generic compiler that boosts the resilience of a Byzantine broadcast protocol as follows: if the protocol is secure against weakly adaptive corruptions, then the compiled protocol is secure against strongly adaptive corruptions. Here, 'strong' refers to adaptively corrupting a party and deleting messages that it sent while still honest. Our compiler is round- and communication-preserving, and gives the first expected constant-round Byzantine broadcast protocol against a strongly adaptive adversary for the dishonest-majority setting. (2) We adapt the Nakamoto consensus protocol to a weak model of synchrony where the adversary can adaptively create minority partitions in the network. Unlike prior works, we do not assume that all honest messages are delivered within a known upper bound on the message delay. This is the first work to show that it is possible to achieve consensus in the permissionless setting even after relaxing the standard synchrony assumption.

Keywords: Time-lock puzzles, Batch solving, Distributed consensus, Byzantine broadcast, Mobile-sluggish faults
November 2022 · 18 Reads · 18 Citations
October 2022 · 16 Reads · 43 Citations
Lecture Notes in Computer Science
A succinct non-interactive argument of knowledge (SNARK) allows a prover to produce a short proof that certifies the veracity of a certain NP-statement. In the last decade, a large body of work has studied candidate constructions that are secure against quantum attackers. Unfortunately, no known candidate matches the efficiency and desirable features of (pre-quantum) constructions based on bilinear pairings. In this work, we make progress on this question. We propose the first lattice-based SNARK that simultaneously satisfies many desirable properties: It (i) is tentatively post-quantum secure, (ii) is publicly-verifiable, (iii) has a logarithmic-time verifier and (iv) has a purely algebraic structure making it amenable to efficient recursive composition. Our construction stems from a general technical toolkit that we develop to translate pairing-based schemes to lattice-based ones. At the heart of our SNARK is a new lattice-based vector commitment (VC) scheme supporting openings to constant-degree multivariate polynomial maps, which is a candidate solution for the open problem of constructing VC schemes with openings to beyond linear functions. However, the security of our constructions is based on a new family of lattice-based computational assumptions which naturally generalises the standard Short Integer Solution (SIS) assumption.
September 2022 · 21 Reads · 13 Citations
Lecture Notes in Computer Science
Decentralized cryptocurrencies still suffer from three interrelated weaknesses: low transaction rates, high transaction fees, and long confirmation times. Payment channels promise to be a solution to these issues, and many constructions for cryptocurrencies such as Bitcoin and Ethereum are known. Somewhat surprisingly, no solution is known for Monero, the largest privacy-preserving cryptocurrency, that does not require system-wide changes such as a hard fork of its blockchain, as prior solutions do. In this work, we close this gap for Monero by presenting the first provably secure payment channel protocol that is fully compatible with Monero's transaction scheme. Notably, the payment-channel-related transactions are identical to standard transactions in Monero, therefore not hampering the coins' fungibility. With standard techniques, our payment channels can be extended to support atomic swaps of tokens in Monero with tokens of several other major currencies like Bitcoin, Ethereum, Ripple, etc., in a fungible and privacy-preserving manner. Our main technical contribution is a new cryptographic tool called verifiable timed linkable ring signatures (VTLRS), where linkable ring signatures can be hidden for a pre-determined amount of time in a verifiable way. We present a practically efficient construction of VTLRS that is fully compatible with the transaction scheme of Monero and allows users to make timed payments to the future, which might be of independent interest for developing other applications on Monero. Our implementation results show that even with high network latency and with a single CPU core, two regular users can perform up to 93500 payments over 2 min (the block production rate of Monero). This is approximately five orders of magnitude improvement over the current payment rate of Monero.
... Furthermore, in both approaches, the buyer can interact with "fake sellers" who do not possess the desired asset, therefore wasting time. Another recent work [39] tries to solve a similar problem, making use of adaptor signature schemes. These schemes ensure that a buyer's coins are transferred to the seller if and only if the seller possesses a valid witness for a specific claim. ...
December 2024
... Despite their structural similarity, currently, all of the mentioned use cases are solved by custom protocols whose corresponding functionality and security notions are restated and adapted for each use case and then proven from scratch (requiring involved proofs in complex cryptographic proof frameworks [22]). This is not only cumbersome and error-prone, as demonstrated by the security flaws found so far in blockchain protocols proposed by both academia [23], [24] and industry [1], [25], but also hinders the design of new protocols that aim to achieve similar functionality and security goals. ...
May 2024
... Tamarin-based verification of Direct Anonymous Attestation in TPM 2.0 [32], reinforcing the security of RA protocols. Expanding RA to post-quantum security remains an open research direction [27]. ...
November 2023
... Ben-Or [13] and Rabin [14], showed that this lower bound can be overcome using randomization, leading to probabilistic protocols with expected-constant number of rounds in the honest-majority setting, e.g., [37,38,39]. In the dishonest-majority setting, Garay et al. [40] presented a lower bound of (n/(n − t)) rounds for any protocol tolerating t > n/2 corruptions; a fruitful line of work devised sublinear-round broadcast protocols [24,40,41,42,43,44]; notably, the work of [42] matches the lower bound of [40] for any constant fraction of corruptions. In some sense, our main lower bound (Theorem 2) can be viewed as an analogue of the lower bound from [40] for the case of communication complexity. ...
May 2023
Lecture Notes in Computer Science
... The Lightning Network operates by establishing bi-directional payment channels between users. Once a channel is open, users can conduct numerous transactions off-chain [51,53]. The balance is updated in real-time between the parties, but the blockchain is only updated when the channel is closed. ...
November 2022
... Recent years have witnessed a number of works on functional commitment [3,4,9,10,20,22,24,29,32,33]. An important measurement for FC schemes is the function set F that an FC scheme can support. ...
October 2022
Lecture Notes in Computer Science
... Consequently, it requires a large n to improve the security bound, resulting in a long verification time. In ESORICS 2022, Thyagarajan et al. [22] proposed a verifiable timed linkable ring signature. This construction can be used to hide a linkable ring signature for a predetermined amount of time in a verifiable way. ...
September 2022
Lecture Notes in Computer Science
... Thus, parties can expect messages to be received at a certain time. This assumption in the blockchain domain is indeed widely employed in other works in this area [17,31,37,35,38,22]. This synchronized notion of time facilitates time-based conditions, such as those related to deadlines or time-locked transactions. ...
May 2022
... In addition, it required a TTP called Provider to enhance system security. Subsequently, in 2021, Thyagarajan proposed lockable signatures (Thyagarajan and Malavolta 2021), and in 2022, he further presented a generic scriptless ACCS based on lockable signatures (Thyagarajan 2022). His protocol enables fair exchange of coins among any currencies, while only requiring the minimal script from the underlying blockchain to verify payments, i.e. the verification of digital signatures. ...
January 2022