Decentralised Functional Signatures

With the rapid development of the Internet of Things (IoT) a lot of critical information is shared however without having guarantees about the origin and integrity of the information. Digital signatures can provide important integrity guarantees to prevent illegal users from getting access to private and sensitive data in various IoT applications. Functional signatures, introduced by Boyle, Goldwasser and Ivan (PKC 2014) as signatures with a finegrained access control, allow an authority to generate signing keys corresponding to various functions such that a user with a signing key for a function f, can sign the image of the function f on a message mi.e., can sign f(m). Okamoto and Takashima (PKC 2013) firstly proposed the notion of a decentralized multi-authority functional signature (DMA-FS) scheme, which supports non-monotone access structures combined with inner-product relations. In this paper, we generalise the definition of DMA-FS proposed by Okamoto et al. (PKC13) for even more general policy functions, which support any polynomial-size boolean predicates other than the inner product relation and allow modifications of the original message. In our multi-authority functional signature (MAFS), there are multiple authorities and each one is able to certify a specific function and issue a corresponding functional signing key for each individual with some property, rendering them very useful in application settings such smart homes, smart cities, smart health care etc. We also provide a general transformation from a standard signature scheme to a MAFS scheme. Moreover, we present a way to build a function private MAFS from a FS without function privacy together with SNARKs.


Introduction
With the rapid development of the Internet of Things (IoT) in various application settings (e.g., smart homes [6,7], smart cities [4,8], and smart health-care [1]), ensuring the communication integrity and authenticity of information shared between IoT devices becomes a major concern, since millions of devices sense and communicate large volumes of private and sensitive data. Digital signatures is one of simplest and more reliable approaches, that can be employed to achieve the integrity and authentication properties and thus, prevent illegal users from getting access to private and sensitive data.
Bei Liang lbei@chalmers.se Aikaterini Mitrokotsa aikmitr@chalmers.se 1 Chalmers University of Technology, Gothenburg, Sweden A digital signature on a message, originally introduced by Diffie and Hellman [5], produces information that allows the receiver to verify that the original message was indeed signed by the claimed signer (sender). Boyle, Goldwasser and Ivan [2] have recently introduced a new type of signatures, called functional signatures. In a functional signature scheme, a trusted authority holds a master secret key known only to the authority. Given a description of a function f , the authority using the master secret key can generate a functional signing key sk f associated with the function f . Anyone that has access to the functional signing key sk f and a message m can compute f (m) as well as a functional signature σ of f (m). Such fine-grained generation of signatures is extremely useful in multiple applications such as authentication and trust-negotiation. For instance, we can consider the case where a document (message m) has some fields to be filled in, i.e., the initial document m needs to be modified by applying a function on it f (m) and then subsequently signed. Thus, it is required to produce a signature σ that corresponds to f (m). In that case, a function f could be associated with the fields of the document that need to be filled in, as well as the type of the information (e.g., calendar date). Then, by generating a signing key sk f for this specific function f , we can guarantee which documents have been filled in and signed by an individual.
In this paper, we go beyond standard functional signatures and we re-explore the existing concept: decentralised or multi-authority functional signatures for general policy functions, which aids for smart projects such for smart home, smart city, smart health care etc.
Decentralised functional signatures Although functional signatures (FS) are a very powerful primitive, the basic concept of FS has a serious challenge since it requires that a single authority issues for all users their secret signing keys associated with different functions. This definitely contradicts the distributed public key infrastructure that allows having multiple certification authorities with different levels of trust. When considering realistic applications of functional signatures, it is hard to imagine that a single central authority will be trusted by everyone and will manage all credentials and generate functional signing keys for different functions for all individuals. Inspired by the practical demand for the distributed trust, we explore the model for multi-authority functional signatures (MAFS).
Okamoto et al. [12] firstly proposed the concept of a decentralised multi-authority functional signature (DMA-FS) scheme, which supports non-monotone access structures combined with inner-product relations [11]. Intuitively, the non-monotone access structures combined with inner-product relations [11]  is the componentwise inner-product relations for property vector components, e.g., {u i · v i = 0 or not} i∈{1,...,N} that are taken as input to a span programM, and the property vector u satisfies the policy F iff the truth-value vector of ((u 1 ·v 1 = 0), . . . , (u N · v N = 0)) is accepted by the span programM. In their DMA-FS setting, there are multiple authorities and each authority is able to generate a secret key associated with a sort of attributes u i , i.e., a user obtains several secret keys w.r.t. the attributes it has, u := (u 1 , . . . , u N ), each of which is issued by corresponding authority. A user with secret keys w.r.t. the attributes u := (u 1 , . . . , u N ) is able to sign the message iff u s.t. ((u 1 · v 1 = 0), . . . , (u N · v N = 0)) is accepted by the span programM.
Contrary to Okamoto et al. [12] work, in this paper we consider whether it is possible to extend the DMA-FS with respect to even more general policy functions, which are not limited to inner-product predicates [11] but support any polynomial sized boolean predicate. Furthermore, we allow one to sign a message that is in the range of a function f , which can be considered as to make some operations on the original message first and then to sign the new resulting message.
A motivating example of using MAFS in the IoT setting Before we describe our generalized multi-authority FS (MAFS) scheme in more detail, let us consider a motivating example in the IoT setting. In order to allow both businesses and customers greater visibility and tracking of their products and parcels than ever before, every shipment or parcel can be equipped with an inexpensive small device or sensor which would continuously monitor and record every information from the position of a parcel to the temperature and light conditions-meaning that those sending and receiving the parcels can see both where their items are and how they are being handled on route and whether they have been opened or not. For instance, a headphone made by a company in Germany is ordered to be delivered to China by a logistics company. A rather challenging task is keeping and updating the records of all transactions during the delivery where multiple authorities (such as country of origin, logistics company, insurance company) might be involved, while ensuring that the users are able to verify all the transactions that occurred. The concept of multi-authority functional signature properly addresses this type of problems. For example, a headphone from Country A might be ordered to be delivered to Country B by a specific logistics company X with a insurance company. The transaction messages may be updated with info about the luminous intensity and the current location of the parcel should be signed through a MAFS with a policy such that ((Original country = Country A OR B) AND (Logistics = Company X OR Y) AND (Luminous Intensity ≤ 0.2lx)). In a MAFS scheme, a user obtains several secret keys associated with multiple properties, each of which is issued by a different authority. A sensor embedded in the parcel receives a secret key (for the country of origin A) from the producer S, a secret key for the logistics company X, and a secret key for a luminous intensity from the insurance company T, where the country of origin A, the logistics company X and the insurance company T are all individual authorities.. The sensor while the parcel in on route, updates the properties information of the parcel and signs the updated messages. A user can then verify that the signed transactions (depicted in Fig. 1) indeed occurred.
Our results Our main results and contributions can be summarised as follows: (i) we introduce for the definition of multi-authority functional signatures (MAFSs) for general policy functions; (ii) we provide a general transformation from a standard signature scheme to a MAFS scheme and a corresponding construction; (iii) given a non-function- Fig. 1 An example of using the multi-authority functional signature scheme in the IoT setting private FS scheme and a SNARK we provide a way to build a function private MAFS scheme.
In a MAFS scheme, multiple authorities can independently generate their master secret and master public verification keys. Any authority i should be able to generate a functional signing key for a user with identity UID and property U i along with a policy F over various authorities. A user UID, with signing keys for a policy function F and different property U i from the authority i ∈ [N], is allowed to generate a signature for the new message F (U 1 , . . . , U n , m) only if his property set {U i } i∈ [N] satisfies the policy, while anyone using the N authorities' master verification keys should be able to verify the validity of the message-signature pair. An important requirement for MAFS is the security (unforgeability) against collusion attacks, which states that colluding users e.g., whose identities are UID 1 with property U 1 and UID 2 with property U 2 (even if they collude with some corrupted authorities) should not be able to forge a signature endorsed by a user UID 1 with properties U 1 and U 2 . Another desirable property of MAFS is function privacy, which implies that the signature should reveal neither the function F that the functional signing key used in the signing process corresponds to, nor the message m that F was applied to. In particular, the notion of MAFS generalizes that of multi-authority attribute based signature [12].
In this paper, we first give a construction of MAFS that is not function private, based on any standard signature scheme. Then, assuming the existence of succinct noninteractive arguments of knowledge (SNARKS) for NP languages, we propose a function-private MAFS scheme from a non-function-private FS scheme. The resulting function-private MAFS scheme is defined in the common reference string model, which means that we allow all algorithms (and the adversary) to get as input also a public uniformly distributed common reference string [9,10]. Below we describe in an informal way, highlights of our results and the approaches we employ.
Theorem 1 (Informal) Assuming the existence of an existentially unforgeable signature scheme, then there exists a multi-authority functional signature scheme satisfying the unforgeability requirement but not function privacy.
Overview of the approach The master signing and verification key for each authority i ∈ [N] will correspond to a key pair, (msk i , mvk i ), in an underlying (standard) signature scheme. To generate a signing key for a user with UID and property U for a function F , the authority i does the following. First, it samples a fresh signing and verification key pair (sk i , vk i ) in the underlying signature scheme, and then signs the concatenation UID U F vk i using msk i . The signing key consists of this certificate (signature) together with sk i . Given N signing keys, a user can sign any message [N] , m) by signing m using each sk i , and outputting these N signatures, together with N certificates of UID U F vk i . Theorem 2 (Informal) Assuming the existence of SNARKs and a functional signature scheme that is unforgeable, then there exists a multi-authority functional signature scheme in the common reference string model satisfying the unforgeability requirement and function privacy.
Overview of the approach The setup algorithm generates a common reference string crs. The authority setup and key generation algorithms are the same as those of the construction in Theorem 2. Given N signing keys, a user does the following. First, it signs m using each sk f i , and then it generates a zero-knowledge SNARK for the following statement: ∀i ∈ [N], ∃σ i such that σ i is a valid signature of m * = f (m) under mvk i in the functional signature scheme. The final signature consists of the proof together with N certificates of UID U F vk i .

Related work
Multi-authority functional encryption Inspired by the distributed trust offered by public-key encryption, Chandran et al. [3] introduced a new primitive that is called Multi-Authority Functional Encryption (MAFE) as a generalization of both Functional Encryption and Multi-Authority Attribute-Based Encryption (MA-ABE). Based on subexponentially secure indistinguishability obfuscation and injective one-way functions they show how to obtain MAFE for arbitrary polynomial-size circuits, namely F ({U id } id∈S , m) which is a |S| + 1 variate policy function (each component is in {0, 1} k ) in MAFE that takes as input up to |S| properties and a message and outputs a value. In this paper, we generalise the definition of DMA-FS in [12] for even more general policy functions, which supports any polynomial sized boolean predicates other than the inner product relation and allows modifications of the original message. Such a generalisation is not straightforward. To achieve that we take advantage of the method that Chandran et al. [3] used to define the function policy in a multi-authority setting.
Multi-authority attribute based signature The concept of multi-authority attribute based signature (MA-ABS) was introduced by Okamoto et al. [9,10]. In a MA-ABS model, there are multiple authorities and each authority is responsible for issuing a secret key associated with a category of attributes. But a central trustee is required in addition to multiple authorities. Okamoto et al. [12] showed that if the central authority is corrupted in MA-ABS, the security (unforgeability) of the system will be totally broken. Thus, in [12] they proposed the first MA-ABS scheme with no central authority, which supports more general predicates, non-monotone access structures in which no central authority exists and no global coordination is required except for the setting of a parameter for a prime order bilinear group and hash functions under a standard assumption, the DLIN assumption in the random oracle model. They also proposed a more general signature scheme, DMA-FS scheme, which supports nonmonotone access structures combined with inner-product relations [11], and prove that the proposed DMA-FS scheme is fully secure (adaptive-predicate unforgeable and perfect private in the DMA security model) under the DLIN assumption in the random oracle model.
From the point of view of the class of functions that multi-authority FS supports, the DMA-FS scheme proposed by Okamoto et al. [12] is a special case of our generalized MAFS scheme, where the underlying predicate is specialized to be the inner product relation. Okamoto et al.'s DMA-FS scheme is fully secure (adaptive-predicate unforgeable and perfect private in the DMA security model) under the DLIN assumption in the random oracle model, while our MAFS scheme is secure in the common reference string model satisfying the unforgeability requirement and function privacy. Moreover, the notion of MA-ABS proposed by Okamoto et al. [12] is a specific case of our generalized MAFS for general policy functions since the policy function in MA-ABS can be considered as the special case of our MAFS where the policy function F always outputs the message m if the properties satisfy F . We require it to satisfy the following conditions:

Preliminaries
Unforgeability The scheme is unforgeable if the advantage of any PPT algorithm A in the following game is negligible: -The challenger generates (msk, mvk) ← FS.Setup(1 λ ), and gives mvk to A; -The adversary is allowed to query a key generation oracle O key , and a signing oracle O sign , that share a dictionary indexed by tuples (f, i) ∈ F × N, whose entries are signing keys: sk f i ← FS.KeyGen(msk, f ). This dictionary keeps track of the keys that have been previously generated during the unforgeability game. The oracles are defined as follows: • If there exists an entry for the key (f, i) in the dictionary, then output the corresponding value, sk i f . • Otherwise, sample a fresh key • If there exists an entry for the key (f, i) in the dictionary, then generate a signature on f (m) using this key:

Multi-authority functional signature
We describe syntax and security notions of a multi-authority functional signature scheme.
Definition 2 (Multi-Authority FS (MAFS)) A decentralized multi-authority FS scheme is composed of the following algorithms: Each authority id ∈ I runs the authority setup algorithm to generate its own public verification key and secret key pair, : When an authority id who wishes to issue a user, whose identity is UID, a secret key associated with a property U and a policy function F , it runs the key generation algorithm that outputs a secret key K UID,U id,F . The authority gives only if the user has obtained a set of secret keys {K } from the authorities such that all properties included in are satisfied by the policy function. Then, the user outputs the value F ({(id, U id )} (id,U id )∈ , m) and a signature of F ({(id, U id )} (id,U id )∈ , m). F takes as input up to | | properties and a message and outputs a value.
To verify a signature σ on a message m * , using a set of public keys for relevant authorities {MVK id } id∈ , a user runs the verification algorithm which outputs a boolean value accept := 1 or reject := 0.
← KeyGen(MSK id , UID, U id , F ) assigned by the authority id for the user UID with property U id and policy function F , and (F ( for a set of authorities ⊂ I, if it satisfies the following condition: The attacker selects a policy F and wishes to get the user UID's signature. to the dictionary. Run [N] , m), σ ) and return it back.
-At the end, A outputs (m * , σ * ). We say the adversary succeeds, if has never been sent as a query to the oracle O sign for any F * andm such that [N] , m) where for any i ∈S, (UID, i, U i , F * ) has been sent as a query to the oracle O key and the user UID's property set {(i, U i )} i∈ [N] is accepted by F * .

Remark 2
Since the predicate circuit Predic contained in the policy function F * is specified over N properties (i, U i ), we say that F * does not accept UID which means that when the properties corresponding to any authority i ∈S are taken from UID no matter what the leftover |S| properties of the user UID are, F * never accepts it.

Remark 3
The policy functions F 0 and F 1 should contain the same predicates, which means F 0 = Predic f 0 and F 1 = Predic f 1 .
Definition 6 (MAFS with CRS) We say that (ASetup, KeyGen, Sign, Verify) is a MAFS scheme with CRS if Definition 2 is satisfied except that we allow all algorithm (and the adversary) to get as input also a public uniformly distributed common random string.

MAFS from standard signatures
In this section, we provide a construction of a MAFS scheme based on any standard signature scheme (i.e., existentially unforgeable under chosen-message attacks). Our resulted MAFS scheme is proved to be unforgeable as the Definition 4, but not function private. The main ideas of our construction are as follows. The master signing and public keys for each authority i (MSK i , MVK i ) will simply be a standard key pair for the underlying signature scheme. The signing key generated by the authority i for a user's identity UID, a property U and a function F consists of a fresh key pair (sk, vk) for the underlying signature scheme, and a signature (with respect to MVK i ) on the user's identity UID, a property U and a function F together with vk. We can regard this signature as a certificate authenticating that the owner of key vk is allowed to sign values resulted from the policy function F .
Let λ denote the security parameter and N denote the bound on the number of authorities used, while signing the message. Let Sig=(Sig.Setup, Sig.Sign, Sig.V-erify) be a signature scheme that is existentially unforgeable. We propose a MAFS scheme as follows: -Sample a signing and verification key pair for signature scheme (sk i , vk i ) ← Sig.Setup(1 λ ).

Remark 4 When {(i, U i )} i∈[N]
is rejected by Predic the output of the policy function F will be ⊥, and the corresponding signature should also be ⊥.
to the oracle O key such that the user's UID property set {(i, U i )} i∈ [N] is accepted by F * and m * is in the range of the function F * .
Assume there are N − 1 authorities that are corrupted, while the uncorrupted one's identity is i * . There are two cases for such a forgery m * , σ * = (m, {c -Type I forgery: The tuples (vk i * , UID, U i * , F * ) satisfy that UID U i * F * vk i * has not been signed under mvk i * for the queries of A MA to both the oracle O sign and O key . -Type II forgery: The tuples (vk i * , UID, U i * , F * ) satisfy that UID U i * F * vk i * has been signed under mvk i * during the queries of A MA to both the oracle O sign and O key .
Here we assume that all the queries of A MA send to the oracles O sign are proceeded by the oracle O key to generate a signing key as intermediate steps.
We now describe the signature adversary B Sig . In the unforgeability game for the standard signature scheme, given the verification key vk Sig , and access to a signing oracle O Reg sig , B Sig wins the unforgeability game if he successfully outputs a forgery, i.e., a signature for a message that was not queried to O Reg sig . In order to play the role of the challenger interacting with A MA in the security game for MAFS, B Sig must simulate the O key and O sign oracles. B Sig flips a coin b, and proceeds as following.
Case 1: b = 1 B Sig guesses that A MA will produce a Type I forgery: First B Sig sets vk Sig as the master verification key for the authority i * in the MAFS security game, namely mvk i * := vk Sig and sends it to A MA . For all of the other corrupted authorities, B Sig behaves honestly. To simulate the O key and O sign oracles, B Sig maintains a dictionary indexed by the tuples (UID, i * , U j i * , F ), whose entries are signing keys that are generated by the authority i * for the user UID with property U j i * and policy function F . B Sig answers the queries issued by A MA as follows: , add it to the dictionary, and output it. Eventually, A MA outputs a message signature forgery m * , σ * = (m, {c . Since the forgery satisfies Sig.Verify(mvk as its message-forgery pair in the security game for the standard signature scheme.
Case 2: b = 0 B Sig guesses that A MA will produce a Type II forgery: For each authority i ∈ [N], B Sig generates Sig.Setup (1 λ ) → (msk i , mvk i ) and sets MSK i = msk i and MVK i = mvk i . B Sig forwards mvk i of all the authorities together with {msk i } for a specified set S = {i : i ∈ [N]\i * } of corrupted authorities to A MA . B Sig chooses a random value q * between 1 and Q(λ) as the index of MAFS's signing queries which the challenge verification key will be positioned on. We use numkeys to denote the number of signing keys that has been generated. We initialize numkeys= 0. As before, B Sig maintains a dictionary indexed by the tuples (UID, i * , U j i * , F ), whose entries are signing keys that are generated by the authority i * for the user UID with property   } i∈ [N] , {σ i } i∈ [N] ), then output (m * , σ ). numkeys is then incremented.
-If there is no {UID, i * , U i * , F } entry in the dictionary and numkeys = q * , or if the {UID, i * , U i * , F } entry in the dictionary is set to Chal, then B Sig sets vk i * := vk Sig , signs UID U i * F vk Sig under msk i * : σ vk i * ← Sig.Sign(msk i * , UID U i * F vk Sig ), and queries its oracle for a signature of m under vk Sig , [N] ), then output (m * , σ ). If there is no {UID, i * , U i * , F } entry in the dictionary, B Sig sets it to Chal. And numkeys is then incremented.
If B Sig does not abort, A MA will output a signature as its forgery for the standard signature scheme under vk Sig .
We will now argue that if A MA forges in the MAFS scheme with non-negligible probability then B Sig wins the unforgeability game for the standard signature scheme with non-negligible probability. We note that as long as A MA doesn't query the O key oracle for the secret key corresponding to the embedded vk Sig challenge, then B Sig perfectly simulates the O key and O sign oracle. Now, if A MA produces a Type I forgery, then this forgery must consist of a signature on a new message UID U i * F * vk i * that was not ever signed under the i * authority's master verification key mvk i * during the queries of A MA to both the oracle O key and O sign , which means that A MA produces a forgery on a new message UID U i * F * vk i * that B Sig did not query to his signature oracle, which yields a forgery for the standard signature scheme.
If A MA produces a Type II forgery, by definition the corresponding UID U i * F * vk i * should already have been signed under the i * authority's master verification key mvk i * during the queries of A MA to both the oracle O key and O sign . We declare that the tuple (UID, i * , U i * , F * ) cannot be queried to O key by A MA , since if it is then given the responded signing key, producing a signature under this signing key is not a valid forgery in the MAFS scheme. Therefore, the tuple (UID, i * , U i * , F * ) must then have been issued as a query to O sign . Namely, the verification key vk i * must be freshly generated for a query of form O sign ({UID, i * , U i * , F * }, {K UID,U i i,F * } i∈[N]\i * , m) for which no entry under index (UID, i * , U i * , F * ) previously existed, and then the pair UID U i * F * vk i * was signed under the master signing key of identity i * . Note that if A MA produces a Type II forgery and B Sig correctly guessed q * where his challenge is embedded in as well as B Sig does not abort, the forgery produced by A MA must consist of a signature on a new messagem under vk Sig , for am that B Sig has not queried from his own signing oracle, and therefore such a signature also constitutes a forgery for the standard signature scheme.
We note that, if B Sig does abort, it only can occur when B Sig did not guess the correct q * , since another possible condition of abort occurrence is when A MA made a query as O key (UID, i * , U i * , F * ), which is not allowed since if the adversary has queried the O key (UID, i * , U i * , F * ), no message in the range of F * would be considered a forgery in the MAFS game.
Thus, if A MA produces a forgery in MAFS scheme with non-negligible probability 1 P oly(λ) , then B Sig successfully forges in the underlying signature scheme with nonnegligible probability 1 2Q(λ)P oly(λ) , which contradicts with the assumption that Sig is existentially unforgeable. We conclude that the MAFS scheme as specified above is unforgeable as defined in Section 4.

Function-private MAFS from SNARKs
While the construction of MAFS above does not provide function privacy property, in this section we show how to obtain a MAFS scheme satisfying function privacy in the common reference string (CRS) model by employing the building blocks of a FS without function privacy guarantee and a succinct non-interactive argument of knowledge (SNARK). In the CRS model there is an additional setup algorithm, which takes as input the security parameter and outputs the CRS for the system.
As mentioned in the Remark 1, we considered the policy function F consisting of a predicate Predic which is to indicate the set of properties are accepted or not, and a deterministic function f which is to work on the input message.
where L is defined as above.

Hybrid 1
The same game as Hybrid 0 except that the proof in the challenge signature is generated in the simulated manner. Namely, the CRS is generated using the simulator algorithm (crs, trap) ← S crs (1 λ ). The challenger then uses the simulator to generate the proof π ← S Proof ((crs, trap), (m * , {mvk i } i∈ [N] )), where m * = f 0 (m 0 ) = f 1 (m 1 ).
Following directly from the zero knowledge property of the ZK-SNARK system, the difference between the advantage of the adversary A priv in guessing the bit b in Hybrid 0 and Hybrid 1 is negligible. Note that the view of A priv in Hybrid 1 is independent with the bit b, hence any PPT adversary cannot correctly guess the bit b with non-negligible advantage.

Conclusion
The emergence of the IoT, has led to millions of sensors and smart devices sending sensitive data across communication networks. Thus, it is of utmost importance to address the challenge of guaranteeing the integrity and authentication of the transmitted information. To achieve that we propose a generalized signature scheme with a fine grained access control, that can provide significant advantages to the digital world, in application settings where the authenticity of shared information is crucial e.g., smart healthcare, smart homes, smart cities. In this paper, we introduce the definition of multi-authority functional signatures (MAFSs) for general policy functions, and provide a general transformation from a standard signature scheme to a MAFS scheme satisfying unforgeability property but not function privacy. Given a non-function-private functional signature and a SNARK we provide a way to build a function private MAFS scheme.
Our MAFS can properly solve the problem we depicted in the IoT related delivery operation world and successfully provides both businesses and customers greater visibility and trackability of their products and parcels than ever before. In particular, by using our MAFS the records of all transactions during the en-route of delivery is able to be kept and renewed. Moreover, we allow the multiple authorities to be involved in the execution of the transactions, meanwhile ensuring that the users are able to verify all the transactions occurred in the network. We believe our MAFS can be applied to other IoT related application scenarios.

Definition 8
= (Gen, Prove, Verify) is a succinct nonintera-ctive argument for a language L ∈ NP with witness relation R if it satisfies the following properties: -Completeness: For all x, w such that R(x, w) = 1, and for all strings crs ← Gen(1 k ), Verify(crs, x, Prove(x, w, crs)) = 1. -Adaptive Soundness: There exists a negligible function μ(k), such that, for all PPT adversaries A, if crs ← Gen(1 k ) is sampled uniformly at random, then the probability that A(crs) will output a pair (x, π ) such that x / ∈ L and yet Verify(crs, x, π) = 1, is at most μ(k).
-Succinctness: There exists an universal polynomial p(k) that does not depend on the relation R, such that ∀x, w s.tR(x, w) = 1, crs ← Gen(1 k ), π ← Prove(x, w, crs), where R denotes the runtime of the relation associated with language L.
Definition 9 A SNARG = (Gen, Prove, Verify) is a succinct non-interactive argument of knowledge(SNARK) for a language L ∈ NP with witness relation R if there exists a negligible function μ(·) such that, for all PPT provers P * , there exists a PPT algorithm E P * = (E 1 P * , E 2 P * ) such that for every adversary A, where the probabilities are taken over (crs, trap) ← E 1 P * (1 k ), and over the random coin tosses of the extractor algorithm E 2 P * .
Definition 10 A SNARK = (Gen, Prove, Verify) is a zero-knowledge SNARK for a language L ∈ NP with witness relation R if there exist PPT algorithms S = (S crs , S Proof ) satisfying the following property: where S (crs, trap, x, w) = S Proof (crs, trap, x).