Sune K. Jakobsen

Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact. Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.

Mutual Information Matrices Are Not Always Positive Semidefinite

For discrete random variables X₁, ..., X_n we construct an n by n matrix. In the (i, j)-entry we put the mutual information I(X_i ; X_j) between X_i and X_j. In particular, in the (i, i)-entry we put the entropy H(X_i) = I(X_i; X_i) of X_i. This matrix, called the mutual information matrix of (X₁, ..., X_n), has been conjectured to be positive semidefinite. In this paper, we give counterexamples to the conjecture, and show that the conjecture holds for up to three random variables.

Information Theoretical Cryptogenography.

We consider problems where n people are communicating and a random subset of them is trying to leak information, without making it clear who are leaking the information. We introduce a measure of suspicion and show that the amount of leaked information will always be bounded by the expected increase in suspicion, and that this bound is tight. Suppose a large number of people have some information they want to leak, but they want to ensure that after the communication, an observer will assign probability at most c to the events that each of them is trying to leak the information. How much information can they reliably leak, per person who is leaking? We show that the answer is

Timeability of Extensive-Form Games

\left( \frac{-\log (1-c)}{c}-\log (e)\right)

Some Remarks on Real Numbers Induced by First-Order Spectra

-log(1-c)c-log(e) bits.

Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution.

We ask whether it is possible to anonymously communicate a large amount of data using only public (non-anonymous) communication together with a small anonymous channel. We think this is a central question in the theory of anonymous communication and to the best of our knowledge this is the first formal study in this direction. Towards this goal, we introduce the novel concept of anonymous steganography: think of a leaker Lea who wants to leak a large document to Joe the journalist. Using anonymous steganography Lea can embed this document in innocent looking communication on some popular website (such as cat videos on YouTube or funny memes on 9GAG). Then Lea provides Joe with a short decoding key dk which, when applied to the entire website, recovers the document while hiding the identity of Lea among the large number of users of the website. Our contributions include: Introducing and formally defining anonymous steganography, A construction showing that anonymous steganography is possible (which uses recent results in circuits obfuscation), A lower bound on the number of bits which are needed to bootstrap anonymous communication.

Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability.

Extensive-form games constitute the standard representation scheme for games with a temporal component. But do all extensive-form games correspond to protocols that we can implement in the real world? We often rule out games with imperfect recall, which prescribe that an agent forget something that she knew before. In this paper, we show that even some games with perfect recall can be problematic to implement. Specifically, we show that if the agents have a sense of time passing (say, access to a clock), then some extensive-form games can no longer be implemented; no matter how we attempt to time the game, some information will leak to the agents that they are not supposed to have. We say such a game is not exactly timeable. We provide easy-to-check necessary and sufficient conditions for a game to be exactly timeable. Most of the technical depth of the paper concerns how to approximately time games, which we show can always be done, though it may require large amounts of time. Specifically, we show that some games require time proportional to the power tower of height proportional to the number of players, which in practice would make them untimeable. We hope to convince the reader that timeability should be a standard assumption, just as perfect recall is today. Besides the conceptual contribution to game theory, we show that timeability has implications for onion routing protocols.

How to Bootstrap Anonymous Communication.

Is there a joint distribution of n random variables over the natural numbers, such that they always form an increasing sequence and whenever you take two subsets of the set of random variables of the same cardinality, their distribution is almost the same?