
Efficient Range Proofs with Transparent Setup from Bounded Integer Commitments

Conference paper. In: Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12698)

Abstract

We introduce a new approach for constructing range proofs. Our approach is modular, and leads to highly competitive range proofs under standard assumptions, using less communication and (much) less computation than the state-of-the-art methods, and without relying on a trusted setup. Our range proofs can be used as a drop-in replacement in a variety of protocols such as distributed ledgers, anonymous transaction systems, and many more, leading to significant reductions in communication and computation for these applications.

At the heart of our result is a new method to transform any commitment over a finite field into a commitment scheme which allows one to commit to, and efficiently prove relations about, bounded integers. Combining these new commitments with a classical approach for range proofs based on square decomposition, we obtain several new instantiations of a paradigm which was previously limited to RSA-based range proofs (with high communication and computation, and trusted setup). More specifically, we get:

  • Under the discrete logarithm assumption, we obtain the most compact and efficient range proof among all existing candidates (with or without trusted setup). Our proofs are \(12\%\) to \(20\%\) shorter than the state-of-the-art Bulletproof (Bootle et al., CRYPTO’18) for standard choices of range size and security parameter, and are more efficient (both for the prover and the verifier) by more than an order of magnitude.

  • Under the LWE assumption, we obtain range proofs that improve over the state of the art in a batch setting when at least a few dozen range proofs are required. The amortized communication of our range proofs improves by up to two orders of magnitude over the state of the art as the number of required range proofs grows.

  • Finally, under standard class group assumptions, we obtain the first concretely efficient standard integer commitment scheme (without bounds on the size of the committed integer) which does not assume trusted setup.
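The square-decomposition approach the abstract refers to, as an added Python example that is not from the paper: to show \(x \in [a, b]\) the prover exhibits \(4(x-a)(b-x)+1\) as a sum of three squares (always possible by Legendre's three-square theorem, since \(4m+1\) is never of the form \(4^k(8l+7)\)), and the verifier's identity is only meaningful over the integers, which is why a commitment to bounded integers rather than to field elements is needed. Parameters are small constructed values so that brute-force search suffices, and the function names are my own.

```python
from itertools import product
from math import isqrt

def three_squares(n):
    """Return (s1, s2, s3) with s1^2 + s2^2 + s3^2 == n over the integers.
    Legendre: n is a sum of three squares unless n = 4^k(8l+7); n = 4m+1 is
    odd and not 7 mod 8, so it always decomposes (brute force, small n only)."""
    for s1 in range(isqrt(n), -1, -1):
        r1 = n - s1 * s1
        for s2 in range(isqrt(r1), -1, -1):
            r2 = r1 - s2 * s2
            s3 = isqrt(r2)
            if s3 * s3 == r2:
                return (s1, s2, s3)
    return None  # unreachable for n = 4m+1 with m >= 0

def range_witness(x, a, b):
    """Prover side (hypothetical helper): x in [a, b] iff (x-a)(b-x) >= 0 over Z.
    The witness is a three-square decomposition of 4(x-a)(b-x)+1; a prover
    holding an x outside the range has no witness at all (returns None)."""
    m = (x - a) * (b - x)
    if m < 0:
        return None
    return three_squares(4 * m + 1)

def verify_over_integers(x, a, b, squares):
    """Verifier's check as an integer identity: sound, because a sum of integer
    squares is non-negative, which forces (x-a)(b-x) >= 0 and hence a <= x <= b."""
    s1, s2, s3 = squares
    return s1 * s1 + s2 * s2 + s3 * s3 == 4 * (x - a) * (b - x) + 1

def verify_over_field(x, a, b, squares, p):
    """The same check carried out modulo a prime p, as a commitment over a
    finite field would do it: unsound, since 'non-negative' has no meaning in
    F_p and every residue mod p is a sum of two squares."""
    s1, s2, s3 = squares
    return (s1 * s1 + s2 * s2 + s3 * s3 - (4 * (x - a) * (b - x) + 1)) % p == 0

def forge_over_field(x, a, b, p):
    """For an out-of-range x, find squares satisfying the relation mod p only."""
    target = (4 * (x - a) * (b - x) + 1) % p
    for s1, s2 in product(range(p), repeat=2):
        if (s1 * s1 + s2 * s2) % p == target:
            return (s1, s2, 0)
    return None  # cannot happen for prime p
```

The contrast between the last two functions is the reason the bounded integer commitment of the paper is required: the square relation proves range membership only when the verifier is guaranteed the committed values are genuine bounded integers.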


Notes

  1. https://web.getmonero.org/resources/moneropedia/bulletproofs.html.

  2. https://github.com/BeamMW/beam.

  3. https://cointelegraph.com/news/cryptocurrency-grin-follows-through-with-anticipated-july-17-mainnet-hardfork.

  4. There have been several recent follow-up works [HKR19, AC20] to Bulletproof, which expand the set of relations captured by the framework, but do not translate into concrete improvements on the size of the range proofs produced by this framework.

  5. While it is theoretically possible to use a very large random integer as RSA modulus, without relying on a trusted party to compute a product of safe primes, this approach is completely impractical due to the very large group size and amount of computation; see the discussion on RSA-UFO in [LM19].

  6. https://z.cash/technology/paramgen/.

  7. Since our bounded integer commitment scheme requires the committed values to remain within a bounded range, we actually require a slightly larger group size compared to Bulletproof to achieve the same security level; this is accounted for in our concrete comparison and will be covered in detail in the technical overview.

  8. Note that the distinction between structured and unstructured random strings is crucial in real-world applications: the former unavoidably requires either a trusted third party or a secure distributed setup. However, the latter can be instantiated in the real world using standard heuristic ‘nothing-up-my-sleeve’ methods.

  9. In fact, masking, and hence zero-knowledge, degrades gracefully in the size of x.

  10. The optimization of the Pedersen commitment scheme with short exponents relies on the \(\mathsf {SEI}\), which for relevant ranges is equivalent to \(\mathsf {DLSE}\).

  11. In the scheme, to save space, we use a hash function so that the mask commitments need not be sent to the verifier.

  12. For more details on the technique and the proof of security, we refer to the range proof in the lattice setting of the full version. It uses rejection sampling for masking the randomness of the commitment scheme.

References

  1. Attema, T., Cramer, R.: Compressed \(\varSigma \)-protocol theory and practical application to plug & play secure algorithmics. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 513–543. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_18

  2. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23

  3. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, May 2018

  4. Blömer, J., Bobolz, J., Diemert, D., Eidens, F.: Updatable anonymous credentials and applications to incentive systems. In: ACM CCS 2019, pp. 1671–1685. ACM Press, November 2019

  5. Brickell, E.F., Chaum, D., Damgård, I., van de Graaf, J.: Gradual and verifiable release of a secret (extended abstract). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 156–166. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_11

  6. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29

  7. Benarroch, D.: Diving into the zk-SNARKs setup phase. https://medium.com/qed-it/diving-into-the-snarks-setup-phase-b7660242a0d7

  8. Bootle, J., Lehmann, A., Lyubashevsky, V., Seiler, G.: Compact privacy protocols from post-quantum and timed classical assumptions. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 226–246. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_13

  9. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31

  10. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15

  11. Croman, K., et al.: On scaling decentralized blockchains. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 106–125. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_8

  12. Chaum, D.: Showing credentials without identification transferring signatures between unconditionally unlinkable pseudonyms. In: Seberry, J., Pieprzyk, J. (eds.) AUSCRYPT 1990. LNCS, vol. 453, pp. 245–264. Springer, Heidelberg (1990). https://doi.org/10.1007/BFb0030366

  13. Chung, H., Han, K., Ju, C., Kim, M., Seo, J.H.: Bulletproofs+: shorter proofs for privacy-enhanced distributed ledger. Cryptology ePrint Archive, Report 2020/735 (2020). https://eprint.iacr.org/2020/735

  14. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18

  15. Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 321–350. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_11

  16. Cecchetti, E., Zhang, F., Ji, Y., Kosba, A., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 701–717 (2017)

  17. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8

  18. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225

  19. Fouque, P.-A., Stern, J., Wackers, G.-J.: Cryptocomputing with rationals. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 136–146. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36504-4_10

  20. Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_22

  21. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

  22. Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_32

  23. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23

  24. Hoffmann, M., Klooß, M., Rupp, A.: Efficient zero-knowledge arguments in the discrete log setting, revisited. In: ACM CCS 2019, pp. 2093–2110. ACM Press, November 2019

  25. Hoffmann, M., Klooß, M., Raiber, M., Rupp, A.: Black-box wallets: fast anonymous two-way payments for constrained devices. PoPETs 2020(1), 165–194 (2020)

  26. Hoffstein, J., Pipher, J., Whyte, W., Zhang, Z.: A signature scheme from learning with truncation. Cryptology ePrint Archive, Report 2017/995 (2017). http://eprint.iacr.org/2017/995

  27. Koshiba, T., Kurosawa, K.: Short exponent Diffie-Hellman problems. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 173–186. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_13

  28. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003)

  29. Lipmaa, H.: On diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26

  30. Lai, R.W.F., Malavolta, G.: Subvector commitments with application to succinct arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 530–560. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_19

  31. Lyubashevsky, V., Neven, G.: One-shot verifiable encryption from lattices. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 293–323. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_11

  32. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  33. Miola, A.: Addressing privacy and fungibility issues in bitcoin: confidential transactions (2018)

  34. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  35. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33

  36. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

  37. Pollack, P., Schorn, P.: Dirichlet’s proof of the three-square theorem: an algorithmic perspective. Math. Comput. 88(316), 1007–1019 (2019)

  38. Rabin, M.O., Shallit, J.O.: Randomized algorithms in number theory, pp. S239–S256 (1986)

  39. Slepak, G.: How to compromise zcash and take over the world. https://blog.okturtles.org/2016/09/how-to-compromise-zcash-and-take-over-the-world/

  40. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6


Corresponding author

Correspondence to Michael Reichle.


© 2021 International Association for Cryptologic Research


Cite this paper

Couteau, G., Klooß, M., Lin, H., Reichle, M. (2021). Efficient Range Proofs with Transparent Setup from Bounded Integer Commitments. In: Canteaut, A., Standaert, F.-X. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol 12698. Springer, Cham. https://doi.org/10.1007/978-3-030-77883-5_9


  • DOI: https://doi.org/10.1007/978-3-030-77883-5_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77882-8

  • Online ISBN: 978-3-030-77883-5
