
Compressed \(\varSigma \)-Protocols for Bilinear Group Arithmetic Circuits and Application to Logarithmic Transparent Threshold Signatures

Part of the Lecture Notes in Computer Science book series (LNSC, volume 13093)

Abstract

Lai et al. (CCS 2019) have shown how the Bulletproofs arithmetic-circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, i.e., without requiring these circuits to be translated into standard arithmetic circuits.

In a nutshell, a bilinear group arithmetic circuit is a standard arithmetic circuit augmented with special gates capturing group exponentiations or pairings. Such circuits are highly relevant, e.g., in the context of zero-knowledge statements over pairing-based languages. As expressing these special gates in terms of a standard arithmetic circuit results in a significant overhead in circuit size, an approach to zero-knowledge via standard arithmetic circuits may incur substantial additional costs. The approach due to Lai et al. shows how to avoid this by integrating additional zero-knowledge techniques into the Bulletproof framework so as to handle the special gates very efficiently.

We take a different approach by generalizing Compressed \(\varSigma \)-Protocol Theory (CRYPTO 2020) from arithmetic circuit relations to bilinear group arithmetic circuit relations. Besides its conceptual simplicity, our approach has the practical advantage of reducing the communication costs of Lai et al.'s protocol by roughly a factor of 3.

Finally, we show an application of our results which may be of independent interest. We construct the first k-out-of-n threshold signature scheme (TSS) that allows for transparent setup and that yields threshold signatures of size logarithmic in n. The threshold signature hides the identities of the k signers and the threshold k can be dynamically chosen at aggregation time.

Keywords

  • Zero-knowledge
  • Bilinear groups
  • Pairings
  • Compressed \(\varSigma \)-Protocol Theory
  • Threshold signature schemes


Notes

  1. This is perhaps not immediate from the paper [35], but it has been confirmed by the authors. See also Sect. 6.3.

References

  1. Full version of this paper. IACR ePrint 2020/1147
  2. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2015). https://doi.org/10.1007/s00145-014-9196-7
  3. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. IACR ePrint 2005/385 (2005)
  4. Attema, T., Cramer, R.: Compressed \(\Sigma \)-protocol theory and practical application to plug & play secure algorithmics. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 513–543. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_18
  5. Attema, T., Cramer, R., Fehr, S.: Compressing proofs of \(k\)-out-of-\(n\)-partial knowledge. IACR ePrint 2020/753 (2020)
  6. Attema, T., Cramer, R., Kohl, L.: A compressed \(\Sigma \)-protocol theory for lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 549–579. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_19
  7. Ballard, L., Green, M., de Medeiros, B., Monrose, F.: Correlation-resistant storage via keyword-searchable encryption. IACR ePrint 2005/417 (2005)
  8. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM CCS 1993 (1993)
  9. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3
  10. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
  11. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
  12. Boyle, E., Cohen, R., Goel, A.: Breaking the \(O(\sqrt{n})\)-bits barrier: balanced byzantine agreement with polylog bits per-party. In: To appear in ACM PODC (2021)
  13. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE S&P (2018)
  14. Bünz, B., Maller, M., Mishra, P., Vesely, N.: Proofs for inner pairing products and applications. IACR ePrint 2019/1177 (2019)
  15. Cachin, C., Kursawe, K., Shoup, V.: Random oracles in Constantinople: practical asynchronous byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005). https://doi.org/10.1007/s00145-005-0318-0
  16. Canetti, R.: Universally composable signature, certification, and authentication. In: IEEE Computer Security Foundations Workshop 2004 (2004)
  17. Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, CWI and University of Amsterdam (1996)
  18. Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055745
  19. Cramer, R., Damgård, I., Pastro, V.: On the amortized complexity of zero knowledge protocols for multiplicative relations. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 62–79. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32284-6_4
  20. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
  21. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  22. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156, 3113–3121 (2008)
  23. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2
  24. Gennaro, R., Goldfeder, S.: One round threshold ECDSA with identifiable abort. IACR ePrint 2020/540 (2020)
  25. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31
  26. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure applications of Pedersen's distributed key generation protocol. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 373–390. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_26
  27. Ghoshal, A., Tessaro, S.: Tight state-restoration soundness in the algebraic group model. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 64–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_3
  28. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
  29. Haque, A., Krenn, S., Slamanig, D., Striecks, C.: Logarithmic-size (linkable) threshold ring signatures in the plain model. IACR ePrint 2020/683 (2020)
  30. Harchol, Y., Abraham, I., Pinkas, B.: Distributed SSH key management with proactive RSA threshold signatures. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 22–43. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_2
  31. Hoffmann, M., Klooß, M., Rupp, A.: Efficient zero-knowledge arguments in the discrete log setting, revisited. In: ACM CCS 2019 (2019)
  32. Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash Protocol Specification, Version 2020.1.7 (2020)
  33. Kokoris-Kogias, E., Spiegelman, A., Malkhi, D.: Asynchronous distributed key generation for computationally-secure randomness, consensus, and threshold signatures. In: ACM CCS 2020 (2020)
  34. Komlo, C., Goldberg, I.: FROST: flexible round-optimized Schnorr threshold signatures. In: SAC 2020, pp. 34–65 (2020)
  35. Lai, R.W.F., Malavolta, G., Ronge, V.: Succinct arguments for bilinear group arithmetic: practical structure-preserving cryptography. In: ACM CCS 2019, pp. 2057–2074 (2019)
  36. Libert, B., Joye, M., Yung, M.: Born and raised distributively: fully distributed non-interactive adaptively-secure threshold signatures with short shares. Theor. Comput. Sci. 645, 1–24 (2016)
  37. Libra Team: State machine replication in the Libra Blockchain, version 2019-10-24 (2019)
  38. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003). https://doi.org/10.1007/s00145-002-0143-7
  39. Nayak, K., Ren, L., Shi, E., Vaidya, N.H., Xiang, Z.: Improved extension protocols for byzantine broadcast and agreement. In: DISC 2020, pp. 28:1–28:17 (2020)
  40. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
  41. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
  42. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)
  43. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15


Acknowledgments

We are grateful for the constructive and encouraging comments from Hieu Phan. We also thank Thijs Veugen for numerous helpful editorial comments. We thank Russell Lai for answering some relevant questions regarding his prior work [35] and for explaining their techniques. Thomas Attema has been supported by the Vraaggestuurd Programma Veilige Maatschappij, supervised by the Innovation Team of the Dutch Ministry of Justice and Security, and the Vraaggestuurd Programma Cyber Security, part of the Dutch Top Sector High Tech Systems and Materials programme. Ronald Cramer has been supported by ERC ADG project No 74079 (ALGSTRONGCRYPTO) and by the NWO Gravitation Programme (QSC).

Author information

Correspondence to Thomas Attema, Ronald Cramer or Matthieu Rambaud.


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Attema, T., Cramer, R., Rambaud, M. (2021). Compressed \(\varSigma \)-Protocols for Bilinear Group Arithmetic Circuits and Application to Logarithmic Transparent Threshold Signatures. In: Tibouchi, M., Wang, H. (eds.) Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science, vol. 13093. Springer, Cham. https://doi.org/10.1007/978-3-030-92068-5_18


  • DOI: https://doi.org/10.1007/978-3-030-92068-5_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92067-8

  • Online ISBN: 978-3-030-92068-5
