Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

  • Jonathan Bootle
  • Jens Groth
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10770)

Abstract

Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary.

In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies.

We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art.

Keywords

Sigma-protocol, Zero-knowledge argument, Batch-verification, Discrete logarithm assumption

References

  1. Bayer, S.: Practical zero-knowledge protocols based on the discrete logarithm assumption. Ph.D. thesis, University College London (2014)
  2. Bayer, S., Groth, J.: Zero-knowledge argument for polynomial evaluation with application to blacklists. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 646–663. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_38
  3. Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking. In: EUROCRYPT, pp. 236–250 (1998)
  4. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
  5. Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J.: Foundations of fully dynamic group signatures. In: Manulis, M., Sadeghi, A.R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 117–136. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_7
  6. Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13
  7. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
  8. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. Cryptology ePrint Archive, Report 2017/872 (2017). http://eprint.iacr.org/2017/872
  9. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31
  10. Brands, S., Demuynck, L., De Decker, B.: A practical system for globally revoking the unlinkable pseudonyms of unknown users. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 400–415. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73458-1_29
  11. Bresson, E., Stern, J.: Efficient revocation in group signatures. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 190–206. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_15
  12. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15
  13. Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_27
  14. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
  15. Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical report 260, ETH Zurich (1997)
  16. Chaabouni, R., Lipmaa, H., Shelat, A.: Additive combinatorics and discrete logarithm based range protocols. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 336–351. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_21
  17. Couteau, G., Peters, T., Pointcheval, D.: Removing the strong RSA assumption from arguments over the integers. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 321–350. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_11
  18. Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055745
  19. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
  20. Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_30
  21. Damgård, I., Triandopoulos, N.: Supporting non-membership proofs with bilinear-map accumulators. IACR ePrint Archive, Report 2008/538 (2008)
  22. Fauzi, P., Lipmaa, H., Zhang, B.: Efficient non-interactive zero knowledge arguments for set operations. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 216–233. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_14
  23. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225
  24. Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 177–194. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_11
  25. Gennaro, R., Leigh, D., Sundaram, R., Yerazunis, W.: Batching Schnorr identification scheme with applications to privacy-preserving authorization and low-bandwidth communication devices. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 276–292. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_20
  26. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
  27. Groth, J.: Honest verifier zero-knowledge arguments applied. Ph.D. thesis, Aarhus University (2004)
  28. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
  29. Henry, R., Goldberg, I.: Batch proofs of partial knowledge. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 502–517. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_32
  30. Herranz, J.: Attribute-based versions of Schnorr and ElGamal. Appl. Algebra Eng. Commun. Comput. 27(1), 17–57 (2016)
  31. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_1
  32. Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 295–312. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_17
  33. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
  34. Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC, pp. 723–732 (1992)
  35. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4
  36. Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_17
  37. Libert, B., Ramanna, S.C., Yung, M.: Functional commitment schemes: from polynomial commitments to pairing-based accumulators from simple assumptions. In: 43rd International Colloquium on Automata, Languages, and Programming, ICALP 2016, 11–15 July 2016, Rome, Italy, pp. 30:1–30:14 (2016)
  38. Lipmaa, H.: On diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26
  39. Micali, S., Rabin, M.O., Kilian, J.: Zero-knowledge sets. In: FOCS, pp. 80–91 (2003)
  40. Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_19
  41. Papamanthou, C., Shi, E., Tamassia, R.: Signatures of correct computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 222–242. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_13
  42. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
  43. Peng, K.: A general, flexible and efficient proof of inclusion and exclusion. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 168–183. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32298-3_12
  44. Peng, K., Bao, F.: Batch ZK proof and verification of OR logic. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 141–156. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01440-6_13
  45. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  46. Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, 22–26 May 2017, pp. 863–880 (2017)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. University College London, London, UK