One-Shot Fiat-Shamir-Based NIZK Arguments of Composite Residuosity and Logarithmic-Size Ring Signatures in the Standard Model

Abstract: The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti et al. (STOC'19) and showed that, under the Learning-With-Errors (LWE) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to so-called trapdoor Σ-protocols. In order to be compatible with CI hash functions based on standard LWE assumptions with polynomial approximation factors, all known such protocols have been obtained via parallel… Show more

“…However, since the transformation of [23] only applies to Σprotocols with small challenge space, it has to be repeated O(λ) times in parallel to achieve negligible soundness error. In contrast, we achieve soundness without parallel repetitions as in [51]. Moreover, applying [23] to build a non-interactive variant of [24] would still require to fix the maximal cardinality of ranges ahead of time.…”

“…Correlation intractability for a relation R requires the infeasibility of finding x such that (x, H k (x)) ∈ R given a random hashing key k. It guarantees soundness by preventing a cheating prover's first message a from being hashed into a challenge Chall = H k (a) admitting a valid response z. Canetti et al [19] showed that CI hash functions for efficiently searchable relations suffice when Fiat-Shamir is applied to trapdoor Σ-protocols. These are Σ-protocols that assume a CRS and where an efficiently computable function BadChallenge can identify (on input of a trapdoor τ Σ , the false statement x and the prover's first message a) the only challenge Chall such that an accepting transcript (a, Chall, z) exists for some z. Libert et al [51] (based on earlier observations from [21,54]) showed that the group structure of Paillier allows BadChallenge to identify bad challenges within an exponentially large challenge space, thus eliminating the need for parallel repetitions to ensure soundness.…”

“…We recall a standard Σ-protocol that allows proving that an element of Z * N ζ+1 is a N ζ -th residue. In [51], it was shown that the latter protocol is a trapdoor…”

“…In order to obtain a BadChallenge function that identifies bad challenges for elements x ̸ ∈ L DCR , [51] uses an observation from Lipmaa [54], which shows that the factorization of N allows computing bad challenges even if gcd(x, N ) > 1.…”

“…In [51], it is shown that the above construction is a trapdoor Σ-protocol with large challenge space. By applying [61], this implies compact NIZK arguments (i.e., without using parallel repetitions to achieve negligible soundness error) for the language L DCR assuming that the LWE assumption holds.…”

Rational Modular Encoding in the DCR Setting: Non-interactive Range Proofs and Paillier-Based Naor-Yung in the Standard Model

“…However, since the transformation of [23] only applies to Σprotocols with small challenge space, it has to be repeated O(λ) times in parallel to achieve negligible soundness error. In contrast, we achieve soundness without parallel repetitions as in [51]. Moreover, applying [23] to build a non-interactive variant of [24] would still require to fix the maximal cardinality of ranges ahead of time.…”

“…Correlation intractability for a relation R requires the infeasibility of finding x such that (x, H k (x)) ∈ R given a random hashing key k. It guarantees soundness by preventing a cheating prover's first message a from being hashed into a challenge Chall = H k (a) admitting a valid response z. Canetti et al [19] showed that CI hash functions for efficiently searchable relations suffice when Fiat-Shamir is applied to trapdoor Σ-protocols. These are Σ-protocols that assume a CRS and where an efficiently computable function BadChallenge can identify (on input of a trapdoor τ Σ , the false statement x and the prover's first message a) the only challenge Chall such that an accepting transcript (a, Chall, z) exists for some z. Libert et al [51] (based on earlier observations from [21,54]) showed that the group structure of Paillier allows BadChallenge to identify bad challenges within an exponentially large challenge space, thus eliminating the need for parallel repetitions to ensure soundness.…”

“…We recall a standard Σ-protocol that allows proving that an element of Z * N ζ+1 is a N ζ -th residue. In [51], it was shown that the latter protocol is a trapdoor…”

“…In order to obtain a BadChallenge function that identifies bad challenges for elements x ̸ ∈ L DCR , [51] uses an observation from Lipmaa [54], which shows that the factorization of N allows computing bad challenges even if gcd(x, N ) > 1.…”

“…In [51], it is shown that the above construction is a trapdoor Σ-protocol with large challenge space. By applying [61], this implies compact NIZK arguments (i.e., without using parallel repetitions to achieve negligible soundness error) for the language L DCR assuming that the LWE assumption holds.…”

Rational Modular Encoding in the DCR Setting: Non-interactive Range Proofs and Paillier-Based Naor-Yung in the Standard Model

Simple, Fast, Efficient, and Tightly-Secure Non-malleable Non-interactive Timed Commitments

Multi-Theorem Fiat-Shamir Transform from Correlation-Intractable Hash Functions