Shorter Non-interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages

Couteau, Geoffroy; Hartmann, Dominik

doi:10.1007/978-3-030-56877-1_27

Cited by 25 publications

(36 citation statements)

References 76 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is one of the main techniques for proving quadratic equations in Z p in bilinear groups (in the CRS model and under standard assumptions), and any efficiency improvement in the same opening step (4) would have a direct impact on the overall efficiency. We note that there is another construction, introduced very recently in [9], that proves that a commitment over G 1 opens to either 0 or 1. Their approach consists of using a pairing to compile interactive arguments into non-interactive ones, and they manage to prove that a commitment opens to a bit with 7 group elements.…”

Section: Introductionmentioning

confidence: 95%

See 1 more Smart Citation

QA-NIZK Arguments of Same Opening for Bilateral Commitments

Ràfols

Silva

2020

Progress in Cryptology - AFRICACRYPT 2020

View full text Add to dashboard Cite

Zero-knowledge proofs of satisfiability of linear equations over a group are often used as a building block of more complex protocols. In particular, in an asymmetric bilinear group we often have two commitments in different sides of the pairing, and we want to prove that they open to the same value. This problem was tackled by González, Hevia and Ràfols (ASIACRYPT 2015), who presented an aggregated proof, in the QA-NIZK setting, consisting of only four group elements. In this work, we present a more efficient proof, which is based on the same assumptions and consists of three group elements. We argue that our construction is optimal in terms of proof size.

show abstract

Section: Introductionmentioning

confidence: 95%

“…For comparison, the Groth-Sahai approach requires 10 group elements using our approach. Groth-Sahai proofs still seem better for proving that n commitments to a bit: in [9] the proof scales linearly, whereas if we use the aggregated version of our scheme, n proofs require 6n + 3 elements.…”

Section: Introductionmentioning

confidence: 99%

QA-NIZK Arguments of Same Opening for Bilateral Commitments

Ràfols

Silva

2020

Progress in Cryptology - AFRICACRYPT 2020

View full text Add to dashboard Cite

show abstract

“…We then construct a NIZK. We implicitly use the CH-compiler but in a way, different from [CH20]. We focus on the important set-ting of commit-and-prove NIZK argument systems [Lip16,KOS18,Kiy20], i.e.…”

Section: Our Contributionmentioning

confidence: 99%

“…The argument of Couteau and Hartmann [CH20] improves over (even optimized variants of) the standard Groth-Sahai approach on essentially all known algebraic languages. Couteau and Hartmann illustrated this by providing shorter proofs for linear languages (Diffie-Hellman tuples, membership in a linear subspace) and OR proofs (and more generally, membership in t out of n possibly different linear languages), two settings with numerous important applications (to structure-preserving signatures, tightly-secure simulation-sound NIZKs, tightly-mCCA-secure cryptosystems, ring signatures...).…”

Section: Efficiency Generality and Security Of Our Nizksmentioning

confidence: 99%

“…The Couteau-Hartmann argument system. Very recently, Couteau and Hartmann put forth a new framework for constructing pairing based NIZKs [CH20]. At a high level, their approach compiles a specific interactive zero-knowledge proof into a NIZK (as does Fiat-Shamir), by embedding the challenge in the exponent of a group equipped with an asymmetric pairing.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient NIZKs for Algebraic Sets

Couteau¹,

Lipmaa²,

Parisella³

et al. 2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Significantly extending the framework of (Couteau and Hartmann, Crypto 2020), we propose a general methodology to construct NIZKs for showing that an encrypted vector χ belongs to an algebraic set, i.e., is in the zero locus of an ideal I of a polynomial ring. In the case where I is principal, i.e., generated by a single polynomial F , we first construct a matrix that is a "quasideterminantal representation" of F and then a NIZK argument to show that F (χ) = 0. This leads to compact NIZKs for general computational structures, such as polynomial-size algebraic branching programs. We extend the framework to the case where I is non-principal, obtaining efficient NIZKs for R1CS, arithmetic constraint satisfaction systems, and thus for NP. As an independent result, we explicitly describe the corresponding language of ciphertexts as an algebraic language, with smaller parameters than in previous constructions that were based on the disjunction of algebraic languages. This results in an efficient GL-SPHF for algebraic branching programs.

show abstract

Shorter Non-interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages

Couteau

Hartmann

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We put forth a new framework for building pairing-based non-interactive zeroknowledge (NIZK) arguments for a wide class of algebraic languages, which are an extension of linear languages, containing disjunctions of linear languages and more. Our approach differs from the Groth-Sahai methodology, in that we rely on pairings to compile a Σ-protocol into a NIZK. Our framework enjoys a number of interesting features:conceptual simplicity, parameters derive from the Σ-protocol; proofs as short as resulting from the Fiat-Shamir heuristic applied to the underlying Σprotocol; fully adaptive soundness and perfect zero-knowledge in the common random string model with a single random group element as CRS; yields simple and efficient two-round, public coin, publicly-verifiable perfect witness-indistinguishable (WI) arguments(ZAPs) in the plain model. To our knowledge, this is the first construction of two-rounds statistical witness-indistinguishable arguments from pairing assumptions. Our proof system relies on a new (static, falsifiable) assumption over pairing groups which generalizes the standard kernel Diffie-Hellman assumption in a natural way and holds in the generic group model (GGM) and in the algebraic group model (AGM). Replacing Groth-Sahai NIZKs with our new proof system allows to improve several important cryptographic primitives. In particular, we obtain the shortest tightly-secure structurepreserving signature scheme (which are a core component in anonymous credentials), the shortest tightly-secure quasi-adaptive NIZK with unbounded simulation soundness (which in turns implies the shortest tightly-mCCA-secure cryptosystem), and shorter ring signatures.

show abstract

Shorter Non-interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages

Cited by 25 publications

References 76 publications

QA-NIZK Arguments of Same Opening for Bilateral Commitments

QA-NIZK Arguments of Same Opening for Bilateral Commitments

Efficient NIZKs for Algebraic Sets

Shorter Non-interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages

Contact Info

Product

Resources

About