Shorter Quadratic QA-NIZK Proofs

Daza, Vanesa; González, Alonso; Pindado, Zaira; Ràfols, Carla; Silva, Javier

doi:10.1007/978-3-030-17253-4_11

Cited by 16 publications

(8 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, a natural strategy would be to commit to wires with shrinking commitments and use any constant-size QA-NIZK argument of membership in linear spaces (e.g. [26]) to give an aggregated proof that the affine constraints hold and use "aggregated" variants of GS Proofs [19] such as [14,2] for the quadratic constraints.…”

Section: Our Techniquesmentioning

confidence: 99%

“…The cost of giving the committed secret inputs and a proof that they open to {0, 1} using the GS proof system is (6(n 0 − n pub ), 6(n 0 − n pub )) group elements. It can be reduced to (2(n 0 − n pub ) + 10, 10) group elements under standard assumptions using the results of González and Ràfols [14], but at the price of having a crs quadratic in n 0 and to (2n 0 +4, 6) with a linear crs under a non-standard (falsifiable) (n 0 −n pub )assumption similar to the q-Target Strong Diffie-Hellman Assumption using the results of Daza et al [2].…”

Section: A New Argument For Correct Boolean Circuit Evaluationmentioning

confidence: 99%

See 1 more Smart Citation

Shorter Pairing-Based Arguments Under Standard Assumptions

González

Ràfols

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper constructs efficient non-interactive arguments for correct evaluation of arithmetic and boolean circuits with proof size O(d) group elements, where d is the multiplicative depth of the circuit, under falsifiable assumptions. This is achieved by combining techniques from SNARKs and QA-NIZK arguments of membership in linear spaces. The first construction is very efficient (the proof size is ≈ 4d group elements and the verification cost is ≈ 4d pairings and O(n + n + d) exponentiations, where n is the size of the input and n of the output) but one type of attack can only be ruled out assuming the knowledge soundness of QA-NIZK arguments of membership in linear spaces. We give an alternative construction which replaces this assumption with a decisional assumption in bilinear groups at the cost of approximately doubling the proof size. The construction for boolean circuits can be made zero-knowledge with Groth-Sahai proofs, resulting in a NIZK argument for circuit satisfiability based on falsifiable assumptions in bilinear groups of proof size O(n + d).Our main technical tool is what we call an "argument of knowledge transfer". Given a commitment C1 and an opening x, such an argument allows to prove that some other commitment C2 opens to f (x), for some function f , even if C2 is not extractable. We construct very short, constant-size, pairing-based arguments of knowledge transfer with constant-time verification for any linear function and also for Hadamard products. These allow to transfer the knowledge of the input to lower levels of the circuit.

show abstract

Section: Our Techniquesmentioning

confidence: 99%

Section: A New Argument For Correct Boolean Circuit Evaluationmentioning

confidence: 99%

Shorter Pairing-Based Arguments Under Standard Assumptions

González

Ràfols

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The observation that to add unbounded simulation soundness to NIZK arguments which prove both quadratic and linear equations it suffices to have USS in the linear part can have other applications. For example, a direct application is to give USS to the construction of Daza et al [7], which gives a compact proof that a set of perfectly binding commitments open to 0 or 1. Second, we observe that the advantage of our approach is that to get tight security we only need to construct a tight USS for promise problems in bilateral linear spaces, which we leave for future work.…”

Section: Our Contributionmentioning

confidence: 99%

“…For the scheme described above, one can take as Input, and Π Q the same building blocks as [11], namely the bitstring argument of Daza et al [7] and the argument described in Sect. 2.3.…”

Section: Concrete Uses Qa-nizk For Boolean Circuitsatmentioning

confidence: 99%

“…Then, the building blocks (1), (2) of our instantiation are exactly the same as in González and Ràfols [11]. The cost of committing to the input plus proving it is boolean with the argument of [7] is (2n s + 4)|G 1 | + 6|G 2 |. We take the same quadratic constraints proof from [11] with Zero-Knowledge that is 12d|G 1 | + 4d|G 2 | for the commitments and 8d|G 1 | + 4d|G 2 | for the GS proofs.…”

Section: Concrete Uses Qa-nizk For Boolean Circuitsatmentioning

confidence: 99%

See 1 more Smart Citation

Signatures of Knowledge for Boolean Circuits Under Standard Assumptions

Baghery

González

Pindado

et al. 2020

Progress in Cryptology - AFRICACRYPT 2020

Self Cite

View full text Add to dashboard Cite

This paper constructs unbounded simulation sound proofs for boolean circuit satisfiability under standard assumptions with proof size O(n + d) bilinear group elements, where d is the depth and n is the input size of the circuit. Our technical contribution is to add unbounded simulation soundness to a recent NIZK of González and Ràfols (ASI-ACRYPT'19) with very small overhead. Our new scheme can be used to construct the most efficient Signature-of-Knowledge based on standard assumptions that also can be composed universally with other cryptographic protocols/primitives.

show abstract