Compact NIZKs from Standard Assumptions on Bilinear Maps

Impact factor 2.3; CAS Zone 3, Computer Science; JCR Q2, Computer Science, Theory & Methods
Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, Takashi Yamakawa
Journal of Cryptology, journal article, published 2024-05-13.
DOI: 10.1007/s00145-024-09503-8 (https://doi.org/10.1007/s00145-024-09503-8)
Citations: 0

Abstract

A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement, by sending a single message, without leaking any other information. The main focus of this work is on exploring short pairing-based NIZKs for all \(\textbf{NP}\) languages based on standard assumptions. In this regime, the seminal work of Groth, Ostrovsky, and Sahai (J. ACM '12) (GOS-NIZK) is still considered the state of the art. Although fairly efficient, one drawback of GOS-NIZK is that the proof size is multiplicative in the size of the circuit computing the \(\textbf{NP}\) relation: the proof size grows as \(O(|C|\kappa)\), where \(C\) is the circuit for the \(\textbf{NP}\) relation and \(\kappa\) is the security parameter. By now there have been numerous follow-up works on shortening the proof size of pairing-based NIZKs; thus far, however, all of them come at the cost of relying on either a non-standard knowledge-type assumption or a non-static q-type assumption. In particular, improving the proof size of the original GOS-NIZK under the same standard assumption has remained an open problem.

Our main result is a construction of a pairing-based NIZK for all of \(\textbf{NP}\) whose proof size is additive in \(|C|\), that is, the proof size grows only as \(|C| + \textsf{poly}(\kappa)\), based on the computational Diffie-Hellman (CDH) assumption over specific pairing-free groups and the decisional linear (DLIN) assumption.

As by-products of our main result, we also obtain the following two results: (1) We construct a perfectly zero-knowledge NIZK (NIPZK) for \(\textbf{NP}\) relations computable in \(\textbf{NC}^1\) with proof size \(|w| \cdot \textsf{poly}(\kappa)\), where \(|w|\) is the witness length, based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of \(\textbf{NP}\) languages whose proof size is independent of \(|C|\) based on a standard assumption. (2) We construct a universally composable (UC) NIZK for \(\textbf{NP}\) relations computable in \(\textbf{NC}^1\) in the erasure-free adaptive setting whose proof size is \(|w| \cdot \textsf{poly}(\kappa)\), from the DLIN assumption. This improves on the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO '19), which gave a similar result based on a non-static q-type assumption. The main building block for all of our NIZKs is a constrained signature scheme with decomposable online-offline efficiency, a property we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of independent interest.

Source journal: Journal of Cryptology (Engineering & Technology: Electrical & Electronic Engineering)
CiteScore: 7.10
Self-citation rate: 3.30%
Articles per year: 24
Review time: 18 months
Journal description: The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.