Acyclicity Programming for Sigma-Protocols

Cramer, Damg̊ard, and Schoenmakers (CDS) built a proof system to demonstrate the possession of subsets of witnesses for a given collection of statements that belong to a prescribed access structure P by composing so-called sigma-protocols for each atomic statement. Their verifier complexity is linear in the size of the monotone span program representation of P. We propose an alternative method for combining sigma-protocols into a single non-interactive system for a compound statement in the random oracle model. In contrast to CDS, our verifier complexity is linear in the size of the acyclicity program representation of P, a complete model of monotone computation introduced in this work. We show that the acyclicity program size of a predicate is never larger than its de Morgan formula size and it is polynomially incomparable to its monotone span program size. We additionally present an extension of our proof system, with verifier complexity linear in the monotone circuit size of P, in the common reference string model. Finally, considering the types of statement that naturally reduce to acyclicity programming, we discuss several applications of our new methods to protecting privacy in cryptocurrency and social networks.

[1]  Apoorvaa Deshpande,et al.  Proofs of Ignorance and Applications to 2-Message Witness Hiding , 2018, IACR Cryptol. ePrint Arch..

[2]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[3]  Dario Fiore,et al.  LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs , 2019, IACR Cryptol. ePrint Arch..

[4]  Toniann Pitassi,et al.  Lifting Nullstellensatz to monotone span programs over any field , 2018, Electron. Colloquium Comput. Complex..

[5]  Miguel Ambrona,et al.  Non-interactive Composition of Sigma-Protocols via Share-then-Hash , 2020, ASIACRYPT.

[6]  M. Sipser,et al.  Monotone complexity , 1992 .

[7]  Éva Tardos,et al.  The gap between monotone and non-monotone circuit complexity is exponential , 1988, Comb..

[8]  LegoSNARK , 2019, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.

[9]  Yehuda Lindell,et al.  An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-programmable Random Oracle , 2015, TCC.

[10]  Eli Ben-Sasson,et al.  Aurora: Transparent Succinct Arguments for R1CS , 2019, IACR Cryptol. ePrint Arch..

[11]  Marc Fischlin,et al.  Signatures from Sequential-OR Proofs , 2020, IACR Cryptol. ePrint Arch..

[12]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash , 2017, ASIACRYPT.

[13]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[14]  Jens Groth,et al.  Short Accountable Ring Signatures Based on DDH , 2015, ESORICS.

[15]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[16]  Jacques Stern,et al.  A new paradigm for public key identification , 1996, IEEE Trans. Inf. Theory.

[17]  A. Razborov Lower bounds on monotone complexity of the logical permanent , 1985 .

[18]  Avi Wigderson,et al.  On span programs , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[19]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[20]  Ivan Damgård,et al.  Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions , 2000, Public Key Cryptography.

[21]  Ivan Visconti,et al.  A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles , 2016, IACR Cryptol. ePrint Arch..

[22]  Jens Groth,et al.  Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability , 2017, IACR Cryptol. ePrint Arch..

[23]  Mihir Bellare,et al.  Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability , 2020, IACR Cryptol. ePrint Arch..

[24]  Giulio Malavolta,et al.  Succinct Arguments for Bilinear Group Arithmetic: Practical Structure-Preserving Cryptography , 2019, IACR Cryptol. ePrint Arch..

[25]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[26]  Mihir Bellare,et al.  Multi-signatures in the plain public-Key model and a general forking lemma , 2006, CCS '06.

[27]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[28]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[29]  Bogdan Warinschi,et al.  Advances in Cryptology - Asiacrypt 2008 , 2008 .

[30]  Avi Wigderson,et al.  Superpolynomial Lower Bounds for Monotone Span Programs , 1996, Comb..

[31]  Ronald Cramer,et al.  Modular Design of Secure yet Practical Cryptographic Protocols , 1997 .

[32]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[33]  Masayuki Abe,et al.  1-out-of-n Signatures from a Variety of Keys , 2002, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[34]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors , 2016, Journal of Cryptology.

[35]  Jianwei Liu,et al.  Traceable Ring Signatures with Post-quantum Security , 2020, CT-RSA.

[36]  Jacques Stern,et al.  Threshold Ring Signatures and Applications to Ad-hoc Groups , 2002, CRYPTO.

[37]  Markulf Kohlweiss,et al.  Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings , 2019, IACR Cryptol. ePrint Arch..

[38]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[39]  Sonic , 2019, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.

[40]  Jesper Buus Nielsen,et al.  Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[41]  Yuval Ishai,et al.  Ligero: Lightweight Sublinear Arguments Without a Trusted Setup , 2017, Designs, Codes and Cryptography.

[42]  Huaxiong Wang,et al.  New Code-Based Privacy-Preserving Cryptographic Constructions , 2019, IACR Cryptol. ePrint Arch..

[43]  Noga Alon,et al.  The monotone circuit complexity of boolean functions , 1987, Comb..

[44]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[45]  Markulf Kohlweiss,et al.  Updatable and Universal Common Reference Strings with Applications to zk-SNARKs , 2018, IACR Cryptol. ePrint Arch..

[46]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[47]  Silvio Micali,et al.  Non-Interactive Oblivious Transfer and Applications , 1989, CRYPTO.