Succinct Arguments for Bilinear Group Arithmetic: Practical Structure-Preserving Cryptography

In their celebrated work, Groth and Sahai [EUROCRYPT'08, SICOMP' 12] constructed non-interactive zero-knowledge (NIZK) proofs for general bilinear group arithmetic relations, which spawned the entire subfield of structure-preserving cryptography. This branch of the theory of cryptography focuses on modular design of advanced cryptographic primitives. Although the proof systems of Groth and Sahai are a powerful toolkit, their efficiency hits a barrier when the size of the witness is large, as the proof size is linear in that of the witness. In this work, we revisit the problem of proving knowledge of general bilinear group arithmetic relations in zero-knowledge. Specifically, we construct a succinct zero-knowledge argument for such relations, where the communication complexity is logarithmic in the integer and source group components of the witness. Our argument has public-coin setup and verifier and can therefore be turned non-interactive using the Fiat-Shamir transformation in the random oracle model. For the special case of non-bilinear group arithmetic relations with only integer unknowns, our system can be instantiated in non-bilinear groups. In many applications, our argument system can serve as a drop-in replacement of Groth-Sahai proofs, turning existing advanced primitives in the vast literature of structure-preserving cryptography into practically efficient systems with short proofs.

[1]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[2]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[3]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[4]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[5]  Giulio Malavolta,et al.  Subvector Commitments with Application to Succinct Arguments , 2019, CRYPTO.

[6]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[7]  Aurore Guillevic,et al.  Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves , 2013, ACNS.

[8]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[9]  Eli Ben-Sasson,et al.  Interactive Oracle Proofs , 2016, TCC.

[10]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[11]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[12]  Bogdan Warinschi,et al.  Groth-Sahai proofs revisited , 2010, IACR Cryptol. ePrint Arch..

[13]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, STOC '11.

[14]  Joe Kilian,et al.  A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[15]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[16]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[17]  Jens Groth,et al.  Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting , 2016, EUROCRYPT.

[18]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[19]  Manuel Blum,et al.  Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract) , 1988, STOC 1988.

[20]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[21]  Vincent Naessens,et al.  Structure Preserving CCA Secure Encryption and Applications , 2011, ASIACRYPT.

[22]  Manoj Prabhakaran,et al.  Attribute-Based Signatures , 2011, CT-RSA.

[23]  Amit Sahai,et al.  Efficient Noninteractive Proof Systems for Bilinear Groups , 2008, SIAM J. Comput..

[24]  Jens Groth,et al.  Efficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments , 2011, ASIACRYPT.

[25]  Georg Fuchsbauer,et al.  Commuting Signatures and Verifiable Encryption , 2011, EUROCRYPT.

[26]  Abhi Shelat,et al.  Doubly-Efficient zkSNARKs Without Trusted Setup , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[27]  Moti Yung,et al.  Linearly homomorphic structure-preserving signatures and their applications , 2013, Designs, Codes and Cryptography.

[28]  Silvio Micali,et al.  CS Proofs (Extended Abstracts) , 1994, FOCS 1994.

[29]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[30]  Masayuki Abe,et al.  Group to Group Commitments Do Not Shrink , 2012, EUROCRYPT.

[31]  Yuval Ishai,et al.  Ligero: Lightweight Sublinear Arguments Without a Trusted Setup , 2017, Designs, Codes and Cryptography.

[32]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[33]  Yuval Ishai,et al.  Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle , 2008, EUROCRYPT.

[34]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[35]  Eli Ben-Sasson,et al.  Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..

[36]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[37]  Yehuda Lindell Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, CRYPTO.

[38]  Moti Yung,et al.  Short Group Signatures via Structure-Preserving Signatures: Standard Model Security from Simple Assumptions , 2015, CRYPTO.

[39]  Moti Yung,et al.  Group Encryption: Non-interactive Realization in the Standard Model , 2009, ASIACRYPT.

[40]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[41]  Eli Ben-Sasson,et al.  Aurora: Transparent Succinct Arguments for R1CS , 2019, IACR Cryptol. ePrint Arch..

[42]  Amit Sahai,et al.  On the Practical Security of Inner Product Functional Encryption , 2015, Public Key Cryptography.

[43]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[44]  Christian Hanser,et al.  Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials , 2014, IACR Cryptol. ePrint Arch..