Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular

We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e. that for some u, “u ∈ S and P (u) holds”. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new modular and efficient constructions for this problem through new commit-andprove zero-knowledge systems for set membership, i.e. schemes proving u ∈ S for a value u that is in a public commitment cu. Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form “u ∈ S and P (u) holds” (by combining our set membership system with any other commit-and-prove scheme for P (u)). Also, they work with Pedersen commitments over prime order groups which makes them compatible with popular systems such as Bulletproofs or Groth16. Both public parameters and proofs in our solutions have constant-size (i.e., independent of the size of the sets). Compared to previous work that achieves similar properties—Camenisch and Lysyanskaya (CRYPTO 2002) and the clever techniques combining zkSNARKs and Merkle Trees in Zcash—our protocols offer more flexibility and 2.5× faster proving time for a set of size 2.

[1]  Nelly Fazio,et al.  Cryptographic Accumulators: Definitions, Constructions and Applications , 2002 .

[2]  Johannes Buchmann,et al.  A Survey on {IQ} Cryptography , 2001 .

[3]  Cédric Fournet,et al.  Hash First, Argue Later: Adaptive Verifiable Computations on Outsourced Data , 2016, CCS.

[4]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[5]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[6]  Ninghui Li,et al.  Universal Accumulators with Efficient Nonmembership Proofs , 2007, ACNS.

[7]  Benjamin Wesolowski,et al.  Efficient Verifiable Delay Functions , 2019, Journal of Cryptology.

[8]  Silvio Micali,et al.  Computationally Private Information Retrieval with Polylogarithmic Communication , 1999, EUROCRYPT.

[9]  Elaine Shi,et al.  Signatures of Correct Computation , 2013, TCC.

[10]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, STOC '11.

[11]  Jens Groth,et al.  Fine-Tuning Groth-Sahai Proofs , 2014, IACR Cryptol. ePrint Arch..

[12]  Dan Boneh,et al.  Scaling Verifiable Computation Using Efficient Set Accumulators , 2019, IACR Cryptol. ePrint Arch..

[13]  Jonathan Katz,et al.  A Zero-Knowledge Version of vSQL , 2017, IACR Cryptol. ePrint Arch..

[14]  Shai Halevi,et al.  Secure Hash-and-Sign Signatures Without the Random Oracle , 1999, EUROCRYPT.

[15]  Charalampos Papamanthou,et al.  Edrax: A Cryptocurrency with Stateless Transaction Validation , 2018, IACR Cryptol. ePrint Arch..

[16]  Jonathan Lee,et al.  The security of Groups of Unknown Order based on Jacobians of Hyperelliptic Curves , 2020, IACR Cryptol. ePrint Arch..

[17]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[18]  Roel Peeters,et al.  Efficient Sparse Merkle Trees - Caching Strategies and Secure (Non-)Membership Proofs , 2016, NordSec.

[19]  Mehdi Tibouchi,et al.  Close to Uniform Prime Number Generation With Fewer Random Bits , 2014, IEEE Transactions on Information Theory.

[20]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[21]  Ivan Damgård,et al.  Supporting Non-membership Proofs with Bilinear-map Accumulators , 2008, IACR Cryptol. ePrint Arch..

[22]  David Pointcheval,et al.  Removing the Strong RSA Assumption from Arguments over the Integers , 2017, IACR Cryptol. ePrint Arch..

[23]  Shashank Agrawal,et al.  Non-Interactive Zero-Knowledge Proofs for Composite Statements , 2018, IACR Cryptol. ePrint Arch..

[24]  Dario Fiore,et al.  Vector Commitments and Their Applications , 2013, Public Key Cryptography.

[25]  Elaine Shi,et al.  Streaming Authenticated Data Structures , 2013, EUROCRYPT.

[26]  Dan Boneh,et al.  Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains , 2019, IACR Cryptol. ePrint Arch..

[27]  Steven D. Galbraith,et al.  Trustless Groups of Unknown Order with Hyperelliptic Curves , 2020, IACR Cryptol. ePrint Arch..

[28]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[29]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors , 2016, Journal of Cryptology.

[30]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[31]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[32]  Lan Nguyen,et al.  Accumulators from Bilinear Pairings and Applications , 2005, CT-RSA.

[33]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[34]  Josh Benaloh,et al.  One-Way Accumulators: A Decentralized Alternative to Digital Sinatures (Extended Abstract) , 1994, EUROCRYPT.

[35]  Helger Lipmaa,et al.  Secure Accumulators from Euclidean Rings without Trusted Setup , 2012, ACNS.

[36]  Jonathan Katz,et al.  An Expressive (Zero-Knowledge) Set Accumulator , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[37]  Moti Yung,et al.  Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs , 2010, TCC.

[38]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[39]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[40]  Dario Fiore,et al.  LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs , 2019, IACR Cryptol. ePrint Arch..

[41]  Paul Valiant,et al.  Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency , 2008, TCC.

[42]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[43]  Jonathan Katz Signature Schemes Based on the (Strong) RSA Assumption , 2010 .

[44]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[45]  Claudio Soriente,et al.  An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials , 2009, IACR Cryptol. ePrint Arch..

[46]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[47]  Dan Boneh,et al.  A Survey of Two Verifiable Delay Functions , 2018, IACR Cryptol. ePrint Arch..

[48]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).