Proofs of Knowledge with Several Challenge Values
In this paper we consider the problem of increasing the number of possible challenge values from 2 to in various zero-knowledge cut-and-choose protocols. First we discuss doing this for the graph isomorphism protocol. Then we show how increasing this number improves the efficiency of protocols for double discrete logarithm and -th root of discrete logarithm, which are potentially very useful tools for constructing complex cryptographic protocols. The practical improvement given by our paper is 2-4 times in terms of both time complexity and transcript size.
A Unified Framework for Non-Universal SNARKs
We propose a general framework for non-universal SNARKs. It contains (1) knowledge-sound and non-black-box any-simulation-extractable (ASE), (2) zero-knowledge and subversion-zero knowledge SNARKs for the well-known QAP, SAP, SSP, and QSP constraint languages that all by design have relatively simple security proofs. The knowledge-sound zero-knowledge SNARK is similar to Groth's SNARK from EUROCRYPT 2016, except having fewer trapdoors, while the ASE subversion-zero knowledge SNARK relies on few additional conditions. We prove security in a weaker, more realistic version of the algebraic group model. We characterize SAP, SSP, and QSP in terms of QAP; this allows one to use a SNARK for QAP directly for other languages. Our results allow us to construct a family of SNARKs for different languages and with different security properties following the same proof template. Some of the new SNARKs are more efficient than prior ones. In other cases, the new SNARKs cover gaps in the landscape, e.g., there was no previous ASE or Sub-ZK SNARK for SSP or QSP.
Polymath: Groth16 Is Not The Limit
Shortening the argument (three group elements or 1536 / 3072 bits over the BLS12-381/BLS24-509 curves) of the Groth16 zk-SNARK for R1CS is a long-standing open problem. We propose a zk-SNARK Polymath for the Square Arithmetic Programming constraint system using the KZG polynomial commitment scheme. Polymath has a shorter argument (1408 / 1792 bits over the same curves) than Groth16. At 192-bit security, Polymath's argument is nearly half the size, making it highly competitive for high-security future applications. Notably, we handle public inputs in a simple way. We optimized Polymath's prover through an exhaustive parameter search. Polymath's prover does not output elements, aiding in batch verification, SNARK aggregation, and recursion. Polymath's properties make it highly suitable to be the final SNARK in SNARK compositions.