Switching Lemma for Bilinear Tests and Constant-size NIZK Proofs for Linear Subspaces

We state a switching lemma for tests on adversarial inputs involving bilinear pairings in hard groups, where the tester can effectively switch the randomness used in the test from being given to the adversary at the outset to being chosen after the adversary commits its input. The switching lemma can be based on any $k$-linear hardness assumptions on one of the groups. In particular, this enables convenient information theoretic arguments in the construction of sequence of games proving security of cryptographic schemes, mimicking proofs and constructions in the random oracle model. As an immediate application, we show that the quasi-adaptive NIZK proofs of Jutla and Roy [AsiaCrypt 2013] for linear subspaces can be further shortened to \emph{constant}-size proofs, independent of the number of witnesses and equations. In particular, under the XDH assumption, a length $n$ vector of group elements can be proven to belong to a subspace of rank $t$ with a quasi-adaptive NIZK proof consisting of just a single group element. Similar quasi-adaptive aggregation of proofs is also shown for Groth-Sahai NIZK proofs of linear multi-scalar multiplication equations, as well as linear pairing-product equations (equations without any quadratic terms)

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art

From Rerandomizability to Sequential Aggregation: Efficient Signature Schemes Based on SXDH Assumption

An aggregate signature allows one to generate a short aggregate of signatures from different signers on different messages. A sequential aggregate signature (SeqAS) scheme allows the signers to aggregate their individual signatures in a sequential manner. All existing SeqAS schemes that do not use the random oracle assumption either require a large public key or the security depends upon some non-standard interactive/static assumptions. In this paper, we present an efficient SeqAS scheme with constant-size public key under the SXDH assumption. In the process, we first obtain an optimized (and more efficient) variant of Libert et al\u27s randomizable signature scheme. While both the schemes are more efficient than the currently best ones that rely on some static assumption, they are only slightly costlier than the most efficient ones based on some interactive assumption

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

The work of Bootle et al. (EUROCRYPT 2016) constructs an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which is considerably more efficient than Bootle et al. in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be more efficiently proved and verified in a single argument. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In some of these instantiations we also achieve better efficiency than the state of the art

Quasi-Adaptive NIZK for Linear Subspaces Revisited

Non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a group, such as the Groth-Sahai proofs, are an extremely powerful tool in pairing-based cryptography. A series of recent works focused on obtaining very efficient NIZK proofs for linear spaces in a weaker quasi-adaptive model. We revisit recent quasi-adaptive NIZK constructions, providing clean, simple, and improved constructions via a conceptually different approach inspired by recent developments in identity-based encryption. We then extend our techniques also to linearly homomorphic structure-preserving signatures, an object both of independent interest and with many applications

Subversion-Resistant Quasi-Adaptive NIZK and Applications to Modular zk-SNARKs

Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) arguments are NIZK arguments where the common reference string (CRS) is allowed to depend on the language and they can be very efficient for specific languages. Thus, they are for instance used within the modular LegoSNARK toolbox by Campanelli et al. (ACM CCS\u2719) as succinct NIZKs (aka zkSNARKs) for linear subspace languages. Such modular frameworks are interesting, as they provide gadgets for a flexible design of privacy-preserving blockchain applications. Recently, there has been an increasing interest to reduce the trust required in the generator of the CRS. One important line of work in this direction is subversion zero-knowledge by Bellare et al. (ASIACRYPT\u2716), where the zero-knowledge property even holds when the CRS is generated maliciously. In this paper, we firstly analyze the security of the most efficient QA-NIZK constructions of Kiltz and Wee (EUROCRYPT\u2715) and the asymmetric QA-NIZKs by Gonzalez et al. (ASIACRYPT\u2715) when the CRS is subverted and propose subversion versions of them. Secondly, for the first time, we construct unbounded (strong) true-simulation extractable (tSE) variants of them. Thirdly, we show how to integrate our subversion QA-NIZKs into the LegoSNARK toolbox, which so far does not consider subversion resistance. Our results together with existing results on (SE) subversion zk-SNARKS represent an important step towards a subversion variant of the LegoSNARK toolbox

Updatable Trapdoor SPHFs: Modular Construction of Updatable Zero-Knowledge Arguments and More

Recently, motivated by its increased use in real-world applications, there has been a growing interest on the reduction of trust in the generation of the common reference string (CRS) for zero-knowledge (ZK) proofs. This line of research was initiated by the introduction of subversion non-interactive ZK (NIZK) proofs by Bellare et al. (ASIACRYPT\u2716). Here, the zero-knowledge property needs to hold even in case of a malicious generation of the CRS. Groth et al. (CRYPTO\u2718) then introduced the notion of updatable zk-SNARKS, later adopted by Lipmaa (SCN\u2720) to updatable quasi-adaptive NIZK (QA-NIZK) proofs. In contrast to the subversion setting, in the updatable setting one can achieve stronger soundness guarantees at the cost of reintroducing some trust, resulting in a model in between the fully trusted CRS generation and the subversion setting. It is a promising concept, but all previous updatable constructions are ad-hoc and tailored to particular instances of proof systems. Consequently, it is an interesting question whether it is possible to construct updatable ZK primitives in a more modular way from simpler building blocks. In this work we revisit the notion of trapdoor smooth projective hash functions (TSPHFs) in the light of an updatable CRS. TSPHFs have been introduced by Benhamouda et al. (CRYPTO\u2713) and can be seen as a special type of a 2-round ZK proof system. In doing so, we first present a framework called lighter TSPHFs (L-TSPHFs). Building upon it, we introduce updatable L-TSPHFs as well as instantiations in bilinear groups. We then show how one can generically construct updatable quasi-adaptive zero-knowledge arguments from updatable L-TSPHFs. Our instantiations are generic and more efficient than existing ones. Finally, we discuss applications of (updatable) L-TSPHFs to efficient (updatable) 2-round ZK arguments as well as updatable password-authenticated key-exchange (uPAKE)

Matrix computational assumptions in multilinear groups

We put forward a new family of computational assumptions, the Kernel Matrix Di e- Hellman Assumption. Given some matrix A sampled from some distribution D `;k , the kernel as- sumption says that it is hard to nd \in the exponentPreprin

Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces

We define a novel notion of quasi-adaptive non-interactive zero knowledge (NIZK) proofs for probability distributions on parametrized languages. It is quasi-adaptive in the sense that the common reference string (CRS) generator can generate the CRS depending on the language parameters. However, the simulation is required to be uniform, i.e., a single efficient simulator should work for the whole class of parametrized languages. For distributions on languages that are linear subspaces of vector spaces over bilinear groups, we give quasi-adaptive computationally sound NIZKs that are shorter and more efficient than Groth-Sahai NIZKs. For many cryptographic applications quasi-adaptive NIZKs suffice, and our constructions can lead to significant improvements in the standard model. Our construction can be based on any k-linear assumption, and in particular under the eXternal Diffie Hellman (XDH) assumption our proofs are even competitive with Random-Oracle based Sigma-protocol NIZK proofs. We also show that our system can be extended to include integer tags in the defining equations, where the tags are provided adaptively by the adversary. This leads to applicability of our system to many applications that use tags, e.g. applications using Cramer-Shoup projective hash proofs. Our techniques also lead to the shortest known (ciphertext) fully secure identity based encryption (IBE) scheme under standard static assumptions (SXDH). Further, we also get a short publicly-verifiable CCA2-secure IBE scheme