Compact NIZKs from Standard Assumptions on Bilinear Maps

A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement without leaking any other information by sending a single message. The main focus of this work is on exploring short pairing-based NIZKs for all NP languages based on standard assumpt...

Full description

Saved in:
Bibliographic Details
Published in:Journal of cryptology 2024-07, Vol.37 (3), Article 23
Main Authors: Katsumata, Shuichi, Nishimaki, Ryo, Yamada, Shota, Yamakawa, Takashi
Format: Article
Language:English
Subjects:
Coding and Information Theory
Combinatorics
Communications Engineering
Computational Mathematics and Numerical Analysis
Computer Science
Languages
Networks
Probability Theory and Stochastic Processes
Research Article
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement without leaking any other information by sending a single message. The main focus of this work is on exploring short pairing-based NIZKs for all NP languages based on standard assumptions. In this regime, the seminal work of Groth, Ostrovsky, and Sahai (J.ACM’12) (GOS-NIZK) is still considered to be the state-of-the-art. Although fairly efficient, one drawback of GOS-NIZK is that the proof size is multiplicative in the circuit size computing the NP relation. That is, the proof size grows by O ( | C | κ ) , where C is the circuit for the NP relation and κ is the security parameter. By now, there have been numerous follow-up works focusing on shortening the proof size of pairing-based NIZKs, however, thus far, all works come at the cost of relying either on a non-standard knowledge-type assumption or a non-static q -type assumption. Specifically, improving the proof size of the original GOS-NIZK under the same standard assumption has remained as an open problem. Our main result is a construction of a pairing-based NIZK for all of NP whose proof size is additive in | C |, that is, the proof size only grows by | C | + poly ( κ ) , based on the computational Diffie-Hellman assumption over specific pairing-free groups and decisional linear (DLIN) assumption. As by-products of our main result, we also obtain the following two results: (1) We construct a perfectly zero-knowledge NIZK (NIPZK) for NP relations computable in NC 1 with proof size | w | · poly ( κ ) where | w | is the witness length based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of NP languages whose proof size is independent of | C | based on a standard assumption. (2) We construct a universally composable (UC) NIZK for NP relations computable in NC 1 in the erasure-free adaptive setting whose proof size is | w | · poly ( κ ) from the DLIN assumption. This is an improvement over the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO’19), which gave a similar result based on a non-static q -type assumption. The main building block for all of our NIZKs is a constrained signature scheme with decomposable online-offline efficiency . This is a property which we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of an independent interest.
ISSN:0933-2790
1432-1378
DOI:10.1007/s00145-024-09503-8