Papers tagged as NIZK
  1. Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures 2018 CCS NIZK eprint.iacr.org
    Jonathan Katz, Vladimir Kolesnikov, and Xiao Wang

    Recent work, including ZKBoo, ZKB++, and Ligero, has developed efficient non-interactive zero-knowledge proofs of knowledge (NIZKPoKs) for arbitrary Boolean circuits based on symmetric- key primitives alone using the “MPC-in-the-head” paradigm of Ishai et al. We show how to instantiate this paradigm with MPC protocols in the preprocessing model; once optimized, this results in an NIZKPoK with shorter proofs (and comparable computation) as in prior work for circuits containing roughly 300–100,000 AND gates. In contrast to prior work, our NIZKPoK also supports witness-independent preprocessing, which allows the prover to move most of its work to an offline phase before the witness is known.


    We use our NIZKPoK to construct a signature scheme based only on symmetric-key primitives (and hence with “post-quantum” security). The resulting scheme has shorter signatures than the scheme built using ZKB++ (with comparable signing/verification time), and is even competitive with hash-based signature schemes.


    To further highlight the flexibility and power of our NIZKPoK, we also use it to build efficient ring and group signatures based on symmetric-key primitives alone. To our knowledge, the resulting schemes are the most efficient constructions of these primitives that offer post-quantum security.

  2. Optimally Sound Sigma Protocols Under DCRA 2017 FinancialCryptography NIZK ZK fc17.ifca.ai
    Helger Lipmaa

    Given a well-chosen additively homomorphic cryptosystem and a Σ protocol with a linear answer, Damgård, Fazio, and Nicolosi proposed a non-interactive designated-verifier zero knowledge argument in the registered public key model that is sound under non-standard complexity-leveraging assumptions. In 2015, Chaidos and Groth showed how to achieve the weaker yet reasonable culpable soundness notion under standard assumptions but only if the plaintext space order is prime. It makes use of Σ protocols that satisfy what we call the \emph{optimal culpable soundness}. Unfortunately, most of the known additively homomorphic cryptosystems (like the Paillier Elgamal cryptosystem that is secure under the standard Decisional Composite Residuosity Assumption) have composite-order plaintext space. We construct optimally culpable sound Σ protocols and thus culpably sound non-interactive designated-verifier zero knowledge protocols for NP under standard assumptions given that the least prime divisor of the plaintext space order is large.

  3. An Efficient Pairing-Based Shuffle Argument 2017 Asiacrypt NIZK Pairings eprint.iacr.org
    Prastudy Fauzi and Helger Lipmaa and Janno Siim and Michal Zajac

    We construct the most efficient known pairing-based NIZK shuffle argument. It consists of three subarguments that were carefully chosen to obtain optimal efficiency of the shuffle argument:




    • A same-message argument based on the linear subspace QANIZK argument of Kiltz and Wee,




    • A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając,




    • A (simplified) consistency argument of Groth and Lu.




    We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of 100000
    ciphertexts in less than a minute and verify it in less than 1.5 minutes.