New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

SLIDE 1

New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

Benoît Libert, Alain Passelègue, Hoeteck Wee, and David J. Wu

May 2020

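SLIDE 2

Non-Interactive Zero-Knowledge (NIZK) [BFM88]

NP language $\mathcal{L} \subseteq \{0,1\}^*$

[Diagram: the prover sends a proof $\pi$ for a statement $x \in \{0,1\}^*$ to the verifier, who accepts if $x \in \mathcal{L}$]

Completeness: $\forall x \in \mathcal{L} : \Pr[\langle P, V \rangle(x) = \text{accept}] = 1$
“Honest prover convinces honest verifier of true statements”

Soundness: $\forall x \notin \mathcal{L}, \forall P^* : \Pr[\langle P^*, V \rangle(x) = \text{accept}] \le \varepsilon$
“No prover can convince honest verifier of false statement”

Can consider both computational and statistical variants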

SLIDE 3

Non-Interactive Zero-Knowledge (NIZK) [BFM88]

NP language $\mathcal{L}$

Zero-Knowledge: for all efficient verifiers $V^*$, there exists an efficient simulator $\mathcal{S}$ where

$\forall x \in \mathcal{L} : \langle P, V^* \rangle(x) \approx \mathcal{S}(x)$

[Diagram: real distribution (the proof $\pi$) $\approx_c$ ideal distribution $\mathcal{S}(x)$]

Can consider both computational and statistical variants

SLIDE 4

Designated-Verifier NIZKs

This work: focus primarily on the designated-verifier model

[Diagram: trusted setup outputs a public CRS $\sigma$ and a secret verification key $k_V$; prover and verifier]

SLIDE 5

Designated-Verifier NIZKs

This work: focus primarily on the designated-verifier model

[Diagram: public CRS $\sigma$, secret verification key $k_V$; the prover sends $\pi = \mathsf{Prove}(\sigma, x, w)$ to the verifier]

Requirement: soundness should hold even if the prover has access to the verification oracle

SLIDE 6

The Landscape of (DV)-NIZKs

| Construction | Assumption | Soundness | Zero-Knowledge |
|---|---|---|---|
| [FLS90] | factoring | computational | statistical |
| [GOS06] | $k$-Lin (pairing group) | stat. / comp. | stat. / comp. |
| [CHK03] | CDH (pairing group) | computational | statistical |
| [PS19] | LWE | stat. / comp. | stat. / comp. |
| [SW14] | iO + OWFs | statistical | computational |
| [QRW19, CH19, KNYY19] | CDH | computational | statistical |
| [LQRWW19] | CDH/LWE/LPN | computational | computational |
| [CDIKLOV19] | DCR | stat. / comp. | stat. / comp. |

Row-group labels on the slide: publicly-verifiable; malicious designated-verifier

SLIDE 7

The Landscape of (DV)-NIZKs

| Construction | Assumption | Soundness | Zero-Knowledge |
|---|---|---|---|
| [GOS06] | $k$-Lin (pairing group) | stat. / comp. | stat. / comp. |
| [PS19] | LWE | stat. / comp. | stat. / comp. |
| [SW14] | iO + OWFs | statistical | computational |
| [CDIKLOV19] | DCR | stat. / comp. | stat. / comp. |

Row-group labels on the slide: publicly-verifiable; malicious designated-verifier

Statistical zero-knowledge seems more difficult to achieve

SLIDE 8

This Work: Statistical NIZKs

[Diagram: $\pi \approx_s \mathcal{S}(x)$]

Statistical ZK provides everlasting privacy

This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs

  • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR

SLIDE 9

This Work: Statistical NIZKs

[Diagram: $\pi \approx_s \mathcal{S}(x)$]

Statistical ZK provides everlasting privacy

This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs

  • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR

More precisely: DV-NIZKs are “dual-mode” and maliciously secure

SLIDE 10

This Work: Statistical NIZKs

[Diagram: $\pi \approx_s \mathcal{S}(x)$]

Statistical ZK provides everlasting privacy

This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs

  • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR
  • Statistical NIZKs from $k$-Lin ($\mathbb{G}_1$) + $k$-KerLin ($\mathbb{G}_2$) in a pairing group

Weaker assumption compared to [GOS06], which required $k$-Lin in both groups ($k$-KerLin is a search assumption implied by $k$-Lin)

SLIDE 11

The Landscape of (DV)-NIZKs

| Construction | Assumption | Soundness | Zero-Knowledge |
|---|---|---|---|
| [FLS90] | factoring | computational | statistical |
| [GOS06] | $k$-Lin ($\mathbb{G}_1, \mathbb{G}_2$) | stat. / comp. | stat. / comp. |
| [CHK03] | CDH (pairing group) | computational | statistical |
| [PS19] | LWE | stat. / comp. | stat. / comp. |
| [SW14] | iO + OWFs | statistical | computational |
| [QRW19, CH19, KNYY19] | CDH | computational | statistical |
| [LQRWW19] | CDH/LWE/LPN | computational | computational |
| [CDIKLOV19] | DCR | stat. / comp. | stat. / comp. |
| This work | DDH/QR/DCR | stat. / comp. | stat. / comp. |
| This work | $k$-Lin ($\mathbb{G}_1$), $k$-KerLin ($\mathbb{G}_2$) | computational | statistical |

Row-group labels on the slide: publicly-verifiable; malicious designated-verifier

SLIDE 12

NIZKs in the Hidden Bits Model [FLS90]

[Figure: hidden-bits string, $n$ bits long, held by the prover]

Prover has access to uniformly random bit string of length $n$

SLIDE 13

NIZKs in the Hidden Bits Model [FLS90]

[Figure: hidden-bits string, $n$ bits long, held by the prover; the prover outputs $I \subseteq [n]$, $\pi$]

Prover has access to uniformly random bit string of length $n$

Prover outputs a subset $I \subseteq [n]$ and a proof $\pi$

SLIDE 14

NIZKs in the Hidden Bits Model [FLS90]

[Figure: hidden-bits string, $n$ bits long; the prover sends $I \subseteq [n]$, $\pi$ to the verifier]

Prover outputs a subset $I \subseteq [n]$ and a proof $\pi$

Verifier only sees the subset of the bits in $I$ and proof $\pi$

SLIDE 15

NIZKs in the Hidden Bits Model [FLS90]

[Figure: hidden-bits string, $n$ bits long; the prover sends $I \subseteq [n]$, $\pi$ to the verifier]

Prover outputs a subset $I \subseteq [n]$ and a proof $\pi$

Verifier only sees the subset of the bits in $I$ and proof $\pi$

[FLS90]: There exists a perfect NIZK proof for any NP language in the hidden-bits model

SLIDE 16

The FLS Compiler [FLS90]

NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model

[Figure: CRS; hidden-bits string $b_1\, b_2 \cdots b_n$; “commitment” $\sigma$]

Prover can selectively open $\sigma$ to $(i, b_i)$ for indices $i$ of its choosing

SLIDE 17

The FLS Compiler [FLS90]

[Figure: CRS; hidden-bits string $b_1\, b_2 \cdots b_n$; “commitment” $\sigma$]

Prover can selectively open $\sigma$ to $(i, b_i)$ for indices $i$ of its choosing

Main properties:

  • Binding: Can only open $\sigma$ to a single bit for each position
  • Hiding: Unopened bits should be hidden
  • Succinctness: $|\sigma| \ll n$

Soundness: If $|\sigma| \ll n$ and there are not too many “bad” hidden-bits strings ⇒ prover cannot find a “bad” $\sigma$ that fools verifier

Zero-Knowledge: Unopened bits hidden to verifier

SLIDE 18

The FLS Compiler [FLS90]

NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model

[Figure: CRS; hidden-bits string $b_1\, b_2 \cdots b_n$; “commitment” $\sigma$]

Instantiations:

  • [FLS90]: trapdoor permutations (computational NIZK proofs)
  • [CHK03]: CDH over a pairing group (computational NIZK proofs)
  • [QRW19, CH19, KNYY19]: hidden-bits generators from CDH (computational DV-NIZK proofs)

SLIDE 19

The FLS Compiler [FLS90]

NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model

[Figure: CRS; hidden-bits string $b_1\, b_2 \cdots b_n$; “commitment” $\sigma$]

Instantiations:

  • [FLS90]: trapdoor permutations (computational NIZK proofs)
  • [CHK03]: CDH over a pairing group (computational NIZK proofs)
  • [QRW19, CH19, KNYY19]: hidden-bits generators from CDH (computational DV-NIZK proofs)

Possible to instantiate FLS to obtain statistical ZK?

SLIDE 20

The FLS Compiler [FLS90]

NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model

  • [FLS90]: trapdoor permutations (computational NIZK proofs)
  • [CHK03]: CDH over a pairing group (computational NIZK proofs)
  • [QRW19, CH19, KNYY19]: computational hidden-bits generators from CDH (computational DV-NIZK arguments)

This work: dual-mode hidden bits generator

  • “Binding mode:” computational DV-NIZK proofs
  • “Hiding mode:” statistical DV-NIZK arguments

SLIDE 21

Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$

Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := \mathsf{hc}(h_i^y)$ (hard-core bit)

Committing to a hidden-bits string: prover samples $y \leftarrow \mathbb{Z}_p$ and commits to hidden bits string with $\sigma = g^y \in \mathbb{G}$

Opening $\sigma$ to a bit $b_i$: reveal $h_i^y$ and prove that $(g, g^y, h_i, h_i^y)$ is a DDH tuple

  • [CHK03]: Use a pairing: $e(g^y, h_i) = e(g, h_i^y)$ (publicly-verifiable)
  • [QRW19, CH19, KNYY19]: Use Cramer-Shoup hash-proof system [CS98, CS02, CKS08] (designated-verifier)

SLIDE 22

Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$

Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := \mathsf{hc}(h_i^y)$ (hard-core bit)

Committing to a hidden-bits string: prover samples $y \leftarrow \mathbb{Z}_p$ and commits to hidden bits string with $\sigma = g^y \in \mathbb{G}$

Statistical binding: choice of $\sigma$ (with $h_1, \ldots, h_n$) completely defines $b_1, \ldots, b_n$

Resulting NIZK satisfies statistical soundness

SLIDE 23

Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$

Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := \mathsf{hc}(h_i^y)$ (hard-core bit)

Committing to a hidden-bits string: prover samples $y \leftarrow \mathbb{Z}_p$ and commits to hidden bits string with $\sigma = g^y \in \mathbb{G}$

Computational hiding: unopened bits computationally hidden since $\mathsf{hc}$ is hard-core

Need to compute $g^{w_i y}$ from $g^{w_i}$ and $g^y$, which is precisely CDH

Resulting NIZK satisfies computational zero-knowledge

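SLIDE 24

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

Notation: for a vector $\mathbf{v} \in \mathbb{Z}_p^n$, we write $[\mathbf{v}] := (g^{v_1}, \ldots, g^{v_n})$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$[\mathbf{v}]$ plays the role of the family $g$; $[\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ play the role of $g^{w_1}, \ldots, g^{w_n}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Key idea: replace scalars in the CRS with vectors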

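SLIDE 25

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

Notation: for a vector $\mathbf{v} \in \mathbb{Z}_p^n$, we write $[\mathbf{v}] := (g^{v_1}, \ldots, g^{v_n})$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$[\mathbf{v}]$ plays the role of the generator $g$; $[\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ play the role of $g^{w_1}, \ldots, g^{w_n}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Observation: under DDH, these two distributions for $\mathbf{w}_i$ are computationally indistinguishable (similar principle as used to construct lossy PKE from DDH [HJR16])

SLIDE 26

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Statistically binding in binding mode: choice of $\sigma$ (and CRS) completely defines $b_1, \ldots, b_n$

$[\mathbf{y}^T \mathbf{w}_i] = s_i [\mathbf{y}^T \mathbf{v}] = s_i \sigma$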

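SLIDE 27

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Statistically hiding in hiding mode: choice of $\sigma$ (and CRS) completely hides $b_1, \ldots, b_n$

If $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$ are linearly independent and $\mathbf{y} \leftarrow \mathbb{Z}_p^{n+1}$, then $\mathbf{y}^T \mathbf{w}_i$ is uniform given $\mathbf{y}^T \mathbf{v}$ and $\mathbf{y}^T \mathbf{w}_j$ for $j \ne i$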

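SLIDE 28

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Binding mode ⇒ statistically-binding hidden bits ⇒ statistical soundness

Hiding mode ⇒ statistically-hiding hidden bits ⇒ statistical zero-knowledge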

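SLIDE 29

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Remaining ingredient: need a way for prover to open commitments to hidden bits

To open the commitment $\sigma$ to value $b_i$, prover sends $t_i = [\mathbf{y}^T \mathbf{w}_i]$ together with a proof that $\exists \mathbf{y} \in \mathbb{Z}_p^{n+1}$ such that $\sigma = [\mathbf{y}^T \mathbf{v}]$ and $t_i = [\mathbf{y}^T \mathbf{w}_i]$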

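SLIDE 30

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Remaining ingredient: need a way for prover to open commitments to hidden bits

To open the commitment $\sigma$ to value $b_i$, prover sends $t_i = [\mathbf{y}^T \mathbf{w}_i]$ together with a proof that $\exists \mathbf{y} \in \mathbb{Z}_p^{n+1}$ such that $\sigma = [\mathbf{y}^T \mathbf{v}]$ and $t_i = [\mathbf{y}^T \mathbf{w}_i]$

Can use Cramer-Shoup techniques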

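SLIDE 31

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$

Prover’s commitment: $\sigma = [\mathbf{y}^T \mathbf{v}] \in \mathbb{G}$

Prover’s opening: $t_i = [\mathbf{y}^T \mathbf{w}_i]$ and a proof that $\exists \mathbf{y} \in \mathbb{Z}_p^{n+1}$ : $\sigma = [\mathbf{y}^T \mathbf{v}]$ and $t_i = [\mathbf{y}^T \mathbf{w}_i]$

Implication: dual-mode DV-NIZK from DDH

  • Binding mode: computational NIZK proofs
  • Hiding mode: statistical NIZK arguments

SLIDE 32

Dual-Mode Instantiation from DDH

Ingredient: let $\mathbb{G}$ be a group of prime order $p$ with generator $g$

CRS: $[\mathbf{v}], [\mathbf{w}_1], \ldots, [\mathbf{w}_n]$ where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_n \in \mathbb{Z}_p^{n+1}$

$\mathbf{v} \leftarrow \mathbb{Z}_p^{n+1}$

Two distributions for $\mathbf{w}_i$:

  • Binding mode: $\mathbf{w}_i \leftarrow s_i \mathbf{v}$ where $s_i \leftarrow \mathbb{Z}_p$
  • Hiding mode: $\mathbf{w}_i \leftarrow \mathbb{Z}_p^{n+1}$

Each vector $\mathbf{y} \in \mathbb{Z}_p^{n+1}$ defines a hidden bits string $b_1\, b_2 \cdots b_n$ with $b_i := H([\mathbf{y}^T \mathbf{w}_i])$

Extensions:

  • Replace DDH with $k$-Lin family of assumptions (for any $k \ge 1$)
  • Replace DDH with subgroup indistinguishability assumptions (e.g., QR/DCR)
  • Use a pairing to publicly implement verification
  • Yields statistical NIZK argument (not dual-mode) from $k$-Lin ($\mathbb{G}_1$) and $k$-KerLin ($\mathbb{G}_2$)

SLIDE 33

Malicious Designated-Verifier Security [QRW19]

Common random string (only trusted setup): 11101001101111100110110000001

[Figure: proofs $\pi_1, \pi_2, \pi_3, \pi_4$ and verification keys $\mathsf{vk}_1, \mathsf{vk}_2, \mathsf{vk}_3, \mathsf{vk}_4$]

Verifiers can choose their own verification key; zero-knowledge should hold even if $\mathsf{vk}_i$ chosen maliciously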

SLIDE 34

Malicious Designated-Verifier Security [QRW19]

Common random string (only trusted setup): 11101001101111100110110000001

[Figure: proofs $\pi_1, \pi_2, \pi_3, \pi_4$ and verification keys $\mathsf{vk}_1, \mathsf{vk}_2, \mathsf{vk}_3, \mathsf{vk}_4$]

Verifiers can choose their own verification key; zero-knowledge should hold even if $\mathsf{vk}_i$ chosen maliciously

All of our DV-NIZK constructions easily adapted to satisfy malicious security (MDV-NIZKs)

  • Technique similar to [QRW19], but relies on a linear independence argument rather than a rewinding argument
  • [QRW19]: computational MDV-NIZK proofs from “one-more CDH”
  • This work: dual-mode MDV-NIZKs from DDH (or $k$-Lin) / QR / DCR

[see paper for details]

SLIDE 35

Summary

NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model

This work: Leverage the FLS compiler to achieve statistical zero-knowledge

  • Dual-mode malicious DV-NIZKs from $k$-Lin in pairing-free groups / QR / DCR
  • Statistical NIZKs from $k$-Lin ($\mathbb{G}_1$) + $k$-KerLin ($\mathbb{G}_2$) in a pairing group

SLIDE 36

Open Questions

NIZKs in the hidden-bits model → NIZKs in the CRS model

Other assumptions: Statistical (DV)-NIZKs from LPN? from CDH?

Statistical NIZK arguments from factoring?

  • [FLS90]: computational NIZK proofs from factoring
  • This work: dual-mode malicious DV-NIZKs from QR / DCR

SLIDE 37

The Landscape of (DV)-NIZKs

| Construction | Assumption | Soundness | Zero-Knowledge |
|---|---|---|---|
| [FLS90] | factoring | computational | statistical |
| [GOS06] | $k$-Lin ($\mathbb{G}_1, \mathbb{G}_2$) | stat. / comp. | stat. / comp. |
| [CHK03] | CDH (pairing group) | computational | statistical |
| [PS19] | LWE | stat. / comp. | stat. / comp. |
| [SW14] | iO + OWFs | statistical | computational |
| [QRW19, CH19, KNYY19] | CDH | computational | statistical |
| [LQRWW19] | CDH/LWE/LPN | computational | computational |
| [CDIKLOV19] | DCR | stat. / comp. | stat. / comp. |
| This work | DDH/QR/DCR | stat. / comp. | stat. / comp. |
| This work | $k$-Lin ($\mathbb{G}_1$), $k$-KerLin ($\mathbb{G}_2$) | computational | statistical |

Row-group labels on the slide: publicly-verifiable; malicious designated-verifier

Thank you!

https://eprint.iacr.org/2020/265