eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.

Paper 2022/393

Improved Straight-Line Extraction in the Random Oracle Model With Applications to Signature Aggregation

Yashvanth Kondi and abhi shelat

Abstract

The goal of this paper is to improve the efficiency and applicability of straightline extraction techniques in the random oracle model. Straightline extraction in the random oracle model refers to the existence of an extractor, which given the random oracle queries made by a prover $P^*(x)$ on some theorem $x$, is able to produce a witness $w$ for $x$ with roughly the same probability that $P^*$ produces a verifying proof. This notion applies to both zero-knowledge protocols and verifiable computation where the goal is compressing a proof. Pass (CRYPTO '03) first showed how to achieve this property for NP using a cut-and-choose technique which incurred a $\lambda^2$-bit overhead in communication where $\lambda$ is a security parameter. Fischlin (CRYPTO '05) presented a more efficient technique based on ``proofs of work'' that sheds this $\lambda^2$ cost, but only applies to a limited class of Sigma Protocols with a ``quasi-unique response'' property, which for example, does not necessarily include the standard OR composition for Sigma protocols. With Schnorr/EdDSA signature aggregation as a motivating application, we develop new techniques to improve the computation cost of straight-line extractable proofs. Our improvements to the state of the art range from 70X--200X for the best compression parameters. This is due to a uniquely suited polynomial evaluation algorithm, and the insight that a proof-of-work that relies on multicollisions and the birthday paradox is faster to solve than inverting a fixed target. Our collision based proof-of-work more generally improves the Prover's random oracle query complexity when applied in the NIZK setting as well. In addition to reducing the query complexity of Fischlin's Prover, for a special class of Sigma protocols we can for the first time closely match a new lower bound we present. Finally we extend Fischlin's technique so that it applies to a more general class of strongly-sound Sigma protocols, which includes the OR composition. We achieve this by carefully randomizing Fischlin's technique---we show that its current deterministic nature prevents its application to certain multi-witness languages.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
zero-knowledgestraight-line extractionnizk
Contact author(s)
ykondi @ ccs neu edu
History
2022-04-01: revised
2022-03-28: received
See all versions
Short URL
https://ia.cr/2022/393
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2022/393,
      author = {Yashvanth Kondi and abhi shelat},
      title = {Improved Straight-Line Extraction in the Random Oracle Model With Applications to Signature Aggregation},
      howpublished = {Cryptology ePrint Archive, Paper 2022/393},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/393}},
      url = {https://eprint.iacr.org/2022/393}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.