[Resource Topic] 2022/1214: Updatable NIZKs from Non-Interactive Zaps

system · September 14, 2022, 1:00am

Welcome to the resource topic for 2022/1214

Title:
Updatable NIZKs from Non-Interactive Zaps

Authors: Karim Baghery, Navid Ghaedi Bardeh

Abstract:

In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro studied the security of NIZK arguments under subverted Structured Reference String (SRS) and presented some positive and negative results. In their best positive result, they showed that by defining an SRS as a tuple of knowledge assumption in bilinear groups (e.g. g^a, g^b, g^{ab}), and then using a Non-Interactive (NI) zap to prove that either there is a witness for the statement \mathsf{x} or one knows the trapdoor of SRS (e.g. a or b), one can build NIZK arguments that can achieve soundness and \textit{subversion zero-knowledge} (zero-knowledge without trusting a third party; Sub-ZK). In this paper, we expand their idea and use NI zaps (of knowledge) to build NIZK arguments (of knowledge) with \textit{updatable}, \textit{universal}, and \textit{succinct} SRS. To this end, we first show that their proposed sound and Sub-ZK NIZK argument can also achieve \textit{updatable} soundness, which is a more desired notion than the plain soundness. Updatable soundness allows the verifier to update the SRS one time and bypass the need for a trusted third party. Then, we show that using a similar OR language, given a NI zap (of knowledge) and a \textit{key-updatable} signature scheme, one can build NIZK arguments that can achieve Sub-ZK and \textit{updatable} simulation soundness (resp. \textit{updatable} simulation extractability). The proposed constructions are the first NIZK arguments that have updatable and succinct SRS, and do not require a random oracle. Our instantiations show that in the resulting NIZK arguments the computational cost for the parties to verify/update the SRS is negligible, namely, a few exponentiations and pairing checks. The run times of the prover and verifier, as well as the size of the proof, are asymptotically the same as those of the underlying NI zap.

ePrint: https://eprint.iacr.org/2022/1214

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .