[Resource Topic] 2024/1654: Compressed $\Sigma$-protocol Theory from Sum-check

Resource Cryptographic protocols
#1

Welcome to the resource topic for 2024/1654

Title:
Compressed \Sigma-protocol Theory from Sum-check

Authors: Shang Gao, Chen Qian, Tianyu Zheng, Yu Guo, Bin Xiao

Abstract:

The compressed \Sigma-protocol theory [AC20, ACF21] presents a standard framework for constructing efficient \Sigma-protocols. This approach primarily consists of two phases: amortization to fold multiple instances satisfying a homomorphic relation into one, and Bulletproofs compression [BBB+18] to reduce the communication overhead to a logarithmic scale when verifying the folded instance. For high-degree polynomial (non-homomorphic) relations, a circuit-based linearization technique is employed to convert each instance into a linear relation, resulting in a protocol with at least linear complexity.

In this paper, we provide a direct method to extend the compressed \Sigma-protocol theory to polynomial relations. One major objective is to avoid the linear cost of linearization. To achieve this, we employ a sum-check during the amortization phase to ensure a logarithmic communication cost. To the best of our knowledge, this is the first work to achieve a logarithmic amortization for polynomial relations. Nevertheless, without linearization, the amortized relation may not be linear, which hinders us from using Bulletproofs compression. To overcome this problem, we employ another sum-check during the compression phase to effectively manage high-degree relations. This allows us to extend the compressed \Sigma-protocol framework to polynomial relations. Furthermore, we introduce several variants of our techniques and adapt them for arithmetic circuit relations. We conclude by showcasing the practicality of our compressed \Sigma-protocol theory through applications such as binary proofs, range proofs, and partial knowledge proofs. Our basic protocols are initially based on the Discrete Logarithm (DL) assumption. We have also extended them to incorporate the Strong-RSA assumption and the Generalized Discrete Logarithm Representation (GDLR) assumption. Our work expands the scope of compressed \Sigma-protocol theory and provides a robust foundation for real-world cryptographic applications.

ePrint: https://eprint.iacr.org/2024/1654

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .