Cryptology ePrint Archive: Report 2015/770

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

Michele Ciampi and Giuseppe Persiano and Luisa Siniscalchi and Ivan Visconti

Abstract: The Fiat-Shamir (FS) transform uses a hash function to generate, without any further overhead, non-interactive zero-knowledge (NIZK) argument systems from constant-round public-coin honest-verifier zero-knowledge (public-coin HVZK) proof systems. In the proof of zero knowledge, the hash function is modeled as a programmable random oracle (PRO).

In TCC 2015, Lindell embarked on the challenging task of obtaining a similar transform with improved heuristic security. Lindell showed that, for several interesting and practical languages, there exists an efficient transform in the non-programmable random oracle (NPRO) model that also uses a common reference string (CRS). A major contribution of Lindell's transform is that zero knowledge is proved without random oracles and this is an important step towards achieving efficient NIZK arguments in the CRS model without random oracles.

In this work, we analyze the efficiency and generality of Lindell's transform and notice a significant gap when compared with the FS transform. We then propose a new transform that aims at filling this gap. Indeed our transform is almost as efficient as the FS transform and can be applied to a broad class of public-coin HVZK proof systems. Our transform requires a CRS and an NPRO in the proof of soundness, similarly to Lindell's transform.

Category / Keywords: cryptographic protocols / NIZK, Fiat-Shamir Transform, NPRO, Sigma Protocols

Original Publication (with minor differences): IACR-TCC-2016

Date: received 2 Aug 2015, last revised 20 Apr 2016

Contact author: ivan visconti at gmail com

Available format(s): PDF | BibTeX Citation

Note: This paper will appear in TCC 2016-A.

Version: 20160420:233324 (All versions of this report)

Short URL: ia.cr/2015/770

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]