Unfortunately, the CDS OR-composition technique works only if both statements are fixed before the proof starts. This limitation restricts its usability in those protocols where the theorems to be proved are defined at different stages of the protocol, but, in order to save rounds of communication, the proof must start even if not all theorems are available. Many round-optimal protocols ([KO04,DPV04,YZ07,SV12]) crucially need such property to achieve round-optimality, and, due to the inapplicability of CDS's technique, are currently implemented using proof systems that requires expensive NP reductions, but that allow the proof to start even if no statement is defined a.k.a., LS proofs from Lapidot-Shamir [LS90]).
In this paper we show an improved OR-composition technique for Sigma-protocols, that requires only one statement to be fixed when the proof starts, while the other statement can be defined in the last round. This seemingly weaker property is sufficient for the applications, where typically one of the theorems is fixed before the proof starts. Concretely, we show how our new OR-composition technique can directly improve the round complexity of the efficient perfect quasi-polynomial time simulatable argument system of Pass [Pass03] (from four to three rounds) and of efficient resettable WI arguments (from five to four rounds).
Category / Keywords: cryptographic protocols / Sigma protocols, round efficiency Original Publication (with minor differences): IACR-TCC-2016 Date: received 14 Aug 2015, last revised 16 Dec 2015 Contact author: ivan visconti at gmail com Available format(s): PDF | BibTeX Citation Note: Part of the results of this paper will appear in TCC 2016-A. Version: 20151217:023326 (All versions of this report) Short URL: ia.cr/2015/810