Cryptology ePrint Archive: Report 2019/1255

Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular

Daniel Benarroch and Matteo Campanelli and Dario Fiore and Dimitris Kolonelos

Abstract: We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e. that for some $u$, "$u \in S$ and $P(u)$ holds''. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new modular and efficient constructions for this problem through new commit-and-prove zero-knowledge systems for set membership, i.e. schemes proving $u \in S$ for a value $u$ that is in a public commitment $c_u$. Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form "$u \in S$ and $P(u)$ holds'' (by combining our set membership system with any other commit-and-prove scheme for $P(u)$). Also, they work with Pedersen commitments over prime order groups which makes them compatible with popular systems such as Bulletproofs or Groth16. Both public parameters and proofs in our solutions have constant-size (i.e., independent of the size of the sets). Compared to previous work that achieves similar properties---Camenisch and Lysyanskaya (CRYPTO 2002) and the clever techniques combining zkSNARKs and Merkle Trees in Zcash---our protocols offer more flexibility and $2.5 \times$ faster proving time for a set of size $2^{60}$.

Category / Keywords: cryptographic protocols / public-key cryptography, zero knowledge, applications

Date: received 27 Oct 2019, last revised 29 Oct 2019

Contact author: matteo campanelli at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20191029:150938 (All versions of this report)

Short URL: ia.cr/2019/1255


[ Cryptology ePrint archive ]