Cryptology ePrint Archive: Report 2020/1334

One-Shot Fiat-Shamir-based NIZK Arguments of Composite Residuosity in the Standard Model

Benoît Libert and Khoa Nguyen and Thomas Peters and Moti Yung

Abstract: The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti {\it et al.} (STOC'19) and Peikert-Shiehian (Crypto'19) showed that, under the Learning-With-Errors (LWE) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to so-called {\it trapdoor} $\Sigma$-protocols. In order to be compatible with CI hash functions based on standard LWE assumptions with polynomial approximation factors, all known such protocols have been obtained via parallel repetitions of a basic protocol with binary challenges. In this paper, we consider languages related to Paillier's composite residuosity assumption (DCR) for which we give the first trapdoor $\Sigma$-protocols providing soundness in one shot, via exponentially large challenge spaces. This improvement is analogous to the one enabled by Schnorr over the original Fiat-Shamir protocol in the random oracle model. Using the correlation-intractable hash function paradigm, we then obtain simulation-sound NIZK arguments showing that an element of $\mathbb{Z}_{N^2}^\ast$ is a composite residue, which opens the door to space-efficient applications in the standard model. As a concrete example, we build logarithmic-size ring signatures (assuming a common reference string) with the shortest signature length among schemes based on standard assumptions in the standard model. We prove security under the DCR and LWE assumptions, while keeping the signature size comparable with that of random-oracle-based schemes.

Category / Keywords: public-key cryptography / NIZK arguments, compactness, simulation-soundness, composite residuosity, Fiat-Shamir, ring signatures, standard model

Date: received 23 Oct 2020, last revised 24 Feb 2021

Contact author: benoit libert at ens-lyon fr,khoantt@ntu edu sg,thomas peters@uclouvain be,motiyung@gmail com

Available format(s): PDF | BibTeX Citation

Version: 20210224:172551 (All versions of this report)

Short URL: ia.cr/2020/1334


[ Cryptology ePrint archive ]