In this work, we focus on the specific case of zero-knowledge proofs for disjunctive statements. We design a general framework that compiles a large class of unmodified $\Sigma$-protocols, each for an individual statement, into a new $\Sigma$-protocol that proves a disjunction of these statements. Our framework can be used both when each clause is proved with the same $\Sigma$-protocol and when different $\Sigma$-protocols are used for different clauses. The resulting $\Sigma$-protocol is concretely efficient and has communication complexity proportional to the communication required by the largest clause, with additive terms that are only logarithmic in the number of clauses.
We show that our compiler can be applied to many well-known $\Sigma$-protocols, including classical protocols (e.g. Schnorr and Guillou-Quisquater) and modern MPC-in-the-head protocols such as the recent work of Katz, Kolesnikov and Wang and the Ligero protocol of Ames et al. Finally, since all of the protocols in our class can be made non-interactive in the random oracle model using the Fiat-Shamir transform, our result yields the first non-interactive zero-knowledge protocol for disjunctions where the communication only depends on the size of the largest clause.
Category / Keywords: cryptographic protocols / Zero-knowledge, Sigma protocols, Disjunctions, interactive proofs Date: received 30 Mar 2021, last revised 30 Mar 2021 Contact author: aarushig at cs jhu edu, mgreen@cs jhu edu, ma@cs au dk, kaptchuk@bu edu Available format(s): PDF | BibTeX Citation Version: 20210331:183502 (All versions of this report) Short URL: ia.cr/2021/422