Paper 2024/1654

Compressed $\Sigma$-protocol Theory from Sum-check

Shang Gao, The Hong Kong Polytechnic University
Chen Qian, The Hong Kong Polytechnic University
Tianyu Zheng, The Hong Kong Polytechnic University
Yu Guo, SECBIT Labs
Bin Xiao, The Hong Kong Polytechnic University
Abstract

The compressed $\Sigma$-protocol theory [AC20, ACF21] presents a standard framework for constructing efficient $\Sigma$-protocols. This approach primarily consists of two phases: amortization to fold multiple instances satisfying a homomorphic relation into one, and Bulletproofs compression [BBB+18] to reduce the communication overhead to a logarithmic scale when verifying the folded instance. For high-degree polynomial (non-homomorphic) relations, a circuit-based linearization technique is employed to convert each instance into a linear relation, resulting in a protocol with at least linear complexity. In this paper, we provide a direct method to extend the compressed $\Sigma$-protocol theory to polynomial relations. One major objective is to avoid the linear cost of linearization. To achieve this, we employ a sum-check during the amortization phase to ensure a logarithmic communication cost. To the best of our knowledge, this is the first work to achieve a logarithmic amortization for polynomial relations. Nevertheless, without linearization, the amortized relation may not be linear, which hinders us from using Bulletproofs compression. To overcome this problem, we employ another sum-check during the compression phase to effectively manage high-degree relations. This allows us to extend the compressed $\Sigma$-protocol framework to polynomial relations. Furthermore, we introduce several variants of our techniques and adapt them for arithmetic circuit relations. We conclude by showcasing the practicality of our compressed $\Sigma$-protocol theory through applications such as binary proofs, range proofs, and partial knowledge proofs. Our basic protocols are initially based on the Discrete Logarithm (DL) assumption. We have also extended them to incorporate the Strong-RSA assumption and the Generalized Discrete Logarithm Representation (GDLR) assumption. Our work expands the scope of compressed $\Sigma$-protocol theory and provides a robust foundation for real-world cryptographic applications.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Sigma-ProtocolsCompressed Σ-protocol theorySum-check protocolsArithmetic circuit satisfiability
Contact author(s)
shanggao @ polyu edu hk
chenqian qian @ connect polyu hk
tian-yu zheng @ connect polyu hk
yu guo @ secbit io
b xiao @ polyu edu hk
History
2024-10-19: last of 2 revisions
2024-10-14: received
See all versions
Short URL
https://ia.cr/2024/1654
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1654,
      author = {Shang Gao and Chen Qian and Tianyu Zheng and Yu Guo and Bin Xiao},
      title = {Compressed $\Sigma$-protocol Theory from Sum-check},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1654},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1654}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.