Efficient Set Membership Proofs using MPC-in-the-Head

Goel, Aarushi; Green, Matthew; Hall-Andersen, Mathias; Kaptchuk, Gabriel

doi:10.2478/popets-2022-0047

Cited by 5 publications

(4 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In a work concurrent to ours, Goel et al [27] provided a membership proof protocol towards building a ring signature, which is equivalent to our observation discussed above (i.e. restructuring a disjunctive proof statement to a disjunction of equalities).…”

Section: Related Workmentioning

confidence: 75%

“…In addition, Mac'n'cheese can handle only Boolean or arithmetic circuits, therefore as an example, a mixed statement in the form of SHA256(g x ) = y would need around 250 million gates (as shown in Appendix B), while gOTzilla is compatible with techniques combining algebraic and non-algebraic statements similar to the work by Chase et al [19] as discussed in Section 5, and therefore we don't need to covert between circuit types. Finally, in comparison to the concurrent work of [27], and based on their reported numbers our protocol ¶ These estimates were provided by Mac'n'cheese [10] authors assuming cost per gate is 120ns. is roughly 6x more efficient in computational costs (assuming the reported runtime t in Table 2 of [27] only takes the prover's or the verifier's costs into account, but not both simultaneously as we do), namely for 2 13 elements our total runtime for 256 bits of statistical security (which implies a parameter τ = 80) is 644ms while the total runtime for [27] in an equivalent system would be 3960ms.…”

Section: Discussionmentioning

confidence: 99%

“…Finally, in comparison to the concurrent work of [27], and based on their reported numbers our protocol ¶ These estimates were provided by Mac'n'cheese [10] authors assuming cost per gate is 120ns. is roughly 6x more efficient in computational costs (assuming the reported runtime t in Table 2 of [27] only takes the prover's or the verifier's costs into account, but not both simultaneously as we do), namely for 2 13 elements our total runtime for 256 bits of statistical security (which implies a parameter τ = 80) is 644ms while the total runtime for [27] in an equivalent system would be 3960ms. However, our protocol has higher communication costs, primarily because of the required proof of bounded Ring-LWE noise.…”

Section: Discussionmentioning

confidence: 99%

“…There is no available implementation of Stacking Sigmas [28] for a direct comparison, however Stacking sigmas is expected to be more expensive than Mac'n'Cheese concretely due to its underlying techniques (Stacking sigmas relies on commitments with elliptic curve operations which are more expensive than VOLE used in Mac'n'cheese). Also, there is no available implementation for Goel et al [27] therefore our comparison is based on their evaluation. We note that a caveat of our approach is that we generally have larger memory requirements as opposed to Mac'n'Cheese where the prover and verifier are not required to store the entire proof statement in memory.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

gOTzilla: Efficient Disjunctive Zero-Knowledge Proofs from MPC in the Head, with Application to Proofs of Assets in Cryptocurrencies

Baldimtsi

Chatzigiannis

Gordon

et al. 2022

PoPETs

View full text Add to dashboard Cite

We present gOTzilla, a protocol for interactive zero-knowledge proofs for very large disjunctive statements of the following format: given publicly known circuit C, and set of values Y = {y1 , . . . , yn }, prove knowledge of a witness x such that C(x) = y1 ∨ C(x) = y2 ∨ · · · ∨ C(x) = yn . These type of statements are extremely important for the proof of assets (PoA) problem in cryptocurrencies where a prover wants to prove the knowledge of a secret key sk that associates with the hash of a public key H(pk) posted on the ledger. We note that the size of n in popular cryptocurrencies, such as Bitcoin, is estimated to 80 million. For the construction of gOTzilla, we start by observing that if we restructure the proof statement to an equivalent of proving knowledge of (x, y) such that (C(x) = y) ∧ (y = y1 ∨ · · · ∨ y = yn )), then we can reduce the disjunction of equalities to 1-out-of-N oblivious transfer (OT). Our overall protocol is based on the MPC in the head (MPCitH) paradigm. We additionally provide a concrete, efficient extension of our protocol for the case where C combines algebraic and non-algebraic statements (which is the case in the PoA application). We achieve an asymptotic communication cost of O(log n) plus the proof size of the underlying MPCitH protocol. While related work has similar asymptotic complexity, our approach results in concrete performance improvements. We implement our protocol and provide benchmarks. Concretely, for a set of size 1 million entries, the total run-time of our protocol is 14.89 seconds using 48 threads, with 6.18 MB total communication, which is about 4x faster compared to the state of the art when considering a disjunctive statement with algebraic and non-algebraic elements.

show abstract

Section: Related Workmentioning

confidence: 75%