An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-programmable Random Oracle [chapter]

Yehuda Lindell
2015 Lecture Notes in Computer Science  
In this short paper, we present a Fiat-Shamir type transform that takes any Sigma protocol for a relation $R$ and outputs a non-interactive zero-knowledge proof (not of knowledge) for the associated language $L_R$, in the common reference string model. As in the Fiat-Shamir transform, we use a hash function $H$. However, zero-knowledge is achieved under standard assumptions in the common reference string model (without any random oracle), and soundness is achieved in the non-programmable random oracle model. The concrete computational complexity of the transform is only slightly higher than the original Fiat-Shamir transform.

We denote by $P_1, P_2$ the prover algorithms for a Sigma protocol for the relation $R$. Thus, a proof of common statement $x$ with witness $w$ (for $(x, w) \in R$) is run by the prover sending the verifier the first message $a = P_1(x, w)$, the verifier sending a random query $e \leftarrow \{0, 1\}^t$, and the prover replying with $z = P_2(x, w, e)$. We denote the verification algorithm by $V_\Sigma(x, a, e, z)$.

PROTOCOL 4.1 (NIZK from Sigma Protocol for Relation $R$)
• Inputs: common statement $x$; the prover also has a witness $w$ such that $(x, w) \in R$
• Common reference string: the (regular) CRS $\rho$ of a dual-mode commitment scheme, and a key $s$ for a hash function family $H$.
• Auxiliary input: $1^n$, where $n \in \mathbb{N}$ is the security parameter
• The prover algorithm $P(x, w, \rho)$:
doi:10.1007/978-3-662-46494-6_5 fatcat:m5mjutpn7nda7efl3tb3yporua