Batch Arguments for NP and More from Standard Bilinear Group Assumptions [article]

Brent Waters, David J. Wu
2022 IACR Cryptology ePrint Archive  
A non-interactive batch argument for NP provides a way to amortize the cost of NP verification across multiple instances. They enable a prover to convince a verifier of multiple NP statements with communication much smaller than the total witness length and verification time much smaller than individually checking each instance. In this work, we give the first construction of a non-interactive batch argument for NP from standard assumptions on groups with bilinear maps (specifically, from either the subgroup decision assumption in composite-order groups or from the -Lin assumption in prime-order groups for any ≥ 1). Previously, batch arguments for NP were only known from LWE, or a combination of multiple assumptions, or from non-standard/non-falsifiable assumptions. Moreover, our work introduces a new direct approach for batch verification and avoids heavy tools like correlation-intractable hash functions or probabilistically-checkable proofs common to previous approaches. As corollaries to our main construction, we also obtain the first publicly-verifiable non-interactive delegation scheme for RAM programs with a CRS of sublinear size (in the running time of the RAM program), as well as the first aggregate signature scheme (supporting bounded aggregation) from standard assumptions on bilinear maps.

* associated with instance * with * ← * ∈ G. Critically, * is now in the full group rather than the order-subgroup G . The encodings associated with instances ≠ * are still sampled from G . We can construct the cross terms , in a similar manner as before: the components for , ≠ * are unaffected and we set * , = , * = * ∈ G. The trapdoor CRS is computationally indistinguishable from the normal CRS by the subgroup decision assumption [BGN05]. Consider the wire consistency checks and gate consistency checks: * top , base = 1 with probability 1 − negl( ). Otherwise, we have an adversary that breaks somewhere extractability of Π (0) BARG . By definition of top , this means BARG 0 .OnlineVerify vk * * top , , base = 1. Claim 5.7. If Π (0) BARG is a somewhere extractable argument of knowledge, then there exists a negligible function negl(•) such that for all ∈ N, Pr[ (x * , w Proof. This follows from the fact that (crs base , td base ) is sampled using BARG 0 .TrapSetup with index * base . By Claim 5.6, with probability 1 − negl( ), BARG 0 .OnlineVerify vk * * top , , base = 1, where vk * * top
dblp:journals/iacr/WatersW22 fatcat:rvtiizzhizfsxebsafr6sprg2e