Monotone Policy BARGs from BARGs and Additively Homomorphic Encryption

Nassar, Shafik; Waters, Brent; Wu, David J.

doi:10.1007/978-3-031-78017-2_14

Shafik Nassar⁹,
Brent Waters^9,10 &
David J. Wu⁹

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 15365))

Included in the following conference series:

Theory of Cryptography Conference

78 Accesses

Abstract

A monotone policy batch $\textsf{NP} $ language $\mathcal {L}_{\mathcal {R}, P}$ is parameterized by a monotone policy $P :\{0,1\}^k \rightarrow \{0,1\}$ and an $\textsf{NP} $ relation $\mathcal {R}$. A statement $(x_1, \ldots , x_k)$ is a yes instance if there exists $w_1, \ldots , w_k$ where $P(\mathcal {R}(x_1, w_1), \ldots , \mathcal {R}(x_k, w_k)) = 1$. For example, we might say that an instance $(x_1, \ldots , x_k)$ is a yes instance if a majority of the statements are true. A monotone policy batch argument (BARG) for $\textsf{NP} $ allows a prover to prove that $(x_1, \ldots , x_k) \in \mathcal {L}_{\mathcal {R}, P}$ with a proof of size $\textsf{poly}(\lambda , |\mathcal {R}|, \log k)$, where $\lambda $ is the security parameter, $|\mathcal {R}|$ is the size of the Boolean circuit that computes $\mathcal {R}$, and k is the number of instances. Recently, Brakerski, Brodsky, Kalai, Lombardi, and Paneth (CRYPTO 2023) gave the first monotone policy BARG for $\textsf{NP} $ from the learning with errors (LWE) assumption.

In this work, we describe a generic approach for constructing monotone policy BARGs from any BARG for $\textsf{NP} $ together with an additively homomorphic encryption scheme. This yields the first constructions of monotone policy BARGs from the k-$\textsf{Lin}$ assumption in prime-order pairing groups as well as the (subexponential) DDH assumption in pairing-free groups. Central to our construction is a notion of a zero-fixing hash function, which is a relaxed version of a predicate-extractable hash function from the work of Brakerski et al. Our relaxation enables a direct realization of zero-fixing hash functions from BARGs for $\textsf{NP} $ and additively homomorphic encryption, whereas the previous notion relied on leveled homomorphic encryption, and by extension, the LWE assumption.

As an application, we also show how to combine a monotone policy BARG with a puncturable signature scheme to obtain a monotone policy aggregate signature scheme. Our work yields the first (statically-secure) monotone policy aggregate signatures that supports general monotone Boolean circuits from standard pairing-based assumptions. Previously, this was only known from LWE.

You have full access to this open access chapter, Download conference paper PDF

mrNISC from LWE with Polynomial Modulus

Fine-Grained Cryptography Revisited

Article 24 May 2021

Sublinear-Communication Secure Multiparty Computation Does Not Require FHE

1 Introduction

A non-interactive batch argument (BARG) for $\textsf{NP}$ allows a prover to convince a verifier that a collection of k statements $x_1, \ldots , x_k$ is true with a proof whose size scales sublinearly with k. Beyond the immediate application to amortizing the communication cost of $\textsf{NP}$ verification, batch arguments for $\textsf{NP}$ also play a key role in constructing delegation for RAM programs (also known as a succinct non-interactive argument (SNARG) for $\textsf{P}$) [KVZ21, CJJ21b, KLVW23] and incrementally verifiable computation [DGKV22, PP22]. These objects have received extensive study recently, and to date, we have constructions from most standard algebraic assumptions in cryptography such as the learning with errors (LWE) assumption [CJJ21b], the k-$\textsf{Lin}$ assumption on groups with bilinear maps [WW22], the (sub-exponential) decisional Diffie-Hellman (DDH) assumption in pairing-free groups [CGJ+23], or combinations of quadratic residuosity and (sub-exponential) DDH in pairing-free groups [CJJ21a, HJKS22].

Beyond batch $\textsf{NP}$ and $\textsf{P}$. The recent successes in constructing succinct arguments for batch $\textsf{NP}$ and for $\textsf{P}$ from standard cryptographic assumptions has motivated the study of other (sub)-classes of $\textsf{NP}$ for which we can build succinct non-interactive arguments from standard (falsifiable) assumptions. Very recently, Brakerski, Brodsky, Kalai, Lombardi, and Paneth [BBK+23] showed how to construct SNARGs for monotone policy batch $\textsf{NP}$. At a high level, the monotone policy batch $\textsf{NP}$ language $\mathcal {L}_{\mathcal {R}, P}$ is defined with respect to an $\textsf{NP}$ relation $\mathcal {R}$ together with a monotone policy $P :\{0,1\}^k \rightarrow \{0,1\}$ as follows:

$$\begin{aligned} \mathcal {L}_{\mathcal {R}, P} = \left\{ (x_1, \ldots , x_k) \mid \exists (w_1, \ldots , w_k) : P(\mathcal {R}(x_1, w_1), \ldots , \mathcal {R}(x_k, w_k)) = 1 \right\} . \end{aligned}$$

In words, an instance $(x_1, \ldots , x_k)$ is true as long as an acceptable subset of the statements are true (as determined by the policy P). Such “monotone policy batch arguments” capture policies like majority, general thresholds, and more. The standard batch argument corresponds to the special case where the policy P is a simple conjunction.

Brakerski et al. [BBK+23] provided two constructions of monotone policy BARGs for $\textsf{NP}$. The first construction only relies on standard (somewhere extractable) BARGs and collision-resistant hash functions, but could only support monotone policies of logarithmic depth (i.e., monotone $\textsf{NC}^1$). To extend to monotone policies of arbitrary polynomial depth, they combine standard BARGs with a new notion of a predicate-extractable hash function, which they then build from the LWE assumption (specifically, they rely on leveled homomorphic encryption). This yields a monotone policy batch argument for arbitrary monotone policies from the LWE assumption. Due to the current reliance on leveled homomorphic encryption to construct the predicate-extractable hash function, instantiations of monotone policy BARGs for arbitrary-depth policies rely on the LWE assumption.

1.1 Our Results

Our main result in this work is showing how to construct BARGs for monotone policies by combining a (standard) BARG with an additively homomorphic encryption scheme (which can in turn be built from most number-theoretic assumptions [Gam84, Pai99, Reg05]). Combined with the recent progress on constructing BARGs from pairing-based groups [WW22] and pairing-free groups [CGJ+23], we obtain the first monotone policy BARGs for $\textsf{NP}$ from the k-$\textsf{Lin}$ assumption over pairing groups and from the (sub-exponentially) DDH assumption in pairing-free groups. We provide an overview of our techniques in Sect. 1.2 and summarize our main results in the following theorem:

Theorem 1

(Informal). Assuming any of (1) the plain LWE assumption, (2) the k-$\textsf{Lin}$ assumption over pairing groups for any constant $k \in \mathbb {N}$, or (3) the (sub-exponential) DDH assumption in pairing-free groups, there exists a monotone policy BARG for all polynomial-size monotone circuit policies. The monotone policy BARG satisfies non-adaptive soundness and the proof size is $\textsf{poly}(\lambda + |C| + \log |P|)$, where |C| denotes the size of the Boolean circuit computing the $\textsf{NP}$ relation, and |P| is the size of the monotone policy.

Monotone Policy Aggregate Signatures. A key difference between Theorem 1 and the previous LWE-based construction [BBK+23] is that we obtain a non-adaptively-sound BARG for monotone circuit policies whereas the [BBK+23] construction satisfied a stronger “somewhere extractability” notion. That is, in [BBK+23], the common reference string (CRS) can be sampled in a trapdoor mode and the trapdoor can be used to recover a witness for some $x_i$ given a valid proof on statements $(x_1, \ldots , x_k)$. While extractability is often useful to have in a cryptographic primitive, it is not always essential.

As an illustrative example, we show how to use monotone policy BARGs in conjunction with (puncturable) signatures [GVW19] to construct a monotone policy aggregate multi-signature scheme. In an aggregate multi-signature scheme, there is a set of k signers, each with a signing/verification key-pair $(\textsf{sk}_i, \textsf{vk}_i)$. Given a policy P and a set of signatures $\sigma _i$ for $i \in S$ (where $\sigma _i$ verifies with respect to $\textsf{vk}_i$) on a common message m, if the set S satisfies the policy P, then it is possible to aggregate $\left\{ \sigma _i \right\} _{i \in S}$ into a single short signature whose size is sublinear in |S|. For instance, P might encode a “threshold” policy that accepts all sets of size at least t. Crucially, static security of our monotone policy aggregate signature scheme only relies on non-adaptive soundness of the monotone policy BARG and security of the puncturable signature scheme. There is no need for an explicit extraction requirement. Very briefly, a puncturable signature scheme allows one to sample a “punctured” verification key $\textsf{vk}$ (and associated signing key) for some message $m^*$. The punctured verification key is computationally indistinguishable from a normal verification key, but has the property that there does not exist any signatures on the punctured message $m^*$ with respect to the punctured key. As shown in [GVW19], puncturable (or “all-but-one signatures”) can be constructed from many standard number-theoretic assumptions. We summarize this result in the following theorem:

Theorem 2

(Informal). Assuming the existence of a non-adaptively sound monotone BARG and a puncturable signature scheme, there exists a monotone policy aggregate multi-signature scheme. The scheme satisfies static unforgeability and the size of the aggregate signature is $\textsf{poly}(\lambda + \log |P|)$, where |P| denotes the size of the circuit computing the monotone policy.

Theorem 2 shows that in combination with puncturable signatures, soundness alone is sufficient for building aggregate signatures for general monotone policies. Notably, Theorem 2 also provides the first monotone policy aggregate signature from pairing-based assumptions (in the plain model). Previous work have shown how to build vanilla aggregate signatures using (vanilla) non-interactive batch arguments [WW22, DGKV22]. In an independent and concurrent work, [BCJP24] also show how to construct a monotone policy aggregate multi-signature. Their work provides two constructions of monotone policy aggregate (multi)-signatures. The first scheme supports monotone policies that can be implemented by a read-once, bounded-space Turing machine and is also adaptively secure. This scheme relies on somewhere extractable BARGs and a verifiable private information retrieval scheme [BKP22], and can be instantiated from standard pairing-based or lattice-based assumptions. The second scheme supports policies implemented by an arbitrary monotone Boolean circuit, but achieves a weaker security definition (closer to static security) and also relies on fully homomorphic encryption (which to date, is not known from pairing-based assumptions). Theorem 2 gives a statically-secure monotone policy aggregate signature scheme that supports all monotone Boolean circuits, and does not rely on fully homomorphic encryption. This enables a new instantiation from pairings.

Soundness vs. Extraction. While Theorem 2 shows that extraction is unnecessary for all applications of monotone policy BARGs, our proof strategy for arguing soundness can nonetheless be extended to achieve a notion of extractability (see the full version [NWW23, Section 8]). The notion we achieve is similar to the somewhere extractability notion from [BBK+23], where for every monotone policy P, they define a notion of a “necessary set” associated with P (i.e., a set with the property that for every satisfying input $(x_1, \ldots , x_n)$ to P, there exists $i \in S$ where $x_i = 1$). The somewhere extractability notion from [BBK+23] programs S into the common reference string, and asserts that whenever the prover comes up with an accepting proof for statements $(x_1, \ldots , x_k)$ for an $\textsf{NP}$ relation $\mathcal {R}$ and policy P, then the extractor will output $w_i$ for $i \in S$ where $\mathcal {R}(x_i, w_i) = 1$. Our construction satisfies a looser variant of this property where the success probability of the extractor is smaller by a factor of 1/k. We refer to this notion as semi-somewhere extractability. While our construction does achieve this notion of extraction with essentially no modification (see the full version [NWW23, Section 8]), we choose to focus on the simpler notion of non-adaptive soundness in the core part of this paper. Our rationale is twofold:

First, there is a lack of consensus on what the “right” notion of extraction is when it comes to the setting of monotone policy BARGs. Notably, the recent and concurrent work of [BCJP24] that builds monotone policy aggregate signatures highlighted the inadequacy of the somewhere extractability notion from [BBK+23] for their particular application to constructing monotone policy aggregate signatures. Indeed, the work of [BCJP24] propose two different and seemingly incomparable notions of extraction for their application. This illustrates that the most useful or desirable notion of extraction for monotone policy BARGs may be application-dependent.
Second, while it is straightforward to show that our construction satisfies some notion of extractability, proving this property does not appear to confer additional capabilities. For the main application to statically-secure aggregate signatures, we showed above that non-adaptive soundness already suffices. There is no need for extraction if this is the end goal. The main advantage of having some kind of extractability definition is we can apply this construction to compile any digital signature scheme into a monotone policy aggregate signature scheme, as opposed to restricting ourselves to puncturable signatures (and we show this in the full version of this paper [NWW23]). While there is a qualitative benefit to this, we do not view it as strong evidence that semi-somewhere extractability is a clearly more powerful or more useful notion than non-adaptive soundness.

A New Application: general-policy BARGs for $\textsf{NP} \cap \textsf{coNP} $. We also highlight a simple application of BARGs for monotone policy batch $\textsf{NP}$ to constructing a BARG that supports arbitrary policies over languages in $\textsf{NP} \cap \textsf{coNP} $. Our observation essentially follows the similar strategy of extending monotone closure of $\textsf{SZK}$ to non-monotone closure [Vad06]. Specifically, for a language $\mathcal {X}\in \textsf{NP} \cap \textsf{coNP} $ and an arbitrary policy $P :\{0,1\}^k \rightarrow \{0,1\}$, we define the language

$$\begin{aligned} \mathcal {L}_{\mathcal {X}, P} = \left\{ (x_1, \ldots , x_k) \mid P(b_1, \ldots , b_k) = 1 \text { where } b_i = \mathbbm {1}\left\{ x_i \in \mathcal {X} \right\} \right\} , \end{aligned}$$

where $\mathbbm {1}\left\{ x_i \in \mathcal {X} \right\} $ is the indicator function that outputs 1 if $x_i \in \mathcal {X}$ and 0 otherwise. Importantly, in this context, we allow P to be any arbitrary (possibly non-monotone) Boolean circuit. It is not difficult to see that a BARG for monotone policy batch $\textsf{NP}$ immediately implies a BARG for $\mathcal {L}_{\mathcal {X}, P}$. Namely, we first re-express the circuit P on k inputs $b_1, \ldots , b_k$ as a new monotone circuit $P'$ on 2k inputs corresponding to the original input bits $b_1, \ldots , b_k$ as well as their negations $\bar{b}_1, \ldots , \bar{b}_k$. We can then apply a BARG for monotone policy batch $\textsf{NP}$ on the set of 2k inputs with the policy $P'$. For this transformation to work, it is important that for each statement $x_i$, the prover can either provide a proof of membership $x_i \in \mathcal {X}$ (which sets $b_i = 1$) or a proof of non-membership $x_i \notin \mathcal {X}$ (which sets $\bar{b}_i = 1$).

1.2 Technical Overview

The starting point of our BARG construction is the “canonical protocol” from [BBK+23, §2.1]. We recall this below. In our description, we will consider the $\textsf{NP}$ relation of Boolean circuit satisfiability.

Given a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a monotone policy $P :\{0,1\}^k \rightarrow \{0,1\}$, statements $x_1, \ldots , x_k \in \{0,1\}^n$, witnesses $w_1, \ldots , w_k \in \{0,1\}^h$, the prover first computes $b_i \leftarrow C(x_i, w_i)$ for all $i \in [k]$.
The prover then evaluates the circuit $P(b_1, \ldots , b_k)$. The prover commits to all of the wire values in $P(b_1, \ldots , b_k)$ using a succinct commitment $\textsf{com}$ that supports local openings. We index the input wires with the integers $1, \ldots , k$, the output wire by s (where s is the number of wires in P), and the intermediate wires with $k + 1, \ldots , s - 1$.
The prover uses a batch argument to prove the following statements with respect to the commitment $\textsf{com}$:
- Input wires: For every input wire $j \in [k]$, it proves that there exists a local opening of $\textsf{com}$ to a value $b_j \in \{0,1\}$ at index j, and moreover, $b_j = C(x_j, w_j)$.
- Gate computation: For every gate g in P with input wires $j_{ \textsc {l}}, j_{ \textsc {r}}$ and output wire j, it proves that there exists a local opening of $\textsf{com}$ to wire values $b_{j_{ \textsc {l}}}, b_{j_{ \textsc {r}}}, b_i \in \{0,1\}$ at indices $j_{ \textsc {l}}, j_{ \textsc {r}}, j \in [s]$, respectively, and moreover, $b_j = g(b_{j_{ \textsc {l}}}, b_{j_{ \textsc {r}}})$.
- Output wire: It proves that there exists a local opening to the value 1 at index s for $\textsf{com}$.
The proof consists of the commitment $\textsf{com}$ together with the batch argument $\pi $.

When the policy circuit P has logarithmic depth, the authors of [BBK+23] describe a simple inductive argument to argue the security of this construction by relying on somewhere extractability of the underlying BARG. Somewhere extractability says that the common reference string of the BARG can be programmed at a small number of (hidden) indices $i_1, \ldots , i_\ell $. Given a valid proof $\pi $ for $(x_1, \ldots , x_n)$ along with a trapdoor, one can extract witnesses for $x_{i_1}, \ldots , x_{i_\ell }$. However, when P has super-logarithmic depth, the basic inductive argument no longer suffices (specifically, the security loss of the reduction decays exponentially in the depth of P).

Predicate-Extractable Hash Functions for Bit-Fixing Constraints. To construct monotone policy BARGs for policies P of arbitrary depth, the authors of [BBK+23] replace the Merkle hash of the wire values with a more sophisticated “predicate-extractable” hash function for bit-fixing constraints.^{Footnote 1}

A predicate-extractable hash function for bit-fixing predicates is a hash function where the hash key can be programmed in one of two computationally indistinguishable modes: (1) a normal mode and (2) a bit-fixing mode. In bit-fixing mode, the setup algorithm takes as input a set of indices $S \subseteq [n]$ along with a collection of bits $\{ (i, y_i) \}_{i \in S}$, where n is the input length. It outputs a hash key $\textsf{hk}$ and an extraction trapdoor $\textsf{td}$. The correctness requirement says that if $\textsf{dig}= \textsf{Hash}(\textsf{hk}, \textbf{x})$ for an input $\textbf{x}$ where $x_i = y_i$ for all $i \in S$, then $\textsf{Extract}(\textsf{td}, \textsf{dig}) = \textsf{Matching} $. Alternatively, if $\textsf{dig}$ is a digest for an input $\textbf{x}$ where $x_i \ne y_i$ for some $i \in S$, then $\textsf{Extract}(\textsf{td}, \textsf{dig})$ should output $(\textsf{NotMatching}, {i^*})$ where ${i^*}\in S$ is an index where $x_{{i^*}} \ne y_{{i^*}}$. Essentially, the extractor is deciding whether $\textsf{dig}$ corresponds to the hash of an input that is consistent with $\left\{ (i, y_i) \right\} _{i \in S}$. If the hash is declared inconsistent, the extractor outputs one of the inconsistent indices. Finally, the hash function supports succinct local openings to individual bits of an input. The two key security properties are as follows:

For a hash digest $\textsf{dig}$ where $\textsf{Extract}(\textsf{td}, \textsf{dig}) = \textsf{Matching} $, then it should be computationally difficult to construct an opening for $\textsf{dig}$ to a value $x_i \ne y_i$ for any $i \in S$.
For a hash digest $\textsf{dig}$ where $\textsf{Extract}(\textsf{td}, \textsf{dig}) = (\textsf{NotMatching}, {i^*})$, then it should be computationally difficult for the adversary to open index ${i^*}$ to the value $y_{{i^*}}$.

In the monotone BARG construction, the prover takes the Boolean circuit C, the policy P, the statements $(x_1, \ldots , x_k)$ and the witnesses $(w_1, \ldots , w_k)$, and computes $b_i \leftarrow C(x_i, w_i)$ and $P(b_1, \ldots , b_k)$. Let $(b_1, \ldots , b_s)$ be the complete set of wire values in $P(b_1, \ldots , b_k)$, arranged in topological order. The prover hashes the wire values $(b_1, \ldots , b_s)$ using the predicate-extractable hash function. In fact, the prover computes two independent hashes $\textsf{dig}_1, \textsf{dig}_2$ of the wire values, and the BARG will check validity of the openings against both hashes. To argue non-adaptive soundness, the authors of [BBK+23] first define the zero-set J associated with a circuit C, policy P, and statement $(x_1, \ldots , x_k)$:

For each $i \in [k]$, let $\beta ^*_i = 1$ if there exists $w_i$ such that $C(x_i, w_i) = 1$ and let $\beta ^*_i = 0$ otherwise.
Let $\beta ^*_1, \ldots , \beta ^*_s = P(\beta ^*_1, \ldots , \beta ^*_k)$ be the wire values in $P(\beta ^*_1, \ldots , \beta ^*_s)$, where the wires are ordered topologically.
Let $J = \left\{ i \in [k] : \beta ^*_i = 0 \right\} $. For a layer index t, define $J_t \subseteq J$ to just contain the indices of wires in layer t of P.

The proof of non-adaptive soundness now proceeds as follows:^{Footnote 2}

Take any circuit C, monotone policy P, and statements $x_1, \ldots , x_k$. The invariant they use roughly says the following: if $\textsf{hk}_0, \textsf{hk}_1$ are programmed to bind to the all-zeroes string on the zero-sets $J_i, J_{i - 1}$ for layers i and $i - 1$ of P, and the digest associated with the upper layer is $\textsf{NotMatching} $, then the digest associated with the lower layer is also $\textsf{NotMatching} $.
To establish this invariant, the proof critically relies on BARG security and security of the predicate-extractable hash function. Namely, if the extractor declares an index $j \in J_i$ in the upper layer to be $\textsf{NotMatching} $ and the BARG is set to be extracting on wire j, then that means the adversary must have opened one of the input wires $j'$ (to the gate computing wire j) to a 1 where $j' \in J_{i - 1}$ (since the policy P is monotone). Security of the hash function then says that the extractor must declare the digest associated with the lower layer to be $\textsf{NotMatching} $.
To complete the proof, they argue that the output layer must be $\textsf{NotMatching} $ (by programming the BARG to be extracting on the output wire). By propagating the invariant to the input wires, they conclude that the input layer must be $\textsf{NotMatching} $ (when one of the hash keys is programmed to bind on the input layer). In this case, programming the BARG to be extracting on the wire identified by the $\textsf{NotMatching} $ input (output by the extractor for the hash function) yields a contradiction (in this case, the BARG extractor would need to output a witness for a false $\textsf{NP}$ statement).

The authors of [BBK+23] then show how to construct a predicate-extractable hash function for bit-fixing predicates using the learning with errors (LWE) assumption. Their construction specifically relies on leveled homomorphic encryption (similar to the construction of somewhere statistically binding hash functions [HW15]). In conjunction with BARGs for $\textsf{NP}$ based on LWE [CJJ21b], this yields a monotone policy BARG for $\textsf{NP}$ from LWE.

This Work: Zero-Fixing Hash Functions. The starting point of our work is a relaxation of a predicate-extractable hash function for bit-fixing predicates we call a zero-fixing hash function. Like the predicate-extractable hash function, the zero-fixing hash function supports succinct local openings and moreover, the hash key for a zero-fixing hash function can be sampled in one of two computationally-indistinguishable modes: (1) a normal mode and (2) a zero-fixing mode. In zero-fixing mode, the setup algorithm takes as input a set $S \subseteq [n]$ of indices (that should be zero) and outputs a hash key $\textsf{hk}$ along with a trapdoor $\textsf{td}$. There is also an extract algorithm $\textsf{Extract}$ that takes as input the hash key $\textsf{hk}$ and a digest $\textsf{dig}$, and outputs either $\textsf{Matching} $ or $\textsf{NotMatching} $. The key distinction with predicate-extractable hash functions is that $\textsf{Extract}$ only outputs the flag; it does not output an index when it declares a digest $\textsf{NotMatching} $. Correspondingly, the zero-fixing security requirement only imposes a requirement for matching digests:

Zero-fixing: Suppose $(\textsf{hk}, \textsf{td})$ are sampled in zero-fixing mode for a set S. Then, for any digest $\textsf{dig}$ where $\textsf{Extract}(\textsf{td}, \textsf{dig})$ outputs $\textsf{Matching} $, it should be hard to find an opening to an index $i \in S$ to the value 1.

While this distinction of having the extractor output a mismatching index j or not might seem like a small difference, it has two significant implications:

Simpler to construct: By only requiring the zero-fixing hash function declare whether a digest is $\textsf{Matching}$ or $\textsf{NotMatching}$, we significantly simplify the construction of the hash function. Whereas computing and propagating an index of a “mismatching bit” (as in [BBK+23]) relies heavily on (leveled) homomorphic encryption, checking whether there exists a mismatching index or not can be realized from simpler tools. As we show in this work (and describe later on), we can construct zero-fixing hash functions generically from BARGs for $\textsf{NP}$ together with any additively homomorphic encryption scheme (Section 5). If we prefer to avoid non-black-box techniques altogether, we also describe a direct algebraic construction using composite-order pairing groups (the full version [NWW23, Section 6]). This is the critical distinction that allows us to obtain monotone policy BARGs from group-based assumptions (which give additively homomorphic encryption [Gam84] but not leveled homomorphic encryption).
Sufficient for monotone policy BARGs: A second important fact is that our notion of zero-fixing hash function still suffices to build monotone policy BARGs. As noted in the preceding sketch, the soundness analysis from [BBK+23] critically relied on the hash function extractor outputting an index of a mismatching bit. This is so that when the BARG is programmed to bind on the wire associated with the mismatching index, the $\textsf{NotMatching}$ invariant propagates from the output layer to the input layer. In our setting, the zero-fixing extractor only outputs $\textsf{Matching}$ or $\textsf{NotMatching}$, and in the case where the extractor outputs $\textsf{NotMatching}$, we cannot definitively declare an index to be “mismatching.” This requires a new proof strategy as well as imposing additional security requirements on the zero-fixing hash function. We describe these properties as well as our new proof strategy in more detail below.

Monotone Policy BARGs from Zero-Fixing Hash Functions. Our main construction is similar to the canonical protocol from [BBK+23] sketched above, except the prover commits to all of the wires of the policy circuit P using two zero-fixing hash functions (with hash keys $\textsf{hk}_1$ and $\textsf{hk}_2$). Our security analysis takes a different bottom-up approach rather than the previous top-down approach. The bottom-up approach is more natural when using our zero-fixing hash function. Here, we provide a sketch of our non-adaptive soundness analysis.

To argue non-adaptive soundness, fix a Boolean circuit C, a monotone policy P (assumed to be a layered Boolean circuit), and a false statement $(x_1, \ldots , x_k)$. Similar to [BBK+23], we define the zero-set J associated with C, P, and $(x_1, \ldots , x_k)$. The zero-set J contains the indices of the wires with value 0 in the computation $P(\beta ^*_1, \ldots , \beta ^*_k)$ where $\beta ^*_i = 1$ if there exists $w_i$ where $C(x_i, w_i) = 1$ and 0 otherwise. Since P is monotone, for all $w_1, \ldots , w_k$, the wire values of $P(C(x_1, w_1), \ldots , C(x_k, w_k))$ on the set J will be zero. As before, let $J_i \subset J$ be the subset of wires in layer i of P.

Our soundness argument proceeds layer-by-layer, starting from the input layer (i.e., layer 1) and progressing to the output layer (i.e., layer d, where d is the depth of P). Our goal establishes the following invariant: if the hash keys $\textsf{hk}_1$ and $\textsf{hk}_2$ are zero-fixing on $J_i$ and $J_{i + 1}$ and the digest associated with the lower layer (i.e., layer i) is $\textsf{Matching}$, then the digest associated with the upper layer (i.e., layer $i + 1$) is also $\textsf{Matching}$. We provide a sketch of this step. For ease of exposition, suppose $\textsf{hk}_1$ is zero-fixing on $J_i$ and the digest $\textsf{dig}_1$ is $\textsf{Matching} $. The goal is to show that $\textsf{hk}_2$ is zero-fixing on $J_{i + 1}$, then the digest $\textsf{dig}_2$ is also $\textsf{Matching} $:^{Footnote 3}

Initially, we set $\textsf{hk}_2$ to be binding on the empty set. We require in this case that $\textsf{dig}_2$ is always $\textsf{Matching}$. We refer to this property as an extractor validity property on the zero-fixing hash function.
We now iteratively build up $\textsf{hk}_2$. Let $J_{i + 1}[1]$ be the first element of $J_{i + 1}$. We set $\textsf{hk}_2$ to be binding on the set $\left\{ J_{i + 1}[1] \right\} $. Our goal is to argue that $\textsf{dig}_2$ is still $\textsf{Matching}$. While it might seem like this property should follow assuming a basic index hiding property on the zero-fixing hash function (i.e., that the hash key $\textsf{hk}$ hides which set it is binding on), this is insufficient. The reason is that when $\textsf{hk}_2$ is binding on $\varnothing $, the adversary might output a $\textsf{Matching}$ digest $\textsf{dig}_2$, but if $\textsf{hk}_2$ is binding on $\left\{ J_{i + 1}[1] \right\} $, the output digest $\textsf{dig}_2$ might be $\textsf{NotMatching}$. We cannot use such an adversary to construct an index hiding distinguisher, because in the index hiding security game, the distinguisher does not have the extraction trapdoor. As such, an attempted reduction algorithm cannot efficiently decide whether the adversary was successful or not. Indeed, this is a fundamental issue since knowledge of the extraction trapdoor would trivially break index hiding.
To advance the proof, we introduce a stronger notion of index hiding security for zero-fixing hash functions, which essentially requires that no efficient adversary can output a digest $\textsf{dig}$ that causes the output of $\textsf{Extract}$ to differ depending on whether the hash key is binding on a set S or a set $S \setminus \left\{ i \right\} $.^{Footnote 4} Of course, this is only meaningful when the digest is computed over an input that is 0 on index i.^{Footnote 5} Thus, we require this stronger index hiding with extracted guess property to hold only for digests $\textsf{dig}$ where the adversary can provide an opening to index 0 for the target index i. We define this property formally in Definition 6.
To leverage the index hiding with extracted guess property, we need to enforce the fact that $\textsf{dig}_2$ opens to a 0 on index $J_{i + 1}[1]$. We ensure this by appealing to the somewhere extractability of the BARG along with zero-fixing security of the hash function. Specifically, suppose that the BARG is binding on wire $J_{i + 1}[1]$. The BARG extractor then produces openings to the wire $J_{i + 1}[1]$ with respect to $\textsf{dig}_2$ as well as opening to the wires $j_{ \textsc {l}}, j_{ \textsc {r}}$ with respect to $\textsf{dig}_1$ (corresponding to the input wires for the gate computing $J_{i + 1}[1]$). Since $\textsf{dig}_1$ is zero-fixing on $J_i$ and $\textsf{dig}_1$ is also $\textsf{Matching}$, if either $j_{ \textsc {l}}, j_{ \textsc {r}}\in J_i$, then the extracted openings must be openings to 0 (otherwise, we break zero-fixing of the hash function). But by monotonicity of P, this means the value of the output wire $J_{i + 1}[1]$ must also be 0, and thus the BARG extractor produces an opening to 0 for wire $J_{i + 1}[1]$. Now, by the index hiding with extracted guess property, we conclude that programming $\textsf{hk}_2$ to zero-fix on set $\left\{ J_{i + 1}[1] \right\} $ will still cause $\textsf{dig}_2$ to be $\textsf{Matching}$ (except with a negligible loss in probability).
We can now iteratively apply the argument and build up $\textsf{hk}_2$ until it is binding on all of $J_{i + 1}$.

To complete the proof, we consider the input and output layers for P:

Handling the input layers: The base case in our analysis is to show that if $\textsf{hk}_1$ is binding on $J_1$ (the input layer), then it is $\textsf{Matching} $. This follows using the same layer-wise strategy sketched above for proving our invariance, except for each index $J_1[i]$, we rely on the fact that the associated statement $x_i$ is false (i.e., no witness exists) to argue that the only valid opening for $\textsf{dig}_1$ on index i is 0. Otherwise, we either break somewhere extractability of the BARG (i.e., extracting an invalid witness for index i) or the index hiding with extracted guess property.
Output layer: Starting from the input layer, we now iteratively apply our basic invariant to argue that when the hash keys are binding to $J_d$ (the output layer), the associated digests are also $\textsf{Matching}$. Now, if we have a valid proof, and the BARG is set to extract on the output layer, then the BARG extractor outputs an opening of the output wire to 1 with respect to the hash digests. However, since the output wire is contained in $J_d$ (since the statement is false), and the digest is matching, this breaks zero-fixing security of the hash function.

Thus, the above analysis suffices to show non-adaptive soundness of our construction. The critical security requirement we require on our zero-fixing hash function is the strengthened index hiding with extracted guess property. This property allows us to complete the proof via an iterative approach without needing to rely on the extractor outputting a mismatching index as in previous work [BBK+23]. As we discuss below, this is an easier property to realize than full-fledged index extraction. We refer to Section 3 for the formal definition of zero-fixing hash functions and Section 4 for our construction of monotone policy BARGs.

Constructing Zero-Fixing Hash Functions. Our second contribution in this work is a generic construction of zero-fixing hash functions from vanilla BARGs together with an additively homomorphic encryption scheme. We start with a basic construction that captures the key ideas underlying our construction and refer to Section 5 for the formal description and analysis:

Let $n \in \mathbb {N}$ be the input length. For ease of exposition, we assume that $n = 2^k$ is a power-of-two. Suppose we want to zero-fix on a (possibly-empty) set $S \subseteq [n]$. The setup algorithm first samples a public/secret key-pair $(\textsf{pk}, \textsf{sk})$ for an additively homomorphic encryption scheme. For each $i \in [n]$, the setup algorithm construct an encryption $\textsf{ct}_i \leftarrow \textsf{Enc}(\textsf{pk}, 1)$ of 1 if $i \in S$ and an encryption of $\textsf{ct}_i \leftarrow \textsf{Enc}(\textsf{pk}, 0)$ of 0 if $i \notin S$. It also constructs an encryption $\textsf{ct}_\textsf{zero}\leftarrow \textsf{Enc}(\textsf{pk}, 0)$ of 0. Finally, it constructs a commitment $\textsf{com}_\textsf{hk}$ to the ciphertexts $(\textsf{ct}_1, \ldots , \textsf{ct}_n)$. The hash key is then $\textsf{hk}= (\textsf{pk}, \textsf{ct}_\textsf{zero}, \textsf{ct}_1, \ldots , \textsf{ct}_n, \textsf{com}_\textsf{hk})$, and the extraction trapdoor is the decryption key $\textsf{sk}$.
To hash an input $x \in \{0,1\}^n$, the user constructs a complete binary tree where each of the n leaves is associated with a ciphertext. If $x_i = 1$, then the user associates leaf i with $\textsf{ct}_i$, and if $x_i = 0$, then the user associates leaf i with $\textsf{ct}_\textsf{zero}$. The value of each internal node in the binary tree is defined to be the sum of the ciphertexts associated with its two children. By construction, the value of the root node is an encryption of the sum of the values associated with the n leaf nodes. We refer to the tree of ciphertexts as the “ciphertext-evaluation tree.” The digest $\textsf{dig}$ then consists of the ciphertext $\textsf{ct}_\textsf{root}$ associated with the root node along with a commitment $\textsf{com}_\textsf{ct}$ to all of the ciphertexts in the ciphertext-evaluation tree.
A local opening for index ${i^*}$ and value $b_{{i^*}} \in \{0,1\}$ for the digest $\textsf{dig}= (\textsf{ct}_\textsf{root}, \textsf{com}_\textsf{ct})$ is a BARG proof. The BARG statements correspond to the indices of the nodes in the ciphertext-evaluation tree. The associated relation is parameterized by the target index ${i^*}$, the root ciphertext $\textsf{ct}_\textsf{root}$, the encryption $\textsf{ct}_\textsf{zero}$ of 0 from the hash key, and the commitment to the input ciphertexts $\textsf{com}_\textsf{hk}$. The BARG relation then checks the following:
- Leaf nodes: For each leaf node i, $\textsf{com}_\textsf{ct}$ opens to either $\textsf{ct}_\textsf{zero}$ or $\textsf{ct}_i$ at index i. For the particular index ${i^*}$, it checks that $\textsf{com}_\textsf{ct}$ opens to $\textsf{ct}_\textsf{zero}$ if $b_{{i^*}} = 0$ and $\textsf{com}_\textsf{ct}$ opens to $\textsf{ct}_{{i^*}}$ if $b_{{i^*}} = 1$. Since the BARG relation only has $\textsf{com}_\textsf{hk}$ and not $\textsf{ct}_i$ itself, the prover provides $\textsf{ct}_i$ as part of its witness along with a proof of opening for $\textsf{ct}_i$ with respect to $\textsf{com}_\textsf{hk}$. The proof of opening ensures that the correct $\textsf{ct}_i$ is provided.
- Internal nodes: For an internal node i (with children indexed $j_{ \textsc {l}}, j_{ \textsc {r}}$), the BARG checks that $\textsf{com}_\textsf{ct}$ opens to ciphertexts $\textsf{ct}_i$, $\textsf{ct}_{j_{{ \textsc {l}}}}$, $\textsf{ct}_{j_{{ \textsc {r}}}}$ where $\textsf{ct}_i$ is the sum of ciphertexts $\textsf{ct}_{j_{{ \textsc {l}}}}$ and $\textsf{ct}_{j_{{ \textsc {r}}}}$.
- Root node: For the root node, the BARG checks that $\textsf{com}_\textsf{ct}$ opens to $\textsf{ct}_{\textsf{root}}$.
To test whether a digest $\textsf{dig}= (\textsf{ct}_\textsf{root}, \textsf{com}_\textsf{ct})$ is matching or not, the $\textsf{Extract}$ algorithm outputs $\textsf{Matching} $ if $\textsf{ct}_\textsf{root}$ decrypts to 0 and $\textsf{NotMatching} $ otherwise.

By definition, the ciphertext $\textsf{ct}_\textsf{root}$ in any (honestly-generated) hash digest is the sum of the ciphertexts associated with the leaves of the ciphertext-evaluation tree. On an input x, if $x_i = 0$, then the associated ciphertext is an encryption of 0 and does not contribute to the sum. If $x_i = 1$, then the ciphertext associated with the leaf is an encryption of 1 if $i \in S$ and encryption of 0 otherwise. Thus, the sum is only incremented if $x_i = 1$ for some $i \in S$. This is precisely when $\textsf{Extract}$ outputs $\textsf{NotMatching} $ (i.e., the digest is for an input x where $x_i = 1$ for $i \in S$).

To argue that it is hard to open a $\textsf{Matching}$, but possibly-malformed digest to a 1 at an index $i \in S$, we appeal to soundness of the BARG. In this case, the root ciphertext $\textsf{ct}_\textsf{root}$ in $\textsf{dig}$ decrypts to a non-zero value, and yet the user constructed a valid BARG proof of opening for an index $i \in S$. The key observation is that the structure of the BARG used in the above construction is very similar to the structure of the canonical protocol from [BBK+23] described at the beginning of Section 1.2 for demonstrating correct evaluation of a monotone circuit. Moreover, because the ciphertext-evaluation tree is perfectly balanced, it has depth $\log n$, where $n = \textsf{poly}(\lambda )$ is the input length. As such, we are able to adapt the proof strategy for arguing soundness of the monotone policy BARGs for log-depth circuits to directly argue zero-fixing security of our hash function. Specifically, we rely on BARG security to ensure that if the adversary uses an encryption of 1 as one of the leaves to the ciphertext (which it must if it opens an index $i \in S$ to a 1), then the root ciphertext necessarily is an encryption of a non-zero value. We provide the full details in the full version [NWW23, Section 5].

While the core construction described here satisfies zero-fixing security, we need to augment the construction to satisfy the additional security requirements we impose on a zero-fixing hash function. We summarize these here, and defer to the technical sections (see Section 5 and the full version of this paper [NWW23]) for the full details:

Extractor validity: Recall that this property says that when the hash function is zero-fixing on the empty set, it should be hard for an adversary to come up with a “valid” digest that is $\textsf{NotMatching}$. To satisfy this property, we simply include a BARG proof of validity to the digest, where the BARG proof of validity simply checks that the ciphertext-evaluation tree was correctly constructed. When the hash key is binding to the empty set, all of the ciphertexts $\textsf{ct}_i$ are an encryption of 0, so the root of a properly computed ciphertext-evaluation tree will also be an encryption of 0. We provide the details in the full version [NWW23, Section 5].
Index hiding with extracted guess: Recall that this property says that the adversary cannot produce a digest $\textsf{dig}$ where the extractor output disagrees depending on whether the hash key is zero-fixing on a set S or a set $S \setminus \left\{ i \right\} $ (provided that the adversary provides an opening to 0 for index i). The only difference between the hash keys in these two cases is $\textsf{ct}_i$ in the CRS changes from an encryption of 0 to an encryption of 1, which we could in principle show using semantic security. However, the reduction algorithm would have no way of checking whether a digest $\textsf{dig}$ output by the adversary is $\textsf{Matching} $ or $\textsf{NotMatching} $ (since it does not and cannot know the decryption key). Thus, to argue this we adopt a Naor-Yung type of strategy [NY90] and encrypt twice. Namely, we introduce two parallel copies of the scheme (i.e., two independent public keys and two independent sets of ciphertexts). The digest now consists of two ciphertexts $\textsf{ct}_\textsf{root}^{(0)}, \textsf{ct}_\textsf{root}^{(1)}$ for the roots of the two ciphertext-evaluation trees. The same BARG would validate both roots. The key idea now is we can switch $\textsf{ct}_i^{(0)}$ from an encryption of 0 (i.e., zero-fixing at $S \setminus \left\{ i \right\} $) to an encryption of 1 (i.e., zero-fixing at S) while being able to decrypt (i.e., extract) for the parallel encryption scheme. We can leverage soundness of the BARG to argue that for a valid digest/opening, both $\textsf{ct}_\textsf{root}^{(0)}$ and $\textsf{ct}_\textsf{root}^{(1)}$ encrypt identical values. This allows us to leverage semantic security to switch the ciphertexts for one scheme while being able to detect whether the output of $\textsf{Extract}$ changed or not (using knowledge of the secret key for the parallel scheme). We provide the full details in the full version [NWW23, Section 5].

Taken together, we obtain a zero-fixing hash function from any standard BARG together with an additively-homomorphic encryption scheme. By instantiating with BARGs from the k-Lin assumption over pairing groups [WW22] or the (sub-exponential) DDH assumption over pairing-free groups [CGJ+23], we obtain zero-fixing hash functions from the same underlying assumptions. In conjunction with our generic construction from above, this yields Theorem 1.

An Algebraic Construction of Zero-Fixing Hash Functions. As another contribution, we also describe an algebraic approach to construct zero-fixing hash functions directly from (composite-order) bilinear maps. This construction has the advantage that it only makes black-box use of cryptography. We give a brief sketch of the construction here, but defer the details to the full version [NWW23, Section 6]. The basic version is an adaptation of the Catalano-Fiore vector commitment [CF13]:

Let $\mathcal {G}= (\mathbb {G}, \mathbb {G}_T, N, g, e)$ be a composite-order bilinear group of order N, generator g, and an efficiently-computable non-degenerate bilinear map $e :\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T$. In the actual construction, we will require that N be a product of six primes. In the description here, we will just describe the basic scheme that operates primarily in just two subgroups. Let $g_1$ and $g_2$ be generators of two orthogonal subgroups of $\mathbb {G}$.
To sample a hash key for a set $S \subseteq [n]$, the setup algorithm samples exponents . If $i \in S$, it sets $A_i \leftarrow (g_1 g_2)^{\alpha _i}$ and if $i \notin S$, it sets $A_i \leftarrow g_1^{\alpha _i}$. It sets $B_i \leftarrow g_1^{\beta _i}$ and for $i \ne j$, it computes the cross term $C_{i, j} \leftarrow g_1^{\alpha _i \beta _j}$. The hash key then contains $A_i, B_i$ for $i \in [n]$ and $C_{i, j}$ for all $i \ne j$.
The hash of an input $x \in \{0,1\}^n$ is then $\textsf{dig}= \prod _{i \in [n]} A_i^{x_i}$. The opening to an index i is $V = \prod _{j \ne i} C_{j, i}^{x_j}$. To verify an opening to a bit b at index i, the verifier checks
$$\begin{aligned} e(\textsf{dig}, B_i) = e(A_i, B_i)^b \cdot e(g_1, V). \end{aligned}$$
To check whether a digest $\textsf{dig}$ is $\textsf{Matching}$ or not, the extraction algorithm output $\textsf{Matching} $ if $e(\textsf{dig}, g_2) = 1$ and $\textsf{NotMatching} $ otherwise.

The basic principle is to move the “encoding elements” $A_i$ for $i \in S$ to have a component in the span of $g_2$. The components $A_i$ for $i \notin S$ are only in the span of $g_1$. Then, any digest that includes an index $i \in S$ will contain a non-zero element in the span of $g_2$, and thus, be declared $\textsf{NotMatching} $. Arguing the security of this scheme is more delicate and will require introducing a number of additional randomizing components (and subgroups). We refer to the full version [NWW23, Section 6] for the details.

Constructing Monotone Policy Aggregate Multi-Signatures. Our final contribution is a construction of monotone policy aggregate multi-signatures. While previous construction of aggregate signatures relied on extractable BARGs [WW22, DGKV22], a similar implication is possible by combining a non-adaptively-sound BARG together with a “puncturable signature” scheme (also called an all-but-one signature scheme) [GVW19]. We sketch our construction below, and provide the full details in the full version [NWW23, Section 7].

In a puncturable signature scheme, it is possible to puncture a verification key on a message $m^*$. The property is that there does not exist signatures on $m^*$ that verify with respect to the punctured verification key. Moreover, a punctured verification key is computationally indistinguishable from an honestly-generated verification key, even if the adversary is able to see signatures on arbitrary messages $m \ne m^*$. Goyal, Vusirikala, and Waters [GVW19] showed how to construct puncturable signatures from most standard number-theoretic assumptions (e.g., RSA, pairing-based assumptions, and LWE). We can use a non-adaptively-sound monotone policy BARG together with a puncturable signature scheme to construct a (statically-secure)^{Footnote 6} aggregate multi-signature scheme for any policy computed by a monotone Boolean circuit. We provide a sketch below:

Setup: Consider a scheme with k signers. Each signer $i \in [k]$ has a signing key $\textsf{sk}_i$ and a verification key $\textsf{vk}_i$ for the punctured signature scheme. The public parameters of the aggregation scheme contain the common reference string for a monotone policy BARG.
Signing: To sign a message m, each user signs with their individual signing key.
Aggregation: Given a set of signatures $\left\{ \sigma _i \right\} _{i \in S}$ on the same message m and a (monotone) aggregation policy P, a user can aggregate the signatures by giving a monotone policy BARG proof for the policy P with respect to the natural relation $\mathcal {R}[m] = \left\{ (\textsf{vk},\sigma ) : \textsf{Verify}(\textsf{vk},m,\sigma ) \right\} $. The aggregate signature is simply the BARG proof for the statements $(\textsf{vk}_1,\ldots ,\textsf{vk}_k)$ with the witness $(\sigma _1,\ldots ,\sigma _k)$.
Verification: To verify an aggregate multi-signature with respect to a policy P, the verifier just checks the BARG proof.

Note that one could also construct an aggregate multi-signature by sending the set S where $P(S) = 1$ and then use a vanilla BARG to prove knowledge of a signature $\sigma _i$ for every $i \in S$. However, this approach would require communicating the set S as part of the aggregate signature. Using monotone policy BARGs, the aggregate signature only consists of the BARG proof, and thus has size, $\textsf{poly}(\lambda , \log |P|)$. It is straightforward to prove static security of the above multi-signature scheme just assuming non-adaptive-soundness on the underlying BARG. We sketch the reduction below:

In the static security game, the adversary has to pre-commit to the message $m^*$ it wants to forge on, the set of verification keys $(\textsf{vk}_1^*, \ldots , \textsf{vk}_k^*)$ it wants to use (which can be a mix of honest verification keys chosen by the challenger and verification keys chosen adversarially), and the aggregation policy P before seeing the aggregation parameters.
Let $S \subseteq [k]$ be the set of indices i where the chosen key $\textsf{vk}_i^*$ is uncorrupted (i.e., chosen by the challenger). The admissibility requirement is that $P(b_1, \ldots , b_k) = 0$ where $b_i = 0$ if $i \in S$ and $b_i = 1$ otherwise; this is saying that the adversary cannot satisfy the policy P just by providing signatures under keys it controls.
In the security reduction, we first puncture the honest users’ verification keys $\textsf{vk}_i$ on the challenge message $m^*$. This means that there does not exist valid signatures on the challenge message $m^*$ with respect to the honest users’ verification keys $\textsf{vk}_i$
Consider the relation $\mathcal {R}[m^*]$ used for verification. By definition of the set S and the fact that the honest verification keys are punctured at $m^*$, the statement $(\textsf{vk}_1^*, \ldots , \textsf{vk}_k^*)$ is false for the policy P with respect to the relation $\mathcal {R}[m^*]$. By non-adaptive soundness of the monotone policy BARG, the probability that the adversary can produce a valid aggregate signature (i.e., a valid proof on a false statement) is negligible.

Observe that in the above sketch, the verification time is linear in k. However, using a RAM delegation scheme, we can achieve fast verification. We refer to the full version [NWW23, Remark 7.8] for additional details.

2 Preliminaries

Throughout this work, we write $\lambda $ to denote the security parameter. For $n \in \mathbb {N}$, we write [n] to denote the set $\left\{ 1, \ldots , n \right\} $. For $a, b \in \mathbb {N}$ we write [a, b] to denote the set $\left\{ a, a + 1, \ldots , b \right\} $. We write $\textsf{poly}(\lambda )$ to denote a function that is bounded by a fixed polynomial in $\lambda $, and $\textsf{negl}(\lambda )$ to denote a function that is $o(\lambda ^{-c})$ for all $c \in \mathbb {N}$. For a finite set S, we write to denote that x is a uniformly random element of S. For a distribution $\mathcal {D}$ we write $x \leftarrow \mathcal {D}$ to denote that x is a random draw from $\mathcal {D}$.

We say an algorithm is efficient if it runs in probabilistic polynomial time in the length of its input. A non-uniform algorithm $\mathcal {A}$ consists of a pair of algorithms $(\mathcal {A}_1,\mathcal {A}_2)$ where $\mathcal {A}_1$ is a (possibly-unbounded) algorithm that takes as input $1^\lambda $ and outputs an advice string $\rho _\lambda $ of $\textsf{poly}(\lambda )$ size. Algorithm $\mathcal {A}_2$ is an efficient algorithm. The output of $\mathcal {A}$ on an input $x \in \{0,1\}^\lambda $ is defined as first computing the advice string $\rho _\lambda \leftarrow \mathcal {A}_1(1^\lambda )$ and then outputting $\mathcal {A}_2(x, \rho _\lambda )$. We say two ensembles of distributions $\mathcal {D}_1 = \left\{ \mathcal {D}_{1, \lambda } \right\} _{\lambda \in \mathbb {N}}$ and $\mathcal {D}_2 = \left\{ \mathcal {D}_{2, \lambda } \right\} _{\lambda \in \mathbb {N}}$ are computationally indistinguishable if no efficient adversary can distinguish them with non-negligible probability. We say they are statistically indistinguishable if their statistical distance is bounded by $\textsf{negl}(\lambda )$.

2.1 Batch Arguments for $\textsf{NP}$

In this section, we recall the notion of a non-interactive batch argument (BARG) for $\textsf{NP} $, the special case of a BARG for index languages and the notion of a BARG for monotone policy batch NP [BBK+23].

Batch Arguments for $\textsf{NP}$ . We begin with the notion of a somewhere extractable batch argument for $\textsf{NP}$. Our presentation is adapted from [CJJ21b, WW22]. Here, we provide a more general syntax where the batch arguments supports extraction on up to $\ell $ indices.

Definition 1

(Boolean Circuit Satisfiability). We define the circuit satisfiability language $\mathcal {L}_\textsf{CSAT}$ as

$$\begin{aligned} \mathcal {L}_\textsf{CSAT}= \left\{ (C, x) \Bigm | \begin{array}{c} C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}, x \in \{0,1\}^n \\ \exists w \in \{0,1\}^*: C(x, w) = 1 \end{array} \right\} . \end{aligned}$$

Definition 2

(Non-Interactive Batch Argument). A somewhere extractable non-interactive batch argument (BARG) for Boolean circuit satisfiability is a tuple of efficient algorithms $\varPi _{\textsf{BARG}}= (\textsf{Gen}, \textsf{Prove}, \textsf{Verify}, \textsf{TrapGen}, \textsf{Extract})$ with the following syntax:

$\textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell ) \rightarrow (\textsf{crs},\textsf{vk})$: On input the security parameter $\lambda \in \mathbb {N}$, the number of instances $k \in \mathbb {N}$, the instance length $n \in \mathbb {N}$, a bound on the size of the Boolean circuit $s \in \mathbb {N}$, and a bound on the size of the extraction set $\ell \in \mathbb {N}$, the generator algorithm outputs a common reference string $\textsf{crs}$ and a verification key $\textsf{vk}$.
$\textsf{Prove}(\textsf{crs}, C, (x_1,\dots ,x_k), (w_1,\dots ,w_k)) \rightarrow \pi $: On input the common reference string $\textsf{crs}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, statements $x_1, \ldots , x_k \in \{0,1\}^k$, and witnesses $w_1,\dots ,w_k \in \{0,1\}^h$, the prove algorithm outputs a proof $\pi $.
$\textsf{Verify}(\textsf{vk},C, (x_1,\dots ,x_k), \pi ) \rightarrow b$: On input the verification key $\textsf{vk}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, statements $x_1,\dots ,x_k \in \{0,1\}^n$ and a proof $\pi $, the verification algorithm outputs a bit $b \in \{0,1\}$.
$\textsf{TrapGen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell , S) \rightarrow (\textsf{crs}, \textsf{vk}, \textsf{td})$: On input the security parameter $\lambda \in \mathbb {N}$, the number of instances $k \in \mathbb {N}$, the instance size $n \in \mathbb {N}$, a bound on the size of the Boolean circuit $s \in \mathbb {N}$, a bound on the size of the extraction set $\ell \in \mathbb {N}$, and a set $S \subseteq [k]$ of size at most $\ell $, the trapdoor generator algorithm outputs a common reference string $\textsf{crs}$, a verification key $\textsf{vk}$ and an extraction trapdoor $\textsf{td}$.
$\textsf{Extract}(\textsf{td}, C, (x_1, \ldots , x_k), \pi , i) \rightarrow w$. On input the trapdoor $\textsf{td}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a collection of statements $x_1, \ldots , x_k \in \{0,1\}^n$, a proof $\pi $ and an index $i \in [k]$, the extraction algorithm outputs a witness w.

For notational convenience, when $\ell =1$, we omit the final input $1^\ell $ and instead, write $\textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s)$ to denote $\textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s, 1^1)$. Similarly, we write $\textsf{TrapGen}(1^\lambda , 1^k, 1^n, 1^s, i)$ to denote $\textsf{TrapGen}(1^\lambda , 1^k, 1^n, 1^s, 1^1, \left\{ i \right\} )$. Finally, we require that $\varPi _{\textsf{BARG}}$ satisfy the following properties:

Completeness: For all $\lambda , k, n, s, \ell \in \mathbb {N}$, all Boolean circuits $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most s, all statements $x=(x_1,\dots ,x_k) \in \{0,1\}^{kn}$ and witnesses $w=(w_1,\dots ,w_k) \in \{0,1\}^{kh}$ where $C(x_i,w_i) = 1$ for all $i \in [k]$,
$$ \Pr \left[ \textsf{Verify}(\textsf{vk},C, (x_1, \ldots , x_k), \pi ) = 1 : \begin{array}{c} (\textsf{crs},\textsf{vk}) \leftarrow \textsf{Gen}(1^\lambda ,1^k, 1^n, 1^s, 1^\ell ) \\ \pi \leftarrow \textsf{Prove}(\textsf{crs},C,x, w) \\ \end{array} \right] =~\hbox {1} $$
Set hiding: For an adversary $\mathcal {A}$ and a bit $b \in \{0,1\}$, define the set hiding experiment $\textsf{ExptSH}_\mathcal {A}(\lambda , b)$ as follows:
1. 1.
  On input the security parameter $1^\lambda $, algorithm $\mathcal {A}$ starts by outputting the number of instances $1^k$, the instance size $1^n$, the bound on the circuit size $1^s$, the bound on the size of the extraction set $1^\ell $, and a set $S \subseteq [k]$ of size at most $\ell $.
2. 2.
  If $b = 0$, the challenger gives $(\textsf{crs},\textsf{vk}) \leftarrow \textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell )$ to $\mathcal {A}$. If $b = 1$, the challenger samples $(\textsf{crs}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{TrapGen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell , S)$ and gives $(\textsf{crs},\textsf{vk})$ to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a bit $b' \in \{0,1\}$, which is the output of the experiment.
Then, $\varPi _{\textsf{BARG}}$ satisfies set hiding if for every efficient adversary $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that
$$ {\left| \Pr [\textsf{ExptSH}_{\mathcal {A}}(\lambda , 0) = 1] - \Pr [\textsf{ExptSH}_{\mathcal {A}}(\lambda , 1) = 1] \right| } = \textsf{negl}(\lambda ). $$
When $\ell =1$, we might refer to this property as index hiding.
Somewhere extractable in trapdoor mode: For an adversary $\mathcal {A}$, define the somewhere extractable security game as follows:
1. 1.
  On input the security parameter $1^\lambda $, algorithm $\mathcal {A}$ starts by outputting the number of instances $1^k$, the instance size $1^n$, the bound on the circuit size $1^s$, a bound on the size of the extraction set $1^\ell $, and a nonempty set $S \subseteq [k]$ of size at most $\ell $.
2. 2.
  The challenger samples $(\textsf{crs}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{TrapGen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell , S)$ and gives $(\textsf{crs},\textsf{vk})$ to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most s, statements $x_1, \ldots , x_m \in \{0,1\}^n$, and a proof $\pi $.
4. 4.
  The output of the game is $b = 1$ if $\textsf{Verify}(\textsf{vk}, C, (x_1, \ldots , x_m), \pi ) = 1$ and there exists an index $i \in S$ for which $C(x_i, w_i) \ne 1$ where $w_i \leftarrow \textsf{Extract}(\textsf{td}, C, (x_1, \ldots , x_k), \pi , i)$. Otherwise, the output is $b = 0$.
Then $\varPi _{\textsf{BARG}}$ is somewhere extractable in trapdoor mode if for every adversary $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that $\Pr [b = 1] = \textsf{negl}(\lambda )$ in the somewhere extractable game.
Succinctness: There exists a fixed polynomial $\textsf{poly}(\cdot )$ such that for all $\lambda , k, n, s, \ell \in \mathbb {N}$, all $\textsf{crs}$ in the support of $\textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell )$, and all Boolean circuits $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most s, the following properties hold:
- Succinct proofs: The proof $\pi $ output by $\textsf{Prove}(\textsf{crs}, C, \cdot , \cdot )$ satisfies ${\left| \pi \right| } \le \textsf{poly}(\lambda + \log k + s + \ell )$.
- Succinct CRS: ${\left| \textsf{crs} \right| } \le \textsf{poly}(\lambda + k + n + \ell ) + \textsf{poly}(\lambda + \log k + s + \ell )$.
- Succinct verification key: ${\left| \textsf{vk} \right| } \le \textsf{poly}(\lambda + \log k + s + \ell )$.

Fact 3

(BARGs for $\textsf{NP}$ [CJJ21b, WW22, KLVW23, CGJ+23]). Assuming any of (1) the plain LWE assumption, (2) the k-$\textsf{Lin}$ assumption over pairing groups for any constant $k \in \mathbb {N}$, or (3) the (sub-exponential) DDH assumption in pairing-free groups, there exists a non-interactive batch argument for $\textsf{NP}$.

Set Hiding with Extraction. For our main construction (Section 5), we require a slight strengthening of the somewhere extractability property from Definition 2. Our stronger set-hiding property essentially says that if the extraction key is programmed to extract either on $S_0 \subseteq [k]$ or $S_1 \subseteq [k]$, then the extracted witness on “common indices” ${i^*}\in S_0 \cap S_1$ is computationally indistinguishable in the two cases. This type of property is often referred to as a “no-signaling” extraction property [PR17, KPY19, GZ21, KVZ21, CJJ21b] (see the full version of this paper [NWW23]).

Index BARGs. An index BARG [CJJ21b] is a batch argument for the batch index language where the instance is always the tuple $(1, \ldots , k)$. Since the statements are the integers, they have a succinct description, so we can impose a stronger requirement on the running time of the $\textsf{Verify}$ algorithm. We define this below:

Definition 3

(Index BARG [CJJ21b]). An index BARG is a special case of a BARG where the instances $(x_1, \ldots , x_k)$ are restricted to the integers $(1, \ldots , k)$. In this setting, the $\textsf{Gen}$ algorithm to the index BARG does not separately take in the instance length n as a separate input. Moreover, instead of providing $x_1, \ldots , x_k$ as input to the $\textsf{Prove}$, $\textsf{Verify}$, and $\textsf{Extract}$ algorithms, we just give the single index k (in binary). Moreover, we require the additional succinctness property on the running time of $\textsf{Verify}$:

Succinct verification time: There exists a fixed polynomial $\textsf{poly}(\cdot )$ such that for all $\lambda , k, n, s, \ell \in \mathbb {N}$, all $(\textsf{crs}, \textsf{vk})$ in the support of $\textsf{Gen}(1^\lambda , 1^k, 1^n, 1^s, 1^\ell )$ and all Boolean circuits $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most s, the running time of $\textsf{Verify}(\textsf{vk}, C, k, \cdot )$ is bounded by $\textsf{poly}(\lambda + \log k + s + \ell )$.

Monotone Policy BARG. Next, we recall the notion of a SNARG for monotone policy $\textsf{BatchNP}$ [BBK+23], which we refer to more succinctly as a “monotone policy BARG.” In this work, we just focus on the simplest notion of non-adaptive soundness.

Definition 4

(Monotone Policy $\textsf{BatchNP}$). A Boolean circuit $P :\{0,1\}^k \rightarrow \{0,1\}$ is a monotone Boolean policy if P is a Boolean circuit comprised entirely of and and or gates. Let $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ be a Boolean circuit and $P :\{0,1\}^k \rightarrow \{0,1\}$ be a monotone Boolean policy. We define the monotone policy $\textsf{BatchNP}$ language $\mathcal {L}_{\textsf{MP}\text {-}\textsf{CSAT}}$ to be

$$\begin{aligned} \mathcal {L}_{\textsf{MP}\text {-}\textsf{CSAT}}= \left\{ (C,P,x_1, \ldots , x_k) \Bigm | \begin{array}{c} \exists w_1, \ldots , w_k \in \{0,1\}^h : \\ P\big ( C(x_1, w_1), \ldots , C(x_k, w_k) \big ) = 1 \end{array} \right\} . \end{aligned}$$

Definition 5

(Monotone Policy BARG [BBK+23, adapted]). A monotone policy BARG is a tuple $\varPi _{\textsf{MP}\text {-}\textsf{BARG}}= (\textsf{Gen}, \textsf{Prove}, \textsf{Verify})$ of efficient algorithms with the following syntax:

$\textsf{Gen}(1^\lambda , 1^n, 1^{s_c}, 1^{s_p}) \rightarrow \textsf{crs}$: On input the security parameter $\lambda \in \mathbb {N}$, the instance size $n \in \mathbb {N}$, a bound on the size of the Boolean circuit $s_c \in \mathbb {N}$, and a bound on the size of the policy $s_p \in \mathbb {N}$, the generator algorithm outputs a common reference string $\textsf{crs}$.
$\textsf{Prove}(\textsf{crs}, C, P, (x_1,\dots ,x_k), (w_1,\dots ,w_k)) \rightarrow \pi $: On input the common reference string $\textsf{crs}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a monotone Boolean policy $P :\{0,1\}^k \rightarrow \{0,1\}$, statements $x_1, \dots , x_k \in \{0,1\}^n$, and witnesses $w_1,\dots ,w_k \in \{0,1\}^h$, the prove algorithm outputs a proof $\pi $.
$\textsf{Verify}(\textsf{crs}, C, P, (x_1,\dots ,x_k), \pi ) \rightarrow b$: On input the common reference string $\textsf{crs}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a monotone Boolean policy $P :\{0,1\}^k \rightarrow \{0,1\}$, statements $x_1,\dots ,x_k \in \{0,1\}^n$, and a proof $\pi $, the verification algorithm outputs a bit $b \in \{0,1\}$.

Moreover, $\varPi _{\textsf{MP}\text {-}\textsf{BARG}}$ should satisfy the following properties:

Completeness: For all $\lambda , n, s_c, s_p \in \mathbb {N}$, Boolean circuits $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most $s_c$, monotone Boolean policies $P :\{0,1\}^k \rightarrow \{0,1\}$ of size at most $s_p$, statements $x=(x_1, \dots , x_k) \in \{0,1\}^{kn}$ and witnesses $w=(w_1, \ldots , w_k) \in \{0,1\}^{kh}$ where $P(C(x_1, w_1), \ldots , C(x_k, w_k)) = 1$, it holds that
$$ \Pr \left[ \textsf{Verify}(\textsf{crs}, C, P, (x_1, \ldots , x_k), \pi ) = 1 : \begin{array}{c} \textsf{crs}\leftarrow \textsf{Gen}(1^\lambda , 1^n, 1^{s_c}, 1^{s_p}) \\ \pi \leftarrow \textsf{Prove}(\textsf{crs}, C, P, x, w) \\ \end{array} \right] = 1. $$
Non-adaptive soundness: For any adversary $ \mathcal {A}$, define the non-adaptive soundness game as follows:
1. 1.
  On input the security parameter $1^\lambda $, algorithm $\mathcal {A}$ starts by outputting the instance size $1^n$, the bound on the size of the $\textsf{NP}$ relation $1^{s_c}$, the bound on the size of the policy $1^{s_p}$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most $s_c$, a monotone Boolean circuit $P :\{0,1\}^k \rightarrow \{0,1\}$ of size at most $s_p$, and statements $x_1, \ldots , x_k \in \{0,1\}^{n}$.
2. 2.
  The challenger samples $\textsf{crs}\leftarrow \textsf{Gen}(1^\lambda , 1^n, 1^{s_c},1^{s_p})$ and gives it to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a proof $\pi $.
4. 4.
  The output of the game is $b=1$ if $\textsf{Verify}(\textsf{crs},C,P,(x_1, \ldots , x_k),\pi )=1$ and $(C,P, (x_1, \ldots , x_k)) \notin \mathcal {L}_{\textsf{MP}\text {-}\textsf{CSAT}}$.
We say that $\varPi _{\textsf{MP}\text {-}\textsf{BARG}}$ is non-adaptively sound if for every efficient adversary $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that $\Pr [b=1]=\textsf{negl}(\lambda )$ in the non-adaptive soundness game.
Succinctness: There exists a fixed polynomial $\textsf{poly}(\cdot )$ such that for all $\lambda , n, s_c, s_p \in \mathbb {N}$, all $\textsf{crs}$ in the support of $\textsf{Gen}(1^\lambda , 1^n, 1^{s_c}, 1^{s_p})$, all Boolean circuits $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$ of size at most $s_c$, and all monotone Boolean policies $P :\{0,1\}^k \rightarrow \{0,1\}$ of size $|P| \le s_p$, the following properties hold:
- Slightly succinct proofs: The proof $\pi $ output by $\textsf{Prove}(\textsf{crs}, C, P, \cdot , \cdot )$ satisfies ${\left| \pi \right| } \le \textsf{poly}(\lambda + s_c + \log s_p)$.
- Succinct proofs: The proof $\pi $ output by $\textsf{Prove}(\textsf{crs}, C, P, \cdot , \cdot )$ satisfies ${\left| \pi \right| } \le \textsf{poly}(\lambda + s_c + \log |P|)$.

We provide additional discussion about monotone policy BARGs in the full version of this paper [NWW23].

3 Zero-Fixing Hash Functions

In this section, we formally introduce the notion of a zero-fixing hash function. As we show in Section 4, we can combine a zero-fixing hash function with a vanilla BARG to obtain a monotone policy BARG. Recall from Section 1.2 that a zero-fixing hash function is a keyed hash function that supports succinct local openings. Moreover, the hash key is associated with a set of indices $S \subseteq [n]$, where n is the input length. Moreover, there is a trapdoor $\textsf{td}$ associated with the hash key $\textsf{hk}$ that can be used to decide whether a hash digest $\textsf{dig}$ is $\textsf{Matching}$ or $\textsf{NotMatching}$ on the set S. The zero-fixing security requirement then says that if the extractor outputs $\textsf{Matching} $ for a digest $\textsf{dig}$, it must be computationally hard to open $\textsf{dig}$ to a 1 on any index $i \in S$.

As discussed in Section 1.2, our zero-fixing hash function is similar to the predicate-extractable hash function for bit-fixing predicates from [BBK+23]. A key distinction is that when the extraction algorithm outputs $\textsf{NotMatching} $, the predicate-extractable hash function also outputs an index $i \in [n]$ where it is computationally infeasible to open the digest to a 1. In contrast, with our zero-fixing hash function, the extraction algorithm only outputs a single $\textsf{Matching} $ or $\textsf{NotMatching} $ flag. At the same time, we require our zero-fixing hash functions to satisfy additional security requirements that were not required in [BBK+23]. These additional security properties are necessary for our construction of monotone policy BARGs (Section 4). We now give the formal definition:

Definition 6

(Zero-Fixing Hash Function). A zero-fixing hash function is a tuple of polynomial-time algorithms $\varPi _{\textsf{H}}= (\textsf{Setup}, \textsf{Hash}, \textsf{ProveOpen}, \textsf{VerOpen}, \textsf{Extract}, \textsf{ValidateDigest})$ with the following syntax:

$\textsf{Setup}(1^\lambda , 1^n, S) \rightarrow (\textsf{hk}, \textsf{vk}, \textsf{td})$: On input a security parameter $\lambda $, an input length n, and a set $S \subseteq [n]$, the setup algorithm outputs a hash key $\textsf{hk}$, a verification key $\textsf{vk}$ and a trapdoor $\textsf{td}$. We implicitly assume that $\textsf{hk}$ includes $\lambda $ and n.
$\textsf{Hash}(\textsf{hk},x) \rightarrow \textsf{dig}$: On input a hash key $\textsf{hk}$ and a string $x \in \{0,1\}^n$, the hash algorithm outputs a digest $\textsf{dig}$. This algorithm is deterministic.
$\textsf{ValidateDigest}(\textsf{vk},\textsf{dig}) \rightarrow b$: On input a hash key $\textsf{vk}$ and a digest $\textsf{dig}$, the digest validation algorithm outputs a bit $b \in \{0,1\}$. This algorithm is deterministic.
$\textsf{ProveOpen}(\textsf{hk},x,i) \rightarrow \sigma $: On input a hash key $\textsf{hk}$, a string $x \in \{0,1\}^n$ and an index $i \in [n]$, the prove algorithm outputs an opening $\sigma $.
$\textsf{VerOpen}(\textsf{vk},\textsf{dig},i,b,\sigma ) \rightarrow b'$: On input a hash key $\textsf{vk}$, a digest $\textsf{dig}$, an index $i \in [n]$, a bit $b \in \{0,1\}$ and an opening $\sigma $, the verification algorithm outputs a bit $b' \in \{0,1\}$. The verification algorithm is deterministic.
$\textsf{Extract}(\textsf{td},\textsf{dig}) \rightarrow m$: On input a trapdoor $\textsf{td}$ and a digest $\textsf{dig}$, the extraction algorithm outputs a value $m \in \left\{ \textsf{Matching}, \textsf{NotMatching} \right\} $. This algorithm is deterministic.

We require $\varPi _{\textsf{H}}$ satisfy the following efficiency and correctness properties:

Succinctness: There exists a universal polynomial $\textsf{poly}(\cdot )$ such that for all parameters $\lambda , n \in \mathbb {N}$, all $(\textsf{hk}, \textsf{vk}, \textsf{td})$ in the support of $\textsf{Setup}(1^\lambda , 1^n, \cdot )$, all inputs $x \in \{0,1\}^n$ and all indices $i \in [n]$, the following properties hold:
- Succinct verification key: ${\left| \textsf{vk} \right| } \le \textsf{poly}(\lambda + \log n)$.
- Succinct digest: The digest $\textsf{dig}$ output by $\textsf{Hash}(\textsf{hk}, x)$ satisfies ${\left| \textsf{dig} \right| } \le \textsf{poly}(\lambda + \log n)$.
- Succinct openings: The opening $\sigma $ output by $\textsf{ProveOpen}(\textsf{hk}, x, i)$ satisfies ${\left| \sigma \right| } \le \textsf{poly}(\lambda + \log n)$.
- Succinct verification: The running time of $\textsf{VerOpen}(\textsf{vk}, \cdot )$ is $\textsf{poly}(\lambda + \log n)$.
Correctness: For all $\lambda , n \in \mathbb {N}$, every $x \in \{0,1\}^n$, and every $i \in [n]$, the following properties hold:
- Opening correctness:
  $$ \Pr \left[ \begin{array}{c} \textsf{VerOpen}(\textsf{vk},\textsf{dig},i,x_i,\sigma ) = 1 \end{array} : \begin{array}{c} (\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}( 1^\lambda , 1^n, \varnothing ) \\ \textsf{dig}\leftarrow \textsf{Hash}(\textsf{hk},x) \\ \sigma \leftarrow \textsf{ProveOpen}(\textsf{hk},x,i) \end{array} \right] = 1. $$
- Digest correctness:
  $$ \Pr \left[ \textsf{ValidateDigest}(\textsf{vk},\textsf{dig})=1 : \begin{array}{c} (\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}( 1^\lambda , 1^n, \varnothing ) \\ \textsf{dig}\leftarrow \textsf{Hash}(\textsf{hk},x) \end{array} \right] = 1. $$

We additionally require the following security properties:

Set hiding: For a bit $b \in \{0,1\}$ and an adversary $\mathcal {A}$, we define the set hiding game $\textsf{ExptSH}_\mathcal {A}(\lambda ,b)$ as follows:
1. 1.
  On input $1^\lambda $, the adversary $\mathcal {A}$ outputs $1^n$ and a set $S \subseteq [n]$.
2. 2.
  If $b = 0$, the challenger samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}( 1^\lambda , 1^n, \varnothing )$ and if $b = 1$, the challenger samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}( 1^\lambda , 1^n , S )$. It gives $(\textsf{hk}, \textsf{vk})$ to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a bit $b'$ which is the output of the experiment.
The hash function satisfies set binding if for all efficient adversaries $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that
$$ {\left| \Pr [\textsf{ExptSH}_{\mathcal {A}}(\lambda , 0) = 1] - \Pr [\textsf{ExptSH}_{\mathcal {A}}(\lambda , 1) = 1] \right| } = \textsf{negl}(\lambda ). $$
One-Sided Index hiding with extracted guess: For an adversary $\mathcal {A}$ and a bit $b \in \{0,1\}$, we define the index hiding with extracted guess game $\textsf{ExptIHE}_\mathcal {A}(\lambda , b)$ as follows:
1. 1.
  On input $1^\lambda $, algorithm $\mathcal {A}$ outputs $1^n$, a set $S \subseteq [n]$, and an index ${i^*}\in S$.
2. 2.
  If $b = 0$, the challenger samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}(1^\lambda , 1^n, S \setminus \left\{ {i^*} \right\} )$. Otherwise, it samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}(1^\lambda , 1^n, S)$. The challenger sends $(\textsf{hk}, \textsf{vk})$ to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a digest $\textsf{dig}$ and an opening $\sigma $.
4. 4.
  The output of the experiment is 1 if $\textsf{VerOpen}(\textsf{hk}, \textsf{dig}, {i^*}, 0, \sigma ) = 1$ and $\textsf{Extract}(\textsf{td}, \textsf{dig})$ outputs $\textsf{Matching} $. Otherwise, the output is 0.
The hash function satisfies index hiding with extracted guess if for all efficient adversaries $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that
$$\begin{aligned} \Pr [\textsf{ExptIHE}_{\mathcal {A}}(\lambda , 1) = 1] \ge \Pr [\textsf{ExptIHE}_{\mathcal {A}}(\lambda , 0) = 1] - \textsf{negl}(\lambda ). \end{aligned}$$
Zero fixing: For an adversary $\mathcal {A}$, we define the adaptive zero-fixing game $\textsf{ExptZF}_\mathcal {A}(\lambda )$ as follows:
1. 1.
  On input $1^\lambda $, algorithm $\mathcal {A}$ outputs $1^n$ and a set $S \subseteq [n]$.
2. 2.
  The challenger samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}( 1^\lambda , 1^n, S )$ and gives $(\textsf{hk}, \textsf{vk})$ to $\mathcal {A}$.
3. 3.
  Algorithm $\mathcal {A}$ outputs a digest $\textsf{dig}$, an index $i \in S$ and an opening $\sigma $.
4. 4.
  The output of the experiment is 1 if ${\textsf{VerOpen}(\textsf{hk}, \textsf{dig}, i, 1, \sigma )=1}$ and $\textsf{Extract}(\textsf{td}, \textsf{dig})$ outputs $\textsf{Matching} $. Otherwise, the output is 0.
The hash function satisfies zero-fixing if for all efficient adversaries $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that $\Pr [\textsf{ExptZF}_{\mathcal {A}}(\lambda ) = 1] = \textsf{negl}(\lambda )$.
Extractor validity: For an adversary $\mathcal {A}$, we define the extractor validity game $\textsf{ExptEV}_\mathcal {A}(\lambda )$ as follows:
1. 1.
  On input $1^\lambda $, the adversary $\mathcal {A}$ outputs $1^n$.
2. 2.
  The challenger samples $(\textsf{hk}, \textsf{vk}, \textsf{td}) \leftarrow \textsf{Setup}(1^\lambda ,1^n,\varnothing )$ and sends $(\textsf{hk}, \textsf{vk})$ to the adversary.
3. 3.
  Algorithm $\mathcal {A}$ outputs a digest $\textsf{dig}$.
4. 4.
  The output of the experiment is 1 if $\textsf{ValidateDigest}(\textsf{hk},\textsf{dig})=1$ and $\textsf{Extract}(\textsf{td},\textsf{dig})$ outputs $\textsf{NotMatching} $. Otherwise, the output is 0.
The hash function satisfies the extractor validity property if for every efficient adversary $\mathcal {A}$, there exists a negligible function $\textsf{negl}(\cdot )$ such that
$$\begin{aligned} \Pr [\textsf{ExptEV}_\mathcal {A}(\lambda ) = 1] = \textsf{negl}(\lambda ). \end{aligned}$$

4 Constructing Monotone Policy BARGs

In this section, we describe how to construct monotone policy BARGs from a standard batch argument for $\textsf{NP}$ together with a zero-fixing hash function. We start by defining the conventions we use for describing Boolean circuits.

Definition 7

(Monotone Circuit Wire Indexing). Let $P :\{0,1\}^k \rightarrow \{0,1\}$ be a monotone Boolean circuit consisting exclusively of and and or gates with fan-in two. Let s be the size of P (i.e., the number of wires in P). A topological indexing of the wires of C is an assignment of an index $i \in [s]$ to each wire in P with the following properties:

Input wire: For $i \in [k]$, the $i^{\textrm{th}}$ input to P is associated with the index i.
Output wire: The output wire is associated with the index s.
Intermediate wires: The intermediate wires are associated with an index $i \in \left\{ k + 1, \ldots , s - 1 \right\} $ with the property that the value of index i is completely determined by the values of the wires with indices $j_{i, 1}, j_{i, 2} \in \left\{ 1, \ldots , i - 1 \right\} $.

Every monotone circuit P has a canonical topological indexing that can be computed efficiently (e.g., by applying a deterministic topological sort to the wires of P).

Definition 8

(Layered Monotone Circuit). Let $P :\{0,1\}^k \rightarrow \{0,1\}$ be a (monotone) Boolean circuit of size s. We denote by $L_P(i)$ the layer of the wire i and define it as follows:

If $i \in [k]$ (i.e., an input wire), then $L_P(i)=1$.
If $i > k$ then $L_P(i)=1 + \max \{L_P(j_{i, 1}), L_P(j_{i, 2})\}$, where $j_{i, 1}, j_{i, 2} $ are the indices of the input wires to the gate that computes the value of wire i.

The depth of the circuit is defined to be the layer associated with the output wire: $d = L_P(s)$. A circuit is layered if for every $i \in \{k+1,\ldots ,s\}$, it holds that $L_P(j_{i, 1})=L_P(j_{i, 2})$. For a layer index $\ell \in [d]$, we define $\textsf{layer}_\ell (P) = \{ i\in [s] : L_P(i)=\ell \}$ to be the set of wire indices in layer $\ell $ of the circuit.

Remark 1

(Layered Monotone Circuit). Every monotone circuit $P :\{0,1\}^k \rightarrow \{0,1\}$ of size s can be converted into a layered monotone circuit of size $\textsf{poly}(s)$. Thus, without loss of generality, we exclusively consider layered monotone circuits in the remainder of this work.

4.1 Monotone Policy BARG Construction

We now describe our construction of a monotone policy BARG for $\textsf{NP}$.

Construction 4

(Monotone Policy BARG). Let $\varPi _{\textsf{BARG}}' = (\textsf{Gen}', \textsf{Prove}', \textsf{Verify}', \textsf{TrapGen}', \textsf{Extract}')$ be a somewhere extractable BARG for Boolean circuit satisfiability. Let $\varPi _{\textsf{H}}= (\textsf{H}.\textsf{Setup}, \textsf{H}.\textsf{Hash}, \textsf{H}.\textsf{ProveOpen}, \textsf{H}.\textsf{VerOpen}, \textsf{H}.\textsf{Extract}, \textsf{H}.\textsf{ValidateDigest})$ be a zero-fixing hash function. We construct a monotone policy BARG $\varPi _{\textsf{MP}\text {-}\textsf{BARG}}= (\textsf{Gen}, \textsf{Prove}, \textsf{Verify})$ as follows:

$\textsf{Gen}(1^\lambda , 1^n, 1^{s_c}, 1^{s_p})$: On input the security parameter $\lambda $, the input length n, the bound on the size of the Boolean circuit $s_c$, and the bound on the size of the monotone policy $s_p$, the setup algorithm proceeds as follows:
- Sample two hash keys
  $$\begin{aligned} (\textsf{hk}_0,\textsf{vk}_0,\textsf{td}_0) &\leftarrow \textsf{H}.\textsf{Setup}(1^\lambda , 1^{s_p}, \varnothing ) \\ (\textsf{hk}_1,\textsf{vk}_1,\textsf{td}_1) &\leftarrow \textsf{H}.\textsf{Setup}(1^\lambda , 1^{s_p}, \varnothing ). \end{aligned}$$
- Let $s'$ be a bound on the size of the circuit that computes the relation $\mathcal {R}[C, k, s_p, \textsf{vk}_0, \textsf{vk}_1, \textsf{dig}_0, \textsf{dig}_1]$ from Fig. 1 when instantiated with an arbitrary Boolean circuit C of size at most $s_c$, an input length $k \le s_p$ and digests $\textsf{dig}_0, \textsf{dig}_1$ associated with the hash and verification keys $(\textsf{hk}_0,\textsf{vk}_0)$ and $(\textsf{hk}_1,\textsf{vk}_1)$. Let $n' = 3 \cdot \lceil \log s_p \rceil + 1$ be the bound on the statement length. Sample $(\textsf{crs}_{\textsf{BARG}},\textsf{vk}_\textsf{BARG}) \leftarrow \textsf{Gen}'(1^\lambda , 1^{s_p}, 1^{n'}, 1^{s'})$.^{Footnote 7}
It outputs $\textsf{crs}= (\textsf{crs}_\textsf{BARG},\textsf{vk}_\textsf{BARG}, \textsf{hk}_0,\textsf{hk}_1,\textsf{vk}_0,\textsf{vk}_1)$.
$\textsf{Prove}(\textsf{crs}, C, P, (x_1, \ldots , x_k), (w_1, \ldots , w_k))$: On input $\textsf{crs}= (\textsf{crs}_\textsf{BARG},\textsf{vk}_\textsf{BARG},\textsf{hk}_0,\textsf{hk}_1,\textsf{vk}_0,\textsf{vk}_1)$, a circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a monotone layered Boolean policy circuit $P :\{0,1\}^k \rightarrow \{0,1\}$, statements $x_1, \ldots , x_k \in \{0,1\}^n$, and witnesses $w_1, \ldots , w_k \in \{0,1\}^h$, the prove algorithm does the following:
- Let s be the size of P. Index the wires of P under a canonical topological ordering (Definition 7). For each wire $i \in \left\{ k + 1, \ldots , s \right\} $, let $g_i \in \left\{ \textsc {and}, \textsc {or} \right\} $ be its type. Let $j_{i, 1}, j_{i, 2} \in \left\{ 1, \ldots , i - 1 \right\} $ be the indices of the input wires to the gate i.
- For each $i \in [s]$, let $\beta _i \in \{0,1\}$ be the value of wire i in the evaluation of P on input $(C(x_1, w_1), \ldots , C(x_k, w_k))$. For $i \in \left\{ s + 1, \ldots , s_p \right\} $, let $\beta _i = 0$. (This corresponds to “padding” the $s_p-s$ unused slots).
- Compute the digest $\textsf{dig}_0 \leftarrow \textsf{H}.\textsf{Hash}(\textsf{hk}_0, (\beta _1, \ldots , \beta _{s_p}))$ and the digest $\textsf{dig}_1 \leftarrow \textsf{H}.\textsf{Hash}(\textsf{hk}_1, (\beta _1, \ldots , \beta _{s_p}))$.
- For each $i \in [s]$ and each $b \in \{0,1\}$, compute
  $$\begin{aligned} \sigma ^{(b)}_i \leftarrow \textsf{H}.\textsf{ProveOpen}(\textsf{hk}_b,(\beta _1, \ldots , \beta _{s_p}),i). \end{aligned}$$
- Let $C_\textsf{aug}$ be the circuit that computes $\mathcal {R}[C, k, s,\textsf{vk}_0,\textsf{vk}_1,\textsf{dig}_0,\textsf{dig}_1]$ shown in Fig. 1.
- For each $i \in [s_p]$, construct the statement $\hat{x}_i$ and witness $\hat{w}_i$ as follows:
  $*$:
  
  If $i \in [k]$, let $\hat{x}_i = (i, x_i)$ and $\hat{w}_i = \big ( \beta _i, \sigma ^{(0)}_i,\sigma ^{(1)}_i, w_i \big )$.
  
  $*$:
  
  If $i \in [k + 1, s]$, let $\hat{x}_i = (i, (g_i, j_{i, 1}, j_{i, 2}))$ and
  $$ \hat{w}_i = \big ( \beta _i, \sigma ^{(0)}_i, \sigma ^{(1)}_i, \big ( \beta _{j_{i, 1}}, \sigma ^{(0)}_{j_{i, 1}}, \sigma ^{(1)}_{j_{i, 1}}, \beta _{j_{i, 2}}, \sigma ^{(0)}_{j_{i, 2}}, \sigma ^{(1)}_{j_{i, 2}} \big ) \big ). $$
  
  $*$:
  
  If $i > s$, let $\hat{x}_i = \bot $ and $\hat{w}_i = \bot $.
  
  Essentially, there is an instance $\hat{x}_i$ associated with each wire i of P.
- Compute the BARG proof
  $$\begin{aligned} \pi _\textsf{BARG}\leftarrow \textsf{Prove}'(\textsf{crs}_\textsf{BARG}, C_\textsf{aug}, (\hat{x}_1, \ldots , \hat{x}_{s_p}), (\hat{w}_1, \ldots , \hat{w}_{s_p})) \end{aligned}$$
  and output $\pi = (\textsf{dig}_0,\textsf{dig}_1,\pi _\textsf{BARG})$.
$\textsf{Verify}(\textsf{crs}, C, P, (x_1, \ldots , x_k), \pi )$: On input a common reference string $\textsf{crs}= (\textsf{crs}_\textsf{BARG},\textsf{vk}_\textsf{BARG}, \textsf{hk}_0,\textsf{hk}_1,\textsf{vk}_0,\textsf{vk}_1)$, a Boolean circuit $C :\{0,1\}^n \times \{0,1\}^h \rightarrow \{0,1\}$, a layered monotone Boolean policy $P :\{0,1\}^k \rightarrow \{0,1\}$, statements $x_1, \ldots , x_k \in \{0,1\}^n$, and a proof $\pi = (\textsf{dig}_0, \textsf{dig}_1, \pi _\textsf{BARG})$, the verification algorithm does the following:
- If $\textsf{H}.\textsf{ValidateDigest}(\textsf{vk}_0,\textsf{dig}_0)=0$ or $\textsf{H}.\textsf{ValidateDigest}(\textsf{vk}_1,\textsf{dig}_1)=0$, then output 0.
- Let s be the size of P. Index the wires of P under a canonical topological ordering (Definition 7). For each wire $i \in \left\{ k + 1, \ldots , s \right\} $, let $j_{i, 1}, j_{i, 2} \in \left\{ 1, \ldots , i - 1 \right\} $ be the indices of the input wires of the gate $g_i \in \left\{ \textsc {and}, \textsc {or} \right\} $ that computes wire i. For each $i \in [s_p]$, construct the statement $\hat{x}_i$ as follows:
  $*$:
  
  If $i \in [k]$, let $\hat{x}_i = (i, x_i)$.
  
  $*$:
  
  If $i \in \left\{ k + 1, \ldots , s \right\} $, let $\hat{x}_i = (i, (g_i, j_{i, 1}, j_{i, 2}))$.
  
  $*$:
  
  If $i > s$, let $\hat{x}_i = \bot $.
- Let $C_\textsf{aug}$ be the circuit that computes $\mathcal {R}[C, k, s, \textsf{vk}_0,\textsf{vk}_1,\textsf{dig}_0,\textsf{dig}_1]$ from Fig. 1.
- Output $\textsf{Verify}'(\textsf{vk}_\textsf{BARG}, C_\textsf{aug}, (\hat{x}_1, \ldots , \hat{x}_{s_p}), \pi _\textsf{BARG})$.

We defer the formal correctness and security proofs to the full version of this paper [NWW23].

5 Generic Construction of Zero-Fixing Hash Functions

In this section, we show how to construct a zero-fixing hash function by combining an index BARG (Definition 3), an additively homomorphic encryption scheme with bounded support , and a vector encryption scheme with succinct local openings .

Binary Tree Indexing. In the following construction, we will work with complete binary trees. We will use the following procedure to associate a unique index with each node in the binary tree:

Definition 9

(Binary Tree Indexing). Let $\mathcal {T}$ be a complete binary tree with $n = 2^k$ leaves. Then $\mathcal {T}$ contains exactly $2 n - 1$ nodes. We associate a unique index $i \in [2 n - 1]$ via the following procedure:

First, associate the value $v = 1$ to the root node.
If v is the value associated with a node, then associate values 2v and $2v + 1$ with its left and right child. Recursively apply this process to assign a value to every node in the tree.
The index i associated with a node is defined to be $2 n - v$, where v is the value associated with the node.

By design, Definition 9 has the following properties:

The leaf nodes are indexed 1 through n and the root node is indexed $2n - 1$.
The index of every non-leaf node is greater than the index of its children.
Given the index of any non-leaf node, we can efficiently compute the indices of its left and right child.

Construction 5

(Zero-Fixing Hash Function). Our construction will rely on the following building blocks:

Let $\varPi _{\textsf{BARG}}' = (\textsf{Gen}', \textsf{Prove}', \textsf{Verify}', \textsf{TrapGen}', \textsf{Extract}')$ be a somewhere extractable index BARG (Definition 3).
Let $\varPi _\textsf{HE}= (\textsf{HE}.\textsf{Gen}, \textsf{HE}.\textsf{Enc}, \textsf{HE}.\textsf{Dec}, \textsf{HE}.\textsf{Add})$ be an additively homomorphic encryption scheme with bounded support . Let $\ell _\textsf{ct}(\lambda , n)$ be a bound on the length of the ciphertexts output by either $\textsf{HE}.\textsf{Enc}(\textsf{pk}, \cdot )$ or $\textsf{HE}.\textsf{Add}(\textsf{pk}, \cdot , \cdot )$ for any $(\textsf{sk}, \textsf{pk})$ in the support of $\textsf{HE}.\textsf{Gen}(1^\lambda , 1^n)$.
Let $\varPi _{\textsf{Com}}= (\textsf{Com}.\textsf{Setup}, \textsf{Com}.\textsf{Commit}, \textsf{Com}.\textsf{Verify})$ be a vector commitment scheme with succinct local openings .

We construct a zero-fixing hash $\varPi _{\textsf{H}}= (\textsf{Setup}, \textsf{Hash}, \textsf{ProveOpen}, \textsf{VerOpen}, \textsf{Extract}, \textsf{ValidateDigest})$. In the following description, we assume without loss of generality that the bound on the input length $n \in \mathbb {N}$ is a power of two (i.e., $n = 2^k$ for some integer $k \in \mathbb {N}$). Next, we define the following $\textsf{NP}$ relation which we will be using in our construction:

We describe our construction below:

$\textsf{Setup}(1^\lambda , 1^n, S)$: On input a security parameter $\lambda $, the input length $n = 2^k$, and a set $S \subseteq [n]$, the setup algorithm starts by sampling the following:
- Sample two key pairs: $(\textsf{sk}_0,\textsf{pk}_0) \leftarrow \textsf{HE}.\textsf{Gen}(1^\lambda , 1^n)$ and $(\textsf{sk}_1,\textsf{pk}_1) \leftarrow \textsf{HE}.\textsf{Gen}(1^\lambda , 1^n)$.
- Sample the CRS for the commitment scheme with block length $\ell _\textsf{ct}(\lambda , n)$ and up to $2 n - 1$ blocks: $\textsf{crs}_\textsf{Com}\leftarrow \textsf{Com}.\textsf{Setup}(1^\lambda , 1^{\ell _\textsf{ct}(\lambda , n)}, {2n - 1})$.
- Sample the CRS for a BARG: $(\textsf{crs}_\textsf{BARG},\textsf{vk}_\textsf{BARG}) \leftarrow \textsf{Gen}'(1^\lambda ,1^{2n - 1},1^{s},1^3)$, where s is a bound on the size of the circuit computing the index relation from Fig. 2. Here, the CRS is extractable on up to 3 positions. Note that since $\varPi _{\textsf{BARG}}$ is an index BARG, $\textsf{Gen}'$ does not separately take the statement length as input (Definition 3).
Next, for each $b \in \{0,1\}$, construct an encryption of 0: $\textsf{ct}^{(b)}_{\textsf{zero}} \leftarrow \textsf{HE}.\textsf{Enc}(\textsf{pk}_b,0)$. Next, for each $i \in S$ and $b \in \{0,1\}$, construct the hash key ciphertexts as follows:
- If $i \in S$, compute $\textsf{ct}^{(b)}_i \leftarrow \textsf{HE}.\textsf{Enc}(\textsf{pk}_b,1)$.
- If $i \notin S$, compute $\textsf{ct}^{(b)}_i \leftarrow \textsf{HE}.\textsf{Enc}(\textsf{pk}_b,0)$.
Next, the setup algorithm constructs a commitment to the ciphertexts associated with the hash key. Specifically, for each $b \in \{0,1\}$, it computes
$$ \big ( \textsf{com}_\textsf{hk}^{(b)}, \sigma ^{(b)}_{\textsf{hk},1},\ldots ,\sigma ^{(b)}_{\textsf{hk},n} \big ) \leftarrow \textsf{Com}.\textsf{Commit}\big ( \textsf{crs}_\textsf{Com}, (\textsf{ct}^{(b)}_1,\ldots ,\textsf{ct}^{(b)}_n) \big ). $$
Finally, the setup algorithm constructs the hash key $\textsf{hk}$, the verification key $\textsf{vk}$, and the trapdoor $\textsf{td}$ as follows:
$$\begin{aligned} \textsf{hk}&= \Big ( \textsf{crs}_\textsf{Com}, \textsf{crs}_\textsf{BARG}, \big \{\textsf{pk}_b, \textsf{ct}_\textsf{zero}^{(b)}, \textsf{ct}_1^{(b)}, \ldots , \textsf{ct}_n^{(b)}, \sigma _{\textsf{hk},1}^{(b)}, \ldots , \sigma _{\textsf{hk}, n}^{(b)} \big \}_{b \in \{0,1\}} \Big ) \end{aligned}$$
(5.1)

$$\begin{aligned} \textsf{vk}&= \big ( \textsf{crs}_\textsf{Com}, \textsf{vk}_\textsf{BARG}, \textsf{pk}_0, \textsf{pk}_1, \textsf{ct}^{(0)}_{\textsf{zero}}, \textsf{ct}^{(1)}_{\textsf{zero}}, \textsf{com}_\textsf{hk}^{(0)}, \textsf{com}_\textsf{hk}^{(1)} \big ) \end{aligned}$$
(5.2)

$$\begin{aligned} \textsf{td}&= (\textsf{sk}_0,\textsf{sk}_1). \end{aligned}$$
(5.3)
$\textsf{Hash}(\textsf{hk},x)$: On input a hash key $\textsf{hk}$ (parsed as in Eq. (5.1)) and a string $x \in \{0,1\}^n$, the hashing algorithm proceeds as follows:
- Construct two complete binary trees $\mathcal {T}_0, \mathcal {T}_1$, each with n leaves. For each tree $\mathcal {T}_b$, we assign a ciphertext $v_i^{(b)}$ to each node $i \in [2s - 1]$ in the tree as follows (where the nodes are indexed using Definition 9):
  $*$:
  
  If $i \in [n]$, let $v_i^{(b)} \leftarrow \textsf{ct}_\textsf{zero}^{(b)}$ if $x_i = 0$ and $v_i^{(b)} \leftarrow \textsf{ct}_i^{(b)}$ if $x_i = 1$.
  
  $*$:
  
  For each internal node $i \in [n + 1, 2n - 1]$, compute the ciphertext $v_i^{(b)} \leftarrow \textsf{HE}.\textsf{Add}\big ( \textsf{pk}_b, v_{i_{ \textsc {l}}}^{(b)}, v_{i_{ \textsc {r}}}^{(b)} \big )$, where $i_{ \textsc {l}}$ and $i_{ \textsc {r}}$ are the indices associated with the left and right child of node i under the canonical tree indexing scheme (Definition 9).
- For $b \in \{0,1\}$, construct commitments
  $$\begin{aligned} (\textsf{com}_b, \sigma _1^{(b)},\ldots ,\sigma _{2n-1}^{(b)}) \leftarrow \textsf{Com}.\textsf{Commit}(\textsf{crs}_\textsf{Com},(v^{(b)}_1,\ldots ,v^{(b)}_{2n-1})) \end{aligned}$$
  to the ciphertexts associated with $\mathcal {T}_b$.
- For $b \in \{0,1\}$, let $\textsf{ct}_\textsf{root}^{(b)} = v^{(b)}_{2n - 1}$ (i.e., the ciphertext associated with the root of $\mathcal {T}_b$). Let $C_\bot $ be the circuit that computes the following instantiation of the relation from Fig. 2:
  $$\begin{aligned} \mathcal {R}\left[ \textsf{crs}_\textsf{Com}, \big \{\textsf{pk}_b, \textsf{com}_\textsf{hk}^{(b)}, \textsf{com}_b, \textsf{ct}_\textsf{zero}^{(b)}, \textsf{ct}_\textsf{root}^{(b)} \big \}_{b \in \{0,1\}}, \bot , \bot \right] . \end{aligned}$$
- For each $i \in [2n-1]$, let $\tau _i = \big ( v_i^{(0)}, v_i^{(1)},\sigma _i^{(0)},\sigma _i^{(1)} \big )$ be the opening for the ciphertexts associated with node i in $\mathcal {T}_0$ and $\mathcal {T}_1$. Then, for each $i \in [2s - 1]$, define the auxiliary witness $\tilde{w}_i$ to be
  $*$:
  
  If $i \in [n]$ then $\tilde{w}_i = \big ( \textsf{ct}^{(0)}_i,\textsf{ct}^{(1)}_i,\sigma _{\textsf{hk},i}^{(0)},\sigma _{\textsf{hk},i}^{(1)} \big )$.
  
  $*$:
  
  If $i \in [n+1,2n-1]$ then $\tilde{w}_i=(\tau _{i_{ \textsc {l}}}, \tau _{i_{ \textsc {r}}})$ where $i_{ \textsc {l}},i_{ \textsc {r}}$ are the indices of the left and right child of node i, respectively.
  
  Finally, let $w_i = (\tau _i, \tilde{w}_i)$ for each $i \in [2n - 1]$. Compute the BARG proof $\pi _\textsf{dig}\leftarrow \textsf{Prove}'(\textsf{crs}_\textsf{BARG},C_\bot , 2n-1, (w_1, \ldots , w_{2n-1}))$.
- Output the digest
  $$\begin{aligned} \textsf{dig}= \left( \textsf{ct}_\textsf{root}^{(0)}, \textsf{ct}_\textsf{root}^{(1)}, \textsf{com}_0, \textsf{com}_1, \pi _\textsf{dig}\right) . \end{aligned}$$
$\textsf{ProveOpen}(\textsf{hk},x,{i^*})$: On input a hash key $\textsf{hk}$ (parsed as in Eq. (5.1)), a string $x \in \{0,1\}^n$ and an index ${i^*}\in [n]$, the opening algorithm proceeds as follows:
- Let $C_{{i^*},x_{i^*}}$ be the circuit that computes the following instantiation of the relation from Fig. 2:
  $$\begin{aligned} \mathcal {R}\big [ \textsf{crs}_\textsf{Com}, \big \{\textsf{pk}_b, \textsf{com}_\textsf{hk}^{(b)}, \textsf{com}_b, \textsf{ct}_\textsf{zero}^{(b)}, \textsf{ct}_\textsf{root}^{(b)} \big \}_{b \in \{0,1\}}, {i^*}, x_{{i^*}} \big ]. \end{aligned}$$
- Compute the witnesses $w_i$ for each $i \in [2n-1]$ using the same procedure as in the $\textsf{Hash}$ algorithm.
- Output the opening $\sigma \leftarrow \textsf{Prove}'(\textsf{crs}_\textsf{BARG},C_{{i^*},x_{i^*}}, 2n-1, (w_1,\ldots ,w_{2n-1}))$
$\textsf{VerOpen}(\textsf{vk},\textsf{dig},i,b, \sigma )$: On input the verification key $\textsf{vk}$ (parsed according to Eq. (5.2)), a digest $\textsf{dig}= \big ( \textsf{ct}_\textsf{root}^{(0)}, \textsf{ct}_\textsf{root}^{(1)}, \textsf{com}_0, \textsf{com}_1, \pi _\textsf{dig}\big )$, an index ${i^*}\in [n]$, a bit $b \in \{0,1\}$ and an opening $\sigma $, the verification algorithm outputs $\textsf{Verify}'(\textsf{vk}_\textsf{BARG},C_{{i^*}, b}, 2n - 1, \sigma )$ where $C_{{i^*}, b}$ is the circuit computing the following relation from Fig. 2:
$$\begin{aligned} \mathcal {R}\big [ \textsf{crs}_\textsf{Com}, \big \{\textsf{pk}_b, \textsf{com}_\textsf{hk}^{(b)}, \textsf{com}_b, \textsf{ct}_\textsf{zero}^{(b)}, \textsf{ct}_\textsf{root}^{(b)} \big \}_{b \in \{0,1\}}, {i^*}, b \big ]. \end{aligned}$$
$\textsf{Extract}(\textsf{td},\textsf{dig})$: On input a trapdoor $\textsf{td}= (\textsf{sk}_0,\textsf{sk}_1)$ and a digest $\textsf{dig}= \big ( \textsf{ct}_\textsf{root}^{(0)}, \textsf{ct}_\textsf{root}^{(1)}, \textsf{com}_0, \textsf{com}_1, \pi _\textsf{dig}\big )$, the extraction algorithm outputs $\textsf{Matching} $ if $\textsf{HE}.\textsf{Dec}(\textsf{sk}_0, \textsf{ct}_\textsf{root}^{(0)})=0$. Otherwise, the algorithm outputs $\textsf{NotMatching} $.
$\textsf{ValidateDigest}(\textsf{vk},\textsf{dig})$: On input the verification key $\textsf{vk}$ (parsed according to Eq. (5.2)) and a digest $\textsf{dig}= \big ( \textsf{ct}_\textsf{root}^{(0)}, \textsf{ct}_\textsf{root}^{(1)}, \textsf{com}_0, \textsf{com}_1, \pi _\textsf{dig}\big )$, the digest-validation algorithm outputs $\textsf{Verify}'(\textsf{vk}_\textsf{BARG},C_{\bot },2n-1,\pi _\textsf{dig})$ where $C_\bot $ is the circuit computing the following relation from Fig. 2:
$$\begin{aligned} \mathcal {R}\big [ \textsf{crs}_\textsf{Com}, \big \{\textsf{pk}_b, \textsf{com}_\textsf{hk}^{(b)}, \textsf{com}_b, \textsf{ct}_\textsf{zero}^{(b)}, \textsf{ct}_\textsf{root}^{(b)} \big \}_{b \in \{0,1\}}, \bot , \bot \big ]. \end{aligned}$$

Correctness and Security Analysis. Due to space limitations, we defer the correctness and security analysis of Construction 5 to the full version of this paper [NWW23].

Corollary 1

(Zero-Fixing Hash Functions). Assuming any of (1) the plain LWE assumption, (2) the k-$\textsf{Lin}$ assumption over pairing groups for any constant k, or (3) the (sub-exponential) DDH assumption in pairing-free groups, there exists a zero-fixing hash function.

Theorem 1 now follows in conjunction with our generic construction (Construction 4). Due to space limitations, we defer the security analysis of Construction 4 to the full version of this paper [NWW23].

Notes

1.
This is conceptually similar to the notion of function-binding hash functions introduced concurrently in [FWW23].
2.
With a suitable strengthening of the notion of predicate-extractable hash functions, the authors of [BBK+23] also show how to obtain a somewhere extractable monotone policy BARG. In this work, we focus on achieving the core notion of non-adaptive soundness.
3.
This step is straightforward if we had a predicate-extractable hash function where the extractor outputs a mismatching index. Namely, if the upper layer digest is $\textsf{NotMatching}$, then the extractor outputs an index $j \in J_{i + 1}$ that is mismatching (i.e., cannot be opened to a 0). This means the efficient adversary can only open wire j to the value 1. Now, if the BARG is extracting on the statement associated with wire j, then we either (1) obtain the opening of some index $j' \in J_{i}$ to a 1, which breaks security of the hash function (since the lower layer digest is $\textsf{Matching}$); or (2) the value of wire j is inconsistent with the input wires associated with the gate computing wire j, which breaks security of the BARG.
4.
This type of property where the output of the extractor does not change for different choices of the CRS is often referred to as a “no-signaling” extraction property [PR17, KPY19, GZ21, KVZ21, CJJ21b].
5.
Otherwise, an honest digest on the input that is 1 at index i (and 0 everywhere else) would be declared $\textsf{Matching}$ if the hash key was zero-fixing on a set S that contains i and $\textsf{NotMatching}$ if the hash key was zero-fixing on the set $S \setminus \left\{ i \right\} $.
6.
In the static security model, we require that the adversary declare the set of corrupted verification keys, its challenge message, and the aggregation policy at the beginning of the security game.
7.
Recall that when the bound on the extraction set parameter $\ell $ is not given, it defaults to the value 1.

References

Brakerski, Z., Brodsky, M.F., Kalai, Y.T., Lombardi, A., Paneth, O.: SNARGs for monotone policy batch NP. In: CRYPTO, pp. 252–283 (2023)
Google Scholar
Brodsky, M.F., Choudhuri, A.R., Jain, A., Paneth, O.: Monotone-policy aggregate signatures. In: EUROCRYPT (2024). https://doi.org/10.1007/978-3-031-58737-5_7
Ben-David, S., Kalai, Y.T., Paneth, O.: Verifiable private information retrieval. In: TCC, pp. 3–32 (2022)
Google Scholar
Catalano, D., Fiore, D.: Vector commitments and their applications. In: PKC, pp. 55–72 (2013)
Google Scholar
Choudhuri, A.R., Garg, S., Jain, A., Jin, Z., Zhang, J.: Correlation intractability and SNARGs from sub-exponential DDH. In: CRYPTO, pp. 635–668 (2023)
Google Scholar
Choudhuri, A.R., Jain, A., Jin, Z.: Non-interactive batch arguments for NP from standard assumptions. In: CRYPTO, pp. 394–423 (2021)
Google Scholar
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for P from LWE. In: FOCS, pp. 68–79 (2021)
Google Scholar
Devadas, L., Goyal, R., Kalai, Y., Vaikuntanathan, V.: Rate-1 non-interactive arguments for batch-NP and applications. In: FOCS, pp. 1057–1068 (2022)
Google Scholar
Freitag, C., Waters, B., Wu, D.J.: How to use (plain) witness encryption: registered ABE, flexible broadcast, and more. In: CRYPTO, pp. 498–531 (2023)
Google Scholar
El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: CRYPTO, pp. 10–18 (1984)
Google Scholar
Goyal, R., Vusirikala, S., Waters, B.: Collusion resistant broadcast and trace from positional witness encryption. In: PKC, pp. 3–33 (2019)
Google Scholar
González, A., Zacharakis, A.: Succinct publicly verifiable computation. IACR Cryptol. ePrint Arch., p. 353 (2021)
Google Scholar
Hulett, J., Jawale, R., Khurana, D., Srinivasan, A.: SNARGs for P from sub-exponential DDH and QR. In: EUROCRYPT, pp. 520–549 (2022)
Google Scholar
Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: ITCS, pp. 163–172 (2015)
Google Scholar
Kalai, Y., Lombardi, A., Vaikuntanathan, V., Wichs, D.: Boosting batch arguments and RAM delegation. In: STOC, pp. 1545–1552 (2023)
Google Scholar
Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: STOC, pp. 1115–1124 (2019)
Google Scholar
Kalai, Y.T., Vaikuntanathan, V., Zhang, R.Y.: Somewhere statistical soundness, post-quantum security, and SNARGs. In: TCC, pp. 330–368 (2021)
Google Scholar
Nassar, S., Waters, B., Wu, D.J.: Monotone policy Bargs from Bargs and additively homomorphic encryption. IACR Cryptol. ePrint Arch. (2023)
Google Scholar
Naor, M., Yung, M.: 1 Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437 (1990)
Google Scholar
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT, pp. 223–238 (1999)
Google Scholar
Paneth, O., Pass, R.: Incrementally verifiable computation via rate-1 batch arguments. In: FOCS, pp. 1045–1056 (2022)
Google Scholar
Paneth, O., Rothblum, G.N.: On zero-testable homomorphic encryption and publicly verifiable non-interactive arguments. In: TCC, pp. 283–315 (2017)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)
Google Scholar
Vadhan, S.P.: An unconditional study of computational zero knowledge. SIAM J. Comput. 36(4), 1160–1214 (2006)
Article MathSciNet Google Scholar
Waters, B., Wu, D.J.: Batch arguments for NP and more from standard bilinear group assumptions. In: CRYPTO, pp. 433–463 (2022)
Google Scholar

Download references

Acknowledgments

We thank Yuval Ishai for helpful pointers on batch arguments. Brent Waters is supported by NSF CNS-1908611, CNS-2318701, and a Simons Investigator award. David J. Wu is supported by NSF CNS-2151131, CNS-2140975, CNS-2318701, a Microsoft Research Faculty Fellowship, and a Google Research Scholar award.

Author information

Authors and Affiliations

UT Austin, Austin, TX, USA
Shafik Nassar, Brent Waters & David J. Wu
NTT Research, Sunnyvale, CA, USA
Brent Waters

Authors

Shafik Nassar
View author publications
You can also search for this author in PubMed Google Scholar
Brent Waters
View author publications
You can also search for this author in PubMed Google Scholar
David J. Wu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shafik Nassar .

Editor information

Editors and Affiliations

NTT Research, Sunnyvale, CA, USA
Elette Boyle
University of Virginia, Charlottesville, VA, USA
Mohammad Mahmoody

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Nassar, S., Waters, B., Wu, D.J. (2025). Monotone Policy BARGs from BARGs and Additively Homomorphic Encryption. In: Boyle, E., Mahmoody, M. (eds) Theory of Cryptography. TCC 2024. Lecture Notes in Computer Science, vol 15365. Springer, Cham. https://doi.org/10.1007/978-3-031-78017-2_14

Download citation

DOI: https://doi.org/10.1007/978-3-031-78017-2_14
Published: 28 November 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-78016-5
Online ISBN: 978-3-031-78017-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Monotone Policy BARGs from BARGs and Additively Homomorphic Encryption