Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Paper 2024/1303

Efficient Zero-Knowledge Arguments for Paillier Cryptosystem

Borui GONG, The Hong Kong Polytechnic University
Wang Fat Lau, The Hong Kong Polytechnic University
Man Ho Au, The Hong Kong Polytechnic University
Rupeng Yang, University of Wollongong
Haiyang Xue, Singapore Management University
Lichun Li, Ant Group
Abstract

We present an efficient zero-knowledge argument of knowledge system customized for the Paillier cryptosystem. Our system enjoys sublinear proof size, low verification cost, and acceptable proof generation effort, while also supporting batch proof generation/verification. Existing works specialized for Paillier cryptosystem feature linear proof size and verification time. Using existing sublinear argument systems for generic statements (e.g., zk-SNARK) results in unaffordable proof generation cost since it involves translating the relations to be proven into an inhibitive large Boolean or arithmetic circuit over a prime order field. Our system does not suffer from these limitations. The core of our argument systems is a constraint system defined over the ring of residue classes modulo a composite number, together with novel techniques tailored for arguing binary values in this setting. We then adapt the approach from Bootle et al. (EUROCRYPT 2016) to compile the constraint system into a sublinear argument system. Our constraint system is generic and can be used to express typical relations in Paillier cryptosystems including range proof, correctness proof, relationships between bits of plaintext, relationships of plaintexts among multiple ciphertexts, and more. Our argument supports batch proof generation and verification, with the amortized cost outperforming state-of-the-art protocol specialized for Paillier when the number of Paillier ciphertext is in the order of hundreds. We report an end-to-end prototype and conduct comprehensive experiments across multiple scenarios. Scenario 1 is Paillier with packing. When we pack 25.6K bits into 400 ciphertexts, a proof that all these ciphertexts are correctly computed is 17 times smaller and is 3 times faster to verify compared with the naive implementation: using 25.6K OR-proofs without packing. Furthermore, we can prove additional statements almost for free, e.g., one can prove that the sum of a subset of the witness bits is less than a threshold t. Another scenario is range proof. To prove that each plaintext in 200 Paillier ciphertexts is of size 256 bits, our proof size is 10 times smaller than the state-of-the-art. Our analysis suggests that our system is asymptotically more efficient than existing protocols, and is highly suitable for scenarios involving a large number (more than 100) of Paillier ciphertexts, which is often the case for data analytics applications.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. IEEE Symposium on Security and Privacy 2024
Keywords
zero-knowledge argumentsPaillier
Contact author(s)
raegongbr @ gmail com
wf-franky lau @ connect polyu hk
mhaau @ polyu edu hk
orbbyrp @ gmail com
haiyangxc @ gmail com
lichun llc @ antgroup com
History
2024-08-23: approved
2024-08-21: received
See all versions
Short URL
https://ia.cr/2024/1303
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1303,
      author = {Borui GONG and Wang Fat Lau and Man Ho Au and Rupeng Yang and Haiyang Xue and Lichun Li},
      title = {Efficient Zero-Knowledge Arguments for Paillier Cryptosystem},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1303},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1303}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.