Hello, my name is Thomas Attema and I will be presenting our work on compressing proofs of k-out-of-n partial knowledge. This is joint work with my co-authors Ronald Cramer and Serge Fehr.

In proofs of partial knowledge, a prover claims to know k secret solutions out of n public problem instances. It wishes to convince a verifier that it does, without the verifier learning which k out of n secrets the prover knows. This problem was introduced by Cramer, Damgård and Schoenmakers at Crypto '94. Some examples are proving knowledge of k out of n discrete logarithms, proving knowledge of the openings of k out of n commitments, or proving knowledge of k out of n pre-images, with respect to some hash function h, of bit strings y_1 up to y_n.

Proofs of partial knowledge have found numerous applications, in particular the case k equals 1, so 1-out-of-n proofs of partial knowledge. Some examples are threshold and ring signature schemes, e-voting protocols and confidential transaction systems.

On the other end we have the very generic circuit zero-knowledge protocols. In a circuit zero-knowledge protocol the prover wishes to prove knowledge of a secret vector x that satisfies the constraint C(x) = 0, captured by some arithmetic circuit C. Recently we have seen many advances in circuit zero-knowledge protocols: SNARKs, STARKs, Bulletproofs, compressed Σ-protocol theory, different lines of work achieving logarithmic or even constant communication complexity for the circuit zero-knowledge problem. Circuit zero-knowledge protocols also immediately give a solution for the proofs of partial knowledge problem.

What we can do, namely, is capture the proof of partial knowledge relation by an arithmetic circuit. For example, for the 1-out-of-n case we could construct an arithmetic circuit that evaluates to zero if and only if the input x to this arithmetic circuit is the discrete logarithm of one of the public problem instances P_i. If we capture this proof of partial knowledge relation by an arithmetic circuit, then we can apply a circuit zero-knowledge protocol in a black-box manner and obtain a proof of partial knowledge. So this is a somewhat indirect approach, in which we first capture the proof of partial knowledge relation by an arithmetic circuit. This is quite a strong approach, because it works for arbitrary k and n and you can achieve logarithmic or even constant communication complexity, depending on the circuit zero-knowledge protocol that you use.

However, there are some clear disadvantages of the circuit zero-knowledge approach. First, it is conceptually superfluous. The arithmetic circuits that result in this approach are quite complicated, and they are really tailored to a specific instantiation. For example, if we want to prove discrete logarithms in another group, then we would require another arithmetic circuit capturing the relation. So this is unnecessarily complicated in that sense. Moreover, this approach is asymptotically efficient, as we already mentioned: we can achieve communication complexity that is logarithmic or even constant. But these large or complicated arithmetic circuits can cause a practical overhead, and also note that you have to generate, store and process all these large arithmetic circuits. So this is a practical overhead that we want to avoid.

The goal of this work is to develop a direct approach, avoiding the overhead of large arithmetic circuits. Our approach should work for arbitrary k and n, and we aim to achieve a logarithmic communication complexity. There has been prior work on proofs of partial knowledge. However,
for different reasons, prior work does not achieve our goal. We already mentioned the proofs of partial knowledge introduced by Cramer, Damgård and Schoenmakers in 1994. The ingredients of their proof of partial knowledge are a basic Σ-protocol, a special honest-verifier zero-knowledge simulator, and a linear secret sharing scheme. Their approach works for arbitrary k and n and also for a broad class of Σ-protocols, so not just for the Σ-protocol for proving knowledge of a discrete logarithm but for many other Σ-protocols. However, their approach has a linear communication complexity, so linear in n.

On the other end we have a much more recent approach for 1-out-of-many proofs of partial knowledge, introduced by Groth and Kohlweiss in 2015. Their protocol focuses on the special case k equals 1, so really 1-out-of-n proofs of partial knowledge, and it does not generalize well to arbitrary k. Informally, their approach is basically to commit to the bits of the index of the known secret and then use a Σ-protocol for proving the desired relations. Because they only commit to the bits of the index of the known secret, they achieve a logarithmic communication complexity. This approach has also been instantiated from a lattice assumption in 2019; of course, this lattice instantiation required some adaptations that were worked out by the authors of that paper.

So prior works either achieve a linear communication complexity or they are tailored to the specific case k equals 1. We aim to construct a protocol that works for arbitrary k and n and achieves a logarithmic communication complexity. We will be using techniques from the proofs of partial knowledge approach of CDS 94, but we will also be building on the techniques from compressed Σ-protocol theory, introduced at Crypto 2020.

So, compressed Σ-protocol theory. What they basically do is develop a compression mechanism for a basic Σ-protocol for linear statements. They start with a basic Σ-protocol that has linear communication complexity and develop a compression mechanism that reduces the communication complexity of this basic Σ-protocol from linear down to logarithmic. Then they also show how to use this compressed Σ-protocol for linear statements to develop a circuit zero-knowledge protocol for arbitrary arithmetic circuit relations, so also for non-linear relations, and the key technique is a linearization technique based on arithmetic secret sharing. They have shown how to instantiate this theory from a variety of hardness assumptions, for example the ring-SIS assumption, the discrete logarithm assumption, and the strong RSA assumption or the knowledge-of-exponent assumption.

Given this compressed Σ-protocol theory, a natural question that arises is whether we can compress the proof of partial knowledge Σ-protocol of CDS 94 to reduce the communication complexity of their approach from linear down to logarithmic. In our work we basically show that yes, we can do that. We can compress the proofs of partial knowledge approach of CDS 94, but it does require some adaptations and some twists to the original protocols. First, we need to develop a novel twist on the basic compressed Σ-protocol for proving linear statements from AC 20. What we have to do is show that we can open arbitrary homomorphisms instead of only linear forms. Basically, the Crypto 2020 paper was restricted to opening linear forms on committed vectors, and now what we want to do is open arbitrary homomorphisms. So this is a first generalization that is required for our techniques. Second, we also have to adapt the CDS 94 approach. Basically, the Σ-protocol in the original 1994 paper is not compressible, so it is not amenable to the compression mechanism of compressed Σ-protocol theory. What we do is adapt the Σ-protocol to make sure that we can apply compression.

Altogether, we arrive at the following main result: there exists a protocol for proving knowledge of k out of n discrete logarithms, and its communication costs from prover to verifier are indeed logarithmic. This approach works for arbitrary k and n.

Besides our main result, we also have a number of extensions to our main proof of partial knowledge protocol. First, we show how to reduce the communication complexity further by a factor 2 by using a pairing-based commitment scheme. Second, our main protocol is for proving knowledge of k out of n discrete logarithms; this functionality has a natural extension to multi-exponentiations and to proving knowledge of k out of n vector commitment openings. Also, these techniques are compatible with circuit zero-knowledge protocols; this basically uses the plug-and-play nature of compressed Σ-protocol theory. What we can do is, for example, prove not only that we know k out of n secrets, but also that these k out of n secrets satisfy some arbitrary constraint captured by an arithmetic circuit C. A first application was presented in a follow-up paper: succinct threshold signature schemes with a transparent setup. These were the first threshold signature schemes without a trusted setup for which the threshold signatures have size logarithmic in n. Also, a lattice instantiation should be possible.
So recently, also at Crypto 2021, compressed Σ-protocol theory was instantiated from lattice assumptions, and using these techniques it should be possible to instantiate our proofs of partial knowledge protocols from the lattice assumption.

You have already seen that our proofs of partial knowledge protocol achieves a logarithmic communication complexity, but also the concrete communication costs are comparable or competitive with other approaches. For example, our communication costs are competitive with the dedicated solutions for the case k equals 1; we achieve the same constants as these approaches if we instantiate our generic solution for the case k equals 1. And if k is in the order of ω(n / log n), then we achieve an asymptotic improvement over the indirect circuit zero-knowledge approach.

Before we explain our techniques, we recall the Crypto '94 proof of partial knowledge protocol. We consider the following scenario. There are n public group elements P_1 up to P_n, and for k out of n indices i the prover knows the discrete logarithms. These indices are captured by a secret subset S, and the discrete logarithms are captured by a secret vector x. Moreover, we will use a basic Σ-protocol Π for proving knowledge of a single discrete logarithm, together with its special honest-verifier zero-knowledge simulator. Informally, for the discrete logarithms that it knows, the prover runs k honest instances of Σ-protocol Π, and for the n minus k discrete logarithms that it does not know, it runs the simulator. Moreover, the prover will use a linear secret sharing scheme to make sure the verifier does not know for which instances the protocol was run honestly and for which instances the prover used the special honest-verifier zero-knowledge simulator. Moreover, the linear secret sharing scheme makes sure that the prover must evaluate the protocol honestly for at least k problem instances, so it must know at least k discrete logarithms.

In more detail: in the first step the prover computes k first messages honestly and simulates n minus k transcripts. In the second message the verifier samples a single challenge for all n problem instances and sends it to the prover. In the third step the prover computes an (n-k+1, n) secret sharing c_1 up to c_n of c, such that the n minus k challenges simulated in the first step correspond to the secret shares. The parameters of the secret sharing scheme are such that the prover can control at most n minus k entries of the secret sharing; for the other k instances the prover must compute the final response honestly, because it cannot control the challenge corresponding to that problem instance. The prover sends the secret sharing and all final responses to the verifier, who verifies all n transcripts and the secret sharing.

Let us now discuss our twist on a compressed Σ-protocol. A central protocol of AC 20 shows how to open arbitrary linear forms on compactly committed vectors. This protocol has a logarithmic communication complexity. More precisely, this protocol allows a prover to prove knowledge of a commitment opening x such that L(x) = y for some linear form L. What we show in our paper is that this functionality extends to opening arbitrary homomorphisms: instead of having codomain Z_q, we now have a homomorphism for which the codomain is an arbitrary group G. This extension comes at a cost, as it increases the communication costs by a factor 2.

Next we note that even with our generalization of the compression mechanism of AC 20, the CDS 94 Σ-protocol is not compressible. The reason is basically that, first of all, the first message of the CDS 94 Σ-protocol already has size linear in n, since we have to send first messages for all n instances, and also the final message contains this secret sharing c_1 up to c_n, and this secret sharing is not compressible. So basically we cannot
apply the compression mechanism to the CDS 94 Σ-protocol. For this reason we develop a novel technical approach to CDS 94. The approach is as follows. We first reduce the k-out-of-n case to the n-out-of-n case, where the prover knows all discrete logarithms. We do this by eliminating the exponents that the prover does not know, and we use an elimination vector s = (s_1, ..., s_n) with s_i = 0 for all i not in S, so for all indices i for which the prover does not know a discrete logarithm. Then, instead of proving knowledge of the discrete logarithms of the P_i, we are going to prove knowledge of the discrete logarithms of the Q_i, which is P_i to the power s_i. Note that the prover knows the discrete logarithms of all Q_i, because for i in S the discrete logarithm is simply the product of s_i and x_i, and for i not in S the discrete logarithm is simply zero. So by using this elimination vector we allow the prover to eliminate the group elements for which it does not know a discrete logarithm. The prover is free to choose the elimination vector s as long as it satisfies certain properties. For example, the vector s can contain at most n minus k zeros; if it contains more zeros, then the prover will only prove knowledge of fewer than k secret elements, and that is not what we want.

To this end, we will be using the protocol for opening homomorphisms, and we will define the following homomorphisms. We will also define the following vector y. The vector y contains the elimination vector s, and it also contains the discrete logarithms of the group elements Q_i; so s_i x_i is the discrete logarithm of Q_i for all i between 1 and n. Now note that if we evaluate the homomorphism f_i at the vector y, then it maps to the identity element. This is basically by construction. And also what we can show is that if this is indeed the case, then the prover must indeed know a discrete logarithm of Q_i. So what we will be doing is ask the prover to commit to this long vector y and prove that it satisfies this homomorphism relation for all i from 1 up to n.

What remains is for the prover to show that the elimination vector s contains at most n minus k zeros. We do this by enforcing s to be an (n-k+1, n) secret sharing of 1; such a secret sharing can namely contain at most n minus k zeros. This somewhat resembles the use of the linear secret sharing scheme in the original CDS 94 approach. Such a secret sharing can be defined by a polynomial of degree at most n minus k, so a polynomial p(X) that evaluates to 1 in 0 and has degree at most n minus k. So we adapt the protocol: instead of committing to the long vector y that contains this elimination vector directly, we commit to the somewhat shorter vector y with the coefficients of this polynomial p(X) defining the secret sharing. We also have to adapt the homomorphisms, and because an evaluation of p(X) is always a linear combination of the coefficients a_i to which the prover is now committed, the adapted homomorphisms are still homomorphisms.
They are still linear functions. Altogether, our proofs of k-out-of-n partial knowledge protocol takes this form. In the first step the prover computes this secret sharing polynomial p(X) that evaluates to 1 in 0 and evaluates to 0 in all i not in S, so for all i for which the prover does not know a discrete logarithm. Then it commits to this long vector y containing the coefficients of this polynomial p(X) and the discrete logarithms of the elements Q_i. Then it sends this commitment to the long vector y to the verifier, and then we use our compressed Σ-protocol for opening homomorphisms to prove that this committed vector satisfies the appropriate homomorphism relations.

If we analyze the communication cost of our approach, we see that we still have to open n different homomorphisms. If we do this naively, then the communication cost would still be linear in n. However, the communication cost of opening n homomorphisms can be amortized, resulting in a communication complexity that is roughly the same as opening only one homomorphism. If we apply this amortization technique, we see that we obtain a communication cost of roughly 4 log n elements.

Finally, we come back to an extension mentioned before on reducing the communication costs by an additional factor 2. This can be achieved by using a pairing-based commitment scheme, using an adaptation of a technique from compressed Σ-protocol theory. In their Crypto 2020 paper, AC 20 managed to reduce the communication cost by a factor 2 by committing to a secret vector and its linear form evaluation in a single compact commitment; that is, the linear form evaluation L(x) was incorporated into the commitment. To apply this technique to our generalization of opening homomorphisms instead of linear forms, we need a compact commitment scheme for mixed vectors with coefficients in the field Z_q and in some group G, so some of its coefficients are in the field Z_q and other coefficients are group elements. There exist pairing-based commitment schemes with these desired properties, allowing us to reduce the communication costs.

Thanks for your attention. If you have questions, feel free to contact me or join our live presentation on August 19.
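As an added illustration (not code from the paper or from the talk), the following Python script works through the k-out-of-n to n-out-of-n reduction described in the talk on a constructed toy instance: it builds the secret sharing polynomial p(X) of degree at most n-k with p(0) = 1 and p(i) = 0 for all i not in S, derives the elimination vector s from it, forms the vector y of polynomial coefficients and discrete logarithms of Q_i = P_i^{s_i}, and checks that every homomorphism f_i(y) = P_i^{p(i)} · G^{-z_i} maps y to the identity. The group (the order-1019 subgroup of Z_2039^* with generator 4), the instance n = 5, k = 2, S = {2, 5} and all exponents are constructed assumptions, and the compressed Σ-protocol for opening the committed y is not implemented: the relations are checked directly on y, which in the real protocol is only available to the verifier through the commitment.

```python
# Added illustration of the k-out-of-n -> n-out-of-n reduction from the talk
# (not the paper's code). The group is a constructed toy instance, far too
# small for real use, and the compressed Sigma-protocol is NOT implemented:
# the relations f_i(y) = 1 are checked directly on the vector y that the
# real protocol would commit to and open.

# Toy group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 and generator G = 4.
P = 2039
Q = 1019
G = 4


def secret_sharing_polynomial(n, k, known):
    """Coefficients a_0..a_{n-k} (mod Q) of p(X) = prod_{i not in S} (1 - X/i).

    p(0) = 1 and p(i) = 0 for every i not in S, so (p(1), ..., p(n)) is an
    (n-k+1, n) secret sharing of 1. Since p is nonzero of degree at most n-k,
    it has at most n-k roots: this is the bound on zeros the prover must show.
    """
    assert len(known) == k and all(1 <= i <= n for i in known)
    coeffs = [1]                                   # the constant polynomial 1
    for i in range(1, n + 1):
        if i in known:
            continue
        inv = pow(i, -1, Q)                        # multiply by (1 - inv * X)
        new = [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):
            new[d] = (new[d] + c) % Q
            new[d + 1] = (new[d + 1] - c * inv) % Q
        coeffs = new
    return coeffs


def evaluate(coeffs, x):
    """p(x) mod Q: a linear combination of the committed coefficients a_d."""
    return sum(c * pow(x, d, Q) for d, c in enumerate(coeffs)) % Q


def elimination_vector(coeffs, n):
    """s = (p(1), ..., p(n)); s_i = 0 exactly at the eliminated indices."""
    return [evaluate(coeffs, i) for i in range(1, n + 1)]


def build_witness_vector(n, k, known, logs):
    """y = (a_0, ..., a_{n-k}, z_1, ..., z_n) with z_i = s_i * x_i.

    z_i is the discrete logarithm of Q_i = P_i^{s_i}: s_i * x_i for i in S,
    and 0 for i not in S, where s_i = 0 and no knowledge of x_i is needed.
    """
    coeffs = secret_sharing_polynomial(n, k, known)
    s = elimination_vector(coeffs, n)
    z = [(s[i - 1] * logs[i]) % Q if i in known else 0 for i in range(1, n + 1)]
    return coeffs + z


def homomorphism(i, n, k, public, y):
    """f_i(y) = P_i^{p(i)} * G^{-z_i}: a group homomorphism Z_Q^{2n-k+1} -> G.

    It equals the identity exactly when G^{z_i} = P_i^{p(i)} = Q_i.
    """
    coeffs, z = y[: n - k + 1], y[n - k + 1 :]
    p_i = evaluate(coeffs, i)
    return (pow(public[i], p_i, P) * pow(G, (-z[i - 1]) % Q, P)) % P


def all_relations_hold(n, k, public, y):
    """Verifier-side check; the real protocol proves this via compression."""
    return all(homomorphism(i, n, k, public, y) == 1 for i in range(1, n + 1))


def count_zeros(coeffs, n):
    """Number of eliminated indices; must be at most n - k."""
    return sum(1 for s_i in elimination_vector(coeffs, n) if s_i == 0)


def demo():
    """Constructed instance: n = 5, the prover knows the logs of P_2 and P_5."""
    n, k = 5, 2
    known = {2, 5}
    logs = {2: 123, 5: 777}                        # prover's secret x_i
    public = {i: pow(G, logs[i], P) for i in known}
    # The other P_i come from a third party; the prover never sees these
    # exponents and works only with the group elements.
    third_party_exponents = {1: 31, 3: 41, 4: 59}
    public.update({i: pow(G, e, P) for i, e in third_party_exponents.items()})

    y = build_witness_vector(n, k, known, logs)
    coeffs = y[: n - k + 1]
    return {
        "p_at_zero": evaluate(coeffs, 0),           # 1
        "zeros": count_zeros(coeffs, n),            # n - k = 3
        "ok": all_relations_hold(n, k, public, y),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The zero-count bound is where the soundness of the reduction lives: a vector y that passes all n checks fixes a nonzero polynomial of degree at most n-k, which vanishes at no more than n-k indices, so at the remaining k indices the check forces G^{z_i} = P_i^{p(i)} with p(i) ≠ 0 and z_i / p(i) is a discrete logarithm of P_i.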