Hello, my name is Thomas Attema, and I will be presenting our work on compressed sigma-protocols for bilinear group arithmetic circuits, with an application to threshold signature schemes. This is joint work with my co-authors Ronald Cramer and Matthieu Rambaud.

So let me introduce the setting of this work, general constraint zero-knowledge. Our goal is to construct a protocol for proving knowledge of a commitment opening x such that f(x) = 0 for some arbitrary constraint function f. And we want to do this in zero-knowledge, hence the protocol execution should not reveal any additional information besides the veracity of the claim. And in general, our goal is to minimize the communication complexity of these protocols. Typically these functions f, these constraints f, are captured or expressed by an arithmetic circuit. Hence the computation model is the arithmetic circuit model. However, sometimes another circuit model is more natural.

So let us dive into this computation model a bit more. Arithmetic circuits are defined over a finite field. That means that all the input values, output values, and also the intermediate values are finite field elements. Moreover, the elementary operations, so the gates in such a circuit, are either addition or multiplication gates. Arithmetic circuits capture a very broad class of functions, since every computable function can be expressed as an arithmetic circuit. An alternative computation model is that of bilinear group arithmetic circuits. These are not defined over a finite field, but over a bilinear group. A bilinear group consists of a prime q and three groups, G1, G2 and GT, of order q. Moreover, these groups are connected by a pairing, mapping the product of G1 and G2 to GT. So this pairing is a bilinear map.
All the wire values, so all the input values, output values and intermediate values in such a bilinear group arithmetic circuit, are elements either of the finite field Z_q or of one of the three groups. So we can have different types of wire elements. Also, there is a much broader class of gates present in bilinear group arithmetic circuits. So we can have, of course, the typical arithmetic operations, addition and multiplication gates between field elements, but we can also have, for example, exponentiation gates, taking as input a group element and a field element, and we can have pairing gates. So there is a much broader class of gates present in this computation model.

There is a very strong connection between these two computation models. Clearly, every arithmetic circuit is also a bilinear group arithmetic circuit. But also, every bilinear group arithmetic circuit can be expressed as an arithmetic circuit, since we know that every computable function can be expressed as an arithmetic circuit. However, this requires all the wire values, so all the group elements in the bilinear group arithmetic circuit, to be represented as vectors of field elements, because all the wire values in arithmetic circuits are field elements. Moreover, the exponentiation and pairing gates in the bilinear group arithmetic circuit have to be expressed in terms of arithmetic operations, so additions and multiplications of field elements. This means that reducing a bilinear circuit to an arithmetic circuit may increase its size significantly. So, for example, a single group element may have to be represented by a long list of field elements, and a single pairing gate may involve the evaluation of many arithmetic operations. Also, these reductions are different for different bilinear groups, so there is not one canonical approach to reduce a bilinear circuit to an arithmetic circuit. We do note that this blow-up is a constant factor.
This means that the asymptotic complexities of the zero-knowledge proof systems are preserved. So for example, if we have a zero-knowledge proof system for arithmetic circuit relations with logarithmic communication complexity, then via this reduction we also have a zero-knowledge proof system with the same asymptotic communication complexity for bilinear group arithmetic circuits. However, this constant can be very large, significantly influencing the concrete efficiency of the protocols. So, for example, if we take a single group exponentiation in a very optimized group of size approximately 2^256, then we already see that this requires about 800 field operations, so field multiplications. So there we can see that this blow-up can be quite large, influencing the concrete efficiency of the zero-knowledge proofs.

For this reason, we develop a direct approach for communication-efficient zero-knowledge proof systems for bilinear group arithmetic circuits. So our approach avoids this reduction from bilinear group arithmetic circuits to arithmetic circuits, which gives us conceptual simplicity and also an improved concrete efficiency by avoiding the blow-up associated with the reduction. And as an application of our work, we construct the first transparent and succinct threshold signature scheme.

There are many zero-knowledge proof systems for general constraints captured by arithmetic circuits, but we will be focusing on ones with logarithmic communication complexity. The first one of interest to us is the Bulletproofs framework. At the core of Bulletproofs is a recursive proof of knowledge for certain quadratic relations, certain inner product relations. And Bulletproofs were actually presented as a replacement for the well-established sigma-protocol theory, improving the communication complexity from linear down to logarithmic when compared to these sigma-protocols.
Then in 2020, compressed sigma-protocol theory was introduced as a reconciliation of Bulletproofs and sigma-protocols. We will be following this compressed sigma-protocol framework. So if we now look at zero-knowledge proof systems for bilinear group arithmetic circuits, so directly without involving this reduction to arithmetic circuits, then we have an approach introduced in 2019 by Lai et al. This is actually a generalization of Bulletproofs. So Bulletproofs is a zero-knowledge proof system in the arithmetic circuit computation model, and Lai et al. generalized this computation model to the bilinear group arithmetic circuit model. It is a direct approach, so it does not require a reduction to arithmetic circuits. However, it is only applicable to a certain subclass of bilinear group arithmetic circuits.

So our direct approach for constructing a zero-knowledge proof system for bilinear group arithmetic circuits is to generalize compressed sigma-protocols. So we generalize the computation model from arithmetic circuits to these bilinear circuits. And compared to this other direct approach by Lai et al., we achieve conceptual simplicity. So instead of a quadratic basic building block, we have a linear basic building block. Moreover, our approach works for arbitrary bilinear group arithmetic circuits. So we do not have to restrict ourselves to a certain subclass of bilinear group arithmetic circuits. And also we improve the communication efficiency by roughly a factor of three.

Since we will be generalizing compressed sigma-protocol theory, let us take a closer look at it. The high-level paradigm of this theory is to solve linear instances first and then linearize the nonlinear ones. This is a very natural problem-solving strategy in mathematics. So the starting point is a natural sigma-protocol for linear constraints.
So here we see such a protocol that allows you to, for example, prove that you know the secret opening x to some commitment, such that it satisfies a certain linear constraint. The communication complexity of this sigma-protocol is linear in the dimension of the secret input vector x. And it is also known how to use this protocol to get general constraint zero-knowledge with communication complexity that is linear in the size of the circuit C. So then an observation that was made in that work is that the Bulletproofs proof of knowledge can be adapted to form a compression mechanism for these sigma-protocols. So basically the adaptation of Bulletproofs that was introduced at CRYPTO 2020 allows you to reduce the linear communication complexity of this basic sigma-protocol down to logarithmic. Together this gives you a compressed sigma-protocol for proving that a committed value satisfies a linear constraint with only a logarithmic communication complexity.

This shows how to handle linear constraints. To handle nonlinear ones, compressed sigma-protocol theory shows how to apply an arithmetic secret-sharing-based linearization strategy. After the linearization, the compressed sigma-protocols described before can be applied in a black-box manner. Together this results in a zero-knowledge proof system for arbitrary constraints with communication complexity logarithmic in the size of the arithmetic circuit C.

Compressed sigma-protocol theory has been instantiated from a variety of cryptographic hardness assumptions. So for example, to get logarithmic communication complexity it can be instantiated from the discrete logarithm or the strong RSA assumption. If you instantiate it from the knowledge-of-exponent assumption, then you get even constant communication complexity, and you can also instantiate it from a lattice-based assumption, the ring-SIS assumption, to get polylogarithmic communication complexity.
However, the computation model that is considered in compressed sigma-protocol theory is the arithmetic circuit model. That means that all the constraints, linear ones and nonlinear ones, should be expressed in terms of an arithmetic circuit C. And this is precisely what we want to generalize. We want to allow the constraints f(x) = 0 to be expressible also by bilinear circuits.

So let us proceed with this generalization. To do this we first make the following observation, namely that the compressed sigma-protocols for linear constraints can also be viewed as proving knowledge of the pre-image of a specific homomorphism, a homomorphism of the following form, mapping n-dimensional vectors of group elements to another group element. The communication costs of these compressed sigma-protocols then contain a logarithmic number of H elements, so a logarithmic number of target-group elements. So if we look at the compressed sigma-protocols for arithmetic circuit relations, we see that this homomorphism psi takes the following form. It is basically the concatenation of a commitment scheme and a linear form L. And if you prove knowledge of a pre-image for this homomorphism psi, then you are basically proving knowledge of a commitment opening x that satisfies a certain linear constraint. So that is exactly the functionality that we are aiming for. Note here that because we consider the arithmetic circuit model, the only thing that we need to commit to are vectors of field elements.

For compressed sigma-protocol theory it is crucial that this commitment scheme is homomorphic, which is often satisfied by commitment schemes, and that it is compact. So the size of a single commitment should not depend on the dimension of the committed vector x. If we do not have this compactness property, then we cannot hope to achieve a logarithmic communication complexity.
So with this observation in mind, we see that all that we actually need to generalize all of this to the bilinear circuit model is a homomorphic and compact commitment scheme for vectors whose coefficients are not only field elements but can also be group elements, so for these bilinear group vectors.

Let us now proceed in finding this homomorphic and compact commitment scheme for bilinear group vectors. Recall that we have this bilinear group with a pairing e mapping the product of G1 and G2 to GT. The starting point of this commitment scheme is a pairing-based generalization of the Pedersen commitment scheme. Recall that the Pedersen commitment scheme allows you to commit to a single field element, and this generalization allows you to commit to the combination of a field element x and a group element y. So the commitment function is described over here, and you can see that the first part of this commitment function is exactly the Pedersen commitment scheme, and it is just appended with a pairing operation allowing you to commit also to a group element y. We know that the Pedersen commitment scheme can be extended to allow a prover to commit to large vectors of field elements rather than single field elements. Similarly, this commitment scheme can also be extended to allow a prover to commit to large vectors with coefficients in the field Z_q or in the group G1. This extended commitment scheme is homomorphic and also it is compact. A commitment is namely always one GT element, hence the size of a commitment is independent of the dimension of the committed vector, or the dimensions I should say, n0 and n1. Moreover, this commitment scheme can also be extended to allow a prover to commit to vectors that contain not only coefficients in Z_q and G1 but also coefficients in G2. We have to be a little bit careful to preserve the binding property.
More precisely, what we see is that the commitment scheme is still compact; however, a commitment will be two GT elements instead of one, and this is to preserve the binding property of the commitment scheme. The homomorphic property is automatically preserved. The generalized commitment scheme already gives you compressed sigma-protocols for proving linear relations about committed vectors with coefficients in Z_q, G1 and G2. However, we have not shown how to handle GT coefficients or how to handle nonlinear relations.

So, the pairing-based generalization of the Pedersen vector commitment scheme does not allow a prover to commit to GT coefficients. For this reason we apply an ElGamal-based commitment scheme. This commitment scheme allows a prover to also commit to the GT coefficients in these bilinear group vectors. We see here, however, that this ElGamal-based commitment scheme has commitments of size linear in the dimension nT of the committed vector. So this commitment scheme is not compact; however, it is homomorphic, and we can combine it with the previous commitment scheme to get a commitment scheme for bilinear group vectors with coefficients in Z_q, G1, G2 and GT. Note, however, that the commitment size is linear in nT, so this commitment scheme is only partially compact. It is compact in the dimensions n0, n1 and n2, but it is not compact in the dimension nT.

Altogether this gives us a compressed sigma-protocol for bilinear group vectors. The communication costs of this compressed sigma-protocol are logarithmic in n0, n1 and n2, because the commitment scheme is compact in those dimensions; however, the communication costs are linear in nT. So far we have seen how to handle linear relations defined over a bilinear group. In compressed sigma-protocol theory it is shown how to handle nonlinear arithmetic circuit relations by an arithmetic secret-sharing-based linearization strategy.
And if we look at these arithmetic circuits, there is only one type of nonlinearity present in these circuits, namely the multiplication gates. If we now look at bilinear group arithmetic circuits, then there are different nonlinear gates present, or they can be present, in these bilinear group arithmetic circuits. We can still have these field multiplications, but we can also have group exponentiation or pairing gates, and all these types of nonlinear gates have to be linearized in one way or another. To this end we make the following observation, namely that all these nonlinear gates are actually bilinear mappings, and it turns out that this bilinearity is precisely the property that we need for the linearization techniques of AC20 to work. That means that the linearization techniques are generalizable to bilinear gates.

Altogether this gives us a compressed sigma-protocol theory for vectors with coefficients in Z_q, G1, G2 and GT satisfying arbitrary, so not necessarily linear, constraints defined over bilinear group arithmetic circuits. The communication costs of these compressed sigma-protocols are logarithmic in n0, n1 and n2, and also logarithmic in the number of nonlinear gates with Z_q, G1 or G2 outputs. However, the communication costs are linear in nT and also linear in the number of nonlinear gates with GT outputs. These linear communication costs are due to the fact that the commitment scheme that we are using is not compact in the GT part of the committed vector.

As an application of our zero-knowledge proof system for constraints defined over a bilinear group, we construct a threshold signature scheme. So the main functionality of this threshold signature scheme is that a valid threshold signature can only be created by a subset of at least k out of n players. A trivial approach is to ask these k individual players to exhibit their individual signatures.
However, this means that a threshold signature has a size linear in k, because a threshold signature contains k individual signatures. And also the threshold signature reveals the identities of the k signers. There is also another very common approach, which is basically to secret-share the private key of a standard signature scheme. This results in threshold signatures with size constant in k and n. So basically a threshold signature is just one individual signature. However, a trusted setup is required in which the private key is secret-shared amongst the n players. This approach does hide the identities of the k signers.

We follow a very different approach. Instead of exhibiting one or multiple individual signatures, our threshold signature is a zero-knowledge proof of knowledge of k out of n signatures. The ingredients of our approach are, first, the BLS signature scheme. This is a signature scheme defined over a bilinear group with a very small bilinear group verification circuit. So this matches very well with our compressed sigma-protocols for bilinear group arithmetic relations. We also need the proof of partial knowledge to get the k-out-of-n threshold functionality. This was recently introduced in ACF21. And then finally we combine everything with our compressed sigma-protocols for bilinear group arithmetic circuits. This approach results in some nice properties. First, the size of the threshold signatures is logarithmic in n. We do not require a trusted setup. And also our threshold signature hides the identities of the k signers.

In conclusion, we have generalized compressed sigma-protocol theory to the bilinear group arithmetic circuit computation model. Our approach does not require a reduction to arithmetic circuits. The communication complexity of our protocols is logarithmic in the Z_q, G1 and G2 parts and linear in the GT part of the bilinear group arithmetic circuits.
We realize roughly a factor 3 improvement in the communication costs over prior work. And as an application of these zero-knowledge proof systems, we construct a transparent and logarithmic-size threshold signature scheme. Thanks for your attention. We are happy to answer your questions during the live session on the 10th of December.
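The talk describes the compression mechanism only at a high level: a plain sigma-protocol for a linear form, followed by Bulletproof-style folding that brings the communication from linear to logarithmic in the dimension of x. The following is an added, runnable illustration of exactly that step over a Pedersen vector commitment; it is example code written for this transcript, not the authors' implementation. Its assumptions: a toy prime-order subgroup of Z_p^* with a ~64-bit safe prime (insecure, for illustration only), hash-to-group generators as the transparent setup, SHA-256 Fiat-Shamir challenges in place of an interactive verifier, and the function names prove, verify and proof_size, which are the example's own.

```python
"""Toy compressed sigma-protocol for a linear form over a Pedersen vector commitment.
Structure follows AC20 (sigma-protocol first, then halving the witness log2(n) times).
Toy group: order-q subgroup of Z_p^*, p = 2q + 1 a ~64-bit safe prime. NOT secure."""
import hashlib
import secrets

# Deterministic Miller-Rabin bases; exact for every n below 3.3e24, so exact here.
_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def _is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(bits):
    # smallest odd q >= 2^(bits-1) with q and 2q+1 both prime (deterministic, no RNG)
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


PRIME_P, ORDER_Q = _find_safe_prime(64)  # toy parameters (assumption of this example)
GEN_H = 4                                # 2^2 is a quadratic residue, hence of order q


def derive_generators(n):
    """Transparent setup: hash into the order-q subgroup by squaring, so the
    discrete logs between the g_i are unknown to everyone (constructed labels)."""
    gens = []
    for i in range(n):
        v = int.from_bytes(hashlib.sha256(b"generator:%d" % i).digest(), "big") % PRIME_P
        gens.append(pow(v, 2, PRIME_P))
    return gens


def commit(gens, x):
    """Pedersen vector commitment prod g_i^{x_i}: one group element, compact and homomorphic."""
    acc = 1
    for g, xi in zip(gens, x):
        acc = acc * pow(g, xi % ORDER_Q, PRIME_P) % PRIME_P
    return acc


def inner(a, x):
    """Linear form L(x) = <a, x> over Z_q."""
    return sum(ai * xi for ai, xi in zip(a, x)) % ORDER_Q


def _challenge(transcript):
    # Fiat-Shamir: challenge in [1, q-1] derived from everything sent so far
    h = hashlib.sha256(",".join(map(str, transcript)).encode()).digest()
    return 1 + int.from_bytes(h, "big") % (ORDER_Q - 1)


def prove(gens, a, x):
    """Prove knowledge of x with commit(gens, x) = com and <a, x> = y."""
    n = len(x)
    assert n == len(gens) == len(a) and n & (n - 1) == 0, "n must be a power of two"
    com, y = commit(gens, x), inner(a, x)
    transcript = [com, y]
    # Step 1: plain sigma-protocol. The random mask r is what gives zero knowledge.
    r = [secrets.randbelow(ORDER_Q) for _ in range(n)]
    mask_com, mask_y = commit(gens, r), inner(a, r)
    transcript += [mask_com, mask_y]
    c0 = _challenge(transcript)
    z = [(ri + c0 * xi) % ORDER_Q for ri, xi in zip(r, x)]
    # Step 2: instead of sending z (n field elements), halve it log2(n) times.
    # Each round costs 2 group + 2 field elements; generators and a fold the same way.
    folds, g_cur, a_cur = [], list(gens), list(a)
    while len(z) > 1:
        h = len(z) // 2
        zL, zR, gL, gR, aL, aR = z[:h], z[h:], g_cur[:h], g_cur[h:], a_cur[:h], a_cur[h:]
        cross = (commit(gR, zL), inner(aR, zL), commit(gL, zR), inner(aL, zR))
        transcript += list(cross)
        folds.append(cross)
        c = _challenge(transcript)
        z = [(zl + c * zr) % ORDER_Q for zl, zr in zip(zL, zR)]
        g_cur = [pow(gl, c, PRIME_P) * gr % PRIME_P for gl, gr in zip(gL, gR)]
        a_cur = [(c * al + ar) % ORDER_Q for al, ar in zip(aL, aR)]
    return {"mask_com": mask_com, "mask_y": mask_y, "folds": folds, "z": z[0]}


def verify(gens, a, com, y, proof):
    """Recompute the challenges, fold the instance, check one final equation."""
    transcript = [com, y, proof["mask_com"], proof["mask_y"]]
    c0 = _challenge(transcript)
    cur_com = proof["mask_com"] * pow(com, c0, PRIME_P) % PRIME_P  # equals g^z
    cur_y = (proof["mask_y"] + c0 * y) % ORDER_Q                   # equals <a, z>
    g_cur, a_cur = list(gens), list(a)
    for A, av, B, bv in proof["folds"]:
        transcript += [A, av, B, bv]
        c = _challenge(transcript)
        h = len(g_cur) // 2
        if h == 0:
            return False
        # folding identities: g'^{z'} = A * P^c * B^{c^2} and L'(z') = a + c*y + c^2*b
        cur_com = A * pow(cur_com, c, PRIME_P) % PRIME_P * pow(B, c * c, PRIME_P) % PRIME_P
        cur_y = (av + c * cur_y + c * c * bv) % ORDER_Q
        g_cur = [pow(gl, c, PRIME_P) * gr % PRIME_P for gl, gr in zip(g_cur[:h], g_cur[h:])]
        a_cur = [(c * al + ar) % ORDER_Q for al, ar in zip(a_cur[:h], a_cur[h:])]
    if len(g_cur) != 1:
        return False
    z = proof["z"] % ORDER_Q
    return pow(g_cur[0], z, PRIME_P) == cur_com and a_cur[0] * z % ORDER_Q == cur_y


def proof_size(proof):
    """(group elements, field elements) sent: 1 + 2*log2(n) and 2 + 2*log2(n)."""
    k = len(proof["folds"])
    return 1 + 2 * k, 2 + 2 * k


if __name__ == "__main__":
    for n in (4, 16, 64):
        gens = derive_generators(n)
        x = [secrets.randbelow(ORDER_Q) for _ in range(n)]
        a = list(range(1, n + 1))
        prf = prove(gens, a, x)
        print(n, verify(gens, a, commit(gens, x), inner(a, x), prf), proof_size(prf))
```

The verifier folds the generators as g' = g_L^c * g_R and the linear form as L' = c*L_L + L_R, so the prover's folded z' = z_L + c*z_R satisfies the two identities in the comments; after log2(n) rounds a single field element closes the proof. What the talk generalizes is the commitment step only: the folding above never looks inside commit, so replacing the Pedersen commitment by a homomorphic, compact commitment for vectors with group-element coordinates is what carries this mechanism to bilinear group arithmetic circuits.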