CryptoDB
Roberto Parisella
Publications and invited talks
Year
Venue
Title
2025
CRYPTO
On Knowledge-Soundness of Plonk in ROM from Falsifiable Assumptions
Abstract
Lipmaa, Parisella, and Siim [Eurocrypt, 2024] proved the extractability of the KZG polynomial commitment scheme under the falsifiable assumption ARSDH. They also proved that variants of fully optimized zk-SNARKs like Plonk can be made knowledge-sound in the random oracle model (ROM) under the ARSDH assumption. However, they did not consider various batching optimizations, resulting in their variant of Plonk having approximately $3.5$ times longer argument. Our contributions are: (1) We prove that several batch-opening protocols for KZG, used in modern zk-SNARKs, have computational special soundness under the ARSDH assumption. (2) We prove that interactive Plonk has computational special soundness under the ARSDH assumption and a new falsifiable assumption SplitRSDH. We also prove that two minor modifications of the interactive Plonk have computational special soundness under only the ARSDH and a simpler variant of SplitRSDH. The Fiat-Shamir transform can be applied to obtain non-interactive versions, which are secure in the ROM under the same assumptions. We define a new type-safe oracle framework of the AGMOS (AGM with oblivious sampling) and prove SplitRSDH is secure in it.
2024
EUROCRYPT
Constant-Size zk-SNARKs in ROM from Falsifiable Assumptions
Abstract
We prove that the seminal KZG polynomial commitment scheme (PCS) is black-box extractable under a simple falsifiable assumption ARSDH. To create an interactive argument, we construct a compiler that combines a black-box extractable non-interactive PCS and a polynomial IOP (PIOP). The compiler incurs a minor cost per every committed polynomial. Applying the Fiat-Shamir transformation, we obtain slightly less efficient variants of well-known PIOP-based zk-SNARKs, such as Plonk, that are knowledge-sound in the ROM under the ARSDH assumption. Importantly, there is no need for idealized group models or knowledge assumptions. This results in the first known zk-SNARKs in the ROM from falsifiable assumptions with both an efficient prover and constant-size argument.
2023
TCC
Algebraic Group Model with Oblivious Sampling
Abstract
In the algebraic group model (AGM), an adversary has to return with each group element a linear representation with respect to input group elements. In many groups, it is easy to sample group elements obliviously without knowing such linear representations. Since the AGM does not model this, it can be used to prove the security of spurious knowledge assumptions. We propose AGM with oblivious sampling (AGMOS), a variant of the AGM where the adversary has additional access to an oracle that allows sampling group elements obliviously from some distribution. We separate AGM and AGMOS by classifying the family of ``total knowledge-of-exponent'' assumptions, showing that while they are all secure in the AGM (even insecure ones), most are not secure in the AGMOS if the DL holds. We show that many known AGM reductions go through also in the AGMOS, assuming a novel falsifiable assumption $\TOFR$. We prove that $\TOFR$ is secure in a version of GGM with oblivious sampling.
2021
ASIACRYPT
Efficient NIZKs for Algebraic Sets
📺
Abstract
Significantly extending the framework of (Couteau and Hartmann, Crypto 2020), we propose a general methodology to construct NIZKs for showing that an encrypted vector $\vec{\chi}$ belongs to an algebraic set, i.e., is in the zero locus of an ideal $\mathscr{I}$ of a polynomial ring. In the case where $\mathscr{I}$ is principal, i.e., generated by a single polynomial $F$, we first construct a matrix that is a ``quasideterminantal representation'' of $F$ and then a NIZK argument to show that $F (\vec{\chi}) = 0$. This leads to compact NIZKs for general computational structures, such as polynomial-size algebraic branching programs. We extend the framework to the case where $\IDEAL$ is non-principal, obtaining efficient NIZKs for R1CS, arithmetic constraint satisfaction systems, and thus for $\mathsf{NP}$. As an independent result, we explicitly describe the corresponding language of ciphertexts as an algebraic language, with smaller parameters than in previous constructions that were based on the disjunction of algebraic languages. This results in an efficient GL-SPHF for algebraic branching programs.
Coauthors
- Geoffroy Couteau (1)
- Helger Lipmaa (4)
- Arne Tobias Ødegaard (1)
- Roberto Parisella (4)
- Janno Siim (3)