A monotone policy batch \(\textsf{NP} \) language \(\mathcal {L}_{\mathcal {R}, P}\) is parameterized by a monotone policy \(P :\{0,1\}^k \rightarrow \{0,1\}\) and an \(\textsf{NP} \) relation \(\mathcal {R}\). A statement \((x_1, \ldots , x_k)\) is a yes instance if there exists \(w_1, \ldots , w_k\) where \(P(\mathcal {R}(x_1, w_1), \ldots , \mathcal {R}(x_k, w_k)) = 1\). For example, we might say that an instance \((x_1, \ldots , x_k)\) is a yes instance if a majority of the statements are true. A monotone policy batch argument (BARG) for \(\textsf{NP} \) allows a prover to prove that \((x_1, \ldots , x_k) \in \mathcal {L}_{\mathcal {R}, P}\) with a proof of size \(\textsf{poly}(\lambda , |\mathcal {R}|, \log k)\), where \(\lambda \) is the security parameter, \(|\mathcal {R}|\) is the size of the Boolean circuit that computes \(\mathcal {R}\), and k is the number of instances. Recently, Brakerski, Brodsky, Kalai, Lombardi, and Paneth (CRYPTO 2023) gave the first monotone policy BARG for \(\textsf{NP} \) from the learning with errors (LWE) assumption.
In this work, we describe a generic approach for constructing monotone policy BARGs from any BARG for \(\textsf{NP} \) together with an additively homomorphic encryption scheme. This yields the first constructions of monotone policy BARGs from the k-\(\textsf{Lin}\) assumption in prime-order pairing groups as well as the (subexponential) DDH assumption in pairing-free groups. Central to our construction is a notion of a zero-fixing hash function, which is a relaxed version of a predicate-extractable hash function from the work of Brakerski et al. Our relaxation enables a direct realization of zero-fixing hash functions from BARGs for \(\textsf{NP} \) and additively homomorphic encryption, whereas the previous notion relied on leveled homomorphic encryption, and by extension, the LWE assumption.
As an application, we also show how to combine a monotone policy BARG with a puncturable signature scheme to obtain a monotone policy aggregate signature scheme. Our work yields the first (statically-secure) monotone policy aggregate signatures that supports general monotone Boolean circuits from standard pairing-based assumptions. Previously, this was only known from LWE.
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
With a suitable strengthening of the notion of predicate-extractable hash functions, the authors of [BBK+23] also show how to obtain a somewhere extractable monotone policy BARG. In this work, we focus on achieving the core notion of non-adaptive soundness.
This step is straightforward if we had a predicate-extractable hash function where the extractor outputs a mismatching index. Namely, if the upper layer digest is \(\textsf{NotMatching}\), then the extractor outputs an index \(j \in J_{i + 1}\) that is mismatching (i.e., cannot be opened to a 0). This means the efficient adversary can only open wire j to the value 1. Now, if the BARG is extracting on the statement associated with wire j, then we either (1) obtain the opening of some index \(j' \in J_{i}\) to a 1, which breaks security of the hash function (since the lower layer digest is \(\textsf{Matching}\)); or (2) the value of wire j is inconsistent with the input wires associated with the gate computing wire j, which breaks security of the BARG.
This type of property where the output of the extractor does not change for different choices of the CRS is often referred to as a “no-signaling” extraction property [PR17, KPY19, GZ21, KVZ21, CJJ21b].
Otherwise, an honest digest on the input that is 1 at index i (and 0 everywhere else) would be declared \(\textsf{Matching}\) if the hash key was zero-fixing on a set S that contains i and \(\textsf{NotMatching}\) if the hash key was zero-fixing on the set \(S \setminus \left\{ i \right\} \).
In the static security model, we require that the adversary declare the set of corrupted verification keys, its challenge message, and the aggregation policy at the beginning of the security game.