Improved Straighline Extraction in the ROM with Applications to Signature Aggregation

@misc{KS22,
 title = {Improved Straightline Extraction in the Random Oracle Model with Applications to Signature Aggregation},
 author = {Yash Kondi and abhi shelat},
 howpublished = {To appear, Asiacrypt'22},
 year = {2022},
}

eprint 2022/393

The goal of this paper is to improve the efficiency and applicability of straightline extraction techniques in the random oracle model. Straightline extraction in the random oracle model refers to the existence of an extractor, which given the random oracle queries made by a prover $P_∗(x)$ on some theorem $x$, is able to produce a witness $w$ for $x$ with roughly the same probability that $P_∗$ produces a verifying proof. This notion applies to both zero-knowledge protocols and verifiable computation where the goal is compressing a proof.

Pass (CRYPTO ’03) first showed how to achieve this property for NP using a cut-and-choose technique which incurred a $\lambda^2$-bit overhead in communication where $\lambda$ is a security parameter. Fischlin (CRYPTO ’05) presented a more efficient technique based on “proofs of work” that sheds this $\lambda^2$ cost, but only applies to a limited class of Sigma Protocols with a “quasi-unique response” property, which for example, does not necessarily include the standard OR composition for Sigma protocols.

With Schnorr/EdDSA signature aggregation as a motivating application, we develop new techniques to improve the computation cost of straight-line extractable proofs. Our improvements to the state of the art range from 70×–200× for the best compression parameters. This is due to a uniquely suited polynomial evaluation algorithm, and the insight that a proof-of-work that relies on multicollisions and the birthday paradox is faster to solve than inverting a fixed target.

Our collision based proof-of-work more generally improves the Prover’s random oracle query complexity when applied in the NIZK setting as well. In addition to reducing the query complexity of Fischlin’s Prover, for a special class of Sigma protocols we can for the first time closely match a new lower bound we present.

Finally we extend Fischlin’s technique so that it applies to a more general class of strongly-sound Sigma protocols, which includes the OR composition. We achieve this by carefully randomizing Fischlin’s technique—we show that its current deterministic nature prevents its application to certain multi-witness languages.