WIKINDX Resources

Campanelli, M., Hall-Andersen, M., & Kamp, S. H. 2022. Curve trees: Practical and transparent zero-knowledge accumulators. [Cryptology ePrint Archive, Paper 2022/756]. 
Added by: Rucknium (2022-12-29 16:38)   Last edited by: Rucknium (2022-12-29 16:41)
Resource type: Miscellaneous
BibTeX citation key: Campanelli2022
View all bibliographic details
Categories: Not Monero-focused
Creators: Campanelli, Hall-Andersen, Kamp
Views: 22/160
Attachments   756.pdf [11/71] URLs
In this work we improve upon the state of the art for practical \textit{zero-knowledge for set membership}, a building block at the core of several privacy-aware applications, such as anonymous payments, credentials and whitelists. This primitive allows a user to show knowledge of an element in a large set without leaking the specific element. One of the obstacles to its deployment is efficiency. Concretely efficient solutions exist, e.g., those deployed in Zcash Sapling, but they often work at the price of a strong trust assumption: an underlying setup that must be generated by a trusted third party.

To find alternative approaches we focus on a common building block: accumulators, a cryptographic data structure which compresses the underlying set. We propose novel, more efficient and fully transparent constructions (i.e., without a trusted setup) for accumulators supporting zero-knowledge proofs for set membership. Technically, we introduce new approaches inspired by ``commit-and-prove'' techniques to combine shallow Merkle trees and 2-cycles of elliptic curves into a highly practical construction. Our basic accumulator construction---dubbed \emph{Curve Trees}---is completely transparent (does not require a trusted setup) and is based on simple and widely used assumptions (DLOG and Random Oracle Model). Ours is the first fully transparent construction that obtains concretely small proof/commitment sizes for large sets and a proving time one order of magnitude smaller than proofs over Merkle Trees with Pedersen hash. For a concrete instantiation targeting 128 bits of security we obtain: a commitment to a set of \textit{any} size is 256 bits; for a zero-knowledge membership proof is 3KB, its proving takes s and its verification ms on an ordinary laptop.

Using our construction as a building block we can design a simple and concretely efficient anonymous cryptocurrency with full anonymity set, which we dub cash. Its transactions can be verified in ms or ms when batch-verifying multiple () transactions; transaction sizes are KB. Our timings are competitive with those of the approach in Zcash Sapling and trade slightly larger proofs (transactions in Zcash Sapling are 2.8KB) for a completely transparent setup.

WIKINDX 6.5.0 | Total resources: 161 | Username: -- | Bibliography: WIKINDX Master Bibliography | Style: American Psychological Association (APA)