Skip to main content
SpringerLink
Log in

Time- and Space-Efficient Arguments from Groups of Unknown Order

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12828))

Included in the following conference series:

Abstract

We construct public-coin time- and space-efficient zero-knowledge arguments for \(\mathbf {NP} \). For every time T and space S non-deterministic RAM computation, the prover runs in time \(T \cdot {{\,\mathrm{polylog}\,}}(T)\) and space \(S \cdot {{\,\mathrm{polylog}\,}}(T)\), and the verifier runs in time \(n \cdot {{\,\mathrm{polylog}\,}}(T)\), where n is the input length. Our protocol relies on hidden order groups, which can be instantiated with a trusted setup from the hardness of factoring (products of safe primes), or without a trusted setup using class groups. The argument-system can heuristically be made non-interactive using the Fiat-Shamir transform.

Our proof builds on DARK (Bünz et al., Eurocrypt 2020), a recent succinct and efficiently verifiable polynomial commitment scheme. We show how to implement a variant of DARK in a time- and space-efficient way. Along the way we:

  1. 1.

    Identify a significant gap in the proof of security of DARK.

  2. 2.

    Give a non-trivial modification of the DARK scheme that overcomes the aforementioned gap. The modified version also relies on significantly weaker cryptographic assumptions than those in the original DARK scheme. Our proof utilizes ideas from the theory of integer lattices in a novel way.

  3. 3.

    Generalize Pietrzak’s (ITCS 2019) proof of exponentiation (\(\mathsf {PoE}\)) protocol to work with general groups of unknown order (without relying on any cryptographic assumption).

In proving these results, we develop general-purpose techniques for working with (hidden order) groups, which may be of independent interest.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Public verifiability has emerged as a central requirement for proof-systems. In a nutshell it means that anyone who possesses the proof-string can verify its correctness (while possibly also requiring access to a common reference string). We mention that time- and space-efficient protocols that are either privately-verifiable or based on non-standard computational assumptions were previously known. See Sect. 1.2.

  2. 2.

    Recall that a multi-variate polynomial is multilinear if its degree in each variable is at most 1.

  3. 3.

    A polynomial \(\mathsf {IOP} \) is defined similarly to a (public-coin) interactive proof, except that in every round the prover is allowed to send the truth table of a large polynomial, and the verifier can query a few points from each polynomial. The notion was proposed concurrently in [21] and [24]. Essentially the same notion appears also in [38] (called Probabilistically Checkable Interactive Proof w.r.t. Encoded Provers therein).

  4. 4.

    We emphasize that we use lattice theory to show that our group based construction is secure. In particular all of our hardness assumptions are group based.

  5. 5.

    Since the order of \(\mathbb {G} \) is not known, one cannot simply compute \(2^T\) modulo the group order and then exponentiate.

  6. 6.

    It is worth mentioning that [21] also present a variant of their scheme for multi-variate polynomials. This variant is somewhat different from the one described here and is obtained via a reduction to the univariate case.

  7. 7.

    Computing this value directly by exponentiation takes time roughly \(N=2^n\) (using the standard repeated squaring trick) whereas we seek \({{\,\mathrm{poly}\,}}(n)\) time verification. Note that since the group’s order is not known, one cannot first compute \(q^{N/2}\) modulo the group order, and only then exponentiate.

  8. 8.

    Looking ahead, it actually makes more sense to choose \(\alpha \) from \(\{0,\dots ,2^{\lambda }-1\}\) where \(\lambda \) is a statistical security parameter (independent of the field size). We ignore this here and simply follow the presentation in [21].

  9. 9.

    We note that [21] only aim to show that the protocol is an argument of knowledge (and this is inherent to their approach). Jumping ahead we mention that the evaluation proof in our variant of DARK will actually be a proof of knowledge (i.e., extraction is guaranteed even wrt computationally unbounded provers).

  10. 10.

    This is not actually precise since there are many polynomials that are consistent with the \(c'_i\)’s and so the claim could be true wrt some of these polynomials. This is dealt with formally by showing knowledge soundness (i.e., constructing an extractor).

  11. 11.

    The group description includes a \({{\,\mathrm{poly}\,}}(\lambda )\) description of the identity element, and \({{\,\mathrm{poly}\,}}(\lambda )\) size circuits checking membership in the group, equality, performing the group operation and generating a random element in the group.

  12. 12.

    MA stands for Merlin-Arthur proofs [3] (differing from Arthur-Merlin proofs in that the prover (Merlin) sends the first message).

  13. 13.

    In particular, this definition implies there is a polynomial in n that bounds the length of any accepting transcript for V(x) when \(x \in \{0,1\}^n\).

  14. 14.

    This encoding is valid for sequences of arbitrary length, but we restrict to powers of two for convenience.

References

  1. Cash for RSA assumptions. https://rsa.cash/rsa-assumptions/

  2. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. Cryptology ePrint Archive, Report 2019/426 (2019). https://eprint.iacr.org/2019/426

  3. Babai, L., Moran, S.: Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes. JCSS 36(2), 254–276 (1988). https://doi.org/10.1016/0022-0000(88)90028-1. https://www.sciencedirect.com/science/article/pii/0022000088900281

  4. Ben-Or, M., et al.: Everything provable is provable in zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 37–56. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_4

    Chapter  Google Scholar 

  5. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: Chatzigiannakis, I., Kaklamanis, C., Marx, D., Sannella, D. (eds.) 45th International Colloquium on Automata, Languages, and Programming, ICALP 2018, Prague, Czech Republic, 9–13 July 2018. LIPIcs, vol. 107, pp. 14:1–14:17. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018). https://doi.org/10.4230/LIPIcs.ICALP.2018.14

  6. Ben-Sasson, E., Carmon, D., Ishai, Y., Kopparty, S., Saraf, S.: Proximity gaps for Reed-Solomon codes. In: FOCS (2020)

    Google Scholar 

  7. Ben-Sasson, E., Goldberg, L., Kopparty, S., Saraf, S.: DEEP-FRI: sampling outside the box improves soundness. Cryptology ePrint Archive, Report 2019/336 (2019). https://eprint.iacr.org/2019/336

  8. Ben-Sasson, E., Goldberg, L., Kopparty, S., Saraf, S.: DEEP-FRI: sampling outside the box improves soundness. In: Vidick, T. (ed.) ITCS (2020)

    Google Scholar 

  9. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proof-carrying data. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 111–120. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488623

  10. Bitansky, N., Chiesa, A.: Succinct arguments from multi-prover interactive proofs and their efficiency benefits. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 255–272. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_16

    Chapter  Google Scholar 

  11. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Public-coin zero-knowledge arguments with (almost) minimal time and space overheads. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 168–197. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_7

    Chapter  Google Scholar 

  12. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. Cryptology ePrint Archive, Report 2021/358 (2021). https://eprint.iacr.org/2021/358

  13. Blumberg, A.J., Thaler, J., Vu, V., Walfish, M.: Verifiable computation using multiple provers. Cryptology ePrint Archive, Report 2014/846 (2014). http://eprint.iacr.org/2014/846

  14. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25

    Chapter  Google Scholar 

  15. Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018). https://eprint.iacr.org/2018/712

  16. Boneh, D., Bünz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_20

    Chapter  Google Scholar 

  17. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    Chapter  MATH  Google Scholar 

  18. Bowe, S., Grigg, J., Hopwood, D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019). https://eprint.iacr.org/2019/1021

  19. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, May 2018. https://doi.org/10.1109/SP.2018.00020

  20. Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Recursive proof composition from accumulation schemes. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 1–18. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_1

    Chapter  Google Scholar 

  21. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

    Chapter  Google Scholar 

  22. Bünz, B., Fisch, B., Szepieniec, A.: Transparent snarks from DARK compilers. IACR Cryptology ePrint Archive 2019, 1229 (20200226:080105 (posted 26-Feb-2020 08:01:05 UTC)). https://eprint.iacr.org/2019/1229

  23. Bünz, B., Fisch, B., Szepieniec, A.: Personal Communication (2021)

    Google Scholar 

  24. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

    Chapter  Google Scholar 

  25. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

    Chapter  Google Scholar 

  26. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8

    Chapter  Google Scholar 

  27. Damgård, I., Koprowski, M.: Generic lower bounds for root extraction and signature schemes in general groups. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 256–271. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_17

    Chapter  MATH  Google Scholar 

  28. Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: SPARKs: succinct parallelizable arguments of knowledge. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 707–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_25

    Chapter  Google Scholar 

  29. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

    Chapter  Google Scholar 

  30. Goldreich, O.: Computational Complexity - A Conceptual Perspective. Cambridge University Press, New York (2008). https://doi.org/10.1017/CBO9780511804106

    Book  MATH  Google Scholar 

  31. Holmgren, J., Rothblum, R.: Delegating computations with (almost) minimal time and space overhead. In: Thorup, M. (ed.) 59th FOCS, pp. 124–135. IEEE Computer Society Press, October 2018. https://doi.org/10.1109/FOCS.2018.00021

  32. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

    Chapter  Google Scholar 

  33. Kattis, A., Panarin, K., Vlasov, A.: RedShift: transparent SNARKs from list polynomial commitment IOPs. Cryptology ePrint Archive, Report 2019/1400 (2019). https://eprint.iacr.org/2019/1400

  34. Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. Cryptology ePrint Archive, Report 2020/1274 (2020). https://eprint.iacr.org/2020/1274

  35. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003). https://doi.org/10.1007/s00145-002-0143-7

    Article  MathSciNet  MATH  Google Scholar 

  36. Papamanthou, C., Shi, E., Tamassia, R.: Signatures of correct computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 222–242. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_13

    Chapter  MATH  Google Scholar 

  37. Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.) ITCS 2019. LIPIcs, vol. 124, pp. 60:1–60:15, January 2019. https://doi.org/10.4230/LIPIcs.ITCS.2019.60

  38. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, pp. 49–62. ACM Press, June 2016. https://doi.org/10.1145/2897518.2897652

  39. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, USA (1996)

    Google Scholar 

  40. Rubinfeld, R., Sudan, M.: Robust characterizations of polynomials with applications to program testing. SIAM J. Comput. 25(2), 252–271 (1996). https://doi.org/10.1137/S0097539793255151

    Article  MathSciNet  MATH  Google Scholar 

  41. Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

    Chapter  Google Scholar 

  42. Setty, S., Lee, J.: Quarks: quadruple-efficient transparent zkSNARKs. Cryptology ePrint Archive, Report 2020/1275 (2020). https://eprint.iacr.org/2020/1275

  43. Tomescu, A.: Cryptographic assumptions in hidden-order groups. https://alinush.github.io/2020/11/05/cryptographic-assumptions-in-hidden-order-groups.html

  44. Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1

    Chapter  MATH  Google Scholar 

  45. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943. IEEE Computer Society Press, May 2018. https://doi.org/10.1109/SP.2018.00060

  46. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13

    Chapter  Google Scholar 

  47. Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy, pp. 1077–1093. IEEE Computer Society Press, May 2017. https://doi.org/10.1109/SP.2017.51

  48. Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: 2020 IEEE Symposium on Security and Privacy, pp. 859–876. IEEE Computer Society Press, May 2020. https://doi.org/10.1109/SP40000.2020.00052

Download references

Acknowledgments

Alexander R. Block was supported in part by NSF grant CCF-1910659. Pratik Soni was supported in part by the NSF award 1916939, DARPA SIEVE program, a gift from Ripple, a DoE NETL award, a JP Morgan Faculty Fellowship, a PNC center for financial services innovation award, and a Cylab seed funding award. Ron Rothblum was supported in part by a Milgrom family grant, by the Israeli Science Foundation (Grants No. 1262/18 and 2137/19), and grants from the Technion Hiroshi Fujiwara cyber security research center and Israel cyber directorate. Alon Rosen is supported in part by ISF grant No. 1399/17 and Project PROMETHEUS (Grant 780701).

Author information

Authors and Affiliations

  1. Purdue University, West Lafayette, USA

    Alexander R. Block

  2. NTT Research, Sunnyvale, CA, USA

    Justin Holmgren

  3. IDC Herzliya, Herzliya, Israel

    Alon Rosen

  4. Technion, Haifa, Israel

    Ron D. Rothblum

  5. Carnegie Mellon University, Pittsburgh, USA

    Pratik Soni

Authors
  1. Alexander R. Block
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Justin Holmgren
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alon Rosen
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ron D. Rothblum
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Pratik Soni
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander R. Block .

Editor information

Editors and Affiliations

  1. Columbia University, New York City, NY, USA

    Tal Malkin

  2. University of Michigan, Ann Arbor, MI, USA

    Chris Peikert

Rights and permissions

Reprints and permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P. (2021). Time- and Space-Efficient Arguments from Groups of Unknown Order. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12828. Springer, Cham. https://doi.org/10.1007/978-3-030-84259-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-84259-8_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84258-1

  • Online ISBN: 978-3-030-84259-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation