Abstract
Proof-carrying data (PCD) is a powerful cryptographic primitive that enables mutually distrustful parties to perform distributed computations that run indefinitely. Known approaches to construct PCD are based on succinct non-interactive arguments of knowledge (SNARKs) that have a succinct verifier or a succinct accumulation scheme.
In this paper we show how to obtain PCD without relying on SNARKs. We construct a PCD scheme given any non-interactive argument of knowledge (e.g., with linear-size arguments) that has a split accumulation scheme, which is a weak form of accumulation that we introduce.
Moreover, we construct a transparent non-interactive argument of knowledge for R1CS whose split accumulation is verifiable via a (small) constant number of group and field operations. Our construction is proved secure in the random oracle model based on the hardness of discrete logarithms, and it leads, via the random oracle heuristic and our result above, to concrete efficiency improvements for PCD.
Along the way, we construct a split accumulation scheme for Hadamard products under Pedersen commitments and for a simple polynomial commitment scheme based on Pedersen commitments.
Our results are supported by a modular and efficient implementation.
The full version of this paper is available online [BCL+20].
Notes
- 1.
- 2. By “working definition” we mean a definition that we can provably fulfill under concrete hardness assumptions in the random oracle model, and, separately, that provably suffices for recursive composition in the plain model without random oracles.
- 3. We could even “re-arrange” computation between the NARK and the accumulation scheme, and simplify the NARK further to be the NP decider (the verifier receives just the witness \(w\) and checks that the R1CS condition holds). We do not do so because this does not lead to any savings in the accumulation verifier (the main efficiency metric of interest), and also because the current presentation more naturally leads to the zero-knowledge variant described in Sect. 2.3.2. (We note that the foregoing rearrangement is a general transformation that preserves neither zero knowledge nor succinctness of the given NARK.)
- 4. For now we view the commitment key \(\mathsf {ck}\) and coefficient matrices \(A,B,C\) as hardcoded in the accumulation predicate \(\varPhi \); our definitions later handle this more precisely.
- 5. The verifier performs 4 group scalar multiplications: it computes \(\beta \cdot \mathsf {qx}.C_{\scriptscriptstyle C}\), and then obtains \(\beta \cdot \mathsf {pf}+ \beta ^2 \cdot \mathsf {qx}.C_{\scriptscriptstyle C}= \beta \cdot (\mathsf {pf}+ \beta \cdot \mathsf {qx}.C_{\scriptscriptstyle C})\) via a single further group scalar multiplication, reusing the first product. Furthermore, it is possible to combine \(C_{\scriptscriptstyle A}\) and \(C_{\scriptscriptstyle B}\) in one commitment in both the NARK and the accumulation scheme. This reduces the group scalar multiplications in the verifier to 3, and the accumulator size to \(3\;\mathbb {G}+ \mathsf {n}\;\mathbb {F}\).
- 6. Instantiations based on hashes are also possible [COS20]; they are post-quantum, but less efficient.
- 7.
- 8. This comparison is meaningful because the cost of accumulating polynomial commitments provides a lower bound on the cost of accumulating SNARKs that rely on these PC schemes.
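The saving described in Note 5, as an added example that is not the paper's code: a toy curve over F_97 (constructed here, far too small to be secure) with an assumed Pedersen key of two points G and H. The hypothetical functions `naive_combine` and `grouped_combine` both compute \(\beta \cdot \mathsf {qx}.C_{\scriptscriptstyle C}\) and \(\beta \cdot \mathsf {pf}+ \beta ^2 \cdot \mathsf {qx}.C_{\scriptscriptstyle C}\), and a counter shows that reusing \(\beta \cdot \mathsf {qx}.C_{\scriptscriptstyle C}\) costs 2 scalar multiplications instead of 3, with identical results.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (illustration only, not secure).
P_MOD, CURVE_A = 97, 2
G, H = (3, 6), (0, 10)     # assumed Pedersen commitment key: two points on the curve

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # p == -q (also doubling with y == 0)
        return None
    if p == q:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

class Counter:
    def __init__(self): self.n = 0

def ec_mul(k, p, cnt):
    """Double-and-add; every call is counted as one group scalar multiplication."""
    cnt.n += 1
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc

def pedersen(m, r, cnt=None):
    """Com(m, r) = m*G + r*H, additively homomorphic in (m, r)."""
    cnt = cnt or Counter()
    return ec_add(ec_mul(m, G, cnt), ec_mul(r, H, cnt))

def naive_combine(beta, pf, c):
    """beta*C alone, then beta*pf and beta^2*C separately: 3 scalar multiplications."""
    cnt = Counter()
    beta_c = ec_mul(beta, c, cnt)
    acc = ec_add(ec_mul(beta, pf, cnt), ec_mul(beta * beta, c, cnt))
    return beta_c, acc, cnt.n

def grouped_combine(beta, pf, c):
    """Reuse beta*C: beta*pf + beta^2*C = beta*(pf + beta*C), 2 scalar multiplications."""
    cnt = Counter()
    beta_c = ec_mul(beta, c, cnt)
    acc = ec_mul(beta, ec_add(pf, beta_c), cnt)
    return beta_c, acc, cnt.n
```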
References
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S & P 2018 (2018)
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. In: EUROCRYPT 2016 (2016)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC 2013 (2013)
Bünz, B., Chiesa, A., Lin, W., Mishra, P., Spooner, N.: Proof-carrying data without succinct arguments. In: IACR Cryptol. ePrint Arch. (2020). https://eprint.iacr.org/2020/1618
Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Proof-carrying data from accumulation schemes. In: TCC 2020 (2020)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable Zero Knowledge via Cycles of Elliptic Curves. In: CRYPTO 2014 (2014)
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo Infinite: Recursive zk-SNARKs from any Additive Polynomial Commitment Scheme. Cryptology ePrint Archive, Report 2020/1536
Bowe, S., Grigg, J., Hopwood, D.: Halo: Recursive Proof Composition without a Trusted Setup. Cryptology ePrint Archive, Report 2019/1021
Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for Inner Pairing Products and Applications. Cryptology ePrint Archive, Report 2019/1177
Bonneau, J., Meckler, I., Rao, V., Shapiro, E.: Coda: Decentralized Cryptocurrency at Scale. Cryptology ePrint Archive, Report 2020/352
Bellare, M., Neven, G.: Multi-signatures in the plain public-Key model and a general forking lemma. In: CCS 2006 (2006)
Chen, W., Chiesa, A., Dauterman, E., Ward, N.P.: Reducing Participation Costs via Incremental Verification for Ledger Systems. Cryptology ePrint Archive, Report 2020/1522
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. In: EUROCRYPT 2020 (2020)
Chiesa, A., Ojha, D., Spooner, N.: Fractal: Post-Quantum and Transparent Recursive Proofs from Holography. In: EUROCRYPT 2020 (2020)
Chiesa, A., Tromer, E.: Proof-Carrying Data and Hearsay Arguments from Signature Cards. In: ICS 2010 (2010)
Chong, S., Tromer, E., Vaughan, J.A.: Enforcing Language Semantics Using Proof-Carrying Data. Cryptology ePrint Archive, Report 2013/513
Chiesa, A., Tromer, E., Virza, M.: Cluster Computing in Zero Knowledge. In: EUROCRYPT 2015 (2015)
Groth, J.: On the Size of Pairing-Based Non-interactive Arguments. In: EUROCRYPT 2016 (2016)
Ghoshal, A., Tessaro, S.: Tight State-Restoration Soundness in the Algebraic Group Model. Cryptology ePrint Archive, Report 2020/1351
Bowe, S., Grigg, J., Hopwood, D.: Halo2 (2020). https://github.com/zcash/halo2
Hopwood, D.: The Pasta Curves for Halo 2 and Beyond. https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/
Kattis, A., Bonneau, J.: Proof of Necessary Work: Succinct State Verification with Fairness Guarantees. Cryptology ePrint Archive, Report 2020/190
O(1) Labs: Mina Cryptocurrency. https://minaprotocol.com/
Naveh, A., Tromer, E.: PhotoProof: cryptographic image authentication for any set of permissible transformations. In: S & P 2016 (2016)
O(1) Labs: Pickles. https://github.com/o1-labs/marlin
Valiant, P.: Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency. In: TCC 2008 (2008)
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S & P 2018 (2018)
Acknowledgements
This research was supported in part by the Ethereum Foundation, NSF, DARPA, a grant from ONR, and the Simons Foundation. Nicholas Spooner was supported by DARPA under Agreement No. HR00112020023.
© 2021 International Association for Cryptologic Research
Cite this paper
Bünz, B., Chiesa, A., Lin, W., Mishra, P., Spooner, N. (2021). Proof-Carrying Data Without Succinct Arguments. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_24
DOI: https://doi.org/10.1007/978-3-030-84242-0_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84241-3
Online ISBN: 978-3-030-84242-0