Practical Statistically-Sound Proofs of Exponentiation in Any Group

Abstract

A proof of exponentiation (PoE) in a group \({\mathbb {G}}\) of unknown order allows a prover to convince a verifier that a tuple \((x,q,T,y)\in {\mathbb {G}}\times {\mathbb {N}}\times {\mathbb {N}}\times {\mathbb {G}}\) satisfies \(x^{q^T}=y\). This primitive has recently found exciting applications in the constructions of verifiable delay functions and succinct arguments of knowledge. The most practical PoEs only achieve soundness either under computational assumptions, i.e., they are arguments (Wesolowski, Journal of Cryptology 2020), or in groups that come with the promise of not having any small subgroups (Pietrzak, ITCS 2019). The only statistically-sound PoE in general groups of unknown order is due to Block et al. (CRYPTO 2021), and can be seen as an elaborate parallel repetition of Pietrzak’s PoE: to achieve \(\lambda \) bits of security, say \(\lambda =80\), the number of repetitions required (and thus the blow-up in communication) is as large as \(\lambda \).

In this work, we propose a statistically-sound PoE for the case where the exponent q is the product of all primes up to some bound B. We show that, in this case, it suffices to run only \(\lambda /\log (B)\) parallel instances of Pietrzak’s PoE, which reduces the concrete proof-size compared to Block et al. by an order of magnitude. Furthermore, we show that in the known applications where PoEs are used as a building block such structured exponents are viable. Finally, we also discuss batching of our PoE, showing that many proofs (for the same \(\mathbb {G}\) and q but different x and T) can be batched by adding only a single element to the proof per additional statement.

Pavel Hubáček was supported by the Grant Agency of the Czech Republic under the grant agreement no. 19-27871X and by the Charles University project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral Fellowship. Karen Klein was supported in part by ERC CoG grant 724307 and conducted part of this work at Institute of Science and Technology Austria.

Appendices

A Improving Verifier’s Efficiency

In Fig. 2 we see that for large values of B and q the verifier’s complexity increases because the final computation \((y')^{q^C}\) becomes expensive. The cost of this computation is \(C\cdot \log (q)\), where so far we have set \(C=t\log (B)\). We can reduce this number to \(C=t\log (B)/2\) by setting q to

$$\begin{aligned} q=2^2\cdot 3^2\cdot \prod _{3<p<B}p. \end{aligned}$$

(2)

It is straightforward to check that this does not affect our soundness bound, but it has a notable effect on verifier’s efficiency as shown in Fig. 6.

Fig. 6.

Number of multiplications of the verifier in one round for 80-bit security depending on the bound \(B\). The blue line is the number of multiplications in [7], the dotted orange graph is the complexity of our protocol with \(C=t\log (B)\), the red graph is the complexity in our protocol with \(C=t\log (B)/2\) and the green line is the verifier’s complexity in [40]. (Color figure online)

This approach can be generalized to setting \(C=t\log (B)/k\) for any integer \(k\le \log (B)\). To ensure soundness we need to modify q as follows: Let m be the largest prime number such that \(m<2^k\). Then we set

$$\begin{aligned} q=2^k\cdot 3^{\lceil k/\log (3)\rceil }\cdot 5^{\lceil k/\log (5)\rceil }\cdots m^{\lceil k/\log (m)\rceil }\cdot \prod _{m<p<B}p. \end{aligned}$$

In particular, the choice of q that optimizes verifier’s efficiency for large values of B is

$$\begin{aligned} q=\prod _{p<B}p^{\lceil \log (B)/\log (p)\rceil } \end{aligned}$$

for which we can set \(C=t\). The cost for the verifier with this parameters is shown in Fig. 7. We conclude that the verifier’s complexity of our scheme improves upon [7] for values of B from 59 up to 2749, which corresponds to values of q between approximately \(2^{71}\) and \(2^{400\cdot \log (2749)}\approx 2^{3167}\).

Fig. 7.

Number of multiplications of the verifier in one round for 80-bit security depending on the bound \(B\). The dotted blue line is the number of multiplications in [7], the orange graph is the complexity of our protocol with \(C=t\) and q as above and the green line is verifier’s complexity in [40] (which is 240 multiplications). (Color figure online)

B Application in Polynomial Commitments

In this section we analyse the gain in efficiency when we use our PoE as a building block instead of the one proposed in [7].

In the full version of the paper [31] we provide an overview of the polynomial commitment scheme in [7]. Here we only state the key properties that the PoE should satisfy in order to be applicable in the polynomial commitment scheme.

Requirements from the PoE. Note that the use of the PoE in the [7] polynomial commitment is more or less black-box. However, there are two important criteria that it should satisfy.

1. 1.

   Firstly, the PoE has to satisfy statistical soundness so that the knowledge soundness of the polynomial commitment built upon it can be argued ([7, Lemma 6.4]).⁹ Our PoE satisfies statistical soundness.

2. 2.

   Secondly, the base \(q\) used in the PoE protocol is borrowed from the polynomial commitment. In order for the polynomial commitment to satisfy its homomorphic properties, [7] set it to be a large, odd integer – in particular, they require \(q\gg p\cdot 2^{n\textbf{poly} (\lambda )}\). This requirement that \(q\) be large, as we saw in Sect. 2 is advantageous for our PoE. On the other hand, the requirement that \(q\) be odd is in conflict with our trick of choosing an even \(q\) as in Eq. (1). However, we show in the full version of the paper [31] that the requirement that \(q\) be odd is not necessary in [7].

1.1 B.1 Efficiency

In this section we analyze the improvement in efficiency of the polynomial commitment scheme in [7] using our PoE, the batching protocol and the optimization in Appendix A. In the polynomial commitment scheme the PoE protocol is used to prove statements of the form \(x_i^{q^{2^{n-k-1}}}=y_i\) for every \(i\in \left[ \lambda \right] \) and every \(k\in \{0,1,\ldots ,n-1\}\).

Communication Complexity. In [7] the communication complexity of proving \(\lambda \) many statements with the same exponent is \(\lambda (n-k-1)\) group elements. This gives a total PoE proof-size of

$$\begin{aligned} \lambda \sum _{k=0}^{n-1}(n-k-1)=\frac{\lambda }{2}(n-1)n. \end{aligned}$$

As we have seen in Sect. 3.2, in our PoE the cost of proving \(\lambda n\) statements, in which the largest exponent is \(q^{n-1}\), is

$$\begin{aligned} \lambda n\log ^*(n-1)+\frac{\lambda }{\log (B)}(n-1). \end{aligned}$$

We conclude that we decrease the proof-size of the polynomial commitment by a factor of approximately \(n/(2\log ^*(n-1))\). This number can be increased to n/2 at the cost of a higher verifier complexity. More generally, the number of recursive steps explained in Sect. 3.2 can be used to choose a trade-off between proof-size and verifier efficiency.

Verifier’s Efficiency. In [7] the verifier’s complexity of proving \(\lambda \) many statements with the same exponent is \(2\lambda ^2 (n-k-1)+\lambda \log (q)\) multiplications. This gives a total verifier’s complexity of

$$\begin{aligned} 2\lambda ^2\sum _{k=0}^{n-1}((n-k-1)+\lambda \log (q))=(\lambda \log (q)+2\lambda ^2(n-1))n. \end{aligned}$$

As we have seen in Sect. 3.2, in our PoE the cost of verifying \(\lambda n\) statements, in which the largest exponent is \(q^{n-1}\), is

$$\begin{aligned} (n-1)(6\log (B)+32)\rho ^2+3\lambda n\log ^*(C)\rho \cdot (\log (B)+5)+(\rho +\lambda n)\log (q)\approx 15\lambda ^2 n+\lambda n \log (q). \end{aligned}$$

Since in practice we have \(n\approx 32\), we conclude that the verifier’s efficiency of the polynomial commitment scheme implemented with our PoE is comparable to that in [7].