
Flashproofs: Efficient Zero-Knowledge Arguments of Range and Polynomial Evaluation with Transparent Setup

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13792)

Abstract

We propose Flashproofs, a new type of efficient special honest verifier zero-knowledge arguments with a transparent setup in the discrete logarithm (DL) setting. First, we put forth gas-efficient range arguments that achieve \(O(N^{\frac{2}{3}})\) communication cost, and involve \(O(N^{\frac{2}{3}})\) group exponentiations for verification and a slightly sub-linear number of group exponentiations for proving with respect to the range \([0, 2^N-1]\), where N is the bit length of the range. For typical confidential transactions on blockchain platforms supporting smart contracts, verifying our range arguments consumes only 237K and 318K gas for 32-bit and 64-bit ranges respectively, which is comparable to the 220K gas incurred by verifying the most efficient zkSNARK with a trusted setup (EUROCRYPT ’16) at present. Moreover, aggregating multiple arguments yields further efficiency improvements. Second, we present polynomial evaluation arguments based on the techniques of Bayer & Groth (EUROCRYPT ’13). We provide two zero-knowledge arguments, optimised for lower-degree (\(D \in [3, 2^9]\)) and higher-degree (\(D > 2^9\)) polynomials respectively, where D is the polynomial degree. Our arguments yield a non-trivial improvement in overall efficiency. Notably, the number of group exponentiations for proving drops from \(8\log D\) to \(3(\log D+\sqrt{\log D})\). The communication cost and the number of group exponentiations for verification decrease from \(7\log D\) to \((\log D + 3\sqrt{\log D})\). To the best of our knowledge, our arguments instantiate the most communication-efficient arguments of membership and non-membership in the DL setting among those not requiring trusted setups. More importantly, our techniques enable a significant asymptotic improvement in the efficiency of communication and verification (group exponentiations), from \(O(\log D)\) to \(O(\sqrt{\log D})\), when multiple arguments satisfying different polynomials with the same degree and inputs are aggregated.

S. C.-K. Chau—This research was supported by ARC Discovery Project No: GA69027/DP200101985.


Change history

  • 09 April 2023: A correction has been published.

Notes

  1. According to the recent study [22], class groups of 3392-bit order only barely achieve the 128-bit security level that 256-bit elliptic curve groups provide.

  2. We will refer to the range instance of Bulletproofs as “Bulletproof” in the following.

  3. A 52-bit range can cover all the values from 1 satoshi up to 21 million bitcoins.

  4. The size of one field element in CKLR21 is larger than 256 bits for 32-bit ranges.

  5. We skip the protocol for \(D \in \{1, 2\}\), which is simpler than the lower-degree one.

  6. Gas costs would be significantly reduced if precompiled contracts for non-pairing curves, e.g., secp256k1, are supported on smart contract platforms in future.

  7. The Java code [9] was implemented by the first author of the Bulletproofs paper.

  8. Note that the arguments may not be sound when \(y=x^k\) is greater than the group order p. We use these monomials only for measuring the computational costs.

  9. The number of runs specifies how often each opcode will be executed across the contract’s lifetime [38]. The larger the value, the more gas-efficient the generated code is.

  10. We did not find aggregate proofs of CKLR21 in the DL setting [20].

  11. The data refers to the 50 million UTXOs mentioned in Bulletproofs [13].

References

  1. Alex, V., Sergey, V.: Solidity implementation of bulletproof (2018). https://github.com/BANKEX/BulletproofJS

  2. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 (2017)

  3. Bayer, S., Groth, J.: Zero-knowledge argument for polynomial evaluation with application to blacklists. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 646–663. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_38

  4. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054130

  5. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. IACR Cryptol. ePrint Arch. (2018)

  6. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

  7. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: 23rd USENIX Security Symposium (USENIX Security 2014) (2014)

  8. Benarroch, D., Campanelli, M., Fiore, D., Gurkan, K., Kolonelos, D.: Zero-knowledge proofs for set membership: efficient, succinct, modular. In: Financial Cryptography and Data Security (2021)

  9. Benedikt, B.: Java implementation of bulletproof (2017). https://github.com/bbuenz/BulletProofLib

  10. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  11. Bootle, J., Groth, J.: Efficient batch zero-knowledge arguments for low degree polynomials. In: Public-Key Cryptography - PKC 2018 (2018)

  12. BouncyCastle: Bouncycastle. https://www.bouncycastle.org/

  13. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more, pp. 315–334, May 2018

  14. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

  15. Camenisch, J., Chaabouni, R., shelat: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15

  16. Cardozo, A.S., Williamson, Z.: https://eips.ethereum.org/EIPS/eip-1108

  17. Chiesa, A., Ojha, D., Spooner, N.: FRACTAL: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

  18. Christian, R.: EIP-196: Precompiled contracts for addition and scalar multiplication on the elliptic curve \(alt_bn128\) (2017). https://eips.ethereum.org/EIPS/eip-196

  19. coindesk (2022). https://www.coindesk.com/price/ethereum

  20. Couteau, G., Klooß, M., Lin, H., Reichle, M.: Efficient range proofs with transparent setup from bounded integer commitments. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 247–277. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_9

  21. Deng, C., Tang, X., You, L., Hu, G.: Cuproof: a novel range proof with constant size. IACR Cryptol. ePrint Arch. (2021)

  22. Dobson, S., Galbraith, S., Smith, B.: Trustless unknown-order groups. Math. Cryptol. 1(2), 25–39 (2022). https://journals.flvc.org/mathcryptology/article/view/130579

  23. Etherscan. https://ropsten.etherscan.io/address/0xa1f11d83a5222692c0eff9eca32254a7452c4f29#code#L1

  24. Etherscan: https://etherscan.io/gasTracker (2022)

  25. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  26. Gregory, M.: Confidential transactions (2016). https://elementsproject.org/features/confidential-transactions/investigation

  27. Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_32

  28. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  29. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9

  30. HarryR: https://github.com/HarryR/ethsnarks

  31. matter labs: Awesome zero knowledge proofs. https://github.com/matter-labs/awesome-zero-knowledge-proofs

  32. Language, S.P.: https://docs.soliditylang.org

  33. Lipmaa, H.: On Diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26

  34. Lyu, L., Chau, S.C.K., Wang, N., Zheng, Y.: Cloud-based privacy-preserving collaborative consumption for sharing economy. IEEE Trans. Cloud Comput. 10(3), 1647–1660 (2022)

  35. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2111–2128 (2019)

  36. Michaud-Rodgers, P.: Sum of three squares (2019). https://warwick.ac.uk/fac/sci/maths/people/staff/michaud/threesquarestalk.pdf

  37. Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

  38. Solidity: Solidity optimizer (2022). https://docs.soliditylang.org/en/v0.8.14/internals/optimizer.html#optimizer-parameter-runs

  39. Suite, T.: https://www.trufflesuite.com

  40. TornadoCash: Tornadocash (2021). https://tornado.cash/

  41. Wahby, R., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup, pp. 926–943, May 2018

  42. Wang, N., Chau, S.C.K., Zhou, Y.: Privacy-preserving energy storage sharing with blockchain and secure multi-party computation. ACM SIGENERGY Energy Inform. Rev. 1(1), 32–50 (2022). https://doi.org/10.1145/3508467.3508471

  43. Weisstein, E.W.: Lagrange’s four-square theorem (2021). https://mathworld.wolfram.com/LagrangesFour-SquareTheorem.html

  44. Weisstein, E.W.: Maclaurin series (2021). https://mathworld.wolfram.com/MaclaurinSeries.html

  45. Williamson, Z.J.: The Aztec protocol (2018). https://github.com/AztecProtocol/AZTEC/blob/master/AZTEC.pdf

  46. Zhang, J., Xie, T., Zhang, Y., Song, D.X.: Transparent polynomial delegation and its applications to zero knowledge proof. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 859–876 (2020)

Author information

Corresponding author: Nan Wang


Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Wang, N., Chau, S.CK. (2022). Flashproofs: Efficient Zero-Knowledge Arguments of Range and Polynomial Evaluation with Transparent Setup. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13792. Springer, Cham. https://doi.org/10.1007/978-3-031-22966-4_8

  • DOI: https://doi.org/10.1007/978-3-031-22966-4_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22965-7

  • Online ISBN: 978-3-031-22966-4

  • eBook Packages: Computer Science (R0)