
SNARGs and PPAD Hardness from the Decisional Diffie-Hellman Assumption

Conference paper. In: Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Abstract

We construct succinct non-interactive arguments (SNARGs) for bounded-depth computations assuming that the decisional Diffie-Hellman (DDH) problem is sub-exponentially hard. This is the first construction of such SNARGs from a Diffie-Hellman assumption. Our SNARG is also unambiguous: for every (true) statement x, it is computationally hard to find any accepting proof for x other than the proof produced by the prescribed prover strategy.

We obtain our result by showing how to instantiate the Fiat-Shamir heuristic, under DDH, for a variant of the Goldwasser-Kalai-Rothblum (GKR) interactive proof system. Our new technical contributions are (1) giving a \(TC^0\) circuit family for finding roots of cubic polynomials over a special family of characteristic-2 fields (Healy-Viola, STACS 2006) and (2) constructing a variant of the GKR protocol whose invocations of the sumcheck protocol (Lund-Fortnow-Karloff-Nisan, STOC 1990) only involve degree 3 polynomials over said fields.

Along the way, since we can instantiate the Fiat-Shamir heuristic for certain variants of the sumcheck protocol, we also show the existence of (sub-exponentially) hard problems in the complexity class \(\textsf{PPAD}\), assuming the sub-exponential hardness of DDH. Previous \(\textsf{PPAD}\) hardness results required either bilinear maps or the learning with errors assumption.
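The abstract relies on running the sumcheck protocol with low individual degree and then removing the verifier's interaction with Fiat-Shamir. The block below is an added example, not code from the paper: a sumcheck prover and verifier over a prime field F_p (p = 2^61 - 1 is an assumed choice; the paper works over characteristic-2 fields) for a polynomial of individual degree at most 3, with each challenge derived by hashing the transcript so far. SHA-256 stands in for the correlation-intractable hash family that the paper instantiates from DDH, so the code shows the protocol's structure and the verifier's checks, not the paper's security argument. The polynomial G, the function names and the byte encoding are all constructed for the example.

```python
import hashlib
from itertools import product

# Assumed field for this example: F_p for the Mersenne prime p = 2^61 - 1.
P = 2**61 - 1


def individual_degree(g):
    """Largest exponent of any single variable in g (dict: exponent tuple -> coefficient)."""
    return max(max(exps) for exps in g)


def poly_eval(g, point):
    """Evaluate the multivariate polynomial g at a point in F_p^n."""
    total = 0
    for exps, coeff in g.items():
        term = coeff
        for x, e in zip(point, exps):
            term = term * pow(x, e, P) % P
        total = (total + term) % P
    return total


def hypercube_sum(g, n):
    """The value the prover claims: the sum of g over {0,1}^n."""
    return sum(poly_eval(g, pt) for pt in product((0, 1), repeat=n)) % P


def round_polynomial(g, prefix, i, n):
    """Coefficients c[0..3] of g_i(X) = sum over tail in {0,1}^(n-i-1) of g(prefix, X, tail).

    For a monomial, a tail variable with exponent 0 contributes a factor 2 (both tail
    values give 1); any positive exponent contributes a factor 1 (only tail value 1 survives).
    """
    coeffs = [0, 0, 0, 0]
    for exps, coeff in g.items():
        term = coeff
        for j in range(i):
            term = term * pow(prefix[j], exps[j], P) % P
        zero_exps = sum(1 for j in range(i + 1, n) if exps[j] == 0)
        term = term * pow(2, zero_exps, P) % P
        coeffs[exps[i]] = (coeffs[exps[i]] + term) % P
    return coeffs


def univariate_eval(coeffs, x):
    """Horner evaluation of a univariate polynomial given by its coefficient list."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def encode_ints(values):
    return b"".join(v.to_bytes(8, "big") for v in values)


def statement_bytes(g, n, claimed):
    """Bind the hash to the statement (polynomial and claimed sum), not only to the messages."""
    parts = [n, claimed]
    for exps, coeff in sorted(g.items()):
        parts.extend(exps)
        parts.append(coeff % P)
    return encode_ints(parts)


def fs_challenge(transcript):
    """Fiat-Shamir: the verifier's random field element becomes a hash of the transcript.
    SHA-256 is a stand-in here for the correlation-intractable hash the paper builds from DDH."""
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % P


def prove(g, n):
    assert individual_degree(g) <= 3, "sumcheck variant in the paper uses individual degree <= 3"
    claimed = hypercube_sum(g, n)
    transcript = statement_bytes(g, n, claimed)
    prefix, rounds = [], []
    for i in range(n):
        g_i = round_polynomial(g, prefix, i, n)
        rounds.append(g_i)
        transcript += encode_ints(g_i)
        prefix.append(fs_challenge(transcript))
    return claimed, rounds


def verify(g, n, claimed, rounds):
    # Reject a proof with the wrong number of rounds or a round polynomial of the wrong degree.
    if len(rounds) != n or any(len(g_i) != 4 for g_i in rounds):
        return False
    transcript = statement_bytes(g, n, claimed)
    expected, point = claimed, []
    for g_i in rounds:
        # Consistency check: g_i(0) + g_i(1) must equal the running claim.
        if (univariate_eval(g_i, 0) + univariate_eval(g_i, 1)) % P != expected:
            return False
        transcript += encode_ints(g_i)
        r = fs_challenge(transcript)  # same derivation as the prover
        point.append(r)
        expected = univariate_eval(g_i, r)
    # Final check: one evaluation of g at the hashed point.
    return poly_eval(g, point) == expected


if __name__ == "__main__":
    # Constructed sample: 3 variables, individual degree 3, hypercube sum 118.
    G = {(3, 1, 0): 5, (0, 2, 3): 7, (1, 0, 1): 3, (0, 0, 0): 11}
    claimed, proof = prove(G, 3)
    print(claimed, verify(G, 3, claimed, proof), verify(G, 3, claimed + 1, proof))
```

Each round polynomial travels as exactly four coefficients, so the verifier rejects an over-degree message before doing any arithmetic; the two checks that carry soundness are g_i(0) + g_i(1) against the running claim and the single evaluation of g at the hashed point. Since the challenges are a deterministic function of the statement and transcript, the honest proof for a statement is unique; the unambiguity property in the abstract is the stronger claim that no other accepting proof can be found efficiently, and that, like soundness of the hashed protocol, is exactly what the correlation-intractable hash has to provide.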


Notes

  1. As is common, we consider arguments in the common reference string (CRS) model, where the reference string is set up in advance. Throughout this paper, our reference strings will be uniformly random without loss of generality.

  2. We note that the circuit C itself is always fixed in the protocol description.

  3. Here and below, by “degree” we refer to individual degree: a multivariate polynomial has individual degree \(\le d\) if it has degree \(\le d\) in each variable.

  4. In fact, our algorithm finds all roots that lie in the unique degree-2 extension of \(\mathbb {K}\) but not its algebraic closure.

  5. The variant of [GKR08] that we use actually runs pairs of sumcheck protocols in parallel with shared verifier randomness (as is done in [Mei13, JKKZ21]), but this detail does not substantially change the proof.

  6. This follows from the fact that \(az^2 + bz + c = 0 \iff (a/b\cdot z)^2 + (a/b\cdot z) + a/b^2 \cdot c = 0\).

  7. This is the case since in characteristic 2 fields, \(-\alpha = \alpha \) for all \(\alpha \).

  8. These groups will be used to instantiate the lossy trapdoor function component of a lossy CI hash family; the CI component does not have to satisfy all of these properties (but \(\textsf{DDH}\) must still be sub-exponentially hard).

  9. Following [JKKZ21], we require perfect correctness for simplicity only.

  10. As usual, the circuit size will be polynomial in the description length of its input, which will be at least n as a single field element is an n-bit string.

  11. An element \(\alpha \) in a field extension \(\mathbb {K}\) of \(\mathbb {F}_2\) is said to have degree d if d is the minimal degree of a nonzero polynomial p over \(\mathbb {F}_2\) such that \(p(\alpha )=0\) (over \(\mathbb {K}\)).

  12. \(\mathbb {F}_{p^d}\) is a subfield of \(\mathbb {F}_{p^n}\) if and only if \(d\mid n\).

  13. The (large) exponent can also be computed in \(\textsf{TC}^0\) [HAB02], or can be nonuniformly hard-wired for simplicity.
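Notes 6, 7, 11 and 12 state facts about characteristic-2 fields that can be checked mechanically. The block below is an added example, not code from the paper: it implements GF(2^8) with the AES modulus x^8 + x^4 + x^3 + x + 1 (an assumed choice; the paper's fields are the Healy-Viola family, which is not modelled here), applies the substitution w = (a/b)·z from note 6 and checks it against brute-force root finding, counts the fixed points of x ↦ x^(2^d) to confirm the subfield criterion of note 12 in the general form |{x : x^(2^d) = x}| = 2^gcd(d, n), and computes the degree of an element in the sense of note 11 as the length of its Frobenius orbit. All function names and sample inputs are constructed for the example.

```python
# Assumed parameters (not from the paper): GF(2^8) with the AES modulus x^8 + x^4 + x^3 + x + 1.
N = 8
MOD = 0x11B
ORDER = 1 << N


def gf_add(a, b):
    """Characteristic 2: addition is XOR, so every element is its own negative (note 7)."""
    return a ^ b


def gf_mul(a, b):
    """Carry-less multiplication followed by reduction modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, ORDER - 2)  # a^(2^N - 2) = a^(-1)


def gf_div(a, b):
    return gf_mul(a, gf_inv(b))


def quadratic_roots(a, b, c):
    """All z in GF(2^N) with a z^2 + b z + c = 0, by exhaustive search (the field is small)."""
    return {z for z in range(ORDER)
            if gf_add(gf_add(gf_mul(a, gf_mul(z, z)), gf_mul(b, z)), c) == 0}


def reduce_quadratic(a, b, c):
    """Note 6: for a, b != 0, substituting w = (a/b) z turns a z^2 + b z + c = 0 into
    w^2 + w + c' = 0 with c' = a c / b^2. Returns c'."""
    return gf_mul(gf_div(a, b), gf_div(c, b))


def check_reduction(a, b, c):
    """Roots of the reduced equation, pulled back through z = (b/a) w, must equal the original roots."""
    b_over_a = gf_div(b, a)
    pulled_back = {gf_mul(b_over_a, w) for w in quadratic_roots(1, 1, reduce_quadratic(a, b, c))}
    return pulled_back == quadratic_roots(a, b, c)


def frobenius_fixed_count(d):
    """Number of x in GF(2^N) with x^(2^d) = x. These form the subfield GF(2^gcd(d, N)),
    so the count is 2^gcd(d, N); it equals 2^d exactly when d divides N (note 12)."""
    return sum(1 for x in range(ORDER) if gf_pow(x, 1 << d) == x)


def element_degree(alpha):
    """Degree of alpha over F_2 in the sense of note 11: the degree of its minimal polynomial,
    which is the smallest d >= 1 with alpha^(2^d) = alpha (the length of its Frobenius orbit)."""
    d, y = 1, gf_mul(alpha, alpha)
    while y != alpha:
        y = gf_mul(y, y)
        d += 1
    return d


if __name__ == "__main__":
    # Constructed inputs: 2 z^2 + z = 0 has roots 0 and 1/2 = 0x8D in the AES field.
    print(sorted(quadratic_roots(2, 1, 0)), check_reduction(3, 7, 0x1F))
    print([frobenius_fixed_count(d) for d in range(1, N + 1)])  # 2, 4, 2, 16, 2, 4, 2, 256
    print(element_degree(2), sum(1 for x in range(ORDER) if element_degree(x) == 8))
```

Two sanity checks worth keeping in mind when reading note 6: the substitution needs a and b nonzero (the degenerate cases are linear or a pure square, which in characteristic 2 has a unique root), and the monic form w^2 + w + c' has either zero or exactly two roots w and w + 1, since adding 1 to a root gives the other one. Over GF(2^8) exactly half of the values c' admit a root, which the test below confirms by counting.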

References

  1. Adleman, L., Manders, K., Miller, G.: On taking roots in finite fields. In: 18th Annual Symposium on Foundations of Computer Science (SFCS 1977), pp. 175–178. IEEE Computer Society (1977)

  2. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001

  3. Bartusek, J., Bronfman, L., Holmgren, J., Ma, F., Rothblum, R.D.: On the (in)security of Kilian-based SNARGs. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 522–551. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-36033-7_20

  4. Bitansky, N., et al.: PPAD is as hard as iterated squaring and LWE. In: TCC 2022 (2022). https://eprint.iacr.org/2022/1272

  5. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)

  6. Brakerski, Z., Koppula, V., Mour, T.: NIZK from LPN and trapdoor hash via correlation intractability for approximable relations. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 738–767. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-56877-1_26

  7. Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a Nash equilibrium. In: Guruswami, V. (ed.) 56th FOCS, pp. 1480–1498. IEEE Computer Society Press, October 2015

  8. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993

  9. Blake, I., Seroussi, G., Smart, N.: Elliptic Curves in Cryptography, vol. 265. Cambridge University Press, Cambridge (1999)

  10. Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1082–1090. ACM Press, June 2019

  11. Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A, Part I. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_17

  12. Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-Shamir and correlation intractability from strong KDM-secure encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 91–122. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_4

  13. Chen, X., Deng, X., Teng, S.-H.: Settling the complexity of computing two-player Nash equilibria. J. ACM 56(3), 1–57 (2009)

  14. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOC, pp. 209–218. ACM Press, May 1998

  15. Choudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1103–1114. ACM Press, June 2019

  16. Choudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite. Cryptology ePrint Archive, Report 2019/667 (2019). https://eprint.iacr.org/2019/667

  17. Choudhuri, A.R., Jain, A., Jin, Z.: Non-interactive batch arguments for NP from standard assumptions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 394–423. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_14

  18. Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for P from LWE. In: 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 68–79. IEEE (2022)

  19. Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36, 587–592 (1981)

  20. Daskalakis, C., Goldberg, P.W., Papadimitriou, C.H.: The complexity of computing a Nash equilibrium. SIAM J. Comput. 39(1), 195–259 (2009)

  21. Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5

  22. Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 279–295. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_17

  23. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  24. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press, October 2003

  25. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 113–122. ACM Press, May 2008

  26. Goldreich, O.: On doubly-efficient interactive proof systems. Found. Trends Theor. Comput. Sci. 13(3), 158–246 (2018)

  27. Garg, S., Pandey, O., Srinivasan, A.: Revisiting the cryptographic hardness of finding a Nash equilibrium. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 579–604. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_20

  28. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press, June 2011

  29. González, A., Zacharakis, A.: Fully-succinct publicly verifiable delegation from constant-size assumptions. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13042, pp. 529–557. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_18

  30. Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. Syst. Sci. 65(4), 695–716 (2002)

  31. Hulett, J., Jawale, R., Khurana, D., Srinivasan, A.: SNARGs for P from sub-exponential DDH and QR. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 520–549. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_18

  32. Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions (or: one-way product functions and their applications). In: Thorup, M. (ed.) 59th FOCS, pp. 850–858. IEEE Computer Society Press, October 2018

  33. Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 750–760 (2021)

  34. Healy, A., Viola, E.: Constant-depth circuits for arithmetic in finite fields of characteristic two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006). https://doi.org/10.1007/11672142_55

  35. Jain, A., Jin, Z.: Non-interactive zero knowledge from sub-exponential DDH. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_1

  36. Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 708–721 (2021)

  37. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 60–73 (2021)

  38. Kalai, Y.T., Lombardi, A., Vaikuntanathan, V., Wichs, D.: Boosting batch arguments and RAM delegation. In: STOC (2023). https://eprint.iacr.org/2022/1320

  39. Kalai, Y.T., Paneth, O., Yang, L.: On publicly verifiable delegation from standard assumptions. Cryptology ePrint Archive, Report 2018/776 (2018). https://eprint.iacr.org/2018/776

  40. Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1115–1124. ACM Press, June 2019

  41. Kalai, Y.T., Paneth, O., Yang, L.: Delegation with updatable unambiguous proofs and PPAD-hardness. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 652–673. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_23

  42. Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_8

  43. Kalai, Y.T., Vaikuntanathan, V., Zhang, R.Y.: Somewhere statistical soundness, post-quantum security, and SNARGs. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part I. LNCS, vol. 13042, pp. 330–368. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_12

  44. Lagrange, J.-L.: Réflexions sur la résolution algébrique des équations. Nouveaux Mémoires de l'Académie Royale des Sciences et Belles-Lettres, avec l'Histoire pour la même année 1, 134–215 (1770)

  45. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. In: 31st FOCS, pp. 2–10. IEEE Computer Society Press, October 1990

  46. Lombardi, A., Vaikuntanathan, V.: Fiat-Shamir for repeated squaring with applications to PPAD-hardness and VDFs. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 632–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_22

  47. Meir, O.: IP = PSPACE using error-correcting codes. SIAM J. Comput. 42(1), 380–403 (2013)

  48. Micali, S.: CS proofs (extended abstract). In: 35th FOCS, pp. 436–453. IEEE Computer Society Press, November 1994

  49. Papadimitriou, C.H.: On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)

  50. Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_4

  51. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press, May 2008

  52. Rabin, M.O.: Probabilistic algorithms in finite fields. SIAM J. Comput. 9(2), 273–280 (1980)

  53. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, pp. 49–62. ACM Press, June 2016

  54. Tovey, C.A.: A simplified NP-complete satisfiability problem. Discrete Appl. Math. 8(1), 85–89 (1984)

  55. Valiant, L.G., Vazirani, V.V.: NP is as easy as detecting unique solutions. In: 17th ACM STOC, pp. 458–463. ACM Press, May 1985

  56. Waters, B., Wu, D.J.: Batch arguments for NP and more from standard bilinear group assumptions. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_15


Acknowledgements

VV was supported in part by DARPA under Agreement No. HR00112020023, NSF CNS-2154174, and a Thornton Family Faculty Research Innovation Fellowship from MIT. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA. This research was conducted in part while AL was at MIT, where he was supported by a Charles M. Vest fellowship and the grants above.

Author information

Corresponding author: Alex Lombardi


Copyright information

© 2023 International Association for Cryptologic Research


Cite this paper

Kalai, Y.T., Lombardi, A., Vaikuntanathan, V. (2023). SNARGs and PPAD Hardness from the Decisional Diffie-Hellman Assumption. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14005. Springer, Cham. https://doi.org/10.1007/978-3-031-30617-4_16


  • DOI: https://doi.org/10.1007/978-3-031-30617-4_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30616-7

  • Online ISBN: 978-3-031-30617-4
