Abstract
We propose a new inner product argument (IPA), called TENET, which features sublogarithmic proof size and sublinear verifier cost without a trusted setup. IPAs are a core primitive for various advanced proof systems, including range proofs, circuit satisfiability, and polynomial commitments, particularly where a trusted setup is hard to apply. At ASIACRYPT 2022, Kim, Lee, and Seo showed that pairings can be used to break the complexity barrier of previous discrete-logarithm-based IPAs without a trusted setup. More precisely, they proposed two pairing-based IPAs, one with sublogarithmic proof size and the other with sublinear verifier cost, but left achieving both simultaneously as an open problem. We investigate the obstacles to this open problem and then present our solution, TENET, which achieves both sublogarithmic proof size and sublinear verifier cost. We prove the soundness of TENET under the discrete logarithm assumption and the double pairing assumption.
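For readers who have not seen the discrete-logarithm-only IPA that TENET improves on, the following is an added toy implementation (not code from the paper or its authors) of the recursive halving argument of Bulletproofs [8], the protocol the proof in Appendix A invokes as \(\mathsf {BP_{IP}}\) for the base case \(m=1\). It shows the two properties the abstract discusses: proof size \(2\log_2 n\) group elements plus two scalars, and no trusted setup, because every generator is derived by hashing. Assumptions made here: secp256k1 with naive affine arithmetic (not constant time, not for production), Fiat-Shamir [14] challenges, no zero-knowledge blinding, and names such as `ipa_prove`, `ipa_verify` and `demo` that are ours. Additive notation is used for the paper's multiplicative \(\overrightarrow{{\boldsymbol{g}}^{\boldsymbol{a}}}\circ \overrightarrow{{\boldsymbol{h}}^{\boldsymbol{b}}}\cdot u^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\).

```python
import hashlib

# secp256k1: y^2 = x^3 + 7 over F_P, prime group order N (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(A, B):
    """Affine point addition; None is the point at infinity (toy: not constant time)."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication [k]A."""
    R, k = None, k % N
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def hash_to_point(label):
    """Transparent generator via try-and-increment hash-to-curve: nobody learns a
    discrete-log relation between generators, hence no trusted setup. Uses P = 3 mod 4."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"{label}|{ctr}".encode()).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs: return (x, y)
        ctr += 1

def msm(scalars, points):
    R = None
    for s, Q in zip(scalars, points): R = ec_add(R, ec_mul(s, Q))
    return R

def inner(a, b): return sum(x * y for x, y in zip(a, b)) % N

def enc(pt): return b"\0" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(tr, *pts):
    """Fiat-Shamir: absorb (L, R) into the running transcript, squeeze a non-zero scalar."""
    for pt in pts: tr.update(enc(pt))
    x = int.from_bytes(tr.copy().digest(), "big") % N
    return x or 1

def commit(g, h, u, a, b):
    """P = <a, g> + <b, h> + <a, b> u  (additive form of g^a h^b u^<a,b>)."""
    return msm(list(a) + list(b) + [inner(a, b)], list(g) + list(h) + [u])

def ipa_prove(g, h, u, Pc, a, b):
    """Recursive halving: each round sends (L, R) and folds all vectors with challenge x."""
    tr = hashlib.sha256(b"ipa-toy" + enc(Pc))
    g, h, a, b, Ls, Rs = list(g), list(h), list(a), list(b), [], []
    while len(a) > 1:
        m = len(a) // 2
        aL, aR, bL, bR = a[:m], a[m:], b[:m], b[m:]
        gL, gR, hL, hR = g[:m], g[m:], h[:m], h[m:]
        L = msm(aL + bR + [inner(aL, bR)], gR + hL + [u])
        R = msm(aR + bL + [inner(aR, bL)], gL + hR + [u])
        x = challenge(tr, L, R); xi = pow(x, -1, N)
        a = [(x * aL[i] + xi * aR[i]) % N for i in range(m)]
        b = [(xi * bL[i] + x * bR[i]) % N for i in range(m)]
        g = [ec_add(ec_mul(xi, gL[i]), ec_mul(x, gR[i])) for i in range(m)]
        h = [ec_add(ec_mul(x, hL[i]), ec_mul(xi, hR[i])) for i in range(m)]
        Ls.append(L); Rs.append(R)
    return Ls, Rs, a[0], b[0]          # proof: 2*log2(n) points + 2 scalars

def ipa_verify(g, h, u, Pc, proof):
    """Re-derive challenges, fold generators and P, then check the size-1 instance."""
    Ls, Rs, a, b = proof
    tr = hashlib.sha256(b"ipa-toy" + enc(Pc))
    g, h = list(g), list(h)
    for L, R in zip(Ls, Rs):
        m = len(g) // 2
        x = challenge(tr, L, R); xi = pow(x, -1, N)
        g = [ec_add(ec_mul(xi, g[i]), ec_mul(x, g[i + m])) for i in range(m)]
        h = [ec_add(ec_mul(x, h[i]), ec_mul(xi, h[i + m])) for i in range(m)]
        Pc = ec_add(Pc, ec_add(ec_mul(x * x, L), ec_mul(xi * xi, R)))   # P' = P + x^2 L + x^-2 R
    return len(g) == 1 and Pc == msm([a, b, a * b % N], [g[0], h[0], u])

def demo(n=8):
    """Constructed witness; returns (honest proof accepted, tampered proof rejected, proof size)."""
    g = [hash_to_point(f"g{i}") for i in range(n)]
    h = [hash_to_point(f"h{i}") for i in range(n)]
    u = hash_to_point("u")
    a = [(7 * i + 3) % N for i in range(n)]
    b = [(i * i + 1) % N for i in range(n)]
    Pc = commit(g, h, u, a, b)
    proof = ipa_prove(g, h, u, Pc, a, b)
    bad = ipa_prove(g, h, u, Pc, a, b[:-1] + [(b[-1] + 1) % N])   # prover lies about b
    return ipa_verify(g, h, u, Pc, proof), ipa_verify(g, h, u, Pc, bad), 2 * len(proof[0]) + 2

if __name__ == "__main__":
    print(demo())
```

The verifier above folds the generators round by round, which costs \(O(n)\) group operations; that linear verifier cost, together with the \(O(\log n)\) proof size, is exactly the barrier the abstract says pairing-based constructions such as TENET are designed to break.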
Notes
- 1.
To the best of our knowledge, [7] is the oldest reference introducing the DLR. Although the DLR is widely used because it is equivalent to the DL, we could not find the original reference that first proved the equivalence. Instead, we provide a recent reference [20] for the proof of the equivalence between the DLR and the DL.
- 2.
The complexity of computing \({\boldsymbol{v}}'_\ell \) is \(O(ndR^2)\). However, in \(\textsf{TENET}\), the prover sets \({\boldsymbol{v}}_{s,\ell }=\textbf{1}\) for all distinct \(s,\ell \). For this reason, the exponentiations for the redundant terms can be omitted.
- 3.
Once \({\boldsymbol{v}}_s\) and \({\boldsymbol{w}}_s\) are constructed, the extractor extracts the witness from them. During extraction, the extractor never decomposes \({\boldsymbol{v}}_s\) into the individual \({\boldsymbol{v}}[i,j]\). Hence, replacing the transmission of \({\boldsymbol{v}}\in {\mathbb {G}}_1^{n\times 2d(2d-1)}\) by \(\bar{\boldsymbol{v}}\in {\mathbb {G}}_1^{4d-2}\) in Sect. 3.3 does not affect soundness.
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016)
Arun, A., Ganesh, C., Lokam, S.V., Mopuri, T., Sridhar, S.: Dew: transparent constant-sized zkSNARKs. Cryptology ePrint Archive, Report 2022/419 (2022). https://eprint.iacr.org/2022/419.pdf
Attema, T., Cramer, R., Kohl, L.: A compressed \(\sigma \)-protocol theory for lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 549–579. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_19
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Bowe, S., Grigg, J., Hopwood, D.: Recursive proof composition without a trusted setup (2019). https://eprint.iacr.org/2019/1021
Brands, S.: Untraceable off-line cash in wallet with observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_26
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy 2018, pp. 315–334. IEEE (2018)
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24
Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part III. LNCS, vol. 13092, pp. 65–97. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_3
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Chung, H., Han, K., Ju, C., Kim, M., Seo, J.H.: Bulletproofs+: shorter proofs for a privacy-enhanced distributed ledger. IEEE Access 10, 42067–42082 (2022)
Daza, V., Ràfols, C., Zacharakis, A.: Updateable inner product argument with logarithmic verifier and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 527–557. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_18
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://eprint.iacr.org/2019/953.pdf
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18, 186–208 (1989)
Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_12
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
Kim, S., Lee, H., Seo, J.H.: Efficient zero-knowledge arguments in discrete logarithm setting: sublogarithmic proof or sublinear verifier. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13792, pp. 403–433. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-22966-4_14
Lai, R.W.F., Malavolta, G., Ronge, V.: Succinct arguments for bilinear group arithmetic: practical structure-preserving cryptography. In: ACM CCS 2019, pp. 2057–2074 (2019)
Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part II. LNCS, vol. 13043, pp. 1–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_1
Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge snarks from linear-size universal and updatable structured reference strings. In: ACM CCS 2019, pp. 2111–2128. Association for Computing Machinery (2019)
Seo, J.H.: Round-efficient sub-linear zero-knowledge arguments for linear algebra. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 387–402. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_24
Seo, J.H.: Short round sub-linear zero-knowledge argument for linear algebraic relations. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 95(4), 776–789 (2012)
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: IEEE Symposium on Security and Privacy 2018, pp. 926–943. IEEE (2018)
Zhou, Z., Zhang, Z., Tao, H., Li, T., Zhao, B.: Efficient inner product arguments and their applications in range proofs. IET Inf. Secur. 17, 485–504 (2023)
Acknowledgement
This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) grant funded by the Korea Government (MSIT) (A Study on Cryptographic Primitives for SNARK, under Grant 20210007270012002.)
A Appendix
A.1 Proof of Theorem 1
Proof
(completeness) If \(m=1\), completeness holds by perfect completeness of \(\mathsf {BP_{IP}}\). Consider the case \(m>1\).
Now, we claim that \(\overrightarrow{{{\boldsymbol{g}}}^{{\boldsymbol{a}}}}\circ \overrightarrow{{{\boldsymbol{h}}}^{{\boldsymbol{b}}}}\circ \widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}}=\overrightarrow{{{\boldsymbol{g}}'}^{{\boldsymbol{a}}'}}\circ \overrightarrow{{{\boldsymbol{h}}'}^{{\boldsymbol{b}}'}}\) and \(u^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\cdot {\boldsymbol{w}}^{{\boldsymbol{x}}}=u^{\langle {\boldsymbol{a}}',{\boldsymbol{b}}' \rangle }\). From the prover’s computation, we obtain the following equations:
From the equation \(P'={\boldsymbol{E}}(\overrightarrow{{{\boldsymbol{g}}'}^{{{\boldsymbol{a}}}'}}\circ \overrightarrow{{{\boldsymbol{h}}'}^{{{\boldsymbol{b}}}'}},{\boldsymbol{H}})\cdot e(u,U)^{\langle {{\boldsymbol{a}}'}, {{\boldsymbol{b}}'} \rangle }\), the updated instance-witness pair \(({\boldsymbol{g}}',{\boldsymbol{h}}',{\boldsymbol{H}},u,U,P';{\boldsymbol{a}}',{\boldsymbol{b}}')\) belongs to the relation \(\mathcal R\).
(witness extended emulation) To show computational witness extended emulation, we construct an expected polynomial-time extractor that extracts the witness from a polynomially bounded tree of accepting transcripts; the general forking lemma [5] then yields the claim.
The case \((m=1)\) is clear because \(\mathsf {BP_{IP}}\) has witness extended emulation [8]. Let us focus on the case \((m>1)\). We prove that, for each recursive step on input \(({\boldsymbol{g}}, {\boldsymbol{h}},{\boldsymbol{H}}, u,U,P)\), we can efficiently extract the witness vectors \({\boldsymbol{a}}\) and \({\boldsymbol{b}}\) from the prover under the DLR assumption, whose instance is the CRS \({\boldsymbol{g}}\parallel {\boldsymbol{h}}\parallel u\) on \({\mathbb {G}}_1\) and \({\boldsymbol{H}}\parallel U\) on \({\mathbb {G}}_2\). First, the extractor runs the prover to obtain \({\boldsymbol{v}}\in {\mathbb {G}}_1^{n\times {2d(2d-1)}}\) and \({\boldsymbol{w}}\in {\mathbb {G}}_1^{2d(2d-1)}\). At this point, the extractor rewinds the prover \(12d-5\) times and feeds it \(12d-5\) non-zero challenges \(x_t\) such that all \(x_t^2\) are distinct. The extractor then obtains \(12d-5\) pairs \({\boldsymbol{a}}'_t\) and \({\boldsymbol{b}}'_t \) such that, for \(t\in [12d-5]\),
where \(\underset{j-i=s}{\bigcirc }{\boldsymbol{v}}[i,j]={\boldsymbol{v}}_s\in {\mathbb {G}}_1^n\) and \(\underset{j-i=s}{\bigcirc }w[i,j]=w_s\in {\mathbb {G}}_1\) (see Footnote 3).
The left-hand side (LHS) of Eq. (1) is a Laurent polynomial in \(x_t\) whose exponents are even integers between \(-4n+2\) and \(4n-2\). Our \(4n+1\) distinct challenges \(x_t\) determine P. Then the extractor can compute \({\boldsymbol{v}}_P,w_P\) such that \(P={\boldsymbol{E}}({\boldsymbol{v}}_P,{\boldsymbol{H}})e(w_P,U)\). By the q-pairing assumption, whose instance is the CRS \({\boldsymbol{H}}\parallel U\) on \({\mathbb {G}}_2\), we can separate the \({\boldsymbol{H}}\) and U terms and obtain two equations:
for all \(t\in [12d-5]\).
The extractor knows all the exponents \(x_t^{j-i},x_t^{-i}, x_t^j, {\boldsymbol{a}}'_t\), and \({\boldsymbol{b}}'_t\) in Eq. (2) from the \(4d-2\) distinct challenges. There are \(4d-1\) distinct powers of \(x_t^2\) on the LHS of Eq. (2). Thus, using the inverse of the matrix M and elementary linear algebra on the public exponents of the first \(4d-1\) equalities in Eq. (2), the extractor can find the exponent matrices \(\{ {\boldsymbol{a}}_{P,r}, {\boldsymbol{b}}_{P,r} \}_{r\in I_d}\) and \(\{ {\boldsymbol{a}}_{s,r}, {\boldsymbol{b}}_{s,r}\}_{r\in I_d}\) for \(s\in J_d\) satisfying
We claim that the concatenations of the submatrices \({\boldsymbol{a}}_{P,r},{\boldsymbol{b}}_{P,r}\in \mathbb {Z}_p^{m'\times n}\) are valid witnesses.
By the discrete logarithm relation assumption, we can separate the exponents. For all \(t\in [12d-5]\) and \(r\in I_d\), we obtain
Multiply Eq. (6) by \(x_t^r\) and Eq. (7) by \(x_t^{-r}\). Then the exponents of \(x_t\) in both equations range between \(-6d+3\) and \(6d-3\) as r ranges over \(I_d\) and s over \(J_d\), and the equations hold for all \(t\in [12d-5]\). The \(12d-5\) distinct challenges \(\{x_t\}\) determine polynomials \(f, g:\mathbb {Z}_p\rightarrow \mathbb {Z}_p^{m\times n}\) satisfying the following equations:
for all \(r\in I_d\). Notice that the RHSs of Eq. (8) do not depend on the choice of r. Since r ranges between \(-2d+1\) and \(2d-1\), the Laurent polynomials f(X) and g(X) have exponents between \(-2d+1\) and \(2d-1\). Then, we obtain the following equations:
In the same way as for the exponent vectors \({\boldsymbol{a}}_{P,r}\) and \({\boldsymbol{b}}_{P,r}\), the extractor can obtain exponents \(c_P,c_s\in \mathbb {Z}_p\) such that \(w_P=u^{c_P}\) and \(w_s=u^{c_s}\). Substituting the results of Eq. (9) into the RHS of Eq. (2), we obtain the following equation:
The exponent equation \(c_P+\sum _{s\in J_d}c_sx_t^s=\sum _{i,j\in I_d}\langle {\boldsymbol{a}}_{P,j},{\boldsymbol{b}}_{P,i}\rangle x_t^{j-i}\) holds by the DLR assumption. The \(8n-3\) distinct values determine the coefficients of this equation. Therefore, the emulator extracts a valid witness \({\boldsymbol{a}}_P,{\boldsymbol{b}}_P\), which satisfies \(c_P=\sum _{i\in I_d}\langle {\boldsymbol{a}}_{P,i},{\boldsymbol{b}}_{P,i}\rangle =\langle {\boldsymbol{a}}_P, {\boldsymbol{b}}_P \rangle \). \(\square \)
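The step the proof repeats several times (rewind on enough distinct challenges, read the verification equation as a Laurent polynomial in \(x_t\), then solve a linear system in the public exponents to recover the committed coefficients) is the same in every instance, so here it is carried out generically. This is an added illustration with constructed data, not the paper's Eqs. (1)-(9): a relation \(\sum_{k\in K} c_k x^k = y(x)\) with a known exponent set \(K\) is solved for the \(c_k\) by Gauss-Jordan elimination over a toy prime field. It also shows why the extractor insists on challenges whose squares are all distinct: when only even exponents occur, as on the LHS of Eq. (1), two challenges \(x\) and \(-x\) give identical rows and the system is singular. The modulus `P`, and the names `solve_mod_p`, `laurent_eval` and `extract`, are our assumptions.

```python
# Toy prime standing in for the group order p; the group is never touched here,
# only the exponent field, which is what the DLR step of the proof leaves us with.
P = 2**61 - 1

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over Z_P. Returns the solution vector, or None
    when the matrix is singular (some challenge set fails to determine the coefficients)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % P), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        s = pow(M[col][col], -1, P)
        M[col] = [v * s % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] % P:
                f = M[r][col]
                M[r] = [(vr - f * vc) % P for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def laurent_eval(coeffs, x):
    """coeffs: {exponent: coefficient}; negative exponents use the inverse of x mod P."""
    return sum(c * pow(x, k, P) for k, c in coeffs.items()) % P

def extract(exponents, challenges, evals):
    """Recover {c_k : k in exponents} from evals[t] = f(challenges[t]).
    The matrix [x_t^k] is a generalised Vandermonde matrix. For the even exponent
    set {-2D, ..., 2D}, multiplying row t by x_t^{2D} turns it into an ordinary
    Vandermonde matrix in x_t^2, which is invertible iff all x_t^2 are distinct."""
    A = [[pow(x, k, P) for k in exponents] for x in challenges]
    sol = solve_mod_p(A, evals)
    return None if sol is None else dict(zip(exponents, sol))

def demo():
    """Constructed coefficients with even exponents only, as on the LHS of Eq. (1)."""
    coeffs = {-4: 7, -2: 11, 0: 3, 2: 5, 4: 9}
    K = sorted(coeffs)
    good = [2, 3, 5, 7, 11]            # five challenges with five distinct squares
    bad = [2, P - 2, 3, 5, 7]          # 2 and -2 share a square: rows coincide
    recovered = extract(K, good, [laurent_eval(coeffs, x) for x in good])
    singular = extract(K, bad, [laurent_eval(coeffs, x) for x in bad])
    return recovered == coeffs, singular is None

if __name__ == "__main__":
    print(demo())
```

In the proof the same computation is done symbolically: the \(12d-5\) challenges supply at least as many independent equations as there are unknown exponent matrices, and the "inverse matrix of M" used for Eq. (2) plays the role of `solve_mod_p` above.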
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lee, H., Seo, J.H. (2023). TENET: Sublogarithmic Proof and Sublinear Verifier Inner Product Argument without a Trusted Setup. In: Shikata, J., Kuzuno, H. (eds) Advances in Information and Computer Security. IWSEC 2023. Lecture Notes in Computer Science, vol 14128. Springer, Cham. https://doi.org/10.1007/978-3-031-41326-1_12
DOI: https://doi.org/10.1007/978-3-031-41326-1_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41325-4
Online ISBN: 978-3-031-41326-1