TENET: Sublogarithmic Proof and Sublinear Verifier Inner Product Argument without a Trusted Setup

Abstract

We propose a new inner product argument (IPA), called TENET, which features sublogarithmic proof size and sublinear verifier without a trusted setup. IPA is a core primitive for various advanced proof systems including range proofs, circuit satisfiability, and polynomial commitment, particularly where a trusted setup is hard to apply. At ASIACRYPT 2022, Kim, Lee, and Seo showed that pairings can be utilized to exceed the complexity barrier of the previous discrete logarithm-based IPA without a trusted setup. More precisely, they proposed two pairing-based IPAs, one with sublogarithmic proof size and the other one with sublinear verifier cost, but they left achieving both complexities simultaneously as an open problem. We investigate the obstacles for this open problem and then provide our solution TENET, which achieves both sublogarithmic proof size and sublinear verifier. We prove the soundness of TENET under the discrete logarithm assumption and double pairing assumption.

A Appendix

1.1 A.1 Proof of Theorem 1

Proof

(completeness) If \(m=1\), completeness holds by perfect completeness of \(\mathsf {BP_{IP}}\). Consider the case \(m>1\).

$$\begin{aligned} \begin{aligned} P'&=P\cdot \nu \cdot e(\mu ,U)=P\cdot {\boldsymbol{E}}(\widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}},{\boldsymbol{H}})\cdot e({\boldsymbol{w}}^{{\boldsymbol{x}}},U)\\&={\boldsymbol{E}}(\overrightarrow{{{\boldsymbol{g}}}^{{\boldsymbol{a}}}} \circ \overrightarrow{{{\boldsymbol{h}}}^{{\boldsymbol{b}}}},{\boldsymbol{H}}) \cdot e(u,U)^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\cdot {\boldsymbol{E}}(\widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}},{\boldsymbol{H}})\cdot e({\boldsymbol{w}}^{{\boldsymbol{x}}} ,U)\\&={\boldsymbol{E}}(\overrightarrow{{{\boldsymbol{g}}}^{{\boldsymbol{a}}}}\circ \overrightarrow{{{\boldsymbol{h}}}^{{\boldsymbol{b}}}}\circ \widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}},{\boldsymbol{H}})\cdot e(u^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\cdot {\boldsymbol{w}}^{{\boldsymbol{x}}},U)\\ \end{aligned} \end{aligned}$$

Now, we claim that \(\overrightarrow{{{\boldsymbol{g}}}^{{\boldsymbol{a}}}}\circ \overrightarrow{{{\boldsymbol{h}}}^{{\boldsymbol{b}}}}\circ \widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}}=\overrightarrow{{{\boldsymbol{g}}'}^{{\boldsymbol{a}}'}}\circ \overrightarrow{{{\boldsymbol{h}}'}^{{\boldsymbol{b}}'}}\) and \(u^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\cdot {\boldsymbol{w}}^{{\boldsymbol{x}}}=u^{\langle {\boldsymbol{a}}',{\boldsymbol{b}}' \rangle }\). From the prover’s computation, we achieve the following equations:

$$\begin{aligned} \overrightarrow{{{\boldsymbol{g}}}^{{\boldsymbol{a}}}}\circ \overrightarrow{{{\boldsymbol{h}}}^{{\boldsymbol{b}}}}\circ \widehat{{{\boldsymbol{v}}}^{{\boldsymbol{x}}}}&=\big (\circ _{i\in I_d}\overrightarrow{{{\boldsymbol{g}}_i}^{{\boldsymbol{a}}_i}}\circ \overrightarrow{{{\boldsymbol{h}}_i}^{{\boldsymbol{b}}_i}}\big )\circ \big (\circ _{i,j\in I_d\wedge i\ne j}(\overrightarrow{{{\boldsymbol{g}}_i}^{{\boldsymbol{a}}_j}}\circ \overrightarrow{{{\boldsymbol{h}}_j}^{{\boldsymbol{b}}_i}})^{x^{j-i}}\big )\\&=\circ _{i,j\in I_d}(\overrightarrow{{{\boldsymbol{g}}_i}^{{\boldsymbol{a}}_j}}\circ \overrightarrow{{{\boldsymbol{h}}_j}^{{\boldsymbol{b}}_i}})^{x^{j-i}}\\&=\overrightarrow{{\big (\circ _{i\in I_d}{\boldsymbol{g}}_i^{x^{-i}}\big )}^{(\sum _{j\in I_d} x^j{\boldsymbol{a}}_j)}}\circ \overrightarrow{{\big (\circ _{j\in I_d}{\boldsymbol{h}}_j^{x^j}\big )}^{(\sum _{i\in I_d}x^{-i}{\boldsymbol{b}}_i)}}\\&=\overrightarrow{{{\boldsymbol{g}}'}^{{\boldsymbol{a}}'}}\circ \overrightarrow{{{\boldsymbol{h}}'}^{{\boldsymbol{b}}'}} \end{aligned}$$

$$\begin{aligned} u^{\langle {\boldsymbol{a}},{\boldsymbol{b}}\rangle }\cdot {\boldsymbol{w}}^{{\boldsymbol{x}}}&=\prod _{i\in I_d}{u}^{\langle {\boldsymbol{a}}_i, {\boldsymbol{b}}_i \rangle } \cdot \prod _{i,j\in I_d\wedge i\ne j}{u}^{\langle {\boldsymbol{a}}_j x^j,{\boldsymbol{b}}_i x^{-i} \rangle }=\prod _{i,j\in I_d}{u}^{\langle {\boldsymbol{a}}_j x^j,{\boldsymbol{b}}_i x^{-i} \rangle }\\&=u^{\langle {\sum _{j\in I_d} {\boldsymbol{a}}_j x^j}, {\sum _{i\in I_d} {\boldsymbol{b}}_i x^{-i}}\rangle }=u^{\langle {{\boldsymbol{a}}'}, {{\boldsymbol{b}}'} \rangle } \end{aligned}$$

From the equation \(P'={\boldsymbol{E}}(\overrightarrow{{{\boldsymbol{g}}'}^{{{\boldsymbol{a}}}'}}\circ \overrightarrow{{{\boldsymbol{h}}'}^{{{\boldsymbol{b}}}'}},{\boldsymbol{H}})\cdot e(u,U)^{\langle {{\boldsymbol{a}}'}, {{\boldsymbol{b}}'} \rangle }\), the updated instance-witness pair \(({\boldsymbol{g}}',{\boldsymbol{h}}',{\boldsymbol{H}},u,U,P';{\boldsymbol{a}}',{\boldsymbol{b}}')\) belongs to the relation \(\mathcal R\)

(witness extended emulation) In order to show the computational witness extended emulation, we construct an expected polynomial time extractor whose goal is to extract the witness using a polynomially bounded tree of accepting transcripts. If so, we can apply the general forking lemma [5].

The case \((m=1)\) is clear because \(\mathsf {BP_{IP}}\) has witness extended emulation [8]. Let us focus on the case \((m>1)\). We prove that, for each recursive step on input \(({\boldsymbol{g}}, {\boldsymbol{h}},{\boldsymbol{H}}, u,U,P)\), we can efficiently extract from the prover witness vectors \({\boldsymbol{a}}\) and \({\boldsymbol{b}}\) under the DLR assumption, whose instance is the CRS \({\boldsymbol{g}}\parallel {\boldsymbol{h}}\parallel u\) on \({\mathbb {G}}_1\) and \({\boldsymbol{H}}\parallel u\) on \({\mathbb {G}}_2\). First, the extractor runs the prover to obtain \({\boldsymbol{v}}\in {\mathbb {G}}_1^{n\times {2d(2d-1)}}\) and \({\boldsymbol{w}}\in {\mathbb {G}}_1^{2d(2d-1)}\). At this point, the extractor rewinds the prover \(12d-5\) times and feeds \(12d-5\) non-zero challenges \(x_t\) such that all \(x_t^2\) are distinct. Then, the extractor obtains \(12d-5\) pairs \({\boldsymbol{a}}'_t\) and \({\boldsymbol{b}}'_t \) such that for \(t\in [12d-5]\),

$$\begin{aligned} \begin{aligned} P\cdot \prod _{s\in J_d} \left( {\boldsymbol{E}}({\boldsymbol{v}}_s,{\boldsymbol{H}}) e(w_s,U)\right) ^{x_t^s}=P'_t ={\boldsymbol{E}}\left( \underset{i\in I_d}{\bigcirc }\overrightarrow{{\big ({\boldsymbol{g}}_i^{x_t^{-i}}\big )}^{{\boldsymbol{a}}_t'}}\circ \overrightarrow{{\big ({\boldsymbol{h}}_i^{x_t^{i}}\big )}^{{\boldsymbol{b}}_t'}},{\boldsymbol{H}}\right) e\left( u^{\langle {\boldsymbol{a}}'_t, {\boldsymbol{b}}'_t\rangle },U\right) \end{aligned} \end{aligned}$$

(1)

where \(\underset{j-i=s}{\bigcirc }{\boldsymbol{v}}[i,j]={\boldsymbol{v}}_s\in {\mathbb {G}}_1^n, \underset{j-i=s}{\bigcirc }w[i,j]=w_s\in {\mathbb {G}}_1\).³

The left-hand side (LHS) of Eq. (1) has exponentiation of \(x_t\), and its degree takes even integers between \(-4n+2\) and \(4n-2\). Our \(4n+1\) distinct challenges \(x_t\) determine P. Then, the extractor can compute \({\boldsymbol{v}}_P,w_P\) such that \(P={\boldsymbol{E}}({\boldsymbol{v}}_P,{\boldsymbol{H}})e(w_P,U)\). By q-pairing assumption whose instance is the CRS \({\boldsymbol{H}}\parallel U\) on \({\mathbb {G}}_2\), we can separate the \({\boldsymbol{H}}\) and U terms. Then, we obtain two equations:

(2)

(3)

for all \(t\in [12d-5]\).

The extractor knows all the exponents \(x_t^{j-i},x_t^{-i}, x_t^j, {\boldsymbol{a}}'_t\), and \({\boldsymbol{b}}'_t\) in Eq. (2) from \(4d-2\) distinct challenges. There are \(4d-1\) distinct powers of \(x_t^2\) in the LHS in Eq. (2). Thus, by using the inverse matrix of M and elementary linear algebra in the public exponents of the first \(4d-1\) equalities in Eq. (2), the extractor can find the exponent matrices \(\{ {\boldsymbol{a}}_{P,r}, {\boldsymbol{b}}_{P,r} \}_{r\in I_d}\) and \(\{ {\boldsymbol{a}}_{s,r}, {\boldsymbol{b}}_{s,r}\}_{r\in I_d}\) for \(s\in J_d\) satisfying

$$\begin{aligned} {\boldsymbol{v}}_P=\underset{r\in I_d}{\bigcirc }\overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_{P,r}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{\boldsymbol{b}}_{P,r}}},\quad {\boldsymbol{v}}_s=\underset{r\in I_d}{\bigcirc }\overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_{s,r}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{\boldsymbol{b}}_{s,r}}} \end{aligned}$$

(4)

We claim that concatenation of submatrices \({\boldsymbol{a}}_{P,r},{\boldsymbol{b}}_{P,r}\in \mathbb {Z}_p^{m'\times n}\) are valid witnesses.

Combine Eq. (4) with Eq. (2):

$$\begin{aligned} \begin{aligned} {\boldsymbol{v}}_P\circ \big (\underset{s\in J_d}{\bigcirc }{\boldsymbol{v}}_s^{x_t^s}\big )&=\underset{r\in I_d}{\bigcirc } \overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_{P,r}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{\boldsymbol{b}}_{P,r}}}\circ (\underset{s\in J_d}{\bigcirc }\overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_{s,r}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{\boldsymbol{b}}_{s,r}}})^{x_t^s}\\&=\underset{r\in I_d}{\bigcirc } \overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_{P,r}+{\sum _{s\in J_d}{\boldsymbol{a}}_{s,r}x_t^s}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{{\boldsymbol{b}}_{P,r}+{\sum _{s\in J_d}{\boldsymbol{b}}_{s,r}}x_t^s}}}\\&=\underset{r\in I_d}{\bigcirc } \overrightarrow{{{\boldsymbol{g}}_r}^{{\boldsymbol{a}}_t^{\prime }x_t^{-r}}}\circ \overrightarrow{{{\boldsymbol{h}}_r}^{{\boldsymbol{b}}_t^{\prime }x_t^{r}}} \end{aligned} \end{aligned}$$

(5)

By discrete logarithm relation assumption, we can separate exponents. For all \(t\in [12d-5]\) and \(r\in I_d\), we obtain

(6)

(7)

Let both Eq. (6) and Eq. (7) be multiplied by \(x_t^r\) and \(x_t^{-r}\) respectively. Then, both equations have degrees of \(x_t\) range between \(6d-3\) and \(-6d+3\) according to \(r\in I_d\) and \(s\in J_d\), and it holds for all \(t\in [12d-5]\). \(12d-5\) distinct challenges \(\{x_t\}\) determine polynomials \(f, g:\mathbb {Z}_p\rightarrow \mathbb {Z}_p^{m\times n}\) satisfying the following equations:

$$\begin{aligned} {\boldsymbol{a}}_{P,r}X^r+\sum _{s\in J_d}{\boldsymbol{a}}_{s,r}X^{s+r}=f(X),\quad {\boldsymbol{b}}_{P,r}X^{-r}+\sum _{s\in J_d}{\boldsymbol{b}}_{s,r}X^{s-r}=g(X) \end{aligned}$$

(8)

for all \(r\in I_d\). Notice that the RHSs of Eq. (8) do not depend on the choice of r. Since the possible value of r is between \(-2d+1\) and \(r=2d-1\), the polynomials f(X) and g(X) take degrees between \(-2d+1\) and \(2d-1\). Then, we obtain the following equations:

$$\begin{aligned} {\boldsymbol{a}}'_t=\sum _{r\in I_d}{\boldsymbol{a}}_{P,r}x_t^r,\quad {\boldsymbol{b}}'_t=\sum _{r\in I_d}{\boldsymbol{b}}_{P,r}x_t^{-r} \end{aligned}$$

(9)

In a similar way to obtain exponent vectors \({\boldsymbol{a}}_{P,r}\) \({\boldsymbol{b}}_{P,r}\), the extractor can obtain exponents \(c_P,c_s\in \mathbb {Z}_p\) such that \(w_P=u^{c_P}\) and \(w_s=u^{c_s}\). In the RHS in Eq. (2), let us put the results of Eq. (9). Then, we obtain the following equation:

$$\begin{aligned} u^{c_P}\cdot \prod _{s\in J_d}u^{c_sx_t^s}=u^{\langle {\boldsymbol{a}}'_t,{\boldsymbol{b}}'_t\rangle }=\prod _{i,j\in I_d}u^{\sum _{i,j\in I_d}\langle {\boldsymbol{a}}_{P,j},{\boldsymbol{b}}_{P,i}\rangle x_t^{j-i} } \end{aligned}$$

(10)

The exponents equation \(c_P+\sum _{s\in J_d}c_sx_t^s=\sum _{i,j\in I_d}\langle {\boldsymbol{a}}_{P,j},{\boldsymbol{b}}_{P,i}\rangle x_t^{j-i}\) holds by DLR assumption. The \(8n-3\) distinct values determine the coefficient of the equation. Therefore, the emulator extracts valid witness \({\boldsymbol{a}}_P,{\boldsymbol{b}}_P\), which satisfies \(c_P=\sum _{i\in I_d}\langle {\boldsymbol{a}}_{P,i},{\boldsymbol{b}}_{P,i}\rangle =\langle {\boldsymbol{a}}_P, {\boldsymbol{b}}_P \rangle \).   \(\square \)