Abstract
A succinct non-interactive argument (SNARG) is called holographic if the verifier runs in time sub-linear in the input length when given oracle access to an encoding of the input. We present holographic SNARGs for P and Batch-NP under the learning with errors (LWE) assumption. Our holographic SNARG for P has a verifier that runs in time \(\textsf{poly}(\lambda , \log T, \log n)\) for T-time computations and \(n\)-bit inputs (\(\lambda \) is the security parameter), while our holographic SNARG for Batch-NP has a verifier that runs in time \(\textsf{poly}(\lambda , T, \log k)\) for k instances of T-time computations. Before this work, constructions with the same asymptotic efficiency were known in the designated-verifier setting or under the sub-exponential hardness of the LWE assumption. We obtain our holographic SNARGs (in the public-verification setting under the polynomial hardness of the LWE assumption) by constructing holographic SNARGs for certain hash computations and then applying known/trivial transformations.
As an application, we use our holographic SNARGs to weaken the assumption needed for a recent public-coin 3-round zero-knowledge (ZK) argument [Kiyoshima, CRYPTO 2022]. Specifically, we use our holographic SNARGs to show that a public-coin 3-round ZK argument exists under the same assumptions as the state-of-the-art private-coin 3-round ZK argument [Bitansky et al., STOC 2018].
This work was done while the author was a member of NTT Research.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In SNARGs for Batch-NP computations, a statement consists of multiple instances of an NP language, and the prover tries to convince the verifier that all the instances belong to the language. The communication complexity and the verification time are required to be smaller than the naive check.
- 2.
- 3.
For the definition of low-degree extensions, see, e.g., [14].
- 4.
- 5.
In this overview, we view \(\textsf{rt}_i\) as a hash of a vector that consists of \(2^i\) blocks, where each block is a \(\lambda \)-bit string. Thus, \(\textsf{SEH}\mathsf {.}\textsf{Ext}\) extracts a \(\lambda \)-bit string as the \(\sigma \)-th position of the pre-image. .
- 6.
\(S_i\) is efficiently verifiable by a circuit that has \(\{\textsf{td}_{\textbf{u}} \}_{\textbf{u}\in \mathbb {F}^{m_{\lambda }}}\) and \(\{\widehat{x}(\textbf{u}, \textbf{v}^*) \}_{\textbf{u}\in \mathbb {F}^{m_{\lambda }}}\) as hardwired inputs.
- 7.
The definition is slightly modified in that the size of \(C\) is required to be bounded by T rather than an arbitrary polynomial.
- 8.
For convenience, we use a slightly weaker bound than prior works [25], where the bound is \(O(L_{\pi }) + n\cdot \textsf{poly}(\lambda )\).
- 9.
If not, it suffices to additionally use any LWE-based somewhere extractable hash function family (cf. Theorem 2) as a building block in our scheme.
- 10.
E.g, \(|\mathbb {H} |=\lceil \log N \rceil \), \(|\mathbb {F} |=\textsf{poly}(|\mathbb {H} |)\), and \(m= \lceil \log _{|\mathbb {H} |}N \rceil \).
- 11.
The concrete requirements about \(\textsf{poly}_X\), \(\textsf{poly}_Y\), \(\textsf{poly}_T\), and \(\rho \) are determined based on \(\textsf{SEH}\) and \(\textsf{param}_{\textrm{LDE}}\) (cf. the proof of Claim 2).
- 12.
In \(\textsf{SEH}\text {-}\textsf{Del}\) and \(\textsf{SEH}\text {-}\textsf{Del}_{\textrm{sub}}\), \(\textsf{SEH}\) is used for strings over a finite field (cf. Sect. 3.3).
- 13.
The recursive structure of \(\textsf{SEH}\text {-}\textsf{Del}_{\textrm{sub}}\) is the reason why we define it w.r.t. strings over finite fields.
References
Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: 23rd ACM STOC, pp. 21–31. ACM Press, May 1991. https://doi.org/10.1145/103418.103428
Badrinarayanan, S., Kalai, Y.T., Khurana, D., Sahai, A., Wichs, D.: Succinct delegation for low-space non-deterministic computation. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 709–721. ACM Press, June 2018. https://doi.org/10.1145/3188745.3188924
Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: a paradigm for keyless hash functions. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 671–684. ACM Press, June 2018. https://doi.org/10.1145/3188745.3188870
Brakerski, Z., Holmgren, J., Kalai, Y.T.: Non-interactive delegation and batch NP verification from standard computational assumptions. In: Hatami, H., McKenzie, P., King, V. (eds.) 49th ACM STOC, pp. 474–482. ACM Press, June 2017. https://doi.org/10.1145/3055399.3055497
Bronfman, L., Rothblum, R.D.: PCPs and instance compression from a cryptographic lens. In: Braverman, M. (ed.) 13th Innovations in Theoretical Computer Science Conference (ITCS 2022). Leibniz International Proceedings in Informatics (LIPIcs), vol. 215, pp. 30:1–30:19. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2022). https://doi.org/10.4230/LIPIcs.ITCS.2022.30. https://drops.dagstuhl.de/opus/volltexte/2022/15626
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004). https://doi.org/10.1145/1008731.1008734
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27
Choudhuri, A.R., Jain, A., Jin, Z.: Non-interactive batch arguments for NP from standard assumptions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 394–423. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_14
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\cal{{P}} \) from LWE. Cryptology ePrint Archive, Report 2021/808, Version 20211108:181325 (2021). https://eprint.iacr.org/2021/808. An extended version of [11]
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\cal{P} \) from LWE. In: 62nd FOCS, pp. 68–79. IEEE Computer Society Press, February 2022. https://doi.org/10.1109/FOCS52979.2021.00016
Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_9
Devadas, L., Goyal, R., Kalai, Y., Vaikuntanathan, V.: Rate-1 non-interactive arguments for batch-NP and applications. In: 63rd FOCS, pp. 1057–1068. IEEE Computer Society Press, October/November 2022. https://doi.org/10.1109/FOCS54457.2022.00103
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. J. ACM 62(4), 27:1–27:64 (2015)
Gur, T., Rothblum, R.D.: A hierarchy theorem for interactive proofs of proximity. In: Papadimitriou, C.H. (ed.) ITCS 2017, vol. 4266, pp. 39:1–39:43. LIPIcs, 67, January 2017. https://doi.org/10.4230/LIPIcs.ITCS.2017.39
Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: Parallel repetition of GMW is not zero-knowledge). Cryptology ePrint Archive, Report 2021/286, Version 20210307:022349 (2021). https://eprint.iacr.org/2021/286. An extended version of [17]
Holmgren, J., Lombardi, A., Rothblum, R.D.: Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, p. 750–760. ACM Press, June 2021. https://doi.org/10.1145/3406325.3451116
Holmgren, J., Rothblum, R.: Delegating computations with (almost) minimal time and space overhead. In: Thorup, M. (ed.) 59th FOCS, pp. 124–135. IEEE Computer Society Press, October 2018. https://doi.org/10.1109/FOCS.2018.00021
Hsiao, C.Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (Aug 2004). https://doi.org/10.1007/978-3-540-28628-8_6
Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Roughgarden, T. (ed.) ITCS 2015, pp. 163–172. ACM, January 2015. https://doi.org/10.1145/2688073.2688105
Hulett, J., Jawale, R., Khurana, D., Srinivasan, A.: SNARGs for P from sub-exponential DDH and QR. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 520–549. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_18
Jawale, R., Kalai, Y.T., Khurana, D., Zhang, R.Y.: SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 708–721. ACM Press, June 2021. https://doi.org/10.1145/3406325.3451055
Kalai, Y., Paneth, O., Yang, L.: How to delegate computations publicly. Cryptology ePrint Archive, Report 2019/603, Version 20190602:113205 (2019). https://eprint.iacr.org/2019/603. An extended version of [25]
Kalai, Y.T., Paneth, O.: Delegating RAM computations. In: Hirt, M., Smith, A.D. (eds.) TCC 2016-B, Part II. LNCS, vol. 9986, pp. 91–118. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_4
Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1115–1124. ACM Press, June 2019. https://doi.org/10.1145/3313276.3316411
Kalai, Y.T., Raz, R., Rothblum, R.D.: How to delegate computations: the power of no-signaling proofs. J. ACM 69(1), 1–82 (2022). https://doi.org/10.1145/3456867
Kalai, Y.T., Rothblum, R.D.: Arguments of proximity - [extended abstract]. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 422–442. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_21
Kalai, Y.T., Vaikuntanathan, V., Zhang, R.Y.: Somewhere statistical soundness, post-quantum security, and SNARGs. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part I. LNCS, vol. 13042, pp. 330–368. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-90459-3_12
Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th ACM STOC, pp. 723–732. ACM Press, May 1992. https://doi.org/10.1145/129712.129782
Kiyoshima, S.: Public-coin 3-round zero-knowledge from Learning with Errors and keyless multi-collision-resistant hash. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 444–473. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15802-5_16
Paneth, O., Pass, R.: Incrementally verifiable computation via rate-1 batch arguments. In: 63rd FOCS, pp. 1045–1056. IEEE Computer Society Press, October/November 2022. https://doi.org/10.1109/FOCS54457.2022.00102
Rothblum, G.N., Vadhan, S.P., Wigderson, A.: Interactive proofs of proximity: delegating computation in sublinear time. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 793–802. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488709
Waters, B., Wu, D.J.: Batch arguments for NP and more from standard bilinear group assumptions. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 433–463. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_15
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Kiyoshima, S. (2023). Holographic SNARGs for P and Batch-NP from (Polynomially Hard) Learning with Errors. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-48621-0_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48620-3
Online ISBN: 978-3-031-48621-0
eBook Packages: Computer ScienceComputer Science (R0)