Succinct Non-subsequence Arguments

Abstract

Lookup arguments have recently attracted a lot of developments due to their applications in the constructions of succinct non-interactive arguments of knowledge (SNARKs). A closely related topic is subsequence arguments in which one can prove that string \(\textbf{s}\) is a subsequence of another string \(\textbf{t}\), i.e., deleting some characters in \(\textbf{t}\) can achieve \(\textbf{s}\). A dual notion, namely, non-subsequence arguments, is to prove that \(\textbf{s}\) is not a subsequence of \(\textbf{t}\). These problems have a lot of important applications in DNA sequence analysis, internet of things, blockchains, natural language processing, speech recognition, etc. However, despite their applications, they are not well-studied in cryptography, especially succinct arguments for non-subsequences with efficient proving time and sublinear verification time.

In this work, we propose the first succinct non-subsequence argument. Our solution applies the sumcheck protocol and is instantiable by any multivariate polynomial commitment schemes (PCSs). We achieve an efficient prover whose running time is linear in the size of sequences \(\textbf{s}\), \(\textbf{t}\) and their respective alphabet \(\varSigma \). Our proof is succinct and the verifier time is sublinear assuming the employed PCS has succinct commitments and sublinear verification time. When instantiating with Sona PCS (EUROCRYPT’24), we achieve proof size \(\mathcal {O}(\log _2|\textbf{s}| + \log _2|\textbf{t}|+\log _2|\varSigma |)\), prover time \(\mathcal {O}(|\textbf{s}|+|\textbf{t}|+|\varSigma |)\) and verifier time \(\mathcal {O}(\sqrt{|\textbf{s}|}+\sqrt{|\textbf{t}|}+\sqrt{|\varSigma |})\).

Extending our technique, we can achieve a batch subsequence argument for proving in batch k interleaving subsequence and non-subsequence arguments without proof size suffering a linear blow-up in k.

A Proof of Lemma 1

Proof

(Proof of Lemma 1). We prove this lemma by induction.

For the base case with \(p_0 = 0\), it is trivial since an empty string is a subsequence of an empty string.

Assume by inductive hypothesis that, for \(j \in [N-1]\), \(p_{j - 1}\) is the maximum index satisfying

$$(s_1, \dots , s_{p_{j-1}})\lhd (t_1, \dots , t_{j - 1}).$$

Now, we prove that this is also true w.r.t. \(p_j\), i.e., the maximum index satisfying \((s_1, \dots , s_{p_j}) \lhd (t_1, \dots , t_j)\). We claim that \(p_{j - 1} \le p_j \le p_{j - 1} + 1\). It is trivial to see that \(p_{j - 1} \le p_j\) since a subsequence to \((t_1, \dots , t_{j -1})\) is also a subsequence of \((t_1, \dots , t_j)\). What happens if \(p_j \ge p_{j - 1} + 2\)?

Since \((s_1, \dots , s_{p_{j-1}}) \lhd (t_1, \dots , t_{j-1})\), we know that there exist \(\textsf{id}_1, \dots , \textsf{id}_{p_{j-1}}\) satisfying

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf{id}_1 < \dots < \textsf{id}_{p_{j-1}} \le j - 1,\\ (s_1, \dots , s_{p_{j - 1}}) = (t_{\textsf{id}_1}, \dots , t_{\textsf{id}_{p_{j-1}}}). \end{array}\right. } \end{aligned}$$

Hence, if \(p_j \ge p_{j - 1} + 2\), we know that there exist \(\textsf{id}_{p_{j - 1} + 1}\) and \(\textsf{id}_{p_{j - 1}+2}\) satisfying

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf{id}_1 < \dots < \textsf{id}_{p_{j - 1} +2} \le j,\\ (s_1, \dots , s_{p_{j - 1} + 2}) = (t_{\textsf{id}_1}, \dots , t_{\textsf{id}_{p_{j - 1} + 2}}). \end{array}\right. } \end{aligned}$$

If \(\textsf{id}_{p_{j - 1} + 1} \le j - 1\), then it contradicts to the fact that \(p_{j - 1}\) is the maximum index satisfying \((s_1, \dots , s_{p_{j-1}})\lhd (t_1, \dots , t_{j - 1})\). Hence, \(j - 1 < \textsf{id}_{p_{j - 1} + 1} \le j\). Therefore, we also have \(j - 1 < \textsf{id}_{p_{j - 1} + 1} < \textsf{id}_{p_{j-1}+2} \le j\), a contradiction since there cannot exist two distinct integers in \((j-1,j]\). Thus, \(p_{j - 1} \le p_j \le p_{j - 1} + 1\).

With the above argument, we know that, if \(p_j = p_{j - 1} + 1\), then it must hold that \(\textsf{id}_{p_{j-1} + 1} = \textsf{id}_{p_j} = j\) which only happens when \(s_{p_{j - 1} + 1} = t_j\). Thus, we deduce that \(p_j = p_{j - 1} + 1\), if \(s_{p_{j -1} + 1} = t_j\), and \(p_{j} = p_{j-1}\), otherwise. We hence conclude the proof.    \(\square \)