Scalable Zero Knowledge Via Cycles of Elliptic Curves

Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the verifier is computationally weak.
