SNARGs for Bounded Depth Computations from Sub-Exponential LWE

We construct a succinct non-interactive publicly-verifiable delegation scheme for any log-space uniform circuit under the sub-exponential LWE assumption, a standard assumption that is believed to be post-quantum secure. For a circuit of size S and depth D, the prover runs in time poly(S), and the verifier runs in time (D+n)·S, where n is the input size. We obtain this result by slightly modifying the GKR protocol and proving that the Fiat-Shamir heuristic is sound when applied to this modified protocol. We build on the recent works of Canetti et al. (STOC 2019) and Peikert and Shiehian (Crypto 2020), which prove the soundness of the Fiat-Shamir heuristic when applied to a specific (non-succinct) zero-knowledge protocol. As a corollary, by the work of Choudhuri et al. (STOC 2019), this implies that the complexity class PPAD is hard (on average) under the sub-exponential LWE assumption, assuming that #SAT with o(log n · log log n) variables is hard (on average).
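To make concrete what "applying the Fiat-Shamir heuristic to the GKR protocol" means, here is an added example (not code from the paper) of the sum-check sub-protocol at GKR's core, compiled to a non-interactive proof by deriving each round's challenge from a hash of the transcript. The prime modulus, SHA-256 as the hash, and the verifier holding the full evaluation table for the final check are assumptions; in GKR that final check is instead reduced to the next circuit layer.

```python
import hashlib

P = (1 << 61) - 1  # assumed prime field modulus (a Mersenne prime)


def challenge(transcript):
    """Fiat-Shamir: the next challenge is a hash of everything sent so far."""
    digest = hashlib.sha256(transcript.encode()).digest()
    return int.from_bytes(digest, "big") % P


def fold(vals, r):
    """Fix the most significant remaining variable to r in the multilinear
    extension given by its evaluations on {0,1}^k (index = binary point)."""
    half = len(vals) // 2
    return [(vals[j] * (1 - r) + vals[j + half] * r) % P for j in range(half)]


def mle_eval(table, point):
    """Evaluate the multilinear extension of `table` at `point` in F_P^n."""
    vals = list(table)
    for r in point:
        vals = fold(vals, r)
    return vals[0]


def prove(table):
    """Non-interactive sum-check: returns the claimed sum over {0,1}^n and,
    per round, the linear polynomial g_i given by (g_i(0), g_i(1))."""
    claim = sum(table) % P
    transcript, rounds, vals = f"claim:{claim}", [], list(table)
    while len(vals) > 1:
        half = len(vals) // 2
        g0, g1 = sum(vals[:half]) % P, sum(vals[half:]) % P
        rounds.append((g0, g1))
        transcript += f"|{g0},{g1}"          # commit g_i before deriving r_i
        vals = fold(vals, challenge(transcript))
    return claim, rounds


def verify(table, claim, rounds):
    """Re-derive every challenge from the transcript, check g_i(0)+g_i(1)
    equals the running claim, then check the final point against the MLE."""
    transcript, expected, point = f"claim:{claim}", claim, []
    for g0, g1 in rounds:
        if (g0 + g1) % P != expected:
            return False
        transcript += f"|{g0},{g1}"
        r = challenge(transcript)
        point.append(r)
        expected = (g0 * (1 - r) + g1 * r) % P  # g_i(r) by linear interpolation
    return len(point) > 0 and expected == mle_eval(table, point)
```

A prover who alters a claim or a round polynomial cannot retroactively pick the challenge, because the challenge is recomputed by the verifier from the transcript that includes the altered message.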

[1] R. Raz et al., How to delegate computations: the power of no-signaling proofs, 2014, Electron. Colloquium Comput. Complex.

[2] Omer Paneth et al., On Publicly Verifiable Delegation From Standard Assumptions, 2018, IACR Cryptol. ePrint Arch.

[3] Omer Paneth et al., On Zero-Testable Homomorphic Encryption and Publicly Verifiable Non-interactive Arguments, 2017, TCC.

[4] Eylon Yogev et al., Hardness of Continuous Local Search: Query Complexity and Cryptographic Lower Bounds, 2017, SODA.

[5] Jens Groth et al., Short Pairing-Based Non-interactive Zero-Knowledge Arguments, 2010, ASIACRYPT.

[6] Krzysztof Pietrzak et al., Simple Verifiable Delay Functions, 2018, IACR Cryptol. ePrint Arch.

[7] Boaz Barak et al., How to go beyond the black-box simulation barrier, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[8] Zvika Brakerski et al., Witness Indistinguishability for Any Single-Round Argument with Applications to Access Control, 2020, Public Key Cryptography.

[9] Christos H. Papadimitriou et al., On the Complexity of the Parity Argument and Other Inefficient Proofs of Existence, 1994, J. Comput. Syst. Sci.

[10] Carsten Lund et al., Algebraic methods for interactive proof systems, 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[11] Brent Waters et al., Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, 2013, CRYPTO.

[12] Yael Tauman Kalai et al., Succinct delegation for low-space non-deterministic computation, 2018, STOC.

[13] Ilan Komargodski et al., Continuous Verifiable Delay Functions, 2020, IACR Cryptol. ePrint Arch.

[14] Yael Tauman Kalai et al., Non-interactive delegation and batch NP verification from standard computational assumptions, 2017, STOC.

[15] Ran Canetti et al., Succinct Garbling and Indistinguishability Obfuscation for RAM Programs, 2015, STOC.

[16] Kai-Min Chung et al., Delegating RAM Computations with Adaptive Soundness and Privacy, 2016, TCC.

[17] Oded Goldreich et al., On Doubly-Efficient Interactive Proof Systems, 2018, Found. Trends Theor. Comput. Sci.

[18] Eli Ben-Sasson et al., Interactive Oracle Proofs, 2016, TCC.

[19] Yael Tauman Kalai et al., Delegating RAM Computations, 2016, TCC.

[20] Nir Bitansky et al., On the Cryptographic Hardness of Finding a Nash Equilibrium, 2015, FOCS.

[21] Kai-Min Chung et al., Cryptography for Parallel RAM from Indistinguishability Obfuscation, 2016, ITCS.

[22] Vinod Vaikuntanathan et al., Fiat-Shamir for Repeated Squaring with Applications to PPAD-Hardness and VDFs, 2020, IACR Cryptol. ePrint Arch.

[23] Ron Rothblum et al., Fiat-Shamir: from practice to theory, 2019, STOC.

[24] Guy N. Rothblum et al., Constant-Round Interactive Proofs for Delegating Computation, 2016, Electron. Colloquium Comput. Complex.

[25] Yael Tauman Kalai et al., Multi-collision resistance: a paradigm for keyless hash functions, 2018, IACR Cryptol. ePrint Arch.

[26] Abhi Shelat et al., Doubly-Efficient zkSNARKs Without Trusted Setup, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[27] Yael Tauman Kalai et al., How to delegate computations publicly, 2019, IACR Cryptol. ePrint Arch.

[28] Amos Fiat et al., How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[29] Silvio Micali et al., CS Proofs (Extended Abstracts), 1994, FOCS 1994.

[30] Ivan Damgård et al., Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks, 1991, CRYPTO.

[31] Yael Tauman Kalai et al., Delegation for bounded space, 2013, STOC '13.

[32] Adi Shamir et al., IP = PSPACE, 1992, JACM.

[33] Mihir Bellare et al., Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[34] Ran Canetti et al., Succinct Adaptive Garbled RAM, 2015, IACR Cryptol. ePrint Arch.

[35] Yael Tauman Kalai et al., On the Space Complexity of Linear Programming with Preprocessing, 2016, Electron. Colloquium Comput. Complex.

[36] Sanjam Garg et al., Revisiting the Cryptographic Hardness of Finding a Nash Equilibrium, 2016, CRYPTO.

[37] David Chaum et al., Minimum Disclosure Proofs of Knowledge, 1988, J. Comput. Syst. Sci.

[38] Paul W. Goldberg et al., The complexity of computing a Nash equilibrium, 2006, STOC '06.

[39] Nir Bitansky et al., Succinct Randomized Encodings and their Applications, 2015, IACR Cryptol. ePrint Arch.

[40] Ivan Damgård et al., Secure Two-Party Computation with Low Communication, 2012, IACR Cryptol. ePrint Arch.

[41] Xiaotie Deng et al., Settling the complexity of computing two-player Nash equilibria, 2007, JACM.

[42] James Bartusek et al., On the (In)security of Kilian-Based SNARGs, 2019, IACR Cryptol. ePrint Arch.

[43] Joe Kilian et al., A note on efficient zero-knowledge proofs and arguments (extended abstract), 1992, STOC '92.

[44] Vinod Vaikuntanathan et al., How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption, 2012, IACR Cryptol. ePrint Arch.

[45] Allison Bishop et al., Indistinguishability Obfuscation for Turing Machines with Unbounded Memory, 2015, IACR Cryptol. ePrint Arch.

[46] Yael Tauman Kalai et al., On the (In)security of the Fiat-Shamir paradigm, 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings.

[47] Guy N. Rothblum et al., PPAD-Hardness via Iterated Squaring Modulo a Composite, 2019, IACR Cryptol. ePrint Arch.

[48] Nir Bitansky et al., The Hunting of the SNARK, 2016, Journal of Cryptology.

[49] Chris Peikert et al., Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors, 2019, IACR Cryptol. ePrint Arch.

[50] Silvio Micali et al., Computationally Sound Proofs, 2000, SIAM J. Comput.

[51] Jacques Stern et al., Security Proofs for Signature Schemes, 1996, EUROCRYPT.

[52] Guy N. Rothblum et al., Finding a Nash equilibrium is no easier than breaking Fiat-Shamir, 2019, IACR Cryptol. ePrint Arch.

[53] Nir Bitansky et al., Recursive composition and bootstrapping for SNARKS and proof-carrying data, 2013, STOC '13.

[54] Yael Tauman Kalai et al., Delegating computation: interactive proofs for muggles, 2008, STOC.

[55] Ran Canetti et al., Fully Succinct Garbled RAM, 2016, ITCS.

[56] Craig Gentry et al., Quadratic Span Programs and Succinct NIZKs without PCPs, 2013, IACR Cryptol. ePrint Arch.

[57] Moni Naor et al., On Cryptographic Assumptions and Challenges, 2003, CRYPTO.

[58] Helger Lipmaa et al., Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments, 2012, TCC.

[59] Nir Bitansky et al., Succinct Non-Interactive Arguments via Linear Interactive Proofs, 2013, Journal of Cryptology.

[60] D. Cantor et al., A new algorithm for factoring polynomials over finite fields, 1981.

[61] Ron Rothblum et al., Fiat-Shamir and Correlation Intractability from Strong KDM-Secure Encryption, 2018, IACR Cryptol. ePrint Arch.