Recursive composition and bootstrapping for SNARKS and proof-carrying data

Succinct non-interactive arguments of knowledge (SNARKs) enable verifying NP statements with complexity that is essentially independent of that required for classical NP verification. In particular, they provide strong solutions to the problem of verifiably delegating computation. We construct the first fully-succinct publicly-verifiable SNARK. To do that, we first show how to "bootstrap" any SNARK that requires expensive preprocessing to obtain a SNARK that does not, while preserving public verifiability. We then apply this transformation to known SNARKs with preprocessing. Moreover, the SNARK we construct only requires of the prover time and space that are essentially the same as that required for classical NP verification. Our transformation assumes only collision-resistant hashing; curiously, it does not rely on PCPs. We also show an analogous transformation for privately-verifiable SNARKs, assuming fully-homomorphic encryption. At the heart of our transformations is a technique for recursive composition of SNARKs. This technique uses in an essential way the proof-carrying data (PCD) framework, which extends SNARKs to the setting of distributed networks of provers and verifiers. Concretely, to bootstrap a given SNARK, we recursively compose the SNARK to obtain a "weak" PCD system for shallow distributed computations, and then use the PCD framework to attain stronger notions of SNARKs and PCD systems.
