Abstract
Most efficient zero-knowledge arguments lack a concrete security analysis, making parameter choices and efficiency comparisons challenging. This is even more true for non-interactive versions of these systems obtained via the Fiat-Shamir transform, for which the security guarantees generically derived from the interactive protocol are often too weak, even when assuming a random oracle.
This paper initiates the study of state-restoration soundness in the algebraic group model (AGM) of Fuchsbauer, Kiltz, and Loss (CRYPTO ’18). This is a stronger notion of soundness for an interactive proof or argument which allows the prover to rewind the verifier, and which is tightly connected with the concrete soundness of the non-interactive argument obtained via the Fiat-Shamir transform.
We propose a general methodology to prove tight bounds on state-restoration soundness, and apply it to variants of Bulletproofs (Bootle et al., S&P ’18) and Sonic (Maller et al., CCS ’19). To the best of our knowledge, our analysis of Bulletproofs gives the first non-trivial concrete security analysis for a non-constant round argument combined with the Fiat-Shamir transform.
Keywords
 Zero-knowledge proof systems
 Concrete security
 Fiat-Shamir transform
 Algebraic group model
 State-restoration soundness
1 Introduction
The last decade has seen zero-knowledge proof systems [1] gain enormous popularity in the design of efficient privacy-preserving systems. Their concrete efficiency is directly affected by the choice of a security parameter, yet concrete security analyses are rare and, as we explain below, hit upon technical barriers, even in ideal models (such as the random-oracle [2] or the generic-group models [3, 4]). This has led to parameter choices not backed by proofs, and to efficiency comparisons across protocols with possibly incomparable levels of security. This paper addresses the question of narrowing this gap for protocols whose security can be analyzed in the Algebraic Group Model [5].
A concrete example. It is convenient to start with an example to illustrate the challenges encountered in proving concrete security of proof systems. We focus on Bulletproofs [6], which are argument systems with applications in cryptocurrencies^{Footnote 1} and in verifiably deterministic signatures [9], and which in turn optimize prior work [10]. The soundness^{Footnote 2} analysis (of their interactive version) is asymptotic, based on the hardness of the discrete logarithm problem (DLP). Even when instantiated from 256-bit elliptic curves, due to the absence of a tight concrete reduction, we have no formal guarantee on concrete security. Indeed, recent work [11] gives concrete soundness bounds in the generic-group model with somewhat unfavorable dependence on the size of the statement being proved, and no better analysis is known.
Even more importantly, existing bounds are for the interactive version of the protocol, but Bulletproofs are meant to be used non-interactively via the Fiat-Shamir (FS) transform [12]. However, the (folklore) analysis of the FS transform gives no useful guarantees: Namely, for a soundness bound \(\varepsilon \) on the interactive ZK proof system, the resulting NIZK has soundness \(q^r \varepsilon \), where q is the number of random-oracle queries, and r is the number of challenges sent by the verifier. For Bulletproofs, we have \(\varepsilon \ge 2^{-256}\) (this is the probability of merely guessing the discrete log), and if (say) \(r = \varTheta (\log (n)) \ge 16\), we only get security for (at best) \(q \le 2^{16}\) queries, which is clearly insufficient.
Overview of this paper. This paper studies the concrete security of succinct proof systems in the algebraic group model (AGM) [5], with the goal of developing (near-)exact security bounds. The AGM considers in particular algebraic provers that provide representations of group elements to the reduction (or to the extractor), and has been used successfully to study security in a variety of contexts. More specifically, this work is the first to look at multi-round public-coin protocols and their non-interactive version obtained via the Fiat-Shamir transform. For the latter, we aim for bounds with linear degradation in the number of random oracle queries q even for a large number of rounds r, as opposed to the \(q^r\) degradation obtained from naïve analyses. Prior work [5] has focused on the simpler case of linear-PCP based SNARKs [13], which are built from two-move interactive proofs and without the FS transform.
The soundness of non-interactive systems resulting from the FS transform is tightly related to the state-restoration soundness [14, 15] of the underlying interactive protocol, where the cheating prover can rewind the verifier as it pleases, until it manages to complete a full accepting interaction with the verifier. No non-trivial bounds on state-restoration soundness are currently known for any non-constant round argument.
We propose a general framework to quantitatively study the state-restoration version of witness-extended emulation (wee) [16, 17] (which implies both state-restoration soundness and a proof-of-knowledge property) in the AGM. We then apply it to three case studies, which include two variants of Bulletproofs, as well as Sonic [18]. These protocols have previously been analyzed only with respect to plain soundness in the interactive setting. The analysis of Bulletproofs relies in particular on the Forking Lemma of Bootle et al. [10], which was only very recently made concrete [11]. We believe that our framework can be applied to a number of other protocols, such as Hyrax [19], Dory [20] or pairing-based instantiations of IOPs [21, 22], and leave their analysis for future work.
Remark 1
We stress that our approach differs formally from prior and concurrent works (e.g., [18, 22]) which use the AGM to give a heuristic validation of the security of a component of a protocol, which is then however assumed to satisfy extractability properties compatible with a standard-model proof (i.e., an AGM extractor is used as a standard-model extractor). Here, we aim for full analyses in the AGM, and as we point out in our technical overview below, these approaches actually do not give a full-fledged proof in the AGM (beyond not giving a proof in the standard model either).
Bulletproofs. We apply our framework to two instantiations of Bulletproofs – the first is for range proofs, and the other is for general satisfiability of arithmetic circuits. For example, in the former, a prover shows in \(O(\log n)\) rounds that for a given Pedersen commitment \(C = g^vh^r\) in a cyclic group \(\mathbb {G}\) of prime order p we have \(v \in [0, 2^n)\). (Here, clearly, \(2^n \le p\).)
For the final non-interactive protocol obtained via the FS transform, our result implies that an (algebraic) t-time prover making q random-oracle queries can break security as a Proof of Knowledge (when properly formalized) with advantage roughly
where \(\mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(t)\) is the advantage of breaking the DLP within time t. In the generic group model, this is roughly \(O(t^2/p)\), and this bound justifies the instantiation of Bulletproofs from a 256-bit curve. For arithmetic circuit satisfiability, we obtain a similar bound.
Tightness and discussion. Assuming \(\mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(t) \sim t^2/p\) (which is true in the generic group model), the above bound implies in particular that for most values of n,^{Footnote 3} the term O(qn/p) is not leading. Still, we show that the dependence on n is necessary – in particular, we show that there exist n, p for which we can construct a cheating prover that can break soundness with probability \(\varOmega (q n/p)\), meaning that this part of the bound is tight. (Our argument can be extended to all bounds claimed in the paper.) Also, the term \(\mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(t)\) is clearly necessary, given that breaking the DLP would directly give us an attack. This makes our bound essentially exact (up to small constants).
AGM and composition. A challenging aspect of our analysis is the difficulty of dealing with composition. The core of Bulletproofs is indeed its \(O(\log (n))\)-round inner-product argument. In the standard model, and in the interactive case, it is not hard to reduce the security (as a proof of knowledge) of the full-fledged system using Bulletproofs to the analysis of the underlying inner-product argument, but it is not that clear how to do this generically in the AGM. In particular, in the AGM, the adversary provides representations of group elements to the reduction (or the extractor), and these representations are given as a function of all previously provided group elements. The problem is that when analyzing a protocol in isolation (such as the inner-product argument) the bases with respect to which elements are described are not necessarily the same as those that would be available to a cheating algebraic prover against the full protocol. This makes it hard to use an extractor for the inner-product argument in isolation as a subroutine to obtain an extractor for a protocol using it. Also, because we consider state-restoration soundness, a sub-protocol can be initiated by a cheating prover several times, with several choices of these basis elements.
The downside of this is that our analyses are not modular, at least not at a level which treats sub-protocols as isolated building blocks – we give two different analyses for two different instantiations of Bulletproofs, and the shared modularity is at the algebraic level.
We discuss this further at the end of our technical overview below.
Sonic. As a second application, we study Sonic [18]. This is a constant-round protocol, and in particular one with \(3M+2\) challenges for some constant \(M\ge 1\). In this case, the folklore analysis of the FS transform can be used to obtain a non-trivial bound, incurring a multiplicative loss of \(q^{3M+2}\) from the soundness of the interactive version. Here, we want to show that this loss is not necessary and also obtain a bound which degrades linearly in q. Moreover, no concrete soundness bound for Sonic was given even in the interactive setting.
We ignore the stronger requirement of updatable witness-extended emulation because our pedagogical point here is that our framework can improve soundness even for constant-round protocols.
We also note that Sonic’s proof already uses the AGM to justify security of the underlying polynomial commitment scheme, but follows the (heuristic) pattern described above where the resulting extractor is expected to behave as a standard-model one, and is used within a standard-model proof.
Adaptive vs non-adaptive soundness. It is important to understand that one can consider both adaptive and non-adaptive provers, where the former also chooses the input for which it attempts to provide a proof. Clearly, one expects adaptive provers to be harder to handle, but this is not necessarily true for algebraic provers – in particular, if the input contains group elements, the extractor can obtain useful information (and, possibly, directly extract) from their group representation. While this does not render the proof trivial at all, it turns out that for non-adaptive security, the proof is even harder. In this paper, we deal mostly with adaptive provers, but for the case of range proofs (where the inputs are commitments in a group), we also give a proof for non-adaptive security – the resulting bound is increased to the square root of the adaptive bound, due to our limited use of rewinding.
Related work: Proofs vs arguments. We clarify that state-restoration soundness has been studied for several forms of interactive proofs [14, 15, 23, 24], also in its equivalent form of “round-by-round” soundness. Some proof systems satisfy it directly (such as those based on the sumcheck protocol [25]), whereas any proof with non-trivial (plain) soundness can be amplified into one with sufficient state-restoration soundness (e.g., with parallel repetition). This is because (similar to our statement about the Fiat-Shamir transform above) one can naïvely infer that a concrete soundness bound \(\varepsilon \) implies a state-restoration soundness bound \(q^r \varepsilon \), where r is the number of challenges, and thus \(\varepsilon \) needs to be smaller than \(q^{-r}\).
However, we do not know of any non-trivial bounds on state-restoration soundness for multi-round arguments based on computational assumptions (as opposed to, say, arguments in the ROM), and moreover, soundness amplification (e.g., [26,27,28,29]) does not reduce soundness beyond the largest negligible function, and this is insufficient to absorb the \(q^r\) loss.
Beyond the AGM. Our results are inherently based on online extraction, which is only meaningful in ideal models or using knowledge assumptions. One scenario where ideal models are inherently used is in the compilation of IOPs into NIZKs in the ROM via the BCS transform [14] – it is unclear whether our technique can be used to give tight state-restoration soundness bounds for systems such as Aurora [30] and STARK [31].
Concurrent Work. In a recently updated version of [32], Bünz et al. analyse the soundness of the non-interactive inner-product argument of Bulletproofs in the AGM. We provide a brief comparison with their result in the full version [34], but note here that their analysis is asymptotic, and gives weaker concrete security (insufficient for instantiations on 256-bit curves) when made concrete.
1.1 Overview of Our Techniques
We give a general framework to derive tight bounds on state-restoration soundness in the AGM. In fact, we will target the stronger notion of witness-extended emulation [16, 17], which we adapt to state-restoration provers. Recall first that the main characteristic of the AGM is that it allows the reduction, or in our case the extractor, to access representations of group elements. A contribution of independent interest is to set up a formal framework to define extraction in the AGM.
Preface: Online Extraction in the AGM. In the AGM, the reduction (or an extractor) obtains representations of each group element in terms of all previously seen group elements. A useful feature of the AGM is that it often (but not always) allows us to achieve online witness extraction, as already observed in [5, 33]. In other words, by looking at the representation of the group elements provided by the prover in a single interaction, the extractor is able to extract a witness, without the need of rewinding.
Online extraction, however, immediately appears to be very useful to tame the complexity of state-restoration provers. Indeed, one can visualize an interaction of an adversarial state-restoration prover \(\mathcal {P}^*\) with the verifier V as defining an execution tree. In particular, \(\mathcal {P}^*\) wins if it manages to create a path in the execution tree associated with an accepting (simple) transcript \(\tau = (a_1, c_1, a_2, \ldots , c_{r}, a_{r+1})\), where \(a_1, a_2, \ldots , a_{r+1}\) are \(\mathcal {P}^*\)’s messages, and \(c_1, \ldots , c_r\) are the verifier’s challenges. (We focus on public-coin protocols here.) Online extraction from a single transcript \(\tau \) directly implies extraction here, because a witness can directly be extracted locally from the path \(\tau \) (and the corresponding representations of group elements), disregarding what happened in the rest of the execution tree. In particular, the probability that \(\mathcal {P}^*\) succeeds equals the probability that a witness is extracted. Without online extraction, we would have to use rewinding – but current techniques [10, 11] do not seem to easily extend to state-restoration provers.
However, this only holds for perfect online extraction – in general, we may be able to generate transcripts which are accepting, but for which no witness can be extracted. This is typically because of two reasons:

Bad Challenges. A bad choice of challenges may prevent witness extraction.

Violating an assumption. A transcript is accepting, but the resulting interaction corresponds to a violation of some underlying assumption (i.e., one can extract a nontrivial discrete logarithm relation).
Our framework will exactly follow this pattern. For an r-challenge public-coin protocol, we identify bad challenges, i.e., for each \(i \in [r]\), input x, and partial transcript \(\tau ' = (a_1, c_1, \ldots ,a_{i-1},c_{i-1}, a_{i})\), we define a set of bad challenges \(c_i\) which would make extraction impossible. Crucially, these sets are defined according to a simple interaction transcript (i.e., not a state-restoration one) and can be defined according to the representation of group elements in the transcript so far. Then, given a transcript \(\tau \) with no bad challenges, we show that:

We can either extract a witness for x from \(\tau \) (and the representations of the group elements in \(\tau \)).

We can use \(\tau \) (and the representation of the group elements in terms of the public parameters) to break some underlying assumption.
To illustrate this, we give a non-trivial example next, which considers a simplified instance of the inner product argument at the core of Bulletproofs, but which already captures all subtleties of the model.
Inner-Product Argument of Bulletproofs. In the inner product argument the prover proves that a group element \(P\in \mathbb {G}\) is a well-formed commitment to vectors \(\mathbf {a},\mathbf {b}\in \mathbb {Z}_p^n\) and their inner-product \(\langle {\mathbf {a}},{\mathbf {b}} \rangle \).^{Footnote 4} More precisely, the prover wants to prove to the verifier that \(P=\mathbf {g}^{\mathbf {a}}\mathbf {h}^{\mathbf {b}}u^{\langle {\mathbf {a}},{\mathbf {b}} \rangle }\) where \(\mathbf {g}\in \mathbb {G}^n,\mathbf {h}\in \mathbb {G}^n, u \in \mathbb {G}\) are independent generators of \(\mathbb {G}\).
Here, we shall focus on the special case \(n=2\) first, and below discuss challenges in scaling our analysis up to any n. The prover first sends to the verifier group elements L, R where
The verifier samples x uniformly at random from \(\mathbb {Z}_p^*\) and sends it to the prover. We then define
The prover sends \(a'=a_1 x+a_2 x^{-1}\) and \(b'=b_1x^{-1}+b_2 x\) to the verifier, which in turn accepts if and only if
Extraction for \(n = 2\). For this discussion, we focus in particular on the notion of adaptive soundness, that is, the prover provides P along with its representation, so we get \(\mathbf {a}'=(p_{g_1},p_{g_2})\), \(\mathbf {b}'=(p_{h_1},p_{h_2})\) and \(p_u\) such that \(P=\mathbf {g}^{\mathbf {a}'}\mathbf {h}^{\mathbf {b}'}u^{p_u}\). At first, it looks like we are done – after all, we can just check whether \(\langle \mathbf {a}', \mathbf {b}' \rangle = p_u\), and if so, output \((\mathbf {a}', \mathbf {b}')\) as our witness. Unfortunately, things are not that simple – we need to ensure that no accepting transcript \(\tau =((L,R),x,(a',b'))\), i.e., one such that \(P'=(g')^{a'}(h')^{b'}u^{a'b'}\), is ever produced if \(\langle \mathbf {a}', \mathbf {b}' \rangle \ne p_u\), for otherwise our naïve extraction would fail.
To this end, we will prove that if the cheating prover can produce an accepting interaction while \(\langle \mathbf {a}', \mathbf {b}' \rangle \ne p_u\), then we can solve the discrete logarithm problem in the group \(\mathbb {G}\). We construct an adversary \(\mathcal {A}\) that takes as inputs \(g_1, g_2, h_1, h_2,u\) and attempts to return a non-trivial discrete logarithm relation between them. (Breaking this is tightly equivalent to breaking the discrete logarithm problem.) Concretely, the adversary \(\mathcal {A}\) gives \(g_1, g_2, h_1, h_2, u\) as input to the cheating prover \(\mathcal {P}\), which first returns an adaptively chosen input \(P \in \mathbb {G}\), along with its algebraic representation
The adversary then simulates the execution of \(\mathcal {P}\) with an honest verifier further, and assumes it generates an accepting transcript \(\tau =((L,R),x,(a',b'))\) – this transcript contains the representations of L, R such that \(L = g_1^{l_{g_1}} g_2^{l_{g_2}} h_1^{l_{h_1}} h_2^{l_{h_2}} u^{l_u}\) and \(R = g_1^{r_{g_1}} g_2^{r_{g_2}} h_1^{r_{h_1}} h_2^{r_{h_2}} u^{r_u}\), and since it is an accepting transcript we have
We can plug in the representations of L, R into the equality and obtain values \(e_{g_1}, e_{g_2}, e_{h_1}, e_{h_2}, e_u\) such that
For example \(e_{g_1}=x^{-1}a'-l_{g_1}x^{2}-r_{g_1}x^{-2}-p_{g_1}\) and \(e_u=a'b'-l_{u}x^{2}-r_{u}x^{-2}-p_{u}\).
The adversary \(\mathcal {A}\) then simply outputs \((e_{g_1}, e_{g_2}, e_{h_1}, e_{h_2}, e_u)\) – it has found a nontrivial discrete logarithm relation if \((e_{g_1}, e_{g_2}, e_{h_1}, e_{h_2}, e_u)\ne (0,0,0,0,0)\), which we next show happens with very high probability if \(p_u \ne p_{g_1} p_{h_1} + p_{g_2} p_{h_2}\).
Suppose \((e_{g_1}, e_{g_2}, e_{h_1}, e_{h_2}, e_u)=(0,0,0,0,0)\). From \(e_{g_1}=0\), we have that \(x^{-1}a'-l_{g_1}x^{2}-r_{g_1}x^{-2}-p_{g_1}=0\). Since \(x\ne 0\), we get that \(a'=l_{g_1}x^3+r_{g_1}x^{-1}+p_{g_1}x\). Similarly from \(e_{g_2}=0\), we would get \(a'=l_{g_2}x+p_{g_2}x^{-1}+r_{g_2}x^{-3}\). With high probability over the choice of x’s, by the Schwartz-Zippel Lemma, we can infer by equating both right-hand sides that
Similarly, from \(e_{h_1} = 0\) and \(e_{h_2} = 0\), we obtain that
for most x’s. Finally, from \(e_u =0\), we similarly learn that
Hence from the above
Since we have that \(p_{g_1} p_{h_1} + p_{g_2} p_{h_2} \ne p_u\), the above equality holds with very small probability over the choice of x’s.
Hence we have shown that \((e_{g_1}, e_{g_2}, e_{h_1}, e_{h_2}, e_u)=(0,0,0,0,0)\) with very small probability. Therefore \(\mathcal {A}\) succeeds with high probability.
Non-adaptive security. The above proof exploits the fact that the prover provides a representation of P – this corresponds to the case of an adaptive prover. But there are scenarios where the prover may be non-adaptive and not be able to do that – for example, the input P has been generated by another party, and the prover tries to prove knowledge with respect to this P. It turns out that in this case, one needs a different proof. In fact, one could give an extraction strategy which does not require knowing an initial representation for P, but it is then hard to give a reduction to the discrete logarithm problem to show correctness.
We stress that non-adaptive provers and adaptive provers are equivalent in many applications – they only differ when the input includes group elements. We give a formalization and a case study (for Bulletproofs range proofs) in the full version [34]. There, we can actually give a reduction to the discrete logarithm problem (to bound the probability of failing to extract), but this requires rewinding once – this allows us to prove a bound which is the square root of the bound for adaptive provers.
The recursive protocol for \(n=4\). Scaling the protocol to an arbitrary n proceeds via recursion. For concreteness, let us focus on the case \(n=4\). The prover first sends to the verifier group elements L, R where
The verifier samples x uniformly at random from \(\mathbb {Z}_p^*\) and sends it to the prover. The prover and the verifier both compute
The prover also computes \(a_1'=a_1 x+a_3 x^{-1}\), \(a_2'=a_2 x + a_4 x^{-1}\), \(b_1'=b_1x^{-1}+b_3 x\) and \(b_2'=b_2x^{-1}+b_4x\). Observe that \(P'=(g_1')^{a_1'}(g_2')^{a_2'}(h_1')^{b_1'}(h_2')^{b_2'}u^{a_1'b_1'+a_2'b_2'}\). Now, the prover and the verifier engage, recursively, in the protocol for \(n=2\) with inputs \((g_1',g_2'),(h_1',h_2'),u,P',(a_1',a_2'),(b_1',b_2')\). The difficulty in analyzing this is that we would like our proof strategy to be recursive, i.e., given that we have shown the protocol for n to be secure, we can infer that the one for 2n is secure as well. This will not be so direct, unfortunately. One major technical issue is for example that the recursive call uses different generators than the ones used for the calling protocol – in our case, here, \((g_1',g_2'),(h_1',h_2')\) – however, when looking at the combined protocol in the AGM, all element representations would be with respect to the generators \(g_1, \ldots , g_4, h_1, \ldots , h_4\), and this makes it difficult to directly recycle the above analysis.
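The two passages above (the \(n=2\) round with its algebraic extractor, and the halving step that scales the protocol to \(n=4\) and beyond) are made concrete in the following added example; it is not code from the paper or from any Bulletproofs implementation. The group (the order-1019 subgroup of \(\mathbb {Z}_{2039}^*\)), the generators, the sample witness \((3,5),(7,11)\) and the trapdoor exponent \(s=13\) are all constructed for the demonstration. The hypothetical `run_protocol` implements the general halving recursion of which the text's \(n=4\) case is one instance; `extract_n2` computes the text's \((e_{g_1},e_{g_2},e_{h_1},e_{h_2},e_u)\) from the representations of \(P, L, R\); and `demo_n2` runs a prover that knows a relation \(u=g_1^s\) among the bases and hands the reduction an inconsistent (but valid) representation of \(P\), so that the extractor's output is exactly that relation, \((s,0,0,0,-1)\), as the argument in the text predicts.

```python
# Added example (not code from the paper): the Bulletproofs inner-product
# argument in a toy prime-order group, plus the n = 2 algebraic extractor.
# Group, generators and sample values are constructed for this demo only.
import random

Q = 2039   # safe prime, Q = 2*P + 1 (toy size; deployments use ~256-bit curves)
P = 1019   # prime order of the subgroup of quadratic residues mod Q
assert all(Q % d for d in range(2, 46)) and all(P % d for d in range(2, 32))

def inv(z):
    return pow(z, -1, P)                 # inverse in the exponent field Z_P

def gexp(base, e):
    return pow(base, e % P, Q)           # exponentiation in the order-P subgroup

def mexp(bases, exps):
    """Multi-exponentiation prod_i bases[i]^exps[i]."""
    r = 1
    for g, e in zip(bases, exps):
        r = r * gexp(g, e) % Q
    return r

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def gen(rng):
    """A random generator of the order-P subgroup (a non-trivial square mod Q)."""
    while True:
        g = pow(rng.randrange(2, Q), 2, Q)
        if g != 1:
            return g

def fold(g, h, u, Pc, a, b, x):
    """One halving round for challenge x: the prover's (L, R) and the folded
    generators, commitment and witness (g', h', P', a', b') of the text."""
    m = len(a) // 2
    aL, aR, bL, bR = a[:m], a[m:], b[:m], b[m:]
    L = mexp(g[m:] + h[:m] + [u], aL + bR + [inner(aL, bR)])
    R = mexp(g[:m] + h[m:] + [u], aR + bL + [inner(aR, bL)])
    xi = inv(x)
    g2 = [gexp(gl, xi) * gexp(gr, x) % Q for gl, gr in zip(g[:m], g[m:])]
    h2 = [gexp(hl, x) * gexp(hr, xi) % Q for hl, hr in zip(h[:m], h[m:])]
    P2 = gexp(L, x * x) * Pc * gexp(R, xi * xi) % Q
    a2 = [(al * x + ar * xi) % P for al, ar in zip(aL, aR)]
    b2 = [(bl * xi + br * x) % P for bl, br in zip(bL, bR)]
    return L, R, g2, h2, P2, a2, b2

def run_protocol(g, h, u, Pc, a, b, rng):
    """Honest prover against a public-coin verifier, halving until n = 1;
    returns the verifier's decision bit."""
    while len(a) > 1:
        x = rng.randrange(1, P)          # challenge from Z_P^*
        _, _, g, h, Pc, a, b = fold(g, h, u, Pc, a, b, x)
    return Pc == mexp(g + h + [u], a + b + [a[0] * b[0]])

def honest_run(n, seed=1):
    """n generators each for g and h, a random witness, one full run."""
    rng = random.Random(seed)
    g, h, u = [gen(rng) for _ in range(n)], [gen(rng) for _ in range(n)], gen(rng)
    a, b = [rng.randrange(P) for _ in range(n)], [rng.randrange(P) for _ in range(n)]
    Pc = mexp(g + h + [u], a + b + [inner(a, b)])
    return run_protocol(g, h, u, Pc, a, b, rng)

def extract_n2(reps, x, a2, b2):
    """AGM extractor for n = 2.  reps = (p, l, r): exponent vectors of P, L, R
    over the bases (g1, g2, h1, h2, u).  Returns ('witness', (a', b')) when p
    is consistent, else ('relation', e) with e = (e_{g1}, e_{g2}, e_{h1},
    e_{h2}, e_u), a DL relation among the bases whenever the round accepted."""
    p, l, r = reps
    if inner(p[0:2], p[2:4]) == p[4]:
        return "witness", (p[0:2], p[2:4])
    xi = inv(x)
    coef = [xi * a2, x * a2, x * b2, xi * b2, a2 * b2]  # exponents of g'^a' h'^b' u^{a'b'}
    e = [(c - li * x * x - ri * xi * xi - pi) % P
         for c, li, ri, pi in zip(coef, l, r, p)]
    return "relation", e

def demo_n2(trapdoor, seed=7):
    """With trapdoor=True the prover knows s with u = g1^s and submits an
    inconsistent representation of P; the extractor recovers that relation."""
    rng = random.Random(seed)
    g1, g2, h1, h2 = (gen(rng) for _ in range(4))
    s = 13                                            # constructed trapdoor
    u = gexp(g1, s) if trapdoor else gen(rng)
    bases = [g1, g2, h1, h2, u]
    a, b = [3, 5], [7, 11]                            # constructed witness
    c = inner(a, b)
    Pc = mexp(bases, a + b + [c])
    d = 1 if trapdoor else 0
    p = [(a[0] - d * s) % P, a[1], b[0], b[1], (c + d) % P]   # claimed representation
    assert mexp(bases, p) == Pc                       # it does represent P
    x = rng.randrange(1, P)
    L, R, g_, h_, P_, a2, b2 = fold([g1, g2], [h1, h2], u, Pc, a, b, x)
    accepted = P_ == mexp(g_ + h_ + [u], a2 + b2 + [a2[0] * b2[0]])
    l = [0, a[0], b[1], 0, a[0] * b[1]]               # L = g2^{a1} h1^{b2} u^{a1 b2}
    r = [a[1], 0, 0, b[0], a[1] * b[0]]               # R = g1^{a2} h2^{b1} u^{a2 b1}
    kind, out = extract_n2((p, l, r), x, a2[0], b2[0])
    return accepted, kind, out, bases
```

Note that in the trapdoor run the prover's messages are the honest ones for the real witness, so the transcript is accepting for every challenge; the only deviation is in the representation of \(P\), and that deviation is exactly what shows up in the extractor's output. This is the mechanism the text relies on: an accepting transcript either yields a witness or yields a non-trivial relation among the bases, and the relation-finding adversary needs no rewinding.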
The challenges with composition. The inability to leverage recursion to simplify the approach from the previous paragraph is not an isolated incident. We note that a non-trivial aspect of our analyses is due to the lack of easy composition properties in the AGM. In particular, we encounter the following problem – if we have a protocol \(\varPi '\) (e.g., the inner-product argument) which is used as a sub-protocol for \(\varPi \) (a Bulletproofs range proof), and we prove extractability for \(\varPi '\), it is not clear we can infer extractability for \(\varPi \) in a modular way by just calling the extractor for \(\varPi '\). This is because a stand-alone analysis of \(\varPi '\) may assume group elements output by a malicious prover \(\mathcal {P}'\) are represented with respect to some set of basis elements – say, the generators \(g_1, \ldots , g_n, h_1, \ldots , h_n, u\) in the concrete example of the inner-product argument described above. However, when \(\varPi '\) is used within \(\varPi \), the generators of the inner-product argument are functions of different group elements. When studying a prover \(\mathcal {P}\) attacking \(\varPi \), then, representations of group elements are with respect to this different set of group elements, and this makes it hard to use an extractor for \(\varPi '\) directly, as it assumes different representations.
This is a problem we encounter in our analyses, and which prevents us from abstracting a theorem for the inner-product argument which we could use, in a plug-and-play way, to imply security of higher-level protocols using it. The flip side is that this lack of composability also comes to our advantage – our extractors will in fact not even need to extract anything from the transcript of an accepting execution of the inner-product argument, but only use the fact that it is accepting to infer correctness of the extracted value.
The issue with prior AGM analyses. Composition issues seemingly affect existing analyses of proof systems in the literature (e.g., [18, 22]), whenever some components are analyzed in the AGM (typically, a polynomial commitment scheme), but the overall proof is expressed in the standard model. As far as we can tell, unlike this work, one cannot directly extract a full AGM analysis from these works – let us elaborate on this.
Obviously, from a purely formal perspective, the standard model and the algebraic group model cannot quite be mixed, as in particular the AGM extractor for the component cannot be used in the standard model – the only formally correct way to interpret the analysis is as fully in the AGM, but part of the analysis does not leverage the full power of the model, and is effectively a standard-model reduction. Yet, in order for composition to be meaningful, it is important to verify that the basis elements assumed in the AGM analysis of the components are the same ones available to a prover attacking the complete protocol. While we cannot claim any issues (in fact, we give an analysis of Sonic in this paper with a concrete bound), it does appear that all existing works do not attempt to provide a formal composition – they use the existence of an AGM extractor as a heuristic validation for the existence of a standard-model extractor, rather than making formally correct use of it as an AGM extractor within an AGM proof. Making this composition sound is potentially non-trivial. Having said this, for pairing-based polynomial commitment schemes, the basis elements are generally the same, and thus this can likely be made rigorous fairly easily (unlike the case of inner-product arguments).
2 Preliminaries
Let \(\mathbb {N}=\{0,1,2,\ldots \}\) represent the set of all natural numbers and let \(\mathbb {N}^+=\mathbb {N}\setminus \{0\}\). For \(N\in \mathbb {N}^+\), let \([N]=\{1,\ldots ,N\}\). We use \(\mathsf {Pr}\left[ { \textsf {G}} \right] \) to denote the probability that the game \({ \textsf {G}}\) returns \(\texttt {true}\). Let \(\mathbb {G}\) be a cyclic group of prime order p with identity 1 and let \(\mathbb {G}^*=\mathbb {G}\setminus \{1\}\) be the set of its generators. We use boldface to denote a vector, e.g., \(\mathbf {g}\in \mathbb {G}^n\) is a vector of n group elements with its \(i^\text {th}\) element being \(g_i\), i.e., \(\mathbf {g}=(g_1,\ldots ,g_n)\). For two vectors \(\mathbf {a}=(a_1,\ldots ,a_n),\mathbf {g}=(g_1,\ldots ,g_n)\), we use \(\mathbf {g}^\mathbf {a}\) to denote \(\prod _{i=1}^n g_i^{a_i}\). We use Python notation to denote slices of vectors:
For \(z\in \mathbb {Z}_p^*\), we use \({\mathbf {z}}^{n}\) to denote the vector \((1,z,z^2,\ldots ,z^{n-1})\). Similarly, we use \({\mathbf {z}}^{-n}\) to denote the vector \((1,z^{-1},z^{-2},\ldots ,z^{-n+1})\). If Z is a variable, \({\mathbf {Z}}^{n}\) represents the vector \((1,Z,Z^2,\ldots ,Z^{n-1})\). Our vectors are indexed starting from 1, so \({\mathbf {z}}^{n+1}_{[1:]}\) is the vector \((z,z^2,\ldots ,z^{n})\). The operator \(\circ \) denotes the Hadamard product of two vectors, i.e., for \(\mathbf {a}=(a_1,\ldots ,a_n), \mathbf {b}=(b_1,\ldots ,b_n)\) we have \(\mathbf {a}\circ \mathbf {b}=(a_1b_1,\ldots , a_nb_n)\). We use capitalized boldface letters to denote matrices, e.g., \(\mathbf {W}\in \mathbb {Z}_p^{n\times m}\) is a matrix with n rows and m columns.
We denote the inner product of two vectors \(\mathbf {a},\mathbf {b}\in \mathbb {Z}_p^n\) using \(\langle {\mathbf {a}},{\mathbf {b}} \rangle \). We also define vector polynomials, e.g., \(f(X)=\sum _{i=0}^d \mathbf {f}_iX^i\), where each coefficient \(\mathbf {f}_i\) is a vector in \(\mathbb {Z}_p^n\).
The function \(\mathsf {bit}(k,i,t)\) returns the bit \(k_i\) where \((k_1,\ldots ,k_t)\) is the t-bit representation of k.
Schwartz-Zippel Lemma. The polynomial ring in variables \(X_1,\ldots ,X_n\) over the field \(\mathbb {F}\) is denoted by \(\mathbb {F}[X_1,\ldots ,X_n]\).
Lemma 1
(Schwartz-Zippel Lemma). Let \(\mathbb {F}\) be a finite field and let \(f\in \mathbb {F}[X_1,\ldots ,X_n]\) be a nonzero n-variate polynomial with maximum degree d. Let S be a subset of \(\mathbb {F}\). Then \(\mathsf {Pr}\left[ f(x_1,\ldots ,x_n)=0 \right] \le {d}/{\left| S \right| }\), where the probability is over the choice of \(x_1,\ldots ,x_n\) sampled independently and uniformly at random from S.
In particular if p is a prime and \(f\in \mathbb {Z}_p[X]\) is a polynomial of degree d and x is sampled uniformly at random from \({\mathbb {Z}_p^*}\), then \(\mathsf {Pr}\left[ f(x)=0 \right] \le {d}/({p-1})\). Further this implies that if \(g(X)=f(X)/X^i\) for \(i\in \mathbb {N}\) and x is sampled uniformly at random from \({\mathbb {Z}_p^*}\), then \(\mathsf {Pr}\left[ g(x)=0 \right] =\mathsf {Pr}\left[ f(x)=0 \right] \le {d}/({p-1})\).
The Discrete logarithm problem. The game \({ \textsf {G}}^{\mathsf {dl}}_{\mathbb {G}}\) in Fig. 1 is used for defining the advantage of a non-uniform adversary \(\mathcal {A}=\{\mathcal {A}_\lambda \}_{\lambda \in \mathbb {N}^+}\) against the discrete logarithm problem in a family of cyclic groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) of prime order \(p=p(\lambda )\) with identity 1 and set of generators \(\mathbb {G}^*=\{\mathbb {G}_\lambda ^*\}_{\lambda \in \mathbb {N}^+}=\{\mathbb {G}_\lambda \setminus \{1\}\}_{\lambda \in \mathbb {N}^+}\). We define \(\mathsf {Adv}^\mathsf {dl}_{\mathbb {G}}(\mathcal {A},\lambda )=\mathsf {Pr}\left[ { \textsf {G}}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {A},\lambda ) \right] \).
The Discrete logarithm relation problem. The game \({ \textsf {G}}^{\mathsf {dl\text {-}rel}}_{\mathbb {G},n}\) in Fig. 1 is used for defining the advantage of a non-uniform adversary \(\mathcal {A}=\{\mathcal {A}_\lambda \}_{\lambda \in \mathbb {N}^+}\) against the discrete logarithm relation problem in a family of cyclic groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\). We define the advantage of \(\mathcal {A}\) as \(\mathsf {Adv}^\mathsf {dl\text {-}rel}_{\mathbb {G},n}(\mathcal {A},\lambda )=\mathsf {Pr}\left[ { \textsf {G}}^{\mathsf {dl\text {-}rel}}_{\mathbb {G},n}(\mathcal {A},\lambda ) \right] \). The following lemma shows that hardness of the discrete logarithm relation problem in \(\mathbb {G}\) is tightly implied by the hardness of the discrete logarithm problem in the family of cyclic groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\).
Lemma 2
Let \(n\in \mathbb {N}^+\). Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of cyclic groups with order \(p=p(\lambda )\). For every non-uniform adversary \(\mathcal {A}=\{\mathcal {A}_\lambda \}_{\lambda \in \mathbb {N}^+}\) there exists a non-uniform adversary \(\mathcal {B}=\{\mathcal {B}_\lambda \}_{\lambda \in \mathbb {N}^+}\) such that for all \(\lambda \in \mathbb {N}^+\), \( \mathsf {Adv}^{\mathsf {dl\hbox {-}rel}}_{\mathbb {G},n}(\mathcal {A},\lambda )\le \mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {B},\lambda )+1/p \). Moreover, \(\mathcal {B}\) is nearly as efficient as \(\mathcal {A}\).
We refer the reader to [11] for a proof of this lemma.
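As an added illustration of the reduction behind Lemma 2 (this code is not from the paper or from [11]), the following Python builds the adversary \(\mathcal {B}\) against the discrete logarithm problem from a discrete-logarithm-relation adversary \(\mathcal {A}\), in a constructed toy group small enough that a stand-in \(\mathcal {A}\) can find relations by brute force; the group constants, function names and that brute-force stand-in are this example's own assumptions.

```python
import secrets

# Constructed toy group for the example: the order-P subgroup of Z_Q^* for the
# safe prime Q = 2P + 1. Real deployments use ~256-bit p; P is tiny on purpose
# so that the stand-in "adversary" below can find relations by brute force.
P = 1019           # prime group order p
Q = 2 * P + 1      # 2039, prime
G = 4              # a quadratic residue mod Q, hence a generator of the order-P subgroup


def gmul(a, b):
    return (a * b) % Q


def gpow(base, e):
    return pow(base, e % P, Q)


def dlog_bruteforce(h):
    """Discrete log of h to base G; only feasible because P is tiny."""
    acc = 1
    for i in range(P):
        if acc == h:
            return i
        acc = gmul(acc, G)
    raise ValueError("element not in the order-P subgroup")


def dlrel_adversary(gens):
    """Stand-in dl-rel adversary A (needs n >= 2): given generators g_1..g_n,
    return (e_1..e_n) != 0 with prod g_i^{e_i} = 1.  A real A has no brute
    force; this one exists so the reduction can be exercised end to end."""
    logs = [dlog_bruteforce(g) for g in gens]
    # Need sum logs_i * e_i = 0 (mod P). Fix e_2 = 1, pick the rest at random,
    # and solve for e_1 (logs_1 != 0 because g_1 is not the identity).
    e = [0, 1] + [secrets.randbelow(P) for _ in gens[2:]]
    e[0] = (-sum(l * c for l, c in zip(logs[1:], e[1:]))) * pow(logs[0], -1, P) % P
    return e


def dl_reduction(A, n, h):
    """Adversary B of Lemma 2 against the DL game.  Input: h = G^x, x unknown.
    B embeds the challenge into every generator, g_i = G^{a_i} h^{b_i}, which
    is uniform in the group, exactly as the dl-rel game samples generators.
    A's relation prod g_i^{e_i} = 1 means sum a_i e_i + x * sum b_i e_i = 0
    (mod P), so x is recovered unless sum b_i e_i = 0; the b_i are hidden
    from A, so that happens with probability at most 1/P, which is the +1/p
    term of the lemma."""
    while True:
        a = [secrets.randbelow(P) for _ in range(n)]
        b = [secrets.randbelow(P) for _ in range(n)]
        gens = [gmul(gpow(G, ai), gpow(h, bi)) for ai, bi in zip(a, b)]
        if 1 not in gens:        # the game hands A elements of G^*, never the identity
            break
    e = A(gens)
    prod = 1
    for g_i, e_i in zip(gens, e):
        prod = gmul(prod, gpow(g_i, e_i))
    if prod != 1 or not any(c % P for c in e):
        return None              # A failed: trivial or invalid relation
    num = sum(ai * ei for ai, ei in zip(a, e)) % P
    den = sum(bi * ei for bi, ei in zip(b, e)) % P
    if den == 0:
        return None              # the 1/p bad event
    return (-num) * pow(den, -1, P) % P
```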
The q-DLOG problem. The game \({ \textsf {G}}^{{q\hbox {-}\mathsf {dl}}}_{\mathbb {G}}\) in Fig. 1 is used for defining the advantage of a non-uniform adversary \(\mathcal {A}=\{\mathcal {A}_\lambda \}_{\lambda \in \mathbb {N}^+}\) against the q-DLOG problem in a family of groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\). We define \(\mathsf {Adv}^{q\hbox {-}\mathsf {dl}}_{\mathbb {G}}(\mathcal {A},\lambda )=\mathsf {Pr}\left[ { \textsf {G}}^{{q\hbox {-}\mathsf {dl}}}_{\mathbb {G}}(\mathcal {A},\lambda ) \right] \).
We note that there are other problems known as q-DLOG which are not equivalent to the one we use here. We use the version stated above because it is the version used in the analysis of Sonic [18], which we analyse in this paper.
3 Interactive Proofs and State-Restoration Soundness
We introduce our formalism for handling interactive proofs and arguments, which is particularly geared towards understanding their concrete state-restoration soundness.
Interactive proofs. An interactive proof [1] \(\mathsf {IP}\) is a triple of algorithms: (1) the setup algorithm \(\mathsf {IP}.\mathsf {Setup}\) which generates the public parameters \(\mathsf {pp}\), (2) the prover \(\mathsf {IP}.\mathsf {P}\) and (3) the verifier \(\mathsf {IP}.\mathsf {V}\). In particular, the prover and the verifier are interactive machines which define a two-party protocol, where the prover does not produce any output, and the verifier outputs a decision bit \(d \in \{0,1\}\). We let \(\langle \mathsf {IP}.\mathsf {P}(x), \mathsf {IP}.\mathsf {V}(y) \rangle \) denote the algorithm which runs an execution of the prover and the verifier on inputs x and y, respectively, and outputs the verifier’s decision bit. We say that \(\mathsf {IP}\) is public coin if all messages sent from \(\mathsf {IP}.\mathsf {V}\) to \(\mathsf {IP}.\mathsf {P}\) are fresh random values from some understood set (which we refer to as challenges).
Completeness. A relation R is (without loss of generality) a subset of \(\{0,1\}^* \times \{0,1\}^* \times \{0,1\}^*\). We denote a relation R that uses specified public parameters \(\mathsf {pp}\), instance x and witness w as \(\{(\mathsf {pp},x,w):f_R(\mathsf {pp},x,w)\}\) where \(f_R(\mathsf {pp},x,w)\) is a function that returns \(\texttt {true}\) if \((\mathsf {pp},x,w)\in R\) and \(\texttt {false}\) otherwise. For every \(\lambda \in \mathbb {N}^+\) and every \(\mathcal {A}\), define the following experiment:
Then, we say that \(\mathsf {IP}\) is an interactive proof for the relation R if for all \(\mathcal {A}\) and all \(\lambda \in \mathbb {N}^+\), in the above experiment the event \((d = 1) \vee ((\mathsf {pp}, x, w) \notin R)\) holds with probability one.
State-restoration soundness. We target a stronger notion of soundness – state-restoration soundness (SRS) [14, 15] – which (as we show below) tightly reduces to the soundness of the non-interactive proof obtained via the Fiat-Shamir transform. The SRS security game allows the cheating prover to rewind the verifier as it pleases, and the prover wins if and only if it manages to produce some accepting interaction. We only consider an \(r(\lambda )\)-challenge public-coin interactive proof \(\mathsf {IP}\), and consider the case where challenges are drawn uniformly from some sets \(\mathsf {Ch}_1, \ldots , \mathsf {Ch}_r\). We also assume that the verifier is described by an algorithm which, given \(\mathsf {pp}\), x, and a transcript \(\tau = (a_1, c_1, \ldots , a_{r}, c_r, a_{r+1})\), outputs a decision bit \(d \in \{0,1\}\). We overload notation and write \(\mathsf {IP}.\mathsf {V}(\mathsf {pp}, x, \tau )\) for this output.
Our definition considers a game \(\mathsf {SRS}_{\mathsf {IP}}^{\mathcal {P}}(\lambda )\) (which is formalized in Fig. 2) that involves a non-uniform cheating prover \(\mathcal {P}= \{\mathcal {P}_{\lambda }\}_{\lambda \in \mathbb {N}}\). (Henceforth, whenever we have any non-uniform adversary \(\mathcal {A}\), it is understood that \(\mathcal {A}=\{\mathcal {A}_{\lambda }\}_{\lambda \in \mathbb {N}}\) – we shall not specify this explicitly.) The prover is initially responsible for generating the input x on which it attempts to convince the verifier in some execution. Its rewinding access to the verifier is ensured by an oracle \(\mathbf {O}_{\mathrm {ext}}\), to which it has access. Roughly speaking, the oracle allows the prover to build an execution tree, which is extended with each query to it by the prover. This execution tree can be inferred from \(\mathsf {tr}\), which sequentially logs all (valid) queries to \(\mathbf {O}_{\mathrm {ext}}\) by the prover. For a partial transcript \(\tau '\), we write \(\tau ' \in \mathsf {tr}\) to mean that a partial execution corresponding to \(\tau '\) can be inferred from \(\mathsf {tr}\).
We then associate the probability of winning the game with the \(\mathsf {srs}\) advantage metric, \(\mathsf {Adv}^{\mathsf {srs}}_{\mathsf {IP}}(\mathcal {P}, \lambda ) = \mathsf {Pr}\left[ \mathsf {SRS}_{\mathsf {IP}}^{\mathcal {P}}(\lambda ) \right] \). For notational convenience, we do not require the input x to have no witness. Therefore, if \(\mathsf {IP}\) is an interactive proof for a relation R, we cannot hope to show that \(\mathsf {Adv}^{\mathsf {srs}}_{\mathsf {IP}}(\mathcal {P},\lambda )\) is small for all \(\mathcal {P}\). Clearly, if \(\mathcal {P}\) outputs (x, a) such that \((\mathsf {pp}, x, a) \in R\), then a is a witness and \(\mathcal {P}\) can simply (honestly) convince the verifier. The classical notion of state-restoration soundness is recovered by only considering \(\mathcal {P}\)’s which output x such that \((\mathsf {pp}, x, w) \notin R\) for any w.
4 Proofs of Knowledge in the AGM
The Algebraic Group Model. We start here with a brief review of the AGM [5]. For an understood group \(\mathbb {G}\) with prime order p, an algebraic algorithm \(\mathcal {A}_{\mathsf {alg}}\) is an interactive algorithm whose inputs and outputs are made of distinct group elements and strings. Furthermore, each (encoding of a) group element X output by \(\mathcal {A}_{\mathsf {alg}}\) is accompanied by a representation \((x_{A_1}, x_{A_2}, \ldots , x_{A_k}) \in \mathbb {Z}_p^k\) such that \(X = \prod _{i=1}^k A_i^{x_{A_i}}\), where \(A_1, \ldots , A_k\) are all group elements previously input and output by \(\mathcal {A}_{\mathsf {alg}}\). Generally, we write \(\left[ X \right] \) for a group element X enhanced with its representation, e.g., \( \left[ X \right] = (X, x_{A_1}, x_{A_2}, \ldots , x_{A_k})\). In particular, when we use a group element X output by \(\mathcal {A}_{\mathsf {alg}}\), e.g. it is input to a reduction or used in a cryptographic game, we write \(\left[ X \right] \) to make explicit that the representation is available, whereas we write X only when the representation is omitted. The notation extends to a mix of group elements and strings a – \(\left[ a \right] \) enhances each group element with its representation.
Defining AGM extraction. We formalize a notion of proof-of-knowledge (PoK) security in the AGM, following the lines of witness-extended emulation [16, 17], which we extend to provers that can rewind the verifier.
We will be interested in cases where the AGM allows for online extraction, i.e., the additional group representations will allow for extraction without rewinding the prover. We target an adaptive notion of security, where the input is generated by the adversarial prover itself, depending on the public parameters \(\mathsf {pp}\), and can contain group elements.
Online srs-wee security. The definition consists of two games – denoted \( \mathsf {WEE}\hbox {-}1^{\mathcal {P}_{\mathsf {alg}},\mathcal {D}}_{\mathsf {IP}}\) and \(\mathsf {WEE}\hbox {-}0^{\mathcal {E},\mathcal {P}_{\mathsf {alg}},\mathcal {D}}_{\mathsf {IP},R}\) – which are described in Fig. 3. The former captures the real game: it lets our prover \(\mathcal {P}= \{\mathcal {P}_{\lambda }\}_{\lambda \in \mathbb {N}}\) interact with an oracle \(\mathbf {O}^1_{\mathrm {ext}}\) as in the state-restoration soundness game defined above, which additionally stores a transcript \(\mathsf {tr}\). This transcript is finally given to a distinguisher \(\mathcal {D}\) which outputs a decision bit. In contrast, the ideal game delegates the role of answering \(\mathcal {P}\)’s oracle queries to a (stateful) extractor \(\mathcal {E}\). The extractor, at the end of the execution, also outputs a witness candidate w. The extractor in particular exploits the fact that \(\mathcal {P}\) is algebraic by learning the representation of every input to the oracle \(\mathbf {O}^0_{\mathrm {ext}}\). (This representation can be thought of, without loss of generality, as being in terms of all group elements contained in \(\mathsf {pp}\).) Here, the final output of the game is not merely \(\mathcal {D}\)’s decision bit – should the latter output 1, the output of the game is \(\texttt {true}\) only if additionally the extracted witness is correct, assuming the interaction with \(\mathbf {O}^0_{\mathrm {ext}}\) resulted in an accepting execution – a condition we capture via the predicate \(\mathsf {Acc}(\mathsf {tr})\).
For an interactive proof \(\mathsf {IP}\) and an associated relation R, a non-uniform algebraic prover \(\mathcal {P}_\mathsf {alg}\), a distinguisher \(\mathcal {D}\), and an extractor \(\mathcal {E}\), we define
One can also consider scenarios where the prover is non-adaptive – for example, the input has been generated by another party, and the prover tries to prove knowledge with respect to this input. For this reason, we introduce the notion of non-adaptive srs-wee in the full version [34].
4.1 The Basic Framework
We develop a general framework that we will use, via Theorem 1, to derive concrete AGM bounds on srs-wee security. Our goal, in particular, is to give conditions on single-path executions – i.e., executions not involving any rewinding of the verifier by the prover, which can be seen as root-to-leaf paths in the execution tree generated by the interaction of a state-restoration prover.
Transcripts. From now on, let us fix a public-coin interactive proof \(\mathsf {IP}= (\mathsf {IP}.\mathsf {Setup}, \mathsf {IP}.\mathsf {P}, \mathsf {IP}.\mathsf {V})\) for a relation R. Assume further that this protocol has exactly r rounds of challenges. Then, we represent a (potential) single-execution transcript generated by an algebraic prover in different forms, depending on whether we include the representations of group elements or not. Specifically, we let the (plain) transcript be \( \tau = (\mathsf {pp}, x, a_1, c_1, a_2, c_2, \ldots , a_r, c_r, a_{r+1}) \), where \(\mathsf {pp}\) are the generated parameters, x is the input produced by \(\mathcal {P}_{\mathsf {alg}}\), \(c_i \in \mathsf {Ch}_i\) for all \(i \in \{1, \ldots , r\}\) are the challenges, and \(a_1, \ldots ,a_{r+1}\) are the prover’s messages. The corresponding extended transcript with representations is denoted as \( \left[ \tau \right] = (\mathsf {pp}, \left[ x \right] , \left[ a_1 \right] , c_1, \left[ a_2 \right] , c_2, \ldots , \left[ a_r \right] , c_r, \left[ a_{r+1} \right] ) \).
In particular, the representation of each group element contained in \(a_i\) is with respect to all elements contained in \(\mathsf {pp}, x, a_1, \ldots , a_{i-1}\). We let \(\mathcal {T}^{\mathsf {IP}}\) be the set of all possible extended transcripts \(\left[ \tau \right] \). We also let \(\mathcal {T}^{\mathsf {IP}}_{\mathsf {Acc}} \subseteq \mathcal {T}^{\mathsf {IP}}\) be the set of accepting transcripts \(\left[ \tau \right] \), i.e., those with \(\mathsf {IP}.\mathsf {V}(\tau ) = 1\).
Path Extraction. We now would like to define a function \(\mathsf {e}\) which extracts a witness from any accepting transcript \(\left[ \tau \right] \in \mathcal {T}^{\mathsf {IP}}_{\mathsf {Acc}}\). For a particular function \(\mathsf {e}\) we now define the set of extended transcripts on which it succeeds in extracting a valid witness, i.e.,
Therefore, a natural extractor \(\mathcal {E}\) just answers challenges honestly, and applies \(\mathsf {e}\) to a path in the execution tree which defines an accepting transcript, and returns the corresponding witness w. The probability of this extractor failing can be upper bounded naïvely by the probability that the prover generates, in its execution tree, a path corresponding to an extended transcript \(\left[ \tau \right] \in \mathcal {T}^{\mathsf {IP}}_{\mathsf {Acc}} \setminus \mathcal {T}^{\mathsf {IP}, \mathsf {e}, R}_{\mathsf {correct}}\). This is however not directly helpful, as the main challenge is to actually estimate this probability.
Bad Challenges. In all of our examples, the analysis of the probability of generating a transcript in \(\mathcal {T}^{\mathsf {IP}}_{\mathsf {Acc}} \setminus \mathcal {T}^{\mathsf {IP}, \mathsf {e}, R}_{\mathsf {correct}}\) will generally consist of an information-theoretic and a computational part.
The information-theoretic part accounts for the choice of certain bad challenges. We capture such choices of bad challenges by defining, for any partial extended transcript \(\left[ \tau ' \right] = (\mathsf {pp}, \left[ x \right] , \left[ a_1 \right] , c_1, \ldots , \left[ a_i \right] )\), a set \(\mathsf {BadCh}(\tau ') \subseteq \mathsf {Ch}_i\) of such bad challenges. (Crucially, whether a challenge is bad or not only depends on the extended transcript so far.) We now denote by \(\mathcal {T}^{\mathsf {IP}}_{\mathsf {BadCh}}\) the set of all extended transcripts which contain at least one bad challenge. It turns out that the probability of generating such a bad challenge is easily bounded by \(q \cdot \varepsilon \) for a prover making q oracle queries, assuming \(\left| \mathsf {BadCh}(\tau ') \right| /\left| \mathsf {Ch}_i \right| \le \varepsilon \).
The only case that the extractor can now fail is if the execution tree contains an extended transcript \(\left[ \tau \right] \) in the set \( \mathcal {T}^{\mathsf {IP}, \mathsf {e}, R}_{\mathsf {fail}} = \mathcal {T}^{\mathsf {IP}}_{\mathsf {Acc}} \; \setminus \; (\mathcal {T}^{\mathsf {IP}, \mathsf {e}, R}_{\mathsf {correct}} \cup \mathcal {T}^{\mathsf {IP}}_{\mathsf {BadCh}})\). We denote the probability that this happens in \(\mathsf {SRS}^{\mathcal {P}_{\mathsf {alg}}}_{\mathsf {IP}}(\lambda )\) as \(p_{\mathsf {fail}}(\mathsf {IP}, \mathcal {P}_{\mathsf {alg}}, \mathsf {e}, R, \lambda )\). Generally, in all of our applications, upper bounding this probability for a suitably defined extractor will constitute the computational core of the proof – i.e., we will prove (generally tight) reductions to breaking some underlying assumption.
The Master Theorem. We are now ready to state our master theorem, which assumes the formal setup described above.
Theorem 1
(Master Theorem). Let \(\mathsf {IP}\) be an \(r=r(\lambda )\)-challenge public-coin interactive proof for a relation R. Assume there exist functions \(\mathsf {BadCh}\) and \(\mathsf {e}\) for \(\mathsf {IP}\) as described above, and let \(p_\mathsf {fail}\) be as defined above. Let \(\tau '\) be a partial transcript such that the challenge that comes right after is sampled from \(\mathsf {Ch}_i\). Assume that for all \(i \in \{1, \ldots , r\}\), we have \( \left| \mathsf {BadCh}(\tau ') \right| /\left| \mathsf {Ch}_i \right| \le \varepsilon \), for some \(\varepsilon \in [0,1]\). Then, there exists an extractor \(\mathcal {E}\) that uses \(\mathsf {e}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) making at most \(q=q(\lambda )\) queries to its oracle, and any (computationally unbounded) distinguisher \(\mathcal {D}\), for all \(\lambda \in \mathbb {N}^+\),
The time complexity of the extractor \(\mathcal {E}\) is \(O(q\cdot t_V+t_\mathsf {e})\) where \(t_V\) is the time required to run \(\mathsf {IP}.\mathsf {V}\) and \(t_\mathsf {e}\) is the time required to run \(\mathsf {e}\).
The proof of this theorem is straightforward and has been deferred to the full version [34].
4.2 The Fiat-Shamir Transform
The Fiat-Shamir transform uses a family of hash functions \(\mathcal {H}\) to convert an r-challenge public-coin interactive protocol (proof or argument) \(\mathsf {IP}\) into a non-interactive argument \(\mathsf {FS}[\mathsf {IP},\mathcal {H}]\). When \(\mathcal {H}\) is modelled as a random oracle, we denote the non-interactive argument by \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\). In \(\mathsf {FS}[\mathsf {IP},\mathcal {H}]\), a hash function H is first sampled from \(\mathcal {H}\). A proof on public parameters \(\mathsf {pp}\) and input x is \(\pi =(a_1,c_1,a_2,c_2,\ldots ,a_r,c_r,a_{r+1})\), such that \(c_i=H(\mathsf {pp},x,a_1,c_1,\ldots ,a_{i-1},c_{i-1},a_i)[:\mathsf {cLen}_i]\) for \(i\in \{1,\ldots ,r\}\), and \(\mathsf {IP}.\mathsf {V}\) returns 1 on input \((\mathsf {pp},x,\pi )\).
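As an added example (not code from the paper), the transform as just defined in Python: each \(c_i\) is the hash of the full prefix \((\mathsf {pp},x,a_1,c_1,\ldots ,a_i)\) truncated to \(\mathsf {cLen}_i\) bits, applied here to a one-challenge Schnorr proof of knowledge of a discrete logarithm in a constructed toy group; the group constants, the length-prefixed serialisation and the names fs_prove / fs_verify are this example's own choices, and the generic prover and verifier handle any number of rounds r.

```python
import hashlib
import secrets

# Constructed toy group: the order-P subgroup of Z_Q^* for the safe prime Q = 2P + 1.
P, Q, G = 1019, 2039, 4
HLEN = 256               # hLen: SHA-256 output length in bits
CLENS = [128]            # cLen_i per round; sLen <= cLen_i <= hLen as in Theorem 2


def enc(item):
    """Length-prefixed encoding of ints, bytes and tuples, so that the hash input
    (pp, x, a_1, c_1, ...) parses unambiguously.  Plain concatenation would let two
    different transcripts produce the same hash input."""
    if isinstance(item, int):
        item = item.to_bytes(32, "big")
    elif isinstance(item, (tuple, list)):
        item = b"".join(enc(i) for i in item)
    return len(item).to_bytes(4, "big") + item


def fs_challenge(pp, x, prefix, clen):
    """c_i = H(pp, x, a_1, c_1, ..., a_{i-1}, c_{i-1}, a_i)[:clen]: the first clen bits
    of the hash of the whole prefix, the instance x included."""
    digest = hashlib.sha256(enc(pp) + enc(x) + b"".join(enc(m) for m in prefix)).digest()
    return int.from_bytes(digest, "big") >> (HLEN - clen)


def fs_prove(pp, x, next_msg, clens):
    """Generic FS prover for an r-challenge public-coin IP.  next_msg(i, cs) returns
    the prover message a_i given the challenges so far.  Returns
    pi = (a_1, c_1, ..., a_r, c_r, a_{r+1})."""
    pi, cs = [], []
    for clen in clens:
        pi.append(next_msg(len(cs) + 1, cs))
        c = fs_challenge(pp, x, pi, clen)      # hash of (pp, x, a_1, c_1, ..., a_i)
        pi.append(c)
        cs.append(c)
    pi.append(next_msg(len(cs) + 1, cs))       # a_{r+1}
    return tuple(pi)


def fs_verify(pp, x, pi, clens, ip_verify):
    """Recompute every c_i from its prefix, then run IP.V on (pp, x, pi)."""
    if len(pi) != 2 * len(clens) + 1:
        return False
    for i, clen in enumerate(clens):
        if pi[2 * i + 1] != fs_challenge(pp, x, pi[:2 * i + 1], clen):
            return False
    return ip_verify(pp, x, pi)


# The IP: Schnorr proof of knowledge of w with x = G^w (one challenge, r = 1):
# a_1 = G^k, c_1, a_2 = k + c_1 * w mod P; accept iff G^{a_2} = a_1 * x^{c_1}.
def schnorr_prover(w):
    state = {}

    def next_msg(i, cs):
        if i == 1:
            state["k"] = secrets.randbelow(P)
            return pow(G, state["k"], Q)
        return (state["k"] + cs[0] * w) % P

    return next_msg


def schnorr_verify(pp, x, pi):
    a1, c1, a2 = pi
    return pow(G, a2, Q) == (a1 * pow(x, c1, Q)) % Q


def demo():
    """Honest proof verifies; because x is bound into every challenge hash, the
    same pi is rejected for a different instance (the point of fs-ext-1/2)."""
    w = secrets.randbelow(P)
    x = pow(G, w, Q)
    pp = (P, Q, G)
    pi = fs_prove(pp, x, schnorr_prover(w), CLENS)
    ok = fs_verify(pp, x, pi, CLENS, schnorr_verify)
    other_x = pow(G, (w + 1) % P, Q)
    reused = fs_verify(pp, other_x, pi, CLENS, schnorr_verify)
    return ok, reused
```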
fs-ext-1 security. We formalize a notion of proof-of-knowledge (PoK) security in the AGM for non-interactive arguments obtained by applying the Fiat-Shamir transform to an interactive protocol \(\mathsf {IP}\). For simplicity, this notion just captures extractability instead of witness-extended emulation. We define a notion of soundness called fs-ext-1 that captures the setting where the prover has to commit to the instance beforehand. It is formally defined using the game \(\mathsf {FS}\hbox {-}\mathsf {EXT}\hbox {-}\mathsf {1}\) in Fig. 4.
For an interactive proof \(\mathsf {IP}\) and an associated relation R, an algebraic prover \(\mathcal {P}_\mathsf {alg}\), and an extractor \(\mathcal {E}\), we define \(\mathsf {Adv}^{\mathsf {fs}\hbox {-}\mathsf {ext}\hbox {-}\mathsf {1}}_{\mathsf {FS}^\mathbf {RO}[\mathsf {IP}], R}(\mathcal {P}_{\mathsf {alg}}, \mathcal {E}, \lambda ) = \mathsf {Pr}\left[ \mathsf {FS}\hbox {-}\mathsf {EXT}\hbox {-}\mathsf {1}^{\mathcal {P}_{\mathsf {alg}},\mathcal {E}}_{\mathsf {IP},R}(\lambda ) \right] \).
The following theorem connects the online srs-wee security of a public-coin protocol \(\mathsf {IP}\) and the fs-ext-1 soundness of the non-interactive protocol \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\), obtained by applying the Fiat-Shamir transform using a random oracle.
Theorem 2
Let R be a relation. Let \(\mathsf {IP}\) be an \(r=r(\lambda )\)-challenge public-coin interactive protocol for the relation R where the length of the \(i^\text {th}\) challenge is \(\mathsf {cLen}_i(\lambda )\) such that \(\mathsf {sLen}(\lambda )\le \mathsf {cLen}_i(\lambda )\le \mathsf {hLen}(\lambda )\) for \(i\in \{1,\ldots ,r\}\). Let \(\mathcal {E}\) be an extractor for \(\mathsf {IP}\). We can construct an extractor \(\mathcal {E}^*\) for \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\) such that for every non-uniform algebraic prover \(\mathcal {P}^*_{\mathsf {alg}}\) against \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\) that makes \(q=q(\lambda )\) random oracle queries, there exist a non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) and a distinguisher \(\mathcal {D}\) such that for all \(\lambda \in \mathbb {N}^+\),
Moreover, \(\mathcal {P}_\mathsf {alg}\) makes at most q queries to its oracle and is nearly as efficient as \(\mathcal {P}^*_\mathsf {alg}\). The extractor \(\mathcal {E}^*\) is nearly as efficient as \(\mathcal {E}\).
The proof of this theorem is deferred to the full version [34].
In the above theorem we considered the challenges in \(\mathsf {IP}\) to be bitstrings – however, the theorem can be adapted to protocols where the challenges are drawn from sets that are not bitstrings. The denominator of the fraction in the bound would become the size of the smallest set from which the challenges are sampled, e.g., if the challenges in a protocol were all from the set \(\mathbb {Z}_p^*\), the fraction would become \((q+1)/(p-1)\).
We can also consider an adaptive notion of soundness where the prover can output the instance and proof together – we call this notion fs-ext-2. It is formally defined using the game \(\mathsf {FS}\hbox {-}\mathsf {EXT}\hbox {-}\mathsf {2}\) in Fig. 5. Unlike fs-ext-1, here the prover need not commit to the instance beforehand and can output the instance and proof together. For an interactive proof \(\mathsf {IP}\) and an associated relation R, an algebraic prover \(\mathcal {P}_\mathsf {alg}\), and an extractor \(\mathcal {E}\), we define \(\mathsf {Adv}^{\mathsf {fs}\hbox {-}\mathsf {ext}\hbox {-}\mathsf {2}}_{\mathsf {FS}^\mathbf {RO}[\mathsf {IP}], R}(\mathcal {P}_{\mathsf {alg}}, \mathcal {E}, \lambda ) = \mathsf {Pr}\left[ \mathsf {FS}\hbox {-}\mathsf {EXT}\hbox {-}\mathsf {2}^{\mathcal {P}_{\mathsf {alg}},\mathcal {E}}_{\mathsf {IP},R}(\lambda ) \right] \).
We assume that \(\mathsf {IP}\) has functions \(\mathsf {BadCh}\) and \(\mathsf {e}\) as described previously. Further, we assume \(\mathcal {T}^{\mathsf {IP}}_{\mathsf {BadCh}}\) is defined as above. We use \(p_{\mathsf {fail},\mathsf {FS}}(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}], \mathcal {P}_{\mathsf {alg}}, \mathsf {e}, R, \lambda )\) to denote the probability that in \(\mathsf {FS}\hbox {-}\mathsf {EXT}\hbox {-}\mathsf {2}^{\mathcal {P}_{\mathsf {alg}},\mathcal {E}}_{\mathsf {IP},R}\), \(\mathcal {P}_{\mathsf {alg}}\) outputs \((\left[ x \right] ,\left[ \pi \right] )\), \(\mathsf {accept}\) is \(\texttt {true}\), \(\pi \not \in \mathcal {T}^{\mathsf {IP}}_{\mathsf {BadCh}}\), but \(\mathsf {e}\) on input \((\left[ x \right] ,\left[ \pi \right] )\) fails to produce a valid witness. The following theorem upper bounds the fs-ext-2 soundness of the non-interactive protocol \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\).
Theorem 3
Let \(\mathsf {IP}\) be an \(r=r(\lambda )\)-challenge public-coin interactive proof for a relation R where the length of the \(i^\text {th}\) challenge is \(\mathsf {cLen}_i(\lambda )\) such that \(\mathsf {sLen}(\lambda )\le \mathsf {cLen}_i(\lambda )\le \mathsf {hLen}(\lambda )\) for \(i\in \{1,\ldots ,r\}\). Assume there exist functions \(\mathsf {BadCh}\) and \(\mathsf {e}\) as described previously and let \(p_{\mathsf {fail},\mathsf {FS}}\) be as described above. Let \(\tau '\) be a partial transcript such that the challenge that comes right after is sampled from \(\mathsf {Ch}_i\). Assume that for all \(i \in \{1, \ldots , r\}\), we have that \(\left| \mathsf {BadCh}(\tau ') \right| /\left| \mathsf {Ch}_i \right| \le \varepsilon \) for some \(\varepsilon \in [0,1]\). Then, there exists an extractor \(\mathcal {E}^*\) that uses \(\mathsf {e}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}^*\) for \(\mathsf {FS}^\mathbf {RO}[\mathsf {IP}]\) making at most \(q=q(\lambda )\) queries to its random oracle, for all \(\lambda \in \mathbb {N}^+\),
The time complexity of the extractor \(\mathcal {E}^*\) is \(O(q\cdot t_V+t_\mathsf {e})\) where \(t_V\) is the time required to run \(\mathsf {IP}.\mathsf {V}\) and \(t_\mathsf {e}\) is the time required to run \(\mathsf {e}\).
The proof of this theorem is similar to Theorem 1 and has been omitted.
5 Online srs-wee Security of Bulletproofs
In this section, we apply our framework to prove online srs-wee security in the AGM for two instantiations of Bulletproofs: range proofs (\(\mathsf {RngPf}\)) and proofs for arithmetic circuit satisfiability (\(\mathsf {ACSPf}\)). We first introduce the Bulletproofs inner product argument (\(\mathsf {InPrd}\)) in Sect. 5.1, which forms the core of both \(\mathsf {RngPf}\) and \(\mathsf {ACSPf}\). Then, in Sects. 5.2 and 5.3 we introduce and analyze the online srs-wee security of \(\mathsf {RngPf}\) and \(\mathsf {ACSPf}\), respectively.
5.1 Inner Product Argument \(\mathsf {InPrd}\)
We shall assume that \(\mathsf {InPrd}=\mathsf {InPrd}[\mathbb {G}]\) is instantiated on an understood family of groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) of order \(p=p(\lambda )\). Using \(\mathsf {InPrd}\), a prover can convince a verifier that \(P\in \mathbb {G}\) is a well-formed commitment to vectors \(\mathbf {a},\mathbf {b}\in \mathbb {Z}_p^n\) and their inner product \(\langle {\mathbf {a}},{\mathbf {b}} \rangle \). More precisely, the prover wants to prove to the verifier that \(P=\mathbf {g}^{\mathbf {a}}\mathbf {h}^{\mathbf {b}}u^{\langle {\mathbf {a}},{\mathbf {b}} \rangle }\) where \(\mathbf {g}\in \mathbb {G}^n,\mathbf {h}\in \mathbb {G}^n, u \in \mathbb {G}\) are independent generators of \(\mathbb {G}\). We assume that n is a power of 2 without loss of generality, since if needed one can pad the input appropriately to ensure that this holds. The prover and the verifier for \(\mathsf {InPrd}\) are formally defined in Fig. 6.
5.2 Online srs-wee Security of \(\mathsf {RngPf}\)
We shall assume that \(\mathsf {RngPf}=\mathsf {RngPf}[\mathbb {G}]\) is instantiated on an understood family of groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) of order \(p=p(\lambda )\). The argument \(\mathsf {RngPf}\) is an argument of knowledge for the relation
Description of \(\mathsf {RngPf}\). \(\mathsf {RngPf}.\mathsf {Setup}\) returns \(\mathbf {g}\in \mathbb {G}^n,\mathbf {h}\in \mathbb {G}^n,g,h,u\in \mathbb {G}\) where \(\mathbf {g},\mathbf {h}\) are vectors of independent generators and \(g,h,u\) are other independent generators of the group \(\mathbb {G}\). The prover and verifier for \(\mathsf {RngPf}\) are defined in Fig. 7.
In Theorem 4, we analyze the online srs-wee security of \(\mathsf {RngPf}\). Since \(\mathsf {RngPf}\) has a group element V in its input, the analysis of non-adaptive srs-wee security differs from the online srs-wee analysis. In the full version [34], we analyse the non-adaptive srs-wee security of \(\mathsf {RngPf}\) – it turns out that the proof is even harder in this case because the function \(\mathsf {e}\) does not have the representation of V. The resulting bound becomes the square root of the adaptive bound, due to our limited use of rewinding.
Theorem 4
Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of groups of order \(p=p(\lambda )\). Let \(\mathsf {RngPf}=\mathsf {RngPf}[\mathbb {G}]\) be the interactive argument as defined in Fig. 7, for the relation R in (4). We can construct an extractor \(\mathcal {E}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) making at most \(q=q(\lambda )\) queries to its oracle, there exists a non-uniform adversary \(\mathcal {F}\) with the property that for any (computationally unbounded) distinguisher \(\mathcal {D}\), for all \(\lambda \in \mathbb {N}^+\),
Moreover, the time complexity of the extractor \(\mathcal {E}\) is \(O(q\cdot n)\) and that of adversary \(\mathcal {F}\) is \(O(q\cdot n)\).
We show that the bound above is tight in Theorem 5. Using Theorem 2, we get the following corollary.
Corollary 1
Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of groups of order \(p=p(\lambda )\). Let \(\mathsf {RngPf}=\mathsf {RngPf}[\mathbb {G}]\) be the interactive argument as defined in Fig. 7, for the relation R in (4). Let \(\mathsf {FS}^\mathbf {RO}[\mathsf {RngPf}]\) be the non-interactive argument obtained by applying the Fiat-Shamir transform to \(\mathsf {RngPf}\) using a random oracle. We can construct an extractor \(\mathcal {E}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) making at most \(q=q(\lambda )\) queries to the random oracle there exists a non-uniform adversary \(\mathcal {F}\) with the property that for all \(\lambda \in \mathbb {N}^+\),
Moreover, the time complexity of the extractor \(\mathcal {E}\) is \(O(q\cdot n)\) and that of adversary \(\mathcal {F}\) is \(O(q\cdot n)\).
In order to prove Theorem 4, we invoke Theorem 1 by defining \(\mathsf {BadCh}\) and \(\mathsf {e}\) and showing that \(\varepsilon \le ({14n+8})/({p-1})\) and that there exists an adversary \(\mathcal {F}\) such that \( p_{\mathsf {fail}}(\mathsf {RngPf}, \mathcal {P}_{\mathsf {alg}},\mathsf {e},R,\lambda ) \le \mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {F})+{1}/{p}\). In more detail, we construct a function \(\mathsf {h}\) such that for an accepting transcript \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), if \(\mathsf {e}(\left[ \tau \right] )\) fails to produce a valid witness, then \(\mathsf {h}(\left[ \tau \right] )\) returns a non-trivial discrete logarithm relation with respect to the generators. This \(\mathsf {h}\) is used to construct an adversary \(\mathcal {H}\) against the discrete logarithm relation problem, and we invoke Lemma 2 to transform it into an adversary \(\mathcal {F}\) against the discrete logarithm problem, thus upper bounding \(p_{\mathsf {fail}}(\mathsf {RngPf}, \mathcal {P}_{\mathsf {alg}},\mathsf {e},R,\lambda )\) using \(\mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {F})\).
Proof
(Theorem 4). We extend the notation for representations of group elements introduced in Sect. 4 to representations with respect to a vector of group elements such as \(\mathbf {g}\). The representation of a group element \(A=\mathbf {g}^{a_\mathbf {g}}g^{a_g}\) with respect to \((\mathbf {g},g)\) is \(\left[ A \right] =(A,a_\mathbf {g},a_g)\) where \(a_\mathbf {g}=(a_{g_1},\cdots , a_{g_n})\).
Defining \(\mathsf {BadCh}\) and upper bounding \(\varepsilon \). To start off, we define \(\mathsf {BadCh}(\tau ')\) for all partial transcripts \(\tau '\). Let \(\mathsf {Ch}\) be the set from which the challenge that just follows \(\tau '\) is sampled. We use a helper function \(\mathsf {CheckBad}\) to define \(\mathsf {BadCh}(\tau ')\). The function \(\mathsf {CheckBad}\) takes as input a partial extended transcript \(\left[ \tau ' \right] \) and a challenge \(c\in \mathsf {Ch}\) and returns \(\texttt {true}\) if and only if \(c\in \mathsf {BadCh}(\tau ')\). For each verifier challenge in \(\mathsf {RngPf}\), there is a definition of \(\mathsf {CheckBad}\) in Fig. 8. Every \(\mathsf {CheckBad}\) function defines several bad conditions that depend on \(\tau '\) – most of these bad conditions are checked using the predicate \(\mathsf {SZ}\). This predicate takes as input a vector of polynomials and a corresponding vector of points to evaluate the polynomial on and returns \(\texttt {true}\) iff any of the polynomials is nonzero but its evaluation at the corresponding point is zero. One can safely ignore the details of the definitions of \(\mathsf {CheckBad}\) functions for now – the rationale behind their definitions shall become apparent later on.
The following lemma establishes an upper bound of \({(14n+8)}/{(p-1)}\) on \({\left| \mathsf {BadCh}(\tau ') \right| }/{\left| \mathsf {Ch} \right| }\).
Lemma 3
Let \(\tau '\) be a partial transcript for \(\mathsf {RngPf}\). Let \(\mathsf {Ch}\) be the set from which the challenge that comes right after \(\tau '\) is sampled. Then, \({\left| \mathsf {BadCh}(\tau ') \right| }/{\left| \mathsf {Ch} \right| }\le {(14n+8)}/{(p-1)}\).
The proof of this lemma has been deferred to the full version [34].
Defining \(\mathsf {e}\). Let \(\tau \) be a transcript of \(\mathsf {RngPf}\) as defined below.
Let \(\tau _c\) denote the prefix of \(\tau \) just before the challenge c. For example, \(\tau _{(y,z)}=\big ((n,\mathbf {g},\mathbf {h},u,g,h),V,(A,S)\big )\). The function \(\mathsf {e}\) simply returns \((v_g,v_h)\) (Fig. 9). However, its output is a valid witness only if \(v_\mathbf {g}=v_\mathbf {h}={\mathbf {0}}^{n}\), \(v_u=0\) and \(v_g\in [0,2^{n}-1]\).
Proving an upper bound on \(p_{\mathsf {fail}}(\mathsf {RngPf}, \mathcal {P}_{\mathsf {alg}},\mathsf {e},R,\lambda )\). We construct an adversary \(\mathcal {H}\) against the discrete logarithm relation problem that takes as input independent generators \(\mathbf {g},\mathbf {h},g,h,u\) of the group \(\mathbb {G}\) and works as follows. It simulates the game \(\mathsf {SRS}_{\mathsf {RngPf}}\) to \(\mathcal {P}_{\mathsf {alg}}\) using public parameters \(n,\mathbf {g},\mathbf {h},g,h,u\). If \(\mathcal {P}_{\mathsf {alg}}\) manages to produce an accepting transcript \(\tau \), \(\mathcal {H}\) calls a helper function \(\mathsf {h}\) on input \(\left[ \tau \right] \) and outputs whatever \(\mathsf {h}\) outputs. We shall define \(\mathsf {h}\) in such a way that for \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), if \(\mathsf {e}({\left[ \tau \right] })\) does not return a valid witness, then \(\mathsf {h}(\left[ \tau \right] )\) returns a non-trivial discrete logarithm relation. In other words, whenever \(\mathsf {e}({\left[ \tau \right] })\) fails to extract a valid witness for an accepting transcript \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), \(\mathcal {H}\) succeeds. So we have that \(p_{\mathsf {fail}}(\mathsf {RngPf}, \mathcal {P}_{\mathsf {alg}},\mathsf {e},R,\lambda )\le \mathsf {Adv}^{\mathsf {dl\hbox {-}rel}}_{\mathbb {G},2n+3}(\mathcal {H})\). Using Lemma 2, there exists an adversary \(\mathcal {F}\) such that \(p_{\mathsf {fail}}(\mathsf {RngPf}, \mathcal {P}_{\mathsf {alg}},\mathsf {e},R,\lambda ) \le \mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {F})+{1}/{p}\). We also have that \(\mathcal {F}\) is nearly as efficient as \(\mathcal {H}\).
Defining \(\mathsf {h}\). We next describe the \(\mathsf {h}\) function. Let \(\tau \), as defined in (5), be an accepting transcript. Since \(\tau \) is accepting, \(V^{z^2}g^{\delta (y,z)}T_1^xT_2^{x^2}=g^{\hat{t}}h^{\beta _x}\) must hold.
The function \(\mathsf {h}\) can plug in the representations of \(T_1,T_2,V\) into the above equation and compute \(e^{(1)}_\mathbf {g},e^{(1)}_\mathbf {h},e^{(1)}_g,e^{(1)}_h,e^{(1)}_u\) such that \( \mathbf {g}^{e^{(1)}_\mathbf {g}}\mathbf {h}^{e^{(1)}_\mathbf {h}}g^{e^{(1)}_g}h^{e^{(1)}_h}u^{e^{(1)}_u}=1 \). If not all of these are zero, \(\mathsf {h}\) returns \(e^{(1)}_\mathbf {g},e^{(1)}_\mathbf {h},e^{(1)}_g,e^{(1)}_h,e^{(1)}_u\).
Again since \(\tau \) is an accepting transcript, \(\mathsf {InPrd}.\mathsf {V}\) must have returned 1 and hence \(P^{(\log n)}=(\mathbf {g}^{(\log n)})^a(\mathbf {h}^{(\log n)})^bu^{a\cdot b}\) must hold. All the terms in the above equality can be expressed in terms of \(\mathbf {g},\mathbf {h},g,h,u\) and one can compute \(e^{(2)}_\mathbf {g},e^{(2)}_\mathbf {h},e^{(2)}_g,e^{(2)}_h, e^{(2)}_u\) such that \( \mathbf {g}^{e^{(2)}_\mathbf {g}}\mathbf {h}^{e^{(2)}_\mathbf {h}}g^{e^{(2)}_g}h^{e^{(2)}_h}u^{e^{(2)}_u}=1 \). The function \(\mathsf {h}\) computes and returns \(e^{(2)}_\mathbf {g},e^{(2)}_\mathbf {h},e^{(2)}_g,e^{(2)}_h, e^{(2)}_u\). We define the function \(\mathsf {h}\) formally in Fig. 10. It follows from the description of \(\mathsf {h}\) that it runs in time O(n). The running time of \(\mathcal {H}\) consists of the time required to answer q queries, to run \(\mathsf {RngPf}.\mathsf {V}\) on at most q paths in the execution tree, and to run \(\mathsf {h}\). Hence its time complexity is \(O(q\cdot n)\). Using Lemma 2, the time complexity of \(\mathcal {F}\) is \(O(q\cdot n)\).
Relating \(\mathsf {h},\mathsf {e}\). In order to complete the proof of Theorem 4, in the following lemma we show that for an accepting transcript \(\tau \) such that \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), if \(\mathsf {e}({\left[ \tau \right] })\) does not return a valid witness, then \(\mathsf {h}(\left[ \tau \right] )\) returns a non-trivial discrete logarithm relation. Proving this lemma concludes the proof of Theorem 4.
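As an added illustration (not the paper's code, and not the formal \(\mathsf {h}\) of Fig. 10), the following Python models the first check that \(\mathsf {h}\) performs: the representations of \(V,T_1,T_2\) are substituted into \(V^{z^2}g^{\delta (y,z)}T_1^xT_2^{x^2}=g^{\hat{t}}h^{\beta _x}\) and the exponent vector \(e^{(1)}\) over \((\mathbf {g},\mathbf {h},g,h,u)\) is returned. The group (a subgroup of order 1019 of \(\mathbb {Z}_{2039}^*\)), the secret exponents behind the generators, the formula for \(\delta (y,z)\) (taken from Bulletproofs) and the "prover" that happens to know a relation among the generators are all constructed for the demonstration; the last one shows concretely why a non-zero \(e^{(1)}\) is exactly the non-trivial discrete logarithm relation that \(\mathcal {H}\) can output.

```python
# Toy model of the first check of the helper h from the proof of Theorem 4
# (constructed example, not the paper's code).  Group elements live in the
# prime-order subgroup of Z_Q^* (Q = 2P+1); every element an algebraic prover
# sends comes with its representation, an exponent vector over the generators
# (g_1..g_n, h_1..h_n, g, h, u), stored in that order with entries mod P.
import random

P = 1019          # group order (small constructed value, not a real parameter)
Q = 2 * P + 1     # 2039 is prime, so Z_Q^* has a subgroup of order P
BASE = 4          # 4 = 2^2 is a quadratic residue != 1, hence has order P

def gen_generators(n, rng):
    """Constructed setup: the 2n+3 generators are BASE^s for secret s.  Nobody
    in the protocol knows these exponents; we keep them only to build a
    'prover' that knows a relation and to check h's output afterwards."""
    secrets = [rng.randrange(1, P) for _ in range(2 * n + 3)]
    return [pow(BASE, s, Q) for s in secrets], secrets

def commit(gens, rep):
    """Evaluate a representation: prod_i gens[i]^rep[i] mod Q."""
    out = 1
    for gi, ei in zip(gens, rep):
        out = out * pow(gi, ei % P, Q) % Q
    return out

def unit(n, i, coef=1):
    v = [0] * (2 * n + 3)
    v[i] = coef % P
    return v

def vadd(*vs):
    return [sum(col) % P for col in zip(*vs)]

def vscale(c, v):
    return [(c * x) % P for x in v]

def delta_yz(n, y, z):
    """Bulletproofs' delta(y,z) = (z - z^2)<1^n, y^n> - z^3 <1^n, 2^n> mod P."""
    sum_y = sum(pow(y, i, P) for i in range(n)) % P
    sum_2 = (pow(2, n, P) - 1) % P
    return ((z - z * z) * sum_y - pow(z, 3, P) * sum_2) % P

def helper_h_first_check(n, rep_V, rep_T1, rep_T2, x, z, delta, t_hat, beta_x):
    """First part of h: substitute the representations of V, T1, T2 into
    V^{z^2} g^{delta} T1^x T2^{x^2} = g^{t_hat} h^{beta_x} and return the
    exponent vector e^(1) with prod gens^{e^(1)} = 1.  A non-zero vector is a
    non-trivial discrete log relation among the generators."""
    ig, ih = 2 * n, 2 * n + 1                     # positions of g and h
    lhs = vadd(vscale(z * z, rep_V), unit(n, ig, delta),
               vscale(x, rep_T1), vscale(x * x, rep_T2))
    rhs = vadd(unit(n, ig, t_hat), unit(n, ih, beta_x))
    return vadd(lhs, vscale(P - 1, rhs))          # lhs - rhs mod P

def is_trivial(e):
    return all(c == 0 for c in e)

def honest_round(n, v, gamma, rng):
    """Honest prover's scalars for the T1/T2 round, as needed by the check."""
    ig, ih = 2 * n, 2 * n + 1
    t1, tau1, t2, tau2 = (rng.randrange(P) for _ in range(4))
    y, z, x = (rng.randrange(1, P) for _ in range(3))   # verifier challenges
    d = delta_yz(n, y, z)
    return dict(rep_V=vadd(unit(n, ig, v), unit(n, ih, gamma)),
                rep_T1=vadd(unit(n, ig, t1), unit(n, ih, tau1)),
                rep_T2=vadd(unit(n, ig, t2), unit(n, ih, tau2)),
                x=x, z=z, delta=d,
                t_hat=(v * z * z + d + t1 * x + t2 * x * x) % P,
                beta_x=(gamma * z * z + tau1 * x + tau2 * x * x) % P)

def verifier_first_check(gens, n, tr):
    """The verifier's group-level test of the same equation."""
    V, T1, T2 = (commit(gens, tr[k]) for k in ("rep_V", "rep_T1", "rep_T2"))
    g, h = gens[2 * n], gens[2 * n + 1]
    lhs = (pow(V, tr["z"] ** 2, Q) * pow(g, tr["delta"], Q)
           * pow(T1, tr["x"], Q) * pow(T2, tr["x"] ** 2, Q)) % Q
    return lhs == pow(g, tr["t_hat"], Q) * pow(h, tr["beta_x"], Q) % Q

def demo(n=4, seed=1):
    rng = random.Random(seed)
    gens, secrets = gen_generators(n, rng)
    honest = honest_round(n, v=5, gamma=77, rng=rng)
    e_honest = helper_h_first_check(n, **honest)
    # A prover that somehow knows a relation <secrets, w> = 0 mod P (the DL
    # assumption says it cannot) may shift the representation of T2 by w:
    # the element T2 is unchanged, verification still passes, and h returns
    # x^2 * w, a non-trivial relation that H outputs to win the DL-rel game.
    w = unit(n, 0)
    w[1] = (-secrets[0] * pow(secrets[1], P - 2, P)) % P
    cheat = dict(honest, rep_T2=vadd(honest["rep_T2"], w))
    e_cheat = helper_h_first_check(n, **cheat)
    return (verifier_first_check(gens, n, honest), is_trivial(e_honest),
            verifier_first_check(gens, n, cheat), is_trivial(e_cheat),
            commit(gens, e_cheat) == 1)

if __name__ == "__main__":
    print(demo())   # (True, True, True, False, True)
```

For the honest prover the \(g\)-coordinate of \(e^{(1)}\) is \(v_gz^2+\delta (y,z)+t_{1g}x+t_{2g}x^2-\hat{t}\), which is zero by construction of \(\hat{t}\); the same holds on the \(h\)-coordinate with \(\beta _x\). Only a prover holding a relation among the generators can make the verifier's group check pass with an inconsistent representation, and then \(\mathsf {h}\) hands that relation straight to \(\mathcal {H}\).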
Lemma 4
Let \(\tau \), as defined in (5), be an accepting transcript of \(\mathsf {RngPf}\) such that \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\). If \(\mathsf {e}({\left[ \tau \right] })\) returns \((v^*,\gamma ^*)\) such that at least one of the following holds: \(g^{v^*}h^{\gamma ^*}\ne V\) or \(v^*\not \in [0,2^n-1]\), then \(\mathsf {h}(\left[ \tau \right] )\) returns a non-trivial discrete logarithm relation.
Proof
(Lemma 4). For simplicity, we shall prove the contrapositive of the statement, i.e., assuming \(\mathsf {h}(\left[ \tau \right] )\) returns a trivial discrete logarithm relation, we show that \(g^{v^*}h^{\gamma ^*}= V\) and \(v^*\in [0,2^n-1]\).
In order to prove \(g^{v^*}h^{\gamma ^*}=V \text { and } v^*\in [0,2^n-1]\), it suffices to show that \(v_\mathbf {g}=v_\mathbf {h}={\mathbf {0}}^{n}\), \(v_u=0\) and \(v_g\in [0,2^n-1]\). Let us denote by \(\tau _c\) the partial transcript that is the prefix of \(\tau \) just before the challenge c. For example \(\tau _{(y,z)}=\big ((n,\mathbf {g},\mathbf {h},u,g,h),V,(A,S)\big )\). Since we assumed that \(\mathsf {h}(\left[ \tau \right] )\) returns \(({\mathbf {0}}^{n},{\mathbf {0}}^{n},0,0,0)\), we have that for \(i=1,2\), \((e^{(i)}_\mathbf {g},e^{(i)}_\mathbf {h},e^{(i)}_g,e^{(i)}_h,e^{(i)}_u)=({\mathbf {0}}^{n},{\mathbf {0}}^{n},0,0,0)\).
Writing out the expression for \(e^{(1)}_\mathbf {g}\) we get \(v_\mathbf {g}z^2+t_{1\mathbf {g}}x+t_{2\mathbf {g}}x^2={\mathbf {0}}^{n}\). Since \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), we have that \(x\not \in \mathsf {BadCh}(\tau _x)\). Therefore, \(\mathsf {SZ}(f_1(X),x)\) is \(\texttt {false}\) where \(f_1\) is as defined in \(\mathsf {CheckBad}(\tau ',x)\). Since we have here that \(f_1(x)=0\), the polynomial \(f_1(X)\) is the zero vector polynomial. Since \(z\ne 0\) it follows that \(v_\mathbf {g}={\mathbf {0}}^{n}\). Similarly, using \(e^{(1)}_\mathbf {h}={\mathbf {0}}^{n}\) and \(e^{(1)}_u=0\) we can show that \(v_\mathbf {h}={\mathbf {0}}^{n}\) and \(v_u=0\) respectively. Writing out the expression for \(e^{(1)}_g\) we have \(v_gz^2+\delta (y,z)+t_{1g}x+t_{2g}x^2-\hat{t}=0\). Hence,
Using \(e^{(2)}_{\mathbf {g}}={\mathbf {0}}^{n}\) we get for all \(k \in \{0,\ldots ,n-1\}\)
Using \(e^{(2)}_{\mathbf {h}}={\mathbf {0}}^{n}\) we get for all \(k \in \{0,\ldots ,n-1\}\)
Using \(e^{(2)}_u=0\) we get that
We shall next use the following lemma which essentially says that if all of \(e^{(2)}_{\mathbf {g}},e^{(2)}_{\mathbf {h}},e^{(2)}_{u},e^{(2)}_{g},e^{(2)}_{h}\) are zero and \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), then \(w\cdot \langle {p'_\mathbf {g}},{p'_\mathbf {h}\circ {\mathbf {y}}^{n}} \rangle =p'_u\).
Lemma 5
Let \(\tau \), as shown in (5), be an accepting transcript of \(\mathsf {RngPf}\) such that \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\). Let
Suppose that for all \(k \in \{0,\ldots ,n-1\}\)
Also, \(\left( \sum \limits _{i=1}^{\log n}(l_{iu}x_i^2+r_{iu}x_i^{-2})\right) +p'_u-w\cdot ab=0\). Then \( w\cdot \langle {p'_\mathbf {g}},{p'_\mathbf {h}\circ {\mathbf {y}}^{n}} \rangle =p'_u \).
The proof of this lemma is a generalization of the proof that we gave for the inner product argument for \(n=2\) in the technical overview. We defer the proof of Lemma 5 to the full version [34].
Since \(\tau \) is an accepting transcript of \(\mathsf {RngPf}\) and \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\) and (7) to (9) hold, using Lemma 5, we get \( w\langle {p'_\mathbf {g}},{p'_\mathbf {h}\circ {\mathbf {y}}^{n}} \rangle =p'_u\). Plugging in the values of \(p'_\mathbf {g},p'_\mathbf {h},p'_u\) we get
Since \(\tau \not \in \mathcal {T}^{\mathsf {RngPf}}_{\mathsf {BadCh}}\), we have that \(w\not \in \mathsf {BadCh}(\tau _w)\). Therefore, \(\mathsf {SZ}(f(W),w)\) is \(\texttt {false}\) where f is as defined in \(\mathsf {CheckBad}(\tau ',w)\). Since we have here that \(f(w)=0\), the polynomial \(f(W)\) must be the zero polynomial. In particular its \(W\) term must be zero, i.e., \(\langle {a_{\mathbf {g}}+xs_{\mathbf {g}}-z{\mathbf {1}}^{n}},{(a_{\mathbf {h}}+xs_{\mathbf {h}}+z{\mathbf {1}}^{n})\circ {\mathbf {y}}^{n}+z^2{\mathbf {2}}^{n}} \rangle =\hat{t}\). Plugging in the value of \(\hat{t}\) obtained in (6) and using \(x\not \in \mathsf {BadCh}(\tau _x)\), we have that
Plugging in the value of \(\delta (y,z)\), rearranging and simplifying we get
Using \((y,z)\not \in \mathsf {BadCh}(\tau _{(y,z)})\), we get that \(v_g-\langle {a_{\mathbf {g}}},{{\mathbf {2}}^{n}} \rangle =0\), \(a_{\mathbf {g}}-a_{\mathbf {h}}-{\mathbf {1}}^{n}={\mathbf {0}}^{n}\), \(a_{\mathbf {g}}\circ a_{\mathbf {h}}={\mathbf {0}}^{n}\). Note that \(a_{\mathbf {g}}-a_{\mathbf {h}}-{\mathbf {1}}^{n}={\mathbf {0}}^{n}\) and \(a_{\mathbf {g}}\circ a_{\mathbf {h}}={\mathbf {0}}^{n}\) imply that \(a_{\mathbf {g}}\in \{0,1\}^n\). Further \(v_g-\langle {a_{\mathbf {g}}},{{\mathbf {2}}^{n}} \rangle =0\), i.e., \(v_g=\langle {a_{\mathbf {g}}},{{\mathbf {2}}^{n}} \rangle \). So, \(v_g\in [0,2^n-1]\). Therefore, \(v^*,\gamma ^*\) output by \(\mathsf {e}({\left[ \tau \right] })\) satisfy \(V=g^{v^*}h^{\gamma ^*}\) and \( v^*\in [0,2^n-1]\). This concludes the proof of Lemma 4 and Theorem 4. \(\square \)
Further, for a prover \(\mathcal {P}_\mathsf {alg}\) for \(\mathsf {FS}^\mathbf {RO}[\mathsf {RngPf}]\), and the \(\mathsf {e}\) we define in the proof of Theorem 4, we can upper bound \(p_{\mathsf {fail},\mathsf {FS}}(\mathsf {FS}^\mathbf {RO}[\mathsf {RngPf}], \mathcal {P}_{\mathsf {alg}}, \mathsf {e}, R, \lambda )\) using techniques very similar to those used in the proof of Theorem 4. This is because we can prove that if the prover outputs an instance and an accepting proof and \(\mathsf {e}\) fails to produce a valid witness, then we can compute a non-trivial discrete logarithm relation from the representation of the transcript and instance, unless one of the challenges in the transcript is bad, which we can show happens with small probability. Then using Theorem 3 we obtain a bound for the fs-ext-2 security of \(\mathsf {FS}^\mathbf {RO}[\mathsf {RngPf}]\) similar to the one we obtained for fs-ext-1 security in Corollary 1.
Tightness of Theorem 4. We next argue that the factor \(O(nq/(p-1))\) in Theorem 4 is tight. We first note that the protocol \(\mathsf {RngPf}\) can be used for the following relation
by fixing \(\gamma \) to 0.
We shall construct a cheating prover \(\mathcal {P}\) (that makes O(q) queries to \(\mathbf {O}_{\mathrm {ext}}\)) for the relation \(R'\) that outputs an instance \(V=g^v\) such that \(v \not \in [0,2^n-1]\) but can still convince the \(\mathsf {RngPf}\) verifier with probability \(\varOmega (nq/(p-1))\) if n divides \(p-1\). This would imply that the bound in Theorem 4 is tight up to constant factors.
Theorem 5
Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of groups of prime order \(p=p(\lambda )\). Let \(\mathsf {RngPf}=\mathsf {RngPf}[\mathbb {G}]\) be the interactive argument for the relation \(R'\) in (10) obtained by setting \(\gamma =0\) in the protocol defined in Fig. 7. If n divides \(p-1\), we can construct a non-uniform prover \(\mathcal {P}\) making at most \(q+\log n+1\) queries to its oracle, such that for all \(\lambda \in \mathbb {N}^+\), \(\mathsf {Adv}^{\mathsf {srs}}_{\mathsf {RngPf}}(\mathcal {P}, \lambda ) = {(n-1)q}/({p-1})\).
The proof of this theorem has been deferred to the full version [34].
5.3 Online srs-wee Security for \(\mathsf {ACSPf}\)
In this section, we introduce \(\mathsf {ACSPf}\) and apply our framework to prove online srs-wee security. As shown in [10], any arithmetic circuit with n multiplication gates can be represented using a constraint system that has three vectors \(\mathbf {a}_L,\mathbf {a}_R,\mathbf {a}_O\in \mathbb {Z}_p^n\) representing the left inputs, right inputs, and outputs of multiplication gates respectively, so that \(\mathbf {a}_L \circ \mathbf {a}_R =\mathbf {a}_O\), with additional \(Q\le 2n\) linear constraints. The linear constraints can be represented as \(\mathbf {a}_L\cdot \mathbf {W}_L+\mathbf {a}_R\cdot \mathbf {W}_R +\mathbf {a}_O\cdot \mathbf {W}_O=\mathbf {c}\), where \(\mathbf {W}_L,\mathbf {W}_R,\mathbf {W}_O\in \mathbb {Z}_p^{Q\times n}\).
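As an added example (not code from the paper or from [10]), the following Python builds the constraint system just described for the small circuit \(x^3+x+5=35\) and checks a candidate witness against it. The circuit has two multiplication gates, so \(n=2\), and needs \(Q=4\le 2n\) linear constraints: three of them wire gate inputs and outputs together, the fourth encodes the public equation. The prime, the circuit and the witness are constructed for the demonstration; the matrices are applied as \(\mathbf {W}\cdot \mathbf {a}\) with \(\mathbf {W}\in \mathbb {Z}_p^{Q\times n}\), which is the same content as the product written above.

```python
# Constructed example: the constraint system a_L o a_R = a_O plus Q linear
# constraints W_L a_L + W_R a_R + W_O a_O = c over Z_P, for x^3 + x + 5 = 35.
# Not the paper's code; P is a constructed modulus (2^61 - 1 is prime).
P = 2 ** 61 - 1

def hadamard(a, b):
    return [(x * y) % P for x, y in zip(a, b)]

def matvec(W, a):
    """Row-by-row product of a Q x n matrix with a length-n vector, mod P."""
    return [sum(w * x for w, x in zip(row, a)) % P for row in W]

def vec_add(*vs):
    return [sum(col) % P for col in zip(*vs)]

def satisfies(aL, aR, aO, WL, WR, WO, c):
    """True iff (aL, aR, aO) satisfies the multiplication gates and all Q
    linear constraints of the system (WL, WR, WO, c)."""
    n = len(aL)
    if not (len(aR) == len(aO) == n):
        return False
    if hadamard(aL, aR) != [x % P for x in aO]:
        return False
    lin = vec_add(matvec(WL, aL), matvec(WR, aR), matvec(WO, aO))
    return lin == [x % P for x in c]

def cube_plus_x_plus_5_system():
    """Gates: t1 = x * x, t2 = t1 * x, so a_L = (x, t1), a_R = (x, x),
    a_O = (t1, t2).  Linear constraints (Q = 4 <= 2n):
      1. a_R[0] - a_L[0] = 0      right input of gate 1 is x
      2. a_R[1] - a_L[0] = 0      right input of gate 2 is x
      3. a_L[1] - a_O[0] = 0      left input of gate 2 is t1
      4. a_O[1] + a_L[0] = 30     t2 + x + 5 = 35
    """
    neg1 = P - 1
    WL = [[neg1, 0], [neg1, 0], [0, 1], [1, 0]]
    WR = [[1, 0], [0, 1], [0, 0], [0, 0]]
    WO = [[0, 0], [0, 0], [neg1, 0], [0, 1]]
    c = [0, 0, 0, 30]
    return WL, WR, WO, c

def witness_for(x):
    """Honest prover's assignment of the gate wires for a given x."""
    t1 = x * x % P
    t2 = t1 * x % P
    return [x, t1], [x, x], [t1, t2]

if __name__ == "__main__":
    system = cube_plus_x_plus_5_system()
    print(satisfies(*witness_for(3), *system))   # True  (27 + 3 + 5 = 35)
    print(satisfies(*witness_for(2), *system))   # False (8 + 2 + 5 != 35)
```

The wiring constraints are what make \(Q\) grow with the circuit: every reuse of a wire as a gate input costs one linear row, which is why the bound \(Q\le 2n\) appears in the description above.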
We shall assume that \(\mathsf {ACSPf}=\mathsf {ACSPf}[\mathbb {G}]\) is instantiated on an understood family of groups \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) of order \(p=p(\lambda )\). The argument \(\mathsf {ACSPf}\) is an argument of knowledge for the relation
The description of \(\mathsf {ACSPf}\) is deferred to the full version [34]. We prove the following theorem that gives an upper bound on the advantage against online srs-wee security of \(\mathsf {ACSPf}\).
Theorem 6
Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of groups of order \(p=p(\lambda )\). Let \(\mathsf {ACSPf}=\mathsf {ACSPf}[\mathbb {G}]\) be the Bulletproofs interactive argument system for arithmetic circuit satisfiability for the relation R in (11). We can construct an extractor \(\mathcal {E}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) making at most \(q=q(\lambda )\) queries to its oracle, there exists a non-uniform adversary \(\mathcal {F}\) with the property that for any (computationally unbounded) distinguisher \(\mathcal {D}\), for all \(\lambda \in \mathbb {N}^+\), \(\mathsf {Adv}^{\mathsf {sr}\hbox {-}\mathsf {wee}}_{\mathsf {ACSPf},R}(\mathcal {P}_{\mathsf {alg}}, \mathcal {D}, \mathcal {E}, \lambda ) \le {((14n+8)q)}/({p-1}) +\mathsf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathcal {F},\lambda )+{1}/{p}\).
Moreover, the time complexity of the extractor \(\mathcal {E}\) is \(O(q\cdot n)\) and that of adversary \(\mathcal {F}\) is \(O(q\cdot n)\).
We can show that the bound in Theorem 6 is tight by constructing a cheating prover like we did in Theorem 5. Using Theorem 2, we can get a corollary about fs-ext-1 security of \(\mathsf {FS}^\mathbf {RO}[\mathsf {ACSPf}]\) which we include in the full version [34]. Additionally, using techniques similar to those in the proof of Theorem 6, we can prove a similar bound for fs-ext-2 security of \(\mathsf {FS}^\mathbf {RO}[\mathsf {ACSPf}]\). The proof of Theorem 6 is similar to the proof of Theorem 4 and has been deferred to the full version [34].
6 Online srs-wee Security of Sonic
We apply our framework to prove srs-wee security of Sonic [18], which is an interactive argument for arithmetic circuit satisfiability based on pairings (we refer to this argument as \(\mathsf {SnACSPf}\)). The argument \(\mathsf {SnACSPf}\) is again an argument of knowledge for the relation (11). The description of \(\mathsf {SnACSPf}\) has been deferred to the full version [34]. We prove the following theorem that establishes an upper bound on the advantage against online srs-wee security of \(\mathsf {SnACSPf}\).
Theorem 7
Let \(\mathbb {G}=\{\mathbb {G}_\lambda \}_{\lambda \in \mathbb {N}^+}\) be a family of groups with order \(p=p(\lambda )\). Let \(\mathbb {G}_T=\{\mathbb {G}_{T,\lambda }\}_{\lambda \in \mathbb {N}^+}\) be a family of groups such that there exists a bilinear map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). Let \(\mathsf {SnACSPf}=\mathsf {SnACSPf}[\mathbb {G},\mathbb {G}_T,e]\) be the Sonic interactive argument system for the relation R in (11). We can construct an extractor \(\mathcal {E}\) such that for any non-uniform algebraic prover \(\mathcal {P}_{\mathsf {alg}}\) making at most \(q=q(\lambda )\) queries to its oracle, there exist non-uniform adversaries \(\mathcal {F}_1,\mathcal {F}_2,\mathcal {F}_3\) with the property that for any (computationally unbounded) distinguisher \(\mathcal {D}\), for all \(\lambda \in \mathbb {N}^+\),
Moreover, the time complexities of the extractor \(\mathcal {E}\) and adversaries \(\mathcal {F}_1,\mathcal {F}_2,\mathcal {F}_3\) are all \(O(q\cdot n)\).
We can show that the bound in Theorem 7 is tight by constructing a cheating prover like we did in Theorem 5. Using Theorem 2, we can get a corollary about fs-ext-1 security of \(\mathsf {FS}^\mathbf {RO}[\mathsf {SnACSPf}]\) which we state in the full version [34]. Additionally, using techniques similar to those in the proof of Theorem 7, we can prove a similar bound for fs-ext-2 security of \(\mathsf {FS}^\mathbf {RO}[\mathsf {SnACSPf}]\). The proof of Theorem 7 has been deferred to the full version [34].
Notes
 1.
 2.
In this introduction, security is with respect to soundness – usually the analysis of zero-knowledge security is much more straightforward.
 3.
For the circuit satisfiability version of our result, one should think of \(n = 2^{20}\) and \(p = 2^{256}\) as representative values.
 4.
We use boldface to denote vectors. For two vectors \(\mathbf {a}=(a_1,\ldots ,a_n),\mathbf {g}=(g_1,\ldots ,g_n)\), we use \(\mathbf {g}^\mathbf {a}\) to denote \(\prod \limits _{i=1}^n g_i^{a_i}\).
References
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: 17th ACM STOC, pp. 291–304. ACM Press (May 1985)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press (Nov 1993)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (May 2018)
Monero to become first billion-dollar crypto to implement ‘bulletproofs’ tech. https://www.coindesk.com/monero-to-become-first-billion-dollar-crypto-to-implement-bulletproofs-tech
Signal adds a payments feature—with a privacy-focused cryptocurrency. https://www.wired.com/story/signal-mobilecoin-payments-messaging-cryptocurrency/
Nick, J., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. Cryptology ePrint Archive, Report 2020/1057 (2020). https://eprint.iacr.org/2020/1057
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Jaeger, J., Tessaro, S.: Expected-time cryptography: generic techniques and applications to concrete soundness. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part III. LNCS, vol. 12552, pp. 414–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_15
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
Holmgren, J.: On round-by-round soundness and state restoration attacks. Cryptology ePrint Archive, Report 2019/1261 (2019). https://eprint.iacr.org/2019/1261
Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 171–189. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_10
Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_22
Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 2111–2128. ACM Press (Nov 2019)
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943. IEEE Computer Society Press (May 2018)
Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. Cryptology ePrint Archive, Report 2020/1274 (2020). https://eprint.iacr.org/2020/1274
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Canetti, R., Chen, Y., Holmgren, J., Lombardi, A., Rothblum, G.N., Rothblum, R.D.: Fiat-Shamir from simpler assumptions. Cryptology ePrint Archive, Report 2018/1004 (2018). https://eprint.iacr.org/2018/1004
Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1082–1090. ACM Press (Jun 2019)
Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. In: 31st FOCS, pp. 2–10. IEEE Computer Society Press (Oct 1990)
Haitner, I.: A parallel repetition theorem for any interactive argument. In: 50th FOCS, pp. 241–250. IEEE Computer Society Press (Oct 2009)
Håstad, J., Pass, R., Wikström, D., Pietrzak, K.: An efficient parallel repetition theorem. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_1
Chung, K.-M., Liu, F.-H.: Parallel repetition theorems for interactive arguments. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 19–36. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_2
Berman, I., Haitner, I., Tsfadia, E.: A tight parallel repetition theorem for partially simulatable interactive arguments via smooth KL-divergence. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 544–573. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_19
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23
Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2020). https://eprint.iacr.org/2019/1177
Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3
Ghoshal, A., Tessaro, S.: Tight state-restoration soundness in the algebraic group model. Cryptology ePrint Archive, Report 2020/1351 (2020). https://eprint.iacr.org/2020/1351
Acknowledgements
We thank Joseph Jaeger for extensive discussions and his involvement in the earlier stages of this work. We thank the anonymous reviewers for helpful comments. This work was partially supported by NSF grants CNS-1930117 (CAREER), CNS-1926324, CNS-2026774, a Sloan Research Fellowship, and a JP Morgan Faculty Award.
© 2021 International Association for Cryptologic Research
Ghoshal, A., Tessaro, S. (2021). Tight State-Restoration Soundness in the Algebraic Group Model. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, vol 12827. Springer, Cham. https://doi.org/10.1007/978-3-030-84252-9_3
DOI: https://doi.org/10.1007/978-3-030-84252-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84251-2
Online ISBN: 978-3-030-84252-9