Skip to main content
SpringerLink
Log in
Book cover

International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2022: Advances in Cryptology – ASIACRYPT 2022 pp 403–433Cite as

Efficient Zero-Knowledge Arguments in Discrete Logarithm Setting: Sublogarithmic Proof or Sublinear Verifier

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13792)

Abstract

We propose three interactive zero-knowledge arguments for arithmetic circuit of size N in the common random string model, which can be converted to be non-interactive by Fiat-Shamir heuristics in the random oracle model. First argument features \(O(\sqrt{\log N})\) communication and round complexities and O(N) computational complexity for the verifier. Second argument features \(O(\log N)\) communication and \(O(\sqrt{N})\) computational complexity for the verifier. Third argument features \(O(\log N)\) communication and \(O(\sqrt{N}\log N)\) computational complexity for the verifier. Contrary to first and second arguments, the third argument is free of reliance on pairing-friendly elliptic curves. The soundness of three arguments is proven under the standard discrete logarithm and/or the double pairing assumption, which is at least as reliable as the decisional Diffie-Hellman assumption.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We often use a terminology ‘transparent’ in the meaning of ‘without trusted setup’.

  2. 2.

    Note that we use the indices \((1,-1)\) instead of (1, 2) since it harmonizes well with the usage of the challenges in Bulletproofs and our generalization of Bulletproofs. e.g., let \({\boldsymbol{a}}={\boldsymbol{a}}_1\Vert {\boldsymbol{a}}_{-1}\) be a witness and x be a challenge, and then \({\boldsymbol{a}}\) is updated to \(\sum _{i=\pm 1}{\boldsymbol{a}}_i x^i\), a witness for the next recursive round.

  3. 3.

    The BP-IP is about two witness vectors \({\boldsymbol{a}}\) and \({\boldsymbol{b}}\) and it can be easily modified with one witness vector \({\boldsymbol{a}}\) and a public \({\boldsymbol{b}}\). e.g., [46]. Our multi-exponentiation argument corresponds to this variant.

  4. 4.

    Note that when the communication complexity is evaluated, we set \(n=2^{\sqrt{\log N}}\) that is much smaller than \(\sqrt{N}=2^{\frac{1}{2}\log N}\), and thus our estimation for computational cost makes sense.

  5. 5.

    Note that this operation is also called “projecting bilinear map" in the context of converting composite-order bilinear groups to prime-order bilinear groups [26].

  6. 6.

    Note that the DL assumption on \({\mathbb {G}}_1\) implies the DL assumption on \({\mathbb {G}}_t\) by the MOV attack [39].

  7. 7.

    If needed, we can appropriately pad zeros in the vectors since zeros do not affect the result of inner-product.

  8. 8.

    More precisely, we use a slightly modified Pedersen commitment scheme in the sense that (1) opening is not an integer but a vector and (2) the random element is always set to be zero since the hiding property is not required.

  9. 9.

    Notice that we use a subscript k in reverse order from \(k=\ell \) to \(k=1\). That is, \(\mathsf {Protocol4.Row}\) reduces an instance from \(P_{k+1}\) to \(P_{k}\).

References

  1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016)

    CrossRef  MathSciNet  MATH  Google Scholar 

  2. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In ACM CCS 2017, pp. 2087–2104. ACM (2017)

    Google Scholar 

  3. Bayer, S., Groth, J.: Zero-knowledge argument for polynomial evaluation with application to blacklists. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 646–663. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_38

    CrossRef  Google Scholar 

  4. Bellare M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62–73. ACM (1993)

    Google Scholar 

  5. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046

  6. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6

    CrossRef  MATH  Google Scholar 

  7. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

    CrossRef  Google Scholar 

  8. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2

    CrossRef  Google Scholar 

  9. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX Security, vol. 2014, pp. 781–796 (2014)

    Google Scholar 

  10. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS 2012, pp. 326–349. Springer (2012)

    Google Scholar 

  11. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for snarks and proof-carrying data. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 111–120. ACM(2013)

    Google Scholar 

  12. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. J. Cryptol. 17(4), 297–319 (2004)

    CrossRef  MathSciNet  MATH  Google Scholar 

  13. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    CrossRef  MATH  Google Scholar 

  14. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12

    CrossRef  Google Scholar 

  15. Bootle, J., Chiesa, A., Liu, S.: Zero-knowledge IOPs with linear-time prover and polylogarithmic-time verifier. In: EUROCRYPT 2022, vol. 13276. LNCS, pp. 275–304. Springer, Cham (2022) https://doi.org/10.1007/978-3-031-07085-3_10

  16. Bosma, W., Lenstra, H.W.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53, 229–240 (1995)

    CrossRef  MathSciNet  MATH  Google Scholar 

  17. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: Short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy 2018, pp 315–334. IEEE Computer Society (2018)

    Google Scholar 

  18. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

    CrossRef  Google Scholar 

  19. Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 65–97. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_3

    CrossRef  Google Scholar 

  20. Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457–476 (2010)

    CrossRef  MathSciNet  MATH  Google Scholar 

  21. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

    CrossRef  Google Scholar 

  22. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

    CrossRef  Google Scholar 

  23. dalek cryptography:Bulletproofs (2018). https://github.com/dalek-cryptography/bulletproofs

  24. Daza, V., Ràfols, C., Zacharakis, A.: Updateable inner product argument with logarithmic verifier and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 527–557. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_18

    CrossRef  Google Scholar 

  25. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

    CrossRef  Google Scholar 

  26. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_3

    CrossRef  Google Scholar 

  27. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: Plonk: Permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://eprint.iacr.org/2019/953.pdf

  28. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

    CrossRef  Google Scholar 

  29. Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_12

    CrossRef  Google Scholar 

  30. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

    CrossRef  Google Scholar 

  31. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23

    CrossRef  Google Scholar 

  32. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

    CrossRef  Google Scholar 

  33. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9

    CrossRef  Google Scholar 

  34. Hoffmann, M., Klooß, M., Rupp, A.: Efficient zero-knowledge arguments in the discrete log setting, revisited. In: ACM CCS, vol. 2019, pp. 2093–2110 (2019)

    Google Scholar 

  35. Kim, S., Lee, H., Seo, J.H.: Efficient zero-knowledge argument in discrete logarithm setting: Sublogarithmic proof or sublinear verifier. Cryptology ePrint Archive, Paper 2021/1450 (2021). https://eprint.iacr.org/2021/1450

  36. libsnark (2017). https://github.com/scipr-lab/libsnark

  37. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

    CrossRef  Google Scholar 

  38. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: Zero-knowledge snarks from linear-size universal and updatable structured reference strings. In ACM CCS 2019, pp. 2111–2128. Association for Computing Machinery (2019)

    Google Scholar 

  39. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)

    CrossRef  MathSciNet  MATH  Google Scholar 

  40. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: Nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy 2013, pp. 238–252. IEEE (2013)

    Google Scholar 

  41. Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_16

    CrossRef  Google Scholar 

  42. Savaş, E., Schmidt, T.A., Koç, Ç.K.: Generating elliptic curves of prime order. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 142–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_13

    CrossRef  Google Scholar 

  43. Scott, M.: On the deployment of curve based cryptography for the internet of things. Cryptology ePrint Archive, Report 2020/514 (2020). https://eprint.iacr.org/2020/514

  44. Seo, J.H.: Round-efficient sub-linear zero-knowledge arguments for linear algebra. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 387–402. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_24

    CrossRef  Google Scholar 

  45. Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

    CrossRef  Google Scholar 

  46. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: IEEE Symposium on Security and Privacy 2018, pp. 926–943. IEEE (2018)

    Google Scholar 

  47. Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24

    CrossRef  Google Scholar 

  48. Zhang, J., Xie, T., Zhang, Y., Song., D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: IEEE Symposium on Security and Privacy 2020, pp. 859–876. IEEE (2019)

    Google Scholar 

Download references

Acknowledgement

We thank Taechan Kim for discussion on complete addition formulas for elliptic curves. This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) grant funded by the Korea Government (MSIT) (A Study on Cryptographic Primitives for SNARK, 50%) under Grant 20210007270012002, and in part by the National Research Foundation of Korea (NRF) grant funded by the Korean Government (MSIT), 50%, under Grant 2020R1C1C1A0100696812.

Author information

Authors and Affiliations

  1. Department of Information Security, Seoul Women’s University, Seoul, 01797, Republic of Korea

    Sungwook Kim

  2. Department of Mathematics and Research Institute for Natural Sciences, Hanyang University, Seoul, 04763, Republic of Korea

    Hyeonbum Lee & Jae Hong Seo

Authors
  1. Sungwook Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hyeonbum Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jae Hong Seo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jae Hong Seo .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Madras, Chennai, India

    Shweta Agrawal

  2. Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kim, S., Lee, H., Seo, J.H. (2022). Efficient Zero-Knowledge Arguments in Discrete Logarithm Setting: Sublogarithmic Proof or Sublinear Verifier. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13792. Springer, Cham. https://doi.org/10.1007/978-3-031-22966-4_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22966-4_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22965-7

  • Online ISBN: 978-3-031-22966-4

  • eBook Packages: Computer ScienceComputer Science (R0)

search

Navigation