Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs

Dan Boneh, Yuval Ishai, Amit Sahai, David J. Wu

Research output: Chapter in Book/Report/Conference proceeding, Chapter, peer-review

17 Scopus citations

Abstract

Succinct non-interactive arguments (SNARGs) enable verifying $\mathsf{NP}$ computations with significantly less complexity than that required for classical $\mathsf{NP}$ verification. In this work, we focus on simultaneously minimizing the proof size and the prover complexity of SNARGs. Concretely, for a security parameter $\lambda$, we measure the asymptotic cost of achieving soundness error $2^{-\lambda}$ against provers of size $2^{\lambda}$. We say a SNARG is quasi-optimally succinct if its proof length is $\widetilde{O}(\lambda)$, and that it is quasi-optimal if, moreover, its prover complexity is only polylogarithmically greater than the running time of the classical $\mathsf{NP}$ prover. We show that this definition is the best we could hope for assuming that $\mathsf{NP}$ does not have succinct proofs. Our definition strictly strengthens the previous notion of quasi-optimality introduced in the work of Boneh et al. (Eurocrypt 2017). This work gives the first quasi-optimal SNARG for Boolean circuit satisfiability from a concrete cryptographic assumption. Our construction takes a two-step approach. The first is an information-theoretic construction of a quasi-optimal linear multi-prover interactive proof (linear MIP) for circuit satisfiability. Then, we describe a generic cryptographic compiler that transforms our quasi-optimal linear MIP into a quasi-optimal SNARG by relying on the notion of linear-only vector encryption over rings introduced by Boneh et al. Combining these two primitives yields the first quasi-optimal SNARG based on linear-only vector encryption. Moreover, our linear MIP construction leverages a new robust circuit decomposition primitive that allows us to decompose a circuit satisfiability instance into several smaller circuit satisfiability instances. This primitive may be of independent interest. Finally, we consider (designated-verifier) SNARGs that provide optimal succinctness for a non-negligible soundness error. Concretely, we put forward the notion of “1-bit SNARGs” that achieve soundness error $1/2$ with only one bit of proof. We first show how to build 1-bit SNARGs from indistinguishability obfuscation, and then show that 1-bit SNARGs also suffice for realizing a form of witness encryption. The latter result highlights a two-way connection between the soundness of very succinct argument systems and powerful forms of encryption.

Original language: English
Title of host publication: ADVANCES IN CRYPTOLOGY - EUROCRYPT 2018, PT III
Editors: Jesper Buus Nielsen, Vincent Rijmen
Pages: 222-255
Number of pages: 34
Volume: 10822
State: Published - 2018
Event: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018 - Tel Aviv, Israel
Duration: 29 Apr 2018 to 3 May 2018

Publication series

Name: Lecture Notes in Computer Science

Conference

Conference: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018
Country/Territory: Israel
City: Tel Aviv
Period: 29/04/18 to 3/05/18

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
