# Quadratic Span Programs and Succinct NIZKs without PCPs

Advances in Cryptology – EUROCRYPT 2013, pp. 626–645 (2013)


## Abstract

We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the quick construction of succinct, easily verified arguments for NP statements. To achieve this goal, QSPs use a new approach to the…

## Introduction
• Arithmetization of Boolean computations is a well-known technique: it maps a Boolean circuit to a set of polynomial equations over a field.
• To compensate for the weakness of the wire checker, the authors require the SP being checked to be conscientious, which guarantees that every satisfying linear combination uses at least one polynomial from the sets associated with its input.
• To obtain a conscientious SP for an entire circuit, the authors build a conscientious SP for each gate, using a distinct set of roots R_i for each SP, and compose the gate SPs together using the Chinese Remainder Theorem, just as they did when building the aggregate wire checker.
## Highlights
• The celebrated result IP=PSPACE [35,41] used arithmetization as a crucial tool and set the stage for the probabilistically checkable proofs theorem [2,3,4,20], which provided a new characterization of NP that revolutionized the notion of "proof": in particular, it shows that NP statements have probabilistically checkable proofs (PCPs) that can be verified in time polylogarithmic in the size of a classical proof.
• Our work provides a brand new form of arithmetization which we call Quadratic Span Programs (QSPs), since it is a generalization of the notion of Span Programs proposed by Karchmer and Wigderson [31].
• If the q-power Diffie-Hellman (q-PDH) and d-power knowledge of exponent (d-PKE) assumptions hold for some q ≥ max{2d − 1, d + 2}, the non-interactive zero-knowledge (NIZK) scheme defined in Section 3.3, instantiated with a QSP of degree d, is secure under Definition 6.
• The full details of the Quadratic Arithmetic Programs (QAPs) construction appear in the final version [22]; here we present the definition of QAPs and our main result about them.
• We developed a system called Pinocchio [38] that includes a compiler that transforms a subset of C into either a QSP or a QAP, and a set of programs for generating the common reference string, creating proofs, and verifying proofs.
## Results
• For each gate g ∈ Γ, there is a conscientious SP of size m and degree d that computes whether its input is a satisfying assignment of g's input/output wires.
• The wire checker's guarantee of no double assignments relies on the fact that the SP for the gate checker is conscientious, and so must use at least one polynomial for each wire to arrive at a satisfying linear combination.
• The authors construct the polynomials for the aggregate wire checker described above, using a third set of distinct roots.
• Step 4: Using disjoint sets of roots $R = \{R_{i0}, R_{i1} : i \in [N]\}$ and the partition of $I_{labeled}$, construct the aggregate wire checker from Lemma 3, which consists of the following polynomials: $D(x) = \prod_{r \in R}(x - r)$, $V = \{v_1(x), \ldots$
• For any Boolean circuit C with n inputs, s gates, and N = n + s total wire values, the canonical QSP computes C.
• This property helps improve the performance of the cryptographic constructions for NIZKs and verifiable computation, since a verifier who knows a part u of the circuit input will be able to "predict" the portion of the QSP linear combination that corresponds to u.
• When it is applied to the partition $I_{labeled} = \bigcup_{i \in [N],\, j \in \{0,1\}} I_{ij}$ of the SP for the gate checker function, the size of the aggregate wire checker is $|I_{labeled}| \le 24s$ and the degree is $76s$.
## Conclusion
• At a high level, the prover uses his inputs to evaluate the circuit for f, obtaining linear combinations for the QSP that satisfy Eq. 1.
• If the q-PDH and d-PKE assumptions hold for some q ≥ max{2d − 1, d + 2}, the NIZK scheme defined in Section 3.3, instantiated with a QSP of degree d, is secure under Definition 6.
• The authors construct Quadratic Arithmetic Programs (QAPs), a natural extension of QSPs which "naturally" compute arithmetic circuits modulo the group order p.
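The QAP idea from the Highlights and Conclusion bullets above, as an added worked example (illustrative code written for this page, not code from the paper or from the Pinocchio compiler). It follows the paper's recipe of one distinct root per gate and a target polynomial t(x) = ∏_g (x − r_g), and shows in working field arithmetic why "t(x) divides p(x)" is exactly "every multiplication gate is satisfied", plus the verifier's one-point spot check that the NIZK performs in the exponent. The field prime P, the 3-gate circuit, the roots 1, 2, 3 and the sample inputs are all constructed assumptions.

```python
"""Toy Quadratic Arithmetic Program (QAP) over F_P, added as an illustration of
the definition summarised on this page (not code from the paper or Pinocchio).
The prime P, the 3-gate circuit, the roots and the sample inputs are assumptions."""
P = 2**61 - 1  # assumption: stands in for the prime group order p of the paper

def _inv(a): return pow(a % P, P - 2, P)
def poly_scale(a, s): return [(x * s) % P for x in a]
def poly_eval(a, s): return sum(coef * pow(s, i, P) for i, coef in enumerate(a)) % P

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_divmod(num, den):
    """Long division in F_P[x]; returns (quotient, remainder)."""
    num, q = num[:], [0] * max(1, len(num) - len(den) + 1)
    inv_lead = _inv(den[-1])
    for i in range(len(num) - len(den), -1, -1):
        q[i] = coef = (num[i + len(den) - 1] * inv_lead) % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - coef * d) % P
    return q, num[: len(den) - 1]

def interpolate(xs, ys):
    """Lagrange interpolation: the unique polynomial of degree < len(xs) with f(xs[i]) = ys[i]."""
    result = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        if yi == 0:
            continue
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                basis = poly_mul(basis, [(-xj) % P, 1])
                denom = denom * (xi - xj) % P
        result = poly_add(result, poly_scale(basis, yi * _inv(denom) % P))
    return result

# Wires: c0 = 1 (constant), c1 = x, c2 = y, c3 and c4 intermediate, c5 = output.
M = 6
def e(*idx): return [1 if k in idx else 0 for k in range(M)]

# One row per multiplication gate: (left-input, right-input, output) wire vectors.
# Additions are free: gate 3 multiplies the linear combination (c4 + y) by y.
GATES = [
    (e(1), e(2), e(3)),     # c3 = x * y
    (e(3), e(1), e(4)),     # c4 = c3 * x
    (e(4, 2), e(2), e(5)),  # c5 = (c4 + y) * y
]
ROOTS = [1, 2, 3]  # one distinct root r_g per gate, as in the paper's construction

def build_qap(gates, m, roots):
    """v_k(r_g), w_k(r_g), y_k(r_g) = wire k's coefficient in gate g's left/right/output; t = prod(x - r_g)."""
    V, W, Y = ([interpolate(roots, [g[slot][k] for g in gates]) for k in range(m)] for slot in range(3))
    t = [1]
    for r in roots:
        t = poly_mul(t, [(-r) % P, 1])
    return V, W, Y, t

def combine(polys, c):
    acc = [0]
    for ck, pk in zip(c, polys):
        acc = poly_add(acc, poly_scale(pk, ck))
    return acc

def qap_check(qap, c):
    """Prover side: p(x) = (sum c_k v_k)(sum c_k w_k) - sum c_k y_k must be a multiple of t(x)."""
    V, W, Y, t = qap
    p = poly_add(poly_mul(combine(V, c), combine(W, c)), poly_scale(combine(Y, c), P - 1))
    h, rem = poly_divmod(p, t)
    return all(r == 0 for r in rem), h  # (ok, h) with p = h * t when ok

def check_at_point(qap, c, h, s):
    """Verifier side: the same identity tested at a single point s (hidden in the CRS in the NIZK)."""
    V, W, Y, t = qap
    lhs = (poly_eval(combine(V, c), s) * poly_eval(combine(W, c), s) - poly_eval(combine(Y, c), s)) % P
    return lhs == poly_eval(h, s) * poly_eval(t, s) % P

def witness(x, y):
    """The prover evaluates the circuit to obtain the full wire assignment."""
    c3, c4 = x * y % P, x * y * x % P
    return [1, x, y, c3, c4, (c4 + y) * y % P]

if __name__ == "__main__":
    qap, good = build_qap(GATES, M, ROOTS), witness(3, 5)
    ok, h = qap_check(qap, good)
    bad = good[:]; bad[5] = (bad[5] + 1) % P  # tamper with the output wire
    print("honest:", ok, check_at_point(qap, good, h, 12345), "| tampered:", qap_check(qap, bad)[0])
```

Because each gate owns its own root r_g, p(r_g) collapses to (left input)·(right input) − output for that gate alone, so a single wrong wire value leaves a nonzero remainder, which is the polynomial-level form of the "distinct set of roots per gate, composed by CRT" idea in the Introduction bullets. The spot check at s is the part the real scheme makes non-interactive and succinct: s lives only in the exponent of the CRS terms, so the prover can supply h without learning s, and the check of degree-bounded polynomials at one hidden point is what the q-PDH and d-PKE assumptions are used to justify.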
## Funding
• The research of this author was sponsored by the U.S. Army Research Laboratory and the U.K.
• Supported by NSF Grant No. 1017660.
## References
1. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007)
2. Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and the hardness of approximation problems. J. ACM 45(3), 501–555 (1998)
3. Arora, S., Safra, S.: Probabilistic checking of proofs: A new characterization of NP. J. ACM 45(1), 70–122 (1998)
4. Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: STOC, pp. 21–31 (1991)
5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
6. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004)
7. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: On the concrete-efficiency threshold of probabilistically-checkable proofs. In: STOC (to appear 2013)
8. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS, pp. 326–349 (2012)
9. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC, pp. 103–112 (1988)
10. Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM Journal on Computing 20(6), 1084–1118 (1991)
11. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
12. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
13. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
14. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
15. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
16. Cormode, G., Mitzenmacher, M., Thaler, J.: Practical verified computation with streaming interactive proofs. In: ITCS (2012)
17. Di Crescenzo, G., Lipmaa, H.: Succinct NP proofs from an extractability assumption. In: Beckmann, A., Dimitracopoulos, C., Löwe, B. (eds.) CiE 2008. LNCS, vol. 5028, pp. 175–185. Springer, Heidelberg (2008)
18. Damgård, I.B.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)
19. Damgård, I., Faust, S., Hazay, C.: Secure two-party computation with low communication. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 54–74. Springer, Heidelberg (2012)
20. Feige, U., Goldwasser, S., Lovász, L., Safra, S., Szegedy, M.: Interactive proofs and the hardness of approximating cliques. J. ACM 43(2), 268–292 (1996)
21. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)
22. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. Cryptology ePrint Archive, Report 2012/215 (2012)
23. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108. ACM (2011)
24. Gjøsteen, K.: Subgroup membership problems and public key cryptosystems. PhD thesis, Norwegian University of Science and Technology (2004)
25. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: Interactive proofs for muggles. In: STOC, pp. 113–122 (2008)
26. Goldwasser, S., Lin, H., Rubinstein, A.: Delegation of computation without rejection problem from designated verifier CS-proofs. Cryptology ePrint Archive, Report 2011/456 (2011)
27. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)
28. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. Journal of the ACM 59(3), 11:1–11:35 (2012)
29. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM Journal on Computing 41(5), 1193–1232 (2012)
30. Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short PCPs. In: IEEE Conference on Computational Complexity (2007)
31. Karchmer, M., Wigderson, A.: On span programs. In: Structure in Complexity Theory Conference, pp. 102–111 (1993)
32. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC, pp. 723–732 (1992)
33. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012)
34. Loftus, J., May, A., Smart, N.P., Vercauteren, F.: On CCA-secure somewhat homomorphic encryption. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 55–72. Springer, Heidelberg (2012)
35. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)
36. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000); extended abstract in FOCS (1994)
37. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)
38. Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: Nearly practical verifiable computation. In: Proceedings of the IEEE Symposium on Security and Privacy (May 2013)
39. Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: Verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012)
40. Setty, S., Vu, V., Panpalia, N., Braun, B., Blumberg, A.J., Walfish, M.: Taking proof-based verified computation a few steps closer to practicality. In: Proceedings of USENIX Security (August 2012)
41. Shamir, A.: IP = PSPACE. J. ACM 39(4), 869–877 (1992)