Proof-Carrying Data from Accumulation Schemes
Benedikt Bünz
Alessandro Chiesa
[email protected]
Stanford University
[email protected]
UC Berkeley
Pratyush Mishra
Nicholas Spooner
[email protected]
UC Berkeley
[email protected]
UC Berkeley
May 25, 2020
Abstract
Recursive proof composition has been shown to lead to powerful primitives such as incrementallyverifiable computation (IVC) and proof-carrying data (PCD). All existing approaches to recursive composition take a succinct non-interactive argument of knowledge (SNARK) and use it to prove a statement
about its own verifier. This technique requires that the verifier run in time sublinear in the size of the
statement it is checking, a strong requirement that restricts the class of SNARKs from which PCD can be
built. This in turn restricts the efficiency and security properties of the resulting scheme.
Bowe, Grigg, and Hopwood (ePrint 2019/1021) outlined a novel approach to recursive composition,
and applied it to a particular SNARK construction which does not have a sublinear-time verifier. However,
they omit details about this approach and do not prove that it satisfies any security property. Nonetheless,
schemes based on their ideas have already been implemented in software.
In this work we present a collection of results that establish the theoretical foundations for a generalization of the above approach. We define an accumulation scheme for a non-interactive argument, and
show that this suffices to construct PCD, even if the argument itself does not have a sublinear-time verifier.
Moreover we give constructions of accumulation schemes for SNARKs, which yield PCD schemes with
novel efficiency and security features.
Keywords: succinct arguments; proof-carrying data; recursive proof composition
1
Contents
1 Introduction
1.1 Our contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
3
6
2 Techniques
2.1 PCD from arguments with accumulation schemes . .
2.2 Accumulation schemes . . . . . . . . . . . . . . . .
2.3 Constructing arguments with accumulation schemes .
2.4 Accumulation schemes for polynomial commitments
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
8
8
10
11
12
3 Preliminaries
3.1 Non-interactive arguments in the ROM
3.2 Proof-carrying data . . . . . . . . . .
3.3 Instantiating the random oracle . . . .
3.4 Post-quantum security . . . . . . . .
3.5 Commitment schemes . . . . . . . . .
3.6 Polynomial commitments . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
16
16
17
18
18
19
20
4 Accumulation schemes
4.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 Accumulation schemes for certain predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
22
23
5 Proof-carrying data from accumulation schemes
5.1 Construction . . . . . . . . . . . . . . . . . .
5.2 Efficiency . . . . . . . . . . . . . . . . . . .
5.3 Completeness . . . . . . . . . . . . . . . . .
5.4 Knowledge soundness . . . . . . . . . . . . .
5.5 Zero knowledge . . . . . . . . . . . . . . . .
5.6 Post-quantum security . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
24
25
26
27
27
29
29
6 Accumulation schemes for non-interactive arguments
6.1 Construction . . . . . . . . . . . . . . . . . . . . .
6.2 Completeness . . . . . . . . . . . . . . . . . . . .
6.3 Soundness . . . . . . . . . . . . . . . . . . . . . .
6.4 Zero knowledge . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
31
32
32
33
34
7 Accumulating polynomial commitments based on discrete logarithms
7.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.2 Proof of Theorem 7.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
36
37
8 Accumulating polynomial commitments based on bilinear groups
8.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.2 Proof of Theorem 8.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42
42
43
A Construction of PCDL
A.1 Pedersen commitments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A.2 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
48
48
50
Acknowledgements
52
References
52
.
.
.
.
.
.
.
.
.
.
.
.
2
1 Introduction
Proof-carrying data (PCD) [CT10] is a cryptographic primitive that enables mutually distrustful parties to
perform distributed computations that run indefinitely, while ensuring that every intermediate state of the
computation can be succinctly verified. PCD supports computations defined on (possibly infinite) directed
acyclic graphs, with messages passed along directed edges. Verification is facilitated by attaching to each
message a succinct proof of correctness. This is a generalization of the notion of incrementally-verifiable
computation (IVC) due to [Val08], which can be viewed as PCD for the path graph (i.e., for automata).
PCD has found applications in enforcing language semantics [CTV13], verifiable MapReduce computations
[CTV15], image authentication [NT16], succinct blockchains [Co17; KB20; BMRS20], and others.
Recursive composition. Prior to this work, the only known method for constructing PCD was from
recursive composition of succinct non-interactive arguments (SNARGs) [BCCT13; BCTV14; COS20]. This
method informally works as follows. A proof that the computation was executed correctly for t steps consists
of a proof of the claim “the t-th step of the computation was executed correctly, and there exists a proof
that the computation was executed correctly for t − 1 steps”. The latter part of the claim is expressed using
the SNARG verifier itself. This construction yields secure PCD (with IVC as a special case) provided the
SNARG satisfies an adaptive knowledge soundness property (i.e., is a SNARK). The efficiency and security
properties of the resulting PCD scheme correspond to those of a single invocation of the SNARK.
Limitations of recursion. Recursion as realized in prior work requires proving a statement that contains a
description of the SNARK verifier. In particular, for efficiency, we must ensure that the statement we are
proving (essentially) does not grow with the number of recursion steps t. For example, if the representation
of the verifier were to grow even linearly with the statement it is verifying, then the size of the statement to
be checked would grow exponentially in t. Therefore, prior works have achieved efficiency by focusing on
SNARKs which admit sublinear-time verification: either SNARKs for machine computations [BCCT13] or
preprocessing SNARKs for circuit computations [BCTV14; COS20]. Requiring sublinear-time verification
significantly restricts our choice of SNARK, which limits what we can achieve for PCD.
In addition to the above asymptotic considerations, recursion raises additional considerations concerning
concrete efficiency. All SNARK constructions require that statements be encoded as instances of some
particular (algebraic) NP-complete problem, and difficulties often arise when encoding the SNARK verifier
itself as such an instance. The most well-known example of this is in recursive composition of pairing-based
SNARKs, since the verifier performs operations over a finite field that is necessarily different from the field
supported “natively” by the NP-complete problem [BCTV14]. This type of problem also appears when
recursing SNARKs whose verifiers make heavy use of cryptographic hash functions [COS20].
A new technique. Bowe, Grigg, and Hopwood [BGH19] suggest an exciting novel approach to recursive
composition that replaces the SNARK verifier in the circuit with a simpler algorithm. This algorithm does not
itself verify the previous proof πt−1 . Instead, it adds the proof to an accumulator for verification at the end.
The accumulator must not grow in size. A key contribution of [BGH19] is to sketch a mechanism by which
this might be achieved for a particular SNARK construction. While they prove this SNARK construction
secure, they do not include definitions or proofs of security for their recursive technique. Nonetheless,
practitioners have already built software based on these ideas [Halo19; Pickles20].
1.1
Our contributions
In this work we provide a collection of results that establish the theoretical foundations for the above approach.
We introduce the cryptographic object, an accumulation scheme, that enables this technique, and prove that it
3
suffices for constructing PCD. We then provide generic tools for building accumulation schemes, as well as
several concrete instantiations. Our framework establishes the security of schemes that are already being
used by practitioners, and we believe that it will simplify and facilitate further research in this area.
Accumulation schemes. We introduce the notion of an accumulation scheme for a predicate Φ : X → {0, 1}.
This formalizes, and generalizes, an idea outlined in [BGH19]. An accumulation scheme is best understood
in the context of the following process. Consider an infinite stream q1 , q2 , . . . with each qi ∈ X. We augment
this stream with accumulators acci as follows: at time i, the accumulation prover receives (qi , acci−1 ) and
computes acci ; the accumulation verifier receives (qi , acci−1 , acci ) and checks that acci−1 and qi were
correctly accumulated into acci (if not, the process ends). Then at any time t, the decider can validate
acct , which establishes that, for all i ∈ [t], Φ(qi ) = 1. All three algorithms are stateless. To avoid trivial
constructions, we want (i) the accumulation verifier to be more efficient than Φ, and (ii) the size of an
accumulator (and hence the running time of the three algorithms) does not grow over time. Accumulation
schemes are powerful, as we demonstrate next.
Recursion from accumulation. We say that a SNARK has an accumulation scheme if the predicate
corresponding to its verifier has an accumulation scheme (so X is a set of instance-proof pairs). We show
that any SNARK having an accumulation scheme where the accumulation verifier is sublinear can be used to
build a proof-carrying data (PCD) scheme, even if the SNARK verifier is not itself sublinear. This broadens
the class of SNARKs from which PCD can be built. Similarly to [COS20], we show that if the SNARK and
accumulation scheme are post-quantum secure, so is the PCD scheme. (Though it remains an open question
whether there are non-trivial accumulation schemes for post-quantum SNARKs.)
Theorem 1 (informal). There is an efficient transformation that compiles any SNARK with an efficient
accumulation scheme into a PCD scheme. If the SNARK and its accumulation scheme are zero knowledge,
then the PCD scheme is also zero knowledge. Additionally, if the SNARK and its accumulation scheme are
post-quantum secure then the PCD scheme is also post-quantum secure.
The above theorem holds in the standard model (where all parties have access to a common reference string,
but no oracles). Since our construction makes non-black-box use of the accumulation scheme verifier, the
theorem does not carry over to the random oracle model (ROM). It remains an intriguing open problem to
determine whether or not SNARKs in the ROM imply PCD in the ROM (and if the latter is even possible).
Note that we require a suitable definition of zero knowledge for an accumulation scheme. This is not
trivial, and our definition is informed by what is required for Theorem 1 and what our constructions achieve.
Proof-carrying data is a powerful primitive: it implies IVC and, further assuming collision-resistant
hash functions, also efficient SNARKs for machine computations. Hence, Theorem 1 may be viewed as an
extension of the “bootstrapping” theorem of [BCCT13] to certain non-succinct-verifier SNARKs.
See Section 2.1 for a summary of the ideas behind Theorem 1, and Section 5 for technical details.
Accumulation from accumulation. Given the above, a natural question is: where do accumulation schemes
for SNARKs come from? In [BGH19] it was informally observed that a specific SNARK construction, based
on the hardness of the discrete logarithm problem, has an accumulation scheme. To show this, [BGH19]
first observe that the verifier in the SNARK construction is sublinear except for the evaluation of a certain
predicate (checking an opening of a polynomial commitment [KZG10]), then outline a construction which is
essentially an accumulation scheme for that predicate.
We prove that this idea is a special case of a general paradigm for building accumulation schemes for SNARKs.
Theorem 2 (informal). There is an efficient transformation that, given a SNARK whose verifier is succinct
when given oracle access to a “simpler” predicate, and an accumulation scheme for that predicate, constructs
4
an accumulation scheme for the SNARK. Moreover, this transformation preserves zero knowledge and postquantum security of the accumulation scheme.
The construction underlying Theorem 2 is black-box. In particular, if both the SNARK and the accumulation scheme for the predicate are secure with respect to an oracle, then the resulting accumulation scheme for
the SNARK is secure with respect to that oracle.
See Section 2.3 for a summary of the ideas behind Theorem 2, and Section 6 for technical details.
Accumulating polynomial commitments. Several works [MBKM19; GWC19; CHMMVW20] have
constructed SNARKs whose verifiers are succinct relative to a specific predicate: checking the opening of
a polynomial commitment [KZG10]. We prove that two natural polynomial commitment schemes possess
accumulation schemes in the random oracle model: PCDL , a scheme based on the security of discrete
logarithms [BCCGP16; BBBPWM18; WTSTW18]; and PCAGM , a scheme based on knowledge assumptions
in bilinear groups [KZG10; CHMMVW20].
Theorem 3 (informal). In the random oracle model, there exist (zero knowledge) accumulation schemes for
PCDL and PCAGM that achieve the efficiency outlined in the table below (n denotes the number of evaluation
proofs, and d denotes the degree of committed polynomials).
assumption
cost to check
evaluation proofs
cost to check an
accumulation step
cost to check
final accumulator
accumulator
size
PCDL
DLOG + RO
Θ(nd) G mults.
Θ(n log d) G mults.
Θ(d) G mults.
Θ(log d) G
PCAGM
AGM + RO
Θ(n) pairings
Θ(n) G1 mults.
1 pairing
2 G1
polynomial
commitment
For both schemes the cost of checking that an accumulation step was performed correctly is much less than
the cost of checking an evaluation proof. We can apply Theorem 2 to combine either of these accumulation
schemes for polynomial commitments with any of the aforementioned predicate-efficient SNARKs, which
yields concrete accumulation schemes for these SNARKs with the same efficiency benefits.
We remark that our accumulation scheme for PCDL is a variation of a construction presented in [BGH19],
and so our result establishes the security of a type of construction used by practitioners.
We sketch the constructions underlying Theorem 3 in Section 2.4, and provide details in Sections 7 and 8.
New constructions of PCD. By combining our results, we (heuristically) obtain constructions of PCD
that achieve new properties. Namely, starting from either PCDL or PCAGM , we can apply Theorem 2 to a
suitable SNARK to obtain a SNARK with an accumulation scheme in the random oracle model. Then we can
instantiate the random oracle, obtaining a SNARK and accumulation scheme with heuristic security in the
standard (CRS) model, to which we apply Theorem 1 to obtain a corresponding PCD scheme. Depending on
whether we started with PCDL or PCAGM , we get a PCD scheme with different features, as summarized below.
• From PCDL : PCD based on discrete logarithms. We obtain a PCD scheme in the uniform reference string
model (i.e., without secret parameters) and small argument sizes. In contrast, prior PCD schemes require
structured reference strings [BCTV14] or have larger argument sizes [COS20]. Moreover, our PCD scheme
can be efficiently instantiated from any cycle of elliptic curves [SS11]. In contrast, prior PCD schemes
with small argument size use cycles of pairing-friendly elliptic curves [BCTV14; CCW19], which are
more expensive.
• From PCAGM : lightweight PCD based on bilinear groups. The recursive statement inside this PCD scheme
does not involve checking any pairing computations, because pairings are deferred to a verification that
occurs outside the recursive statement. In contrast, the recursive statements in prior PCD schemes based
on pairing-based SNARKs were more expensive because they checked pairing computations [BCTV14].
5
Note again that our constructions of PCD are heuristic as they involve instantiating the random oracle of
certain SNARK constructions with an appropriate hash function. This is because Theorem 3 is proven in the
random oracle model, but Theorem 1 is explicitly not (as is the case for all prior IVC/PCD constructions
[Val08; BCCT13; BCTV14; COS20]). There is evidence that this limitation might be inherent [CL20].
Open problem: accumulation in the standard model. All known constructions of accumulation schemes
for non-interactive arguments make use of either random oracles (as in our constructions) or knowledge
assumptions (e.g., the “trivial” construction from succinct-verifier SNARKs). A natural question, then,
is whether there exist constructions of accumulation schemes for non-interactive arguments, or any other
interesting predicate, from standard assumptions, or any assumptions which are not known to imply SNARKs.
A related question is whether there is a black-box impossibility for accumulation schemes similar to the result
for SNARGs of [GW11].
1.2
Related work
Below we survey prior constructions of IVC/PCD.
PCD from SNARKs. Bitansky, Canetti, Chiesa, and Tromer [BCCT13] proved that recursive composition
of SNARKs for machine computations implies PCD for constant-depth graphs, and that this in turn implies
IVC for polynomial-time machine computations. From the perspective of concrete efficiency, however,
one can achieve more efficient recursive composition by using preprocessing SNARKs for circuits rather
than SNARKs for machines [BCTV14; COS20]; this observation has led to real-world applications [Co17;
BMRS20]. The features of the PCD scheme obtained from recursion depends on the features of the underlying
preprocessing SNARK. Below we summarize the features of the two known constructions.
• PCD from pairing-based SNARKs. Ben-Sasson, Chiesa, Tromer, and Virza [BCTV14] used pairing-based
SNARKs with a special algebraic property to achieve efficient recursive composition with very small
argument sizes (linear in the security parameter λ). The use of pairing-based SNARKs has two main
downsides. First, they require sampling a structured reference string involving secret values (“toxic waste”)
that, if revealed, compromise security. Second, the verifier performs operations over a finite field that
is necessarily different from the field supported “natively” by the statement it is checking. To avoid
expensive simulation of field arithmetic, the construction uses pairing-friendly cycles of elliptic curves,
which severely restricts the choice of field in applications and requires a large base field for security.
• PCD from IOP-based SNARKs. Chiesa, Ojha, and Spooner [COS20] used a holographic IOP to construct
a preprocessing SNARK that is unconditionally secure in the (quantum) random oracle model, which
heuristically implies a post-quantum preprocessing SNARK in the uniform reference string model (i.e.,
without toxic waste). They then proved that any post-quantum SNARK leads to a post-quantum PCD
scheme via recursive composition. The downside of this construction is that, given known holographic
IOPs, the argument size is larger, currently at O(λ2 log2 N ) bits for circuits of size N .
IVC from homomorphic encryption. Naor, Paneth, and Rothblum [NPR19] obtain a notion of IVC by
using somewhat homomorphic encryption and an information-theoretic object called an “incremental PCP”.
The key feature of their scheme is that security holds under falsifiable assumptions.
There are two drawbacks, however, that restrict the use of the notion of IVC that their scheme achieves.
First, the computation to be verified must be deterministic (this appears necessary for schemes based on
falsifiable assumptions given known impossibility results [GW11]). Second, and more subtly, completeness
holds only in the case where intermediate proofs were honestly generated. This means that the following
6
attack may be possible: an adversary provides an intermediate proof that verifies, but it is impossible for
honest parties to generate new proofs for subsequent computations. Our construction of PCD achieves the
stronger condition that completeness holds so long as intermediate proofs verify, ruling out this attack.
Both nondeterministic computation and the stronger completeness notion (achieved by all SNARK-based
PCD schemes) are necessary for many of the applications of IVC/PCD.
7
2 Techniques
2.1
PCD from arguments with accumulation schemes
We summarize the main ideas behind Theorem 1, which obtains proof-carrying data (PCD) from any
succinct non-interactive argument of knowledge (SNARK) that has an accumulation scheme. For the sake of
exposition, in this section we focus on the special case of IVC, which can be viewed as repeated application
of a circuit F . Specifically, we wish to check a claim of the form “F T (z0 ) = zT ” where F T denotes F
composed with itself T times.
Prior work: recursion from succinct verification. Recall that in previous approaches to efficient recursive
composition [BCTV14; COS20], at each step i we prove a claim of the form “zi = F (zi−1 ), and there exists
a proof πi−1 that attests to the correctness of zi−1 ”. This claim is expressed using a circuit R which is the
conjunction of F with a circuit representing the SNARK verifier; in particular, the size of the claim is at least
the size of the verifier circuit. If the size of the verifier circuit grows linearly (or more) with the size of the
claim being checked, then verifying the final proof becomes more costly than the original computation.
For this reason, these works focus on SNARKs with succinct verification, where the verifier runs in time
sublinear in the size of the claim. In this case, the size of the claim essentially does not grow with the number
of recursive steps, and so checking the final proof costs roughly the same as checking a single step.
Succinct verification is a seemingly paradoxical requirement: the verifier does not even have time to read
the circuit R. One way to sidestep this issue is preprocessing: one designs an algorithm that, at the beginning
of the recursion, computes a small cryptographic digest of R, which the recursive verifier can use instead of
reading R directly. Because this preprocessing need only be performed once for the given R in an offline
phase, it has almost no effect on the performance of each recursive step (in the later online phase).
A new paradigm: IVC from accumulation. Even allowing for preprocessing, succinct verification
remains a strong requirement, and there are many SNARKs that are not known to satisfy it (e.g., [BCCGP16;
BBBPWM18; AHIV17; BCGGHJ17; BCRSVW19]). Bowe, Grigg, and Hopwood [BGH19] suggested
a further relaxation of succinctness that appears to still suffice for recursive composition: a type of “postprocessing”. Their observation is as follows: if a SNARK is such that we can efficiently “defer” the
verification of a claim in a way that does not grow in cost with the number of claims to be checked, then we
can hope to achieve recursive composition by deferring the verification of all claims to the end.
In the remainder of this section, we will give an overview of the proof of Theorem 1, our construction of
PCD from SNARKs that have this “post-processing” property. We note that this relaxation of requirements is
useful because, as suggested in [BGH19], it leads to new constructions of PCD with desirable properties (see
discussion at the end of Section 1.1). In fact, some of these efficiency features are already being exploited by
practitioners working on recursing SNARKs [Halo19; Pickles20].
The specific property we require, which we discuss more formally in the next section, is that the SNARK
has an accumulation scheme. This is a generalization of the idea described in [BGH19]. Informally, an
accumulation scheme consists of three algorithms: an accumulation prover, an accumulation verifier, and
a decider. The accumulation prover is tasked with taking an instance-proof pair (z, π) and a previous
accumulator acc, and producing a new accumulator acc⋆ that “includes” the new instance. The accumulation
verifier, given ((z, π), acc, acc⋆ ), checks that acc⋆ was computed correctly (i.e., that it accumulates (z, π))
into acc). Finally the decider, given a single accumulator acc, performs a single check that simultaneously
ensures that every instance-proof pair accumulated in acc verifies.1
1
We remark that the notion of an accumulation scheme is distinct from the notion of a cryptographic accumulator for a set (e.g.,
an RSA accumulator), which provides a succinct representation of a large set while supporting membership queries.
8
Given such an accumulation scheme, we can construct IVC as follows. Given a previous instance zi , proof
πi , and accumulator acci , the IVC prover first accumulates (zi , πi ) with acci to obtain a new accumulator
acci+1 . The IVC prover also generates a SNARK proof πi+1 of the claim: “zi+1 = F (zi ), and there
exist a proof πi and an accumulator acci such that the accumulation verifier accepts ((zi , πi ), acci , acci+1 )”,
expressed as a circuit R. The final IVC proof then consists of (πT , accT ). The IVC verifier checks such a
proof by running the SNARK verifier on πT and the accumulation scheme decider on accT .
Why does this achieve IVC? Throughout the computation we maintain the invariant that if acci is a valid
accumulator (according to the decider) and πi is a valid proof, then the computation is correct up to the
i-th step. Clearly if this holds at time T then the IVC verifier successfully checks the entire computation.
Observe that if we were able to prove that “zi+1 = F (zi ), πi is a valid proof, and acci is a valid accumulator”,
by applying the invariant we would be able to conclude that the computation is correct up to step i + 1.
Unfortunately we are not able to prove this directly, for two reasons: (i) proving that πi is a valid proof
requires proving a statement about the argument verifier, which may not be sublinear, and (ii) proving that
acci is a valid accumulator requires proving a statement about the decider, which may not be sublinear.
Instead of proving this claim directly, we “defer” it by having the prover accumulate (zi , πi ) into acci
to obtain a new accumulator acci+1 . The soundness property of the accumulation scheme ensures that if
acci+1 is valid and the accumulation verifier accepts ((zi , πi ), acci , acci+1 ), then πi is a valid proof and acci
is a valid accumulator. Thus all that remains to maintain the invariant is for the prover to prove that the
accumulation verifier accepts; this is possible provided that the accumulation verifier is sublinear.
From sketch to proof. In Section 5, we give the formal details of our construction and a proof of correctness.
In particular, we show how to construct PCD, a more general primitive than IVC. In the PCD setting, rather
than each computation step having a single input zi , it receives m inputs from different nodes. Proving
correctness hence requires proving that all of these inputs were computed correctly. For our construction,
this entails checking m proofs and m accumulators. To do this, we extend the definition of an accumulation
scheme to allow accumulating multiple instance-proof pairs and multiple “old” accumulators.
We now informally discuss the properties of our PCD construction.
• Efficiency requirements. Observe that the statement to be proved includes only the accumulation verifier,
and so the only efficiency requirement for obtaining PCD is that this algorithm run in time sublinear in the
size of the circuit R. This implies, in particular, that an accumulator must be of size sublinear in the size of
R, and hence must not grow with each accumulation step. The SNARK verifier and the decider algorithm
need only be efficient in the usual sense (i.e., polynomial-time). See Section 5.2 for a detailed analysis.
• Soundness. We prove that the PCD scheme is sound provided that the SNARK is knowledge sound (i.e., is
an adaptively-secure argument of knowledge) and the accumulation scheme is sound (see Section 2.2 for
more on what this means). We stress that in both cases security should be in the standard (CRS) model,
without any random oracles (as in prior PCD constructions). See Section 5.4 for details.
• Zero knowledge. We prove that the PCD scheme is zero knowledge, if the underlying SNARK and
accumulation scheme are both zero knowledge (for this part we also formulate a suitable notion of zero
knowledge for accumulation schemes as discussed shortly in Section 2.2). See Section 5.5 for details.
• Post-quantum security. We also prove that if both the SNARK and accumulation scheme are post-quantum
secure, then so is the resulting PCD scheme. Here by post-quantum secure we mean that the relevant
security properties continue to hold even against polynomial-size quantum circuits, as opposed to just
polynomial-size classical circuits. See Section 5.6 for details.
9
2.2
Accumulation schemes
A significant contribution of this work is formulating a general notion of an accumulation scheme. An
accumulation scheme for a non-interactive argument as described above is a particular instance of this
definition; in subsequent sections we will apply the definition in other settings.
We first give an informal definition that captures the key features of an accumulation scheme. For clarity
this is stated for the (minimal) case of a single predicate input q and a single “old” accumulator acc; we later
extend this in the natural way to n predicate inputs and m “old” accumulators.
Definition 2.1 (informal). An accumulation scheme for a predicate Φ : X → {0, 1} consists of a triple of
algorithms (P, V, D), known as the prover, verifier, and decider, that satisfies the following properties.
• Completeness: For all accumulators acc and predicate inputs q ∈ X, if D(acc) = 1 and Φ(q) = 1, then
for acc⋆ ← P(acc, q) it holds that V(acc, q, acc⋆ ) = 1 and D(acc⋆ ) = 1.
• Soundness: For all efficiently-generated accumulators acc, acc⋆ and predicate inputs q ∈ X, if D(acc⋆ ) =
1 and V(acc, q, acc⋆ ) = 1 then, with all but negligible probability, Φ(q) = 1 and D(acc) = 1.
An accumulation scheme for a SNARK is an accumulation scheme for the predicate induced by the argument
verifier; in this case the predicate input q consists of an instance-proof pair ( , π). Note that the completeness
requirement does not place any restriction on how the previous accumulator acc is generated; we require that
completeness holds for any acc the decider D determines to be valid, and any q for which the predicate Φ
holds. This is needed to obtain a similarly strong notion of completeness for PCD, required for applications
where accumulation is done by multiple parties that do not trust one another.
Zero knowledge. For our PCD application, the notion of zero knowledge for an accumulation scheme
that we use is the following: one can sample a “fake” accumulator that is indistinguishable from a real
accumulator acc⋆ , without knowing anything about the old accumulator acc and predicate input q that were
accumulated in acc⋆ . The existence of the accumulation verifier V complicates matters here: if the adversary
knows acc and q, then it is easy to distinguish a real accumulator from a fake one using V. We resolve this
issue by modifying Definition 2.1 to have the accumulation prover P produce a verification proof πV in
addition to the new accumulator acc⋆ . Then V uses πV in verifying the accumulator, but πV is not required
for subsequent accumulation. In our application, the simulator then does not have to simulate πV . This avoids
the problem described: even if the adversary knows acc and q, unless πV is correct, V can simply reject, as it
would for a “fake” accumulator. Our informal definition is as follows.
①
Definition 2.2. An accumulation scheme for Φ is zero knowledge if there exists an efficient simulator S such
that for all accumulators acc and inputs q ∈ X such that D(acc) = 1 and Φ(q) = 1, the distribution of acc⋆
when (acc⋆ , πV ) ← P(acc, q) is computationally indistinguishable from acc⋆ ← S(1λ ).
Predicate specification. The above informal definitions omit many important details; we now highlight
some of these. Suppose that, as required for IVC/PCD, we have some fixed circuit R for which we want to
accumulate pairs ( i , πi ), where πi is a SNARK proof that there exists i such that R( i , i ) = 1. In this
case the predicate corresponding to the verifier depends not only on the pair ( i , πi ), but also on the circuit
R, as well as the public parameters of the argument scheme pp and (often) a random oracle ρ.
Moreover, each of these inputs has different security and efficiency considerations. The security of the
SNARK (and the accumulation scheme) can only be guaranteed with high probability over public parameters
drawn by the generator algorithm of the SNARK, and over the random oracle. The circuit R may be chosen
adversarially, but cannot be part of the input q because it is too large; it must be fixed at the beginning.
These considerations lead us to define an accumulation scheme with respect to both a predicate Φ : U (∗)×
({0, 1}∗ )3 → {0, 1} and a predicate-specification algorithm H. We then adapt Definition 2.1 to hold
①
✇
10
①
① ✇
for the predicate Φ(ρ, ppΦ , iΦ , ·) where ρ is a random oracle, ppΦ is output by Hρ , and iΦ is chosen
adversarially. In our SNARK example, H is equal to the SNARK generator, iΦ is the circuit R, and
Φ(ρ, pp, R, (①, π)) = V ρ (pp, R, ①, π). For a more precise description, see Section 4.
Remark 2.3 (helped verification). We compare accumulation schemes for SNARKs with the notion of
“helped verification” [MBKM19]. In a SNARK with helped verification, an untrusted party known as the
helper can, given n proofs, produce an auxiliary proof that enables checking the n proofs at lower cost
than that of checking each proof individually. This batching capability can be viewed as a special case of
accumulation, as it applies to n “fresh” proofs only; there is no notion of batching “old” accumulators. It is
unclear whether the weaker notion of helped verification alone suffices to construct IVC/PCD schemes.
2.3
Constructing arguments with accumulation schemes
A key ingredient in our construction of PCD is a SNARK that has an accumulation scheme (see Section 2.1).
Below we summarize the ideas behind Theorem 2, by explaining how to construct accumulation schemes for
SNARKs whose verifier is succinct relative to an oracle predicate Φ◦ that itself has an accumulation scheme.
Predicate-efficient SNARKs. We call a SNARK ARG for predicate-efficient with respect to a predicate
Φ◦ if its verifier V operates as follows: (i) run a fast “inner” verifier Vpe to produce a bit b and query set Q;
(ii) accept iff b = 1 and for all q ∈ Q, Φ◦ (q) = 1. In essence, V can be viewed as a circuit with “oracle gates”
for Φ◦ .2 The aim is for Vpe to be significantly more efficient than V; that is, the queries to Φ◦ capture the
“expensive” part of the computation of V.
As noted in Section 1.1, one can view recent SNARK constructions [MBKM19; GWC19; CHMMVW20]
as being predicate-efficient with respect to a “polynomial commitment” predicate. We discuss how to
construct accumulation schemes for these predicates below in Section 2.4.
Accumulation scheme for predicate-efficient SNARKs. Let ARG be a SNARK that is predicate-efficient
with respect to a predicate Φ◦ , and let AS◦ be an accumulation scheme for Φ◦ . To check n proofs, instead of
directly invoking the SNARK verifier V, we can first run Vpe n times to generate n query sets for Φ◦ , and
then, instead of invoking Φ◦ on each of these sets, we can accumulate these queries using AS◦ . Below we
sketch the construction of an accumulation scheme ASARG for ARG based on this idea.
To accumulate n instance-proof pairs [(①i , πi )]ni=1 starting from an old accumulator acc, the accumulation
prover ASARG .P first invokes the inner verifier Vpe on each (①i , πi ) to generate a query set Qi for Φ◦ ,
accumulates their union Q = ∪ni=1 Qi into acc using AS◦ .P, and finally outputs the resulting accumulator
acc⋆ . To check that acc⋆ indeed accumulates [(①i , πi )]ni=1 into acc, the accumulation verifier ASARG .V first
checks, for each i, whether the inner verifier Vpe accepts (①i , πi ), and then invokes AS◦ .V to check whether
acc⋆ correctly accumulates the query set Q = ∪ni=1 Qi . Finally, to decide whether acc⋆ is a valid accumulator,
the accumulation scheme decider ASARG .D simply invokes AS◦ .D.
From sketch to proof. The foregoing sketch omits details required to construct a scheme that satisfies the
“full” definition of accumulation schemes as stated in Section 4. For instance, as noted in Section 2.3, the
predicate Φ◦ may be be an oracle predicate, and could depend on the public parameters of the SNARK ARG.
We handle this by requiring that the accumulation scheme for Φ◦ uses the SNARK generator G as its predicate
specification algorithm. We also show that zero knowledge and post-quantum security are preserved. See
Section 6 for a formal treatment of these issues, along with security proofs.
From predicate-efficient SNARKs to PCD. In order to build an accumulation scheme ASARG that suffices
for PCD, ARG and AS◦ must satisfy certain efficiency properties. In particular, when verifying satisfiability
2
This is not precisely the case, because the verifier is required to reject immediately if it ever makes a query q with Φ◦ (q) = 0.
11
for a circuit of size N , the running time of ASARG .V must be sublinear in N , which means in turn that the
running times of Vpe and AS◦ .V, as well as the size of the query set Q, must be sublinear in N . Crucially,
however, AS◦ .D need only run in time polynomial in N . For further discussion, see Remark 6.3.
2.4
Accumulation schemes for polynomial commitments
As noted in Section 2.3, several SNARK constructions (e.g., [MBKM19; GWC19; CHMMVW20]) are
predicate-efficient with respect to an underlying polynomial commitment, which means that constructing an
accumulation scheme for the latter leads (via Theorem 2) to an accumulation scheme for the whole SNARK.
Informally, a polynomial commitment scheme (PC scheme) is a cryptographic primitive that enables one
to produce a commitment C to a polynomial p, and then to prove that this committed polynomial evaluates to
a claimed value v at a desired point z. (See Section 3.6 for a definition.) An accumulation scheme for a PC
scheme thus accumulates claims of the form “C commits to p such that p(z) = v” for arbitrary polynomials
p and evaluation points z.
In this section, we explain the ideas behind Theorem 3, by sketching how to construct (zero knowledge)
accumulation schemes for two popular (hiding) polynomial commitment schemes.
• In Section 2.4.1, we sketch our accumulation scheme for PCDL , a polynomial commitment scheme derived
from [BCCGP16; BBBPWM18; WTSTW18] that is based on the hardness of discrete logarithms.
• In Section 2.4.2, we sketch our accumulation scheme for PCAGM , a polynomial commitment scheme based
on knowledge assumptions over bilinear groups [KZG10; CHMMVW20].
In each case, the running time of the accumulation verifier will be sublinear in the degree of the polynomial,
and the accumulator itself will not grow with the number of accumulation steps. This allows the schemes to
be used, in conjunction with a suitable predicate-efficient SNARK, to construct PCD.
We remark that each of our accumulation schemes is proved secure in the random oracle model by
invoking a useful lemma about “zero-finding games” for committed polynomials (Lemma 3.3). Security also
requires that the random oracle used for an accumulation scheme for a PC scheme is domain-separated from
the random oracle used by the PC scheme itself.
2.4.1
Accumulation scheme for PCDL
We sketch our accumulation scheme for PCDL . For univariate polynomials of degree less than d, PCDL
achieves evaluation proofs of size O(λ log d) in the random oracle model, and assuming the hardness of the
discrete logarithm problem in a prime order group G. In particular, there are no secret parameters (so-called
“toxic waste”). However, PCDL has poor verification complexity: checking an evaluation proof requires Ω(d)
scalar multiplications in G. Bowe, Grigg, and Hopwood [BGH19] suggested a way to amortize this cost
across a batch of n proofs. Below we show that their idea leads to an accumulation scheme for PCDL with an
accumulation verifier that uses only O(n log d) scalar multiplications instead of the naive Θ(n · d), and with
an accumulator of size O(log d) elements in G.
Summary of PCDL (see Appendix A for details). The committer and receiver both sample (consistently
via the random oracle) a list of group elements {G0 , G1 , . . . , Gd }P∈ Gd+1 in a group G of prime order
q (written additively). A commitment to a polynomial p(X) = di=0 ai X i ∈ F≤d
q [X] is then given by
Pd
C := i=0 ai Gi . To prove that the committed polynomial p evaluates to v at a given point z ∈ Fq , it suffices
to prove that the triple (C, z, v) satisfies the following NP statement:
P
P
∃ a0 , . . . , ad ∈ F s.t. v = di=0 ai z i and C = di=0 ai Gi .
12
This is a special case of an inner product argument (IPA), as defined in [BCCGP16], which proves the
inner product of two committed vectors. The receiver simply verifies this inner product argument to check
the evaluation. The fact that the vector (1, z, . . . , z d ) is known to the verifier and has a certain structure is
exploited in the accumulation scheme that we describe below.
Accumulation scheme for the IPA. Our accumulation scheme relies on a special structure of the IPA verifier:
it generates O(log d) challenges using the random oracle, then performs cheap checks requiring O(log d)
field and group operations, and finally performs an expensive check requiring Ω(d) scalar multiplications.
This latter check asserts consistency between the challenges and a group element U contained in the proof.
Hence, the IPA verifier is succinct barring the expensive check, and so constructing an accumulation scheme
for the IPA reduces to the task of constructing an accumulation scheme for the expensive check involving U .
To do this, we rely on an idea of Bowe, Grigg, and Hopwood [BGH19], which itself builds on an
observation in [BBBPWM18]. Namely, letting (ξ1 , . . . , ξlog2 d ) be the protocol’s challenges, U can be viewed
Qlog (d)−1
i
as a commitment to the polynomial h(X) := i=02
(1 + ξlog2 (d)−i X 2 ) ∈ F≤d
q [X]. This polynomial
has the special property that it can be evaluated at any point in just O(log d) field operations (exponentially
smaller than its degree d). This allows transforming the expensive check on U into a check that is amenable to
batching: instead of directly checking that U is a commitment to h, one can instead check that the polynomial
committed inside U agrees with h at a challenge point z sampled via the random oracle.
We leverage this idea as follows. When accumulating evaluation claims about multiple polynomials
p1 , . . . , pn , applying the foregoing transformation results in n checks of the form “check that the polynomial
contained in Ui evaluates to hi (z) at the point z”. Because these are all claims for the correct evaluation of
the polynomials hi at the same point z, we can accumulate them via standard homomorphic techniques. We
now summarize how we apply this idea to construct our accumulation scheme AS = (P, V, D) for PCDL .
Accumulators in our accumulation scheme have the same form as the instances to be accumulated: they
are tuples of the form (C, z, v, π) where π is an evaluation proof for the claim “p(z) = v” and p is the
polynomial committed in C. For simplicity, below we consider the case of accumulating one old accumulator
acc = (C1 , z1 , v1 , π1 ) and one instance (C2 , z2 , v2 , π2 ) into a new accumulator acc⋆ = (C, z, v, π).
Accumulation prover P: compute the new accumulator acc⋆ = (C, z, v, π) from the old accumulator
acc = (C1 , z1 , v1 , π1 ) and the instance (C2 , z2 , v2 , π2 ) as follows.
• Compute U1 , U2 from π1 , π2 respectively. As described above, these elements can be viewed as commitments to polynomials h1 , h2 defined by the challenges derived from π1 , π2 .
• Use the random oracle ρ to compute the random challenge α := ρ([(h1 , U1 ), (h2 , U2 )]).
• Compute C := U1 + αU2 , which is a polynomial commitment to p(X) := h1 (X) + αh2 (X).
• Compute the challenge point z := ρ(C, p), where p is uniquely represented via the tuple ([h1 , h2 ], α).
• Construct an evaluation proof π for the claim “p(z) = v”. (This step is the only expensive one.)
• Output the new accumulator acc⋆ := (C, z, v, π).
Accumulation verifier V: to check that the new accumulator acc⋆ = (C, z, v, π) was correctly generated
from the old accumulator acc = (C1 , z1 , v1 , π1 ) and the instance (C2 , z2 , v2 , π2 ), first compute the challenges
α and z from the random oracle as above, and then check that (a) (C1 , z1 , v1 , π1 ) and (C2 , z2 , v2 , π2 ) pass
the cheap checks of the IPA verifier, (b) C = U1 + αU2 , and (c) h1 (z) + αh2 (z) = v.
Decider D: on input the (final) accumulator acc⋆ = (C, z, v, π), check that π is a valid evaluation proof
for the claim that the polynomial committed inside C evaluates to v at the point z.
This construction achieves the efficiency summarized in Theorem 3.
We additionally achieve zero knowledge accumulation for the hiding variant of PCDL (also described in
Appendix A). Informally, the accumulation prover randomizes acc⋆ by including a new random polynomial
13
h0 in the accumulation step. This ensures that the evaluation claim in acc⋆ is for a random polynomial, thus
hiding all information about the original evaluation claims. To allow the accumulation verifier to check that
this randomization was performed correctly, the prover includes h0 in an auxiliary proof πV .
In Section 7, we show how to extend the above accumulation scheme to accumulate any number of old
accumulators and instances. Our security proof for the resulting accumulation scheme relies on the hardness
of zero-finding games (Lemma 3.3), and the security of PCDL .
2.4.2
Accumulation scheme for PCAGM
We sketch our accumulation scheme AS = (P, V, D) for PCAGM . Checking an evaluation proof in PCAGM
requires 1 pairing, and so checking n evaluation proofs requires n pairings. AS improves upon this as
follows: the accumulation verifier V only performs O(n) scalar multiplications in G1 in order to check the
accumulation of n evaluation proofs, while the decider D performs only a single pairing in order to check the
resulting accumulator. This is much cheaper: it reduces the number of pairings from n to 1, and also defers
this single pairing to the end of the accumulation (the decider). In particular, when instantiating the PCD
construction outlined in Section 2.1 with a PCAGM -based SNARK and our accumulation scheme for PCAGM ,
we can eliminate all pairings from the circuit being verified in the PCD construction.
Below we explain how standard techniques for batching pairings using random linear combinations
[CHMMVW20] allow us to realize an accumulation scheme for PCAGM with these desirable properties.
Summary of PCAGM . The committer key ck and receiver key rk for a given maximum degree bound D are
group elements from a bilinear group (G1 , G2 , GT , q, G, H, e): ck := {G, βG, . . . , β D G} ∈ GD+1
consists
1
of group elements encoding powers of a random field element β, while rk := (G, H, βH) ∈ G1 × G22 .
A commitment to a polynomial p ∈ F≤D
q [X] is the group element C := p(β)G ∈ G1 . To prove
that p evaluates to v at a given point z ∈ Fq , the sender computes a “witness polynomial” w(X) :=
(p(X) − v)/(X − z), and outputs the evaluation proof π := w(β)G ∈ G1 . The receiver can check this proof
by checking the pairing equation e(C − vG, H) = e(π, βH − zH). This pairing equation is the focus of our
accumulation scheme below. (This summary omits details about degree enforcement and about hiding.)
Accumulation scheme. We construct an accumulation scheme AS = (P, V, D) for PCAGM by relying on
standard techniques for batching pairing equations. Suppose that we wish to simultaneously check the validity
of n instances [(Ci , zi , vi , πi )]ni=1 . First, rewrite the pairing check for the i-th instance as follows:
e(Ci − vi G, H) = e(πi , βH − zi H) ⇐⇒ e(Ci − vi G + zi πi , H) = e(πi , βH) .
(1)
After the rewrite, the G2 inputs to both pairings do not depend on the claim being checked. This allows
batching the pairing checks by taking a random linear combination with respect to a random challenge
r := ρ([Ci , zi , vi , πi ]ni=1 ) computed from the random oracle, resulting in the following combined equation:
P
P
e( ni=1 ri (Ci − vi G + zi πi ), H) = e( ni=1 ri πi , βH) .
(2)
P
We now have a pairing equation involving
an “accumulated commitment” C ⋆ := ni=1 ri (Ci − vi G + zi πi )
P
n
and an “accumulated proof” π ⋆ := i=1 ri πi . This observation leads to the accumulation scheme below.
An accumulator in AS consists of a commitment-proof pair (C ⋆ , π ⋆ ), which the decider D validates by
checking that e(C ⋆ , H) = e(π ⋆ , βH). Moreover, observe that by Eq. (1), checking the validity of a claimed
evaluation (C, z, v, π) within PCAGM corresponds to checking that the “accumulator” (C − vG + zπ, π) is
accepted by the decider D. Thus we can restrict our discussion to accumulating accumulators.
n
⋆
⋆ n
The accumulation prover P, on input a list of old accumulators
= [(C
Pn i ⋆[acci ]i=1
Pni , πii)]⋆i=1 , computes
n
⋆
⋆
a random challenge r := ρ([acci ]i=1 ), constructs C := i=1 r Ci and π := i=1 r πi , and outputs
14
the new accumulator acc⋆ := (C ⋆ , π ⋆ ) ∈ G21 . To check that acc⋆ accumulates [acci ]ni=1 , the accumulation
verifier V simply invokes P and checks that its output matches the claimed new accumulator acc⋆ .
To achieve zero knowledge accumulation, the accumulation prover randomizes acc⋆ by including in it an
extra “old” accumulator corresponding to a random polynomial, which statistically hides the accumulated
claims. To allow the accumulation verifier to check that this randomization was performed correctly, the
prover includes this old accumulator in an auxiliary proof πV .
This construction achieves the efficiency summarized in Theorem 3.
In Section 8, we show how to extend the above accumulation scheme to account for additional features of
PCAGM (degree enforcement and hiding). Our security proof for the resulting accumulation scheme relies on
the hardness of zero-finding games (Lemma 3.3).
15
3 Preliminaries
Indexed relations. An indexed relation R is a set of triples (✐, ①, ✇) where ✐ is the index, ① is the instance,
and ✇ is the witness; the corresponding indexed language L(R) is the set of pairs (✐, ①) for which there
exists a witness ✇ such that (✐, ①, ✇) ∈ R. For example, the indexed relation of satisfiable boolean circuits
consists of triples where ✐ is the description of a boolean circuit, ① is a partial assignment to its input wires,
and ✇ is an assignment to the remaining wires that makes the circuit to output 0.
Security parameters. For simplicity of notation, we assume that all public parameters have length at least
λ, so that algorithms which receive such parameters can run in time poly(λ).
Random oracles.
We denote by U (λ) the set of all functions that map {0, 1}∗ to {0, 1}λ . We denote by
S
U (∗) the set λ∈N U (λ). A random oracle with security parameter λ is a function ρ : {0, 1}∗ → {0, 1}λ
sampled uniformly at random from U (λ).
3.1
Non-interactive arguments in the ROM
A tuple of algorithms ARG = (G, I, P, V) is a (preprocessing) non-interactive argument in the random
oracle model (ROM) for an indexed relation R if the following properties hold.
• Completeness. For every adversary A,
(✐, ①, ✇) 6∈ R
∨
Pr
V ρ (ivk, ①, π) = 1
ρ ← U(λ)
pp ← G ρ (1λ )
(✐, ①, ✇) ← Aρ (pp)
(ipk, ivk) ← I ρ (pp, ✐)
π ← P ρ (ipk, ①, ✇)
• Soundness. For every polynomial-size adversary P̃,
ρ ← U(λ)
(✐, ①) 6∈ L(R)
pp
← G ρ (1λ )
∧
Pr
ρ
(✐, ①, π) ← P̃ ρ (pp)
V (ivk, ①, π) = 1
(ipk, ivk) ← I ρ (pp, ✐)
=1 .
≤ negl(λ) .
The above formulation of completeness allows (✐, ①, ✇) to depend on the random oracle ρ and public
parameters pp, and the above formulation of soundness allows (✐, ①) to depend on the random oracle ρ and
public parameters pp.
Our PCD construction makes use of the stronger property of knowledge soundness, and optionally also
the property of (statistical) zero knowledge. We define both of these properties below. Note that this definition
is stronger the standard definition of knowledge soundness; this is required to prove post-quantum security in
Theorem 5.2. This stronger definition is similar to the notion of witness-extended emulation [Lin03].
Knowledge soundness. We say that ARG = (G, I, P, V) has knowledge soundness if for every polynomialsize adversary P̃ and every polynomial-size auxiliary input distribution D there exists an efficient extractor E
such that
ρ ← U(λ)
ρ
∀ j ∈ [ℓ], V (ivkj , ①j , πj ) = 1
pp ← G ρ (1λ )
ρ (pp)
z
←
D
⇓
Pr
≥ 1 − negl(λ)
ρ
~
(✐, ~①, ~π , aux, ✇
~ ) ← E (pp, z)
(✐j , ①j , ✇j ) ∈ R
∀ j , (ipkj , ivkj ) ← I ρ (pp, ✐j )
16
and, moreover, the following distributions are statistically close (as a function of λ)
ρ ← U(λ)
ρ ← U(λ)
ρ
λ
~
~
pp ← G ρ (1λ )
pp ← G (1 )
(ρ, pp, ✐,
(ρ, pp, ✐,
and
ρ
z ← Dρ (pp)
z ← D (pp)
~①, ~π , aux)
~①, ~π , aux)
(~✐, ~①, ~π , aux, ✇
~ ) ← E ρ (pp, z)
(~✐, ~①, ~π , aux) ← P̃ ρ (pp, z)
.
The above definition is polynomially related to the standard definition of adaptive knowledge soundness,
which does not consider a vector of outputs or an auxiliary output by the prover.
Zero knowledge. We say that ARG = (G, I, P, V) has (statistical) zero knowledge if there exists a
probabilistic polynomial-time simulator S such that for every polynomial-size honest adversary A the
distributions below are computationally indistinguishable:
ρ ← U(λ)
ρ ← U(λ)
ρ
λ
pp ← G (1 )
(pp, τ ) ← S ρ (✐, ①)
ρ
(✐, ①, ✇) ← A (pp)
(ρ, pp, ✐, ①, π)
.
and
(ρ[µ], pp, ✐, ①, π)
(✐, ①, ✇) ← Aρ (pp)
ρ
(ipk, ivk) ← I (pp, ✐)
(π, µ) ← S ρ (pp, ✐, ①, τ )
π ← P ρ (ipk, ①, ✇)
Above, ρ[µ] is the function that, on input x, equals µ(x) if µ is defined on x, or ρ(x) otherwise. This
definition uses explicitly-programmable random oracles [BR93]. (Non-interactive zero knowledge with
non-programmable random oracles is impossible for non-trivial languages [Pas03; BCS16].)
3.2
Proof-carrying data
A triple of algorithms PCD = (G, I, P, V) is a (preprocessing) proof-carrying data scheme (PCD scheme)
for a class of compliance predicates F if the properties below hold.
Definition 3.1. A transcript T is a directed acyclic graph where each vertex u ∈ V (T) is labeled by local
(u)
data zloc and each edge e ∈ E(T) is labeled by a message z (e) 6= ⊥. The output of a transcript T, denoted
o(T), is z (e) where e = (u, v) is the lexicographically-first edge such that v is a sink.
Definition 3.2. A vertex u ∈ V (T) is ϕ-compliant for ϕ ∈ F if for all outgoing edges e = (u, v) ∈ E(T):
(u)
• (base case) if u has no incoming edges, ϕ(z (e) , zloc , ⊥, . . . , ⊥) accepts;
(u)
• (recursive case) if u has incoming edges e1 , . . . , em , ϕ(z (e) , zloc , z (e1 ) , . . . , z (em ) ) accepts.
We say that T is ϕ-compliant if all of its vertices are ϕ-compliant.
Completeness. For every adversary A,
ϕ ∈ F ∧ ∀ i, zi = ⊥ ∨ ∀ i, V(ivk, zi , πi ) = 1 ∧
ϕ(z,
z
,
z
,
.
.
.
,
z
)
accepts
1
m
loc
Pr
⇓
V(ivk, z, π) = 1
G(1λ )
♣♣ ←
(ϕ, z, zloc , [zi , πi ]m
i=1 ) ← A(♣♣)
(ipk, ivk) ← I(♣♣, ϕ)
π ← P(ipk, z, zloc , [zi , πi ]m
i=1 )
=1 .
Knowledge soundness. We say that PCD = (G, I, P, V) has knowledge soundness if there exists some
polynomial e such that for every polynomial-size adversary P̃, there exists an extractor E of size at most
17
e(|P̃|) such that
Pr
ϕ ∈ F ∧ V(ivk, o(T), π) = 1
⇓
T is ϕ-compliant
♣♣ ← G(1λ )
(ϕ, π, T) ← E(♣♣)
(ipk, ivk) ← I(♣♣, ϕ)
and, moreover, the following distributions are statistically close:
♣♣
← G(1λ )
and
(ϕ, o(T), π)
(ϕ, o, π)
(ϕ, o, π) ← P̃(♣♣)
≥ 1 − negl(λ) .
♣♣ ← G(1λ )
(ϕ, π, T) ← E(♣♣)
.
Zero knowledge. We say that PCD = (G, I, P, V) has (statistical) zero knowledge if there exists a
probabilistic polynomial-time simulator S such that for every polynomial-size honest adversary A the
distributions below are computationally indistinguishable:
λ)
♣♣
←
G(1
(♣♣, τ ) ← S
m
(ϕ, z, zloc , [zi , πi ]i=1 ) ← A(♣♣)
.
(♣♣, π) (ϕ, z, zloc , [zi , πi ]m
and
(♣♣, π)
i=1 ) ← A(♣♣)
(ipk, ivk) ← I(♣♣, ϕ)
π
←
S(ϕ,
z,
τ
)
π ← P(ipk, ϕ, z, zloc , [zi , πi ]m
i=1 )
In this case, A is honest if it outputs, with probability 1, (ϕ, z, zloc , [zi , πi ]m
i=1 ) such that ϕ ∈ F, V(ivk, zi , πi ) =
1 for all i, and ϕ(z, zloc , z1 , . . . , zm ) accepts.
Efficiency. The generator G, prover P, indexer I and verifier V run in polynomial time. A proof π has size
poly(λ, |ϕ|); in particular, it is not permitted to grow with each application of P.
3.3
Instantiating the random oracle
Almost all of the results in this paper are proved in the random oracle model, and so we give definitions
which include random oracles. The single exception is our construction of proof-carrying data, in Section 5.1.
We do not know how to build PCD schemes which are secure in the random oracle model from any standard
assumption. Instead, we show that assuming the existence of a non-interactive argument with security in the
standard (CRS) model, we obtain a PCD scheme which is also secure in the standard (CRS) model.
For this reason, the definition of PCD above is stated in the standard model (without oracles). We do
not explicitly define non-interactive arguments in the standard model; the definition is easily obtained by
removing the random oracle from the definition presented in Section 3.1.
3.4
Post-quantum security
The definitions of both non-interactive arguments (in the standard model) and proof-carrying data can
be strengthened, in a straightforward way, to express post-quantum security. In particular, we replace
“polynomial-size circuit” and “polynomial-time algorithm” with their quantum analogues. Since we do not
prove post-quantum security of any construction in the random oracle model, we do not discuss the quantum
random oracle model.
18
3.5
Commitment schemes
A commitment scheme CM = (Setup, Trim, Commit) enables one to create binding commitments to
messages.
• CM.Setup, on input a message format L, outputs public parameters pp; this specifies a message universe
Mpp and a commitment universe Cpp .
• CM.Trim, on input public parameters pp and a trim specification ℓ, outputs a commitment key ck containing
a description of a message space Mck ⊆ Mpp (corresponding to ℓ).
• CM.Commit, on input a commitment key ck, a message m ∈ Mck and randomness ω, outputs a commitment C ∈ Cpp .
CM is binding if, for every message format L such that |L| = poly(λ), and for every efficient adversary A,
the following holds.
m1 ∈ Mck1 , m2 ∈ Mck2 , m1 6= m2
∧
Pr
CM.Commit(ck1 , m1 ; ω1 ) = CM.Commit(ck2 , m2 ; ω2 )
pp ← CM.Setupρ (1λ , L)
((ℓ1 , m1 , ω1 ), (ℓ2 , m2 , ω2 )) ← Aρ (pp)
≤ negl(λ) .
ck1 ← CM.Trimρ (pp, ℓ1 )
ck2 ← CM.Trimρ (pp, ℓ2 )
Note that m1 6= m2 is well-defined since Mck1 , Mck2 ⊆ Mpp .
We now give a useful lemma, which bounds the probability that applying the random oracle to a
commitment to a polynomial yields a zero of that polynomial. We refer to this as a zero-finding game.
Lemma 3.3. Let F : N → N, and CM = (Setup, Trim, Commit) be a commitment scheme. Fix a number of
variables M ∈ N and maximum degree N ∈ N. Then for every family of (not necessarily efficient) functions
{fpp }pp and fields {Fpp }pp where fpp : Mpp → F≤N
pp [X1 , . . . , XM ] and |Fpp | ≥ F (λ); for every message
format L and efficient t-query oracle algorithm A, the following holds.
ρ ← U(λ)
pp ← CM.Setup(1λ , L)
s
p 6≡ 0
(ℓ, p ∈ Mck , ω) ← Aρ (pp)
MN
ck ← CM.Trim(pp, ℓ)
∧
Pr
≤ (t + 1) · F (λ) + negl(λ) .
p(z) = 0
C ← CM.Commit(ck, p; ω)
z ∈ FN
pp ← ρ(C)
p ← fpp (p)
If CM is perfectly binding, then the above holds also for computationally-unbounded t-query adversaries A.
Proof. Let A be an adversary which wins with probability δ in the above game; we construct an adversary B
N
which breaks the binding of the commitment scheme with probability at least δ 2 /(t + 1) − FM(λ)
.
Note first that we may assume that A always queries C ← CM.Commit(ck, p; ω) for its output (p, ω),
by increasing the query bound from t to t + 1.
B(pp):
1. Run (ℓ, p, ω) ← Aρ (pp), simulating its queries to ρ.
2. Compute ck ← CM.Trim(pp, ℓ).
3. Obtain C ← CM.Commit(ck, p; ω).
4. Rewind A to the query ρ(C) and run to the end, drawing fresh randomness for this and subsequent
oracle queries, to obtain (ℓ′ , p′ , ω ′ ).
19
5. Output ((ℓ, p, ω), (ℓ′ , p′ , ω ′ )).
Let ck′ := CM.Trim(pp, ℓ′ ), C ′ := CM.Commit(ck′ , p′ ; ω ′ ), z := ρ(C), z ′ := ρ(C ′ ), p := fpp (p) and
p′ := fpp (p′ ). By the forking lemma, the probability that p(z) = p′ (z ′ ) = 0 and C = C ′ is at least δ 2 /(t+1);
call this event E. Then
Pr[E] ≤ Pr[E ∧ (p = p′ )] + Pr[E ∧ (p 6= p′ )] ≤ M N/F (λ) + Pr[E ∧ (p 6= p′ )] .
The lemma follows by noting that E ∧ (p 6= p′ ) implies that B breaks the binding property of CM.
Remark 3.4. For Lemma 3.3 to hold, the algorithms of CM must not have access to the random oracle ρ
used to generate the challenge point z. The lemma is otherwise black-box with respect to CM, and so CM
itself may use other oracles. The lemma continues to hold when A has access to these additional oracles. We
use this fact later to justify the security of domain separation.
3.6
Polynomial commitments
A polynomial commitment scheme is a cryptographic primitive that enables a sender to commit to a polynomial p over a field F and then later prove the correct evaluation of the polynomial at a desired point. In more
detail, a polynomial commitment scheme PC is a tuple of algorithms (Setup, Trim, Commit, Open, Check)
with the following syntax and properties:
• PC.Setupρ (1λ , D) → pp. On input a security parameter λ (in unary), and a maximum degree bound
D ∈ N, PC.Setup samples public parameters ppPC . The parameters contain the description of a finite field
F (which has size that is super-polynomial in λ).
• PC.Trimρ (pp, [di ]ni=1 ) → (ck, rk). On input public parameters ppPC , and degree bounds [di ]ni=1 , PC.Trim
deterministically computes a key pair (ck, rk) that is specialized to [di ]ni=1 .
• PC.Commitρ (ck, p, d; ω) → C. On input ck, a univariate polynomial p over the field F, and a degree
bound d such that deg(p) ≤ d ∈ [di ]ni=1 , PC.Commit outputs a commitment C to the polynomial p. The
randomness ω is used if the commitment C is hiding.
• PC.Openρ (ck, p, C, d, z; ω) → π. On input the commitment key ck, a univariate polynomial p over the
field F, a commitment C to p, a degree bound d, an evaluation point z, and commitment randomness ω,
PC.Open outputs an evaluation proof π.
• PC.Checkρ (rk, C, d, z, v, π) → b. On input the receiver key rk, a commitment C, a degree bound d, an
evaluation point z, a claimed evaluation v, and an evaluation proof π, PC.Check checks that the degree
bound d ∈ [di ]ni=1 , and outputs 1 if π attests that the polynomial p committed in C has degree at most d
and evaluates to v at z.
A polynomial commitment scheme PC must be such that (PC.Setup, PC.Trim, PC.Commit) is a (binding)
commitment scheme for bounded-degree polynomials over a field. The message format L is equal to the
maximum degree bound D; the message universe is the set of polynomials over some field F of degree at
most D. The trim specification ℓ is equal to the list of degree bounds [di ]ni=1 ; the corresponding message
space is the set of polynomials over F of degree at most maxi di .
A polynomial commitment scheme must also satisfy the following additional properties.
20
Completeness. For every maximum degree bound D = poly(λ) ∈ N and every adversary A,
d ∈ [di ]ni=1
deg(p) ≤ d ≤ D
Pr
⇓
PC.Checkρ (rk, C, d, z, v, π) = 1
pp ← PC.Setupρ (1λ , D)
([di ]ni=1 , p, d, z, ω) ← Aρ (pp)
(ck, rk) ← PC.Trimρ (pp, [di ]ni=1 )
C ← PC.Commitρ (ck, p, d; ω)
v ← p(z)
π ← PC.Openρ (ck, p, C, d, z; ω)
=1 .
Extractability. For every maximum degree bound D = poly(λ) ∈ N and polynomial-size adversary A
there exists an efficient extractor E such that the following holds.
PC.Checkρ (rk, C, d, z, v, π) = 1
ρ ← U(λ)
⇓
ρ λ
pp
←
PC.Setup
(1 , D)
C = PC.Commitρ (ck, p, d; ω)
n
([di ]i=1 , (C, d, z, v), π) ← Aρ (pp)
Pr
≥ 1 − negl(λ) .
v = p(z)
ρ (pp)
(p,
ω)
←
E
d ∈ [di ]ni=1
(ck, rk) ← PC.Trimρ (pp, [di ]ni=1 )
deg(p) ≤ d ≤ D
Hiding. There exists a stateful polynomial-time simulator S such that, for every maximum degree bound
D = poly(λ) ∈ N and stateful polynomial-size adversary A, the output distributions of the following games
are statistically close:
Real(1λ , D, A):
1. ρ ← U(λ).
2. pp ← PC.Setupρ (1λ , D).
3. (p, d) ← Aρ (pp).
4. (ck, rk) ← PC.Trimρ (pp, d).
5. Sample commitment randomness ω.
6. C ← PC.Commitρ (ck, p, d; ω).
7. z ← Aρ (C).
8. Sample opening randomness r.
9. π ← PC.Openρ (ck, p, C, d, z; ω, r).
10. Output (ρ, pp, p, d, C, z, π).
Ideal(1λ , D, A):
1. ρ ← U(λ).
2. (pp, trap) ← S.Setupρ (1λ , D).
3. (p, d) ← Aρ (pp).
4. C ← S.Commitρ (trap, d).
5. z ← Aρ (C).
6. (µ, π) ← S.Openρ (z, p(z)).
7. Output (ρ[µ], pp, p, d, C, z, π).
21
4 Accumulation schemes
In Section 4.1 we formally define an accumulation scheme. In Section 4.2 we define accumulation schemes
for predicates related to the cryptographic primitives used in this paper.
4.1
Definition
Let Φ : U (∗) × ({0, 1}∗ )3 → {0, 1} be a predicate (for clarity we write Φρ (ppΦ , iΦ , q) for Φ(ρ, ppΦ , iΦ , q)).
Let H be a randomized algorithm with access to a (random) oracle, which outputs predicate parameters ppΦ .
An accumulation scheme for (Φ, H) is a tuple of algorithms AS = (G, I, P, V, D) all of which have
access to the same random oracle ρ. The algorithms have the following syntax and properties.
Syntax. The algorithms comprising AS have the following syntax:
• Generator: On input a security parameter λ (in unary), G samples and outputs public parameters pp.
• Indexer: On input public parameters pp, predicate parameters ppΦ (generated by H), and a predicate index
iΦ , I deterministically computes and outputs a triple (apk, avk, dk) consisting of an accumulator proving
key apk, an accumulator verification key avk, and a decision key dk.3
• Accumulation prover: On input the accumulator proving key apk, inputs [qi ]ni=1 , and old accumulators
[accj ]m
j=1 , P outputs a new accumulator acc and a proof πV for the accumulation verifier.
• Accumulation verifier: On input the accumulator verification key avk, inputs [qi ]ni=1 , accumulator instances
[accj ]m
j=1 , a new accumulator instance acc, and a proof πV , V outputs a bit indicating whether ❛ correctly
accumulates [qi ]ni=1 and [accj ]m
j=1 .
• Decider: On input the decision key dk, and an accumulator acc, D outputs a bit indicating whether acc is a
valid accumulator.
These algorithms must satisfy two properties, completeness and soundness, defined below. We additionally
define a notion of zero knowledge that we will rely on to achieve zero knowledge PCD (see Section 5).
Completeness. For all (unbounded) adversaries A,
Pr
∀ j ∈ [m], Dρ (dk, accj ) = 1
∀ i ∈ [n], Φρ (ppΦ , iΦ , qi ) = 1
⇓
Vρ (avk, [qi ]ni=1 , [accj ]m
j=1 , acc, πV ) = 1
Dρ (dk, acc) = 1
ρ ← U(λ)
pp ← Gρ (1λ )
ppΦ ← Hρ (1λ )
m
n
(iΦ , [qi ]i=1 , [accj ]j=1 ) ← Aρ (pp, ppΦ )
(apk, avk, dk) ← Iρ (pp, ppΦ , iΦ )
(acc, πV ) ← Pρ (apk, [qi ]ni=1 , [accj ]m
j=1 )
=1 .
Note that for m = n = 0, the precondition on the left-hand side holds vacuously; this is required for the
completeness condition to be non-trivial.
Soundness. For every polynomial-size adversary A,
Pr
Vρ (avk, [qi ]ni=1 , [accj ]m
j=1 , acc, πV ) = 1
Dρ (dk, acc) = 1
⇓
∀ j ∈ [m], Dρ (dk, accj ) = 1
∀ i ∈ [n], Φρ (ppΦ , iΦ , qi ) = 1
iΦ
ρ ← U(λ)
pp ← Gρ (1λ )
ρ λ
ppΦ ← H (1 )
n
m
[qi ]i=1 [accj ]j=1
← Aρ (pp, ppΦ )
acc πV
(apk, avk, dk) ← Iρ (pp, ppΦ , iΦ )
≥ 1 − negl(λ) .
3
We remark that in some schemes it is important, for the sake of efficiency, for the indexer I to have oracle access to the predicate
parameters ppΦ and predicate index iΦ , rather than reading them in full. All of our constructions and statements extend, in a
straightforward way, to this case.
22
Zero knowledge. There exists a polynomial-time simulator S such that for every polynomial-size “honest”
adversary A (see below) the following distributions are (statistically/computationally) indistinguishable:
and
(ρ, pp, acc)
(ρ[µ], pp, acc)
ρ ← U(λ)
pp ← Gρ (1λ )
ppΦ ← Hρ (1λ )
n
m
(iΦ , [qi ]i=1 , [accj ]j=1 ) ← Aρ (pp, ppΦ )
(apk, avk, dk) ← Iρ (pp, ppΦ , iΦ )
(acc, πV ) ← Pρ (apk, [qi ]ni=1 , [accj ]m
j=1 )
ρ ← U(λ)
(pp, τ ) ← Sρ (1λ )
ppΦ ← Hρ (1λ )
n
m
(iΦ , [qi ]i=1 , [accj ]j=1 ) ← Aρ (pp, ppΦ )
(acc, µ) ← Sρ (ppΦ , τ, iΦ )
.
ρ
Here A is honest if it outputs, with probability 1, a tuple (iΦ , [qi ]ni=1 , [accj ]m
j=1 ) such that Φ (ppΦ , iΦ , qi ) =
1 and Dρ (dk, accj ) = 1 for all i ∈ [n] and j ∈ [m]. Note that the simulator S is not required to simulate the
accumulation verifier proof πV .
Security in the standard model. The corresponding security definitions in the standard (CRS) model are
obtained from the above by removing the random oracle ρ wherever it appears.
Post-quantum security. The post-quantum analogues of the above definitions are obtained by modifying
the soundness and zero knowledge guarantees to quantify over polynomial-size quantum adversaries A;
we also strengthen the zero knowledge guarantee to require quantum computational indistinguishability
(although we do not permit S to be quantum). In the random oracle variant of the definitions, we should also
allow the adversary superposition access to the random oracle (i.e., require security in the quantum random
oracle model [BDFLSZ11]). Note, however, that this latter issue is not relevant to the present work: our only
result on post-quantum security is Theorem 5.2, which is in the standard (CRS) model.
4.2
Accumulation schemes for certain predicates
We conclude by specializing the definition of an accumulation scheme to the case of predicates induced
by the verifier in a non-interactive argument (Definition 4.1) and in a polynomial commitment scheme
(Definition 4.2).
Definition 4.1 (accumulation for ARG). A non-interactive argument system ARG = (G, I, P, V) has an
accumulation scheme if the pair (ΦV , G) has an accumulation scheme, where ΦV is defined as follows:
ΦρV (iΦ = (pp, ✐), q = (①, π)):
1. (ipk, ivk) ← I ρ (pp, ✐).
2. Output V ρ (ivk, ①, π).
Definition 4.2 (accumulation for PC). A polynomial commitment scheme PC = (Setup, Trim, Commit, Open, Check)
has an accumulation scheme if, for every D(λ) = poly(λ), the pair (ΦPC , HPC,D ) defined below has an
accumulation scheme.
ΦρPC (iΦ = (ppPC , [di ]ni=1 ), q = ((C, d, z, v), π)):
1. (ck, rk) ← PC.Trimρ (ppPC , [di ]ni=1 ).
2. Output PC.Checkρ (rk, C, d, z, v, π).
ρ
HPC,D
(1λ ):
Output ppPC ← PC.Setupρ (1λ , D(λ)).
23
5 Proof-carrying data from accumulation schemes
We formally restate and then prove Theorem 1, which provides a construction of proof-carrying data (PCD)
from any SNARK that has an accumulation scheme with certain efficiency properties.
First, we provide some notation for these properties.
Definition 5.1. Let AS = (G, I, P, V, D) be an accumulation scheme for a non-interactive argument (see
Section 6). We denote by V(λ,m,N,k) the circuit corresponding to the computation of the accumulation verifier
V, for security parameter λ, when checking the accumulation of m instance-proof pairs and accumulators,
on an index of size at most N , where each instance is of size at most k.
We denote by v(λ, m, N, k) the size of the circuit V(λ,m,N,k) , by |avk(λ, m, N )| the size of the accumulator verification key avk, and by |acc(λ, m, N )| the size of an accumulator.
Note that here we have specified that the size of acc is bounded by a function of λ, m, N ; in particular, it may
not depend on the number of instances accumulated.
When we invoke the accumulation verifier in our construction of PCD, an instance will consist of an
accumulator verification key, an accumulator, and some additional data of size ℓ. Thus the size of the
accumulation verifier circuit used in the scheme is given by
v∗ (λ, m, N, ℓ) := v(λ, m, N, |avk(λ, m, N )| + |acc(λ, m, N )| + ℓ) .
The notion of “sublinear verification” which is important here is that v∗ is sublinear in N . The following
theorem shows that when this is the case, this accumulation scheme can be used to construct PCD.
Theorem 5.2. There exists a polynomial-time transformation T such that if ARG = (G, I, P, V) is a SNARK
for circuit satisfiability and AS is an accumulation scheme for ARG then PCD = (G, I, P, V) := T(ARG, AS)
is a PCD scheme for constant-depth compliance predicates, provided
∃ ǫ ∈ (0, 1) and a polynomial α s.t. v∗ (λ, m, N, ℓ) = O(N 1−ǫ · α(λ, m, ℓ)) .
Moreover:
• If ARG and AS are secure against quantum adversaries, then PCD is secure against quantum adversaries.
• If ARG and AS are (post-quantum) zero knowledge, then PCD is (post-quantum) zero knowledge.
• If the size of the predicate ϕ : F(m+2)ℓ → F is f = ω(α(λ, m, ℓ)1/ǫ ) then:
– the cost of running I is equal to the cost of running both I and I on an index of size f + o(f );
– the cost of running P is equal to the cost of accumulating m instance-proof pairs using P, and running
P, on an index of size f + o(f ) and instance of size o(f );
– the cost of running V is equal to the cost of running both V and D on an index of size f + o(f ) and an
instance of size o(f ).
This last point gives the conditions for a sublinear additive recursive overhead; i.e., when the additional cost
of proving that ϕ is satisfied recursively is asymptotically smaller than the cost of proving that ϕ is satisfied
locally. Note that the smaller the compliance predicate ϕ, the more efficient the accumulation scheme has to
be in order to achieve this.
Our PCD construction and its proof of security follow those given in [COS20], except for several
important differences.
24
• In [COS20], the circuit on which the SNARK prover is invoked contains the SNARK verifier circuit. In
our setting, this is not possible in general since the verifier may not be succinct. Instead, we invoke the
SNARK prover on a circuit containing the accumulation verifier circuit.
• The PCD proof consists of both a SNARK proof π and an accumulator acc; verifying the computation
requires running the SNARK verifier on π and the accumulation scheme decider on acc.
• Since the security of the accumulation scheme is proved separately to the security of the SNARK itself,
we require that the SNARK remain secure with respect to the auxiliary input distribution induced by the
public parameters of the accumulation scheme.
The rest of this section is dedicated to proving Theorem 5.2: in Section 5.1 we construct the PCD scheme; in
Section 5.2 we prove that accumulation verifiers that are sublinear suffice for PCD; in Section 5.3 we prove
completeness; in Section 5.4 we prove knowledge soundness; in Section 5.5 we discuss zero knowledge; and
in Section 5.6 we discuss post-quantum security.
Remark 5.3. Theorem 5.2 yields PCD that is secure for constant-depth compliance predicates. The depth
restriction is necessary because of the recursive invocation of the extractor: if the extractor has size e(n) = nc ,
d
then recursively applying the extractor d times (for a depth-d predicate) yields a circuit of size nc , which for
d = ω(1) is superpolynomial. Under a subexponential knowledge assumption one can increase d to o(log n).
5.1
Construction
Let ARG = (G, I, P, V) be a non-interactive argument for circuit satisfiability, and let AS = (G, I, P, V, D)
be an accumulation scheme for ARG. Below we construct a PCD scheme PCD = (G, I, P, V).
Given a compliance predicate ϕ : F(m+2)ℓ → F, the circuit that realizes the recursion is as follows.
(λ,N,k)
(avk, z, acc), (zloc , [zi , πi , acci ]m
RV,ϕ
i=1 , πV ) :
1. Check that the compliance predicate ϕ(z, zloc , z1 , . . . , zm ) accepts.
2. If there exists i ∈ [m] such that zi 6= ⊥, check that the SNARK accumulation verifier accepts:
m
V(λ,m,N,k) (avk, [(avk, zi , acci ), πi ]m
i=1 , [acci ]i=1 , acc, πV ) = 1 .
3. If the above checks hold, output 1; otherwise, output 0.
Above, V(λ,m,N,k) refers to the circuit representation of V with input size appropriate for security parameter
λ, number of instance-proof pairs and accumulators m, index size N , and instance size k.
Next we describe the generator G, indexer I, prover P, and verifier V of the PCD scheme.
• G(1λ ): Sample pp ← G(1λ ) and ppAS ← G(1λ ), and output ♣♣ := (pp, ppAS ).
• I(♣♣, ϕ):
1. Compute the integer N := N (λ, |ϕ|, m, ℓ), where N is defined in Lemma 5.4 below.
(λ,N,k)
2. Construct the circuit R := RV,ϕ
where k := |avk(λ, N )| + ℓ + |acc(λ, N )|.
3. Compute the index key pair (ipk, ivk) ← I(pp, R) for the circuit R for the SNARK.
4. Compute the index key triple (apk, dk, avk) ← I(ppAS , iΦ = (pp, R)) for the accumulator.
5. Output ipk := (ipk, apk) and ivk := (ivk, dk, avk).
• P(ipk, z, zloc , [zi , (πi , acci )]m
i=1 ):
1. If zi = ⊥ for all i ∈ [m] then set (acc, πV ) ← P(apk, ⊥).
m
2. If zi 6= ⊥ for some i ∈ [m] then compute (acc, πV ) ← P(apk,[(avk, zi , acci ), πi ]m
i=1 , [acci ]i=1 ).
m
3. Compute π ← P ipk, (avk, z, acc), (zloc , [zi , πi , acci ]i=1 , πV ) .
25
4. Output (π, acc).
• V(ivk, z, (π, acc)): Accept if both V(ivk, (avk, z, acc), π) and D(dk, acc) accept.
5.2
Efficiency
Denote by f the size of the compliance predicate ϕ as an R1CS instance. In the above construction, the
explicit input consists of the accumulator verification key avk, whose size depends on N and λ, a message z
whose size is ℓ (independent of N ), and an accumulator acc whose size depends on N and λ. The security
(λ,N,k)
parameter λ is independent of N . The circuit RV,ϕ
on which we wish to invoke V is of size
S(λ, f, m, ℓ, N ) = f + S0 (m, ℓ) + v∗ (λ, m, N, ℓ)
for some S0 (m, ℓ) = O(mℓ) ,
recalling that v∗ (λ, m, N, ℓ) = v(λ, m, N, |avk(λ, m, N )| + |acc(λ, m, N )| + ℓ).
The goal of this section to find the (asymptotically) smallest index size bound function N such that
S(λ, f, m, ℓ, N (λ, f, m, ℓ)) ≤ N (λ, f, m, ℓ). This ensures that the circuit for checking an index of size N is
of size at most N , which permits recursion.
Lemma 5.4. Suppose that for every security parameter λ ∈ N, arity m, and message size ℓ ∈ N the ratio of
accumulation verifier circuit size to index size v∗ (λ, m, N, ℓ)/N is monotone decreasing in N . Then there
exists a size function N (λ, f, m, ℓ) such that
∀ λ, f, m, ℓ ∈ N
S(λ, f, m, ℓ, N (λ, f, m, ℓ)) ≤ N (λ, f, m, ℓ) .
Moreover if for some ǫ > 0 and some increasing function α it holds that, for all N, λ, m, ℓ sufficiently large,
v∗ (λ, m, N, ℓ) ≤ N 1−ǫ α(λ, m, ℓ)
then, for all λ, m, ℓ sufficiently large,
N (λ, f, m, ℓ) ≤ O(f + α(λ, m, ℓ)1/ǫ ) .
Proof. Let N0 := N0 (λ, m, ℓ) be the smallest integer such that v∗ (λ, m, N0 , ℓ)/N0 < 1/2; this exists
because of the monotone decreasing condition. Let N (λ, f, m, ℓ) := max(N0 (λ, m, ℓ), 2(f + S0 (m, ℓ))).
Then for N := N (λ, f, m, ℓ) it holds that
S(λ, f, m, ℓ, N ) = f + S0 (m, ℓ) + N · v∗ (λ, m, N, ℓ)/N < N/2 + N/2 = N .
Clearly f + S0 (m, ℓ) = O(f ). Now suppose that v∗ (λ, m, N, ℓ) ≤ N 1−ǫ α(λ, m, ℓ) for all sufficiently large
N, λ, m, ℓ. Let N ′ (λ, m, ℓ) := (2 · α(λ, m, ℓ))1/ǫ . Then since α is increasing, for sufficiently large λ, m, ℓ,
for N ′ := N ′ (λ, m, ℓ),
v∗ (λ, m, N ′ , ℓ)/N ′ < α(λ, m, ℓ) · (2α(λ, m, ℓ))−1 = 1/2 .
Hence N0 ≤ N ′ = (2 · α(λ, m, ℓ))1/ǫ , for sufficiently large λ, m, ℓ, and so N (λ, f, m, ℓ) ≤ O(f +
α(λ, m, ℓ)1/ǫ ).
We can now bound the size of the recursive circuit.
Corollary 5.5. For the function N above, S(λ, f, m, ℓ, N ) = f + O(f 1−ǫ · α(λ, m, ℓ) + α(λ, m, ℓ)1/ǫ ).
26
Proof. Using the expression for S above, and the bound on N ,
S(λ, f, m, ℓ, N ) = f + O(mℓ) + v∗ (λ, m, N, ℓ)
= f + O(N 1−ǫ α(λ, m, ℓ))
= f + O(f 1−ǫ · α(λ, m, ℓ) + α(λ, m, ℓ)1/ǫ ) .
In particular if f = ω(α(λ, m, ℓ)1/ǫ ) then this is f + o(f ), and so the stated efficiency bounds hold.
5.3
Completeness
Let A be any adversary that causes the completeness condition of PCD to be satisfied with probability p.
We construct an adversary B, as follows, that causes the completeness condition of AS to be satisfied with
probability at most p.
B(pp, ppAS ):
1. Set ♣♣ := (pp, ppAS ) and compute (ϕ, z, zloc , [zi , πi , acci ]m
i=1 ) ← A(♣♣).
(λ,N,k)
2. Run (apk, dk, avk) ← I(ppAS , pp, RV,ϕ ).
(λ,N,k)
3. Output (RV,ϕ
m
, [(avk, zi , acci ), πi ]m
i=1 , [acci ]i=1 ).
Suppose that A outputs (ϕ, z, zloc , [zi , πi , acci ]m
i=1 ) such that the completeness precondition is satisfied, but
V(ivk, z, (π, acc)) = 0. Then, by construction of V, it holds that either V(ivk, (avk, z, acc), π) = 0 or
D(dk, acc) = 0. If zi = ⊥ for all i, then by perfect completeness of ARG both of these algorithms output 1;
hence there exists i such that zi 6= ⊥. Hence it holds that for all i, V(ivk, zi , (πi , acci )) = 1, whence for all i,
(λ,N,k)
V(ivk, (avk, zi , acci ), πi ) = ΦV (pp, RV,ϕ , (avk, zi , acci ), πi ) = 1 and D(dk, acci ) = 1.
(λ,N,k)
If V(ivk, (avk, z, acc), π) = 0, then, by perfect completeness of ARG, we know that RV,ϕ
rejects
m , [acc ]m , acc) = 0. Other(avk, z, acc), (zloc , [zi , πi , acci ]m
),
π
,
and
so
V(avk,
[(avk,
z
,
acc
),
π
]
i
i
i i=1
i i=1
V
i=1
wise, D(dk, acc) = 0.
Now consider the completeness experiment for AS with adversary B. Since pp, ppAS are drawn identically
to the PCD experiment, the distribution of the output of A is identical. Hence in particular it holds that
(λ,N,k)
for all i, ΦV (pp, RV,ϕ , (avk, zi , acci ), πi ) = 1 and D(dk, acci ) = 1. By the above, it holds that either
m
V(avk, [(avk, zi , acci ), πi ]m
i=1 , [acci ]i=1 , acc) = 0 or D(dk, acc) = 0, and so B1 , B2 cause the completeness
condition for AS to be satisfied with probability at most p.
5.4
Knowledge soundness
Since the extracted transcript T will be a tree, we find it convenient to associate the label z (u,v) of the unique
(u)
outgoing edge of a node u with the node u itself, so that the node u is labelled with (z (u) , zloc ). For the
purposes of the proof we also associate with each node u a SNARK proof π (u) and an accumulator acc(u) , so
(u)
that the full label for a node is (z (u) , zloc , π (u) , acc(u) ). It is straightforward to transform such a transcript
into one that satisfies Definition 3.1.
Given a malicious prover P̃, we will define an extractor EP̃ that satisfies knowledge soundness. In the
process we construct a sequence of extractors E1 , . . . , Ed for d := d(ϕ) (the depth of ϕ); Ej outputs a tree of
depth j + 1. Let E0 (♣♣) run (ϕ, o, π, acc) ← P̃(♣♣) and output (ϕ, T0 ), where T0 is a single node labeled
with (o, π, acc). Let lT (j) denote the vertices of T at depth j; lT (0) := ∅ and lT (1) is the singleton containing
the root.
27
Now we define the extractor Ej inductively for each j ∈ [d]. Suppose we have already constructed Ej−1 .
We construct a SNARK prover P̃j as follows:
P̃j (pp, ppAS ):
1. Compute (ϕ, Tj−1 ) ← Ej−1 (pp, ppAS ).
2. For each vertex v ∈ lTj−1 (j), denote its label by (z (v) , π (v) , acc(v) ).
(λ,N,k)
3. Run the argument indexer (ipk, ivk) ← I(pp, RV,ϕ
(apk, dk, avk) ←
4. Output
). Run the accumulator indexer
(λ,N,k)
I(ppAS , pp, RV,ϕ ).
~ (avk, z (v) , acc(v) )v∈l
(~✐, ~①, ~π , aux) := R,
T
(λ,N,k)
~ is the vector (R
where R
V,ϕ
(λ,N,k)
, . . . , RV,ϕ
j−1
(v)
(j) , (π )v∈lT
j−1
(j) , (ϕ, Tj−1 )
) of the appropriate length.
Next let EP̃j be the extractor that corresponds to P̃j , via the knowledge soundness of the non-interactive
argument ARG. Finally the extractor Ej is defined as follows:
Ej (♣♣ = (pp, ppAS )):
1. Run the extractor (~✐, ~①, ~π , aux, ✇
~ ) ← EP̃j (pp, ppAS ).
2. Parse the auxiliary output aux as (ϕ, T′ ).
3. If T′ is not a transcript of depth j, abort.
4. Output (ϕ, Tj ) where Tj is the transcript constructed from T′ by doing the following for each
vertex v ∈ lT′ (j):
(v)
• obtain the local data zloc and input messages zi , πi , acci i∈[m] from ✇(v) ;
(v)
• append zloc to the label of v, and if there exists any zi with zi 6= ⊥, attach m children to v
where the i-th child is labeled with (zi , πi , acci ).
The extractor EP̃ runs (ϕ, Td ) ← Ed (urs) and outputs (ϕ, (π, acc), Td ), where (z, zloc , π, acc) labels the
root node.
We now show that EP̃ has polynomial size and that it outputs a transcript that is ϕ-compliant.
Size of the extractor. P̃j is a circuit of size |Ej−1 | + |I| + O(2j ), so EP̃j is a circuit of size e(|Ej−1 | +
|I| + O(2j )). Then |Ej | ≤ e(|Ej−1 | + |I| + c · 2j ) for some c ∈ N.
A solution to this recurrence (for e(n) ≥ n) is |Ej | ≤ e(j) (|P̃| + j · |I| + 2c · 2j ), where e(j) is the
function e iterated j times. Hence in particular if d(ϕ) is a constant, EP̃ is a circuit of polynomial size.
Correctness of the extractor. Suppose that P̃ causes V to accept with probability µ. We show by induction
that, for all j ∈ {0, . . . , d}, the transcript Tj output by Ej is ϕ-compliant up to depth j, and that for all v ∈ T,
both V(ivk, (avk, z (v) , acc(v) ), π (v) ) and D(dk, acc(v) ) accept, with probability µ − negl(λ).
For j = 0 the statement is implied by V accepting with probability µ.
Now suppose that Tj−1 ← Ej−1 is ϕ-compliant up to depth j−1, and that both V(ivk, (avk, z (v) , acc(v) ), π (v) )
and D(dk, acc(v) ) accept for all v ∈ Tj−1 , with probability µ − negl(λ).
Let (~✐, (avkv , z (v) , acc(v) )v , (π (v) )v , (ϕ, T′ ), ✇
~ ) ← EP̃j .
By knowledge soundness of ARG, with probability µ − negl(λ):
• for v ∈ lT′ (j), v is labeled with (z (v) , π (v) , acc(v) ) and avkv = avk where (apk, dk, avk) ← I(ppAS , Φ),
(λ,N,k)
• for every vertex v ∈ lT′ (j), (RV,ϕ , (avk, z (v) , acc(v) ), ✇(v) ) ∈ RR1CS , and
28
• by induction T′ is ϕ-compliant up to depth j − 1 and D(dk, acc(v) ) accepts for all v ∈ T′ .
Here we use the auxiliary output in the knowledge soundness definition of ARG to ensure consistency between
the values z (v) and T′ , and to ensure that T′ is ϕ-compliant.
(λ,N,k)
Consider some v ∈ lT′ (j). Since (RV,ϕ , (avkv , z (v) , acc(v) ), ✇(v) ) ∈ RR1CS , we obtain from ✇(v)
either
• local data zloc , input messages zi , πi , acci i∈[m] and proof πV such that ϕ(z (v) , zloc , z1 , . . . , zm ) accepts
m
(v)
and the accumulation verifier V(λ,N,k) (avk, [(avk, zi , acci ), πi ]m
i=1 , [acci ]i=1 , acc , πV ) accepts; or
(v)
• local data zloc such that ϕ(z , zloc , ⊥, . . . , ⊥) accepts.
(v)
In both cases we append zloc := zloc to the label of v. In the latter case, v has no children and so is ϕ-compliant
by the base case condition. In the former case we label the children of v with (zi , πi , acci ), and so v is ϕcompliant. Moreover, by the soundness of the accumulation scheme, since D(dk, acc(v) ) and the accumulation
(w)
(w)
(λ,N,k)
verifier accept, it holds that for all descendants w, D(dk, acc(w) ) accepts and ΦV (pp, RV,ϕ , (avk, zin , acc(w) ), πin ) =
(w)
(w)
V(ivk, (avk, zin , acc(w) ), πin ) accepts.
Hence by induction, (ϕ, π, T) ← E has ϕ-compliant T.
Since (ϕ, o(T), π) are “passed up” from P̃ via a series of d extractors, the distribution output by E is
statistically close to the output of P̃ by the knowledge soundness of ARG.
5.5
Zero knowledge
The simulator S operates as follows.
S(1λ ):
1. Generate (ppAS , τAS ) ← S(1λ ), and (pp, τ ) ← S(1λ ).
2. Output (♣♣ = (pp, ppAS ), (τ, τAS )).
S(♣♣ = (pp, ppAS ), ϕ, z, (τ, τAS )):
(λ,N,k)
1. Compute acc ← S(ppAS , pp, RV,ϕ , τAS ).
(λ,N,k)
2. Compute (apk, dk, avk) ← I(ppAS , (pp, RV,ϕ
)).
(λ,N,k)
S(pp, RV,ϕ , (avk, z, acc), τ ).
3. Compute π ←
4. Output (π, acc).
We consider the following sequence of hybrids.
• H0 : The original experiment.
• H1 : As H0 , but the public parameters pp and proof π are generated by the simulator S for ARG.
• H2 : As H1 , but the public parameters ppAS and accumulator acc is generated by the simulator S for AS.
Observe that if H0 and H2 are indistinguishable, then S witnesses the zero knowledge property for PCD.
Since A is honest (for PCD), by completeness of AS it induces an honest adversary for ARG, whence H0
and H1 are indistinguishable by the zero knowledge property of ARG. Note that since they are part of the
witness, the input and accumulator lists [qi ]ni=1 , [accj ]m
j=1 and verifier proof πV are not used in H1 . Hence,
since A induces an honest adversary for AS and the simulated pp is indistinguishable from pp ← G(1λ ),
H1 , H2 are indistinguishable by the zero knowledge property of AS. This establishes that H0 , H2 are
indistinguishable.
5.6
Post-quantum security
We consider post-quantum knowledge soundness and zero knowledge.
29
Knowledge soundness. In the quantum setting, P̃ is taken to be a polynomial-size quantum circuit; hence
also P̃j , EP̃j , Ej are quantum circuits for all j, as is the final extractor E. Our definition of knowledge
soundness is such that this proof then generalizes immediately to show security against quantum adversaries.
In particular, the only difficulty arising from quantum adversaries is that they can generate their own
randomness, whereas in the classical case we can force an adversary to behave deterministically by fixing its
randomness. This is accounted for by the distributional requirement placed on the extractor of the argument
system ARG.
Zero knowledge. From the argument in the preceding section it is clear that, by modifying the definitions
of zero knowledge as appropriate for the quantum setting, if ARG and AS both achieve post-quantum zero
knowledge, then so does PCD.
30
6 Accumulation schemes for non-interactive arguments
We formally restate and then prove Theorem 2, which provides a way to “lift” an accumulation scheme for
a predicate into an accumulation scheme for any non-interactive argument whose verifier is succinct when
given oracle access to that predicate. Below we define the notion of a predicate-efficient non-interactive
argument and then state the theorem that we prove.
Definition 6.1. Let ARG = (G, I, P, V) be a non-interactive argument, Φ◦ : U (∗) × ({0, 1}∗ )3 → {0, 1}
a predicate, and T, t : N × N → N. We say that ARG is (T, t)-predicate-efficient with respect to Φ◦ if the
following conditions hold.
• The index verification key ivk has the form (i◦ , ivkpe ).
• The verifier V is equivalent to the following decision procedure, for some oracle algorithm Vpe : compute
ρ
(b, Qi ) ← Vpe
(ivkpe , ①, π); output 1 if and only if (a) b = 1, and (b) for each q ∈ Qi , Φρ◦ (pp, i◦ , qi ) = 1.4
• Vpe runs in time T (N, k), and the number of queries t to Φ◦ equals t(N, k) for indices ✐ of size N and
instances ① of size k.
The following theorem shows that an accumulation scheme for (Φ◦ , G) implies an accumulation scheme
for (ΦV , G), where ΦV is as specified in Definition 4.1.
Theorem 6.2. Let ARG be a non-interactive argument that is (T, t)-predicate-efficient with respect to Φ◦ . If
(Φ◦ , G) has an accumulation scheme AS◦ , then ARG has an accumulation scheme ASARG with the efficiency
properties below.
• Generator: ASARG .Gρ (1λ ) takes time equal to AS◦ .Gρ (1λ ).
• Indexer: ASARG .Iρ (ppAS , pp, ✐) takes time equal to the time to run AS◦ .Iρ (pp
, i◦ ).
PAS
n
m ) runs in time
• Accumulation prover: ASARG .Pρ (apk, [(①i , πi )]ni=1 , [accP
]
j j=1
i=1 T (N, |①i |) plus the time
n
ρ
m
taken to run AS◦ .P (apk◦ , Q, [accj ]j=1 ), where |Q| = i=1 t(N, |①i |).
Pn
• Accumulation verifier: ASARG .Vρ (avk, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) runs in time
i=1 T (N, |①i |) plus
ρ
n
m
the time taken to run AS◦ .V (avk◦ , Q := ∪i=1 Qi , [accj ]j=1 , acc, πV ).
• Decider: ASARG .Dρ (dk, acc) takes time equal to AS◦ .Dρ (dk◦ , acc).
Moreover, if AS◦ is post-quantum secure, then so is ASARG , and if AS◦ is zero knowledge, so is ASARG .
The rest of this section is dedicated to proving Theorem 6.2: in Section 6.1 we describe the construction
of an accumulation scheme for the argument scheme, from which the stated efficiency properties are clear;
in Section 6.2 we argue completeness; in Section 6.3 we argue soundness; in Section 6.4 we argue zero
knowledge.
Remark 6.3 (efficiency for PCD). We briefly discuss the properties required of ARG and AS◦ so that,
applying Theorem 6.2, we obtain an accumulation scheme suitable for the PCD construction in Section 5.
Recall that Theorem 5.2 states that a PCD scheme can be obtained from any SNARK for circuit satisfiability
with an accumulation scheme whose accumulation verifier runs in time that is sub-linear in the size N of the
circuit. Hence ARG must be (T, t)-predicate-efficient for T, t = o(N ), and AS◦ .V must run in time o(N ). In
particular, since it is an input to AS◦ .V, the size of an accumulator acc for AS◦ must be o(N ). The number
of inputs n and accumulators m are both equal to the arity of the compliance predicate and may be regarded
as constant. There is no restriction on the running time of AS◦ .D.
Remark 6.4. Definition 6.1 (and hence Theorem 6.2) restricts V’s access to Φ◦ : V must reject if any of its
queries to Φ◦ are answered with 0. In particular, the queries of V to Φ◦ are non-adaptive. This is necessary so
that the accumulator does not grow with the number of accumulated queries.
4
Here we assume for simplicity that the public parameters for Φ◦ are the same as those for V.
31
6.1
Construction
We construct the accumulation scheme ASARG for (ΦV , HARG ) (specified in Definition 4.1). The efficiency
properties stated in Theorem 6.2 follow from the construction below.
Data structures. An accumulator acc for ASARG is the accumulator for the underlying accumulation scheme
AS◦ .
Generator. On input the security parameter λ (in unary), ASARG .G samples public parameters pp ←
AS◦ .Gρ (1λ ) for the accumulation scheme for (Φ◦ , H◦ ), and outputs pp.
Indexer. On input public parameters ppAS , succinct argument parameters pp and index ✐, ASARG .I computes
index keys (ipk, ivk = (i◦ , ivkpe )) ← I(pp, ✐) and accumulation keys (apk◦ , avk◦ , dk◦ ) ← AS◦ .Iρ (pp, i◦ ),
and outputs the accumulation keys (apk, avk, dk) := (apk◦ , ivkpe ), (avk◦ , ivkpe ), dk◦ .
Accumulation prover. On input the accumulator proving key apk = (apk◦ , ivkpe ), instance-proof pairs
[(①i , πi )]ni=1 , and old accumulators [accj ]m
j=1 , ASARG .P computes a new accumulator acc and proof πV as
ρ
follows: for each i ∈ [n], compute (bi , Qi ) ← Vpe
(ivkpe , ①i , πi ); then output the new accumulator and proof
(acc, πV ) ← AS◦ .Pρ (apk◦ , ∪ni=1 Qi , [accj ]m
).
j=1
Accumulation verifier. On input the accumulation verification key avk = (avk◦ , ivkpe ), instance-proof
pairs [(①i , πi )]ni=1 , old accumulators [accj ]m
j=1 , the new accumulator acc, and a proof πV , ASARG .V works as
ρ
follows. For each i ∈ [n], compute (bi , Qi ) ← Vpe
(ivkpe , ①i , πi ), and check that bi = 1, and then accept if
ρ
the new accumulator is valid, i.e., AS◦ .V (avk◦ , Q := ∪ni=1 Qi , [accj ]m
j=1 , acc, πV ) = 1.
Decider. On input decision key dk = dk◦ and accumulator acc, ASARG .D accepts if AS◦ .Dρ (dk◦ , acc) = 1.
6.2
Completeness
Let A be a (possibly inefficient) adversary that breaks the completeness of the accumulation scheme ASARG
for (ΦV , G) in Section 6.1. That is, the following probability is non-zero:
Pr
ρ ← U(λ)
ppAS ← ASARG .Gρ (1λ )
pp ← G ρ (1λ )
n
m
(✐, [(①i , πi )]i=1 , [accj ]j=1 ) ← Aρ (ppAS , pp)
(apk, avk, dk) ←ASARG .Iρ (ppAS , pp, ✐)
apk [(①i , πi )]ni=1
(acc, πV ) ← ASARG .Pρ
[accj ]m
j=1
∀ j ∈ [m], ASARG .Dρ (dk, accj) = 1
∀ i ∈ [n], ΦρV pp, ✐, (①i , πi ) = 1
w
6
n
avk
[(
①
,
π
[accj ]m
i
i )]i=1
j=1
ρ
=1
ASARG .V
acc πV
ASARG .Dρ (dk, acc) = 1
. (3)
We will use A to construct adversary B that breaks the completeness of the accumulation scheme AS◦ for
(Φ◦ , G). That is, B makes the following probability nonzero:
Pr
∀ j ∈ [m], AS◦ .Dρ (pp◦ , dk◦ , accj ) = 1
∀ i ∈ [n], Φρ◦ (pp, i◦ , qi ) = 1
w
6
avk◦ [qi ]ni=1 [accj ]m
j=1
=1
AS◦ .Vρ
acc πV
AS◦ .Dρ (dk◦ , acc) = 1
We define the adversary B to operate as follows.
32
ρ ← U(λ)
pp◦ ← AS◦ .Gρ (1λ )
pp ← G ρ (1λ )
n
m
(i◦ , [qi ]i=1 , [accj ]j=1 ) ← B ρ (pp◦ , pp)
ρ
(apk◦ , avk◦ , dk◦ ) ← AS
i◦)
◦ .I (pp◦ , pp,
[qi ]ni=1
ρ apk◦
(acc, πV ) ← AS◦ .P
[accj ]m
j=1
.
(4)
B ρ (pp◦ , pp):
ρ
1. Compute (✐, [(①i , πi )]ni=1 , [accj ]m
j=1 ) ← A (ppAS = pp◦ , pp).
2. Compute (ipk, ivk = (i◦ , ivkpe )) ← I ρ (pp, ✐).
ρ
3. For each i ∈ [n], compute (bi , Qi ) ← Vpe
(ivkpe , ①i , πi ).
n
4. Set Q := ∪i=1 Qi and output (i◦ , Q, [accj ]m
j=1 ).
By construction, the distribution of ρ, ppAS and pp are identical in both experiments, and hence so is the
output of A. It remains to show that for every fixed choice of these variables, the implication in Eq. (4) does
not hold. We first use Eq. (3) to argue that the premises of the implication in Eq. (4) are satisfied:
• For each j ∈ [m], we know that AS◦ .Dρ (dk◦ , accj ) = 1 because ASARG .Dρ (dk, accj ) = 1, and so the
corresponding condition in Eq. (4) is satisfied.
• For each i ∈ [n], ΦρV pp, ✐, (①i , πi ) = 1. This means that V ρ (ivk, ①i , πi ) = 1, which in turn implies that
ρ
Vpe
(ivkpe , ①i , πi ) = (1, Qi ) and, for each query q ∈ Qi , the predicate Φρ◦ (pp, i◦ , q) = 1. Hence, for each
q ∈ Q = ∪ni=1 Qi , Φρ◦ (pp, i◦ , q) = 1.
ρ
We are now left to show that at least one of AS◦ .Vρ (avk◦ , ∪ni=1 Qi , [accj ]m
j=1 , acc, πV ) or AS◦ .D (dk◦ , acc)
rejects. We do this by considering each case.
• By construction, AS◦ .Dρ (dk◦ , acc) rejects if and only if ASARG .Dρ (dk, acc) rejects.
• By construction, ASARG .Vρ (avk, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) rejects if at least one of the following
conditions is satisfied:
ρ
– For some i ∈ [n], Vpe rejects: Vpe
(ivkpe , ①i , πi ) = (0, Qi ).
ρ
– AS◦ .V rejects: AS◦ .V (avk◦ , Q = ∪ni=1 Qi , [accj ]m
j=1 , acc, πV ) = 0.
ρ
However, because ΦV pp, ✐, (①i , πi ) = 1, we know that Vpe accepts. Hence, if ASARG .V rejects, it must
be because AS◦ .V also rejects.
Together, these cases imply that:
ρ
ASARG .Vρ (avk, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) = 0 ∨ ASARG .D (dk, acc) = 0
⇓
AS◦ .V
ρ
(avk◦ , Q, [accj ]m
j=1 , acc, πV )
= 0 ∨ AS◦ .Dρ (dk◦ , acc) = 0 .
Thus if A breaks completeness of the accumulation scheme ASARG for (ΦV , HARG ) then B breaks completeness
of the accumulation scheme AS◦ for (Φ◦ , H◦ ) (a contradiction).
6.3
Soundness
Let A be an efficient adversary that breaks the soundness of the accumulation scheme ASARG for (ΦV , G).
This means that the following probability is non-negligible:
[(①i , πi )]ni=1 [accj ]m
j=1
ASARG .V
acc πV
ASARG .Dρ (dk, acc) = 1
Pr
6⇓
∀ j ∈ [m], ASARG .Dρ (dk, accj ) = 1
∀ i ∈ [n], ΦρV pp, ✐, (①i , πi ) = 1
ρ
avk
=1
33
✐
ρ ← U (λ)
ppAS ← ASARG .Gρ (1λ )
pp ← G ρ (1λ )
.
[(①i , πi )]ni=1 [accj ]m
j=1
← Aρ (ppAS , pp)
acc πV
ρ
(apk, avk, dk) ← ASARG .I (ppAS , pp, ✐)
(5)
We will use A to construct an adversary B that breaks the soundness of the accumulation scheme AS◦ for
(Φ◦ , G). That is, B makes the following probability non-negligible:
Pr
AS◦ .Vρ (avk◦ , [qi ]ni=1 , [accj ]m
j=1 , acc, πV ) = 1
AS◦ .Dρ (dk◦ , acc) = 1
6⇓
∀ j ∈ [m], AS◦ .Dρ (dk◦ , accj ) = 1
∀ i ∈ [n], Φρ (pp, i◦ , qi ) = 1
We define the adversary B to operate as follows.
i◦
ρ ← U(λ)
pp◦ ← AS◦ .Gρ (1λ )
ρ λ
pp ← G (1 )
.
m
n
[qi ]i=1 [accj ]j=1
← B ρ (pp◦ , pp)
acc πV
ρ
(apk◦ , avk◦ , dk◦ ) ← AS◦ .I (pp◦ , i◦ )
(6)
B ρ (pp◦ , pp):
ρ
1. Compute (✐, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) ← A (ppAS = pp◦ , pp).
ρ
2. For each i ∈ [n], compute (bi , Qi ) ← Vpe (ivkpe , ①i , πi ).
3. Set Q := ∪ni=1 Qi and output (Q, [accj ]m
j=1 , i◦ , acc, πV ).
By construction, the distribution of ρ, ppAS , and pp are identical in both experiments, and hence so is the
output of A. It remains to show that for every fixed choice of these variables, the implication in Eq. (6) does
not hold. We start by using Eq. (5) to argue that the premises of the implication in Eq. (6) are satisfied:
• By construction, AS◦ .Dρ (dk◦ , acc) = ASARG .Dρ (dk, acc).
• By construction of V, we know that if ASARG .Vρ (avk, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) accepts, then
ρ
n
m
AS◦ .V (apk◦ , Q := ∪i=1 Qi , [accj ]j=1 , acc, πV ) also accepts.
We are now left to show that at least one of the following occurs: (a) for some j ∈ [m], AS◦ .Dρ (dk◦ , accj )
rejects, or (b) for some q ∈ Q, Φρ◦ (pp, i◦ , q) = 0.
• By construction, ASARG .Dρ (dk, accj ) = 0 for some j ∈ [m] implies that AS◦ .Dρ (dk◦ , accj ) = 0.
ρ
• We know that ASARG .Vρ (avk, [(①i , πi )]ni=1 , [accj ]m
j=1 , acc, πV ) = 1. Hence, for each i ∈ [n], Vpe (ivkpe , ①i , πi )
accepts and outputs
does exist k ∈ [n] such that
a query set Qi . This in turn implies that if there
ρ
ρ
ΦV pp, ✐, (①k , πk ) rejects, then there exists q ∈ Qk ⊆ Q such that Φ◦ (pp, i◦ , q) = 0.
Together, these cases imply that
∃ j ∈ [m] s.t. ASARG .Dρ (dk, accj ) = 0 ∨ ∃ i ∈ [n] s.t. ΦρV pp, ✐, (①i , πi ) = 0
⇓
ρ
∃ j ∈ [m] s.t. AS◦ .D (dk◦ , accj ) = 0 ∨ ∃ q ∈ Q s.t. Φρ◦ (pp, i◦ , q) = 0
Hence B break the soundness of AS◦ whenever A breaks the soundness of ASARG .
Post-quantum security. Note that the soundness argument applies equally to quantum adversaries A, and
so if AS◦ is post-quantum secure, then so is ASARG .
6.4
Zero knowledge
We construct the simulator SARG for ASARG using the simulator S◦ for AS◦ . The first stage of SARG is identical
to S◦ : SARG (1λ ) = S◦ (1λ ). The second stage is as follows.
SARG (pp, τ, ✐):
1. Run (ipk, ivk = (i◦ , ivkpe )) ← I ρ (pp, ✐).
2. Output (acc, µ) ← S◦ (pp, τ, i◦ ).
34
For an “honest” adversary A for ASARG , the adversary B described in Section 6.2 is an “honest” adversary for
AS◦ . Moreover, the “view” of S◦ is the same when SARG is interacting with A as when S◦ is interacting directly
with B. Hence, the zero knowledge property of AS◦ ensures that the output of SARG is indistinguishable from
that in the honest case.
Post-quantum security. We simply observe that this argument also implies that quantum computational
indistinguishability is preserved, and continues to hold when A is a quantum circuit.
35
7 Accumulating polynomial commitments based on discrete logarithms
We construct an accumulation scheme for PCDL , a polynomial commitment scheme that is inspired from
several prior works [BCCGP16; BBBPWM18; WTSTW18], and which we describe in Appendix A.
The scheme PCDL is secure in the random oracle model assuming hardness of the discrete logarithm
problem, and has the attractive feature that evaluation proofs are O(log d) elements in G, where d is the
degree of the committed polynomial. However, PCDL has the drawback that checking an evaluation proof
requires O(d) scalar multiplications in G.
Our accumulation scheme for PCDL , which is based on the batching ideas of [BGH19], enables deferring
the expensive check to the decider: the accumulation verifier V only requires O(log d) scalar multiplications
per accumulation, while the decider D requires O(d) scalar multiplications. Hence, checking n evaluation
proofs requires a total of O(n log d + d) scalar multiplications, as opposed to Ω(n · d) for the naive approach.
Theorem 7.1. If PCDL described in Appendix A is a polynomial commitment scheme then the tuple AS =
(G, I, P, V, D) constructed in Section 7.1 is a zero-knowledge accumulation scheme in the random oracle
model for PCDL . AS achieves the following efficiency:
• Generator: G(1λ ) runs in time O(λ).
• Indexer: I(pp, iΦ ) runs in time Oλ (d).
• Accumulation prover: The time of Pρ (apk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 ) is dominated by the time to
perform O(n + m + d) scalar multiplications in G.
• Accumulator size: The output accumulator is a polynomial commitment consisting of one element in G
plus an evaluation proof consisting of O(log d) elements in G.
• Accumulation proof size: The accumulation proof πV consists of two elements in Fq and one element in G.
• Accumulation verifier: The time of Vρ (avk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 , acc) is dominated by the
time to perform O((n + m) · log d) scalar multiplications in G.
• Decider: The time of Dρ (dk, acc) is dominated by the time to perform O(d) scalar multiplications in G.
Recall that obtaining an accumulation scheme for a polynomial commitment scheme entails obtaining an
accumulation scheme for the pair (ΦPC , HPC,D ) specified in Definition 4.2.
We remark that Theorem 7.1 considers the special case of accumulating claims about a single degree
bound (when the input to PCDL .Trim is a singleton). We leave the case of multiple degree bounds to future
work (and believe that the degree enforcement techniques in [CHMMVW20] would work in this setting).
7.1
Construction
We present our accumulation scheme AS for PCDL . Recall that the definition of an accumulation scheme requires simultaneous accumulation of previous accumulators and of new instances. In AS below, accumulators
and instances are both evaluation proofs for openings of committed polynomials. That is, an accumulator acc
and an instance q are both of the form ((C, d, z, v), π). Furthermore, the predicate ΦPC (from Definition 4.2)
and the accumulation decider D are identical, and so there is no distinction between new instances and
previous accumulators. Below, we exploit this to simplify exposition by accumulating only instances.
Our construction below uses algorithms from PCDL defined in Appendix A. In particular, we use the
subroutine PCDL .SuccinctCheck (see Figure 2) which is the “succinct” part of PCDL .Check.
Note that the algorithms of both AS and PCDL use random oracles. For security, we must ensure that
the random oracle used by the algorithms of PCDL differs from that used by the algorithms of AS. We do
so by relying on domain separation: we derive two different random oracles ρ0 (·) := ρ(0k·) (for PCDL ) and
36
ρ1 (·) := ρ(1k·) (for AS) from the common random oracle ρ. Below, as in the rest of the paper, we use [n] to
specifically denote the set of integers {1, . . . , n}. We highlight in blue the parts of the construction that are
only necessary to make the accumulator zero-knowledge. If zero-knowledge is not required these parts can
be dropped without affecting soundness.
Generator. On input a security parameter 1λ , the generator G outputs 1λ .
Indexer. On input the accumulator parameters ppAS , the PCDL public parameters ppPC , and a predicate index iΦ = D, the indexer I proceeds as follows. Compute the committer and receiver keys
(ckPC , rkPC ) := PCDL .Trim(ppPC , D). Parse ckPC as a tuple (ck, H), and ck as (hgroupi, hk, S). Addi(1)
tionally, compute the committer key for committing to linear polynomials: ckPC := PCDL .Trim(ppPC , 1). Set
(1)
rk := (hgroupi, S, H, D), avk := (rk, ckPC ), and output the accumulator proving key apk := (ckPC , avk),
the accumulator verification key avk, and decision key dk := rkPC .
Common subroutine. The accumulation prover and verifier share a common subroutine, described below.
T ρ (avk, [qi ]ni=1 , πV ):
(1)
1. Parse avk as (rk, ckPC ), and rk as (hgroupi = (G, q, G), S, H, D).
2. For each i ∈ [n]:
(a) Parse qi as a tuple ((Ci , di , zi , vi ), πi ).
(b) Compute (hi (X), Ui ) := PCDL .SuccinctCheckρ0 (rk, Ci , zi , vi , πi ) (see Figure 2).
3. For each i in [n], check that di = D. (We accumulate only the degree bound D.)
4. Parse πV as (h0 , U0 , ω), where h0 (X) = aX + b ∈ Fq [X], U0 ∈ G, and ω ∈ Fq .
(1)
5. Check that U0 is a deterministic commitment to h0 : U0 = PCDL .Commitρ0 (ckPC , h; ω = ⊥).
n
6. Compute the challenge α := P
ρ1 ([hi , Ui ]i=0 ) ∈ Fq .
7. Set the polynomial h(X) := ni=0 αi hi (X) ∈P
Fq [X].
8. Compute the accumulated commitment C := ni=0 αi Ui .
9. Compute the challenge z := ρ1 (C, h) ∈ Fq .
10. Randomize C: C̄ := C + ωS ∈ G.
11. Output (C̄, d, z, h(X)).
Accumulation prover. On input the accumulator proving key apk = (ckPC , avk), and new inputs [qi ]ni=1 ,
the accumulation prover P proceeds as follows. Sample a random linear polynomial h0 ∈ Fq [X] and
then compute a deterministic commitment to h0 : U0 := PCDL .Commitρ0 (ckPC , h0 , d; ω = ⊥). Sample
commitment randomness ω ∈ Fq , and set πV := (h0 , U0 , ω). Then, compute the tuple (C, d, z, h(X)) :=
T ρ (avk, [qi ]ni=1 , πV ). Compute the evaluation v := h(z), and generate the hiding evaluation proof π :=
PCDL .Openρ0 (ckPC , h(X), C̄, d, z; ω). Finally, output the accumulator acc = ((C̄, d, z, v), π) and the
accumulation proof πV .
Accumulation verifier. On input the accumulator verification key avk, new inputs [qi ]ni=1 , and a new accumulator acc = ((C̄, d, z, v), π), the accumulation verifier V computes (C̄ ′ , d′ , z ′ , h(X)) := T ρ (avk, [qi ]ni=1 , πV ),
and checks that C̄ ′ = C̄, d′ = d, z ′ = z, and h(z) = v.
Decider. On input dk = rkPC and acc = ((C̄, d, z, v), π), the decider D outputs PCDL .Checkρ0 (rkPC , C, d, z, v, π).
7.2
Proof of Theorem 7.1
Recall that when the commitment randomness ω is ⊥, PCDL .Commit is a deterministic function of ck and the
committed polynomial. Below we will write “A is a commitment to p” when A = PCDL .Commit(ck, p; ω =
37
⊥) (and “A is not a commitment to p” when A 6= PCDL .Commit(ck, p; ω = ⊥)); the value of ck will be
clear from context (and is also equal to rk).
To simplify our proofs below, we note that both instances and accumulators have the same form: they
consist of claims about the correct evaluation of a committed polynomial. Note also that both the predicate
ΦPC and the decider D check the same condition: that the claim of correct evaluation holds. This observation
allows us to simplify our definitions of both completeness and soundness to only consider the accumulation
of instances, and to omit old accumulators.
Completeness. We can consider the following simplified definition of completeness: for all (unbounded)
adversaries A1 , A2 , the following holds:
ρ ← U(λ)
ρ
∀ i ∈ [n], ΦPC (ppPC , iΦ , qi ) = 1
pp ← Gρ (1λ )
ρ
⇓
ppPC ← HPC,D
(1λ )
=1 .
Pr
(iΦ , [qi ]ni=1 ) ← Aρ (pp, ppPC )
Vρ (avk, [qi ]ni=1 , acc, πV ) = 1
(apk, avk, dk) ← Iρ (pp, ppPC , iΦ )
Dρ (dk, acc) = 1
(acc, πV ) ← Pρ (apk, [qi ]ni=1 )
We prove this directly.
First, since for each i ∈ [n] we have ΦρPC (ppPC , iΦ , qi ) = 1, we know that PCDL .Checkρ0 (rk, Ci , di , zi , vi , πi ) =
1, where qi = ((Ci , di , zi , vi ), πi ). This in turn means that:
• PCDL .SuccinctCheckρ0 (hgroupi, Ci , di , zi , vi , πi ) accepts and outputs (hi , Ui ); and that
• Ui is a commitment to the polynomial hi .
Next, since the new accumulator acc and the accumulation proof πV are generated honestly (i.e., (acc =
((C̄, d, z, v), π), πV = (h0 , U0 , ω)) = Pρ (apk, [qi ]ni=1 )), the following statements hold:
P
P
• The commitment C equals the linear combination ni=0 αi Ui , so C is a commitment to h = ni=0 αi hi ,
and C̄ is a commitment to h under the randomness ω (as each Ui is a commitment to the polynomial hi ,
and PCDL is a homomorphic commitment scheme).
• The evaluation of h at z equals v (i.e., v = h(z)).
• π = PCDL .Openρ0 (ck, h(X), C̄, d, z; ω) is an honestly-generated proof of a true statement.
Together, these points imply that:
1. The accumulation verifier accepts. Recall that the accumulation verifier V: (a) runs the same subroutine
T that the prover P runs, and checks that the output matches the one in the claimed (honest) accumulator;
and (b) checks that v = h(z). Both of these checks pass because the accumulation prover is honest.
2. The decider accepts. We know that v = h(z), C̄ is a commitment to h under randomness ω, and that π is
an honestly-generated proof that C̄ commits to a polynomial which evaluates to v at z. By completeness
of PCDL , D accepts.
We conclude that the accumulation scheme AS constructed in Section 7.1 is complete.
Soundness. Similarly to the completeness case, we consider a simplified version of the definition of
soundness in Section 4. This simpler definition requires that the following probability is negligible for every
38
polynomial-size adversary A:
Vρ (avk, [qi ]ni=1 , acc, πV ) = 1
Dρ (dk, acc) = 1
Pr
∧
ρ
∃ i ∈ [n], ΦPC (ppPC , iΦ , qi ) = 0
ρ ← U(λ)
pp ← Gρ (1λ )
ρ
ppPC ← HPC,D
(1λ )
n
ρ
(iΦ , [qi ]i=1 , acc, πV ) ← A (pp, ppPC )
(apk, avk, dk) ← Iρ (pp, ppPC , iΦ )
.
(7)
Fix a polynomial-size adversary A and degree bound D, and denote by δ the above probability for these
choices. We will construct an adversary for the zero-finding game in Lemma 3.3 that wins with probability
δ/2 − negl(λ), from which it follows that δ is negligible (since q is superpolynomial in λ).
We first describe the commitment schemes CM1 , CM2 used in the zero-finding games. Both schemes
have common setup and trimming algorithms, and public parameters pp equal to the public parameters of
PCDL with maximum degree L. The message space Mpp for CM1 consists of tuples (p, h), where p and h
are univariate polynomials of degree at most L. Note that h is uniquely represented by ([hi ]ni=0 , α), where
each hi is a univariate polynomial of degree L, and α ∈ Fq . The message space Mpp for CM2 consists of
lists of pairs [(hi , Ui )]ni=0 , where each hi is a univariate polynomial of degree at most L, and each Ui is a
group element.
CMj .Setupρ0 (1λ , L): Output pp ← PCDL .Setupρ0 (1λ , L).
CMj .Trimρ0 (pp, n, N ):
1. Compute (ck0 , rk0 ) ← PCDL .Trimρ0 (pp, N ).
2. Output ck := (ck0 , n).
CM1 .Commit(ck = (ck0 , n), p = (p, h); r):
1. Commit to p: C ← PCDL .Commit(ck0 , p; ω = ⊥).
2. Output (C, h).
CM2 .Commit(ck, p = ([(hi , Ui )]ni=0 ); r): Output p.
(1)
(2)
Both commitment schemes are binding. It remains to specify the families of functions {fpp }pp ,{fpp }pp that
P
(1)
we use in the respective zero-finding games. We define fpp (p, h = ([hi ]ni=0 , α)) := p − ni=0 αi hi , and
(2)
fpp (p = ([(hi , Ui )]ni=0 )):
1. Construct the key pair (ck0 , rk0 ) := PCDL .Trim(ppPC , deg(h1 )).
2. For each i ∈ {0, . . . , n}, construct a PCDL commitment to hi : Bi ← PCDL .Commit(ck0 , hi ; ⊥).
3. For each i ∈ {0, . . . , n}, compute
Pani ∈ Fq such that ai G = Ui − Bi .
4. Output the polynomial a(Z) := i=0 ai Z i .
We next describe an adversary C against PCDL , which simply runs the soundness experiment for the
accumulation scheme and outputs acc as output by A. For convenience we also have C output [qi ]ni=1 and
πV ; this will be ignored by the extractor.
C ρ (ppPC ):
1. Set AS public parameters ppAS := 1λ .
2. Compute (iΦ , [qi ]ni=1 , acc, πV ) ← Aρ (ppAS , ppPC ).
39
3. Parse iΦ as the degree bound N .
4. Output (N, acc = ((C̄, d, z, v), π); [qi ]ni=1 , πV ).
We use the extractor EC corresponding to C to construct adversaries B1 , B2 for zero-finding games against
(1)
(2)
(CM1 , {fpp }pp ), (CM2 , {fpp }pp ) respectively, with L = D where D = poly(λ) is the maximum degree
parameter as in the soundness experiment for the accumulation scheme.
Bjρ (pp):
1. Compute (N, acc, [qi ]ni=1 , πV ) ← C ρ (pp).
n
2. Parse [qi ]ni=1 as [((Ci , di , zi , vi ), πi )]i=1 , and πV as (h0 , U0 , ω).
ρ
3. Compute p ← EC (pp).
4. For each i ∈ [n], obtain hi and Ui from πi .
5. Compute α := ρ1 ([(hi , Ui )]ni=0 ).
6. If j = 1, output ((n, N ), (p, h := ([hi ]ni=0 , α))). If j = 2, output ((n, N ), ([(hi , Ui )]ni=0 )).
We show that either B1 or B2 wins its respective zero-finding game with probability at least δ/2 − negl(λ).
Since D accepts with probability δ, and by the extraction property of PCDL , the following holds with
probability at least δ − negl(λ): EC outputs a polynomial p such that C̄ is a commitment to p with randomness
ω (and so C is a deterministic commitment to p), p(z) = v, and deg(p) ≤ d; and, moreover, (acc, [qi ]ni=1 , πV )
satisfies the left-hand side of Eq. (7). This latter point implies that, parsing qi as ((Ci , di , zi , vi ), πi ) and
letting (hi , Ui ) := PCDL .SuccinctCheckρ0 (rk, Ci , di , zi , vi , πi ):
• Since Vρ (avk, [qi ]ni=1 , acc, πV ) accepts, the following are true: (a) for each i ∈ [n], PCDL .SuccinctCheck
accepts; (b) U0 is a commitment to h0 ; andP
(c) parsing acc as ((C,Pd, z, v), π) and setting α := ρ1 ([hi , Ui ]ni=0 ),
n
we have that z = ρ1 (C, [hi ]i=0 , α), C = ni=0 αi Ui , and v = ni=0 αi hi (z).
• For some i ∈ [n], ΦρPC (ppPC , iΦ , qi ) = PCDL .Checkρ0 (rk, (Ci , di , zi , vi ), πi ) = 0. By construction (see
Appendix A.2), this implies that either PCDL .SuccinctCheck rejects, or the group element Ui is not a
commitment to hi .
The above tells us that there exists some i ∈ [n] such that Ui is not a commitment to hi . In other words, if we
define Bi := PCDL .Commit(ck, hi ), then there exists an i ∈ [n]
P such that Ui 6= Bi . Letting ai ∈ Fq be such
that ai G = Ui − Bi , we deduce that the polynomial a(Z) = ni=0 ai Z i is not identically zero.
There are then two cases.
Pn
i
1. C 6=
i=0 α Bi . Then since C is a commitment to p, p(X) − h(X) is not identically zero, but
(1)
p(z) = v = h(z). Hence B1 wins the zero-finding game against (CM1 , {fpp }pp ).
P
P
2. C = ni=0 αi Bi . Then since C = ni=0 αi Ui , α is a zero of the polynomial a(Z). Hence B2 wins the
(2)
zero-finding game against (CM2 , {fpp }pp ).
Since at least one of these two cases occurs with probability at least δ/2 − negl(λ), the claim follows.
Zero knowledge. We show that if PCDL is hiding, then AS is zero knowledge. We do so by constructing an
efficient simulator S for AS from the simulator S for PCDL . During the setup phase, Sρ (1λ ) outputs pp ←
Gρ (1λ ). Then, during the proving phase, Sρ (pp, τ, iΦ ): (a) samples a random polynomial s(X) ∈ F≤d
q [X] and
an evaluation point z ∈ Fq ; (b) computes a simulated commitment for s: C ← S.Commitρ0 (trap := pp, d);
(c) computes a simulated evaluation proof: (µ, π) ← S.Openρ0 (z, v := s(z)); and (d) outputs (µ, acc :=
((C, d, z, v), π)). (Note that for PCDL , the simulation trapdoor just equals the PCDL public parameters pp.)
40
First, the hiding property of PCDL ensures that the programmed random oracle is indistinguishable from
an honestly sampled random oracle. Next, the simulated public parameters are identical to the honest ones,
and so the output of the setup phase is identically distributed in both cases.
We are left to argue that the accumulators are computationally indistinguishable. First, in both cases, since
PCDL is hiding, then the commitments are indistinguishable. Next, in the honest case, the evaluation point z
is the evaluation of the random oracle on input (C, h) where h is unpredictable; hence it is indistinguishable
from random. Since h0 is chosen at random, h(z) is identically distributed to s(z). Finally, because PCDL is
hiding, then the evaluation proofs are indistinguishable. Thus, the simulated accumulator is indistinguishable
from the honest accumulator, and so AS is zero knowledge.
Efficiency. We now analyze the efficiency of our accumulation scheme.
• Generator: Gρ (1λ ) outputs 1λ , and hence takes O(λ) time.
• Indexer: Iρ (pp, ppPC , iΦ ) runs PCDL .Trim and outputs (apk, dk) := (ck, rk), which have size Oλ (d), and
also avk, which has size Oλ (1). This takes time Oλ (d).
• Accumulation prover: The time of Pρ (apk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 ) is dominated by running
PCDL .Open, which uses 3d scalar multiplications for each i, for a total of 3d · n scalar multiplications.
• Accumulator size: The accumulator acc consists of an evaluation claim and a proof. The total size is
2 log2 (d) + 1 elements in G (2 log2 (d) group elements for the proof and 1 for the commitment) and a
constant number of field elements.
• Accumulation proof size: The accumulation proof πV consists of a linear polynomial h0 which can be
represented in two elements in Fq , and a commitment U0 , which is an element of G.
• Accumulation verifier: Vρ (avk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 , acc) runs PCDL .SuccinctCheck as a
subroutine, which requires (2 log2 (d) + 2) scalar multiplications per iteration among n iterations. (Note
that h is succinctly represented, and can be evaluated in O(log d) field operations).
• Decider: Dρ (dk, acc) runs PCDL .Check, which requires uses O(d) scalar multiplications.
41
8 Accumulating polynomial commitments based on bilinear groups
We construct an accumulation scheme for the pairing-based polynomial commitment scheme PCAGM [KZG10;
CHMMVW20]. The main feature of our accumulation scheme is that, while invoking PCAGM .Check to check
n evaluation proofs requires O(n) pairings, verifying an accumulation of these proofs is much cheaper: it
requires only O(n) scalar multiplications in G1 to run the accumulation scheme verifier V, plus one pairing
to run the decider D. In more detail, we prove the following theorem.
Theorem 8.1. The tuple AS = (G, I, P, V, D) constructed in Section 8.1 is a zero knowledge accumulation
scheme in the random oracle model for the polynomial commitment scheme PCAGM described in Fig. 1. AS
achieves the following efficiency:
• Generator: Gρ (1λ ) runs in poly(λ) time.
• Indexer: Iρ (pp, iΦ ) runs in poly(λ) time.
• Accumulation prover: The time of Pρ (apk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 ) is dominated by the time to
perform O(n + m) scalar multiplications in G1 .
• Accumulator size: The accumulator acc consists of two elements in G1 .
• Accumulation proof size: The accumulation proof πV consists of two elements in G1 .
• Accumulation verifier: The time of Vρ (avk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 , acc, πV ) is dominated by
the time to perform O(n + m) scalar multiplications in G1 .
• Decider: The time of Dρ (dk, acc) is dominated by the time to perform 1 pairing.
We proceed as follows: in Section 8.1 we describe our accumulation scheme; and then in Section 8.2 we
prove that it fulfills Theorem 8.1. Recall that obtaining an accumulation scheme for a polynomial commitment
scheme involves obtaining an accumulation scheme for the pair (ΦPC , HPC,D ) specified in Definition 4.2.
Throughout, we highlight in blue the parts of PCAGM used for the hiding property, and the corresponding
parts of our accumulation scheme dealing with these; they can be dropped if no hiding is used for PCAGM .
8.1
Construction
The algorithms of PCAGM and of AS use random oracles, but for security they have to be distinct. For
this we use domain separation: we derive two different random oracles ρ0 (·) := ρ(0k·) (for PCAGM ) and
ρ1 (·) := ρ(1k·) (for AS) from the common random oracle ρ that all algorithms have access to.
Generator. On input a security parameter λ (written in unary), G outputs 1λ .
Indexer. On input the accumulator parameters ppAS , the PCAGM public parameters ppPC , and a predicate
index iΦ = [di ]ni=1 , the indexer I computes the receiver key rk the same way as PCAGM .Trim, and outputs
(apk, avk, dk) := (rk, rk, rk).
The accumulation prover and the accumulation verifier both rely on the following common subroutine:
ComputeAccρ (avk, [qi ]ni=1 , [accj ]m
j=1 , πV ):
n
1. Parse [qi ]ni=1 as [((Ci , di , zi , vi ), πi )]i=1 .
2. Parse πV as (sβG, sG).
3. Obtain the supported degree bounds d from apk = rk.
4. For each i ∈ [n],
(a) Check that di ∈ d.
(b) Parse the commitment Ci as a tuple (Ui , Si ) ∈ G21 .
(c) Generate the i-th opening challenge ξi := ρ0 (rk, di , Ci , zi , vi ) ∈ Fq .
42
(d) Parse the proof πi as (Wi , v̄i ).
5. For each j ∈ [m], parse the j-th old accumulator accj as a tuple (Cj⋆ , πj⋆ ) ∈ G21 .
6. Compute the new accumulation challenge r ∈ Fq as
n
r := ρ1 (rk, [((Ci , di , zi , vi ), πi )]i=1 , [accj ]m
j=1 , πV ) .
7. Accumulate commitments
Pn and proofs as follows:
i
(a) Compute C := i=1 ri−1 ((Ui − vi G) + ξi (Si − vi β D−d
− v̄i γG + zi Wi ).
PG)
m
⋆
(b) Accumulate old accumulated commitments: C := C + j=1 rn+j−1 Cj⋆ + rn+m · sβG.
Pn
Pm
(c) Accumulate all old and new proofs: π ⋆ := i=1 ri−1 Wi + j=1 rn+j−1 πj⋆ + rn+m · sG.
8. Output the new accumulator acc := (C ⋆ , π ⋆ ).
Accumulation prover. On input the accumulator proving key apk, new inputs [qi ]ni=1 , and old accumulators [accj ]m
j=1 , P computes a new accumulator acc as follows. Sample a random scalar s ∈ Fq , set
the accumulation proof πV := (sβG, sG), compute the new accumulator acc := ComputeAccρ (apk =
avk, [qi ]ni=1 , [accj ]m
j=1 , πV ), and output (acc, πV ).
Accumulation verifier. On input the accumulator verification key avk, new instances [qi ]ni=1 , old accumun
m
lators [accj ]m
j=1 , and a new accumulator acc, V checks that acc accumulates [qi ]i=1 and [accj ]j=1 simply by
running the common subroutine ComputeAcc, i.e. by checking that
acc = ComputeAccρ (avk, [qi ]ni=1 , [accj ]m
j=1 , πV ) .
Decider. On input the decision key dk and an accumulator acc, D checks the validity of acc by parsing acc
as a tuple (C ⋆ , π ⋆ ) ∈ G21 and checking that e(C ⋆ , H) = e(π ⋆ , βH).
8.2
Proof of Theorem 8.1
Note that in the foregoing construction, one can view the accumulation proof πV = (sβG, sG) as an
accumulator because it passes the decider’s pairing check: e(sβG, H) = e(sG, βH). We adopt this
viewpoint below, and omit explicit discussion of πV in both the completeness and soundness proofs. This is a
valid change because it never weakens the adversary: in the completeness proof, the honest prover simply
adds another honest old accumulator to the list sampled by the adversary A, and in the soundness proof the
adversary A already samples old accumulators.
Completeness. We argue completeness directly. First, we follow [CHMMVW20] and rewrite the pairing
equation in PCAGM .Check as follows:
e(C ′ − vG − v̄γG, H) = e(W, βH − zH)
= e(W, βH) − e(W, zH)
= e(W, βH) − e(zW, H)
′
=⇒ e(C − vG − v̄γG + zW, H) = e(W, βH) .
Now, we want to show that AS.P, when given accepting inputs [((Ci , di , zi , vi ), πi )]ni=1 and old accumulators
[accj ]m
j=1 that are accepted by AS.D, outputs a new accumulator acc such that AS.V successfully verifies
that acc is the accumulation of [((Ci , di , zi , vi ), πi )]ni=1 and [accj ]m
j=1 , and that AS.D accepts acc.
First, since for each i ∈ [n], ΦPC (iΦ , (Ci , zi , di , vi ), πi ) = 1, we know that e(Ci′ − vi G − v̄i γG, H) =
e(Wi , βH − zi H), which, by the foregoing manipulation, implies that e(C ′ − vG − v̄i γG + zi Wi , H) =
e(Wi , βH). Hence, for any choice of r ∈ Fq , it holds that
P
P
(8)
e( ni=1 ri−1 (Ci′ − vi G − v̄i γG + zWi ), H) = e( ni=1 ri−1 Wi , βH) .
43
Next, since for each j ∈ [m], accj is accepted by D, we know that e(Cj⋆ , H) = e(πj⋆ , βH). Hence, for
any choice of r ∈ Fq , it holds that
P
P
n+j−1 C ⋆ , H) = e( m r n+j−1 π ⋆ , βH) .
e( m
(9)
j
j
j=1 r
j=1
Adding Equations (8) and (9), we obtain that e(C ⋆ , H) = e(π ⋆ , βH), and hence AS.D(dk, acc = (C ⋆ , π ⋆ )) =
1, as required. Furthermore, V accepts as it just runs the common subroutine P. Hence AS achieves completeness.
Soundness. Recall that we must show that the following probability is negligible for all polynomial-size
adversaries A1 , A2 :
ρ
V (avk, [qi ]ni=1 , [accj ]m
ρ ← U(λ)
j=1 , acc) = 1
Dρ (dk, acc) = 1
pp ← Gρ (1λ )
ρ,A1
Pr
(10)
∧
(iΦ , aux) ← HPC,D
(pp) .
ρ
n
m
ρ
([qi ]i=1 , [accj ]j=1 , acc) ← A2 (pp, iΦ , aux)
∃ j ∈ [m], D (dk, accj ) = 0 ∨
ρ
(apk, avk, dk) ← Iρ (pp, iΦ )
∃ i ∈ [n], ΦPC (iΦ , qi , πi ) = 0
First, we rewrite the pairing equation check in the decider D as follows:
e(C ⋆ , H) = e(π ⋆ , βH)
m
e(
P
e(
i−1 (C ′
i
ir
P
− vi G − v̄i γG + zi Wi ), H) + e(
i−1 (C ′
i
ir
P
− vi G − v̄i γG + zi Wi ), H) − e(
n+j−1 C ⋆ , H)
j
jr
P
= e(
P
= e(
P
m
i
ri−1 W
i , βH)
Writing GT operations additively, this is equivalent to:
n
X
ri−1 (e(Ci′ − vi G − v̄i γG + zi Wi , H) − e(Wi , βH)) =
i=1
m
X
ir
j
i−1 W
i , βH)
+ e(
P
rn+j−1 πj⋆ , βH) − e(
n+j−1 ⋆
πj , βH)
j r1
P
j
rn+j−1 Cj⋆ , H)
rn+j−1 (e(πj⋆ , βH) − e(Cj⋆ , H))
j=1
We define a function s : Fq → GT :
s(X) :=
n
X
X i−1 (e(Ci′ − vi G − v̄i γG + zi Wi , H) − e(Wi , βH)) −
m
X
X n+j−1 (e(πj⋆ , βH) − e(Cj⋆ , H)) ,
j=1
i=1
P
i−1 ∈ F [X], where a ∈ F is such that the
along with an associated polynomial ŝ(X) = m+n
i
q
q
i=1 ai X
i−1
coefficient of X
in the above expression is equal to ai GT for some fixed generator GT of GT . Note that,
for all r ∈ Fq , ŝ(r) = 0 if and only if s(r) = 0.
If the pairing equation e(C ⋆ , H) = e(π ⋆ , βH) holds, then s(r) = 0, whence ŝ(r) = 0. Furthermore,
observe that ŝ is identically zero if and only if:
• For each i in [n], the coefficient of X i−1 is zero. That is, each e(Ci′ −vi G−v̄i γG+zi Wi , H)−e(πi , βH) =
0, which in turn means that the predicate ΦPC (iΦ , qi , πi ) accepts.
• For each j in [m], the coefficient of X n+j−1 is zero. That is, each e(Cj⋆ , H) − e(πj⋆ , βH) = 0, which in
turn means that the decider D(dk, accj ) accepts.
44
Together, this means that the implication in Eq. (10) is equivalent to the condition that ŝ 6≡ 0 but ŝ(r) = 0.
To show that this occurs with negligible probability, we define a zero-finding game and apply Lemma 3.3.
We define a commitment scheme CM′ = (Setup, Commit) and associated family of mapping functions
{fpp }pp . The message space Mpp for CM′ is Gn+m
.
1
CM′ .Setupρ0 (1λ , L = (m, n)):
1. Sample a bilinear group
hgroupi = (G1 , G2 , GT , q, G, H, e) ← SampleGrpρ0 (1λ ).
2. Sample β, γ ∈ Fq .
3. Set the public parameters pp = (hgroupi, β, γ, m, n).
4. Output pp.
CM′ .Commit(pp, p ∈ Mpp ; r):
fpp (p ∈ Mpp ) → p:
1. Parse p as (A1 , . . . An+m ).
2. Let GT = e(G, H) be a generator of GT .
3. Compute ai ∈ Fq such that Ai = ai GT . P
i−1
4. Output the bivariate polynomial ŝ(X) := n+m
.
i=1 ai X
Output p.
Fix a choice of D ∈ N (inside HPC,D from Definition 4.2) that maximizes the success probability of the
adversary A = (A1 , A2 ). We use A to construct an adversary B against Lemma 3.3 for CM′ and {fpp }pp :
B ρ (ppCM′ ):
1. Parse ppCM′ as (hgroupi, β, γ, m, n).
G βG β 2 G . . . β D G
γG γβG γβ 2 G . . . γβ D G
Set PCAGM public parameters ppPC := (hgroupi, Σ, βH).
Set AS public parameters ppAS := 1λ .
Compute the predicate index iΦ as follows:
(a) Compute (✐, aux) ← Aρ1 (ppPC , ppAS ).
(b) Set iΦ := (✐, ppPC ).
ρ
Compute ([qi ]ni=1 , [accj ]m
j=1 , acc) ← A2 (ppAS , iΦ , aux).
n
⋆
⋆ m
Parse [qi ]ni=1 as [((Ci , di , zi , vi ), πi )]i=1 , and [accj ]m
j=1 as [(Cj , πj )]j=1 .
′
For each i ∈ [n], set Ai := e(Ci − vi G − v̄i γG + zi Wi , H) − e(Wi , βH).
For each j ∈ [m], set An+j := e(πj⋆ , βH) − e(Cj⋆ , H).
Output p := ([Ai ]n+m
i=1 ).
2. Compute multiples of G as follows: Σ :=
3.
4.
5.
6.
7.
8.
9.
10.
∈ G12D+2 .
Notice that if A succeeds, then f (p) = ŝ 6≡ 0, but ŝ(r) = 0. This is exactly the winning condition for
Lemma 3.3, and so B succeeds whenever A does. This means that if A succeeds with probability δ, then B
succeeds in the zero-finding game with probability δ, and so δ ≤ negl(λ) (since q is superpolynomial).
Zero knowledge. We demonstrate that AS is zero knowledge by constructing an efficient simulator S.
During the setup phase, Sρ (1λ ) computes pp ← Gρ (1λ ), and outputs (pp, τ = ⊥). Then, during the
proving phase, Sρ (pp, τ, iΦ ) samples a random scalar s ∈ Fq , sets (C ⋆ , π ⋆ ) := (sβG, sG), and outputs the
accumulator acc := (C ⋆ , π ⋆ ). Note that the simulator does not program the random oracle. This implies
that AS is zero knowledge, because the simulated public parameters are identical to the honest ones, and the
accumulators are identically distributed: in both cases, the accumulator consists of a pair of random group
elements.
Efficiency. We now analyze the efficiency of our accumulation scheme.
• Generator: Gρ (1λ ) outputs 1λ , and hence takes poly(λ) time.
• Indexer: Iρ (pp, ppPC , iΦ ) takes time poly(λ).
45
• Accumulation prover: Pρ (apk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 ) invokes the subroutine ComputeAcc,
which in turn computes O(1) linear combinations of O(n + m) elements in G1 , and so requires time equal
to O(n + m) scalar multiplications in G1 .
• Accumulator size: The accumulator acc consists of a pair (C ⋆ , π ⋆ ) of elements in G1 .
• Accumulation proof size: The accumulation proof πV consists of two elements in G1 .
• Accumulation verifier: Vρ (avk, [((Ci , di , zi , vi ), πi )]ni=1 , [accj ]m
j=1 , acc, πV ) simply invokes the common
subroutine ComputeAcc, and so runs in the same time as P.
• Decider: Dρ (dk, acc) performs one pairing, and so its running time is as claimed.
46
All algorithms below have access to the same random oracle ρ0 .
Setup. On input a security parameter λ (in unary) and a maximum degree D, PCAGM .Setup samples public
parameters ppPC as follows. Sample a bilinear group (G1 , G2 , GT , q, G, H, e) ← SampleGrpρ0 (1λ ), and then
sample a field element β ∈ Fq . Compute
G
βG
β2G . . .
βD G
Σ :=
∈ G2D+2
.
1
γG γβG γβ 2 G . . . γβ D G
Output ppPC := (hgroupi, Σ, βH).
Trim. Given oracle access to public parameters ppPC , and on input a list of degree bounds [di ]ni=1 , PCAGM .Trim specializes the public parameters ppPC to the degree bounds [di ]ni=1 as follows. Compute d := maxi∈[n] (d1 , . . . , dn ).
From the powers Σ in ppPC , select Σck as follows:
G
βG . . .
β d G β D−d G β D−d+1 G . . . β D G
Σck :=
∈ G3d+3
.
1
γG γβG . . . γβ d G
Select Σrk := {β D−di G}i∈[n] . Set the commitment key ck := (hgroupi, D, Σck ) and receiver key rk :=
(D, hgroupi, Σrk , γG, βH, [di ]ni=1 ). Output (ck, rk).
Commit. On input the commitment key ck, a univariate polynomial p over the field Fq , a degree bound d,
and commitment randomness (ω, ω ⋆ ), PCAGM .Commit computes a commitment to p as follows. Obtain the
supported degree bounds [di ]ni=1 from ck. If deg(p) > d or d 6∈ [di ]ni=1 , abort. If ω and ω ⋆ are not ⊥, then
obtain from them random univariate polynomials p̄ and p̄⋆ of degree deg(p); otherwise, set p̄ and p̄⋆ to be the
zero polynomial. Compute an “unshifted” commitment U := p(β)G + p̄(β)γG and a “shifted” commitment
S := β D−di p(β)G + p̄⋆ (β)γG. Finally, output C := (U, S). Note that the U and S can be computed as linear
combinations of terms in ck.
Open. On input the commitment key ck, a univariate polynomial p over the field Fq , a commitment C to p, a
degree bound d, an evaluation point z, and commitment randomness (ω, ω ⋆ ), PCAGM .Open computes an opening
proof π as follows.
Obtain the supported degree bounds [di ]ni=1 from ck. If ω and ω ⋆ are not ⊥, then obtain from them random
univariate polynomials p̄ and p̄⋆ of degree deg(p); otherwise, set p̄ and p̄⋆ to be the zero polynomial. If deg(p) > d
or d 6∈ [di ]ni=1 , abort. Compute the evaluation v := p(z) and the opening challenge ξ := ρ0 (rk, d, C, z, v) ∈ Fq .
Then, define the polynomial p⋆ (X) := X D−d p(X) − X D−d p(z), and compute a witness polynomial w(X) :=
p(X)−p(z)
for p, and a witness polynomial w⋆ (X) := X D−d w(X) for p⋆ . Combine these into w′ := w + ξw⋆
X−z
⋆
⋆
p̄(z)
p̄ (z)
Compute witness polynomials w̄(X) := p̄(X)−
for p̄ and w̄⋆ (X) := p̄ (X)−
for p̄⋆ . Combine these into
X−z
X−z
′
⋆
′
w̄ := w̄ + ξ w̄ . Compute the evaluation v̄ := w̄ (z).
Compute W := w′ (β)G + w̄′ (β)γG, and output the evaluation proof π := (W, v̄).
Check. On input the receiver key rk, a commitment C, a degree bound d, an evaluation point z, a claimed
evaluation v, a evaluation proof π, PCAGM .Check proceeds as follows.
If d 6∈ rk, abort. Parse the commitment C as a tuple (U, S) ∈ G21 . Parse the proof π as (W, v̄) ∈ G1 × Fq .
Compute the opening challenge ξ := ρ0 (rk, C, z, d, v). Compute the combined commitment C ′ := U + ξS, and
check the evaluation proof via the equality e(C ′ − vG − vβ D−d G − v̄γG, H) = e(W, βH − zH).
Figure 1: The polynomial commitment scheme PCAGM . Note that this scheme differs from the one described in
[CHMMVW20] in that above PCAGM .Check take as input the commitment, and generates an opening challenge by
evaluating a random oracle on the commitment, whereas in [CHMMVW20], the opening challenge is provided as
an explicit external input.
47
Construction of PCDL
A
We describe PCDL , a polynomial commitment scheme based on the discrete logarithm problem that is inspired
by several prior works [BCCGP16; BBBPWM18; WTSTW18]. This section is organized as follows: in
Appendix A.1 we define Pedersen commitments; in Appendix A.2 we provide the construction of PCDL ; and
in Appendix A.3 we discuss the security of PCDL . Throughout the section we highlight in blue the parts of
the construction that are necessary to make the commitment scheme hiding.
A.1 Pedersen commitments
The Pedersen commitment scheme [Ped92] is a binding commitment on vectors of field elements that is
linearly homomorphic with respect to both the commitment key and the committed elements.
• CM.Setup, on input a security parameter λ (written in unary) and a message format L ∈ N, samples public
parameters pp = (hgroupi, Σ, S) where hgroupi = (G, q, G) ← SampleGrpρ (1λ ) is a description of a
group of prime order, and (S, Σ = (G1 , . . . , GL )) are independent uniformly-sampled generators for G.5
• CM.Trim, on input public parameters pp and a trim specification ℓ ∈ N, selects hk := (G1 , . . . , Gℓ ) ∈ Gℓ
from Σ and outputs ck := (hgroupi, hk, S). The message space is M := Fℓq .
• CM.Commit, on input a commitment key ck = (hgroupi, hk, S), a message m ∈ M = Fℓq , and commitment randomness ω ∈ Fq , computes the commitment C as follows. If ω = ⊥, set ω := 0. Then, compute
P
the commitment C := ωS + ℓi=1 mi Gi ∈ G.
The Pedersen commitment scheme is binding provided the discrete logarithm problem is hard for SampleGrp.
Observe that for fixed ω, the commitment algorithm CM.Commit is a deterministic function of ck and m.
Below we use CM.Commithk (m) to denote the deterministic commitment CM.Commit(ck, m; ω = ⊥),
where ck = (hgroupi, hk, S).
Notice that CM.Commit satisfies the following bilinearity property: if ck = (hgroupi, hk, S) and
ck′ = (hgroupi, hk′ , S) have the same group description and |hk| = |hk′ | = ℓ then
Commit(ck,~a; ωa ) + Commit(ck,~b; ωb ) = Commit(ck,~a + ~b; ωa + ωb )
and
CM.Commithk (~a) + CM.Commithk′ (~a) = CM.Commithk+hk′ (~a) ,
where hk + hk′ denotes addition in the group Gℓ . Note that the foregoing bilinearity property implies that
CM.Commithk (~a) = CM.Commitx−1 ·hk (x · ~a) for all x ∈ F∗q .
A.2 Construction
In our construction below, all algorithms have oracle access to the same random oracle ρ0 . We assume
without loss of generality that expressions of the form d + 1 and D + 1 are powers of 2. For a vector ~a ∈ S n
for any set S, we use the notation l(~a) := (a1 , . . . , an/2 ) and r(~a) := (an/2+1 , . . . , an ) to denote the left
and right halves of ~a, respectively.
Setup. On input security parameter λ (written in unary) and a maximum supported degree D, PCDL .Setup
samples public parameters pp = (hgroupi = (G, q, G), Σ, S) ← CM.Setupρ0 (1λ , D + 1), samples a random
generator H ← ρ0 (pp) in the group G, and outputs the public parameters ppPC := (pp, H).
5
In practice, one would sample the generators using the random oracle: (S, Σ = (G1 , . . . , GL )) ← ρ(hgroupi, L).
48
Trim. Given oracle access to the public parameters ppPC and a single degree bound d that is at most
D, PCDL .Trim specializes the public parameters for the degree bounds as follows: parse
ppPC as (pp, H),
compute ck ← CM.Trim(pp, d + 1), and output (ckPC , rkPC ) := (ck, H), (ck, H) . (We note that we
consider the case where PCDL .Trim only receives a single degree bound d rather than a vector of degrees
[di ]ni=1 . We omit details for this more general case.)
Commit. On input the commitment key ckPC = (ck, H), a univariate polynomial p over the field Fq , a
degree bound d, and commitment randomness ω, PCDL .Commit outputs C := CM.Commit(ck,~c, ω), where
~c = (c0 , . . . , cd ) are the coefficients of p.
Open. On input the commitment key ckPC = (ck, H), a univariate polynomial p(X), a commitment C to p,
a degree bound d, an evaluation point z, and commitment randomness ω, PCDL .Open computes an evaluation
proof π by using (a variant of) the inner product argument in [BCCGP16; BBBPWM18] as follows.
1. Compute the evaluation v := p(z) ∈ Fq .
2. Sample a random polynomial p̄ ∈ F≤d
q [X] such that p̄(z) = 0.
3. Sample corresponding commitment randomness ω̄ ∈ Fq .
4. Compute a hiding commitment to p̄: C̄ ← CM.Commitρ0 (ck, p̄; ω̄) ∈ G.
5. Compute the challenge α := ρ(C, z, v, C̄) ∈ F∗q .
P
6. Compute the polynomial p′ := p + αp̄ = di=0 ci X i ∈ Fq [X].
7. Compute commitment randomness ω ′ := ω + αω̄ ∈ Fq .
8. Compute a non-hiding commitment to p′ : C ′ := C + αC̄ − ω ′ S ∈ G.
Compute the 0-th challenge field element ξ0 := ρ0 (C ′ , z, v) ∈ Fq , and use it to compute the group element
H ′ := ξ0 H ∈ G. Initialize the following vectors:
~c0 := (c0 , c1 , . . . , cd ) ∈ Fd+1
q
and ~z 0 := (1, z, . . . , z d ) ∈ Fd+1
q
and
~ 0 := (G0 , G1 , . . . , Gd ) ∈ Gd+1 .
G
Next, for each i ∈ [log (d + 1)], perform the following steps:
1.
2.
3.
4.
5.
~ i−1 ) || H ′ , compute the left commitment Li := CM.CommitΣ r(~ci−1 )||hr(~ci−1 ), l(~z i−1 )i .
Setting ΣL := l(G
L
~ i−1 ) || H ′ , compute the right commitment Ri := CM.CommitΣ l(~ci−1 )||hl(~ci−1 ), r(~z i−1 )i .
Setting ΣR := r(G
R
Generate the i-th challenge ξi := ρ0 (ξi−1 , Li , Ri ) ∈ Fq .
~ i := l(G
~ i−1 ) + ξi · r(G
~ i−1 ).
Construct the commitment key for the next round: G
−1
Construct commitment inputs for the next round: ~ci := l(~ci−1 ) + ξi · r(~ci−1 ) and ~z i := l(~z i−1 ) + ξi · r(~z i−1 ).
~ U, c, C̄, ω ′ ).
Finally, set U := Glog (d+1) , c := clog (d+1) , and output the evaluation proof π := (~L, R,
Check. On input the receiver key rkPC = (ck, H), a commitment C, a degree bound d, an evaluation point
z, a claimed evaluation v, and an evaluation proof π, PCDL .Check verifies the evaluation proof by invoking
the verifier of the inner product argument as follows.
1.
2.
3.
4.
5.
Parse ck as (hgroupi, hk, S).
Set d′ := |hk| − 1.
Set rk := (hgroupi, S, H, d′ ).
Check that PCDL .SuccinctCheckρ0 (rk, C, d, z, v, π) accepts and outputs (h, U ). (See Figure 2).
Check that U = CM.Commit(ck, ~h), where ~h is the coefficient vector of the polynomial h.
49
PCDL .SuccinctCheckρ0 (rk, C, d, z, v, π):
~ U, c, C̄, ω ′ ).
1. Parse rk as (hgroupi, S, H, d′ ), and π as (~L, R,
′
2. Check that d = d .
3. Compute the challenge α := ρ0 (C, z, v, C̄) ∈ F∗q .
4. Compute the non-hiding commitment C ′ := C + αC̄ − ω ′ S ∈ G.
5. Compute the 0-th challenge ξ0 := ρ0 (C ′ , z, v), and set H ′ := ξ0 H ∈ G.
6. Compute the group element C0 := C ′ + vH ′ ∈ G.
7. For each i ∈ [log (d + 1)]:
(a) Generate the i-th challenge: ξi := ρ0 (ξi−1 , Li , Ri ) ∈ Fq .
(b) Compute the i-th commitment: Ci := ξi−1 Li + Ci−1 + ξi Ri ∈ G.
Qlog (d+1)−1
i
8. Define the univariate polynomial h(X) := i=0
(1 + ξlog (d+1)−i X 2 ) ∈ Fq [X].
9. Compute the evaluation v ′ := c · h(z) ∈ Fq .
10. Check that Clog (d+1) = CM.CommitΣ (c || v ′ ), where Σ = (U || H ′ ).
11. Output (h, U ).
Figure 2: The subroutine PCDL .SuccinctCheck that is invoked by PCDL .Check and by our accumulation scheme.
A.3 Security
A.3.1
Hiding
We construct the following simulator S for PCDL .
S.Setupρ0 (1λ , D):
1. Compute pp := PCDL .Setupρ (1λ ).
2. Output (pp, trap := pp).
S.Commitρ0 (trap = pp, d):
1. Compute (ck, rk) := PC.Trimρ0 (pp, d).
2. Sample commitment randomness ω ∈ Fq .
3. Output C := PCDL .Commitρ0 (ck, 0, d; ω).
S.Openρ0 (z, v):
1. Sample a random challenge α ∈ F∗q .
2. Sample a random polynomial p̄ ∈ F≤d
q [X] such that p̄(z) = v/α.
3. Sample a commitment randomness ω̄ ∈ Fq .
4. Compute a hiding commitment to p̄: C̄ ← CM.Commitρ0 (ck, p̄; ω̄).
5. Define the programming function µ(C, z, v, C̄) := α.
6. Proceed as in PCDL .Open to compute the evaluation proof π.
7. Output (µ, π).
We now informally argue that the output of S is computationally indistinguishable from that of an honest
execution. First, the public parameters are both honestly sampled. Next, the hiding property of CM means
that commitments are uniformly random group elements, and are hence identically distributed in both
cases. Next, in both cases the inner product argument is performed with respect to a polynomial p′ drawn
independently and uniformly conditioned on p′ (v) = z, and so these are identically distributed. Finally, for
any polynomial-time adversary the programmed random oracle ρ[µ] is indistinguishable from the honestly
sampled random oracle ρ because S programs it at the point (C, z, v, C̄), which has sufficiently high entropy
due to the randomness of C̄.
A.3.2
Extractability
It is conjectured that if the Pedersen commitment scheme is binding, then PCDL constructed in Appendix A.2
is a polynomial commitment scheme in the random oracle model (Section 3.6). Below we summarize what is
currently known about this conjecture.
50
Recall that in PCDL , the algorithms PCDL .Open and PCDL .Check are obtained by applying the Fiat–Shamir
transformation [FS86] to a public-coin “inner-product” argument system. We first discuss the security of
this interactive argument, and then discuss the security (in the random oracle model) of the non-interactive
argument obtained after applying the Fiat–Shamir transformation.
Security of the interactive argument. A sequence of works [BCCGP16; BBBPWM18; WTSTW18;
BMMV19] have shown how to construct various inner-product arguments of knowledge from any doublyhomomorphic commitment scheme by explicitly constructing an efficient rewinding extractor. The innerproduct argument used in PCDL is a special case of an inner-product argument in [BMMV19], and thus
inherits its knowledge soundness guarantees.
Security of the resulting non-interactive argument. It is known from folklore that applying the Fiat–
Shamir transformation to a public-coin k-round interactive argument of knowledge with negligible soundness
error yields a non-interactive argument of knowledge in the random-oracle model where the extractor E runs
in time exponential in k. In more detail, to extract from an adversary that makes t queries to the random
oracle, E runs in time tO(k) . In our setting, the inner-product argument has k = O(log d) rounds, which
means that if we apply this folklore result, we would obtain an extractor that runs in superpolynomial (but
2
subexponential) time tO(log d) = 2O(log(λ) ) . It remains an interesting open problem to construct an extractor
that runs in polynomial time.
51
Acknowledgements
The authors thank William Lin for pointing out an error in a prior version of the construction of PCDL . This
research was supported in part by: the Berkeley Haas Blockchain Initiative and a donation from the Ethereum
Foundation. Benedikt Bünz performed part of the work while visiting the Simons Institute for the Theory of
Computing.
References
[AHIV17]
S. Ames, C. Hazay, Y. Ishai, and M. Venkitasubramaniam. “Ligero: Lightweight Sublinear Arguments Without a Trusted Setup”. In: Proceedings of the 24th ACM Conference on Computer and
Communications Security. CCS ’17. 2017, pp. 2087–2104.
[BBBPWM18]
B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. “Bulletproofs: Short Proofs
for Confidential Transactions and More”. In: Proceedings of the 39th IEEE Symposium on Security
and Privacy. S&P ’18. 2018, pp. 315–334.
[BCCGP16]
J. Bootle, A. Cerulli, P. Chaidos, J. Groth, and C. Petit. “Efficient Zero-Knowledge Arguments for
Arithmetic Circuits in the Discrete Log Setting”. In: Proceedings of the 35th Annual International
Conference on Theory and Application of Cryptographic Techniques. EUROCRYPT ’16. 2016,
pp. 327–357.
[BCCT13]
N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. “Recursive Composition and Bootstrapping for
SNARKs and Proof-Carrying Data”. In: Proceedings of the 45th ACM Symposium on the Theory of
Computing. STOC ’13. 2013, pp. 111–120.
[BCGGHJ17]
J. Bootle, A. Cerulli, E. Ghadafi, J. Groth, M. Hajiabadi, and S. K. Jakobsen. “Linear-Time
Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability”. In: Proceedings of the 23rd International Conference on the Theory and Applications of Cryptology and Information Security.
ASIACRYPT ’17. 2017, pp. 336–365.
[BCRSVW19]
E. Ben-Sasson, A. Chiesa, M. Riabzev, N. Spooner, M. Virza, and N. P. Ward. “Aurora: Transparent
Succinct Arguments for R1CS”. In: Proceedings of the 38th Annual International Conference on the
Theory and Applications of Cryptographic Techniques. EUROCRYPT ’19. Full version available at
https://eprint.iacr.org/2018/828. 2019, pp. 103–128.
[BCS16]
E. Ben-Sasson, A. Chiesa, and N. Spooner. “Interactive Oracle Proofs”. In: Proceedings of the 14th
Theory of Cryptography Conference. TCC ’16-B. 2016, pp. 31–60.
[BCTV14]
E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. “Scalable Zero Knowledge via Cycles of Elliptic
Curves”. In: Proceedings of the 34th Annual International Cryptology Conference. CRYPTO ’14.
2014, pp. 276–294.
[BDFLSZ11]
D. Boneh, Ö. Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry. “Random Oracles
in a Quantum World”. In: Proceedings of the 17th International Conference on the Theory and
Application of Cryptology and Information Security. ASIACRYPT ’11. 2011, pp. 41–69.
[BGH19]
S. Bowe, J. Grigg, and D. Hopwood. Halo: Recursive Proof Composition without a Trusted Setup.
Cryptology ePrint Archive, Report 2019/1021. 2019.
[BMMV19]
B. Bünz, M. Maller, P. Mishra, and N. Vesely. Proofs for Inner Pairing Products and Applications.
Cryptology ePrint Archive, Report 2019/1177. 2019.
[BMRS20]
J. Bonneau, I. Meckler, V. Rao, and E. Shapiro. Coda: Decentralized Cryptocurrency at Scale.
Cryptology ePrint Archive, Report 2020/352. 2020.
52
[BR93]
M. Bellare and P. Rogaway. “Random Oracles Are Practical: A Paradigm for Designing Efficient
Protocols”. In: Proceedings of the 1st ACM Conference on Computer and Communications Security.
CCS ’93. 1993, pp. 62–73.
[CCW19]
A. Chiesa, L. Chua, and M. Weidner. “On Cycles of Pairing-Friendly Elliptic Curves”. In: SIAM
Journal on Applied Algebra and Geometry 3.2 (2019), pp. 175–192.
[CHMMVW20]
A. Chiesa, Y. Hu, M. Maller, P. Mishra, N. Vesely, and N. Ward. “Marlin: Preprocessing zkSNARKs
with Universal and Updatable SRS”. In: Proceedings of the 39th Annual International Conference
on the Theory and Applications of Cryptographic Techniques. EUROCRYPT ’20. 2020.
[CL20]
A. Chiesa and S. Liu. “On the Impossibility of Probabilistic Proofs in Relativized Worlds”. In:
Proceedings of the 11th Innovations in Theoretical Computer Science Conference. ITCS ’20. 2020,
57:1–57:30.
[Co17]
O(1) Labs. Coda Cryptocurrency. https://codaprotocol.com/. 2017.
[COS20]
A. Chiesa, D. Ojha, and N. Spooner. “Fractal: Post-Quantum and Transparent Recursive Proofs
from Holography”. In: Proceedings of the 39th Annual International Conference on the Theory and
Applications of Cryptographic Techniques. EUROCRYPT ’20. 2020.
[CT10]
A. Chiesa and E. Tromer. “Proof-Carrying Data and Hearsay Arguments from Signature Cards”. In:
Proceedings of the 1st Symposium on Innovations in Computer Science. ICS ’10. 2010, pp. 310–331.
[CTV13]
S. Chong, E. Tromer, and J. A. Vaughan. Enforcing Language Semantics Using Proof-Carrying
Data. Cryptology ePrint Archive, Report 2013/513. 2013.
[CTV15]
A. Chiesa, E. Tromer, and M. Virza. “Cluster Computing in Zero Knowledge”. In: Proceedings of
the 34th Annual International Conference on Theory and Application of Cryptographic Techniques.
EUROCRYPT ’15. 2015, pp. 371–403.
[FS86]
A. Fiat and A. Shamir. “How to prove yourself: practical solutions to identification and signature
problems”. In: Proceedings of the 6th Annual International Cryptology Conference. CRYPTO ’86.
1986, pp. 186–194.
[GW11]
C. Gentry and D. Wichs. “Separating Succinct Non-Interactive Arguments From All Falsifiable
Assumptions”. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing.
STOC ’11. 2011, pp. 99–108.
[GWC19]
A. Gabizon, Z. J. Williamson, and O. Ciobotaru. PLONK: Permutations over Lagrange-bases for
Oecumenical Noninteractive arguments of Knowledge. Cryptology ePrint Archive, Report 2019/953.
2019.
[Halo19]
S. Bowe, J. Grigg, and D. Hopwood. Halo. 2019. URL: https://github.com/ebfull/
halo.
[KB20]
A. Kattis and J. Bonneau. Proof of Necessary Work: Succinct State Verification with Fairness
Guarantees. Cryptology ePrint Archive, Report 2020/190. 2020.
[KZG10]
A. Kate, G. M. Zaverucha, and I. Goldberg. “Constant-Size Commitments to Polynomials and Their
Applications”. In: Proceedings of the 16th International Conference on the Theory and Application
of Cryptology and Information Security. ASIACRYPT ’10. 2010, pp. 177–194.
[Lin03]
Y. Lindell. “Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation”. In: Journal
of Cryptology 16.3 (2003), pp. 143–184.
[MBKM19]
M. Maller, S. Bowe, M. Kohlweiss, and S. Meiklejohn. “Sonic: Zero-Knowledge SNARKs from
Linear-Size Universal and Updateable Structured Reference Strings”. In: Proceedings of the 26th
ACM Conference on Computer and Communications Security. CCS ’19. 2019.
[NPR19]
M. Naor, O. Paneth, and G. N. Rothblum. “Incrementally Verifiable Computation via Incremental
PCPs”. In: Proceedings of the 17th International Conference on the Theory of Cryptography.
TCC ’19. 2019, pp. 552–576.
53
[NT16]
A. Naveh and E. Tromer. “PhotoProof: Cryptographic Image Authentication for Any Set of Permissible Transformations”. In: Proceedings of the 37th IEEE Symposium on Security and Privacy.
S&P ’16. 2016, pp. 255–271.
[Pas03]
R. Pass. “On Deniability in the Common Reference String and Random Oracle Model”. In: Proceedings of the 23rd Annual International Cryptology Conference. CRYPTO ’03. 2003, pp. 316–
337.
[Ped92]
T. P. Pedersen. “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing”. In:
Proceedings of the 11th Annual International Cryptology Conference. CRYPTO ’91. 1992, pp. 129–
140.
[Pickles20]
O(1) Labs. Pickles. URL: https://github.com/o1-labs/marlin.
[SS11]
J. H. Silverman and K. E. Stange. “Amicable Pairs and Aliquot Cycles for Elliptic Curves”. In:
Experimental Mathematics 20.3 (2011), pp. 329–357.
[Val08]
P. Valiant. “Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space
Efficiency”. In: Proceedings of the 5th Theory of Cryptography Conference. TCC ’08. 2008, pp. 1–
18.
[WTSTW18]
R. S. Wahby, I. Tzialla, A. Shelat, J. Thaler, and M. Walfish. “Doubly-Efficient zkSNARKs Without
Trusted Setup”. In: Proceedings of the 39th IEEE Symposium on Security and Privacy. S&P ’18.
2018, pp. 926–943.
54