Slides for Eylon Yogev's (Bar-Ilan University) presentation at ZKStudyClub, covering his new work (co-authored w/ Alessandro Chiesa of UC Berkeley) about SNARGs in the random oracle model of sub- quadratic complexity. Link to the original paper: https://eprint.iacr.org/2021/281.pdf

1. Subquadratic SNARGs
in the Random Oracle Model
Alessandro Chiesa
UC Berkeley
Eylon Yogev
Bar-Ilan University

2. An “NP proof system”:
Completeness: if 𝑥 ∈ 𝐿 then there exist w ∶ V 𝑥, 𝑤 = 1
Soundness: if 𝑥 ∉ 𝐿 then for all w ∶ V 𝑥, 𝑤 = 0
Proof Systems
Verifier
Prover
𝑤
?
𝑥 ∈ 𝐿
2

3. Parameters:
1. Communication complexity
2. # rounds
3. # bits read by the verifier
4. Class of cheating provers
5. Setup
(Interactive) Proof Systems
Verifier
Prover
?
𝑥 ∈ 𝐿
3

4. Many rounds: interactive proofs
IP = PSPACE
IP
Verifier
Prover
?
𝑥 ∈ 𝐿
4

5. One round, local verifier: PCPs
PCP Theorem: PCP[log n, O(1)] = NP
PCP
Verifier
Prover
?
𝑥 ∈ 𝐿
5

6. Many rounds, local verifier: IOPs
IOP Theorem: IOP[comm = O(n)] = NP
IOP
6

7. Best of all worlds:
One round, succinct communication, computational soundness
SNARG
Verifier
Prover
?
𝑥 ∈ 𝐿
7

8. A non-interactive protocol for a language 𝐿
The communication complexity is succinct
Soundness is computational
SNARGs in the ROM
Verifier
Prover
𝜁: 0,1 ∗
→ 0,1 "
𝜋
?
𝑥 ∈ 𝐿
8

9. SNARGs in the ROM
Verifier
Prover
𝜁: 0,1 ∗
→ 0,1 "
𝜋
?
𝑥 ∈ 𝐿
𝑡, 𝜖 -security: for any 𝑡-query unbounded adversary /
𝑃
Pr
!
𝑉!
𝑥, 𝜋 = 1 ∶
𝜁 ← 𝑈(𝜆)
𝜋 ← /
𝑃!
≤ 𝜖
9

10. The Random Oracle Model (ROM)
• An elegant information-theoretic model
• Supports several well-known constructions of succinct arguments
• Heuristically instantiated via lightweight crypto
• Plausibly post-quantum secure
• Deployed today in various systems
𝜁: 0,1 ∗
→ 0,1 "
𝜁
10

11. Known SNARG constructions [Micali’94 , BCS’16]
Information
Theoretic Proof
(PCP or IOP)
Cryptographic
Commitment
(with local opening)
(non-interactive)
Succinct Argument
+ =
11
𝝅

12. PCPs
Probabilistically Checkable Proofs
12

13. Micali’s SNARG
PCP =
root =
1. Write PCP
2. Compute Merkle tree
3. Derive PCP randomness
4. Send root and auth paths
for all queries
Verifier
Prover
1. Verify PCP answers
2. Verify auth paths
What is the
size of 𝝅?
13
(root, PCP answers, auth paths)
𝝅 =

14. tl;dr
• Micali’s construction has a quadratic argument size
• We give a subquadratic argument size
This is the first improvement to Micali’s construction in 25 years
14

15. Micali’s argument size
• Suppose the PCP has length 𝑙, alphabet Σ, query complexity 𝑞
• Then, the size is:
Information-
theoretic proof
Cryptographic
commitment
𝑞 ⋅ log Σ + 𝑞 ⋅ 𝜆 ⋅ log 𝑙 = /
𝑂 log
𝑡
𝜖
2
15
• Claim: to get (𝑡, 𝜖)-security:
• Oracle output must be: 𝜆 = 𝑂 log
!
"
• PCP query complexity: 𝑞 = 𝑂 log
!
"
• Corollary: argument size is quadratic

16. Collision attack
Micali’s argument size
16

17. inversion attack
Micali’s argument size
17

18. oracle output size
To get (𝑡, 𝜖)-security, oracle output must be 𝜆 = 𝑂 log
3
4
:
• Guess the root in advance, and derive a fooling PCP
• Success probability: 2!"
• Repeating the above 𝑡 times
• Success probability: 𝑂(𝑡 ⋅ 2!")
• Setting 𝑂(𝑡 ⋅ 2#$) ≤ 𝜖 implies 𝜆 = 𝑂 log
!
"
Micali’s argument size
18

19. To get (𝑡, 𝜖)-security, PCP query complexity 𝑞 = /
𝑂 log
3
4
• PCP Soundness must be 𝜖%&% = 𝑂
"
!
• Try winnig the PCP 𝑡 times
• CY20: assuming ETH it must be that 𝑞 = 1
𝑂 log 1/𝜖%&% = 1
𝑂 log
!
"
A strong version of the
“P vs NP” conjecture
19
Micali’s argument size
PCP query complexity

20. Argument size
20
/
𝑂 log
𝑡
𝜖
2
Micali
/
𝑂 log
𝑡
𝜖
Lower bound

21. Our Results
21

22. Subquadratic SNARGs in the ROM
Theorem:
There exist SNARGs in the random oracle model that achieves argument size
!
𝑂 log
𝑡
𝜖
⋅ log 𝑡
Strong
Information
Theoretic Proof
Weak
Cryptographic
Commitment
Subquadratic
SNARG
+ =
Our approach:
22

23. Argument size
23
/
𝑂 log
𝑡
𝜖
2
Micali
/
𝑂 log
𝑡
𝜖
Lower bound
!
𝑂 log
𝑡
𝜖
⋅ log 𝑡 This work
New!
Tight for a large family of constructions
[NHY21]

24. Concrete Argument Size
• Our construction has good concrete efficiency as well
• Below, we compare Micali’s construction (in red) with ours (in blue)
• Both instantiated with the repetition of a “base” PCP with soundness error 1/2, query
complexity 3, and proof length 2#$
24

25. What Should 𝒕 and 𝝐 be?
• Values depend on the desired security and setting
• Common approach: 𝑡 = 1/𝜖 (𝑡 = 2<2=
, 𝜖 = 2><2=
).
• Online setting: small 𝑡, large 1/𝜖 (𝑡 = 2?@
, 𝜖 = 2><@@
).
• Offline setting: large 𝑡, small 1/𝜖 (𝑡 = 2<2=
, 𝜖 = 2><@
).
25

26. Our Construction
26

27. Our construction
• Starting point: Micali’s construction
• Set the oracle output size 𝜆 = /
𝑂 log 𝑡
• Make 4 main changes:
1. Chopped tree
2. Domain separation
3. Permuting the proof
4. Robust PCPs
27
• These changes do not increase the argument size
• But, combined they do increase security
• Which lets us reduce the output size of the random oracle
• Our analysis works even with salts (useful for zero-knowledge)

28. Change 1: Chopped tree
28
PCP =
root =
𝜁

29. Cap
Change 1: Chopped tree
PCP =
…
𝑖∗
𝜁
29

30. Cap
Change 1: Chopped tree
PCP =
…
𝑖∗
30

31. Change 1: Chopped tree
𝑖∗
= 0 → Micali
𝑖∗
= log 𝑙 → The entire PCP
As 𝑖∗
is larger the security is higher but the argument size is larger
Special layer: 𝑖∗
= log 𝑞, better security, same argument size
Inverting a node in the cap has small
effect on the PCP
31

32. Change 2: Domain separation
• We use an oracle for each location in the tree
• Prefix all queries with location (𝑖, 𝑗)
• Prevents re-using inversions/collisions
32

33. Cap
Change 2: Domain separation
PCP =
…
𝑖∗
33
(1,1) (1,2) 1,3 … (1,16)
(2,1) (2,2)
(3,1)

34. Change 3: Permuting the proof
• We permute the PCP proof before applying the (chopped) Merkle tree
• For simplicity: assume access to a random permutation over [𝑙]
• Permutation can be derived from a random oracle (Luby–Rackoff)
• Creates the effect of a PCP with uniform random queries
34

35. Cap
Change 3: Permuting the proof
𝑃𝑒𝑟𝑚
(PCP) =
…
𝑖∗
𝜁
35
(1,1) (1,2) 1,3 …

36. Change 4: Robust PCP
• We use a strong PCP notion: permuted robust PCP
• Intuition: if the prover changes a few symbols after the fact, no harm
made
• Let 𝑏 be the number of blocks, let 𝑃𝑒𝑟𝑚 be a permutation over [𝑙]
• Define ΔB
CDEF
Π, ΠG
to be the block-wise distance when strings are
permuted according to (non-block-wise) 𝑃𝑒𝑟𝑚
36
distance 1

37. Robust PCP
1. Publish a random permutation 𝑃𝑒𝑟𝑚
2. /
𝑃 outputs a PCP string Π ∈ ΣH
3. Sample PCP randomness 𝜌, and give it to /
𝑃
4. /
𝑃 outputs another PCP string Π′ ∈ ΣH
5. The game outputs 1 if and only if
ΔB
CDEF
Π, ΠG
≤ 𝑑 and VI!
x; 𝜌 = 1
• We use a strong PCP notion: permuted robust PCP
• Intuition: if prover changes a few symbols after the fact, no harm made
• Permuted robust soundness 𝜖JDE(𝑏𝑙𝑜𝑐𝑘𝑠 = 𝑏, 𝑑𝑖𝑠𝑡𝑎𝑛𝑐𝑒 = 𝑑):
37

38. Robust PCP
• We use a strong PCP notion: permuted robust PCP
• Intuition: if prover changes a few symbols after the fact, no harm made
• A PCP has robustness ratio 𝛽(𝑏) if for any 𝑑:
38
𝜖!"# 𝑏, 𝑑 + 1
𝜖!"#(𝑏, 𝑑)
≤ 𝛽(𝑏)

39. Cap
Our construction in full
𝑃𝑒𝑟𝑚(RobustPCP)
…
𝑖∗
𝜁
39
(1,1) (1,2) 1,3 …
(2,1) (2,2)
(3,1)

40. Security of our construction
Security is shown in two steps:
1.
2. Constructing permuted robust PCPs
40
Permuted robust
PCPs
Chopped tree +
Domain separation +
Permutation
Subquadratic
SNARG
+ =

41. Security of our construction
Lemma:
Our construction instantiated with a PCP with soundness 𝜖CKC,
permuted robustness ratio 𝛽(𝑏),
with 𝜆 ≥ 2 log 𝑡 + log 𝛽(𝑏) , and 2L∗
= 𝑏
has soundness 𝑡 ⋅ 𝜖CKC
Proof:
1. Introduce scores for oracle queries
2. Using them to reduce any cheating prover to a strategy for permuted robust
soundness
41

42. Scoring oracle queries
• We use a notion of scoring functions for query traces
• Scoring collisions: the score of a 𝑘-wise collision is 𝑘 − 1
• This “counts” the number of collisions in a given trace
• Scoring inversions: we count the number of queries with response 𝑦
that hit a previous query (𝑥<, 𝑥2)
• Claim: for any 𝑡-query algorithm:
Pr 𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛 𝑠𝑐𝑜𝑟𝑒 > 𝑘 ≤
!!
""
#
Pr 𝑖𝑛𝑣𝑒𝑟𝑠𝑖𝑜𝑛 𝑠𝑐𝑜𝑟𝑒 > 𝑘 ≤
𝑡"
2$
#
42

43. Proof of the lemma
Pr
veri:ier
accepts
≤ @
/01
2
Pr
veri:ier
accepts
∶ score of 𝑘 ⋅ Pr[score of 𝑘]
≤ @
/01
2
𝑡 ⋅ 2/ ⋅ 𝜖345 𝑏𝑙𝑜𝑐𝑘𝑠 = 𝑏, 𝑑𝑖𝑠𝑡𝑎𝑛𝑐𝑒 = 𝑘 ⋅ Pr[score of 𝑘]
≤ @
/01
2
𝑡 ⋅ 2/ ⋅ 𝜖%&% ⋅ 𝛽/ ⋅
2𝑡6
2$
/
≤ 𝑂 𝑡 ⋅ 𝜖%&% ⋅ @
/01
2
4𝛽 ⋅ 𝑡6
2$
/
= 𝑂 𝑡 ⋅ 𝜖%&%
Major step
I spared you
Robustness ratio
+ score lemma
Converges since
𝜆 ≥ 2 log 𝑡 + log 𝛽(𝑏)
43

44. Security of our construction
Security is shown in two steps:
1.
2. Constructing permuted robust PCPs
44
Permuted robust
PCPs
Chopped tree +
Domain separation +
Permutation
Subquadratic
SNARG
+ =

45. Repeated PCPs are Robust
Any repeated PCP satisfies the strong notion of permuted robust soundness:
Lemma:
Let (𝑃, 𝑉) be a “base” PCP with soundness 𝜖%&'( and query complexity 𝑞.
Then, for any 𝑘 and any 𝑏 ≥ 𝑘 ⋅ 𝑞 ⋅ 𝜖%&'(
)*
it holds that (𝑃#, 𝑉#) has
Assuming each location is queried with probability 𝑝 ≤
*
+%⋅#
.
In particular, it has robustness ratio 𝑂(𝑏).
𝜖#$% 𝑥, 𝑏, 𝑑 ≤
𝑒&.()
𝑑!
⋅ 𝑏)
⋅ 𝜖*+,$
-
45

46. Argument size of our construction
• Use any PCP with constant query and constant soundness
• Repeat 𝑂 log 𝑡/𝜖 times to get a PCP with
• Soundness error 𝑂 log 𝜖/𝑡
• Query complexity 𝑂 log 𝑡/𝜖
• 𝛽 = 𝑂 log 𝑡/𝜖
• Set 𝜆 = 2 log 𝑡 + log 𝛽(𝑏) + 3 = 𝑂(log 𝑡) + 𝑂 log log 𝑡/𝜖
• Conclude:
𝜋 = /
𝑂 𝑞 ⋅ 𝜆 = /
𝑂 log
𝑡
𝜖
⋅ (log 𝑡 + log log 𝑡/𝜖) = /
𝑂 log
𝑡
𝜖
⋅ log 𝑡
46

47. Conclusions and open problems
• Construction: SNARG or size /
𝑂 log
3
4
⋅ log 𝑡
• Lower bound: /
𝑂 log
3
4
Open problem:
Are there SNARGs in the random oracle model of size 𝑂 log
3
4
?
Thanks!
47

48. Proof of Lemma
48