TY - GEN
T1 - From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again
AU - Bitansky, Nir
AU - Canetti, Ran
AU - Chiesa, Alessandro
AU - Tromer, Eran
PY - 2012
Y1 - 2012
N2 - The existence of succinct non-interactive arguments for NP (i.e., non-interactive computationally-sound proofs where the verifier's work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS '94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE '08]. We formulate a general and relatively natural notion of an extractable collision-resistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa's protocol is a succinct non-interactive argument for NP. Furthermore, the modified protocol is actually a succinct non-interactive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof. We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct non-interactive zero knowledge arguments, and to succinct two-party secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of the assumption.
AB - The existence of succinct non-interactive arguments for NP (i.e., non-interactive computationally-sound proofs where the verifier's work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS '94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE '08]. We formulate a general and relatively natural notion of an extractable collision-resistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa's protocol is a succinct non-interactive argument for NP. Furthermore, the modified protocol is actually a succinct non-interactive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof. We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct non-interactive zero knowledge arguments, and to succinct two-party secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of the assumption.
UR - http://www.scopus.com/inward/record.url?scp=84856494511&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/2090236.2090263
DO - https://doi.org/10.1145/2090236.2090263
M3 - منشور من مؤتمر
SN - 9781450311151
T3 - ITCS 2012 - Innovations in Theoretical Computer Science Conference
SP - 326
EP - 349
BT - ITCS 2012 - Innovations in Theoretical Computer Science Conference
T2 - 3rd Conference on Innovations in Theoretical Computer Science, ITCS 2012
Y2 - 8 January 2012 through 10 January 2012
ER -