The Cost of Statistical Security in Proofs for Repeated Squaring

Cody R. Freitag, Ilan Komargodski
DOI: 10.4230/LIPIcs.ITC.2023.4 (pages 4:1-4:23, published 2023-01-01)

Abstract

In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x, an integer T, and an RSA modulus N, it is hard to compute x^(2^T) mod N, or even to decide whether y = x^(2^T) mod N, in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages. In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group Z_N^*. As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof), the verifier either runs in parallel time Ω(T/(k+1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p, q such that N = p·q (which is infeasible or undesirable in most applications), or a variant of Pietrzak's proof of repeated squaring (ITCS 2019) has optimal verifier complexity O(T/(k+1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally sound protocol of Wesolowski (EUROCRYPT 2019) with a generic group verifier. We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r-round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω(T/(k+1)^r) with high probability, or is able to factor N given the proof transcript.
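As an added worked example (not code from the paper or its authors), the Python sketch below implements the relation y = x^(2^T) mod N, a one-round proof in which the prover sends k intermediate points, and a generic-group verifier that folds the k+1 segment claims together with random exponents so that its sequential work is T/(k+1) squarings, which is the k-element variant of Pietrzak's protocol the abstract refers to. It also shows the other branch of the theorem: a verifier that knows the factors p, q of N and therefore needs no sequential squaring at all. The toy safe primes 1019 and 1907, the sample input x = 12345^2 mod N, and all function names are constructed for this illustration. The Jacobi-symbol check that places every element in the signed quadratic residues QR_N^+ is the standard way of removing the low-order elements of Z_N^* that would otherwise let a false proof pass with probability 1/2; the abstract does not describe it, so it is an assumption of this example, as is the requirement that (k+1) divides T.

```python
# Added example, not code from the paper: the repeated-squaring relation
# y = x^(2^T) mod N, a one-round k-element proof, and two verifiers: a
# generic-group one doing T/(k+1) sequential squarings, and one that knows
# the factors of N and needs no sequential work at all.
import math
import secrets

def is_safe_prime(p):
    """True if p and (p-1)/2 are both prime (trial division; toy sizes only)."""
    def prime(n):
        return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
    return p % 2 == 1 and prime(p) and prime((p - 1) // 2)

# Constructed toy modulus from two safe primes (real RSA moduli are 2048+ bits).
P_TOY, Q_TOY = 1019, 1907
N_TOY = P_TOY * Q_TOY
assert is_safe_prime(P_TOY) and is_safe_prime(Q_TOY)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity loop."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def signed(z, N):
    """Representative of z in QR_N^+ (Z_N^* modulo sign): |z| = min(z, N - z)."""
    z %= N
    return min(z, N - z)

def repeated_squaring(x, T, N):
    """The trivial sequential algorithm: T modular squarings, no shortcut."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def prove_one_round(x, T, N, k):
    """Prover's k-element message mu_i = x^(2^(i*T/(k+1))), i = 1..k; needs (k+1) | T.
    k = 0 is the empty proof, for which the verifier redoes all T squarings."""
    assert T > 0 and T % (k + 1) == 0
    step = T // (k + 1)
    mus, cur = [], x % N
    for _ in range(k):
        cur = repeated_squaring(cur, step, N)
        mus.append(signed(cur, N))
    return mus

def verify_one_round(x, y, T, N, k, mus, rng=secrets.randbelow):
    """Randomized generic-group verifier (MA-style, one message from the prover).

    The k+1 segment claims a_i^(2^step) = b_i, with a = [x, mu_1..mu_k] and
    b = [mu_1..mu_k, y], are folded into one claim using random 128-bit exponents:
        (prod a_i^r_i)^(2^step) == prod b_i^r_i,
    so only step = T/(k+1) sequential squarings remain (plus O(k) exponentiations).
    Every element must have Jacobi symbol +1 and is reduced to QR_N^+; for a
    safe-prime modulus that group has odd order p'q', so a false segment survives
    the folding with probability about 1/min(p', q')."""
    if T <= 0 or T % (k + 1) != 0 or len(mus) != k:
        return False
    elems = [x] + list(mus) + [y]
    if any(jacobi(z, N) != 1 for z in elems):  # rejects non-units and anything outside +/-QR_N
        return False
    elems = [signed(z, N) for z in elems]
    step = T // (k + 1)
    lhs = rhs = 1
    for i in range(k + 1):
        r = rng(1 << 128)
        lhs = lhs * pow(elems[i], r, N) % N
        rhs = rhs * pow(elems[i + 1], r, N) % N
    return signed(repeated_squaring(lhs, step, N), N) == signed(rhs, N)

def verify_with_factors(x, y, T, p, q):
    """The other branch of the theorem: a verifier that can factor N reduces the
    exponent 2^T modulo phi(N) and checks with one exponentiation, no T squarings."""
    N, phi = p * q, (p - 1) * (q - 1)
    return pow(x, pow(2, T, phi), N) == y % N

if __name__ == "__main__":
    x = pow(12345, 2, N_TOY)  # constructed input; a square, hence in QR_N
    T, k = 64, 3
    y = repeated_squaring(x, T, N_TOY)
    proof = prove_one_round(x, T, N_TOY, k)
    print("proof elements:", len(proof), "| verifier squarings:", T // (k + 1), "of", T)
    print("generic verifier accepts:", verify_one_round(x, y, T, N_TOY, k, proof))
    print("factoring verifier accepts:", verify_with_factors(x, y, T, P_TOY, Q_TOY))
```

The 128-bit exponents are the statistical soundness parameter of the folding step, and the membership check matters: without it, a prover could multiply one intermediate value by an element of order 2 (such as N-1) and the folded check would still pass half the time. With k = 0 the prover sends nothing and the verifier simply recomputes all T squarings, which is the Ω(T/(k+1)) bound at one extreme; verify_with_factors is the other extreme the abstract describes, where knowing p and q makes the check cost a single exponentiation.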