The Cost of Statistical Security in Proofs for Repeated Squaring

2007 IEEE International Test Conference Pub Date : 2023-01-01 DOI:10.4230/LIPIcs.ITC.2023.4

Cody R. Freitag, Ilan Komargodski

{"title":"The Cost of Statistical Security in Proofs for Repeated Squaring","authors":"Cody R. Freitag, Ilan Komargodski","doi":"10.4230/LIPIcs.ITC.2023.4","DOIUrl":null,"url":null,"abstract":"In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x , an integer T , and an RSA modulus N , it is hard to compute x 2 T mod N – or even decide whether y ? = x 2 T mod N – in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages. In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group Z ⋆N . As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω( T/ ( k + 1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p, q such that N = p · q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O ( T/ ( k + 1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier. We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r -round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω( T/ ( k + 1) r ) with high probability, or is able to factor N given the proof transcript","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2023.4","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

In recent years, the number of applications of the repeated squaring assumption has been growing rapidly. The assumption states that, given a group element x , an integer T , and an RSA modulus N , it is hard to compute x 2 T mod N – or even decide whether y ? = x 2 T mod N – in parallel time less than the trivial approach of simply computing T squares. This rise has been driven by efficient proof systems for repeated squaring, opening the door to more efficient constructions of verifiable delay functions, various secure computation primitives, and proof systems for more general languages. In this work, we study the complexity of statistically sound proofs for the repeated squaring relation. Technically, we consider proofs where the prover sends at most k ≥ 0 elements and the (probabilistic) verifier performs generic group operations over the group Z ⋆N . As our main contribution, we show that for any (one-round) proof with a randomized verifier (i.e., an MA proof) the verifier either runs in parallel time Ω( T/ ( k + 1)) with high probability, or is able to factor N given the proof provided by the prover. This shows that either the prover essentially sends p, q such that N = p · q (which is infeasible or undesirable in most applications), or a variant of Pietrzak’s proof of repeated squaring (ITCS 2019) has optimal verifier complexity O ( T/ ( k + 1)). In particular, it is impossible to obtain a statistically sound one-round proof of repeated squaring with efficiency on par with the computationally-sound protocol of Wesolowski (EUROCRYPT 2019), with a generic group verifier. We further extend our one-round lower bound to a natural class of recursive interactive proofs for repeated squaring. For r -round recursive proofs where the prover is allowed to send k group elements per round, we show that the verifier either runs in parallel time Ω( T/ ( k + 1) r ) with high probability, or is able to factor N given the proof transcript

查看原文本刊更多论文

重复平方证明中的统计安全代价

近年来，重复平方假设的应用数量迅速增长。这个假设表明，给定一个群元素x、一个整数T和一个RSA模N，很难计算x2t模N，甚至很难决定y ?= x 2t模N -在并行时间内小于简单计算T平方的平凡方法。这种增长是由有效的重复平方证明系统驱动的，这为更有效地构造可验证的延迟函数、各种安全计算原语和更通用语言的证明系统打开了大门。在这项工作中，我们研究了重复平方关系的统计可靠证明的复杂性。从技术上讲，我们认为证明者最多发送k≥0个元素，并且(概率)验证者对组Z -百科N执行一般的组操作。作为我们的主要贡献，我们证明了对于随机验证者(即MA证明)的任何(一轮)证明，验证者要么以高概率并行时间Ω(T/ (k + 1))运行，要么能够在给定证明者提供的证明的情况下分解N。这表明证明者发送的p, q使得N = p·q(这在大多数应用中是不可行的或不希望的)，或者Pietrzak的重复平方证明(ITCS 2019)的变体具有最佳验证者复杂度O (T/ (k + 1))。特别是，不可能获得统计上合理的重复平方的一轮证明，其效率与Wesolowski的计算合理的协议(EUROCRYPT 2019)相当，并且具有通用的组验证器。我们进一步将单轮下界推广到一类自然的重复平方的递归交互证明。对于允许证明者每轮发送k个组元素的r轮递归证明，我们表明验证者要么以高概率并行时间Ω(T/ (k + 1) r)运行，要么能够在给定证明副本的情况下分解N

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2007 IEEE International Test Conference

自引率

0.00%

发文量