**Time- and Space-Efficient Arguments from Groups of Unknown Order**

*Alexander R. Block and Justin Holmgren and Alon Rosen and Ron D. Rothblum and Pratik Soni*

**Abstract: **We construct public-coin time- and space-efficient zero-knowledge arguments for $\mathbf{NP}$. For every time $T$ and space $S$ non-deterministic RAM computation, the prover runs in time $T \cdot \mathrm{polylog}(T)$ and space $S \cdot \mathrm{polylog}(T)$, and the verifier runs in time $n \cdot \mathrm{polylog}(T)$, where $n$ is the input length. Our protocol relies on hidden order groups, which can be instantiated with a trusted setup from the hardness of factoring (products of safe primes), or without a trusted setup using class groups. The argument-system can heuristically be made non-interactive using the Fiat-Shamir transform.

Our proof builds on DARK (Bünz et al., Eurocrypt 2020), a recent succinct and efficiently verifiable polynomial commitment scheme. We show how to implement a variant of DARK in a time- and space-efficient way. Along the way we:

1. Identify a significant gap in the proof of security of DARK. 2. Give a non-trivial modification of the DARK scheme that overcomes the aforementioned gap. The modified version also relies on significantly weaker cryptographic assumptions than those in the original DARK scheme. Our proof utilizes ideas from the theory of integer lattices in a novel way. 3. Generalize Pietrzak's (ITCS 2019) proof of exponentiation ($\mathsf{PoE}$) protocol to work with general groups of unknown order (without relying on any cryptographic assumption).

In proving these results, we develop general-purpose techniques for working with (hidden order) groups, which may be of independent interest.

**Category / Keywords: **cryptographic protocols / Proofs and Arguments, Succinct Arguments, Zero Knowledge

**Original Publication**** (with major differences): **IACR-CRYPTO-2021

**Date: **received 17 Mar 2021, last revised 25 Jun 2021

**Contact author: **block9 at purdue edu, justin holmgren at ntt-research com, alon rosen at idc ac il, rothblum at cs technion ac il, psoni at andrew cmu edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20210626:002148 (All versions of this report)

**Short URL: **ia.cr/2021/358

[ Cryptology ePrint archive ]