On Efficient and Secure Compression Modes for Arithmetization-Oriented Hashing

Elena Andreeva; Rishiraj Bhattacharyya; Arnab Roy; Stefano Trevisani

Paper 2024/047

On Efficient and Secure Compression Modes for Arithmetization-Oriented Hashing

Elena Andreeva

, TU Wien

Rishiraj Bhattacharyya, University of Birmingham

Arnab Roy

, Universität Innsbruck

Stefano Trevisani

, TU Wien

Abstract

ZK-SNARKs are advanced cryptographic protocols used in private verifiable computation: modern SNARKs allow to encode the invariants of an arithmetic circuit over some large prime field in an appropriate NP language, from which a zero-knowlege short non-interactive argument of knowledge is built. Due to the high cost of proof generation, ZK-SNARKs for large constraint systems are inpractical. ZK-SNARKs are used in privacy-oriented blockchains such as Filecoin, ZCash and Monero, to verify Merkle tree opening proofs, which in turn requires computing a fixed-input-length (FIL) cryptographic compression function. As classical, bit-oriented hash functions like SHA-2 require huge constraint systems, Arithmetization-Oriented (AO) compression functions have emerged to fill the gap. Usually, AO compression functions are obtained by applying the Sponge hashing mode on a fixed-key permutation: while this avoids the cost of dynamic key scheduling, AO schedulers are often cheap to compute, making the exploration of AO compression functions based directly on blockciphers a topic of practical interest. In this work, we first adapt notions related to classical hash functions and their security notions to the AO syntax, and inspired by the classical PGV modes, we propose AO PGV-LC and AO PGV-ELC, two blockcipher-based FIL compression modes with parametrizable input and output sizes. In the ideal cipher model, we prove the collision and preimage resistance of both our modes, and give bounds for collision and opening resistance over Merkle trees of arbitrary arity. We then experimentally compare the AO PGV-LC mode over the Hades-MiMC blockcipher with its popular Sponge instantiation, Poseidon. The resulting construction, called Poseidon-DM, is $2$-$5\times$ faster than Poseidon in native computations, and $15$-$35\%$ faster in generating Merkle tree proofs over the Groth16 SNARK framework, depending on the tree arity. In particular, proof generation for an $8$-ary tree over Poseidon-DM is $2.5\times$ faster than for a binary tree with the same capacity over Poseidon. Finally, in an effort to further exploit the benefits of wide trees, we propose a new strategy to obtain a compact R1CS constraint system for Merkle trees with arbitrary arity.

Note: Extended analysis

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint.
Keywords: Hash function Block cipher Arithmetization-Oriented Merkle tree Zero-Knowledge SNARK Poseidon
Contact author(s): elena andreeva @ tuwien ac at
rishiraj bhattacharyya @ gmail com
Arnab Roy @ uibk ac at
stefano trevisani @ tuwien ac at
History: 2024-02-20: last of 2 revisions; 2024-01-11: received; See all versions
Short URL: https://ia.cr/2024/047
License: CC BY

BibTeX

@misc{cryptoeprint:2024/047,
      author = {Elena Andreeva and Rishiraj Bhattacharyya and Arnab Roy and Stefano Trevisani},
      title = {On Efficient and Secure Compression Modes for Arithmetization-Oriented Hashing},
      howpublished = {Cryptology ePrint Archive, Paper 2024/047},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/047}},
      url = {https://eprint.iacr.org/2024/047}
}