{"OA_type":"green","title":"Practical batch proofs of exponentiation","_id":"20701","department":[{"_id":"KrPi"}],"citation":{"short":"C. Hoffmann, P. Hubáček, S. Ivanova, Cryptology EPrint Archive (n.d.).","chicago":"Hoffmann, Charlotte, Pavel Hubáček, and Svetlana Ivanova. “Practical Batch Proofs of Exponentiation.” Cryptology EPrint Archive. International Association for Cryptologic Research , n.d.","ista":"Hoffmann C, Hubáček P, Ivanova S. Practical batch proofs of exponentiation. Cryptology ePrint Archive, 2024/145.","mla":"Hoffmann, Charlotte, et al. “Practical Batch Proofs of Exponentiation.” Cryptology EPrint Archive, 2024/145, International Association for Cryptologic Research .","ama":"Hoffmann C, Hubáček P, Ivanova S. Practical batch proofs of exponentiation. Cryptology ePrint Archive.","apa":"Hoffmann, C., Hubáček, P., & Ivanova, S. (n.d.). Practical batch proofs of exponentiation. Cryptology ePrint Archive. International Association for Cryptologic Research .","ieee":"C. Hoffmann, P. Hubáček, and S. Ivanova, “Practical batch proofs of exponentiation,” Cryptology ePrint Archive. International Association for Cryptologic Research ."},"abstract":[{"text":"A Proof of Exponentiation (PoE) allows a prover to efficiently convince a verifier that 𝑦 = 𝑥^𝑒 in some group of unknown order. PoEs\r\nare the basis for practical constructions of Verifiable Delay Functions (VDFs), which, in turn, are important for various higher-level\r\nprotocols in distributed computing. In applications such as distributed consensus, many PoEs are generated regularly, motivating\r\nprotocols for secure aggregation of batches of statements into a\r\nfew statements to improve the efficiency for both parties. Rotem\r\n(TCC 2021) recently presented two such generic batch PoEs.\r\nIn this work, we introduce two batch PoEs that outperform\r\nboth proposals of Rotem and we evaluate their practicality. 
First,\r\nwe show that the two batch PoEs of Rotem can be combined to\r\nimprove the overall efficiency by at least a factor of two. Second, we\r\nrevisit the work of Bellare, Garay, and Rabin (EUROCRYPT 1998)\r\non batch verification of digital signatures and show that, under the\r\nlow order assumption, their bucket test can be securely adapted to\r\nthe setting of groups of unknown order. The resulting batch PoE\r\nquickly outperforms the state of the art in the expected number of\r\ngroup multiplications with the growing number of instances, and it\r\ndecreases the cost of batching by an order of magnitude already for\r\nhundreds of thousands of instances. Importantly, it is the first batch\r\nPoE that significantly decreases both the proof size and complexity\r\nof verification. Our experimental evaluations show that even a nonoptimized implementation achieves such improvements, which\r\nwould match the demands of real-life systems requiring large-scale\r\nPoE processing.\r\nFinally, even though our proof techniques are conceptually similar to Rotem, we give an improved analysis of the application of the\r\nlow order assumption towards secure batching of PoE instances,\r\nresulting in a tight reduction, which is important when setting the\r\nsecurity parameter in practice.","lang":"eng"}],"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"20556"}]},"publisher":"International Association for Cryptologic Research ","date_created":"2025-11-27T10:13:38Z","author":[{"first_name":"Charlotte","orcid":"0000-0003-2027-5549","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","last_name":"Hoffmann","full_name":"Hoffmann, Charlotte"},{"last_name":"Hubáček","full_name":"Hubáček, Pavel","first_name":"Pavel"},{"first_name":"Svetlana","last_name":"Ivanova","full_name":"Ivanova, Svetlana"}],"date_published":"2024-02-02T00:00:00Z","publication":"Cryptology ePrint Archive","tmp":{"short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 
International Public License (CC-BY 4.0)","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png"},"corr_author":"1","acknowledgement":"Pavel Hubáček was supported by the Institute of Mathematics, Czech Academy of Sciences (RVO 67985840).","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","date_updated":"2025-11-27T12:21:38Z","status":"public","type":"preprint","oa":1,"article_processing_charge":"No","language":[{"iso":"eng"}],"main_file_link":[{"url":"https://eprint.iacr.org/2024/145","open_access":"1"}],"year":"2024","day":"02","article_number":"2024/145","OA_place":"repository","month":"02","publication_status":"draft","oa_version":"Preprint"}