Theory of Cryptography 18th

International Conference TCC 2020

Durham NC USA November 16 19 2020
Proceedings Part II Rafael Pass
Visit to download the full and correct content document:
https://textbookfull.com/product/theory-of-cryptography-18th-international-conference-
tcc-2020-durham-nc-usa-november-16-19-2020-proceedings-part-ii-rafael-pass/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Theory of Cryptography 18th International Conference

TCC 2020 Durham NC USA November 16 19 2020 Proceedings
Part I Rafael Pass

https://textbookfull.com/product/theory-of-cryptography-18th-
international-conference-tcc-2020-durham-nc-usa-
november-16-19-2020-proceedings-part-i-rafael-pass/

Theory of Cryptography 18th International Conference

TCC 2020 Durham NC USA November 16 19 2020 Proceedings
Part III Rafael Pass

https://textbookfull.com/product/theory-of-cryptography-18th-
international-conference-tcc-2020-durham-nc-usa-
november-16-19-2020-proceedings-part-iii-rafael-pass/

Applied Cryptography and Network Security 18th

International Conference ACNS 2020 Rome Italy October
19 22 2020 Proceedings Part II Mauro Conti

https://textbookfull.com/product/applied-cryptography-and-
network-security-18th-international-conference-acns-2020-rome-
italy-october-19-22-2020-proceedings-part-ii-mauro-conti/

Theory of Cryptography 16th International Conference

TCC 2018 Panaji India November 11 14 2018 Proceedings
Part II Amos Beimel

https://textbookfull.com/product/theory-of-cryptography-16th-
international-conference-tcc-2018-panaji-india-
november-11-14-2018-proceedings-part-ii-amos-beimel/
Applied Cryptography and Network Security 18th
International Conference ACNS 2020 Rome Italy October
19 22 2020 Proceedings Part I Mauro Conti

https://textbookfull.com/product/applied-cryptography-and-
network-security-18th-international-conference-acns-2020-rome-
italy-october-19-22-2020-proceedings-part-i-mauro-conti/

Theory of Cryptography 16th International Conference

TCC 2018 Panaji India November 11 14 2018 Proceedings
Part I Amos Beimel

https://textbookfull.com/product/theory-of-cryptography-16th-
international-conference-tcc-2018-panaji-india-
november-11-14-2018-proceedings-part-i-amos-beimel/

HCI International 2020 Posters 22nd International

Conference HCII 2020 Copenhagen Denmark July 19 24 2020
Proceedings Part II Constantine Stephanidis

https://textbookfull.com/product/hci-
international-2020-posters-22nd-international-conference-
hcii-2020-copenhagen-denmark-july-19-24-2020-proceedings-part-ii-
constantine-stephanidis/

HCI International 2020 Late Breaking Posters 22nd

International Conference HCII 2020 Copenhagen Denmark
July 19 24 2020 Proceedings Part II Constantine
Stephanidis
https://textbookfull.com/product/hci-international-2020-late-
breaking-posters-22nd-international-conference-
hcii-2020-copenhagen-denmark-july-19-24-2020-proceedings-part-ii-
constantine-stephanidis/

Information Processing and Management of Uncertainty in

Knowledge Based Systems 18th International Conference
IPMU 2020 Lisbon Portugal June 15 19 2020 Proceedings
Part II Marie-Jeanne Lesot
https://textbookfull.com/product/information-processing-and-
management-of-uncertainty-in-knowledge-based-systems-18th-
international-conference-ipmu-2020-lisbon-portugal-
 Rafael Pass
Krzysztof Pietrzak (Eds.)
LNCS 12551

Theory
of Cryptography
18th International Conference, TCC 2020
Durham, NC, USA, November 16–19, 2020
Proceedings, Part II
Lecture Notes in Computer Science 12551

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members

Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this subseries at http://www.springer.com/series/7410
Rafael Pass Krzysztof Pietrzak (Eds.)
•

Theory
of Cryptography
18th International Conference, TCC 2020
Durham, NC, USA, November 16–19, 2020
Proceedings, Part II

123
Editors
Rafael Pass Krzysztof Pietrzak
Cornell Tech Institute of Science and Technology Austria
New York, NY, USA Klosterneuburg, Austria

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-64377-5 ISBN 978-3-030-64378-2 (eBook)
https://doi.org/10.1007/978-3-030-64378-2
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2020

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

The 18th Theory of Cryptography Conference (TCC 2020) was held virtually during
November 16–19, 2020. It was sponsored by the International Association for Cryp-
tologic Research (IACR). The general chair of the conference was Alessandra Scafuro.
TCC 2020 was originally planned to be co-located with FOCS 2020 in Durham,
North Carolina, USA. Due to the COVID-19 pandemic both events were converted into
virtual events, and were held on the same day at the same time. The authors uploaded
videos of roughly 20 minutes prior to the conference, and at the conference had a
10-minute window to present a summary of their work and answer questions. The
virtual event would not have been possible without the generous help of Kevin and Kay
McCurley, and we would like to thank them wholeheartedly.
The conference received 167 submissions, of which the Program Committee
(PC) selected 71 for presentation. Each submission was reviewed by at least four PC
members. The 39 PC members (including PC chairs), all top researchers in the field,
were helped by 226 external reviewers, who were consulted when appropriate. These
proceedings consist of the revised version of the 71 accepted papers. The revisions
were not reviewed, and the authors bear full responsibility for the content of their
papers.
As in previous years, we used Shai Halevi’s excellent Web-review software, and are
extremely grateful to him for writing it, and for providing fast and reliable technical
support whenever we had any questions.
This was the 7th year that TCC presented the Test of Time Award to an outstanding
paper that was published at TCC at least eight years ago, making a significant con-
tribution to the theory of cryptography, preferably with influence also in other areas of
cryptography, theory, and beyond. This year the Test of Time Award Committee
selected the following paper, published at TCC 2008: “Perfectly-Secure MPC with
Linear Communication Complexity” by Zuzana Trubini and Martin Hirt. The Award
Committee recognized this paper “for introducing hyper-invertible matrices to perfectly
secure multiparty computation, thus enabling significant efficiency improvements and,
eventually, constructions with minimal communication complexity.”
We are greatly indebted to many people who were involved in making TCC 2020 a
success. A big thanks to the authors who submitted their papers and to the PC members
and external reviewers for their hard work, dedication, and diligence in reviewing the
papers, verifying the correctness, and in-depth discussions. A special thanks goes to the
general chair Alessandra Scafuro and the TCC Steering Committee.

October 2020 Rafael Pass

Krzysztof Pietrzak
 Organization

General Chair
Alessandra Scafuro North Carolina State University, USA

Program Chairs
Rafael Pass Cornell Tech, USA
Krzysztof Pietrzak IST Austria, Austria

Program Committee
Prabhanjan Ananth University of California, Santa Barbara, USA
Marshall Ball Columbia University, USA
Sonia Belaïd CryptoExperts, France
Jeremiah Blocki Purdue University, USA
Andrej Bogdanov The Chinese University of Hong Kong, Hong Kong
Chris Brzuszka Aalto University, Finland
Ignacio Cascudo IMDEA Software Institute, Spain
Kai-Min Chung Academia Sinica, Taiwan
Aloni Cohen Boston University, USA
Ran Cohen Northeastern University, USA
Nico Dottling CISPA - Helmholtz Center for Information Security,
Germany
Stefan Dziembowski University of Warsaw, Poland
Oriol Farràs Universitat Rovira i Virgili, Spain
Georg Fuchsbauer TU Wien, Austria
Niv Gilboa Ben-Gurion University of the Negev, Israel
Vipul Goyal Carnegie Mellon University, USA
Mohammad Hajiabadi University of California, Berkeley, USA
Justin Holmgren NTT Research, USA
Zahra Jafargholi Aarhus University, Denmark
Yael Tauman Kalai Microsoft Research and MIT, USA
Seny Kamara Brown University, USA
Dakshita Khurana University of Illinois Urbana-Champaign, USA
Markulf Kohlweiss The University of Edinburgh, UK
Ilan Komargodski NTT Research, USA
Huijia Lin University of Washington, USA
Mohammad Mahmoody University of Virginia, USA
Jesper Buus Nielsen Aarhus University, Denmark
Emmanuela Orsini KU Leuven, Belgium
Sunoo Park MIT and Harvard University, USA
viii Organization

Anat Paskin-Cherniavsky Ariel University, Israel

Oxana Poburinnaya Simons Institute for the Theory of Computing, USA
Silas Richelson University of California, Riverside, USA
Alon Rosen IDC Herzliya, Israel
Abhi Shelat Northeastern University, USA
Nicholas Spooner University of California, Berkeley, USA
Uri Stemmer Ben-Gurion University of the Negev, Israel
Justin Thaler Georgetown University, USA
Daniel Wichs Northeastern University and NTT Research, USA
Eylon Yogev Boston University, USA, and Tel Aviv University,
Israel

External Reviewers

Hamza Abusalah Yilei Chen Rex Fernando

Amit Agarwal Ilaria Chillotti Ben Fisch
Archita Agarwal Arka Rai Choudhuri Cody Freitag
Divesh Aggarwal Hao Chung Shiuan Fu
Navid Alamati Michele Ciampi Tommaso Gagliardoni
Younes Talibi Alaoui Katriel Cohn-Gordon Chaya Ganesh
Bar Alon Sandro Coretti Sanjam Garg
Joel Alwen Sandro Coretti-Drayton Romain Gay
Joël Alwen Henry Corrigan-Gibbs Marilyn George
Miguel Ambrona Geoffroy Couteau Marios Georgiou
Ghous Amjad Dana Dachman-Soled Essam Ghadafi
Christian Badertscher Hila Dahari Alexandru Gheorghiu
Saikrishna Jost Daniel Satrajit Ghosh
Badrinarayanan Pratish Datta Aarushi Goel
James Bartusek Bernardo David Sasha Golovnev
Balthazar Bauer Bernardo Machado David Junqing Gong
Carsten Baum Gareth Davies Rishab Goyal
Alex Block Akshay Degwekar Daniel Grier
Alexander Block Jack Doerner Alex Grilo
Jonathan Bootle Rafael Dowsley Siyao Guo
Adam Bouland Betul Durak Iftach Haitner
Elette Boyle Betül Durak Britta Hale
Zvika Brakerski Naomi Ephraim Ariel Hamlin
Pedro Branco Daniel Escudero Adam Blatchley Hansen
Benedikt Bünz Grzegorz Fabianski Alexander Hartl
Alper Cakan Islam Faisal Carmit Hazay
Matteo Campanelli Xiong Fan Javier Herranz
Wouter Castryck Song Fang Kyle Hogan
Hubert Chan Antonio Faonio Thibaut Horel
Lijie Chen Prastudy Fauzi Yao-Ching Hsieh
Yanlin Chen Serge Fehr James Hulett
 Organization ix

Shih-Han Hung Saeed Mahloujifar Ido Shahaf

Rawane Issa Christian Majenz Sina Shiehian
Håkon Jacobsen Nikolaos Makriyannis Omri Shmueli
Aayush Jain Giulio Malavolta Jad Silbak
Abhishek Jain Mary Maller Mark Simkin
Ruta Jawale Easwar Mangipudi Luisa Siniscalchi
Zhengzhong Jin Nathan Manohar Marjan Skrobot
Fatih Kaleoglu Jeremias Mechler Fang Song
Chethan Kamath Pierre Meyer Pratik Soni
Simon Holmgaard Kamp Tarik Moataz Akshayaram Srinivasan
Pihla Karanko Tomoyuki Morimae Ron Steinfeld
Shuichi Katsumata Tamer Mour Patrick Struck
Tomasz Kazana Marta Mularczyk Marika Swanberg
Thomas Kerber Jörn Müller-Quade Akira Takahashi
Fuyuki Kitagawa Ryo Nishimaki Aravind Thyagarajan
Susumu Kiyoshima Olga Nissenbaum Rotem Tsabary
Michael Klooß Adam O’Neill Yiannis Tselekounis
Dima Kogan Maciej Obremski Prashant Vasudevan
Dmitry Kogan Michele Orrù Muthuramakrishnan
Lisa Kohl Elena Pagnin Venkitasubramaniam
Yash Kondi Georgios Panagiotakos Daniele Venturi
Yashvanth Kondi Omer Paneth Mikhail Volkhov
Venkata Koppula Alain Passelègue Philip Wadler
Ashutosh Kumar Sikhar Patranabis Hendrik Waldner
Po-Chun Kuo Alice Pellet–Mary Mingyuan Wang
Thijs Laarhoven Rafael Del Pino Tianhao Wang
Fabien Laguillaumie Rolando La Placa Rachit Garg and
Kasper Green Larsen Antoine Plouviez Brent Waters
Eysa Lee Antigoni Polychroniadou Hoeteck Wee
Seunghoon Lee Sihang Pu Weiqiang Wen
Yi Lee Chen Qian Jeroen van Wier
Tancrède Lepoint Luowen Qian David Wu
Xiao Liang Willy Quach Sophia Yakoubov
Chengyu Lin Jordi Ribes-González Takashi Yamakawa
Wei-Kai Lin Thomas Ricosset Lisa Yang
Yao-Ting Lin Schuyler Rosefield Kevin Yeo
Quanquan Liu Dragos Rotaru Michal Zajac
Tianren Liu Lior Rotem Mark Zhandry
Alex Lombardi Sylvain Ruhault Bingsheng Zhang
Sébastien Lord Alexander Russell Chen-Da Liu Zhang
Julian Loss Paul Rösler Hong-Sheng Zhou
George Lu Pratik Sarkar Jiadong Zhu
Ji Luo Or Sattath Vassilis Zikas
Fermi Ma Sarah Scheffler Georgios Zirdelis
Yi-Hsin Ma Adam Sealfon
Urmila Mahadev Gil Segev
 Contents – Part II

Recursive Proof Composition from Accumulation Schemes . . . . . . . . . . . . . 1

Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra,
and Nicholas Spooner

Linear-Time Arguments with Sublinear Verification from Tensor Codes . . . . 19

Jonathan Bootle, Alessandro Chiesa, and Jens Groth

Barriers for Succinct Arguments in the Random Oracle Model . . . . . . . . . . . 47

Alessandro Chiesa and Eylon Yogev

Accumulators in (and Beyond) Generic Groups: Non-trivial Batch

Verification Requires Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Gili Schul-Ganz and Gil Segev

Batch Verification and Proofs of Proximity with Polylog Overhead . . . . . . . . 108

Guy N. Rothblum and Ron D. Rothblum

Batch Verification for Statistical Zero Knowledge Proofs . . . . . . . . . . . . . . . 139

Inbar Kaslasi, Guy N. Rothblum, Ron D. Rothblum, Adam Sealfon,
and Prashant Nalini Vasudevan

Public-Coin Zero-Knowledge Arguments with (almost) Minimal Time

and Space Overheads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Alexander R. Block, Justin Holmgren, Alon Rosen, Ron D. Rothblum,
and Pratik Soni

On the Price of Concurrency in Group Ratcheting Protocols. . . . . . . . . . . . . 198

Alexander Bienstock, Yevgeniy Dodis, and Paul Rösler

Stronger Security and Constructions of Multi-designated Verifier

Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Ivan Damgård, Helene Haagh, Rebekah Mercer, Anca Nitulescu,
Claudio Orlandi, and Sophia Yakoubov

Continuous Group Key Agreement with Active Security . . . . . . . . . . . . . . . 261

Joël Alwen, Sandro Coretti, Daniel Jost, and Marta Mularczyk

Round Optimal Secure Multiparty Computation

from Minimal Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Arka Rai Choudhuri, Michele Ciampi, Vipul Goyal,
Abhishek Jain, and Rafail Ostrovsky
xii Contents – Part II

Reusable Two-Round MPC from DDH . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

James Bartusek, Sanjam Garg, Daniel Masny, and Pratyay Mukherjee

Mr NISC: Multiparty Reusable Non-Interactive Secure Computation . . . . . . . 349

Fabrice Benhamouda and Huijia Lin

Secure Massively Parallel Computation for Dishonest Majority . . . . . . . . . . . 379

Rex Fernando, Ilan Komargodski, Yanyi Liu, and Elaine Shi

Towards Multiparty Computation Withstanding Coercion of All Parties . . . . . 410

Ran Canetti and Oxana Poburinnaya

Synchronous Constructive Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Chen-Da Liu-Zhang and Ueli Maurer

Topology-Hiding Communication from Minimal Assumptions . . . . . . . . . . . 473

Marshall Ball, Elette Boyle, Ran Cohen, Lisa Kohl, Tal Malkin,
Pierre Meyer, and Tal Moran

Information-Theoretic 2-Round MPC Without Round Collapsing: Adaptive

Security, and More . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Huijia Lin, Tianren Liu, and Hoeteck Wee

On Statistical Security in Two-Party Computation . . . . . . . . . . . . . . . . . . . . 532

Dakshita Khurana and Muhammad Haris Mughees

The Resiliency of MPC with Low Interaction: The Benefit of Making

Errors (Extended Abstract) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Benny Applebaum, Eliran Kachlon, and Arpita Patra

Revisiting Fairness in MPC: Polynomial Number of Parties and General

Adversarial Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Dana Dachman-Soled

On the Power of an Honest Majority in Three-Party Computation

Without Broadcast. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Bar Alon, Ran Cohen, Eran Omri, and Tom Suad

A Secret-Sharing Based MPC Protocol for Boolean Circuits with Good

Amortized Complexity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Ignacio Cascudo and Jaron Skovsted Gundersen

On the Round Complexity of the Shuffle Model . . . . . . . . . . . . . . . . . . . . . 683

Amos Beimel, Iftach Haitner, Kobbi Nissim, and Uri Stemmer

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

 Recursive Proof Composition
from Accumulation Schemes

Benedikt Bünz1 , Alessandro Chiesa2 , Pratyush Mishra2(B) , and Nicholas Spooner2

1
Stanford University, Stanford, USA
benedikt@cs.stanford.edu
2
UC Berkeley, Berkeley, USA
{alexch,pratyush,nick.spooner}@berkeley.edu

Abstract. Recursive proof composition has been shown to lead to powerful prim-
itives such as incrementally-verifiable computation (IVC) and proof-carrying data
(PCD). All existing approaches to recursive composition take a succinct non-
interactive argument of knowledge (SNARK) and use it to prove a statement
about its own verifier. This technique requires that the verifier run in time sublin-
ear in the size of the statement it is checking, a strong requirement that restricts
the class of SNARKs from which PCD can be built. This in turn restricts the effi-
ciency and security properties of the resulting scheme.
Bowe, Grigg, and Hopwood (ePrint 2019/1021) outlined a novel approach to
recursive composition, and applied it to a particular SNARK construction which
does not have a sublinear-time verifier. However, they omit details about this
approach and do not prove that it satisfies any security property. Nonetheless,
schemes based on their ideas have already been implemented in software.
In this work we present a collection of results that establish the theoretical
foundations for a generalization of the above approach. We define an accumula-
tion scheme for a non-interactive argument, and show that this suffices to con-
struct PCD, even if the argument itself does not have a sublinear-time verifier.
Moreover we give constructions of accumulation schemes for SNARKs, which
yield PCD schemes with novel efficiency and security features.

Keywords: Succinct arguments · Proof-carrying data · Recursive proof

composition

1 Introduction
Proof-carrying data (PCD) [CT10] is a cryptographic primitive that enables mutually
distrustful parties to perform distributed computations that run indefinitely, while ensur-
ing that every intermediate state of the computation can be succinctly verified. PCD sup-
ports computations defined on (possibly infinite) directed acyclic graphs, with messages
passed along directed edges. Verification is facilitated by attaching to each message a
succinct proof of correctness. This is a generalization of the notion of incrementally-
verifiable computation (IVC) due to [Val08], which can be viewed as PCD for the path
graph (i.e., for automata). PCD has found applications in enforcing language semantics
[CTV13], verifiable MapReduce computations [CTV15], image authentication [NT16],
succinct blockchains [Co17, KB20, BMRS20], and others.


c International Association for Cryptologic Research 2020
R. Pass and K. Pietrzak (Eds.): TCC 2020, LNCS 12551, pp. 1–18, 2020.
https://doi.org/10.1007/978-3-030-64378-2_1
2 B. Bünz et al.

Recursive Composition. Prior to this work, the only known method for constructing
PCD was from recursive composition of succinct non-interactive arguments (SNARGs)
[BCCT13, BCTV14, COS20]. This method informally works as follows. A proof that
the computation was executed correctly for t steps consists of a proof of the claim “the
t-th step of the computation was executed correctly, and there exists a proof that the
computation was executed correctly for t − 1 steps”. The latter part of the claim is
expressed using the SNARG verifier itself. This construction yields secure PCD (with
IVC as a special case) provided the SNARG satisfies an adaptive knowledge soundness
property (i.e., is a SNARK). The efficiency and security properties of the resulting PCD
scheme correspond to those of a single invocation of the SNARK.
Limitations of Recursion. Recursion as realized in prior work requires proving a
statement that contains a description of the SNARK verifier. In particular, for effi-
ciency, we must ensure that the statement we are proving (essentially) does not grow
with the number of recursion steps t. For example, if the representation of the veri-
fier were to grow even linearly with the statement it is verifying, then the size of the
statement to be checked would grow exponentially in t. Therefore, prior works have
achieved efficiency by focusing on SNARKs which admit sublinear-time verification:
either SNARKs for machine computations [BCCT13] or preprocessing SNARKs for
circuit computations [BCTV14, COS20]. Requiring sublinear-time verification signifi-
cantly restricts our choice of SNARK, which limits what we can achieve for PCD.
In addition to the above asymptotic considerations, recursion raises additional con-
siderations concerning concrete efficiency. All SNARK constructions require that state-
ments be encoded as instances of some particular (algebraic) NP-complete problem, and
difficulties often arise when encoding the SNARK verifier itself as such an instance. The
most well-known example of this is in recursive composition of pairing-based SNARKs,
since the verifier performs operations over a finite field that is necessarily different
from the field supported “natively” by the NP-complete problem [BCTV14]. This type
of problem also appears when recursing SNARKs whose verifiers make heavy use of
cryptographic hash functions [COS20].
A New Technique. Bowe, Grigg, and Hopwood [BGH19] suggest an exciting novel
approach to recursive composition that replaces the SNARK verifier in the circuit with a
simpler algorithm. This algorithm does not itself verify the previous proof πt−1 . Instead,
it adds the proof to an accumulator for verification at the end. The accumulator must
not grow in size. A key contribution of [BGH19] is to sketch a mechanism by which
this might be achieved for a particular SNARK construction. While they prove this
SNARK construction secure, they do not include definitions or proofs of security for
their recursive technique. Nonetheless, practitioners have already built software based
on these ideas [Halo19, Pickles20].

1.1 Our Contributions

In this work we provide a collection of results that establish the theoretical founda-
tions for the above approach. We introduce the cryptographic object, an accumulation
scheme, that enables this technique, and prove that it suffices for constructing PCD. We
then provide generic tools for building accumulation schemes, as well as several con-
crete instantiations. Our framework establishes the security of schemes that are already
 Recursive Proof Composition from Accumulation Schemes 3

being used by practitioners, and we believe that it will simplify and facilitate further
research in this area.
Accumulation Schemes. We introduce the notion of an accumulation scheme for
a predicate Φ : X → {0, 1}. This formalizes, and generalizes, an idea outlined in
[BGH19]. An accumulation scheme is best understood in the context of the follow-
ing process. Consider an infinite stream q1 , q2 , . . . with each qi ∈ X. We augment this
stream with accumulators acci as follows: at time i, the accumulation prover receives
(qi , acci−1 ) and computes acci ; the accumulation verifier receives (qi , acci−1 , acci )
and checks that acci−1 and qi were correctly accumulated into acci (if not, the process
ends). Then at any time t, the decider can validate acct , which establishes that, for all
i ∈ [t], Φ(qi ) = 1. All three algorithms are stateless. To avoid trivial constructions, we
want (i) the accumulation verifier to be more efficient than Φ, and (ii) the size of an
accumulator (and hence the running time of the three algorithms) does not grow over
time. Accumulation schemes are powerful, as we demonstrate next.
Recursion from Accumulation. We say that a SNARK has an accumulation scheme
if the predicate corresponding to its verifier has an accumulation scheme (so X is a set
of instance-proof pairs). We show that any SNARK having an accumulation scheme
where the accumulation verifier is sublinear can be used to build a proof-carrying
data (PCD) scheme, even if the SNARK verifier is not itself sublinear. This broadens
the class of SNARKs from which PCD can be built. Similarly to [COS20], we show
that if the SNARK and accumulation scheme are post-quantum secure, so is the PCD
scheme. (Though it remains an open question whether there are non-trivial accumula-
tion schemes for post-quantum SNARKs.)

Theorem 1 (informal). There is an efficient transformation that compiles any SNARK

with an efficient accumulation scheme into a PCD scheme. If the SNARK and its accu-
mulation scheme are zero knowledge, then the PCD scheme is also zero knowledge.
Additionally, if the SNARK and its accumulation scheme are post-quantum secure then
the PCD scheme is also post-quantum secure.

The above theorem holds in the standard model (where all parties have access to a
common reference string, but no oracles). Since our construction makes non-black-box
use of the accumulation scheme verifier, the theorem does not carry over to the random
oracle model (ROM). It remains an intriguing open problem to determine whether or
not SNARKs in the ROM imply PCD in the ROM (and if the latter is even possible).
Note that we require a suitable definition of zero knowledge for an accumulation
scheme. This is not trivial, and our definition is informed by what is required for
Theorem 1 and what our constructions achieve.
Proof-carrying data is a powerful primitive: it implies IVC and, further assuming
collision-resistant hash functions, also efficient SNARKs for machine computations.
Hence, Theorem 1 may be viewed as an extension of the “bootstrapping” theorem of
[BCCT13] to certain non-succinct-verifier SNARKs.
See Sect. 2.1 for a summary of the ideas behind Theorem 1, and the full version for
technical details.
4 B. Bünz et al.

Accumulation from Accumulation. Given the above, a natural question is: where
do accumulation schemes for SNARKs come from? In [BGH19] it was informally
observed that a specific SNARK construction, based on the hardness of the discrete
logarithm problem, has an accumulation scheme. To show this, [BGH19] first observe
that the verifier in the SNARK construction is sublinear except for the evaluation of a
certain predicate (checking an opening of a polynomial commitment [KZG10]), then
outline a construction which is essentially an accumulation scheme for that predicate.
We prove that this idea is a special case of a general paradigm for building accumu-
lation schemes for SNARKs.
Theorem 2 (informal). There is an efficient transformation that, given a SNARK whose
verifier is succinct when given oracle access to a “simpler” predicate, and an accumu-
lation scheme for that predicate, constructs an accumulation scheme for the SNARK.
Moreover, this transformation preserves zero knowledge and post-quantum security of
the accumulation scheme.
The construction underlying Theorem 2 is black-box. In particular, if both the
SNARK and the accumulation scheme for the predicate are secure with respect to an
oracle, then the resulting accumulation scheme for the SNARK is secure with respect
to that oracle.
See Sect. 2.3 for a summary of the ideas behind Theorem 2, and the full version for
technical details.
Accumulating Polynomial Commitments. Several works [MBKM19, GWC19,
CHM+20] have constructed SNARKs whose verifiers are succinct relative to a spe-
cific predicate: checking the opening of a polynomial commitment [KZG10]. We prove
that two natural polynomial commitment schemes possess accumulation schemes in
the random oracle model: PCDL , a scheme based on the security of discrete logarithms
[BCC+16, BBB+18, WTS+18]; and PCAGM , a scheme based on knowledge assumptions
in bilinear groups [KZG10, CHM+20].
Theorem 3 (informal). In the random oracle model, there exist (zero knowledge) accu-
mulation schemes for PCDL and PCAGM that achieve the efficiency outlined in the table
below (n denotes the number of evaluation proofs, and d denotes the degree of commit-
ted polynomials).

Polynomial Assumption Cost to check Cost to check an Cost to check final Accumulator
commitment evaluation proofs accumulation step accumulator size
PCDL DLOG + RO Θ(nd) G mults. Θ(n log d) G mults. Θ(d) G mults. Θ(log d) G
PCAGM AGM + RO Θ(n) pairings Θ(n) G1 mults. 1 pairing 2 G1

For both schemes the cost of checking that an accumulation step was performed cor-
rectly is much less than the cost of checking an evaluation proof. We can apply Theorem 2
to combine either of these accumulation schemes for polynomial commitments with any
of the aforementioned predicate-efficient SNARKs, which yields concrete accumulation
schemes for these SNARKs with the same efficiency benefits.
 Recursive Proof Composition from Accumulation Schemes 5

We remark that our accumulation scheme for PCDL is a variation of a construction

presented in [BGH19], and so our result establishes the security of a type of construction
used by practitioners.
We sketch the constructions underlying Theorem 3 in Sect. 2.4, and provide details
in the full version of our paper.
New Constructions of PCD. By combining our results, we (heuristically) obtain con-
structions of PCD that achieve new properties. Namely, starting from either PCDL or
PCAGM , we can apply Theorem 2 to a suitable SNARK to obtain a SNARK with an
accumulation scheme in the random oracle model. Then we can instantiate the random
oracle, obtaining a SNARK and accumulation scheme with heuristic security in the
standard (CRS) model, to which we apply Theorem 1 to obtain a corresponding PCD
scheme. Depending on whether we started with PCDL or PCAGM , we get a PCD scheme
with different features, as summarized below.
– From PCDL : PCD based on discrete logarithms. We obtain a PCD scheme in the
uniform reference string model (i.e., without secret parameters) and small argument
sizes. In contrast, prior PCD schemes require structured reference strings [BCTV14]
or have larger argument sizes [COS20]. Moreover, our PCD scheme can be effi-
ciently instantiated from any cycle of elliptic curves [SS11]. In contrast, prior PCD
schemes with small argument size use cycles of pairing-friendly elliptic curves
[BCTV14, CCW19], which are more expensive.
– From PCAGM : lightweight PCD based on bilinear groups. The recursive statement
inside this PCD scheme does not involve checking any pairing computations,
because pairings are deferred to a verification that occurs outside the recursive state-
ment. In contrast, the recursive statements in prior PCD schemes based on pairing-
based SNARKs were more expensive because they checked pairing computations
[BCTV14].
Note again that our constructions of PCD are heuristic as they involve instantiat-
ing the random oracle of certain SNARK constructions with an appropriate hash
function. This is because Theorem 3 is proven in the random oracle model, but
Theorem 1 is explicitly not (as is the case for all prior IVC/PCD constructions
[Val08, BCCT13, BCTV14, COS20]). There is evidence that this limitation might be
inherent [CL20].
Open Problem: Accumulation in the Standard Model. All known constructions of
accumulation schemes for non-interactive arguments make use of either random ora-
cles (as in our constructions) or knowledge assumptions (e.g., the “trivial” construction
from succinct-verifier SNARKs). A natural question, then, is whether there exist con-
structions of accumulation schemes for non-interactive arguments, or any other inter-
esting predicate, from standard assumptions, or any assumptions which are not known
to imply SNARKs. A related question is whether there is a black-box impossibility for
accumulation schemes similar to the result for SNARGs of [GW11].

1.2 Related Work

Below we survey prior constructions of IVC/PCD.
6 B. Bünz et al.

PCD from SNARKs. Bitansky, Canetti, Chiesa, and Tromer [BCCT13] proved that
recursive composition of SNARKs for machine computations implies PCD for constant-
depth graphs, and that this in turn implies IVC for polynomial-time machine computa-
tions. From the perspective of concrete efficiency, however, one can achieve more effi-
cient recursive composition by using preprocessing SNARKs for circuits rather than
SNARKs for machines [BCTV14, COS20]; this observation has led to real-world appli-
cations [Co17, BMRS20]. The features of the PCD scheme obtained from recursion
depend on the features of the underlying preprocessing SNARK. Below we summarize
the features of the two known constructions.

– PCD from Pairing-based SNARKs. Ben-Sasson, Chiesa, Tromer, and Virza

[BCTV14] used pairing-based SNARKs with a special algebraic property to achieve
efficient recursive composition with very small argument sizes (linear in the secu-
rity parameter λ). The use of pairing-based SNARKs has two main downsides. First,
they require sampling a structured reference string involving secret values (“toxic
waste”) that, if revealed, compromise security. Second, the verifier performs opera-
tions over a finite field that is necessarily different from the field supported “natively”
by the statement it is checking. To avoid expensive simulation of field arithmetic, the
construction uses pairing-friendly cycles of elliptic curves, which severely restricts
the choice of field in applications and requires a large base field for security.
– PCD from IOP-based SNARKs. Chiesa, Ojha, and Spooner [COS20] used a holo-
graphic IOP to construct a preprocessing SNARK that is unconditionally secure in
the (quantum) random oracle model, which heuristically implies a post-quantum pre-
processing SNARK in the uniform reference string model (i.e., without toxic waste).
They then proved that any post-quantum SNARK leads to a post-quantum PCD
scheme via recursive composition. The downside of this construction is that, given
known holographic IOPs, the argument size is larger, currently at O(λ2 log2 N ) bits
for circuits of size N .

IVC from Homomorphic Encryption. Naor, Paneth, and Rothblum [NPR19] obtain
a notion of IVC by using somewhat homomorphic encryption and an information-
theoretic object called an “incremental PCP”. The key feature of their scheme is that
security holds under falsifiable assumptions.
There are two drawbacks, however, that restrict the use of the notion of IVC that
their scheme achieves.
First, the computation to be verified must be deterministic (this appears neces-
sary for schemes based on falsifiable assumptions given known impossibility results
[GW11]). Second, and more subtly, completeness holds only in the case where inter-
mediate proofs were honestly generated. This means that the following attack may be
possible: an adversary provides an intermediate proof that verifies, but it is impossible
for honest parties to generate new proofs for subsequent computations. Our construction
of PCD achieves the stronger condition that completeness holds so long as intermediate
proofs verify, ruling out this attack.
Both nondeterministic computation and the stronger completeness notion (achieved
by all SNARK-based PCD schemes) are necessary for many of the applications of
IVC/PCD.
 Recursive Proof Composition from Accumulation Schemes 7

2 Techniques
2.1 PCD from Arguments with Accumulation Schemes
We summarize the main ideas behind Theorem 1, which obtains proof-carrying data
(PCD) from any succinct non-interactive argument of knowledge (SNARK) that has an
accumulation scheme. For the sake of exposition, in this section we focus on the special
case of IVC, which can be viewed as repeated application of a circuit F . Specifically,
we wish to check a claim of the form “F T (z0 ) = zT ” where F T denotes F composed
with itself T times.
Prior Work: Recursion from Succinct Verification. Recall that in previous
approaches to efficient recursive composition [BCTV14, COS20], at each step i we
prove a claim of the form “zi = F (zi−1 ), and there exists a proof πi−1 that attests
to the correctness of zi−1 ”. This claim is expressed using a circuit R which is the con-
junction of F with a circuit representing the SNARK verifier; in particular, the size of
the claim is at least the size of the verifier circuit. If the size of the verifier circuit grows
linearly (or more) with the size of the claim being checked, then verifying the final
proof becomes more costly than the original computation.
For this reason, these works focus on SNARKs with succinct verification, where the
verifier runs in time sublinear in the size of the claim. In this case, the size of the claim
essentially does not grow with the number of recursive steps, and so checking the final
proof costs roughly the same as checking a single step.
Succinct verification is a seemingly paradoxical requirement: the verifier does not
even have time to read the circuit R. One way to sidestep this issue is preprocessing:
one designs an algorithm that, at the beginning of the recursion, computes a small cryp-
tographic digest of R, which the recursive verifier can use instead of reading R directly.
Because this preprocessing need only be performed once for the given R in an offline
phase, it has almost no effect on the performance of each recursive step (in the later
online phase).
A New Paradigm: IVC from Accumulation. Even allowing for preprocessing, suc-
cinct verification remains a strong requirement, and there are many SNARKs that are
not known to satisfy it (e.g., [BCC+16, BBB+18, AHIV17, BCG+17, BCR+19]). Bowe,
Grigg, and Hopwood [BGH19] suggested a further relaxation of succinctness that
appears to still suffice for recursive composition: a type of “post-processing”. Their
observation is as follows: if a SNARK is such that we can efficiently “defer” the verifi-
cation of a claim in a way that does not grow in cost with the number of claims to be
checked, then we can hope to achieve recursive composition by deferring the verifica-
tion of all claims to the end.
In the remainder of this section, we will give an overview of the proof of Theorem 1,
our construction of PCD from SNARKs that have this “post-processing” property. We
note that this relaxation of requirements is useful because, as suggested in [BGH19], it
leads to new constructions of PCD with desirable properties (see discussion at the end
of Sect. 1.1). In fact, some of these efficiency features are already being exploited by
practitioners working on recursing SNARKs [Halo19, Pickles20].
The specific property we require, which we discuss more formally in the next
section, is that the SNARK has an accumulation scheme. This is a generalization of
8 B. Bünz et al.

the idea described in [BGH19]. Informally, an accumulation scheme consists of three

algorithms: an accumulation prover, an accumulation verifier, and a decider. The accu-
mulation prover is tasked with taking an instance-proof pair (z, π) and a previous accu-
mulator acc, and producing a new accumulator acc that “includes” the new instance.
The accumulation verifier, given ((z, π), acc, acc ), checks that acc was computed
correctly (i.e., that it accumulates (z, π)) into acc). Finally the decider, given a sin-
gle accumulator acc, performs a single check that simultaneously ensures that every
instance-proof pair accumulated in acc verifies.1
Given such an accumulation scheme, we can construct IVC as follows. Given a
previous instance zi , proof πi , and accumulator acci , the IVC prover first accumulates
(zi , πi ) with acci to obtain a new accumulator acci+1 . The IVC prover also generates
a SNARK proof πi+1 of the claim: “zi+1 = F (zi ), and there exist a proof πi and an
accumulator acci such that the accumulation verifier accepts ((zi , πi ), acci , acci+1 )”,
expressed as a circuit R. The final IVC proof then consists of (πT , accT ). The IVC
verifier checks such a proof by running the SNARK verifier on πT and the accumulation
scheme decider on accT .
Why does this achieve IVC? Throughout the computation we maintain the invariant
that if acci is a valid accumulator (according to the decider) and πi is a valid proof,
then the computation is correct up to the i-th step. Clearly if this holds at time T then
the IVC verifier successfully checks the entire computation. Observe that if we were
able to prove that “zi+1 = F (zi ), πi is a valid proof, and acci is a valid accumulator”,
by applying the invariant we would be able to conclude that the computation is correct
up to step i + 1. Unfortunately we are not able to prove this directly, for two reasons: (i)
proving that πi is a valid proof requires proving a statement about the argument verifier,
which may not be sublinear, and (ii) proving that acci is a valid accumulator requires
proving a statement about the decider, which may not be sublinear.
Instead of proving this claim directly, we “defer” it by having the prover accumu-
late (zi , πi ) into acci to obtain a new accumulator acci+1 . The soundness property of
the accumulation scheme ensures that if acci+1 is valid and the accumulation verifier
accepts ((zi , πi ), acci , acci+1 ), then πi is a valid proof and acci is a valid accumula-
tor. Thus all that remains to maintain the invariant is for the prover to prove that the
accumulation verifier accepts; this is possible provided that the accumulation verifier is
sublinear.
From Sketch to Proof. In the full version of our paper, we give the formal details of our
construction and a proof of correctness. In particular, we show how to construct PCD, a
more general primitive than IVC. In the PCD setting, rather than each computation step
having a single input zi , it receives m inputs from different nodes. Proving correctness
hence requires proving that all of these inputs were computed correctly. For our con-
struction, this entails checking m proofs and m accumulators. To do this, we extend the
definition of an accumulation scheme to allow accumulating multiple instance-proof
pairs and multiple “old” accumulators.
We now informally discuss the properties of our PCD construction.
1
We remark that the notion of an accumulation scheme is distinct from the notion of a crypto-
graphic accumulator for a set (e.g., an RSA accumulator), which provides a succinct represen-
tation of a large set while supporting membership queries.
 Recursive Proof Composition from Accumulation Schemes 9

– Efficiency requirements. Observe that the statement to be proved includes only the
accumulation verifier, and so the only efficiency requirement for obtaining PCD is
that this algorithm run in time sublinear in the size of the circuit R. This implies, in
particular, that an accumulator must be of size sublinear in the size of R, and hence
must not grow with each accumulation step. The SNARK verifier and the decider
algorithm need only be efficient in the usual sense (i.e., polynomial-time).
– Soundness. We prove that the PCD scheme is sound provided that the SNARK is
knowledge sound (i.e., is an adaptively-secure argument of knowledge) and the accu-
mulation scheme is sound (see Sect. 2.2 for more on what this means). We stress that
in both cases security should be in the standard (CRS) model, without any random
oracles (as in prior PCD constructions).
– Zero knowledge. We prove that the PCD scheme is zero knowledge, if the underly-
ing SNARK and accumulation scheme are both zero knowledge (for this part we
also formulate a suitable notion of zero knowledge for accumulation schemes as
discussed shortly in Sect. 2.2).
– Post-quantum security. We also prove that if both the SNARK and accumulation
scheme are post-quantum secure, then so is the resulting PCD scheme. Here by
post-quantum secure we mean that the relevant security properties continue to hold
even against polynomial-size quantum circuits, as opposed to just polynomial-size
classical circuits.

2.2 Accumulation Schemes

A significant contribution of this work is formulating a general notion of an accumu-

lation scheme. An accumulation scheme for a non-interactive argument as described
above is a particular instance of this definition; in subsequent sections we will apply the
definition in other settings.
We first give an informal definition that captures the key features of an accumulation
scheme. For clarity this is stated for the (minimal) case of a single predicate input q and
a single “old” accumulator acc; we later extend this in the natural way to n predicate
inputs and m “old” accumulators.

Definition 1 (informal). An accumulation scheme for a predicate Φ : X → {0, 1}

consists of a triple of algorithms (P, V, D), known as the prover, verifier, and decider,
that satisfies the following properties.

– Completeness: For all accumulators acc and predicate inputs q ∈ X, if D(acc) = 1

and Φ(q) = 1, then for acc ← P(acc, q) it holds that V(acc, q, acc ) = 1 and
D(acc ) = 1.
– Soundness: For all efficiently-generated accumulators acc, acc and predicate
inputs q ∈ X, if D(acc ) = 1 and V(acc, q, acc ) = 1 then, with all but negli-
gible probability, Φ(q) = 1 and D(acc) = 1.

An accumulation scheme for a SNARK is an accumulation scheme for the predicate

induced by the argument verifier; in this case the predicate input q consists of an
instance-proof pair (x, π). Note that the completeness requirement does not place any
10 B. Bünz et al.

restriction on how the previous accumulator acc is generated; we require that complete-
ness holds for any acc the decider D determines to be valid, and any q for which the
predicate Φ holds. This is needed to obtain a similarly strong notion of completeness
for PCD, required for applications where accumulation is done by multiple parties that
do not trust one another.
Zero Knowledge. For our PCD application, the notion of zero knowledge for an accu-
mulation scheme that we use is the following: one can sample a “fake” accumulator
that is indistinguishable from a real accumulator acc , without knowing anything about
the old accumulator acc and predicate input q that were accumulated in acc . The exis-
tence of the accumulation verifier V complicates matters here: if the adversary knows
acc and q, then it is easy to distinguish a real accumulator from a fake one using V. We
resolve this issue by modifying Definition 1 to have the accumulation prover P produce
a verification proof πV in addition to the new accumulator acc . Then V uses πV in
verifying the accumulator, but πV is not required for subsequent accumulation. In our
application, the simulator then does not have to simulate πV . This avoids the problem
described: even if the adversary knows acc and q, unless πV is correct, V can simply
reject, as it would for a “fake” accumulator. Our informal definition is as follows.

Definition 2. An accumulation scheme for Φ is zero knowledge if there exists an effi-

cient simulator S such that for all accumulators acc and inputs q ∈ X such that
D(acc) = 1 and Φ(q) = 1, the distribution of acc when (acc , πV ) ← P(acc, q)
is computationally indistinguishable from acc ← S(1λ ).

Predicate Specification. The above informal definitions omit many important details;
we now highlight some of these. Suppose that, as required for IVC/PCD, we have some
fixed circuit R for which we want to accumulate pairs (xi , πi ), where πi is a SNARK
proof that there exists wi such that R(xi , wi ) = 1. In this case the predicate corre-
sponding to the verifier depends not only on the pair (xi , πi ), but also on the circuit
R, as well as the public parameters of the argument scheme pp and (often) a random
oracle ρ.
Moreover, each of these inputs has different security and efficiency considerations.
The security of the SNARK (and the accumulation scheme) can only be guaranteed
with high probability over public parameters drawn by the generator algorithm of the
SNARK, and over the random oracle. The circuit R may be chosen adversarially, but
cannot be part of the input q because it is too large; it must be fixed at the beginning.
These considerations lead us to define an accumulation scheme with respect to both
a predicate Φ : U(∗) × ({0, 1}∗ )3 → {0, 1} and a predicate-specification algorithm H.
We then adapt Definition 1 to hold for the predicate Φ(ρ, ppΦ , iΦ , ·) where ρ is a random
oracle, ppΦ is output by H, and iΦ is chosen adversarially. In our SNARK example,
H is equal to the SNARK generator, iΦ is the circuit R, and Φ(ρ, pp, R, (x, π)) =
V ρ (pp, R, x, π).
Remark 1 (helped verification). We compare accumulation schemes for SNARKs with
the notion of “helped verification” [MBKM19]. In a SNARK with helped verification,
an untrusted party known as the helper can, given n proofs, produce an auxiliary proof
 Recursive Proof Composition from Accumulation Schemes 11

that enables checking the n proofs at lower cost than that of checking each proof indi-
vidually. This batching capability can be viewed as a special case of accumulation, as
it applies to n “fresh” proofs only; there is no notion of batching “old” accumulators. It
is unclear whether the weaker notion of helped verification alone suffices to construct
IVC/PCD schemes.

2.3 Constructing Arguments with Accumulation Schemes

A key ingredient in our construction of PCD is a SNARK that has an accumulation
scheme (see Sect. 2.1). Below we summarize the ideas behind Theorem 2, by explaining
how to construct accumulation schemes for SNARKs whose verifier is succinct relative
to an oracle predicate Φ◦ that itself has an accumulation scheme.
Predicate-Efficient SNARKs. We call a SNARK ARG predicate-efficient with respect
to a predicate Φ◦ if its verifier V operates as follows: (i) run a fast “inner” verifier Vpe
to produce a bit b and query set Q; (ii) accept iff b = 1 and for all q ∈ Q, Φ◦ (q) = 1. In
essence, V can be viewed as a circuit with “oracle gates” for Φ◦ .2 The aim is for Vpe to
be significantly more efficient than V; that is, the queries to Φ◦ capture the “expensive”
part of the computation of V.
As noted in Sect. 1.1, one can view recent SNARK constructions [MBKM19,
GWC19, CHM+20] as being predicate-efficient with respect to a “polynomial commit-
ment” predicate. We discuss how to construct accumulation schemes for these predi-
cates below in Sect. 2.4.
Accumulation Scheme For Predicate-Efficient SNARKs. Let ARG be a SNARK that
is predicate-efficient with respect to a predicate Φ◦ , and let AS◦ be an accumulation
scheme for Φ◦ . To check n proofs, instead of directly invoking the SNARK verifier
V, we can first run Vpe n times to generate n query sets for Φ◦ , and then, instead of
invoking Φ◦ on each of these sets, we can accumulate these queries using AS◦ . Below
we sketch the construction of an accumulation scheme ASARG for ARG based on this
idea.
To accumulate n instance-proof pairs [(xi , πi )]ni=1 starting from an old accumulator
acc, the accumulation prover ASARG .P first invokes the inner verifier Vpe on each (xi , πi )
to generate a query set Qi for Φ◦ , accumulates their union Q = ∪ni=1 Qi into acc using
AS◦ .P, and finally outputs the resulting accumulator acc . To check that acc indeed
accumulates [(xi , πi )]ni=1 into acc, the accumulation verifier ASARG .V first checks, for
each i, whether the inner verifier Vpe accepts (xi , πi ), and then invokes AS◦ .V to check
whether acc correctly accumulates the query set Q = ∪ni=1 Qi . Finally, to decide
whether acc is a valid accumulator, the accumulation scheme decider ASARG .D sim-
ply invokes AS◦ .D.
From Sketch to Proof. The foregoing sketch omits details required to construct a
scheme that satisfies the “full” definition of accumulation schemes as stated in the full
version of our paper. For instance, as noted in Sect. 2.3, the predicate Φ◦ may be an
oracle predicate, and could depend on the public parameters of the SNARK ARG. We
2
This is not precisely the case, because the verifier is required to reject immediately if it ever
makes a query q with Φ◦ (q) = 0.
12 B. Bünz et al.

handle this by requiring that the accumulation scheme for Φ◦ uses the SNARK gen-
erator G as its predicate specification algorithm. We also show that zero knowledge
and post-quantum security are preserved. See the full version of our paper for a formal
treatment of these issues, along with security proofs.
From Predicate-Efficient SNARKs to PCD. In order to build an accumulation scheme
ASARG that suffices for PCD, ARG and AS◦ must satisfy certain efficiency properties.
In particular, when verifying satisfiability for a circuit of size N , the running time of
ASARG .V must be sublinear in N , which means in turn that the running times of Vpe
and AS◦ .V, as well as the size of the query set Q, must be sublinear in N . Crucially,
however, AS◦ .D need only run in time polynomial in N .

2.4 Accumulation Schemes for Polynomial Commitments

As noted in Sect. 2.3, several SNARK constructions (e.g., [MBKM19, GWC19,
CHM+20]) are predicate-efficient with respect to an underlying polynomial commit-
ment, which means that constructing an accumulation scheme for the latter leads (via
Theorem 2) to an accumulation scheme for the whole SNARK.
Informally, a polynomial commitment scheme (PC scheme) is a cryptographic prim-
itive that enables one to produce a commitment C to a polynomial p, and then to prove
that this committed polynomial evaluates to a claimed value v at a desired point z. An
accumulation scheme for a PC scheme thus accumulates claims of the form “C commits
to p such that p(z) = v” for arbitrary polynomials p and evaluation points z.
In this section, we explain the ideas behind Theorem 3, by sketching how to con-
struct (zero knowledge) accumulation schemes for two popular (hiding) polynomial
commitment schemes.
– In Sect. 2.4.1, we sketch our accumulation scheme for PCDL , a polynomial com-
mitment scheme derived from [BCC+16, BBB+18, WTS+18] that is based on the
hardness of discrete logarithms.
– In Sect. 2.4.2, we sketch our accumulation scheme for PCAGM , a polynomial com-
mitment scheme based on knowledge assumptions over bilinear groups [KZG10,
CHM+20].
In each case, the running time of the accumulation verifier will be sublinear in the
degree of the polynomial, and the accumulator itself will not grow with the number of
accumulation steps. This allows the schemes to be used, in conjunction with a suitable
predicate-efficient SNARK, to construct PCD.
We remark that each of our accumulation schemes is proved secure in the random
oracle model by invoking a useful lemma about “zero-finding games” for committed
polynomials. Security also requires that the random oracle used for an accumulation
scheme for a PC scheme is domain-separated from the random oracle used by the PC
scheme itself. See the full version for details.

2.4.1 Accumulation scheme for PCDL

We sketch our accumulation scheme for PCDL . For univariate polynomials of degree
less than d, PCDL achieves evaluation proofs of size O(λ log d) in the random oracle
 Recursive Proof Composition from Accumulation Schemes 13

model, and assuming the hardness of the discrete logarithm problem in a prime order
group G. In particular, there are no secret parameters (so-called “toxic waste”). How-
ever, PCDL has poor verification complexity: checking an evaluation proof requires Ω(d)
scalar multiplications in G. Bowe, Grigg, and Hopwood [BGH19] suggested a way to
amortize this cost across a batch of n proofs. Below we show that their idea leads to an
accumulation scheme for PCDL with an accumulation verifier that uses only O(n log d)
scalar multiplications instead of the naive Θ(n · d), and with an accumulator of size
O(log d) elements in G.
Summary of PCDL . The committer and receiver both sample (consistently via the ran-
dom oracle) a list of group elements {G0 , G1 , . . . , Gd } ∈ Gd+1 in a group G of prime
d
order q (written additively). A commitment to a polynomial p(X) = i=0 ai X ∈
i

F≤d
d
q [X] is then given by C := i=0 ai Gi . To prove that the committed polynomial
p evaluates to v at a given point z ∈ Fq , it suffices to prove that the triple (C, z, v)
satisfies the following NP statement:
d d
∃ a0 , . . . , ad ∈ F s.t. v = i=0 ai z i and C = i=0 ai Gi .

This is a special case of an inner product argument (IPA), as defined in [BCC+16],

which proves the inner product of two committed vectors. The receiver simply ver-
ifies this inner product argument to check the evaluation. The fact that the vector
(1, z, . . . , z d ) is known to the verifier and has a certain structure is exploited in the
accumulation scheme that we describe below.
Accumulation Scheme for the IPA. Our accumulation scheme relies on a special
structure of the IPA verifier: it generates O(log d) challenges using the random ora-
cle, then performs cheap checks requiring O(log d) field and group operations, and
finally performs an expensive check requiring Ω(d) scalar multiplications. This latter
check asserts consistency between the challenges and a group element U contained in
the proof. Hence, the IPA verifier is succinct barring the expensive check, and so con-
structing an accumulation scheme for the IPA reduces to the task of constructing an
accumulation scheme for the expensive check involving U .
To do this, we rely on an idea of Bowe, Grigg, and Hopwood [BGH19], which
itself builds on an observation in [BBB+18]. Namely, letting (ξ1 , . . . , ξlog2 d ) be the
protocol’s challenges, U can be viewed as a commitment to the polynomial h(X) :=
log2 (d)−1 i
i=0 (1+ξlog2 (d)−i X 2 ) ∈ F≤d q [X]. This polynomial has the special property that
it can be evaluated at any point in just O(log d) field operations (exponentially smaller
than its degree d). This allows transforming the expensive check on U into a check that
is amenable to batching: instead of directly checking that U is a commitment to h, one
can instead check that the polynomial committed inside U agrees with h at a challenge
point z sampled via the random oracle.
We leverage this idea as follows. When accumulating evaluation claims about mul-
tiple polynomials p1 , . . . , pn , applying the foregoing transformation results in n checks
of the form “check that the polynomial contained in Ui evaluates to hi (z) at the point z”.
Because these are all claims for the correct evaluation of the polynomials hi at the same
point z, we can accumulate them via standard homomorphic techniques. We now sum-
14 B. Bünz et al.

marize how we apply this idea to construct our accumulation scheme AS = (P, V, D)
for PCDL .
Accumulators in our accumulation scheme have the same form as the instances to
be accumulated: they are tuples of the form (C, z, v, π) where π is an evaluation proof
for the claim “p(z) = v” and p is the polynomial committed in C. For simplicity, below
we consider the case of accumulating one old accumulator acc = (C1 , z1 , v1 , π1 ) and
one instance (C2 , z2 , v2 , π2 ) into a new accumulator acc = (C, z, v, π).
Accumulation prover P: compute the new accumulator acc = (C, z, v, π) from the
old accumulator acc = (C1 , z1 , v1 , π1 ) and the instance (C2 , z2 , v2 , π2 ) as follows.
– Compute U1 , U2 from π1 , π2 respectively. As described above, these elements can
be viewed as commitments to polynomials h1 , h2 defined by the challenges derived
from π1 , π2 .
– Use the random oracle ρ to compute the random challenge
α := ρ([(h1 , U1 ), (h2 , U2 )]).
– Compute C := U1 + αU2 , which is a polynomial commitment to p(X) := h1 (X) +
αh2 (X).
– Compute the challenge point z := ρ(C, p), where p is uniquely represented via the
tuple ([h1 , h2 ], α).
– Construct an evaluation proof π for the claim “p(z) = v”. (This step is the only
expensive one.)
– Output the new accumulator acc := (C, z, v, π).
Accumulation verifier V: to check that the new accumulator acc = (C, z, v, π) was
correctly generated from the old accumulator acc = (C1 , z1 , v1 , π1 ) and the instance
(C2 , z2 , v2 , π2 ), first compute the challenges α and z from the random oracle as above,
and then check that (a) (C1 , z1 , v1 , π1 ) and (C2 , z2 , v2 , π2 ) pass the cheap checks of the
IPA verifier, (b) C = U1 + αU2 , and (c) h1 (z) + αh2 (z) = v.
Decider D: on input the (final) accumulator acc = (C, z, v, π), check that π is a
valid evaluation proof for the claim that the polynomial committed inside C evaluates
to v at the point z.
This construction achieves the efficiency summarized in Theorem 3.
We additionally achieve zero knowledge accumulation for the hiding variant of
PCDL . Informally, the accumulation prover randomizes acc by including a new ran-
dom polynomial h0 in the accumulation step. This ensures that the evaluation claim in
acc is for a random polynomial, thus hiding all information about the original evalu-
ation claims. To allow the accumulation verifier to check that this randomization was
performed correctly, the prover includes h0 in an auxiliary proof πV .
In the full version, we show how to extend the above accumulation scheme to accu-
mulate any number of old accumulators and instances. Our security proof for the result-
ing accumulation scheme relies on the hardness of zero-finding games, and the security
of PCDL .

2.4.2 Accumulation scheme for PCAGM

We sketch our accumulation scheme AS = (P, V, D) for PCAGM . Checking an evalua-
tion proof in PCAGM requires 1 pairing, and so checking n evaluation proofs requires n
 Recursive Proof Composition from Accumulation Schemes 15

pairings. AS improves upon this as follows: the accumulation verifier V only performs
O(n) scalar multiplications in G1 in order to check the accumulation of n evaluation
proofs, while the decider D performs only a single pairing in order to check the result-
ing accumulator. This is much cheaper: it reduces the number of pairings from n to 1,
and also defers this single pairing to the end of the accumulation (the decider). In partic-
ular, when instantiating the PCD construction outlined in Sect. 2.1 with a PCAGM -based
SNARK and our accumulation scheme for PCAGM , we can eliminate all pairings from
the circuit being verified in the PCD construction.
Below we explain how standard techniques for batching pairings using random lin-
ear combinations [CHM+20] allow us to realize an accumulation scheme for PCAGM
with these desirable properties.
Summary of PCAGM . The committer key ck and receiver key rk for a given maximum
degree bound D are group elements from a bilinear group (G1 , G2 , GT , q, G, H, e):
ck := {G, βG, . . . , β D G} ∈ GD+1
1 consists of group elements encoding powers of a
random field element β, while rk := (G, H, βH) ∈ G1 × G22 .
A commitment to a polynomial p ∈ F≤D q [X] is the group element C := p(β)G ∈
G1 . To prove that p evaluates to v at a given point z ∈ Fq , the sender computes a
“witness polynomial” w(X) := (p(X) − v)/(X − z), and outputs the evaluation proof
π := w(β)G ∈ G1 . The receiver can check this proof by checking the pairing equation
e(C − vG, H) = e(π, βH − zH). This pairing equation is the focus of our accumula-
tion scheme below. (This summary omits details about degree enforcement and about
hiding.)
Accumulation Scheme. We construct an accumulation scheme AS = (P, V, D) for
PCAGM by relying on standard techniques for batching pairing equations. Suppose that
n
we wish to simultaneously check the validity of n instances [(Ci , zi , vi , πi )]i=1 . First,
rewrite the pairing check for the i-th instance as follows:

e(Ci −vi G, H) = e(πi , βH −zi H) ⇐⇒ e(Ci −vi G+zi πi , H) = e(πi , βH) . (1)

After the rewrite, the G2 inputs to both pairings do not depend on the claim being
checked. This allows batching the pairing checks by taking a random linear combina-
n
tion with respect to a random challenge r := ρ([Ci , zi , vi , πi ]i=1 ) computed from the
random oracle, resulting in the following combined equation:
n n
e( i=1 ri (Ci − vi G + zi πi ), H) = e( i=1 ri πi , βH) . (2)

We
n nowi have a pairing equation involving an “accumulated commitment” C  :=
n
i=1 r (Ci − vi G + zi πi ) and an “accumulated proof” π :=
 i
i=1 r πi . This obser-
vation leads to the accumulation scheme below.
An accumulator in AS consists of a commitment-proof pair (C  , π  ), which the
decider D validates by checking that e(C  , H) = e(π  , βH). Moreover, observe that
by Eq. (1), checking the validity of a claimed evaluation (C, z, v, π) within PCAGM corre-
sponds to checking that the “accumulator” (C − vG + zπ, π) is accepted by the decider
D. Thus we can restrict our discussion to accumulating accumulators.
The accumulation prover P, on input a list of old accumulators [acci ]ni=1 =
[(Ci , πi )]ni=1 , computes a random challenge r := ρ([acci ]ni=1 ), constructs C  :=

16 B. Bünz et al.

n n i 
Ci and π  :=
i=1 r
i
i=1 r πi , and outputs the new accumulator acc

:=
2
(C , π ) ∈ G1 . To check that acc accumulates [acci ]ni=1 , the accumulation verifier
 

V simply invokes P and checks that its output matches the claimed new accumulator
acc .
To achieve zero knowledge accumulation, the accumulation prover randomizes acc
by including in it an extra “old” accumulator corresponding to a random polynomial,
which statistically hides the accumulated claims. To allow the accumulation verifier
to check that this randomization was performed correctly, the prover includes this old
accumulator in an auxiliary proof πV .
This construction achieves the efficiency summarized in Theorem 3.
In the full version of our paper, we show how to extend the above accumulation
scheme to account for additional features of PCAGM (degree enforcement and hiding).
Our security proof for the resulting accumulation scheme relies on the hardness of zero-
finding games (see full version).

Acknowledgements. The authors thank William Lin for pointing out an error in a prior version
of the construction of PCDL , and Github user 3for for pointing out errors in a prior version of the
construction of PCAGM . This research was supported in part by: the Berkeley Haas Blockchain
Initiative and a donation from the Ethereum Foundation. Benedikt Bünz performed part of the
work while visiting the Simons Institute for the Theory of Computing.

References
[AHIV17] Scott, A., Carmit, H., Yuval, I., Muthuramakrishnan, V.: Ligero: Lightweight sub-
linear arguments without a trusted setup. In: Proceedings of the 24th ACM Con-
ference on Computer and Communications Security, CCS 2017, pp. 2087–2104
(2017)
[BBB+18] Bünz, B., Jonathan, B., Dan, B., Andrew, P., Pieter, W., Greg, M.: Bulletproofs:
short proofs for confidential transactions and more. In: Proceedings of the 39th
IEEE Symposium on Security and Privacy, S&P 2018, pp. 315–334 (2018)
[BCC+16] Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge
arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M.,
Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer,
Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5 12
[BCCT13] Bitansky, N., Canetti, R., Chiesa, A. and Tromer, E.: Recursive composition and
bootstrapping for SNARKs and proof-carrying data. In: Proceedings of the 45th
ACM Symposium on the Theory of Computing. STOC 2013, pp. 111–120 (2013)
[BCG+17] Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.:
Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Tak-
agi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365.
Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6 12
[BCR+19] Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.:
Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.)
EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019).
https://doi.org/10.1007/978-3-030-17653-2 4
[BCTV14] Ben-Sasson, E., Chiesa, A., Tromer, E.: Scalable zero knowledge via cycles of
elliptic curves. In: Proceedings of the 34th Annual International Cryptology Con-
ference, CRYPTO 2014, pp. 276–294, (2014)
 Recursive Proof Composition from Accumulation Schemes 17

[BGH19] Sean, B., Jack, G., Daira, H.: Halo: Recursive proof composition without a trusted
setup. ePrint Report 2019/1021 (2019)
[BMRS20] Bonneau, J., Meckler, I., Rao, V., Shapiro, E.: Coda: Decentralized cryptocur-
rency at scale. ePrint Report 2020/352 (2020)
[CCW19] Chiesa, A.: Chua, Lynn, Weidner, Matthew: On cycles of pairing-friendly elliptic
curves. SIAM J. Appl. Algebra Geo. 3(2), 175–192 (2019)
[CHM+20] Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: pre-
processing zksnarks with universal and updatable SRS. In: Canteaut, A., Ishai,
Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham
(2020). https://doi.org/10.1007/978-3-030-45721-1 26
[CL20] Chiesa, A., Liu, S.: On the impossibility of probabilistic proofs in relativized
worlds. In: Proceedings of the 11th Innovations in Theoretical Computer Science
Conference, ITCS 2020, pp. 1–30 (2020)
[Co17] O(1) Labs. “Coda Cryptocurrency” (2017) https://codaprotocol.com/
[COS20] Chiesa, A., Ojha, D., Spooner, N.: F RACTAL: post-quantum and transparent recur-
sive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020.
LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/
978-3-030-45721-1 27
[CT10] Chiesa, A. and Tromer, E.: Proof-carrying data and hearsay arguments from sig-
nature cards. In: Proceedings of the 1st Symposium on Innovations in Computer
Science, ICS 2010, pp. 310–331 (2010)
[CTV13] Stephen, C., Eran, T., Jeffrey, A.V.: Enforcing language semantics using proof-
carrying data. ePrint Report 2013/513 (2013)
[CTV15] Chiesa, A., Tromer, E., Virza, M.: Cluster computing in zero knowledge.
In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057,
pp. 371–403. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-
46803-6 13
[GW11] Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all
falsifiable assumptions. In: Proceedings of the 43rd Annual ACM Symposium on
Theory of Computing, STOC 2011, pp. 99–108 (2011)
[GWC19] Ariel, G., Zachary, J.W., Oana, C.: PLONK: Permutations over lagrange-bases
for oecumenical noninteractive arguments of knowledge. ePrint Report 2019/953
(2019)
[Halo19] Sean, B., Jack, G., Daira, H.: Halo (2019) https://github.com/ebfull/halo
[KB20] Assimakis, K., Bonneau, J.: Proof of necessary work: Succinct state verification
with fairness guarantees. ePrint Report 2020/190 (2020)
[KZG10] Aniket, K., Gregory, M.Z., Ian, G.: Constant-size commitments to polynomials
and their applications. In: Proceedings of the 16th International Conference on the
Theory and Application of Cryptology and Information Security, ASIACRYPT
2010, pp. 177–194 (2010)
[MBKM19] Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: Zero-knowledge
SNARKs from linear-size universal and updateable structured reference strings.
In: Proceedings of the 26th ACM Conference on Computer and Communications
Security. CCS 2019 (2019)
[NPR19] Moni, N., Omer, P., Guy, N.R.: Incrementally verifiable computation via incre-
mental pcps. In: Proceedings of the 17th International Conference on the Theory
of Cryptography, TCC 2019, pp. 552–576 (2019)
[NT16] Naveh, A., Tromer, E.: PhotoProof: Cryptographic image authentication for any
set of permissible transformations. In: Proceedings of the 37th IEEE Symposium
on Security and Privacy, S&P 2016, pp. 255–271 (2016)
18 B. Bünz et al.

[Pickles20] O(1) Labs. Pickles. https://github.com/o1-labs/marlin

[SS11] Silverman, J.H., Stange, K.E.: Amicable pairs and aliquot cycles for elliptic
curves. Exp. Math. 20(3), 329–357 (2011)
[Val08] Paul, V.: Incrementally verifiable computation or proofs of knowledge imply
time/space efficiency. In: Proceedings of the 5th Theory of Cryptography Con-
ference, TCC 2008, pp. 1–18 (2008)
[WTS+18] Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient
zkSNARKs without trusted setup. In: Proceedings of the 39th IEEE Symposium
on Security and Privacy, S&P 2018, pp. 926–943 (2018)
Another random document with
no related content on Scribd:
mutta tämä Mdali myy uniaan. Sillä hän sanoo jollekulle: »Anna
minulle säkki suolaa, tai muuten näen unen, että sinä kuolet», ja kun
he pelkäävät häntä, he kantavat hänelle, mitä hän tahtoo.

— Huomaan, sanoi Sanders ajattelevasti.

Hän lähetti vakoojan pois ja nousi.

Vähän ajan kuluttua hän lähetti hakemaan hausakersanttiaan.

— Mene kolmen miehen keralla, Abibu, sanoi hän, — Tembolinin

kylään, krotiilisärkän laitaan, ja tuo minulle Mdali, uneksija.

— Pääni ja sydämeni kautta, sanoi Abibu ja lähti iloisena matkalle

kanootilla.

Hän oli kymmenen päivää poissa ja palasi tyhjin toimin.

— Sillä ihmiset uhkasivat tappaa minut, sanoi hän, — kun Mdali oli
nähnyt unen minun tulostani ja sanonut, että jos minä vien hänet,
niin jokainen kylässä tulee sokeaksi. Ja, herra, koska tunnen mielesi,
en halunnut tappopalaveria, ja tulin takaisin ilman häntä, vaikka, niin
kuin tiedät, en pelkää kuolemaa.

— Teit oikein, sanoi Sanders.

Tunnin kuluttua hänen höyrylaivansa oli valmiina ja lähtenyt, ja

kahden päivän ja yön kuluttua »Zaire» tuli kylään, jossa vastassa oli
kylän päällikkö Kambori, älykäs mies.

— Herra, sanoi hän, — sanon sinulle, että jos otat uneksijan, niin
ihmiset nousevat kapinaan — ei vain minun kyläni, vaan koko
ympärillä oleva maa — sillä häntä pidetään hyvin pyhänä miehenä.
 — Minä olen hänelle pyhä mies, sanoi Sanders englanniksi ja
jatkoi matkaansa rannalle.

Hän tuli kylään kahden hausan saattamana ja meni suoraan sille

majalle, jossa Mdali piti valtaa.

Mdali oli ollut aivan tavallinen mies, ennen kuin hän alkoi uneksia.
Hän oli ollut kalankeihästäjä, ei varakkaampi eikä köyhempi kuin
muutkaan ammattitoverinsa.

Nyt hän istui leikkauksin koristetulla tuolilla, jonka Kusaun Lalinobi

oli lahjoittanut hänelle, kun hän oli nähnyt unen, että tämän vaimo
synnyttää poikalapsen, ja hänen hartioillaan oli marakatinhännistä
tehty vaippa, jonka Tonda, Lulangu-joen päällikkö, oli lahjoittanut
hänelle siitä hyvästä, että Mdali oli uneksinut Tondan elävän
kauemmin kuin veljensä.

Hänellä oli lukuisia muita lahjoja — kädessä kirjailtu keppi,

kaulassa rautahelminauha, koristeltuja kuparirenkaita, pieni peili —
kaikki saatu palkinnoksi hänen osoittamastaan suosiosta.

Hän ei noussut Sandersin tullessa.

Viisisataa silmäparia tarkasteli Sandersia; koko takamaa oli tullut

koolle, sillä Mdali oli nähnyt unen komissaarin tulosta.

— Hei, valkea mies, sanoi Mdali äänekkäästi, — oletko tullut

minun unieni takia?

Sitten hän nousi äkkiä.

Kaksi kertaa Sanders löi häntä kepillään, ja molemmat iskut

sattuivat.
 Sanders kuuli keihäiden kalinan takanaan ja kääntyi — raskas
automaattinen pistooli kädessään.

— Minä uneksin, kärisi Sanders pistooli tähdättynä lähimpään

joukkoon, — minä näin unta, että eräs mies kohotti keihäänsä minua
vastaan ja kuoli. Ja kuoleman jälkeen hänen sielunsa joutui
paikkaan, joka oli täynnä kaloja, ja joka aamu kalat söivät siitä
palasen, ja joka ilta sielu kasvoi jälleen.

He pudottivat keihäänsä. Pureskellen rystysiään varma

hämmennyksen merkki — he katsoivat häneen kauhuissaan ja
hämillään.

— Minä uneksin, jatkoi Sanders, — että Mdali tuli minun mukanani

Kahleitten kylään, ja mitä häneltä jäi, kaiken omaisuuden, jonka
hullut olivat lahjoittaneet hänelle, kylän asukkaat jakoivat keskenään.

Kuului hyväksymisen mutinaa, mutta jotkut suhtautuivat asiaan

äreästi, ja Sanders arveli heidän olevan maalta tulleita.

Hän kääntyi Mdaliin, joka vapisevin käsin hieroi kirveleviä

olkapäitään.

— Ih, uneksija! sanoi Sanders lempeästi. — Puhu nyt ja kerro

näille ihmisille, miten kaikki asiat tulevat hyviksi, kun sinä lähdet
heidän luotaan.

Mies epäröi kohottaen kiukkuiset silmänsä komissaarin silmiin ja

huomasi niiden kylmän ilmeen.

— Miehet, sanoi hän väristen, — asia on, niin kuin herramme

sanoo.
 — Sinä uneksit niin, ehdotti Sanders.

— Minä uneksin niin, sanoi Mdali, ja kuului yleinen helpotuksen

huokaus.

— Vie hänet laivaan, sanoi Sanders. Hän puhui arabiaa Abibulle.

—
Henkesi uhalla älä anna hänen puhua kenellekään.

Hän seurasi hausoja ja vankia ja lähti aikaa hukkaamatta

matkaan.

Siten päättyi uneksijan tarina — tällä kertaa.

Mutta vaikka Mdali työskenteli Kahleitten kylässä valtakunnan

hyväksi, niin hänen työnsä kantoi hedelmiä, sillä hän oli ollut uuras
mies. Sattui useita kuolemantapauksia. Miehet ja naiset panivat
terveinä nukkumaan ja heräsivät vain kuollakseen. Eikä kukaan
pitänyt sitä merkillisenä eikä ilmoittanut siitä, sillä Mdali oli uneksinut
niin, ja se tapahtui.

Mutta huhulla on jalat kulkea ja suu kertoa; ja aikanaan Sanders

kulki pitkin maita mukanaan päämajasta pikaisesti kutsuttu lääkäri, ja
moni tapasi hänet surren.

Miehet, jotka olivat kadottaneet pahantapaiset vaimonsa, toiset,

jotka olivat haudanneet rikkaita sukulaisiaan, vaimot, jotka olivat
saaneet vapauden Mdalin unien täyttymisen kautta, istuivat vaiti ja
odottivat Sandersia pureskellen rystysiään.

Sanders jakoi oikeutta ilman muita todistuksia kuin mitä hänen

lääkärinsä voi sanoa pahanhajuisissa paikoissa; mutta sillä oli
vaikutus, ja Mdali, puunhakkaaja kahleitten kylässä, tapasi monta
tuttua naamaa.

Kahleitten kylä oli kielekkeellä, jonka oikealla puolen laskee

mereen
Isisi-joki ja vasemmalla Bokaru-joki. Se oli puhtain kylä Sandersin
hallintoalueella, mutta sen puhtautta eivät ylistäneet muut kuin
Sanders.

Siinä virtasivat voimakkaat joet niin väkevästi, etteivät

vahvimmatkaan uimarit siinä kestäneet. Ja kolmion kantaan oli
kaivettu leveä kanava, pituudeltaan viisi tai kuusisataa jaardia,
yhdistämään molempia jokia, niin että kylä pikemminkin oli saarella
kuin niemellä — ja saarelta oli vaikea pääsy, kun piikkilanka-aita oli
pantu kanavan molemmille rannoille. Sitä paitsi kanava oli kolmen
krokotiilin oleskelupaikka — ne oli komissaari Sanders
kaukonäköisenä siihen asettanut — ja niiden poispääsyn estivät
kanavan molempiin päihin vedetyt vahvat verkot.

Kylä itse oli jaettu kolmeen osaan: yksi varattu miehille, toinen
naisille ja kolmas — ainoan maihinnousupaikan vastainen —
puolelle hausakomppanialle.

Vaikka paikkaa sanottiinkin Kahleitten kyläksi, niin vain suurimmat

lurjukset siellä olivat raudoissa, ja elämä kulki tässä pikku kylässä
tasaisesti, ellei oteta lukuun sitä, että naiset asuivat korkean
rautalanka-aidan toisella puolen ja miehet toisella.

Mdali saapui, sai numeron ja peitteen. Hänet käskettiin erääseen

majaan kuuden muun vangin seuraan.
 — Olen Isisin Mdali, sanoi hän, — ja Sandi lähetti minut tänne,
koska näin unia.

— Se on hullua, sanoi majan päämies, — sillä minut hän lähetti

tänne siksi, että pieksin hänen vakoojansa — veljeni kanssa —
kunnes hän kuoli.

— Minut lähetettiin tänne, sanoi toinen mies, — koska olin

päällikkö ja aloitin sodan — minä olen Pikku Isisin Tembeli.

Toinen toisensa jälkeen he esittäytyivät ja kertoivat rikolliset

tekonsa yksinkertaisen ylpeinä.

— Minä olen unien näkijä, sanoi Mdali. — Kun minä uneksin

jotakin tapahtuvaksi, se tapahtuu, sillä minä olen paholaisten
suosiossa ja näen unissani ihmeellisiä asioita.

— Huomaan, sanoi Tembeli viisaana. — Sinä olet hullu.

*****

Ei ole vaikeata kuvitella, miten Mdali sai valtoihinsa uusien

toveriensa mielen ja luottamuksen.

Kerrotaan hänen ennustaneen erään vartian hukkumisen, joka

sitten tapahtuikin. Jokainen Tembolinista saapuva uusi vanki oli
hänen tekojensa todistaja.

Ja parhaalla tavallaan Mdali uneksi heille. Ja tällaisen suuren

unen hän heille näki:

Tapahtui, että Sandi saapui tarkastamaan Kahleitten kylää, ja kun

hän oli päässyt erään majan kohdalle, niin kuusi miestä hyökkäsi
hänen kimppuunsa ja yksi leikkasi hänen kurkkunsa, ja sotilaat
pakenivat kauhuissaan, ja vangit vapauttivat itsensä, eikä enää ollut
vankeutta.

Hän uneksi tämän kolmena peräkkäisenä yönä.

Kun hän oli kertonut ensimmäisen unensa, niin Tembeli, jolle hän
sen uskoi, sanoi miettiväisenä:

— Tuo on kyllä hyvä ajatus, mutta me olemme aseettomia, ja se ei

siis voi tulla todeksi.

— Tänä iltana se selviää minulle unessa, sanoi Mdali.

Ja seuraavana aamuna hän kertoi, miten hän näyssä oli nähnyt

vankien joukossa kongolaisen miehen, jolla oli kongolainen
partaveitsi hiuksiin pistettynä.

Ja tosiaankin siellä oli kongolainen mies, jolla oli sellainen

partaveitsi.

— Kuka leikkaisi kurkun? kysyi Tembeli. — Tämä on asia, joka

vaatii perinpohjaisen selvityksen.

Ja taas Mdali uneksi ja huomasi, että Sandersin kurkun leikkaaja

oli Koforo, puolihullu akasavalainen vanki. Kaikki oli nyt valmista
suurta hetkeä varten.

Oli syitä, joiden vuoksi Sanders ei ollut suopea nti Ruth

Glandynnelle, lähetyssaarnaajalle, ja näistä ei vähäpätöisin ollut
alituinen huoli tytön turvallisuudesta ja tietoisuus siitä, että tyttö ei
tuntenut alkuasukkaita niin hyvin kuin luuli tuntevansa — mikä oli
suurin vaara.
 Eräänä päivänä Sanders sai kirjeen, jossa neiti pyysi päästä
käymään
Kahleitten kylässä.

Sanders noitui.

Hän ei ollut ylpeä kylästään — se osoitti laittomuuden kasvamista

eräässä osassa hänen alaisistaan, ja hän oli tässä suhteessa
sangen arka. Sitä paitsi hän oli, niin kuin itsekin tiesi, sangen huono
näyttämään mitään.

Hieman pahalla tuulella hän vastasi olevansa valmis näyttämään

neidille Kahleitten kylää milloin tahansa, paitsi — hän laati
pyörryttävän listan kielletyistä päivistä.

Tämän listan laatimisessa Sanders osoitti tavallista suurempaa

kekseliäisyyttä. Yhtenä päivänä hän ei voinut täyttää pyyntöä
»neljännestarkastuksen» vuoksi, toisena »terveyskatsastuksen»
vuoksi; eräs kielletty päivä oli »varusteiden tarkastuksen» päivä.

Aivojaan pinnistäen hän keksi kolmekymmentäviisi jaksoa

vuodessa, pituudeltaan yhdestä seitsemään päivään, jolloin
rikollisten tapaaminen oli tuiki mahdotonta; ja hän toivoi
sydämessään, että neiti luopuisi kokonaan aikeestaan.

Hänen mielipahakseen neiti vastasi heti, valiten erään päivän, joka

oli »valituspäivän» ja »korjausviikon» välissä — jotka molemmat
tilaisuudet Sandersin mielikuvitus oli loihtinut ilmoille.

Hän saapui myötävirtaa kanootillaan, jota meloi kaksikymmentä

miestä, ja Sanders tapasi hänet puolimatkassa ja otti hänet
laivaansa.
 Sanders oli pilkuttoman valkeassa puvussa, mutta hieman jäykkä
ja hyvin muodollinen.

— Ellette pahastuisi sanoistani, olisin ollut hyvin mielissäni, jos

olisitte luopunut tästä huvimatkasta.

— Tämä on tuskin huvimatka, neiti kylmästi. — Minulla on

velvollisuuksia näitä ihmisiä kohtaan — tunnustatte, että
lähetyssaarnaajat harvoin heitä näkevät — ja minusta tuntuisi siltä,
että olisin laiminlyönyt velvollisuuteni, ellen olisi käyttänyt tilaisuutta,
jonka niin hyväntahtoisesti tarjoatte minulle (Sanders kirosi itsekseen
hänen loistavaa julkeuttaan) tavatakseni heitä.

Ison hellekypäränsä alta Sanders silmäsi neitiä.

— En voi antaa teidän käydä elämänne läpi epätietoisena siitä,

etten halunnut teidän tuloanne, sanoi hän jyrkästi, ja nti Glandynnen
nenä kohosi hieman, sillä paitsi lähetyssaarnaaja hän oli myöskin
nainen.

He tulivat Kahleitten kylään eräänä säteilevänä aamuna

— No, mutta mitä pirua tämä tarkoittaa? sanoi Sanders.

Sillä vain kaksi hausaa oli jäljellä, toinen vartiana ja toinen hänen
vuorolaisenaan.

— Herra, sanoi tämä mies, kun Sanders astui maalle, —

komppanian miehet ovat menneet alas virtaa erääseen Palmujen
paikkaan.

— Kenen käskystä? kysyi Sanders.

 — Heille oli ilmoitettu, herra, sanoi mies, — he kun kuuluivat
sufilahkoon, että Profeetan siunattu poika ilmestyy siinä paikassa ja
näyttää heille paljon ihmeitä.

Komissaarille välähti valo, ja hän puoleksi hymyili, vaikka hänen

sydämensä raivosi.

— Näyttää siltä kuin uneksija Mdali vielä uneksisi, sanoi hän. —

Täällä tulee huomenna pieksäjäiset.

Hänen ensimäinen aikomuksensa oli lähettää tyttö takaisin; hän ei

pelännyt, että vartioston satunnainen poissaolo johtaisi mihinkään
vakavampaan tapahtumaan — sellainen ajatus ei hetkeksikään
johtunut hänen mieleensä — mutta hän oli varovainen mies, eikä
hänellä ollut lainkaan halua antautua vaaraan.

Hän oli jo puoleksi palaamassa veneelleen, kun päätti, että koska

tyttö oli täällä ja oli matkustanut pitkän matkan, oli selvintä tehdä,
mitä oli aiottu.

— Teidän on parasta mennä naisten puolelle, sanoi hän. —

Lähetän Abibun kanssanne — minulla puolestani on asiaa eräälle
Mdalille.

Hän avasi naisten osastoon johtavan portin ja katseli hentoa tyttöä

tämän mennessä pikku katua myöten ryhdikäs, leveäharteinen
hausa rinnallaan.

Hän käveli sen alueen poikki, joka erotti miesten osaston naisten
osastosta, avasi portin ja astui sisään sulkien sen jälkeensä.

Kukaan ei tullut puhumaan hänelle, mikä oli omituista, sillä

tavallisesti he tulivat pyytämään kuulustelua nimittäen häntä
hyväntahtoisesti hänen jokapäiväisellä nimellään, joka merkitsee
»öisin lentävää pientä teurastajalintua».

Nyt he istuivat majainsa edessä posket polvilla katsellen häntä

vaieten, peloissaan.

— Tästä minä en pidä, sanoi Sanders.

Hän pani huolimattomasti kätensä taskuun ja päästi browningin

varmistimesta. Keskisormellaan hän tutki revolverin perää, oliko
makasiini paikallaan.

Hän seisoi hyvin lakaistun tien keskellä, ja hänellä oli hyvä

näköala kadun päästä päähän.

Häthätää hän silmäsi oikealle puolen. Hän näki Ruthin puhuvan

alkuasukasnaisten kanssa — niitä oli kolme ryhmässä kyykkien
maassa.

Hänen takanaan erillään ryhmästä seisoi Abibu pitäen

winchesterkarbiinia — lahja Sandersilta — käsivarrellaan.
Komissaarin silmätessä hausa veti salaa lukkoa vireeseen.

— Abibu lataa, sanoi jokin Sandersin aivoissa.

Hän käänsi silmänsä takaisin miesten osastoon. Kukaan ei

liikkunut. Vangit istuivat majainsa edessä vaiteliaina ja odottaen.
Epäilyksen värähdys kulki hänen hermojensa läpi. Hän silmäsi
jälleen Abibuun. Tämä oli hiljaisuudessa vetäytynyt vielä
kauemmaksi naisryhmästä ja piteli nyt kivääriä kaksin käsin —
oikealla sormeillen lukon kohtaa ja vasemmalla hypistellen
makasiinia.
 Sitten hän hieman kääntyi ja nyökkäsi, ja Sanders tiesi merkin
olevan hänelle.

Sanders kääntyi nopeasti. Jos vaara uhkasi, niin se uhkasi naisten

osastosta. Hän meni nopeasti takaisin samaa tietä, jota oli tullut.
Neljä miestä, jotka olivat istuneet hiljaa, nousivat ja tulivat häntä
kohti kiirettä pitämättä.

— Herra, meillä on pyyntö, aloitti yksi.

— Mene takaisin majaasi, Tembeli! sanoi Sanders jyrkästi. —

Tulen takaisin kuulemaan pyyntönne.

— Krak!

Abibu ampui erääseen majaan, ja tyttö pakeni tietä pitkin portille

päin.

Tämän Sanders näki kääntäessään päätänsä, ja samassa nuo

neljä syöksyivät hänen kimppuunsa.

Suuri käsi peitti hänen kasvonsa ja luja peukalo pyrki hänen

silmäänsä.
Tembeli kaatui kuoliaaksi ammuttuna, ja Sanders tempaisi itsensä
irti.
Hän juoksi porttia kohti ottaen avaimen esille mennessään.

Hän kääntyi ja ampui kahta seuraajaansa, mutta näillä, ei ollut

halua taisteluun.

Hän avasi portin vakavin käsin ja sulki sen jälkeensä. Hän näki
Abibun maassa miesjoukon alla. Tyttö oli kadonnut. Sitten hän näki
tämän taistelevan kahden naisen kanssa, ja puolihullu Koforo hääri
hänen kimpussaan.

Hän pääsi naisten luo, kun toinen tarttui tyttöä tukasta ja veti
hänen päätään taaksepäin.

Koforo näki Sandersin tulevan ja laski kätensä.

— Ho, isä! sanoi hän hupsulla tavallaan. — Aion tappaa sinut,

koska olet paholainen!

Naiset peräytyivät, ja Sanders tarttui heikkoa tyttöä vyötäisiltä ja

heitti hänet pois heidän ulottuviltaan.

Koforo tuli häntä kohti herjaten ja irvistellen pieni lapionmuotoinen

partaveitsi kädessään.

Sanders tähtäsi tarkkaan, sillä hänellä oli vain viisi panosta jäljellä;
sitten hän kiinnitti huomionsa Abibuun.

Tämä makasi maassa tunnottomana; hänen kimppuunsa

hyökänneet olivat paenneet, sillä vartia ja hänen varamiehensä
ampuivat verkkoaidan läpi — ja harjaantunut hausa on tavattoman
hyvä ampuja.

Yhdessä he kantoivat tytön veneeseen, ja Abibu virotettiin ja

hänen haavansa sidottiin.

Kello neljältä iltapäivällä palasi rukoilemassa käynyt vartio, ja

Sanders pani toimeen tarkastuksen molemmissa leireissä.

— Herra, sanoi muuan, joka oli ollut vain passiivinen katselija, —

tarkoituksena oli johdattaa sinut naisten osastoon. Sen vuoksi
muutamat miehet kätkeytyivät majoihin arvellen, ettei herra kanna
pientä pyssyään naisten keskuudessa. Kaiken tämän uneksi Mdali,
joka on paennut.

— Ei yksikään mies pakene Kahleitten kylästä, sanoi Sanders. —

Mitä tietä Mdali meni?

Mies osoitti kanavan rannalla olevaa rautalanka-aitaa.

Sanders meni aidan luo ja katsoi ruohoakasvavaa kanavaa.

— Näin hänen kapuavan ensimmäisen aidan yli, sanoi hänen

tiedonantajansa, — mutta en enää toisen yli.

Komissaari kumartui ja otti käteensä heinää, jonka heitti vedessä

olevalle vihreälle pölkylle.

Pölkky avasi karsaan silmän ja murisi vihaisesti, sillä se oli saanut

hyvän aterian eikä pitänyt, että sen unta häirittiin.
AJATTELIJA JA KUMIPUU

On kolme asiaa, jotka ovat filosofian ja logiikan ulkopuolella.

Kolme asiaa, jotka tekevät lempeät miehet raivokkaiksi ja

välinpitämättömän urhoolliseksi. Yksi on rakkaus, toinen on uskonto,
ja kolmas on maa.

Isisissä oli mies, joka oli suuri ajattelija. Hän ajatteli asioita, jotka
eivät olleet ajateltavissa, sellaisia kuin tähdet, myrskyt ja aika, joka ei
alkanut eikä loppunut koskaan.

Usein hän meni joen rantaan, istui poski polven varassa ja ajatteli
suuria asioita päivät umpeensa. Kylän asukkaat — Akalavi-särkän
rannalla — ajattelivat, eikä se ole luonnotontakaan, että hän oli hullu,
sillä tämä nuori mies pysytteli erillään elämän iloista, eikä hän
löytänyt mitään huvitusta neitosten parista; hän pysyi poissa
tansseista ja juhlista, jotka muodostivat jokivarren elämän
valoisamman puolen.

Kmaka — se oli hänen nimensä — oli Jokon poika, joka oli

Nkeman poika, jonka isä taas oli Suuren kuninkaan aikainen uljas
soturi. Ja äitinsä puolelta hän polveutui Pikisamokosta, joka myöskin
oli voimakas ja verinen mies, niin että hänessä ei sukunsa puolesta
kylläkään ollut hempeätä luonnetta. — Sen vuoksi, sanoi Joko,
hänen isänsä, — hänen täytyy olla hullu, ja jos asia voidaan järjestää
Sandin tietämättä, niin puhkaisemme hänen silmänsä ja viemme
hänet kauas metsään, jossa pedot tai nälkä hänet pian tappavat.

Kaikki sukulaiset oli kutsuttu perheneuvotteluun, koska hullu poika

on kauhistus. Hän kulkee pitkin metsiä ja kulkiessaan tai
narrimaisuudessaan hän särkee kapineita ja tekee vahinkoja, joista
perhe on laillisessa vastuussa. He keskustelivat asiasta melkein
koko yön eivätkä päässeet päätökseen. Neuvottelua jatkettiin
seuraavana päivänä, ja perheen vanhin, toisen kylän hyvin vanha ja
hyvin viisas päällikkö, antoi lausuntonsa. — Jos hän on hullu, sanoi
hän, — niin hänet on kaikkien lakien ja tapojen mukaan tuhottava.
Minä olen kokenut mies, niin kuin kaikki tiedätte, sillä olen elänyt
useita vuosia kauemmin kuin te. Antakaa minun siis tutkia Kmakaa,
onko hän hullu vaiko vain yksinkertainen, niin kuin pojat tavallisesti
naimaiässä ovat.

Sitten he päättivät kutsua Kmakan kuultavaksi, ja ne, jotka

menivät häntä hakemaan, löysivät hänet metsästä makaamasta
pehmeällä nurmella. Hän makasi kasvot maahan päin, pää
käsissään, katsellen kukkaa.

— Kmaka, sanoi häntä hakemaan tullut mies, — mitä sinä teet?

— Opiskelen, sanoi Kmaka yksinkertaisesti, — sillä tämä ruoho

opettaa minulle paljon asioita, joista en ennen tiennyt.

Toinen katsoi maahan ja nauroi.

— Se on ruoho, sanoi hän, — se ei tee hedelmää, eikä se sen

vuoksi ole mitään.
 — Se on elävä, sanoi Kmaka katsellen yhä kukan terälehtiä. — Ja
minä arvelen, että se on suurempi kuin minä, koska se on
lainkuuliainen.

— Olet tosiaankin hullu, sanoi hänen serkkunsa, — se on aivan

varma.

Hän vei hänet perheneuvotteluun.

— Löysin hänet, sanoi hän tärkeänä, — katselemasta ruohoja, ja

hän väitti niiden olevan suurempia kuin hän itse.

Perhe katsoi synkästi Kinakaan, ja vanha päällikkö aloitti

hyökkäyksen.

— Kmaka, sanotaan, että sinä olet hullu. Minä perheen päänä

olen kutsunut suvun koolle, jotta näkisimme, onko syytös tosi vai ei.
Sanotaan, että sinulla on kummallisia ajatuksia — sellaisiakin, että
tähdet ovat muka kaukaisia maita.

— Se on totta, isä, sanoi toinen.

— Sanotaan sinun myöskin arvelevan, että aurinko paistaa yöllä.

— Niin luulenkin, sanoi Kmaka, — ja tarkoitan, että se paistaa

jossakin. Sillä ei ole viisasta arvella, että joki olisi suurempi kuin
aurinko.

— Huomaan, että sinä todellakin olet hullu, sanoi vanhus kylmästi,

— sillä mitä tekemistä joella ja auringolla on keskenään.

— Herra, sanoi nuori mies vakavasti, — jokihan juoksee päivin ja

öin, joko kävelet tai makaat, näetpä sen tai olet näkemättä. Kuitenkin
typerät ajattelevat, että mitä he eivät näe, sitä ei ole olemassa. Ja
onko joki suurempi kuin aurinko? Sillä jos joki, joka on osa Suuresta
Kulusta, juoksee öisin, pitääkö auringon, joka on monta vertaa
tärkeämpi maalle, lakata paistamasta?

Vanha päällikkö pudisti päätään.

— Ei kukaan muu kuin hyvin hullu mies puhu sellaisia asioita,

sanoi hän, — sillä eikö aurinko muutu yöllä kuuksi, paitsi silloin kun
se nukkuu? Ja kun ihmiset nukkuvat ja vuohet nukkuvat, niin miksei
aurinko nuku ja ryömi maakuoppaan, niin kuin olen itse nähnyt?

He ajoivat Kmakan pois. Näytti mahdottomalta keskustella sen

enempää.

Hän nukkui majassa yksikseen. Hän palasi myöhään sinä yönä,

sillä hän oli ollut metsässä katselemassa lepakoita; mutta tullessaan
hän tapasi kuusi serkkuaan odottamasta. He kävivät häneen käsiksi,
eikä hän vastustellut.

He sitoivat hänet käsistä ja jaloista pitkään paaluun ja asettivat

hänet kanoottiin. Sitten hänen kuusi serkkuaan kävivät kanoottiin ja
meloivat nopeasti myötävirtaa. He aikoivat Paholaisten metsään,
joka on Hiljaisella joella — erämaan vesistö, johon vain krokotiilit
menevät laskemaan munansa, sillä siellä on hiekkarantoja, jotka
ovat sopivia siihen tarkoitukseen.

Päivänkoitteessa he pysähtyivät ja tehtyään tulen keittivät ruokaa.

He antoivat vangilleen hiukan kalaa ja maniokkia.

— Nälkäiset päivät odottavat sinua, veli, sanoi yksi serkuista, sillä

me aiomme lopettaa sinut, koska olet hullu.
 — En ole niin hullu, sanoi Kmaka tyynesti, — etten huomaisi
teidän hulluuttanne.

Serkku ei vastannut tietäen, että, sellaiset hullut, jotka pitivät muita

hulluina, olivat hulluimpia.

Aurinko oli noussut, ja kanootti jatkoi matkaansa Kmaka maaten

pohjalla syventyneenä katsomaan kahta muurahaista, jotka olivat
uhkarohkeasti tulleet tutkimusretkelle kanoottiin.

Äkkiä melominen taukosi.

Höyryten vastavirtaa, runko loistaen uudessa valkeassa maalissa,

punavalkea kansikatos kirkkaana tuli »Zaire», ja komissaari
Sandersin pieni sininen lippu liehui velttona laivan ainoassa
mastontyngässä.

— Melotaan lähemmäksi rantaa, sanoi serkkujen päällikkö, — sillä

tämä on Sandi, ja jos hän näkee, mitä me kuljetamme, niin hän
suuttuu.

He siirtyivät syrjään antaen laivalle lavean tilan.

Mutta Joen Sanders, joka nojasi komentosillan laitaa vasten

hellekypärä työnnettynä suojaamaan niskaa auringolta, oli nähnyt
heidät. Hän oli myöskin havainnut, että miehet äkkiä lakkasivat
melomasta, ja huomasi heidän taas alkavan voimakkaasti meloa ja
ottavan uuden suunnan.

Hän nosti sormeaan merkiksi ruorimiehelle: peräsin käännähti ja

äkkiä oli »Zaire» poikkiteloin kanootin tiellä.
 — Tällä miehellä, sanoi serkkujen ällistynyt päällikkö, — on silmät
kuin okapilla, joka näkee puiden läpi vihollisensa.

Hän lakkasi melomasta ja odotti palaveria.

— Mitä tämä on, Sambili? kysyi Sanders, kun höyrylaiva saapui

kohdalle ja puoshaka tarttui pikku alukseen. Sanders kurottautui
laivan laidan yli ja puhutteli serkkua nimeltä.

— Herra, sanoi Sambili, — en aio valehdella sinulle; tämä mies on

minun serkkuni ja on hullu. Sen vuoksi viemme hänet kuuluisan
poppamiehen luo.

Sanders nyökkäsi ja tipautti valkean tuhkan sikaristaan veteen.

— Tunnen joen paremmin kuin kukaan toinen, mutta en tiedä

sellaisesta miehestä mitään, virkkoi hän. — Myöskin olen kuullut,
että monta hullua miestä on viety Paholaisten metsään, jossa heitä
odottaa poppamies, jota he eivät ole nähneet. Ja hänen nimensä on
Iwa, joka merkitsee kuolemaa.

Kaksi hausaa kiskoi sidotun miehen laivaan.

— Päästäkää hänet, sanoi Sanders.

— Herra, sanoi serkku kiihtyneenä, — hän on hyvin hullu ja hyvin

raivokas.

— Minä olen myöskin hyvin raivokas, sanoi Sanders, — ja

sanotaan, että minä olen hullu, mutta minua ei sittenkään sidota
paaluun.