Ligero: lightweight sublinear arguments without a trusted setup

Abstract

We design and implement a simple zero-knowledge argument protocol for \({\textsf{NP}}\) whose communication complexity is proportional to the square-root of the verification circuit size. The protocol can be based on any collision-resistant hash function. Alternatively, it can be made non-interactive in the random oracle model, yielding concretely efficient zk-SNARKs that do not require a trusted setup or public-key cryptography. Our protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (in: STOC, pp. 21–30, 2007) to a variant of the protocol for secure multiparty computation of Damgård and Ishai (in: CRYPTO, pp. 501–520, 2006). It can be viewed as a simple zero-knowledge interactive PCP based on “interleaved” Reed-Solomon codes. This paper is an extended version of the paper published in CCS 2017 and features a tighter analysis, better implementation along with formal proofs. For large verification circuits, the Ligero prover remains competitive against subsequent works with respect to the prover’s running time, where our efficiency advantages become even bigger in an amortized setting, where several instances need to be proven simultaneously. Our protocol is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications. For instance, for verifying a SHA-256 preimage with \(2^{-40}\) soundness error, the communication complexity is roughly 35KB. The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For \(2^{-40}\) soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. With our refined analysis the Ligero system’s proof lengths and prover’s running times are better than subsequent post-quantum ZK-SNARKs for small to moderately large circuits.

Appendices

A case \(\mathbf {e < d/3}\): Proof of Lemma 4.8

In this section, we provide the proof of our main lemma for the case when \(e < d/3\). The proof of claim A.2 below is due to Ronny Roth and Gilles Zémor [80].⁵

Lemma A.1

(restatement of Lemma 4.8) Let e be a positive integer such that \(e<d/3\). Suppose \(d(U,L^m) >e\). Then, for a random \(w^*\) in the row-span of U, we have

$$\begin{aligned} \Pr [d(w^*,L)\le e]\le (e+1)/|\mathbb {F}|. \end{aligned}$$

Proof

Suppose that \(d(U^*,L^m) >e\) and \(L^*\) is the span of the vectors in \(U^*\). Assume towards a contradiction that \(d(v^*,L) \le e\) for all \(v^*\in L^*\). Suppose \(v_0^*\in L^*\) maximizes the distance from L. Since \(d(U^{*},L^m) >e\), there must be a row \(U^{*}_i\) such that \(\Delta (U^{*}_i,L){\setminus } \Delta (v^*_0,L)\ne \emptyset \). Let \(v^*_0=u_0+\chi _0\) and \(U^{*}_i=u_i+\chi _i\) for \(u_0,u_i\in L\) and \(\chi _0,\chi _i\) of weight \(\le e\). We argue that there exists \(\alpha \in \mathbb {F}\) such that for \({\hat{v}}=v^*_0+\alpha U^{*}_i\) we have \(d({\hat{v}},L)>d(v^*_0,L)\), contradicting the choice of \(v^*_0\). This follows by a union bound, noting that for any \(j\in \Delta (v^*_0,L)\cup \Delta (U^{*}_i,L)\) there is at most one choice of \(\alpha \) such that \({\hat{v}}_j=0\).

Now, it suffices to show that in any affine subspace of \(\mathbb {F}^n\), either all points are e-close to L or almost all are not. This reduces to showing the following claim. We state an explicit version of the conjecture for the case of RS codes. \(\square \)

Claim A.2

Let L be an arbitrary linear code over \(\mathbb {F}\) of length n. Let e be a positive integer such that \(e<d/3\). Then for every \(u,v\in \mathbb {F}^n\), defining an affine line \(\ell _{u,v}=\{ u+\alpha v \,:\, \alpha \in \mathbb {F}\}\), either (1) for every \(x\in \ell _{u,v}\) we have \(d(x,L)\le e\), or (2) for at most d points \(x\in \ell _{u,v}\) we have \(d(x,L)\le e\).

We begin with the observation that for any two length n vectors u and v of weight at most e, \(\ell _{u,v}\) contains N points at most distance e from L if and only if \(\ell _{u,v+c}\) contains N points of distance at most e from L for any codeword \(c\in L\). This means it suffices to prove the claim for vectors u and v of weight at most e.

We now prove the lemma in two cases

• Case 1: \(|Support(u) \cup Support(v)| \le e\) This means that \(\ell _{u,v}\) is entirely contained in the ball \(B_e(\textbf{0})\) where \(\textbf{0}\) is the all 0 s vector which in turn means all the vectors in the line are at most t from L.

• Case 2: \(|Support(u) \cup Support(v)| \ge e+1\) Since u and v each have weight at most e, the intersection of their supports can be of cardinality at most \(e-1\). For each of the coordinates in the intersection of the supports, there can be at most one vector in \(\ell _{u,v}\) such that the entry in that coordinate is 0. Therefore, there are at most \(e-1\) vectors in \(\ell _{u,v}\) that are contained in the ball \(B_e(\textbf{0})\) where \(\textbf{0}\) is the all 0 s vector. To conclude this case, we need to demonstrate that there exists no codeword \(c \ne \textbf{0}\) such that the line \(\ell _{u,v}\) intersects with a vector inside the ball of radius e around c. Assume for contradiction there exists a codeword c and vector w of weight at most e such that \(c+w \in \ell _{u,v}\). Then we have that

  $$\begin{aligned} c+w = u + \alpha v \end{aligned}$$

  This means that c is equal to the sum of three vectors each of weight at most e. Now we arrive at a contradiction because the minimum distance of L is d and \(e < d/3\).

\(\square \)

B Generalizing IPCP tests

In this section, we provide the generalized versions of the tests in our basic IPCP. This is required for improving the soundness analysis and achieving better concrete parameters. We remark that the theorem statements in this section are provided for the case \(e<d/4\). But we can incorporate the subsequent improvement in the analyses and directly generalize for the cases \(e<d/3\) and \(e<d/2\).

1.1 B.1 Generalized interleaved linear code testing

In this section we present a generalized version of the testing algorithm that uses \(\sigma \) linear combinations to amplify soundness; see Fig. 7. This algorithm is useful for obtaining better soundness over a small field \({\mathbb F}\).

Fig. 7

Generalized-Test-Interleaved \(({\mathbb F},L[n,k,d], m, t,\sigma ; U)\)

Lemma B.1

If \(U\in L^m\) and \({\mathsf {\mathcal { P}}}\) is honest, then \({\mathsf {\mathcal { V}}}\) always accepts.

Lemma B.2

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m) >e\). Then, for a random \(w^*\) in the row-span of \(U^{*}\), we have

$$\begin{aligned} \Pr [d(w^*,L)\le e]\le (e+1)/|{\mathbb F}|^\sigma . \end{aligned}$$

The proof of Lemma B.2 follows identically as the proof of Lemma 4.5 with the exception that the denominator \(|{\mathbb F}|\) in Eqs. 1 and 2 need to be replaced by \(|{\mathbb F}|^\sigma \). This is because in each of Cases 1 and 2, we express \(w^* = \alpha v^*+x\) and bound the probability of a bad event regarding \(w^*\) claiming that any value of x happens for a unique value of \(\alpha \in {\mathbb F}\). Therefore this probability is bound by \(1/|{\mathbb F}|\). In the repeated version, there is one possible value in \({\mathbb F}^\sigma \) which happens with probability \(1/|{\mathbb F}|^\sigma \).

We can conclude the following theorem, the same way Theorem 4.6 is concluded from Lemma 4.5.

Theorem B.1

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m)\ge e\). Then, for any malicious \({\mathsf {\mathcal { P}}}\) strategy, the oracle \(U^{*}\) is rejected by \({\mathsf {\mathcal { V}}}\) except with \(\le (1-e/n)^t+(e+1)/|{\mathbb F}|^\sigma \) probability.

1.2 B.2 Affine interleaved linear code testing

For the purpose of obtaining a zero-knowledge IPCP, the following “affine” variant of Test-Interleaved is useful. Whenever \({\mathsf {\mathcal { V}}}\) requests a random linear combination of the rows of U, this linear combination will be masked with an additional blinding vector \(u'\in {\mathbb F}^n\). The vector \(u'\), which is also given as part of the proof oracle, will be picked by an honest \({\mathsf {\mathcal { P}}}\) at random from L and will therefore hide all information about U whose rows are from L. The soundness of the test should hold even when \(u'\) is adversarially chosen and is not necessarily a codeword. The complete test is given in Fig. 8.

Fig. 8

Affine-Test-Interleaved\(({\mathbb F}, L[n,k,d], m, t; U, u')\)

Completeness follows directly from the description.

Lemma B.3

If \(U\in L^m\), \(u'\in L\), and \({\mathsf {\mathcal { P}}}\) is honest, then \({\mathsf {\mathcal { V}}}\) always accepts.

Our soundness analysis will rely on the following lemma.

Lemma B.4

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m) >e\). Then, for arbitrary \(u' \in {\mathbb F}^n\) and a random \(w^*\) in the row-span of \(U^{*}\), we have \(\Pr [ d(w^*, L)\le e]\le (e+1)/|{\mathbb F}|\).

Theorem B.2

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m)\ge e\). Then, for an arbitrary \(u' \in {\mathbb F}^n\) and any malicious \({\mathsf {\mathcal { P}}}\) strategy, the oracle \(U^{*}\) is rejected by \({\mathsf {\mathcal { V}}}\) except with \(\le (1-e/n)^t+(e+1)/|{\mathbb F}|\) probability.

We provide a formal proof of a generalization of this test in the next section.

1.3 B.3 Generalized affine interleaved linear code testing

For the purpose of obtaining a zero-knowledge IPCP, the following “affine” variant of Test-Interleaved is useful. Whenever \({\mathsf {\mathcal { V}}}\) requests a random linear combination of the rows of U, this linear combination will be masked with an additional blinding vector \(u'\in {\mathbb F}^n\). The vector \(u'\), which is also given as part of the proof oracle, will be picked by an honest \({\mathsf {\mathcal { P}}}\) at random from L and will therefore hide all information about U whose rows are from L. The soundness of the test should hold even when \(u'\) is adversarially chosen and is not necessarily a codeword. We generalize it further following the previous section to achieve better soundness by repetition; see Fig. 9.

Fig. 9

Generalized-Affine-Test-Interleaved\(({\mathbb F}, L[n,k,d], m, t, \sigma ; U, u')\)

Completeness follows directly from the description. Soundness analysis follows as described in Sect. B.1.

Lemma B.5

If \(U\in L^m\), \(u'_1,\ldots ,u'_\sigma \in L\), and \({\mathsf {\mathcal { P}}}\) is honest, then \({\mathsf {\mathcal { V}}}\) always accepts.

Lemma B.6

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m) >e\). Then, for arbitrary \(u'_1,\ldots ,u'_\sigma \in {\mathbb F}^n\) and a random \(w^*\) in the row-span of \(U^{*}\), we have \(\Pr [\forall \ h \in [\sigma ], d(w^*+u'_h, L)\le e]\le (e+1)/|{\mathbb F}|^\sigma \).

Theorem B.3

Let e be a positive integer such that \(e<d/4\). Suppose \(d(U^{*},L^m)\ge e\). Then, for arbitrary \(u'_1,\ldots ,u'_\sigma \in {\mathbb F}\) and any malicious \({\mathsf {\mathcal { P}}}\) strategy, the oracle \(U^{*}\) is rejected by \({\mathsf {\mathcal { V}}}\) except with \(\le (1-e/n)^t+(e+1)/|{\mathbb F}|^\sigma \) probability.

1.4 B.4 Generalized affine linear constraint testing over interleaved Reed Solomon codes

For the purpose of obtaining a zero-knowledge IPCP, we provide the following “affine” variant of Test-Linear-Constraints-IRS. Whenever \({\mathsf {\mathcal { V}}}\) provides the challenge vector r, the linear combination \(r^TA\) of the rows of U, will be masked with an additional blinding vector \(u'\in {\mathbb F}^n\) that encodes messages that sum up to 0. The vector \(u'\), which is also given as part of the proof oracle, will be picked by an honest \({\mathsf {\mathcal { P}}}\) at random from L subject to the condition that it encodes messages that sum up to 0 and will therefore hide all information about the individual column sums in the computation of \(r^TAx\). The soundness of the test should hold even when \(u'\) is adversarially chosen and is not necessarily a codeword. We will further generalize the test to achieve better soundness. Namely, instead of relying on repetition, we improve soundness by considering the challenge space from an extension field. The test is given in Fig. 10. Note that just as in Sect. 4.2, we will analyze the test under the promise that the (possibly badly formed) U is close to \(L^{m+1}\). Completeness follows directly as \(u'\) does not affect the verification. We argue soundness next.

Fig. 10

Generalized-Affine-Test-Linear-Constraints-IRS\( ({\mathbb F},L={\textsf{RS}}_{{\mathbb F},n,k,\eta }, m, t, \zeta , A,b,\sigma ; U)\)

Lemma B.7

Let e be a positive integer such that \(e<d/2\). Suppose that a (badly formed) oracle \(U^{*}\) that is vertically juxtaposed with an arbitrary \(u'\) is e-close to a codeword \(V\in L^{m+1}\), where V contains the codewords \(U \in L^m\) and \(u^* \in L\) vertically juxtaposed, and U encodes \(x\in {\mathbb F}^{m\ell }\) such that \(Ax\ne b\). Then, for any malicious \(\mathcal { P}\) strategy, \(U^{*}\) is rejected by \({\mathsf {\mathcal { V}}}\) except with at most \(1/|{\mathbb F}|^\sigma + ((e+k+\ell )/n)^t\) probability.

1.5 B.5 Generalized testing quadratic constraints over interleaved Reed Solomon codes

Finally, in this section we extend our quadratic constraint test over Interleaved Reed Solomon codes via parallel repetition to improve soundness. The complete test description is provided in Fig. 11. Next, we state the completeness and soundness statements.

Lemma B.8

If \(U^x,U^y,U^z \in L^m\) encode vectors \(x,y,z\in {\mathbb F}^{m\ell }\) satisfying \(x \odot y + a\odot z =b\) and \({\mathsf {\mathcal { P}}}\) is honest, \({\mathsf {\mathcal { V}}}\) always accepts.

Lemma B.9

Let e be a positive integer such that \(e<d/2\). Let \(U^{x*},U^{y*},U^{z*}\) be badly formed oracles and let \(U^{*}\in {\mathbb F}^{3m\times n}\) be the matrix obtained by vertically juxtaposing the corresponding \(m\times n\) matrices. Suppose \(d(U^{*},L^{3m})\le e\), and let \(U^x,U^y,U^z\), respectively, be the (unique) codewords in \(L^m\) that are closest to \(U^{x*},U^{y*},U^{z*}\). Suppose \(U^x,U^y,U^z\) encode x, y, z such that \(x \odot y + a\odot z \ne b\). Then, for any malicious \({\mathsf {\mathcal { P}}}\) strategy, \((U^{x*},U^{y*},U^{z*})\) is rejected by \({\mathsf {\mathcal { V}}}\) except with at most \(1/|{\mathbb F}|^\sigma +((e+2k)/n)^t\) probability.

Fig. 11

Generalized-Test-Quadratic-Constraints-IRS \(({\mathbb F},L={\textsf{RS}}_{{\mathbb F},n,k,\eta }, m, t, \zeta , a,b, \sigma ; U^x,U^y,U^z)\)

C Improving the soundness analysis

Recall that the soundness error is calculated by applying a union bound over the following tests: (1) Interleaved Reed-Solomon Test, (2) Linear Constraints Test, and (3) Quadratic Test. We show next how we can improve the soundness of the Linear and Quadratic tests assuming that the Interleaved Reed–Solomon Test passes.

• Interleaved Reed Solomon (IRS) test. The soundness of this test was bounded by \((e+1)/|\mathbb {F}|+(1-e/n)^t\) when \(e < d/4\) and bounded by \(d/|\mathbb {F}|+(1-e/n)^t\) when \(e<d/3\). More recently, a better analysis has been presented in [20] where they improve Lemma 4.8 from \(e<d/3\) to \(e<d/2\) bounding the error by \(n/|\mathbb {F}|\) where n is the code length (See Theorem 1.2: Unique decoding bound). Thus the soundness of this test can be bounded by \(n/|\mathbb {F}| + (1-e/n)^t\) for \(e<d/2\). We make a slight modification to the analysis here where we bound the following “bad” events.

• Let \(E_1\) be the event that more than e columns of U have errors. From the preceding analysis we have that the probability the verifier accepts the IRS test in this case is at most \(n/|\mathbb {F}|+(1-e/n)^t\) for \(e<d/2\).

• Suppose that event \(E_1\) does not occur. Denote by the prover’s response to the IRS test by \(w^*\). Since \(e < (n-k)/2\) and there are fewer than e errors, let U be the unique codeword such that \(d(U,U^*) < e\). Define w to be the codeword that is the result of correctly computing the IRS test with the matrix U. In particular, w will agree columnwise with all columns of \(U^*\) (except the ones that have errors). Define the event \(E_2\) to be when \(w\ne w^*\). We bound the probability that the test passes if \(E_2\) occurs and \(E_1\) does not. If the test passes we have that \(w^*\) is a valid codeword. Therefore, w and \(w^*\) can agree in at most k columns. With at most e columns with errors, the verifier can possible accept the test only if all the indices it chooses come from the k columns they agree on and additionally the e columns containing errors. This probability is at most

  $$\begin{aligned} \frac{{{k+e} \atopwithdelims ()t}}{{n \atopwithdelims ()t}} \le \left( \frac{k+e}{n}\right) ^t \le \left( 1-\frac{e}{n}\right) ^t \end{aligned}$$

  where the last equality comes from setting \(k \le n-2e\).

• Let \(E_3\) be the event that the verifier picks any of the columns that contain errors. We argue that then the IRS test would fail with probability \(1/|\mathbb {F}|\). Let U and \(U^*\) disagree on the ith column, jth row. Then, in the IRS test, if \(E_1\) and \(E_2\) do not occur then given the random combination for all the rows except the jth row, there will be exactly one possible value in the linear combination corresponding the jth row that will make the test pass if i was selected by the verifier. This occurs with probability \(1/|\mathbb {F}|\).

We now have that:

$$\begin{aligned}&\Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge (E_1 \vee E_2 \vee E_3)] \\&\hspace{1cm} \le \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge E_1 ] + \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge ( E_2 \vee E_3) \wedge \lnot E_1]\\&\hspace{1cm} = \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } | E_1 ]\cdot \Pr [E_1] + \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge ( E_2 \vee E_3) | \lnot E_1]\\&\hspace{1cm} \le \left[ \frac{n}{|\mathbb {F}|}+\left( 1-\frac{e}{n}\right) ^t\right] \cdot \Pr [E_1]\\&\hspace{2cm} + \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge ( E_2 \vee E_3) \wedge \lnot E_1] \\&\hspace{1cm} \le \frac{n}{|\mathbb {F}|}+\left( 1-\frac{e}{n}\right) ^t\cdot \Pr [E_1]\\&\hspace{2cm} + \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge E_2| \lnot E_1 ]\cdot \Pr [\lnot E_1]\\&\hspace{3cm} + \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge E_3\wedge \lnot E_1 \wedge \lnot E_2 ]\\&\hspace{1cm} \le \frac{n}{|\mathbb {F}|}+\left( 1-\frac{e}{n}\right) ^t\cdot \Pr [E_1]\\&\hspace{2cm} + \left( 1-\frac{e}{n}\right) ^t\cdot \Pr [\lnot E_1]+ \Pr [V^* \text{ accepts } \text{ IRS } \text{ test } \wedge E_3 | \lnot E_1 \wedge \lnot E_2 ]\\&\hspace{1cm} \le \frac{n}{|\mathbb {F}|}+\left( 1-\frac{e}{n}\right) ^t\cdot \Pr [E_1]\\&\hspace{2cm} + \left( 1-\frac{e}{n}\right) ^t\cdot \Pr [\lnot E_1]+ \frac{1}{|\mathbb {F}|}\\&\hspace{1cm} = \frac{n+1}{|\mathbb {F}|}+\left( 1-\frac{e}{n}\right) ^t \end{aligned}$$

• Linear Constraints Test: The analysis in [2] bounds this test by \(((e+k+\ell )/n)^t+1/|\mathbb {F}|\). By analyzing this test in conjunction with the IRS test we can replace the term \(((e+k+\ell )/n)^t\) with \(((k+\ell )/n)^t\). The main idea here is that term \(((e+k+\ell )/n)^t\) computes the probability that the verifier chooses all its t indices from within the e columns that have errors and an additional of at most \(k+\ell \) columns. Now we analyze the linear test assuming \(E_1,E_2\) and \(E_3\) do not occur as we have bounded them in the IRS test. Specifically, since \(E_3\) does not occur, it suffices to bound the case when all the indices are chosen within the additional at most \(k+\ell \) columns excluding the columns with errors. This can be bounded by \(\left( \frac{k+\ell }{n}\right) ^t.\) Therefore, the soundness of this test can be bounded by

  $$\begin{aligned} \left( \frac{k+\ell }{n}\right) ^t+1/|\mathbb {F}| \end{aligned}$$

  assuming that none of the columns containing errors are chosen.

• Quadratic Test: The analysis in [2] bounds this test by \(((e+2k)/n)^t+1/|\mathbb {F}|\). Following the same arguments as in the Linear Test, the soundness of this test can be improved to simply

  $$\begin{aligned} \left( \frac{2k}{n}\right) ^t+1/|\mathbb {F}|. \end{aligned}$$

Therefore, the overall the soundless error can be bounded by

$$\begin{aligned} \left[ (1-e/n)^t + \left( \frac{k+\ell }{n}\right) ^t + \left( \frac{2k}{n}\right) ^t + \left( \frac{n+3}{(2^{30})^\sigma }\right) \right] \end{aligned}$$