Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

  • Jonathan Bootle
  • Andrea Cerulli
  • Essam Ghadafi
  • Jens Groth
  • Mohammad Hajiabadi
  • Sune K. Jakobsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10626)

Abstract

We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses \(\mathcal {O}(N)\) multiplications and the verifier only uses \(\mathcal {O}(N)\) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact.

Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.
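The compilation sketched in the second step, as an added toy illustration that is not the paper's protocol (it omits the zero-knowledge masking, and the Reed-Solomon code and bare hash commitment are assumptions): the prover encodes each committed vector with a linear code and commits to the columns, answers a linear-combination query in the clear, and the verifier spot-checks random columns against the same combination of the committed codewords, which is where the code's linearity does the work.

```python
import hashlib
import random

P = 2**61 - 1  # constructed prime field F_p; the paper works over any large field

def rs_encode(row, n):
    # Reed-Solomon encoding (an assumed linear code): coefficients -> evaluations at 1..n
    return [sum(c * pow(x, i, P) for i, c in enumerate(row)) % P for x in range(1, n + 1)]

def commit(column):
    # Hash commitment to one column (assumption: binding only, no hiding randomness)
    return hashlib.sha256(",".join(map(str, column)).encode()).hexdigest()

class Prover:
    def __init__(self, vectors, n):
        self.vectors = vectors
        codewords = [rs_encode(v, n) for v in vectors]
        # column j holds the j-th codeword symbol of every committed vector
        self.columns = [[cw[j] for cw in codewords] for j in range(n)]

    def commitments(self):
        return [commit(col) for col in self.columns]

    def open_combination(self, coeffs):
        # the ILC query answer: sum_i coeffs[i] * vectors[i], sent in the clear
        k = len(self.vectors[0])
        return [sum(c * v[i] for c, v in zip(coeffs, self.vectors)) % P for i in range(k)]

def verify(comms, coeffs, claimed, n, opened):
    # opened: {j: column j}. By linearity of the code, the claimed combination's
    # codeword must agree with the same combination of the committed codewords.
    enc = rs_encode(claimed, n)
    for j, col in opened.items():
        if commit(col) != comms[j]:
            return False
        if sum(c * e for c, e in zip(coeffs, col)) % P != enc[j]:
            return False
    return True

def run_session(vectors, coeffs, n=16, queries=4, cheat=False, seed=1):
    prover = Prover(vectors, n)
    comms, claimed = prover.commitments(), prover.open_combination(coeffs)
    if cheat:  # dishonest prover lies about one coordinate of the combination
        claimed[0] = (claimed[0] + 1) % P
    # with k = 4, n = 16 the code distance is 13, so four distinct columns always expose the lie
    opened = {j: prover.columns[j] for j in random.Random(seed).sample(range(n), queries)}
    return verify(comms, coeffs, claimed, n, opened)

VECS = [[3, 1, 4, 1], [5, 9, 2, 6], [5, 3, 5, 8]]  # constructed secret vectors, k = 4
```

The verifier never sees the individual vectors, only the requested combination plus a few columns, which is the ideal linear commitment interface the first step relies on.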

Keywords

  • Zero-knowledge
  • Arithmetic circuit
  • Ideal linear commitments

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Jonathan Bootle (1)
  • Andrea Cerulli (1)
  • Essam Ghadafi (2)
  • Jens Groth (1)
  • Mohammad Hajiabadi (3)
  • Sune K. Jakobsen (1)
  1. University College London, London, UK
  2. University of the West of England, Bristol, UK
  3. University of California, Berkeley, USA