Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

  • Jonathan BootleEmail author
  • Andrea Cerulli
  • Essam Ghadafi
  • Jens Groth
  • Mohammad Hajiabadi
  • Sune K. Jakobsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10626)


We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses \(\mathcal {O}(N)\) multiplications and the verifier only uses \(\mathcal {O}(N)\) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact.

Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.


Zero-knowledge Arithmetic circuit Ideal linear commitments 


  1. [AHI+17]
    Applebaum, B., Haramaty, N., Ishai, Y., Kushilevitz, E., Vaikuntanathan, V.: Low-complexity cryptographic hash functions. Cryptology ePrint Archive, Report 2017/036 (2017).
  2. [BCC+16]
    Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). Scholar
  3. [BCCT12]
    Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Innovations in Theoretical Computer Science Conference-ITCS. ACM (2012)Google Scholar
  4. [BCCT13]
    Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proof-carrying data. In: ACM Symposium on Theory of Computing-STOC. ACM (2013)Google Scholar
  5. [BCG+13]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). Scholar
  6. [BCI+13]
    Bitansky, N., Chiesa, A., Ishai, Y., Ostrovsky, R., Paneth, O.: Erratum: succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, p. E1. Springer, Heidelberg (2013). Scholar
  7. [BFM88]
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: ACM Symposium on Theory of Computing-STOC. ACM (1988)Google Scholar
  8. [BJY97]
    Bellare, M., Jakobsson, M., Yung, M.: Round-optimal zero-knowledge arguments based on any one-way function. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 280–305. Springer, Heidelberg (1997). Scholar
  9. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (ACM CCS). ACM (1993)Google Scholar
  10. [BSCG+16]
    Ben-Sasson, E., Chiesa, A., Gabizon, A., Riabzev, M., Spooner, N.: Short interactive oracle proofs with constant query complexity, via composition and sumcheck. In: Electronic Colloquium on Computational Complexity (ECCC) (2016)Google Scholar
  11. [BSCGV16]
    Ben-Sasson, E., Chiesa, A., Gabizon, A., Virza, M.: Quasi-linear size zero knowledge from linear-algebraic PCPs. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 33–64. Springer, Heidelberg (2016). Scholar
  12. [BSCS16]
    Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). Scholar
  13. [CD98]
    Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). Scholar
  14. [CDD+16]
    Cascudo, I., Damgård, I., David, B., Döttling, N., Nielsen, J.B.: Rate-1, linear time and additively homomorphic UC commitments. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 179–207. Springer, Heidelberg (2016). Scholar
  15. [CDP12]
    Cramer, R., Damgård, I., Pastro, V.: On the amortized complexity of zero knowledge protocols for multiplicative relations. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 62–79. Springer, Heidelberg (2012). Scholar
  16. [CDS94]
    Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). Scholar
  17. [CGM16]
    Chase, M., Ganesh, C., Mohassel, P.: Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials. Cryptology ePrint Archive, Report 2016/583 (2016).
  18. [Dam00]
    Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). Scholar
  19. [DI06]
    Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006). Scholar
  20. [DI14]
    Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications. In: Innovations in Theoretical Computer Science Conference-ITCS. ACM (2014)Google Scholar
  21. [DIK10]
    Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010). Scholar
  22. [FNO15]
    Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 191–219. Springer, Heidelberg (2015). Scholar
  23. [FS86]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  24. [Gal62]
    Gallager, R.G.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21 (1962)MathSciNetCrossRefGoogle Scholar
  25. [GGI+14]
    Gentry, C., Groth, J., Ishai, Y., Peikert, C., Sahai, A., Smith, A.: Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. J. Cryptol. (2014)Google Scholar
  26. [GGPR13]
    Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). Scholar
  27. [GI01]
    Guruswami, V., Indyk, P.: Expander-based constructions of efficiently decodable codes. In: Symposium on Foundations of Computer Science-FOCS. IEEE Computer Society (2001)Google Scholar
  28. [GI02]
    Guruswami, V., Indyk, P.: Near-optimal linear-time codes for unique decoding and new list-decodable codes over smaller alphabets. In: ACM Symposium on Theory of Computing-STOC. ACM (2002)Google Scholar
  29. [GI03]
    Guruswami, V., Indyk, P.: Linear time encodable and list decodable codes. In: ACM Symposium on Theory of Computing-STOC. ACM (2003)Google Scholar
  30. [GI05]
    Guruswami, V., Indyk, P.: Linear-time encodable/decodable codes with near-optimal rate. IEEE Trans. Inf. Theory 51(10), 3393 (2005)MathSciNetCrossRefGoogle Scholar
  31. [GKR08]
    Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: ACM Symposium on Theory of Computing-STOC. ACM (2008)Google Scholar
  32. [GMR85]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: ACM Symposium on Theory of Computing-STOC. ACM (1985)Google Scholar
  33. [GQ88]
    Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). Scholar
  34. [Gro04]
    Groth, J.: Honest verifier zero-knowledge arguments applied. BRICS (2004)Google Scholar
  35. [Gro09]
    Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). Scholar
  36. [Gro10]
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). Scholar
  37. [Gro16]
    Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). Scholar
  38. [GSV98]
    Goldreich, O., Sahai, A., Vadhan, S.: Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge. In: ACM Symposium on Theory of Computing-STOC. ACM (1998)Google Scholar
  39. [HM96]
    Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996). Scholar
  40. [HMR15]
    Hu, Z., Mohassel, P., Rosulek, M.: Efficient zero-knowledge proofs of non-algebraic statements with sublinear amortized cost. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 150–169. Springer, Heidelberg (2015). Scholar
  41. [IKOS08]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: ACM Symposium on Theory of Computing-STOC. ACM (2008)Google Scholar
  42. [IKOS09]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121 (2009)MathSciNetCrossRefGoogle Scholar
  43. [JKO13]
    Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: ACM Conference on Computer and Communications Security (ACM CCS). ACM (2013)Google Scholar
  44. [Kil92]
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: ACM Symposium on Theory of Computing-STOC. ACM (1992)Google Scholar
  45. [KR08]
    Kalai, Y.T., Raz, R.: Interactive PCP. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 536–547. Springer, Heidelberg (2008). Scholar
  46. [MP03]
    Micciancio, D., Petrank, E.: Simulatable commitments and efficient concurrent zero-knowledge. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 140–159. Springer, Heidelberg (2003). Scholar
  47. [MRS17]
    Mohassel, P., Rosulek, M., Scafuro, A.: Sublinear zero-knowledge arguments for RAM programs. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 501–531. Springer, Cham (2017). Scholar
  48. [PHGR13]
    Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy. IEEE Computer Society (2013)Google Scholar
  49. [Sch91]
    Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161 (1991)CrossRefGoogle Scholar
  50. [Spi95]
    Spielman, D.A.: Linear-time encodable and decodable error-correcting codes. In: ACM Symposium on Theory of Computing-STOC. ACM (1995)Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Jonathan Bootle
    • 1
    Email author
  • Andrea Cerulli
    • 1
  • Essam Ghadafi
    • 2
  • Jens Groth
    • 1
  • Mohammad Hajiabadi
    • 3
  • Sune K. Jakobsen
    • 1
  1. 1.University College LondonLondonUK
  2. 2.University of the West of EnglandBristolUK
  3. 3.University of CaliforniaBerkeleyUSA

Personalised recommendations