Linear Algebra with Sub-linear Zero-Knowledge Arguments

  • Jens Groth
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)


We suggest practical sub-linear size zero-knowledge arguments for statements involving linear algebra. Given commitments to matrices over a finite field, we give a sub-linear size zero-knowledge argument that one committed matrix is the product of two other committed matrices. We also offer a sub-linear size zero-knowledge argument for a committed matrix being equal to the Hadamard product of two other committed matrices. Armed with these tools we can give many other sub-linear size zero-knowledge arguments, for instance for a committed matrix being upper or lower triangular, a committed matrix being the inverse of another committed matrix, or a committed matrix being a permutation of another committed matrix.

A special case of what can be proved using our techniques is the satisfiability of an arithmetic circuit with N gates. Our arithmetic circuit zero-knowledge argument has a communication complexity of \(O(\sqrt{N})\) group elements. We give both a constant round variant and an O(logN) round variant of our zero-knowledge argument; the latter has a computation complexity of O(N/logN) exponentiations for the prover and O(N) multiplications for the verifier making it efficient for the prover and very efficient for the verifier. In the case of a binary circuit consisting of NAND-gates we give a zero-knowledge argument of circuit satisfiability with a communication complexity of \(O(\sqrt{N})\) group elements and a computation complexity of O(N) multiplications for both the prover and the verifier.


Sub-linear size zero-knowledge arguments public-coin special honest verifier zero-knowledge Pedersen commitments linear algebra circuit satisfiability 


  1. [ALM+98]
    Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and the hardness of approximation problems. Journal of the ACM 45(3), 501–555 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  2. [AS98]
    Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. Journal of the ACM 45(1), 70–122 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  3. [BSGH+05]
    Ben-Sasson, E., Goldreich, O., Harsha, P., Sudan, M., Vadhan, S.P.: Short PCPs verifiable in polylogarithmic time. In: IEEE Conference on Computational Complexity, pp. 120–134 (2005)Google Scholar
  4. [Cha81]
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  5. [Din07]
    Dinur, I.: The PCP theorem by gap amplification. Journal of the ACM 54(3) (2007)Google Scholar
  6. [GI08]
    Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008), Scholar
  7. [GKR08]
    Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: STOC, pp. 113–122 (2008)Google Scholar
  8. [Gro03]
    Groth, J.: A verifiable secret shuffle of homomorphic encryptions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 145–160. Springer, Heidelberg (2002), ePrint Archive: Scholar
  9. [Gro04]
    Groth, J.: Honest verifier zero-knowledge arguments applied. Dissertation Series DS-04-3, BRICS. Ph.D thesis, pp. xii+119 (2004)Google Scholar
  10. [IKOS07]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC, pp. 21–30 (2007)Google Scholar
  11. [Joh00]
    Johnson, D.: Challenges for theoretical computer science (2000),
  12. [Kil92]
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC, pp. 723–732 (1992)Google Scholar
  13. [KR08]
    Kalai, Y.T., Raz, R.: Interactive pcp. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 536–547. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. [Lim00]
    Lim, C.H.: Efficient multi-exponentiation and application to batch verification of digital signatures (2000),
  15. [Nef01]
    Andrew Neff, C.: A verifiable secret shuffle and its application to e-voting. In: ACM CCS, pp. 116–125 (2001)Google Scholar
  16. [Ped91]
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  17. [Pip80]
    Pippenger, N.: On the evaluation of powers and monomials. SIAM Journal of Computing 9(2), 230–250 (1980)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jens Groth
    • 1
  1. 1.University College LondonUK

Personalised recommendations