Advertisement

Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting

  • Jonathan Bootle
  • Andrea Cerulli
  • Pyrros Chaidos
  • Jens Groth
  • Christophe Petit
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)

Abstract

We provide a zero-knowledge argument for arithmetic circuit satisfiability with a communication complexity that grows logarithmically in the size of the circuit. The round complexity is also logarithmic and for an arithmetic circuit with fan-in 2 gates the computation of the prover and verifier is linear in the size of the circuit. The soundness of our argument relies solely on the well-established discrete logarithm assumption in prime order groups.

At the heart of our new argument system is an efficient zero-knowledge argument of knowledge of openings of two Pedersen multicommitments satisfying an inner product relation, which is of independent interest. The inner product argument requires logarithmic communication, logarithmic interaction and linear computation for both the prover and the verifier.

We also develop a scheme to commit to a polynomial and later reveal the evaluation at an arbitrary point, in a verifiable manner. This is used to build an optimized version of the constant round square root complexity argument of Groth (CRYPTO 2009), which reduces both communication and round complexity.

Keywords

Sigma-protocol Zero-knowledge argument Arithmetic circuit Discrete logarithm assumption 

Supplementary material

References

  1. 1.
    Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Bayer, S., Groth, J.: Zero-knowledge argument for polynomial evaluation with application to blacklists. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 646–663. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security – CCS 1993, pp. 62–73 (1993)Google Scholar
  4. 4.
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX Security Symposium 2014, pp. 781–796 (2014)Google Scholar
  6. 6.
    Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Innovations in Theoretical Computer Science – ITCS 2012, pp. 326–349 (2012)Google Scholar
  7. 7.
    Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proof-carrying data. In: Symposium on Theory of Computing Conference – TCC 2013, pp. 111–120 (2013)Google Scholar
  8. 8.
    Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Cantor, D.G.: On arithmetical algorithms over finite fields. J. Comb. Theor. Ser. A 50(2), 285–300 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Cramer, R., Damgård, I.B.: Zero-knowledge proofs for finite field arithmetic or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  11. 11.
    Danezis, G.: Petlib: a Python library that implements a number of privacy enhancing technologies (PETs) (2015). https://github.com/gdanezis/petlib
  12. 12.
    Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptology 19(2), 169–209 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  14. 14.
    Gentry, C., Groth, J., Ishai, Y., Peikert, C., Sahai, A., Smith, A.: Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. J. Cryptology 28(4), 820–843 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Goldreich, O., Håstad, J.: On the complexity of interactive proofs with bounded communication. Inf. Process. Lett. 67(4), 205–214 (1998)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Goldreich, O., Vadhan, S.P., Wigderson, A.: On interactive proofs with a laconic prover. Comput. Complex. 11(1–2), 1–53 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proofs. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Groth, J.: Honest verifier zero-knowledge arguments applied. Ph.D. thesis, University of Aarhus (2004)Google Scholar
  20. 20.
    Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Wang, X., Lee, D.H. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  21. 21.
    Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  24. 24.
    Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015)Google Scholar
  25. 25.
    Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  26. 26.
    Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  27. 27.
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Symposium on Theory of Computing Conference – TCC 1992, pp. 723–732 (1992)Google Scholar
  28. 28.
    Lim, C.H.: Efficient multi-exponentiation and application to batch verification of digital signatures, manuscript (2000). http://dasan.sejong.ac.kr/ chlim/pub/multi_exp.ps
  29. 29.
    Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology 16(3), 143–184 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  31. 31.
    Möller, B.: Algorithms for multi-exponentiation. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 165–180. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  32. 32.
    Möller, B., Rupp, A.: Faster multi-exponentiation through caching: accelerating (EC) DSA signature verification. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 39–56. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Oliphant, T.E.: A guide to NumPy, vol. 1. Trelgol Publishing, USA (2006)Google Scholar
  34. 34.
    Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy, pp. 238–252 (2013)Google Scholar
  35. 35.
    Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptology 4(3), 161–174 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Seo, J.H.: Round-efficient sub-linear zero-knowledge arguments for linear algebra. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 387–402. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  37. 37.
    Shoup, V.: NTL: a library for doing number theory (2001). http://www.shoup.net/ntl/

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Jonathan Bootle
    • 1
  • Andrea Cerulli
    • 1
  • Pyrros Chaidos
    • 1
  • Jens Groth
    • 1
  • Christophe Petit
    • 2
  1. 1.University College LondonLondonUK
  2. 2.University of OxfordOxfordUK

Personalised recommendations