Skip to main content

Linear-Time Arguments with Sublinear Verification from Tensor Codes

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12551)

Abstract

Minimizing the computational cost of the prover is a central goal in the area of succinct arguments. In particular, it remains a challenging open problem to construct a succinct argument where the prover runs in linear time and the verifier runs in polylogarithmic time.

We make progress towards this goal by presenting a new linear-time probabilistic proof. For any fixed \(\epsilon > 0\), we construct an interactive oracle proof (IOP) that, when used for the satisfiability of an N-gate arithmetic circuit, has a prover that uses O(N) field operations and a verifier that uses \(O(N^{\epsilon })\) field operations. The sublinear verifier time is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time).

When combined with a linear-time collision-resistant hash function, our IOP immediately leads to an argument system where the prover performs O(N) field operations and hash computations, and the verifier performs \(O(N^{\epsilon })\) field operations and hash computations (given a short digest of the N-gate circuit).

Keywords

  • Interactive oracle proofs
  • Tensor codes
  • Succinct arguments

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-64378-2_2
  • Chapter length: 28 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-64378-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.

Notes

  1. 1.

    The sublinear time of the argument verifier is achieved in the preprocessing setting, which means that the verifier receives as input a short digest of the circuit that can be derived by anyone (in linear time). Some form of preprocessing is necessary for sublinear verification because the argument verifier just reading the circuit takes linear time. In turn, preprocessing is enabled by the fact that our IOP is holographic, which means that the IOP verifier has oracle access to a linear-size encoding of the circuit that is computable in linear time. See [CHMMVW20, COS20] for more on how holography leads to preprocessing.

  2. 2.

    Recall that satisfiability of an \(N\)-gate arithmetic circuit is reducible, in linear time, to an R1CS instance where the coefficient matrices are \(N\times N\) and have \(O(N)\) non-zero entries.

  3. 3.

    We stress that this is a non-trivial property, in the sense that other approaches to construct succinct arguments introduce super-constant multiplicative overheads. For example, the transformation from algebraic proofs to succinct arguments in [CHMMVW20] introduces a linear number of exponentiations (which translates to a super-linear number of group operations). These approaches seem unlikely to lead to linear-time succinct arguments, and hence we focus on IOP-based succinct arguments.

  4. 4.

    The “big O” notation here hides a dependence on the output size of the collision-resistant hash function.

  5. 5.

    We remark that the more restricted proof model of Probabilistically Checkable Proofs (PCPs) also directly leads to a succinct argument with only constant computational overheads, however the problem of designing linear-time PCPs, with any non-trivial query complexity, seems far beyond current techniques.

  6. 6.

    Bootle et al. [BCGGHJ17] show how to implement the Ideal Linear Commitment (ILC) model in linear time, which is reminiscent of, but distinct from, the linear IOP model. As noted in [BBCGI19], these are reducible to one another, but with losses in parameters. (Applying the transformation of [BCGGHJ17] to an ILC protocol obtained from a linear IOP does not preserve linear time.).

  7. 7.

    Extended tensor queries capture tensor queries to specific proof strings: for any desired \(i \in [\ell ]\), one can choose \(q_0 \in \mathbb {F}^{\ell }\) to be all zeros except for a 1 in the i-th entry so that \(\langle q_0 \otimes q_1 \otimes \cdots \otimes q_{t},\varPi \rangle = \langle q_1 \otimes \cdots \otimes q_{t},\varPi _i \rangle \).

  8. 8.

    Query complexity for the strategy using local testing would be \(O((\ell +kt) \cdot n)\), while that for our test will be \(O(\ell +kt)\).

  9. 9.

    Let \(\delta = d/n\) be the relative distance of \(\mathcal {C}\). By incurring a multiplicative increase of \(\lambda \) in query complexity, the strategy using local testing gives a soundness error of, e.g., \(O(d^t/|\mathbb {F}|) + (1-\delta ^{O(t)}\cdot \varDelta )^\lambda \) when applied to an input of distance \(\varDelta \) from \(\mathcal {C}^{\otimes t}\). In contrast, the test in this work will give a soundness error that is (approximately) \(O(d^t/|\mathbb {F}|) + (1-\varDelta )^\lambda \).

  10. 10.

    Consider the setting in [RR20], which is a single tensor query (\(\mathsf {q}=1\)) to a single tensor codeword (\(\ell =1\)). The sumcheck protocol in [RR20] branches at each recursion, and has query complexity \(\lambda ^t\) and verifier time to achieve soundness error \(2^{-\varOmega (\lambda )}\). By contrast, we achieve query complexity \(O(\lambda \cdot kt)\) and verifier time \(O(\lambda \cdot \theta kt)\), where \(\theta \) is a constant.

  11. 11.

    We remark that one can improve this cost from linear in the number \(M\) of non-zero entries in \(A,B,C\) to linear in the cost of right multiplication by \(A,B,C\). By the transposition principle (see e.g., [KKB88]), this latter is closely related to the cost \(E\) of left multiplication by \(A,B,C\), which could be much less than \(M\). For example, if \(A\) is the matrix corresponding to a discrete Fourier transform, then \(E=O(N\log N)\) is much less than \(M= \varTheta (N^2)\).

  12. 12.

    When the entries of \(b\) are not distinct, one can consider a more complex \(\mathrm {merge}\) operation; the full version of this paper for details.

  13. 13.

    One can draw parallels between the combination of randomized hashing and the polynomial identity used in this work, and the combination of randomized and multi-set hashing used in the memory-checking circuit of [Set20]. Conceptually, the [GW20] polynomial identity enforces stronger conditions on \(w\), \(a\) and \(b\) than a multi-set hash and removes the need for the time-stamping data used in [Set20].

References

  1. Applebaum, B., Haramaty-Krasne, N., Ishai, Y., Kushilevitz, E., Vaikuntanathan, V.: Low-complexity cryptographic hash functions. In: Proceedings of the 8th Innovations in Theoretical Computer Science Conference, ITCS 2017, pp. 1–31, (2017)

    Google Scholar 

  2. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: Lightweight sublinear arguments without a trusted setup. In: Proceedings of the 24th ACM Conference on Computer and Communications Security, CCS 2017, pp. 2087–2104 (2017)

    Google Scholar 

  3. Benedikt, B., Bootle, J., Dan, B., Andrew, P., Pieter, W., Greg, M.: Bulletproofs: short proofs for confidential transactions and more. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 315–334 (2018)

    Google Scholar 

  4. Boneh, D., Boyle, E., Corrigan-Gibbs, H., Gilboa, N., Ishai, Y.: Zero-knowledge proofs on secret-shared data via fully linear PCPs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 67–97. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_3

    CrossRef  Google Scholar 

  5. Ben-Sasson, E., Bentov, I., Horesh, Y. and Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: Proceedings of the 45th International Colloquium on Automata, Languages and Programming, ICALP 2018. pp. 1–17 (2018)

    Google Scholar 

  6. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    CrossRef  MATH  Google Scholar 

  7. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12

    CrossRef  Google Scholar 

  8. Bootle, J., Cerulli, A., Groth, J., Jakobsen, S., Maller, M.: Arya: nearly linear-time zero-knowledge proofs for correct program execution. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 595–626. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_20

    CrossRef  Google Scholar 

  9. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

    CrossRef  Google Scholar 

  10. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2

    CrossRef  Google Scholar 

  11. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

    CrossRef  Google Scholar 

  12. Ben-Sasson, E.: Sudan, madhu: robust locally testable codes and products of codes. Random Struct. Alg. 28(4), 387–402 (2006)

    CrossRef  Google Scholar 

  13. Sasson, E.B., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: Decentralized anonymous payments from Bitcoin. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014. pp. 459–474, (2014)

    Google Scholar 

  14. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: Preprocessing zksnarks with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

    CrossRef  Google Scholar 

  15. Chiesa, A., Manohar, P., Shinkar, I.: On axis-parallel tests for tensor product codes. In: Proceedings of the 21st International Workshop on Randomization and Computation, RANDOM 2017. pp. 1–22, (2017)

    Google Scholar 

  16. Chiesa, A., Ojha, D., Spooner, N.: Fractal: Post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

    CrossRef  Google Scholar 

  17. Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications. In: Proceedings of the 5th Innovations in Theoretical Computer Science Conference, ITCS 2014. pp. 169–182 (2014)

    Google Scholar 

  18. Shafi, G., Yael, T.K., Guy, N.R.: Delegating computation: interactive proofs for Muggles. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008. pp. 113–122 (2008)

    Google Scholar 

  19. Ariel, G., Zachary J.W.: plookup: A simplified polynomial protocol for lookup tables (2020)

    Google Scholar 

  20. Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_12

    CrossRef  Google Scholar 

  21. Kaminski, M.: Kirkpatrick, David, Bshouty, Nader: addition requirements for matrix and transposed matrix products. J. Alg. 9(3), 354–364 (1988)

    CrossRef  Google Scholar 

  22. Joe, K.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC 1992. pp. 723–732 (1992)

    Google Scholar 

  23. Meir, O.: IP = PSPACE using error-correcting codes. SIAM J. Comput. 42(1), 380–403 (2013)

    MathSciNet  CrossRef  Google Scholar 

  24. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)

    MathSciNet  CrossRef  Google Scholar 

  25. Ozdemir, A., Wahby, R., Whitehat, B., Boneh, D.: Scaling verifiable computation using efficient set accumulators. In: Proceedings of the 29th USENIX Security Symposium, Security 2020. pp. 2075–2092 (2020)

    Google Scholar 

  26. Pippenger, N.: On the evaluation of powers and monomials. SIAM J. Comput. 9(2), 230–250 (1980)

    MathSciNet  CrossRef  Google Scholar 

  27. Ron-Zewi, N., Rothblum, R.: Local proofs approaching the witness length. In: Proceedings of the 61st Annual IEEE Symposium on Foundations of Computer Science FOCS 2020 (2020)

    Google Scholar 

  28. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: Proceedings of the 48th ACM Symposium on the Theory of Computing, STOC 2016. pp. 49–62 (2016)

    Google Scholar 

  29. Setty, S.: Spartan: efficient and general-purpose zksnarks without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

    CrossRef  Google Scholar 

  30. Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5

    CrossRef  Google Scholar 

  31. Viderman, M.: A combination of testability and decodability by tensor products. Random Struct. Alg. 46(3), 572–598 (2015)

    MathSciNet  CrossRef  Google Scholar 

  32. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J, Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 926–943 (2018)

    Google Scholar 

  33. Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: Succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24

    CrossRef  Google Scholar 

  34. Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: Proceedings of the 41st IEEE Symposium on Security and Privacy, S&P 2020. pp. 859–876 (2020)

    Google Scholar 

Download references

Acknowledgements

We are deeply grateful to Sune K. Jakobsen who was instrumental in the early stages of this research project and provided an initial analysis of a compiler from tensor queries to point queries based on tensor codes. We thank Andrea Cerulli for discussions about error correcting codes.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jonathan Bootle .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Bootle, J., Chiesa, A., Groth, J. (2020). Linear-Time Arguments with Sublinear Verification from Tensor Codes. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-64378-2_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64377-5

  • Online ISBN: 978-3-030-64378-2

  • eBook Packages: Computer ScienceComputer Science (R0)