BooLigero: Improved Sublinear Zero Knowledge Proofs for Boolean Circuits

Abstract

We provide a modified version of the Ligero sublinear zero knowledge proof system for arithmetic circuits provided by Ames et al. (CCS ’17). Our modification “BooLigero” tailors Ligero for use in Boolean circuits to achieve a significant improvement in proof size. Although the original Ligero system could be used for Boolean circuits, Ligero generally requires allocating an entire field element to represent a single bit on a wire in a Boolean circuit. In contrast, our system performs operations over words of bits, allowing a proof size savings of between \(O((\log \vert \mathbb {F} \vert )^{1/4})\) and \(O((\log \vert \mathbb {F} \vert )^{1/2})\) compared to Ligero, where \(\mathbb {F} \) is the field that leads to the optimal proof size in original Ligero. We achieve improvements in proof size of approximately 1.1–1.6x for SHA-2 and 1.7–2.8x for SHA-3. In addition to checking constraints of standard Boolean operations such as AND, XOR, and NOT over words, BooLigero also supports several other constraints such as multiplication in \(\text {GF} (2^w) \), bit masking, testing for zero bits, bit rearrangement within and across words, and bitwise outer product. Most of these techniques batch very efficiently, with only a constant overhead regardless of how many constraints of the same type are tested. Like Ligero, our construction requires no trusted setup and no computational assumptions, which is ideal for blockchain applications. It is plausibly post-quantum secure in the standard model. Furthermore, it is public-coin, perfect honest-verifier zero knowledge, and can be made non-interactive in the random oracle model using the Fiat-Shamir transform.

A Proofs of Lemmas

Proof

(Security of Test-And-Constraints). We must show that \(\mathbf{Test} \text {-}\mathbf{And} \text {-}\mathbf{Constraints} \) is complete, zero-knowledge, and sound up to error \(3(1/2^\kappa ) + \delta _1 + \delta _2 + \delta _3\), where \(\delta _1\) is the soundness error of \(\mathbf{Test}- \mathbf{Quadratic}- \mathbf{Constraints}- \mathbf{IRS} \), \(\delta _2\) is the soundness error of \(\mathbf{Test}- \mathbf{Linear}- \mathbf{Constraints}- \mathbf{IRS} \), and \(\delta _3\) is the soundness error of \(\mathbf{Test}- \mathbf{Interleaved} \).

Completeness: If \(\mathcal {P}\) is honest, then all variables are well-formed. We must show that following the process described in step 1(b) of Fig. 3 will lead to computing bitwise AND. Elements in \(\text {GF} (2^w) \) are polynomials over \(\text {GF} (2)\) of degree at most \((w-1)\), and multiplication in \(\text {GF} (2^w) \) is polynomial multiplication modulo an irreversible polynomial. As in step 1(a), let \(w_0 = \lfloor \sqrt{w} \rfloor \). Fix \(i \in [N]\).

By construction, the polynomial representations of all \(\hat{y}_{i,h}\) variables (for \(h \in [w_1]\)) have degree at most \(w_0-1\). They can be written as \(\sum _{k=0}^{w_0-1} c_{k} v^k\), where v is the polynomial variable and c is the coefficient (either 0 or 1).

The \(\hat{x}_{i,h}\) variables are of the form \(\sum _{k=0}^{w_0-1} d_{k} v^{kw_0}\) (using d as the coefficient). Thus, if we multiply \(\hat{x}_{i,h} * \hat{y}_{i,h}\), the result can be written as:

$$\begin{aligned} \hat{z}_{i,h}&= \hat{x}_{i,h} * \hat{y}_{i,h} = \left( \sum _{k=0}^{w_0-1} d_k v^{kw_0} \right) \left( \sum _{k=0}^{w_0-1} c_k v^k \right) \\&= d_0 \left( \sum _{k=0}^{w_0-1} c_k v^k \right) + d_1 \left( \sum _{k=0}^{w_0-1} c_k v^{w_0+k} \right) + \ldots + d_{w_0-1} \left( \sum _{k=0}^{w_0-1} c_k v^{(w_0-1)w_0+k} \right) \\&= \left( d_0 c_0 v^0 + \ldots + d_0 c_{w_0-1} v^{w_0-1} \right) \\&~~~~~~~~~~~~~~~~~~~ + \left( d_1 c_0 v^{w_0} + \ldots + d_1 c_{w_0-1} v^{2w_0-1} \right) \\&~~~~~~~~~~~~~~~~~~~ + \ldots + \left( d_{w_0-1} c_0 v^{(w_0-1)w_0} + \ldots + d_{w_0-1} c_{w_0-1} v^{w_0^2-1} \right) \\&= \sum _{k=0}^{w_0^2-1} d_{\lfloor k/w_0 \rfloor } c_{(k \mod w_0)} v^{k} \end{aligned}$$

First, notice that the degree of this polynomial is at most \(w_0^2-1\), so by construction, this polynomial will not need to be reduced modulo the irreducible polynomial. Next, notice that the coefficient \(e_k\) of \(v^k\) can be written as \(e_k = d_{\lfloor k/w_0 \rfloor } c_{(k \mod w_0)}\). But the c and d coefficients correspond to the bits of \(\hat{x}_{i,h}\) and \(\hat{y}_{i,h}\), which in turn correspond to the bits of \(x_i\) and \(y_i\). So if we wish to know the AND of \(c_{k'}\) and \(d_{k'}\), we can look at the coefficient of \(v^k\), for the k for which \(k' = \lfloor k/w_0 \rfloor = (k \mod w_0)\), This will occur at \(k=k'w_0 + k'\). Thus, each \(\hat{z}_{i,h}\) can be used to find the AND of \(w_0\) bits. For \(k' \in \{0, \ldots , w_0-1\}\), bit \(\hat{z}_{i,h}[1 + k' + k'w_0]\) is the AND of \(\hat{x}_{i,h}[1 + w_0 k']\) and \(\hat{y}_{i,h}[1+k']\).

Zooming back out to \(z_i\), we find that each bit of \(z_i\) can be found as \(z_i[k] = \hat{z}_{i,\lfloor \frac{k+1}{w_0} \rfloor }[1 + ((k-1) \mod w_0) + w_0((k-1) \mod w_0)]\). Since the \(\hat{z}_{i,h}\) variables were formed correctly from the \(\hat{x}_{i,h}\) and \(\hat{y}_{i,h}\) variables, which were formed correctly from \(x_i\) and \(y_i\), \(z_i\) will be the AND of \(x_i\) and \(y_i\) for all \(i \in [N]\), as desired.

Zero-knowledge: Deferred to full version [22].

Soundness: Suppose \(\mathcal {P}\) is cheating, that is, there is at least one \((x_i, y_i, z_i)\) triple for which \( z_i \ne x_i \& y_i\). Without loss of generality, let \(i=1\) be an index on which the prover cheats.

If the Ligero matrix is not well-formed, \(\mathbf{Test}- \mathbf{Interleaved} \) will fail with probability at least \(1-\delta _3\); we assume this is not the case for the rest of the proof.

If \( z_1 \ne x_1 \& y_1\), then one of the following must be true:

1. 1.

   There exists an \(h \in [w_1]\) for which \(\hat{z}_{1,h} \ne \hat{x}_{1,h} * \hat{y}_{1,h}\).

2. 2.

   The \(\hat{x}_{1,h}\) variables were not properly formed from \(x_1\). That is, \(T _{\pi _x} [x_1, \hat{x}_{1,1}, \ldots , \hat{x}_{1,w_1}, x_1]^\perp \ne \vec {0}.\) The same may be true for \(T _{\pi _y}\) on the y variables, or \(T _{\pi _z}\) on the z variables.

If the former is true, then \(\mathbf{Test}- \mathbf{Quadratic}- \mathbf{Constraints}- \mathbf{IRS} \) will fail with probability at least \(1 - \delta _1\). If the latter is true, then either \(\mathbf{Test}- \mathbf{Linear}- \mathbf{Constraints}- \mathbf{IRS} \) will fail with probability at least \(1-\delta _2\), or the pattern-checking part of \(\mathbf{Test} \text {-}\mathbf{Pattern} \text {-}\mathbf{Zeros}- \mathbf{Constraints} \) for \(R _x\) will fail with probability at most \(1/2^\kappa \). Similarly for \(R _y\) and \(R _z\). Thus, by a Union bound, the overall protocol has soundness error \(3(1/2^\kappa ) + \delta _1 + \delta _2 + \delta _3\) over the verifier’s coins.