Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact. Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.

[1]  Rafail Ostrovsky,et al.  Zero-Knowledge Proofs from Secure Multiparty Computation , 2009, SIAM J. Comput..

[2]  Eli Ben-Sasson,et al.  Short Interactive Oracle Proofs with Constant Query Complexity, via Composition and Sumcheck , 2016, IACR Cryptol. ePrint Arch..

[3]  Eli Ben-Sasson,et al.  Interactive Oracle Proofs , 2016, TCC.

[4]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[5]  Markus Jakobsson,et al.  Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function , 1997, EUROCRYPT.

[6]  Robert G. Gallager,et al.  Low-density parity-check codes , 1962, IRE Trans. Inf. Theory.

[7]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[8]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[9]  Venkatesan Guruswami,et al.  Expander-based constructions of efficiently decodable codes , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[10]  Silvio Micali,et al.  Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing , 1996, CRYPTO.

[11]  Florian Kerschbaum,et al.  Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently , 2013, IACR Cryptol. ePrint Arch..

[12]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[13]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[14]  Venkatesan Guruswami,et al.  Linear-time encodable/decodable codes with near-optimal rate , 2005, IEEE Transactions on Information Theory.

[15]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[16]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[17]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[18]  Daniel A. Spielman,et al.  Linear-time encodable and decodable error-correcting codes , 1995, STOC '95.

[19]  Yuval Ishai,et al.  Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography , 2010, IACR Cryptol. ePrint Arch..

[20]  Venkatesan Guruswami,et al.  Near-optimal linear-time codes for unique decoding and new list-decodable codes over smaller alphabets , 2002, STOC '02.

[21]  Joe Kilian,et al.  A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[22]  Amit Sahai,et al.  Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge , 1998, STOC '98.

[23]  Ignacio Cascudo,et al.  Rate-1, Linear Time and Additively Homomorphic UC Commitments , 2016, CRYPTO.

[24]  Payman Mohassel,et al.  Efficient Zero-Knowledge Proofs of Non-algebraic Statements with Sublinear Amortized Cost , 2015, CRYPTO.

[25]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[26]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[27]  Venkatesan Guruswami,et al.  Linear time encodable and list decodable codes , 2003, STOC '03.

[28]  Yuval Ishai,et al.  Low-Complexity Cryptographic Hash Functions , 2017, ITCS.

[29]  Yuval Ishai,et al.  Scalable Secure Multiparty Computation , 2006, CRYPTO.

[30]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[31]  Nir Bitansky,et al.  Erratum: Succinct Non-interactive Arguments via Linear Interactive Proofs , 2013, TCC.

[32]  R. Cramer,et al.  Linear Zero-Knowledgde. A Note on Efficient Zero-Knowledge Proofs and Arguments , 1996 .

[33]  Jens Groth,et al.  Linear Algebra with Sub-linear Zero-Knowledge Arguments , 2009, CRYPTO.

[34]  Jens Groth,et al.  Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting , 2016, EUROCRYPT.

[35]  Eli Ben-Sasson,et al.  Quasi-Linear Size Zero Knowledge from Linear-Algebraic PCPs , 2016, TCC.

[36]  Erez Petrank,et al.  Simulatable Commitments and Efficient Concurrent Zero-Knowledge , 2003, EUROCRYPT.

[37]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[38]  Yuval Ishai,et al.  Linear-time encodable codes meeting the gilbert-varshamov bound and their cryptographic applications , 2014, ITCS.

[39]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[40]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[41]  Rafail Ostrovsky,et al.  Cryptography with constant computational overhead , 2008, STOC.

[42]  Melissa Chase,et al.  Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials , 2016, CRYPTO.

[43]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[44]  Ivan Damgård,et al.  Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free? , 1998, CRYPTO.

[45]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[46]  Ivan Damgård,et al.  On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations , 2012, ICITS.

[47]  Claudio Orlandi,et al.  Privacy-Free Garbled Circuits with Applications To Efficient Zero-Knowledge , 2015, IACR Cryptol. ePrint Arch..

[48]  Payman Mohassel,et al.  Sublinear Zero-Knowledge Arguments for RAM Programs , 2017, EUROCRYPT.

[49]  Yael Tauman Kalai,et al.  Interactive PCP , 2007 .

[50]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[51]  Yuval Ishai,et al.  Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs , 2015, Journal of Cryptology.