Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

Bootle, Jonathan; Cerulli, Andrea; Ghadafi, Essam; Groth, Jens; Hajiabadi, Mohammad; Jakobsen, S.

doi:10.1007/978-3-319-70700-6_12

Cited by 51 publications

(18 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our permutation argument given in Figure 9 is similar to that of Bootle et al [23]. If the prover commits to f (X ) = n i=1 a i X i , then we have for random challenges β, γ ∈ F p that n i=1…”

Section: A the Polynomial Permutation Argumentmentioning

confidence: 94%

“…Symmetric primitives such as Reed-Solomon codes have recently been gaining attention for their post-quantum potential, as there are no known quantum attacks on error-correcting codes and protocols that use them do not require expensive and trusted pre-processing phases. Schemes that use these techniques [2,9,23] are typically made non-interactive in the random oracle model, as opposed to the quantum random oracle model, and designing efficient zeroknowledge protocols in the quantum random oracle model [21] remains an open problem. The codes are typically cheap to compute for the prover.…”

Section: Related Workmentioning

confidence: 99%

“…A large part of its overhead comes from compiling the addition gates, and the authors observed that when there are many repetitions of the same addition gates in the same layer, it is possible to batch the compilation. Bootle et al [23] introduce a model that they call the ideal linear commitment (ILC) model in which a prover can commit to vectors by sending them to a channel, and a verifier can query the channel on linear combinations of the committed vectors. They then compile the ILC programs into proofs using a code by Ishai et al [48] which can be computed in linear time.…”

Section: Related Workmentioning

confidence: 99%

“…We use the structure of s(X , Y ) in order to prove its correct calculation using a permutation argument, which itself has a grandproduct argument as an underlying component. We take inspiration from our main construction and from the permutation and grandproduct arguments described by Bayer and Groth [5] and by Bootle et al [23]. We restrict ourselves to constraint systems for which s(X , Y ) can be expressed as the sum of M polynomials, where the j-th such polynomial is of the form…”

Section: Succinct Signatures Of Correct Computationmentioning

confidence: 99%

See 3 more Smart Citations

Sonic

Maller

Bowe²,

Kohlweiss

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

185

View full text Add to dashboard Cite

Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations.Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature.

show abstract

Section: A the Polynomial Permutation Argumentmentioning

confidence: 94%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Succinct Signatures Of Correct Computationmentioning

confidence: 99%

See 2 more Smart Citations

Sonic

Maller

Bowe²,

Kohlweiss

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

185

View full text Add to dashboard Cite

show abstract

“…Bootle et al [7] construct arguments with logarithmic communication complexity and linear computation costs based on the discrete logarithm assumption. Recent progress [8] yields zero-knowledge arguments with constant overhead for the prover, and square-root communication costs, though the large constants involved in the construction prevent it from being practical. For more specialised languages, such as range proofs, membership arguments, and polynomial evaluation arguments, there are numerous constructions [28,2], including some extremely simple Σ-protocols.…”

Section: Related Workmentioning

confidence: 99%

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Bootle

Groth

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art.

show abstract

Post‐quantum secure two‐party computing protocols against malicious adversaries

Huo,

Zhao,

Qin

et al. 2023

Concurrency and Computation

View full text Add to dashboard Cite

SummarySecure two‐party computation allows a pair of parties to compute a function together while keeping their inputs private. Ultimately, each party receives only its own correct output. In this paper, a post‐quantum secure two‐party computation protocol is proposed that can be used to effectively block malicious parties. The protocol solves the problems of traditional protocols based on garbled circuits, which are vulnerable to quantum attacks, high communication costs and low computational efficiency. The input garbled keys of the circuit constructor is structured as a Learning with Error (LWE) equation, enabling the circuit constructor to employ a zero‐knowledge proof that demonstrates the uniformity of inputs across all circuits.In the key transfer phase, an LWE‐based batch single‐choice cut‐and‐choose oblivious transfer is proposed to avoid selective failure attacks. In addition, the protocol employs a penalty mechanism to detect if the circuit constructor has generated an incorrect circuit. We have compared the communication overhead of this protocol with three other secure two‐party computation protocols based on Cut‐and‐Choose technology. The analytical results show that this protocol has the best error probability and is resilient to quantum attacks under the malicious adversary model. In addition, with appropriate parameters, the protocol is able to reduce its communication bandwidth by an average of 40.41%.

show abstract

Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

Cited by 51 publications

References 49 publications

Sonic

Sonic

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Post‐quantum secure two‐party computing protocols against malicious adversaries

Contact Info

Product

Resources

About