Ligero

Scott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017
We design and implement a simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square root of the verification circuit size. The protocol can be based on any collision-resistant hash function. Alternatively, it can be made non-interactive in the random oracle model, yielding concretely efficient zk-SNARKs that do not require a trusted setup or public-key cryptography. Our protocol is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications. For instance, for verifying a SHA-256 preimage in zero-knowledge with 2^-40 soundness error, the communication complexity is roughly 44KB (or less than 34KB under a plausible conjecture), the prover running time is 140 ms, and the verifier running time is 62 ms. This proof is roughly 4 times shorter than a similar proof of ZKB++ (Chase et al., CCS 2017), an optimized variant of ZKBoo (Giacomelli et al., USENIX 2016). The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For 2^-40 soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. Our efficiency advantages become even bigger in an amortized setting, where several instances need to be proven simultaneously. Our zero-knowledge protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (STOC 2007) to a variant of the protocol for secure multiparty computation of Damgård and Ishai (Crypto 2006). It can be viewed as a simple zero-knowledge interactive PCP based on "interleaved" Reed-Solomon codes.

¹ The GKR technique has recently been extended to the case of NP statements by Zhang et al. [48]. However, the communication complexity of the resulting arguments still grows with the verification circuit depth, and moreover their efficient instantiation requires the use of public-key cryptography.

Session J1: Outsourcing. CCS'17, October 30-November 3, 2017, Dallas, TX, USA

Theorem 1.1 (Informal). Assume the existence of collision-resistant hash functions. Then there is a public-coin zero-knowledge argument for proving the satisfiability of a circuit C with communication complexity Õ(√|C|).

Concrete efficiency. We now give more detailed information about the concrete efficiency of our implementation.
The following numbers apply either to interactive zero-knowledge protocols based on collision-resistant hash functions or to non-interactive zk-SNARKs in the random oracle model obtained via the Fiat-Shamir transform. We refer the reader to Section 6 for more details and give only a few representative figures below. The communication complexity of proving the satisfiability of an arithmetic circuit with s > 30000 gates over a finite field F of size |F| ≥ 2^128 with soundness error 2^-40 consists of roughly 95√s field elements (or 70√s elements under Conjecture 4.1). For the case of 2^-80 error, the communication is roughly 140√s (or 120√s under Conjecture 4.1). In the case of Boolean circuits, the communication complexity becomes smaller than the circuit size for circuits with more than roughly 3 million gates. One concrete benchmark that has been used in prior works is verifying a SHA-256 preimage in zero-knowledge. For this benchmark, the communication complexity of our protocol with 2^-40 soundness error is roughly 44KB (or less than 34KB under Conjecture 4.1), the prover running time is 140 ms, and the verifier running time is 62 ms. This is roughly 4 times less communication than a similar proof of ZKB++ [13], an optimized variant of ZKBoo [22]. Requiring 2^-80 soundness error doubles the communication (as in [13, 22]). Our protocol easily extends to a multi-instance setting to provide additional benefits. In this setting, we can handle N instances of a circuit of size s with soundness error 2^-κ at an amortized communication cost per instance smaller than s when N = Ω(κ^2).
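The square-root communication comes from the "interleaved" Reed-Solomon structure named at the end of the abstract: the witness is laid out as a √s × √s matrix, each row is RS-encoded, and the verifier tests all rows at once with one random linear combination plus a few opened columns. The Python below is an added illustration written for this page, not the authors' implementation; the 61-bit field, the evaluation points 0..n-1, the honest-prover simulation and the omission of Merkle column commitments are simplifying assumptions.

```python
import math
import random
import secrets

# Constructed demo field (Mersenne prime 2^61 - 1); the paper assumes |F| >= 2^128.
P = 2**61 - 1

def lagrange_eval(ys, x):
    """Evaluate at x the unique polynomial of degree < len(ys) with f(i) = ys[i]."""
    k, acc = len(ys), 0
    for i in range(k):
        num = den = 1
        for j in range(k):
            if j != i:
                num, den = num * (x - j) % P, den * (i - j) % P
        acc = (acc + ys[i] * num * pow(den, P - 2, P)) % P
    return acc

def rs_encode(msg, n):
    """Reed-Solomon codeword of a k-symbol message: its interpolant evaluated at 0..n-1."""
    return [lagrange_eval(msg, x) for x in range(n)]

def prover_encode(witness, n):
    """Lay a length-s witness out as an m x m matrix (m = ceil(sqrt(s)), zero-padded)
    and RS-encode every row; the result is an m x n 'interleaved' codeword."""
    m = math.isqrt(len(witness) - 1) + 1
    w = list(witness) + [0] * (m * m - len(witness))
    return [rs_encode(w[i * m:(i + 1) * m], n) for i in range(m)]

def interleaved_test(U, t):
    """Verifier's interleaved-code test against the prover's committed matrix U (m x n).
    Returns (accepted, number of field elements the prover sent)."""
    m, n = len(U), len(U[0])
    # Challenge 1: random coefficients; by linearity the combined row must be a codeword.
    r = [secrets.randbelow(P) for _ in range(m)]
    w = [sum(r[i] * U[i][j] for i in range(m)) % P for j in range(n)]
    # Re-encode the first m symbols of w; any mismatch means w is not a codeword.
    if rs_encode(w[:m], n) != w:
        return False, n
    # Challenge 2: open t random columns (Merkle-authenticated in Ligero, omitted here)
    # and check each against w. Cost n + t*m = O(sqrt(s)) elements, whatever the circuit.
    cols = random.sample(range(n), t)
    ok = all(sum(r[i] * U[i][j] for i in range(m)) % P == w[j] for j in cols)
    return ok, n + t * m

if __name__ == "__main__":
    U = prover_encode(list(range(1, 17)), n=12)
    print(interleaved_test(U, t=3))  # honest prover: (True, 24)
```

At s = 16 the cost n + t·m is still larger than s; because it grows as √s while s grows linearly, it eventually drops below s, which is the crossover the abstract reports at roughly 3 million Boolean gates.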
doi:10.1145/3133956.3134104 dblp:conf/ccs/AmesHIV17 fatcat:fe7vy5gt3zhofpsckw65l6hiqi