TY - GEN
T1 - Linear-time zero-knowledge proofs for arithmetic circuit satisfiability
AU - Bootle, Jonathan
AU - Cerulli, Andrea
AU - Ghadafi, Essam
AU - Groth, Jens
AU - Hajiabadi, Mohammad
AU - Jakobsen, Sune K.
N1 - Funding Information:
The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP/2007–2013)/ERC Grant Agreement no. 307937.
Funding Information:
The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013)/ERC Grant Agreement no. 307937. E. Ghadafi and M. Hajiabadi-Part of the work was done while at University College London.
Publisher Copyright:
© International Association for Cryptologic Research 2017.
PY - 2017
Y1 - 2017
N2 - We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact. Our construction proceeds in three steps. First, we give a zeroknowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.
AB - We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact. Our construction proceeds in three steps. First, we give a zeroknowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.
UR - http://www.scopus.com/inward/record.url?scp=85037841927&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85037841927&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-70700-6_12
DO - 10.1007/978-3-319-70700-6_12
M3 - Conference contribution
AN - SCOPUS:85037841927
SN - 9783319706993
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 336
EP - 365
BT - Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings
A2 - Takagi, Tsuyoshi
A2 - Peyrin, Thomas
PB - Springer Verlag
T2 - 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017
Y2 - 3 December 2017 through 7 December 2017
ER -