Zero-Knowledge IOPs with Linear-Time Prover and Polylogarithmic-Time Verifier

Bootle, Jonathan; Chiesa, Alessandro; Liu, Siqi

doi:10.1007/978-3-031-07085-3_10

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13276))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

1939 Accesses
13 Citations

Abstract

Interactive oracle proofs (IOPs) are a multi-round generalization of probabilistically checkable proofs that play a fundamental role in the construction of efficient cryptographic proofs.

We present an IOP that simultaneously achieves the properties of zero knowledge, linear-time proving, and polylogarithmic-time verification. We construct a zero-knowledge IOP where, for the satisfiability of an N-gate arithmetic circuit over any field of size $\varOmega (N)$, the prover uses O(N) field operations and the verifier uses ${\mathsf {polylog}}(N)$ field operations (with proof length O(N) and query complexity ${\mathsf {polylog}}(N)$). Polylogarithmic verification is achieved in the holographic setting for every circuit (the verifier has oracle access to a linear-time-computable encoding of the circuit whose satisfiability is being proved).

Our result implies progress on a basic goal in the area of efficient zero knowledge. Via a known transformation, we obtain a zero knowledge argument system where the prover runs in linear time and the verifier runs in polylogarithmic time; the construction is plausibly post-quantum and only makes a black-box use of lightweight cryptography (collision-resistant hash functions).

Access provided by Autonomous University of Puebla. Download conference paper PDF

Linear-Size Constant-Query IOPs for Delegating Computation

Interactive Oracle Proofs

A Toolbox for Barriers on Interactive Oracle Proofs

Keywords

1 Introduction

Zero knowledge proofs enable a prover to convince a verifier that a statement is true without revealing any further information about the statement [28]. The main efficiency measures in a zero knowledge proof are the running time of the prover, the running time of the verifier, and the number of bits exchanged between them. A central goal in the study of zero knowledge proofs is to minimize the complexity of these measures.

Motivated by real-world applications, researchers across multiple communities have invested significant effort, and made much progress, in designing efficient zero knowledge protocols.

Several works (e.g., [18, 24, 31, 32, 36, 52]) focus on prover time. They construct zero-knowledge proofs for circuit satisfiability where the prover’s time complexity is linear in circuit size, which is asymptotically optimal.^{Footnote 1} The drawback of these constructions is that communication complexity and verifier time also grow linearly with circuit size, which is undesirable for many applications.

This drawback is inevitable because, even without zero knowledge, interactive proofs for hard languages with sublinear communication are unlikely [25, 27]. Nevertheless, if instead of considering proofs we consider arguments [15], wherein soundness is required to hold only against efficient adversaries rather than all adversaries, then one can hope to avoid the drawback. For this, rather than studying proofs where zero knowledge holds computationally, one studies arguments where zero knowledge holds statistically.^{Footnote 2}

Succinctness. In a seminal work, Kilian [37] constructed zero knowledge arguments that are succinct: communication complexity and verifier time are polylogarithmic in computation size. While these are essentially optimal, the prover in Kilian’s construction is a polynomial-time algorithm that fails to achieve the asymptotically-optimal linear time achieved via the aforementioned (non-succinct) zero knowledge proofs. Improving the prover time in succinct arguments has been a major goal in a subsequent line of work.

Essentially all approaches for constructing succinct arguments follow the same high-level template: first construct a probabilistic proof in some proof model, and then make a black-box use of cryptography to compile the probabilistic proof into an argument system.

A notable exception are zero-knowledge arguments with a linear-time prover and a polylogarithmic-time verifier. This goal is presently achieved as a consequence of the zero-knowledge argument in [13] (see Sect. 1.3), but only via a non-black-box use of cryptography. This is unfortunate, as black-box results are a cryptographic “gold standard” that typically reflect a deeper understanding, and over time lead to more efficient solutions (once each black-box is suitably optimized), when compared to non-black-box results.

Interactive Oracle Proofs. The above status quo is due to inefficiencies in probabilistic proofs. Prior results on zero-knowledge argument systems with a linear-time prover and sublinear-time verifier rely on compiling interactive oracle proofs (IOPs) [8, 44] into corresponding succinct arguments via a black-box use of suitable collision-resistant hash functions. The verifier time was sublinear rather than polylogarithmic due to the underlying IOP constructions. In particular, the following basic question has remained open:

Do there exist zero-knowledge IOPs with a linear-time prover and a polylogarithmic-time verifier?

In this paper we give a positive answer to this question for arithmetic computations over a large field, and obtain a corresponding black-box result about zero-knowledge succinct arguments. The question of whether an analogous result can be proved for boolean computations remains an exciting open problem.

1.1 Our Results

Our main result is an interactive oracle proof (IOP) [8, 44] that simultaneously achieves zero knowledge, linear-time proving, and polylogarithmic-time verification (so also linear proof length and polylogarithmic query complexity). This implies the first zero-knowledge argument system with linear-time proving and polylogarithmic-time verification (and thus polylogarithmic communication complexity) that makes a black-box use of cryptography. Jumping ahead, our solution uses a lightweight cryptographic primitive (linear-time collision-resistant hash functions) for which there are plausibly post-quantum candidates.

IOP for R1CS. Our IOP is for a standard generalization of arithmetic circuit satisfiability, known as rank-1 constraint satisfiability (R1CS), where the “circuit description” is given by coefficient matrices. This $\textsf {NP}$-complete problem is widely used in the probabilistic proof literature (and beyond) because it efficiently expresses arithmetic circuits^{Footnote 3} and is convenient to use when designing a succinct argument.

Definition 1

(informal). The R1CS problem asks: given a finite field $\mathbb {F}$, coefficient matrices $A,B,C\in \mathbb {F}^{n\times n}$ each containing at most $m= \varOmega (n)$ non-zero entries,^{Footnote 4} and an instance vector $x\in \mathbb {F}^{*}$, is there a witness vector $w\in \mathbb {F}^{*}$ such that $z:= (x, w) \in \mathbb {F}^{n}$ and $Az\circ Bz= Cz$? (Here “$\circ $” denotes the entry-wise product.)

Merely checking the validity of a witness by directly checking the R1CS condition costs $O(m)$ field operations, so “linear time” for R1CS means computations that cost no more than $O(m)$ field operations.

We construct an IOP for the R1CS problem with the parameters below. Our result significantly improves over prior linear-time IOPs, as summarized in Fig. 1 and further discussed in Sect. 1.2.

Theorem 1

(informal). There is a public-coin IOP for R1CS over any field $\mathbb {F}$ of size $\varOmega (m)$, where:

the prover uses $O(m)$ field operations;
the verifier uses ${\mathsf {poly}}(|x|,\log m)$ field operations;
round complexity is $O(\log m)$;
proof length is $O(m)$ elements in $\mathbb {F}$;
query complexity is $O(\log m)$;
soundness error is O(1).

Moreover, the IOP is semi-honest-verifier zero-knowledge.

Succinct Argument for R1CS. The above theorem directly implies a zero-knowledge succinct argument with a linear-time prover and polylogarithmic-time verifier, obtained in a black-box way under standard cryptographic assumptions. The implication involves combining IOPs and linear-time collision resistant hashing [13], as reviewed in Sect. 2.7.

In more detail, the result below relies on any linear-time collision-resistant hash function. Such hash functions are known to exist, e.g., under certain assumptions about finding short codewords in linear codes [1]; moreover, these candidate hash functions are not known to be insecure against quantum adversaries, and so our succinct argument is plausibly post-quantum secure.

Theorem 2

(informal). Using any linear-time collision-resistant hash function with security parameter $\lambda $ as a black box, one can obtain an interactive argument for R1CS, over any field of size $\varOmega (m)$, where:

time complexity of the prover is bounded by the cost of $O(\lambda +m)$ field operations;
time complexity of the verifier is bounded by the cost of ${\mathsf {poly}}(\lambda ,|x|,\log m)$ field operations;
round complexity is $O(\log m)$;
communication complexity is ${\mathsf {poly}}(\lambda ,\log m)$ field elements;
soundness error is O(1).

Moreover, the argument is malicious-verifier zero-knowledge with private coins.^{Footnote 5}

On Zero Knowledge. The notion of semi-honest-verifier zero-knowledge in Theorem 1 means that the IOP prover leaks no information to an honest IOP verifier for any choice of verifier randomness. This suffices for malicious-verifier zero-knowledge in Theorem 2, as explained in Sect. 2.7. We also present results (see Sect. 2.6) that allow us to prove a variant of Theorem 1 where the IOP satisfies the stronger property of bounded-query zero-knowledge, but at the cost of a sublinear verifier time rather than polylogarithmic. Bounded-query zero-knowledge is the hiding notion typically studied for PCPs [38], and often enables reductions in communication complexity when compiling the IOP into a succinct argument. The aforementioned loss in verifier time only comes from the fact that known constructions of “zero knowledge codes” with a linear-time encoder are probabilistic, and the loss could be avoided by derandomizing such families—overcoming this barrier remains an exciting open problem in coding theory.

On Sublinear Verification. The polylogarithmic verifier time in Theorem 1 is achieved in the holographic setting, which means that the verifier is given query access to a linear-length encoding of the coefficient matrices that is computable in linear time. Similarly, polylogarithmic verifier time in Theorem 2 is achieved in the preprocessing setting, which means that the verifier receives as input a short digest of the circuit that can be derived by anyone (in linear time). This follows a general paradigm wherein holographic proofs lead to preprocessing arguments [20, 21]. Holography/preprocessing is necessary for sublinear verification in the general case because just reading the R1CS instance takes linear time.^{Footnote 6}

Open Questions. Our IOP works for satisfiability problems over fields of at least linear size, as is the case for all known linear-time IOPs (see Sect. 1.2); obtaining analogous results for all fields, or just the boolean field, is open. Moreover, our IOP achieves constant soundness error, and the question of additionally achieving a sub-constant soundness error (ideally, negligible in a security parameter) is open. Finally, while our focus is asymptotic efficiency, we are optimistic that the ideas in this paper will facilitate further research that may additionally achieve good concrete efficiency. (We point to specific ideas for this in Sect. 2.) Initial progress in this direction has been made in subsequent work discussed in Sect. 1.3.

1.2 Related Work on Probabilistic Proofs

As our main result concerns IOPs, we summarize prior works on probabilistic proofs that study related questions. Further connections to prior work are given in Sect. 2 where we overview our techniques.

First we discuss a line of work on probabilistic proofs with linear proof length, a necessary condition for a linear-time prover (our goal). The first result was [9], which provides a PCP for boolean circuit satisfiability with linear proof length and sublinear query complexity; this is the only known result for PCPs, and constructing PCPs with linear proof length and polylogarithmic query complexity remains a major open problem. Subsequently, [4] obtained a 3-round IOP for boolean circuit satisfiability with linear proof length and constant query complexity; and [45] showed how to reduce the multiplicative constant in the proof length to arbitrarily close to 1 at the cost of a slightly larger constant round complexity. None of these works study linear-time proving or sublinear-time verification. Here we omit a discussion of numerous works that achieve IOPs with linear size, but not linear prover time, for many other models of computation.

Next, [13] obtained a zero-knowledge IOP for arithmetic circuit satisfiability with linear-time prover and square-root-time verifier. Then [14] improved the verifier time to any sublinear polynomial, but without zero knowledge. We improve on this by simultaneously achieving the properties of zero knowledge and polylogarithmic-time verifier. All of these results require working over a finite field of linear size, and analogous results for boolean circuits are not known. See Fig. 1 for a table comparing these latter works.

Recurring tools across many of these works, as well as this paper, include: the sumcheck protocol for tensor codes [42], proof composition (for PCPs [2] and for IOPs [4]), the linear-time sumcheck [49], and the use of codes without the multiplication property. (The property states that coordinate-wise multiplication of codewords yields codewords in a code whose relative distance is still good.)

The main challenge in designing IOPs with linear-time provers is that one cannot use “useful” codes like the Reed–Solomon code since the encoding time is quasilinear. Instead, prior works resorted to using linear-time encodable codes (e.g., of Spielman [48] or Druk–Ishai [22]) that, unfortunately, do not have the multiplication property, which makes designing IOPs more difficult. (See [41, 42] for more on why the multiplication property is useful in constructing probabilistic proofs.)

Our zero-knowledge IOPs with linear-time prover and polylogarithmic-time verifier achieve a central goal in the area of probabilistic proofs, and to construct them we contribute several novel pieces all towards zero knowledge: (i) constructions of linear-time-encodable codes that satisfy a zero-knowledge property; (ii) structural results on the tensor products of codes that satisfy the zero-knowledge property; (iii) a tensor-query zero-knowledge holographic IOP for R1CS with low randomness complexity; (iv) results on zero knowledge preservation under proof composition.

1.3 Related Work on Succinct Arguments

Our main result implies a result on succinct arguments, and below we summarize prior works relevant to that.

A Non-Black-Box Construction. A relaxation of Theorem 2 that makes a non-black-box use of cryptography is a straightforward implication of [13]. In more detail, [13] obtained a zero-knowledge argument system for arithmetic circuit satisfiability over linear-size fields where the prover runs in linear time and the verifier runs in square-root time. The verifier time can be reduced to polylogarithmic, while preserving zero knowledge and a linear-time prover, by using any zero-knowledge succinct argument with subquadratic prover time to prove that the “outer” verifier would have accepted. A similar implication, however from the non-zero-knowledge succinct argument in [14], is described in subsequent work [29, 40], and thus we refer the reader to that work for more details on these non-black-box approaches. (We remark that [29, 40] additionally contribute ideas and implementations to improve the concrete efficiency of argument systems with a linear-time prover and sublinear-time verifier.)

Black-Box Constructions from Probabilistic Proofs. Essentially all approaches for constructing succinct arguments follow this high-level template: first construct a probabilistic proof in some proof model, and then make a black-box use of cryptography to compile the probabilistic proof into an argument system. The first step alone typically costs more than linear time because it involves (among other things) using the Fast Fourier Transform (FFT) to encode the computation as a polynomial.

Several works [12, 16, 39, 46, 47, 50, 53, 54] construct various forms of succinct arguments without FFTs by first constructing linear-time probabilistic proofs in certain “algebraic” models and then compiling these into arguments by using homomorphic commitments. However, the cryptography introduces quasilinear work for the prover,^{Footnote 7} usually to perform a linear number of multi-exponentiations over a cryptographically-large group (which translates to a quasilinear number of group operations for the prover);^{Footnote 8} we refer the reader to follow up work [29, 40] for a detailed discussion of these quasilinear costs in terms of computation size and the security parameter. In sum, the above line of works has contributed among the best asymptotic prover times for succinct arguments (as well as excellent concrete efficiency), but the cryptography has precluded linear-time provers.

Bootle et al. [13] observe that Kilian’s approach to succinct arguments introduces only linear cryptographic costs, when the collision-resistant hash function used for the compilation is suitably instantiated. (We elaborate on this in Sect. 2.7.) Prior work leveraged this observation to construct argument systems with linear-time prover and sublinear-time verifier, given a collision-resistant hash function as a black box.

[13] achieves an honest-verifier zero knowledge argument system for arithmetic circuit satisfiability with a communication complexity of $O(\sqrt{n})$, where the prover performs $O(n)$ field operations and hash computations while the verifier performs $O(\sqrt{n})$ field operations and hash computations.
[14] achieves, for every $\epsilon >0$, an argument system for R1CS with a communication complexity of $O(n^{\epsilon })$, where the prover performs $O(n)$ field operations and hash computations while the verifier performs $O(n^{\epsilon })$ field operations and hash computations. No zero knowledge property is achieved in this work.

There are linear-time candidates for the hash function [1], leading to a linear-time prover.

In both cases the technical core is the construction of IOPs with a linear-time prover, but, as discussed in Sect. 1.2, these prior works only achieved sublinear query complexity thereby, after compilation, falling short of the goal of polylogarithmic communication complexity. No prior work thus achieves Theorem 2.

Our main result (Theorem 1) offers improved IOP constructions, and we are then able to improve the state of the art of succinct arguments that make a black-box use of cryptography (Theorem 2).

2 Techniques

We overview our approach towards Theorem 1 in Sect. 2.1 and the construction in Sect. 2.2. We provide additional details behind different aspects of the construction in Sects. 2.3 to 2.6. Finally, in Sect. 2.7 we explain how our result about zero-knowledge succinct arguments (Theorem 2) is a direct implication of our result about zero-knowledge IOPs (Theorem 1).

Throughout, recall that an IOP is a proof model in which a prover and a verifier interact over multiple rounds, and in each round the prover sends a proof message and the verifier replies with a challenge message. The verifier has query access to all received proof messages, in the sense that it can query any of the proof messages at any desired location. The verifier decides to accept or reject depending on its input, its randomness, and answers to its queries. The main information-theoretic efficiency measures in an IOP are proof length (total size of all proof messages) and query complexity (number of read locations across all proof messages), while the main computational efficiency measures are prover time and verifier time.

2.1 Approach Overview

We provide an overview of our approach to Theorem 1.

Review: Proof Composition. Many constructions of PCPs rely on proof composition [2] to achieve the desired goal by combining an “outer” PCP and an “inner” PCP with suitable properties. The composed PCP (roughly) has the prover complexity of the outer PCP, and the verifier complexity of the inner PCP. Informally, the new PCP string consists of the outer PCP string and also, for every choice of randomness of the outer PCP verifier, an inner PCP string attesting that the outer PCP verifier would have accepted the local view of the outer PCP string induced by that choice of randomness. Soundness of the composed PCP requires the outer PCP to be robust^{Footnote 9} and the inner PCP to be a proximity proof.^{Footnote 10}

Proof composition extends to the IOP model [4]: the outer and inner proof systems can be IOPs instead of PCPs, and must satisfy corresponding notions of robustness and proximity; moreover, composition is more efficient because the inner IOP has only to be invoked once rather than for every choice of randomness of the outer IOP verifier (this is because, after running the outer IOP, the verifier can simply send the chosen randomness to the prover and then run the inner IOP on that randomness). Proof composition of IOPs also plays a central role in constructions of IOPs, and we also use it in our construction, as described next.

Our Setting. Using proof composition in our setting involves several considerations.

Zero knowledge. We want the composed IOP to be semi-honest-verifier zero-knowledge, and for this, one can prove that it suffices for the outer IOP to be semi-honest-verifier zero-knowledge, regardless of any zero knowledge properties of the inner IOP. We prove this and other properties about zero knowledge within proof composition in the full version.
Prover time. We want the prover of the composed IOP to run in linear time. The composed prover time is the sum of the outer IOP prover time and the inner IOP prover time. This means that the outer IOP prover must run in time that is linear, e.g., in the R1CS instance. The requirement on the inner IOP prover is less straightforward: the inner IOP prover attests to a computation related to the outer IOP verifier. For example, if the outer IOP verifier runs in cube-root time (relative to the R1CS instance) then we can afford an inner IOP prover that runs in up to cubic time (as the cubic blow up applied to a cube-root time gives linear time overall). In other words, we require the polynomial blow up of the inner IOP prover time to be made up by the savings offered by the outer IOP verifier time.
Verifier time. We want the verifier of the composed IOP to run in polylogarithmic time. The composed verifier time equals the time of the inner IOP verifier when used to test that the outer IOP verifier would have accepted. At minimum, the inner IOP verifier needs to read the description of the outer IOP verifier computation, which consists of its input instance (e.g., the R1CS public input) and its randomness. This implies that the outer IOP verifier can have at most polylogarithmic randomness complexity, and also implies that the compound savings in running time of the outer IOP verifier and inner IOP verifier must lead to a polylogarithmic running time.

The above considerations suggest that one approach that suffices is the following: (i) an inner IOP of proximity for general computations with polylogarithmic verifier time; and (ii) an outer IOP for R1CS that is semi-honest-verifier zero-knowledge, is robust, has a linear prover time, has polylogarithmic randomness complexity, and has a verifier time that is sufficiently small so that we can afford the blowup incurred by the inner IOP prover time. For the inner IOP of proximity we choose the state-of-the-art PCP of proximity for $\textsf {NTIME}(T)$ due to Mie [43] (discussed later). Our technical contribution is constructing a suitable outer IOP. As the blowup incurred by the inner PCP prover time will be polynomial, we need the outer IOP verifier to run in time that is sufficiently sublinear. We now outline the challenges that arise given prior work.

Challenges. There are two natural paths to explore in order to construct the outer IOP.

1.
One path would be to somehow construct the desired outer IOP by starting from the semi-honest-verifier zero-knowledge IOP for arithmetic circuit satisfiability in [13], which works over any field of linear size and has linear prover time and square-root verifier time. This would require addressing some challenges. First, we would need to robustify the IOP, but robustification techniques typically work for verifiers with constant query complexity (possibly over a large alphabet), and so one would have to adapt [13] for this setting. Second, the IOP verifier in [13] would have to be derandomized to achieve polylogarithmic randomness complexity. Third, we cannot afford more than a quadratic blow up in the inner IOP prover time because the verifier in [13] runs in square-root time.
2.
An alternative path would be to somehow construct the desired outer IOP by starting from the IOP for R1CS in [14], which over any field of size $O(m)$ has prover time $O(m)$ and verifier time $O(m^{\epsilon })$ for any a-priori fixed constant $\epsilon >0$. This would require somehow additionally achieving zero knowledge (not a goal in [14]), and moreover would still require addressing the robustification and derandomization challenges mentioned above. On the other hand, because we can choose $\epsilon $ to be small enough, we can afford an inner proximity proof whose prover runs in any fixed polynomial time (in particular, the PCP of proximity in [43] would suffice).

This Paper. We believe that both paths are plausible. In this paper we use an approach that (roughly) follows the second path, because we can use an off-the-shelf inner proximity proof and we can focus our attention solely on constructing an appropriate outer IOP. Moreover, we believe that building on [14] will contribute new understanding of zero knowledge techniques that are likely to be useful elsewhere, and will lead to a simpler exposition due to the modular nature of that construction.

2.2 Construction Overview

We outline the steps in the construction of an IOP that satisfies Theorem 1. We elaborate on each of these steps in subsequent subsections.

Review: The Tensor-to-Point Approach. The IOP for R1CS in [14] is obtained in two steps: first construct a tensor IOP for R1CS with linear prover time and constant query complexity; then apply a compiler that transforms any tensor IOP into a standard IOP. In a tensor IOP, the verifier may make multiple tensor queries directly to a proof message $\varPi $, each of the form $q= (q_{1},\ldots ,q_{t})$ and receiving the corresponding answer $v:= \langle \otimes _i q_{i},\varPi \rangle $. This differs from a standard IOP, where the verifier makes point queries, that is, it queries single locations of proof messages. As mentioned in Sect. 2.1, the resulting (point-query) IOP in [14] has prover time $O(m)$ and verifier time $O(m^{\epsilon })$ for any a-priori fixed constant $\epsilon >0$. (Here $m$ is the maximum number of non-zero entries in an R1CS coefficient matrix.)

Steps in Our Proof. We take an analogous two-step approach as in [14], except that we additionally achieve semi-honest-verifier zero knowledge, while still achieving a prover time of $O(m)$ and reducing the verifier time from $O(m^{\epsilon })$ to ${\mathsf {poly}}(|x|,\log m)$. (Here $x$ is the instance vector of the R1CS instance.)

Step 1: tensor IOP for R1CS with zero knowledge. Given any finite field $\mathbb {F}$, we construct a tensor IOP for R1CS over $\mathbb {F}$ that is semi-honest-verifier zero-knowledge, has soundness error $O(\frac{m}{|\mathbb {F}|})$, has prover time $O(m)$, and has verifier time $O(|{x}|+\log m)$; moreover, the verifier makes O(1) tensor queries (and also interacts with the prover in a $O(\log m)$-round interactive proof). In Sect. 2.4 we outline the main ideas that we use to additionally achieve zero knowledge compared to the tensor IOP for R1CS in [14].
Step 2: from tensor IOPs to standard IOPs while preserving zero knowledge. Given any finite field $\mathbb {F}$, we construct a compiler that maps a tensor IOP over the field $\mathbb {F}$ into a standard IOP while preserving the zero knowledge property; moreover, efficiency measures are preserved up to overheads in the dimension of the tensor and the query complexity of the input tensor IOP. In Sect. 2.3 we outline the main ideas that we use compared to the tensor-query to point-query compiler in [14] (which does not preserve zero knowledge and leads to a large verifier time).

Theorem 1 follows by applying the compiler in the second step to the tensor IOP for R1CS in the first step, as shown diagrammatically in Fig. 2. Below we highlight two aspects of our construction of the compiler.

(a) Proof composition. Differing from the approach overview in Sect. 2.1, the proof composition step actually happens within the tensor-query to point-query compiler rather than as a final step. This choice leads to a compiler that preserves efficiency measures of the tensor IOP up to constants (of independent interest), and moreover invokes the inner proximity proof on a linear computation rather than an arbitrary computation.

(b) Linear codes that are linear-time encodable and zero knowledge. A key ingredient in the construction of our compiler is tensor codes that simultaneously are linear-time encodable and satisfy a zero-knowledge property (informally, codewords do not reveal any information about the underlying message when queried in a restricted way). For this, we establish structural properties of zero-knowledge codes and prove that they are preserved under tensor products, which reduces the problem to constructing a linear-time encodable zero-knowledge code to act as the base of the tensor product code. We obtain a suitable base code via an explicit (deterministic) construction of zero-knowledge code based on [48] codes, which protect against a single malicious query. This is enough to prove zero-knowledge against semi-honest verifiers in Theorem 1, which suffices for our main theorem. We also give a probabilistic construction of zero-knowledge codes based on [22] codes which do not reveal information on the underlying message even when the verifier makes queries to a constant fraction of codeword entries. This allows us to prove a variation of Theorem 1 with the stronger property of bounded-query zero-knowledge. We review notions of zero knowledge for linear codes in Sect. 2.5, and then describe our results about zero-knowledge codes in Sect. 2.6.

Concrete Efficiency. We do not make any claims regarding the concrete efficiency of our construction. That said, we are optimistic that the ideas introduced in this work can lead to improved constructions with the same asymptotic efficiency but better concrete efficiency. In particular, we believe that further research into zero-knowledge linear-time-encodable codes and further research in specializing the proof composition step to the specific outer statement (a certain linear computation) may significantly improve efficiency. Subsequent work has made progress in this direction [29].

2.3 From Tensor-Queries to Point-Queries in Zero-Knowledge

We generically transform any tensor-query IOP into a corresponding point-query IOP, while preserving zero knowledge. The transformation is parametrized by a zero-knowledge linear code (a notion explained in more detail in Sect. 2.5) and outputs a point-query IOP that is bounded-query zero knowledge, meaning that malicious queries up to a fixed query bound do not leak any information. In contrast, the tensor-query IOP being transformed is only required to satisfy a weaker notion of zero knowledge, called semi-honest-verifier zero knowledge, that we describe further below. Here, “$(\mathbb {F},k,t)$-tensor IOP” means that each tensor-IOP query $q= (q_{1},\ldots ,q_{t})$ lies in $(\mathbb {F}^{k})^t$.

Theorem 3

(informal). There is an efficient transformation that takes as input a tensor-query IOP and a linear code, and outputs a point-query IOP that has related complexity parameters, as summarized below.

Input IOP: an $(\mathbb {F},k,t)$-tensor IOP for a relation $R$ with soundness error $\epsilon $, round complexity $\mathsf {rc}$, proof length $\mathsf {l}$, query complexity $\mathsf {q}$, prover arithmetic complexity $\mathsf {tp}$, and verifier arithmetic complexity $\mathsf {tv}$.
Input code: a linear code $\mathcal {C}$ over $\mathbb {F}$ with rate $\rho =\frac{k}{n}$, relative distance $\delta = \frac{d}{n}$, encoding time $\varPsi (k)\cdot k$, and description size $|{\mathcal {C}}|$. (The description of a linear code consists of a specification of the circuit used to compute the encoding function, including any random coins used to generate the circuit.)
Output IOP: a point-query IOP with soundness error $O_{\delta ,t}(\epsilon ) + O(d^t/|\mathbb {F}|)$, round complexity $O_{t}(\mathsf {rc})$, proof length $O_{\rho ,t}(\mathsf {q}\cdot \mathsf {l})$, query complexity $O_t(\mathsf {q})$, prover arithmetic complexity $\mathsf {tp}+ O_{\rho ,t}(\mathsf {q}\cdot \mathsf {l}) \cdot \varPsi (k) + {\mathsf {poly}}(|{\mathcal {C}}|,t,\mathsf {q},k)$, and verifier arithmetic complexity $\mathsf {tv}+ {\mathsf {poly}}(|{\mathcal {C}}|,t,\mathsf {q},\log k)$.

Moreover, when the tensor-query IOP is semi-honest-verifier zero knowledge the following also holds:

if the code $\mathcal {C}$ is 1-query zero-knowledge, then the point-query IOP is semi-honest-verifier zero knowledge;
if the code $\mathcal {C}$ is $b$-query zero-knowledge, then the point-query IOP is $b$-query zero knowledge.

Finally, the transformation preserves holography up to the multiplicative encoding overhead $\varPsi $ of $\mathcal {C}$ and terms that depend on $\rho $ and $t$: if the indexer for the input tensor-query IOP runs in time $\mathsf {ti}$ and produces an index of length $\mathsf {li}$, then the indexer for the output point-query IOP runs in time $\mathsf {ti}+ O_{\rho ,t}(\mathsf {q}\cdot \mathsf {li})\cdot \varPsi (k)$.

We now explain the main ideas behind our compiler.

Starting Point: An Inefficient Compiler that Breaks Zero Knowledge. Our starting point is the code-based compiler of [14], which takes as input a tensor-query IOP $(\mathbf {P},\mathbf {V})$ and a linear error-correcting code $\mathcal {C}$ and produces a corresponding point-query IOP $(\hat{\mathbf {P}},\hat{\mathbf {V}})$. We briefly summarize how the compiler works.

First, the point-query IOP simulates the tensor-query IOP with the modification that: (i) each proof oracle $\varPi \in \mathbb {F}^{k^{t}}$ is replaced by its encoding $\hat{\varPi }\in \mathbb {F}^{n^{t}}$ using the tensor product code $\mathcal {C}^{\otimes t}$; (ii) instead of making tensor queries to the proof oracles directly, the new verifier $\hat{\mathbf {V}}$ sends tensor queries $q_{}^{(s)}$ to the prover, who replies with the answers $v^{(s)}$. Second, the new prover $\hat{\mathbf {P}}$ and new verifier $\hat{\mathbf {V}}$ engage in a consistency test subprotocol to ensure that the answers $v^{(s)}$ (which may have been computed dishonestly) are consistent with the proofs $\varPi $. The consistency test incorporates a proximity test to make sure that each proof message $\hat{\varPi }$ is close to a valid encoding of some proof message $\varPi $ (as a malicious prover may send messages which are far from $\mathcal {C}^{\otimes t}$). As part of the consistency check, the prover sends the verifier “folded” proof messages $c^{(s)}_{j} = \langle \otimes _{i\le j}q_{i}^{(s)},\varPi \rangle $ encoded under lower-dimensional tensor codes $\mathcal {C}^{\otimes t-j}$. The proximity test works similarly, using random linear combinations of length $k$ sampled by the verifier instead of structured tensor queries. In both cases, the verifier checks linear relations between successive encodings $c_{j}^{(s)}$ and $c_{j+1}^{(s)}$ by making $O(k)$ point queries.

This compiler preserves prover time up to the encoding overhead $\varPsi (k)$ as in our Theorem 3, but has two shortcomings. The compiler does not preserve zero-knowledge, even if the tensor IOP to be compiled is zero knowledge. Moreover, the output IOP has query complexity $\varOmega (k)$ and verifier complexity $\varOmega (k)$, which does not suffice for Theorem 3 (we can at most afford a polylogarithmic dependence in $k$). Below we elaborate on how we overcome these shortcomings for zero-knowledge (Sect. 2.3.1) and for efficiency (Sect. 2.3.2).

2.3.1 Preserving Zero-Knowledge

We explain semi-honest verifier zero knowledge (the property of the tensor IOP used to achieve zero knowledge for the output IOP) and then how we preserve zero knowledge in the compiler.

Semi-honest-Verifier Zero Knowledge. Here, “semi-honest” means that there exists a simulator that (perfectly) simulates the honest verifier’s view for any fixed choice of the honest verifier’s randomness.^{Footnote 11} This requirement is stronger than honest-verifier zero-knowledge, where the simulator must simulate the honest verifier’s view for a random choice of its randomness; also, this requirement is weaker than the standard definition of zero-knowledge for IOPs, in which the verifier may deviate from the protocol and make arbitrary queries to the received oracles up to some query bound. Nevertheless, this notion suffices for our compilation procedure, which will produce point-query IOPs with zero-knowledge against semi-honest verifiers or against verifiers making a bounded number of point queries (depending on the zero-knowledge property of the code).

Approach for Zero Knowledge. We need to ensure that, in our compiler, if the tensor-query IOP given as input is semi-honest-verifier zero knowledge then, depending on the zero knowledge property of the code $\mathcal {C}$, the output point-query IOP is either semi-honest verifier zero knowledge or bounded-query zero knowledge. This implication does not hold for the compiler of [14] because, when using a (non-zero-knowledge) linear code $\mathcal {C}$, a point query to any encoded proof message $\hat{\varPi }$ or folded proof message $c_j^{(s)}$ leaks information about $\varPi $. We address the information leaked by $\hat{\varPi }$ and $c^{(s)}_{j}$ in two ways.

We ensure that the folded proof messages $c^{(s)}_{j}$ do not leak any information by leveraging the fact that the consistency test of [14] is about a linear relation, and thus can be invoked on a random shift of the instance of interest. In more detail, the usual approach to making the messages in such a subprotocol zero-knowledge is to mask the input message as $f = \gamma \varPi + \varXi $, where $\varXi $ is a random message sent by the prover and $\gamma $ is a random challenge sent by the verifier after that, and then run the consistency test on the encoding $c= \gamma \hat{\varPi } + \hat{\varXi }$ [3]. (The claimed tensor-query answers $v^{(s)}$ need to be adjusted accordingly too to account for the contribution of $\varXi $.) Informally, this enables the simulator to randomly sample $c$ and honestly run the [14] consistency test protocol. Queries on the resulting messages $c^{(s)}_{j}$ do not reveal any information, since they are derived from $c$, which is a random tensor codeword. Further, we do not require any zero-knowledge properties from the consistency test.

The simulator must still simulate the answers to point queries on $\varXi $ by querying $\hat{\varPi }$ instead. To avoid information leakage from the encoded proofs $\hat{\varPi }$, we use a linear code $\mathcal {C}$ with bounded-query zero-knowledge. This is similar to the notion for IOPs, and means that queries to a codeword up to a fixed query bound do not leak any information. The [14] compiler uses tensor products of codes, and to achieve semi-honest-verifier zero knowledge for the output IOP, it is important that the tensor product code $\mathcal {C}^{\otimes t}$ is 1-query zero-knowledge. Furthermore, to achieve $b$-query zero knowledge for the output IOP, it is important that the tensor product code $\mathcal {C}^{\otimes t}$ is also zero-knowledge against $b$ queries.^{Footnote 12} This leads to the problem of finding a zero-knowledge code which is encodable in linear time, which we discuss in Sect. 2.6.2, and showing that the zero-knowledge property of codes is preserved under tensor products, which we discuss in Sect. 2.6.1.

2.3.2 Improving Efficiency

Our modifications to the compiler of [14] to preserve zero-knowledge do not affect its efficiency; in particular, if the zero-knowledge code $\mathcal {C}^{\otimes t}$ has a linear-time encoding, then the compiler preserves linear arithmetic complexity of the prover. However, when applied to our $(\mathbb {F},k,t)$-tensor IOP with $n= \varTheta (k^t)$, the improved consistency test has query complexity $O(k)$, prover arithmetic complexity $O(k^t)$, and verifier arithmetic complexity $O(k)$. Though the query complexity and verifier complexity can be improved by increasing $t$, they remain sublinear in $n$, which does not suffice for Theorem 3. To prove Theorem 3, we must reduce the query complexity from $\varOmega (k)$ to O(1) and the verifier complexity from $\varOmega (k)$ to ${\mathsf {poly}}(\log k)$.

We achieve these goals using interactive proof composition and derandomization techniques. First, we strengthen the improved consistency test through robustification, and then use interactive proof composition for IOPs [4]. This reduces the query complexity so that it is independent of $k$, and makes the verifier complexity depend only on the randomness complexity of the consistency test verifier. Next, we show that linear prover complexity is preserved. Finally, we explain how to derandomize the consistency test to obtain the desired verifier complexity. (It remains an interesting question whether one can also achieve proof length that approaches witness length, the efficiency goal studied in [45] via related techniques.)

Interactive Proof Composition. Interactive proof composition involves an “outer” IOP that is robust and is for the desired relation, and an “inner” IOP of proximity that is for a relation about the outer IOP’s verifier. At a high level, we wish to apply this with the zero-knowledge consistency test from Sect. 2.3.1 as the outer IOP, and the PCP of proximity of [43] as the inner IOP. This requires some care, in part because the consistency check is not robust, and also because our target parameters do not leave much wiggle room. Below, we elaborate on how we robustify the outer protocol, and how we perform proof composition.

Robustification. Any IOP can be generically robustified by encoding each proof symbol in every round via an appropriate error-correcting code: if the IOP has query complexity $\mathsf {q}$ then this transformation yields a robustness parameter $\alpha =O(1/\mathsf {q})$ (over the alphabet of the code).^{Footnote 13} This is a straightforward generalization of robustifications for IPs (each prover message in each round is encoded) and for PCPs (each proof symbol of the PCP is encoded). This also extends to robustifying IOPPs, in which case each symbol of the witness whose proximity is being proved is also encoded (and this modifies the relation proved by the IOPP slightly).

Superficially, this robustification seems insufficient to prove Theorem 3 because zero-knowledge consistency test from Sect. 2.3.1 has sublinear query complexity $\mathsf {q}= O(k) = O(n^{1/t})$, which would lead to a robustness parameter that is sub-constant. However, fortunately, the queries are bundled: the verifier always queries entire sets of $O(n^{1/t})$ locations, so the IOPP can be restated as a constant-query IOPP over the large alphabet $\mathbb {F}^{O(n^{1/t})}$. To robustify an IOPP over such a large alphabet, we need to use a code with linear-time encoding such as [48] (here zero-knowledge codes are not essential) in order to preserve the linear complexity of the prover. This gives us an IOPP for tensor queries with prover complexity $O(n)$, verifier complexity $O(n^{1/t})$, query complexity $O(n^{1/t})$ over the alphabet $\mathbb {F}$, constant soundness error, and, most importantly, a constant robustness parameter $\alpha $. We are now ready for the next step, proof composition.
Composition. Interactive proof composition [4] applies to any outer IOP that is robust and inner IOP that is a proof of proximity. If the outer IOP is a proof of proximity (as is the case when using the IOPP obtained above) then the composed IOP is also a proof of proximity; similarly, if the inner IOP is robust then the composed IOP is also robust.

We apply proof composition as follows: (i) the outer proof system is the robust zero-knowledge IOPP for tensor queries obtained above; (ii) the inner proof system is the PCP of proximity for $\textsf {NTIME}(T)$ due to Mie [43] (which achieves any constant soundness error and constant proximity parameter, with proof length $\tilde{O}(T(|\mathbbm {x}|))$, query complexity O(1), prover time ${\mathsf {poly}}(T(|\mathbbm {x}|))$, and verifier time ${\mathsf {poly}}(|\mathbbm {x}|,\log T(|\mathbbm {x}|))$).

Informally, the new verifier in the composed proof system runs the interactive phase of the IOPP for tensor queries and then, rather than running the query phase of the outer IOPP, runs the PCPP verifier of [43] to check that the witness is close to a tensor encoding of a message that is consistent with all the answers to the tensor queries. This reduces the query complexity from $O(n^{1/t})$ to O(1) queries.

Preserving Prover Complexity. We discuss prover complexity for the composed proof system. The cost of the prover in the composed IOP is $O(n)$ field operations to run the prover of the robust IOPP for tensor queries plus ${\mathsf {poly}}(T(|\mathbbm {x}|))$ bit operations to run the PCPP prover in [43]. In our case, the $\textsf {NTIME}(T)$ relation being checked is the decision predicate for the verifier in the robust IOPP, so that $T = O(n^{1/t})$ (times smaller factors depending on $\log |\mathbb {F}|$ since T refers to bit operations rather than field operations). If we take the tensor power $t\in \mathbb {N}$ to be a sufficiently large constant, then we can ensure that the prover time in the PCPP of [43], which is polynomial in $O(n^{1/t})$, is dominated by $O(n)$ field operations.

Reducing Verifier Complexity. We discuss verifier complexity for the composed proof system. The cost of the verifier in the composed IOP is dominated by ${\mathsf {poly}}(|\mathbbm {x}|,\log T(|\mathbbm {x}|))$ bit operations, the time to run the PCPP verifier in [43]. From our discussion of prover complexity for the composed proof system, we know that $T = O(n^{1/t})$ and so $\log T(|\mathbbm {x}|) = O(\log n)$. We are thus left to discuss $|\mathbbm {x}|$. Here $\mathbbm {x}$ is the state used to describe (not run) the computation of the decision predicate for the verifier in the robust IOPP. The description consists of: (a) the description of the code $\mathcal {C}$ used for the tensor encoding; (b) the description of the tensor queries whose answers are being checked; and (c) the verifier randomness for the robust IOPP.

The second term depends on the tensor queries, but for simplicity here we will ignore it because in our application all the tensor queries can be described via $O(t\log n)$ elements, again a low-order term. The first term depends on the choice of code $\mathcal {C}$, so we keep it as a parameter. As for the last term, the randomness complexity of the robust consistency check is $O(\mathsf {q}\cdot k\cdot t)$, due to the random linear combinations used in the proximity test of [14], whose randomness complexity is unchanged by robustification. In sum, the cost of the verifier in the composed system is ${\mathsf {poly}}(|\mathcal {C}|,\log n,\mathsf {q}\cdot k\cdot t)$ bit operations. This leads to a sublinear verifier complexity and does not suffice for Theorem 3.

Fortunately, these linear combinations can be derandomized so to reduce their description size to $O(t)$ (a low-order term), as we now explain. The linear combinations are used in the soundness analysis of the [14] proximity test as part of a “distortion statement”: if any member of a collection of messages is far (in Hamming distance) from a linear code, then a random linear combination of those messages is also far from the code, except with some small, bounded, failure probability. Ben-Sasson et al. [10] prove distortion statements for linear combinations of the form $\zeta _{} = (\alpha ^1,\alpha ^2,\alpha ^3,\dots ,\alpha ^{k})$ for a uniformly random $\alpha \in \mathbb {F}$, at the cost of a tolerable increase in failure probability, and thus, in the soundness error of the proximity test. This allows us to dramatically reduce the number of random field elements used in the proximity test from $O(\mathsf {q}\cdot k\cdot t)$ to $O(\mathsf {q}\cdot t)$. After some work, the result is a verifier complexity of ${\mathsf {poly}}(|\mathcal {C}|,\log n)$ bit operations in the composed system which suffices for Theorem 3.

Remark 1

We use the freedom to choose a large enough $t$ in our robust zero-knowledge IOPP based on [14] to obtain query complexity (and verifier time) that is $O(n^{1/t})$. It is plausible that [13] similarly implies a robust zero-knowledge IOPP with query complexity (and verifier time) $O(n^{1/2})$. We do not know how to leverage such a result because that would require an inner IOPP with subquadratic prover time and constant query complexity, and we do not know of such a result. While it is plausible that the prover of [43] prover runs in subquadratic time, proving this seems an arduous task.

2.4 Tensor IOP for R1CS with Semi-honest Verifier Zero Knowledge

The input to the compiler in Sect. 2.3 is a tensor IOP for R1CS that is semi-honest-verifier zero knowledge.

Theorem 4

(informal). For every finite field $\mathbb {F}$ and positive integers $k,t\in \mathbb {N}$, there is a $(\mathbb {F},k,t)$-tensor holographic IOP for the indexed relation $R_{\mathrm {R1CS}}$, which is semi-honest-verifier zero-knowledge, that supports instances over $\mathbb {F}$ with $m= O(k^t)$, that has the following parameters: (1) soundness error is $O(\frac{ m}{|\mathbb {F}|})$; (2) round complexity is $O(\log m)$; (3) proof length is $O(m)$ elements in $\mathbb {F}$; (4) query complexity is O(1); (5) the indexer and prover use $O(m)$ field operations; (6) the verifier uses $O(|{x}|+\log m)$ field operations.

Our starting point is the holographic tensor IOP for R1CS in [14], which achieves the same parameters as in the above theorem^{Footnote 14} except that it is not zero knowledge. We use re-randomization techniques to additionally achieve zero knowledge against semi-honest verifiers, while preserving all efficiency parameters. We now elaborate on this: first we review the structure of the tensor IOP in [14], and then explain our ideas for how to additionally achieve zero knowledge.

The Holographic Tensor IOP of BCG. The holographic tensor IOP for R1CS in [14] follows a standard blueprint for constructing protocols for R1CS [7], adapted to the case of tensor queries. The prover first sends oracles containing the full assignment $z= (x, w)$ and its linear combinations $z_{A}:= Az$, $z_{B}:= Bz$, and $z_{C}:= Cz$. The verifier wishes to check that $z_{A}\circ z_{B}= z_{C}$ and that $z_{A},z_{B},z_{C}$ are the correct linear combinations of $z$. To facilitate this, the verifier sends some randomness to the prover, which enables reducing the first condition (a Hadamard product) to a scalar-product condition. The verifier then engages with the prover in scalar-product subprotocols for checking the scalar products, and holographic “lincheck” subprotocols for checking the linear relations (given tensor-query access to suitable linear-time encodings of the matrices $A,B,C$). The verifier makes a constant number of tensor queries to each of $z,z_{A},z_{B},z_{C}$ for concluding the subprotocols and performing other consistency checks (e.g., consistency of $z$ with $x$).

This protocol is not zero knowledge even for an honest verifier because: (1) the answer to each tensor query to $z,z_{A},z_{B},z_{C}$ reveals information about the secret input $w$ (part of the full assignment $z$); (2) messages sent by the prover during the scalar-product and lincheck protocols reveal further information about $z,z_{A},z_{B},z_{C}$.

Approach for Zero Knowledge. We need to ensure that every prover message and the answer to every tensor query is simulatable. The fact that queries are linear combinations with a tensor structure would make this rather difficult if we had to deal with malicious verifiers.^{Footnote 15} Fortunately, we seek zero knowledge against semi-honest verifiers only, which means that it suffices to consider any valid execution of an honest verifier, and in particular we have the freedom to assume that the verifier’s queries have a certain structure. While there are generic techniques for related settings (e.g., a transformation for linear PCPs with degree-2 verifiers in [11]), they do not seem to be useful for our setting (tensor IOPs with linear-time proving). So our approach here will be to modify the protocol in [14] by adapting ideas used in prior works.

We incorporate random values into the protocol in two different ways to address the two types of leakage above. This will enable us to make every prover message and query answer either uniformly random (independent of the witness) or uniquely determined by other prover messages or query answers. The simulator that we construct will then simply sample all the random values and derive the rest from them. We elaborate on this strategy in the paragraphs below.

(1) ZK against verifier queries. The answer to each verifier query is a linear combination (with tensor structure) of elements in the prover’s oracle message. Intuitively, if we pad each oracle message with as many random values as the number of queries it receives, and also “force” the linear combination to have non-zero coefficients in the padded region, then all the query answers will be uniformly random and reveal no information. Padding each of $z,z_{A},z_{B},z_{C}$ with independent randomness, however, does not preserve completeness because the padded vectors would not satisfy the R1CS condition.

This naive strategy, however, can be fixed as follows. We rely on a small R1CS gadget, whose solutions can be efficiently sampled, for which we can control the amount of independent randomness. Then we augment the original R1CS instance with this gadget.^{Footnote 16} In the first step of the protocol, the prover samples a random solution to the R1CS gadget and appends it to the witness to obtain an augmented witness.^{Footnote 17} In the rest of the protocol, the random solution acts as padding as described above, while preserving completeness. The choice of how much to pad depends on how many independent queries each oracle receives.

Though conceptually simple, this approach requires careful design and analysis. Intuitively, this is because the solutions to the R1CS gadget, which act as random padding, satisfy some non-linear relations, and therefore cannot consist entirely of uniformly random field elements. For example, since $z_{C}= z_{A}\circ z_{B}$, if the padding for $z_{A}$ and $z_{B}$ was uniformly random, then the padding for $z_{C}$ would be a sum of products of uniformly random field elements, which would not lead to uniformly random answers to queries on $z_{C}$. However, introducing uniformly random padding into $z_{C}$ requires setting some elements of $z_{A}$ (or $z_{B}$) to fixed non-zero elements, which cannot then be used to make queries on $z_{A}$ uniformly random. In sum, the solutions to the R1CS gadgets must hide not only the results to queries on the vectors $z_{A},z_{B},z_{C}$, but also the dependencies in the solutions themselves.

(2) ZK for the subprotocols. Each lincheck subprotocol checks a linear relation $Uz= z_U$, and as with the point-query compiler, the usual approach to making the messages in such a subprotocol zero-knowledge is to run the subprotocol on the input vector $e= \gamma z+ y$, where $y$ is a random vector sent by the prover and $\gamma $ is a random challenge sent by the verifier after that. (The claimed output vector $z_U$ needs to be adjusted accordingly too.) This enables the simulator to randomly sample $e$ and honestly run the lincheck protocol, which reveals no information, since the honest verifier only queries $e= \gamma z+y$, and never $z$ and $y$ separately. As the lincheck subprotocol is used as a black-box, the holographic properties of our protocol are unaffected by our modifications for zero-knowledge, and are inherited from the lincheck protocol of [14].

The scalar-product subprotocol is a sumcheck protocol on a certain polynomial p. Sumcheck protocols are usually made zero knowledge by following a similar pattern and running the sumcheck protocol on the polynomial $u := \gamma p + q$, where q is a random polynomial [3]. The simulator can randomly sample u and honestly run the sumcheck protocol, while simulating answers to q by querying p instead.

We cannot apply this idea in our setting of linear-time provers without change. In the protocol of [14], the polynomial p is the product of two multilinear polynomials f and g, each with $\log n$ variables (and thus $O(n)$ coefficients). To achieve linear arithmetic complexity for the prover, it is crucial that the prover does not compute the sumcheck directly on p, which could have up to $O(n^2)$ coefficients, and works only with f and g following a certain linear-time algorithm [49]. Thus the prover cannot simply sample a random q.

The solution is to re-randomize the multiplicands f and g separately to $\gamma f + r$ and $\gamma g + s$, and run the sumcheck protocol on their product $(\gamma f + r) \cdot (\gamma g + s)$. (If $p=f \cdot g$ sums to $\alpha $ then $(\gamma f + r) \cdot (\gamma g + s)$ sums to $\alpha \gamma ^2 + \rho \gamma + \sigma $ for some $\rho $ and $\sigma $ derived from r and s alone.) The prover can then compute on polynomials with $O(n)$ coefficients, and the simulator can sample each factor of p at random and proceed similarly.

Efficiency. The resulting tensor IOP inherits all efficiency parameters of the non-ZK tensor IOP of [14]: soundness error $O(m/|\mathbb {F}|)$; logarithmic round complexity; linear proof length; constant query complexity; linear-time indexer; linear-time prover; and logarithmic-time verifier.

2.5 Hiding Properties of Linear Codes

Linear codes have been used to achieve hiding properties in many applications, including secret sharing, multi-party computation, and probabilistic proofs. Below we introduce useful notation and then review the properties of linear codes that we use, along with other ingredients, to achieve zero knowledge IOPs. Informally, we consider probabilistic encodings for linear codes with the property that a small number of locations of a codeword reveal no information about the underlying encoded message.

Randomized Linear Codes. Let $\mathcal {C}$ be a linear code over a field $\mathbb {F}$ with message length $k$ and block length $n$, and let $\mathrm {Enc}:\mathbb {F}^{k} \rightarrow \mathbb {F}^{n}$ be an encoding function for $\mathcal {C}$ (that is, $\mathrm {Enc}(\mathbb {F}^{k}) = \mathcal {C}$). For a fixed choice of $k_m$ and $k_r$ such that $k_m+k_r=k$, we can derive from $\mathrm {Enc}$ the bivariate function $\widetilde{\mathrm {Enc}}:\mathbb {F}^{k_m} \times \mathbb {F}^{k_r} \rightarrow \mathbb {F}^{n}$ defined as $\widetilde{\mathrm {Enc}}(m;r):=\mathrm {Enc}(m\Vert r)$. In turn, this function naturally induces a probabilistic encoding: we define $\widetilde{\mathrm {Enc}}(m)$ to be the random variable $\{\widetilde{\mathrm {Enc}}(m;r)\}_{r\leftarrow \mathbb {F}^{k_r}}$. In other words, we have designated the first $k_m$ inputs of $\mathrm {Enc}$ for the message and the remaining $k_r$ inputs for encoding randomness. We shall refer to a code $\mathcal {C}$ specified via a bivariate function $\widetilde{\mathrm {Enc}}$ as a randomized linear code.

Bounded-Query Zero Knowledge. A randomized linear code is $b$-query zero knowledge if reading any $b$ locations of a random encoding of a message does not reveal any information about the message. The locations may be chosen arbitrarily and adaptively. In more detail, we denote by $\mathrm {View}(\widetilde{\mathrm {Enc}}(m;r),A)$ the view of an oracle algorithm A that is given query access to the codeword $\widetilde{\mathrm {Enc}}(m;r)$. We say that $\mathcal {C}$ is $b$-query zero knowledge if there exists a ${\mathsf {poly}}(n,\log |\mathbb {F}|)$-time simulator algorithm $\mathcal {S}$ such that, for every message $m\in \mathbb {F}^{k_m}$ and $b$-query algorithm A, the following random variables are identically distributed:

$$\begin{aligned} \left\{ \mathrm {View}\big (\widetilde{\mathrm {Enc}}(m;r),A\big ) \right\} _{r\leftarrow \mathbb {F}^{k_r}} \quad \text {and}\quad \mathcal {S}^A . \end{aligned}$$

To achieve even 1-query zero knowledge the random encoding cannot be systematic (as otherwise the algorithm A could learn any location of the message by querying the corresponding location in the codeword).

The above notion mirrors the standard notion of bounded-query zero knowledge for several models of probabilistic proofs (PCPs [33, 34, 38], IPCPs [30], and IOPs [3, 5]). Moreover, it is equivalent, in the special case of codes with a polynomial-time encoding, to the message-indistinguishability definition of zero knowledge of [35] (which requires that the encodings of any two messages are equidistributed when restricted to any small-enough subset of coordinates).

Bounded-Query Uniformity. In intermediate steps we also consider a stronger notion of zero knowledge: we say that $\mathcal {C}$ is $b$-query uniform if any $b$ locations of $\{\widetilde{\mathrm {Enc}}(m;r)\}_{r\leftarrow \mathbb {F}^{k_r}}$ are uniformly random and independent symbols. This is a strengthening over the prior notion because the simulator for this case is a simple fixed strategy: answer each query with a freshly sampled random symbol. We refer the reader to the full version for more intuition on the difference between the two notions; there we explain how code concatenation, a standard operation on codes, naturally leads to codes that are bounded-query zero knowledge but not bounded-query uniform, and in particular the simulator cannot employ the foregoing simple strategy.

2.6 On Bounded-Query Zero Knowledge

Theorem 1 guarantees zero-knowledge against semi-honest verifiers. However, we can achieve bounded-query zero-knowledge against a malicious verifier who makes at most $O(m^\epsilon )$ queries, if we relax the verifier time in our construction to ${\mathsf {poly}}(|x|)+O(m^\epsilon )$ field operations.

The reason behind this is as follows. By Theorem 3, the zero-knowledge property in Theorem 1 relies (among other things) on a family of explicit linear-time encodable error-correcting codes which themselves have a zero-knowledge property, whereby a single query to a codeword leaks no information about the encoded message. These codes suffice for semi-honest-verifier zero-knowledge because the honest verifier never learns more than one query of each codeword. By contrast, in the setting of bounded-query zero-knowledge, we require codes with a zero-knowledge property against a sublinear number of queries. The above codes do not satisfy this property. Instead, we show how to obtain suitable codes from a probabilistic construction of Druk and Ishai [22], leading to an IOP verifier whose randomness complexity is sublinear.

Obtaining an explicit construction of linear-time encodable zero-knowledge codes remains an interesting open problem, which would allow us to prove Theorem 1 with both polylogarithmic verifier complexity and bounded-query zero-knowledge.

2.6.1 Tensor Products of Zero Knowledge Codes

As part of the tensor-query to point-query compiler (see Sect. 2.4), the prover sends to the verifier proof messages $\hat{\varPi }$ consisting of tensor-IOP proof messages $\varPi $ encoded under a tensor code $\mathcal {C}^{\otimes t}$. The verifier has point-query access to the encoded messages $\hat{\varPi }$. To ensure that these queries do not leak information (up to a certain number of queries), we require the tensor code $\mathcal {C}^{\otimes t}$ to be zero-knowledge. To this end, we prove that the tensor product operation preserves the property of bounded-query zero-knowledge (and bounded-query uniformity). In particular, for $\mathcal {C}^{\otimes t}$ to be zero knowledge it will suffice for $\mathcal {C}$ to be zero knowledge. (We discuss how to obtain a zero-knowledge code that is linear-time encodable after this, in Sect. 2.6.2.)

Theorem 5

Let $\mathcal {C}$ and $\mathcal {C}'$ be randomized linear codes.

1.
If $\mathcal {C}$ is $b$-query zero-knowledge and $\mathcal {C}'$ is $b'$-query zero-knowledge, then $\mathcal {C}\otimes \mathcal {C}'$ is $\min (b,b')$-query zero-knowledge.
2.
If $\mathcal {C}$ is $b$-query uniform and $\mathcal {C}'$ is $b'$-query uniform, then $\mathcal {C}\otimes \mathcal {C}'$ is $\min (b,b')$-query uniform.

The formal statement and proof are provided in the full version.

2.6.2 Zero-Knowledge Codes with Linear-Time Encoding

To prove our main theorem, Theorem 1, we require an explicit construction of a randomized linear code, that must be both linear-time encodable and 1-query zero-knowledge. Prior works such as [13, 17] achieve this by applying a 1-out-of-2 secret sharing scheme to every element of the output of an explicit (non zero-knowledge) linear-time encodable code, such as [48]. Given the encoding function $\mathrm {Enc}$ for a linear-time encodable code, the new code is defined by $\widetilde{\mathrm {Enc}}(m;r) := ( \mathrm {Enc}(m)+r, r)$.

Investigating Bounded-Query Zero-Knowledge. To prove the variation on our main theorem, Theorem 1, with bounded-query zero-knowledge, we require randomized linear codes which are linear-time encodable as above, but with a stronger zero-knowledge property. In this case, the code must be $b$-query zero-knowledge where $b$ is not only greater than 1, but may even be a constant fraction of the block length.

Prior works achieved these properties separately. For example, it is well-known that the Reed–Solomon code can be made $b$-query zero-knowledge by using $b$ elements of encoding randomness, but their encoding functions incur costs quasilinear in the message length. On the other hand, the zero-knowledge properties of linear-time encodable codes, such as the explicit family by Spielman [48] or the probabilistic family by Druk and Ishai [22], have not been investigated.

We prove the existence of codes satisfying both requirements, via a probabilistic construction. In the statement below, $H_q:[0,1] \rightarrow [0,1]$ denotes the $q$-ary entropy function.

Theorem 6

For every finite field $\mathbb {F}$, every $\epsilon \in (0,1)$, and every function $\beta :\mathbb {N}\rightarrow (0,1)$ bounded away from 1, letting $q:= |\mathbb {F}|,$ there is a circuit family $\{E_{k_m} :\mathbb {F}^{k_m} \times \mathbb {F}^{(H_{q}(\beta (k_m))+\epsilon )\cdot O(k_m)} \times \mathbb {F}^{O(k_m)} \rightarrow \mathbb {F}^{O(k_m)}\}_{k_m\in \mathbb {N}}$ such that: (1) $E_{k_m}$ has size $O(k_m)$; (2) with probability at least $1-q^{-\varOmega _\epsilon (k_m)}$ over $R\in \mathbb {F}^{O(k)}$, the randomized linear code $\mathcal {C}_{k_m}$ whose encoding function is $\widetilde{\mathrm {Enc}}_{k_m}(m;r) := E_{k_m}(m,r,R)$ has constant relative distance and is $O(\beta (k_m)\cdot k_m)$-query uniform.

The precise statement of the theorem and its proof are provided in the full version.

Below we provide an overview of the proof; and finally discuss related constructions and analyses. Derandomizing Theorem 6, namely the goal of obtaining an explicit family of codes that are both zero knowledge and linear-time encodable, remains an open problem.

Overview of Proof of Theorem 6. We use the same code as in [22], which is a probabilistic construction (which we inherit). Our contribution is to show that their construction additionally satisfies the strong requirement of $b$-query uniformity, by using ideas from the analysis of [22].

Informally, Druk and Ishai [22] construct a family of distributions $\mathcal {G} = \{\mathcal {G}_{k}\}_{k\in \mathbb {N}}$ such that, for every $k\in \mathbb {N}$, $\mathcal {G}_{k} = \{G_R\in \mathbb {F}^{O(k) \times k}\}_{R\in \mathbb {F}^{O(k)}}$ is a distribution over generator matrices such that: (1) matrix-vector multiplication is computable in linear time; (2) for any fixed non-zero vector x, when $G_R$ is sampled at random from the distribution, $G_Rx$ is uniformly distributed. This latter property is known as linear uniform output, and implies that, with high probability over $R$, $G_R$ has constant relative distance and dual distance.

We are interested in analyzing what happens if we split the message space of a generator matrix $G\in \mathcal {G}_{k}$ into two parts, one of length $k_m$ for the actual message and another of length $k_r$ for the encoding randomness, for $k_m+k_r=k$. As in Sect. 2.5, this induces a corresponding split in the generator matrix: $G= \begin{bmatrix}G_{m}&G_{r}\end{bmatrix}$. In the full version we show that the probability that this code is $b$-query uniform is bounded from below by the probability that $(G_{r})^\perp $, the dual of $G_{r}$, has minimum (absolute) distance at least $b+1$.

Druk and Ishai [22] show that $G^\perp $ has constant relative distance with high probability. We observe that $G_{r}$ inherits the linear-uniform output property from $G$, and then adapt their analysis to $(G_{r})^\perp $. We now summarize the main ideas of their analysis when it is applied to our setting of $b$-query uniformity. Similarly, to the standard probabilistic proof of the Gilbert–Varshamov bound, requiring that $(G_{r})^\perp $ has distance at least $b+1$ is equivalent to showing that each non-zero vector $z\in \mathbb {F}^{n}$ with Hamming weight at most $b$ is not in $(G_{r})^\perp $, i.e., $z G_{r}\ne 0$. The linear-uniform output property of $G$ implies that $z G_{r}$ is uniformly distributed, over a random choice of $G_{r}$; therefore the probability that $z\in \mathbb {F}^{n}$ is in $(G_{r})^\perp $ is at most $q^{-k_r}$. Taking a union bound over all vectors of weight at most $b$, of which there are at most $q^{H_q(b/n) \cdot n}$, gives an upper bound on the probability that the distance of $(G_{r})^\perp $ is at most $b$.

We can choose parameters so that $n= O(k_m)$ and $k_r= O(H_q(b/n) \cdot n)$ with suitable constants so that $q^{-k_r} \cdot q^{H_q(b/n) \cdot n} = q^{-\varOmega (k_m)}$. In combination with results on the distance of $G$, this yields Theorem 6.

In sum, we obtain a trade-off between the fraction of the message space allocated to the encoding randomness and the $b$-query uniformity of the code. For example, if (as we use in this paper) $b$ is linear in $n$ then $H_q(b/n)$ is constant and the encoding randomness is a constant fraction of the input.

Comparison with Related Work. Chen et al. [19] show a result analogous to Theorem 6 for random codes: with high probability over a choice of random code with block length $O(k_m)$, using $H_{q}(\beta (k_m))\cdot O(k_m)$ elements of encoding randomness ensures $O(\beta (k_m)\cdot k_m)$-query zero-knowledge. Random codes, however, are not linear-time encodable. Theorem 6 can be viewed as strengthening the result for random codes in [19, Theorem 11] to apply to the linear-time codes of [22] (and to proving the stronger property of bounded-query uniformity). The proofs of both results follow the standard template of the existence proof of codes meeting the Gilbert–Varshamov bound, except that the analyzed code family changes.

Druk and Ishai [22] give a linear-time secret sharing scheme for message vectors of constant length, based on the same code family used to prove Theorem 6. Their construction generalizes to a randomized encoding scheme with $b$-query zero-knowledge (and most likely $b$-query uniformity), where $b$ is determined by the distance of the dual code. For this code family, the dual distance is linear in $k_m$, giving $b$-query zero-knowledge for $b= \varTheta (k_m)$. However, encoding requires solving a system of linear equations whose dimension is the same length as the message, and so fails to be linear-time.

Ishai et al. [35, 51] give a generic construction of zero-knowledge codes from any linear code, which works by randomizing a generator matrix for the code, but this does not preserve linear-time encoding.

2.7 Linear-Time Succinct Arguments from Linear-Time IOPs

Known approaches for constructing succinct arguments rely on cryptography to “compile” various forms of probabilistic proofs into argument systems. However, the cryptography used typically introduces super-linear overheads, ruling out a linear-time argument system even when compiling a linear-time probabilistic proof. Bootle et al. [13] observe that Kilian’s approach [37] is a notable exception. We review this below because Theorem 1 implies Theorem 2 via this approach; our technical contribution is Theorem 1.

Linear-Time Arguments via Kilian’s Approach. The cryptography used in Kilian’s approach is collision-resistant hash functions, for which there are linear-time candidates under standard assumptions (e.g., based on the hardness of finding short codewords in linear codes [1]). If we use a linear-time hash function in Kilian’s approach to compile a linear-time PCP (over a large-enough alphabet) then we obtain a linear-time argument system.^{Footnote 18} While constructions of linear-time PCPs are not known (and seem far beyond current techniques), the foregoing implication equally holds for IOPs [8, 44]. This route was used in [13, 14] to obtain interactive arguments with linear-time prover and sublinear-time verifier from IOPs with linear-time prover and sublinear-time verifier.

Zero Knowledge. Kilian’s approach to additionally achieve zero knowledge makes a non-black-box use of the collision-resistant hash function and the probabilistic proof’s verifier.^{Footnote 19} Ishai et al. [34] then proved that if the underlying probabilistic proof satisfies a mild notion of zero knowledge then Kilian’s approach can be significantly simplified to yield a zero-knowledge succinct argument where the collision-resistant hash function and the probabilistic proof are used as black boxes. This implication, too, preserves linear time of both building blocks to yield a zero-knowledge succinct argument with a linear-time prover.

The notion of zero-knowledge required of the underlying probabilistic proof depends on the desired notion of zero knowledge for the argument system. If the argument system is desired to be honest-verifier zero knowledge (this suffices, e.g., to subsequently apply the Fiat–Shamir heuristic) then the probabilistic proof must be honest-verifier zero knowledge. If instead the argument system is desired to be malicious-verifier zero-knowledge then the probabilistic proof must be semi-honest-verifier zero knowledge (the simulator works for any possible fixed execution of the honest verifier). A further strengthening known as bounded-query zero knowledge, the hiding notion typically studied for PCPs [38], enables reductions in communication.

In Sum. The interactive argument in Theorem 2 is constructed via the above approach from the IOP in Theorem 1 (with sublinear verification in the holographic setting mapping to sublinear verification in the preprocessing setting). The semi-honest-verifier zero-knowledge property of the IOP implies the malicious-verifier zero-knowledge property of the interactive argument. The linear prover time and polylogarithmic verifier time of the IOP imply the corresponding running times of the interactive argument, as the given collision-resistant hash function runs in linear time.

Notes

1.
Several of these works additionally achieve excellent concrete efficiency, via experiments that demonstrate the ability to prove the satisfiability of circuits with billions of gates.
2.
As soundness is computational then we can hope for zero knowledge to be statistical.
3.
Satisfiability of an $n$-gate arithmetic circuit over the field $\mathbb {F}$ is reducible, in linear time, to an R1CS instance also over $\mathbb {F}$ where the coefficient matrices are $n\times n$ and have $m=O(n)$ non-zero entries. (In particular, the coefficient matrices are sparse.).
4.
Note that $m= \varOmega (n)$ without loss of generality because if $m< n/3$ then there are variables of $z$ that do not participate in any constraint, which can be dropped. Thus the main size measure for R1CS is the sparsity parameter $m$.
5.
The private coins come from using the Goldreich–Kahan technique [26]. Achieving public coins is also possible via different relaxations: (i) (ii) we could rely on a reference string (which enables the zero knowledge simulator to access a trapdoor); or (iii) we could relax the goal to honest-verifier zero-knowledge while remaining in the plain model. See [34] for more on these considerations.
6.
Holography/preprocessing may be avoidable by focusing on R1CS instances with a short description [6] or, more generally, uniform models of computation. Achieving results analogous to ours in such a setting remains an open problem.
7.
The quasilinear costs in some works (due to cryptography [53, 54] or an FFT [55]) scale with witness size rather than computation size, and so the prover runs in linear time when the witness is small relative to the computation.
8.
Some of the cited works still refer to such prover time as “linear” or “asymptotically optimal”. This is a misnomer.
9.
A proof system is robust if the local view of the verifier is far (e.g. in Hamming distance) from an accepting view with high probability (over the verifier’s randomness) whenever the instance is not in the language.
10.
A proximity proof shows that a given input is close to some input in the language.
11.
This is related to special honest-verifier zero-knowledge for sigma protocols.
12.
Note also that query bound $b$ must be at least the number of queries that $\hat{\mathbf {V}}$ makes to the encoded proof $\hat{\varPi }$.
13.
An IOP is said to have robustness parameter $\alpha $ if the local view of the verifier is $\alpha $-close (in relative Hamming distance) to an accepting view with probability bounded by the IOP’s soundness error.
14.
Note that as described in [14], the tensor IOP of [14] achieves verifier complexity $O(|{x}|+k)$ because some of the verifier’s tensor queries are generated from seeds of length $O(k)$. We reduce the verifier complexity by generating the verifier’s tensor queries using short seeds.
15.
For example, constructing linear PCPs that are zero knowledge against malicious verifiers remains an open problem. Constructing tensor IOPs that are zero knowledge against malicious verifiers, while formally an easier question, appears similarly hard.
16.
This is distinct from how zero knowledge is achieved for prior IOPs for R1CS based on the Reed–Solomon code [7]. Instead, it is closer in spirit to how semi-honest-verifier zero knowledge was achieved for linear PCPs for circuits or quadratic arithmetic programs in [11, 23].
17.
We stress that this modification achieves zero knowledge only against semi-honest verifiers, because a malicious verifier could choose to query the padded vectors with a linear combination that leaves out the randomness and thereby learns information about the secret witness. Nevertheless, as discussed in Sect. 2.3, a tensor IOP that is merely semi-honest-verifier zero knowledge suffices for obtaining a point-query IOP with zero knowledge against bounded-query malicious verifiers.
18.
In Kilian’s approach, the argument prover’s cryptographic cost is dominated by the cost to commit to the PCP string via a Merkle tree. In particular, if the PCP has proof length $\mathsf {l}$ and the size of a proof symbol is linear in the input size of the hash function, then the running time of the argument prover is within a constant of the running time of the PCP prover.
19.
Modify the Merkle tree to be over hiding commitments to proof symbols (rather than over the proof symbols themselves) and then prove in zero knowledge that opening the queried locations would have made the probabilistic proof verifier accept.

References

Applebaum, B., Haramaty, N., Ishai, Y., Kushilevitz, E., Vaikuntanathan, V.: Low-complexity cryptographic hash functions. In: Proceedings of the 8th Innovations in Theoretical Computer Science Conference, ITCS 2017, pp. 7:1–7:31 (2017)
Google Scholar
Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. J. ACM 45(1), 70–122 (1998). Preliminary version in FOCS ’92
Google Scholar
Ben-Sasson, E., Chiesa, A., Forbes, M.A., Gabizon, A., Riabzev, M., Spooner, N.: Zero knowledge protocols from succinct constraint detection. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 172–206. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_6
Chapter Google Scholar
Ben-Sasson, E., Chiesa, A., Gabizon, A., Riabzev, M., Spooner, N.: Interactive oracle proofs with constant rate and query complexity. In: Proceedings of the 44th International Colloquium on Automata, Languages and Programming, ICALP 2017, pp. 40:1–40:15 (2017)
Google Scholar
Ben-Sasson, E., Chiesa, A., Gabizon, A., Virza, M.: Quasi-linear size zero knowledge from linear-algebraic PCPs. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 33–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_2
Chapter Google Scholar
Ben-Sasson, E., Chiesa, A., Goldberg, L., Gur, T., Riabzev, M., Spooner, N.: Linear-size constant-query IOPs for delegating computation. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 494–521. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_19
Chapter Google Scholar
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Chapter Google Scholar
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
Chapter Google Scholar
Ben-Sasson, E., Kaplan, Y., Kopparty, S., Meir, O., Stichtenoth, H.: Constant rate PCPs for circuit-SAT with sublinear query complexity. In: Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, pp. 320–329 (2013)
Google Scholar
Ben-Sasson, E., Kopparty, S., Saraf, S.: Worst-case to average case reductions for the distance to a code. In: Proceedings of the 33rd ACM Conference on Computer and Communications Security, CCS 2018, pp. 24:1–24:23 (2018)
Google Scholar
Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18
Chapter Google Scholar
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Chapter MATH Google Scholar
Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12
Chapter Google Scholar
Bootle, J., Chiesa, A., Groth, J.: Linear-time arguments with sublinear verification from tensor codes. In: Proceedings of the 18th Theory of Cryptography Conference, TCC 2020, pp. 19–46 (2020)
Google Scholar
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Article MathSciNet Google Scholar
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 315–334 (2018)
Google Scholar
Cerulli, A.: Efficient zero-knowledge proofs and their applications (2019)
Google Scholar
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 24th ACM Conference on Computer and Communications Security, CCS 2017, pp. 1825–1842 (2017)
Google Scholar
Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_17
Chapter Google Scholar
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Chapter Google Scholar
Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27
Chapter Google Scholar
Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications. In: Proceedings of the 5th Innovations in Theoretical Computer Science Conference, ITCS 2014, pp. 169–182 (2014)
Google Scholar
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Chapter Google Scholar
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for boolean circuits. In: Proceedings of the 25th USENIX Security Symposium, Security 2016, pp. 1069–1083 (2016)
Google Scholar
Goldreich, O., Håstad, J.: On the complexity of interactive proofs with bounded communication. Inf. Process. Lett. 67(4), 205–214 (1998)
Article MathSciNet Google Scholar
Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–189 (1996). https://doi.org/10.1007/BF00208001
Article MathSciNet MATH Google Scholar
Goldreich, O., Vadhan, S., Wigderson, A.: On interactive proofs with a laconic prover. Comput. Complex. 11(1/2), 1–53 (2002)
Article MathSciNet Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). Preliminary version appeared in STOC ’85
Google Scholar
Golovnev, A., Lee, J., Setty, S., Thaler, J., Wahby, R.: Brakedown: linear-time and post-quantum snarks for r1cs. Cryptology ePrint Archive, Report 2021/1043 (2021)
Google Scholar
Goyal, V., Ishai, Y., Mahmoody, M., Sahai, A.: Interactive locking, zero-knowledge PCPs, and unconditional cryptography. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 173–190. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_10
Chapter Google Scholar
Heath, D., Kolesnikov, V.: Stacked garbling for disjunctive zero-knowledge proofs. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 569–598. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_19
Chapter Google Scholar
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the 39th Annual Symposium on Theory of Computing, STOC 2007, pp. 21–30 (2007)
Google Scholar
Ishai, Y., Mahmoody, M., Sahai, A.: On efficient zero-knowledge PCPs. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 151–168. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_9
Chapter Google Scholar
Ishai, Y., Mahmoody, M., Sahai, A., Xiao, D.: On zero-knowledge PCPs: Limitations, simplifications, and applications (2015). http://www.cs.virginia.edu/~mohammad/files/papers/ZKPCPs-Full.pdf
Ishai, Y., Sahai, A., Viderman, M., Weiss, M.: Zero knowledge LTCs and their applications. In: Raghavendra, P., Raskhodnikova, S., Jansen, K., Rolim, J.D.P. (eds.) APPROX/RANDOM -2013. LNCS, vol. 8096, pp. 607–622. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40328-6_42
Chapter MATH Google Scholar
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the 25th ACM Conference on Computer and Communications Security, CCS 2018, pp. 525–537 (2018)
Google Scholar
Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC 1992, pp. 723–732 (1992)
Google Scholar
Kilian, J., Petrank, E., Tardos, G.: Probabilistically checkable proofs with zero knowledge. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, STOC 1997, pp. 496–505 (1997)
Google Scholar
Kothapalli, A., Masserova, E., Parno, B.: A direct construction for asymptotically optimal zkSNARKs. Cryptology ePrint Archive, Report 2020/1318 (2020)
Google Scholar
Lee, J., Setty, S., Thaler, J., Wahby, R.: Linear-time zero-knowledge SNARKs for R1CS. Cryptology ePrint Archive, Report 2021/030 (2021)
Google Scholar
Meir, O.: Combinatorial PCPs with short proofs. In: Proceedings of the 26th Annual IEEE Conference on Computational Complexity, CCC 2012 (2012)
Google Scholar
Meir, O.: IP = PSPACE using error-correcting codes. SIAM J. Comput. 42(1), 380–403 (2013)
Article MathSciNet Google Scholar
Mie, T.: Short PCPPs verifiable in polylogarithmic time with o(1) queries. Ann. Math. Artif. Intell. 56, 313–338 (2009)
Article MathSciNet Google Scholar
Reingold, O., Rothblum, R., Rothblum, G.: Constant-round interactive proofs for delegating computation. In: Proceedings of the 48th ACM Symposium on the Theory of Computing, STOC 2016, pp. 49–62 (2016)
Google Scholar
Ron-Zewi, N., Rothblum, R.: Local proofs approaching the witness length. In: Proceedings of the 61st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2020, pp. 846–857 (2020)
Google Scholar
Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25
Chapter Google Scholar
Setty, S., Lee, J.: Quarks: quadruple-efficient transparent zkSNARKs. Cryptology ePrint Archive, Report 2020/1275 (2020)
Google Scholar
Spielman, D.A.: Linear-time encodable and decodable error-correcting codes. IEEE Trans. Inf. Theory 42(6), 1723–1731 (1996). Preliminary version appeared in STOC ’95
Google Scholar
Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5
Chapter Google Scholar
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 926–943 (2018)
Google Scholar
Weiss, M.: Secure computation and probabilistic checking (2016)
Google Scholar
Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for boolean and arithmetic circuits. IACR Cryptology ePrint Archive, Report 2020/925 (2020)
Google Scholar
Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24
Chapter Google Scholar
Zhang, J., Wang, W., Zhang, Y., Zhang, Y.: Doubly efficient interactive proofs for general arithmetic circuits with linear prover time. Cryptology ePrint Archive, Report 2020/1247 (2020)
Google Scholar
Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: Proceedings of the 41st IEEE Symposium on Security and Privacy, S&P 2020, pp. 859–876 (2020)
Google Scholar

Download references

Author information

Authors and Affiliations

IBM Research, Zurich, Switzerland
Jonathan Bootle
École polytechnique fédérale de Lausanne, Lausanne, Switzerland
Alessandro Chiesa
University of California, Berkeley, Berkeley, USA
Alessandro Chiesa & Siqi Liu

Authors

Jonathan Bootle
View author publications
You can also search for this author in PubMed Google Scholar
Alessandro Chiesa
View author publications
You can also search for this author in PubMed Google Scholar
Siqi Liu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Jonathan Bootle or Alessandro Chiesa .

Editor information

Editors and Affiliations

University of Haifa, Haifa, Haifa, Israel
Orr Dunkelman
University of Warsaw, Warsaw, Poland
Stefan Dziembowski

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Bootle, J., Chiesa, A., Liu, S. (2022). Zero-Knowledge IOPs with Linear-Time Prover and Polylogarithmic-Time Verifier. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13276. Springer, Cham. https://doi.org/10.1007/978-3-031-07085-3_10

Download citation

DOI: https://doi.org/10.1007/978-3-031-07085-3_10
Published: 25 May 2022
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07084-6
Online ISBN: 978-3-031-07085-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Zero-Knowledge IOPs with Linear-Time Prover and Polylogarithmic-Time Verifier