TY - JOUR
T1 - Ligero
T2 - lightweight sublinear arguments without a trusted setup
AU - Ames, Scott
AU - Hazay, Carmit
AU - Ishai, Yuval
AU - Venkitasubramaniam, Muthuramakrishnan
N1 - Publisher Copyright:
© 2023, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.
PY - 2023/11
Y1 - 2023/11
N2 - We design and implement a simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square root of the verification circuit size. The protocol can be based on any collision-resistant hash function. Alternatively, it can be made non-interactive in the random oracle model, yielding concretely efficient zk-SNARKs that require neither a trusted setup nor public-key cryptography. Our protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (in: STOC, pp. 21–30, 2007) to a variant of the protocol for secure multiparty computation of Damgård and Ishai (in: CRYPTO, pp. 501–520, 2006). It can be viewed as a simple zero-knowledge interactive PCP based on “interleaved” Reed-Solomon codes. This paper is an extended version of the paper published in CCS 2017 and features a tighter analysis, an improved implementation, and formal proofs. For large verification circuits, the Ligero prover remains competitive with subsequent works in prover running time, and its efficiency advantage grows in the amortized setting, where several instances are proven simultaneously. Our protocol is attractive not only for very large verification circuits but also for the moderately large circuits that arise in applications. For instance, for verifying a SHA-256 preimage with 2^-40 soundness error, the communication complexity is roughly 35 KB. The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For 2^-40 soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. With our refined analysis, the Ligero system’s proof lengths and prover running times are better than those of subsequent post-quantum zk-SNARKs for small to moderately large circuits.
AB - We design and implement a simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square root of the verification circuit size. The protocol can be based on any collision-resistant hash function. Alternatively, it can be made non-interactive in the random oracle model, yielding concretely efficient zk-SNARKs that require neither a trusted setup nor public-key cryptography. Our protocol is obtained by applying an optimized version of the general transformation of Ishai et al. (in: STOC, pp. 21–30, 2007) to a variant of the protocol for secure multiparty computation of Damgård and Ishai (in: CRYPTO, pp. 501–520, 2006). It can be viewed as a simple zero-knowledge interactive PCP based on “interleaved” Reed-Solomon codes. This paper is an extended version of the paper published in CCS 2017 and features a tighter analysis, an improved implementation, and formal proofs. For large verification circuits, the Ligero prover remains competitive with subsequent works in prover running time, and its efficiency advantage grows in the amortized setting, where several instances are proven simultaneously. Our protocol is attractive not only for very large verification circuits but also for the moderately large circuits that arise in applications. For instance, for verifying a SHA-256 preimage with 2^-40 soundness error, the communication complexity is roughly 35 KB. The communication complexity of our protocol is independent of the circuit structure and depends only on the number of gates. For 2^-40 soundness error, the communication becomes smaller than the circuit size for circuits containing roughly 3 million gates or more. With our refined analysis, the Ligero system’s proof lengths and prover running times are better than those of subsequent post-quantum zk-SNARKs for small to moderately large circuits.
KW - MPC-in-the-head
KW - Post-quantum
KW - Sublinear ZK arguments
UR - http://www.scopus.com/inward/record.url?scp=85164769244&partnerID=8YFLogxK
U2 - 10.1007/s10623-023-01222-8
DO - 10.1007/s10623-023-01222-8
M3 - Article
AN - SCOPUS:85164769244
SN - 0925-1022
VL - 91
SP - 3379
EP - 3424
JO - Designs, Codes, and Cryptography
JF - Designs, Codes, and Cryptography
IS - 11
ER -