1. Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability
Jens Groth University College London Joint work with Jonathan Bootle, Andrea Cerulli, Essam Ghadafi and Mohammad Hajiabadi to appear at Asiacrypt 2017

2.  Zero-knowledge proof Statement: Witness
𝑥 1 ∧ 𝑥 2 ∧¬ 𝑥 3 ∨( 𝑥 2 ∧ x 4 ∧ 𝑥 5 )
Witness
Completeness: Honest prover convinces verifier 
Zero-knowledge: Nothing but truth revealed
Soundness: Statement is true
Prover Verifier

3. Internet voting Encrypts vote to keep it private
Tally without decrypting individual votes
Ciphertext
Voter Election authorities

4. Is the encrypted vote valid?
Election fraud
Encrypts 1,000 votes for Macron
Is the encrypted vote valid?
!!!!!!!!
Ciphertext
Voter Election authorities

5. Zero-knowledge proof as solution
Zero-knowledge: Vote is secret
Soundness: Vote is valid
Ciphertext
Zero-knowledge proof for valid vote encrypted
Voter Election authorities

6. Cryptography
Problems typically arise when attackers deviate from a protocol (active attack)
Zero-knowledge proofs prevent deviation and give security against active attacks

7. Parameters Efficiency Security Communication (bits)
Prover’s computation (seconds/operations)
Verifier’s computation (seconds/operations)
Round complexity (number of messages)
Security
Setup
Cryptographic assumptions

8. Arithmetic circuit satisfiability
Circuit with fan-in 2 multiplication and addition gates over a finite field 𝑭
Statement specifies circuit and constants
Witness consists of wire assignments such that all gates satisfied 5 7 2

9. Zero-knowledge proof for arithmetic circuits
Arithmetic circuit and constants
Public coin setup and challenges
Satisfying assignment
Perfect completeness: Honest prover convinces verifier 
Statistical special honest verifier zero-knowledge: Nothing but truth revealed
Computational soundness: Statement is true
Prover Verifier

10. Efficiency Arithmetic circuit and constants
Security parameter: 𝜆 Field size: 𝑭 = 𝜆 𝜔 1
Number of gates: 𝑁= 𝜆 𝑂 1
Efficiency
Arithmetic circuit and constants
Prover computation: 𝑂(𝑁) multiplications in 𝑭
Verifier computation: 𝑂(𝑁) additions in 𝑭
Communication: poly 𝜆 𝑁 elements in 𝑭
Rounds: 𝑂( log log 𝑁)

11. Strategy
Reformulate arithmetic circuit satisfiability as set of conditions over matrices of field elements
Prove each of the constraints in an ideal linear commitment model
Compile the ideal linear commitment model to the standard model using error-correcting codes and collision-resistant hash functions

12. Organize gate inputs and outputs as matrices
Organize left inputs, right inputs and outputs of addition gates into matrices 𝐴,𝐵,𝐶∈ 𝐹 𝑚 𝐴 ×𝑘 such that if the gates are satisfied 𝐴+𝐵=𝐶
Organize left inputs, right inputs and outputs of multiplication gates into matrices 𝐷,𝐸,𝐹∈ 𝐹 𝑚 𝑀 ×𝑘 such that if the gates are satisfied 𝐷∘𝐸=𝐹 where ∘ is the entry-wise product
Moreover, sort the gates such that constants appear in full rows of these matrices, e.g., 𝐴= 𝑎 11 𝑎 12 𝑎 𝑎 31 𝑎 32 𝑎 𝐵= 𝑏 21 𝑏 22 𝑏 23 𝑏 31 𝑏 32 𝑏 …

13. Arithmetic circuit specification
Public parameters specify 𝑝𝑝=(𝑭,𝑘)
A statement is given by 𝑢= 𝑚 𝐴 , 𝑚 𝐵 ,𝜋, 𝒖 𝑖 𝑖∈𝑆
𝑆 is the set of rows of constants 𝒖 𝑖
𝜋 describes the wiring of the circuit
A witness 𝑤 is a matrix of input and output values 𝑉= 𝐴 𝐵 𝐶 𝐷 𝐸 𝐹 = 𝒗 ⋮ 𝒗 3 𝑚 𝐴 +3 𝑚 𝐵 ∈ 𝑭 3 𝑚 𝐴 +3 𝑚 𝑀 ×𝑘

14. Wiring of the circuit
Consider the additions and multiplications 𝑣 1,1 𝑣 1,2 𝑣 1,3 𝑣 2,1 𝑣 2,2 𝑣 2,3 𝑣 3,1 𝑣 3,2 𝑣 3, 𝑣 4,1 𝑣 4,2 𝑣 4,3 𝑣 5,1 𝑣 5,2 𝑣 5,3 𝑣 6,1 𝑣 6,2 𝑣 6,3 = 𝑣 7,1 𝑣 7,2 𝑣 7,3 𝑣 8,1 𝑣 8,2 𝑣 8,3 𝑣 9,1 𝑣 9,2 𝑣 9, 𝑣 10,1 𝑣 10,2 𝑣 10,3 𝑣 11,1 𝑣 11,2 𝑣 11,3 ∘ 𝑣 12,1 𝑣 12,2 𝑣 12,3 𝑣 13,1 𝑣 13,2 𝑣 13,3 = 𝑣 14,1 𝑣 14,2 𝑣 14,3 𝑣 15,1 𝑣 15,2 𝑣 15,3
The wiring is specified by a permutation 𝜋∈ Σ 3 𝑚 𝐴 +3 𝑚 𝐵 × 𝑘 with cycles through sets of indices on the same wire. For instance 𝜋 9,2 =(5,2), 𝜋 5,2 = 11,1 , 𝜋 11,1 =(9,2)
𝑣 5,2
𝑣 11,1
𝑣 9,2

15. Witness satisfying circuit
For arithmetic circuit specified by 𝑢= 𝑚 𝐴 , 𝑚 𝐵 ,𝜋, 𝒖 𝑖 𝑖∈𝑆
The witness 𝑉= 𝒗 𝒊 𝑖=1 3 𝑚 𝐴 +3 𝑚 𝐵 satisfies the arithmetic circuit if and only if
Constants are correct, 𝒗 𝑖 = 𝒖 𝑖 for all 𝑖∈𝑆
Addition gates are satisfied, 𝐴+𝐵=𝐶
Multiplication gates are satisfied, 𝐷∘𝐸=𝐹
Values respect the wiring of the circuit, 𝑣 𝜋 𝑖,𝑗 = 𝑣 𝑖,𝑗 for all 𝑖∈[3 𝑚 𝐴 +3 𝑚 𝐵 ] and 𝑗∈[𝑘]

16. Ideal linear commitment model
𝒗 𝑖 𝑖=1 𝑚 1
𝑚 1 𝑥
𝒗 𝑖 𝑖= 𝑚 𝑚 1 + 𝑚 2
𝑚 2 𝒒
𝑖=1 𝑚 1 + 𝑚 2 𝑞 𝑖 𝒗 𝑖

17. Arithmetic circuit satisfiability in the ideal linear commitment model
Statement 𝑢=( 𝑚 𝐴 , 𝑚 𝐵 ,𝜋, 𝑢 𝑖 𝑖∈𝑆 ) 𝑉 𝑉
3 𝑚 𝐴 +3 𝑚 𝐵 𝑉′ 𝑚′ ⋮ 𝑄
Proofs 𝑉 satisfies
𝐴+𝐵=𝐶 𝐷∘𝐸=𝐹 𝒗 𝑖 = 𝒖 𝑖 𝑣 𝜋 𝑖,𝑗 = 𝑣 𝑖,𝑗
𝑄 𝑉 𝑉′ ⋮

18. Addition proof in ideal linear commitment model
Statement 𝑢=( 𝑚 𝐴 , 𝐴 , 𝐵 ,[𝐶])
𝐴,𝐵,𝐶
𝐴,𝐵,𝐶
3 𝑚 𝐴 𝒒 𝒓
Verifier picks 𝑥←𝑭 Sets 𝒙=(𝑥,…, 𝑥 𝑚 𝐴 ) and 𝒒= 𝒙,𝒙,−𝒙
Gets response 𝒓=𝒙𝐴+𝒙𝐵−𝒙𝐶 Accepts if and only if 𝒓=𝟎

19. Linear error-correcting code
Encoding function 𝐸 𝐶 : 𝑭 𝑘 → 𝑭 𝑛
1,4,0 ↦ 3,1,4,2,0,5
1,4,1 ↦(3,0,0,2,3,5) …
Linear minimum distance (hamming)
Linearity 𝐸 𝐶 𝒗 1 + 𝛼𝐸 𝐶 𝒗 2 = 𝐸 𝐶 𝒗 1 +𝛼 𝒗 2
1,4,0 + 1,4,1 = 2,8,1 ↦(6,1,4,4,3,10)
Linear-time computable
Example: Druk-Ishai 2014

20. From ideal to real linear commitments
𝑉= 𝑣 1,1 ⋯ 𝑣 1,𝑘 ⋱ 𝑣 𝑚,1 ⋯ 𝑣 𝑚,𝑘
𝐸= 𝑒 1,1 ⋯ 𝑒 1,𝑛 ⋱ 𝑒 𝑚,1 ⋯ 𝑒 𝑚,𝑛
𝐸 𝐶 ℎ
ℎ 1 =ℎ 𝐸 1 ,⋯, ℎ 𝑛 =ℎ( 𝐸 𝑛 )
𝑚, ℎ 1 ,…, ℎ 𝑛 𝒒 𝒒𝑉

21. From ideal to real linear commitments
𝑉= 𝑣 1,1 ⋯ 𝑣 1,𝑘 ⋱ 𝑣 𝑚,1 ⋯ 𝑣 𝑚,𝑘
𝐸= 𝑒 1,1 ⋯ 𝑒 1,𝑛 ⋱ 𝑒 𝑚,1 ⋯ 𝑒 𝑚,𝑛
𝐸 𝐶 ℎ
ℎ 1 =ℎ 𝐸 1 ,⋯, ℎ 𝑛 =ℎ( 𝐸 𝑛 ) 𝒒𝑉
{ 𝑗 1 ,…, 𝑗 𝜆 }
𝐸 𝑗 1 ,…, 𝐸 𝑗 𝜆

22. From ideal to real linear commitments
𝑉= 𝑣 1,1 ⋯ 𝑣 1,𝑘 ⋱ 𝑣 𝑚,1 ⋯ 𝑣 𝑚,𝑘
𝐸= 𝑒 1,1 ⋯ 𝑒 1,𝑛 ⋱ 𝑒 𝑚,1 ⋯ 𝑒 𝑚,𝑛
𝐸 𝐶 𝒒 𝒒
𝐸 𝐶 𝒒𝑉
𝑒 1 =𝒒 𝐸 1 ,…, 𝑒 𝑛 =𝒒 𝐸 𝑛
Verifier spot checks 𝜆 columns with 𝐸 𝐶 (𝒒𝑉) Code has high minimum distance, so cheating caught
𝑗 𝑗 …

23. Linear commitments with zero-knowledge
Randomized encoding Exposure resilient
𝑉= 𝑣 1,1 ⋯ 𝑣 1,𝑘 ⋱ 𝑣 𝑚,1 ⋯ 𝑣 𝑚,𝑘
𝐸= 𝑒 1,1 ⋯ 𝑒 1,2𝑛 ⋱ 𝑒 𝑚,1 ⋯ 𝑒 𝑚,2𝑛
𝐸 𝐶
… 𝑐 𝑗 =commit 𝐸 𝑗 ; 𝑟 𝑗 …
𝑚, 𝑐 1 ,…, 𝑐 2𝑛
Commitments can be constructed from hash functions 𝒒 𝒒𝑉

24. Efficiency and security
Arguments
Proofs
Perfect completeness Computational soundness - assuming binding commits Statistical SHVZK Using [AHIKV17] commits Prover 𝑂(𝑁) multiplications Verifier 𝑂 𝑁 additions Communication poly 𝜆 𝑁 Rounds 𝑂( log log 𝑁)
Perfect completeness Statistical soundness Computational SHVZK - assuming hiding commits Using [IKOS08] commits Prover 𝑂(𝑁) multiplications Verifier 𝑂 𝑁 additions Communication 𝑂(𝑁) elements Rounds 𝑂( log log 𝑁)