Cryptology ePrint Archive: Report 2018/380

Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution

Jonathan Bootle and Andrea Cerulli and Jens Groth and Sune Jakobsen and Mary Maller

Abstract: There have been tremendous advances in reducing interaction, communication and verification time in zero-knowledge proofs but it remains an important challenge to make the prover efficient. We construct the first zero-knowledge proof of knowledge for the correct execution of a program on public and private inputs where the prover computation is nearly linear time. This saves a polylogarithmic factor in asymptotic performance compared to current state of the art proof systems.

We use the TinyRAM model to capture general purpose processor computation. An instance consists of a TinyRAM program and public inputs. The witness consists of additional private inputs to the program. The prover can use our proof system to convince the verifier that the program terminates with the intended answer within given time and memory bounds. Our proof system has perfect completeness, statistical special honest verifier zero-knowledge, and computational knowledge soundness assuming linear-time computable collision-resistant hash functions exist.

The main advantage of our new proof system is asymptotically efficient prover computation. The prover's running time is only a superconstant factor larger than the program's running time in an apples-to-apples comparison where the prover uses the same TinyRAM model. Our proof system is also efficient on the other performance parameters; the verifier's running time time and the communication are sublinear in the execution time of the program and we only use a log-logarithmic number of rounds.

Category / Keywords: Zero-knowledge proofs, succinct arguments of knowledge, TinyRAM, ideal linear commitments

Date: received 26 Apr 2018, last revised 27 Apr 2018

Contact author: andrea cerulli 13 at ucl ac uk

Available format(s): PDF | BibTeX Citation

Version: 20180430:210505 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]