Cryptology ePrint Archive: Report 2019/317

Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation

Tiancheng Xie and Jiaheng Zhang and Yupeng Zhang and Charalampos Papamanthou and Dawn Song

Abstract: We present Libra, the first zero-knowledge proof system that has both optimal prover time and succinct proof size/verification time. In particular, if C is the size of the circuit being proved (i) the prover time is O(C) irrespective of the circuit type; (ii) the proof size and verification time are both O(d log C) for d-depth log-space uniform circuits (such as RAM programs). In addition Libra features an one-time trusted setup that depends only on the size of the input to the circuit and not on the circuit logic. Underlying Libra is a new linear-time algorithm for the prover of the interactive proof protocol by Goldwasser, Kalai and Rothblum (also known as GKR protocol), as well as an efficient approach to turn the GKR protocol to zero-knowledge using small masking polynomials. Not only does Libra have excellent asymptotics, but it is also efficient in practice. For example, our implementation shows that it takes 200 seconds to generate a proof for constructing a SHA2-based Merkle tree root on 256 leaves, outperforming all existing zero-knowledge proof systems. Proof size and verification time of Libra are also competitive.

Category / Keywords: cryptographic protocols / Zero knowledge proof; interactive proof; polynomial delegation

Original Publication (in the same form): IACR-CRYPTO-2019

Date: received 21 Mar 2019, last revised 11 Jun 2019

Contact author: zhangyp at tamu edu,jiaheng_zhang@berkeley edu,tianc x@berkeley edu

Available format(s): PDF | BibTeX Citation

Version: 20190611:204804 (All versions of this report)

Short URL: ia.cr/2019/317


[ Cryptology ePrint archive ]