**Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation**

*Tiancheng Xie and Jiaheng Zhang and Yupeng Zhang and Charalampos Papamanthou and Dawn Song*

**Abstract: **We present Libra, the first zero-knowledge proof system that has both optimal prover time and succinct proof size/verification time. In particular, if C is the size of the circuit being proved (i) the prover time is O(C) irrespective of the circuit type; (ii) the proof size and verification time are both O(d log C) for d-depth log-space uniform circuits (such as RAM programs). In addition Libra features an one-time trusted setup that depends only on the size of the input to the circuit and not on the circuit logic. Underlying Libra is a new linear-time algorithm for the prover of the interactive proof protocol by Goldwasser, Kalai and Rothblum (also known as GKR protocol), as well as an efficient approach to turn the GKR protocol to zero-knowledge using small masking polynomials. Not only does Libra have excellent asymptotics, but it is also efficient in practice. For example, our implementation shows that it takes 200 seconds to generate a proof for constructing a SHA2-based Merkle tree root on 256 leaves, outperforming all existing zero-knowledge proof systems. Proof size and verification time of Libra are also competitive.

**Category / Keywords: **cryptographic protocols / Zero knowledge proof; interactive proof; polynomial delegation

**Original Publication**** (with minor differences): **IACR-CRYPTO-2019

**Date: **received 21 Mar 2019, last revised 20 Nov 2021

**Contact author: **zhangyp at tamu edu, jiaheng_zhang at berkeley edu, niconiconi at berkeley edu

**Available format(s): **PDF | BibTeX Citation

**Note: **keep aligned as virgo

**Version: **20211120:075452 (All versions of this report)

**Short URL: **ia.cr/2019/317

[ Cryptology ePrint archive ]