Paper 2020/1425

Public-Coin Zero-Knowledge Arguments with (almost) Minimal Time and Space Overheads

Abstract

Zero-knowledge protocols enable the truth of a mathematical statement to be certified by a verifier without revealing any other information. Such protocols are a cornerstone of modern cryptography and recently are becoming more and more practical. However, a major bottleneck in deployment is the efficiency of the prover and, in particular, the space-efficiency of the protocol. For every $$ relation that can be verified in time $$ and space $$, we construct a public-coin zero-knowledge argument in which the prover runs in time $$ and space $$. Our proofs have length $$ and the verifier runs in time $$ (and space $$). Our scheme is in the random oracle model and relies on the hardness of discrete log in prime-order groups. Our main technical contribution is a new space efficient polynomial commitment scheme for multi-linear polynomials. Recall that in such a scheme, a sender commits to a given multi-linear polynomial $$ so that later on it can prove to a receiver statements of the form "$$". In our scheme, which builds on the commitment schemes of Bootle et al. (Eurocrypt 2016) and Bünz et al. (S&P 2018), we assume that the sender is given multi-pass streaming access to the evaluations of $$ on the Boolean hypercube and w show how to implement both the sender and receiver in roughly time $$ and space $$ and with communication complexity roughly $$.

Note: Fixed abstract and added full version of paper.