**Public-Coin Zero-Knowledge Arguments with (almost) Minimal Time and Space Overheads**

*Alexander R. Block and Justin Holmgren and Alon Rosen and Ron D. Rothblum and Pratik Soni*

**Abstract: **Zero-knowledge protocols enable the truth of a mathematical statement to be certified by a verifier without revealing any other information. Such protocols are a cornerstone of modern cryptography and recently are becoming more and more practical. However, a major bottleneck in deployment is the efficiency of the prover and, in particular, the space-efficiency of the protocol.

For every $\mathsf{NP}$ relation that can be verified in time $T$ and space $S$, we construct a public-coin zero-knowledge argument in which the prover runs in time $T \cdot \mathrm{polylog}(T)$ and space $S \cdot \mathrm{polylog}(T)$. Our proofs have length $\mathrm{polylog}(T)$ and the verifier runs in time $T \cdot \mathrm{polylog}(T)$ (and space $\mathrm{polylog}(T)$$. Our scheme is in the random oracle model and relies on the hardness of discrete log in prime-order groups.

Our main technical contribution is a new space efficient polynomial commitment scheme for multi-linear polynomials. Recall that in such a scheme, a sender commits to a given multi-linear polynomial $P \colon \mathbb{F}^n \rightarrow \mathbb{F}$ so that later on it can prove to a receiver statements of the form "$P(x) = y$". In our scheme, which builds on the commitment schemes of Bootle et al. (Eurocrypt 2016) and Bünz et al. (S&P 2018), we assume that the sender is given multi-pass streaming access to the evaluations of $P$ on the Boolean hypercube and w show how to implement both the sender and receiver in roughly time $2^n$ and space $n$ and with communication complexity roughly $n$.

**Category / Keywords: **cryptographic protocols / zero knowledge, SNARKs, space efficiency

**Original Publication**** (in the same form): **IACR-TCC-2020

**Date: **received 14 Nov 2020

**Contact author: **block9 at purdue edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20201115:074532 (All versions of this report)

**Short URL: **ia.cr/2020/1425

[ Cryptology ePrint archive ]