Skip to main content

Scalable Zero Knowledge with No Trusted Setup

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2019 (CRYPTO 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11694))

Included in the following conference series:

Abstract

One of the approaches to constructing zero knowledge (ZK) arguments relies on “PCP techniques” that date back to influential works from the early 1990’s [Babai et al., Arora et al. 1991-2]. These techniques require only minimal cryptographic assumptions, namely, the existence of a family of collision-resistant hash functions [Kilian, STOC 1992], and achieve two remarkable properties: (i) all messages generated by the verifier are public random coins, and (ii) total verification time is merely poly-logarithmic in the time needed to naïvely execute the computation being verified [Babai et al., STOC 1991].

Those early constructions were never realized in code, mostly because proving time was too large. To address this, the model of interactive oracle proofs (IOPs), which generalizes the PCP model, was recently suggested. Proving time for ZK-IOPs was reduced to quasi-linear, even for problems that require nondeterministic exponential time to decide [Ben-Sasson et al., TCC 2016, ICALP 2017].

Despite these recent advances it was still not clear whether ZK-IOP systems can lead to concretely efficient succinct argument systems. Our main claim is that this is indeed the case. We present a new construction of an IOP of knowledge (which we call a zk-STIK) that improves, asymptotically, on the state of art: for log-space computations of length T it is the first to \(O(T \log T)\) arithmetic prover complexity and \(O(\log T)\) verifier arithmetic complexity. Prior IOPs had additional \(\mathsf{poly} \log T\) factors in both prover and verifier. Additionally, we report a C++ realization of this system (which we call libSTARK). Compared to prevailing ZK realizations, it has the fastest proving and (total) verification time for sufficiently large sequential computations.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The machine could either be a Turing machine or a RAM machine.

  2. 2.

    In the “random oracle” model where all parties have access to the same random function, these systems can be made non-interactive [22, 60].

  3. 3.

    Henceforth, a proof system realization refers to an implementation in code, along with reported measurements, of it.

  4. 4.

    Reingold et al. [67] use the name “Probabilistically Checkable Interactive Proofs” (PCIP).

  5. 5.

    The first work [6] shows this for \(\mathsf{NEXP} \) and the second [5] scales it down to \(\mathsf{NP} \).

  6. 6.

    The first work [25] presents a PCP with scalable verification and quasi-linear proof length, the second work [17] bounds the prover running time and also proves the proof of knowledge property.

  7. 7.

    For simplicity, the current description discusses the case of space bounded computations; the case of computations with large space also uses multiple codewords but the reduction is more complicated, and discussed in the online version of the paper.

  8. 8.

    Our ZK-STARK still requires a collision resistant hash function, and in the interactive setting even the Fiat-Shamir heuristic, and, obviously, we make no information-theoretic claims on those.

  9. 9.

    The other solutions described in Sect. 3.1 like those based on Homomorphic public-key cryptography (hPKC) have different end points.

  10. 10.

    AIRs are called algebraic constraint satisfaction problems (ACSPs) in prior works like [9, 27]; we prefer the mono-syllable term AIRs which also relates to the notion of an intermediate representation used in other areas of computer science.

References

  1. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (2017)

    Google Scholar 

  2. Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and the hardness of approximation problems. J. ACM 45(3), 501–555 (1998). Preliminary version in FOCS 1992

    Article  MathSciNet  Google Scholar 

  3. Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. J. ACM 45(1), 70–122 (1998). Preliminary version in FOCS 1992

    Article  MathSciNet  Google Scholar 

  4. Babai, L., Fortnow, L.: Arithmetization: a new method in structural complexity theory. Comput. Complex. 1(1), 41–66 (1991). https://doi.org/10.1007/BF01200057. ISSN 1420–8954

    Article  MathSciNet  MATH  Google Scholar 

  5. Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 21–32 (1991)

    Google Scholar 

  6. Babai, L., Fortnow, L., Lund, C.: Nondeterministic exponential time has two-prover interactive protocols. In: Proceedings of the 31st Annual Symposium on Foundations of Computer Science, FOCS 1990, pp. 16–25 (1990)

    Google Scholar 

  7. Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_28

    Chapter  Google Scholar 

  8. Ben-Or, M., et al.: Everything provable is provable in zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 37–56. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_4

    Chapter  Google Scholar 

  9. Ben-Sasson, E., et al.: Computational integrity with a public random string from quasi-linear PCPs. In: IACR Cryptology ePrint Archive 2016, p. 646 (2016). http://eprint.iacr.org/2016/646

  10. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: libSTARK: a library for zero knowledge (ZK) scalable transparent argument of knowledge (STARK). https://github.com/elibensasson/libSTARK

  11. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast reed-solomon interactive oracle proofs of proximity. In: 45th International Colloquium on Automata, Languages, and Programming, ICALP 2018, Prague, Czech Republic, 9–13 July 2018, pp. 14:1–14:17 (2018). https://doi.org/10.4230/LIPIcs.ICALP.2018.14

  12. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046

  13. Ben-Sasson, E., Chiesa, A., Forbes, M.A., Gabizon, A., Riabzev, M., Spooner, N.: On probabilistic checking in perfect zero knowledge. In: Electron. Colloq. Comput. Complex. (ECCC) 23, 156 (2016). http://eccc.hpi-web.de/report/2016/156

  14. Ben-Sasson, E., Chiesa, A., Forbes, M.A., Gabizon, A., Riabzev, M., Spooner, N.: Zero knowledge protocols from succinct constraint detection. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 172–206. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_6

    Chapter  Google Scholar 

  15. Ben-Sasson, E., Chiesa, A., Gabizon, A., Riabzev, M., Spooner, N.: Short interactive oracle proofs with constant query complexity, via composition and sumcheck. Electron. Colloq. Comput. Complex. (ECCC) 23, 46 (2016)

    Google Scholar 

  16. Ben-Sasson, E., Chiesa, A., Gabizon, A., Virza, M.: Quasi-linear size zero knowledge from linear-algebraic PCPs. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 33–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_2

    Chapter  Google Scholar 

  17. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: On the concrete efficiency of probabilistically-checkable proofs. In: Proceedings of the 45th ACM Symposium on the Theory of Computing, STOC 2013, pp. 585–594 (2013)

    Google Scholar 

  18. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: TinyRAM architecture specification v2. 00 (2013). http://scipr-lab.org/tinyram

  19. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6

    Chapter  MATH  Google Scholar 

  20. Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 287–304 (2015). https://doi.org/10.1109/SP.2015.25

  21. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. Cryptology ePrint Archive, Report 2018/828 (2018). https://eprint.iacr.org/2018/828. To appear in Eurocrypt 2019

  22. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2. ISBN 978-3-662-53644-5

    Chapter  Google Scholar 

  23. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_16. Extended version at http://eprint.iacr.org/2014/595

    Chapter  Google Scholar 

  24. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: Proceedings of the 23rd USENIX Security Symposium, Security 2014, pp. 781-796 (2014). Extended version at http://eprint.iacr.org/2013/879

  25. Ben-Sasson, E., Goldreich, O., Harsha, P., Sudan, M., Vadhan, S.: Short PCPs verifiable in polylogarithmic time. In: Proceedings of the 20th Annual IEEE Conference on Computational Complexity, CCC 2005, pp. 120–134 (2005)

    Google Scholar 

  26. Ben-Sasson, E., Kopparty, S., Saraf, S.: Worst-case to average case reductions for the distance to a code. In: 33rd Computational Complexity Conference, CCC 2018, San Diego, CA, USA, 22–24 June 2018, pp. 24:1–24:23 (2018). https://doi.org/10.4230/LIPIcs.CCC.2018.24

  27. Ben-Sasson, E., Sudan, M.: Short PCPs with polylog query complexity. SIAM J. Comput. 38(2), 551–607 (2008). Preliminary version appeared in STOC 2005

    Article  MathSciNet  Google Scholar 

  28. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: Proceedings of the 45th ACM Symposium on the Theory of Computing, STOC 2013, pp. 111–120 (2013)

    Google Scholar 

  29. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18

    Chapter  Google Scholar 

  30. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    Chapter  MATH  Google Scholar 

  31. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: efficient range proofs for confidential transactions. Cryptology ePrint Archive, Report 2017/1066 (2017). https://eprint.iacr.org/2017/1066

  32. Buterin, V.: (2017). https://vitalik.ca/

  33. Chiesa, A., Zhu, Z.A.: Shorter arithmetization of nondeterministic computations. Theor. Comput. Sci. 600, 107–131 (2015)

    Article  MathSciNet  Google Scholar 

  34. Chiesa, A., Tromer, E.: Proof-carrying data and hearsay arguments from signature cards. In: Proceedings of the 1st Symposium on Innovations in Computer Science, ICS 2010, pp. 310–331 (2010)

    Google Scholar 

  35. Cormode, G., Mitzenmacher, M., Thaler, J.: Practical verified computation with streaming interactive proofs. In: Proceedings of the 4th Symposium on Innovations in Theoretical Computer Science. ITCS 2012, pp. 90–112 (2012)

    Google Scholar 

  36. Cormode, G., Thaler, J., Yi, K.: Verifying computations with streaming interactive proofs. Proc. VLDB Endow. 5(1), 25–36 (2011)

    Article  Google Scholar 

  37. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_28. ISBN 978-3-662-45611-8

    Chapter  Google Scholar 

  38. Dinur, I.: The PCP theorem by gap amplification. J. ACM 54(3), 12 (2007)

    Article  MathSciNet  Google Scholar 

  39. Dwork, C., Feige, U., Kilian, J., Naor, M., Safra, M.: Low communication 2-prover zero-knowledge proofs for NP. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 215–227. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_15

    Chapter  Google Scholar 

  40. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_25. http://dl.acm.org/citation.cfm?id=1881412.1881445. ISBN 3-642-14622-8, 978-3-642-14622-0

    Chapter  Google Scholar 

  41. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

    Chapter  Google Scholar 

  42. Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for boolean circuits. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1069–1083. USENIX Association, Austin (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/giacomelli. ISBN 978-1-931971-32-4

  43. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for Muggles. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 113–122 (2008)

    Google Scholar 

  44. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). Preliminary version appeared in STOC 1985

    Article  MathSciNet  Google Scholar 

  45. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

    Chapter  Google Scholar 

  46. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23

    Chapter  Google Scholar 

  47. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

    Chapter  Google Scholar 

  48. Groth, J., Maller, M.: Snarky signatures: minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 581–612. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_20

    Chapter  Google Scholar 

  49. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

    Chapter  Google Scholar 

  50. Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short PCPs. In: Proceedings of the Twenty-Second Annual IEEE Conference on Computational Complexity, CCC 2007, pp. 278–291 (2007)

    Google Scholar 

  51. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, pp. 21–30. ACM (2007)

    Google Scholar 

  52. Ishai, Y., Mahmoody, M., Sahai, A., Xiao, D.: On Zero-Knowledge PCPs: Limitations, Simplifications, and Applications (2015). http://www.cs.virginia.edu/~mohammad/files/papers/ZKPCPs-Full.pdf

  53. Kalai, Y.T., Raz, R.: Interactive PCP. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 536–547. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_44

    Chapter  Google Scholar 

  54. Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC 1992, pp. 723–732 (1992)

    Google Scholar 

  55. Kilian, J., Petrank, E., Tardos, G.: Probabilistically checkable proofs with zero knowledge. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, STOC 1997, pp. 496–505 (1997)

    Google Scholar 

  56. Lin, S.-J., Al-Naffouri, T.Y., Han, Y.S., Chung, W.-H.: Novel polynomial basiswith fast fourier transform and its application to Reed-Solomon erasure codes. IEEE Trans. Inf. Theory 62(11), 6284–6299 (2016)

    Article  Google Scholar 

  57. Lin, S.-J., Chung, W.-H., Han, Y.S.: Novel polynomial basis and its application to Reed-Solomon erasure codes. In: Proceedings of the 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, FOCS 2014, pp. 316–325. IEEE Computer Society, Washington, DC (2014). https://doi.org/10.1109/FOCS.2014.41. ISBN 978-1-4799-6517-5

  58. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

    Chapter  Google Scholar 

  59. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)

    Article  MathSciNet  Google Scholar 

  60. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000). Preliminary version appeared in FOCS 1994

    Article  MathSciNet  Google Scholar 

  61. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000). https://doi.org/10.1137/S0097539795284959

    Article  MathSciNet  MATH  Google Scholar 

  62. Mie, T.: Polylogarithmic two-round argument systems. J. Math. Cryptol. 2(4), 343–363 (2008)

    Article  MathSciNet  Google Scholar 

  63. Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland 2013, pp. 238–252 (2013)

    Google Scholar 

  64. Peck, M.: A blockchain currency that beat s bitcoin on privacy [News]. IEEE Spectr. 53(12), 11–13 (2016). https://doi.org/10.1109/MSPEC.2016.7761864. ISSN 0018-9235

    Article  Google Scholar 

  65. Pergament, E.: Algebraic RAM. MA thesis. Technion—Israel Institute of Technology (2017)

    Google Scholar 

  66. Razborov, A.A.: Lower bounds on the size of bounded depth circuits over a complete basis with logical addition. Math. Notes Acad. Sci. USSR 41(4), 333–338 (1987)

    MATH  Google Scholar 

  67. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, 18–21 June 2016, pp. 49–62 (2016). https://doi.org/10.1145/2897518.2897652

  68. SCIPR Lab. libsnark: a C++ library for zkSNARK proofs. https://github.com/scipr-lab/libsnark

  69. Seo, J.H.: Round-efficient sub-linear zero-knowledge arguments for linear algebra. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 387–402. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_24

    Chapter  Google Scholar 

  70. Setty, S., Blumberg, A.J., Walfish, M.: Toward practical and unconditional verification of remote computations. In: Proceedings of the 13th USENIX Conference on Hot Topics in Operating Systems, HotOS 2011, p. 29 (2011)

    Google Scholar 

  71. Setty, S., Braun, B., Vu, V., Blumberg, A.J., Parno, B., Walfish, M.: Resolving the conflict between generality and plausibility in verified computation. In: Proceedings of the 8th EuoroSys Conference, EuroSys 2013, pp. 71–84 (2013)

    Google Scholar 

  72. Setty, S., McPherson, M., Blumberg, A.J., Walfish, M.: Making argument systems for outsourced computation practical (sometimes). In: Proceedings of the 2012 Network and Distributed System Security Symposium, NDSS 2012 (2012)

    Google Scholar 

  73. Setty, S., Vu, V., Panpalia, N., Braun, B., Blumberg, A.J., Walfish, M.: Taking proof-based verified computation a few steps closer to practicality. In: Proceedings of the 21st USENIX Security Symposium, Security 2012, pp. 253–268 (2012)

    Google Scholar 

  74. Shamir, A.: IP = PSPACE. J. ACM 39(4), 869–877 (1992)

    Article  MathSciNet  Google Scholar 

  75. Smolensky, R.: Algebraic methods in the theory of lower bounds for Boolean circuit complexity. In: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pp. 77–82. ACM (1987)

    Google Scholar 

  76. Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5

    Chapter  Google Scholar 

  77. Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1. http://dl.acm.org/citation.cfm?id=1802614.1802616. ISBN 3-540-78523-X, 978-3-540-78523-1

    Chapter  MATH  Google Scholar 

  78. Vu, V., Setty, S., Blumberg, A.J., Walfish, M.: A hybrid architecture for interactive verifiable computation. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland 2013, pp. 223–237 (2013)

    Google Scholar 

  79. Wahby, R.S., Setty, S.T.V., Ren, Z., Blumberg, A.J., Walfish, M.: Efficient RAM and control flow in verifiable outsourced computation. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 8–11 February 2014 (2015)

    Google Scholar 

  80. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. Cryptology ePrint Archive, Report 2017/1132 (2017). https://eprint.iacr.org/2017/1132

  81. Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vRAM: faster verifiable RAM with program-independent preprocessing. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 203–220 (2018). https://doi.org/10.1109/SP.2018.00013

  82. Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: A zero-knowledge version of vSQL. Cryptology ePrint Archive, Report 2017/1146 (2017). https://eprint.iacr.org/2017/1146

Download references

Acknowledgements

We thank Arie Tal, Yechiel Kimchi and Gala Yadgar for help optimizing code performance. We thank the Andrea Cerulli, Venkitasubramaniam Muthuramakrishnan, Madars Virza, and the other authors of [1, 30] for assistance in obtaining the data reported in Fig. 2. We thank Alessandro Chiesa, Yuval Ishai and the anonymous referees for commenting on earlier drafts of this paper.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Eli Ben-Sasson .

Editor information

Editors and Affiliations

A Standalone Construction

A Standalone Construction

In this section we give an overview of the process leading to the main theorems specified above (Sect. 2.3). For didactic reasons we accompany our description with a simple and concrete “toy” computation as an example, marked in boxed texts, and gloss over some of the (numerous) technicalities (a few examples are discussed in the last part in this section); nevertheless, the same steps apply to more complex computations. Further details and formal definitions appear in the full version of this paper [12].

Many ZKsystems (including ours) use arithmetization, a technique introduced to prove circuit lower bounds [66, 75] and adapted later to interactive proof systems [4, 59]. Arithmetization is the reduction of computational problems to algebraic problems, that involve “low degree” polynomials over a finite field \(\mathbb {F} \); in this context, “low degree” means degree is significantly smaller than field size.

The start point for arithmetization in all proof systems is a computational integrity statement which the prover wishes to prove, like the following instance of the CI language (see Remark 1):

For our ZK-STIK and for related prior systems [9, 25, 27], the end point of arithmetization is a pair of Reed-Solomon (RS) proximity testing (RPT) problemsFootnote 9, and the scalability of our ZK-STIK relies on a new solution to it—the FRI protocol discussed below [11]. For \(S\subset \mathbb {F} \) and rate parameter \(\rho \in (0,1)\), the RS code with evaluation domain S and rate \(\rho \) is the space of evaluations of low-degree functions over S,

$$\mathsf{RS} [\mathbb {F},S,\rho ]=\left\{ f:S\rightarrow \mathbb {F} \mid \deg (f)<\rho |S|\right\} .$$

The RPT problem for \(\mathsf{RS} [\mathbb {F},S,\rho ]\) is one of deciding, with a small number of queries, whether a function \(f:S\rightarrow \mathbb {F} \) is a member of \(\mathsf{RS} [\mathbb {F},S,\rho ]\) or far from all members of the code in relative Hamming distance.

figure a

Our process has 4 parts (see Fig. 5). When reading the description below, the main thing to notice is that from start to end, verification costs are logarithmic in \(\mathsf{T} \) (and polynomial in the description of the computation \({\mathsf{C}}\)). To see this it is useful to think informally of \(\mathsf{T} \gg |{\mathsf{C}}|\), like \(\mathsf{T} =2^{|{\mathsf{C}}|}\). In each of the reductions, the verifier receives only an instance (denoted ) as its input, whereas the prover additionally receives a witness (denoted ) for membership of in the relevant language.

Fig. 5.
figure 5

The reduction from an AIR instance to a pair of RPT problems, solved using the FRI protocol, explained later in this section. Briefly, the Algebraic Intermediate Representation (AIR) is converted via the Algebraic Placement and Routing (APR) reduction to an APR instance. This is reduced via the Algebraic Linking IOPP (ALI) protocol to a pair of RPT problems, which are solved using two applications of the FRI protocol.

Part I. The starting point is a natural algebraic intermediate representationFootnote 10 (AIR) of and , denoted . The verifier receives and the prover also receives . Informally, corresponds to the statement (*) and corresponds to an execution trace witnessing correctness of (*), i.e., is a \(\mathsf{T} \times \mathsf{a} \) array in which the ith row describes the state of the computation at time i and the jth column tracks the contents of the jth register over time (this column will later give rise to \(f_j\)). Each entry of this array is an element in the field \(\mathbb {F} \). The transition relation of the computation is specified by a set of multi-variate polynomials over variables \(X_1,\ldots ,X_\mathsf{a}, Y_1,\ldots , Y_\mathsf{a} \) that correspond to the current state registers (X variables) and next state registers (Y variables). These constraints enforce the validity of the transition from one state to the next.

figure b

Notice that can be much smaller than ; this is crucial for (full) scalability because \(\mathsf{tv} \) must be bounded by a polynomial in and \(\log \mathsf{T} \). Another point to bear in mind is that constructing an AIR for simple computations is straightforward (as shown in our toy example); additional examples appear in Vitalik Buterin’s blog posts I and III on STARKs [32], in the examples in libSTARK [10], and in previous works like [9, Appendix B] and [65].

Part II. We reduce the AIR representation into a different one, in which states of the execution trace are “placed” on nodes of an affine graph, so that consecutive states are connected by an edge in that graph. Informally, an affine graph is a “circuit” that has “algebraic” topology. The process of “placing” machine states on nodes of a circuit is roughly analogous to the process of placement and routing which is commonly used in computer and circuit design, although our design space is constrained by algebra rather than by physical reality. We refer to this particular transformation as the algebraic placement and routing (APR) reduction, and the resulting representation is an APR instance/witness pair . The affine graph will necessarily be quite large, larger than , but the verifier requires only a succinct representation of this graph, via a constant size set of (edge) generators. This succinct representation is crucial for obtaining verifier scalability and avoiding the “computation unrolling” costs incurred by other ZKapproaches. We first explain how a prover computes this transformation, and then address the verifier’s transformation.

The (honest) prover interprets the jth column of the algebraic execution trace as a partial function \(\hat{f}_j\) from a domain that is a subset of \(\mathbb {F} \) and which maps into the field \(\mathbb {F} \). Thus, the prover now interpolates this function \(\hat{f}_j\) to obtain a polynomial \(P_j(X)\), and then evaluates this polynomial on a different domain \(S\subset \mathbb {F} \) of size \(|S|=\beta \cdot \mathsf{T} \), to obtain a function \(f_j\). The final step of this stage on the prover-side is providing the verifier with oracle access to the sequence \(\mathbf {f}=(f_1,\ldots , f_\mathsf{a})\) where \(f_i:S\rightarrow \mathbb {F} \), noticing this sequence is an encoding of columns (registers) of the execution trace via RS codewords. (in the ZK-STARK, this oracle access will be realized via Merkle-tree commitments to \(\mathbf {f}\)).

The verifier, on receiving , computes the size \(\beta \cdot \mathsf{T} \) and picks the same domain \(S\subset \mathbb {F} \) as the prover (notice S does not depend on ). Then, the verifier computes the succinct set of affine transformations that correspond to edges in the affine graph, and obtains an APR instance, denoted .

figure c

The reduction in this step is deterministic on the verifier side, i.e., involves no verifier-side randomness and no interaction; as such, it also has perfect completeness and perfect soundness. On the prover side, randomness is used to create a zero knowledge version of the execution trace, by allowing the prover to use polynomials of degree slightly greater than \(\mathsf{T} \), as to allow for Shamir-style secret sharing techniques to hide individual entries of the execution trace.

Part III. The APR representation is used to produce, via a 1-round IOP, a pair of instances of the Reed-Solomon proximity testing (RPT) problem. In our case, the two codes resulting from the reduction are over the same field \(\mathbb {F} \) but may have different evaluation domains and different code rates. To maintain verifier scalability, we point out that specifying the code parameters—S and \(\rho \), will be done in a succinct manner, one that requires space \(\log |\mathsf{T} |\); thus, this part of our construction also supports verifier-side scalability.

The witness in this case is a pair of purported codewords (\({f^{(0)}}, {g^{(0)}}\)). The first function \({f^{(0)}}\) is simply a random linear combination of \(\mathbf {f}\) to which the prover committed in the previous step. The second function \({g^{(0)}}\) is obtained after the various constraints that enforce execution trace validity are randomly “linked” into a single (random) constraint. We thus refer to this step as the algebraic linking IOP (ALI) protocol.

figure d

Part IV. In the last step of our reduction, for each of the two functions (oracles) \({f^{(0)}}, {g^{(0)}}\), the prover and verifier interact according to the fast RS IOP of proximity (FRI) protocol from [11] (cf. [12, Appendix B.6]). That protocol has a scalable verifier and query complexity that is logarithmic in the size of the evaluation domain of the code, further establishing verifier scalability. And thus, from start to end, verifier side complexity remains scalable—logarithmic in \(\mathsf{T} \) (and polynomial in \(|{\mathsf{C}}|\)).

figure e

Regarding prover scalability, inspection reveals that the main bottleneck in the process is the low-degree extension part, in which each function \(\hat{f}_j\) that encodes a register gets interpolated and then evaluated on a domain of size \(\beta \cdot \mathsf{T} \). For this part we use so-called additive FFTs; in particular, libSTARK uses the recent innovative algorithm of [56] that performs this computation with \(O(\beta \mathsf{T} \log (\beta \mathsf{T}))\) arithmetic operations. All other steps of the prover’s computation are merely linear in \(|\mathsf{T} |\); in particular, the FRI computation is such.

In closing we briefly mention some of the subtle issues that were glossed over in our toy example and are discussed at length in our formal proofs, and implemented in the code:

  1. 1.

    The toy construction is not zero knowledge, because each entry of \(\mathbf {f}\) does reveal some information about \(y_0,y_1\). To achieve zero knowledge we slacken the degree constraint on \(f_0,f_1\), allowing the prover to sample a random polynomial that agrees with \(\hat{f}_0,\hat{f}_1\) on G, and thus hide information regarding \(y_0,y_1\) for query-limited verifiers (in a manner resembling Shamir secret sharing [74]).

  2. 2.

    We did not enforce the boundary condition stating that the last entry is z. To enforce this, the verifier interpolates a polynomial corresponding to all boundary constraints (in our toy example there is only one such constraint) and “incorporates it” in the proof oracle \(\mathbf {f}\).

  3. 3.

    Verifier scalability requires that \(\mathsf{Zero} _G\) be computed efficiently. This is indeed the case (because G is a subgroup of \(\mathbb {F} \)), and holds also for additive subgroups (as implemented by libSTARK [10]).

  4. 4.

    The toy computation does not make use of random memory access (RAM); maintaining scalability for programs that make significant use of RAM complicates the construction, requiring more elaborate affine graphs that embed DeBruijn switching networks; these issues are addressed by Theorem 2 and its proof.

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M. (2019). Scalable Zero Knowledge with No Trusted Setup. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11694. Springer, Cham. https://doi.org/10.1007/978-3-030-26954-8_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-26954-8_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-26953-1

  • Online ISBN: 978-3-030-26954-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics