Abstract
In this paper, we investigate zero-knowledge proof systems based on the “MPC-in-the-head” paradigm (MPCitH), which presents the advantage of offering fast proof generation and post-quantum security. However, current constructions suffer from the drawbacks of large proof sizes and high memory consumption. Particularly, as the underlying circuit increases in size, the proof size grows significantly, and the machine that executes MPCitH-based protocol quickly surpasses its memory bounds due to the multiple parallel executions of MPC. To overcome this challenge, we present the VC-then-MPCitH paradigm, which integrates verifiable computation (VC) techniques into MPCitH. We implement our protocol using concrete VC protocol Virgo++ and MPCitH protocol BN++. Leveraging the properties of the underlying protocols, we can embed Virgo++ into BN++ efficiently. The resulting protocol can significantly reduce the memory consumption and the cost of both computation and communication of MPCitH for large circuits. We conduct our evaluation on a circuit over the field \({\mathbb F}_{2^{128}}\) consisting of 40,006 multiplication gates and almost 100000 gates in total. With soundness error of \(2^{-128}\), our protocol can generate proofs of size 8891 KB in 86 ms, and verify in 70 ms. Furthermore, our protocol outperforms BN++ with the same parameter settings by reducing the proof size by a factor of 10 and shortening both the prover and verifier time by 13 times. On a resource-constrained device that offers 10 GB of memory, our protocol can handle effectively circuits with up to 10 million gates, while BN++ only supports circuits with up to 330,000 gates.
References
Ahmad, H., et al.: Primitives towards verifiable computation: a survey. Front. Comput. Sci. 12, 451–478 (2018)
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2087–2104 (2017)
Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 495–526. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_17
Baum, C., de Saint Guilhem, C.D., Kales, D., Orsini, E., Scholl, P., Zaverucha, G.: Banquet: short and fast signatures from AES. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 266–297. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_11
Belling, A., Soleimanian, A., Bégassat, O.: Recursion over public-coin interactive proof systems; faster hash verification. Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/1072
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Bhadauria, R., Fang, Z., Hazay, C., Venkitasubramaniam, M., Xie, T., Zhang, Y.: Ligero++: a new optimized sublinear IOP. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2025–2038 (2020)
Bowe, S., Grigg, J., Hopwood, D.: Recursive proof composition without a trusted setup. Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/1021
Chase, M., et al.: The Picnic signature scheme: design document v2.2 (2020)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1825–1842 (2017)
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Dobraunig, C., Kales, D., Rechberger, C., Schofnegger, M., Zaverucha, G.: Shorter signatures based on tailor-made minimalist symmetric-key crypto. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 843–857 (2022)
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PlonK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/953
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for boolean circuits. In: 25th USENIX Security Symposium (USENIX Security), pp. 1069–1083 (2016)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing (STOC), pp. 291–304 (1985)
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. J. ACM (JACM) 62(4), 1–64 (2015)
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Gvili, Y., Ha, J., Scheffler, S., Varia, M., Yang, Z., Zhang, X.: TurboIKOS: improved non-interactive zero knowledge and post-quantum signatures. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 365–395. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_15
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing (STOC), pp. 21–30 (2007)
Kales, D., Zaverucha, G.: Improving the performance of the Picnic signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst., pp. 154–188 (2020)
Kales, D., Zaverucha, G.: Efficient lifting for shorter zero-knowledge proofs and post-quantum signatures. Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/588
Kales, D., et al.: BN++ implementation. https://github.com/IAIK/bnpp_helium_signatures
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 525–537 (2018)
Kothapalli, A., Setty, S., Tzialla, I.: Nova: recursive zero-knowledge arguments from folding schemes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13510, pp. 359–388. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_13
Liu, T., et al.: Virgo++ implementation. https://github.com/TAMUCrypto/virgo-plus
Lund, C., Fortnow, L., Karloff, H., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM (JACM) 39(4), 859–868 (1992)
Delpech de Saint Guilhem, C., Orsini, E., Tanguy, T.: Limbo: efficient zero-knowledge MPCitH-based arguments. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 3022–3036 (2021)
de Saint Guilhem, C.D., De Meyer, L., Orsini, E., Smart, N.P.: BBQ: using AES in picnic signatures. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 669–692. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_27
Wahby, R.S., et al.: Full accounting for verifiable outsourcing. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2071–2086 (2017)
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 926–943. IEEE (2018)
Zhang, J., et al.: Doubly efficient interactive proofs for general arithmetic circuits with linear prover time. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 159–177 (2021)
Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 859–876. IEEE (2020)
Acknowledgements
This work was supported by the National Key R&D Program of China (Grant No. 2022YFB2701700, 2018YFA0704702) and Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053).
A Proof of Theorem 1
Completeness. The completeness of \(\varPi \) follows from the completeness of Virgo++ and BN++.
HVZK. The HVZK property of \(\varPi \) is ensured by the underlying MPCitH-based ZK protocol, which is HVZK for the statement \(\mathcal {V}_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\). So the construction of simulator \(\mathcal {S}\) for \(\varPi \) follows the main idea of the ZK simulator for BN++. In the simulation, the offsets of \(\textbf{w},\boldsymbol{\pi },c,z,\alpha \) in the protocol are randomly chosen instead of computing from the secret shares. Due to the randomness of shares and the hiding property of Commit, the transcript output by \(\mathcal {S}\) is indistinguishable from the real script in distribution.
Knowledge Soundness. Under the premise that \(\mathsf{Commit, H_0,H_1}\) and \(\mathsf{H_2}\) are modeled as random oracles, the following lemmas hold.
Lemma 1
\(\varPi \) is an argument of knowledge for the relation: \(R'=\{\langle x'=(\mathcal V_{IP},\textbf{y}); \hat{\textbf{w}}\rangle :\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\}\) with knowledge error
Proof Sketch. The knowledge soundness for the relation \(R'\) is inherited from BN++. In one of the M independent executions, a malicious \(\mathcal {P}^*\) can cheat \(\mathcal {V}\) by first adjusting the output shares of multiplication gates, and then adjusting one of the parties’ views if the challenges received from \(\mathcal V\) would not otherwise result in \(\textsf{acc}\). According to Lemma 2 of [22], the probability that \(\mathcal {P}^*\) cheats successfully is at most \(\frac{1}{|{\mathbb F}|}\) in the first stage, and at most \(\frac{1}{N}\) in the second stage, since \(N-1\) of the \(N\) views are opened. Thus the total success probability of \(\mathcal {P}^*\) is at most \((\frac{1}{|\mathbb F|}+(1-\frac{1}{|\mathbb F|})\cdot \frac{1}{N})^M=\xi _a\). Extractability is proven by listing all possible challenges in Phase 3 and Phase 4 together with their responses in an \(N\times |{\mathbb F}|^{V_m}\) matrix for each execution. The extractor \(\mathcal {E}\) extracts a valid witness by tracking entries of this matrix, in expected time \(O(\frac{1}{\delta (x)-\xi _a})\), where \(\delta (x)\) is the probability that \(\mathcal {P}^*\) passes the verification check. More details about the knowledge extraction procedure can be found in [4].
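As an added illustration that is not part of the paper, the following Python evaluates the per-execution cheating bound \(\frac{1}{|\mathbb F|}+(1-\frac{1}{|\mathbb F|})\cdot\frac{1}{N}\) and \(\xi_a\) exactly with rational arithmetic, and derives the smallest number of executions \(M\) that brings \(\xi_a\) below a target such as \(2^{-128}\). The party counts, field sizes and targets used in the demonstration are chosen here for illustration and are not the paper's parameter set.

```python
from fractions import Fraction

# Exact arithmetic matters here: with |F| = 2^128 the first-stage term 1/|F|
# vanishes in a double-precision float, which would under-count M by one.

def per_execution_error(field_size: int, n_parties: int) -> Fraction:
    """Upper bound on a cheating prover's success in ONE MPCitH execution:
    1/|F| for the multiplication-check stage, plus (1 - 1/|F|)/N for guessing
    the single unopened party in the view-opening stage (Lemma 1's argument)."""
    f = Fraction(1, field_size)
    return f + (1 - f) * Fraction(1, n_parties)


def knowledge_error(field_size: int, n_parties: int, m_executions: int) -> Fraction:
    """xi_a = (per-execution bound)^M over M independent executions."""
    return per_execution_error(field_size, n_parties) ** m_executions


def min_executions(field_size: int, n_parties: int, target_bits: int) -> int:
    """Smallest M such that xi_a <= 2^-target_bits."""
    p = per_execution_error(field_size, n_parties)
    bound = Fraction(1, 2 ** target_bits)
    m, err = 1, p
    while err > bound:
        err *= p
        m += 1
    return m


def security_bits(xi: Fraction) -> int:
    """Largest k with xi <= 2^-k, i.e. the soundness level actually achieved."""
    k = 0
    while xi <= Fraction(1, 2 ** (k + 1)):
        k += 1
    return k


if __name__ == "__main__":
    # Illustrative parameters (constructed, not the paper's): a 128-bit field,
    # 16 parties, and a 128-bit soundness target.
    field, parties, target = 2 ** 128, 16, 128
    m = min_executions(field, parties, target)
    print(f"N={parties}, |F|=2^128: need M={m} executions for 2^-{target}")
    # One execution fewer leaves the error just above the target.
    print("with M-1 executions:", security_bits(knowledge_error(field, parties, m - 1)), "bits")
```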
Lemma 2
If Lemma 1 holds and the event causing the knowledge error never happens, then \(\textbf{w}\) in the extracted \(\hat{\textbf{w}}=(\textbf{w},\boldsymbol{\pi })\) satisfies \(\mathcal C(\textbf{w})=\textbf{y}\) except with probability
When \(|\mathbb {F}|\) is large enough, \(\xi _b<\mathsf{negl(\kappa )}\).
Proof Sketch. The proof of Lemma 2 follows the main idea of the soundness analysis of Virgo++. The soundness error \(\xi _b\) consists of three parts: the soundness error of the sumcheck protocol run in each layer of the circuit, the soundness error of the sumcheck protocol run on the linear combination between adjacent layers, and the soundness error of the linear combination itself.
According to Lemma 1, \(\varPi \) is knowledge-sound for the relation \(R'=\{\langle x'=(\mathcal V_{IP},\textbf{y});\ \hat{\textbf{w}}\rangle :\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\}\) with knowledge error \(\xi _a\). We can therefore invoke the extractor \(\mathcal {E}\) of Lemma 1 to extract a witness \(\hat{\textbf{w}}\) such that \(\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\) in \(O(\frac{1}{1-\xi _a})\) steps, and by Lemma 2 the component \(\textbf{w}\) of \(\hat{\textbf{w}}\) satisfies \(\mathcal {C}(\textbf{w})=\textbf{y}\) with probability at least \(1-\xi _b\). For the knowledge error of the whole protocol, it remains to ensure that the witness extracted for the relation \(R\) is consistent with the one for \(R'\). Suppose \(\mathcal {P}^*\) holds \(\textbf{w}_1, \textbf{w}_2\) and tries to convince the verifier of \(\mathcal {C}(\textbf{w})=\textbf{y}\) and \(\mathcal {V}_{IP}(\hat{\textbf{w}},\textbf{y}) = \textbf{0}\). Conditioned on the verifier of \(\varPi \) outputting \(\textsf{acc}\), if \(\textbf{w}\) is not consistent with \(\hat{\textbf{w}}\), every case in which \(\mathcal {P}^*\) passes verification reduces to one of the cases that give rise to the knowledge error \(\xi _a\) or \(\xi _b\). Therefore, \(\varPi \) is knowledge-sound for the relation \(R=\{\langle x=(\mathcal C,\textbf{y});\ \textbf{w}\rangle :\mathcal {C}(\textbf{w})=\textbf{y}\}\) with knowledge error at most \(\xi \le \xi _a+\xi _b\).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Liu, L., Wei, P. (2023). When MPC in the Head Meets VC. In: Meng, W., Yan, Z., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2023. Lecture Notes in Computer Science, vol 14341. Springer, Singapore. https://doi.org/10.1007/978-981-99-7032-2_30
DOI: https://doi.org/10.1007/978-981-99-7032-2_30
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7031-5
Online ISBN: 978-981-99-7032-2