Zero-Knowledge IOPs Approaching Witness Length

Noga Ron-Zewi, Mor Weiss

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Interactive Oracle Proofs (IOPs) allow a probabilistic verifier interacting with a prover to verify the validity of an NP statement while reading only few bits from the prover messages. IOPs generalize standard Probabilistically-Checkable Proofs (PCPs) to the interactive setting, and in the few years since their introduction have already exhibited major improvements in main parameters of interest (such as the proof length and prover and verifier running times), which in turn led to significant improvements in constructions of succinct arguments. Zero-Knowledge (ZK) IOPs additionally guarantee that the view of any query-bounded (possibly malicious) verifier can be efficiently simulated. ZK-IOPs are the main building block of succinct ZK arguments which use the underlying cryptographic object (e.g., a collision-resistant hash function) as a black box. In this work, we construct the first ZK-IOPs approaching the witness length for a natural NP problem. More specifically, we design constant-query and constant-round IOPs for 3SAT in which the total communication is (1+γ)m, where m is the number of variables and γ>0 is an arbitrarily small constant, and ZK holds against verifiers querying mβ bits from the prover’s messages, for a constant β>0. This gives a ZK variant of a recent result of Ron-Zewi and Rothblum (FOCS ‘20), who construct (non-ZK) IOPs approaching the witness length for a large class of NP languages. Previous constructions of ZK-IOPs incurred an (unspecified) large constant multiplicative overhead in the proof length, even when restricting to ZK against the honest verifier. We obtain our ZK-IOPs by improving the two main building blocks underlying most ZK-IOP constructions, namely ZK codes and ZK-IOPs for sumcheck. More specifically, we give the first ZK-IOPs for sumcheck that achieve both sublinear communication for sumchecking a general tensor code, and a ZK guarantee. We also show a strong ZK preservation property for tensors of ZK codes, which extends a recent result of Bootle, Chiesa, and Liu (EC ‘22). Given the central role of these objects in designing ZK-IOPs, these results might be of independent interest.

Original languageEnglish
Title of host publicationAdvances in Cryptology – CRYPTO 2024 - 44th Annual International Cryptology Conference, Proceedings
EditorsLeonid Reyzin, Douglas Stebila
PublisherSpringer Science and Business Media Deutschland GmbH
Pages105-137
Number of pages33
ISBN (Print)9783031684029
DOIs
StatePublished - 2024
Event44th Annual International Cryptology Conference, CRYPTO 2024 - Santa Barbara, United States
Duration: 18 Aug 202422 Aug 2024

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume14929 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference44th Annual International Cryptology Conference, CRYPTO 2024
Country/TerritoryUnited States
CitySanta Barbara
Period18/08/2422/08/24

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2024.

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Zero-Knowledge IOPs Approaching Witness Length'. Together they form a unique fingerprint.

Cite this