TY - GEN
T1 - Proving as fast as computing
T2 - 54th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2022
AU - Ron-Zewi, Noga
AU - Rothblum, Ron D.
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/9/6
Y1 - 2022/9/6
AB - Succinct arguments are proof systems that allow a powerful, but untrusted, prover to convince a weak verifier that an input x belongs to a language L ∈ NP, with communication that is much shorter than the NP witness. Such arguments, which grew out of the theory literature, are now drawing immense interest also in practice, where a key bottleneck that has arisen is the high computational cost of proving correctness. In this work we address this problem by constructing succinct arguments for general computations, expressed as Boolean circuits (of bounded fan-in), with a strictly linear-size prover. The soundness error of the protocol is an arbitrarily small constant. Prior to this work, succinct arguments were known with a quasi-linear-size prover for general Boolean circuits, or with a linear-size prover only for arithmetic circuits defined over large finite fields. In more detail, for every Boolean circuit C=C(x,w), we construct an O(log|C|)-round argument system in which the prover can be implemented by a size O(|C|) Boolean circuit (given as input both the instance x and the witness w), with arbitrarily small constant soundness error and using poly(λ,log|C|) communication, where λ denotes the security parameter. The verifier can be implemented by a size O(|x|) + poly(λ, log|C|) circuit following a size O(|C|) private pre-processing step, or, alternatively, by using a purely public-coin protocol (with no pre-processing) with a size O(|C|) verifier. The protocol can be made zero-knowledge using standard techniques (and with similar parameters). The soundness of our protocol is computational and relies on the existence of collision-resistant hash functions that can be computed by linear-size circuits, such as those proposed by Applebaum et al. (ITCS, 2017). At the heart of our construction is a new information-theoretic interactive oracle proof (IOP), an interactive analog of a PCP, for circuit satisfiability, with constant prover overhead. The improved efficiency of our IOP is obtained by bypassing a barrier faced by prior IOP constructions, which needed to (either explicitly or implicitly) encode the entire computation using a multiplication code.
KW - IOP
KW - Interactive Oracle Proofs
KW - Succinct Arguments
UR - http://www.scopus.com/inward/record.url?scp=85132719746&partnerID=8YFLogxK
U2 - 10.1145/3519935.3519956
DO - 10.1145/3519935.3519956
M3 - Conference contribution
AN - SCOPUS:85132719746
T3 - Proceedings of the Annual ACM Symposium on Theory of Computing
SP - 1353
EP - 1363
BT - STOC 2022 - Proceedings of the 54th Annual ACM SIGACT Symposium on Theory of Computing
A2 - Leonardi, Stefano
A2 - Gupta, Anupam
PB - Association for Computing Machinery
Y2 - 20 June 2022 through 24 June 2022
ER -