
The product protocol given in 6 and the linear consistency protocol given in 7 together imply an arithmetic circuit protocol with the same asymptotic efficiency as the two subprotocols. The prover forms O(mk) commitments, each to n wire values in Z_p, and runs both subprotocols in order to prove that the committed values satisfy the arithmetic circuit, reusing the same commitments A_i to the wires in both subprotocols. This yields a zero-knowledge argument for arithmetic circuit satisfiability with communication cost O(√N log N) elements of Z_q, computational cost O(N log N) for the prover, and approximately O(N) for the verifier.

