Zero Knowledge Succinct Arguments: an Introduction Alessandro - - PowerPoint PPT Presentation

Alessandro Chiesa UC Berkeley

1

Zero Knowledge Succinct Arguments: an Introduction

2

Motivation

3

3

cryptography is a powerful tool for building secure systems

3

cryptography is a powerful tool for building secure systems much of the cryptography used today

• ffers security properties for data

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality

m

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality

Enc(m)

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality authenticity

Alice Bob m Enc(m)

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality authenticity

Alice Bob m Enc(m) Sig(m)

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality authenticity

Alice Bob

what about security properties for computation?

m Enc(m) Sig(m)

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality authenticity

Alice Bob

what about security properties for computation? cryptographic proofs offer privacy-preserving integrity for computation

m Enc(m) Sig(m)

3

cryptography is a powerful tool for building secure systems

Alice Bob

much of the cryptography used today

• ffers security properties for data

confidentiality authenticity

Alice Bob

what about security properties for computation? cryptographic proofs offer privacy-preserving integrity for computation

m Enc(m) Sig(m)

• ne of the exciting crypto deployment frontiers today

Cryptographic Proofs

4

Cryptographic Proofs

4

a powerful defense against malicious behavior especially in distributed protocols

Cryptographic Proofs

4

1980s a powerful defense against malicious behavior securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

Cryptographic Proofs

4

1980s a powerful defense against malicious behavior

passive security

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

Cryptographic Proofs

4

1980s a powerful defense against malicious behavior

passive security

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

• zero knowledge
• proof of knowledge

Key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge

Key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge

Key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

I know x s.t. y=F(x)

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge

Key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

I know x s.t. y=F(x) proof

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge

Key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

I know x s.t. y=F(x) proof

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge
• non-interactive
• publicly verifiable
• succinct

Key properties Additional key properties

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

I know x s.t. y=F(x) proof

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge
• non-interactive
• publicly verifiable
• succinct

Key properties Additional key properties zk-SNARK

Cryptographic Proofs

4

1980s 2010s a powerful defense against malicious behavior

passive security

I know x s.t. y=F(x) proof

securely compute y=F(x1,…,xn) via a multi-party protocol especially in distributed protocols

active security

[GMW87]

blockchain technology

• zero knowledge
• proof of knowledge
• non-interactive
• publicly verifiable
• succinct

Key properties Additional key properties zk-SNARK

5

Origins

Zero Knowledge Proofs

6

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

[GMR85]

Zero Knowledge Proofs

6

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’, Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x)

simulator

[GMR85]

Zero Knowledge Proofs

[GMR85]

7

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Zero Knowledge Proofs

[GMR85]

7

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

[GMR85]: ZKPs for certain number-theoretic problems (QR,QNR)

Zero Knowledge Proofs

[GMR85]

7

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

If one-way functions exist: [GMR85]: ZKPs for certain number-theoretic problems (QR,QNR)

Zero Knowledge Proofs

[GMR85]

7

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

[GMW86]: ZKPs for all poly-time computable functions F If one-way functions exist: [GMR85]: ZKPs for certain number-theoretic problems (QR,QNR)

Zero Knowledge Proofs

[GMR85]

7

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

[GMW86]: ZKPs for all poly-time computable functions F If one-way functions exist: [BGGHKMR88]: ZKPs for all poly-space computable functions F [GMR85]: ZKPs for certain number-theoretic problems (QR,QNR)

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive.

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive. BUT

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive. BUT interactive

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive. BUT interactive not succinct

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive. BUT interactive not succinct

communication complexity & verification complexity are proportional to time(F)

Zero Knowledge Proofs

[GMR85]

8

P V

“I know x s.t. y=F(x)”

F function y claimed output x private input F function y claimed output

rover erifier

Powerful cryptographic primitive. BUT interactive not succinct

communication complexity & verification complexity are proportional to time(F) for typical F size(F) ≪ time(F)

Zero Knowledge Succinct Proofs

9

[Kilian92][Micali94]

Zero Knowledge Succinct Proofs

9

P

V

“I know x s.t. y=F(x)”

[Kilian92][Micali94]

Zero Knowledge Succinct Proofs

9

P

V

“I know x s.t. y=F(x)” completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’ Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x) succinctness

V(F,y) runs in time proportional to |F|+|y| (not time(F)+|y|)

[Kilian92][Micali94]

Zero Knowledge Succinct Proofs

9

P

V

“I know x s.t. y=F(x)” completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’ Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x) succinctness

V(F,y) runs in time proportional to |F|+|y| (not time(F)+|y|)

[Kilian92][Micali94]

*

Zero Knowledge Succinct Proofs

9

P

V

“I know x s.t. y=F(x)” completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’ Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x) succinctness

V(F,y) runs in time proportional to |F|+|y| (not time(F)+|y|)

[Kilian92][Micali94]

* * must relax to computational soundness: ∀ PPT P’ ... [GH98]

Zero Knowledge Succinct Proofs

9

P

V

“I know x s.t. y=F(x)” completeness

∃ x: y=F(x) → Pr[P(F,y,x) convinces V(F,y)]=1

soundness

∄ x: y=F(x) → ∀ P’ Pr[P’ convinces V(F,y)]≃0

zero knowledge ∃ x: y=F(x) → ∀ V’, S(V',F,y) ≃ view of V' with P(F,y,x) succinctness

V(F,y) runs in time proportional to |F|+|y| (not time(F)+|y|)

[Kilian92][Micali94]

* * must relax to computational soundness: ∀ PPT P’ ... [GH98]

Arguments

Achieving Succinctness

10

Achieving Succinctness

10

Zero Knowledge Succinct Proof

Achieving Succinctness

10

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

[BFLS91][FGLSS96][AS92][ALMSS92]

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

[Kilian92]

Zero Knowledge Succinct Proof

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

P

[Kilian92]

Zero Knowledge Succinct Proof

COM

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q

P

[Kilian92]

Zero Knowledge Succinct Proof

COM

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

interactive not succinct TOFIX

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

interactive not succinct TOFIX

Achieving Succinctness

10

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

P

COM

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

P

COM

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

Q

P

COM

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

Q

P

COM DECOM

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

Achieving Non-Interactivity

11

Probabilistically Checkable Proof

P

Q D

[BFLS91][FGLSS96][AS92][ALMSS92]

Q D

P

[Kilian92]

Zero Knowledge Succinct Proof

COM DECOM

[Micali94]

Zero Knowledge SNARK

Q D

P

COM DECOM

Random Oracle

(SHA-256)

(the first)

bad concrete efficiency interactive not succinct TOFIX

12

Modern Era

The Quest for ZK-SNARKs without Random Oracles

13

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] based on PCPs [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions Linear-Only Encryption/Encoding [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] based on PCPs [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions Linear-Only Encryption/Encoding [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] [G 10] [L 12] [BCIOP 13] [GGPR 13] [PGHR 13] [BCGTV 13] [BCTV 14a] [DFGK 14] [WSRBW 15] [BBFR 15] [BCTV 14b] [CTV 15] [CFHKKNPZ 15] [BISW 17] ⁞ based on PCPs [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions Linear-Only Encryption/Encoding Generic Group Model [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] [G 10] [L 12] [BCIOP 13] [GGPR 13] [PGHR 13] [BCGTV 13] [BCTV 14a] [DFGK 14] [G 16] [WSRBW 15] [BBFR 15] [BCTV 14b] [CTV 15] [CFHKKNPZ 15] [BISW 17] ⁞ based on PCPs [D 92]

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions Linear-Only Encryption/Encoding Generic Group Model [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] [G 10] [L 12] [BCIOP 13] [GGPR 13] [PGHR 13] [BCGTV 13] [BCTV 14a] [DFGK 14] [G 16] [WSRBW 15] [BBFR 15] [BCTV 14b] [CTV 15] [CFHKKNPZ 15] [BISW 17] ⁞ based on PCPs based on linear PCPs [D 92]

strike a different tradeoff…

The Quest for ZK-SNARKs without Random Oracles

13

Negative result: constructing them "requires strong assumptions" [GW11] Positive results (under strong assumptions):

Knowledge of Exponent Extractable Hash Functions Linear-Only Encryption/Encoding Generic Group Model [BCCT 12] [DFH 12] [GLR 12] [BC 12] [BCCT 13] [BCCGLRT 16] [G 10] [L 12] [BCIOP 13] [GGPR 13] [PGHR 13] [BCGTV 13] [BCTV 14a] [DFGK 14] [G 16] [WSRBW 15] [BBFR 15] [BCTV 14b] [CTV 15] [CFHKKNPZ 15] [BISW 17] ⁞ based on PCPs based on linear PCPs [D 92]

ZK-SNARKs from Linear PCPs

14

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

P

Q D

h~ ↵, ·i

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

P

Q D

h~ ↵, ·i

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

pk vk

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc

h~ ↵, ·i

P

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc Hom Eval

h~ ↵, ·i

P

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc Enc Hom Eval

h~ ↵, ·i

P

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc Enc Hom Eval

h~ ↵, ·i

D

P

ZK-SNARKs from Linear PCPs

14

Linear PCP

[IKO07][BCIOP13]

[BCIOP13]

Zero Knowledge SNARK

P

Q D

h~ ↵, ·i

P

V Setup

pk vk

linear-only encodings

Q

pk vk

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

15

ZK-SNARKs from Linear PCPs

15

+

⨉

+

⨉

arithmetic circuit

C

ZK-SNARKs from Linear PCPs

15

Setup

+

⨉

+

⨉

arithmetic circuit

C

ZK-SNARKs from Linear PCPs

15

Q Setup

+

⨉

+

⨉

arithmetic circuit

C

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc

Setup

+

⨉

+

⨉

arithmetic circuit proving key verification key

C

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc

Setup

+

⨉

+

⨉

arithmetic circuit

Prover

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc

h~ ↵, ·i

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

libsnark's implementation

• f [Groth EUROCRYPT '16]

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0

ZK-SNARKs from Linear PCPs

3 group elts (128 bytes) libsnark's implementation

• f [Groth EUROCRYPT '16]

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0 3 pairings (3 ms)

ZK-SNARKs from Linear PCPs

3 group elts (128 bytes) libsnark's implementation

• f [Groth EUROCRYPT '16]

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0 3 pairings (3 ms)

ZK-SNARKs from Linear PCPs

3 group elts (128 bytes) 0.1ms / gate 1KB / gate libsnark's implementation

• f [Groth EUROCRYPT '16]

15

Q

pkC vkC

Enc Enc Hom Eval

h~ ↵, ·i

ZeroTest D

P

Setup

+

⨉

+

⨉

arithmetic circuit

Prover Verifier

proving key verification key

C

input x witness w Given public C,x ∃ secret w s.t. C(x,w)=0 3 pairings (3 ms)

ZK-SNARKs from Linear PCPs

3 group elts (128 bytes) 0.1ms / gate 1KB / gate

FFT MULTIEXP

libsnark's implementation

• f [Groth EUROCRYPT '16]

Which approach is better?

16

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

FFT MEXP FFT

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

• slower verifier
• bigger proofs
• faster verifier

3 pairings (3ms)

• smaller proofs

3 group elts (128 bytes)

FFT MEXP FFT

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

trapdoor no trapdoor

• slower verifier
• bigger proofs
• faster verifier

3 pairings (3ms)

• smaller proofs

3 group elts (128 bytes)

FFT MEXP FFT

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

no trapdoor

• slower verifier
• bigger proofs
• faster verifier

3 pairings (3ms)

• smaller proofs

3 group elts (128 bytes)

[BCGTV15]

FFT MEXP FFT

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

no trapdoor

• slower verifier
• bigger proofs
• faster verifier

3 pairings (3ms)

• smaller proofs

3 group elts (128 bytes)

[BCGTV15]

ceremony

FFT MEXP FFT

Which approach is better?

16

Linear PCP

P

Q

D

h~ ↵, ·i

P

V Setup

pk vk

PCP

P P

V

RO

memory intensive

no trapdoor

• slower verifier
• bigger proofs
• faster verifier

3 pairings (3ms)

• smaller proofs

3 group elts (128 bytes)

[BCGTV15]

ceremony

FFT MEXP FFT

deployed today

17

Frontiers

Authenticated Inputs

18

Authenticated Inputs

18

x

Authenticated Inputs

18

Hash

h

x

Authenticated Inputs

18

Setup C

pkC vkC

Hash

h

x

Authenticated Inputs

18

P

Setup C

pkC vkC

Hash

h

x

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h

Authenticated Inputs

18

P

V Setup C

pkC vkC

Hash

h

x

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h

Authenticated Inputs

18

P

V Setup C D Setup

pkC vkC pkD vkD

Hash

h

x

P

V

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h Given public D,h ∃ secret x,w s.t. D(x,w)=0 & Hash(x)=h

Authenticated Inputs

18

P

V Setup C D Setup

pkC vkC pkD vkD

Hash

h

x

P

V

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h Given public D,h ∃ secret x,w s.t. D(x,w)=0 & Hash(x)=h

• generic uses of ZK-SNARKs are expensive

Authenticated Inputs

18

P

V Setup C D Setup

pkC vkC pkD vkD

Hash

h

x

P

V

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h Given public D,h ∃ secret x,w s.t. D(x,w)=0 & Hash(x)=h

• generic uses of ZK-SNARKs are expensive
• better: co-design Hash and SNARK [FFGKOP CCS '16]

Authenticated Inputs

18

P

V Setup C D Setup

pkC vkC pkD vkD

Hash

h

x

P

V

Given public C,h ∃ secret x,w s.t. C(x,w)=0 & Hash(x)=h Given public D,h ∃ secret x,w s.t. D(x,w)=0 & Hash(x)=h

• generic uses of ZK-SNARKs are expensive
• better: co-design Hash and SNARK [FFGKOP CCS '16]
• open: preserve ZK?

Post-Quantum Security

19

Post-Quantum Security

19

PCP

P P

V

RO

Post-Quantum Security

19

PCP

P P

V

RO

Looks solid.

Post-Quantum Security

19

Linear PCP

P

Q

D

h~ ↵, ·i

PCP

P P

V

RO

P

V Setup

pk vk

Looks solid.

Post-Quantum Security

19

Linear PCP

P

Q

D

h~ ↵, ·i

PCP

P P

V

RO

P

V Setup

pk vk

Looks solid.

Based on hardness of DLOG in EC groups.

☹

Post-Quantum Security

19

Linear PCP

P

Q

D

h~ ↵, ·i

PCP

P P

V

RO

P

V Setup

pk vk

Looks solid.

[BISW EUROCRYPT '17] Based on hardness of DLOG in EC groups.

☹

P

V Setup

pk vk

Post-Quantum Security

19

Linear PCP

P

Q

D

h~ ↵, ·i

PCP

P P

V

RO

P

V Setup

pk vk

Looks solid.

[BISW EUROCRYPT '17] Based on hardness of DLOG in EC groups. Lattice-based privately-verifiable ZK-SNARK

☹

P

V Setup

pk vk

Post-Quantum Security

19

Linear PCP

P

Q

D

h~ ↵, ·i

PCP

P P

V

RO

P

V Setup

pk vk

Looks solid.

[BISW EUROCRYPT '17] Based on hardness of DLOG in EC groups. Lattice-based privately-verifiable ZK-SNARK

☹

OPEN: public?

P

V Setup

pk vk

PCP-Based ZK-SNARKs

20

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

succinct ✓

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

succinct non-interactive ✓ ✓

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

succinct non-interactive no setup ✓ ✓ ✓

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

succinct non-interactive no setup post-quantum secure ✓ ✓ ✓ ✓

PCP-Based ZK-SNARKs

20

PCP

P

ZK-SNARK

P

V

RO

succinct non-interactive no setup post-quantum secure terrible concrete efficiency ✓ ✓ ✓ ✓

😮

Interactive Oracle Proofs

21

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

Interactive Oracle Proofs

21

P

Q D

[BCS16][RRR16]

The verifier can simultaneously leverage randomness, interaction, and probabilistic checking.

ZK-SNARKs From IOPs

22

ZK-SNARKs From IOPs

22

Probabilistically Checkable Proof

P P

V

RO [ M i c a l i 9 4 ]

Zero Knowledge SNARK

ZK-SNARKs From IOPs

22

Probabilistically Checkable Proof

P P

V

RO

Interactive Oracle Proof

P

[ M i c a l i 9 4 ] [ B C S 1 6 ]

Zero Knowledge SNARK

ZK-SNARKs From IOPs

22

Probabilistically Checkable Proof

P P

V

RO

Interactive Oracle Proof

P

[ M i c a l i 9 4 ] [ B C S 1 6 ]

Q: any efficiency gains?

Zero Knowledge SNARK

IOPs are more efficient than PCPs

23

IOPs are more efficient than PCPs

23

P P

IOPs are more efficient than PCPs

23

P P

best proof length without ZK

IOPs are more efficient than PCPs

23

P P

best proof length without ZK quasilinear

[BS08][Din07]

IOPs are more efficient than PCPs

23

P P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

IOPs are more efficient than PCPs

23

P P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK

IOPs are more efficient than PCPs

23

P P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK polynomial

[KPT97]

IOPs are more efficient than PCPs

23

P P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK polynomial

[KPT97]

quasilinear

[BCGV16]

IOPs are more efficient than PCPs

23

P

cheaper ZK… [BCFGRS16][BCFS17]

P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK polynomial

[KPT97]

quasilinear

[BCGV16]

IOPs are more efficient than PCPs

23

P

cheaper ZK… [BCFGRS16][BCFS17]

P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK polynomial

[KPT97]

quasilinear

[BCGV16]

Encouraging progress, and it already improved working prototypes.

IOPs are more efficient than PCPs

23

P

cheaper ZK… [BCFGRS16][BCFS17]

P

best proof length without ZK quasilinear

[BS08][Din07]

linear

[BCGRS16]

best proof length with ZK polynomial

[KPT97]

quasilinear

[BCGV16]

Encouraging progress, and it already improved working prototypes. Still more research is needed for practical deployment.

24

24

Cryptographic Proofs

24

Mathematics

low-degree testing additive combinatorics Fourier analysis algebraic geometry coding theory

Cryptographic Proofs

24

Mathematics Complexity Theory

low-degree testing additive combinatorics Fourier analysis algebraic geometry coding theory interactive proofs probabilistically checkable proofs zero knowledge

Cryptographic Proofs

24

Mathematics Complexity Theory Cryptography

low-degree testing additive combinatorics Fourier analysis algebraic geometry coding theory interactive proofs probabilistically checkable proofs zero knowledge function commitments linear-only encryption privacy-preserving payments

Cryptographic Proofs

24

Mathematics Complexity Theory Cryptography Security

low-degree testing additive combinatorics Fourier analysis algebraic geometry coding theory interactive proofs probabilistically checkable proofs zero knowledge function commitments linear-only encryption cryptocurrencies privacy-preserving payments

Cryptographic Proofs

25

Thanks!

I know x s.t. y=F(x) proof

26

A Simple Linear PCP

27

P

Q D

h~ ↵, ·i

Def: The language L consists of tuples (p1,…,pm) where each pi is a quadratic polynomial

• ver F in n variables such that there is an

assignment w=(w1,…,wn) such that p1(w) = … = pm(w) =0.

Theorem: The language L has a linear PCP with

• proof length (n+1)2,
• query complexity 3,
• soundness error 2/|F|.

A Simple Linear PCP

A Simple Linear PCP

• Bundling. Let r1, . . . , rm 2 F be random and ! = (!1, . . . , !n) 2 Fn.

If p1(!) = · · · = pm(!) = 0 then Pm

i=1 ripi(!) = 0 with probability 1.

If 9j 2 [m] s.t. pj(!) 6= 0 then Pm

i=1 ripi(!) = 0 with probability  1/|F|.

A Simple Linear PCP

• Bundling. Let r1, . . . , rm 2 F be random and ! = (!1, . . . , !n) 2 Fn.

If p1(!) = · · · = pm(!) = 0 then Pm

i=1 ripi(!) = 0 with probability 1.

If 9j 2 [m] s.t. pj(!) 6= 0 then Pm

i=1 ripi(!) = 0 with probability  1/|F|.

P 9 2 6 P  |

• Prover. Given an assignment ! = (!1, . . . , !n) 2 Fn, the prover writes

the linear function: ~ ↵ := B B B B B @ 1 !1 !2 . . . !n !1 !2

1

!1!2 . . . !1!n !2 !2!1 !2

2

. . . !2!n . . . . . . . . . ... . . . !n !n!1 !n!2 . . . !2

n

1 C C C C C A .

A Simple Linear PCP

• Verifier. The verifier has oracle access to some linear function

~ ↵ =        ↵0,0 ↵0,1 ↵0,2 . . . ↵0,n ↵1,0 ↵1,1 ↵1,2 . . . ↵1,n ↵2,0 ↵2,1 ↵2,2 . . . ↵2,n . . . . . . . . . ... . . . ↵n,0 ↵n,1 ↵n,2 . . . ↵n,n        . and thinks of each quadratic polynomial pi as pi =        pi,0,0 pi,0,1 pi,0,2 . . . pi,0,n pi,1,1 pi,1,2 . . . pi,1,n pi,2,2 . . . pi,2,n . . . . . . . . . ... . . . . . . pi,n,n        .

• Bundling. Let r1, . . . , rm 2 F be random and ! = (!1, . . . , !n) 2 Fn.

If p1(!) = · · · = pm(!) = 0 then Pm

i=1 ripi(!) = 0 with probability 1.

If 9j 2 [m] s.t. pj(!) 6= 0 then Pm

i=1 ripi(!) = 0 with probability  1/|F|.

P 9 2 6 P  |

• Prover. Given an assignment ! = (!1, . . . , !n) 2 Fn, the prover writes

the linear function: ~ ↵ := B B B B B @ 1 !1 !2 . . . !n !1 !2

1

!1!2 . . . !1!n !2 !2!1 !2

2

. . . !2!n . . . . . . . . . ... . . . !n !n!1 !n!2 . . . !2

n

1 C C C C C A .

A Simple Linear PCP

• Verifier. The verifier has oracle access to some linear function

~ ↵ =        ↵0,0 ↵0,1 ↵0,2 . . . ↵0,n ↵1,0 ↵1,1 ↵1,2 . . . ↵1,n ↵2,0 ↵2,1 ↵2,2 . . . ↵2,n . . . . . . . . . ... . . . ↵n,0 ↵n,1 ↵n,2 . . . ↵n,n        . and thinks of each quadratic polynomial pi as pi =        pi,0,0 pi,0,1 pi,0,2 . . . pi,0,n pi,1,1 pi,1,2 . . . pi,1,n pi,2,2 . . . pi,2,n . . . . . . . . . ... . . . . . . pi,n,n        .

Verifier (cont’d). The verifier samples r1, . . . , rm 2 F and s0, . . . , sn 2 F at random and then generates three queries: ~ q1 := Pm

i=1 ripi;

~ q2 := (s0, s1, . . . , sn) ⌦ (1, 0, . . . , 0); ~ q3 := (s0, s1, . . . , sn) ⌦ (s0, s1, . . . , sn). Upon receiving answers a1 := h~ ↵, ~ q1i, a2 := h~ ↵, ~ q2i, a3 := h~ ↵, ~ q3i, check that a1 = 0 and a2

2 = a3 .

• Bundling. Let r1, . . . , rm 2 F be random and ! = (!1, . . . , !n) 2 Fn.

If p1(!) = · · · = pm(!) = 0 then Pm

i=1 ripi(!) = 0 with probability 1.

If 9j 2 [m] s.t. pj(!) 6= 0 then Pm

i=1 ripi(!) = 0 with probability  1/|F|.

P 9 2 6 P  |

• Prover. Given an assignment ! = (!1, . . . , !n) 2 Fn, the prover writes

the linear function: ~ ↵ := B B B B B @ 1 !1 !2 . . . !n !1 !2

1

!1!2 . . . !1!n !2 !2!1 !2

2

. . . !2!n . . . . . . . . . ... . . . !n !n!1 !n!2 . . . !2

n

1 C C C C C A .

A Simple Linear PCP

• Verifier. The verifier has oracle access to some linear function

~ ↵ =        ↵0,0 ↵0,1 ↵0,2 . . . ↵0,n ↵1,0 ↵1,1 ↵1,2 . . . ↵1,n ↵2,0 ↵2,1 ↵2,2 . . . ↵2,n . . . . . . . . . ... . . . ↵n,0 ↵n,1 ↵n,2 . . . ↵n,n        . and thinks of each quadratic polynomial pi as pi =        pi,0,0 pi,0,1 pi,0,2 . . . pi,0,n pi,1,1 pi,1,2 . . . pi,1,n pi,2,2 . . . pi,2,n . . . . . . . . . ... . . . . . . pi,n,n        .

Verifier (cont’d). The verifier samples r1, . . . , rm 2 F and s0, . . . , sn 2 F at random and then generates three queries: ~ q1 := Pm

i=1 ripi;

~ q2 := (s0, s1, . . . , sn) ⌦ (1, 0, . . . , 0); ~ q3 := (s0, s1, . . . , sn) ⌦ (s0, s1, . . . , sn). Upon receiving answers a1 := h~ ↵, ~ q1i, a2 := h~ ↵, ~ q2i, a3 := h~ ↵, ~ q3i, check that a1 = 0 and a2

2 = a3 .

• Bundling. Let r1, . . . , rm 2 F be random and ! = (!1, . . . , !n) 2 Fn.

If p1(!) = · · · = pm(!) = 0 then Pm

i=1 ripi(!) = 0 with probability 1.

If 9j 2 [m] s.t. pj(!) 6= 0 then Pm

i=1 ripi(!) = 0 with probability  1/|F|.

P 9 2 6 P  |

• Prover. Given an assignment ! = (!1, . . . , !n) 2 Fn, the prover writes

the linear function: ~ ↵ := B B B B B @ 1 !1 !2 . . . !n !1 !2

1

!1!2 . . . !1!n !2 !2!1 !2

2

. . . !2!n . . . . . . . . . ... . . . !n !n!1 !n!2 . . . !2

n

1 C C C C C A .

29