Zero Knowledge Protocols from Succinct Constraint Detection

Ben–Sasson, Eli; Chiesa, Alessandro; Forbes, Michael A.; Gabizon, Ariel; Riabzev, Michael; Spooner, Nicholas

doi:10.1007/978-3-319-70503-3_6

Cited by 16 publications

(41 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1 BCFGRS17], we prove lower bounds on algebraic query complexity of polynomial summation (Lemma 10.1). This allows us to construct the perfectly-hiding statistically-binding algebraic commitment scheme that underlies our strong perfect zero knowledge sumcheck protocol (Theorem 11.5, which also relies on the weak zero knowledge sumcheck protocol in [BCFGRS17]), and in turn, prove that there exists a perfect zero knowledge low-degree IPCP for any language in NEXP (Theorem 12.2). Finally, we show a lemma that lifts low-degree IPCPs to MIP * protocols (Lemma 8.1), while preserving zero knowledge, and use it to derive our main result (Theorem 1); namely, a perfect zero knowledge low-degree MIP * for any language in NEXP.…”

Section: Roadmapmentioning

confidence: 99%

“…, c i ∈ F chosen by the verifier, which could reveal additional information about Q. Instead, the prover and verifier run on this claim the IPCP for sumcheck of [BCFGRS17], whose "weak" zero knowledge guarantee ensures that this cannot happen. (Thus, in addition to the commitment, the honest prover also sends the evaluation of a random low-degree polynomial as required by the IPCP for sumcheck of [BCFGRS17].…”

Section: Algebraic Commitments From Algebraic Query Complexity Lower mentioning

confidence: 99%

“…Zero knowledge. We consider the standard notion of (perfect) zero knowledge for IPCPs [GIMS10;BCFGRS17]. Let A, B be algorithms and x, y strings.…”

Section: Low-degree Interactive Pcpsmentioning

confidence: 99%

“…The purpose of this part is to show that there exists a perfect zero knowledge low-degree IPCP for any language in NEXP, which is the remaining step in our construction of perfect zero knowledge MIP * protocols for NEXP (as discussed in Section 9). To this end we build on advances in algebraic zero knowledge [BCFGRS17] and ideas from algebraic complexity theory, and we develop new techniques for obtaining algebraic zero knowledge.…”

Section: Low-degree Ipcp With Zero Knowledgementioning

confidence: 99%

“…More precisely, the sampling algorithm runs in time that is only poly(log |F|, m, d, |H|, ℓ), which is much faster than the trivial running time of Ω(d m ) achieved by sampling R explicitly. This "succinct" sampling follows from the notion of succinct constraint detection studied in [BCFGRS17] for the case of partial sums of low-degree polynomials.…”

Section: Sampling Partial Sums Of Random Low-degree Polynomialsmentioning

confidence: 99%

See 4 more Smart Citations

Spatial Isolation Implies Zero Knowledge Even in a Quantum World

Chiesa

Forbes

Gur

et al. 2018

2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS)

Self Cite

View full text Add to dashboard Cite

Zero knowledge plays a central role in cryptography and complexity. The seminal work of Ben-Or et al. (STOC 1988) shows that zero knowledge can be achieved unconditionally for any language in NEXP, as long as one is willing to make a suitable physical assumption: if the provers are spatially isolated, then they can be assumed to be playing independent strategies.Quantum mechanics, however, tells us that this assumption is unrealistic, because spatially-isolated provers could share a quantum entangled state and realize a non-local correlated strategy. The MIP * model captures this setting.In this work we study the following question: does spatial isolation still suffice to unconditionally achieve zero knowledge even in the presence of quantum entanglement?We answer this question in the affirmative: we prove that every language in NEXP has a 2-prover zero knowledge interactive proof that is sound against entangled provers; that is, NEXP ⊆ ZK-MIP * .Our proof consists of constructing a zero knowledge interactive PCP with a strong algebraic structure, and then lifting it to the MIP * model. This lifting relies on a new framework that builds on recent advances in low-degree testing against entangled strategies, and clearly separates classical and quantum tools.Our main technical contribution is the development of new algebraic techniques for obtaining unconditional zero knowledge; this includes a zero knowledge variant of the celebrated sumcheck protocol, a key building block in many probabilistic proof systems. A core component of our sumcheck protocol is a new algebraic commitment scheme, whose analysis relies on algebraic complexity theory. Keywords: zero knowledge; multi-prover interactive proofs; quantum entangled strategies; interactive PCPs; sumcheck protocol; algebraic complexity † This work was supported in part by the UC Berkeley Center for Long-Term Cybersecurity. A part of the earlier technical report [CFS17] was merged with this work. ContentsClaim 6.1 (Approximate consistency to trace distance [Vid11; Vid16]). Let |Ψ be a permutation-invariant entangled state on r ≥ 2 registers, and let {A z }, {B z } be single-register measurements with outcomes in the same set. Then, z A In the rest of this section we prove Lemma 8.1. Specifically, in Section 8.1 we begin with a classical preprocessing step (a query reduction); in Section 8.2 we present our transformation; in Section 8.3 we prove soundness against entangled provers; and in Section 8.4 we prove preservation of zero knowledge. The conceptual contribution of Lemma 8.1 is that it provides an abstraction of techniques in [IV12; Vid16].Remark 8.2 (on preserving round complexity). If we do not wish to preserve zero knowledge, then the round complexity of the MIP * that is obtained in Lemma 8.1 can be reduced by 1 (see discussion at the end of Section 8.2). In addition, if the original low-degree IPCP makes a single, uniformly distributed query to its PCP oracle, then the preprocessing step is not required, and we can save an additional round. In particular,...

show abstract

Section: Roadmapmentioning

confidence: 99%

Section: Algebraic Commitments From Algebraic Query Complexity Lower mentioning

confidence: 99%

“…Zero knowledge. We consider the standard notion of (perfect) zero knowledge for IPCPs [GIMS10;BCFGRS17]. Let A, B be algorithms and x, y strings.…”

Section: Low-degree Interactive Pcpsmentioning

confidence: 99%

Section: Low-degree Ipcp With Zero Knowledgementioning

confidence: 99%

Section: Sampling Partial Sums Of Random Low-degree Polynomialsmentioning

confidence: 99%