TY - GEN
T1 - Batch verification for statistical zero knowledge proofs
AU - Kaslasi, Inbar
AU - Rothblum, Guy N.
AU - Rothblum, Ron D.
AU - Sealfon, Adam
AU - Vasudevan, Prashant Nalini
N1 - Publisher Copyright: © International Association for Cryptologic Research 2020.
PY - 2020/12/9
Y1 - 2020/12/9
AB - A statistical zero-knowledge proof (SZK) for a problem Π enables a computationally unbounded prover to convince a polynomial-time verifier that x ∈ Π without revealing any additional information about x to the verifier, in a strong information-theoretic sense. Suppose, however, that the prover wishes to convince the verifier that k separate inputs x1, ⋯, xk all belong to Π (without revealing anything else). A naive way of doing so is to simply run the SZK protocol separately for each input. In this work we ask whether one can do better – that is, is efficient batch verification possible for SZK? We give a partial positive answer to this question by constructing a batch verification protocol for a natural and important subclass of SZK – all problems Π that have a non-interactive SZK protocol (in the common random string model). More specifically, we show that, for every such problem Π, there exists an honest-verifier SZK protocol for batch verification of k instances, with communication complexity poly(n) + k · poly(log n, log k), where poly refers to a fixed polynomial that depends only on Π (and not on k). This result should be contrasted with the naive solution, which has communication complexity k · poly(n). Our proof leverages a new NISZK-complete problem, called Approximate Injectivity, that we find to be of independent interest. The goal in this problem is to distinguish circuits that are nearly injective, from those that are non-injective on almost all inputs.
UR - http://www.scopus.com/inward/record.url?scp=85098272110&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-030-64378-2_6
DO - https://doi.org/10.1007/978-3-030-64378-2_6
M3 - Conference contribution
SN - 9783030643775
VL - 12551
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 139
EP - 167
BT - Theory of Cryptography - 18th International Conference, TCC 2020, Proceedings
A2 - Pass, Rafael
A2 - Pietrzak, Krzysztof
PB - Springer Science and Business Media Deutschland GmbH
T2 - 18th International Conference on Theory of Cryptography, TCC 2020
Y2 - 16 November 2020 through 19 November 2020
ER -