TY - GEN
T1 - Batchman and Robin
T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023
AU - Yang, Yibin
AU - Heath, David
AU - Hazay, Carmit
AU - Kolesnikov, Vladimir
AU - Venkitasubramaniam, Muthuramakrishnan
N1 - Publisher Copyright: © 2023 Copyright held by the owner/author(s).
PY - 2023/11/15
Y1 - 2023/11/15
N2 - Vector Oblivious Linear Evaluation (VOLE) supports fast and scalable interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L_1 ∨ ... ∨ L_B. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB + R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this protocol's communication improves over the previous state of the art (Mac'n'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experiments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.
AB - Vector Oblivious Linear Evaluation (VOLE) supports fast and scalable interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L_1 ∨ ... ∨ L_B. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB + R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this protocol's communication improves over the previous state of the art (Mac'n'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experiments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.
KW - Batched Disjunctions
KW - Disjunctions
KW - Zero Knowledge
UR - http://www.scopus.com/inward/record.url?scp=85179838430&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3576915.3623169
DO - https://doi.org/10.1145/3576915.3623169
M3 - Conference contribution
T3 - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
SP - 1452
EP - 1466
BT - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Y2 - 26 November 2023 through 30 November 2023
ER -