
Proofs, Arguments, and Zero-Knowledge¹
Justin Thaler²
August 17, 2021

¹ This manuscript is not in final form. It is being made publicly available in conjunction with the Fall 2020 offering of COSC 544 at Georgetown University, and will be updated regularly over the course of the semester and beyond. Feedback is welcome. The most recent version of the manuscript is available at: http://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.html.

² Georgetown University. Supported by NSF CAREER award CCF-1845125 and by DARPA under Agreement No. HR00112020022. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the United States Government or DARPA.

Abstract

Interactive proofs (IPs) and arguments are cryptographic protocols that enable an untrusted prover to provide a guarantee that it performed a requested computation correctly. Introduced in the 1980s, IPs and arguments represented a major conceptual expansion of what constitutes a “proof” that a statement is true. Traditionally, a proof is a static object that can be easily checked step-by-step for correctness. In contrast, IPs allow for interaction between prover and verifier, as well as a tiny but nonzero probability that an incorrect proof passes verification. Arguments (but not IPs) even permit there to be “proofs” of incorrect statements, so long as those “proofs” require exorbitant computational power to find. To an extent, these notions mimic in-person interactions that mathematicians use to convince each other that a claim is true, without going through the painstaking process of writing out and checking a traditional static proof. Celebrated theoretical results from the 1980s and 1990s such as IP = PSPACE and MIP = NEXP showed that, in principle, surprisingly complicated statements can be verified efficiently. What is more, any argument can in principle be transformed into one that is zero-knowledge, which means that proofs reveal no information other than their own validity. Zero-knowledge arguments have a myriad of applications in cryptography.

Within the last decade, general-purpose zero-knowledge arguments have made the jump from theory to practice. This has opened new doors in the design of cryptographic systems, and generated additional insights into the power of IPs and arguments (zero-knowledge or otherwise). There are now no fewer than five promising approaches to designing efficient, general-purpose zero-knowledge arguments. This survey covers these approaches in a unified manner, emphasizing commonalities between them.

Preface and Acknowledgements

This manuscript began as a set of lecture notes accompanying the Fourteenth Bellairs’ Crypto-Workshop in 2015. I am indebted to Claude Crépeau and Gilles Brassard for their warm hospitality in organizing the workshop, and to all of the workshop participants for their generosity, patience, and enthusiasm. The notes were further expanded during the Fall 2017 offering of COSC 544 at Georgetown University, and benefited from comments provided by students in the course.

The knowledge and feedback of a number of people heavily influenced the development of this manuscript, including Sebastian Angel, Srinath Setty, abhi shelat, Michael Walfish, and Riad Wahby. I owe a special thanks to Riad for his patient explanations of many cryptographic tools covered in this survey, and his willingness to journey to the end of any rabbit hole he encounters. There are many fewer errors in this manuscript because of Riad’s help; any that remain are entirely my own.

A major benefit of taking 5 years (and counting) to complete this manuscript is the many exciting developments that can now be included. This survey would have looked very different had it been completed in 2015, or even in 2018 (perhaps 1/3 of the content covered did not exist 5 years ago). During this period, the various approaches to the design of zero-knowledge arguments, and the relationships between them, have come into finer focus. Yet owing to the sheer volume of research papers, it is increasingly challenging for those first entering the area to extract a clear picture from the literature itself.

Will the next 5-10 years bring a similar flood of developments? Will this be enough to render general-purpose arguments efficient enough for routine deployment in diverse cryptographic systems? It is my hope that this survey will make this exciting and beautiful area slightly more accessible, and thereby play some role in ensuring that the answer to both questions is “yes.”

Washington D.C., August 2020

Contents

1 Introduction ... 6
1.1 Mathematical Proofs ... 9
1.2 What kinds of non-traditional proofs will we study? ... 9
2 The Power of Randomness: Fingerprinting and Freivalds’ Algorithm ... 12
2.1 Reed-Solomon Fingerprinting ... 12
2.2 Freivalds’ Algorithm ... 15
3 Definitions and Technical Preliminaries ... 17
3.1 Interactive Proofs ... 17
3.2 Argument Systems ... 18
3.3 Robustness of Definitions and the Power of Interaction ... 19
3.4 Schwartz-Zippel Lemma ... 21
3.5 Low Degree and Multilinear Extensions ... 22
3.6 Exercises ... 25
4 Interactive Proofs ... 26
4.1 The Sum-Check Protocol ... 26
4.2 First Application of Sum-Check: #SAT ∈ IP ... 31
4.3 Second Application: A Simple IP for Counting Triangles in Graphs ... 33
4.4 Third Application: Super-Efficient IP for MATMULT ... 35
4.5 Applications of the Super-Efficient MATMULT IP ... 41
4.6 The GKR Protocol and Its Efficient Implementation ... 46
4.7 Publicly Verifiable, Non-interactive Argument via Fiat-Shamir ... 59
4.8 Exercises ... 65
5 Front Ends: Turning Computer Programs Into Circuits ... 69
5.1 Introduction ... 69
5.2 Machine Code ... 70
5.3 A First Technique For Turning Programs Into Circuits [Sketch] ... 71
5.4 Turning Small-Space Programs Into Shallow Circuits ... 72
5.5 Turning Computer Programs Into Circuit Satisfiability Instances ... 73
5.6 Alternative Transformations and Optimizations ... 79
5.7 Exercises ... 87
6 A First Succinct Argument for Circuit Satisfiability, from Interactive Proofs ... 89
6.1 A Naive Approach: An IP for Circuit Satisfiability ... 89
6.2 Succinct Arguments for Circuit Satisfiability ... 89
6.3 A First Succinct Argument for Circuit Satisfiability ... 90
7 MIPs and Succinct Arguments ... 98
7.1 MIPs: Definitions and Basic Results ... 98
7.2 An Efficient MIP For Circuit Satisfiability ... 100
7.3 A Succinct Argument for Deep Circuits ... 107
7.4 Preview: A General Paradigm for the Design of Succinct Arguments ... 107
7.5 Extension from Circuit-SAT to R1CS-SAT ... 108
7.6 MIP = NEXP ... 111
8 PCPs and Succinct Arguments ... 113
8.1 PCPs: Definitions and Relationship to MIPs ... 113
8.2 Compiling a PCP Into a Succinct Argument ... 114
8.3 A First Polynomial Length PCP, From a MIP ... 117
8.4 A PCP of Quasilinear Length for Arithmetic Circuit Satisfiability ... 119
9 Interactive Oracle Proofs ... 125
9.1 IOPs: Definition and Relation to IPs and PCPs ... 125
9.2 Background on FRI ... 126
9.3 An IOP for R1CS-SAT ... 128
9.4 Details of FRI: Better Reed-Solomon Proximity Proofs via Interaction ... 134
9.5 From Reed-Solomon Testing to Multilinear Polynomial Commitments ... 138
9.6 An Alternative IOP-Based Polynomial Commitment: Ligero ... 139
10 Zero-Knowledge Proofs and Arguments ... 144
10.1 What is Zero-Knowledge? ... 144
10.2 The Limits of Statistical Zero Knowledge Proofs ... 147
10.3 Honest-Verifier SZK Protocol for Graph Non-Isomorphism ... 147
11 Σ-Protocols and Commitments from Hardness of Discrete Logarithm ... 150
11.1 Cryptographic Background ... 150
11.2 Schnorr’s Σ-Protocol for Knowledge of Discrete Logarithms ... 152
11.3 A Homomorphic Commitment Scheme ... 158
12 Zero-Knowledge for Circuit Satisfiability Via Commit-And-Prove ... 167
12.1 Proof Length of Witness Size Plus Multiplicative Complexity ... 168
12.2 Avoiding Linear Dependence on Multiplicative Complexity: zk-Arguments from IPs ... 170
12.3 Zero-Knowledge via Masking Polynomials ... 172
13 Polynomial Commitment Schemes from Discrete Logarithm or Pairings ... 177
13.1 Polynomial Commitments from Hardness of Discrete Logarithm ... 177
13.2 Polynomial Commitments from Pairings and a Trusted Setup ... 191
13.3 Commitment Scheme for Sparse Polynomials ... 200
13.4 Polynomial Commitment Schemes: Pros and Cons ... 202
13.5 Additional Approaches ... 204
14 Linear PCPs and Succinct Arguments ... 205
14.1 Overview: Interactive Arguments From “Long”, Structured PCPs ... 205
14.2 Committing to a Linear PCP without Materializing It ... 206
14.3 A First Linear PCP for Arithmetic Circuit Satisfiability ... 208
14.4 GGPR: A Linear PCP Of Size O(|F|^S) for Arithmetic Circuit-SAT ... 211
14.5 Non-Interactivity and Public Verifiability ... 214
15 Bird’s Eye View of Practical Arguments ... 221
15.1 A Taxonomy of SNARKs ... 221
15.2 Pros and Cons of the Approaches ... 223
15.3 Other Issues Affecting Concrete Efficiency ... 226

Chapter 1

Introduction

This manuscript is about verifiable computing (VC). VC refers to cryptographic protocols called interactive proofs (IPs) and arguments that enable a prover to provide a guarantee to a verifier that the prover performed a requested computation correctly. Introduced in the 1980s, IPs and arguments represented a major conceptual expansion of what constitutes a “proof” that a statement is true. Traditionally, a proof is a static object that can be easily checked step-by-step for correctness, because each individual step of the proof should be trivial to verify. In contrast, IPs allow for interaction between prover and verifier, as well as a tiny but nonzero probability that an incorrect proof passes verification. The difference between IPs and arguments is that arguments (but not IPs) permit the existence of “proofs” of incorrect statements, so long as those “proofs” require exorbitant computational power to find. Celebrated theoretical results from the mid-1980s and early 1990s indicated that VC protocols can, at least in principle, accomplish amazing feats.
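The definition above (a verifier that does less work than redoing the computation, yet accepts a false claim only with tiny but nonzero probability) can be made concrete with the smallest VC protocol in the contents, the randomized matrix-product check listed as Freivalds’ Algorithm (Section 2.2). The Python below is an added example, not code from the manuscript: an untrusted prover hands the verifier a claimed product C = A·B over a prime field F_p, and the verifier, instead of recomputing the O(n³) product, picks a random vector r and checks A(Br) = Cr with O(n²) work. The matrices, the choice of prime, and all function names are this example’s own assumptions. Because a single round lets a wrong C slip through with probability at most 1/p, the code also enumerates every r for a tiny field to show that soundness error exactly.

```python
"""Added example: a verifier accepting a prover's claim C == A*B over F_p
with Freivalds-style random checks. Not the manuscript's own code."""
import itertools
import random

# Assumed field: a large Mersenne prime; any prime works for the checks below.
DEFAULT_P = 2**61 - 1


def matmul(A, B, p=DEFAULT_P):
    """Honest O(n^3) product over F_p: the work the verifier wants to avoid."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]


def matvec(M, v, p=DEFAULT_P):
    """O(n^2) matrix-vector product over F_p."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) % p for i in range(len(M))]


def freivalds_round(A, B, C, r, p=DEFAULT_P):
    """One round: accept iff A*(B*r) == C*r.
    If C != A*B, then D = A*B - C has a nonzero row d, and d.r == 0 for exactly
    one value of some coordinate of r, so a uniform r passes with prob <= 1/p."""
    return matvec(A, matvec(B, r, p), p) == matvec(C, r, p)


def verify_product(A, B, C, rounds=10, p=DEFAULT_P, seed=None):
    """Verifier: `rounds` independent random challenges; a false C survives
    all of them with probability at most p**(-rounds). Never recomputes A*B."""
    rng = random.Random(seed)
    n = len(A)
    for _ in range(rounds):
        r = [rng.randrange(p) for _ in range(n)]
        if not freivalds_round(A, B, C, r, p):
            return False
    return True


def exact_false_accept_fraction(A, B, C_claimed, p):
    """Enumerate all r in F_p^n and count accepting challenges, giving the
    exact one-round acceptance probability as (accepted, total).
    Only feasible for tiny p and n; used here to exhibit the soundness error."""
    n = len(A)
    accepted = sum(freivalds_round(A, B, C_claimed, list(r), p)
                   for r in itertools.product(range(p), repeat=n))
    return accepted, p ** n


if __name__ == "__main__":
    # Constructed sample inputs (assumed, not from the manuscript).
    A = [[1, 2], [3, 4]]
    B = [[5, 6], [7, 8]]
    honest_C = matmul(A, B)
    cheating_C = [row[:] for row in honest_C]
    cheating_C[1][1] = (cheating_C[1][1] + 1) % DEFAULT_P  # one corrupted entry
    print("honest prover accepted:", verify_product(A, B, honest_C, seed=0))
    print("cheating prover accepted:", verify_product(A, B, cheating_C, seed=0))
    # Over the tiny field F_7 the cheater wins exactly 1/7 of single rounds.
    small_C = matmul(A, B, p=7)
    small_bad = [row[:] for row in small_C]
    small_bad[1][1] = (small_bad[1][1] + 1) % 7
    print("one-round false accepts over F_7:", exact_false_accept_fraction(A, B, small_bad, 7))
```

The point to take from running it is the asymmetry the chapter describes: the verifier never forms A·B, yet a corrupted entry is caught with probability 1 − 1/p per round, and repeating the challenge drives that error down geometrically. This is the statistical (IP-style) soundness of Chapter 1; the computational soundness of arguments is a separate relaxation that this check does not model.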