Batchman and Robin: Batched and Non-batched Branching for Interactive ZK

Yibin Yang; David Heath; Carmit Hazay; Vladimir Kolesnikov; Muthuramakrishnan Venkitasubramaniam

doi:10.1145/3576915.3623169

Batchman and Robin: Batched and Non-batched Branching for Interactive ZK

Yibin Yang, David Heath, Carmit Hazay, Vladimir Kolesnikov, Muthuramakrishnan Venkitasubramaniam

Bar-Ilan University - The Alexander Kofkin Faculty of Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

5 Scopus citations

Abstract

Vector Oblivious Linear Evaluation (VOLE) supports fast and scal-able interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L₁ L_B. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB+R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this proto-col's communication improves over the previous state of the art (Mac'n 'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experi-ments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.

Original language	English
Title of host publication	CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	1452-1466
Number of pages	15
ISBN (Electronic)	9798400700507
DOIs	https://doi.org/10.1145/3576915.3623169
State	Published - 15 Nov 2023
Event	30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 - Copenhagen, Denmark Duration: 26 Nov 2023 → 30 Nov 2023

Publication series

Name	CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference	30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023
Country/Territory	Denmark
City	Copenhagen
Period	26/11/23 → 30/11/23

Bibliographical note

Publisher Copyright:
© 2023 Copyright held by the owner/author(s).

Funding

This work is supported in part by Cisco research award and NSF awards CNS-2246353, CNS-2246354, and CCF-2217070. This material is also based upon work supported in part by DARPA under Contract No. HR001120C0087. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).

Funders	Funder number
National Science Foundation	CCF-2217070, CNS-2246353, CNS-2246354
Defense Advanced Research Projects Agency	HR001120C0087

Keywords

Batched Disjunctions
Disjunctions
Zero Knowledge

Access to Document

10.1145/3576915.3623169

Cite this

Yang, Y., Heath, D., Hazay, C., Kolesnikov, V., & Venkitasubramaniam, M. (2023). Batchman and Robin: Batched and Non-batched Branching for Interactive ZK. In CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 1452-1466). (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3576915.3623169

Yang, Yibin ; Heath, David ; Hazay, Carmit et al. / Batchman and Robin : Batched and Non-batched Branching for Interactive ZK. CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2023. pp. 1452-1466 (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security).

@inproceedings{7f32a6211b3f4e6abcfd73230ee4e235,

title = "Batchman and Robin: Batched and Non-batched Branching for Interactive ZK",

abstract = "Vector Oblivious Linear Evaluation (VOLE) supports fast and scal-able interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L1 LB. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB+R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this proto-col's communication improves over the previous state of the art (Mac'n 'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experi-ments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.",

keywords = "Batched Disjunctions, Disjunctions, Zero Knowledge",

author = "Yibin Yang and David Heath and Carmit Hazay and Vladimir Kolesnikov and Muthuramakrishnan Venkitasubramaniam",

note = "Publisher Copyright: {\textcopyright} 2023 Copyright held by the owner/author(s).; 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 ; Conference date: 26-11-2023 Through 30-11-2023",

year = "2023",

month = nov,

day = "15",

doi = "10.1145/3576915.3623169",

language = "אנגלית",

series = "CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "1452--1466",

booktitle = "CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security",

}

Yang, Y, Heath, D, Hazay, C, Kolesnikov, V & Venkitasubramaniam, M 2023, Batchman and Robin: Batched and Non-batched Branching for Interactive ZK. in CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 1452-1466, 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, 26/11/23. https://doi.org/10.1145/3576915.3623169

Batchman and Robin: Batched and Non-batched Branching for Interactive ZK. / Yang, Yibin; Heath, David; Hazay, Carmit et al.
CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2023. p. 1452-1466 (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Batchman and Robin

T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023

AU - Yang, Yibin

AU - Heath, David

AU - Hazay, Carmit

AU - Kolesnikov, Vladimir

AU - Venkitasubramaniam, Muthuramakrishnan

PY - 2023/11/15

Y1 - 2023/11/15

N2 - Vector Oblivious Linear Evaluation (VOLE) supports fast and scal-able interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L1 LB. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB+R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this proto-col's communication improves over the previous state of the art (Mac'n 'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experi-ments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.

AB - Vector Oblivious Linear Evaluation (VOLE) supports fast and scal-able interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L1 LB. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation. Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB+R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works' computation scales in RB|C|. For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter, this proto-col's communication improves over the previous state of the art (Mac'n 'Cheese, Baum et al., CRYPTO'21) by up to factor. Our implementation outperforms prior state of the art. E.g., we achieve up to 6× improvement over Mac'n'Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experi-ments show we improve over QuickSilver (Yang et al., CCS'21) by up to 70× and over AntMan (Weng et al., CCS'22) by up to 36×.

KW - Batched Disjunctions

KW - Disjunctions

KW - Zero Knowledge

UR - http://www.scopus.com/inward/record.url?scp=85179838430&partnerID=8YFLogxK

U2 - 10.1145/3576915.3623169

DO - 10.1145/3576915.3623169

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85179838430

T3 - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

SP - 1452

EP - 1466

BT - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

Y2 - 26 November 2023 through 30 November 2023

ER -

Yang Y, Heath D, Hazay C, Kolesnikov V, Venkitasubramaniam M. Batchman and Robin: Batched and Non-batched Branching for Interactive ZK. In CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2023. p. 1452-1466. (CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security). doi: 10.1145/3576915.3623169

Batchman and Robin: Batched and Non-batched Branching for Interactive ZK

Abstract

Publication series

Conference

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this