Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits

Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth, Vadim Lyubashevsky

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

36 Scopus citations


We propose the first zero-knowledge argument with sub-linear communication complexity for arithmetic circuit satisfiability over a prime (formula presented) whose security is based on the hardness of the short integer solution (SIS) problem. For a circuit with (FORMULA PRESENTED) gates, the communication complexity of our protocol is (formula presented), where (formula presented) is the security parameter. A key component of our construction is a surprisingly simple zero-knowledge proof for pre-images of linear relations whose amortized communication complexity depends only logarithmically on the number of relations being proved. This latter protocol is a substantial improvement, both theoretically and in practice, over the previous results in this line of research of Damgård et al. (CRYPTO 2012), Baum et al. (CRYPTO 2016), Cramer et al. (EUROCRYPT 2017) and del Pino and Lyubashevsky (CRYPTO 2017), and we believe it to be of independent interest.

Original language: English
Title of host publication: Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings
Editors: Alexandra Boldyreva, Hovav Shacham
Publisher: Springer Verlag
Number of pages: 31
ISBN (Print): 9783319968803
State: Published - 2018
Event: 38th Annual International Cryptology Conference, CRYPTO 2018 - Santa Barbara, United States
Duration: 19 Aug 2018 – 23 Aug 2018

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10992 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 38th Annual International Cryptology Conference, CRYPTO 2018
Country/Territory: United States
City: Santa Barbara

Bibliographical note

Publisher Copyright:
© 2018, International Association for Cryptologic Research.


  • Arithmetic circuit
  • SIS assumption
  • Sigma-protocol
  • Zero-knowledge argument

