Streaming Zero-Knowledge Proofs

Graham Cormode, Marcel Dall'Agnol, Tom Gur, Chris Hickey

TL;DR

The notion of zero-knowledge in the streaming setting is defined and zero-knowledge SIPs for the two main algorithmic building blocks in the streaming interactive proofs literature are constructed: the sumcheck and polynomial evaluation protocols.

Abstract

Streaming interactive proofs (SIPs) enable a space-bounded algorithm with one-pass access to a massive stream of data to verify a computation that requires large space, by communicating with a powerful but untrusted prover. This work initiates the study of zero-knowledge proofs for data streams. We define the notion of zero-knowledge in the streaming setting and construct zero-knowledge SIPs for the two main algorithmic building blocks in the streaming interactive proofs literature: the sumcheck and polynomial evaluation protocols. To the best of our knowledge, all known streaming interactive proofs are based on either of these tools, and indeed, this allows us to obtain zero-knowledge SIPs for central streaming problems such as index, point and range queries, median, frequency moments, and inner product. Our protocols are efficient in terms of time and space, as well as communication: the verifier algorithm's space complexity is $\mathrm{polylog}(n)$ and, after a non-interactive setup that uses a random string of near-linear length, the remaining parameters are $n^{o(1)}$. En route, we develop an algorithmic toolkit for designing zero-knowledge data stream protocols, consisting of an algebraic streaming commitment protocol and a temporal commitment protocol. Our analyses rely on delicate algebraic and information-theoretic arguments and reductions from average-case communication complexity.

Paper Structure (36 sections, 30 theorems, 115 equations, 3 figures, 2 algorithms)

This paper contains 36 sections, 30 theorems, 115 equations, 3 figures, 2 algorithms.

Key Result

Theorem 1.1

There exists a zkSIP for sumcheck where, for $m$-variate low-degree polynomials over $\mathbb{F}$, the verifier uses $s = O(m^2 \log |\mathbb{F}|)$ bits of space. The SIP communicates $\tilde{O}(|\mathbb{F}|^m)$ bits in its setup and $|\mathbb{F}|^{\log\log |\mathbb{F}| + O(1)}$ bits

Figures (3)

  • Figure 1: Leakage in the SIP for index via evaluation of the bivariate polynomial $\hat{x}: \mathbb{F}^2 \to \mathbb{F}$, and an (unsuccessful) attempt to prevent it.
  • Figure 2: Preventing leakage by committing to $\hat{x}_{|L}$ as an interpolating set for the polynomial. To decommit to an evaluation outside the set, the scheme must be algebraic.
  • Figure 3: Reduction from index to distinguishability of views when $\ell = 3$ and $dm = 4$. The instance $w$ is inserted into the first $2$ rows of $y$, while $y_3$ is filled in with joint randomness and $y_4$ is the solution of the linear system shown in the diagram.

Theorems & Definitions (73)

  • Theorem 1.1: \ref{thm:sumcheck-correctness}, \ref{thm:sumcheck-zk}, informally stated
  • Theorem 1.2: \ref{thm:pep-correctness}, \ref{thm:pep-zk}, informally stated
  • Theorem 1.3: \ref{thm:pv-algebraic-commitment}, informally stated
  • Theorem 1.4: \ref{thm:correct-set}, informally stated
  • Corollary 1.5: \ref{cor:index}, informally stated
  • Corollary 1.6: \ref{cor:frequency-moment}, informally stated
  • Corollary 1.7: \ref{cor:point-query}, \ref{cor:range-count}, \ref{cor:selection}, \ref{cor:inner-product}, informally stated
  • Remark 2.1: Superpolynomial to near-linear communication
  • Lemma 3.1: Additive Chernoff-Hoeffding bound
  • Lemma 3.2: Hoeffding's inequality
  • ...and 63 more