• DocumentCode
    2913789
  • Title

    Succinct Non-Interactive Zero-Knowledge Proofs with Preprocessing for LOGSNP

  • Author

    Kalai, Yael ; Raz, Ran

  • Author_Institution
    Massachusetts Inst. of Technol., Cambridge, MA
  • fYear
    2006
  • fDate
    Oct. 2006
  • Firstpage
    355
  • Lastpage
    366
  • Abstract
    Let $\Lambda : \{0,1\}^n \times \{0,1\}^m \rightarrow \{0,1\}$ be a Boolean formula of size $d$, or more generally, an arithmetic circuit of degree $d$, known to both Alice and Bob, and let $y \in \{0,1\}^m$ be an input known only to Alice. Assume that Alice and Bob interacted in the past in a preamble phase (that is, applied a preamble protocol that depends only on the parameters, and not on $\Lambda, y$). We show that Alice can (non-interactively) commit to $y$, by a message of size $\mathrm{poly}(m, \log d)$, and later on prove to Bob any $N$ statements of the form $\Lambda(x_1, y) = z_1, \ldots, \Lambda(x_N, y) = z_N$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(d, \log N)$. (Note the logarithmic dependence on $N$). We give many applications and motivations for this result. In particular, assuming that Alice and Bob applied in the past the (poly-logarithmic size) preamble protocol: 1. Given a CNF formula $\Psi(w_1, \ldots, w_m)$ of size $N$, Alice can prove the satisfiability of $\Psi$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(m)$. That is, the size of the proof depends only on the size of the witness and not on the size of the formula. 2. Given a language $L$ in the class LOGSNP and an input $x \in \{0,1\}^n$, Alice can prove the membership $x \in L$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{polylog}\, n$. 3. Alice can commit to a Boolean formula $y$ of size $m$, by a message of size $\mathrm{poly}(m)$, and later on prove to Bob any $N$ statements of the form $y(x_1) = z_1, \ldots, y(x_N) = z_N$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(m, \log N)$. Our cryptographic assumptions include the existence of a poly-logarithmic symmetric-private-information-retrieval (SPIR) scheme, as defined in (C. Cachin et al., 1999), and the existence of commitment schemes, secure against circuits of size exponential in the security parameter.
  • Keywords
    Boolean functions; computability; cryptography; information retrieval; Boolean formula; CNF formula; LOGSNP preprocessing; cryptography; noninteractive zero-knowledge proofs; poly-logarithmic symmetric-private-information-retrieval; preamble protocol; satisfiability; Arithmetic; Circuits; Computer science; Cryptography; Data preprocessing; Polynomials; Protocols; Radio access networks; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Foundations of Computer Science, 2006. FOCS '06. 47th Annual IEEE Symposium on
  • Conference_Location
    Berkeley, CA
  • ISSN
    0272-5428
  • Print_ISBN
    0-7695-2720-5
  • Type

    conf

  • DOI
    10.1109/FOCS.2006.74
  • Filename
    4031371