Ligerolight: Optimized IOP-Based Zero-Knowledge Argument for Blockchain Scalability

Zero-knowledge scalable transparent arguments of knowledge (zk-STARKs) are a promising approach to solving the blockchain scalability problem while maintaining security, decentralization and privacy. However, compared with zero-knowledge proofs with trusted setups deployed in existing scalability solutions, zk-STARKs are usually less efficient. In this paper, we introduce Ligerolight, an optimized zk-STARK for the arithmetic circuit satisfiability problem following the framework of Ligero (ACM CCS 2017) and Aurora (Eurocrypt 2019) based on interactive oracle proof, which could be used for blockchain scalability. Evaluations show that Ligerolight has performance advantages compared with existing zk-STARKs. The prover time is 30% faster than Aurora to generate proof for computing an authentication path of a Merkle tree with 32 leaves. The proof size is about 131 KB, one-tenth of Ligero and 50% smaller than Aurora. The verifier time is 2 times as fast as Aurora. Underlying Ligerolight is a new batch zero-knowledge inner product argument, allowing to prove multiple inner product relations once. Using this argument, we build a batch multivariate polynomial commitment with poly-logarithmic communication complexity and verification. This polynomial commitment is particularly efficient when opening multiple points in multiple polynomials at one time, and may be of independent interest in constructing scalability solutions.