Nova: recursive zero-knowledge arguments from folding schemes. (English) Zbl 1517.94119
Dodis, Yevgeniy (ed.) et al., Advances in cryptology – CRYPTO 2022. 42nd annual international cryptology conference, CRYPTO 2022, Santa Barbara, CA, USA, August 15–18, 2022. Proceedings. Part IV. Cham: Springer. Lect. Notes Comput. Sci. 13510, 359-388 (2022).
Summary: We introduce a new approach to realize incrementally verifiable computation (IVC), in which the prover recursively proves the correct execution of incremental computations of the form \(y=F^{(\ell)}(x)\), where \(F\) is a (potentially non-deterministic) computation, \(x\) is the input, \(y\) is the output, and \(\ell > 0\). Unlike prior approaches to realize IVC, our approach avoids succinct non-interactive arguments of knowledge (SNARKs) entirely and arguments of knowledge in general. Instead, we introduce and employ folding schemes, a weaker, simpler, and more efficiently realizable primitive, which reduces the task of checking two instances in some relation to the task of checking a single instance. We construct a folding scheme for a characterization of NP and show that it implies an IVC scheme with improved efficiency characteristics: (1) the “recursion overhead” (i.e., the number of steps that the prover proves in addition to proving the execution of \(F\)) is a constant and it is dominated by two group scalar multiplications expressed as a circuit (this is the smallest recursion overhead in the literature), and (2) the prover’s work at each step is dominated by two multiexponentiations of size \(O(|F|)\), providing the fastest prover in the literature. The size of a proof is \(O(|F|)\) group elements, but we show that using a variant of an existing zkSNARK, the prover can prove the knowledge of a valid proof succinctly and in zero-knowledge with \(O(\log{|F|})\) group elements. Finally, our approach neither requires a trusted setup nor FFTs, so it can be instantiated efficiently with any cycles of elliptic curves where DLOG is hard.
For the entire collection see [Zbl 1514.94004].
For the entire collection see [Zbl 1514.94004].
MSC:
| 94A60 | Cryptography |
References:
| [1] | bellperson. https://github.com/filecoin-project/bellperson |
| [2] | neptune. https://github.com/filecoin-project/neptune |
| [3] | Nova: Recursive SNARKs without trusted setup. https://github.com/Microsoft/Nova |
| [4] | Pasta curves. https://github.com/zcash/pasta |
| [5] | Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive Oracle Proofs. In: TCC (2016) · Zbl 1397.94048 |
| [6] | Ben-Sasson, E.; Chiesa, A.; Tromer, E.; Virza, M.; Garay, JA; Gennaro, R., Scalable zero knowledge via cycles of elliptic curves, Advances in Cryptology - CRYPTO 2014, 276-294 (2014), Heidelberg: Springer, Heidelberg · Zbl 1334.68077 · doi:10.1007/978-3-662-44381-1_16 |
| [7] | Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS (2012) · Zbl 1347.68129 |
| [8] | Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC (2013) · Zbl 1293.68264 |
| [9] | Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018) · Zbl 1444.94046 |
| [10] | Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo infinite: recursive zk-SNARKs from any additive polynomial commitment scheme. Cryptology ePrint Archive, Report 2020/1536 (2020) |
| [11] | Bootle, J.; Cerulli, A.; Chaidos, P.; Groth, J.; Petit, C.; Fischlin, M.; Coron, J-S, Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting, Advances in Cryptology - EUROCRYPT 2016, 327-357 (2016), Heidelberg: Springer, Heidelberg · Zbl 1369.94520 · doi:10.1007/978-3-662-49896-5_12 |
| [12] | Bowe, S., Grigg, J., Hopwood, D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019) |
| [13] | Bowe, S., Grigg, J., Hopwood, D.: Halo2 (2020). https://github.com/zcash/halo2 |
| [14] | Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S &P (2018) |
| [15] | Bünz, B., Chiesa, A., Lin, W., Mishra, P., Spooner, N.: Proof-carrying data without succinct arguments. Cryptology ePrint Archive, Report 2020/1618 (2020) · Zbl 1485.94066 |
| [16] | Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Proof-carrying data from accumulation schemes. In: TCC (2020) · Zbl 1485.94132 |
| [17] | Bünz, B.; Fisch, B.; Szepieniec, A.; Canteaut, A.; Ishai, Y., Transparent SNARKs from DARK compilers, Advances in Cryptology - EUROCRYPT 2020, 677-706 (2020), Cham: Springer, Cham · Zbl 1542.94111 · doi:10.1007/978-3-030-45721-1_24 |
| [18] | Bünz, B., Maller, M., Mishra, P., Vesely, N.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2019) · Zbl 1514.94052 |
| [19] | Chen, W., Chiesa, A., Dauterman, E., Ward, N.P.: Reducing participation costs via incremental verification for ledger systems. Cryptology ePrint Archive, Report 2020/1522 (2020) |
| [20] | Chiesa, A.; Hu, Y.; Maller, M.; Mishra, P.; Vesely, N.; Ward, N.; Canteaut, A.; Ishai, Y., Marlin: preprocessing zkSNARKs with universal and updatable SRS, Advances in Cryptology - EUROCRYPT 2020, 738-768 (2020), Cham: Springer, Cham · Zbl 1541.94048 · doi:10.1007/978-3-030-45721-1_26 |
| [21] | Chiesa, A.; Ojha, D.; Spooner, N.; Canteaut, A.; Ishai, Y., Fractal: post-quantum and transparent recursive proofs from holography, Advances in Cryptology - EUROCRYPT 2020, 769-793 (2020), Cham: Springer, Cham · Zbl 1539.68118 · doi:10.1007/978-3-030-45721-1_27 |
| [22] | Fiat, A.; Shamir, A.; Odlyzko, AM, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology — CRYPTO’ 86, 186-194 (1987), Heidelberg: Springer, Heidelberg · Zbl 0636.94012 · doi:10.1007/3-540-47721-7_12 |
| [23] | Gennaro, R.; Gentry, C.; Parno, B.; Raykova, M.; Johansson, T.; Nguyen, PQ, Quadratic span programs and succinct NIZKs without PCPs, Advances in Cryptology - EUROCRYPT 2013, 626-645 (2013), Heidelberg: Springer, Heidelberg · Zbl 1300.94056 · doi:10.1007/978-3-642-38348-9_37 |
| [24] | Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99-108 (2011) · Zbl 1288.94063 |
| [25] | Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC (1985) · Zbl 0900.94025 |
| [26] | Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. Cryptology ePrint Archive, Paper 2019/458 (2019) |
| [27] | Groth, J.; Fischlin, M.; Coron, J-S, On the size of pairing-based non-interactive arguments, Advances in Cryptology - EUROCRYPT 2016, 305-326 (2016), Heidelberg: Springer, Heidelberg · Zbl 1369.94539 · doi:10.1007/978-3-662-49896-5_11 |
| [28] | Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: ASIACRYPT, pp. 177-194 (2010) · Zbl 1253.94054 |
| [29] | Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC (1992) |
| [30] | Kothapalli, A., Setty, S., Tzialla, I.: Nova: recursive zero-knowledge arguments from folding schemes. Cryptology ePrint Archive, Paper 2021/370 (2021) |
| [31] | Labs, O.: Mina cryptocurrency (2020). https://minaprotocol.com |
| [32] | Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. Cryptology ePrint Archive, Report 2020/1274 (2020) · Zbl 1511.94126 |
| [33] | Lee, J., Nikitin, K., Setty, S.: Replicated state machines without replicated execution. In: S &P (2020) |
| [34] | Lee, J., Setty, S., Thaler, J., Wahby, R.: Linear-time zero-knowledge SNARKs for R1CS. Cryptology ePrint Archive, Report 2021/030 (2021) |
| [35] | Lund, C., Fortnow, L., Karloff, H., Nisan, N.: Algebraic methods for interactive proof systems. In: FOCS (October 1990) · Zbl 0799.68097 |
| [36] | Micali, S.: CS proofs. In: FOCS (1994) |
| [37] | Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: STOC, pp. 49-62 (2016) · Zbl 1373.68274 |
| [38] | Setty, S.; Micciancio, D.; Ristenpart, T., Spartan: efficient and general-purpose zkSNARKs without trusted setup, Advances in Cryptology - CRYPTO 2020, 704-737 (2020), Cham: Springer, Cham · Zbl 1504.94185 · doi:10.1007/978-3-030-56877-1_25 |
| [39] | Setty, S., Angel, S., Gupta, T., Lee, J.: Proving the correct execution of concurrent services in zero-knowledge. In: OSDI (October 2018) |
| [40] | Setty, S., Braun, B., Vu, V., Blumberg, A.J., Parno, B., Walfish, M.: Resolving the conflict between generality and plausibility in verified computation. In: EuroSys (April 2013) |
| [41] | Setty, S., Lee, J.: Quarks: quadruple-efficient transparent zkSNARKs. Cryptology ePrint Archive, Report 2020/1275 (2020) |
| [42] | Thaler, J.; Canetti, R.; Garay, JA, Time-optimal interactive proofs for circuit evaluation, Advances in Cryptology - CRYPTO 2013, 71-89 (2013), Heidelberg: Springer, Heidelberg · Zbl 1316.94093 · doi:10.1007/978-3-642-40084-1_5 |
| [43] | Valiant, P.; Canetti, R., Incrementally verifiable computation or proofs of knowledge imply time/space efficiency, Theory of Cryptography, 1-18 (2008), Heidelberg: Springer, Heidelberg · Zbl 1162.68448 · doi:10.1007/978-3-540-78524-8_1 |
| [44] | Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S &P (2018) |
| [45] | Wesolowski, B.; Ishai, Y.; Rijmen, V., Efficient verifiable delay functions, Advances in Cryptology - EUROCRYPT 2019, 379-407 (2019), Cham: Springer, Cham · Zbl 1509.94139 · doi:10.1007/978-3-030-17659-4_13 |
| [46] | Xie, T.; Zhang, J.; Zhang, Y.; Papamanthou, C.; Song, D.; Boldyreva, A.; Micciancio, D., Libra: succinct zero-knowledge proofs with optimal prover computation, Advances in Cryptology - CRYPTO 2019, 733-764 (2019), Cham: Springer, Cham · Zbl 1509.94140 · doi:10.1007/978-3-030-26954-8_24 |
| [47] | Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: S &P (2017) |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
