TY - GEN
T1 - Proofs for Inner Pairing Products and Applications
AU - Bünz, Benedikt
AU - Maller, Mary
AU - Mishra, Pratyush
AU - Tyagi, Nirvan
AU - Vesely, Psi
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021
Y1 - 2021
N2 - We present a generalized inner product argument and demonstrate its applications to pairing-based languages. We apply our generalized argument to prove that an inner pairing product is correctly evaluated with respect to committed vectors of n source group elements. With a structured reference string (SRS), we achieve a logarithmic-time verifier whose work is dominated by 6 log n target group exponentiations. Proofs are of size 6 log n target group elements, computed using 6n pairings and 4n exponentiations in each source group. We apply our inner product arguments to build the first polynomial commitment scheme with succinct (logarithmic) verification, O(d) prover complexity for degree d polynomials (not including the cost to evaluate the polynomial), and a SRS of size O(d). Concretely, this means that for d= 228, producing an evaluation proof in our protocol is 76 × faster than doing so in the KZG commitment scheme, and the CRS in our protocol is 1000 × smaller: 13 MB vs 13 GB for KZG. As a second application, we introduce an argument for aggregating n Groth16 zkSNARKs into an O(log n) sized proof. Our protocol is significantly faster (> 1000 × ) than aggregating SNARKs via recursive composition: we aggregate ∼ 130, 000 proofs in 25 min, versus 90 proofs via recursive composition. Finally, we further apply our aggregation protocol to construct a low-memory SNARK for machine computations that does not rely on recursive composition. For a computation that requires time T and space S, our SNARK produces proofs in space O~ (S+ T), which is significantly more space efficient than a monolithic SNARK, which requires space O~ (S· T).
AB - We present a generalized inner product argument and demonstrate its applications to pairing-based languages. We apply our generalized argument to prove that an inner pairing product is correctly evaluated with respect to committed vectors of n source group elements. With a structured reference string (SRS), we achieve a logarithmic-time verifier whose work is dominated by 6 log n target group exponentiations. Proofs are of size 6 log n target group elements, computed using 6n pairings and 4n exponentiations in each source group. We apply our inner product arguments to build the first polynomial commitment scheme with succinct (logarithmic) verification, O(d) prover complexity for degree d polynomials (not including the cost to evaluate the polynomial), and a SRS of size O(d). Concretely, this means that for d= 228, producing an evaluation proof in our protocol is 76 × faster than doing so in the KZG commitment scheme, and the CRS in our protocol is 1000 × smaller: 13 MB vs 13 GB for KZG. As a second application, we introduce an argument for aggregating n Groth16 zkSNARKs into an O(log n) sized proof. Our protocol is significantly faster (> 1000 × ) than aggregating SNARKs via recursive composition: we aggregate ∼ 130, 000 proofs in 25 min, versus 90 proofs via recursive composition. Finally, we further apply our aggregation protocol to construct a low-memory SNARK for machine computations that does not rely on recursive composition. For a computation that requires time T and space S, our SNARK produces proofs in space O~ (S+ T), which is significantly more space efficient than a monolithic SNARK, which requires space O~ (S· T).
UR - http://www.scopus.com/inward/record.url?scp=85121910438&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85121910438&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-92078-4_3
DO - 10.1007/978-3-030-92078-4_3
M3 - Conference contribution
AN - SCOPUS:85121910438
SN - 9783030920777
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 65
EP - 97
BT - Advances in Cryptology – ASIACRYPT 2021 - 27th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings, Part 3
A2 - Tibouchi, Mehdi
A2 - Wang, Huaxiong
PB - Springer Science and Business Media Deutschland GmbH
T2 - 27th International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2021
Y2 - 6 December 2021 through 10 December 2021
ER -