Gemini: Elastic SNARKs for Diverse Environments

  • Conference paper
Advances in Cryptology – EUROCRYPT 2022 (EUROCRYPT 2022)

Abstract

We introduce a new class of succinct arguments that we call elastic. Elastic SNARKs allow the prover to allocate different resources (such as memory and time) depending on the execution environment and the statement to prove; the resulting output is independent of the prover’s configuration. To study elastic SNARKs, we extend the streaming paradigm of [Block et al., TCC’20]. We provide a definitional framework for elastic polynomial interactive oracle proofs (PIOPs) for R1CS instances and design a compiler which transforms an elastic PIOP into a preprocessing argument system that supports streaming or random access to its inputs. Depending on the configuration, the prover will choose different trade-offs for time (either linear or quasilinear) and memory (either linear or logarithmic). We prove the existence of elastic SNARKs by presenting Gemini, a novel FFT-free preprocessing argument. We prove its security and develop a proof-of-concept implementation in Rust based on the arkworks framework. We provide benchmarks for large R1CS instances of tens of billions of gates on a single machine.

Notes

  1. https://ethereum.org/en/developers/docs/scaling/layer-2-rollups/.

  2. https://research.protocol.ai/sites/snarks/.

  3. Note that \({M}= \varOmega ({N})\) without loss of generality, because if \({M}< {N}/3\) then there are variables of \(\mathbf {z}\) that do not participate in any constraint, and these can be dropped. Thus the main size measure for R1CS is the sparsity parameter \({M}\).

  4. The canonical stream of a vector consists of the sequence of its entries, from last to first.

  5. The argument prover and argument verifier emulate the underlying probabilistic proof: the argument prover sends commitments to proof messages, and sends answers to queries together with commitment openings that authenticate those answers.

  6. For example, if one polynomial consists of all of the even coefficients of another, one can produce streams of the coefficients of both polynomials simultaneously, in half the number of passes required to compute streams of each polynomial one at a time.

  7. Here \(|\mathbb {G}_1|=|\mathbb {G}_2|=|\mathbb {G}_T|=q\), \(G\) generates \(\mathbb {G}_1\), \(H\) generates \(\mathbb {G}_2\), and \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is a non-degenerate bilinear map.

  8. This restriction is merely didactical. Given any \(\mathbf {f}\in \mathbb {F}^{N}\), representing the coefficients of a degree \(N-1\) polynomial, it is easy to simulate polynomial-evaluation query access to \((\mathbf {f},1)\) using the polynomial \(\mathbf {f}({X}) + {X}^{N+1}\): for any evaluation query at \(x \in \mathbb {F}\), forward the query to \(\mathbf {f}\) and add \(x^{N+1}\) before returning. This costs \(O(\log N)\) \(\mathbb {F}\)-ops.

  9. See https://github.com/arkworks-rs/gemini.

  10. Cf. https://github.com/arkworks-rs/marlin.

  11. This is `vm.overcommit_memory=2`. See https://www.kernel.org/doc/Documentation/vm/overcommit-accounting.

  12. Source: https://calculator.aws.
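Notes 4, 6 and 8 describe the three streaming ingredients a prover with logarithmic memory relies on: consuming a vector from its last entry to its first, deriving the even- and odd-coefficient sub-polynomials in the same pass, and answering evaluation queries for a shifted polynomial without touching the stream again. The following Rust program is an added example written for this page; it is not code from the paper or from the arkworks `gemini` crate. It works over the toy prime field with p = 2^61 - 1 (an assumption made only so the arithmetic fits in native integers) and uses the identity f(X) = f_even(X^2) + X·f_odd(X^2) to check the split; the helper names are assumptions of this example.

```rust
// Added example (not from the paper or arkworks): a toy streaming evaluator
// over F_p, p = 2^61 - 1, showing the canonical stream (note 4), one-pass
// even/odd coefficient streams (note 6) and the shifted evaluation query
// f(X) + X^{N+1} answered from a query to f (note 8).

const P: u64 = (1u64 << 61) - 1; // Mersenne prime; products fit in u128

fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P as u128) as u64 }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

/// Square-and-multiply exponentiation: O(log e) field multiplications,
/// which is the cost note 8 attributes to computing x^{N+1}.
fn pow(mut base: u64, mut e: u64) -> u64 {
    let mut acc = 1u64;
    while e > 0 {
        if e & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        e >>= 1;
    }
    acc
}

/// Note 4: the canonical stream of a vector yields its entries last to first.
fn canonical_stream(coeffs: &[u64]) -> impl Iterator<Item = u64> + '_ {
    coeffs.iter().rev().copied()
}

/// Evaluate f(x) from its canonical stream with Horner's rule. The stream
/// order (highest-degree coefficient first) is exactly the order Horner
/// needs, so one pass costs O(N) field operations and O(1) memory.
fn eval_stream<I: Iterator<Item = u64>>(stream: I, x: u64) -> u64 {
    stream.fold(0u64, |acc, c| add(mul(acc, x), c))
}

/// Note 6: a single pass over the canonical stream of f yields the canonical
/// streams of both f_even and f_odd, with f(X) = f_even(X^2) + X * f_odd(X^2).
/// Both outputs are materialised here for clarity; a streaming prover would
/// consume them on the fly instead of storing them.
fn split_even_odd(stream: impl Iterator<Item = u64>, n: usize) -> (Vec<u64>, Vec<u64>) {
    let mut even = Vec::with_capacity((n + 1) / 2);
    let mut odd = Vec::with_capacity(n / 2);
    // The k-th streamed element is the coefficient of X^{n-1-k}.
    for (k, c) in stream.enumerate() {
        let idx = n - 1 - k;
        if idx % 2 == 0 { even.push(c) } else { odd.push(c) }
    }
    (even, odd) // both are already in canonical (last-to-first) order
}

/// Note 8: answer an evaluation query to f(X) + X^{N+1} by forwarding the
/// query to f and adding x^{N+1}; only O(log N) extra field operations.
fn eval_shifted<F: Fn(u64) -> u64>(query_f: F, n: u64, x: u64) -> u64 {
    add(query_f(x), pow(x, n + 1))
}

/// Naive reference evaluation (ascending coefficients) to check the streaming code.
fn eval_naive(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().enumerate().fold(0, |acc, (i, &c)| add(acc, mul(c, pow(x, i as u64))))
}

/// Runs all three checks on a constructed sample polynomial; returns true if they agree.
fn demo() -> bool {
    // Constructed input: f(X) = 3 + 5X + 7X^2 + 11X^3 + 13X^4 (N = 5), queried at x = 2^40 + 17.
    let f = [3u64, 5, 7, 11, 13];
    let x = (1u64 << 40) + 17;
    let n = f.len();

    let streamed = eval_stream(canonical_stream(&f), x);
    let (even, odd) = split_even_odd(canonical_stream(&f), n);
    let x2 = mul(x, x);
    let recombined = add(eval_stream(even.into_iter(), x2), mul(x, eval_stream(odd.into_iter(), x2)));
    let shifted = eval_shifted(|q| eval_stream(canonical_stream(&f), q), n as u64, x);

    streamed == eval_naive(&f, x)
        && recombined == streamed
        && shifted == add(streamed, pow(x, n as u64 + 1))
}

fn main() {
    println!("streaming checks pass: {}", demo());
}
```

Each helper reads its input exactly once, which is the property that lets a prover trade the linear memory of a random-access representation for the logarithmic memory of repeated streaming passes.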

References

  1. Baum, C., Malozemoff, A.J., Rosen, M.B., Scholl, P.: \(\sf Mac^{\prime }n^{\prime }Cheese\): zero-knowledge proofs for Boolean and arithmetic circuits with nested disjunctions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 92–122. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_4

  2. Bitansky, N., Chiesa, A.: Succinct arguments from multi-prover interactive proofs and their efficiency benefits. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 255–272. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_16

  3. Bootle, J., Chiesa, A., Groth, J.: Linear-time arguments with sublinear verification from tensor codes. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 19–46. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_2

  4. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2

  5. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_7

  6. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

  7. Bowe, S., et al.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050

  8. Bitansky, N., et al.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC 2013 (2013)

  9. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Public-coin zero-knowledge arguments with (almost) minimal time and space overheads. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 168–197. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_7

  10. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5

  11. Blum, M., et al.: Checking the correctness of memories. In: FOCS 1991 (1991)

  12. Boneh, D., et al.: Efficient polynomial commitment schemes for multiple points and polynomials. Cryptology ePrint Archive, Report 2020/081

  13. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  14. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12

  15. Bootle, J., Cerulli, A., Groth, J., Jakobsen, S., Maller, M.: Arya: nearly linear-time zero-knowledge proofs for correct program execution. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 595–626. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_20

  16. Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 65–97. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_3

  17. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

  18. Clarke, D., Devadas, S., van Dijk, M., Gassend, B., Suh, G.E.: Incremental multiset hash functions and their application to memory integrity checking. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 188–207. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_12

  19. Cormode, G., et al.: Practical verified computation with streaming interactive proofs. In: ITCS 2012 (2012)

  20. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

  21. Drake, J.: PLONK without FFTs. https://www.youtube.com/watch?v=ffXgxvlCBvo

  22. Daza, V., Ràfols, C., Zacharakis, A.: Updateable inner product argument with logarithmic verifier and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 527–557. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_18

  23. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  24. Gabizon, A.: Lineval Protocol. https://hackmd.io/aWXth2dASPaGVrXiGg1Cmg?view

  25. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  26. Garman, C., et al.: Decentralized anonymous credentials (2013)

  27. Golovnev, A., et al.: Brakedown: linear-time and post-quantum SNARKs for R1CS. Cryptology ePrint Archive, Report 2021/1043 (2021)

  28. Gabizon, A., et al.: Plookup: a simplified polynomial protocol for lookup tables. Cryptology ePrint Archive, Report 2020/315 (2020)

  29. Holmgren, J., et al.: Delegating computations with (almost) minimal time and space overhead. In: FOCS 2018 (2018)

  30. Javeed, K., et al.: Low latency flexible FPGA implementation of point multiplication on elliptic curves over GF(p). International Journal of Circuit Theory and Applications (2017)

  31. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

  32. Lund, C., et al.: Algebraic methods for interactive proof systems. J. ACM 39, 859–868 (1992)

  33. Parno, B., et al.: Pinocchio: nearly practical verifiable computation. In: S&P 2013 (2013)

  34. Pippenger, N.: On the evaluation of powers and monomials (1980)

  35. del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 344–373. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_12

  36. Reingold, O., et al.: Constant-round interactive proofs for delegating computation. In: STOC 2016 (2016)

  37. Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

  38. Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5

  39. Wu, H., et al.: DIZK: a distributed zero knowledge proof system. In: USENIX Security 2018 (2018)

  40. Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24

  41. Zcash. https://z.cash/

  42. Zhang, Y., et al.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: S&P 2017 (2017)

  43. Zhang, Y., et al.: vRAM: faster verifiable RAM with program-independent preprocessing. In: S&P 2018 (2018)

  44. Zhang, Y., et al.: PipeZK: accelerating zero-knowledge proof with a pipelined architecture. In: ISCA 2021 (2021)

  45. Ben-Sasson, E., et al.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX Security 2014 (2014)

  46. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: S&P 2014 (2014)

  47. Ben-Sasson, E., et al.: Fast Reed-Solomon interactive oracle proofs of proximity. In: ICALP 2018 (2018)

  48. Ben-Sasson, E., et al.: Aurora: transparent succinct arguments for R1CS. In: EUROCRYPT 2019 (2019)

  49. arkworks: an ecosystem for developing and programming with zkSNARKs. https://github.com/arkworks-rs

Author information

Corresponding authors: Jonathan Bootle and Michele Orrú.

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Bootle, J., Chiesa, A., Hu, Y., Orrú, M. (2022). Gemini: Elastic SNARKs for Diverse Environments. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13276. Springer, Cham. https://doi.org/10.1007/978-3-031-07085-3_15

  • DOI: https://doi.org/10.1007/978-3-031-07085-3_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07084-6

  • Online ISBN: 978-3-031-07085-3

  • eBook Packages: Computer Science (R0)
