
Scalable and Transparent Proofs over All Large Fields, via Elliptic Curves

(ECFFT Part II)

  • Conference paper
Theory of Cryptography (TCC 2022)

Abstract

Concretely efficient interactive oracle proofs (IOPs) are of interest due to their applications to scaling blockchains, their minimal security assumptions, and their potential future-proof resistance to quantum attacks.

Scalable IOPs, in which prover time scales quasilinearly with the computation size and verifier time scales poly-logarithmically with it, have been known to exist thus far only over a set of finite fields of negligible density, namely, over “FFT-friendly” fields that contain a sub-group of size \(2^k\).

Our main result is to show that scalable IOPs can be constructed over any sufficiently large finite field, of size that is at least quadratic in the length of computation whose integrity is proved by the IOP. This result has practical applications as well, because it reduces the proving and verification complexity of cryptographic statements that are naturally stated over pre-defined finite fields which are not “FFT-friendly”. Prior state-of-the-art scalable IOPs relied heavily on arithmetization via univariate polynomials and Reed–Solomon codes over FFT-friendly fields. To prove our main result and extend scalability to all large finite fields, we generalize the prior techniques and use new algebraic geometry codes evaluated on sub-groups of elliptic curves (elliptic curve codes). We also show a new arithmetization scheme that uses the rich and well-understood group structure of elliptic curves to reduce statements of computational integrity to other statements about the proximity of functions evaluated on the elliptic curve to the new family of elliptic curve codes.
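The two size conditions in the abstract are easy to check for a concrete field. The following is an added example written by the editor, not code from the paper or from the ECFFT authors: it computes the 2-adicity of \(p-1\) (which fixes the largest multiplicative subgroup of order \(2^k\) in \(\mathbb{F}_p\)), the largest smooth subgroup order that footnote 3 alludes to, and compares both against the paper's requirement that the field be at least quadratic in the computation length \(T\). Two assumptions are built in: the constant hidden in “at least quadratic” is taken as 1, and the moduli are well-known published field sizes picked here as illustrations, not fields the paper itself discusses.

```python
# Added example (editor's code, not from the paper): classify prime fields by
# the two size conditions in the abstract.  "FFT-friendly" is read as there:
# F_p contains a multiplicative subgroup of order 2^k, and for a Reed-Solomon
# based scalable IOP that order must be at least the computation length T.
# The paper's elliptic-curve route instead needs |F| at least quadratic in T;
# the constant factor is taken as 1 here, a simplification.
# The moduli below are well-known published field sizes chosen as illustrations.

GOLDILOCKS_P = 2**64 - 2**32 + 1
STARK_P = 2**251 + 17 * 2**192 + 1
BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
BLS12_381_R = 52435875175126190479447740508185965837690552500527637822603658699938581184513
SECP256K1_P = 2**256 - 2**32 - 977
MERSENNE31_P = 2**31 - 1

FIELDS = {
    "Goldilocks 2^64 - 2^32 + 1": GOLDILOCKS_P,
    "StarkWare 2^251 + 17*2^192 + 1": STARK_P,
    "BN254 scalar field": BN254_R,
    "BLS12-381 scalar field": BLS12_381_R,
    "secp256k1 base field": SECP256K1_P,
    "Mersenne31 2^31 - 1": MERSENNE31_P,
}


def two_adicity(n: int) -> int:
    """Largest v such that 2**v divides n (n > 0)."""
    return (n & -n).bit_length() - 1


def largest_pow2_subgroup(p: int) -> int:
    """Order of the largest multiplicative subgroup of F_p of 2-power order.

    F_p^* is cyclic of order p - 1, so it has a subgroup of order 2^k exactly
    when 2^k divides p - 1.
    """
    return 1 << two_adicity(p - 1)


def smooth_part(n: int, bound: int) -> int:
    """Largest divisor of n all of whose prime factors are <= bound.

    This is the subgroup order footnote 3 refers to: F_p^* has a subgroup of
    that order, and an FFT over it decomposes along these small prime factors.
    Plain trial division, so only meant for small bounds.
    """
    result = 1
    for q in range(2, bound + 1):
        # smaller primes were divided out completely, so a composite q never divides n here
        while n % q == 0:
            n //= q
            result *= q
    return result


def fft_friendly_for(p: int, T: int) -> bool:
    """Does F_p have a multiplicative subgroup of order 2^k >= T?"""
    return largest_pow2_subgroup(p) >= T


def large_enough_for_ec_codes(p: int, T: int) -> bool:
    """The paper's requirement, simplified to |F| >= T^2 (constant taken as 1)."""
    return p >= T * T


def classify(T: int) -> dict:
    """For each field: (2-adicity of p-1, RS/FFT route usable, EC-code route usable)."""
    return {
        name: (two_adicity(p - 1), fft_friendly_for(p, T), large_enough_for_ec_codes(p, T))
        for name, p in FIELDS.items()
    }


if __name__ == "__main__":
    T = 2**20  # a computation of about a million steps
    for name, (v, fft_ok, ec_ok) in classify(T).items():
        print(f"{name:34s} 2-adicity={v:3d}  FFT-route={fft_ok!s:5s}  EC-route={ec_ok}")
    print("Mersenne31: smooth part of p-1 with bound 100 =", smooth_part(MERSENNE31_P - 1, 100))
```

The interesting rows are the last two: the secp256k1 base field has a 2-adicity of 1, so no power-of-two FFT domain of useful size exists, yet it is comfortably large enough for the elliptic-curve route; Mersenne31 fails both conditions at \(T = 2^{20}\), because \(2^{31} - 1 < 2^{40}\).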


Notes

  1. A proof system is transparent when all verifier messages are public random coins; such systems are also called Arthur–Merlin protocols.

  2. Unless mentioned otherwise, throughout the paper running time is measured in number of field operations, i.e., we assign unit cost to arithmetic operations over the finite field.

  3. More generally, scalable PCPs and IOPs can be constructed over any \(\mathbb{F}\) which has a sub-group of size that is a product of small primes, but prover and verifier running time increase as the prime factors increase in number and size. For simplicity we stick to interpreting an FFT-friendly field as one containing a multiplicative subgroup of size \(2^k\).

  4. The proving and verifying procedures depend on \(O(\mathsf{T} \log q)\) bits of advice that depend only on \(|\mathbb{F}|\) and \(\mathsf{T}\); furthermore, this advice can be generated by a randomized algorithm in time \(O(\mathsf{T}\,\mathrm{polylog}(\mathsf{T} \cdot q))\) with high probability.

  5. The rate parameter, defined as the ratio between a code’s dimension and its blocklength, can be picked to be any constant \(\rho < 1\), and affects the soundness error and proximity parameters; see [8] for state of the art soundness bounds as a function of rate.

  6. The need for cyclic subgroups of size \(2^k\), as opposed to general subgroups of size \(2^k\), of elliptic curve groups is new to this paper in comparison to [9]. The cyclicity is essential for arithmetization.

  7. Arithmetization in the context of such SNARKs has as its output a system of R1CS constraints defined over an elliptic curve subgroup of prime order p that has small constant embedding degree.

  8. An AIR can also be defined using Hamiltonian paths in affine graphs, but restricting to cyclic groups suffices for \(\mathsf{NEXP}\)-completeness, see [7].

  9. To be precise, we work with a suitable Riemann–Roch space.

  10. Some optimizations from [49], which are important for practical considerations and could also be done here, are omitted for clarity.
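Footnotes 3 and 6 hinge on one structural requirement: the elliptic curve group over \(\mathbb{F}_p\) must contain a cyclic subgroup of order \(2^k\), and a large 2-part of the group order is not by itself enough. The following is an added example written by the editor, not the paper's curve-search procedure: it brute-forces the rational points of a tiny curve, projects every point into the 2-Sylow subgroup, and reports the largest cyclic 2-power subgroup it finds. The two curves over \(\mathbb{F}_{31}\) in the demo are the editor's choice: \(y^2 = x^3 + x\) has a single rational 2-torsion point and its group of order 32 is cyclic, while \(y^2 = x^3 - x\) has all three 2-torsion points rational, so its group, also of order 32, cannot be cyclic.

```python
# Added example (editor's code, not from the paper): brute-force the group of a
# small elliptic curve y^2 = x^3 + a*x + b over F_p and find the largest CYCLIC
# subgroup of 2-power order, the object footnote 6 says the arithmetization
# needs.  The largest power of two dividing |E(F_p)| is not enough: when all
# three 2-torsion points are rational the 2-Sylow subgroup is not cyclic.
# Plain affine Weierstrass arithmetic for tiny p; a check on the definitions,
# not the curve-search procedure of the paper.

INF = None  # the point at infinity


def ec_points(p, a, b):
    """All F_p-rational points of y^2 = x^3 + a*x + b, including infinity."""
    roots = {}  # square -> list of its square roots in F_p
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    pts = [INF]
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        pts.extend((x, y) for y in roots.get(rhs, []))
    return pts


def ec_add(P, Q, p, a):
    """Affine chord-and-tangent addition on y^2 = x^3 + a*x + b."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P == -Q, which also covers doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, p, a):
    """Scalar multiplication by double-and-add."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R


def two_torsion_count(p, a, b):
    """Number of rational points of order 2, i.e. roots of x^3 + a*x + b in F_p."""
    return sum(1 for x in range(p) if (x * x * x + a * x + b) % p == 0)


def hasse_ok(p, N):
    """Hasse bound: |N - (p + 1)| <= 2*sqrt(p)."""
    return (N - (p + 1)) ** 2 <= 4 * p


def largest_cyclic_2_subgroup(p, a, b):
    """Return (N, 2**k, G): the group order N, the largest order of a cyclic
    subgroup of 2-power order, and a point G generating such a subgroup."""
    pts = ec_points(p, a, b)
    N = len(pts)
    odd = N >> ((N & -N).bit_length() - 1)  # N with every factor of 2 removed
    best_order, best_gen = 1, INF
    for P in pts:
        Q = ec_mul(odd, P, p, a)  # kills the odd part: Q lies in the 2-Sylow subgroup
        order, R = 1, Q
        while R is not INF:  # the order of Q is a power of two: count doublings
            R = ec_add(R, R, p, a)
            order *= 2
        if order > best_order:
            best_order, best_gen = order, Q
    return N, best_order, best_gen


if __name__ == "__main__":
    p = 31
    for a, b in ((1, 0), (p - 1, 0)):  # y^2 = x^3 + x and y^2 = x^3 - x over F_31
        N, order, G = largest_cyclic_2_subgroup(p, a, b)
        print(f"y^2 = x^3 + {a}x + {b} over F_{p}: |E| = {N}, Hasse ok = {hasse_ok(p, N)}, "
              f"rational 2-torsion points = {two_torsion_count(p, a, b)}, "
              f"largest cyclic 2-power subgroup = {order}, generator = {G}")
```

Both curves have 32 rational points, so a check that only looks at the power of two dividing the group order would accept both; only the second computation, which actually exhibits a generator of the claimed order, separates them. For fields of cryptographic size the point counting and the group-structure determination are of course done algorithmically rather than by enumeration, which is the setting of [9] and of this paper.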

References

  1. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the 24th ACM Conference on Computer and Communications Security, CCS 2017, pp. 2087–2104 (2017)

  2. Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and the hardness of approximation problems. J. ACM 45(3), 501–555 (1998). Preliminary version in FOCS 1992

  3. Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. J. ACM 45(1), 70–122 (1998). Preliminary version in FOCS 1992

  4. Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 21–32 (1991)

  5. Babai, L., Fortnow, L., Lund, C.: Non-deterministic exponential time has two-prover interactive protocols. Comput. Complex. 1, 3–40 (1991). Preliminary version in FOCS 1990

  6. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed–Solomon interactive oracle proofs of proximity. In: Chatzigiannakis, I., Kaklamanis, C., Marx, D., Sannella, D. (eds.) ICALP 2018. LIPIcs, vol. 107, pp. 1–17. Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2018). https://www.dagstuhl.de/dagpub/978-3-95977-076-7

  7. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23

  8. Ben-Sasson, E., Carmon, D., Ishai, Y., Kopparty, S., Saraf, S.: Proximity gaps for Reed–Solomon codes. In: Irani, S. (ed.) 61st IEEE Annual Symposium on Foundations of Computer Science, FOCS 2020, Durham, NC, USA, 16–19 November 2020, pp. 900–909. IEEE (2020). https://doi.org/10.1109/FOCS46700.2020.00088

  9. Ben-Sasson, E., Carmon, D., Kopparty, S., Levit, D.: Elliptic curve fast Fourier transform (ECFFT) part I: fast polynomial algorithms over all finite fields. Electronic Colloquium on Computational Complexity, Report 103 (2021). https://eccc.weizmann.ac.il/report/2021/103

  10. Ben-Sasson, E., Carmon, D., Kopparty, S., Levit, D.: Scalable and transparent proofs over all large fields, via elliptic curves (ECFFT part II). Electronic Colloquium on Computational Complexity, Report 110 (2022). https://eccc.weizmann.ac.il/report/2022/110

  11. Ben-Sasson, E., Chiesa, A., Forbes, M.A., Gabizon, A., Riabzev, M., Spooner, N.: Zero knowledge protocols from succinct constraint detection. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 172–206. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_6

  12. Ben-Sasson, E., Chiesa, A., Gabizon, A., Riabzev, M., Spooner, N.: Interactive oracle proofs with constant rate and query complexity. In: Chatzigiannakis, I., Indyk, P., Kuhn, F., Muscholl, A. (eds.) 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, 10–14 July 2017, Warsaw, Poland. LIPIcs, vol. 80, pp. 1–15. Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2017). https://doi.org/10.4230/LIPIcs.ICALP.2017.40

  13. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: On the concrete efficiency of probabilistically-checkable proofs. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 585–594. ACM (2013). https://doi.org/10.1145/2488608.2488681

  14. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Proceedings of the 33rd Annual International Cryptology Conference, CRYPTO 2013, pp. 90–108 (2013)

  15. Ben-Sasson, E., Chiesa, A., Goldberg, L., Gur, T., Riabzev, M., Spooner, N.: Linear-size constant-query IOPs for delegating computation. In: Proceedings of the 17th Theory of Cryptography Conference, TCC 2019 (2019)

  16. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2

  17. Ben-Sasson, E., Goldberg, L., Kopparty, S., Saraf, S.: DEEP-FRI: sampling outside the box improves soundness. In: Vidick, T. (ed.) 11th Innovations in Theoretical Computer Science Conference, ITCS 2020, 12–14 January 2020, Seattle, Washington, USA. LIPIcs, vol. 151, pp. 1–32. Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.ITCS.2020.5

  18. Ben-Sasson, E., Goldreich, O., Harsha, P., Sudan, M., Vadhan, S.: Short PCPs verifiable in polylogarithmic time. In: Proceedings of the 20th Annual IEEE Conference on Computational Complexity, CCC 2005, pp. 120–134 (2005)

  19. Ben-Sasson, E., Kaplan, Y., Kopparty, S., Meir, O., Stichtenoth, H.: Constant rate PCPs for circuit-SAT with sublinear query complexity. J. ACM 63(4), 1–57 (2016). https://doi.org/10.1145/2901294

  20. Ben-Sasson, E., Sudan, M.: Short PCPs with polylog query complexity. SIAM J. Comput. 38(2), 551–607 (2008)

  21. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12

  22. Bootle, J., Chiesa, A., Groth, J.: Linear-time arguments with sublinear verification from tensor codes. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 19–46. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_2

  23. Bowe, S., Grigg, J., Hopwood, D.: Recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019). https://ia.cr/2019/1021

  24. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: Proceedings of the 39th IEEE Symposium on Security and Privacy, S&P 2018, pp. 315–334 (2018)

  25. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Proceedings of the 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2020, pp. 738–768 (2020)

  26. Chiesa, A., Ma, F., Spooner, N., Zhandry, M.: Post-quantum succinct arguments. Electronic Colloquium on Computational Complexity, Report 38 (2021). https://eccc.weizmann.ac.il/report/2021/038

  27. Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1

  28. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

  29. Chiesa, A., Yogev, E.: Subquadratic SNARGs in the random oracle model. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 711–741. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_25

  30. Chiesa, A., Yogev, E.: Tight security bounds for Micali’s SNARGs. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13042, pp. 401–434. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_14

  31. Chudnovsky, D.V., Chudnovsky, G.V.: Computational problems in arithmetic of linear differential equations. Some Diophantine applications. In: Chudnovsky, D.V., Chudnovsky, G.V., Cohn, H., Nathanson, M.B. (eds.) Number Theory. LNM, vol. 1383, pp. 12–49. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0083567

  32. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PlonK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://ia.cr/2019/953

  33. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Proceedings of the 32nd Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT 2013, pp. 626–645 (2013)

  34. Goldberg, L., Papini, S., Riabzev, M.: Cairo – a Turing-complete STARK-friendly CPU architecture. Cryptology ePrint Archive, Report 2021/1063 (2021). https://eprint.iacr.org/2021/1063

  35. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 113–122 (2008)

  36. Golovnev, A., Lee, J., Setty, S., Thaler, J., Wahby, R.S.: Brakedown: linear-time and post-quantum SNARKs for R1CS. Cryptology ePrint Archive, Report 2021/1043 (2021). https://ia.cr/2021/1043

  37. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  38. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the 39th Annual ACM Symposium on Theory of Computing, STOC 2007, pp. 21–30. ACM, New York (2007). https://doi.org/10.1145/1250790.1250794

  39. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC 1992, pp. 723–732. ACM, New York (1992). https://doi.org/10.1145/129712.129782

  40. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

  41. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)

  42. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updateable structured reference strings. Cryptology ePrint Archive, Report 2019/099 (2019)

  43. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000). https://doi.org/10.1137/S0097539795284959

  44. Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland 2013, pp. 238–252 (2013)

  45. Reingold, O., Rothblum, R., Rothblum, G.: Constant-round interactive proofs for delegating computation. In: Proceedings of the 48th ACM Symposium on the Theory of Computing, STOC 2016, pp. 49–62 (2016)

  46. Ron-Zewi, N., Rothblum, R.: Proving as fast as computing: succinct arguments with constant prover overhead. Electronic Colloquium on Computational Complexity, Report 180 (2021). https://eccc.weizmann.ac.il/report/2021/180

  47. Shamir, A.: IP = PSPACE. J. ACM 39(4), 869–877 (1992)

  48. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6

  49. StarkWare: ethSTARK documentation. Cryptology ePrint Archive, Report 2021/582 (2021). https://eprint.iacr.org/2021/582

  50. Washington, L.C.: Elliptic Curves: Number Theory and Cryptography, 2nd edn. Chapman & Hall/CRC (2008)


Author information

Corresponding author: Dan Carmon.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Ben-Sasson, E., Carmon, D., Kopparty, S., Levit, D. (2022). Scalable and Transparent Proofs over All Large Fields, via Elliptic Curves. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_17


  • DOI: https://doi.org/10.1007/978-3-031-22318-1_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22317-4

  • Online ISBN: 978-3-031-22318-1
