
Brakedown: Linear-Time and Field-Agnostic SNARKs for R1CS

  • Conference paper
  • Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14082)

Abstract

This paper introduces a SNARK called Brakedown. Brakedown targets R1CS, a popular NP-complete problem that generalizes circuit-satisfiability. It is the first built system that provides a linear-time prover, meaning the prover incurs O(N) finite field operations to prove the satisfiability of an N-sized R1CS instance. Brakedown's prover is faster, both concretely and asymptotically, than prior SNARK implementations. It does not require a trusted setup and may be post-quantum secure. Furthermore, it is compatible with arbitrary finite fields of sufficient size; this property is new among built proof systems with sublinear proof sizes. To design Brakedown, we observe that recent work of Bootle, Chiesa, and Groth (BCG, TCC 2020) provides a polynomial commitment scheme that, when combined with the linear-time interactive proof system of Spartan (CRYPTO 2020), yields linear-time IOPs and SNARKs for R1CS (a similar theoretical result was previously established by BCG, but our approach is conceptually simpler, and crucial for achieving high-speed SNARKs). A core ingredient in the polynomial commitment scheme that we distill from BCG is a linear-time encodable code. Existing constructions of such codes are believed to be impractical. Nonetheless, we design and engineer a new one that is practical in our context.

We also implement a variant of Brakedown that uses Reed-Solomon codes instead of our linear-time encodable codes; we refer to this variant as Shockwave. Shockwave is not a linear-time SNARK, but it provides shorter proofs and lower verification times than Brakedown, and also provides a faster prover than prior plausibly post-quantum SNARKs.


Notes

  1. It is possible to construct elliptic curves with specified group order [26], which suffices for many discrete log–based SNARKs. Unfortunately, the most efficient elliptic curve implementations are tailored to specific curves, so using a newly constructed curve may entail a performance or engineering cost.

  2. For our SNARKs, a field of size \(\exp (\lambda )\) is sufficient to achieve \(\lambda \) bits of security with a linear-time prover. More generally, our SNARK can work over any field \(\mathbb {F}\) of size \(|\mathbb {F}| \ge \varOmega (N)\) with a prover runtime that is superlinear by a factor of \(O(\lambda /\log |\mathbb {F}|)\), where N denotes instance size.

  3. RedShift and ethStark [1, 46] use FRI to construct a related primitive called a list polynomial commitment with a relaxed notion of soundness, and smaller opening proofs (by up to \(\approx \)30% using Reed-Solomon rate \(\nicefrac {1}{4}\) and existing analyses). That primitive, however, is not a drop-in replacement for polynomial commitments, so we restrict our focus to the latter.

  4. Rate parameter \(\nicefrac {38}{39}\) cannot be used in the Ligero-PC scheme for multilinear polynomials (as required by Shockwave; Sect. 6.2). This is because Ligero-PC's FFT uses power-of-two–length codewords, and multilinear polynomial evaluation can only be decomposed into tensor products with power-of-two-sized tensors (see Sect. 3.1). Since \(\rho \) is the ratio of one tensor's size to codeword length, \(\rho ^{-1}\) must be a power of two. As a result, \(\rho = \nicefrac {1}{2} \) is the highest rate Ligero-PC supports for multilinear polynomials.
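The following is an added worked example; it is not code from the Brakedown paper or from the Brakedown/Spartan implementations. It makes the tensor-product claim of note 4 concrete: the 2^n evaluations of a multilinear polynomial over {0,1}^n are laid out as a 2^a × 2^b matrix M, and evaluating at a point r = (lo, hi) equals l^T · M · r with l = eq(hi) and r = eq(lo). It then runs a Ligero-style opening of the kind the abstract's polynomial commitment is built from: each row of M is Reed-Solomon encoded, the prover sends u = l^T · M, and the verifier uses the code's linearity to spot-check u's encoding against the row codewords at a few columns, catching a tampered u. The `codeword_length` helper shows why a power-of-two-length encoder forces ρ⁻¹ to be a power of two, so a rate such as 38/39 is rejected while 1/2 is accepted. The Merkle commitment to codeword columns is omitted; the field modulus, the polynomial, the evaluation point and the rates are all constructed for illustration.

```python
# Added example (not code from the Brakedown paper or its implementation).
# Tensor decomposition of multilinear evaluation (note 4) plus a Ligero-style
# opening check; Merkle commitments to columns are omitted. All concrete values
# (modulus, polynomial, point, rates) are constructed for illustration.

P = 2**61 - 1  # constructed prime field modulus


def eq_vector(point):
    """Return eq(i, point) for every i in {0,1}^k, indexed by the integer i,
    where bit j of i is the value of the j-th variable."""
    vec = [1]
    for r in point:
        vec = [v * (1 - r) % P for v in vec] + [v * r % P for v in vec]
    return vec


def eval_multilinear(evals, point):
    """Direct evaluation: sum_i evals[i] * eq(i, point), O(2^n) field operations."""
    assert len(evals) == 1 << len(point)
    return sum(e * w for e, w in zip(evals, eq_vector(point))) % P


def split_point(point, a):
    """Split an n-variable point into (lo, hi): the low n-a variables index the
    columns of M, the high a variables index its rows."""
    b = len(point) - a
    return point[:b], point[b:]


def eval_tensor(evals, point, a):
    """Same value as eval_multilinear, computed as l^T * M * r with
    M[row][col] = evals[row * 2^b + col], l = eq(hi), r = eq(lo)."""
    lo, hi = split_point(point, a)
    b = len(lo)
    l_vec, r_vec = eq_vector(hi), eq_vector(lo)
    u = [sum(l_vec[row] * evals[row * (1 << b) + col] for row in range(1 << a)) % P
         for col in range(1 << b)]
    return sum(u_c * r_c for u_c, r_c in zip(u, r_vec)) % P


def codeword_length(msg_len, rate_num, rate_den):
    """Codeword length for message length msg_len at rate rate_num/rate_den.
    A power-of-two FFT encoder needs a power-of-two length; with msg_len = 2^b
    that forces rho^{-1} = rate_den/rate_num to be a power of two."""
    if (msg_len * rate_den) % rate_num != 0:
        raise ValueError("rate %d/%d gives a non-integer codeword length" % (rate_num, rate_den))
    n_out = msg_len * rate_den // rate_num
    if n_out & (n_out - 1) != 0:
        raise ValueError("codeword length %d is not a power of two" % n_out)
    return n_out


def rs_encode(msg, n_out):
    """Naive Reed-Solomon encoding: evaluate the polynomial with coefficient vector
    msg at the points 0, 1, ..., n_out-1. Quadratic time, which is fine at this size;
    a real encoder uses an FFT, hence the power-of-two length requirement."""
    return [sum(c * pow(x, k, P) for k, c in enumerate(msg)) % P for x in range(n_out)]


def ligero_open(evals, point, a, rate, check_cols, tamper=False):
    """Ligero-style opening of the evaluation at `point`; returns (accepted, value).
    Prover: encodes each row of M and sends u = l^T * M in the clear.
    Verifier: at each challenged column j, checks that encode(u)[j] equals the
    same l-combination of the row codewords (linearity of the code), then
    outputs <u, r>. With tamper=True the prover shifts u[0] to show the check fires."""
    lo, hi = split_point(point, a)
    b = len(lo)
    n_out = codeword_length(1 << b, *rate)
    rows = [evals[i * (1 << b):(i + 1) * (1 << b)] for i in range(1 << a)]
    l_vec, r_vec = eq_vector(hi), eq_vector(lo)
    # prover side: row codewords (their columns would be Merkle-committed) and u
    row_codewords = [rs_encode(row, n_out) for row in rows]
    u = [sum(l_vec[i] * rows[i][col] for i in range(1 << a)) % P for col in range(1 << b)]
    if tamper:
        u[0] = (u[0] + 1) % P  # the difference encodes to the constant 1, visible at every column
    # verifier side: column consistency checks, then the final inner product
    u_codeword = rs_encode(u, n_out)
    for j in check_cols:
        expected = sum(l_vec[i] * row_codewords[i][j] for i in range(1 << a)) % P
        if u_codeword[j] != expected:
            return False, None
    return True, sum(u_c * r_c for u_c, r_c in zip(u, r_vec)) % P


if __name__ == "__main__":
    evals = list(range(16))   # constructed: f(x) = integer index of x on {0,1}^4
    point = (3, 7, 11, 13)    # constructed evaluation point
    print(eval_multilinear(evals, point) == eval_tensor(evals, point, 2))
    print(ligero_open(evals, point, 2, (1, 2), [0, 3, 5]))
    print(ligero_open(evals, point, 2, (1, 2), [0, 3, 5], tamper=True))
```

The split parameter `a` is free: any a in 0..n gives the same value, which is exactly the freedom Brakedown uses to choose the matrix shape, but every choice yields power-of-two tensors, so the row length 2^b and the FFT-friendly codeword length together pin ρ⁻¹ to a power of two.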

References

  1. ethSTARK. https://github.com/starkware-libs/ethSTARK

  2. The Ristretto group. https://ristretto.group/

  3. Spartan: High-speed zkSNARKs without trusted setup. https://github.com/Microsoft/Spartan

  4. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS (2017)

  5. Applebaum, B., Haramaty, N., Ishai, Y., Kushilevitz, E., Vaikuntanathan, V.: Low-complexity cryptographic hash functions. In: ITCS (2017)

  6. Baum, C., Malozemoff, A.J., Rosen, M., Scholl, P.: Mac'n'cheese: zero-knowledge proofs for arithmetic circuits with nested disjunctions. Cryptology ePrint Archive, Report 2020/1410 (2020)

  7. Belling, A., Soleimanian, A.: Vortex: building a lattice-based snark scheme with transparent setup. Cryptology ePrint Archive, Paper 2022/1633 (2022)

  8. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: ICALP (2018)

  9. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23

  10. Ben-Sasson, E., Carmon, D., Ishai, Y., Kopparty, S., Saraf, S.: Proximity gaps for Reed-Solomon codes. In: FOCS (2020)

  11. Ben-Sasson, E., Carmon, D., Kopparty, S., Levit, D.: Elliptic Curve Fast Fourier Transform (ECFFT) part I: fast polynomial algorithms over all finite fields. Electronic Colloquium on Computational Complexity, Report 2021/103 (2021)

  12. Ben-Sasson, E., Carmon, D., Kopparty, S., Levit, D.: Scalable and transparent proofs over all large fields, via elliptic curves. Electronic Colloquium on Computational Complexity, Report 2022/110 (2022)

  13. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract. In: ITCS (2013)

  14. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4

  15. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2

  16. Bernstein, D.J., Doumen, J., Lange, T., Oosterwijk, J.-J.: Faster batch forgery identification. Cryptology ePrint Archive, Paper 2012/549 (2012)

  17. Bhadauria, R., Fang, Z., Hazay, C., Venkitasubramaniam, M., Xie, T., Zhang, Y.: Ligero++: a new optimized sublinear IOP. In: CCS, pp. 2025–2038 (2020)

  18. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS (2012)

  19. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC (2013)

  20. Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12

  21. Bootle, J., Chiesa, A., Groth, J.: Linear-time arguments with sublinear verification from tensor codes. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 19–46. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_2

  22. Bootle, J., Chiesa, A., Guan, Z., Liu, S.: Linear-time probabilistic proofs over every field. Cryptology ePrint Archive, Paper 2022/1056 (2022)

  23. Bootle, J., Chiesa, A., Liu, S.: Zero-knowledge succinct arguments with a linear-time prover. Cryptology ePrint Archive, Report 2020/1527 (2020)

  24. Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G.: A non-PCP approach to succinct quantum-safe zero-knowledge. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 441–469. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_16

  25. Braun, B., Feldman, A.J., Ren, Z., Setty, S., Blumberg, A.J., Walfish, M.: Verifying computations with state. In: SOSP (2013)

  26. Bröker, R., Stevenhagen, P.: Efficient CM-constructions of elliptic curves over finite fields. Math. Comp. 76(260), 2161–2179 (2007)

  27. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S&P (2018)

  28. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24

  29. Chen, B., Bünz, B., Boneh, D., Zhang, Z.: HyperPlonk: Plonk with linear-time prover and high-degree custom gates. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14005, pp. 499–530. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30617-4_17

  30. Chiesa, A., Forbes, M.A., Spooner, N.: A zero knowledge sumcheck and its applications. CoRR, abs/1704.02086 (2017)

  31. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

  32. Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27

  33. Cormode, G., Mitzenmacher, M., Thaler, J.: Practical verified computation with streaming interactive proofs. In: ITCS (2012)

  34. Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications. In: ITCS, pp. 169–182 (2014)

  35. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  36. Gelfand, S.I., Dobrushin, R.L., Pinsker, M.S.: On the complexity of coding. pp. 177–184 (1973)

  37. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108 (2011)

  38. Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–189 (1996)

  39. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: STOC (2008)

  40. Golovnev, A., Lee, J., Setty, S., Thaler, J., Wahby, R.S.: Brakedown: linear-time and post-quantum SNARKs for R1CS. Cryptology ePrint Archive, Paper 2021/1043 (2021)

  41. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  42. Hamburg, M.: Decaf: eliminating cofactors through point compression. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 705–723. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_34

  43. Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14303-8

  44. Housni, Y.E., Botrel, G.: EdMSM: multi-scalar-multiplication for SNARKs and faster Montgomery multiplication. Cryptology ePrint Archive, Paper 2022/1400 (2022)

  45. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

  46. Kattis, A., Panarin, K., Vlasov, A.: RedShift: transparent SNARKs from list polynomial commitment IOPs. Cryptology ePrint Archive, Report 2019/1400 (2019)

  47. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC (1992)

  48. Kothapalli, A., Setty, S., Tzialla, I.: Nova: recursive zero-knowledge arguments from folding schemes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13510, pp. 359–388. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_13

  49. Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. Cryptology ePrint Archive, Report 2020/1274 (2020)

  50. Lee, J., Nikitin, K., Setty, S.: Replicated state machines without replicated execution. In: S&P (2020)

  51. libfennel. Hyrax reference implementation. https://github.com/hyraxZK/fennel

  52. libiop. A C++ library for IOP-based zkSNARK. https://github.com/scipr-lab/libiop

  53. libsnark. A C++ library for zkSNARK proofs. https://github.com/scipr-lab/libsnark

  54. Lund, C., Fortnow, L., Karloff, H., Nisan, N.: Algebraic methods for interactive proof systems. In: FOCS, October 1990

  55. Micali, S.: CS proofs. In: FOCS (1994)

  56. Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomization and Probabilistic Techniques in Algorithms and Data Analysis. Cambridge University Press, Cambridge (2017)

  57. O'Connor, J., Aumasson, J.-P., Neves, S., Wilcox-O'Hearn, Z.: BLAKE3: one function, fast everywhere, February 2020. https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf

  58. Ozdemir, A., Brown, F., Wahby, R.S.: Unifying compilers for SNARKs, SMT, and more. Cryptology ePrint Archive, Report 2020/1586 (2020)

  59. Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: S&P, May 2013

  60. Pippenger, N.: On the evaluation of powers and related problems. In: SFCS (1976)

  61. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: STOC, pp. 49–62 (2016)

  62. Ron-Zewi, N., Rothblum, R.D.: Proving as fast as computing: succinct arguments with constant prover overhead. In: STOC (2022)

  63. Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25

  64. Setty, S., Angel, S., Gupta, T., Lee, J.: Proving the correct execution of concurrent services in zero-knowledge. In: OSDI, October 2018

  65. Setty, S., Lee, J.: Quarks: quadruple-efficient transparent zkSNARKs. Cryptology ePrint Archive, Report 2020/1275 (2020)

  66. Setty, S., Vu, V., Panpalia, N., Braun, B., Blumberg, A.J., Walfish, M.: Taking proof-based verified computation a few steps closer to practicality. In: USENIX Security, August 2012

  67. Spielman, D.A.: Linear-time encodable and decodable error-correcting codes. IEEE Trans. Inf. Theory 42(6), 1723–1731 (1996)

  68. Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5

  69. Thaler, J.: Proofs, arguments, and zero-knowledge (2020). http://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.html

  70. Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1

  71. Vlasov, A., Panarin, K.: Transparent polynomial commitment scheme with polylogarithmic communication complexity. Cryptology ePrint Archive, Report 2019/1020 (2019)

  72. Wahby, R.S., et al.: Full accounting for verifiable outsourcing. In: CCS (2017)

  73. Wahby, R.S., Setty, S., Ren, Z., Blumberg, A.J., Walfish, M.: Efficient RAM and control flow in verifiable outsourced computation. In: NDSS (2015)

  74. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S&P (2018)

  75. Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for Boolean and arithmetic circuits. Cryptology ePrint Archive, Report 2020/925 (2020)

  76. Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24

  77. Xie, T., Zhang, Y., Song, D.: Orion: zero knowledge proof with linear prover time. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13510, pp. 299–328. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_11

  78. Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: S&P (2020)

  79. Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: S&P (2017)

Author information

Corresponding author: Alexander Golovnev

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Golovnev, A., Lee, J., Setty, S., Thaler, J., Wahby, R.S. (2023). Brakedown: Linear-Time and Field-Agnostic SNARKs for R1CS. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_7

  • DOI: https://doi.org/10.1007/978-3-031-38545-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38544-5

  • Online ISBN: 978-3-031-38545-2