When MPC in the Head Meets VC

Abstract

In this paper, we investigate zero-knowledge proof systems based on the “MPC-in-the-head” paradigm (MPCitH), which presents the advantage of offering fast proof generation and post-quantum security. However, current constructions suffer from the drawbacks of large proof sizes and high memory consumption. Particularly, as the underlying circuit increases in size, the proof size grows significantly, and the machine that executes MPCitH-based protocol quickly surpasses its memory bounds due to the multiple parallel executions of MPC. To overcome this challenge, we present the VC-then-MPCitH paradigm, which integrates verifiable computation (VC) techniques into MPCitH. We implement our protocol using concrete VC protocol Virgo++ and MPCitH protocol BN++. Leveraging the properties of the underlying protocols, we can embed Virgo++ into BN++ efficiently. The resulting protocol can significantly reduce the memory consumption and the cost of both computation and communication of MPCitH for large circuits. We conduct our evaluation on a circuit over the field \({\mathbb F}_{2^{128}}\) consisting of 40,006 multiplication gates and almost 100000 gates in total. With soundness error of \(2^{-128}\), our protocol can generate proofs of size 8891 KB in 86 ms, and verify in 70 ms. Furthermore, our protocol outperforms BN++ with the same parameter settings by reducing the proof size by a factor of 10 and shortening both the prover and verifier time by 13 times. On a resource-constrained device that offers 10 GB of memory, our protocol can handle effectively circuits with up to 10 million gates, while BN++ only supports circuits with up to 330,000 gates.

A Proof of Theorem 1

Completeness. The completeness of \(\varPi \) follows from the completeness of Virgo++ and BN++.

HVZK. The HVZK property of \(\varPi \) is ensured by the underlying MPCitH-based ZK protocol, which is HVZK for the statement \(\mathcal {V}_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\). So the construction of simulator \(\mathcal {S}\) for \(\varPi \) follows the main idea of the ZK simulator for BN++. In the simulation, the offsets of \(\textbf{w},\boldsymbol{\pi },c,z,\alpha \) in the protocol are randomly chosen instead of computing from the secret shares. Due to the randomness of shares and the hiding property of Commit, the transcript output by \(\mathcal {S}\) is indistinguishable from the real script in distribution.

Knowledge Soundness. Under the premise that \(\mathsf{Commit, H_0,H_1}\) and \(\mathsf{H_2}\) are modeled as random oracles, the following lemmas hold.

Lemma 1

\(\varPi \) is an argument of knowledge for the relation: \(R'=\{\langle x'=(\mathcal V_{IP},\textbf{y}); \hat{\textbf{w}}\rangle :\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\}\) with knowledge error

$$ \xi _a=\left( \frac{N+|\mathbb {F}|-1}{N\cdot |\mathbb {F}|}\right) ^M. $$

Proof Sketch. The knowledge soundness of the relation \(R'\) is inherited from BN++. In one of the M independent executions, a malicious \(\mathcal {P}^*\) can cheat \(\mathcal {V}\) by first adjusting the output shares of multiplication gates, and then adjusting one of the parties’ views if the challenges received from \(\mathcal V\) cannot result in acc. According to Lemma 2 of [22], the probability that \(\mathcal {P}^*\) successfully cheats is at most \(\frac{1}{|{\mathbb F}|}\) in the first stage, and at most \(\frac{1}{N}\) in the second stage due to the opening of \(N-1\) views. Thus the total success probability of \(P^*\) is at most \((\frac{1}{|\mathbb F|}+(1-\frac{1}{|\mathbb F|})\cdot \frac{1}{N})^M=\xi _a\). The extractability of knowledge can be proven by listing all possible challenges in Phase 3 and Phase 4 and their responses in a \(N\times |{\mathbb F}|^{V_m}\) matrix for each execution. The extractor \(\mathcal {E}\) can extract the valid witness by tracking entries in the expected time \(O(\frac{1}{\delta (x)-\xi _a)})\) where \(\delta (x)\) is the probability that \(\mathcal {P}^*\) passes verification check. More details about the process of knowledge extraction can be found in [4].

Lemma 2

If Lemma 1 holds and the event causing the knowledge error never happened, then \(\textbf{w}\) in the extracted \(\hat{\textbf{w}}=(\textbf{w},\boldsymbol{\pi })\) will satisfy \(\mathcal C(\textbf{w})=\textbf{y}\) except the probability

$$ \xi _b = \frac{\sum _{i=0}^d (4\lceil \log S_{i,i+1}\rceil + 2\lceil \log S_{i+1}\rceil ) + \sum _{i=1}^d (i+2)}{|{\mathbb F}|}. $$

When \(|\mathbb {F}|\) is large enough, \(\xi _b<\mathsf{negl(\kappa )}\).

Proof Sketch. The proof of Lemma 2 follows the main idea of the soundness analysis of Virgo++. The soundness error \(\xi _b\) consists of 3 parts: the soundness error of the sumcheck protocol applied respectively in each layer of the circuit and the linear combination between the adjacent layers, as well as the soundness error of the linear combination itself.

According to Lemma 1, \(\varPi \) is knowledge-soundness for the relation \(R'=\{\langle x'=(\mathcal V_{IP},\textbf{y});\ \hat{\textbf{w}}\rangle :\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\}\) with knowledge error \(\xi _a\). Then we can invoke the extractor \(\mathcal {E}\) in Lemma 1 to extract the witness \(\hat{\textbf{w}}\) such that \(\mathcal V_{IP}(\hat{\textbf{w}},\textbf{y})=\textbf{0}\) in \(O(\frac{1}{1-\xi _a})\) steps, and the intercepted \(\textbf{w}\) from \(\hat{\textbf{w}}\) satisfies \(\mathcal {C}(\textbf{w})=\textbf{y}\) with the probability at least \(1-\xi _b\) by Lemma 2. Considering the knowledge error for the whole protocol, it is sufficient to ensure the consistency of the extracted witness in the relation R with \(R'\). Suppose \(\mathcal {P}^*\) holds \(\textbf{w}_1, \textbf{w}_2\) trying to convince the verifier of \(\mathcal {C}(\textbf{w})=\textbf{y}\) and \(\mathcal {V}_{IP}((\hat{\textbf{w}}),\textbf{y}) = \textbf{0}\). Conditioned on the verifier of \(\varPi \) outputs \(\textsf{acc}\), if \(\textbf{w}\) does not consist with \(\hat{\textbf{w}}\), the cases in which \(\mathcal {P}^*\) passes the verification are always reduced to the case that leads to the knowledge error \(\xi _a\) or \(\xi _b\). Therefore, \(\varPi \) is knowledge-soundness for the relation \(R=\{\langle x=(\mathcal C,\textbf{y});\ \textbf{w}\rangle :\mathcal {C}(\textbf{w})=\textbf{y}\}\) with knowledge error at most \(\xi \le \xi _a+\xi _b\).