Abstract
Zero-Knowledge Virtual Machines (ZKVMs) have gained traction in recent years due to their potential applications in a variety of areas, particularly blockchain ecosystems. Despite tremendous progress on ZKVMs in the industry, no formal definitions or security proofs have been established in the literature. Due to this lack of formalization, existing protocols exhibit significant discrepancies in terms of problem definitions and performance metrics, making it difficult to analyze and compare these advancements, or to trust the security of the increasingly complex ZKVM implementations.
In this work, we focus on random-access memory, an influential and expensive component of ZKVMs. Specifically, we investigate the state-of-the-art protocols for validating the correct functioning of memory, which we refer to as the memory consistency checks. Isolating these checks from the rest of the system allows us to formalize their definition and security notion. Furthermore, we summarize the state-of-the-art constructions using the Polynomial IOP model and formally prove their security. Observing that the bottleneck of existing designs lies in sorting the entire memory trace, we break away from this paradigm and propose a novel memory consistency check, dubbed \(\textsf{Permem}\). \(\textsf{Permem}\) bypasses this bottleneck by introducing a technique called the address cycle method, which requires fewer building blocks and—after instantiating the building blocks with state-of-the-art constructions—fewer online polynomial oracles and evaluation queries. In addition, we propose \(\textsf{gcq}\), a new construction for the lookup argument—a key building block of the memory consistency check, which costs fewer online polynomial oracles than the state-of-the-art construction \(\textsf{cq}\).
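As an added illustration (not code from the paper), the sorting-based memory consistency check paradigm that the abstract describes as the state of the art, run over a constructed memory trace: the prover reorders the trace by (address, time), and the checker verifies that the reordering is a permutation of the original and that, in that order, every read returns the most recent write to its address. In a PIOP the two checks become a permutation argument and a local-constraint check over polynomial oracles; the `Counter` comparison and the loop here are plain stand-ins for those building blocks.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    time: int       # position in the execution trace
    addr: int       # memory address
    is_write: bool
    value: int

def sorted_by_address(trace):
    """Prover-side step: reorder the trace by (address, time)."""
    return sorted(trace, key=lambda a: (a.addr, a.time))

def is_permutation(trace, sorted_trace):
    """Check 1: the reordered trace is a rearrangement of the original
    (stand-in for the permutation/multiset argument used in a PIOP)."""
    return Counter(trace) == Counter(sorted_trace)

def is_locally_consistent(sorted_trace, init_value=0):
    """Check 2: in (address, time) order every read returns the most recent
    write to that address, or init_value if the address was never written."""
    prev = None
    for cur in sorted_trace:
        if prev is None or prev.addr != cur.addr:
            # first access to an address: a read must see the initial value
            if not cur.is_write and cur.value != init_value:
                return False
        else:
            if cur.time <= prev.time:  # timestamps must strictly increase
                return False
            if not cur.is_write and cur.value != prev.value:
                return False
        prev = cur
    return True

def memory_consistent(trace, init_value=0):
    s = sorted_by_address(trace)
    return is_permutation(trace, s) and is_locally_consistent(s, init_value)

# Constructed sample traces (not taken from the paper).
GOOD_TRACE = [
    Access(0, 5, True, 42), Access(1, 9, True, 7), Access(2, 5, False, 42),
    Access(3, 9, False, 7), Access(4, 5, True, 1), Access(5, 5, False, 1),
    Access(6, 3, False, 0),  # address never written: read sees init value 0
]
BAD_TRACE = GOOD_TRACE[:5] + [Access(5, 5, False, 42)]  # stale read of address 5
```

The sort over the whole trace is exactly the cost the abstract identifies as the bottleneck that the address cycle method avoids.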
Notes
1. Strictly speaking, the corresponding PIOP protocol behind \(\textsf{cq}\) is without the KZG-specific optimizations.
2. For example, the machine can be designed such that executing the last instruction (e.g., a \(\textsf{STOP}\) instruction) does not change the state of the machine, so that this instruction can be repeated as many times as needed until T reaches N.
3. Except for some special-purpose components designed particularly for ZKVMs, e.g., the hash table in Triton VM and some builtins in Cairo, that are not in a traditional CPU architecture. The stack in stack-based architectures like EVM can be considered as a simpler version of random-access memory, whose consistency checks are similar to those for memories.
4. It is indeed used in some works, but very rarely, e.g., in Flookup [GK22]. It is used only in a small component of Flookup, where univariate sumcheck is unusable.
5. If soundness holds only against a polynomially bounded prover, then we say this protocol is an argument.
6. Unless for extremely special cases where the program relies on the memory check to decide whether to abort or not.
References
Ambrona, M., Beunardeau, M., Schmitt, A.-L., Toledo, R.R.: aPlonK: aggregated PlonK from multi-polynomial commitment schemes. https://eprint.iacr.org/2022/1352 (2022)
Team of Aztec. Aztec (2022). https://zk.money/
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: SP 2018, Proceedings, pp. 315–334. IEEE Computer Society (2018)
Ben-Sasson, E., et al.: Computational integrity with a public random string from quasi-linear PCPs. In: Coron, J.S., Nielsen, J. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 551–579. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_19
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. IACR Cryptol. ePrint Arch., 2018:46 (2018). http://eprint.iacr.org/2018/046
Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6
Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12
Bootle, J., Cerulli, A., Groth, J., Jakobsen, S., Maller, M.: Arya: nearly linear-time zero-knowledge proofs for correct program execution. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 595–626. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_20
Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract. In: ITCS 2013, pp. 401, Berkeley, California, USA. ACM Press (2013). http://dl.acm.org/citation.cfm?doid=2422436.2422481
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. Technical report 879 (2013). https://eprint.iacr.org/2013/879
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo infinite: recursive zk-SNARKs from any additive polynomial commitment scheme. Technical report 1536 (2020). http://eprint.iacr.org/2020/1536
Bhadauria, R., Fang, Z., Hazay, C., Venkitasubramaniam, M., Xie, T., Zhang, Y.: Ligero++: a new optimized sublinear IOP. In: CCS 2020, pp. 2025–2038 (2020)
Braun, B., Feldman, A.J., Ren, Z., Setty, S., Blumberg, A.J., Walfish, M.: Verifying computations with state. In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, Farminton Pennsylvania, November 2013, pp. 341–357. ACM (2013). https://dl.acm.org/doi/10.1145/2517349.2522733
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24
Chen, B., Bünz, B., Boneh, D., Zhang, Z.: HyperPlonk: plonk with linear-time prover and high-degree custom gates (2022). https://eprint.iacr.org/2022/1355
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27
Eagen, L.: Bulletproofs++. Technical report 510 (2022). https://eprint.iacr.org/2022/510
Eagen, L., Fiore, D., Gabizon, A.: cq: Cached quotients for fast lookups (2022). https://eprint.iacr.org/2022/1763
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_25
Gabizon, A., Khovratovich, D.: Flookup: fractional decomposition-based lookups in quasi-linear time independent of table size (2022). https://eprint.iacr.org/2022/1447
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing - STOC 1985, pp. 291–304, Providence, Rhode Island, United States. ACM Press (1985). http://portal.acm.org/citation.cfm?doid=22145.22178
Goldberg, L., Papini, S., Riabzev, M.: Cairo – a Turing-complete STARK-friendly CPU architecture. Technical report 1063 (2021). http://eprint.iacr.org/2021/1063
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Gabizon, A., Williamson, Z.J.: Plookup: a simplified polynomial protocol for lookup tables. Technical report 315 (2020). http://eprint.iacr.org/2020/315
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over Lagrange-bases for Oecumenical noninteractive arguments of knowledge. Technical report 953 (2019). https://eprint.iacr.org/2019/953
Haböck, U.: Multivariate lookups based on logarithmic derivatives (2022). https://eprint.iacr.org/2022/1530
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
Team of Loopring. Loopring - zkRollup Layer2 for Trading and Payment (2022). https://loopring.org/#/
Team of Miden. Miden VM Documentation (2022). https://maticnetwork.github.io/miden/
Mignotte, M.: Mathematics for Computer Algebra. Springer, New York (1992). https://doi.org/10.1007/978-1-4613-9171-5
Pearson, L., Fitzgerald, J., Masip, H., Bellés-Muñoz, M., Muñoz-Tapia, J.L.: PlonKup: reconciling PlonK with plookup. Technical report 086 (2022). https://eprint.iacr.org/2022/086
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: SP 2013, pp. 238–252, Berkeley, CA, May 2013. IEEE (2013). http://ieeexplore.ieee.org/document/6547113/
Posen, J., Kattis, A.A.: Caulk+: table-independent lookup arguments. Cryptology ePrint Archive (2022). https://eprint.iacr.org/2022/957
Team of Polygon. Polygon Hermez (2022). https://polygon.technology/solutions/polygon-hermez/
Team of RiscZero. RISC Zero: General-Purpose Verifiable Computing (2022). https://risczero.com/
Ràfols, C., Zapico, A.: An algebraic framework for universal and updatable SNARKs. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 774–804. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_27
Team of Scroll. Scroll (2022). https://scroll.io/
Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25
Setty, S., Lee, J.: Quarks: Quadruple-efficient transparent zkSNARKs. Technical report 1275 (2020). http://eprint.iacr.org/2020/1275
Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 Hash Function for Recursive STARKs (2023). https://eprint.iacr.org/2023/107
Szepieniec, A., Zhang, Y.: Polynomial IOPs for linear algebra relations. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13177, pp. 523–552. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97121-2_19
Team of Triton VM. Triton VM, September 2022. https://github.com/TritonVM/triton-vm
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-Efficient zkSNARKs without trusted setup. In: SP 2018, pp. 926–943 (2018)
Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24
Zapico, A., Buterin, V., Khovratovich, D., Maller, M., Nitulescu, A., Simkin, M.: Caulk: lookup arguments in sublinear time. Technical report 621 (2022). https://eprint.iacr.org/2022/621
Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vRAM: faster verifiable RAM with program-independent preprocessing. In: SP 2018, pp. 908–925. IEEE (2018)
Zapico, A., Gabizon, A., Khovratovich, D., Maller, M., Ràfols, C.: Baloo: nearly optimal lookup arguments (2022). https://eprint.iacr.org/2022/1565
Team of zkSync. zkSync (2022). https://zksync.io/
Zhang, Y., Szepieniec, A., Zhang, R., Sun, S.F., Wang, G., Gu, D.: VOProof: efficient zkSNARKs from vector oracle compilers. In: CCS 2022, New York, NY, USA, November 2022, pp. 3195–3208 (2022). https://doi.org/10.1145/3548606.3559387
Zhang, J., Xie, T., Zhang, Y., Song, D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: SP 2020, pp. 859–876. IEEE (2020)
Acknowledgement
This work is partially supported by the National Key Research and Development Project (Grant No. 2020YFA0712300) and the National Natural Science Foundation of China (Grant No. 62272294). We thank Alan Szepieniec and the anonymous reviewers for their valuable comments.
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Zhang, Y., Sun, SF., Zhang, R., Gu, D. (2023). Polynomial IOPs for Memory Consistency Checks in Zero-Knowledge Virtual Machines. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14439. Springer, Singapore. https://doi.org/10.1007/978-981-99-8724-5_4
DOI: https://doi.org/10.1007/978-981-99-8724-5_4
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8723-8
Online ISBN: 978-981-99-8724-5