DOI: 10.1007/978-3-031-15985-5_13

Nova: Recursive Zero-Knowledge Arguments from Folding Schemes

Published: 15 August 2022

Abstract

We introduce a new approach to realize incrementally verifiable computation (IVC), in which the prover recursively proves the correct execution of incremental computations of the form y=F()(x), where F is a (potentially non-deterministic) computation, x is the input, y is the output, and >0. Unlike prior approaches to realize IVC, our approach avoids succinct non-interactive arguments of knowledge (SNARKs) entirely and arguments of knowledge in general. Instead, we introduce and employ folding schemes, a weaker, simpler, and more efficiently-realizable primitive, which reduces the task of checking two instances in some relation to the task of checking a single instance. We construct a folding scheme for a characterization of NP and show that it implies an IVC scheme with improved efficiency characteristics: (1) the “recursion overhead” (i.e., the number of steps that the prover proves in addition to proving the execution of F) is a constant and it is dominated by two group scalar multiplications expressed as a circuit (this is the smallest recursion overhead in the literature), and (2) the prover’s work at each step is dominated by two multiexponentiations of size O(|F|), providing the fastest prover in the literature. The size of a proof is O(|F|) group elements, but we show that using a variant of an existing zkSNARK, the prover can prove the knowledge of a valid proof succinctly and in zero-knowledge with O(log|F|) group elements. Finally, our approach neither requires a trusted setup nor FFTs, so it can be instantiated efficiently with any cycles of elliptic curves where DLOG is hard.
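The abstract's core object, a folding scheme, is easiest to see on the relation Nova actually folds: relaxed R1CS, where an instance is (E, u, x) with witness W and satisfies (A·z) ∘ (B·z) = u·(C·z) + E for z = (u, x, W). An ordinary R1CS instance is the special case u = 1, E = 0. Folding two instances with a verifier challenge r yields one instance z = z1 + r·z2 whose error vector absorbs the cross terms, so checking the folded instance suffices for both. The code below is an added toy illustration of that algebra and is not code from the Nova repository or the paper; the relaxed R1CS formulation is from the full paper rather than this page. It assumes a small Mersenne-prime field, a fixed three-constraint system for y = x^3 + x + 5, no commitments to E or W (in Nova the verifier only ever sees commitments, folded homomorphically), and a challenge r supplied by the caller instead of being derived by Fiat-Shamir.

```python
"""Toy folding of relaxed R1CS instances (added example, not Nova's code).

Assumptions: toy prime field, fixed constraint system, no commitments,
no zero-knowledge, and an explicit challenge r rather than Fiat-Shamir.
"""
import random

P = 2**61 - 1  # assumption: Mersenne prime used as the field modulus


def vec_add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]


def vec_scale(a, k):
    return [(x * k) % P for x in a]


def mat_vec(m, z):
    return [sum(c * v for c, v in zip(row, z)) % P for row in m]


def hadamard(a, b):
    return [(x * y) % P for x, y in zip(a, b)]


# Constraint matrices for y = x^3 + x + 5 over z = (u, y, x, v1, v2).
# Slot 0 is the "constant" slot: it equals 1 in ordinary R1CS and becomes
# the scalar u after folding, which is what keeps every constraint
# homogeneous of degree 2.
A = [[0, 0, 1, 0, 0],   # x
     [0, 0, 0, 1, 0],   # v1
     [5, 0, 1, 0, 1]]   # 5*u + x + v2
B = [[0, 0, 1, 0, 0],   # x
     [0, 0, 1, 0, 0],   # x
     [1, 0, 0, 0, 0]]   # u
C = [[0, 0, 0, 1, 0],   # v1 = x*x
     [0, 0, 0, 0, 1],   # v2 = v1*x
     [0, 1, 0, 0, 0]]   # y  = (5u + x + v2)*u
NUM_CONSTRAINTS = len(A)


def make_instance(x_in):
    """Honest prover: build a satisfying ordinary R1CS instance (u=1, E=0)."""
    v1 = x_in * x_in % P
    v2 = v1 * x_in % P
    y = (v2 + x_in + 5) % P
    return {"E": [0] * NUM_CONSTRAINTS, "u": 1, "x": [y], "W": [x_in, v1, v2]}


def z_of(inst):
    return [inst["u"]] + inst["x"] + inst["W"]


def is_satisfied(inst):
    """Relaxed R1CS check: (A z) o (B z) == u * (C z) + E."""
    z = z_of(inst)
    lhs = hadamard(mat_vec(A, z), mat_vec(B, z))
    rhs = vec_add(vec_scale(mat_vec(C, z), inst["u"]), inst["E"])
    return lhs == rhs


def cross_term(i1, i2):
    """T = Az1 o Bz2 + Az2 o Bz1 - u1*Cz2 - u2*Cz1 (the prover's extra work)."""
    z1, z2 = z_of(i1), z_of(i2)
    t = vec_add(hadamard(mat_vec(A, z1), mat_vec(B, z2)),
                hadamard(mat_vec(A, z2), mat_vec(B, z1)))
    t = vec_add(t, vec_scale(mat_vec(C, z2), (-i1["u"]) % P))
    t = vec_add(t, vec_scale(mat_vec(C, z1), (-i2["u"]) % P))
    return t


def fold(i1, i2, r):
    """Fold two relaxed R1CS instances with challenge r into one instance.

    E absorbs the cross term so that the folded z = z1 + r*z2 still satisfies
    the relaxed relation exactly when both inputs do (up to the usual soundness
    error over the choice of r).
    """
    t = cross_term(i1, i2)
    e = vec_add(vec_add(i1["E"], vec_scale(t, r)), vec_scale(i2["E"], r * r % P))
    return {
        "E": e,
        "u": (i1["u"] + r * i2["u"]) % P,
        "x": vec_add(i1["x"], vec_scale(i2["x"], r)),
        "W": vec_add(i1["W"], vec_scale(i2["W"], r)),
    }


if __name__ == "__main__":
    # Incremental use: keep one running (folded) instance and fold each new
    # step into it, mirroring the IVC accumulator described in the abstract.
    running = make_instance(3)
    for step_input in (2, 11, 29):
        r = random.randrange(1, P)  # in Nova this comes from Fiat-Shamir
        running = fold(running, make_instance(step_input), r)
        assert is_satisfied(running)
    print("running instance satisfied after 3 folds, u =", running["u"])
```

The three constraints are degree-2 in z, so substituting z1 + r·z2 leaves a residual that is linear in r (the cross term) plus the scaled residuals of the two inputs; that is exactly what E1 + r·T + r²·E2 tracks. A dishonest instance cannot be laundered by folding: its own residual survives with coefficient 1 in the folded error check, which the test below exercises.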


Published In

Advances in Cryptology – CRYPTO 2022: 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, August 15–18, 2022, Proceedings, Part IV
Aug 2022
589 pages
ISBN:978-3-031-15984-8
DOI:10.1007/978-3-031-15985-5

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

  • (2025) An Efficient ZK Compiler from SIMD Circuits to General Circuits. Journal of Cryptology 38:1. DOI 10.1007/s00145-024-09531-4. Online: 1 Jan 2025
  • (2024) Confidential Computing Proofs. Queue 22:4, pp. 73-100. DOI 10.1145/3689949. Online: 11 Sep 2024
  • (2024) Tight ZK CPU: Batched ZK Branching with Cost Proportional to Evaluated Instruction. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 3095-3109. DOI 10.1145/3658644.3690289. Online: 2 Dec 2024
  • (2024) Hekaton: Horizontally-Scalable zkSNARKs via Proof Aggregation. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 929-940. DOI 10.1145/3658644.3690282. Online: 2 Dec 2024
  • (2024) Derecho: Privacy Pools with Proof-Carrying Disclosures. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 3197-3211. DOI 10.1145/3658644.3670270. Online: 2 Dec 2024
  • (2024) IDEA-DAC: Integrity-Driven Editing for Accountable Decentralized Anonymous Credentials via ZK-JSON. Proceedings of the ACM Web Conference 2024, pp. 1868-1879. DOI 10.1145/3589334.3645658. Online: 13 May 2024
  • (2024) Lightweight Instance Batch Schemes Towards Prover-Efficient Decentralized Private Computation. Information Security and Privacy, pp. 64-83. DOI 10.1007/978-981-97-5101-3_4. Online: 15 Jul 2024
  • (2024) Proofs for Deep Thought: Accumulation for Large Memories and Deterministic Computations. Advances in Cryptology – ASIACRYPT 2024, pp. 269-301. DOI 10.1007/978-981-96-0935-2_9. Online: 10 Dec 2024
  • (2024) FLI: Folding Lookup Instances. Advances in Cryptology – ASIACRYPT 2024, pp. 402-435. DOI 10.1007/978-981-96-0935-2_13. Online: 10 Dec 2024
  • (2024) Succinct Non-subsequence Arguments. Security and Cryptography for Networks, pp. 24-45. DOI 10.1007/978-3-031-71070-4_2. Online: 11 Sep 2024
