
Efficient KZG-Based Univariate Sum-Check and Lookup Argument

Conference paper, Public-Key Cryptography – PKC 2024 (PKC 2024)

Abstract

We propose a novel KZG-based sum-check scheme, dubbed \(\textsf{Losum}\), with optimal efficiency. Particularly, its proving cost is one multi-scalar-multiplication of size k—the number of non-zero entries in the vector, its verification cost is one pairing plus one group scalar multiplication, and the proof consists of only one group element.

Using \(\textsf{Losum}\) as a component, we then construct a new lookup argument, named \(\textsf{Locq}\), which enjoys a smaller proof size and a lower verification cost than the state-of-the-art schemes \(\textsf{cq}\), \(\textsf{cq}\)+ and \(\textsf{cq}\)++. Specifically, the proving cost of \(\textsf{Locq}\) is comparable to that of \(\textsf{cq}\), keeping the advantage that the proving cost is independent of the table size after preprocessing. For verification, \(\textsf{Locq}\) costs four pairings, while \(\textsf{cq}\), \(\textsf{cq}\)+ and \(\textsf{cq}\)++ require five, five and six pairings, respectively. For proof size, a \(\textsf{Locq}\) proof consists of four \(\mathbb {G}_1\) elements and one \(\mathbb {G}_2\) element; when instantiated with the BLS12-381 curve, the proof size of \(\textsf{Locq}\) is 2304 bits, while \(\textsf{cq}\), \(\textsf{cq}\)+ and \(\textsf{cq}\)++ have 3840, 3328 and 2944 bits, respectively. Moreover, \(\textsf{Locq}\) is zero-knowledge, as are \(\textsf{cq}\)+ and \(\textsf{cq}\)++, whereas \(\textsf{cq}\) is not. \(\textsf{Locq}\) is more efficient even when compared to the non-zero-knowledge (and more efficient) versions of \(\textsf{cq}\)+ and \(\textsf{cq}\)++.
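The abstract states the costs of the sum-check scheme but not the algebraic identity that a univariate sum-check proves. The following Python is an added worked example, not part of the paper and not an implementation of \(\textsf{Losum}\) or \(\textsf{Locq}\): it reproduces the classical univariate sum-check identity that any KZG-based univariate sum-check reduces to. For a polynomial f and a multiplicative subgroup H of size n, the sum of f over H equals s exactly when f = g·Z_H + X·h + s/n with deg h < n − 1. The prime p = 97, the subgroup size n = 8, the sample polynomial and the evaluation points are constructed toy values, and every function name is the example's own.

```python
# Added worked example (not from the paper): the classical univariate sum-check
# identity over a multiplicative subgroup H of a toy prime field, which is the
# algebraic fact a KZG-based sum-check argument reduces to.  The field size
# p = 97 and the subgroup size n = 8 are constructed for illustration only;
# real deployments use the scalar field of a pairing-friendly curve.

P = 97          # toy prime field (constructed; far too small for real use)
N = 8           # |H|; must divide p - 1


def subgroup_generator(n: int, p: int) -> int:
    """Return an element of exact multiplicative order n in F_p."""
    assert (p - 1) % n == 0, "n must divide p - 1"
    for x in range(2, p):
        w = pow(x, (p - 1) // n, p)
        if all(pow(w, k, p) != 1 for k in range(1, n)):
            return w
    raise ValueError("no generator found")


def poly_eval(coeffs, x: int, p: int) -> int:
    """Horner evaluation; coeffs[i] is the coefficient of X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def divmod_vanishing(f, n: int, p: int):
    """Divide f by Z_H(X) = X^n - 1.  Returns (g, r) with f = g*Z_H + r, deg r < n."""
    rem = list(f) + [0] * max(0, n - len(f))
    quot = [0] * max(1, len(rem) - n)
    # X^i = X^(i-n) * (X^n - 1) + X^(i-n): fold each high term down by n.
    for i in range(len(rem) - 1, n - 1, -1):
        c = rem[i]
        if c:
            quot[i - n] = (quot[i - n] + c) % p
            rem[i - n] = (rem[i - n] + c) % p
            rem[i] = 0
    return quot, rem[:n]


def sum_over_h(f, omega: int, n: int, p: int) -> int:
    """The value the argument is about: sum of f over H = {omega^0, ..., omega^(n-1)}."""
    return sum(poly_eval(f, pow(omega, i, p), p) for i in range(n)) % p


def sumcheck_prove(f, n: int, p: int):
    """Prover side: decompose f = g*Z_H + X*h + s/n and output (s, g, h).

    Uses the fact that sum_{a in H} a^i = 0 for 0 < i < n, so only the
    constant term of the remainder contributes to the sum over H.
    """
    g, r = divmod_vanishing(f, n, p)
    s = (n * r[0]) % p
    h = r[1:]                      # deg h < n - 1
    return s, g, h


def sumcheck_verify(f, s: int, g, h, z: int, n: int, p: int) -> bool:
    """Verifier side: check the identity at a point z plus the degree bound on h.

    In a KZG instantiation the verifier holds commitments to f, g and h rather
    than the polynomials, and the degree bound is enforced by the commitment
    scheme; here both are checked directly in the clear.
    """
    if len(h) > n - 1:
        return False
    z_h = (pow(z, n, p) - 1) % p
    rhs = (poly_eval(g, z, p) * z_h + z * poly_eval(h, z, p) + s * pow(n, -1, p)) % p
    return poly_eval(f, z, p) == rhs


# Constructed sample polynomial of degree 11 > n, so the quotient g is non-trivial.
F_SAMPLE = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8]


def demo():
    """Run an honest proof and a forged claim; return the observable results."""
    omega = subgroup_generator(N, P)
    s, g, h = sumcheck_prove(F_SAMPLE, N, P)
    honest = all(sumcheck_verify(F_SAMPLE, s, g, h, z, N, P) for z in (13, 42, 77))
    forged = sumcheck_verify(F_SAMPLE, (s + 1) % P, g, h, 13, N, P)
    return {"sum_direct": sum_over_h(F_SAMPLE, omega, N, P), "sum_claimed": s,
            "honest_accepts": honest, "forged_accepts": forged}


if __name__ == "__main__":
    print(demo())
```

The verifier in the example checks the identity in the clear at a fixed point; in a KZG-based scheme such as the one the paper describes, f, g and h would be committed as group elements, the point z would be a random challenge, and the check would become a pairing equation over the commitments, which is where the pairing counts quoted in the abstract come from. Changing the claimed sum by any non-zero amount shifts the right-hand side by a non-zero multiple of 1/n, so a forged claim fails at every point.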


Notes

  1. Concurrent to this work.

  2. This requires that the table be randomized by a mask when its commitment is computed, before it is passed to the lookup argument.

  3. The cost of one scalar multiplication can be ignored compared to the pairing.

  4. As long as \(\mathbb {F}\) is sufficiently large, as required by all succinct arguments.

  5. https://zka.lc.


Acknowledgement

This work is partially supported by Shanghai Science and Technology Innovation Action Plan (Grant No. 23511101100), the National Key Research and Development Project (Grant No. 2020YFA0712300) and the National Natural Science Foundation of China (Grant No. 62272294). We thank Ren Zhang and Alan Szepieniec for their valuable comments and feedback. We thank the anonymous reviewers for their careful examination of our work and their insightful comments and constructive suggestions.

Author information

Correspondence to Shi-Feng Sun or Dawu Gu.


Copyright information

© 2024 International Association for Cryptologic Research

About this paper


Cite this paper

Zhang, Y., Sun, SF., Gu, D. (2024). Efficient KZG-Based Univariate Sum-Check and Lookup Argument. In: Tang, Q., Teague, V. (eds) Public-Key Cryptography – PKC 2024. PKC 2024. Lecture Notes in Computer Science, vol 14602. Springer, Cham. https://doi.org/10.1007/978-3-031-57722-2_13


  • DOI: https://doi.org/10.1007/978-3-031-57722-2_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57721-5

  • Online ISBN: 978-3-031-57722-2

  • eBook Packages: Computer Science (R0)
