SublonK: Sublinear Prover PlonK

A. Choudhuri, Sanjam Garg, Aarushi Goel, Sruthi Sekar, Rohit Sinha
{"title":"SublonK: Sublinear Prover PlonK","authors":"A. Choudhuri, Sanjam Garg, Aarushi Goel, Sruthi Sekar, Rohit Sinha","doi":"10.56553/popets-2024-0080","DOIUrl":null,"url":null,"abstract":"We propose SublonK --- a new succinct non-interactive argument of knowledge (SNARK). SublonK is the first SNARK that achieves both a constant proof size and prover runtime that grows only with the size of the ``active part'' of the executed circuit (i.e., *sub-linear* in the size of the entire circuit) while being *black-box in cryptography*. For instance, consider circuits encoding conditional execution, where only a fraction of the circuit is exercised by the input. For such circuits, the prover runtime in SublonK grows only with the exercised execution path. Our new construction builds on PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19], a popular state-of-the-art practical zkSNARK, and preserves all its great features --- constant size proofs, constant time proof verification, a circuit-independent universal setup, and support for custom gates and lookup gates. Our techniques are useful for a wide range of applications that involve a circuit executing k steps, where at each step, a (possibly different) s-sized segment is executed from a choice of n segments. Our prover cost for such circuits is O(ks(log (ks) + log(n))). Finally, we show that our improvements are not purely asymptotic. Specifically, we demonstrate the concrete efficiency of SublonK using zkRollups as an example application. Based on our implementation, for parameter choices derived from rollup contracts on Ethereum, n =8, k = 128, s= 2^{16}, the SublonK prover is approximately 4.8x faster than the PlonK prover, and proofs in SublonK are 2.4KB and can be verified in under 50ms.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"66 1","pages":"902"},"PeriodicalIF":0.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.56553/popets-2024-0080","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 7

Abstract

We propose SublonK --- a new succinct non-interactive argument of knowledge (SNARK). SublonK is the first SNARK that achieves both a constant proof size and prover runtime that grows only with the size of the ``active part'' of the executed circuit (i.e., *sub-linear* in the size of the entire circuit) while being *black-box in cryptography*. For instance, consider circuits encoding conditional execution, where only a fraction of the circuit is exercised by the input. For such circuits, the prover runtime in SublonK grows only with the exercised execution path. Our new construction builds on PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19], a popular state-of-the-art practical zkSNARK, and preserves all its great features --- constant size proofs, constant time proof verification, a circuit-independent universal setup, and support for custom gates and lookup gates. Our techniques are useful for a wide range of applications that involve a circuit executing k steps, where at each step, a (possibly different) s-sized segment is executed from a choice of n segments. Our prover cost for such circuits is O(ks(log (ks) + log(n))). Finally, we show that our improvements are not purely asymptotic. Specifically, we demonstrate the concrete efficiency of SublonK using zkRollups as an example application. Based on our implementation, for parameter choices derived from rollup contracts on Ethereum, n =8, k = 128, s= 2^{16}, the SublonK prover is approximately 4.8x faster than the PlonK prover, and proofs in SublonK are 2.4KB and can be verified in under 50ms.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
SublonK: 次线性箴言 PlonK
我们提出了SublonK--一种新的简洁非交互式知识论证(SNARK)。SublonK是第一个同时实现恒定证明大小和证明者运行时间的SNARK,证明者运行时间只随执行电路的 "活动部分 "的大小增长(即与整个电路的大小*次线性),同时在密码学中*黑箱。例如,考虑对条件执行进行编码的电路,其中只有一部分电路由输入执行。对于这种电路,SublonK 中的验证器运行时间只会随着执行路径的增加而增加。我们的新结构建立在 PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19] -- 一种流行的先进实用 zkSNARK -- 的基础上,并保留了它的所有强大功能 -- 大小不变的证明、时间不变的证明验证、与电路无关的通用设置,以及对自定义门和查找门的支持。我们的技术适用于涉及执行 k 步的电路的各种应用,在每一步中,都会从可选的 n 个段中执行一个(可能不同的)s 大小的段。我们对此类电路的验证成本为 O(ks(log (ks) + log(n)))。最后,我们证明了我们的改进并非纯粹是渐进式的。具体来说,我们以 zkRollups 为例,展示了 SublonK 的具体效率。基于我们的实现,对于从以太坊上的卷积合约中得出的参数选择,n = 8,k = 128,s= 2^{16},SublonK 验证器比 PlonK 验证器快约 4.8 倍,SublonK 中的证明大小为 2.4KB,验证时间不到 50 毫秒。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Synchronous Distributed Key Generation without Broadcasts Optimizing and Implementing Fischlin's Transform for UC-Secure Zero-Knowledge A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers Efficient isochronous fixed-weight sampling with applications to NTRU Decentralized Multi-Client Functional Encryption with Strong Security
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1