Abstract
In settings such as delegation of computation where a prover is doing computation as a service for many verifiers, it is important to amortize the prover’s costs without increasing those of the verifier. We introduce folding schemes with selective verification. Such a scheme allows a prover to aggregate m NP statements \(x_i\in \mathcal {L}\) in a single statement \(x\in \mathcal {L}\). Knowledge of a witness for x implies knowledge of witnesses for all m statements. Furthermore, each statement can be individually verified by asserting the validity of the aggregated statement and an individual proof \(\pi _i\) with size sublinear in the number of aggregated statements. In particular, verification of statement \(x_i\) does not require reading (or even knowing) all the statements aggregated. We demonstrate natural folding schemes for various languages: inner product relations, vector and polynomial commitment openings and relaxed R1CS of NOVA. All these constructions incur a minimal overhead for the prover, comparable to simply reading the statements.
The research leading to this work was funded by Protocol Labs under grant agreement PL-RGP1-2021-048.
Notes
- 1. In fact, both inner product arguments and polynomial commitment folding can be used for either approach but the presentation becomes more natural by using one approach for each.
- 2. We note that it is also possible to use a different strategy if one changes the statement about the polynomial commitments slightly: the prover can fold statements of the form “I know a polynomial that is a valid opening of a commitment” and fold such statements for each verifier resulting in a claim about a single polynomial commitment. Then, it can prove this statement at a single point which will be the same for all verifiers. The point is derived by hashing the final folded statement. During folding, the transcript of the first protocol rounds is included in the hashing part of the folding. Thus, each verifier can check that its transcript indeed contributed in the sampling of the FS challenge point.
- 3. The bootstrapping construction can in fact bootstrap any m-folding scheme for \(m\ge 2\). We only present the \(m=2\) case for ease of presentation. All constructions in this work are derived from 2-folding schemes but one could in fact consider \(m>2\) to improve concrete efficiency.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ráfols, C., Zacharakis, A. (2023). Folding Schemes with Selective Verification. In: Aly, A., Tibouchi, M. (eds) Progress in Cryptology – LATINCRYPT 2023. LATINCRYPT 2023. Lecture Notes in Computer Science, vol 14168. Springer, Cham. https://doi.org/10.1007/978-3-031-44469-2_12
DOI: https://doi.org/10.1007/978-3-031-44469-2_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-44468-5
Online ISBN: 978-3-031-44469-2