SublonK: Sublinear Prover PlonK

IACR Cryptol. ePrint Arch. Pub Date : 2024-07-01 DOI:10.56553/popets-2024-0080

A. Choudhuri, Sanjam Garg, Aarushi Goel, Sruthi Sekar, Rohit Sinha

{"title":"SublonK: Sublinear Prover PlonK","authors":"A. Choudhuri, Sanjam Garg, Aarushi Goel, Sruthi Sekar, Rohit Sinha","doi":"10.56553/popets-2024-0080","DOIUrl":null,"url":null,"abstract":"We propose SublonK --- a new succinct non-interactive argument of knowledge (SNARK). SublonK is the first SNARK that achieves both a constant proof size and prover runtime that grows only with the size of the ``active part'' of the executed circuit (i.e., *sub-linear* in the size of the entire circuit) while being *black-box in cryptography*. For instance, consider circuits encoding conditional execution, where only a fraction of the circuit is exercised by the input. For such circuits, the prover runtime in SublonK grows only with the exercised execution path. Our new construction builds on PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19], a popular state-of-the-art practical zkSNARK, and preserves all its great features --- constant size proofs, constant time proof verification, a circuit-independent universal setup, and support for custom gates and lookup gates. Our techniques are useful for a wide range of applications that involve a circuit executing k steps, where at each step, a (possibly different) s-sized segment is executed from a choice of n segments. Our prover cost for such circuits is O(ks(log (ks) + log(n))). Finally, we show that our improvements are not purely asymptotic. Specifically, we demonstrate the concrete efficiency of SublonK using zkRollups as an example application. Based on our implementation, for parameter choices derived from rollup contracts on Ethereum, n =8, k = 128, s= 2^{16}, the SublonK prover is approximately 4.8x faster than the PlonK prover, and proofs in SublonK are 2.4KB and can be verified in under 50ms.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"66 1","pages":"902"},"PeriodicalIF":0.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.56553/popets-2024-0080","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

We propose SublonK --- a new succinct non-interactive argument of knowledge (SNARK). SublonK is the first SNARK that achieves both a constant proof size and prover runtime that grows only with the size of the ``active part'' of the executed circuit (i.e., *sub-linear* in the size of the entire circuit) while being *black-box in cryptography*. For instance, consider circuits encoding conditional execution, where only a fraction of the circuit is exercised by the input. For such circuits, the prover runtime in SublonK grows only with the exercised execution path. Our new construction builds on PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19], a popular state-of-the-art practical zkSNARK, and preserves all its great features --- constant size proofs, constant time proof verification, a circuit-independent universal setup, and support for custom gates and lookup gates. Our techniques are useful for a wide range of applications that involve a circuit executing k steps, where at each step, a (possibly different) s-sized segment is executed from a choice of n segments. Our prover cost for such circuits is O(ks(log (ks) + log(n))). Finally, we show that our improvements are not purely asymptotic. Specifically, we demonstrate the concrete efficiency of SublonK using zkRollups as an example application. Based on our implementation, for parameter choices derived from rollup contracts on Ethereum, n =8, k = 128, s= 2^{16}, the SublonK prover is approximately 4.8x faster than the PlonK prover, and proofs in SublonK are 2.4KB and can be verified in under 50ms.

查看原文本刊更多论文

SublonK：次线性箴言 PlonK

我们提出了SublonK--一种新的简洁非交互式知识论证（SNARK）。SublonK是第一个同时实现恒定证明大小和证明者运行时间的SNARK，证明者运行时间只随执行电路的 "活动部分 "的大小增长（即与整个电路的大小*次线性），同时在密码学中*黑箱。例如，考虑对条件执行进行编码的电路，其中只有一部分电路由输入执行。对于这种电路，SublonK 中的验证器运行时间只会随着执行路径的增加而增加。我们的新结构建立在 PlonK [Gabizon-Williamson-Ciobotaru, EPRINT'19] -- 一种流行的先进实用 zkSNARK -- 的基础上，并保留了它的所有强大功能 -- 大小不变的证明、时间不变的证明验证、与电路无关的通用设置，以及对自定义门和查找门的支持。我们的技术适用于涉及执行 k 步的电路的各种应用，在每一步中，都会从可选的 n 个段中执行一个（可能不同的）s 大小的段。我们对此类电路的验证成本为 O(ks(log (ks) + log(n)))。最后，我们证明了我们的改进并非纯粹是渐进式的。具体来说，我们以 zkRollups 为例，展示了 SublonK 的具体效率。基于我们的实现，对于从以太坊上的卷积合约中得出的参数选择，n = 8，k = 128，s= 2^{16}，SublonK 验证器比 PlonK 验证器快约 4.8 倍，SublonK 中的证明大小为 2.4KB，验证时间不到 50 毫秒。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Cryptol. ePrint Arch.

自引率

0.00%

发文量