Ben-Sasson, Eli, et al. "Aurora: Transparent succinct arguments for R1CS." Annual international conference on the theory and applications of cryptographic techniques. Springer, Cham, 2019.
Work for a Member company and need a Member Portal account? Register here with your company email address.
April 18, 2019
Ben-Sasson, Eli, et al. "Aurora: Transparent succinct arguments for R1CS." Annual international conference on the theory and applications of cryptographic techniques. Springer, Cham, 2019.
We design, implement, and evaluate a zero knowledge succinct non-interactive argument (SNARG) for Rank-1 Constraint Satisfaction (R1CS), a widely-deployed NP language undergoing standardization. Our SNARG has a transparent setup, is plausibly post-quantum secure, and uses lightweight cryptography. A proof attesting to the satisfiability of n constraints has size 𝑂(log2𝑛)O(log2n); it can be produced with 𝑂(𝑛log𝑛)O(nlogn) field operations and verified with O(n). At 128 bits of security, proofs are less than 250kB250kB even for several million constraints, more than 10×10× shorter than prior SNARGs with similar features.
A key ingredient of our construction is a new Interactive Oracle Proof (IOP) for solving a univariate analogue of the classical sumcheck problem [LFKN92], originally studied for multivariate polynomials. Our protocol verifies the sum of entries of a Reed–Solomon codeword over any subgroup of a field.
We also provide 𝚕𝚒𝚋𝚒𝚘𝚙libiop, a library for writing IOP-based arguments, in which a toolchain of transformations enables programmers to write new arguments by writing simple IOP sub-components. We have used this library to specify our construction and prior ones, and plan to open-source it.