Proofs for Inner Pairing Products and Applications.

ASIACRYPT(2021)

Abstract
We present a generalized inner product argument and demonstrate its applications to pairing-based languages. We apply our generalized argument to prove that an inner pairing product is correctly evaluated with respect to committed vectors of n source group elements. With a structured reference string (SRS), we achieve a logarithmic-time verifier whose work is dominated by 6 log n target group exponentiations. Proofs are of size 6 log n target group elements, computed using 6n pairings and 4n exponentiations in each source group. We apply our inner product arguments to build the first polynomial commitment scheme with succinct (logarithmic) verification, O(√d) prover complexity for degree d polynomials (not including the cost to evaluate the polynomial), and a SRS of size O(√d). Concretely, this means that for d = 2^28, producing an evaluation proof in our protocol is 76x faster than doing so in the KZG commitment scheme, and the CRS in our protocol is 1000x smaller: 13MB vs 13GB for KZG. As a second application, we introduce an argument for aggregating n Groth16 zkSNARKs into an O(log n) sized proof. Our protocol is significantly faster (>1000x) than aggregating SNARKs via recursive composition: we aggregate ~130,000 proofs in 25 min, versus 90 proofs via recursive composition. Finally, we further apply our aggregation protocol to construct a low-memory SNARK for machine computations that does not rely on recursive composition. For a computation that requires time T and space S, our SNARK produces proofs in space Õ(S + T), which is significantly more space efficient than a monolithic SNARK, which requires space Õ(S · T).
Keywords
inner pairing products