On Interactive Oracle Proofs for Boolean R1CS Statements
Financial Cryptography and Data Security (2022)
Abstract
The framework of interactive oracle proofs (IOP) has been used with great success to construct a number of efficient transparent zk-SNARKs in recent years. However, these constructions are based on Reed-Solomon codes and can only be applied directly to statements given in the form of arithmetic circuits or R1CS over large enough fields $\mathbb{F}$. This motivates the question: what is the best way to apply these IOPs to statements that are naturally written as R1CS over small fields, and more concretely, the binary field $\mathbb{F}_2$? While one can just see the system as one over an extension field $\mathbb{F}_{2^e}$ containing $\mathbb{F}_2$, this seems wasteful, as it uses $e$ bits to encode just one “information” bit. In fact, in FC21 the work BooLigero devised a way to apply the well-known Ligero while being able to encode $\sqrt{e}$ bits into one element of $\mathbb{F}_{2^e}$. In this paper, we introduce a new protocol for $\mathbb{F}_2$-R1CS which among other things relies on a more efficient embedding which (for practical parameters) allows to encode $\ge e/4$ bits into an element of $\mathbb{F}_{2^e}$. Our protocol makes then black box use of lincheck and rowcheck protocols for the larger field. Using the lincheck and rowcheck introduced in Aurora and Ligero respectively we obtain $1.31 - 1.65 \times$ smaller proofs for Aurora and $3.71 \times$ for Ligero. We also estimate the reduction of prover time by a factor of $24.7 \times$ for Aurora and between $6.9 - 32.5 \times$ for Ligero without interactive repetitions. Our methodology uses the notion of reverse multiplication friendly embeddings introduced in the area of secure multiparty computation, combined with a new IOPP to test linear statements modulo a subspace $V \le \mathbb{F}_{2^e}$ which may be of independent interest.
Keywords
interactive oracle proofs, statements