Spartan

From this paper, we adopt the notation $\langle\mathcal{A}(z_a),\mathcal{B}(z_b)\rangle(x)$ to denote the random variable representing the local output of machine $\mathcal{B}$ when interacting with the machine $\mathcal{A}$ on common input $x$, when the random tapes for each machine are uniformly and independently chosen, and $\mathcal{A}$ and $\mathcal{B}$ has auxiliary inputs $z_a$ and $z_b$, respectively.

Let $\langle\mathcal{P},\mathcal{V}\rangle$ denote a pair of algorithms and $\mathsf{Setup}$ denotes an algorithm that outputs public parameters $\mathsf{pp}$ given as input the security parameter $\lambda$.

from the paper. A protocol between a pair of algorithms $\langle\mathcal{P},\mathcal{V}\rangle$ is called a public-coin succinct interactive argument of knowledge for a language $\mathcal{L}$ if:

Completeness. For any problem instance $\mathbf{x}\in\mathcal{L}$, there exists a witness $w$ such that for all $r\in\{0, 1\}^{*}$, $\mathsf{Pr}\{\langle\mathcal{P}(\mathsf{pp},w),\mathcal{V}(\mathsf{pp},r)\rangle(\mathbf{x}) = 1\} ≥ 1 − \mathsf{negl}(\lambda)$.

Soundness. For any non-satisfiable problem instance $\mathbf{x}$, any PPT prover $P^∗$ , and for all $w,r\in\{0, 1\}^∗$, $Pr\{\langle\mathcal{P}^* (\mathsf{pp},w), \mathcal{V}(\mathsf{pp},r)⟩(\mathbf{x}) = 1\} ≤ \mathsf{negl}(\lambda)$.

Knowledge soundness. For any PPT adversary $\mathcal{A}$, there exists a PPT extractor $\mathcal{E}$ such that for any problem instance $\mathbf{x}$ and for all $w,r\in\{0, 1\}^∗$ , if $\mathsf{Pr}\{\langle\mathcal{A}(pp, w), \mathcal{V}(\mathsf{pp},r)⟩(\mathbf{x}) = 1\} \geq\mathsf{negl}(\lambda)$, then $\mathsf{Pr}\{\mathsf{Sat}_\mathcal{L}(\mathbf{x},w') = 1|w'\leftarrow\mathcal{E}^{\mathcal{A}}(\mathsf{pp}, \mathbf{x})\} \geq \mathsf{negl}(\lambda)$.

Succinctness. The total communication between $\mathcal{P}$ and $\mathcal{V}$ is sublinear in the size of the NP statement $\mathbf{x}\in\mathcal{L}$.

Public coin. $\mathcal{V}$'s messages are chosen uniformly at random.

Using , a prover can prove statements of the form:

We can denote the sumcheck protocol as $\mathsf{IsSat}\leftarrow\langle\mathcal{P}_{sc},\mathcal{V}_{sc}(\bm{r})\rangle(\mathcal{G},\mu,l,T)$ for any $\mu$-variate polynomial $\mathcal{G}$ with degree at most $l$ in each variable. This is typically reduced to the claim $\mathcal{G}(\bm{r})\stackrel{?}{=}e$ and using $\mu$ round interactive protocol which can be denoted as $e\leftarrow\langle\mathcal{P}_{sc}(\mathcal{G}),\mathcal{V}_{sc}(\bm{r})\rangle(\mu,l,T)$

Generally, the verifier must evaluate $\mathcal{G}$ at some random point in its domain $\bm{r}=(r_1,\dots,r_\mu)$.

. (Multilinear polynomial) A multivariate polynomial is called a multilinear polynomial if the degree of the polynomial in each variable is at most one.

. (Low-degree polynomial) A multivariate polynomial $\mathcal{G}$ over a finite field $\mathbb{F}$ is called low-degree polynomial if the degree of $\mathcal{G}$ in each variable is exponentially smaller than $|\mathbb{F}|$.

Low-degree extensions (LDEs). Suppose $g:\{0,1\}^\mu\rightarrow\mathbb{F}$ is a function that maps $\mu$-bit elements into an element of $\mathbb{F}$. A polynomial extension of $g$ is a low-degree $\mu$-variate polynomial $\tilde{\mathcal{g}}(\cdot)$ such that $\tilde{\mathcal{g}}(\bm{x})=\mathcal{g}(\bm{x})$ for all $\bm{x}\in\{0,1\}^\mu$.

Multilinear extension (MLE) is a LDE where the extension is a multilinear polynomial. Given a function $Z:\{0,1\}^\mu\rightarrow\mathbb{F}$, the MLE of $Z(\cdot)$ is the unique multilinear polynomial $\tilde{Z}:\mathbb{F}^\mu\rightarrow\mathbb{F}$. It can be computed as follows:

Note that $\widetilde{\mathsf{eq}}(\bm{x},\bm{e})$ is the MLE of the following function:

For any $\bm{r}\in \mathbb{F}^\mu$, $\tilde{Z}(\bm{r})$ can be computed in $O(2^\mu)$ operations in $\mathbb{F}$. [, ]

A polynomial commitment scheme for multilinear polynomials is a tuple of four protocols $\mathsf{PC} = (\mathsf{Setup}, \mathsf{Commit}, \mathsf{Open}, \mathsf{Eval})$.

$\mathsf{pp} \leftarrow \mathsf{Setup}(1^λ, \mu)$: takes as input $\mu$ (the number of variables in a multilinear polynomial); produces public parameters $\mathsf{pp}$.

$(\mathcal{C}; \mathcal{S}) \leftarrow \mathsf{Commit}(\mathsf{pp}; \mathcal{G})$: takes as input a $\mu$-variate multilinear polynomial over a finite field $\mathcal{G} \in \mathbb{F}[X_1,...,X_\mu]$; produces a public commitment $\mathcal{C}$ and a secret opening hint $\mathcal{S}$.

$b \leftarrow \mathsf{Open}(\mathsf{pp}, \mathcal{C}, \mathcal{G}, \mathcal{S})$: verifies the opening of commitment $\mathcal{C}$ to the $\mu$-variate multilinear polynomial $\mathcal{G} \in \mathbb{F}[X_1,\dots,X_\mu]$ with the opening hint $\mathcal{S}$; outputs a boolean $b \in \{0, 1\}$.

$b \leftarrow \mathsf{Eval}(\mathsf{pp}, \mathcal{C}, r, v; \mathcal{G}, \mathcal{S})$ is an interactive public-coin protocol between a prover $\mathcal{P}$ and verifier $\mathcal{V}$. Both $\mathcal{V}$ and $\mathcal{P}$ hold a commitment $\mathcal{C}$, a scalar $v\in\mathbb{F}$ , and $r\in \mathbb{F}^\mu$. $\mathcal{P}$ additionally knows a $\mu$-variate multilinear polynomial $\mathcal{G} \in\mathbb{F} [X_1,\dots,X_\mu]$ and its secret opening hint $\mathcal{S}$. $\mathcal{P}$ attempts to convince $\mathcal{V}$ that $\mathcal{G}(r) = v$. At the end of the protocol, $\mathcal{V}$ outputs $b \in \{0, 1\}$.

from the paper. For any R1CS instance $\mathbf{x}=(\mathbb{F},\bm{A,B,C},\bm{io},m,n)$ there exists a degree-3, $\log m$-variate polynomial $\mathcal{G}$ such that $\sum_{\bm{x}\in\{0,1\}^{\log m}}\mathcal{G}(\bm{x})=0$ if and only if there exists a witness $w$ such that $\mathsf{Sat}(\mathbb{x},w)=1$ (except for a soundness error that is negligible in $\lambda$). Here, $n$ is the upper bound on the non-zero entries in the $\bm{A}, \bm{B}, \bm{C}$ matrices.

If we denote $\log m = s$ for the sake of simplicity, for a given $\bm{A,B,C}\in\mathbb{F}^{m\times m}$, we can view them as functions with the following signature: $\{0,1\}^s\times\{0,1\}^s\rightarrow \mathbb{F}$. Furthermore, given a witness $\bm{w}$ to instance $\mathbf{x}$, let $\bm{Z}=(\bm{io},1,\bm{w})$. Then we can also view $\bm{Z}$ as a function mapping $\{0,1\}^s\rightarrow\mathbb{F}$.

We define $F_{\bm{io}}(\cdot)$ that can be used to encode $\bm{w}$ as:

from the paper. $\forall \bm{x}\in\{0,1\}^s, F_{io}(x)=0$ if and only if $\mathsf{Sat}(\mathbf{x},\bm{w})=1$.

Proof. This follows from the definition of $\mathsf{Sat}_\mathsf{R1CS}(\mathbf{x}, \bm{w})$ (Section 2.1) and of $Z(\cdot)$. $\square$

Unfortunately, $F_{io}(\cdot)$ is a function, not a polynomial, so it cannot be directly used in the sumcheck protocol. But, consider its polynomial extension $\tilde{F}_{\bm{io}}:\mathbb{F}^s\rightarrow\mathbb{F}$:

from the paper. Then, $\forall \bm{x}\in\{0,1\}^s, \tilde{F}_{\bm{io}}(\bm{x})=0$ if and only if $\mathsf{Sat}(\mathbf{x},\bm{w})=1$.

Proof. For any $\bm{x} \in \{0, 1\}^s$, $\tilde{F}_{\bm{io}}(x) = F_{\bm{io}}(x)$, so the result follows from Lemma 4.1. $\square$

Since $\tilde{F}_{\bm{io}}(\cdot)$ is a low-degree multivariate polynomial over $\mathbb{F}$ in $s$ variables, a verifier could check if $\sum_{\bm{x}\in\{0,1\}^s}\tilde{F}_{\bm{io}}(\bm{x})=0$ using the sumcheck protocol. But the sum being 0 doesn't exactly mean that each of them was 0 since some of the terms in the sum may cancel each other out. This is addressed using a prior idea from by taking:

$Q_{\bm{io}}$ is same as $\tilde{F}_{\bm{io}}$ over the boolean hypercube.

$Q_{\bm{io}}$ is $s$-variate multilinear polynomial

$\forall\bm{t}\in\{0,1\}^s$, $Q_{\bm{io}}(\bm{t})=0 \Leftrightarrow \mathsf{Sat}(\mathbf{x},\bm{w})=1$ . Therefore, Since it has $2^s$ solutions, it has to be a 0 polynomial over the $\mathbb{F}^s$ if and only if $\mathsf{Sat(\mathbf{x},\bm{w})}=1$.

This implies that $Q_{\bm{io}}(\bm{\tau})$ is zero-polynomial if and only if $\mathsf{Sat}(\mathbb{x},w)=1$ and to check if $Q_{\bm{io}}(\cdot)$ is a zero-polynomial, its enough with a single random challenge $Q_{\bm{io}}(\bm{r_\tau})\stackrel{?}{=}0$ where $\bm{r_\tau}\in_R \mathbb{F}^s$ (this will introduce soundness error $\frac{\log m}{|\mathbb{F}|})$.

Proof of . For a given R1CS instance $\mathbf{x} = (\mathbb{F} ,\bm{A},\bm{B},\bm{C}, \bm{io}, m, n)$, define, $\mathcal{G}_{\bm{io},\bm{\tau}} (\bm{x}) = \tilde{F}_{\bm{io}}(\bm{x}) \cdot\widetilde{\mathsf{eq}}(\bm{\tau}, \bm{x})$, so $Q_{io}(\bm{\tau}) = \sum_{\bm{x}∈\{0,1\}^s}\mathcal{G}_{\bm{io},\bm{\tau}}(\bm{x})$. Observe that $\mathcal{G}_{\bm{io},\bm{\tau}}(\cdot)$ is a degree-3 $s$-variate polynomial if multilinear extensions of $\bm{A},\bm{B},\bm{C}$, and $\bm{Z}$ are used in $\tilde{F}_{\bm{io}}(\cdot)$. In the terminology of the sumcheck protocol, $T = 0$, $\mu = s = \log m$, and $l = 3$. Furthermore, if $\bm{r_\tau}\in_R\mathbb{F}^s$, $\sum_{\bm{x}\in\{0,1\}^s} \mathcal{G}_{\bm{io},\bm{r_\tau}} (\bm{x}) = 0$ if and only $\tilde{F}_{\bm{io}}(\bm{x}) = 0$, $\forall \bm{x}\in\{0,1\}^s$—except for soundness error that is negligible in $\lambda$ under the assumptions noted above (). This combined with implies the desired result.

from the paper. Given an extractable polynomial commitment scheme for multilinear polynomials, there exists a public-coin succinct interactive argument of knowledge where security holds under the assumptions needed for the polynomial commitment scheme and assuming $|\mathbb{F}|$ is exponential in $\lambda$ and the size parameter of R1CS instance $n = O(\lambda)$.

established that for $\mathcal{V}$ to verify if an R1CS instance $\mathbf{x}=(\mathbb{F},\bm{A,B,C},\bm{io},m,n)$ is satisfiable, it can check if $\sum_{\bm{x}\in\{0,1\}^{\log m}}\mathcal{G}_{\bm{io},\bm{\tau}}(\bm{x})=0$. By using the sumcheck protocol, we can reduce the claim about the sum to $e_x \stackrel{?}{=} \mathcal{G}_{\bm{io},\bm{\tau}}(\bm{r}_x)$ where $\bm{r}_x\in \mathbb{F}^s$, so $\mathcal{V}$ needs a mechanism to evaluate $\mathcal{G}_{\bm{io},\bm{\tau}}(\bm{r}_x)$—without incurring $O(m)$ communication from $\mathcal{P}$ to $\mathcal{V}$.

Now, the prover can make three separate claims $\bar{A}(\bm{r}_x)=v_A, \bar{B}(\bm{r}_x)=v_B, \bar{C}(\bm{r}_x)=v_C$ and verifier can check:

Of course, the verifier still needs verify the $v_A, v_B, v_C$ claims and to do so, it can run three independent instances of sumcheck protocol but instead, we can use a to combine these into a single claim:

Verifier samples $r_A, r_B, r_C \leftarrow \mathbb{F}$ and computes $c=r_A\cdot v_A + r_B\cdot v_B + r_C \cdot v_C$.

Let $L(\bm{x})=r_A\cdot\bar{A}(\bm{x}) + r_B\cdot\bar{B}(\bm{x})+r_C\cdot\bar{C}(\bm{x})$. Then:

Still there are some problems left. To verify the last sumcheck $\sum_{\bm{y}\in\{0,1\}^s}\bm{M}_{\bm{r}_x}(\bm{y})\stackrel{?}{=}c$, the verifier has to evaluate $\bm{M}_{\bm{r}_x}$ at some random $\bm{r}_y\in_R \mathbb{F}^s$:

Observe that the only term in $\bm{M}_{\bm{r}_x}(\bm{r}_y)$ that depends on the prover’s witness is $\tilde{Z}(\bm{r}_y)$. This is because all other terms in the above expression can be computed locally by $\mathcal{V}$ using $\mathbf{x}=(\mathbb{F},\bm{A,B,C},\bm{io},m,n)$ in $O(n)$ time ( in the paper discusses how to reduce the cost of those evaluations to be sub-linear in $n$).

To evaluate $\tilde{Z}(\bm{r}_y)$, $\mathcal{V}$ does the following. WLOG, assume $|\bm{w}| = |\bm{io}| + 1$. Thus, by the closed form expression of multilinear polynomial evaluations, we have:

If you recall that $\bm{Z}=(\bm{io},1,\bm{w})$ and $\widetilde{\mathsf{eq}}(\bm{e},\bm{x})=\prod_{i=1}^s(x_i\cdot e_i + (1-x_i)(1-e_i))$:

Similar technique is also used by under the section .

We assume that there exists an extractable polynomial commitment scheme for multilinear polynomials $\mathsf{PC}=(\mathsf{Setup, Commit, Open, Eval)}$.

$\mathsf{pp}\leftarrow \mathsf{PC.Setup}(1^\lambda,s)$

$\mathsf{IsSat}\leftarrow\langle\mathcal{P}(\bm{w}),\mathcal{V}(r)\rangle(\mathbb{F},\bm{A},\bm{B},\bm{C},\bm{io},m,n):$

$\mathcal{P}:(\mathcal{C},\mathcal{S})\leftarrow \mathsf{PC.Commit}(\mathsf{pp},\tilde{\bm{w}})$ and send $\mathcal{C}$ to $\mathcal{V}$.

$\mathcal{V}:\bm{\tau}\in_R\mathbb{F}^{s}$ and send $\bm{\tau}$ to $\mathcal{P}$

Let $T_1=0, \mu_1=\log m,l_1=3$.

$\mathcal{V}:$ Sample $\bm{r}_x\in_R\mathbb{F}^{\mu_1}$

Sumcheck #1: $e_x\leftarrow\langle\mathcal{P}_{sc}(\mathcal{G}_{\bm{io},\bm{\tau}}),\mathcal{V}_{sc}(\bm{r}_x)\rangle(\mu_1,l_1,T_1)$

$\mathcal{P}:$ Compute $\bar{A}(\bm{r}_x)=v_A, \bar{B}(\bm{r}_x)=v_B, \bar{C}(\bm{r}_x)=v_C$ and send $(v_A,v_B,v_C)\rightarrow \mathcal{V}$.

$\mathcal{V}:$ Abort with $\mathsf{IsSat}=0$ if $e_x\neq(v_A\cdot v_B - v_C)\cdot\tilde{eq}(\bm{r}_x,\bm{\tau}).$

$\mathcal{V}:$ Sample $r_A,r_B,r_C\in_R\mathbb{F}$ and send them to $\mathcal{P}$.

Let $T_2=r_A\cdot v_A + r_B\cdot v_B + r_C\cdot v_C, \mu_2=\log m, l_2=2$.

$\mathcal{V}:$ Sample $r_y\in_R \mathbb{F}^{\mu_2}$

Sumcheck #2: $e_y\leftarrow\langle\mathcal{P}_{sc}(\bm{M}_{\bm{r}_x}),\mathcal{V}_{sc}(\bm{r}_y)\rangle(\mu_2,l_2,T_2)$

$\mathcal{P} : v\leftarrow \tilde{w}(r_y[1..])$ and send $v$ to $\mathcal{V}$.

$\mathsf{IsSat}_e \leftarrow \langle\mathcal{P}_\mathsf{PC.Eval}(\tilde{w},\mathcal{S}),\mathcal{V}_\mathsf{PC.Eval}(r)\rangle(\mathsf{pp}, \mathcal{C},r_y[1..],v,\mu_2)$

$\mathcal{V}:$ if $\mathsf{IsSat}_e == 0$, abort with $\mathsf{IsSat}=0$.

$\mathcal{V}: v_Z\leftarrow r_y[0]\cdot v+(1-r_y[0])\cdot\widetilde{(\bm{io},1)}(r_y[1...])$

$\mathcal{V}:v_1\leftarrow\tilde{A}(r_x,r_y),v_2\leftarrow\tilde{B}(r_x,r_y),v_3\leftarrow\tilde{C}(r_x,r_y)$

$\mathcal{V}:$ Abort with $\mathsf{IsSat}=0$ if $e_y\neq(r_A\cdot v_1 + r_B\cdot v_2 + r_C\cdot v_3)\cdot v_Z$

$\mathcal{V}:$ return $\mathsf{IsSat}=1$

$O(n)$ for each sumcheck instances

Cost of $\mathsf{PC.Commit}$ and $\mathsf{PC.Eval}$ for $\log m$-variate multilinear polynomial $\tilde{w}(\cdot)$.

$O(\log m)$ for each sumcheck instances

Cost of $\mathsf{PC.Eval}$ for $log\ m$-variate multilinear polynomial $\tilde{w}(\cdot)$

$O(n)$ to evaluate $\tilde{A}, \tilde{B}, \tilde{C}$ at $(\bm{r}_x, \bm{r}_y)$

$O(\log m)$ for each sumcheck instances

The size of the commitment to $\tilde{w}(\cdot)$ and the communication in $\mathsf{PC.Eval}$

The protocol described above is not succinct yet since the verifier incurs costs linear in the size of the R1CS instance to evaluate $\tilde{A}, \tilde{B}, \tilde{C}$ at $(\bm{r}_x, \bm{r}_y)$ on step 16. We can get around this by introducing an offline preprocessing step for $\mathcal{V}$. In this offline step, $\mathcal{V}$ with access to non-$\bm{io}$ portions of an R1CS instance $\mathbf{x}=(\mathbb{F},\bm{A,B,C},\bm{io},m,n)$ executes the following, where $\mathsf{pp}_{cc} \leftarrow \mathsf{PC.Setup}(1^λ, 2 \log m)$ and PC is an extractable polynomial commitment scheme for multilinear polynomials.

$\mathsf{Encode}(\mathsf{pp}_{cc},(\bm{A},\bm{B},\bm{C})):$

$(\mathcal{C}_A,\perp)\leftarrow \mathsf{PC.Commit}(\mathsf{pp}_{cc},\tilde{A})$

$(\mathcal{C}_B,\perp)\leftarrow \mathsf{PC.Commit}(\mathsf{pp}_{cc},\tilde{B})$

$(\mathcal{C}_C,\perp)\leftarrow \mathsf{PC.Commit}(\mathsf{pp}_{cc},\tilde{C})$

After encoding, $\mathcal{V}$ retains the commitments and instead of evaluating at step 16, it verifies the opening proof of $\tilde{A}, \tilde{B}, \tilde{C}$ at $(\bm{r}_x, \bm{r}_y)$. Unfortunately, existing polynomial commitment schemes are not efficient enough to be practical. Since, the number of variables in $\tilde{A}, \tilde{B}, \tilde{C}$ is $2\log m$, existing polynomial commitment schemes incur $O(2^{2\log m})=O(m^2)=O(n^2)$ cost for the prover side. Furthermore, in schemes such as Hyrax-PC, $\mathcal{V}_\mathsf{Eval}$ incurs $O(n)$ costs. This problem is addressed by introducing a new cryptographic compiler to transform an existing extractable polynomial commitment scheme for dense multilinear polynomials to one that can efficiently handle sparse multilinear polynomials.

According to the table below, which is taken from the paper, among the proof-succinct NIZKs, SpartanNIZK is 100× faster than Hyrax, 113× faster than Aurora, and 22× faster than Ligero at $2^{20}$ constraints. The commitment scheme used for this benchmark is Hyrax-PC over curve25519 ().

Written by from