LatticeFold & its Applications to Succinct Proof Systems
Dan Boneh, Binyi Chen
Stanford University
(zk)SNARKs
(zk)SNARK = A succinct ZK proof showing that ∃w s.t. C(x, w) = 0
  S(C) → (pp, vp)
  P(pp, x, w) → π
  V(vp, x, π) → 0/1
E.g., SHA-3(w) = x
Properties:
• Completeness: honest P can compute a valid π
• Knowledge soundness: a malicious P* that can generate a valid π knows a valid w
• Zero knowledge: π hides the witness w
Key requirements for π: Short (i.e. |π| ≪ |w|) + Fast to verify (e.g. O(log|C|) time)
Applications: Blockchain, Verifiable zkML/FHE, Fighting disinformation & more
[Xie+22, NT16, DB22, KHSS22, BBBF18, XCBFCK22, …]
Challenges: Proving expensive statements (e.g., ML tasks) efficiently
Monolithic SNARKs [Bitansky-Canetti-Chiesa-Tromer12, …]
Pipeline: NP statement (x, w) for a relation R → algebraic transform (full computation trace) → extended witness W ∈ F^N → global computation over the entire W (FFTs, MSMs, etc.) → proof π
E.g., a block of 10K txs is valid w.r.t. the ledger state update
Challenges for proving expensive computation:
• Expensive global computation
• Large prover memory
• Harder parallelization + less streaming-friendly
Pre-quantum schemes:
• Groth16, Plonk [GWC19], Marlin [CHMMVW20], Bulletproofs [BBBPWM18]
• HyperPlonk [CBBZ22], Spartan [Setty19], etc.
Post-quantum schemes:
• STARK [BBHR18], Brakedown [GLSTW21], Ligero [AHIV17], Basefold [ZCF23], …
• Lattice Bulletproofs [BLNS20, ACK21], LaBRADOR [BS22], …
Piecemeal SNARKs [Valiant08, BCTV14, BCCT12]
NP statement (x, w) for a relation R (e.g., a block of 10K txs is valid w.r.t. the ledger state)
  → split into chunk stmt 1, chunk stmt 2, chunk stmt 3, …
  → proofs π_1, π_2, … are produced step by step; each step's SNARK proves its own chunk and verifies the previous proofs, ending with the final SNARK proof π
SNARK circuit at step 3 [Bitansky-Canetti-Chiesa-Tromer12]:
(1) chunk stmt 3 is correct
(2) π_1, π_2 verify correctly
Ideas:
• Split the statement into multiple small chunks
• Prove chunk statements using SNARK recursion
Pros:
• Minimal memory overhead
• Streaming/parallelization friendly
e.g. Mangrove [NDCTB24], [Sou23]
Problem: noticeable recursion overhead
• SNARK generation at each recursion step
• Concretely expensive SNARK verifier circuit
Folding Schemes [KST21, BCLMS20, KS23, BC23]
Committed NP relation (com: a commitment scheme):
  (x′ = (c, x), w) ∈ R_com   if and only if   (x, w) ∈ R ∧ (c = com(w))
Next: we omit the public input x for notational convenience
Folding Schemes [KST21, BCLMS20, KS23, BC23]
Folding: two statements (c_1, w_1), (c_2, w_2) ∈ R, e.g., c_1 = com(w_1) ∧ φ(w_1) = 1
  Folding prover P_fd (holding w_1, w_2) and folding verifier V_fd (holding c_1, c_2) run protocol Π
  Output: folded instance c_fd (both sides) and folded witness w_fd (prover side)
  P_fd and V_fd can be made non-interactive
Goal: prove ((c_1, w_1), (c_2, w_2)) ∈ R × R
Reduced goal: prove (c_fd, w_fd) ∈ R
Completeness: If ((c_1, w_1), (c_2, w_2)) ∈ R × R, then (c_fd, w_fd) ∈ R for an honest execution
Knowledge soundness: If (c_fd, w_fd) ∈ R for P*'s output w_fd, then P* also knows w_1, w_2
Generalization: Reduction of knowledge [Kothapalli and Parno23]
  Input relation R_in := R × R,  output relation R_out := R
  (c_in, w_in) := ((c_1, w_1), (c_2, w_2)),  (c_out, w_out) := (c_fd, w_fd)
SNARKs from Folding [KST21, BCLMS20, KS23, BC23]
Piecemeal SNARK:
NP statement (x, w) for a relation R
  → split into (c_1, w_1) ∈ R_com, (c_2, w_2) ∈ R_com, …, (c_n, w_n) ∈ R_com
SNARK P computes: (c_fd^(1), w_fd^(1)) := (c_1, w_1); then for i = 1, …, n−1 runs P_fd on (c_fd^(i), w_fd^(i)) and (c_{i+1}, w_{i+1}) to obtain (c_fd^(i+1), w_fd^(i+1))
  π = (c_fd^(n), w_fd^(n))
SNARK V checks (c_fd^(n), w_fd^(n)) ∈ R_com
Is c_fd^(n) correct?
Fix:
• Set x = H(c_n, H(c_{n−1}, …, H(c_1))) as public input
• SNARK P also sends (c_1, …, c_n)
• V checks x = H(c_n, H(c_{n−1}, …, H(c_1))) and computes c_fd^(n) by iteratively calling the folding verifier V_fd given c_1, …, c_n
Caveat: proof/verifier complexity linear in n
Idea: Delegate the verifier work into the folded relation
  Prove a chain of computations (can extend to a tree of computations)
  Similar strategies are used in SNARGs for P and BARGs [Choudhuri-Jain-Jin21, Waters-Wu22]
SNARKs from Folding [KST21, BCLMS20, KS23, BC23]
Piecemeal SNARK: prove a chain of computations (can extend to a tree of computations)
Relation R (an expanded relation of R_com; public input hash checks omitted for simplicity):
(1) c_{i+1} = com(w_{i+1})
(2) local computation is correct
(3) Folding verifier V_fd(c_i, c_fd^(i), c_fd^(i+1); π_fd) = 1
Step i of the chain:
  (c_fd^(i), w_fd^(i)) ∈ R   "prev i−1 steps are correct"
  (c_i, w_i) ∈ R             "the i-th step is correct"
  V_fd(c_i, c_fd^(i); π_fd) → c_fd^(i+1), together with the witness w_fd^(i+1) on the prover side
  SNARK P computes the next pair (c_{i+1}, w_{i+1}) ∈ R, whose local computation includes this V_fd run (condition (3))
Folding verifier V_fd:
• ≈ check c_fd^(i+1) = c_i + r · c_fd^(i) for some scalar r
• much simpler than a SNARK verifier!
Folding prover P_fd:
• w_fd^(i+1) = w_i + r · w_fd^(i): a linear combination of field elements
• much faster than a SNARK prover!
Why faster than SNARK recursion?
  Simpler relation R ⇒ folding for relation R is faster than SNARK proving
  A folding scheme can be more efficient than a SNARK
Folding Schemes: State-of-the-Art
Committed NP statement (c, w) ∈ R
• Instance c: a short com(w) to witness w
• com is linearly homomorphic for easy folding, e.g., com(a) + com(b) = com(a + b)
State-of-the-art: Pedersen commitments
• Linearly homomorphic
• Pairing-free
• No trusted setup
Security:
• Based on DLOG assumptions & not post-quantum secure
Efficiency:
• Require cycle curves
• Prover: many group exponentiations over a large field
  • Wasteful as real data units are usually small (e.g. 32-bit)
• The folding verifier circuit V_fd:
  • Elliptic curve scalar multiplications :(
  • Non-native field-op simulations :(  (i.e., implementing arithmetic in F_p as a circuit over F_q)
Alternative option: recursive SNARKs from hash-based STARKs
• Less efficient: need full SNARK recursion
Can we construct a folding scheme with
• Post-quantum security
• Ultra-fast prover
• Efficient verifier circuit (e.g., no need for non-native field emulation)
Contributions
LatticeFold: The first lattice-based folding scheme
• Based on the Module Short-Integer-Solution (MSIS) assumption
• Competitive efficiency vs existing folding schemes
  • Linear-time prover + succinct verifier circuit
  • Relatively small fields (e.g., 32-bit or 64-bit)
  • Native simulation of ring operations in circuits
  • More friendly for applications like verifiable FHE/ML
Technical contribution: new folding techniques for lattice-based commitments
Warmup: Folding for Commitment Opening Relations
Relation R:
(1) c_{i+1} = com(w_{i+1})   ← the commitment opening relation folded in the warmup
(2) local computation is correct
(3) Folding verifier V_fd(c_1, c_2, c_fd; π_fd) = 1
Folding for Ajtai Commitment Openings
Committed NP statement (c, w) ∈ R
• Instance c: a short com(w) to witness w
• com is linearly homomorphic for easy folding
How about Ajtai binding commitments? [Ajt96, 99]
  A ←$ Z_q^{λ×n}, w ∈ Z_q^n ⟹ c := A · w ∈ Z_q^λ   (compact)
  Binding for "small-norm" w, i.e. w_i ∈ (−β, β) for i ∈ [n] (under the SIS assumption)
  Homomorphic property (over small-norm messages): c_1 + c_2 = A × w_1 + A × w_2 = A × (w_1 + w_2)
  Speed ≈ Poseidon hash over fast fields [GKRRS19]
Module-SIS generalization [LM'07, PR'07]: Z ⇒ R := Z[X]/(X^d + 1),  Z_q ⇒ R_q := R/qR
How to commit to w w/ large norms?
Dealing with Arbitrary Witnesses
How to commit to an arbitrary witness w w/ large norms?
The infinity norm of w ∈ Z^n: ‖w‖ := max_{i ∈ [n]} |w_i|
Comm open relation: R_open^β := {(c, w) : c = A w ∧ ‖w‖ < β}
Comm open relation with a gadget matrix G:
  R_open^β := {(c; (w, v)) : (c = A v) ∧ (‖v‖ < β) ∧ (w = G × v)}
  E.g. w_1 = (1, 2, 2², …) · (v_1, v_2, …, v_k)ᵀ: the gadget row recombines the low-norm digit vectors v_1, …, v_k into w
Our full-fledged protocol folds a similar relation
Next, assume that w is always low-norm in the first place!
Folding for Ajtai Commitment Openings
Comm open relation: R_open^β := {(c, w) : c = A w ∧ ‖w‖ < β}
The infinity norm of w ∈ Z^n: ‖w‖ := max_{i ∈ [n]} |w_i|
Naïve approach: given (c_1, w_1) ∈ R_open^β and (c_2, w_2) ∈ R_open^β, the folding prover P_fd outputs
  c_fd := c_1 + r · c_2
  w_fd := w_1 + r · w_2
  where r ∈ Z_q is a random scalar
Problems:
• ‖w_fd‖ can be larger than β (even if r is small) ⇒ (c_fd, w_fd) ∉ R_open^β !
• c_fd is no longer binding after ‖w_fd‖ exceeds the threshold
• Can't support many folding steps
Thoughts: make w_1, w_2 smaller before the random linear combination?
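The two slides above, as an added worked example that is not part of the talk: a toy Ajtai commitment c = A·w over Z_q, a check of the homomorphism com(w_1) + com(w_2) = com(w_1 + w_2), and the naïve fold w_fd := w_1 + r·w_2 repeated until ‖w_fd‖ leaves (−β, β). The modulus, the dimensions λ = 4 and n = 16, the bound β = 2^8 and the seeded matrix A are constructed toy values (nothing like secure parameters), and the function names are mine, not the paper's.

```python
import random

# Toy parameters (constructed for this example; the talk's parameters differ):
Q = 2**31 - 1        # prime modulus q of Z_q
KAPPA, N = 4, 16     # commitment rows (lambda on the slides) and witness length n
BETA = 2**8          # norm bound beta of the opening relation R_open^beta
rng = random.Random(1)
A = [[rng.randrange(Q) for _ in range(N)] for _ in range(KAPPA)]   # A <-$ Z_q^{lambda x n}


def commit(A, w):
    """Ajtai commitment c = A*w mod q (w is an integer vector)."""
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]


def inf_norm(w):
    """||w|| := max_i |w_i|, taken over the integers (not reduced mod q)."""
    return max(abs(x) for x in w)


def in_open_relation(A, c, w, beta):
    """(c, w) in R_open^beta  <=>  c = A*w  and  ||w|| < beta."""
    return commit(A, w) == c and inf_norm(w) < beta


def homomorphic_check(A, w1, w2):
    """com(w1) + com(w2) = com(w1 + w2) mod q: the property folding relies on."""
    lhs = [(x + y) % Q for x, y in zip(commit(A, w1), commit(A, w2))]
    return lhs == commit(A, [x + y for x, y in zip(w1, w2)])


def naive_fold(c1, w1, c2, w2, r):
    """Naive fold: c_fd := c1 + r*c2 mod q, w_fd := w1 + r*w2 over the integers."""
    c_fd = [(x + r * y) % Q for x, y in zip(c1, c2)]
    w_fd = [x + r * y for x, y in zip(w1, w2)]
    return c_fd, w_fd


def fold_until_overflow(A, beta, r, max_steps=20):
    """Keep folding fresh beta-bounded witnesses into an accumulator with scalar r.
    Returns (step at which ||w_fd|| first reached beta, or None; final norm).
    The linear relation c_fd = A*w_fd survives every fold; the norm bound does not."""
    w_acc = [rng.randrange(-beta + 1, beta) for _ in range(N)]
    c_acc = commit(A, w_acc)
    for step in range(1, max_steps + 1):
        w_new = [rng.randrange(-beta + 1, beta) for _ in range(N)]
        c_acc, w_acc = naive_fold(c_acc, w_acc, commit(A, w_new), w_new, r)
        assert commit(A, w_acc) == c_acc                   # still a valid linear opening...
        if not in_open_relation(A, c_acc, w_acc, beta):    # ...but no longer in R_open^beta
            return step, inf_norm(w_acc)
    return None, inf_norm(w_acc)
```

Even with r = 1 the accumulator's coordinates drift out of (−β, β) after a handful of folds, which is exactly why the binding guarantee (and hence knowledge soundness) evaporates: a commitment to an out-of-range vector is no longer a statement about a unique witness.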
Our Strategy
Relation: R_open^β := {(c, w) : c = A w ∧ ‖w‖ < β}
Recall our goal: a reduction of knowledge Π from R_open^β × R_open^β to R_open^β
Attempt (with b < β):
  R_open^β × R_open^β → Decompose w → R_open^b × R_open^b × R_open^b × R_open^b → Fold → R_open^β
How to instantiate Decompose and Fold?
Sequential composition: if Π_1 reduces R_1 to R_2 and Π_2 reduces R_2 to R_3, then Π_2 ∘ Π_1 reduces R_1 to R_3
Nice property of RoK! [Kothapalli and Parno23]
Roadmap
• Decomposition Protocol
• Fold Protocol
  R_open^β × R_open^β → Decompose w → R_open^b × R_open^b × R_open^b × R_open^b
Norm Control with Decomposition
Goal: a RoK from (c, w) ∈ R_open^β to R_open^b × R_open^b, with b² = β
  (The RoK from R_open^β × R_open^β to R_open^b × R_open^b × R_open^b × R_open^b is a parallel composition of the protocol below)
"Write" the big vector w using "base" b:
  w (Z-coeffs in (−β, β)) = w_0 (Z-coeffs in (−b, b)) + b · w_1 (Z-coeffs in (−b, b))
Decompose, between P (holding w) and V, both holding c = A w:
  P sends c_0, c_1 where c_0 = A w_0, c_1 = A w_1, and keeps w_0, w_1
  V checks: c = c_0 + b · c_1   (since A w = A w_0 + b · A w_1)
Extract: w* = w_0 + b · w_1 ("remainder" + "quotient"), so (c, w*) ∈ R_open^β
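The decomposition protocol above, as an added worked example that is not part of the talk: balanced base-b splitting w = w_0 + b·w_1 with both digit vectors in (−b, b), the verifier's check c = c_0 + b·c_1 on toy Ajtai commitments, and the extractor w* = w_0 + b·w_1. The modulus, b = 16 (so β = b² = 256), the dimensions and the seeded matrix A are constructed toy values, and the names are mine.

```python
import random

# Toy parameters (constructed here; not the talk's):
Q = 2**31 - 1
KAPPA, N = 4, 8
B = 16             # base b
BETA = B * B       # beta = b^2, as on the slide
rng = random.Random(7)
A = [[rng.randrange(Q) for _ in range(N)] for _ in range(KAPPA)]


def commit(A, w):
    """Ajtai commitment c = A*w mod q."""
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]


def inf_norm(w):
    return max(abs(x) for x in w)


def decompose(w, b):
    """Write w = w0 + b*w1 with both digit vectors in (-b, b).
    Truncating (toward-zero) division keeps the sign on both parts, so
    |w0_i| <= b-1 and, for |w_i| < b^2, |w1_i| <= (b^2 - 1) // b = b - 1."""
    w0, w1 = [], []
    for x in w:
        s = -1 if x < 0 else 1
        w0.append(s * (abs(x) % b))    # "remainder"
        w1.append(s * (abs(x) // b))   # "quotient"
    return w0, w1


def decompose_protocol(A, c, w, b):
    """Prover: sends c0 = A*w0, c1 = A*w1 and keeps (w0, w1).
    Verifier: checks c = c0 + b*c1 mod q, which holds because A*w = A*w0 + b*A*w1."""
    w0, w1 = decompose(w, b)
    c0, c1 = commit(A, w0), commit(A, w1)
    verifier_ok = all((x0 + b * x1) % Q == x for x0, x1, x in zip(c0, c1, c))
    return (c0, w0), (c1, w1), verifier_ok


def extract(w0, w1, b):
    """Extractor for the reduction of knowledge: w* = w0 + b*w1.
    If ||w0||, ||w1|| < b then ||w*|| <= (b-1) + b*(b-1) = b^2 - 1 < beta."""
    return [x0 + b * x1 for x0, x1 in zip(w0, w1)]


def demo(seed=3):
    """Run decompose + verify + extract on a random beta-bounded witness."""
    r = random.Random(seed)
    w = [r.randrange(-BETA + 1, BETA) for _ in range(N)]
    c = commit(A, w)
    (c0, w0), (c1, w1), ok = decompose_protocol(A, c, w, B)
    w_star = extract(w0, w1, B)
    return {
        "verifier_ok": ok,
        "parts_small": inf_norm(w0) < B and inf_norm(w1) < B,
        "extracted_opens_c": commit(A, w_star) == c and inf_norm(w_star) < BETA,
        "w_recovered": w_star == w,
    }
```

The verifier never sees w_0 or w_1; it only checks one linear relation between three commitments, which is why this step adds almost nothing to the folding verifier circuit while guaranteeing that whatever the extractor recombines has norm below β.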
Roadmap
• Decomposition Protocol
• Fold Protocol
  R_open^β × R_open^β → Decompose w → R_open^b × R_open^b × R_open^b × R_open^b → Fold → R_open^β
Folding: Naïve Approach
Goal: Fold R_open^b × R_open^b × … → R_open^β
Folding prover P_fd: given (c_1, w_1) ∈ R_open^b and (c_2, w_2) ∈ R_open^b,
  c_fd := c_1 + r · c_2
  w_fd := w_1 + r · w_2
  where r ∈ Z_q is a small random scalar
Completeness ✔ (since b ≪ β, (c_fd, w_fd) ∈ R_open^β)
Knowledge extraction:
Naïve idea: rewind P_fd* to obtain w_fd^x, w_fd^y for c_fd^x = c_1 + r_x · c_2 and c_fd^y = c_1 + r_y · c_2
  Solve the linear equations for w_1, w_2:
    w_fd^x = w_1 + r_x · w_2
    w_fd^y = w_1 + r_y · w_2
  Extracted witness: w_2 = (w_fd^y − w_fd^x) · (r_y − r_x)^{−1}; same for w_1
The norm can be much larger than b! ⇒ (c_2, w_2) ∉ R_open^b !
Roadmap
• Decomposition Protocol
• Fold Protocol
  • Naïve extraction + argue smallness of the extracted witness
Our strategy: combine naïve folding & extraction with a range-proof protocol
Using range proof: witness w′ ∈ (−b, b)^n
(Batched) range proof via sumcheck
Goal: given the input commitment c′, prove knowledge of w′ = (f_1, f_2, …, f_n) ∈ Z^n s.t.
• c′ = A w′   (achieved by naïve folding + extraction; in folding, c′ = c_0 & c_1 and w′ = w_0 & w_1)
• w′ = (f_1, f_2, …, f_n) has norm smaller than b
• Efficient (folding) verifier circuit
Our solution: a range-proof protocol from sumcheck
Review of the Sumcheck Protocol [LFKN92]
Goal: Given a "committed" m-variate poly g(x_1, …, x_m), convince V that Σ_{x ∈ {0,1}^m} g(x) = s
Naïve verifier: query g at every x ∈ {0,1}^m and check the sum: Ω(2^m) complexity :(
Sumcheck protocol [LFKN92]:
• m-round interactive protocol between P and V
• V sends a random challenge r_i ∈ F in each round
• At the end of the protocol, V queries g at a single random point
  Sumcheck: Σ_{x ∈ {0,1}^m} g(x) = s  → [sumcheck protocol, O(m)-time verifier] →  EvalCheck: g(r_1, …, r_m) = t′ at a random r ∈ Z_q^m
  A reduction from a sumcheck statement to an evaluation statement
History: Key ingredient for proving PH ⊆ IP, and inspired the proof of IP = PSPACE
Our solution: a range-proof protocol from sumcheck
Goal: given the input commitment c′, prove knowledge of w′ = (f_1, f_2, …, f_n) ∈ Z^n s.t.
• w′ = (f_1, f_2, …, f_n) has norm smaller than b
Step 1: Rephrase the range-proof statement as a sumcheck statement
Step 2: Construct a folding protocol for the sumcheck statement
Step 1: Reducing Range Proof to Sumcheck
Range proof: prove knowledge of a witness w′ = (f_1, f_2, …, f_n) ∈ Z^n s.t. f_i ∈ (−b, b) ⊆ Z for all i
  (can extend to elements in the ring R = Z[X]/(X^d + 1))
Define h(x) := x (x+1)(x−1) ⋯ (x+b−1)(x−(b−1)) over Z_q := [−q/2, q/2), where q > 2b is a prime
  h(x) = 0 ⟺ x ∈ (−b, b)
Embed w′ into the Boolean hypercube of a multilinear polynomial f(x_1, …, x_{log n}):
  x:        00…00     00…01     …   11…10       11…11
  f(x):     f_1       f_2       …   f_{n−1}     f_n
  h(f(x)):  h(f_1)=0  h(f_2)=0  …   h(f_{n−1})=0  h(f_n)=0
Zero-check to sum-check [CBBZ23, Setty20]:
Sumcheck: prove that Σ_{x ∈ {0,1}^{log n}} g(x) = 0 where g(x) := h(f(x)) · eq_α(x) for a random α ∈ Z_q^{log n}
Step 2: Sumcheck Folding
Range proof: witness w′ = (f_1, f_2, …, f_n) ∈ (−b, b)^n
Step 1 ✔: Sumcheck: Σ_{x ∈ {0,1}^{log n}} g(x) = 0 where g(x) := h(f(x)) · eq_α(x)
  → [sumcheck protocol [LFKN92]] →  EvalCheck: g(r) = t′ at a random r ∈ Z_q^{log n}
  Prover time: ≈ O(bn); Verifier time: O(b log n)
  (the verifier can check g(r) = h(t) · eq_α(r) = t′ itself, given t = f(r))
Problem: How to check f(r) = t given the commitment of f?
• Send f_1, f_2, …, f_n to the folding verifier to check it? → O(n) folding verifier :(
Observation: the EvalStmt f(r) = t is easy to fold!
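The sumcheck review and Steps 1 and 2 above, as one added worked example that is not part of the talk: the range polynomial h, the embedding of w′ on the hypercube, the zero-check g(x) = h(f(x))·eq_α(x), and an interleaved prover/verifier run of the sumcheck that ends in the residual EvalCheck f(r) = t. The modulus, b = 4, n = 8 and the challenge sampling are constructed toy values; the functions and the index layout (x_1 as the top bit) are my own choices, not the paper's.

```python
import random

# Toy parameters (constructed for this example; the talk's are much larger):
Q = 2**31 - 1    # prime modulus q, q > 2b
B = 4            # range bound b: every coefficient must lie in (-b, b)
DEG = 2 * B      # per-variable degree of g = h(f)*eq_alpha: deg h = 2b-1, eq adds 1


def h(x):
    """h(x) := x (x+1)(x-1) ... (x+b-1)(x-(b-1)) mod q; h(x) = 0 iff x in (-b, b)."""
    acc = x % Q
    for k in range(1, B):
        acc = acc * ((x + k) % Q) % Q * ((x - k) % Q) % Q
    return acc


def eq_table(alpha):
    """Hypercube evaluations of eq_alpha(x) = prod_i (alpha_i x_i + (1-alpha_i)(1-x_i)).
    Index bit layout: x_1 is the most significant bit of the table index."""
    tab = [1]
    for a in reversed(alpha):
        tab = [t * (1 - a) % Q for t in tab] + [t * a % Q for t in tab]
    return tab


def eq_point(alpha, r):
    """eq_alpha(r) at an arbitrary point r; what the verifier recomputes at the end."""
    acc = 1
    for a, ri in zip(alpha, r):
        acc = acc * ((a * ri + (1 - a) * (1 - ri)) % Q) % Q
    return acc


def bind_top(tab, r):
    """Fix the top (most significant) variable of a multilinear table to r."""
    half = len(tab) // 2
    return [(tab[j] + r * (tab[j + half] - tab[j])) % Q for j in range(half)]


def lagrange_eval(ys, x):
    """Evaluate the polynomial of degree < len(ys) with values ys at 0, 1, ... at point x."""
    n, total = len(ys), 0
    for i, yi in enumerate(ys):
        num, den = 1, 1
        for j in range(n):
            if j != i:
                num = num * ((x - j) % Q) % Q
                den = den * ((i - j) % Q) % Q
        total = (total + yi * num % Q * pow(den, Q - 2, Q)) % Q
    return total


def sumcheck_range(f, alpha, seed=0):
    """Prover and verifier (interleaved) for sum_{x in {0,1}^m} h(f(x)) * eq_alpha(x) = 0,
    where f is given by its n = 2^m hypercube values. Returns (accepted, r, t): the
    residual claim is the EvalCheck f(r) = t, which the verifier cannot check from the
    commitment alone and which LatticeFold folds instead of checking."""
    rng = random.Random(seed)            # stands in for the verifier's random challenges
    F, E = [x % Q for x in f], eq_table(alpha)
    claim, r = 0, []
    for _ in range(len(alpha)):
        # Prover: round polynomial s(X) = sum over the unbound suffix of h(F_X) * E_X,
        # sent as its values at X = 0..DEG (F and E are linear in X for a fixed suffix).
        s = []
        for X in range(DEG + 1):
            FX, EX = bind_top(F, X), bind_top(E, X)
            s.append(sum(h(a) * e for a, e in zip(FX, EX)) % Q)
        # Verifier: s(0) + s(1) must match the running claim, then sample r_i.
        if (s[0] + s[1]) % Q != claim:
            return False, r, None
        ri = rng.randrange(Q)
        r.append(ri)
        claim = lagrange_eval(s, ri)
        F, E = bind_top(F, ri), bind_top(E, ri)
    t = F[0]                             # prover's claimed f(r)
    accepted = (h(t) * eq_point(alpha, r)) % Q == claim
    return accepted, r, t
```

A witness with one coefficient equal to b makes the true sum h(b)·eq_α(x) ≠ 0, so an honest prover's first-round polynomial already fails s(0) + s(1) = 0 and the verifier rejects; the verifier's own work per round is O(b) field operations, matching the O(b log n) verifier cost on the slide.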
Folding Evaluation Statements
Observation: f(r) = t is easy to fold!
Two evaluation statements: f_1(r_1) =? t_1 and f_2(r_2) =? t_2
  Translate each to a sumcheck statement via the multilinear extension: f(r) = Σ_{x ∈ {0,1}^{log n}} f(x) · eq_r(x)
  Run sumcheck → f_1(r_o) =? t_{o,1} and f_2(r_o) =? t_{o,2}, where r_o is the sumcheck challenge
  Fold: f_fd := f_1 + ρ · f_2 for random ρ, and check f_fd(r_o) =? t_o, where t_o is efficiently computable (t_o = t_{o,1} + ρ · t_{o,2} by linearity)
How does it help to check f(r) = t given the commitment of f?
• Fold the evaluation statement without checking!
Folding for Ajtai Commitment Openings
Solution: expand the relation R_open to include the evaluation statement: (c = com(f)) ∧ (f(r) = t)
  Accumulated statement (R_eval^b): c_2 =? com_b(f_2) ∧ f_2(r_2) =? t_2
  Online statement (R_open^b): c_1 =? com_b(f_1)
  → naïve fold + sumcheck for RangeProof & EvalStmt (verifier: O(b log n)) →
  New accumulated statement (R_eval^β): c_fd =? com_β(f_fd) ∧ f_fd(r_o) =? t_o
  (the sumcheck batches MatMul + RangePf + EvalStmt)
The knowledge soundness proof is more subtle than intuition:
• A malicious prover can adaptively choose the output witness after seeing the challenges
• ⇒ The extracted input witnesses could depend on the sumcheck challenges
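The two slides above (folding evaluation statements, and the expanded relation (c = com(f)) ∧ (f(r) = t)), as an added worked example that is not part of the talk: both predicates are linear in f, so c_fd = c_1 + ρ·c_2 and t_fd = t_1 + ρ·t_2 are computable by a verifier that never sees f_1 or f_2, while the witness f_fd = f_1 + ρ·f_2 keeps a small norm only for small ρ. The example assumes the batched sumcheck has already moved both claims to the common point r_o (as the slide describes) and does not re-run it; the modulus, the matrix A, r_o, ρ and β are constructed toy values, and the function names are mine.

```python
import random

# Toy parameters (constructed for this example):
Q = 2**31 - 1
KAPPA, M = 4, 3               # commitment rows; m = log n, so n = 8 coefficients
rng = random.Random(11)
A = [[rng.randrange(Q) for _ in range(2**M)] for _ in range(KAPPA)]


def commit(f):
    """Ajtai-style commitment c = A*f mod q; linear in f."""
    return [sum(a * x for a, x in zip(row, f)) % Q for row in A]


def inf_norm(f):
    return max(abs(x) for x in f)


def mle_eval(f, r):
    """Multilinear extension: f(r) = sum_{x in {0,1}^m} f(x) * eq_r(x), x_1 = top index bit."""
    total, m = 0, len(r)
    for i, fx in enumerate(f):
        w = 1
        for j, rj in enumerate(r):
            bit = (i >> (m - 1 - j)) & 1
            w = w * ((rj if bit else 1 - rj) % Q) % Q
        total = (total + fx * w) % Q
    return total


def make_statement(f, r_o):
    """An honest accumulated statement (c, f, r_o, t) with c = com(f) and t = f(r_o)."""
    return (commit(f), f, r_o, mle_eval(f, r_o))


def fold_eval_statements(stmt1, stmt2, rho, beta):
    """Fold (c_1 = com(f_1)) ^ (f_1(r_o) = t_1) and (c_2 = com(f_2)) ^ (f_2(r_o) = t_2) into
    (c_fd = com(f_fd)) ^ (f_fd(r_o) = t_fd) with c_fd = c_1 + rho*c_2, f_fd = f_1 + rho*f_2,
    t_fd = t_1 + rho*t_2. Both predicates are linear, so the verifier derives c_fd and t_fd
    without seeing f_1, f_2. Returns the folded statement and whether it lies in the
    expanded relation with norm bound beta (the part a large rho would break)."""
    (c1, f1, r_o, t1), (c2, f2, r_o2, t2) = stmt1, stmt2
    assert r_o == r_o2, "both evaluation claims must already be at the common point r_o"
    c_fd = [(x + rho * y) % Q for x, y in zip(c1, c2)]
    f_fd = [x + rho * y for x, y in zip(f1, f2)]     # witness stays an integer vector
    t_fd = (t1 + rho * t2) % Q
    in_relation = (commit(f_fd) == c_fd
                   and mle_eval(f_fd, r_o) == t_fd
                   and inf_norm(f_fd) < beta)
    return (c_fd, f_fd, r_o, t_fd), in_relation
```

The verifier-side work here is two scalar-vector operations on c and one field multiplication on t, which is what makes "fold the evaluation statement without checking" cheap; the range proof from the previous slides is what later certifies that the accumulated f_fd really has norm below β.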
Subtleties & Optimizations
Sumcheck over rings [CCKP19, BCS21]:
• Ajtai commitments over the ring R_q := Z_q[X]/(X^d + 1) for concrete efficiency
• Small-norm random folding scalar chosen from S ⊆ R_q for negligible soundness error
• Implication: run sumcheck over rings
Supporting a small modulus:
• We want a small modulus q for better efficiency
  • Efficient CPU/GPU ops; no big-number arithmetic
  • More efficient packing of real-world data
Folding for NP-complete Relations
Relation R:
(1) c_{i+1} = com(w_{i+1})
(2) local computation is correct   ← needs to express computation
(3) Folding verifier V_fd(c_1, c_2, c_fd; π_fd) = 1
Arithmetic over a ring → great fit for verifiable ML/FHE
Efficiency Estimates
Setting: R_q := Z_q[X]/(X^64 + 1), isomorphic to a product of extension fields of Z_q; q: a 64-bit prime; C_chk: chunk circuit size (e.g. 2^20 gates over those extension-field components); norm bound β; base b = 2
Folding prover:
• LatticeFold: O(|C_chk|) multiplications over R_q to compute the Ajtai commitments; speed ≈ fast hash; can reuse fast FHE implementations!
• Existing schemes (Pedersen commitments): O(|C_chk|)-sized multi-scalar multiplications
Folding verifier:
• LatticeFold: O(b · log|C_chk|) hashes and R_q-ops (sumcheck verifier); native ops in the circuit over R_q
• Existing schemes: ECC scalar-mul + (sumcheck V); non-native field ops in the circuit (i.e., arithmetic in F_p as a circuit over F_q)
• Competitive circuit sizes
Piecemeal SNARK proof:
• LatticeFold: ≈ 2 folding instance-witness pairs. What if it's still large? E.g., splitting a stmt of size 2^30 into 2^10 chunks → 2^20-sized chunk stmts. Solution: use a PQ-secure STARK to prove the correctness of the folding statement: < 100KB and 2ms verifier (STIR [ACFY24])
• Existing schemes: < 5KB w/ HyperPlonk+KZG [CBBZ23]
Summary & Open Problems
Takeaway:
• The first lattice-based folding scheme based on Ajtai commitments
• Gives memory-efficient, plausibly PQ-secure SNARKs with fast provers
• Generic techniques for folding lattice-based commitments w/ norm constraints
Open problems:
• Compact + homomorphic lattice commitments with no norm constraints
• Folding table lookup relations (e.g., from Lasso [Setty-Thaler-Wahby23])
• Efficient implementation
Concurrent work: [Bünz-Mishra-Nguyen-Wang24]
• Purely from hashing; no lattice crypto
• General optimization techniques for piecemeal SNARKs (apply to LatticeFold)
• Larger verifier circuit; only supports bounded-depth folding (attack exists)
Thank you!
https://eprint.iacr.org/2024/257.pdf
Expecting updates soon!

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Applications to Succinct Proof Systems (Binyi Chen)

  • 1. LatticeFold & its Applications to Succinct Proof Systems Dan Boneh Binyi Chen Stanford University
  • 2. (zk)SNARKs (zk)SNARK = A succinct ZK proof showing that ∃𝒘 s.t. 𝐶(𝒙, 𝒘) = 0 𝜋 S(𝐶)→ (𝑝𝑝!, 𝑣𝑝") P(𝑝𝑝!, 𝒙, 𝒘) Properties: • Completeness: honest P can compute valid 𝜋 • Knowledge soundness: malicious P* knows valid 𝒘 if it can generate valid 𝜋 • Zero knowledge: 𝜋 hide the witness 𝒘 V (𝑣𝑝!, 𝒙, 𝜋) → 0/1 E.g., SHA-3(𝒘) = 𝒙 Key requirements for 𝝅: Short (i.e. 𝜋 ≪ |𝒘|) + Fast to verify (e.g. O(log 𝐹 ) time) Applications: Blockchain, Verifiable zkML/FHE, Fighting disinformation & more [Xie+22, NT16, DB22, KHSS22, BBBF18, XCBFCK22……] Challenges: Proving expensive statements (e.g., ML tasks) efficiently
  • 3. Monolithic SNARKs [Bitansky-Canetti-Chiesa-Tromer12…] Global computation over the entire 𝑊 Proof 𝜋 Challenges for proving expensive computation: • Expensive global computation • Large prover memory • Harder parallelization + less streaming-friendly NP statement 𝑥, 𝑤 for a relation 𝑅! Extended witness 𝑊 ∈ 𝔽" Algebraic transform Full computation trace Pre-quantum Schemes: • Groth16, Plonk [GWC19], Marlin[CHMMVW20], Bulletproof[BBBPWM18] • HyperPlonk[CBBZ22], Spartan[Setty19], etc… Post-quantum Schemes: • STARK[BBHR18],Brakedown[GLSTW21],Ligero[AHIV17], Basefold[ZCF23] … • Lattice Bulletproofs[BLNS20,ACK21], LaBRADOR[BS22] … E.g., a block of 10K txs is valid w.r.t. ledger state update FFTs, MSMs, etc…
  • 4. Piecemeal SNARKs [Valiant08, BCTV14, BCCT12] NP statement 𝑥, 𝑤 for a relation 𝑅! split SNARK Proof 𝜋#$ Ideas: • Split the statement into multiple small chunks • Prove chunk statements using SNARK Recursion Problem: noticeable recursion overhead • SNARK generation at each recursion step • Concretely expensive SNARK verifier circuit Pros: • Minimal memory overhead • Streaming/parallelization friendly + v + v + v 𝜋! 𝜋" SNARK Circuit: (1) chunk stmt 3 is correct (2) 𝜋%, 𝜋& verify correctly e.g., a block of 10K txs is valid w.r.t. the ledger state 𝜋! ∗ 𝜋" ∗ [Bitansky-Canetti-Chiesa-Tromer12] e.g. Mangrove[NDCTB24], [Sou23] chunk stmt 1 chunk stmt 2 chunk stmt 3
  • 5. Folding Schemes [KST21,BCLMS20,KS23,BC23] Committed NP Relation: 𝑥, 𝑤 ∈ 𝑅 com: A commitment scheme 𝑥′ = (𝑐, 𝑥), 𝑤 ∈ 𝑅! 𝑥, 𝑤 ∈ 𝑅 ∧ (𝑐 = com 𝑤 ) if and only if Next: We omit public input 𝑥 for notational convenience
  • 6. Folding Schemes [KST21,BCLMS20,KS23,BC23] Folding: E.g., 𝑐% = com 𝑤% ∧ 𝜙 𝑤% = 1 Folding 𝑃'( Folding v'( 𝚷 𝑤'( Stmt 𝑐%, 𝑤% 𝑐%, 𝑐& 𝑐'( Completeness: If 𝑐%, 𝑤% × 𝑐&, 𝑤& ∈ 𝑅×𝑅, then 𝑐'(, 𝑤'( ∈ 𝑅 for honest execution Knowledge soundness: If 𝑐'( 𝑤'( ∈ 𝑅 for 𝑃∗’s output 𝑤'(, then 𝑃∗ also knows 𝑤%, 𝑤& Reduced goal: prove 𝑐'(, 𝑤'( ∈ 𝑅 Generalization: Reduction of knowledge [Kothapalli and Parno23] Input relation: 𝑅% Output relation: 𝑅& 𝑐*+, 𝑤*+ Goal: prove 𝑐%, 𝑤% × 𝑐&, 𝑤& ∈ 𝑅×𝑅 𝑐,-$, 𝑤,-$ 𝑃$% and v$% can be made non-interactive × 𝑐&, 𝑤& ≔ 𝑅×𝑅 ≔ 𝑅 ≔ 𝑐%, 𝑤% × 𝑐&, 𝑤& ≔ (𝑐'(, 𝑤'()
  • 7. SNARKs from Folding [KST21,BCLMS20,KS23,BC23] Piecemeal SNARK: NP statement 𝑥, 𝑤 for a relation 𝑅! (𝑐!, 𝑤!) ∈ 𝑅"#$ (𝑐%, 𝑤%) ∈ 𝑅"#$ split …… …… (𝑐&, 𝑤&) ∈ 𝑅"#$ (𝑐'( ) , 𝑤'( ()) ) (𝑐'( ! , 𝑤'( (!) ) 𝑃!" 𝑃!" … … SNARK V checks ∈ 𝑅&'( 𝑃!" 𝑃!" 𝑃!" 𝜋 = (𝑐'( & , 𝑤'( (&) ) … … (𝑐'( , , 𝑤'( (,) ) Is 𝑐"# $ correct? Fix: • Set x = H(𝑐), H(𝑐)*!, … , H(𝑐!)) as public input • SNARK P also sends (𝑐!, … , 𝑐)) • V checks x = H(𝑐), H(𝑐)*!, … , H(𝑐!)) and computes 𝑐$% ) by iteratively calling folding v$% given 𝑐!, … , 𝑐) Caveat: proof/verifier complexity linear to 𝑛 Idea: Delegate the verifier work into the folded relation Prove a chain of computations (can extend to a tree of computations) Similar strategies used in SNARGs for P and BARGs[Choudhuru-Jain-Jin21, Waters-Wu22] SNARK P computes:
  • 8. SNARKs from Folding [KST21,BCLMS20,KS23,BC23] Relation 𝑅 : (1) 𝑐+,! = com(𝑤+,!) (2) local computation is correct (3) Folding verifier v$% 𝑐+, 𝑐$% (+) , 𝑐$% (+,!) ; 𝜋$% = 1 𝑐'( (/0%) + witness 𝑤'( (/0%) Folding verifier 𝐯$%: • ≈ check 𝑐$% (+,!) = 𝑐+ + 𝑟 ⋅ 𝑐$% (+) for some scalar 𝑟 • much simpler than a SNARK verifier! v$% 𝑐$% (+) 𝑐+ 𝜋"# Compute 𝑐+,!, 𝑤+,! ∈ 𝑅 v$% 𝑐$% (+) , 𝑤$% (+) ∈ 𝑅 𝑐+, 𝑤+ ∈ 𝑅 v$% Prev 𝑖 − 1 steps are correct The 𝑖-th step is correct Piecemeal SNARK: Prove a chain of computations (can extend to a tree of computations) 𝑅: an expanded relation to 𝑅&'( Omit public input hash checks for simplicity Folding prover 𝐏$%: • 𝑤$% (+,!) = 𝑤+ + 𝑟 ⋅ 𝑤$% (+) : linear combination of field elems • much faster than a SNARK prover! Why faster than SNARK recursion? Simpler relation 𝑅 Faster folding for relation 𝑅 than SNARK proving A folding scheme could be more eXicient than a SNARK
  • 9. Folding Schemes: State-of-the-Art Committed NP statement 𝑐, 𝑤 ∈ 𝑅 • Instance 𝑐: a short com(𝑤) to witness 𝑤 • com is linearly-homomorphic for easy folding State-of-the-art: • Pedersen commitments • Linearly-homomorphic • Pairing-free • No trusted setup Security: • Based on DLOG assumptions & not post-quantum secure E?iciency: • Require cycle curves • Prover: many group-exponentiations over a large field • Wasteful as real data units usually small (e.g. 32-bit) • The folding verifier circuit v'(: • Elliptic curve scalar multiplications : ( • Non-native field-op simulations : ( Alternative Option: Recursive SNARKs from hash-based STARKs Less e5icient: need full SNARK recursion implement arithmetic in 𝔽/ as a circuit over 𝔽0 e.g., com 𝑎 + com 𝑏 = com(𝑎 + 𝑏)
  • 10. Can we construct a folding scheme with • Post-quantum security • Ultra-fast prover • Efficient verifier circuit (e.g., no need for non-native field emulation)
  • 11. LatticeFold: The first lattice-based folding scheme • Based on the Module Short-Integer-Solution (MSIS) assumption • Competitive efficiency vs existing folding schemes • Linear-time prover + succinct verifier circuit • Relatively small fields (e.g., 32-bit or 64-bit) • Native simulation of ring operations in circuits • More friendly for applications like verifiable FHEs/MLs Technical contribution: New folding techniques for lattice-based commitments Contributions
  • 12. Folding for Relation 𝑅 : (1) 𝑐/0% = com(𝑤/0%) (2) local computation is correct (3) Folding verifier v'( 𝑐%, 𝑐&, 𝑐'(; 𝜋'( = 1 Commitments Opening Relation Warmup:
  • 13. Folding for Ajtai Commitment Openings Committed NP statement 𝑐, 𝑤 ∈ 𝑅 • Instance 𝑐: a short com(𝑤) to witness 𝑤 • com is linearly-homomorphic for easy folding 𝐴 ←$ ℤ/ 2×) 𝜆 𝑛 How about Ajtai binding commitments?[Ajt96,99] 𝑤 ∈ ℤ2 " = 𝑐 Binding for “small-norm” 𝑤 (under SIS assumption) 𝑐! 𝑐" + = 𝐴 × 𝑤! 𝑤" + = 𝐴 𝑤! + 𝑤" Homomorphic property: (over small-norm messages) speed ≈ Poseidon hash over fast fields [GKRRS19] 𝑤+ ∈ (−𝛽, 𝛽) for 𝑖 ∈ [𝑛] ∈ ℤ2 3 Compact Module-SIS Generalization ℤ ⇒ 𝑅 ≔ ℤ[𝑋]/(𝑋4 + 1) ℤ2 ⇒ 𝑅2 ≔ 𝑅/𝑞𝑅 [LM’07,PR’07] How to commit to 𝑤 w/ large norms?
  • 14. Dealing with an Arbitrary Witness
    The infinity norm of 𝑤 ∈ ℤ^𝑛: ‖𝑤‖ ≔ max_{𝑖∈[𝑛]} |𝑤_𝑖|
    Commitment opening relation: 𝑅_open^𝛽 ≔ {(𝑐, 𝑤) : 𝑐 = 𝐴𝑤 ∧ ‖𝑤‖ < 𝛽}
    How to commit to an arbitrary witness 𝑤 with large norms?
    Commitment opening relation with a gadget matrix 𝐺:
      𝑅_open^𝛽 ≔ {(𝑐; (𝑤, 𝑣⃗)) : (𝑐 = 𝐴𝑣⃗) ∧ (‖𝑣⃗‖ < 𝛽) ∧ (𝑤 = 𝐺 × 𝑣⃗)}
      E.g. 𝑤_1 = (1, 2, 2², …) × (𝑣⃗_1; 𝑣⃗_2; …; 𝑣⃗_𝑘): the gadget recomposes 𝑤 from the small-norm digit vectors 𝑣⃗_1, …, 𝑣⃗_𝑘
    Our full-fledged protocol folds a similar relation.
    Next, assume that 𝑤 is always low-norm in the first place!
  • 15. Folding for Ajtai Commitment Openings
    Commitment opening relation: 𝑅_open^𝛽 ≔ {(𝑐, 𝑤) : 𝑐 = 𝐴𝑤 ∧ ‖𝑤‖ < 𝛽}, with ‖𝑤‖ ≔ max_{𝑖∈[𝑛]} |𝑤_𝑖|
    Naïve approach (folding prover 𝑃_fold), for (𝑐_1, 𝑤_1) ∈ 𝑅_open^𝛽 and (𝑐_2, 𝑤_2) ∈ 𝑅_open^𝛽:
      𝑐_fold ≔ 𝑐_1 + 𝑟 ⋅ 𝑐_2,  𝑤_fold ≔ 𝑤_1 + 𝑟 ⋅ 𝑤_2,  where 𝑟 ∈ ℤ_q is a random scalar
    Problem: (𝑐_fold, 𝑤_fold) ∉ 𝑅_open^𝛽 !
    • ‖𝑤_fold‖ can be larger than 𝛽 (even if 𝑟 is small)
    • 𝑐_fold is no longer binding once ‖𝑤_fold‖ exceeds the threshold
    • Can't support many folding steps
    Thought: make 𝑤_1, 𝑤_2 smaller before the random linear combination?
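As an added illustration of slides 13 and 15 (this is not code from the slides or from the LatticeFold project), here is a toy Ajtai commitment over ℤ_q together with the naïve fold. The modulus, dimensions, seeded matrix and small witnesses are constructed for the demo and are far too small to be secure. `folds_until_norm_exceeds` counts how many naïve folds with small scalars it takes before the accumulated witness leaves 𝑅_open^𝛽 even though 𝑐 = 𝐴𝑤 keeps holding by linearity; `norm_after_large_scalar_fold` shows that a uniformly random scalar breaks the bound in one step.

```python
import random

# Toy parameters for an Ajtai commitment over Z_q. Constructed for illustration;
# far too small to be secure.
Q = 2**31 - 1       # modulus q
LAMBDA, N = 4, 16   # commitment length lambda, witness length n
BETA = 2**10        # norm bound beta of the opening relation R_open^beta

def sample_matrix(seed=1):
    """A <-$ Z_q^{lambda x n} (public parameters)."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(LAMBDA)]

def commit(A, w):
    """Ajtai commitment c = A*w mod q, a vector in Z_q^lambda."""
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]

def inf_norm(w):
    """Infinity norm ||w|| = max_i |w_i| over the integers."""
    return max(abs(x) for x in w)

def in_R_open(A, c, w, beta):
    """(c, w) in R_open^beta  <=>  c = A*w and ||w|| < beta."""
    return commit(A, w) == c and inf_norm(w) < beta

def homomorphism_holds(A, w1, w2):
    """com(w1) + com(w2) = com(w1 + w2): the linear-homomorphic property."""
    lhs = [(x + y) % Q for x, y in zip(commit(A, w1), commit(A, w2))]
    return lhs == commit(A, [x + y for x, y in zip(w1, w2)])

def naive_fold(c1, w1, c2, w2, r):
    """Naive folding: c_fold = c1 + r*c2 (mod q), w_fold = w1 + r*w2 (over Z)."""
    c_fold = [(x + r * y) % Q for x, y in zip(c1, c2)]
    w_fold = [x + r * y for x, y in zip(w1, w2)]
    return c_fold, w_fold

def small_witness(rng):
    """Constructed small-norm witness with entries in {0, 1, 2}."""
    return [rng.randrange(3) for _ in range(N)]

def folds_until_norm_exceeds(A, beta=BETA, r_bound=4, seed=7):
    """Fold fresh small witnesses into an accumulator with small random scalars
    r in [1, r_bound] until the accumulated witness leaves R_open^beta.
    Returns (number of folds, whether c_acc still opens to w_acc)."""
    rng = random.Random(seed)
    w_acc = small_witness(rng)
    c_acc = commit(A, w_acc)
    steps = 0
    while in_R_open(A, c_acc, w_acc, beta):
        w_new = small_witness(rng)
        c_acc, w_acc = naive_fold(c_acc, w_acc, commit(A, w_new), w_new,
                                  rng.randrange(1, r_bound + 1))
        steps += 1
    # The opening c_acc = A*w_acc still holds (homomorphism), but the norm bound
    # is gone, so the commitment is no longer binding for witnesses this large.
    return steps, commit(A, w_acc) == c_acc

def norm_after_large_scalar_fold(A, seed=11):
    """One fold with a uniformly random r in Z_q: the norm explodes immediately."""
    rng = random.Random(seed)
    w1, w2 = small_witness(rng), small_witness(rng)
    _, w_fold = naive_fold(commit(A, w1), w1, commit(A, w2), w2, rng.randrange(Q))
    return inf_norm(w_fold)
```

The growth is additive in 𝑟 ⋅ ‖𝑤_new‖ per step, which is why a fixed bound 𝛽 can only absorb a limited number of naïve folds before the SIS binding argument stops applying.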
  • 16. Our Strategy
    Relation: 𝑅_open^𝛽 ≔ {(𝑐, 𝑤) : 𝑐 = 𝐴𝑤 ∧ ‖𝑤‖ < 𝛽}
    Recall our goal: a reduction of knowledge (RoK) Π from 𝑅_open^𝛽 × 𝑅_open^𝛽 to 𝑅_open^𝛽
    Attempt (with 𝑏 < 𝛽):
      Decompose 𝑤: 𝑅_open^𝛽 × 𝑅_open^𝛽 → 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏
      Fold: 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 → 𝑅_open^𝛽
    How to instantiate Decompose and Fold?
    Nice property of RoKs [Kothapalli and Parno23], sequential composition: if Π_1 reduces 𝑅_1 to 𝑅_2 and Π_2 reduces 𝑅_2 to 𝑅_3, then Π_2 ∘ Π_1 reduces 𝑅_1 to 𝑅_3
  • 17. Roadmap
    • Decomposition Protocol: 𝑅_open^𝛽 × 𝑅_open^𝛽 → 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 (decompose 𝑤)
    • Fold Protocol
  • 18. Norm Control with Decomposition
    Decompose: (𝑐, 𝑤) ∈ 𝑅_open^𝛽 → 𝑅_open^𝑏 × 𝑅_open^𝑏, with 𝑏² = 𝛽
    Goal: "write" the big vector 𝑤 using "base" 𝑏:
      𝑤 = 𝑤_0 + 𝑏 ⋅ 𝑤_1, where 𝑤 has ℤ-coefficients in (−𝛽, 𝛽) and 𝑤_0, 𝑤_1 have ℤ-coefficients in (−𝑏, 𝑏)
    Protocol (P holds 𝑤 with 𝑐 = 𝐴𝑤; V holds 𝑐):
      P → V: 𝑐_0, 𝑐_1 with 𝑐_0 = 𝐴𝑤_0, 𝑐_1 = 𝐴𝑤_1
      V checks: 𝑐 = 𝑐_0 + 𝑏 ⋅ 𝑐_1 (holds since 𝐴𝑤 = 𝐴𝑤_0 + 𝑏 ⋅ 𝐴𝑤_1)
      Output: (𝑐_0, 𝑤_0) and (𝑐_1, 𝑤_1)
    Extraction: 𝑤* = 𝑤_0 + 𝑏 ⋅ 𝑤_1 ("remainder" + "quotient"), so (𝑐, 𝑤*) ∈ 𝑅_open^𝛽
    The RoK from 𝑅_open^𝛽 × 𝑅_open^𝛽 to (𝑅_open^𝑏)^4 is a parallel composition of the above protocol
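The decomposition step of slide 18, and the gadget-matrix view of slide 14, as an added example (not code from the slides or the LatticeFold project). The Ajtai parameters, the seeded matrix and the witness are constructed for the demo and are not secure; `signed_digits` writes an integer as digits in (−𝑏, 𝑏) with the sign pushed into the digits, `decompose` is the prover's side, `verifier_check` sees only commitments, and `extract` is the extractor's recombination.

```python
import random

# Toy Ajtai parameters (constructed for illustration, not secure).
Q = 2**31 - 1
LAMBDA, N = 4, 8
B = 2**8            # base b
BETA = B * B        # beta = b^2: entries of the input witness lie in (-beta, beta)

def sample_matrix(seed=1):
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(LAMBDA)]

def commit(A, w):
    """Ajtai commitment c = A*w mod q."""
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]

def inf_norm(w):
    return max(abs(x) for x in w)

def signed_digits(x, b, k):
    """Digits d_0, ..., d_{k-1} in (-b, b) with x = sum_j d_j * b^j (requires |x| < b^k).
    A negative x gets negative digits, so every digit stays inside (-b, b)."""
    assert abs(x) < b**k
    sign, a, digs = (-1 if x < 0 else 1), abs(x), []
    for _ in range(k):
        a, d = divmod(a, b)
        digs.append(sign * d)
    return digs

def gadget_recompose(v, b, k):
    """w = G * v for the gadget G = I_n (x) (1, b, ..., b^{k-1}); v lists the k digits of
    each coordinate (slide 14's view of an arbitrary-norm witness)."""
    n = len(v) // k
    return [sum(v[i * k + j] * b**j for j in range(k)) for i in range(n)]

def decompose(A, w, b):
    """Prover side of slide 18: write w = w0 + b*w1 with w0, w1 in (-b, b)^n and
    commit to both halves."""
    digs = [signed_digits(x, b, 2) for x in w]
    w0 = [d[0] for d in digs]   # "remainder"
    w1 = [d[1] for d in digs]   # "quotient"
    return (commit(A, w0), w0), (commit(A, w1), w1)

def verifier_check(c, c0, c1, b):
    """Verifier side: only commitments are seen; check c = c0 + b*c1 (mod q)."""
    return c == [(x + b * y) % Q for x, y in zip(c0, c1)]

def extract(w0, w1, b):
    """Extractor: w* = w0 + b*w1 opens c and has ||w*|| < b^2."""
    return [x + b * y for x, y in zip(w0, w1)]

def run_decomposition(seed=5):
    """Run the protocol on a constructed witness and return the checks a
    practitioner wants: V accepts, both halves are small, extraction recovers w."""
    rng = random.Random(seed)
    A = sample_matrix()
    w = [rng.randrange(-(BETA - 1), BETA) for _ in range(N)]
    c = commit(A, w)
    (c0, w0), (c1, w1) = decompose(A, w, B)
    all_digits = [d for x in w for d in signed_digits(x, B, 2)]
    return {
        "verifier_accepts": verifier_check(c, c0, c1, B),
        "halves_small": inf_norm(w0) < B and inf_norm(w1) < B,
        "extracts_w": extract(w0, w1, B) == w,
        "gadget_view": gadget_recompose(all_digits, B, 2) == w,
    }
```

Note that the verifier never learns 𝑤_0 or 𝑤_1; it only uses the linearity of com to check that the two small-norm commitments recombine to 𝑐, which is exactly what makes the step cheap inside a folding verifier circuit.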
  • 19. Roadmap
    • Decomposition Protocol: 𝑅_open^𝛽 × 𝑅_open^𝛽 → 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 (decompose 𝑤)
    • Fold Protocol: 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 × 𝑅_open^𝑏 → 𝑅_open^𝛽
  • 20. Folding: Naïve Approach
    Goal: Fold: 𝑅_open^𝑏 × 𝑅_open^𝑏 × … → 𝑅_open^𝛽
    Naïve idea (folding prover 𝑃_fold), for (𝑐_1, 𝑤_1) ∈ 𝑅_open^𝑏 and (𝑐_2, 𝑤_2) ∈ 𝑅_open^𝑏:
      𝑐_fold ≔ 𝑐_1 + 𝑟 ⋅ 𝑐_2,  𝑤_fold ≔ 𝑤_1 + 𝑟 ⋅ 𝑤_2,  where 𝑟 ∈ ℤ_q is a small random scalar
    Completeness ✔: (𝑐_fold, 𝑤_fold) ∈ 𝑅_open^𝛽 since 𝑏 ≪ 𝛽
    Knowledge extraction: rewind 𝑃*_fold to obtain 𝑤_fold^x, 𝑤_fold^y for 𝑐_fold^x = 𝑐_1 + 𝑟^x ⋅ 𝑐_2 and 𝑐_fold^y = 𝑐_1 + 𝑟^y ⋅ 𝑐_2
      Solve the linear equations 𝑤_fold^x = 𝑤_1 + 𝑟^x ⋅ 𝑤_2 and 𝑤_fold^y = 𝑤_1 + 𝑟^y ⋅ 𝑤_2 for 𝑤_1, 𝑤_2:
      𝑤_2 = (𝑤_fold^y − 𝑤_fold^x) ⋅ (𝑟^y − 𝑟^x)^{−1}, and similarly for 𝑤_1
    Extracted witness: its norm can be much larger than 𝑏, so (𝑐_2, 𝑤_2) ∉ 𝑅_open^𝑏 !
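The rewinding extractor of slide 20, as an added example (not code from the slides or the LatticeFold project; the parameters and witnesses are constructed and not secure). `honest_extraction` shows that for an honest prover the two folded witnesses differ by an exact integer multiple of (𝑟^y − 𝑟^x), so solving the linear system recovers 𝑤_1, 𝑤_2 with their small norm. `extraction_norm_bound_fails` shows what the extractor is actually entitled to assume, namely only that the two openings are small, and that the division by (𝑟^y − 𝑟^x) mod 𝑞 then yields a witness of enormous norm, which is why a separate range argument is needed.

```python
import random

# Toy Ajtai parameters (constructed; not secure). Inputs live in R_open^b with b = 2,
# i.e. witness entries are in (-b, b) = {-1, 0, 1}.
Q = 2**31 - 1
LAMBDA, N = 4, 8
B = 2

def sample_matrix(seed=1):
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(LAMBDA)]

def commit(A, w):
    """Ajtai commitment c = A*w mod q."""
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]

def inf_norm(w):
    return max(abs(x) for x in w)

def centered(x):
    """Representative of x mod q in the symmetric interval around 0."""
    x %= Q
    return x - Q if x > Q // 2 else x

def rewind_extract(w_x, w_y, r_x, r_y):
    """Extractor of slide 20. From openings w_x of c1 + r_x*c2 and w_y of c1 + r_y*c2,
    solve w_x = w1 + r_x*w2 and w_y = w1 + r_y*w2 over Z_q:
        w2 = (w_y - w_x) * (r_y - r_x)^{-1},   w1 = w_x - r_x * w2."""
    inv = pow((r_y - r_x) % Q, -1, Q)
    w2 = [centered((y - x) * inv) for x, y in zip(w_x, w_y)]
    w1 = [centered(x - r_x * z) for x, z in zip(w_x, w2)]
    return w1, w2

def honest_extraction(seed=3):
    """An honest P_fold answers both rewinds with the same (w1, w2), so the folded
    witnesses differ by an exact multiple of (r_y - r_x) and extraction recovers
    w1, w2 with their original small norm. Returns (exact, ||w2||)."""
    rng = random.Random(seed)
    A = sample_matrix()
    w1 = [rng.randrange(-(B - 1), B) for _ in range(N)]
    w2 = [rng.randrange(-(B - 1), B) for _ in range(N)]
    r_x, r_y = 3, 7                                   # two small challenges
    w_x = [a + r_x * b for a, b in zip(w1, w2)]       # folded witness under r_x
    w_y = [a + r_y * b for a, b in zip(w1, w2)]       # folded witness under r_y
    c_x = [(a + r_x * b) % Q for a, b in zip(commit(A, w1), commit(A, w2))]
    assert commit(A, w_x) == c_x                      # completeness of the fold
    e1, e2 = rewind_extract(w_x, w_y, r_x, r_y)
    return (e1, e2) == (w1, w2), inf_norm(e2)

def extraction_norm_bound_fails():
    """What the extractor can actually guarantee: only that w_x and w_y are small.
    If their difference is not a multiple of (r_y - r_x) over the integers, the
    'extracted' w2 comes out of an inverse mod q and has enormous norm."""
    w_x = [0] * N
    w_y = [1] + [0] * (N - 1)       # small, but w_y - w_x = e_1 is not a multiple of 4
    _, w2 = rewind_extract(w_x, w_y, 3, 7)
    return inf_norm(w2)             # equals 4^{-1} mod q, i.e. 2^29 for q = 2^31 - 1
```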
  • 21. Roadmap
    • Decomposition Protocol
    • Fold Protocol: naïve extraction + argue smallness of the extracted witness, using a range proof for the witness 𝑤 ∈ (−𝑏, 𝑏)^𝑛
  • 22. (Batched) Range Proof via Sumcheck
    Goal: given an input commitment 𝑐′, prove knowledge of 𝑤′ = (𝑓_1, 𝑓_2, …, 𝑓_𝑛) ∈ ℤ^𝑛 such that
    • 𝑐′ = 𝐴𝑤′
    • 𝑤′ = (𝑓_1, 𝑓_2, …, 𝑓_𝑛) has norm smaller than 𝑏
    • with an efficient (folding) verifier circuit
    In folding, 𝑐′ stands for the pair (𝑐_1, 𝑐_2) and 𝑤′ for the pair (𝑤_1, 𝑤_2)
    Our strategy: combine naïve folding & extraction (which already achieves 𝑐′ = 𝐴𝑤′) with a range-proof protocol
    Our solution: a range-proof protocol from Sumcheck
  • 23. Review of the Sumcheck Protocol [LFKN92]
    Goal: given a "committed" 𝑚-variate polynomial 𝑔(𝑥_1, …, 𝑥_𝑚), convince V that Σ_{𝑥⃗∈{0,1}^𝑚} 𝑔(𝑥⃗) = 𝑠
    Naïve verifier: query 𝑔 at every 𝑥⃗ ∈ {0,1}^𝑚 and check the sum: Ω(2^𝑚) complexity :(
    Sumcheck protocol [LFKN92]:
    • 𝑚-round interactive protocol between P and V
    • V sends a random challenge 𝑟_𝑖 ∈ 𝔽 in each round
    • At the end of the protocol, V queries 𝑔 at a single random point
    • 𝑂(𝑚)-time verifier
    I.e., a reduction from the Sumcheck statement Σ_{𝑥⃗∈{0,1}^𝑚} 𝑔(𝑥⃗) = 𝑠 to the EvalCheck statement 𝑔(𝑟_1, …, 𝑟_𝑚) = 𝑡′ at a random 𝑟⃗ ∈ ℤ_q^𝑚
    History: key ingredient for proving 𝑃𝐻 ⊆ 𝐼𝑃, and inspired the proof of 𝐼𝑃 = 𝑃𝑆𝑃𝐴𝐶𝐸
  • 24. Our Solution: A Range-Proof Protocol from Sumcheck
    Goal: given an input commitment 𝑐′, prove knowledge of 𝑤′ = (𝑓_1, 𝑓_2, …, 𝑓_𝑛) ∈ ℤ^𝑛 such that 𝑤′ has norm smaller than 𝑏
    Step 1: rephrase the range-proof statement as a Sumcheck statement
    Step 2: construct a folding protocol for the Sumcheck statement
  • 25. Step 1: Reducing the Range Proof to Sumcheck
    Range proof: prove knowledge of a witness 𝑤′ = (𝑓_1, 𝑓_2, …, 𝑓_𝑛) ∈ ℤ^𝑛 s.t. 𝑓_𝑖 ∈ (−𝑏, 𝑏) for all 𝑖
    Define ℎ(𝑥) ≔ 𝑥 (𝑥 + 1)(𝑥 − 1) ⋯ (𝑥 + (𝑏 − 1))(𝑥 − (𝑏 − 1)) over ℤ_q ≔ [−𝑞/2, 𝑞/2), where 𝑞 > 2𝑏 is a prime
      ℎ(𝑥) = 0 ⟺ 𝑥 ∈ (−𝑏, 𝑏), so the range proof is equivalent to ℎ(𝑓_1) = 0, ℎ(𝑓_2) = 0, …, ℎ(𝑓_𝑛) = 0
    Embed 𝑤′ into the Boolean hypercube of a multilinear polynomial 𝑓(𝑥_1, …, 𝑥_{log 𝑛}):
      𝑓(00…00) = 𝑓_1, 𝑓(00…01) = 𝑓_2, …, 𝑓(11…10) = 𝑓_{𝑛−1}, 𝑓(11…11) = 𝑓_𝑛, so the statement becomes ℎ(𝑓(𝑥⃗)) = 0 for every 𝑥⃗ ∈ {0,1}^{log 𝑛}
    Zero-check to sum-check [CBBZ23, Setty20]: prove that Σ_{𝑥⃗∈{0,1}^{log 𝑛}} 𝑔(𝑥⃗) = 0 where 𝑔(𝑥⃗) ≔ ℎ(𝑓(𝑥⃗)) ⋅ 𝑒𝑞_𝛼(𝑥⃗) for a random 𝛼 ∈ ℤ_q^{log 𝑛}
    Can extend to elements in the ring 𝑅 = ℤ[𝑋]/(𝑋^𝑑 + 1)
  • 26. Step 2: Sumcheck Folding
    Step 1 ✔: range proof for the witness 𝑤′ = (𝑓_1, 𝑓_2, …, 𝑓_𝑛) ∈ (−𝑏, 𝑏)^𝑛 ⇒ Sumcheck: Σ_{𝑥⃗∈{0,1}^{log 𝑛}} 𝑔(𝑥⃗) = 0 with 𝑔(𝑥⃗) ≔ ℎ(𝑓(𝑥⃗)) ⋅ 𝑒𝑞_𝛼(𝑥⃗)
    Sumcheck protocol [LFKN92] ⇒ EvalCheck: 𝑔(𝑟⃗) = 𝑡′ at a random 𝑟⃗ ∈ ℤ_q^{log 𝑛}
      Prover time ≈ 𝑂(𝑏𝑛); verifier time 𝑂(𝑏 log 𝑛)
    ⇒ EvalCheck: 𝑓(𝑟⃗) = 𝑡 (the verifier can check 𝑔(𝑟⃗) = ℎ(𝑡) ⋅ 𝑒𝑞_𝛼(𝑟⃗) = 𝑡′ itself)
    Problem: how to check 𝑓(𝑟⃗) = 𝑡 given only the commitment of 𝑓?
    • Send 𝑓_1, 𝑓_2, …, 𝑓_𝑛 to the folding verifier to check it? 𝑂(𝑛) folding verifier :(
    Observation: the EvalStmt 𝑓(𝑟⃗) = 𝑡 is easy to fold!
  • 27. Folding Evaluation Statements
    How does it help to check 𝑓(𝑟⃗) = 𝑡 given only the commitment of 𝑓? Fold the evaluation statement without checking it!
    Observation: 𝑓(𝑟⃗) = 𝑡 is easy to fold. Given two statements 𝑓_1(𝑟⃗_1) =? 𝑡_1 and 𝑓_2(𝑟⃗_2) =? 𝑡_2:
    • Translate each to a SumChk statement via the multilinear extension: 𝑓(𝑟⃗) = Σ_{𝑥⃗∈{0,1}^{log 𝑛}} 𝑓(𝑥⃗) ⋅ 𝑒𝑞_{𝑟⃗}(𝑥⃗)
    • Run SumCheck; with the sumcheck challenge 𝑟⃗′ this reduces them to 𝑓_1(𝑟⃗′) =? 𝑡′_1 and 𝑓_2(𝑟⃗′) =? 𝑡′_2, both at the same point
    • Fold: 𝑓_fold ≔ 𝑓_1 + 𝜌 ⋅ 𝑓_2 for a random 𝜌, and keep the single statement 𝑓_fold(𝑟⃗′) =? 𝑡′, where 𝑡′ = 𝑡′_1 + 𝜌 ⋅ 𝑡′_2 is efficiently computable
  • 28. Folding for Ajtai Commitment Openings
    Solution: expand the relation 𝑅_open to include the evaluation statement: (𝑐 = com(𝑓)) ∧ (𝑓(𝑟⃗) = 𝑡)
    Accumulated statement (𝑅_eval^𝑏): 𝑐_2 =? com_𝑏(𝑓_2) ∧ 𝑓_2(𝑟⃗_2) =? 𝑡_2
    Online statement (𝑅_open^𝑏): 𝑐_1 =? com_𝑏(𝑓_1)
    ⇒ Naïve Fold + SumCheck for RangeProof & EvalStmt (MatMul + RangePf + EvalStmt); verifier: 𝑂(𝑏 log 𝑛)
    ⇒ New accumulated statement (𝑅_eval^𝛽): 𝑐_fold =? com_𝛽(𝑓_fold) ∧ 𝑓_fold(𝑟⃗′) =? 𝑡′
    The knowledge-soundness proof is more subtle than intuition suggests:
    • A malicious prover can adaptively choose the output witness after seeing the challenges
    • ⇒ The extracted input witnesses could depend on the sumcheck challenges
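The range-proof sumcheck of slides 23, 25 and 26 and the folding of evaluation claims of slides 27 and 28, as one added example (not code from the slides or the LatticeFold project). Everything here is constructed for the demo: a 31-bit prime modulus in place of a ring, 𝑏 = 2, a witness of 𝑛 = 8 entries, seeded randomness and a toy Ajtai matrix, none of it secure. `range_proof_sumcheck` runs both parties of the zero-check in one loop and returns the reduced EvalCheck claim 𝑓(𝑟⃗) = 𝑡 instead of opening 𝑓; `fold_eval_claims` then folds that claim with a second witness's claim at the same point, and `in_expanded_relation` is the expanded relation of slide 28. Reducing the second claim to the same point is done here by direct evaluation rather than by the batched sumcheck of slide 27.

```python
import random

# Toy parameters, constructed for illustration (not secure): prime q > 2b, range bound b,
# a witness of n = 2^m entries and an Ajtai matrix in Z_q^{lambda x n}.
Q = 2**31 - 1
B = 2                      # honest entries lie in (-b, b) = {-1, 0, 1}
M = 3                      # m = log n
N = 2**M
LAMBDA = 4

def bits(idx, m):
    """Index -> hypercube point (x_1, ..., x_m), with x_1 the most significant bit."""
    return [(idx >> (m - 1 - i)) & 1 for i in range(m)]

def eq(r, x):
    """eq_r(x) = prod_i (r_i x_i + (1 - r_i)(1 - x_i)) mod q."""
    out = 1
    for ri, xi in zip(r, x):
        out = out * (ri * xi + (1 - ri) * (1 - xi)) % Q
    return out

def mle_eval(evals, point):
    """Multilinear extension: f(point) = sum_x f(x) * eq_point(x), x over {0,1}^m."""
    m = len(point)
    return sum(evals[i] * eq(point, bits(i, m)) for i in range(len(evals))) % Q

def h(x):
    """h(x) = x (x+1)(x-1) ... (x+(b-1))(x-(b-1)) mod q; h(x) = 0 iff x in (-b, b)."""
    out = 1
    for j in range(-(B - 1), B):
        out = out * (x - j) % Q
    return out

def g_eval(evals, alpha, point):
    """Zero-check polynomial of slide 25: g(x) = h(f(x)) * eq_alpha(x)."""
    return h(mle_eval(evals, point)) * eq(alpha, point) % Q

def lagrange_at(ys, z):
    """Evaluate the polynomial taking values ys[t] at t = 0..D at the point z."""
    D, total = len(ys) - 1, 0
    for i, yi in enumerate(ys):
        num, den = 1, 1
        for j in range(D + 1):
            if j != i:
                num, den = num * (z - j) % Q, den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def range_proof_sumcheck(evals, alpha, rng):
    """Sumcheck for sum_x g(x) = 0, both parties in one loop (slides 23, 25, 26).
    Returns (accepted, r, t); on acceptance V is left with the EvalCheck claim
    f(r) = t, which is folded rather than checked (slide 27)."""
    D, claim, r = 2 * B, 0, []          # deg of g per variable: 2b-1 from h, +1 from eq
    for i in range(M):
        # Prover: s_i(t) = sum over the remaining cube variables of g(r, t, x).
        ys = [sum(g_eval(evals, alpha, r + [t] + bits(j, M - i - 1))
                  for j in range(2 ** (M - i - 1))) % Q for t in range(D + 1)]
        # Verifier: s_i(0) + s_i(1) must match the running claim, then challenge.
        if (ys[0] + ys[1]) % Q != claim:
            return False, None, None
        r.append(rng.randrange(Q))
        claim = lagrange_at(ys, r[-1])
    t = mle_eval(evals, r)              # the prover's claimed value of f(r)
    return h(t) * eq(alpha, r) % Q == claim, r, t

def commit(A, w):
    return [sum(a * x for a, x in zip(row, w)) % Q for row in A]   # Ajtai c = A*w mod q

def in_expanded_relation(A, c, f, r, t, beta):
    """R_eval^beta of slide 28: c = com(f), ||f|| < beta and f(r) = t."""
    return commit(A, f) == c and max(abs(x) for x in f) < beta and mle_eval(f, r) == t

def fold_eval_claims(c1, f1, t1, c2, f2, t2, rho):
    """Fold two claims at the same point r: c_fold = c1 + rho*c2, f_fold = f1 + rho*f2,
    t_fold = t1 + rho*t2 (the multilinear extension is linear in f)."""
    c_fold = [(x + rho * y) % Q for x, y in zip(c1, c2)]
    f_fold = [x + rho * y for x, y in zip(f1, f2)]
    return c_fold, f_fold, (t1 + rho * t2) % Q

def run_demo(seed=3):
    """Range-proof sumcheck on a good and a bad witness, then fold the claims."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(LAMBDA)]
    alpha = [rng.randrange(Q) for _ in range(M)]
    f1 = [1, -1, 0, 1, 0, 0, -1, 1]     # constructed in-range witness
    f2 = [0, 1, 1, -1, 0, 1, 0, -1]     # constructed in-range witness
    bad = [1, -1, 2, 1, 0, 0, -1, 1]    # constructed: the entry 2 is outside (-b, b)
    ok1, r, t1 = range_proof_sumcheck(f1, alpha, rng)
    ok2, _, _ = range_proof_sumcheck(bad, alpha, rng)
    t2 = mle_eval(f2, r)                # f2's claim reduced to the same point r
    rho = 2                             # small scalar keeps ||f_fold|| < b^2
    c1, c2 = commit(A, f1), commit(A, f2)
    c_fold, f_fold, t_fold = fold_eval_claims(c1, f1, t1, c2, f2, t2, rho)
    _, _, t_bad = fold_eval_claims(c1, f1, t1, c2, f2, (t2 + 1) % Q, rho)
    return {
        "range_proof_accepts": ok1,
        "out_of_range_rejected": not ok2,
        "folded_in_relation": in_expanded_relation(A, c_fold, f_fold, r, t_fold, B * B),
        "wrong_claim_rejected": not in_expanded_relation(A, c_fold, f_fold, r, t_bad, B * B),
    }
```

The out-of-range witness is caught in the first round: the honest prover's round polynomial sums to ℎ(2) ⋅ 𝑒𝑞_𝛼(𝑥⃗_3) ≠ 0, so the verifier's check 𝑠_1(0) + 𝑠_1(1) = 0 fails. In the folded claim the verifier never sees 𝑓_fold; the point of the demo is that the folded pair still satisfies the expanded relation, while a wrong claimed 𝑡_2 makes the folded claim false, which is what a later opening (or a final SNARK) would detect.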
  • 29. Subtleties & Optimizations
    Sumcheck over rings [CCKP19, BCS21]:
    • Ajtai commitments over the ring 𝑅_q ≔ ℤ_q[𝑋]/(𝑋^𝑑 + 1) for concrete efficiency
    • Small-norm random folding scalar chosen from 𝑆 ⊆ 𝑅_q for negligible soundness error
    • Implication: run Sumcheck over rings
    Supporting a small modulus:
    • We want a small modulus 𝑞 for better efficiency
      • Efficient CPU/GPU ops; no big-number arithmetic
      • More efficient packing of real-world data
    Folding for an NP-complete relation 𝑅: (1) 𝑐_{i+1} = com(𝑤_{i+1}) (2) local computation is correct (3) folding verifier v_fold(𝑐_1, 𝑐_2, 𝑐_fold; 𝜋_fold) = 1
    • Needs to express the computation as arithmetic over a ring → great fit for verifiable ML/FHE
  • 30. Efficiency Estimates
    Setting: 𝑅_q ≔ ℤ_q[𝑋]/(𝑋^𝑑 + 1), chosen so that 𝑅_q splits as a product of extension fields of 𝔽_q; 𝑞: a 64-bit prime; 𝐶_chk: chunk circuit size (gates over the ring); norm bound 𝛽; base 𝑏 = 2
    Folding prover:
    • LatticeFold: 𝑂(|𝐶_chk|) multiplications over 𝑅_q to compute Ajtai commitments; speed ≈ fast hash; can reuse fast FHE implementations
    • Existing schemes: 𝑂(|𝐶_chk|)-sized multi-scalar multiplications for Pedersen commitments
    Folding verifier:
    • LatticeFold: native ops in the circuit over 𝑅_q: 𝑂(𝑏 ⋅ log|𝐶_chk|) hashes and 𝑅_q-ops (Sumcheck verifier)
    • Existing schemes: ECC scalar-mul + (Sumcheck V); non-native field ops in the circuit (i.e., arithmetic in 𝔽_p as a circuit over 𝔽_q)
    • Competitive circuit sizes
    Piecemeal SNARK proof: ≈ 2 folding instance-witness pairs
    • What if it's still large? E.g., splitting a statement of size 2^20 into 2^10 chunks → 2^10-sized chunk statements
    • Solution: use a PQ-secure STARK to prove the correctness of the folding statement: < 100KB and 2ms verifier (STIR [ACFY24])
    • Existing schemes: < 5KB w/ HyperPlonk+KZG [CBBZ23]
  • 31. Summary & Open Problems
    Takeaway:
    • The first lattice-based folding scheme based on Ajtai commitments
    • Gives memory-efficient, plausibly PQ-secure SNARKs with fast provers
    • Generic techniques for folding lattice-based commitments with norm constraints
    Open problems:
    • Compact + homomorphic lattice commitments with no norm constraints
    • Folding table-lookup relations (e.g., from Lasso [Setty-Thaler-Wahby23])
    • Efficient implementation
    Concurrent work [Bünz-Mishra-Nguyen-Wang24]:
    • Purely from hashing; no lattice crypto
    • General optimization techniques for piecemeal SNARKs (apply to LatticeFold)
    • Larger verifier circuit; only supports bounded-depth folding (attack exists)