Cryptology ePrint Archive: Report 2018/828

Aurora: Transparent Succinct Arguments for R1CS

Eli Ben-Sasson and Alessandro Chiesa and Michael Riabzev and Nicholas Spooner and Madars Virza and Nicholas P. Ward

Abstract: We design, implement, and evaluate a zkSNARK for Rank-1 Constraint Satisfaction (R1CS), a widely-deployed NP-complete language that is undergoing standardization. Our construction uses a transparent setup, is plausibly post-quantum secure, and uses lightweight cryptography. A proof attesting to the satisfiability of n constraints has size $O(\log^2 n)$; it can be produced with $O(n \log n)$ field operations and verified with $O(n)$. At 128 bits of security, proofs are less than 130kB even for several million constraints, more than 20x shorter than prior zkSNARK with similar features.

A key ingredient of our construction is a new Interactive Oracle Proof (IOP) for solving a *univariate* analogue of the classical sumcheck problem [LFKN92], originally studied for *multivariate* polynomials. Our protocol verifies the sum of entries of a Reed--Solomon codeword over any subgroup of a field.

We also provide libiop, an open-source library for writing IOP-based arguments, in which a toolchain of transformations enables programmers to write new arguments by writing simple IOP sub-components. We have used this library to specify our construction and prior ones.

Category / Keywords: foundations / zero knowledge; interactive oracle proofs; succinct arguments; sumcheck protocol

Original Publication (with major differences): IACR-EUROCRYPT-2019

Date: received 4 Sep 2018, last revised 8 May 2019

Contact author: alexch at berkeley edu

Available format(s): PDF | BibTeX Citation

Version: 20190508:195055 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]