We achieve a collection of zkSNARKs with different tradeoffs. One of our constructions achieves the smallest proof size and proving time compared to the state of art for proofs for arithmetic circuits. The language supported by this scheme is a variant of R1CS, called R1CS-lite, introduced by this work. Another of our constructions supports directly standard R1CS and improves on previous work achieving the fastest proving time for this type of constraint systems.
We achieve this result via the combination of different contributions: (1) a new algebraically-flavored variant of IOPs that we call $\mathit{Polynomial}$ $\mathit{Holographic}$ $\mathit{IOPs}$ (PHPs), (2) a new compiler that combines our PHPs with $\mathit{commit}$-$\mathit{and}$-$\mathit{prove}$ $\mathit{\ zkSNARKs}$ for committed polynomials, (3) pairing-based realizations of these CP-SNARKs for polynomials, (4) constructions of PHPs for R1CS and R1CS-lite, (5) a variant of the compiler that yields a commit-and-prove universal zkSNARK.
Category / Keywords: cryptographic protocols / zero knowledge, succinct arguments, polynomial commitments, commit-and-prove, universal SRS, IOP Original Publication (with major differences): IACR-ASIACRYPT-2021 Date: received 3 Sep 2020, last revised 11 Oct 2021 Contact author: anais querol at gmail com Available format(s): PDF | BibTeX Citation Note: Full version Version: 20211011:161729 (All versions of this report) Short URL: ia.cr/2020/1069