Paper 2020/1536
Halo Infinite: Recursive zk-SNARKs from any Additive Polynomial Commitment Scheme
Dan Boneh, Justin Drake, Ben Fisch, and Ariel Gabizon
Abstract
Polynomial commitment schemes (PCS) have recently been in the spotlight for their key role in building SNARKs. A PCS provides the ability to commit to a polynomial over a finite field and prove its evaluation at points. A succinct PCS has commitment and evaluation proof size sublinear in the degree of the polynomial. An efficient PCS has sublinear proof verification. Any efficient and succinct PCS can be used to construct a SNARK with similar security and efficiency characteristics (in the random oracle model). Proof-carrying data (PCD) enables a set of parties to carry out an indefinitely long distributed computation where every step along the way is accompanied by a proof of correctness. It generalizes incrementally verifiable computation and can even be used to construct SNARKs. Until recently, however, the only known method for constructing PCD required expensive SNARK recursion. A system called Halo first demonstrated a new methodology for building PCD without SNARKs, exploiting an aggregation property of the Bulletproofs inner-product argument. The construction was heuristic because it makes non-black-box use of a concrete instantiation of the Fiat-Shamir transform. We expand upon this methodology to show that PCD can be (heuristically) built from any homomorphic polynomial commitment scheme (PCS), even if the PCS evaluation proofs are neither succinct nor efficient. In fact, the Halo methodology extends to any PCS that has an even more general property, namely the ability to aggregate linear combinations of commitments into a new succinct commitment that can later be opened to this linear combination. Our results thus imply new constructions of SNARKs and PCD that were not previously described in the literature and serve as a blueprint for future constructions as well.
Note: This paper expands on results in the manuscript https://eprint.iacr.org/2020/081.pdf and includes content from this prior manuscript in an appendix.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- A major revision of an IACR publication in CRYPTO 2021
- Keywords
- zero-knowledgeproof of knowledgeproof carrying dataSNARKspolynomial commitmentsverifiable computation
- Contact author(s)
- benafisch @ gmail com
- History
- 2021-08-17: last of 2 revisions
- 2020-12-13: received
- See all versions
- Short URL
- https://ia.cr/2020/1536
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2020/1536, author = {Dan Boneh and Justin Drake and Ben Fisch and Ariel Gabizon}, title = {Halo Infinite: Recursive zk-{SNARKs} from any Additive Polynomial Commitment Scheme}, howpublished = {Cryptology {ePrint} Archive, Paper 2020/1536}, year = {2020}, url = {https://eprint.iacr.org/2020/1536} }