Paper 2023/961

Testudo: Linear Time Prover SNARKs with Constant Size Proofs and Square Root Size Universal Setup

Abstract

We present $$, a new FFT-less SNARK with a near linear-time prover, constant-time verifier, constant-size proofs and a square-root-size universal setup. $$ is based on a variant of Spartan~\cite{C:Setty20}—and hence does not require FFTs—as well as a new, fast multivariate polynomial commitment scheme (PCS) with a square-root-sized trusted setup that is derived from PST (TCC 2013) and IPPs (Asiacrypt 2021). To achieve constant-size SNARK proofs in $$ we then combine our PCS openings proofs recursively with a Groth16 SNARK. We also evaluate our construction and its building blocks: to compute a PCS opening proof for a polynomial of size $$, our new scheme opening procedure achieves a 110x speed-up compared to PST and 3x compared to Gemini (Eurocrypt 2022), since opening computations are heavily parallelizable and operate on smaller polynomials. Furthermore, a $$ proof for a witness of size $$ requires a setup of size only $$ ($$ tens of kilobytes). Finally, we show that a $$ variant for proving data-parallel computations is almost 10x faster at verifying $$ Poseidon-based Merkle tree opening proofs than the regular version.