Paper 2024/1038

Constraint-Packing and the Sum-Check Protocol over Binary Tower Fields

Quang Dao, Carnegie Mellon University
Justin Thaler, a16z crypto research, Georgetown University
Abstract

SNARKs based on the sum-check protocol often invoke the ``zero-check PIOP''. This reduces the vanishing of many constraints to a single sum-check instance applied to an n-variate polynomial of the form g(x)=eq(r,x)p(x), where p is a product of multilinear polynomials, r is a random vector, and eq is the multilinear extension of the equality function. In recent SNARK designs, p(x) is defined over a ``small'' base field, while r is drawn from a large extension field F for security. Recent papers (Bagad, Domb, and Thaler 2024; Gruen 2024) have optimized the sum-check protocol prover for this setting. However, these works still require the prover to ``pre-compute'' all evaluations of as ranges over , and this computation involves about multiplications over the extension field . In this note, we describe a modification to the zero-check PIOP in the case of binary tower fields that reduces this pre-computation cost by a factor of close to , which is in important applications. We show that our modification is sound, and that it strictly generalizes a (possibly folklore) technique of constraint-packing over field extensions.

Note: Typo fixes

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
sum-check protocolbinary tower fieldsinteractive proofsSNARKs
Contact author(s)
justin thaler @ georgetown edu
History
2024-07-11: revised
2024-06-26: received
See all versions
Short URL
https://ia.cr/2024/1038
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1038,
      author = {Quang Dao and Justin Thaler},
      title = {Constraint-Packing and the Sum-Check Protocol over Binary Tower Fields},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1038},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1038}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.