Improved Polynomial Division in Cryptography

Kostas Kryptos Chalkias; Charanjit Jutla; Jonas Lindstrom; Varun Madathil; Arnab Roy

Paper 2024/1279

Improved Polynomial Division in Cryptography

Kostas Kryptos Chalkias

, Mysten Labs

Charanjit Jutla, IBM Research - Thomas J. Watson Research Center

Jonas Lindstrom

, Mysten Labs

Varun Madathil

, North Carolina State University

Arnab Roy

, Mysten Labs

Abstract

Several cryptographic primitives, especially succinct proofs of various forms, transform the satisfaction of high-level properties to the existence of a polynomial quotient between a polynomial that interpolates a set of values with a cleverly arranged divisor. Some examples are SNARKs, like Groth16, and polynomial commitments, such as KZG. Such a polynomial division naively takes $O(n \log n)$ time with Fast Fourier Transforms, and is usually the asymptotic bottleneck for these computations. Several works have targeted specific constructions to optimize these computations and trade-off one-time setup costs with faster online computation times. In this paper, we present a unified approach to polynomial division related computations for a diverse set of schemes. We show how our approach provides a common abstract lens which recasts and improves existing approaches. Additionally, we present benchmarks for the Groth16 and the KZG systems, illustrating the significant practical benefits of our approach in terms of speed, memory, and parallelizability. We get a speedup of $2\times$ over the state-of-the-art in computing all openings for KZG commitments and a speed-up of about $2-3\%$ for Groth16 proofs when compared against the Rust Arkworks implementation. Although our Groth16 speedup is modest, our approach supports twice the number of gates as Arkworks and SnarkJS as it avoids computations at higher roots of unity. Conversely this reduces the need for employing larger groups for bigger circuits. Our core technical contributions are novel conjugate representations and compositions of the derivative operator and point-wise division under the Discrete Fourier Transform. These allow us to leverage l'Hôpital's rule to efficiently compute polynomial division, where in the evaluation basis such divisions maybe of the form $0/0$. As a concrete example, our technique allows applying a Toeplitz-matrix transform to a vector of elliptic curve group elements using only $n\log{n}$ elliptic-curve scalar multiplcations, whereas earlier techniques can at best achieve $\frac{3}{2}n\log{n}$ complexity. Our techniques are generic with potential applicability to many existing protocols.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: Vector Commitments SNARKs Zero-Knowledge Mathematical foundations
Contact author(s): kostas @ mystenlabs com
csjutla @ us ibm com
jonas @ mystenlabs com
vrmadath @ ncsu edu
arnabr @ gmail com
History: 2024-08-16: approved; 2024-08-13: received; See all versions
Short URL: https://ia.cr/2024/1279
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1279,
      author = {Kostas Kryptos Chalkias and Charanjit Jutla and Jonas Lindstrom and Varun Madathil and Arnab Roy},
      title = {Improved Polynomial Division in Cryptography},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1279},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1279}
}