Paper 2024/854

Simulation-Extractable KZG Polynomial Commitments and Applications to HyperPlonk

Benoit Libert, Zama, France
Abstract

HyperPlonk is a recent SNARK proposal (Eurocrypt'23) that features a linear-time prover and supports custom gates of larger degree than Plonk. For the time being, its instantiations are only proven to be knowledge-sound (meaning that soundness is only guaranteed when the prover runs in isolation) while many applications motivate the stronger notion of simulation-extractability (SE). Unfortunately, the most efficient SE compilers are not immediately applicable to multivariate polynomial interactive oracle proofs. To address this problem, we provide an instantiation of HyperPlonk for which we can prove simulation-extractability in a strong sense. As a crucial building block, we describe KZG-based commitments to multivariate polynomials that also provide simulation-extractability while remaining as efficient as malleable ones. Our proofs stand in the combined algebraic group and random oracle model and ensure straight-line extractability (i.e., without rewinding).

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in PKC 2024
DOI
10.1007/978-3-031-57722-2_3
Keywords
Polynomial commitments, SNARKs, zero-knowledge, simulation-extractability
Contact author(s)
benoit libert @ zama ai
History
2024-05-31: approved
2024-05-30: received
Short URL
https://ia.cr/2024/854
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/854,
      author = {Benoit Libert},
      title = {Simulation-Extractable {KZG} Polynomial Commitments and Applications to {HyperPlonk}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/854},
      year = {2024},
      doi = {10.1007/978-3-031-57722-2\_3},
      url = {https://eprint.iacr.org/2024/854}
}