Paper 2025/294

Neo: Lattice-based folding scheme for CCS over small fields and pay-per-bit commitments

Wilson Nguyen, Stanford University
Srinath Setty, Microsoft Research
Abstract

This paper introduces Neo, a new lattice-based folding scheme for CCS, an NP-complete relation that generalizes R1CS, Plonkish, and AIR. Neo's folding scheme can be viewed as adapting the folding scheme in HyperNova (CRYPTO'24), which assumes elliptic-curve based linearly homomorphic commitments, to the lattice setting. Unlike HyperNova, Neo can use “small” prime fields (e.g., over the Goldilocks prime). Additionally, Neo provides plausible post-quantum security. Prior to Neo, folding schemes in the lattice setting, notably LatticeFold (ePrint 2024/257), worked with constraint systems defined over a cyclotomic polynomial ring. This structure allows packing a fixed batch of constraint systems over a small prime field into a single constraint system over a polynomial ring. However, it introduces significant overheads, both for committing to witnesses (e.g., the commitment scheme cannot take advantage of bit-width of values), and within the folding protocol itself (e.g., the sum-check protocol is run over cyclotomic polynomial rings). Additionally, the required ring structure places restrictions on the choice of primes (e.g., LatticeFold is not compatible with the Goldilocks field). Neo addresses these problems, by drawing inspiration from both HyperNova and LatticeFold. A key contribution is a folding-friendly instantiation of Ajtai's commitments, with "pay-per-bit" commitment costs i.e., the commitment costs scale with the bit-width of the scalars (e.g., committing to a vector of bits is cheaper than committing to a vector of -bit values). This scheme commits to vectors over a small prime field. It does so by transforming the provided vector into a matrix and committing to that matrix. We prove that this commitment scheme provides the desired linear homomorphism for building a folding scheme. Additionally, like HyperNova, Neo runs a single invocation of the sum-check protocol, where in HyperNova it is over the scalar field of an elliptic curve and in Neo it is over an extension of a small prime field.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Foldinglatticeproof systemssmall fieldscommitmentsCCS
Contact author(s)
wdnguyen @ cs stanford edu
srinath @ microsoft com
History
2025-02-20: approved
2025-02-20: received
See all versions
Short URL
https://ia.cr/2025/294
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/294,
      author = {Wilson Nguyen and Srinath Setty},
      title = {Neo: Lattice-based folding scheme for {CCS} over small fields and pay-per-bit commitments},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/294},
      year = {2025},
      url = {https://eprint.iacr.org/2025/294}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.