IACR News item: 05 August 2014
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza
ePrint ReportExisting zk-SNARK implementations have severe scalability limitations, in terms of space complexity as a function of the size of the computation being proved (e.g., running time of the NP statement\'s decision program). First, the size of the proving key is quasilinear in the upper bound on the computation size. Second, producing a proof requires \"writing down\" all intermediate values of the entire computation, and then conducting global operations such as FFTs.
The bootstrapping technique of Bitansky et al. (STOC \'13), following Valiant (TCC \'08), offers an approach to scalability, by recursively composing proofs: proving statements about acceptance of the proof system\'s own verifier (and correctness of the program\'s latest step). Alas, recursive composition of known zk-SNARKs has never been realized in practice, due to enormous computational cost.
Using new elliptic-curve cryptographic techniques, and methods for exploiting the proof systems\' field structure and nondeterminism, we achieve the first zk-SNARK implementation that practically achieves recursive proof composition. Our zk-SNARK implementation runs random-access machine programs and produces proofs of their correct execution, on today\'s hardware, for any program running time. It takes constant time to generate the keys that support all computation sizes. Subsequently, the proving process only incurs a constant multiplicative overhead compared to the original computation\'s time, and an essentially-constant additive overhead in memory. Thus, our zk-SNARK implementation is the first to have a well-defined, albeit low, clock rate of \"verified instructions per second\".
Additional news items may be found on the IACR news page.