Welcome to the resource topic for 2024/1279

Title:
Improved Polynomial Division in Cryptography

Authors: Kostas Kryptos Chalkias, Charanjit Jutla, Jonas Lindstrom, Varun Madathil, Arnab Roy

Several cryptographic primitives, especially succinct proofs of various forms, transform the satisfaction of high-level properties to the existence of a polynomial quotient between a polynomial that interpolates a set of values with a cleverly arranged divisor. Some examples are SNARKs, like Groth16, and polynomial commitments, such as KZG. Such a polynomial division naively takes O(n \log n) time with Fast Fourier Transforms, and is usually the asymptotic bottleneck for these computations.

Several works have targeted specific constructions to optimize these computations and trade-off one-time setup costs with faster online computation times. In this paper, we present a unified approach to polynomial division related computations for a diverse set of schemes. We show how our approach provides a common abstract lens which recasts and improves existing approaches. Additionally, we present benchmarks for the Groth16 and the KZG systems, illustrating the significant practical benefits of our approach in terms of speed, memory, and parallelizability. We get a speedup of 2\times over the state-of-the-art in computing all openings for KZG commitments and a speed-up of about 2-3\% for Groth16 proofs when compared against the Rust Arkworks implementation. Although our Groth16 speedup is modest, our approach supports twice the number of gates as Arkworks and SnarkJS as it avoids computations at higher roots of unity. Conversely this reduces the need for employing larger groups for bigger circuits.

Our core technical contributions are novel conjugate representations and compositions of the derivative operator and point-wise division under the Discrete Fourier Transform. These allow us to leverage l’Hôpital’s rule to efficiently compute polynomial division, where in the evaluation basis such divisions maybe of the form 0/0. As a concrete example, our technique allows applying a Toeplitz-matrix transform to a vector of elliptic curve group elements using only n\log{n} elliptic-curve scalar multiplcations, whereas earlier techniques can at best achieve
\frac{3}{2}n\log{n} complexity. Our techniques are generic with potential applicability to many existing protocols.

ePrint: https://eprint.iacr.org/2024/1279

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .