[Resource Topic] 2024/1873: $\mathsf{Cirrus}$: Performant and Accountable Distributed SNARK

Resource Cryptographic protocols
#1

Welcome to the resource topic for 2024/1873

Title:
\mathsf{Cirrus}: Performant and Accountable Distributed SNARK

Authors: Wenhao Wang, Fangyan Shi, Dani Vilardell, Fan Zhang

Abstract:

As Succinct Non-interactive Arguments of Knowledge (SNARKs) gain traction for large-scale applications, distributed proof generation is a promising technique to horizontally scale up the performance. In such protocols, the workload to generate SNARK proofs is distributed among a set of workers, potentially with the help of a coordinator. Desiderata include linear worker time (in the size of their sub-tasks), low coordination overhead, low communication complexity, and accountability (the coordinator can identify malicious workers). State-of-the-art schemes, however, do not achieve these properties.

In this paper, we introduced \mathsf{Cirrus}, the first accountable distributed proof generation protocol with linear computation complexity for all parties. \mathsf{Cirrus} is based on HyperPlonk (EUROCRYPT’23) and therefore supports a universal trusted setup.
\mathsf{Cirrus} is horizontally scalable: proving statements about a circuit of size O(MT) takes O(T) time with M workers. The per-machine communication cost of \mathsf{Cirrus} is low, which is only logarithmic in the size of each sub-circuit. \mathsf{Cirrus} is also accountable, and the verification overhead of the coordinator is efficient. We further devised a load balancing technique to make the workload of the coordinator independent of the size of each sub-circuit.

We implemented an end-to-end prototype of \mathsf{Cirrus} and evaluated its performance on modestly powerful machines. Our results confirm the horizontal scalability of \mathsf{Cirrus}, and the proof generation time for circuits with 2^{25} gates is roughly $40$s using 32 8-core machines. We also compared \mathsf{Cirrus} with Hekaton (CCS’24), and \mathsf{Cirrus} is faster when proving PLONK-friendly circuits such as Pedersen hash.

ePrint: https://eprint.iacr.org/2024/1873

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .