-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question about soundness after Fiat--Shamir transformation #506
Comments
Hello! Thank you for reporting this, it seems like a very important issue. I haven't had a chance to look at the paper yet, but will do when I can. |
I haven't had time yet to really digest the framework of that paper, but I thought for now I'd just give my informal reasoning for why I think our uses of As the IOP paper states, the soundness of an IOP with Fiat-Shamir is the state-restoration soundness of the IOP. Clearly The IOP paper mentions an upper bound on An example where we use parallel repetition is for permutation checks. The prover commits to
Later, it is shown that Do you see any issues with this line of reasoning? If not, we can try to write up a more complete and rigorous version. (Though analyzing the whole protocol seems like a big task, since AFAIK there's no such existing analysis for any of the PLONK/FRI protocols we build on.) |
I think you are right in saying that a single round IOP is state-restoration sound by default. However, I am not sure that you can lift the security of the whole protocol by repeating only its part. As far as I understand, similarly to the original Plonk, Plonky2 combines constraints of the circuit with the permutation argument check (in Plonk it is done in polynomial |
For that step where
Does that make sense? I think the key point is that for each sub-protocol we repeat in parallel, the larger protocol is designed to handle the case where |
That's a very interesting discussion and I am learning a lot from it. |
@mpzajac @dlubarov ... awesome exchange. I must admit I am not a theoretical cryptographer by training, so please excuse any stupid questions. I find the plonky2 approach fascinating -- it is a bit of "have your cake and eat it too" ;-) Two questions:
Again, I might be totally off my rocker here. BTW, we are building an NFT platform that uses recursive zk-snarks for proof of authenticity and genealogy using Aztec's Barretenberg library. Since we need recursive snarks at scale, we are looking for optimizations. We have made advances such that we can multi-thread the library but are schlepping, a lot of PCD with us -> e.g. for a 4 generation NFT tree of generative art with 10 derivative artworks per wrt work in each generation, we have over 11,000 proofs to generate ... for one NFT tree. We hope there will be hundreds of thousands. So my question is, have you checked if plonky2 can be multi-threaded? @dlubarov |
Why is this issue still considered open? Because known results bound soundness error of any IOP compiled into a NIROP by |
Hi Team! Great work!
Do you intend to use Fiat--Shamir transformation to get a non-interactive argument?
If you do, let me note the following result by Attema, Fehr and Kloss (https://eprint.iacr.org/2021/1377.pdf). They shown the following. Let
Prot
be a\kappa
sound interactive\mu
-round protocol. Let's amplify its soundness to\kappa^t
byt
-fold parallel repetition. Denote byProt-t
the "folded" protocol. Next, letProt-t-FS
beProt-t
after Fiat-Shamir transformation, then there is an adversarial proverP^*
which produces acceptable proof for invalid statement with probability about1/2 Q^\mu \kappa^t / \mu^{\mu + t}
whereQ
is the upper bound for the random oracle queriesP^*
can make. (We can also interpretQ
as the upper bound for the number of operationsP^*
makes, say2^80
). (NOTE: Some additional conditions for this attack apply though, but I think your protocol follow them.)Hence, in practice, where the non-interactive protocol is used (assuming use of the FS transform) soundness requires greater number of rounds than
3
proposed in Sec 3.4.3.Alternatively, one could do soundness amplification by running the protocol sequentially what would increase the number of rounds. In that case, security loss introduced by the Fiat--Shamir transformation is roughly of factor
(Q + 1)
. Hence, give the example from 3.4.3 increasing the number of repetitions from3
to5
, assumingn < 2^21
and adversary who makes up to2^86
operations should give the required security of about2^-128
.The text was updated successfully, but these errors were encountered: