
Formal Verification of the Sumcheck Protocol (2402.06093v1)

Published 8 Feb 2024 in cs.CR and cs.LO

Abstract: The sumcheck protocol, introduced in 1992, is an interactive proof which is a key component of many probabilistic proof systems in computational complexity theory and cryptography, some of which have been deployed. However, none of these proof systems based on the sumcheck protocol enjoy a formally-verified security analysis. In this paper, we make progress in this direction by providing a formally verified security analysis of the sumcheck protocol using the interactive theorem prover Isabelle/HOL. We follow a general and modular approach. First, we give a general formalization of public-coin interactive proofs. We then define a generalized sumcheck protocol for which we axiomatize the underlying mathematical structure and we establish its soundness and completeness. Finally, we prove that these axioms hold for multivariate polynomials, the original setting of the sumcheck protocol. Our modular analysis facilitates formal verification of sumcheck instances based on different mathematical structures with little effort, by simply proving that these structures satisfy the axioms. Moreover, the analysis supports the development and formal verification of future cryptographic protocols using the sumcheck protocol as a building block.


Summary

  • The paper presents a formal verification of the sumcheck protocol using Isabelle/HOL to prove its soundness and completeness.
  • The study employs an axiomatization of multivariate polynomial properties and modular instantiation with concrete cases.
  • The verified protocol enhances reliability in cryptographic designs and paves the way for future formal analyses of similar systems.

Overview of Formal Verification of the Sumcheck Protocol

The paper "Formal Verification of the Sumcheck Protocol" presents a comprehensive study and formal verification of the sumcheck protocol, an interactive proof that is fundamental to computational complexity theory and to many cryptographic proof systems. The verification is carried out in the Isabelle/HOL theorem prover, which provides a rigorous framework for machine-checking mathematical proofs and protocol definitions. The overarching aim is to improve the reliability of cryptographic systems that use the sumcheck protocol as a component, closing the gap left by pen-and-paper proofs, whose misinterpretation or oversight can lead to security vulnerabilities.

Abstract and Goals

The sumcheck protocol is an interactive proof in which a prover convinces a verifier that the sum of a multivariate polynomial over a finite field, taken over a fixed set of evaluation points, equals a claimed value, without the verifier computing the sum itself. In each round the prover sends a univariate polynomial, and the verifier checks it against the current claim and replies with a random challenge. Despite its use in many cryptographic applications, prior instantiations lacked machine-checked proofs of correctness, leaving systems susceptible to flaws in the security argument and in its implementation.

The authors leverage Isabelle/HOL to create a modular and general framework for formalizing and verifying the sumcheck protocol. By doing so, the research aims to not only guarantee the soundness and completeness of this protocol but also address broader security considerations in cryptosystems reliant on similar proof structures.

Methodology

The research proceeds through three primary stages of development:

  1. Axiomatization of Multivariate Polynomial Properties: The paper first distills the necessary mathematical structures and properties pertinent to multivariate polynomials used within the sumcheck protocol. These include axioms related to polynomial evaluation, degree properties, and variable handling.
  2. Formal Definition and Proof of Protocol Security: The authors formalize the protocol in Isabelle/HOL, expressing each step of the prover-verifier interaction in precise logical terms. They then formally establish the two key security properties: completeness, which guarantees that valid proofs from honest provers are accepted, and soundness, which guarantees that false claims from dishonest provers are rejected with high probability.
  3. Instantiation with Concrete Polynomials: To demonstrate the feasibility of their approach, the authors instantiate their abstract definitions with concrete representations of multivariate polynomials, connecting them back to Isabelle's library. This step affirms both the consistency of their framework with mathematical theory and its applicability to real-world cryptographic systems.

Results and Contributions

The formal analysis successfully establishes the sumcheck protocol's soundness and completeness. It demonstrates that:

  • The protocol is complete for any legitimate input (i.e., a correct claim made by an honest prover is accepted with probability 1).
  • The sumcheck protocol is sound against malicious provers, with a soundness error bounded in terms of the polynomial's degree and number of variables relative to the field size, thereby protecting cryptographic applications against fraudulent claims.
  • The abstraction and modularity of their formalization mean that this work can lay the groundwork for formal analyses of other complex protocols that utilize similar structures.
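To make the completeness and soundness statements above concrete, here is an added Python model of the sumcheck protocol over a small prime field; it is illustration code written for this summary, not the paper's Isabelle/HOL development. An honest prover is always accepted, while a prover that forges its first message is accepted only when the verifier's challenge hits one of the d points where the forgery agrees with the honest message, which is the d/|F| per-round soundness error. The polynomial, field size and cheating strategy are constructed for the demo.

```python
import math
import random
from itertools import product

P = 101  # constructed toy prime field F_101; real deployments use ~256-bit fields


def evaluate(poly, point):
    # poly maps exponent tuples to coefficients; evaluate at point over F_P
    return sum(c * math.prod(pow(x, e, P) for x, e in zip(point, exps))
               for exps, c in poly.items()) % P


def hypercube_sum(poly, n):
    # the value an honest prover claims: the sum of poly over all of {0,1}^n
    return sum(evaluate(poly, pt) for pt in product((0, 1), repeat=n)) % P


def lagrange_at(evals, r):
    # interpolate univariate g from g(0..d) and evaluate it at r (Lagrange basis mod P)
    d, total = len(evals) - 1, 0
    for j, yj in enumerate(evals):
        num = math.prod(r - m for m in range(d + 1) if m != j)
        den = math.prod(j - m for m in range(d + 1) if m != j)
        total += yj * num * pow(den % P, P - 2, P)
    return total % P


def honest_round(poly, n, d, fixed):
    # g_i(t) for t = 0..d: earlier variables fixed to challenges, later ones summed over {0,1}
    free = n - len(fixed) - 1
    return [sum(evaluate(poly, (*fixed, t, *rest)) for rest in product((0, 1), repeat=free)) % P
            for t in range(d + 1)]


def verify(poly, n, d, claim, prover, challenges=None):
    # verifier: per-round degree and consistency checks, then a single oracle query to poly
    fixed = []
    for i in range(n):
        evals = prover(fixed)
        if len(evals) != d + 1 or (evals[0] + evals[1]) % P != claim:
            return False                                          # degree bound or g_i(0)+g_i(1) != claim
        r = challenges[i] if challenges else random.randrange(P)  # public-coin challenge
        claim, fixed = lagrange_at(evals, r), fixed + [r]         # the next claim is g_i(r)
    return evaluate(poly, tuple(fixed)) == claim


def lying_prover(poly, n, d, delta):
    # forges g_1 by adding delta to g_1(0) only, then behaves honestly; the forged g_1 agrees
    # with the honest one at challenge r exactly when r is in {1..d}, so it escapes with prob. d/P
    def prover(fixed):
        evals = honest_round(poly, n, d, fixed)
        if not fixed:
            evals[0] = (evals[0] + delta) % P
        return evals
    return prover


# constructed example: p(x1, x2) = 2*x1^2*x2 + x1 + 3*x2 + 1, so n = 2 variables, degree d = 2
POLY, N, D = {(2, 1): 2, (1, 0): 1, (0, 1): 3, (0, 0): 1}, 2, 2
```

Passing `challenges=None` makes `verify` draw fresh random challenges, which is the actual protocol; the fixed challenge lists are only there to make the accept and reject cases reproducible.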

Implications and Future Work

The implications of this research extend to various domains within computational theory and practice:

  • Security Assurance: By providing a formal foundation, the paper enhances the security assurances offered by cryptographic protocols incorporating the sumcheck mechanism.
  • Cryptographic Design: This work informs the development of future cryptographic designs, underlining the importance of formal methods in anticipating and precluding potential protocol failures or vulnerabilities.
  • Framework for Future Analyses: The modular approach paves the way for formal verification of other algebraic protocols in both complexity theory and cryptography, promising enhancements in broader cryptographic safety and reliability.

The authors call for further formal verification work encompassing various generalizations and adaptations of the sumcheck protocol, stressing the need for machine-checkable security analyses as cryptographic protocols grow more intricate and integral to digital safety.
