When MPC in the Head Meets VC

Li Liu, Puwen Wei

INFORMATION SECURITY PRACTICE AND EXPERIENCE, ISPEC 2023 (2023)

Abstract
In this paper, we investigate zero-knowledge proof systems based on the "MPC-in-the-head" paradigm (MPCitH), which offers the advantages of fast proof generation and post-quantum security. However, current constructions suffer from the drawbacks of large proof sizes and high memory consumption. In particular, as the underlying circuit grows, the proof size increases significantly, and the machine executing the MPCitH-based protocol quickly exceeds its memory bounds because of the multiple parallel executions of the MPC. To overcome this challenge, we present the VC-then-MPCitH paradigm, which integrates verifiable computation (VC) techniques into MPCitH. We implement our protocol using the concrete VC protocol Virgo++ and the MPCitH protocol BN++. Leveraging the properties of the underlying protocols, we can embed Virgo++ into BN++ efficiently. The resulting protocol significantly reduces the memory consumption and the computation and communication costs of MPCitH for large circuits. We evaluate our protocol on a circuit over the field F_{2^128} consisting of 40,006 multiplication gates and almost 100,000 gates in total. With a soundness error of 2^-128, our protocol can generate proofs of size 8891 KB in 86 ms and verify them in 70 ms. Furthermore, our protocol outperforms BN++ with the same parameter settings, reducing the proof size by a factor of 10 and shortening both the prover and verifier time by 13 times. On a resource-constrained device that offers 10 GB of memory, our protocol can effectively handle circuits with up to 10 million gates, whereas BN++ only supports circuits with up to 330,000 gates.
Keywords
Zero-knowledge, MPC-in-the-head, Post-quantum