zkDaily - 2026-01-31

零知识证明 zkDaily

ZKP Frontier Tracker 🎯

Sat

01.31

2026

Dinocchio: Distributed Prover for Ring Arithmetic

Paper

https://eprint.iacr.org/2026/159

Katerina Sotiraki FHE Lattice

Sotiraki et al. proposed Dinocchio, the first distributed SNARK for ring arithmetic, achieving constant proof size and verification time with significant prover speedup.

Notes

Existing SNARKs are optimized for finite fields, incurring high overhead for ring arithmetic (e.g., lattice-based crypto and FHE).
Dinocchio is the first distributed SNARK for rings with constant proof size and verification time.
Achieves ~m-fold prover time speedup vs. Rinocchio with m sub-provers.
Demonstrated via matrix multiplication, handling ~2^32 constraints beyond prior works.
Microbenchmarks: 128 sub-provers generate proof in ~9.23 hours, verified in <16 seconds.
Addresses verifiability gap in FHE, reducing reliance on honest-but-curious assumptions.

Collected by @icerdesign

零知识证明 zkDaily

Q&A Deep Dive 💬

Sat

01.31

2026

What core problem does Dinocchio address?

Dinocchio addresses the inefficiency of zero knowledge proofs for ring arithmetic. Most SNARKs are optimized for finite fields, causing large overhead when used for rings that underlie lattice cryptography and FHE. Dinocchio achieves constant proof size and constant verification time, making verifiable large scale FHE computations practical.

How does Dinocchio support proofs for large scale matrix multiplication?

Dinocchio encodes matrix multiplication as a ring arithmetic circuit and reduces prover load using distributed sum check and batch evaluation techniques. In experiments, a 2^12 by 2^12 matrix with about 2^32 constraints can still be proven within several hours.

What are the implications of Dinocchio for zkVMs or verifiable FHE systems?

Dinocchio shows that ring arithmetic is no longer the bottleneck for verifiable computation. This enables scalable lattice based zkVMs and verifiable FHE systems that avoid the honest but curious model and support real world linear algebra and batch workloads.

Prompted by @icerdesign