Research

Mercury MLPCS Achieves Constant Proof Size and Linear Prover Time

Mercury, a new pairing-based multilinear polynomial commitment scheme, fundamentally resolves the proof size versus prover time trade-off for scalable verifiable computation.
November 30, 20254 min

The image showcases a sophisticated, brushed metallic device with a prominent, glowing blue central light, set against a softly blurred background of abstract, translucent forms. A secondary, circular blue-lit component is visible on the device's side, suggesting multiple functional indicators
A central, white, segmented cylindrical mechanism forms the core, flanked by clusters of metallic blue, geometric blocks. Soft, white, cloud-like formations partially obscure these block clusters, creating a dynamic interplay

Briefing

The core research problem in verifiable computation is the inherent trade-off between the succinctness of a proof and the computational cost for the prover. Existing multilinear polynomial commitment schemes (MLPCS), foundational to ZK-SNARKs, forced developers to choose between logarithmic proof size with linear prover time or constant proof size with $O(n log n)$ prover time. This paper introduces the Mercury MLPCS, which achieves the optimal combination → a constant-size opening proof coupled with a near-linear $O(n)$ prover complexity. This breakthrough, enabled by a novel verifiable witness folding method using univariate polynomial division, fundamentally lowers the computational barrier for generating zero-knowledge proofs, thereby making large-scale ZK-rollup execution dramatically more cost-effective and practical for ubiquitous deployment.

Interconnected white and transparent blue cylindrical modules form a linear chain, with the blue sections revealing intricate glowing internal structures. A prominent central connection highlights a metallic shaft joining two modules, one opaque white and the other translucent blue

Context

Before Mercury, the design of efficient, pairing-based multilinear polynomial commitment schemes was constrained by a critical asymptotic trade-off. Schemes based on the KZG construction either required complex, time-consuming Fast Fourier Transforms (FFTs) resulting in $O(n log n)$ prover time to achieve the desirable constant proof size, or they sacrificed succinctness, resulting in a logarithmic $O(log n)$ proof size to maintain a faster linear $O(n)$ prover time. This established limitation forced a compromise in the foundational efficiency of all subsequent SNARK protocols that rely on multilinear extensions and the Sum-Check protocol.

A detailed close-up shot captures a complex, futuristic mechanical device with metallic silver and translucent blue components. Glowing blue specks are visible within the blue sections, suggesting internal activity and digital processes

Analysis

Mercury’s core mechanism integrates the succinctness of KZG with an efficient prover by introducing a new, verifiable folding technique. A polynomial commitment allows a prover to commit to a large polynomial with a single, short cryptographic string. The breakthrough lies in how the prover demonstrates the polynomial’s correct evaluation at a challenge point.

Instead of performing a costly, full-scale computation, Mercury uses univariate polynomial division to recursively fold the commitment and the witness into smaller, constant-sized components. This folding process is itself verifiable and ensures that the proof size remains constant regardless of the original polynomial’s size, while the prover’s work scales linearly with the input, bypassing the previous $O(n log n)$ complexity bottleneck.

The close-up displays interconnected white and blue modular electronic components, featuring metallic accents at their precise connection points. These units are arranged in a linear sequence, suggesting a structured system of linked modules operating in unison

Parameters

  • Prover Complexity → $O(n)$ field operations. (Achieves linear-time complexity for proof generation, a major improvement over $O(n log n)$.)
  • Proof Size → Constant number of field elements. (The ideal size for succinctness, independent of the input size $n$.)
  • Scalar Multiplications → $2n + O(sqrt{n})$. (A concrete measure of the prover’s elliptic curve work.)
  • Core Technique → Univariate polynomial division. (The new method for verifiably folding the witness.)

A close-up view reveals complex, interconnected metallic machinery, featuring sleek silver and dark grey components, accented by bright blue glowing tubes or conduits. The intricate structure displays various circular nodes and linear tracks, conveying a sense of advanced engineering and precise functionality

Outlook

This foundational cryptographic efficiency improvement immediately opens new avenues for ZK-rollup architecture. In the next 3-5 years, this MLPCS will be integrated into next-generation SNARKs, enabling rollups to process significantly larger batches of transactions with lower gas costs for proof verification. The research trajectory will now shift toward optimizing the constant factors in the $O(n)$ prover complexity and exploring how this constant-size, linear-time primitive can be applied to other resource-intensive cryptographic protocols, such as verifiable data storage and private machine learning.

The image displays a high-tech modular hardware component, featuring a central translucent blue unit flanked by two silver metallic modules. The blue core exhibits internal structures, suggesting complex data processing, while the silver modules have ribbed designs, possibly for heat dissipation or connectivity

Verdict

The Mercury MLPCS establishes a new asymptotic efficiency standard for zero-knowledge proofs, directly accelerating the practical deployment of scalable, verifiable computation.

Multilinear polynomial commitment, constant proof size, linear prover time, verifiable folding technique, zero-knowledge SNARKs, scalable verifiable computation, KZG based scheme, succinct cryptographic argument, polynomial division, elliptic curve pairing, proof generation cost, ZK rollup efficiency, asymptotic complexity, foundational cryptography, witness commitment, sum check protocol, algebraic properties, prover work optimization, constant size proof, cryptographic primitive Signal Acquired from → eprint.iacr.org

Micro Crypto News Feeds

multilinear polynomial commitment

Definition ∞ A multilinear polynomial commitment is a cryptographic scheme that allows a prover to commit to a multilinear polynomial and later reveal its evaluations at specific points.

polynomial commitment schemes

Definition ∞ Polynomial commitment schemes are cryptographic primitives that allow a prover to commit to a polynomial and later reveal specific evaluations of that polynomial without disclosing the entire polynomial itself.

polynomial commitment

Definition ∞ Polynomial commitment is a cryptographic primitive that allows a prover to commit to a polynomial in a concise manner.

computation

Definition ∞ Computation refers to the process of performing calculations and executing algorithms, often utilizing specialized hardware or software.

prover complexity

Definition ∞ Prover complexity is a measure of the computational resources, specifically time and memory, required by a "prover" to generate a cryptographic proof in zero-knowledge or other proof systems.

succinctness

Definition ∞ Succinctness refers to the quality of being brief but comprehensive in expression.

elliptic curve

Definition ∞ An elliptic curve is a specific type of smooth, non-singular algebraic curve defined by a cubic equation.

efficiency

Definition ∞ Efficiency denotes the capacity to achieve maximal output with minimal expenditure of effort or resources.

verifiable computation

Definition ∞ Verifiable computation is a cryptographic technique that allows a party to execute a computation and produce a proof that the computation was performed correctly.

Tags:

Tags: