1970-01-01

(2026-03) RoKoko; Lattice-based Succinct Arguments, a Committed Refinement

[[Michael Klooss]]
[[Russell W. F. Lai]]
[[Ngoc Khanh Nguyen]]
[[Michał Osadnik]]
[[Lorenzo Tucci]]

2026-03-23

Abstract

We present RoKoko, a new lattice-based succinct argument system that achieves a linear-time prover alongside polylogarithmic communication and verifier complexity. Asymptotically, our construction improves upon RoK and Roll (ASIACRYPT 2025), the first post-quantum SNARK with $\tilde{O}(\lambda)$ proof size, by a multiplicative factor of $\Theta(\log \lambda)$ . Practically, our system yields proofs of roughly $200$ KB, while outperforming the state-of-the-art polynomial commitment scheme Greyhound (CRYPTO 2024) with a $100\times$ faster verification time, similar prover time, and competitive proof size. Our framework natively supports (tensor-)structured relations, such as polynomial evaluation and sumcheck relations.

At a high level, our construction follows the recursive split-and-fold paradigm: the prover first splits the witness into $\rho$ sub-witnesses, sends the corresponding cross-terms, and then folds them into a single witness that is shorter by a factor of $\rho$ using verifier challenges. Prior works typically restrict $\rho = O(1)$ to preserve succinct verification and maintain the optimal $\tilde{O}(\lambda)$ proof size. We overcome this “constant barrier”, which enables larger $\rho$ and thereby reduces the proof size. To achieve this, we introduce the following technical contributions.

(i) Committed folding. Instead of sending $O(\rho)$ cross-terms in the clear, the prover commits to the messages and later proves that the committed vector satisfies the verification relations. This enables the use of a larger shrinking factor, thereby reducing the number of recursion rounds. While this strategy has been successfully used in LaBRADOR (CRYPTO 2023), additional care is required here to preserve succinct verification. (ii) Recursive commitments. We generalise the double-commitment technique from LaBRADOR into a framework for recursive commitments, yielding further compression in commitment size. This results in concrete improvements in communication within each recursion round. (iii) Sumcheck-driven structured recursion. We extend the sumcheck framework from SALSAA (ePrint 2025/2124) to prove substantially more complex constraints arising in our construction (and open for future extensions), including correctness of random projections, inner-product claims and well-formedness of recursive commitments. While expressing these constraints as sumcheck relations requires considerable technical effort, the resulting protocols compose seamlessly with the structured recursion, yielding both linear-time proving and succinct verification.