A survey on SNARKs. Carla Ràfols. Elliptic Curve Cryptography (PowerPoint PPT presentation)



SLIDE 1

A survey on SNARKs

Carla Ràfols, Elliptic Curve Cryptography, Bochum, December 3rd


SLIDE 2

What are ZK Proofs?

[Figure: a Sudoku grid.]

x = “Unsolved Sudoku”, w = “Solved Sudoku”

Peggy: (x, w) → Proof → Victor: x → Accept or Reject

A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else.

SLIDE 3

What are ZK Proofs?

Peggy: (x, w) → “x is true” (x ∈ L) → Victor: x → Accept or Reject

Examples:
  • x = CircuitSat = (there exists w s.t. C(w) = 1), witness w
  • x = (there exist (p, q) s.t. N = pq), w = (p, q)
  • x = (I know sk), w = sk

A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else.

SLIDE 4

Applications

[Figure: a movie database hands over a movie after a proof that the user is over 18.]

Examples: mixing in e-voting, anonymous credentials, anonymous financial transactions.

In a dream world zero-knowledge solves all your privacy concerns: keep your data and prove you have played by the rules.


SLIDE 5

Applications: Verifiable Computation

Query: F(data) = ??   Answer: y = F(data) + proof

Check the correctness of the computation without downloading the data. In some applications a “Proof” (not Zero-Knowledge) is sufficient (the case when skPeggy = ∅).


SLIDE 6

What is a “good” ZK Proof

Performance measured in different parameters.

Peggy: (x, w) → π → Victor: x → b ∈ {0, 1}

  • Expressivity.
  • Prover complexity / Verifier complexity.
  • Proof size.
  • Weaker / Stronger computational assumptions.
  • Need for a trusted Setup.
  • Amount of interaction.
  • Of Knowledge.
  • Private vs Public Verification...


SLIDE 7

What is a “good” ZK Proof

Performance measured in different parameters.

Peggy: (x, w) → π → Victor: x → b ∈ {0, 1}

  • Expressivity.
  • Prover complexity / Verifier complexity.
  • Proof size.
  • Weaker / Stronger computational assumptions.
  • With/without Common Reference String.
  • Amount of interaction. Non-interactive.
  • Of Knowledge.
  • Private vs Public Verification...


SLIDE 8

Properties of ZKProofs

Peggy: (x, w) → π → Victor: x → b ∈ {0, 1}

  • Completeness. If Peggy and Victor behave honestly, the proof will be accepted.
  • Soundness. Peggy cannot prove false statements.
  • Zero-Knowledge. Victor learns nothing beyond the truth of the statement.
  • Of Knowledge. Victor is convinced that the prover knows a witness for the statement being true.


SLIDE 9

Formalizing Zero-Knowledge in the CRS model

Real: Peggy: (CRS, x, w) → π → Victor: (CRS, x) → b ∈ {0, 1}
Simulated: Simulator: (CRS, x, τ) → π → Victor: (CRS, x) → b ∈ {0, 1}

Setting: Common Reference String setting, Non-Interactive. In the (trusted) Setup phase, the common reference string CRS is generated together with a trapdoor τ. The real and simulated settings are indistinguishable.


SLIDE 10

Expressivity: Specific Statements

Until recently “practical ZK” was limited to non-NP-complete languages.

[Figure: mixing in e-voting, encryption, digital signatures.]

  • x = ((g, g^a, g^b, g^c) is a DH tuple), w = (a, b)
  • x = (C1 and C2 have the same plaintext), w = (r1, r2)


SLIDE 11

Expressivity: General Languages until 2009

CircuitSat naturally encodes computation. It is also the “standard” NP-complete problem for ZK proofs.

Proof size is always (at least) linear in the witness size, except for proofs that use the PCP Theorem, non-interactive in the RO model ([Kilian92], [Micali00], ...).


SLIDE 12

PCP-based proofs: General Proof Strategy

(very simplified)

Theorem (PCP Theorem). NP = PCP(O(1), O(log n)) (probabilistically checkable proofs with O(1) queries and log n randomness).

Peggy: (x, w) commits to Π → Victor: x sends queries i1, ..., ik → Peggy opens πi1, ..., πik → Accept or Reject

It was not a practical approach, but proofs were succinct. Non-interactive in the RO model [Micali00].


SLIDE 13

The Hunting of the (practical) SNARK

Succinct Non-Interactive Arguments of Knowledge

“We have sailed many weeks, we have sailed many days, (Seven days to the week I allow), But a Snark, on the which we might lovingly gaze, We have never beheld till now!” (L. Carroll)

SLIDE 14

ZK Proofs History: The Hunting of the SNARK

  • 1989 – Interactive Proof-Systems [GMR89]
  • (...)
  • 2010 – Groth. Succinct argument without PCPs (42 bilinear group elements)
  • 2013 – QAPs: ZK-friendly characterization of NP, linear CRS [GGPR13]. Implementation: Pinocchio: “Nearly Practical Verifiable Computation” [PGHR13]
  • 2014 – ZeroCash
  • 2016 – Groth. Most efficient zk-SNARK (3 bilinear group elements)
  • .... – and so much more...


SLIDE 15

SNARKs: Technical core


SLIDE 16

Overview (not so far from PCPs, after all)

Information Theoretic Step. Circuit → Rank 1 Constraint System $L, R, O$ s.t. $a$ satisfies the circuit $\iff a^\top L \circ a^\top R = a^\top O$ → Quadratic Arithmetic Program $t(x), \{v_i(x), w_i(x), y_i(x)\}_i$ s.t. $a$ satisfies the circuit $\iff t(x)$ divides
$$\Big(\sum_i a_i v_i(x)\Big)\Big(\sum_i a_i w_i(x)\Big) - \sum_i a_i y_i(x).$$

Computational Step. Quadratic Arithmetic Program $t(x), \{v_i(x), w_i(x), y_i(x)\}_i$ → SNARK Compiler → CRS, π.


SLIDE 17

Example

[Figure: arithmetic circuit with inputs a1, a2, a3, a4, gates +, ×2, +, ×, ×, and outputs a5, a6.]

$a_5 = (2a_2)(a_3 + a_4)$, $a_6 = (a_1 + a_2)a_5$


SLIDE 18

Example

[Figure: the same circuit.] $a_5 = (2a_2)(a_3 + a_4)$, $a_6 = (a_1 + a_2)a_5$

$a = (a_1, a_2, a_3, a_4, a_5, a_6)^\top$, and with one column per multiplication gate ($a_5$, $a_6$) and one row per variable $a_1, \dots, a_6$ (entries not shown on the slide are zero):
$$L = \begin{pmatrix} 0 & 1 \\ 2 & 1 \\ 0 & 0 \\ 0 & 0 \\ 0 & 0 \\ 0 & 0 \end{pmatrix},\quad
R = \begin{pmatrix} 0 & 0 \\ 0 & 0 \\ 1 & 0 \\ 1 & 0 \\ 0 & 1 \\ 0 & 0 \end{pmatrix},\quad
O = \begin{pmatrix} 0 & 0 \\ 0 & 0 \\ 0 & 0 \\ 0 & 0 \\ 1 & 0 \\ 0 & 1 \end{pmatrix}$$

$a^\top L \circ a^\top R = a^\top O \iff (2a_2,\ a_1 + a_2) \circ (a_3 + a_4,\ a_5) = (a_5,\ a_6)$


SLIDE 19

Example

$a^\top L \circ a^\top R = a^\top O \iff (2a_2,\ a_1 + a_2) \circ (a_3 + a_4,\ a_5) = (a_5,\ a_6)$

Pick one evaluation point $r_j$ per gate and interpolate each column:
$$L = \begin{pmatrix} v_1(r_1) & v_1(r_2) \\ \vdots & \vdots \\ v_6(r_1) & v_6(r_2) \end{pmatrix},\quad
R = \begin{pmatrix} w_1(r_1) & w_1(r_2) \\ \vdots & \vdots \\ w_6(r_1) & w_6(r_2) \end{pmatrix},\quad
O = \begin{pmatrix} y_1(r_1) & y_1(r_2) \\ \vdots & \vdots \\ y_6(r_1) & y_6(r_2) \end{pmatrix}$$

$a^\top L \circ a^\top R = a^\top O$
$\iff \big(\sum a_i v_i(r_1), \sum a_i v_i(r_2)\big) \circ \big(\sum a_i w_i(r_1), \sum a_i w_i(r_2)\big) = \big(\sum a_i y_i(r_1), \sum a_i y_i(r_2)\big)$
$\iff \big(\sum a_i v_i(X)\big)\big(\sum a_i w_i(X)\big) - \sum a_i y_i(X)$ is divisible by $(X - r_1)(X - r_2)$.


SLIDE 20

QAP

Definition. A quadratic arithmetic program consists of polynomials $\{v_i(x)\}_{i=0}^n$, $\{w_i(x)\}_{i=0}^n$, $\{y_i(x)\}_{i=0}^n$ and $t(x)$. A vector $a$ is accepted by the QAP iff $t(x)$ divides
$$\Big(v_0(x) + \sum a_i v_i(x)\Big)\Big(w_0(x) + \sum a_i w_i(x)\Big) - \Big(y_0(x) + \sum a_i y_i(x)\Big).$$

We have seen how to construct a QAP such that $a$ is accepted if and only if it satisfies the circuit. The polynomials can be computed from the circuit description. Degree of the polynomials: number of gates; number of polynomials: inputs + gates.

Idea for succinctness: check the equality at a single evaluation point!!
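Added worked example, not part of the slides: it builds the QAP of the deck's example circuit (slides 17 to 20) over a prime field, checks that t(X) divides p(X) for a satisfying assignment and fails to for a tampered one, and then runs the single-evaluation-point check of the last bullet in the clear, with no group encoding and no zero-knowledge randomization. The modulus, the roots r1 = 1, r2 = 2 and the sample assignments are constructed choices.

```python
P = 2**61 - 1  # prime field modulus (constructed choice; any large prime works)
def pmul(a, b):  # polynomial product over Z_P, coefficients low degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def pdivmod(num, den):  # long division over Z_P -> (quotient, remainder)
    num, q = num[:], [0] * max(1, len(num) - len(den) + 1)
    inv = pow(den[-1], P - 2, P)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = c = num[i + len(den) - 1] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - c * d) % P
    return q, num[:len(den) - 1]

def peval(a, x):  # evaluate polynomial a at x
    return sum(c * pow(x, k, P) for k, c in enumerate(a)) % P

def interpolate(xs, ys):  # Lagrange: degree < len(xs), value ys[j] at xs[j]
    res = [0] * len(xs)
    for j, xj in enumerate(xs):
        term = [ys[j] % P]
        for m, xm in enumerate(xs):
            if m != j:  # multiply by (X - xm) / (xj - xm)
                inv = pow((xj - xm) % P, P - 2, P)
                term = pmul(term, [-xm * inv % P, inv])
        res = [(r + c) % P for r, c in zip(res, term)]
    return res

def combine(a, polys):  # sum_i a_i * poly_i (all polys have equal length)
    return [sum(ai * p[k] for ai, p in zip(a, polys)) % P for k in range(len(polys[0]))]

# R1CS of the deck's circuit, one column per multiplication gate (a5, a6):
#   a^T L o a^T R = a^T O  <=>  (2a2, a1+a2) o (a3+a4, a5) = (a5, a6)
L = [[0, 1], [2, 1], [0, 0], [0, 0], [0, 0], [0, 0]]
R = [[0, 0], [0, 0], [1, 0], [1, 0], [0, 1], [0, 0]]
O = [[0, 0], [0, 0], [0, 0], [0, 0], [1, 0], [0, 1]]
ROOTS = [1, 2]  # r1, r2 (constructed): t(X) = (X - r1)(X - r2)

def qap():  # v_i(r_j) = L[i][j], w_i(r_j) = R[i][j], y_i(r_j) = O[i][j]
    v, w, y = ([interpolate(ROOTS, row) for row in M] for M in (L, R, O))
    t = [1]
    for r in ROOTS:
        t = pmul(t, [-r % P, 1])
    return v, w, y, t

def prove(a):  # p(X) = (sum a_i v_i)(sum a_i w_i) - sum a_i y_i ;  h = p / t
    v, w, y, t = qap()
    p = pmul(combine(a, v), combine(a, w))
    for k, c in enumerate(combine(a, y)):
        p[k] = (p[k] - c) % P
    h, rem = pdivmod(p, t)
    return p, h, rem  # a satisfying a gives rem == [0, 0], i.e. t divides p

def verify_at_point(a, s):
    # The deck's succinctness idea: test p = h*t at one point s. The verifier sees
    # only V=v(s), W=w(s), Y=y(s), H=h(s), t(s); in the SNARK they sit in the
    # exponent and s is secret, so a cheater cannot just set H := (V*W - Y)/t(s).
    v, w, y, t = qap()
    H = peval(prove(a)[1], s)  # the honest quotient polynomial evaluated at s
    V, W, Y = (peval(combine(a, ps), s) for ps in (v, w, y))
    return H * peval(t, s) % P == (V * W - Y) % P
```

With a = (1, 2, 3, 4, 28, 84) the circuit is satisfied and the remainder is zero; changing a6 to 85 leaves a nonzero remainder 1 − X, so the point check fails at every s except s = 1.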


SLIDE 21

Bilinear map or Pairing

Implicit notation: $[a]_i = a P_i$.

Definition. Let $G_1, G_2, G_T$ be cyclic groups of order $p$ where DLOG is hard, and $P_1, P_2$ generators of $G_1, G_2$ respectively. $e : G_1 \times G_2 \to G_T$ is a non-degenerate bilinear map (or pairing) if for all $([\alpha]_1, [\beta]_2) \in G_1 \times G_2$, $e([\alpha]_1, [\beta]_2) = e(P_1, P_2)^{\alpha\beta}$ (Bilinearity), and $e(P_1, P_2) \neq 1_{G_T}$ (Non-degeneracy).


SLIDE 22

(Bilinear) groups: What can we efficiently do?

(Recall the implicit notation: $[a] = aP$, group of order $p$.) Essentially all we can efficiently do: given $[x_1], \dots, [x_n]$, compute combinations with known linear coefficients $c_i \in \mathbb{Z}_p$:
$$\sum c_i [x_i].$$

In particular, given a polynomial $p(X)$ with known coefficients $c_i \in \mathbb{Z}_p$ and $[1], [s], \dots, [s^q]$:

  • If $p(X)$ is divisible by $t(X)$: $[p(s)/t(s)]$ is easy to compute. With $h(X) := p(X)/t(X)$, $[p(s)/t(s)]_1 = \sum h_i [s^i]$.
  • If $p(X)$ is not divisible by $t(X)$: $[p(s)/t(s)]$ is hard to compute (q-Strong Diffie-Hellman type of assumption).


SLIDE 23

SNARK construction (an abstraction of [ParGenHowRay13])

Setup: chooses $s \leftarrow \mathbb{Z}_p$, evaluates $t(s), \{v_i(s), w_i(s), y_i(s)\}_i$ and appends $[t(s)]_{1,2}, [v_i(s)]_1, [w_i(s)]_2, [y_i(s)]_1, [s^i]$ to the CRS.


SLIDE 24

SNARK construction (an abstraction of [ParGenHowRay13])

Setup: as on the previous slide.

Prover (CRS, $a$): samples $\delta_1, \delta_2, \delta_3 \leftarrow \mathbb{Z}_p^*$ and, combining elements of the CRS, computes
$$V = \Big[\sum a_i v_i(s) + \delta_1 t(s)\Big]_1,\quad W = \Big[\sum a_i w_i(s) + \delta_2 t(s)\Big]_2,\quad Y = \Big[\sum a_i y_i(s) + \delta_3 t(s)\Big],$$
and

  1. A proof $H$ that the divisibility relation holds at point $s$:
     $$H = \left[\frac{1}{t(s)}\Big(\big(\sum a_i v_i(s)\big)\big(\sum a_i w_i(s)\big) - \sum a_i y_i(s) + (\delta_1\delta_2 - \delta_3)\, t(s)\Big)\right]_1,$$
  2. A proof $\Pi$ that $V, W, Y$ are well formed, i.e. in the “span” of $\{v_i(s)\}$ (resp. $\{w_i(s)\}$, $\{y_i(s)\}$) for the same witness.


SLIDE 25

SNARK construction (an abstraction of [ParGenHowRay13])

Setup and Prover: as on the previous slides.

Verifier (CRS, $H, V, W, Y$):

  1. Checks divisibility at point $s$ using pairings:
     $$e(H, [t(s)]_2) \overset{?}{=} e(V, W)\, e(Y, [1]_2)^{-1}.$$
  2. Checks well-formedness of $V, W, Y$ (the proof $\Pi$).


SLIDE 26

SNARK construction: Security

Perfect Zero-Knowledge: randomization! (The proof distribution is uniform conditioned on being accepted by the Verifier.)

Soundness:

  1. Extract a “witness candidate” $a$ from the proof of well-formedness, i.e. $V = \sum a_i v_i(s)$, $W = \sum a_i w_i(s)$, $Y = \sum a_i y_i(s)$.
  2. If the adversary breaks soundness, $p(X) = \big(\sum a_i v_i(X)\big)\big(\sum a_i w_i(X)\big) - \big(\sum a_i y_i(X)\big)$ is not divisible by $t(X)$, but the adversary has computed $p(s)/t(s)$ in the exponent!!

Step 2 is standard (q-Strong DH type). Step 1?


SLIDE 27

SNARK construction: Security II

Proof that $V$ (resp. $W$, $Y$) is in the span of $\{v_i(s)\}$ (resp. $\{w_i(s)\}$, $\{y_i(s)\}$): include in the CRS $\{[\alpha v_i(s)]_1\}$, $[\alpha]_2$.

  • Prover: $V' = \alpha V$.
  • Verifier: $e(V, [1]_2) \overset{?}{=} e(V', [\alpha]_2)$.

Definition (q-Power Knowledge of Exponent Assumption). For every PPT $\mathcal{A}$ which, on input $[1]_1, [s]_1, \dots, [s^q]_1$ and $[\alpha]_1, [\alpha]_2, [\alpha s]_1, \dots, [\alpha s^q]_1$, outputs $V, \alpha V \in G_1$, there exists a PPT extractor which outputs $a_1, \dots, a_q \in \mathbb{Z}_p$ such that $V = \sum a_i [s^i]_1$.

Non-falsifiable assumption. Black-box extraction is information-theoretically impossible; it would also mean that SNARKs contradict known impossibility results (e.g. [GenWic11]).


SLIDE 28

Remarks

  • The construction generalizes to the case where some $a_1, \dots, a_\ell$ are public (the prover computes the secret part of U, V, W; the verifier computes the public part).
  • Simulation: given $s \in \mathbb{Z}_p$, we can simulate any proof by dividing by $t(s)$!!
  • The best zk-SNARK construction, by Groth 2016, is based on similar ideas. With $n$ the circuit size and $\ell$ the number of public inputs: prover computation $O(n \log n)$; verifier computation 3 pairings + $O(\ell)$ exponentiations; size of the common reference string linear in $n$.


SLIDE 29

SNARKs and Verifiable Computation: A dream come true?

Query: F(data) = ??   Answer: y = F(data) + proof

The problem of Verifiable Computation. Pinocchio: first nearly practical solution.

The PROOF is very short and super-efficient to verify. Succinct = independent of F’s size. Not much faster than local computation, but it pays off in applications where Zero-Knowledge is necessary.


SLIDE 30

ZeroCash [BenChiGarGreMieTroVir14]

2014: the first cryptocurrency to use zk-SNARKs to provide anonymity. Bitcoin with a privacy layer, allowing shielded transactions. Essential to have very fast verification. A really important push towards practical zero-knowledge.


SLIDE 31

ZCash Circuit (1)

A circuit of roughly 2 million gates, encoding complex cryptographic operations (like hashing, opening commitments, etc.).

JubJub: a curve specially designed to be “circuit friendly”: exponentiation in the curve is described as quadratic constraints (≈ 4.2 per bit of the exponent).

(1) Slide from E. Tromer, http://www.cs.tau.ac.il/~tromer/istvr1516-files/lecture12-verified-computation.pdf


SLIDE 32

Industrial Interest and Other Applications


SLIDE 33

Open Problems and Research Directions


SLIDE 34

Main Weaknesses of SNARKs

  • Setup: trusted and circuit dependent.
  • Very long common reference string.
  • Slow prover.
  • Very strong assumptions.
  • Models computations as circuits.
  • Only known instantiations in bilinear groups (not post-quantum).


SLIDE 35

In the CRS generator we trust...

[Photo: Z. Wilcox (ZCash) on his knees destroying a computer after parameter generation.]

SNARKs require a trusted party to generate the parameters. Knowledge of the randomness used to generate the parameters: complete failure. Solution: distribute trust.


SLIDE 36

SNARKs: Improving Parameter Generation [GroKohMalMeiMie18]

[Figure: parties a, b, c, d in the Multiparty Computation Model and in the Updatable Model.]

Generate an updatable common reference string phase. Updatable Model: for soundness it suffices that one party is honest, and the CRS can always be updated non-interactively. In [BowGabMie17]: after a trusted setup phase to generate $[s], [s^2], \dots, [s^q]$, the circuit-dependent setup is updatable. Single-phase updatability??


SLIDE 37

The Single Phase Updatability Race

[Figure: parties a, b, c, d in the Multiparty Computation Model and in the Updatable Model.]

Groth et al. Crypto 2018. Maller et al. Sonic (ACM CCS 2019). Marlin. AuroraLight. Plonk. Supersonic...


SLIDE 38

SNARK Alternatives (2)

Bulletproofs: interactive proofs with logarithmic round complexity based on DL. Hyrax and Libra build on the doubly-efficient IP of [GolKalRot08]. Ligero, Stark, Aurora: hash-based. No setup = public or transparent setup. Even asymptotically, far from SNARKs in proof size and verification.

(2) Table from Xie et al. Libra: Succinct Zero-Knowledge Proofs with Optimal Prover, Crypto’19.


SLIDE 39

Succinctness with standard assumptions?


SLIDE 40

Succinct Arguments under Standard Assumptions

Can we find NIZK Arguments for CircuitSat (proving that there is some secret w such that C(w) = 1), or Arguments proving that C(w) is the correct evaluation of C at some public value w, which are

  • non-interactive,
  • publicly verifiable,
  • based on standard assumptions (no Random Oracle, nor knowledge-of-exponent type),
  • with an efficient verifier (more efficient than evaluating C),
  • with a “small” proof?


SLIDE 41

Arguments under Standard Assumptions

Can we find NIZK Arguments for CircuitSat (proving that there is some secret w such that C(w) = 1), NP-complete, or Arguments proving that C(w) is the correct evaluation of C at some public value w, in P, which are

  • non-interactive,
  • publicly verifiable,
  • based on standard assumptions (no Random Oracle, nor knowledge-of-exponent type),
  • with an efficient verifier (more efficient than evaluating C),
  • with a “small” proof?

When w is secret, the best to expect: O(|input|)!!!


SLIDE 42

NIZK Proofs under Standard Assumptions

Until recently (3), all such NIZK proofs for CircuitSat were linear in the number of all wires, except trivial solutions using FHE (where the verifier evaluates the circuit). Commit to the input and all wires; for each gate show that one quadratic equation is satisfied. Gap with the best to expect: O(|input|). When the input is public (as in verifiable computation), no known scheme (with public verifiability, standard assumptions, NI, sublinear verification (4)).

(3) Katsumata et al. at Crypto’19 give proofs of O(|input|) for circuits in NC1.
(4) Except concurrent work of Canetti et al. (eprint IACR) using some form of FHE, and Kalai et al. STOC’19 for general computations.


SLIDE 43

Our Results (5)

  • A proof for Correct Arithmetic and Boolean Circuit Evaluation of size O(d), d the depth (≈ 8d bilinear group elements).
  • A NIZK proof for boolean CircuitSat of size O(n + d), n the input length (≈ 2n + 8d bilinear group elements).

Building on SNARK techniques, but removing falsifiable assumptions (plus other technical challenges).

(5) A. González and C. Ràfols. Shorter Pairing Based Arguments under Standard Assumptions. Asiacrypt’19.

SLIDE 44

Our Results: Starting point

Strategy for achieving linear size: Commit to input and all wires, for each gate show that one quadratic equation is satisfied. Can we use SNARK techniques to aggregate some of these proofs?


SLIDE 45

Revisiting SNARK Techniques

An abstraction: SNARK techniques allow you to prove compactly many degree 1 relations (a flat circuit), given that you have some advice or knowledge of the witness that the adversary used. In SNARKs this knowledge comes from a knowledge assumption; how can we move it to standard assumptions?

[Figure: a flat layer of multiplication gates, e.g. a5 = (2a2)(a3 + a4), ...]


SLIDE 46

Overview: Circuit Level Slicing

Slice the circuit into different levels. In level i we prove many quadratic equations on variables which are the outputs of previous levels.

Main idea: get the knowledge from knowledge of previous levels of the circuit and not from a knowledge assumption.


SLIDE 47

Quadratic Aggregation with Input Knowledge

Assume we know the input assignment used by the prover (e.g. Verifiable Computation, proof of knowledge). Then we know a consistent assignment at each level. Idea: when the prover evaluates inconsistently, the reduction uses its knowledge of the honest openings to break a hard problem. The proof of soundness has two steps: quadratic knowledge transfer, and linear knowledge transfer (much harder). Only knowledge of the input is necessary!!


SLIDE 48

Quadratic Aggregation with Input Knowledge

  • Proof of O(d) when the input is public.
  • Proof of O(|input| + d) under standard assumptions when the input is boolean (e.g. Lifted ElGamal is extractable for plaintexts m ∈ {0, 1}).
  • Security/efficiency tradeoff for SNARKs: use extractable commitments under knowledge assumptions only for the input.
  • Main weakness: circuit-dependent CRS.
  • The input is extracted from extractable commitments when secret, or is public.


SLIDE 49

Thank you!
