LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs - PowerPoint presentation

  1. LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs
  Matteo Campanelli, Dario Fiore, Anaïs Querol (IMDEA Software Institute, Spain)
  2nd ZKProof Workshop, April 10, 2019

  2. zkSNARKs (the focus of this work)
  From theoretical feasibility to real systems:
  • 1992: succinct arguments [Kilian92, Micali94]
  • 2013: first implemented systems
  • 2019: plenty of schemes and software libraries
  Setting: a Setup outputs the crs; the Prover, holding (x, w), sends a proof 𝝆 to the Verifier, holding x, to convince it that "I know w s.t. R(x, w) = 1".
  Properties:
  • knowledge soundness: the prover must know a valid w
  • zero-knowledge: 𝝆 hides w
  • succinctness: |𝝆| = poly(log|w|), verifier time = poly(|x| + log|w|)
  Two keys of success: succinctness and generality (any NP statement).

  3. zkSNARKs construction paradigm
  target statement → (reduction) → intermediate representation → proof system
  Theory: these representations can capture any NP statement / NP-complete computation R(x, w) = 1.
  Practice: each zkSNARK 𝚸 uses a single representation L_𝚸, and the conversions can be a source of overhead.
  Examples:
  • matrix multiplication C = A ⋅ B → Arithmetic Circuit SAT (R1CS): Pinocchio, Groth16, vSQL, Hyrax, Bulletproofs, Aurora…
  • x = SHA256(w) → Boolean Circuit SAT: ZKBoo, ZKB++, QSP, SSP

  4. computation is often heterogeneous
  We are forced to choose a single unifying representation for the whole computation (Arithmetic Circuit SAT / R1CS: Pinocchio, Groth16, vSQL, Hyrax, Bulletproofs, Aurora…; or Boolean Circuit SAT: ZKBoo, ZKB++, QSP, SSP), which is not necessarily the best for all subroutines.
  Example: R_1(x_1, w_1) ⋀ R_2(x_2, w_1, w_2), "I have an unspent token whose value v complies with an arithmetic policy".
  Can we split the statement and use both systems?

  5. LegoSNARK vision: alternative bottom-up design
  General-purpose zkSNARKs via lightweight linking of specialized zkSNARKs.
  zkSNARKs portfolio ("proof gadgets"); each gadget handles one sub-relation R(x, u, w) over a committed u, and the gadget proofs (𝛒_m, 𝛒_r, 𝛒_b, …) are integrated into one proof of the conjunction (⋀):
  • Arithmetic Circuits (R1CS): Groth16
  • Matrix Mult.
  • low-depth Arithmetic Circuits: Hyrax
  • Hadamard Product: vSQL
  • linear relations F ⋅ u = 0
  • Range: ∀i: u_i ∈ [min, max]
  • Merkle tree membership MerkleT(rt, u, path)
  • Boolean Circuits: ZKB++, SSP

  6. how to achieve this approach?
  Linking must preserve soundness, zero-knowledge, succinctness… and efficiency.
  We build on the commit-and-prove methodology (applied to the same portfolio of proof gadgets as above).

  7. LegoSNARK framework
  • Interface: definitions for commit-and-prove zkSNARKs and for combining proof gadgets
  • Building blocks: proof gadgets to populate the framework
  • Let's play!: applications

  8. LegoSNARK framework
  • Interface: definitions, composition recipes (for commit-and-prove zkSNARKs and for combining proof gadgets)
  • Building blocks: proof gadgets to populate the framework
  • Let's play!: applications

  9. (non-interactive) commitments
  Setup(1^𝝻) → ck
  Com(ck, u) → (c, o)
  VerCom(ck, c, u, o) → 0/1

  10. modeling relations
  Standard model: R(x, w) with statement x and witness w.
  A more granular model: R(x, u, ω) with statement x, committed witness u and free witness ω, i.e. R : D_x × D_u × … × D_ω.

  11. CP-SNARKs
  Def. A CP-SNARK for a relation R(x, u, ω) and a commitment scheme Com is a zkSNARK for the relation R_com ≔ (ck, R) s.t.
    R_com(x, c, u, o, ω) ≔ "R(x, u, ω) = 1 ⋀ VerCom(ck, c, u, o) = 1".
  Minimal definition: the Com scheme is as decoupled as possible from the proof system.

  12. composing CP-SNARKs
  If you have two appropriate bricks you can combine them: from CP_0 for R_0 : D_x0 × D_u × D_ω0 and CP_1 for R_1 : D_x1 × D_u × D_ω1, both over the same Com, we get CP_⋀ for R_⋀ over Com, where
    R_⋀((x_0, x_1), u, (ω_0, ω_1)) ≔ R_0(x_0, u, ω_0) ⋀ R_1(x_1, u, ω_1).
  Simple idea: 𝝆_⋀ = (Com_ck(u), 𝝆_0, 𝝆_1), with 𝝆_0 ← CP_0 and 𝝆_1 ← CP_1.
  Other compositions: disjunction, sequential composition, more than 2 relations.
  Main message: focus on constructing proof gadgets; security is proven once for all.

  13. LegoSNARK framework
  • Interface: definitions, generic composition recipes (for commit-and-prove zkSNARKs and for combining proof gadgets)
  • Building blocks: proof gadgets to populate the framework
  • Let's play!: applications

  14. how to populate the LegoSNARK framework?
  Time to produce bricks (LegoSNARK gadgets)…
  1. import existing zkSNARKs into the framework: we don't want to throw away years of research, and we may want general-purpose systems as a fallback option
  2. construct new CP-SNARKs: exploit the power of specialization

  15. 1. import existing zkSNARKs into the framework
  Candidates: [DFGK14], [Gro16], [Pinocchio], [GM17], and the ~CP-SNARKs [Geppetto], [Lipmaa16], [vSQL], [Bulletp.], [Hyrax].
  Two challenges:
  (a) many popular zkSNARKs are not commit-and-prove. Is this really a limitation? If 𝚸 is general-purpose it can also prove "c_ck(x) opens to x"… but encoding commitment verification in L_𝚸 can be costly (proving a 2048-wide Pedersen commitment takes ~7 mins).
  (b) some others are CP under weaker definitions / have different commitment schemes and keys: how can they speak to each other?

  16. SNARK ⟼ CP-SNARK compiler
  Interesting:
  1. formalize the notion of commit-carrying SNARKs (ccSNARKs): cc𝚸.KeyGen(R) → (ck, crs), cc𝚸.Prove(crs, x, w) → (com_ck(w), 𝝆); the carried commitment need not be fully binding (see paper)
  2. for many existing schemes ([DFGK14], [Gro16], [Pinocchio], [GM17], …) we prove they are ccSNARKs
  3. a cc-SNARK-lifting compiler

  17. ccSNARK-lifting compiler
  A ccSNARK cc𝚸 for R (with its own cc.Com and cc.VerCom) plus the gadget CP_link yields a CP-SNARK CP for R over Com: CP_link links the carried commitment cc.Com(u) to the external commitment Com(u), i.e. it proves both open to the same u.
  Efficiency? This is specialized!

  18. how to populate the LegoSNARK framework?
  LegoSNARK gadgets imported so far via CP_link: [Geppetto], [Lipmaa16], [Gro16], [vSQL].
  Time to produce bricks…
  1. import existing zkSNARKs into the framework: we don't want to throw away years of research, and we may want general-purpose systems as a fallback option
  2. construct new CP-SNARKs: exploit the power of specialization

  19. specialized LegoSNARK gadgets
  For each gadget: relation, commitment scheme, CP scheme, time (Prove, Ver), space (crs, 𝝆), assumption.
  • Pedersen commitments open to the same vector, R_link(c', u, o') ≔ c' ≟ Ped(u, o'), n = |u|: Pedersen*, CP_link; Prove n, Ver 1, crs n, 𝝆 1; AGM
  • Linear properties, R_{F,c}(u) ≔ F ⋅ u ≟ c with F an m × n matrix:
    – Pedersen*, CP_lin; Prove n, Ver 1, crs n, 𝝆 1; AGM
    – PolyCom, CP'_lin; cost figures as given: log m ⋅ n, m ⋅ n, |F| + m + n; q-SDH, KoE, ROM
  • Matrix multiplication, R_mm(X, A, B) ≔ X ≟ A ⋅ B with n × n matrices: PolyCom, CP_mmul; Prove n², Ver n² + log n, crs n², 𝝆 log n; q-SDH, KoE, ROM
  • Hadamard product, R_had(a, b, c) ≔ c ≟ a ∘ b, n = |u|: PolyCom, CP_had; Prove n, Ver log n, crs n, 𝝆 log n; q-SDH, KoE, ROM
  • Self permutation, R_𝜚(u) ≔ ∀i: u_i ≟ u_𝜚(i), n = |u|: PolyCom, CP_sfprm; Prove n, Ver log n, crs n, 𝝆 log n; q-SDH, KoE, ROM
  Pedersen* = any Pedersen-like commitment. PolyCom from [zk-vSQL]. AGM = 'Algebraic Group Model'. Also listed per gadget: universal crs (yes / no) and updatable crs (yes / to be proven).

  20. techniques
  The gadget table of slide 19, annotated with the underlying techniques:
  • Pedersen-based gadgets (CP_link, CP_lin): a knowledge version of QA-NIZKs for linear subspaces
  • PolyCom-based gadgets (matrix multiplication, Hadamard product, …): multivariate polynomial commitments and zero-knowledge sum-check

  21. LegoSNARK framework (summary)
  • Interface: definitions; generic composition recipes
  • Building blocks: import existing SNARKs (LegoGro16: CP version of Groth16, 5000x faster); new specialized CP-SNARKs: proofs for linear, Hadamard, matrix mult, permutation…
  • Let's play!: LegoUAC, a CP-SNARK for Arith. Circ. with universal linear-size CRS
