LegoSNARK
Modular Design and Composition of Succinct Zero-Knowledge Proofs
Matteo Campanelli, Dario Fiore, Anaïs Querol (IMDEA Software Institute, Spain)
2nd ZKProof Workshop, April 10, 2019
zkSNARKs: the focus of this work

Setup(R) → crs. The prover holds (x, w) and sends the verifier a proof π of "I know w s.t. R(x, w) = 1"; the verifier holds only (x, π, crs).
- knowledge soundness: the prover must know a valid w
- zero-knowledge: π hides w
- succinctness: |π| = poly(log|w|), verification time = poly(|x| + log|w|)
From theoretical feasibility to real systems
- 1992: succinct arguments [Kilian92, Micali94]
- 2013: first implemented systems
- 2019: plenty of schemes and software libraries
Two keys of this success:
- succinctness
- generality: any NP statement R(x, w) = 1 over an NP-complete language L_R, e.g. x = SHA256(w), so any computation can be captured
Source of overhead: each zkSNARK Π uses a single intermediate representation
target statement (e.g. matrix multiplication C = A·B) → reduction → intermediate representation → proof system Π → proof π
- Arithmetic circuit SAT (R1CS): Pinocchio, Groth16, vSQL, Hyrax, Bulletproofs, Aurora, …
- Boolean circuit SAT: ZKBoo, ZKB++, QSP, SSP
One is forced to choose a single unifying representation for the whole computation, which is not necessarily the best for all of its subroutines.
Example: "I have an unspent token whose value v complies with an arithmetic policy", i.e. R1(x1, w1) ∧ R2(x2, w1, w2), where one conjunct is naturally a Boolean circuit (ZKBoo, ZKB++, QSP, SSP) and the other an arithmetic circuit (Pinocchio, Groth16, vSQL, Hyrax, Bulletproofs, Aurora, …), yet a single Π must encode both in its one language.
Can we split the statement and use both systems?
This work: general-purpose zkSNARKs via lightweight linking of specialized zkSNARKs.
A zkSNARK portfolio of "proof gadgets", each with its own representation:
- Groth16: arithmetic circuits (R1CS)
- Hyrax, vSQL: low-depth arithmetic circuits
- specialized proof systems for Hadamard products, matrix multiplication, ranges
- ZKB++, SSP: Boolean circuits
Example statement: R(x, u, w) := MerkleT(rt, u, path) ∧ F·u = 0 ∧ ∀i: u_i ∈ [min, max]
Each conjunct is proved with the best-suited gadget; the sub-proofs (π_m, π_r, π_b) are integrated into a single proof π.
Proof integration: the linking must preserve soundness, zero-knowledge, succinctness… and efficiency.
We build on the commit-and-prove methodology.
Outline
- Interface: for commit-and-prove zkSNARKs
- Building blocks: to populate the framework
- Let's play!: combining proof gadgets
Commitment scheme interface: Setup(1^λ) → ck; Com(ck, u) → (c, o); VerCom(ck, c, u, o) → 0/1
A more granular model: the relation takes a statement x, a committed witness u and a free witness ω, written R(x, u, ω).
Minimal definition: the commitment scheme is kept as decoupled as possible from the proof system.
A commit-and-prove SNARK CP_R is a brick labelled (R, Com). If you have two appropriate bricks you can combine them:
R0 over D_x^0 × D_u × D_ω^0 and R1 over D_x^1 × D_u × D_ω^1 share the committed-witness domain D_u, and
R∧((x0, x1), u, (ω0, ω1)) := R0(x0, u, ω0) ∧ R1(x1, u, ω1).
Simple idea: π∧ = (Com_ck(u), π0, π1) with π0 ← CP0 and π1 ← CP1, i.e. CP0 (R0, Com) + CP1 (R1, Com) = CP∧ (R∧, Com).
Main message: focus on constructing proof gadgets; the security of the composition is proven once and for all.
Building blocks: to populate the framework
We don't want to throw away years of research (and may want general-purpose systems as a fallback option), and we want to exploit the power of specialization.
Time to produce bricks: LegoSNARK gadgets. Two challenges:
(a) Many popular zkSNARKs are not commit-and-prove. Is this really a limitation? If Π is general-purpose it can also prove "c_ck(x) opens to x", but encoding the commitment verification in L_Π can be costly: proving a 2048-wide Pedersen commitment this way takes ~7 minutes.
(b) Some others are CP only under weaker definitions, or have different commitment schemes and keys: how can they speak to each other?
Lifting zkSNARKs to CP-SNARKs. [Gro16], [Pinocchio], [DFGK14], [Geppetto], [Lipmaa16], [vSQL], [Bulletp.], [GM17] and [Hyrax] are "almost" commit-and-prove (~CP-SNARKs): their proof already contains a commitment to the witness,
ccΠ.KeyGen(R) → (ck, crs), ccΠ.Prove(crs, x, w) → (com_ck(w), π).
Interesting: this internal commitment need not be fully binding (see paper).
LegoSNARK gadget CPlink: a CP-SNARK for the relation cc.VerCom, "the internal commitment cc.Com(u) of ccΠ and an external commitment Com(u) open to the same u". Composing ccΠ (relation R, commitment cc.Com) with CPlink (relation cc.VerCom, commitment Com) yields a full CP-SNARK CP_R for (R, Com).
Efficiency? CPlink is specialized to this one relation, so the link is cheap.
CPlink is the gadget that lifts [Gro16], [Geppetto], [Lipmaa16] and [vSQL].
LegoSNARK gadgets (asymptotic costs; n = |u| unless stated otherwise)

Relation                                                   Commitment   CP scheme   Prove       Ver         |crs|   |π|         Assumption
Pedersen commitments open to the same vector:              Pedersen*    CPlink      n           1           n       1           AGM
  Rlink(c', u, o') := c' ≟ Ped(u, o')
Linear properties: R_{F,c}(u) := F·u ≟ c, F is m×n         Pedersen*    CPlin       n           1           n       1           AGM
                                                           PolyCom      CP'lin      |F|+m+n     log(m·n)    m·n     log(m·n)    q-SDH, KoE, ROM
Matrix multiplication: Rmm(X, A, B) := X ≟ A·B, n×n        PolyCom      CPmmul      n²          n²+log n    n²      log n       q-SDH, KoE, ROM
Hadamard product: Rhad(a, b, c) := c ≟ a∘b                 PolyCom      CPhad       n           log n       n       log n       q-SDH, KoE, ROM
Self permutation: R_ϱ(u) := ∀i: u_i ≟ u_ϱ(i)               PolyCom      CPsfprm     n           log n       n       log n       q-SDH, KoE, ROM

Pedersen* = any Pedersen-like commitment. PolyCom = the polynomial commitment from [zk-vSQL]. AGM = Algebraic Group Model. The slide further marks each scheme's crs as universal (yes/no) and updatable (yes / to be proven).
Techniques: CPlin is a knowledge-sound version of QA-NIZKs for linear subspaces; the PolyCom gadgets rely on multivariate polynomial commitments and zero-knowledge sum-check.

Let's play!: combining proof gadgets
- the linear, Hadamard, matrix-multiplication, permutation, … gadgets can prove statements about data committed with a "classical" Pedersen vector commitment
- Groth16 with 5000× faster proofs over committed data (LegoGro16)
- a universal, linear-size CRS (LegoUAC)
LegoGro16 vs. CPGroth16 (Groth16 with the Pedersen opening encoded inside the circuit), proving over a commitment to n field elements

              Prove (n=8)   Prove (n=2048)   Ver      |crs| (n=8)   |crs| (n=2048)   |π|
LegoGro16     0.003 s       0.08 s           4.1 ms   0.5 KB        130 KB           191 B
CPGroth16     1.2 s         428 s            3.4 ms   3.6 MB        935 MB           127 B

At n = 2048: 5000× speedup in proving and a 7000× shorter crs.
The commitment key ck is just random group elements: no trusted setup, and it can be generated a priori.
CPGroth16 already uses a SNARK-friendly R1CS encoding of the Pedersen verification.
Construction: Groth16 (relation QAP, internal commitment Gro16.Ped) + CPlink (links Gro16.Ped to Pedersen*) = LegoGro16 (relation QAP, commitment Pedersen*), a byproduct of our lifting compiler.
LegoUAC: arithmetic circuit SAT from gadgets
Groth09 encoding of arithmetic circuit satisfiability. Collect the left, right and output wire values of the addition gates in u^a_L, u^a_R, u^a_O and those of the multiplication gates in u^m_L, u^m_R, u^m_O (the slide's picture: inputs x1, x2, x3 feeding + and × gates). The circuit is satisfied iff

  u^a_L + u^a_R = u^a_O  ∧  u^m_L ∘ u^m_R = u^m_O  ∧  "wire consistency of (u^a_L, u^a_R, u^a_O, u^m_L, u^m_R, u^m_O)"

i.e.

  R_add(u^a_L, u^a_R, u^a_O) ∧ R_had(u^m_L, u^m_R, u^m_O) ∧ R_sfprm,ϱ(u^a_L, u^a_R, u^a_O, u^m_L, u^m_R, u^m_O),

where wire consistency is a self-permutation ϱ of the concatenated vector (the positions carrying the same wire form the cycles of ϱ).
R_add comes for free if the commitment is additively homomorphic; the other two relations are exactly the CPhad and CPsfprm gadgets:
CPhad (Rhad, Com) + CPsfprm (Rsfprm, Com) = LegoUAC (arithmetic circuit SAT, Com).
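The Groth09 decomposition into R_add ∧ R_had ∧ R_sfprm, as an added example that is not the paper's code: it lays out the six wire vectors for a small constructed circuit, builds the wire-consistency permutation ϱ, and shows that a cheating assignment can satisfy every per-gate check while failing the permutation check. The gate format, the toy field and the circuit are this example's own choices; the real gadgets prove these relations on committed vectors, whereas here they are checked in the clear.

```python
# Added example, not the paper's code: the Groth09-style encoding of arithmetic
# circuit satisfiability that LegoUAC proves gadget by gadget. The circuit becomes
# six vectors (left/right/output wires of the addition gates, then of the
# multiplication gates) plus a permutation rho on their concatenation U, and
#   SAT  <=>  R_add(uL^a,uR^a,uO^a)  and  R_had(uL^m,uR^m,uO^m)  and  R_sfprm_rho(U).
# Gate format, toy field and sample circuit are this example's own choices.
from collections import defaultdict
from typing import Dict, List, Tuple

FIELD = 2**61 - 1                  # toy prime field; the real system works in the pairing group's field
Gate = Tuple[str, str, str, str]   # (op, left_wire, right_wire, out_wire), op in {"add", "mul"}

def evaluate(gates: List[Gate], inputs: Dict[str, int]) -> Dict[str, int]:
    """Honest prover: compute every wire value from the inputs."""
    wires = dict(inputs)
    for op, l, r, o in gates:
        wires[o] = (wires[l] + wires[r]) % FIELD if op == "add" else wires[l] * wires[r] % FIELD
    return wires

def encode(gates: List[Gate], wires: Dict[str, int]) -> dict:
    """Lay out U = (uL^a, uR^a, uO^a, uL^m, uR^m, uO^m) and build rho: a wire that
    occurs at k positions of U becomes a k-cycle of rho, so that
    U[i] == U[rho[i]] for all i  <=>  every wire carries one value everywhere."""
    adds = [g for g in gates if g[0] == "add"]
    muls = [g for g in gates if g[0] == "mul"]
    layout = [g[j] for group in (adds, muls) for j in (1, 2, 3) for g in group]
    positions = defaultdict(list)
    for pos, w in enumerate(layout):
        positions[w].append(pos)
    rho = list(range(len(layout)))
    for occ in positions.values():
        for j, pos in enumerate(occ):
            rho[pos] = occ[(j + 1) % len(occ)]
    return {"U": [wires[w] for w in layout], "rho": rho, "layout": layout,
            "na": len(adds), "nm": len(muls)}

def split(U: List[int], na: int, nm: int):
    """Recover the six blocks of U from the gate counts."""
    a = [U[i * na:(i + 1) * na] for i in range(3)]
    m = [U[3 * na + i * nm:3 * na + (i + 1) * nm] for i in range(3)]
    return a, m

def r_add(uL, uR, uO) -> bool:
    """Free on an additively homomorphic commitment: Com(uL) + Com(uR) == Com(uO)."""
    return all((l + r) % FIELD == o for l, r, o in zip(uL, uR, uO))

def r_had(uL, uR, uO) -> bool:      # the relation the CPhad gadget proves on commitments
    return all(l * r % FIELD == o for l, r, o in zip(uL, uR, uO))

def r_sfprm(U, rho) -> bool:        # the relation the CPsfprm gadget proves on commitments
    return all(U[i] == U[rho[i]] for i in range(len(U)))

def check(enc: dict) -> Dict[str, bool]:
    (aL, aR, aO), (mL, mR, mO) = split(enc["U"], enc["na"], enc["nm"])
    res = {"add": r_add(aL, aR, aO), "had": r_had(mL, mR, mO),
           "perm": r_sfprm(enc["U"], enc["rho"])}
    res["sat"] = all(res.values())
    return res

# Constructed sample circuit: w7 = x1 * (x1 + x2) * x3 + x3
CIRCUIT: List[Gate] = [("add", "x1", "x2", "w4"), ("mul", "w4", "x3", "w5"),
                       ("mul", "x1", "w5", "w6"), ("add", "w6", "x3", "w7")]

def demo() -> dict:
    wires = evaluate(CIRCUIT, {"x1": 2, "x2": 3, "x3": 5})
    honest = encode(CIRCUIT, wires)
    # Cheating prover: claims output w7 = 10 by feeding the last addition gate a
    # different copy of w6 (5 instead of 50). Every per-gate check still passes;
    # only the wire-consistency permutation ties that copy to the real w6.
    cheat = dict(honest, U=list(honest["U"]))
    cheat["U"][honest["layout"].index("w6")] = 5    # first occurrence = uL^a slot of the last add gate
    cheat["U"][honest["layout"].index("w7")] = 10
    return {"output": wires["w7"], "honest": check(honest), "cheat": check(cheat)}
```

The layout is what makes the addition check cheap in the committed setting: if the prover commits to each of the six blocks separately with an additively homomorphic commitment, the verifier checks R_add by comparing Com(u^a_L) + Com(u^a_R) with Com(u^a_O) and needs a real gadget only for R_had and R_sfprm.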
zkSNARKs for arithmetic circuits with universal crs and log- or constant-size succinctness (n = #mult gates, N = #gates, including addition gates)

Scheme      Prove     Ver           |crs|   |π|     Assumptions
CPhad       n         log n         n       log n   q-SDH, KoE, ROM
CPsfprm     n         log n         n       log n   q-SDH, KoE, ROM
GKMMM18     n log n   |x|           n²      1       q-MC, KoE
Sonic       n log n   |x|           n       1       AGM, ROM
LegoUAC     N         |x| + log N   N       log N   q-SDH, KoE, ROM

The first two rows are the CP-SNARK proof gadgets LegoUAC is built from. The slide further marks each scheme's crs as universal and/or updatable.
Summary
- Interface for commit-and-prove zkSNARKs
- Building blocks to populate the framework: linear, Hadamard, matrix multiplication, permutation, set membership, … (will go public soon)
- Let's play! combining proof gadgets: Groth16 over Pedersen-committed data (LegoGro16), a universal linear-size CRS, a universal O(#mul gates)-size CRS
Check out our paper: ePrint 2019/142
Thanks to our sponsors.