Updatable and Universal Common Reference Strings with Applications to zk-SNARKs (PowerPoint presentation, slide text)


SLIDE 1

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs

Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers.

Crypto - 23/08/2018

SLIDE 2

Our Goal

Find a better method than trusted setups for generating the public parameters for zk-SNARKs.

SLIDES 3-4

What are zk-SNARKs?

Zero-Knowledge Succinct Non-interactive ARgument of Knowledge.

Very small proofs. Verification is fast. Requires a trusted setup. Relies on knowledge-of-exponent (KoE) assumptions.

SLIDE 5

When to use zk-SNARKs?

  • When many instances of the same problem need to be proven over and over and over.
  • When the verifier has limited time and space.

Great for blockchains!

SLIDES 6-7

zk-SNARKs have Trapdoors

  • Proofs are generated and verified using a shared common reference string.
  • Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs.

The trapdoor can be used to break integrity (all the time).
The trapdoor cannot be used to break privacy (most of the time).

We design a setup process more suited to zk-SNARKs used in distributed systems.

SLIDE 8

Our Contributions

Ingredients: 1) Knowledge Assumptions 2) q-type Assumptions 3) Quadratic Arithmetic Programs

Contributions: Updatable trust model; Efficient new zk-SNARK; Universal setup; Null-Space Argument.

(This slide recurs before each part of the talk with the relevant contribution highlighted; the repeats are not reproduced below.)

SLIDES 9-10

What is zero-knowledge?

  • The prover aims to convince the verifier that they know a secret while revealing no information about the secret.

Diagram: Prover and Verifier share a Common Reference String; the Prover sends the Verifier a proof of knowledge of a secret.

The prover cannot create a proof without the secret. The verifier learns the truth, the whole proof, and nothing but its truth.

Unlike in other zero-knowledge systems, in zk-SNARKs it is hard to prevent the trapdoor from being leaked.

SLIDES 11-13

Our Goal

  • SNARKs cannot be zero-knowledge without a trapdoor existing.
  • Aim for subversion zero-knowledge.
  • Aim for a middle ground between a trusted setup and subversion soundness (i.e. a non-existent trapdoor).

Diagram (CRS, Verifier): the verifier learns nothing from the proof even if it knows a trapdoor.
Diagram (CRS, Prover): a prover with a trapdoor can create proofs without the secret, but it is hard to get the trapdoor.

SLIDE 14

But don't we have NIZKs without Setup?

  • In the random oracle model, one can generate an unstructured CRS for which nobody knows the trapdoor.
  • But zk-SNARKs rely on a structured CRS for efficiency.
SLIDE 15

What's so scandalous about a trusted setup?

  • Example: Zcash ran a trusted setup in 2016 and in 2018.
  • If the trapdoor was not properly disposed of two years ago, then some people might be able to print money at will.
  • There is no way of knowing whether the setup was compromised or not.

Cartoon caption: "1 ZEC, 2 ZEC, 3 ZEC, 4…"

SLIDE 16

What's so scandalous about a trusted setup?

  • The output of each trusted setup can only be used to prove the exact circuit it was designed for.
  • Performing one trusted setup per application may result in each trusted setup receiving less and less scrutiny.

Diagram: Application 1 -> Trusted Setup 1 -> CRS 1; Application 2 -> Trusted Setup 2 -> CRS 2; Application 3 -> Trusted Setup 3 -> CRS 3.


SLIDES 18-21

Updatable Setups for zk-SNARKs

  • In theory, one honest party runs the setup, and the scheme is secure.
  • In practice, a few parties run the setup; if one of them is honest then the scheme is secure.
  • In our work, parties are continuously added to the setup; if one is honest at any point in time then the scheme is secure.

Cartoon, theory: "Why should I trust you?" / "Here is the output of the setup procedure."
Cartoon, practice: "Why should I trust any of you?" / "Here is the output of the setup procedure."
Cartoon, this work: "Here is the output of the setup procedure." / "Here is the new output of the setup procedure." (No longer really a setup.)

SLIDE 22

Trusted Setup vs Updates?

Trusted Setup:
  • Setup must be completed before the system goes live.
  • Secure provided a single honest user participates.

Updatable CRS:
  • Parameters can be updated at any point.
  • Secure at any point after an honest user has participated.

SLIDE 23

When can we update?

SNARKs have secrets in the exponent.
  • Exponents contain hidden polynomial evaluations.
  • We can update monomials.

SLIDE 24

Updating Monomials is Easy

$g^{x_1}$ -> $g^{x_1 x_2}$ -> $g^{x_1 x_2 x_3}$ -> etc.

Each string comes with a proof of knowledge of the factor that was just multiplied in: a proof of knowledge of $x_1$, then of $x_2$, then of $x_3$, and so on.

SLIDE 25

Could use Groth or Lipmaa?

Their CRSs only use monomials, but at the sacrifice of quasi-linear prover time: these schemes have quadratic provers.

SLIDE 26

Updating Polynomials is Hard

  • Secrets inside the global parameters were correlated, and once a correlated secret is inside the global parameters it cannot be changed.

Correlated randomness is hidden with uncorrelated randomness.

SLIDES 27-29

Updating Polynomials is Hard

$g^{f(x)\delta}$

  • The CRS contains polynomials.
  • Any adversary that can update $g^{f(x)\delta}$ can extract the monomials $g^{1}, g^{x\delta}, g^{x^2\delta}, \dots, g^{x^n\delta}$.
  • So we cannot rely on hidden polynomial evaluations.

We prove this. Previous schemes rely on hidden polynomials for security.


SLIDES 31-34

What tricks do we use?

  • We start with more global parameters, with monomials inside, from which we derive a smaller set of derived parameters. The derive algorithm can be run by any party.

Diagram: Global Common Reference String 1 -> Update 1 -> Global Common Reference String 2 -> Update 2 -> Global Common Reference String 3; each global string is passed through Derive to give Derived Common Reference String 1, 2 and 3.

The global parameters are independent of the circuit. The derived parameters embed the circuit-dependent QAP. Each derived string is equivalent to the output of one trusted setup in previous schemes.
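Slides 24 and 31-34 together describe the mechanics: a CRS of monomials $g^{x^i}$ that any party can update by raising each element to the matching power of a fresh $\delta$ (with a proof of knowledge of $\delta$), and a public Derive step that turns the monomials into circuit-specific elements $g^{f(x)}$ without anyone knowing $x$. The following is an added example written for this page, not the paper's construction or code. It uses a Schnorr group (the prime-order subgroup of $\mathbb{Z}_P^*$ for a safe prime $P$) in place of the paper's pairing groups, so the update proof is a Fiat-Shamir Schnorr proof of knowledge rather than the paper's pairing-based one, and the per-power consistency check that the real scheme performs with pairings is omitted. The group parameters, function names and sample polynomial are all choices of the example.

```python
import hashlib
import random

# Toy group (assumption of this example): the order-Q subgroup of Z_P^* for a
# safe prime P = 2Q + 1.  It supports exponent arithmetic but has no pairing.

def _is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (covers our 64-bit values)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(start):
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(1 << 62)
G = 4  # a quadratic residue, hence a generator of the order-Q subgroup

def _challenge(*items):
    """Fiat-Shamir challenge binding the statement and the whole new CRS."""
    h = hashlib.sha256("|".join(str(i) for i in items).encode())
    return int.from_bytes(h.digest(), "big") % Q

def pok_prove(base, witness, rng, context):
    """Schnorr proof of knowledge of w with y = base^w (stand-in for the
    paper's pairing-based update proof)."""
    r = rng.randrange(1, Q)
    t = pow(base, r, P)
    c = _challenge(base, pow(base, witness, P), t, context)
    return t, (r + c * witness) % Q

def pok_verify(base, y, proof, context):
    t, s = proof
    c = _challenge(base, y, t, context)
    return pow(base, s, P) == t * pow(y, c, P) % P

def identity_crs(n):
    """Starting point: the monomial CRS g^{x^0}, ..., g^{x^n} for the trivial x = 1."""
    return [G] * (n + 1)

def update(crs, rng):
    """Multiply the hidden x by a fresh delta: g^{x^i} -> g^{(x*delta)^i}.
    Returns the new CRS, the update proof, and delta (returned only so the
    demonstration can check the trapdoor; a real updater erases it)."""
    delta = rng.randrange(1, Q)
    new = [pow(g_xi, pow(delta, i, Q), P) for i, g_xi in enumerate(crs)]
    proof = pok_prove(crs[1], delta, rng, context=tuple(new))
    return new, proof, delta

def verify_update(old, new, proof):
    """Accept `new` only if someone proved knowledge of delta with
    new[1] = old[1]^delta.  The real scheme also pairing-checks that every
    g^{x^i} is consistent with g^{x^{i-1}}; this pairing-free group cannot."""
    if len(old) != len(new) or new[0] != old[0] or new[1] == 1:
        return False
    return pok_verify(old[1], new[1], proof, context=tuple(new))

def derive(crs, coeffs):
    """Public Derive: g^{f(x)} = prod_i (g^{x^i})^{f_i}, computable by anyone
    without knowing x.  In the paper the f_i come from the circuit's QAP."""
    if len(coeffs) > len(crs):
        raise ValueError("polynomial degree exceeds the CRS size")
    acc = 1
    for g_xi, f_i in zip(crs, coeffs):
        acc = acc * pow(g_xi, f_i % Q, P) % P
    return acc

def eval_poly(coeffs, x, mod):
    return sum(c * pow(x, i, mod) for i, c in enumerate(coeffs)) % mod

def run_ceremony(n, rounds, seed=2018):
    """Sequential updates from the identity CRS.  The trapdoor is the product
    of all deltas, so a single honest (random, then erased) delta leaves it
    unknown to everyone else."""
    rng = random.Random(seed)
    crs, chain, trapdoor = identity_crs(n), [], 1
    for _ in range(rounds):
        new, proof, delta = update(crs, rng)
        if not verify_update(crs, new, proof):
            raise ValueError("rejected update")
        chain.append((crs, new, proof))
        crs, trapdoor = new, trapdoor * delta % Q
    return crs, chain, trapdoor
```

`run_ceremony` returns the trapdoor purely so a reader can confirm that `derive(crs, f)` equals $g^{f(x)}$ computed directly; anyone who only sees the chain of CRSs and proofs can run `verify_update` on every link and `derive` for any polynomial of degree at most $n$, which is the slide's point that deriving is not a trusted step.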

SLIDES 35-39

What's the Price?

(Same diagram as the previous slide, with a cost attached to each component.)

Global common reference string: quadratic sized; only one quadratic string needs to be stored at any given time.
Update proofs: very small (<300 bytes); must be sequential and are stored forever.
Derive: $O(d^3)$ multiplications due to Gaussian elimination; multiple updates can be run between each iteration of derive.
Derived common reference string: linear sized; sufficient for prover and verifier.


SLIDES 41-46

Our Techniques

Prover needs to show $A = g^{a f(x)}$ for known $f(X) = f_0 + f_1 X + \dots + f_d X^d$. The prover wants to keep $a$ secret.

Have: linear algebra. Find a maximal matrix $N$ such that $(f_0, \dots, f_d) \cdot (n_{k,0}, \dots, n_{k,d}) = 0$ for every row $k$. Rank-nullity: for a matrix $A$, $\mathrm{span}(A)$ is orthogonal to $\mathrm{Null}(A)$.

Verifier checks
$a\, y^k \,(f_0 + \dots + f_d x^d)(n_{k,0} x^d + \dots + n_{k,d}) = 0$
in the $y^k x^d$ coefficient. The $x^d$ coefficient of the product is exactly the inner product $\sum_i f_i n_{k,i}$, so it vanishes for every $k$ precisely when the committed coefficient vector lies in the row span of the $f$'s.

General case: prover needs to show $A = g^{a_1 f_1(x) + \dots + a_n f_n(x)}$ for known $f_j(X) = f_{j,0} + f_{j,1} X + \dots + f_{j,d} X^d$, where the $f_j(X)$ are determined by the QAP. Find a maximal matrix $N$ such that $(f_{j,0}, \dots, f_{j,d}) \cdot (n_{k,0}, \dots, n_{k,d}) = 0$ for all $j, k$. Verifier checks
$a_j\, y^k \,(f_{j,0} + \dots + f_{j,d} x^d)(n_{k,0} x^d + \dots + n_{k,d}) = 0$
in the $y^k x^d$ coefficient.

SLIDES 47-51

Why is the Null Space so Big?

Prover needs to show $A = g^{a_1 f_1(x) + \dots + a_n f_n(x)}$ for known $f_j(X) = f_{j,0} + f_{j,1} X + \dots + f_{j,d} X^d$.

  • Need to show $\log A \in \mathrm{span}(\text{rows of } F)$, where $F$ is the matrix whose rows are the coefficient vectors $(f_{j,0}, \dots, f_{j,d})$.
  • Width of $F$ = 3 × number of gates. Length of $F$ = number of wires ≤ 2 × number of gates. So $F$ is wider than it is long.
  • $\mathrm{width}(F) = \mathrm{Rank}(F) + \mathrm{Nullity}(F)$, and row-rank = column-rank = dimension of the space spanned by the row vectors, so $\mathrm{Rank}(F) \le 2d$ (with $d$ the number of gates).
  • Hence $\dim(\text{Null matrix}) \approx d$.

Open question: Can $F$ be more square?
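As an added example (not from the paper), here is the field-level arithmetic behind slides 41-51: computing the maximal null matrix $N$ by Gaussian elimination (the cubic deriver cost of slide 37), checking that the $x^d$ coefficient of each product polynomial equals the inner product $\sum_i f_i n_{k,i}$, and observing the nullity for a matrix shaped like the slide's $F$ (width 3 × gates, length ≤ 2 × gates). The matrix entries are randomly constructed rather than taken from a real QAP, and the group encoding and pairings are omitted, so this shows the linear algebra the verifier's check rests on, not the SNARK itself.

```python
import random

MOD = 2**61 - 1  # a Mersenne prime standing in for the group's scalar field

def nullspace(F, mod=MOD):
    """Basis of {v : F v = 0 mod p} via Gaussian elimination, O(d^3) field
    operations.  One basis vector per free column, so len(result) = width - rank."""
    rows = [[v % mod for v in r] for r in F]
    ncols = len(rows[0])
    pivots, r = [], 0
    for c in range(ncols):
        if r == len(rows):
            break
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], mod - 2, mod)
        rows[r] = [v * inv % mod for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                fac = rows[i][c]
                rows[i] = [(a - fac * b) % mod for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fcol in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[fcol] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-rows[i][fcol]) % mod  # cancel the pivot row's entry
        basis.append(v)
    return basis

def dot(u, v, mod=MOD):
    return sum(a * b for a, b in zip(u, v)) % mod

def poly_mul(a, b, mod=MOD):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % mod
    return out

def xd_coefficient(f, n, mod=MOD):
    """Coefficient of X^d in (f_0 + ... + f_d X^d)(n_0 X^d + ... + n_d), the
    term the slides' verifier isolates.  Equals sum_i f_i n_i."""
    d = len(f) - 1
    return poly_mul(f, list(reversed(n)), mod)[d]

def in_row_span(v, N, mod=MOD):
    """Field-level version of the verifier's test: v is orthogonal to every
    row of the null matrix N iff v lies in the row span of F."""
    return all(dot(v, n, mod) == 0 for n in N)

def qap_shaped_matrix(gates, wires, rng, mod=MOD):
    """Constructed stand-in for the QAP coefficient matrix: one row per wire,
    3*gates columns, mirroring the slide's width 3g and length <= 2g."""
    return [[rng.randrange(mod) for _ in range(3 * gates)] for _ in range(wires)]

def demo(gates=4, wires=7, seed=1):
    rng = random.Random(seed)
    F = qap_shaped_matrix(gates, wires, rng)
    N = nullspace(F)
    width = 3 * gates
    # Honest prover: the exponent of A is a combination sum_j a_j f_j of rows.
    a = [rng.randrange(MOD) for _ in F]
    log_a = [sum(a[j] * F[j][i] for j in range(wires)) % MOD for i in range(width)]
    # Cheating prover: an exponent unrelated to the rows of F.
    cheat = [rng.randrange(MOD) for _ in range(width)]
    return {
        "rank": width - len(N),
        "nullity": len(N),
        "null_matrix_ok": all(dot(f, n) == 0 for f in F for n in N),
        "xd_coeffs_zero": all(xd_coefficient(f, n) == 0 for f in F for n in N),
        "honest_accepted": in_row_span(log_a, N),
        "cheat_accepted": in_row_span(cheat, N),
    }
```

With 4 gates and 7 wires the matrix has width 12 and full row rank 7, so the null matrix has 5 rows, at least the number of gates, which is the slide's "dim(Null matrix) ≈ d". The honest exponent passes every null-row check and a random exponent fails, which is the linear-algebra core of why the verifier's coefficient check is sound.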


SLIDES 53-57

Prover and Verifier

Prover sends
$A = g^{a(x,y)}$,
$B = h^{a(x,y)}$,
$C = g^{a(x,y) \cdot \mathrm{null} + a(x,y) \cdot a(x,y)}$.

Verifier checks
$e(A, h) = e(g, B)$,
$e(A, B)\, e(A, N) = e(C, h)$.

  • $A = g^{a(x,y)}$ unless the prover can compute $g^{x^d y^k}$.
  • $B = h^{a(x,y)}$ by bilinearity. The prover knows $a(x,y)$ by KoE.
  • The QAP is satisfied unless the prover can compute $g^{x^i y^7}$.

Proof size: our scheme 3 group elements; state of the art 3 group elements.
Prover: our scheme O(n) group exponentiations; state of the art O(n) group exponentiations.
Verifier: our scheme 5 pairings; state of the art 4 pairings.

SLIDE 58

Summary

  • Introduce the notion of updatable common reference strings.
  • Design an efficient updatable zk-SNARK.
  • Show how to use the same global parameters to derive a CRS for any circuit of a given size.

Efficiency Table

  Universal string:   quadratic
  Derived string:     linear
  Deriver cost:       cubic
  Update proofs:      9 group elements
  Proof size:         3 group elements
  Verifier time:      5 pairings

SLIDE 59

Questions?