Scalable Zero Knowledge Via Cycles of Elliptic Curves

Abstract

Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the verifier is computationally weak. Existing zk-SNARK implementations have severe scalability limitations, in terms of space complexity as a function of the size of the computation being proved (e.g., running time of the NP statement’s decision program). First, the size of the proving key is quasilinear in the upper bound on the computation size. Second, producing a proof requires “writing down” all intermediate values of the entire computation, and then conducting global operations such as FFTs. The bootstrapping technique of Bitansky et al. (STOC ’13), following Valiant (TCC ’08), offers an approach to scalability, by recursively composing proofs: proving statements about acceptance of the proof system’s own verifier (and correctness of the program’s latest step). Alas, recursive composition of known zk-SNARKs has never been realized in practice, due to enormous computational cost. Using new elliptic-curve cryptographic techniques, and methods for exploiting the proof systems’ field structure and nondeterminism, we achieve the first zk-SNARK implementation that practically achieves recursive proof composition. Our zk-SNARK implementation runs random-access machine programs and produces proofs of their correct execution, on today’s hardware, for any program running time. It takes constant time to generate the keys that support all computation sizes. Subsequently, the proving process only incurs a constant multiplicative overhead compared to the original computation’s time, and an essentially-constant additive overhead in memory. Thus, our zk-SNARK implementation is the first to have a well-defined, albeit low, clock rate of “verified instructions per second”.

Appendices

Appendix 1: Computation Models

We introduce notions and notations for two computation models used in this paper: arithmetic circuits (see Appendix “Arithmetic Circuits”) and random-access machines (see Appendix “Random-Access Machines”).

1.1 Arithmetic Circuits

We work with circuits that are not boolean but arithmetic. Given a field \(\mathbb {F}\), an \(\mathbb {F}\)-arithmetic circuit takes inputs that are elements in \(\mathbb {F}\), and its gates output elements in \(\mathbb {F}\). We naturally associate a circuit with the function it computes. The circuits we consider only have bilinear gates,²² and a circuit’s size is defined as the number of gates. To model nondeterminism we consider circuits with an input \(x\in \mathbb {F}^{n}\) and an auxiliary input \(a\in \mathbb {F}^{h}\), called a witness. Arithmetic circuit satisfiability is analogous to the boolean case, as follows.

Definition 8.1

Let \(n,h,l\in \mathbb {N}\) respectively denote the input, witness, and output size. The circuit satisfaction problem of an \(\mathbb {F}\)-arithmetic circuit \(C:\mathbb {F}^{n} \times \mathbb {F}^{h} \rightarrow \mathbb {F}^{l}\) (with bilinear gates) is defined by the relation \(\mathcal {R}_{C} = \{(x,a) \in \mathbb {F}^{n} \times \mathbb {F}^{h} : C(x,a) = 0^{l} \}\); its language is \(\mathcal {L}_{C}=\{x\in \mathbb {F}^{n} : \exists \, a\in \mathbb {F}^{h}, \ C(x,a) = 0^{l} \}\).

At times, we also write \(C(x,a) = 0\) to mean \(C(x,a) = 0^{l}\) for an unspecified \(l\). All the arithmetic circuits we consider are over fields \(\mathbb {F}_{p}\) with p prime (that is at most exponential in the security parameter \(\lambda \)).

1.2 Random-Access Machines

There are many possible definitions of random-access machines [4, 36]. Here we formulate a concrete, yet relatively flexible, definition that suffices for the purposes of this paper. Informally, a machine is specified by a configuration for random-access memory (number of addresses, and number of bits stored at each address) and a CPU. At each step, the CPU gets the current state and the next instruction from memory; executes the instruction; communicates with memory (by storing or loading data); and then outputs the next state and the address for the next instruction. (Thus, random-access memory contains both program and data).

More precisely, a (non-deterministic) random-access machine with verification over a finite field \(\mathbb {F}\) is a tuple \(\mathbf {M}= (A,W,N,\mathrm {CPU}_{\mathsf {exe}},\mathrm {CPU}_{\mathsf {ver}})\) where:

• \(A,W\in \mathbb {N}\) specify that (random-access) memory \(\mathcal {M}\) contains \(A\) addresses each storing \(W\) bits (i.e., that memory is a function \(\mathcal {M}:[A] \rightarrow \{0,1\}^{W}\)).

• \(N\in \mathbb {N}\) specifies the length, in bits, of a CPU state.

• \(\mathrm {CPU}_{\mathsf {exe}}\) is a (stateful) function for executing the CPU (see below).

• \(\mathrm {CPU}_{\mathsf {ver}}\) is an \(\mathbb {F}\)-arithmetic circuit for verifying the CPU’s execution (see below).

The machine \(\mathbf {M}\) takes as input a program \(\mathcal {P}\) and an auxiliary input \(\mathcal {G}\), and computes on them. More precisely:

• A program for \(\mathbf {M}\) is a function \(\mathcal {P}:[A] \rightarrow \{0,1\}^{W}\) that specifies the initial memory contents. The program \(\mathcal {P}\) is typically represented in sparse form, by listing the (few) addresses and values for non-zero memory entries, which may store any code and data to the machine.

• An auxiliary input for \(\mathbf {M}\) is a sequence \(\mathcal {G}= (g_{0},g_{1},g_{2},\dots )\). Each \(g_{i}\) consists of \(W\) bits and is accessed at the i-th computation step. The auxiliary input is treated as a nondeterministic guess.

Then, the computation of \(\mathbf {M}\) on program \(\mathcal {P}\) and auxiliary input \(\mathcal {G}\), denoted \(\mathbf {M}(\mathcal {P};\mathcal {G})\), proceeds as follows. Initialize the CPU state and instruction address to zero: \(s_{\mathsf {cpu},0} := 0^{N}\), \(a_{\mathsf {pc},0} := 0\). Next, for \(i=0,1,2\dots \):

1. 1.

   \(\mathrm {CPU}_{\mathsf {exe}}\) is given the current CPU state (\(s_{\mathsf {cpu},i} \in \{0,1\}^{N}\)), address of the instruction to be executed (\(a_{\mathsf {pc},i} \in [A]\)), instruction to be executed (\(v_{\mathsf {pc},i} := \mathcal {M}_{i}(a_{\mathsf {pc},i}) \in \{0,1\}^{W}\)), and guess (\(g_{i} \in \{0,1\}^{W}\)).

2. 2.

   \(\mathrm {CPU}_{\mathsf {exe}}\) outputs an address (\(a_{\mathsf {mem},i} \in [A]\)), a value (\(v_{\mathsf {st},i} \in \{0,1\}^{W}\)), and a store flag (\(f_{\mathsf {st},i} \in \{0,1\}\)).

3. 3.

   \(\mathrm {CPU}_{\mathsf {exe}}\) is given the value at the address (\(v_{\mathsf {ld},i} := \mathcal {M}_{i}(a_{\mathsf {mem},i}) \in \{0,1\}^{W}\)).

   Set \(\mathcal {M}_{i+1}\) equal to \(\mathcal {M}_{i}\); if a store was requested (i.e., \(f_{\mathsf {st},i}=1\)), do it (i.e., \(\mathcal {M}_{i+1}(a_{\mathsf {mem},i}) := v_{\mathsf {st},i}\)).

4. 4.

   \(\mathrm {CPU}_{\mathsf {exe}}\) outputs a new CPU state (\(s_{\mathsf {cpu},i+1} \in \{0,1\}^{N}\)), an address for the next instruction (\(a_{\mathsf {pc},i+1} \in [A]\)), and a flag denoting whether the machine has accepted (\(f_{\mathsf {acc},i+1} \in \{0,1\}\)). \(\mathrm {CPU}_{\mathsf {exe}}\)’s state is reset.

Thus \(\mathrm {CPU}_{\mathsf {exe}}\) can be thought of as \(\mathbf {M}\)’s “processor”: step after step, \(\mathrm {CPU}_{\mathsf {exe}}\) takes the previous state and instruction (and its address), executes the instruction, communicates with random-access memory, and produces the next state and instruction address. In contrast, \(\mathrm {CPU}_{\mathsf {ver}}\) is a predicate that verifies the correct input/output relationship of \(\mathrm {CPU}_{\mathsf {exe}}\). In other words \(\mathrm {CPU}_{\mathsf {exe}}\) satisfies the following property:

Fix \(s_{\mathsf {cpu}},s_{\mathsf {cpu}}' \in \{0,1\}^{N}\), \(a_{\mathsf {pc}},a_{\mathsf {mem}},a_{\mathsf {pc}}' \in [A]\), \(v_{\mathsf {pc}},v_{\mathsf {st}},v_{\mathsf {ld}},g\in \{0,1\}^{W}\), \(f_{\mathsf {st}},f_{\mathsf {acc}}' \in \{0,1\}\), and let \(x_{\mathsf {ver}}\) be the concatenation of all these. There is a witness \(a_{\mathsf {ver}}\) such that \(\mathrm {CPU}_{\mathsf {ver}}(x_{\mathsf {ver}},a_{\mathsf {ver}}) = 0\) iff \((a_{\mathsf {mem}},v_{\mathsf {st}},f_{\mathsf {st}}) \leftarrow \mathrm {CPU}_{\mathsf {exe}}(s_{\mathsf {cpu}},a_{\mathsf {pc}},v_{\mathsf {pc}},g)\) and, afterwards, \((s_{\mathsf {cpu}}',a_{\mathsf {pc}}',f_{\mathsf {acc}}') \leftarrow \mathrm {CPU}_{\mathsf {exe}}(v_{\mathsf {ld}})\). Moreover, \(a_{\mathsf {ver}}\) can be efficiently computed from \(x_{\mathsf {ver}}\).

Of course, \(\mathrm {CPU}_{\mathsf {ver}}\) may simply internally execute \(\mathrm {CPU}_{\mathsf {exe}}\) to perform its verification; but, having access to additional advice \(a_{\mathsf {ver}}\), \(\mathrm {CPU}_{\mathsf {ver}}\) may instead perform “smarter”, and more efficient, checks.

We are not concerned about how the function \(\mathrm {CPU}_{\mathsf {exe}}\) is specified (e.g., it can be a computed program), but \(\mathrm {CPU}_{\mathsf {ver}}\) must be specified as an \(\mathbb {F}\)-arithmetic circuit (for an appropriate \(\mathbb {F}\) that we will discuss).

The language of accepting computations We define the language of accepting computations on \(\mathbf {M}\). A program \(\mathcal {P}\) is treated as “given”, while the auxiliary input \(\mathcal {G}\) is treated as a nondeterministic advice.

Definition 8.2

For a random-access machine \(\mathbf {M}\), the language \(\mathcal {L}_{\mathbf {M}}\) consists of pairs \((\mathcal {P},T)\) such that:

• \(\mathcal {P}\) is a program for \(\mathbf {M}\);

• \(T\) is a time bound;

• there exists an auxiliary input \(\mathcal {G}\) such that \(\mathbf {M}(\mathcal {P};\mathcal {G})\) accepts in at most \(T\) steps.

We denote by \(\mathcal {R}_{\mathbf {M}}\) the relation corresponding to \(\mathcal {L}_{\mathbf {M}}\).

In this paper we obtain an implementation of scalable \(\text{ zk-SNARK }\)s for proving/verifying membership in the above language (see Appendix “Scalable \(\text{ zk-SNARK }\)s for Random-Access Machines” for a definition). We evaluate our system for a specific choice of machine: \( \textsf {vnTinyRAM} \), a simple RISC von Neumann architecture introduced by [17] (see below). Of course, other choices of random-access machines are possible, and our implementation supports them.

1.3 The Architecture \( \textsf {vnTinyRAM} \)

We evaluate our scalable \(\text{ zk-SNARK }\) on an architecture that previously appeared in (preprocessing) \(\text{ zk-SNARK }\) implementations: \( \textsf {vnTinyRAM} \) [17] (see Sect. 7). We explain how to set “\(\mathbf {M}= \textsf {vnTinyRAM} \)”, i.e., how to specify the architecture \( \textsf {vnTinyRAM} \) via the formalism introduced above (and used by our prototype).

Given \(W,K\), we want to construct a tuple \(\mathbf {M}=(A,W,N,\mathrm {CPU}_{\mathsf {exe}},\mathrm {CPU}_{\mathsf {ver}})\) that implements \(W\)-bit \( \textsf {vnTinyRAM} \) with \(K\) registers. First we need to specify the parameters \(A,W\in \mathbb {N}\) for random access memory. \( \textsf {vnTinyRAM} \) accesses memory, consisting of \(2^{W}\) bytes, either as bytes or as words; moreover, \( \textsf {vnTinyRAM} \) instructions (which are stored in memory) take two words to encode in memory. Thus, we set \(A,W\) so that memory consists of \(A:= \frac{8 \cdot 2^{W}}{2 W}\) addresses, each storing \(W:= 2W\) bits. Next, we set the CPU state length to \(N:= (1+K)W+ 1\) because, in \( \textsf {vnTinyRAM} \), a CPU state consists of the program counter (\(W\) bits), \(K\) general-purpose registers (each of \(W\) bits), and a (condition) flag (1 bit). Finally, \(\mathrm {CPU}_{\mathsf {exe}}\) can be chosen to be any program implementation of \( \textsf {vnTinyRAM} \)’s CPU, while \(\mathrm {CPU}_{\mathsf {ver}}\) can be chosen to be any \(\mathbb {F}\)-arithmetic circuit for verifying the input-output relationship of \(\mathrm {CPU}_{\mathsf {exe}}\). In our implementation, \(\mathbb {F}\) is a prime field of \(298\) bits (since \(\mathbb {F}= \mathbb {F}_{r_{4}}\)), and we get the following sizes for the two settings we consider:

• for \((W,K)=(16,16)\), \(|\mathrm {CPU}_{\mathsf {ver}}|=766\); and

• for \((W,K)=(32,16)\), \(|\mathrm {CPU}_{\mathsf {ver}}|=1108\).

Appendix 2: Pairings and Elliptic Curves

The cryptographic primitives we study are based on pairings, which we briefly recall in Appendix “Pairings”. Pairings can, in turn, be based on pairing-friendly elliptic curves; in Appendix “Elliptic Curves” we review basic notions about these.

1.1 Pairings

Let \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) be cyclic groups of a prime order \(r\). We denote elements of \(\mathbb {G}_{1},\mathbb {G}_{2}\) via calligraphic letters such as \(\mathcal {P},\mathcal {Q}\). We write \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) in additive notation. Let \(\mathcal {P}_{1}\) be a generator of \(\mathbb {G}_{1}\), i.e., \(\mathbb {G}_{1}= \{\alpha \mathcal {P}_{1}\}_{\alpha \in \mathbb {F}_{r}}\); let \(\mathcal {P}_{2}\) be a generator for \(\mathbb {G}_{2}\). (We also view \(\alpha \) as an integer, so that \(\alpha \mathcal {P}_{1}\) is well-defined).

A pairing is an efficient map \(e:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{T}\), where \(\mathbb {G}_{T}\) is also a cyclic group of order \(r\) (which we write in multiplicative notation), satisfying the following properties:

• Bilinearity. For every nonzero elements \(\alpha ,\beta \in \mathbb {F}_{r}\), it holds that \(e(\alpha \mathcal {P}_{1}, \beta \mathcal {P}_{2}) = e( \mathcal {P}_{1}, \mathcal {P}_{2})^{\alpha \beta }\).

• Non-degeneracy. \(e(\mathcal {P}_{1},\mathcal {P}_{2})\) is not the identity in \(\mathbb {G}_{T}\).

When describing cryptographic primitives at high level, the choice of instantiation of \(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e\) often does not matter. In this paper, however, we discuss implementation details, and such choices matter a great deal. Typically, pairings are based on (pairing-friendly) elliptic curves, discussed next.

1.2 Elliptic Curves

We assume familiarity with elliptic curves; here, we only recall the basic definitions in order to fix notation. See, e.g., [32, 48, 98, 112] for more details.

Definition and curve groups Given a field \(K\), an elliptic curve \(E\) defined over \(K\), denoted \(E/K\), is a smooth projective curve of genus 1 (defined over \(K\)) with a distinguished \(K\)-rational point. We denote by \(E(K)\) the group of \(K\)-rational points on \(E\); when finite, we denote the cardinality of this group by \(\#E(K)\). For any \(r \in \mathbb {N}\), \(E[r]\) denotes the group of r-torsion points in \(E(\overline{K})\), and \(E(K)[r]\) the group of r-torsion points in \(E(K)\). In this paper, we only consider elliptic curves where \(K\) is a finite field \(\mathbb {F}_{q}\); so the definitions below are specific to this case.

Trace and CM discrminant The trace of \(E/\mathbb {F}_{q}\) is \(t := q + 1 - \#E(\mathbb {F}_{q})\). The Hasse bound states that \(|t| \le 2\sqrt{q}\). If \(\gcd (q,t)=1\), then \(E/\mathbb {F}_{q}\) is ordinary; otherwise, it is supersingular. If \(E/\mathbb {F}_{q}\) is ordinary, the CM discriminant of \(E\) is the square-free part D of the integer \(4q-t^2\), non-negative by the Hasse bound.²³

ECDLP The elliptic-curve discrete logarithm problem (ECDLP) is the following: given \(E/\mathbb {F}_{q}\), \(\mathcal {P} \in E(\mathbb {F}_{q})\), and \(\mathcal {Q} \in \langle \mathcal {P} \rangle \), find \(a \in \mathbb {N}\) such that \(\mathcal {Q} = a \mathcal {P}\). There are several methods to solve, with different time and space complexities, the ECDLP. For instance: the Pohlig–Hellman algorithm [83] (which reduces the problem to subgroups of prime order); Shanks’ [97] baby-step-giant-step method; Pollard’s methods (the rho method [84] and the kangaroo method [85], and their parallel variants by van Oorschot and Wiener [111]); the Menezes–Okamoto–Vanstone (MOV) attack using the Weil pairing [76]; the Frey–Rück attack using the Tate pairing [46]; and the SSSA attack for curves of trace \(t =1\) [89, 96, 99].

Cryptographic uses require the ECDLP to be hard (typically, intractable for polynomial-time adversaries). For points \(\mathcal {P}\) of large prime order r, this is widely believed to be the case. Thus, one only considers curves \(E\) with trace \(t \ne 1\) and having cyclic subgroups of \(E(\mathbb {F}_{q})\) of large prime order r. So \(\#E(\mathbb {F}_{q})\) is either a prime r, or hr for a small cofactor h.

Pairings For cryptographic uses that require efficient computation of pairings (such as the uses considered in this paper), suitable elliptic curves need to satisfy additional requirements, as we now recall.

For any \(r \in \mathbb {N}\) with \(\gcd (q,r)=1\), the embedding degree k of \(E/\mathbb {F}_{q}\) (with respect to r) is the smallest integer such that r divides \(q^{k}-1\); for such r, a bilinear map \(e_{r} :E[r] \times E[r] \rightarrow \mu _{r}\) can be defined, where \(\mu _{r} \subset \mathbb {F}_{q^k}^{*}\) is the subgroup of r-th roots of unity in \(\overline{\mathbb {F}_{q}}\). The map \(e_{r}\) is known as the Weil pairing.

The Weil pairing is not the only bilinear map that can be defined. Depending on properties of the curve \(E\) other, sometimes more efficient, pairings can be defined, e.g., the Tate pairing [45, 46], the Eta pairing [24], and the Ate pairing [61]. In each of these cases, the pairing computation requires arithmetic in \(\mathbb {F}_{q^k}\), so that k cannot be too large. On the other hand, the ECDLP can be translated (via the pairing itself [46, 76]) to the discrete logarithm problem over \(\mathbb {F}_{q^k}^{*}\), which is susceptible to subexponential-time attacks via index calculus [81], so that k has to be large enough to achieve the desired level of hardness for the DLP in \(\mathbb {F}_{q^k}^{*}\).

In light of the above considerations, an (ordinary) elliptic curve \(E/\mathbb {F}_{q}\) is said to be pairing friendly if (i) \(E(\mathbb {F}_{q})\) contains a subgroup of large prime order r, and (ii) \(E\) has embedding degree k (with respect to r) that is not too large (i.e., computations in the field \(\mathbb {F}_{q^k}\) are feasible) and not too small (i.e., the DLP in \(\mathbb {F}_{q^k}^{*}\) is hard enough). The ideal case is when \(E\) has prime order r, and the embedding degree k is such that the ECDLP in \(E(\mathbb {F}_{q})\) and the DLP in \(\mathbb {F}_{q^k}^{*}\) have approximately the same hardness, i.e., are balanced.

Instantiations of pairings A pairing is specified by a prime \(r \in \mathbb {N}\), three cyclic groups \(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T}\) of order r, and an efficient bilinear map \(e:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{T}\). (See Appendix “Pairings”). Suppose one uses a curve \(E/\mathbb {F}_{q}\) with embedding degree k to instantiate the pairing. Then \(\mathbb {G}_{T}\) is set to \(\mu _{r} \subset \mathbb {F}_{q^k}^*\). The instantiation of \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) depends on the choice of \(e\); typically, \(\mathbb {G}_{1}\) is instantiated as an order-\(r\) subgroup of \(E(\mathbb {F}_{q})\), while, for efficiency reasons [25, 28], \(\mathbb {G}_{2}\) as an order-\(r\) subgroup of \(E'(\mathbb {F}_{k/d})\) where \(E'\) is a d-th twist of \(E\).

Appendix 3: Preprocessing \(\text{ zk-SNARK }\)s for Arithmetic Circuit Satisfiability

At high-level, a preprocessing \(\text{ zk-SNARK }\) for arithmetic-circuit satisfiability is a cryptographic primitive that provides short and easy-to-verify non-interactive zero-knowledge proofs of knowledge for the satisfiability of arithmetic circuits. A public proving key is used to generate proofs, and a public verification key is used to verify them; the two keys are jointly generated once, and can then be used any number of times. The adjective “preprocessing” denotes the fact that the key pair depends on the arithmetic circuit \(C\) whose satisfiability is being proved/verified; in particular, the time to generate a key pair for \(C\) is at least linear in the size of \(C\). Below, we informally define this primitive; we refer the reader to, e.g., [14] for a formal definition.

Given a field \(\mathbb {F}\),²⁴ a preprocessing \(\text{ zk-SNARK }\) for \(\mathbb {F}\)-arithmetic circuit satisfiability (see Appendix “Arithmetic Circuits”) is a triple of polynomial-time algorithms \((G ,P,V)\), with \(V\) deterministic,²⁵ working as follows.

• \(G(1^{\lambda },C) \rightarrow (\mathsf {pk}, \mathsf {vk})\). On input a security parameter \(\lambda \) (presented in unary) and an \(\mathbb {F}\)-arithmetic circuit \(C\), the key generator \(G\) probabilistically samples a proving key \(\mathsf {pk}\) and a verification key \(\mathsf {vk}\). We assume, without loss of generality, that \(\mathsf {pk}\) contains (a description of) the circuit \(C\).

The keys \(\mathsf {pk}\) and \(\mathsf {vk}\) are published as public parameters and can be used, any number of times, to prove/verify membership in the language \(\mathcal {L}_{C}\), as follows.

• \(P(\mathsf {pk},x,a) \rightarrow \pi \). On input a proving key \(\mathsf {pk}\) and any \((x,a) \in \mathcal {R}_{C}\), the prover \(P\) outputs a non-interactive proof \(\pi \) for the statement “\(x\in \mathcal {L}_{C}\)”.

• \(V(\mathsf {vk}, x, \pi ) \rightarrow b\). On input a verification key \(\mathsf {vk}\), an input \(x\), and a proof \(\pi \), the verifier \(V\) outputs \(b=1\) if he is convinced by \(\pi \) that \(x\in \mathcal {L}_{C}\).

The triple \((G ,P,V)\) satisfies the following properties.

Completeness The honest prover can convince the verifier for any instance in the language. Namely, for every security parameter \(\lambda \), \(\mathbb {F}\)-arithmetic circuit \(C\), and instance \(x\in \mathcal {L}_{C}\) with a witness \(a\),

$$\begin{aligned} \Pr \left[ V(\mathsf {vk},x,\pi )=1 \,\, \Bigg \vert \,\,\begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow G(1^{\lambda },C) \\ \pi \leftarrow P(\mathsf {pk},x,a) \end{array} \right] = 1. \end{aligned}$$

Succinctness For every security parameter \(\lambda \), \(\mathbb {F}\)-arithmetic circuit \(C\), and \((\mathsf {pk},\mathsf {vk}) \in G(1^{\lambda },C)\),

• an honestly-generated proof \(\pi \) has \(O_{\lambda }(1)\) bits;

• \(V(\mathsf {vk},x,\pi )\) runs in time \(O_{\lambda }(|x|)\).

Above, \(O_{\lambda }\) hides a (fixed) polynomial factor in \(\lambda \).

Proof of knowledge (and soundness) If the verifier accepts a proof for an instance, the prover “knows” a witness for that instance. (Thus, soundness holds). Namely, for every constant \(c>0\) and every polynomial-size adversary A there is a polynomial-size witness extractor \(E\) such that, for every large-enough security parameter \(\lambda \), for every \(\mathbb {F}\)-arithmetic circuit \(C\) of size \(\lambda ^c\),

$$\begin{aligned} \Pr \left[ \begin{array}{c} V(\mathsf {vk},x,\pi )=1 \\ (x,a) \notin \mathcal {R}_{C} \end{array} \,\, \Bigg \vert \,\, \begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow G(1^{\lambda },C) \\ (x,\pi ) \leftarrow A(\mathsf {pk},\mathsf {vk}) \\ a\leftarrow E(\mathsf {pk},\mathsf {vk}) \end{array} \right] \le \mathsf {negl}(\lambda ). \end{aligned}$$

Statistical zero knowledge An honestly-generated proof is statistical zero knowledge. Namely, there is a polynomial-time stateful simulator \(S\) such that, for all stateful distinguishers \(D\), the following two probabilities are negligibly-close:

Remark 8.3

All known preprocessing \(\text{ zk-SNARK }\) constructions can in fact be made perfect zero knowledge, at the only expense of a negligible probability of error in completeness.

1.1 Known Constructions and Security

There are many preprocessing \(\text{ zk-SNARK }\) constructions in the literature [9, 14, 17, 52, 55, 67, 68, 82]. The most efficient ones are based on quadratic arithmetic programs (\(\text{ QAP } \)s) [9, 14, 17, 52, 82]; such constructions provide a linear-time \(G\), quasilinear-time \(P\), and linear-time \(V\).

Three of the above works [9, 17, 82] also investigate and provide implementations of preprocessing \(\text{ zk-SNARK }\)s. As we discuss in Sect. 3.3, in this work we follow the implementation of [17], which, at the time of writing, is the fastest one.

Security of \(\text{ zk-SNARK }\)s is based on knowledge-of-exponent assumptions and variants of Diffie–Hellman assumptions in bilinear groups [5, 49, 55]. Knowledge-of-exponent assumptions are fairly strong, but there is evidence that such assumptions may be inherent for constructing \(\text{ zk-SNARK }\)s [7, 60].

Remark 8.4

(auxiliary input) More generally, the security of \(\text{ zk-SNARK }\)s relies on the extractability of certain functions. Extractability is a delicate property that, depending on how it is stated, yields conditions of different relative strength. One aspect that affects this is the choice of auxiliary input (a discussion of which was omitted in the informal definition above). For instance, if the adversary is allowed any auxiliary input (perhaps even by way of maliciously chosen circuits \(C\)), extraction may be difficult because the auxiliary input may encode an obfuscated strategy [7]; such intuition can in fact be formalized to yield limitations to extractability [16]. On the other end of the spectrum, certain notions of extractability can be achieved [15], and also no limitations are known for certain ‘benign looking’ inputs.

The focus of this paper is practical aspects of \(\text{ zk-SNARK }\)s so our perspective on extractability here is that, similarly to the Fiat–Shamir paradigm [47], knowledge-of-exponent assumptions, despite not being fully understood, provide solid heuristics in practice since no effective attacks against them are known.

1.2 Instantiations Via Elliptic Curves

Known preprocessing \(\text{ zk-SNARK }\) constructions are based on pairings (see Appendix “Pairings”), which can in turn be based on pairing-friendly elliptic curves (see Appendix “Elliptic Curves”). We recall two facts, used in this paper.

Field for the circuit language Let \(E\) be an elliptic curve that is defined over a finite field \(\mathbb {F}_{q}\), has a group \(E(\mathbb {F}_{q})\) of \(\mathbb {F}_{q}\)-rational points with a prime order r (or order divisible by a large prime r), and has embedding degree k with respect to r. Suppose that a preprocessing \(\text{ zk-SNARK }\) \((G ,P,V)\) is instantiated with \(E\). Then,

\((G ,P,V)\) works for \(\mathbb {F}_{r}\)-arithmetic circuit satisfiability,

but all of \(V\)’s arithmetic computations are over \(\mathbb {F}_{q}\) (or extensions of \(\mathbb {F}_{q}\) up to degree k).²⁶

This fact motivates most of the discussions in Sect. 3.1.

2-adicity of a curve Prior work identified the 2-adicity of a curve as an important ingredient for efficient implementations of the generator and, especially, the prover [9, 17].

An elliptic curve \(E/\mathbb {F}_{q}\) has 2-adicity \(2^{\ell }\) if the large prime r dividing \(\#E(\mathbb {F}_{q})\) is such that \(2^{\ell }\) divides \(r-1\). This property ensures that the multiplicative group of \(\mathbb {F}_{r}\) contains a \(2^{\ell }\)-th root of unity, which significantly improves the efficiency of interpolation and evaluation of functions defined over certain domains in \(\mathbb {F}_{r}\).

When instantiating a preprocessing \(\text{ zk-SNARK }\) \((G ,P,V)\) with \(E\), the \(\text{ zk-SNARK }\) works for \(\mathbb {F}_{r}\)-arithmetic circuit satisfiability, and both \(G\) and \(P\) need to solve interpolation/evaluation problems over domains of size \(|C|\), where \(C\) is the \(\mathbb {F}_{r}\)-arithmetic circuit given as input to \(G\). Thus, efficiency can be improved if \(E\) is sufficiently 2-adic. Concretely, to fully take advantage of the efficiency benefits of 2-adicity, one requires that \(2^{\ell } \ge |C|\), i.e., \(\nu _{2}(r-1) \ge \lceil \log |C| \rceil \) where \(\nu _{2}(\cdot )\) denotes the 2-adic order function.

This fact motivates much of the extensive search for suitable curve parameters, described in Sect. 3.2.

Remark 8.5

(lack of 2-adicity) One can consider other/weaker requirements (e.g., \(\nu _{3}(r-1) \ge \lceil \log _{3} |C| \rceil \), or \(r-1\) is divisible by a smooth number \(M \ge |C|\)) which would still somewhat simplify interpolation/evaluation problems over \(|C|\)-size domains in \(\mathbb {F}_{r}\). The above requirement that \(\nu _{2}(r-1) \ge \lceil \log |C| \rceil \) is, in a sense, the “ideal” one. Moreover, even if \(E\) does not satisfy these other/weaker requirements, it is still possible to instantiate the \(\text{ zk-SNARK }\), but at a higher computational cost (both asymptotically and in practice), due to the necessary use of “heavier” techniques applying to “generic” fields [82].

1.3 The \(\text{ zk-SNARK }\) Verifier Protocol

The (pairing-based) preprocessing \(\text{ zk-SNARK }\)s that we use follow those of [17] (see Sect. 3.3); in turn, these improve upon and implement those of [82]. In this paper, we construct arithmetic circuits for verifying the evaluation of the \(\text{ zk-SNARK }\) verifier \(V\): a circuit \(C_{V,4}\) for an instantiation based on the curve \(E_{4}\), and a circuit \(C_{V,6}\) for one based on the curve \(E_{6}\) (see Sect. 5.1). For completeness, in Fig. 5 we summarize \(V\)’s abstract protocol.

We see that \(V\)’s protocol consists of two main parts: (a) use the verification key \(\mathsf {vk}\) and input \(\vec {x} \in \mathbb {F}_{r}^{n}\) to compute \(\mathsf {vk}_{\vec {x}}\) (see Step 1); and (b) use the verification key \(\mathsf {vk}\), value \(\mathsf {vk}_{\vec {x}}\), and proof \(\pi \), to compute 12 pairings and perform the required checks (see Step 2, Step 3, Step 4). Thus, the first part requires \(O(n)\) scalar multiplications in \(\mathbb {G}_{1}\), while the second part requires O(1) pairing evaluations.

For additional details regarding \(V\) (and, more generally, the preprocessing \(\text{ zk-SNARK }\) construction), we refer the reader to [17, 82]. Indeed, our focus in this work is not why \(V\) executes these checks, but how we can efficiently verify its checks via suitable arithmetic circuits.

Fig. 5

Summary of the checks performed by the \(\text{ zk-SNARK }\) verifier \(V\)

Appendix 4: Proof-Carrying Data for Arithmetic Compliance Predicates

We define a proof-carrying data system (PCD system), which is a cryptographic primitive that captures the notion of proof-carrying data [38, 39]. More precisely, we define preprocessing PCD systems [8]. The definitions here are somewhat informal; for details, we refer the reader to [8].

Proof-carrying data at a glance Fix a predicate \(\Pi \). Consider a distributed computation where nodes perform computations; each computation takes as input messages and outputs a new output message. The security goal is to ensure that each output message is compliant with the predicate \(\Pi \). Proof-carrying data ensures this goal by attaching short and easy-to-verify proofs of \(\Pi \)-compliance to each message.

Concretely, a key generator \(\mathbb {G}\) first sets up a proving key and a verification key. Anyone can then use a prover \(\mathbb {P}\), which is given as input the proving key, prior messages \(\vec {z}_{\mathsf {in}}\) with proofs \(\vec {\pi }_{\mathsf {in}}\), and an output message \(z\), to generate a proof \(\pi \) attesting that \(z\) is \(\Pi \)-compliant. Anyone can use a verifier \(\mathbb {V}\), which is given as input the verification key, a message \(z\), and a proof, to verify that \(z\) is \(\Pi \)-compliant.

Crucially, proof generation and proof verification time are “history independent”: the first only depends on the time to execute \(\Pi \) on input a node’s messages, while the second only on the message length.

We now spell out more details, by first specifying the notion of distributed computation, and then that of compliance with a predicate \(\Pi \). Our discussion is specific to predicates specified as \(\mathbb {F}\)-arithmetic circuits.

Transcripts Given \(n_{\mathsf {msg}},n_{\mathsf {loc}},s\in \mathbb {N}\) and field \(\mathbb {F}\), an \(\mathbb {F}\)-arithmetic transcript (for message size \(n_{\mathsf {msg}}\), local-data size \(n_{\mathsf {loc}}\), and arity \(s\)) is a triple \(\mathsf {T}=(G,\mathsf {loc},\mathsf {data})\), where \(G=(V,E)\) is a directed acyclic graph \(G\), \(\mathsf {loc}:V\rightarrow \mathbb {F}^{n_{\mathsf {loc}}}\) are node labels, and \(\mathsf {data}:E\rightarrow \mathbb {F}^{n_{\mathsf {msg}}}\) are edge labels. The output of \(\mathsf {T}\), denoted \(\mathsf {out}(\mathsf {T})\), equals \(\mathsf {data}(\tilde{u},\tilde{v})\) where \((\tilde{u},\tilde{v})\) is the lexicographically-first edge with \(\tilde{v}\) a sink.

Intuitively, the label \(\mathsf {loc}(v)\) of a node v represents the local data used by v in his local computation; the edge label \(\mathsf {data}(u,v)\) of a directed edged (u, v) represents the message sent from node u to node v. Typically, a party at node v uses the local data \(\mathsf {loc}(v)\) and “input messages” \(\big ( \mathsf {data}(u, v) \big )_{u \in \mathsf {parents}(v)}\) to compute an “output message” \(\mathsf {data}(v,w)\) for each child \(w \in \mathsf {children}(v)\).

Compliance Given field \(\mathbb {F}\) and \(n_{\mathsf {msg}},n_{\mathsf {loc}},s\in \mathbb {N}\), an \(\mathbb {F}\) -arithmetic compliance predicate \(\Pi \) (for message size \(n_{\mathsf {msg}}\), local-data size \(n_{\mathsf {loc}}\), and arity \(s\)) is an \(\mathbb {F}\)-arithmetic circuit with domain \(\mathbb {F}^{n_{\mathsf {msg}}} \times \mathbb {F}^{n_{\mathsf {loc}}} \times \mathbb {F}^{s\cdot n_{\mathsf {msg}}} \times \mathbb {F}\). The compliance predicate \(\Pi \) specifies whether a given transcript \(\mathsf {T}\) is compliant or not, as follows. Consider any transcript \(\mathsf {T}\) with message size \(n_{\mathsf {msg}}\), local-data size \(n_{\mathsf {loc}}\), and arity \(s\). We say that \(\mathsf {T}=(G,\mathsf {loc},\mathsf {data})\) is \(\Pi \)-compliant, denoted \(\Pi (\mathsf {T})=0\), if, for every \(v \in V\) and \(w \in \mathsf {children}(v)\), it holds that

$$\begin{aligned} \Pi \Big (\mathsf {data}(v,w),\mathsf {loc}(v),\big ( \mathsf {data}(u, v) \big )_{u \in \mathsf {parents}(v)},b_{\mathsf {base}}\Big )= 0 , \end{aligned}$$

where \(b_{\mathsf {base}}\in \{0,1\}\) is the base case flag (i.e., equals 1 if and only if v is a source). Furthermore, we say that a message \(z\) is \(\Pi \)-compliant if there is \(\mathsf {T}\) such that \(\Pi (\mathsf {T})=0\) and \(\mathsf {out}(\mathsf {T})=z\).

We are now ready to describe the syntax, semantics, and security of a proof-carrying data system.

Given a field \(\mathbb {F}\), a (preprocessing) proof-carrying data system (PCD system) for \(\mathbb {F}\)-arithmetic compliance predicates is a triple of polynomial-time algorithms \((\mathbb {G} ,\mathbb {P},\mathbb {V})\) working as follows.

• \(\mathbb {G}(1^{\lambda },\Pi ) \rightarrow (\mathsf {pk}, \mathsf {vk})\). On input a security parameter \(\lambda \) (presented in unary) and an \(\mathbb {F}\)-arithmetic compliance predicate \(\Pi \), the key generator \(\mathbb {G}\) probabilistically samples a proving key \(\mathsf {pk}\) and a verification key \(\mathsf {vk}\). We assume, without loss of generality, that \(\mathsf {pk}\) contains (a description of) the predicate \(\Pi \).

The keys \(\mathsf {pk}\) and \(\mathsf {vk}\) are published as public parameters and can be used, any number of times, to prove/verify \(\Pi \)-compliance of messages.

• \(\mathbb {P}(\mathsf {pk},z,z_{\mathsf {loc}},\vec {z}_{\mathsf {in}},\vec {\pi }_{\mathsf {in}}) \rightarrow \pi \). On input a proving key \(\mathsf {pk}\), outgoing message \(z\), local data \(z_{\mathsf {loc}}\), and incoming messages \(\vec {z}_{\mathsf {in}}\) with proofs \(\vec {\pi }_{\mathsf {in}}\), the prover \(\mathbb {P}\) outputs a proof \(\pi \) for the statement “\(z\) is \(\Pi \)-compliant”.

• \(\mathbb {V}(\mathsf {vk}, z, \pi ) \rightarrow b\). On input a verification key \(\mathsf {vk}\), a message \(z\), and a proof \(\pi \), the verifier \(\mathbb {V}\) outputs \(b=1\) if he is convinced by \(\pi \) that \(z\) is \(\Pi \)-compliant.

The triple \((\mathbb {G} ,\mathbb {P},\mathbb {V})\) satisfies the following properties.

Completeness The honest prover can convince the verifier that the output of any compliant transcript is indeed compliant. Namely, for every security parameter \(\lambda \), \(\mathbb {F}\)-arithmetic compliance predicate \(\Pi \), and distributed-computation generator \(S\) (see below),

$$\begin{aligned} \Pr \left[ \begin{array}{c} \Pi (\mathsf {T}) = 0 \\ \mathbb {V}\big (\mathsf {vk},\mathsf {out}(\mathsf {T}),\pi \big ) \ne 1 \end{array} \,\, \Bigg \vert \,\, \begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow \mathbb {G}(1^{\lambda },\Pi ) \\ (\mathsf {T},\pi ) \leftarrow \mathsf {ProofGen}(S,\mathsf {pk},\mathbb {P}) \end{array} \right] = 0. \end{aligned}$$

Above, \(\mathsf {ProofGen}\) is an interactive protocol between a distributed-computation generator \(S\) and the PCD prover \(\mathbb {P}\), in which both are given the compliance predicate \(\Pi \) and the proving key \(\mathsf {pk}\). Essentially, at every time step, \(S\) chooses to do one of the following actions: add a new unlabeled vertex to the computation transcript so far (this corresponds to adding a new computing node to the computation), label an unlabeled vertex (this corresponds to a choice of local data by a computing node), or add a new labeled edge (this corresponds to a new message from one node to another). In case \(S\) chooses the third action, the PCD prover \(\mathbb {P}\) produces a proof for the \(\Pi \)-compliance of the new message, and adds this new proof as an additional label to the new edge. When \(S\) halts, the interactive protocol outputs the distributed computation transcript \(\mathsf {T}\), as well as \(\mathsf {T}\)’s output and corresponding proof. Intuitively, the completeness property requires that if \(\mathsf {T}\) is compliant with \(\Pi \), then the proof attached to the output (which is the result of dynamically invoking \(\mathbb {P}\) for each message in \(\mathsf {T}\), as \(\mathsf {T}\) was being constructed by \(S\)) is accepted by the verifier.

Succinctness For every security parameter \(\lambda \), \(\mathbb {F}\)-arithmetic predicate \(\Pi \), and \((\mathsf {pk},\mathsf {vk}) \in \mathbb {G}(1^{\lambda },\Pi )\),

• an honestly-generated proof \(\pi \) has \(O_{\lambda }(1)\) bits;

• \(\mathbb {V}(\mathsf {vk},z,\pi )\) runs in time \(O_{\lambda }(|z|)\).

Above, \(O_{\lambda }\) hides a (fixed) polynomial factor in \(\lambda \).

Proof of knowledge (and soundness) If the verifier accepts a proof for a message, the prover “knows” a compliant transcript \(\mathsf {T}\) with output \(z\). (Thus, soundness holds). Namely, for every constant \(c>0\) and every polynomial-size adversary A there is a polynomial-size witness extractor \(E\) such that, for every large-enough security parameter \(\lambda \), for every \(\mathbb {F}\)-arithmetic compliance predicate \(\Pi \) of size \(\lambda ^c\),

$$\begin{aligned} \Pr \left[ \begin{array}{c} \mathbb {V}(\mathsf {vk},z,\pi )=1 \\ \Big ( \mathsf {out}(\mathsf {T}) \ne z\;\vee \; \Pi (\mathsf {T}) \ne 0 \Big ) \end{array} \,\, \Bigg \vert \,\, \begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow \mathbb {G}(1^{\lambda },\Pi ) \\ (z,\pi ) \leftarrow A(\mathsf {pk},\mathsf {vk}) \\ \mathsf {T}\leftarrow E(\mathsf {pk},\mathsf {vk}) \end{array} \right] \le \mathsf {negl}(\lambda ). \end{aligned}$$

Statistical zero knowledge An honestly-generated proof is statistical zero knowledge.²⁷ Namely, there is a polynomial-time stateful simulator \(S\) such that, for all stateful distinguishers \(D\), the following two probabilities are negligibly-close:

where, above, \(\Phi = 1\) if and only if: (i) if \(\vec {\pi }_{\mathsf {in}} = \bot \), then \(\Pi (z,z_{\mathsf {loc}},\vec {z}_{\mathsf {in}},1) = 0\); (ii) if \(\vec {\pi }_{\mathsf {in}} \ne \bot \), then \(\Pi (z,z_{\mathsf {loc}},\vec {z}_{\mathsf {in}},0) = 0\) and, for each corresponding pair \((z_{\mathsf {in}},\pi _{\mathsf {in}})\), \(\mathbb {V}(\mathsf {vk},z_{\mathsf {in}},\pi _{\mathsf {in}})=1\); and (iii) \(D(\pi ) = 1\).

Appendix 5: Scalable \(\text{ zk-SNARK }\)s for Random-Access Machines

At high-level, a \(\text{ zk-SNARK }\) for random-access machines is a cryptographic primitive that provides short and easy-to-verify non-interactive zero-knowledge proofs of knowledge for the correct execution of programs. A public proving key is used to generate proofs, and a public verification key is used to verify them; the two keys are jointly generated once, and can then be used any number of times.

In this work, we seek, and obtain an implementation of, \(\text{ zk-SNARK }\)s that are scalable, i.e., that are:

• Fully succinct This property requires that a single pair of keys suffices for computations of any (polynomial) size. In particular, the time to generate a key pair is short (i.e., bounded by a fixed polynomial in the security parameter) and so is the key length.

• Incrementally computable This property requires that proof generation is carried out incrementally, along the original computation, by updating, at each step, a proof of correctness of the computation so far.

Below, we informally define fully-succinct \(\text{ zk-SNARK }\)s for random-access machines, as well as the additional property of incremental computation. We refer the reader to, e.g., [8] for a formal treatment. (Also see Remark 8.4 for a technical comment that applies here too).

A fully-succinct \(\text{ zk-SNARK }\) for random-access machines (see Appendix “Random-Access Machines”) is a triple of polynomial-time algorithms \((G^{\star } ,P^{\star },V^{\star })\) working as follows.

• \(G^{\star }(1^{\lambda },\mathbf {M}) \rightarrow (\mathsf {pk},\mathsf {vk})\). On input a security parameter \(\lambda \) (presented in unary) and a random-access machine \(\mathbf {M}\), the key generator \(G^{\star }\) probabilistically samples a proving key \(\mathsf {pk}\) and a verification key \(\mathsf {vk}\). We assume, without loss of generality, that \(\mathsf {pk}\) contains (a description of) the machine \(\mathbf {M}\).

The keys \(\mathsf {pk}\) and \(\mathsf {vk}\) are published as public parameters and can be used, any number of times, to prove/verify membership of instances in the language \(\mathcal {L}_{\mathbf {M}}\) of accepting computations on \(\mathbf {M}\) (see Definition 8.2). The key generator \(G^{\star }\) is thus succinct and universal (i.e., it does not depend on the program \(\mathcal {P}\), or even computation size, but only on the machine \(\mathbf {M}\) used to run programs). The keys \(\mathsf {pk}\) and \(\mathsf {vk}\) are used as follows.²⁸

• \(P^{\star }(\mathsf {pk},\mathcal {P},T,\mathcal {G}) \rightarrow \pi \). On input a program \(\mathcal {P}\), time bound \(T\), and auxiliary input \(\mathcal {G}\) such that \(\mathbf {M}(\mathcal {P};\mathcal {G})\) accepts in \(\le T\) steps, the prover \(P^{\star }\) outputs a non-interactive proof \(\pi \) for the statement “ \((\mathcal {P},T) \in \mathcal {L}_{\mathbf {M}}\) ”.

• \(V^{\star }(\mathsf {vk},\mathcal {P},T,\pi ) \rightarrow b\). On input a program \(\mathcal {P}\), time bound \(T\), and proof \(\pi \), the verifier \(V^{\star }\) outputs \(b=1\) if he is convinced by \(\pi \) that \((\mathcal {P},T) \in \mathcal {L}_{\mathbf {M}}\).

The triple \((G^{\star } ,P^{\star },V^{\star })\) satisfies the following properties.

Completeness The honest prover can convince the verifier for any instance in the language. Namely, for every security parameter \(\lambda \), random-access machine \(\mathbf {M}\), and instance \((\mathcal {P},T) \in \mathcal {L}_{\mathbf {M}}\) with a witness \(\mathcal {G}\),

$$\begin{aligned} \Pr \left[ V^{\star }(\mathsf {vk},\mathcal {P},T,\pi )=1 \,\, \Bigg \vert \,\,\begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow G^{\star }(1^{\lambda },\mathbf {M}) \\ \pi \leftarrow P^{\star }(\mathsf {pk},\mathcal {P},T,\mathcal {G}) \end{array} \right] = 1. \end{aligned}$$

Succinctness For every security parameter \(\lambda \), random-access machine \(\mathbf {M}\), and \((\mathsf {pk},\mathsf {vk}) \in G^{\star }(1^{\lambda },\mathbf {M})\),

• an honestly-generated proof \(\pi \) has \(O_{\lambda ,\mathbf {M}}(1)\) bits;

• \(V^{\star }(\mathsf {vk},\mathcal {P},T,\pi )\) runs in time \(O_{\lambda ,\mathbf {M}}(|\mathcal {P}|+\log T)\).

Above, \(O_{\lambda ,\mathbf {M}}\) hides a (fixed) polynomial factor in \(\lambda \) and \(|\mathbf {M}|\). (In our implementation, \(\lambda ,|\mathbf {M}|\) are constants).

Proof of knowledge (and soundness) If the verifier accepts a proof for a polynomial-size computation, the prover “knows” a witness for the instance. (Thus, soundness holds). Namely, for every constant \(c>0\) and every polynomial-size adversary A there is a polynomial-size witness extractor \(E\) such that, for every large enough security parameter \(\lambda \), for every random-access machine \(\mathbf {M}\),

$$\begin{aligned} \Pr \left[ \begin{array}{c} T\le \lambda ^c \\ V^{\star }(\mathsf {vk},\mathcal {P},T,\pi )=1 \\ \big ((\mathcal {P},T),\mathcal {G}\big ) \notin \mathcal {R}_{\mathbf {M}} \end{array} \,\, \Bigg \vert \,\, \begin{array}{c} (\mathsf {pk},\mathsf {vk}) \leftarrow G^{\star }(1^{\lambda },\mathbf {M}) \\ (\mathcal {P},T,\pi ) \leftarrow A(\mathsf {pk},\mathsf {vk}) \\ \mathcal {G}\leftarrow E(\mathsf {pk},\mathsf {vk}) \end{array} \right] \le \mathsf {negl}(\lambda ). \end{aligned}$$

Statistical zero knowledge An honestly-generated proof is statistical zero knowledge.²⁹ Namely, there is a polynomial-time stateful simulator \(S\) such that, for all stateful distinguishers \(D\), the following two probabilities are negligibly-close:

Finally, a fully-succinct \(\text{ zk-SNARK }\) is also incrementally computable if there exist two algorithms, a computation supervisor \(\mathsf {SV}\) and a sub-prover \(\mathsf {SP}\), such that, for every security parameter \(\lambda \), random-access machine \(\mathbf {M}\), instance \((\mathcal {P},T) \in \mathcal {L}_{\mathbf {M}}\) with a witness \(\mathcal {G}= (g_{0},\dots ,g_{T-1})\), key pair \((\mathsf {pk},\mathsf {vk}) \in G^{\star }(1^{\lambda },\mathbf {M})\), and letting \(\pi _{T} := P^{\star }(\mathsf {pk},\mathcal {P},T,\mathcal {G})\), the following holds.

• For \(i=1,\dots ,T\), \(\pi _{i} = \mathsf {SP}(\mathsf {pk},\mathsf {aux}_{i},\pi _{i-1})\).

• For \(i=1,\dots ,T\), \(\mathsf {aux}_{i}\) is the final state of memory when \(\mathsf {SV}(\mathbf {M},g_{i})\) has read-write random access to a memory initialized to the state \(\mathsf {aux}_{i-1}\). Moreover, each \(\mathsf {aux}_{i}\) has size \(O_{\lambda ,\mathbf {M}}(S_{i})\), where \(S_{i}\) is the space usage of \(\mathbf {M}(\mathcal {P};\mathcal {G})\) at time i.³⁰

• The proof \(\pi _{0}\) is defined as \(\bot \), and \(\mathsf {aux}_{0}\) as \(\mathcal {P}\).

In particular, \(\mathsf {SV}\) and \(\mathsf {SP}\) have time and space complexity \(O_{\lambda ,\mathbf {M}}(1)\); these costs are incurred each time a new proof is generated from an old one.

1.1 Known Constructions and Security

Theoretical constructions of fully-succinct \(\text{ zk-SNARK }\)s are known, based on various cryptographic assumptions [8, 74, 109]. Despite achieving essentially-optimal asymptotics [8, 12, 13, 20, 23] no implementations of them have been reported in the literature to date.

Of the above, the only approach that also achieves incremental computation is the one of Bitansky et al. [8], which we follow in this paper. Security in [8] is based on the security of preprocessing \(\text{ zk-SNARK }\)s (see Appendix “Known Constructions and Security”) and collision-resistant hash functions.