DOI: 10.1145/3319535.3339817
ACM CCS Conference Proceedings, research article

Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings

Published: 06 November 2019

ABSTRACT

Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations.

Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature.

Supplemental Material

p2111-maller.webm (webm, 121.1 MB)

References

  1. Sonic reference implementation. https://github.com/zknuckles/sonic.
  2. S. Ames, C. Hazay, Y. Ishai, and M. Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of ACM CCS, 2017.
  3. R. Barbulescu and S. Duquesne. Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334, 2017. https://eprint.iacr.org/2017/334.
  4. C. Baum, J. Bootle, A. Cerulli, R. del Pino, J. Groth, and V. Lyubashevsky. Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits. In Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19--23, 2018, Proceedings, Part II, pages 669--699, 2018.
  5. S. Bayer and J. Groth. Efficient zero-knowledge argument for correctness of a shuffle. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15--19, 2012, Proceedings, pages 263--280, 2012.
  6. M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham. Randomizable proofs and delegatable anonymous credentials. In Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16--20, 2009, Proceedings, pages 108--125, 2009.
  7. M. Bellare, G. Fuchsbauer, and A. Scafuro. NIZKs with an untrusted CRS: Security in the face of parameter subversion. In ASIACRYPT, pages 777--804, 2016.
  8. M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In EUROCRYPT, pages 409--426, 2006.
  9. E. Ben-Sasson, I. Bentov, Y. Horesh, and M. Riabzev. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046, 2018. https://eprint.iacr.org/2018/046.
  10. E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: Decentralized anonymous payments from Bitcoin. In Proceedings of the IEEE Symposium on Security & Privacy, 2014.
  11. E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, and M. Virza. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18--22, 2013, Proceedings, Part II, pages 90--108, 2013.
  12. E. Ben-Sasson, A. Chiesa, M. Green, E. Tromer, and M. Virza. Secure sampling of public parameters for succinct zero knowledge proofs. In Proceedings of the IEEE Symposium on Security & Privacy, 2015.
  13. E. Ben-Sasson, A. Chiesa, M. Riabzev, N. Spooner, M. Virza, and N. P. Ward. Aurora: Transparent succinct arguments for R1CS. IACR Cryptology ePrint Archive, 2018:828, 2018.
  14. E. Ben-Sasson, A. Chiesa, and N. Spooner. Interactive oracle proofs. In Theory of Cryptography - 14th International Conference, TCC 2016-B, Beijing, China, October 31 - November 3, 2016, Proceedings, Part II, pages 31--60, 2016.
  15. E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Scalable zero knowledge via cycles of elliptic curves. In CRYPTO, 2014.
  16. E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Succinct non-interactive zero knowledge for a von Neumann architecture. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20--22, 2014, pages 781--796, 2014.
  17. D. Bernhard, G. Fuchsbauer, and E. Ghadafi. Efficient signatures of knowledge and DAA in the standard model. In Applied Cryptography and Network Security - 11th International Conference, ACNS 2013, Banff, AB, Canada, June 25--28, 2013, Proceedings, pages 518--533, 2013.
  18. N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, and O. Paneth. Succinct non-interactive arguments via linear interactive proofs. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3--6, 2013, Proceedings, pages 315--333, 2013.
  19. D. Boneh, J. Bonneau, B. Bünz, and B. Fisch. Verifiable delay functions. In Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19--23, 2018, Proceedings, Part I, pages 757--788, 2018.
  20. D. Boneh and X. Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology, 21(2):149--177, 2008.
  21. D. Boneh, Ö. Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry. Random oracles in a quantum world. In Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4--8, 2011, Proceedings, pages 41--69, 2011.
  22. J. Bootle, A. Cerulli, P. Chaidos, J. Groth, and C. Petit. Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In EUROCRYPT, 2016.
  23. J. Bootle, A. Cerulli, E. Ghadafi, J. Groth, M. Hajiabadi, and S. Jakobsen. Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In Proceedings of ASIACRYPT 2017, 2017.
  24. J. Bootle, A. Cerulli, J. Groth, S. K. Jakobsen, and M. Maller. Nearly linear-time zero-knowledge proofs for correct program execution. IACR Cryptology ePrint Archive, 2018:380, 2018.
  25. S. Bowe, A. Gabizon, and I. Miers. Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050, 2017. https://eprint.iacr.org/2017/1050.
  26. B. Bünz, J. Bootle, D. Boneh, A. Poelstra, and G. Maxwell. Bulletproofs: Short proofs for confidential transactions and more. In Proceedings of the IEEE Symposium on Security & Privacy, 2018.
  27. J. Camenisch, M. Dubovitskaya, K. Haralambiev, and M. Kohlweiss. Composable and modular anonymous credentials: Definitions and practical constructions. In Advances in Cryptology - ASIACRYPT 2015 - 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 - December 3, 2015, Proceedings, Part II, pages 262--288, 2015.
  28. J. Camenisch and T. Groß. Efficient attributes for anonymous credentials. In Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, October 27--31, 2008, pages 345--356, 2008.
  29. P. Chaidos, V. Cortier, G. Fuchsbauer, and D. Galindo. BeleniosRF: A non-interactive receipt-free electronic voting scheme. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24--28, 2016, pages 1614--1625, 2016.
  30. M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, and G. Zaverucha. Post-quantum zero-knowledge and signatures from symmetric-key primitives. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 1825--1842, 2017.
  31. M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Succinct malleable NIZKs and an application to compact shuffles. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3--6, 2013, Proceedings, pages 100--119, 2013.
  32. M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Malleable signatures: New definitions and delegatable anonymous credentials. In IEEE 27th Computer Security Foundations Symposium, CSF 2014, Vienna, Austria, July 19--22, 2014, pages 199--213, 2014.
  33. G. Cormode, M. Mitzenmacher, and J. Thaler. Practical verified computation with streaming interactive proofs. In Innovations in Theoretical Computer Science 2012, Cambridge, MA, USA, January 8--10, 2012, pages 90--112, 2012.
  34. R. Cramer, I. Damgård, and M. Keller. On the amortized complexity of zero-knowledge protocols. J. Cryptology, 27(2):284--316, 2014.
  35. G. Danezis, C. Fournet, J. Groth, and M. Kohlweiss. Square span programs with applications to succinct NIZK arguments. In ASIACRYPT, pages 532--550, 2014.
  36. J. Frankle, S. Park, D. Shaar, S. Goldwasser, and D. J. Weitzner. Practical accountability of secret processes. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15--17, 2018, pages 657--674, 2018.
  37. G. Fuchsbauer, E. Kiltz, and J. Loss. The algebraic group model and its applications. In Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19--23, 2018, Proceedings, Part II, pages 33--62, 2018.
  38. S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113--3121, 2008.
  39. C. Garman, M. Green, and I. Miers. Decentralized anonymous credentials. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23--26, 2014.
  40. R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs. In EUROCRYPT, pages 626--645, 2013.
  41. C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Proceedings of the Forty-third Annual ACM Symposium on Theory of Computing, STOC '11, pages 99--108, New York, NY, USA, 2011. ACM.
  42. I. Giacomelli, J. Madsen, and C. Orlandi. ZKBoo: Faster zero-knowledge for Boolean circuits. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10--12, 2016, pages 1069--1083, 2016.
  43. S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegating computation: Interactive proofs for muggles. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17--20, 2008, pages 113--122, 2008.
  44. M. Green and I. Miers. Bolt: Anonymous payment channels for decentralized currencies. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 473--489, 2017.
  45. J. Groth. On the size of pairing-based non-interactive arguments. In EUROCRYPT, pages 305--326, 2016.
  46. J. Groth, M. Kohlweiss, M. Maller, S. Meiklejohn, and I. Miers. Updatable and universal common reference strings with applications to zk-SNARKs. In Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19--23, 2018, Proceedings, Part III, pages 698--728, 2018.
  47. J. Groth and M. Maller. Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs. In CRYPTO, pages 581--612, 2017.
  48. Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Cryptography with constant computational overhead. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17--20, 2008, pages 433--442, 2008.
  49. Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput., 39(3):1121--1152, 2009.
  50. A. Kate, G. M. Zaverucha, and I. Goldberg. Constant-size commitments to polynomials and their applications. In Advances in Cryptology - ASIACRYPT 2010 - 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5--9, 2010, Proceedings, pages 177--194. Springer, 2010.
  51. T. Kim and R. Barbulescu. Extended tower number field sieve: A new complexity for the medium prime case. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14--18, 2016, Proceedings, Part I, pages 543--571, 2016.
  52. A. E. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22--26, 2016, pages 839--858, 2016.
  53. Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology, 16(3):143--184, 2003.
  54. H. Lipmaa. Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes. In Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1--5, 2013, Proceedings, Part I, pages 41--60, 2013.
  55. H. Lipmaa, P. Mohassel, and S. S. Sadeghian. Valiant's universal circuit: Improvements, implementation, and applications. IACR Cryptology ePrint Archive, 2016:17, 2016.
  56. M. Maller, S. Bowe, M. Kohlweiss, and S. Meiklejohn. Sonic: Zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. https://eprint.iacr.org/2019/099.
  57. I. Meckler and E. Shapiro. Coda: Decentralized cryptocurrency at scale. 2018.
  58. C. Papamanthou, E. Shi, and R. Tamassia. Signatures of correct computation. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3--6, 2013, Proceedings, pages 222--242, 2013.
  59. B. Parno, J. Howell, C. Gentry, and M. Raykova. Pinocchio: Nearly practical verifiable computation. In Proceedings of the IEEE Symposium on Security & Privacy, 2013.
  60. L. G. Valiant. Universal circuits (preliminary report). In Proceedings of the 8th Annual ACM Symposium on Theory of Computing, pages 196--203, 1976.
  61. R. S. Wahby, I. Tzialla, A. Shelat, J. Thaler, and M. Walfish. Doubly-efficient zkSNARKs without trusted setup. In 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, May 21--23, 2018, San Francisco, California, USA, pages 926--943, 2018.
  62. Z. Wilcox. The design of the ceremony. https://z.cash/blog/the-design-of-the-ceremony.html, Oct. 2016.
  63. ZKProof Standards Workshop, 2018. https://zkproof.org/proceedings-snapshots/zkproof-implementation-20180801.pdf.
  64. H. Wu, W. Zheng, A. Chiesa, R. A. Popa, and I. Stoica. DIZK: A distributed zero knowledge proof system. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15--17, 2018, pages 675--692, 2018.
  65. Y. Zhang, D. Genkin, J. Katz, D. Papadopoulos, and C. Papamanthou. A zero-knowledge version of vSQL. IACR Cryptology ePrint Archive, 2017:1146, 2017.

Published in

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, November 2019, 2755 pages. ISBN: 9781450367479. DOI: 10.1145/3319535.

      Copyright © 2019 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 6 November 2019


Acceptance Rates

CCS '19 paper acceptance rate: 149 of 934 submissions (16%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
