ABSTRACT
Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations.
Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature.
References
- Sonic reference implementation. https://github.com/zknuckles/sonic.
- S. Ames, C. Hazay, Y. Ishai, and M. Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In ACM CCS 2017.
- R. Barbulescu and S. Duquesne. Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334, 2017. https://eprint.iacr.org/2017/334.
- C. Baum, J. Bootle, A. Cerulli, R. del Pino, J. Groth, and V. Lyubashevsky. Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits. In CRYPTO 2018, Part II, pages 669--699, 2018.
- S. Bayer and J. Groth. Efficient zero-knowledge argument for correctness of a shuffle. In EUROCRYPT 2012, pages 263--280, 2012.
- M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham. Randomizable proofs and delegatable anonymous credentials. In CRYPTO 2009, pages 108--125, 2009.
- M. Bellare, G. Fuchsbauer, and A. Scafuro. NIZKs with an untrusted CRS: Security in the face of parameter subversion. In ASIACRYPT 2016, pages 777--804, 2016.
- M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In EUROCRYPT 2006, pages 409--426, 2006.
- E. Ben-Sasson, I. Bentov, Y. Horesh, and M. Riabzev. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046, 2018. https://eprint.iacr.org/2018/046.
- E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: Decentralized anonymous payments from Bitcoin. In IEEE Symposium on Security and Privacy 2014.
- E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, and M. Virza. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In CRYPTO 2013, Part II, pages 90--108, 2013.
- E. Ben-Sasson, A. Chiesa, M. Green, E. Tromer, and M. Virza. Secure sampling of public parameters for succinct zero knowledge proofs. In IEEE Symposium on Security and Privacy 2015.
- E. Ben-Sasson, A. Chiesa, M. Riabzev, N. Spooner, M. Virza, and N. P. Ward. Aurora: Transparent succinct arguments for R1CS. Cryptology ePrint Archive, Report 2018/828, 2018.
- E. Ben-Sasson, A. Chiesa, and N. Spooner. Interactive oracle proofs. In TCC 2016-B, Part II, pages 31--60, 2016.
- E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Scalable zero knowledge via cycles of elliptic curves. In CRYPTO 2014.
- E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Succinct non-interactive zero knowledge for a von Neumann architecture. In USENIX Security 2014, pages 781--796, 2014.
- D. Bernhard, G. Fuchsbauer, and E. Ghadafi. Efficient signatures of knowledge and DAA in the standard model. In ACNS 2013, pages 518--533, 2013.
- N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, and O. Paneth. Succinct non-interactive arguments via linear interactive proofs. In TCC 2013, pages 315--333, 2013.
- D. Boneh, J. Bonneau, B. Bünz, and B. Fisch. Verifiable delay functions. In CRYPTO 2018, Part I, pages 757--788, 2018.
- D. Boneh and X. Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology, 21(2):149--177, 2008.
- D. Boneh, Ö. Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry. Random oracles in a quantum world. In ASIACRYPT 2011, pages 41--69, 2011.
- J. Bootle, A. Cerulli, P. Chaidos, J. Groth, and C. Petit. Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In EUROCRYPT 2016.
- J. Bootle, A. Cerulli, E. Ghadafi, J. Groth, M. Hajiabadi, and S. Jakobsen. Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In ASIACRYPT 2017.
- J. Bootle, A. Cerulli, J. Groth, S. K. Jakobsen, and M. Maller. Nearly linear-time zero-knowledge proofs for correct program execution. Cryptology ePrint Archive, Report 2018/380, 2018.
- S. Bowe, A. Gabizon, and I. Miers. Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050, 2017. https://eprint.iacr.org/2017/1050.
- B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. Bulletproofs: Short proofs for confidential transactions and more. In IEEE Symposium on Security and Privacy 2018.
- J. Camenisch, M. Dubovitskaya, K. Haralambiev, and M. Kohlweiss. Composable and modular anonymous credentials: Definitions and practical constructions. In ASIACRYPT 2015, Part II, pages 262--288, 2015.
- J. Camenisch and T. Groß. Efficient attributes for anonymous credentials. In ACM CCS 2008, pages 345--356, 2008.
- P. Chaidos, V. Cortier, G. Fuchsbauer, and D. Galindo. BeleniosRF: A non-interactive receipt-free electronic voting scheme. In ACM CCS 2016, pages 1614--1625, 2016.
- M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, and G. Zaverucha. Post-quantum zero-knowledge and signatures from symmetric-key primitives. In ACM CCS 2017, pages 1825--1842, 2017.
- M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Succinct malleable NIZKs and an application to compact shuffles. In TCC 2013, pages 100--119, 2013.
- M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Malleable signatures: New definitions and delegatable anonymous credentials. In IEEE CSF 2014, pages 199--213, 2014.
- G. Cormode, M. Mitzenmacher, and J. Thaler. Practical verified computation with streaming interactive proofs. In ITCS 2012, pages 90--112, 2012.
- R. Cramer, I. Damgård, and M. Keller. On the amortized complexity of zero-knowledge protocols. J. Cryptology, 27(2):284--316, 2014.
- G. Danezis, C. Fournet, J. Groth, and M. Kohlweiss. Square span programs with applications to succinct NIZK arguments. In ASIACRYPT 2014, pages 532--550, 2014.
- J. Frankle, S. Park, D. Shaar, S. Goldwasser, and D. J. Weitzner. Practical accountability of secret processes. In USENIX Security 2018, pages 657--674, 2018.
- G. Fuchsbauer, E. Kiltz, and J. Loss. The algebraic group model and its applications. In CRYPTO 2018, Part II, pages 33--62, 2018.
- S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113--3121, 2008.
- C. Garman, M. Green, and I. Miers. Decentralized anonymous credentials. In NDSS 2014.
- R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs. In EUROCRYPT 2013, pages 626--645, 2013.
- C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In STOC 2011, pages 99--108, 2011.
- I. Giacomelli, J. Madsen, and C. Orlandi. ZKBoo: Faster zero-knowledge for Boolean circuits. In USENIX Security 2016, pages 1069--1083, 2016.
- S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegating computation: Interactive proofs for muggles. In STOC 2008, pages 113--122, 2008.
- M. Green and I. Miers. Bolt: Anonymous payment channels for decentralized currencies. In ACM CCS 2017, pages 473--489, 2017.
- J. Groth. On the size of pairing-based non-interactive arguments. In EUROCRYPT 2016, pages 305--326, 2016.
- J. Groth, M. Kohlweiss, M. Maller, S. Meiklejohn, and I. Miers. Updatable and universal common reference strings with applications to zk-SNARKs. In CRYPTO 2018, Part III, pages 698--728, 2018.
- J. Groth and M. Maller. Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs. In CRYPTO 2017, pages 581--612, 2017.
- Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Cryptography with constant computational overhead. In STOC 2008, pages 433--442, 2008.
- Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput., 39(3):1121--1152, 2009.
- A. Kate, G. M. Zaverucha, and I. Goldberg. Constant-size commitments to polynomials and their applications. In ASIACRYPT 2010, pages 177--194, 2010.
- T. Kim and R. Barbulescu. Extended tower number field sieve: A new complexity for the medium prime case. In CRYPTO 2016, Part I, pages 543--571, 2016.
- A. E. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In IEEE Symposium on Security and Privacy 2016, pages 839--858, 2016.
- Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology, 16(3):143--184, 2003.
- H. Lipmaa. Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes. In ASIACRYPT 2013, Part I, pages 41--60, 2013.
- H. Lipmaa, P. Mohassel, and S. S. Sadeghian. Valiant's universal circuit: Improvements, implementation, and applications. Cryptology ePrint Archive, Report 2016/017, 2016.
- M. Maller, S. Bowe, M. Kohlweiss, and S. Meiklejohn. Sonic: Zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. Cryptology ePrint Archive, Report 2019/099, 2019. https://eprint.iacr.org/2019/099.
- I. Meckler and E. Shapiro. Coda: Decentralized cryptocurrency at scale. 2018.
- C. Papamanthou, E. Shi, and R. Tamassia. Signatures of correct computation. In TCC 2013, pages 222--242, 2013.
- B. Parno, J. Howell, C. Gentry, and M. Raykova. Pinocchio: Nearly practical verifiable computation. In IEEE Symposium on Security and Privacy 2013.
- L. G. Valiant. Universal circuits (preliminary report). In STOC 1976, pages 196--203, 1976.
- R. S. Wahby, I. Tzialla, A. Shelat, J. Thaler, and M. Walfish. Doubly-efficient zkSNARKs without trusted setup. In IEEE Symposium on Security and Privacy 2018, pages 926--943, 2018.
- Z. Wilcox. The design of the ceremony. https://z.cash/blog/the-design-of-the-ceremony.html, Oct. 2016.
- ZKProof Standards Workshop, 2018. https://zkproof.org/proceedings-snapshots/zkproof-implementation-20180801.pdf.
- H. Wu, W. Zheng, A. Chiesa, R. A. Popa, and I. Stoica. DIZK: A distributed zero knowledge proof system. In USENIX Security 2018, pages 675--692, 2018.
- Y. Zhang, D. Genkin, J. Katz, D. Papadopoulos, and C. Papamanthou. A zero-knowledge version of vSQL. Cryptology ePrint Archive, Report 2017/1146, 2017.
Index Terms
- Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings