Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings

Ever since their introduction, zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in a variety of applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal structured reference string that is also updatable, but the string scales quadratically in the size of the supported relations. Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updatable structured reference string that scales linearly in size. We also describe a generally useful technique in which untrusted "helpers" can compute advice that allows batches of proofs to be verified more efficiently. Sonic proofs are constant size, and in the "helped" batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature.

[1]  Nir Bitansky,et al.  Succinct Non-Interactive Arguments via Linear Interactive Proofs , 2013, Journal of Cryptology.

[2]  Eli Ben-Sasson,et al.  Scalable Zero Knowledge Via Cycles of Elliptic Curves , 2016, Algorithmica.

[3]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[4]  Jens Groth,et al.  Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution , 2018, IACR Cryptol. ePrint Arch..

[5]  Ion Stoica,et al.  DIZK: A Distributed Zero Knowledge Proof System , 2018, IACR Cryptol. ePrint Arch..

[6]  S. Meiklejohn,et al.  Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings , 2019 .

[7]  George Danezis,et al.  Square Span Programs with Applications to Succinct NIZK Arguments , 2014, ASIACRYPT.

[8]  Markulf Kohlweiss,et al.  Updatable and Universal Common Reference Strings with Applications to zk-SNARKs , 2018, IACR Cryptol. ePrint Arch..

[9]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[10]  Ian Miers,et al.  Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model , 2017, IACR Cryptol. ePrint Arch..

[11]  Rafail Ostrovsky,et al.  Zero-Knowledge Proofs from Secure Multiparty Computation , 2009, SIAM J. Comput..

[12]  Eli Ben-Sasson,et al.  Interactive Oracle Proofs , 2016, TCC.

[13]  Yuval Ishai,et al.  Ligero: Lightweight Sublinear Arguments Without a Trusted Setup , 2017, Designs, Codes and Cryptography.

[14]  Jens Groth,et al.  Efficient Zero-Knowledge Argument for Correctness of a Shuffle , 2012, EUROCRYPT.

[15]  Elaine Shi,et al.  Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[16]  Elaine Shi,et al.  Signatures of Correct Computation , 2013, TCC.

[17]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[18]  Marcel Keller,et al.  On the Amortized Complexity of Zero-Knowledge Protocols , 2009, Journal of Cryptology.

[19]  Georg Fuchsbauer,et al.  Efficient Signatures of Knowledge and DAA in the Standard Model , 2013, ACNS.

[20]  Jonathan Katz,et al.  A Zero-Knowledge Version of vSQL , 2017, IACR Cryptol. ePrint Arch..

[21]  Hovav Shacham,et al.  Randomizable Proofs and Delegatable Anonymous Credentials , 2009, CRYPTO.

[22]  Georg Fuchsbauer,et al.  NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion , 2016, IACR Cryptol. ePrint Arch..

[23]  Leslie G. Valiant,et al.  Universal circuits (Preliminary Report) , 1976, STOC '76.

[24]  Matthew Green,et al.  Bolt: Anonymous Payment Channels for Decentralized Currencies , 2017, CCS.

[25]  Jan Camenisch,et al.  Efficient attributes for anonymous credentials , 2008, CCS.

[26]  Markulf Kohlweiss,et al.  Succinct Malleable NIZKs and an Application to Compact Shuffles , 2013, TCC.

[27]  Daniel Slamanig,et al.  Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives , 2017, CCS.

[28]  Eli Ben-Sasson,et al.  Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..

[29]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[30]  Matthew Green,et al.  Decentralized Anonymous Credentials , 2014, NDSS.

[31]  Razvan Barbulescu,et al.  Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case , 2016, CRYPTO.

[32]  Payman Mohassel,et al.  Valiant's Universal Circuit: Improvements, Implementation, and Applications , 2016, IACR Cryptol. ePrint Arch..

[33]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[34]  Jens Groth,et al.  Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs , 2017, IACR Cryptol. ePrint Arch..

[35]  Abhi Shelat,et al.  Doubly-Efficient zkSNARKs Without Trusted Setup , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[36]  Jesper Madsen,et al.  ZKBoo: Faster Zero-Knowledge for Boolean Circuits , 2016, USENIX Security Symposium.

[37]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[38]  Jens Groth,et al.  Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting , 2016, EUROCRYPT.

[39]  Eli Ben-Sasson,et al.  Aurora: Transparent Succinct Arguments for R1CS , 2019, IACR Cryptol. ePrint Arch..

[40]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[41]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[42]  Joseph Bonneau,et al.  Coda: Decentralized Cryptocurrency at Scale , 2020, IACR Cryptol. ePrint Arch..

[43]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[44]  Jan Camenisch,et al.  Composable and Modular Anonymous Credentials: Definitions and Practical Constructions , 2015, ASIACRYPT.

[45]  Helger Lipmaa,et al.  Succinct Non-Interactive Zero Knowledge Arguments from Span Programs and Linear Error-Correcting Codes , 2013, IACR Cryptol. ePrint Arch..

[46]  Jens Groth,et al.  Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits , 2018, IACR Cryptol. ePrint Arch..

[47]  Eike Kiltz,et al.  The Algebraic Group Model and its Applications , 2018, IACR Cryptol. ePrint Arch..

[48]  Razvan Barbulescu,et al.  Updating Key Size Estimations for Pairings , 2018, Journal of Cryptology.

[49]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[50]  Rafail Ostrovsky,et al.  Cryptography with constant computational overhead , 2008, STOC.

[51]  Dan Boneh,et al.  Verifiable Delay Functions , 2018, IACR Cryptol. ePrint Arch..

[52]  Dan Boneh,et al.  Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups , 2008, Journal of Cryptology.

[53]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[54]  Yehuda Lindell,et al.  Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, Journal of Cryptology.

[55]  Shafi Goldwasser,et al.  Practical Accountability of Secret Processes , 2018, IACR Cryptol. ePrint Arch..

[56]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[57]  Jens Groth,et al.  Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability , 2017, IACR Cryptol. ePrint Arch..

[58]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[59]  Georg Fuchsbauer,et al.  BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme , 2016, CCS.

[60]  Markulf Kohlweiss,et al.  Malleable Signatures: New Definitions and Delegatable Anonymous Credentials , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[61]  Eli Ben-Sasson,et al.  Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs , 2015, 2015 IEEE Symposium on Security and Privacy.

[62]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..