The purpose of this note is to provide a variant of Groth's zk-SNARK [5] that satisfies simulation extractability, which is a strong form of adaptive non-malleability. Let us call such a construction a zk-SE-SNARK for brevity. A straightforward alteration of the construction gives a succinct Signature of Knowledge (SoK). Our construction of both primitives uses a bilinear group (G1, G2, GT), and a proof/signature requires three G1 elements and two G2 elements. Groth and Maller [6] recently gave a construction of zk-SE-SNARKs and SoKs. Their zk-SE-SNARK has the advantage of requiring only 2 G1 elements and 1 G2 element, as in [5]. Their SoK requires an additional string to be output. Furthermore, they rely on concrete assumptions holding in the Generic Group Model, together with a collision-resistant hash function only for the SoK; whereas our analysis for both primitives requires the full generic group model as in [5] together with the random oracle model.[1] On the other hand, our work has the practical advantage of the prover/signer requiring only two group operations more than the prover of [5]; whereas [6], as a result of relying on Square Arithmetic Programs [3] rather than Quadratic Arithmetic Programs [4], require twice as many G2 operations.

Footnote 1: As discussed with Jens Groth and Mary Maller, it is possible to phrase a concrete assumption holding in the Generic Group Model under which our construction and [5] are secure; however, this assumption would be quite strong and have an ad-hoc flavor, and in particular would still be stronger than the assumptions in [6], with one exception: [6] require an assumption following from an "asymmetric" group model where there is no efficient isomorphism from G1 to G2 or from G2 to G1. Our work, as [5], does not require assuming this, and the analysis works in particular when G1 = G2.
References

[1] Ian Miers et al. Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model. IACR Cryptol. ePrint Arch., 2017.
[2] George Danezis et al. Square Span Programs with Applications to Succinct NIZK Arguments. ASIACRYPT, 2014.
[3] Craig Gentry et al. Quadratic Span Programs and Succinct NIZKs without PCPs. IACR Cryptol. ePrint Arch., 2013.
[4] Jens Groth et al. Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs. IACR Cryptol. ePrint Arch., 2017.
[5] Jens Groth et al. On the Size of Pairing-Based Non-interactive Arguments. EUROCRYPT, 2016.