论文信息 - Halo: Recursive Proof Composition without a Trusted Setup

Halo: Recursive Proof Composition without a Trusted Setup

Non-interactive proofs of knowledge allow us to publicly demonstrate the faithful execution of arbitrary computations. SNARKs have the additional property of succinctness, meaning that the proofs are short and fast to verify even when the computations involved are large. This property raises the prospect of recursive proof composition: proofs that verify other proofs. All previously known realizations of recursive proof composition have required a trusted setup and cycles of expensive pairing-friendly elliptic curves. We obtain the first practical example of recursive proof composition without a trusted setup, using only ordinary cycles of elliptic curves. Our primary contribution is a novel technique for amortizing away expensive verification procedures from within the proof verification cycle so that we could obtain recursion using a composition of existing protocols and techniques. We devise a technique for amortizing the cost of verifying multiple inner product arguments which may be of independent interest.

[1] Dan Boneh,et al. Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[2] Silvio Micali,et al. Computationally Sound Proofs , 2000, SIAM J. Comput..

[3] Matthew Green,et al. ZEXE: Enabling Decentralized Private Computation , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[4] Guido Bertoni,et al. Duplexing the sponge: single-pass authenticated encryption and other applications , 2011, IACR Cryptol. ePrint Arch..

[5] Eli Ben-Sasson,et al. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[6] Tanja Lange,et al. Montgomery curves and the Montgomery ladder , 2017, IACR Cryptol. ePrint Arch..

[7] Manuel Blum,et al. Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[8] T-H. Hubert Chan,et al. C ∅ C ∅ : A Framework for Building Composable Zero-Knowledge Proofs , 2016 .

[9] Eli Ben-Sasson,et al. SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[10] Eli Ben-Sasson,et al. Efficient Symmetric Primitives for Advanced Cryptographic Protocols (A Marvellous Contribution) , 2019, IACR Cryptol. ePrint Arch..

[11] S. Meiklejohn,et al. Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings , 2019 .

[12] Paulo S. L. M. Barreto,et al. Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[13] Joseph Bonneau,et al. Coda: Decentralized Cryptocurrency at Scale , 2020, IACR Cryptol. ePrint Arch..

[14] Ruggero Susella,et al. A Compact and Exception-Free Ladder for All Short Weierstrass Elliptic Curves , 2016, CARDIS.

[15] Iwan M. Duursma,et al. Speeding up the Discrete Log Computation on Curves with Automorphisms , 1999, ASIACRYPT.

[16] Nir Bitansky,et al. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[17] Craig Costello,et al. Complete Addition Formulas for Prime Order Elliptic Curves , 2016, EUROCRYPT.

[18] Srinath T. V. Setty,et al. Spartan: Efficient and general-purpose zkSNARKs without trusted setup , 2020, IACR Cryptol. ePrint Arch..

[19] Michael Scott,et al. A Taxonomy of Pairing-Friendly Elliptic Curves , 2010, Journal of Cryptology.

[20] Jens Groth,et al. On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[21] Amos Fiat,et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[22] Joseph H. Silverman,et al. Amicable Pairs and Aliquot Cycles for Elliptic Curves , 2009, Exp. Math..

[23] Paulo S. L. M. Barreto,et al. Constructing Elliptic Curves with Prescribed Embedding Degrees , 2002, SCN.

[24] Craig Gentry,et al. Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[25] Jens Groth,et al. Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[26] Abhi Shelat,et al. Doubly-Efficient zkSNARKs Without Trusted Setup , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[27] Paul Valiant,et al. Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency , 2008, TCC.

[28] Joe Kilian,et al. A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[29] Eli Ben-Sasson,et al. Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..

[30] Tanja Lange,et al. On the correct use of the negation map in the Pollard rho method , 2011, IACR Cryptol. ePrint Arch..

[31] Lynn Chua,et al. On Cycles of Pairing-Friendly Elliptic Curves , 2019, SIAM J. Appl. Algebra Geom..

[32] Silvio Micali,et al. The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[33] Jens Groth,et al. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting , 2016, EUROCRYPT.