TRANSCRIPT
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs
Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers.
Crypto - 23/08/2018
Our Goal
Slide 1 of 22
Find a better method than trusted setups for generating the public parameters for zk-SNARKs.
What are zk-SNARKs?
Slide 2 of 22
Zero-Knowledge Succinct Non-interactive ARgument of Knowledge.
Very small proofs.
Verification is fast.
Requires trusted setup.
KoE assumptions.
When to use zk-SNARKs?
Slide 3 of 22
• When lots of instances of the same problem need to be proven over and over and over.
• The verifier has limited time and space.
Great for blockchains!
zk-SNARKs have Trapdoors
Slide 3 of 22
• Proofs are generated and verified using a shared common reference string.
• Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs.
The trapdoor can be used to break integrity (all the time).
The trapdoor cannot be used to break privacy (most of the time).
We design a setup process more suited to zk-SNARKs used in distributed systems.
Our Contributions
Slide 4 of 22
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Updatable trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument.
What is zero-knowledge?
Slide 5 of 22
• Prover aims to convince verifier that they know a secret while revealing no information about the secret.
Common Reference String
Prover → Verifier: Proof of knowledge of a secret.
Prover cannot create proof without the secret.
Verifier learns the truth, the whole proof, and nothing but its truth.
Unlike other zero-knowledge systems, hard to prevent trapdoor being leaked in zk-SNARKs.
Our Goal
Slide 7 of 22
• SNARKs cannot be zero-knowledge without a trapdoor existing.
• Aim for subversion zero-knowledge.
• Aim for middle ground between trusted setup and subversion soundness (a non-existent trapdoor).
CRS → Verifier: Verifier learns nothing from the proof even if it knows a trapdoor.
CRS → Prover: Prover with a trapdoor can create proofs without the secret, but hard to get the trapdoor.
But don’t we have NIZKs without Setup?
Slide 8 of 22
• In random oracle model, can generate an unstructured CRS for which nobody knows the trapdoor.
• But zk-SNARKs rely on structured CRS for efficiency.
What’s so scandalous about a trusted setup?
Slide 9 of 22
• Example: Zcash ran a trusted setup in 2016 and in 2018.
• If the trapdoor was not properly disposed of two years ago, then some people might be able to print money at will.
• There is no way of knowing whether the setup was compromised or not.
1 ZEC, 2 ZEC, 3 ZEC, 4….
What’s so scandalous about a trusted setup?
Slide 10 of 22
• The output of each trusted setup can only be used to prove the exact circuit it was designed for.
• Performing one trusted setup per application may result in each trusted setup receiving less and less scrutiny.
Application 1 → Trusted Setup 1 → CRS 1
Application 2 → Trusted Setup 2 → CRS 2
Application 3 → Trusted Setup 3 → CRS 3
Our Contributions
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Updatable trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument.
Updatable Setups for zk-SNARKs
Slide 11 of 22
• In theory, one honest party runs the setup, and the scheme is secure.
• In practice, a few parties run the setup; if one is honest then the scheme is secure.
• In our work, continuously add more parties to the setup; if one is honest at any point in time then the scheme is secure.
Theory: "Why should I trust you?" / "Here is the output of the setup procedure."
Practice: "Why should I trust any of you?" / "Here is the output of the setup procedure."
This work: "Why should I trust any of you?" / "Here is the output of the setup procedure." / "Here is the new output of the setup procedure." (No longer really a setup.)
Trusted Setup vs Updates?
Slide 12 of 22
Trusted Setup
• Setup must be completed before the system goes live.
• Secure provided a single honest user participates.
Updatable CRS
• Parameters can be updated at any point.
• Secure at any point after an honest user has participated.
When can we update?
SNARKs have secrets in the exponent
• Exponents contain hidden polynomial evaluations.
• We can update monomials.
Updating Monomials is Easy
Slide 13 of 22
$g^{x_1}$ → $g^{x_1 x_2}$ → $g^{x_1 x_2 x_3}$ → etc.
Proof of knowledge of $x_1$; proof of knowledge of $x_2$; proof of knowledge of $x_3$; etc.
Could use Groth or Lipmaa?
Slide 14 of 22
CRS only uses monomials.
At the sacrifice of quasi-linear prover time?
These schemes have quadratic provers.
Updating Polynomials is Hard
• Secrets inside the global parameters were correlated, and once a correlated secret is inside the global parameters it cannot be changed.
Slide 15 of 22
Correlated randomness is hidden with uncorrelated randomness.
Updating Polynomials is Hard
Slide 16 of 22
$g^{f(x)\delta}$
• CRS contains polynomials.
• Any adversary that can update $g^{f(x)\delta}$ can extract the monomials $g^{\delta}, g^{x\delta}, g^{x^2\delta}, \ldots, g^{x^n\delta}$. We prove this.
• Cannot rely on hidden polynomial evaluations.
Previous schemes rely on hidden polynomials for security.
Our Contributions
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Updatable trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument.
What tricks do we use?
Slide 17 of 22
• We start with more global parameters, with monomials inside, from which we derive a smaller set of derived parameters. The derive algorithm can be run by any party.
Global Common Reference String 1 → (Update 1) → Global Common Reference String 2 → (Update 2) → Global Common Reference String 3
Global parameters independent of circuit.
Global Common Reference String 1 → (Derive) → Derived Common Reference String 1
Global Common Reference String 2 → (Derive) → Derived Common Reference String 2
Global Common Reference String 3 → (Derive) → Derived Common Reference String 3
Derived parameters embed circuit dependent QAP.
Each derived string is equivalent to the output of one trusted setup in previous schemes.
What’s the Price?
Slide 18 of 22
Global Common Reference String 1 → (Update 1) → Global Common Reference String 2 → (Update 2) → Global Common Reference String 3
Global Common Reference String i → (Derive) → Derived Common Reference String i, for i = 1, 2, 3
Global Common Reference String: Quadratic sized. Only need to store one quadratic string at any given time.
Updates: Very small (<300 bytes). Update proofs must be sequential and are stored forever.
Derive: $O(d^3)$ multiplications due to Gaussian Elimination. Can run multiple updates between each iteration of derive.
Derived Common Reference String: Linear sized. Derived string sufficient for prover and verifier.
Our Contributions
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument
Our Techniques
Slide 19 of 22
Prover needs to show $A = g^{a f(x)}$ for known $f(X) = f_0 + f_1 X + \cdots + f_d X^d$.
The prover wants to keep $a$ secret.
Have: linear algebra: find max matrix $N$ such that $(f_0, \ldots, f_d) \cdot (n_{k,0}, \ldots, n_{k,d}) = 0$.
Rank-Nullity: for a matrix $A$, $\mathrm{span}(A)$ is orthogonal to $\mathrm{Null}(A)$.
Verifier checks $a z_k (f_0 + \cdots + f_d x^d)(n_{k,0} x^d + \cdots + n_{k,d}) = 0$ in the $z_k x^d$ coefficient.
With several polynomials: prover needs to show $A = g^{a_1 f_1(x) + \cdots + a_n f_n(x)}$ for known $f_i(X) = f_{i,0} + f_{i,1} X + \cdots + f_{i,d} X^d$.
Linear algebra: find max matrix $N$ such that $(f_{i,0}, \ldots, f_{i,d}) \cdot (n_{k,0}, \ldots, n_{k,d}) = 0$.
Verifier checks $a_i z_k (f_{i,0} + \cdots + f_{i,d} x^d)(n_{k,0} x^d + \cdots + n_{k,d}) = 0$ in the $z_k x^d$ coefficient.
$f_i(X)$ are determined by the QAP.
Width = 3 × number of gates.
Length = number of wires ≤ 2 × number of gates.
Why is the Null Space so Big?
Slide 20 of 22
Prover needs to show $A = g^{a_1 f_1(x) + \cdots + a_n f_n(x)}$ for known $f_i(X) = f_{i,0} + f_{i,1} X + \cdots + f_{i,d} X^d$.
Width = 3 × number of gates.
Length = number of wires ≤ 2 × number of gates.
• Need to show $\log A \in \mathrm{span}(\text{rows of } F)$.
• $F$ is wider than it is long.
• $\mathrm{width}(F) = \mathrm{Rank}(F) + \mathrm{Nullity}(F)$.
$\mathrm{Rank}(F) \le 2d$ (row-rank = column-rank = dimension of space spanned by row vectors).
$\dim \mathrm{Null}(\text{matrix}) \approx d$.
Open question: Can $F$ be more square?
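As an added example (not the paper's code), the following Python carries the null-space argument of slides 19 and 20 through in a small prime field: Gaussian elimination finds the maximal null space $N$ of a wide matrix $F$ whose rows are polynomial coefficient vectors, rank-nullity gives the dimension count, and the verifier's $x^d$-coefficient check is shown to accept exactly those exponent vectors that lie in the row span of $F$. The modulus Q and the matrix F are constructed for illustration; the pairing that isolates the $z_k x^d$ coefficient is replaced by the plain polynomial product it evaluates.

```python
# Toy prime field, constructed for illustration; the paper's exponents live in
# the scalar field of a pairing-friendly group.
Q = 101


def rref(matrix):
    """Gaussian elimination over GF(Q), the O(d^3) cost the slides attribute to
    the deriver. Returns the reduced row echelon form and its pivot columns."""
    rows = [[v % Q for v in row] for row in matrix]
    pivots = []
    r = 0
    for c in range(len(rows[0])):
        if r == len(rows):
            break
        p = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], Q - 2, Q)  # field inverse by Fermat
        rows[r] = [(v * inv) % Q for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                factor = rows[i][c]
                rows[i] = [(a - factor * b) % Q for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows, pivots


def rank(matrix):
    return len(rref(matrix)[1])


def null_space(matrix):
    """Basis of Null(F) = {n : F n = 0}: the 'max matrix N' whose rows n_k satisfy
    (f_{i,0}, ..., f_{i,d}) . (n_{k,0}, ..., n_{k,d}) = 0 for every row f_i of F."""
    rows, pivots = rref(matrix)
    width = len(matrix[0])
    basis = []
    for free in (c for c in range(width) if c not in pivots):
        n = [0] * width
        n[free] = 1
        for r_idx, pc in enumerate(pivots):
            n[pc] = (-rows[r_idx][free]) % Q
        basis.append(n)
    return basis


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def combine(a, F):
    """Coefficient vector of sum_i a_i f_i(X), i.e. the exponent log A = a . F."""
    return [sum(a_i * row[j] for a_i, row in zip(a, F)) % Q for j in range(len(F[0]))]


def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % Q
    return out


def x_d_coefficient(v, n):
    """Coefficient of X^d in v(X) * (n_0 X^d + n_1 X^{d-1} + ... + n_d): the term the
    verifier's pairing check isolates. It collapses to the dot product v . n."""
    d = len(v) - 1
    n_reversed = list(reversed(n))  # n_0 X^d + ... + n_d in ascending order
    return poly_mul(v, n_reversed)[d]


def null_space_check(v, N):
    """Verifier side: v passes iff its x^d coefficient against every n_k is zero."""
    return all(x_d_coefficient(v, n) == 0 for n in N)


def in_row_span(v, F):
    """Ground truth for comparison: v lies in span(rows of F)."""
    return rank(F + [v]) == rank(F)


if __name__ == "__main__":
    # Constructed QAP-like rows: two polynomials of degree 4, so F is 2 x 5,
    # wider than it is long, exactly the shape slide 20 describes.
    F = [[1, 2, 0, 3, 0],
         [0, 1, 1, 0, 4]]
    N = null_space(F)
    assert len(F[0]) == rank(F) + len(N)  # width = Rank(F) + Nullity(F)
    honest = combine([5, 7], F)            # log A for secret witness a = (5, 7)
    cheat = [1, 0, 0, 0, 0]                # not a combination of the rows of F
    print(null_space_check(honest, N), null_space_check(cheat, N))  # True False
```

The check is sound as linear algebra because, over a field, the orthogonal complement of Null(F) is again the row space of F, so a vector that is orthogonal to every basis vector of the maximal null space must be a combination of the rows; this is why the slides insist on the max matrix N rather than any few null vectors.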
Our Contributions
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Updatable trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument.
Prover and Verifier
Slide 21 of 22
Prover: $A = g^{a(x,y)}$, $B = h^{a(x,y)}$, $C = g^{a(x,y) \times \mathrm{null} + a(x,y) \times a(x,y)}$.
Verifier: $e(A, h) = e(g, B)$ and $e(A, B)\, e(A, N) = e(C, h)$.
$B = h^{a(x,y)}$ by bilinearity. Prover knows $a(x,y)$ by KoE.
$A = g^{a(x,y)}$ unless prover can compute $g^{x^d z_k}$.
QAP satisfied unless prover can compute $g^{x^i y^7}$.
Proof size: our scheme = 3 group elements; state of the art = 3 group elements.
Prover work: our scheme = O(n) group exponentiations; state of the art = O(n) group exponentiations.
Verifier work: our scheme = 5 pairings; state of the art = 4 pairings.
Summary
Slide 22 of 22
• Introduce notion of updatable common reference strings.
• Design efficient updatable zk-SNARK.
• Show how to use the same global parameters to derive a CRS for any circuit of a given size.
Efficiency Table
Universal String: Quadratic
Derived String: Linear
Deriver Cost: Cubic
Update Proofs: 9 Group Elements
Proof Size: 3 Group Elements
Verifier Time: 5 Pairings
Questions?