Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers. Crypto - 23/08/2018



Updatable and Universal Common Reference Strings with Applications to zk-SNARKs

Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers.

Crypto - 23/08/2018


Our Goal

Slide 1 of 22

Find a better method than trusted setups for generating the public parameters for zk-SNARKs.


What are zk-SNARKs?

Slide 2 of 22

Zero-Knowledge Succinct Non-interactive ARgument of Knowledge.

Very small proofs.

Verification is fast.

Requires trusted setup.

Knowledge-of-exponent (KoE) assumptions.



When to use zk-SNARKs?

Slide 3 of 22

• When many instances of the same problem need to be proven over and over.

• The verifier has limited time and space.

Great for blockchains!

zk-SNARKs have Trapdoors

Slide 3 of 22

• Proofs are generated and verified using a shared common reference string.

• Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs.

The trapdoor can be used to break integrity (all the time).

The trapdoor cannot be used to break privacy (most of the time).

We design a setup process more suited to zk-SNARKs used in distributed systems.

Our Contributions

Slide 4 of 22

Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs

Updatable trust model

Efficient new zk-SNARK

Universal setup

Null-Space Argument

What is zero-knowledge?

Slide 5 of 22

• Prover aims to convince verifier that they know a secret while revealing no information about the secret.

Figure: Prover and Verifier share a Common Reference String; the Prover sends a proof of knowledge of a secret.

Prover cannot create a proof without the secret.

Verifier learns the truth, the whole proof, and nothing but its truth.

Unlike other zero-knowledge systems, in zk-SNARKs it is hard to prevent the trapdoor from being leaked.

Our Goal

Slide 7 of 22

• SNARKs cannot be zero-knowledge without a trapdoor existing.

• Aim for subversion zero-knowledge: the verifier learns nothing from the proof even if it knows a trapdoor.

• Aim for a middle ground between a trusted setup and subversion soundness (no trapdoor at all): a prover with the trapdoor can create proofs without the secret, but it is hard to get the trapdoor.

But don't we have NIZKs without Setup?

Slide 8 of 22

• In the random oracle model, one can generate an unstructured CRS for which nobody knows the trapdoor.

• But zk-SNARKs rely on a structured CRS for efficiency.

What's so scandalous about a trusted setup?

Slide 9 of 22

• Example: Zcash ran a trusted setup in 2016 and in 2018.

• If the trapdoor was not properly disposed of two years ago, then some people might be able to print money at will.

• There is no way of knowing whether the setup was compromised or not.

"1 ZEC, 2 ZEC, 3 ZEC, 4…"

What's so scandalous about a trusted setup?

Slide 10 of 22

• The output of each trusted setup can only be used to prove the exact circuit it was designed for.

• Performing one trusted setup per application may result in each trusted setup receiving less and less scrutiny.

Figure: Application 1, 2 and 3 each need their own Trusted Setup 1, 2 and 3, producing CRS 1, 2 and 3.


Updatable Setups for zk-SNARKs

Slide 11 of 22

• In theory, one honest party runs the setup, and the scheme is secure.

• In practice, a few parties run the setup; if one of them is honest, then the scheme is secure.

• In our work, more parties are continuously added to the setup; if one of them is honest at any point in time, then the scheme is secure.

Theory: "Why should I trust you?" / "Here is the output of the setup procedure."

Practice: "Why should I trust any of you?" / "Here is the output of the setup procedure."

This work: "Why should I trust any of you?" / "Here is the output of the setup procedure." / "Here is the new output of the setup procedure." No longer really a setup.

Trusted Setup vs Updates?

Slide 12 of 22

Trusted Setup

• Setup must be completed before the system goes live.

• Secure provided a single honest user participates.

Updatable CRS

• Parameters can be updated at any point.

• Secure at any point after an honest user has participated.


When can we update?

SNARKs have secrets in the exponent

• Exponents contain hidden polynomial evaluations.

• We can update monomials.

Slide 12 of 22

Updating Monomials is Easy

Slide 13 of 22

$g^{x_1} \;\rightarrow\; g^{x_1 x_2} \;\rightarrow\; g^{x_1 x_2 x_3} \;\rightarrow\; \dots$

Each step comes with a proof of knowledge of the new factor: of $x_1$, then of $x_2$, then of $x_3$, etc.
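The monomial update chain on this slide, as an added example in Python (not code from the paper or its authors): each party raises the current element to a fresh secret and attaches a proof of knowledge of that factor, and a verifier replays the chain of proofs from the initial element. The proof of knowledge here is a Fiat-Shamir Schnorr proof in a prime-order subgroup of $\mathbb{Z}_p^*$, standing in for the paper's pairing-based knowledge-of-exponent checks; the group (P = 2^127 - 1, subgroup order R = 77158673929) and all function names are assumptions chosen so the demo runs offline, not secure parameters.

```python
"""Toy updatable CRS: the monomial chain g^{x_1}, g^{x_1 x_2}, g^{x_1 x_2 x_3}, ...

Added example, not code from the paper: each updater multiplies a fresh secret
into the exponent and publishes a proof of knowledge of that factor. The paper
proves knowledge with pairing-based KoE checks; this demo uses a Fiat-Shamir
Schnorr proof instead, which is enough to show why the chain stays secure as
long as one updater deletes its secret.
"""
import hashlib
import secrets

# Toy group (assumption: sized for a runnable demo, not for real security).
# P = 2^127 - 1 is prime and R = 77158673929 is a prime factor of P - 1,
# so Z_P^* contains a subgroup of prime order R.
P = (1 << 127) - 1
R = 77158673929
COFACTOR = (P - 1) // R


def _find_generator():
    """Lift small bases into the order-R subgroup; the first non-identity wins."""
    for base in range(2, 64):
        g = pow(base, COFACTOR, P)
        if g != 1:
            return g
    raise RuntimeError("no generator found")


G = _find_generator()  # initial CRS element g^1: no secret in it yet


def _challenge(*elems):
    """Fiat-Shamir challenge bound to (old element, new element, commitment)."""
    h = hashlib.sha256()
    for e in elems:
        h.update(e.to_bytes(16, "big"))  # every element is < 2^127
    return int.from_bytes(h.digest(), "big") % R


def prove_update(old, x):
    """Fold secret x into the exponent (new = old^x) and prove knowledge of x."""
    x %= R
    if x == 0:
        raise ValueError("update factor must be non-zero mod R")
    new = pow(old, x, P)
    k = secrets.randbelow(R - 1) + 1          # Schnorr nonce
    commitment = pow(old, k, P)
    c = _challenge(old, new, commitment)
    s = (k + c * x) % R
    return new, (commitment, s)


def verify_update(old, new, proof):
    """Reject the identity and non-subgroup elements, then check the Schnorr equation."""
    commitment, s = proof
    if not (1 < new < P and 0 < commitment < P) or pow(new, R, P) != 1:
        return False
    c = _challenge(old, new, commitment)
    # old^s == commitment * new^c  <=>  old^(k + c*x) == old^k * (old^x)^c
    return pow(old, s, P) == commitment * pow(new, c, P) % P


def verify_chain(updates, start=G):
    """Replay every update proof in order; each accepted element is the next base.

    Update proofs are sequential and must be kept forever: a verifier joining
    later re-validates the whole history from the initial element.
    """
    current = start
    for new, proof in updates:
        if not verify_update(current, new, proof):
            return False
        current = new
    return True


def run_updates(num_parties):
    """Simulate sequential updaters with independent secrets.

    The secrets are returned only so a caller can show that the trapdoor is
    their product, which nobody knows unless every updater colludes.
    """
    updates, factors, current = [], [], G
    for _ in range(num_parties):
        x = secrets.randbelow(R - 1) + 1
        current, proof = prove_update(current, x)
        updates.append((current, proof))
        factors.append(x)
    return updates, factors


def trapdoor(factors):
    """The simulation trapdoor is x_1 * x_2 * ... * x_n mod R."""
    t = 1
    for x in factors:
        t = t * x % R
    return t
```

Calling `run_updates(3)` and then `verify_chain` accepts the honest chain, and the final element equals `pow(G, trapdoor(xs), P)`; substituting any element (for example `pow(G, 7, P)`) into the published list without a proof for it makes `verify_chain` return False at that step. The security point is the product in `trapdoor`: simulating proofs needs every $x_i$, so one updater deleting its factor after a verified update is enough, which is what the slides mean by "secure at any point after an honest user has participated".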

Could use Groth or Lipmaa?

Slide 14 of 22

Their CRS only uses monomials.

But at the sacrifice of quasi-linear prover time: these schemes have quadratic provers.

Updating Polynomials is Hard

Slide 15 of 22

• Secrets inside the global parameters were correlated, and once a correlated secret is inside the global parameters it cannot be changed.

Correlated randomness is hidden with uncorrelated randomness.

Updating Polynomials is Hard

Slide 16 of 22

$g^{f(x)\delta}$

• The CRS contains polynomials.

• Any adversary that can update $g^{f(x)\delta}$ can extract the monomials $g^{\delta}, g^{x\delta}, g^{x^2\delta}, \dots, g^{x^n\delta}$. We prove this.

• Cannot rely on hidden polynomial evaluations.

Previous schemes rely on hidden polynomials for security.


What tricks do we use?

Slide 17 of 22

• We start with more global parameters, with monomials inside, from which we derive a smaller set of derived parameters. The derive algorithm can be run by any party.

Figure: Global Common Reference String 1 → (Update 1) → Global Common Reference String 2 → (Update 2) → Global Common Reference String 3; each global string is passed through Derive to give Derived Common Reference String 1, 2 and 3.

Global parameters are independent of the circuit.

Derived parameters embed the circuit-dependent QAP.

Each derived string is equivalent to the output of one trusted setup in previous schemes.

What's the Price?

Slide 18 of 22

Figure: Global Common Reference String 1 → (Update 1) → Global Common Reference String 2 → (Update 2) → Global Common Reference String 3; each global string is passed through Derive to give Derived Common Reference String 1, 2 and 3.

Global common reference string: quadratic sized. Only one quadratic string needs to be stored at any given time.

Update proofs: very small (<300 bytes). Update proofs must be verified sequentially and are stored forever.

Derive: $O(d^3)$ multiplications due to Gaussian elimination. Multiple updates can be run between each iteration of derive.

Derived common reference string: linear sized. The derived string is sufficient for prover and verifier.


Our Techniques

Slide 19 of 22

Prover needs to show $A = g^{a f(x)}$ for known $f(X) = f_0 + f_1 X + \dots + f_d X^d$. The prover wants to keep $a$ secret.

Have: linear algebra. Find the maximal matrix $N$ such that $(f_0, \dots, f_d) \cdot (n_{k,0}, \dots, n_{k,d}) = 0$ for every row $k$ of $N$.

Rank-Nullity: for a matrix $A$, $\mathrm{span}(A)$ is orthogonal to $\mathrm{Null}(A)$.

Verifier checks $a z_k (f_0 + \dots + f_d x^d)(n_{k,0} x^d + \dots + n_{k,d}) = 0$ in the $z_k x^d$ coefficient. The $x^d$ coefficient of $f(x)$ times the reversed null vector is exactly the inner product $\sum_i f_i n_{k,i}$, and the fresh variable $z_k$ keeps the rows of $N$ from interfering, so the checks pass for every $k$ exactly when the exponent of $A$ lies in the span of $f$.

The same works for many polynomials. Prover needs to show $A = g^{a_1 f_1(x) + \dots + a_n f_n(x)}$ for known $f_i(X) = f_{i,0} + f_{i,1} X + \dots + f_{i,d} X^d$, where the $f_i(X)$ are determined by the QAP. Find the maximal matrix $N$ such that $(f_{i,0}, \dots, f_{i,d}) \cdot (n_{k,0}, \dots, n_{k,d}) = 0$ for all $i$ and $k$. Verifier checks $a_i z_k (f_{i,0} + \dots + f_{i,d} x^d)(n_{k,0} x^d + \dots + n_{k,d}) = 0$ in the $z_k x^d$ coefficient.

Why is the Null Space so Big?

Slide 20 of 22

Prover needs to show $A = g^{a_1 f_1(x) + \dots + a_n f_n(x)}$ for known $f_i(X) = f_{i,0} + f_{i,1} X + \dots + f_{i,d} X^d$.

Let $F$ be the matrix whose rows are the coefficient vectors of the $f_i$. Width = 3 × number of gates; length = number of wires ≤ 2 × number of gates.

• Need to show $\log A \in \mathrm{span}(\text{rows of } F)$.

• $F$ is wider than it is long.

• $\mathrm{width}(F) = \mathrm{Rank}(F) + \mathrm{Nullity}(F)$.

Row-rank = column-rank = dimension of the space spanned by the row vectors.

$\mathrm{Rank}(F) \le 2d$

$\dim \mathrm{Null}(F) \approx d$

Open question: can $F$ be more square?
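The null-space argument of Slides 19 and 20 and the cubic-cost Gaussian elimination behind Derive (Slide 18), as an added example in Python (not the paper's code): $F$ holds the coefficient vectors of the known polynomials as rows, Derive computes a null-space basis $N$ by elimination over a prime field, and the verifier's test "the exponent of $A$ lies in the row span of $F$" becomes "orthogonal to every row of $N$". The check runs here on plain field elements rather than in the exponent; the field (the BLS12-381 scalar field order), the small matrix `F` and all function names are constructed for the demo.

```python
"""Null-space membership test behind the derive step (added example, not the paper's code).

F is the matrix whose rows are the coefficient vectors of the known polynomials
f_i(X). Derive computes a basis N of {n : F n = 0} by Gaussian elimination (the
O(d^3) cost on the slides). A vector v lies in the row span of F exactly when
v . n = 0 for every basis vector n, which is the condition the verifier enforces
in the exponent through the z_k x^d coefficient.
"""

# Assumption: the scalar field of BLS12-381; any prime modulus works here.
Q = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


def rref_mod(rows, q=Q):
    """Reduced row echelon form over GF(q). Returns (nonzero rows, pivot columns)."""
    m = [[v % q for v in row] for row in rows]
    nrows, ncols = len(m), len(m[0])
    pivots, r = [], 0
    for c in range(ncols):
        if r == nrows:
            break
        piv = next((i for i in range(r, nrows) if m[i][c]), None)
        if piv is None:
            continue  # no pivot in this column: it is a free column
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, q)
        m[r] = [v * inv % q for v in m[r]]
        for i in range(nrows):  # clear the pivot column everywhere else
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % q for vi, vr in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m[:r], pivots


def null_space_basis(rows, q=Q):
    """Basis of {n : F n = 0}: one vector per free (non-pivot) column of F."""
    red, pivots = rref_mod(rows, q)
    ncols = len(rows[0])
    basis = []
    for j in range(ncols):
        if j in pivots:
            continue
        n = [0] * ncols
        n[j] = 1
        for i, p in enumerate(pivots):
            n[p] = (-red[i][j]) % q  # cancels the pivot row's entry in column j
        basis.append(n)
    return basis


def dot(u, v, q=Q):
    return sum(a * b for a, b in zip(u, v)) % q


def combine_rows(rows, coeffs, q=Q):
    """a_1 f_1 + ... + a_n f_n as a coefficient vector: an honest prover's exponent."""
    ncols = len(rows[0])
    return [sum(a * row[c] for a, row in zip(coeffs, rows)) % q for c in range(ncols)]


def in_row_span(vec, basis, q=Q):
    """Verifier-side test: orthogonal to the whole null space <=> in the row span."""
    return all(dot(vec, n, q) == 0 for n in basis)


def rank_nullity(rows, q=Q):
    """(rank, nullity); the two add up to the width of F."""
    _, pivots = rref_mod(rows, q)
    return len(pivots), len(rows[0]) - len(pivots)


# Constructed toy instance: three "QAP polynomials" of degree 5, so F is 3 x 6,
# wider than it is long, with rank 3 and a 3-dimensional null space.
F = [
    [1, 2, 3, 4, 5, 6],
    [0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 0, 1],
]
```

`null_space_basis(F)` gives three vectors; `combine_rows(F, [7, 11, 13])` (an honest exponent) passes `in_row_span`, while `[1, 0, 0, 0, 0, 0]`, which is not a combination of the rows, is rejected because some basis vector has a non-zero first entry. The elimination in `rref_mod` is the cubic cost on the price slide, and because only `F` goes in, any party can run it: that is why Derive needs no secrets.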


Prover and Verifier

Slide 21 of 22

Prover sends $A = g^{a(x,y)}$, $B = h^{a(x,y)}$ and $C = g^{a(x,y)\cdot\mathrm{null} + a(x,y)\cdot a(x,y)}$.

Verifier checks $e(A, h) = e(g, B)$ and $e(A, B)\, e(A, N) = e(C, h)$.

From $e(A,h) = e(g,B)$: $B$ carries the same exponent $a(x,y)$ as $A$ by bilinearity, and the prover knows $a(x,y)$ by KoE.

From $e(A,B)\,e(A,N) = e(C,h)$: $A = g^{a(x,y)}$ unless the prover can compute $g^{x^d z_k}$, and the QAP is satisfied unless the prover can compute $g^{x^i y^7}$.

Proof size: our scheme = 3 group elements; state of the art = 3 group elements.

Prover: our scheme = O(n) group exponentiations; state of the art = O(n) group exponentiations.

Verifier: our scheme = 5 pairings; state of the art = 4 pairings.

Summary

Slide 22 of 22

• Introduce the notion of updatable common reference strings.

• Design an efficient updatable zk-SNARK.

• Show how to use the same global parameters to derive a CRS for any circuit of a given size.

Efficiency table:

Universal string: quadratic
Derived string: linear
Deriver cost: cubic
Update proofs: 9 group elements
Proof size: 3 group elements
Verifier time: 5 pairings


Questions?