On the Size of Pairing-based Non-interactive Arguments

Presentation transcript:

On the Size of Pairing-based Non-interactive Arguments
Jens Groth, University College London

Non-interactive zero-knowledge argument
Setting: prover and verifier share a common reference string (CRS). The prover holds $(\phi, w) \in R$ and sends a single proof $\pi$ for the statement $\phi \in L_R$; the verifier checks $\pi$ against the CRS and outputs OK or reject.
Zero-knowledge: nothing but the truth of the statement is revealed.
Soundness: if the verifier accepts, the statement is true.

Statements
Statements are $\phi \in L$ for a given NP-language $L$. Examples: SAT, e.g. $(x_1 \wedge x_2 \wedge \neg x_3) \vee (x_2 \wedge x_4 \wedge x_5)$; circuit SAT; Hamiltonian circuit; "the plaintext is a signature on ...".
The prover knows a witness $w$ such that $(\phi, w) \in R_L$, but wants to keep the witness secret.

Applications
NIZK arguments guarantee protocol compliance (soundness) while preserving the confidentiality of the participants' inputs (zero-knowledge).

Our contribution: NIZK argument
Perfect completeness, perfect zero-knowledge, computational (knowledge) soundness, proved in the generic group model.
Efficiency: asymmetric (Type III) pairings, proofs of 3 group elements, low computation for prover and verifier.
The argument is a zk-SNARK: a zero-knowledge Succinct Non-interactive Argument of Knowledge.

Our contribution: lower bound
Look at pairing-based non-interactive arguments, not necessarily zero-knowledge, under a few restrictions on the type of argument that are common to all known pairing-based SNARKs.
Result: such arguments cannot have 1-element proofs over asymmetric (Type III) pairings. Whether 2 elements is possible is an open question.

Prime order bilinear groups
$\mathrm{Gen}(1^k)$ generates $(p, G_1, G_2, G_T, e, g, h)$: $G_1, G_2, G_T$ are finite cyclic groups of prime order $p$, generated by $g$, $h$ and $e(g, h)$ respectively.
Bilinear map: $e(g^a, h^b) = e(g, h)^{ab}$.
Generic group operations are efficiently computable: deciding group membership, group operations, the pairing.
Symmetric bilinear groups (Type I): $G_1 = G_2$ and $g = h$.
Asymmetric bilinear groups (Type III): no efficiently computable isomorphism between $G_1$ and $G_2$.

Additive notation
Given a bilinear group $(p, G_1, G_2, G_T, e, g, h)$ define $[a]_1 = g^a$, $[b]_2 = h^b$, $[c]_T = e(g, h)^c$ and use additive notation for the group operations: $[a]_* + [b]_* = [a + b]_*$ and $a[b]_* = [ab]_*$. The generators can now be written $[1]_1, [1]_2, [1]_T$.
Dot products in linear-algebra notation: $[\vec a]_* \cdot \vec b = [\vec a \cdot \vec b]_*$ and $[\vec a]_1 \cdot [\vec b]_2 = [\vec a \cdot \vec b]_T$ (the latter is a product of pairings). For matrix multiplication, $M[\vec a]_* = [M \vec a]_*$.
In general in this talk, scalars and computations are in $\mathbb{F}_p$.

SNARK preview
Common reference string $\sigma = ([\vec\sigma_1]_1, [\vec\sigma_2]_2)$ with
$$\vec\sigma_1 = \Big(\alpha, \beta, \delta, \{x^i\}, \Big\{\frac{x^i t(x)}{\delta}\Big\}, \Big\{\frac{\beta u_i(x) + \alpha v_i(x) + w_i(x)}{\gamma}\Big\}_{i \le \ell}, \Big\{\frac{\beta u_i(x) + \alpha v_i(x) + w_i(x)}{\delta}\Big\}_{i > \ell}\Big), \qquad \vec\sigma_2 = (\beta, \gamma, \delta, \{x^i\}).$$
Prover creates $\pi = ([A]_1, [C]_1, [B]_2)$ with random $r, s \leftarrow \mathbb{Z}_p$:
$$A = \alpha + \sum_i a_i u_i(x) + r\delta, \qquad B = \beta + \sum_i a_i v_i(x) + s\delta,$$
$$C = \frac{\sum_{i > \ell} a_i (\beta u_i(x) + \alpha v_i(x) + w_i(x)) + h(x) t(x)}{\delta} + As + rB - rs\delta.$$
Verifier accepts if
$$[A]_1 \cdot [B]_2 = [\alpha]_1 \cdot [\beta]_2 + \sum_{i=0}^{\ell} a_i \Big[\frac{\beta u_i(x) + \alpha v_i(x) + w_i(x)}{\gamma}\Big]_1 \cdot [\gamma]_2 + [C]_1 \cdot [\delta]_2.$$
Efficiency: proof size $2\,G_1 + 1\,G_2$; prover $(m + 3n)\,E_1 + n\,E_2$; verifier $\ell\,E_1 + 3P$ ($E_i$ = exponentiation in $G_i$, $P$ = pairing).
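Worked check of completeness, added here and not on the slides: write $U = \sum_i a_i u_i(x)$, $V = \sum_i a_i v_i(x)$, $W = \sum_i a_i w_i(x)$, so the QAP condition reads $UV = W + h(x)t(x)$. Expanding the left side of the verification equation in the exponent,
$$AB = (\alpha + U + r\delta)(\beta + V + s\delta) = \alpha\beta + \alpha V + \beta U + UV + s\delta(\alpha + U) + r\delta(\beta + V) + rs\delta^2 .$$
For the right side, $As\delta + rB\delta = s\delta(\alpha + U) + r\delta(\beta + V) + 2rs\delta^2$, so
$$C\delta = \sum_{i > \ell} a_i(\beta u_i(x) + \alpha v_i(x) + w_i(x)) + h(x)t(x) + s\delta(\alpha + U) + r\delta(\beta + V) + rs\delta^2 ,$$
and adding $\alpha\beta + \sum_{i \le \ell} a_i(\beta u_i(x) + \alpha v_i(x) + w_i(x))$ turns the two partial sums into $\beta U + \alpha V + W$:
$$\alpha\beta + \beta U + \alpha V + W + h(x)t(x) + s\delta(\alpha + U) + r\delta(\beta + V) + rs\delta^2 = AB ,$$
using $W + h(x)t(x) = UV$. The $-rs\delta$ term in $C$ is exactly what cancels the doubled $rs\delta^2$; dropping it would make honest proofs fail.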

Arithmetic circuit
The example gate in the figure (inputs $a_1, a_3$, output $a_2$) is written as a quadratic equation over $\mathbb{F}_p$: $(a_1 + a_3) \cdot a_3 = a_2$.
In general an arithmetic circuit can be written as a set of equations of the form $\sum_i a_i u_i \cdot \sum_i a_i v_i = \sum_i a_i w_i$ over variables $a_1, \ldots, a_m$, with $a_0 = 1$ by convention.
An arithmetic circuit defines an NP-language with statements $(a_1, \ldots, a_\ell)$ and witnesses $(a_{\ell+1}, \ldots, a_m)$.

Rewriting the circuit as polynomial equations
Consider one equation $\sum_i a_i u_i \cdot \sum_i a_i v_i = \sum_i a_i w_i$ and let $u_i(x), v_i(x), w_i(x)$ be polynomials with $u_i(r) = u_i$, $v_i(r) = v_i$, $w_i(r) = w_i$ at some point $r$. Then the equation is satisfied if and only if
$$\sum_i a_i u_i(x) \cdot \sum_i a_i v_i(x) \equiv \sum_i a_i w_i(x) \pmod{x - r}.$$
Pick degree $n-1$ polynomials $u_i(x), v_i(x), w_i(x)$ such that this holds for all $n$ equations in the circuit, using distinct points $r_1, \ldots, r_n$, one per equation. Then the values $a_0, \ldots, a_m$ satisfy all equations if and only if
$$\sum_i a_i u_i(x) \cdot \sum_i a_i v_i(x) \equiv \sum_i a_i w_i(x) \pmod{\textstyle\prod_j (x - r_j)}.$$

Quadratic arithmetic program
A quadratic arithmetic program over $\mathbb{Z}_p$ consists of polynomials $u_i(x), v_i(x), w_i(x), t(x) \in \mathbb{Z}_p[x]$. It defines an NP-relation with constant $a_0 = 1$, statements $(a_1, \ldots, a_\ell)$ and witnesses $(a_{\ell+1}, \ldots, a_m)$ satisfying, for some polynomial $h(x)$,
$$\sum_{i=0}^{m} a_i u_i(x) \cdot \sum_{i=0}^{m} a_i v_i(x) = \sum_{i=0}^{m} a_i w_i(x) + h(x) t(x).$$
For a circuit encoded as on the previous slide, $t(x) = \prod_j (x - r_j)$.

SNARK for QAPs
Same common reference string $\sigma = ([\vec\sigma_1]_1, [\vec\sigma_2]_2)$, prover and verification equation as in the preview.
Completeness: a proof of the form $[A, C]_1 = \Pi_1 [\vec\sigma_1]_1$, $[B]_2 = \Pi_2 [\vec\sigma_2]_2$, with $\Pi_1, \Pi_2$ computable from the witness $(a_{\ell+1}, \ldots, a_m)$, satisfies the verification equation.
Zero-knowledge: the simulator is given the trapdoor $\tau = (\alpha, \beta, \gamma, \delta, x)$. It picks random $A, B \leftarrow \mathbb{Z}_p$, computes
$$C = \frac{AB - \alpha\beta - \sum_{i \le \ell} a_i (\beta u_i(x) + \alpha v_i(x) + w_i(x))}{\delta}$$
and returns the simulated proof $\pi = ([A]_1, [C]_1, [B]_2)$, which satisfies the verification equation by construction and has the same distribution as a real proof.
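To make the circuit-to-QAP encoding and the prover/verifier/simulator from the last four slides concrete, here is an added example (not code from the talk or the paper). It builds a toy QAP for a two-gate circuit by Lagrange interpolation, then runs a scalar-level model of the SNARK: every element that would live in $G_1$, $G_2$ or $G_T$ is replaced by its discrete logarithm in $\mathbb{Z}_p$, so the pairing check becomes the field identity $A B = \alpha\beta + \sum_{i \le \ell} a_i(\beta u_i(x) + \alpha v_i(x) + w_i(x)) + C\delta$. The modulus, the circuit, the evaluation points and all function names are this example's own choices; nothing here is secure, it only exercises the algebra.

```python
# Added example, not code from the talk or the paper: a toy QAP for a two-gate
# circuit and a scalar-level model of the SNARK on the slides. Every element that
# would live in G_1, G_2 or G_T is replaced by its discrete log in Z_p, so the
# pairing check [A]_1.[B]_2 = [alpha]_1.[beta]_2 + ... + [C]_1.[delta]_2 becomes
# the field identity A*B = alpha*beta + ... + C*delta. The modulus, the circuit,
# the evaluation points and every function name are this example's own choices.
import random

P = 2**61 - 1   # prime modulus; illustrative size only, no security claim
ELL = 2         # statement is (a_1, a_2); witness is (a_3, a_4); a_0 = 1

# Gate j: (sum_i a_i*u[j][i]) * (sum_i a_i*v[j][i]) = sum_i a_i*w[j][i], i = 0..4
GATES = [
    ([0, 0, 0, 1, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]),  # a_3 * a_3 = a_4
    ([0, 1, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]),  # (a_1 + a_3) * a_4 = a_2
]
ROOTS = [1, 2]  # distinct r_j, one per gate

def inv(a):
    return pow(a % P, P - 2, P)

# Polynomials over Z_p as coefficient lists, lowest degree first.
def padd(f, g):
    n = max(len(f), len(g))
    return [(x + y) % P for x, y in zip(f + [0]*(n-len(f)), g + [0]*(n-len(g)))]

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i+j] = (out[i+j] + x*y) % P
    return out

def peval(f, x):
    acc = 0
    for c in reversed(f):
        acc = (acc*x + c) % P
    return acc

def pdivmod(f, g):
    """Long division f = q*g + rem over Z_p."""
    f, q = f[:], [0] * max(1, len(f) - len(g) + 1)
    for i in range(len(f) - len(g), -1, -1):
        q[i] = f[i + len(g) - 1] * inv(g[-1]) % P
        for j, c in enumerate(g):
            f[i+j] = (f[i+j] - q[i]*c) % P
    return q, f[:len(g)-1] or [0]

def lagrange(points):
    """The degree < n polynomial through the n points (r_j, y_j)."""
    result = [0]
    for j, (rj, yj) in enumerate(points):
        basis, denom = [1], 1
        for k, (rk, _) in enumerate(points):
            if k != j:
                basis, denom = pmul(basis, [(-rk) % P, 1]), denom*(rj-rk) % P
        result = padd(result, [yj*inv(denom)*c % P for c in basis])
    return result

def build_qap():
    """u_i, v_i, w_i interpolate the gate coefficients at ROOTS; t(x) = prod(x - r_j)."""
    n, m1 = len(GATES), len(GATES[0][0])
    col = lambda k, i: lagrange([(ROOTS[j], GATES[j][k][i]) for j in range(n)])
    u, v, w = ([col(k, i) for i in range(m1)] for k in range(3))
    t = [1]
    for r in ROOTS:
        t = pmul(t, [(-r) % P, 1])
    return u, v, w, t

def combine(polys, a):
    acc = [0]
    for ai, f in zip(a, polys):
        acc = padd(acc, [ai*c % P for c in f])
    return acc

def qap_check(qap, a):
    """(satisfied, h): U*V - W = h*t with zero remainder iff a satisfies every gate."""
    u, v, w, t = qap
    lhs = padd(pmul(combine(u, a), combine(v, a)), [(-c) % P for c in combine(w, a)])
    h, rem = pdivmod(lhs, t)
    return all(c == 0 for c in rem), h

def lin(qap, tau, a, idx):
    """sum_{i in idx} a_i * (beta*u_i(x) + alpha*v_i(x) + w_i(x))."""
    u, v, w, _ = qap
    alpha, beta, _, _, x = tau
    return sum(a[i]*(beta*peval(u[i], x) + alpha*peval(v[i], x) + peval(w[i], x)) for i in idx) % P

def keygen():
    """Trapdoor tau = (alpha, beta, gamma, delta, x); a real CRS publishes only group elements."""
    return tuple(random.randrange(1, P) for _ in range(5))

def prove(qap, tau, a):
    """A, B, C as on the slides, evaluated in Z_p; h is computed from the full assignment."""
    u, v, w, t = qap
    alpha, beta, _, delta, x = tau
    _, h = qap_check(qap, a)
    r, s = random.randrange(P), random.randrange(P)
    A = (alpha + peval(combine(u, a), x) + r*delta) % P
    B = (beta + peval(combine(v, a), x) + s*delta) % P
    C = ((lin(qap, tau, a, range(ELL+1, len(a))) + peval(h, x)*peval(t, x)) * inv(delta)
         + A*s + r*B - r*s*delta) % P
    return A, B, C

def verify(qap, tau, stmt, proof):
    """Scalar form of the single pairing equation. The verifier needs only alpha*beta, the
    ell public-input terms and delta, all exposed by the CRS; tau appears here only
    because group elements are modelled by their discrete logs."""
    A, B, C = proof
    alpha, beta, _, delta, _ = tau
    pub = lin(qap, tau, (1,) + tuple(stmt), range(ELL+1))
    return A*B % P == (alpha*beta + pub + C*delta) % P

def simulate(qap, tau, stmt):
    """Zero-knowledge simulator: random A, B, then solve the verification equation for C."""
    alpha, beta, _, delta, _ = tau
    pub = lin(qap, tau, (1,) + tuple(stmt), range(ELL+1))
    A, B = random.randrange(P), random.randrange(P)
    return A, B, (A*B - alpha*beta - pub) * inv(delta) % P

def demo():
    qap, tau = build_qap(), keygen()
    a1, a3 = 7, 5
    a4 = a3*a3 % P
    a2 = (a1 + a3)*a4 % P                 # honest assignment: a_2 = 300
    a = (1, a1, a2, a3, a4)
    bad = (1, a1, a2 + 1, a3, a4)          # gate 2 violated: U*V - W not divisible by t
    return {
        "satisfied": qap_check(qap, a)[0],
        "honest_verifies": verify(qap, tau, (a1, a2), prove(qap, tau, a)),
        "simulated_verifies": verify(qap, tau, (a1, a2), simulate(qap, tau, (a1, a2))),
        "bad_verifies": verify(qap, tau, (a1, a2 + 1), prove(qap, tau, bad)),
    }

if __name__ == "__main__":
    print(demo())
```

The unsatisfying assignment still produces $A, B, C$ of the right shape, but $UV - W$ then leaves a nonzero remainder modulo $t(x)$, and the verification identity fails by exactly that remainder evaluated at the secret $x$. The simulated proof passes without any witness, which is what perfect zero-knowledge means here: with the trapdoor, proofs cost nothing, so proofs carry no information about $a_{\ell+1}, \ldots, a_m$.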

Generic group model
Captures attacks that use only generic group operations. Security in the GGM is necessary for security, but not necessarily sufficient [Fischlin00, Dent02]; in practice the GGM has held up well.
Modelled by random bijections $[\cdot]_i : \mathbb{Z}_p \to G_i$: the adversary receives $[\vec\sigma_1]_1, [\vec\sigma_2]_2$ as opaque handles and may query the group oracle, e.g. $[a]_1 + [b]_1 \mapsto [a + b]_1$.

Knowledge soundness
Theorem: in the generic group model an adversary can only construct a valid proof if she knows a witness.
Proof outline: a generic-group adversary must output $(\phi, [A]_1, [C]_1, [B]_2)$ where $[A]_1, [C]_1$ are linear combinations of the elements of $[\vec\sigma_1]_1$ and $[B]_2$ is a linear combination of the elements of $[\vec\sigma_2]_2$. The adversary cannot learn non-trivial information about the common reference string using generic group operations, so the linear combinations are chosen independently of $\vec\sigma_1, \vec\sigma_2$. A careful analysis shows that independently chosen linear combinations are unlikely to satisfy the verification equation over the random $\alpha, \beta, \gamma, \delta, x \in \mathbb{Z}_p$ used to construct $\vec\sigma_1, \vec\sigma_2$.
Disclosure-freeness: for any linear equality test on the group elements in the CRS, the answer is either very likely true or very likely false, so the answers are trivial and the adversary learns nothing.

Analysis
With $\vec\sigma_1, \vec\sigma_2$ as in the preview, the adversary can only choose linear combinations
$$[A]_1 = \vec a \cdot [\vec\sigma_1]_1, \qquad [C]_1 = \vec c \cdot [\vec\sigma_1]_1, \qquad [B]_2 = \vec b \cdot [\vec\sigma_2]_2$$
with $\vec a, \vec b, \vec c$ chosen independently of $\alpha, \beta, \gamma, \delta, x$ (these are coefficient vectors, not the circuit values $a_i$). The verification equation then becomes a polynomial identity in $\alpha, \beta, \gamma, \delta, x$:
$$(\vec a \cdot \vec\sigma_1)(\vec b \cdot \vec\sigma_2) = \alpha\beta + \sum_{i=0}^{\ell} a_i (\beta u_i(x) + \alpha v_i(x) + w_i(x)) + (\vec c \cdot \vec\sigma_1)\,\delta .$$
Coefficient analysis: compare coefficients monomial by monomial. For $\delta^2$: $a_\delta b_\delta = c_\delta$. For $\alpha\beta$: $a_\alpha b_\beta = 1$. Etc., etc.
Outcome: $A, B, C$ must be constructed exactly like a real proof, except that $A$ and $B$ may appear in the randomised form $rA$, $\frac{1}{r}B$. The witness $a_{\ell+1}, \ldots, a_m$ can then be read directly from the coefficients in $\vec c$.

Efficiency
Circuits with $m$ wires, $n$ gates and statement size $\ell$ ($\ell \ll n < m$). Units: group element $G$, exponentiation $E$, pairing $P$, multiplication $M$; a subscript gives the group.

Arithmetic circuits

| Scheme | Proof size | Prover | Verifier | Equations |
| --- | --- | --- | --- | --- |
| [PGHR13] (symmetric) | $8\,G$ | $(7m + n)\,E$ | $\ell\,E$, $11\,P$ | 5 |
| This work (symmetric) | $3\,G$ | $(m + 3n)\,E$ | $\ell\,E$, $3\,P$ | 1 |
| [BCTV14] | $7\,G_1$, $1\,G_2$ | $(6m + n)\,E_1$, $m\,E_2$ | $\ell\,E_1$, $12\,P$ | |
| This work | $2\,G_1$, $1\,G_2$ | $(m + 3n)\,E_1$, $n\,E_2$ | $\ell\,E_1$, $3\,P$ | |

Boolean circuits

| Scheme | Proof size | Prover | Verifier | Equations |
| --- | --- | --- | --- | --- |
| [DFGK14] | $3\,G_1$, $1\,G_2$ | $(m + n)\,E_1$ | $\ell\,M_1$, $6\,P$ | 3 |
| This work | | $n\,E_1$ | $\ell\,M_1$, $3\,P$ | |

Sources of the efficiency gain: 1. the generic group model instead of knowledge-of-exponent assumptions; 2. carefully crafted verification equations.

Libsnark implementation
Take any C program $P$ with output $y$. Statement: there exists $x$ such that $P(x) = y$. Generate a NIZK proof that the output $y$ is correct.
Proof size: 200 B. Speedup: factor 4-5.
Libsnark has a short CRS because it uses a recursive construction of SNARKs. The new argument improves this from two directions: 1) faster computation; 2) smaller proofs, which means less work at each level of the recursion.

Fully succinct SNARKs
The execution trace is split into parts. First level: $\pi_1, \pi_2, \pi_3, \ldots$ are SNARKs for correct execution of each part of the trace. Second level: SNARKs that there are SNARKs for correct execution. Third level: SNARKs that there are SNARKs that there are SNARKs for correct execution, and so on, until a single proof $\pi$ remains.
Small CRS: every SNARK in the tree is for a small statement, so the common reference string is short.

PCD-friendly elliptic curves in libsnark
SNARKs work over elliptic curve groups with pairings, i.e. $G_1 = E(\mathbb{F}_q)$ of size $\#E(\mathbb{F}_q) = p$. Verifying the SNARK requires operations over $\mathbb{F}_q$, but writing the verification as an $\mathbb{F}_p$-arithmetic circuit requires expensive modulus switching from $q$ to $p$.
Solution: use two friendly curves with $\#E(\mathbb{F}_q) = p$ and $\#E'(\mathbb{F}_p) = q$. SNARKs over $(G_1, G_2, G_T, e)$ prove statements about SNARKs over $(G_1', G_2', G_T', e')$ and vice versa.
The verification equation that has to be expressed as a circuit:
$$[A]_1 \cdot [B]_2 = [\alpha]_1 \cdot [\beta]_2 + \sum_{i=0}^{\ell} a_i \Big[\frac{\beta u_i(x) + \alpha v_i(x) + w_i(x)}{\gamma}\Big]_1 \cdot [\gamma]_2 + [C]_1 \cdot [\delta]_2 .$$

Pairing-based SNARK
NP-relation $R$ with statements $\phi$ and witnesses $w$.
Common reference string: generate $(\vec\sigma_1, \vec\sigma_2, \tau) \leftarrow \mathrm{Setup}(R)$ and let the common reference string be $(R, [\vec\sigma_1]_1, [\vec\sigma_2]_2)$.
Proof: $(\Pi_1, \Pi_2) \leftarrow \mathrm{ProofMatrix}(R, \phi, w)$ and $\pi = ([\vec\pi_1]_1, [\vec\pi_2]_2) = (\Pi_1 [\vec\sigma_1]_1, \Pi_2 [\vec\sigma_2]_2)$.
Verification: $(T_1, \ldots, T_\eta) \leftarrow \mathrm{Test}(R, \phi)$; accept the proof $\pi$ if and only if for all $T_1, \ldots, T_\eta$
$$\Big[\begin{matrix} \vec\sigma_1 \\ \vec\pi_1 \end{matrix}\Big]_1 \cdot T_i \Big[\begin{matrix} \vec\sigma_2 \\ \vec\pi_2 \end{matrix}\Big]_2 = [0]_T .$$
All of this uses only generic group operations: the proof is a linear function of the CRS elements and each test is a pairing-product equation.

Lower bound
Consider a relation with a hard decisional problem: $(\phi, w) \leftarrow \mathrm{Yes}(R)$ samples $(\phi, w) \in R$, $\phi \leftarrow \mathrm{No}(R)$ samples $\phi \notin L_R$, and it is hard to distinguish whether $\phi$ was sampled by Yes or by No.
Theorem: pairing-based SNARKs in Type III bilinear groups for relations with hard decisional problems have at least 2 group elements in the proofs.
Intuitively this is because single-element proofs give linear verification equations. The argument generalises to rule out any linear verification tests, with proof elements in $G_1$, $G_2$ and $G_T$.

Single element impossible
Consider wlog $\pi = [\vec\pi^\top \vec\sigma_2]_2$ and, for simplicity, a single verification equation $\vec\sigma_1^\top A\, \vec\sigma_2 = (\vec\sigma_1 \cdot \vec b)\,\pi$ in the exponent.
Construct a distinguisher $\mathcal{A}(R, \phi)$ that decides whether $\phi \in L_R$ or $\phi \notin L_R$:
1. Sample $(\phi_1, w_1), \ldots, (\phi_N, w_N) \leftarrow \mathrm{Yes}(R)$; compute $\vec\pi_i \leftarrow \mathrm{ProofMatrix}(R, \phi_i, w_i)$ and $(A_i, \vec b_i) \leftarrow \mathrm{Test}(R, \phi_i)$.
2. By completeness $\vec\sigma_1^\top A_i\, \vec\sigma_2 = \vec\sigma_1^\top \vec b_i \vec\pi_i^\top \vec\sigma_2$ for every $i$. Define the vector space $V$ generated by $(A_1, \vec b_1 \vec\pi_1^\top), \ldots, (A_N, \vec b_N \vec\pi_N^\top)$.
3. For the challenge, get $(A, \vec b) \leftarrow \mathrm{Test}(R, \phi)$ and try to solve for $\vec\pi$ such that $(A, \vec b \vec\pi^\top) \in V$; this is linear algebra over $\mathbb{F}_p$ because $\vec\pi$ enters linearly. If a solution is found return Yes, else return No.
If $(\phi, w) \leftarrow \mathrm{Yes}(R)$ and $N$ is large enough, then with high probability $(A, \vec b \vec\pi^\top) \in V$ for the honest $\vec\pi$, so the distinguisher answers Yes. Conversely, any $\vec\pi$ with $(A, \vec b \vec\pi^\top) \in V$ yields a proof $[\vec\pi^\top \vec\sigma_2]_2$ that passes verification, since each generator of $V$ satisfies the verification identity and the identity is linear; for $\phi \notin L_R$ soundness says no such proof should be found, so the distinguisher answers No.

Summary
NIZK argument for arithmetic circuit satisfiability: perfect completeness, perfect zero-knowledge, computational knowledge soundness (proof in the generic group model), proof size of 3 group elements, computationally efficient.
Lower bound: pairing-based non-interactive arguments using Type III pairings must have at least 2 group elements.