Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Jens Groth and Mary Maller, University College London
Digital signature
Signer: holds a key pair $(pk, sk) \in R_{\mathrm{key}}$. Verifier: holds the public key $pk$. The signer sends message $m$ with signature $\sigma$; the verifier checks it and outputs OK.
sEUF-CMA security: the adversary sees signatures $\sigma_i$ on adaptively chosen messages $m_i$ and cannot forge a valid message-signature pair $(m, \sigma)$ except by copying an earlier pair $(m_i, \sigma_i)$.
Schnorr signatures
Signer: holds $(pk, sk) \in R_{\mathrm{key}}$. Verifier: holds $pk$. Message $m$, signature $\sigma$.
The signature says: "Here is a proof that I know the secret key $sk$ associated with $pk$, and I want to sign message $m$."
Knowledge soundness: the signer really knows $sk$.
Zero-knowledge: the signature does not disclose enough about $sk$ to enable others to sign messages.
Signatures of knowledge
Signer: holds $(\phi, w) \in R$ for an NP relation $R$. Verifier: holds the instance $\phi \in L_R$. Message $m$, signature $\sigma$.
The signature says: "Here is a proof that I know a witness $w$ for $\phi \in L_R$, and I want to sign message $m$."
Signature of knowledge algorithms
Relation generator $\mathcal{R}(1^\lambda) \to R$: on security parameter $\lambda$, outputs an NP relation $R$ of pairs $(\phi, w)$.
$\mathrm{Setup}(R)$: generate public parameters $pp$.
$\mathrm{Sign}(pp, \phi, w, m)$: given $(\phi, w) \in R$, return a signature of knowledge $\sigma$ on $m$.
$\mathrm{Vfy}(pp, \phi, m, \sigma)$: return 1 (accept) or 0 (reject).
Correctness
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathcal{R}(1^\lambda)$, $(\phi, w) \in R$, $m \in \{0,1\}^*$:
$\Pr[pp \leftarrow \mathrm{Setup}(R);\ \sigma \leftarrow \mathrm{Sign}(pp, \phi, w, m) : \mathrm{Vfy}(pp, \phi, m, \sigma) = 1] = 1$
What you prove

Standard signatures                                                     | Signatures of knowledge
------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------
Public key $pk$, secret key $sk$                                        | Instance $\phi$, witness $w$
Example: $pk = (G, Y)$, $sk = x$ such that $Y = G^x$                    | Examples: $(x_1 \wedge x_2 \wedge \neg x_3) \vee (x_2 \wedge x_4 \wedge x_5)$ (SAT), Hamiltonian cycle, Circuit SAT
Randomly chosen keys $(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda)$   | Arbitrary statements
Often used repeatedly                                                   | Two instances $\phi, \phi'$ may be related, say $w' = w + 1$
Simulatability
Signer: $(\phi, w) \in R$. Verifier: instance $\phi$, message $m$, signature $\sigma$ (verifier: "Damned, I did not learn the witness").
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathcal{R}(1^\lambda)$ and all adversaries $A$ selecting $(\phi, w) \in R$:
$\Pr[(pp, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, w, m) \leftarrow A(pp);\ \sigma \leftarrow \mathrm{SimSign}(\tau, \phi, m) : A(\sigma) = 1]$
$= \Pr[pp \leftarrow \mathrm{Setup}(R);\ (\phi, w, m) \leftarrow A(pp);\ \sigma \leftarrow \mathrm{Sign}(pp, \phi, w, m) : A(\sigma) = 1]$
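The Schnorr signature from the earlier slide, implemented as an added example (not code from the slides or the authors) together with the SimSetup/SimSign pair this definition asks for: the simulator produces a valid signature on $m$ under $pk$ without $sk$ by choosing challenge and response first, solving for the commitment $R$, and programming the random oracle $H$ at that point. The toy group ($p = 1019$, $q = 509$, generator 4), the oracle encoding, the sample message and the function names `sign`, `verify`, `sim_sign` and `demo` are all constructed for this example; a real deployment uses a group of 256-bit prime order.

```python
# Added example, not code from the slides or the authors: Schnorr signatures seen as
# a signature of knowledge of sk, plus SimSign from the simulatability definition,
# implemented by programming a random oracle.
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; G is a square mod p, so it
# generates the subgroup of prime order q. Far too small for real use.
P = 1019
Q = 509
G = 4


class RandomOracle:
    """H: {0,1}* -> Z_q, lazily sampled via SHA-256 so the simulator can program it."""

    def __init__(self):
        self.table = {}

    def query(self, R, Y, m):
        key = (R, Y, m)
        if key not in self.table:
            digest = hashlib.sha256(f"{R}|{Y}|{m}".encode()).digest()
            self.table[key] = int.from_bytes(digest, "big") % Q
        return self.table[key]

    def program(self, R, Y, m, c):
        """Simulator privilege: define H(R, Y, m) := c. Fails if the point was already
        fixed, which is the negligible-probability event the simulation argument excludes."""
        key = (R, Y, m)
        if key in self.table and self.table[key] != c:
            raise ValueError("oracle point already defined")
        self.table[key] = c


def keygen():
    """(pk, sk) with pk = G^sk, i.e. the relation R_key = {(Y, x) : Y = G^x}."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def sign(H, pk, sk, m):
    """Fiat-Shamir proof of knowledge of sk whose challenge also binds the message m."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = H.query(R, pk, m)
    return R, (r + c * sk) % Q


def verify(H, pk, m, sig):
    R, s = sig
    if not (1 <= R < P and pow(R, Q, P) == 1):  # R must lie in the order-q subgroup
        return False
    c = H.query(R, pk, m)
    return pow(G, s, P) == R * pow(pk, c, P) % P


def sim_sign(H, pk, m):
    """SimSign without sk: pick (c, s) first, set R = G^s * pk^(-c), then program H."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    R = pow(G, s, P) * pow(pk, (-c) % Q, P) % P
    H.program(R, pk, m, c)
    return R, s


def demo():
    """Returns (real signature verifies, tampered s fails, simulated signature verifies)."""
    H = RandomOracle()
    pk, sk = keygen()
    R, s = sign(H, pk, sk, "transfer 5")  # constructed sample message
    real_ok = verify(H, pk, "transfer 5", (R, s))
    tampered_ok = verify(H, pk, "transfer 5", (R, (s + 1) % Q))  # G^(s+1) != R * pk^c
    H_sim = RandomOracle()  # fresh oracle under the simulator's control, as in SimSetup
    sim_ok = verify(H_sim, pk, "transfer 5", sim_sign(H_sim, pk, "transfer 5"))
    return real_ok, tampered_ok, sim_ok
```

The simulated signature is distributed exactly like a real one (uniform $c$ and $s$, $R$ determined by them), which is the equality of probabilities stated on this slide; the trapdoor $\tau$ is simply control over the oracle table.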
Simulation-extractability
Adversary: "I don't know $w$, but maybe I can cheat." It outputs an instance $\phi$, a message $m$ and a signature $\sigma$.
Non-black-box extractor, because we want succinctness!
For all PPT adversaries $A$ there is a PPT extractor $\chi_A$ such that
$\Pr[R \leftarrow \mathcal{R}(1^\lambda);\ (pp, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, m, \sigma) \leftarrow A^{\mathrm{SimSign}(\tau, \cdot, \cdot)}(pp);\ w \leftarrow \chi_A(\mathrm{transcript}_A) : \mathrm{Vfy}(pp, \phi, m, \sigma) = 1 \wedge (\phi, m, \sigma) \notin Q \wedge (\phi, w) \notin R] \approx 0$
where $Q$ is the list of $(\phi, m, \sigma)$ triples returned by the SimSign oracle.
Non-interactive zero-knowledge argument
Prover: $(\phi, w) \in R$. Verifier: instance $\phi$. Both hold the common reference string; the prover sends a proof and the verifier outputs OK.
Zero-knowledge: nothing but the truth of the statement is revealed.
Soundness: the statement is true.
NIZK argument algorithms
Relation generator $\mathcal{R}(1^\lambda) \to R$: on security parameter $\lambda$, outputs an NP relation $R$ of pairs $(\phi, w)$.
$\mathrm{Setup}(R)$: generate common reference string $crs$.
$\mathrm{Prove}(crs, \phi, w)$: given $(\phi, w) \in R$, return proof $\pi$.
$\mathrm{Vfy}(crs, \phi, \pi)$: return 1 (accept) or 0 (reject).
Completeness
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathcal{R}(1^\lambda)$, $(\phi, w) \in R$:
$\Pr[crs \leftarrow \mathrm{Setup}(R);\ \pi \leftarrow \mathrm{Prove}(crs, \phi, w) : \mathrm{Vfy}(crs, \phi, \pi) = 1] = 1$
Zero-knowledge
Prover: $(\phi, w) \in R$. Verifier: common reference string, instance $\phi$, proof $\pi$ (verifier: "Damned, I did not learn the witness").
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathcal{R}(1^\lambda)$ and all adversaries $A$ selecting $(\phi, w) \in R$:
$\Pr[(crs, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, w) \leftarrow A(crs);\ \pi \leftarrow \mathrm{SimProve}(\tau, \phi) : A(\pi) = 1]$
$= \Pr[crs \leftarrow \mathrm{Setup}(R);\ (\phi, w) \leftarrow A(crs);\ \pi \leftarrow \mathrm{Prove}(crs, \phi, w) : A(\pi) = 1]$
Simulation-extractability
Adversary: "I don't know $w$, but maybe I can cheat." It holds the common reference string and outputs an instance $\phi$ and a proof $\pi$.
For all PPT adversaries $A$ there is a PPT extractor $\chi_A$ such that
$\Pr[R \leftarrow \mathcal{R}(1^\lambda);\ (crs, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, \pi) \leftarrow A^{\mathrm{SimProve}(\tau, \cdot)}(crs);\ w \leftarrow \chi_A(\mathrm{transcript}_A) : \mathrm{Vfy}(crs, \phi, \pi) = 0 \ \text{or}\ (\phi, \pi) \in Q \ \text{or}\ (\phi, w) \in R] \approx 1$
where $Q$ is the list of $(\phi, \pi)$ pairs returned by the SimProve oracle.
Signatures of knowledge imply simulation-extractable NIZK arguments
$\mathrm{ZSetup}(R)$: return $crs = pp \leftarrow \mathrm{SSetup}(R)$.
$\mathrm{ZProve}(crs, \phi, w)$: set $m = 0$; return $\pi = \sigma \leftarrow \mathrm{SSign}(crs, \phi, w, m)$.
$\mathrm{ZVfy}(crs, \phi, \pi)$: return $\mathrm{SVfy}(crs, \phi, m, \pi)$ with $m = 0$.
Completeness follows from correctness. Zero-knowledge follows from simulatability. Simulation-extractability follows from simulation-extractability.
Simulation-extractable NIZK arguments and CRHFs imply signatures of knowledge
Hash function $H_K : \{0,1\}^* \to \{0,1\}^\lambda$. Define the relation
$R' = \{(\phi', w) : \phi' = (h, \phi),\ h \in \{0,1\}^\lambda,\ (\phi, w) \in R\}$
$\mathrm{SSetup}(R)$: pick hash-function key $K \leftarrow \{0,1\}^{\ell(\lambda)}$; run $crs \leftarrow \mathrm{ZSetup}(R')$; return $pp = (K, crs)$.
$\mathrm{SSign}(pp, \phi, w, m)$: set $\phi' = (H_K(m), \phi)$; return $\sigma = \pi \leftarrow \mathrm{ZProve}(crs, \phi', w)$.
$\mathrm{SVfy}(pp, \phi, m, \sigma)$: set $\phi' = (H_K(m), \phi)$; return $\mathrm{ZVfy}(crs, \phi', \sigma)$.
Correctness from completeness. Simulatability from zero-knowledge. Simulation-extractability from collision-resistance and simulation-extractability.
Our contribution
SE-NIZK argument: perfect completeness, perfect zero-knowledge, simulation-extractable under the XPKE and Poly assumptions.
Efficiency: asymmetric (Type III) pairings, 3 group element proofs, low computation.
SE-SNARK: Simulation-Extractable Succinct Non-interactive ARgument of Knowledge.
Arithmetic circuit
The example circuit (figure with wires $s_1, s_2, s_3, s_4$) corresponds to the quadratic equation $s_1 + s_3 \cdot s_3 = s_2$.
In general an arithmetic circuit can be written as a set of $n$ equations of the form
$(\sum_i s_i u_i) \cdot (\sum_i s_i v_i) = \sum_i s_i w_i$
over variables $s_1, \ldots, s_m$, and by convention $s_0 = 1$.
The arithmetic circuit defines an NP-language with instances $(s_1, \ldots, s_\ell)$ and witnesses $(s_{\ell+1}, \ldots, s_m)$.
Set of squaring constraints
Consider a set of quadratic equations $(\sum_i s_i u_i) \cdot (\sum_i s_i v_i) = \sum_i s_i w_i$ over a field $\mathbb{Z}_p$ with constants $u_i, v_i, w_i$ and variables $s_0 = 1$, $\phi = (s_1, \ldots, s_\ell)$, $w = (s_{\ell+1}, \ldots, s_m)$.
We can use the equality $(a + b)^2 = (a - b)^2 + 4ab$ to rewrite each of them as a pair of squaring equations with a fresh variable $s'$:
$(\sum_i s_i (u_i + v_i))^2 = s' + 4 \sum_i s_i w_i$
$(\sum_i s_i (u_i - v_i))^2 = s'$
This goes from $n$ equations over $m$ variables up to $2n$ equations over $m + n$ variables.
Polynomial rewriting
Consider $n$ squaring equations over $m$ variables: $(\sum_i s_i u_{ij})^2 = \sum_i s_i w_{ij}$ for $j = 1, \ldots, n$.
Pick distinct $r_1, \ldots, r_n \in \mathbb{Z}_p$. Let $u_0(X), \ldots, u_m(X)$ and $w_0(X), \ldots, w_m(X)$ be degree $n - 1$ polynomials such that $u_i(r_j) = u_{ij}$ and $w_i(r_j) = w_{ij}$.
Key observation: $(\sum_i s_i u_i(r_j))^2 = \sum_i s_i w_i(r_j)$ for $j = 1, \ldots, n$.
Define $t(X) = \prod_j (X - r_j)$. The key observation can be rewritten as
$(\sum_i s_i u_i(X))^2 = \sum_i s_i w_i(X) \bmod t(X)$
Square arithmetic programs
A square arithmetic program is described by a prime $p$, integers $1 \le \ell \le m$ and $1 \le n$, and degree $n$ polys $u_0(X), \ldots, u_m(X)$, $w_0(X), \ldots, w_m(X)$, $t(X)$.
Square arithmetic program relation:
$R = \{(\phi, w) : s_0 = 1,\ \phi = (s_1, \ldots, s_\ell) \in \mathbb{Z}_p^\ell,\ w = (s_{\ell+1}, \ldots, s_m) \in \mathbb{Z}_p^{m-\ell},\ (\sum_i s_i u_i(X))^2 = \sum_i s_i w_i(X) \bmod t(X)\}$
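As an added example (not code from the slides or the paper), the two rewriting steps of the previous slides carried out in Python over a constructed toy field $\mathbb{Z}_{101}$: the quadratic constraints of the arithmetic-circuit slide ($s_4 = s_3 \cdot s_3$ and $s_2 = s_1 + s_4$) are turned into squaring constraints via $(a+b)^2 = (a-b)^2 + 4ab$, each column of the resulting system is interpolated into $u_i(X)$ and $w_i(X)$, and the square arithmetic program relation is checked by dividing by $t(X)$. The prime, the evaluation points $r_j = 1, \ldots, n$, the constraint layout and every function name (`to_squaring`, `build_sap`, `sap_check`, `satisfies`, and the polynomial helpers) are assumptions of the example, not the paper's notation.

```python
# Added example, not code from the slides or the authors: quadratic constraints ->
# squaring constraints -> square arithmetic program, over a constructed toy field Z_p.
P = 101  # constructed toy prime; real systems use the pairing group's scalar field

# --- polynomial arithmetic over Z_p, coefficient lists with index = degree ---
def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def pscale(a, k):
    return trim([x * k % P for x in a])

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def pdivmod(a, b):
    """Long division: returns (quotient, remainder) with a = quotient * b + remainder."""
    a, q = a[:], [0] * max(1, len(a) - len(b) + 1)
    inv = pow(b[-1], P - 2, P)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = a[i + len(b) - 1] * inv % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * y) % P
    return trim(q), trim(a)

def interpolate(points):
    """Lagrange interpolation: the unique polynomial of degree < len(points) through them."""
    result = [0]
    for j, (rj, yj) in enumerate(points):
        basis, denom = [1], 1
        for k, (rk, _) in enumerate(points):
            if k != j:
                basis = pmul(basis, [(-rk) % P, 1])  # multiply by (X - r_k)
                denom = denom * (rj - rk) % P
        result = padd(result, pscale(basis, yj * pow(denom, P - 2, P) % P))
    return result

# --- step 1: quadratic equations -> squaring equations ---
def to_squaring(constraints, m):
    """Each (sum s_i u_i)(sum s_i v_i) = sum s_i w_i becomes, with a fresh variable s',
    (sum s_i (u_i+v_i))^2 = s' + 4 sum s_i w_i   and   (sum s_i (u_i-v_i))^2 = s'."""
    n, width = len(constraints), m + 1 + len(constraints)
    squaring = []
    for k, (u, v, w) in enumerate(constraints):
        fresh = m + 1 + k  # column of the fresh variable s' for this constraint
        plus = [(u[i] + v[i]) % P for i in range(m + 1)] + [0] * n
        minus = [(u[i] - v[i]) % P for i in range(m + 1)] + [0] * n
        right1 = [4 * w[i] % P for i in range(m + 1)] + [0] * n
        right1[fresh] = 1
        right2 = [0] * width
        right2[fresh] = 1
        squaring += [(plus, right1), (minus, right2)]
    return squaring

def extend_assignment(s, constraints):
    """Append s' = (a - b)^2 for every original constraint to the assignment s (s[0] == 1)."""
    out = list(s)
    for u, v, _ in constraints:
        a = sum(si * ui for si, ui in zip(s, u)) % P
        b = sum(si * vi for si, vi in zip(s, v)) % P
        out.append((a - b) ** 2 % P)
    return out

# --- step 2: squaring equations -> polynomials mod t(X) ---
def build_sap(squaring):
    """Interpolate u_i(X), w_i(X) with u_i(r_j) = u_ij, w_i(r_j) = w_ij; t(X) = prod (X - r_j)."""
    n, width = len(squaring), len(squaring[0][0])
    rs = list(range(1, n + 1))  # distinct evaluation points r_1..r_n (constructed choice)
    u_polys = [interpolate([(rs[j], squaring[j][0][i]) for j in range(n)]) for i in range(width)]
    w_polys = [interpolate([(rs[j], squaring[j][1][i]) for j in range(n)]) for i in range(width)]
    t = [1]
    for r in rs:
        t = pmul(t, [(-r) % P, 1])
    return u_polys, w_polys, t

def sap_check(s, u_polys, w_polys, t):
    """True iff (sum s_i u_i(X))^2 = sum s_i w_i(X) mod t(X); also returns the quotient h(X)."""
    lhs, rhs = [0], [0]
    for si, ui, wi in zip(s, u_polys, w_polys):
        lhs, rhs = padd(lhs, pscale(ui, si)), padd(rhs, pscale(wi, si))
    h, rem = pdivmod(padd(pmul(lhs, lhs), pscale(rhs, P - 1)), t)
    return rem == [0], h

# Slide circuit as two quadratic constraints over s_0..s_4 (u, v, w coefficient vectors):
#   s_3 * s_3 = s_4          and          (s_1 + s_4) * 1 = s_2
M = 4
CONSTRAINTS = [
    ([0, 0, 0, 1, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]),
    ([0, 1, 0, 0, 1], [1, 0, 0, 0, 0], [0, 0, 1, 0, 0]),
]

def satisfies(s):
    """Full pipeline for an assignment s = (1, s_1, ..., s_m): True iff s satisfies the SAP."""
    squaring = to_squaring(CONSTRAINTS, M)
    u_polys, w_polys, t = build_sap(squaring)
    return sap_check(extend_assignment(s, CONSTRAINTS), u_polys, w_polys, t)[0]
```

`satisfies([1, 5, 14, 3, 9])` holds ($s_3 = 3$, $s_4 = 9$, $s_2 = 5 + 9$), while `[1, 5, 14, 4, 9]` fails at the first root $r_1$ and so leaves a non-zero remainder. The quotient $h(X)$ that `sap_check` returns is the polynomial whose evaluation $h(x)$ the prover folds into the proof element $C$ on the SE-SNARK slide.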
Prime order bilinear groups
$\mathrm{Gen}(1^\lambda)$ generates $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$: $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are finite cyclic groups of prime order $p$ generated by $G$, $H$ and $e(G, H)$.
Bilinear map: $e(G^a, H^b) = e(G, H)^{ab}$.
Generic group operations efficiently computable: deciding group membership, group multiplications, pairing.
Asymmetric bilinear groups (Type III): no efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$.
SE-SNARK
CRS size: $m + 2n$ $\mathbb{G}_1$, $n$ $\mathbb{G}_2$. Proof size: 2 $\mathbb{G}_1$, 1 $\mathbb{G}_2$. Prover: $m + 2n - \ell$ $E_1$, $n$ $E_2$. Verifier: $\ell$ $E_1$, 5 $P$.
$\mathrm{Setup}(R) \to crs$: pick $G \leftarrow \mathbb{G}_1^*$, $H \leftarrow \mathbb{G}_2^*$, $\alpha, \beta, \gamma, x \leftarrow \mathbb{Z}_p^*$ such that $t(x) \neq 0$, and set
$crs = \big(R,\ G^\alpha,\ G^\beta,\ G^{\gamma t(x)},\ G^{(\gamma t(x))^2},\ G^{(\alpha+\beta)\gamma t(x)},\ \{G^{\gamma x^i},\ H^{\gamma x^i},\ G^{\gamma^2 t(x) x^i}\}_{i=0}^{n-1},\ \{G^{\gamma w_i(x) + (\alpha+\beta) u_i(x)}\}_{i=0}^{\ell},\ \{G^{\gamma^2 w_i(x) + (\alpha+\beta)\gamma u_i(x)}\}_{i=\ell+1}^{m},\ H,\ H^\beta,\ H^{\gamma t(x)}\big)$
$\mathrm{Prove}(crs, \phi, w) \to \pi = (A, B, C)$: pick $r \leftarrow \mathbb{Z}_p$, let $h(X)$ be the quotient with $(\sum_i s_i u_i(X))^2 - \sum_i s_i w_i(X) = h(X)\, t(X)$, and compute
$A = G^{\gamma(\sum_i s_i u_i(x) + r t(x))}$
$B = H^{\gamma(\sum_i s_i u_i(x) + r t(x))}$
$C = G^{\sum_{i > \ell} s_i (\gamma^2 w_i(x) + (\alpha+\beta)\gamma u_i(x)) + r^2 \gamma^2 t(x)^2 + r(\alpha+\beta)\gamma t(x) + \gamma^2 t(x)\,(h(x) + 2r \sum_i s_i u_i(x))}$
$\mathrm{Vfy}(crs, \phi, \pi) \to 0/1$: return 1 if and only if
$e(A, H^\gamma) = e(G^\gamma, B)$ and
$e(A G^\alpha, B H^\beta) = e(G^\alpha, H^\beta) \cdot e\big(G^{\sum_{i \le \ell} s_i (\gamma w_i(x) + (\alpha+\beta) u_i(x))}, H^\gamma\big) \cdot e(C, H)$
Assumptions
Computational Polynomial Assumption: see paper.
Extended Power Knowledge of Exponent Assumption: for all PPT $A$ there is a PPT $\chi_A$ such that
$\Pr[gk = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H) \leftarrow \mathrm{Gen}(1^\lambda);\ \boldsymbol{z} \leftarrow \mathbb{Z}_p^q;\ (G^a, H^b) \leftarrow A^{O^1_{G,\boldsymbol{z}}(\cdot),\, O^2_{H,\boldsymbol{z}}(\cdot)}(gk);\ \boldsymbol{\eta} \leftarrow \chi_A(\mathrm{transcript}_A) : a = b \ \text{and}\ b \neq \sum_j \eta_j h_j(\boldsymbol{z})] \approx 0$
where, on $q$-variate polynomials $g_j$ or $h_j$, the oracle $O^1_{G,\boldsymbol{z}}(g_j(\boldsymbol{Z}))$ returns $G^{g_j(\boldsymbol{z})}$ and $O^2_{H,\boldsymbol{z}}(h_j(\boldsymbol{Z}))$ returns $H^{h_j(\boldsymbol{z})}$.
Efficiency and lower bounds

Construction              | Proof size                          | Prover                         | Verifier             | Eq.
--------------------------|-------------------------------------|--------------------------------|----------------------|----
[BCTV14] (zk-SNARK)       | 7 $\mathbb{G}_1$, 1 $\mathbb{G}_2$  | $6m + n$ $E_1$, $m$ $E_2$      | $\ell$ $E_1$, 12 $P$ | 5
[Groth16] (zk-SNARK)      | 2 $\mathbb{G}_1$, 1 $\mathbb{G}_2$  | $m + 3n$ $E_1$, $n$ $E_2$      | $\ell$ $E_1$, 3 $P$  | 1
This work (SE-SNARK)      | 2 $\mathbb{G}_1$, 1 $\mathbb{G}_2$  | $m + 4n$ $E_1$, $2n$ $E_2$     | $\ell$ $E_1$, 5 $P$  | 2

Arithmetic circuits with $m$ wires, $n$ gates, instance size $\ell$ ($\ell \ll n < m$). Group element $\mathbb{G}$, exponentiation $E$, pairing $P$; Eq. is the number of verification equations.
Lower bounds. [Groth16]: pairing-based zk-SNARKs cannot have 1 group element proofs. This work: pairing-based SE-SNARKs cannot have 2 group element proofs or just 1 verification equation.