1. On the Size of Pairing-based Non-interactive Arguments
Jens Groth University College London
TexPoint fonts used in EMF.
Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

2. Non-interactive zero-knowledge argument
Common reference string
Statement: 𝜙∈ 𝐿 𝑅
𝜙,𝑤 ∈𝑅 OK
Proof: 
Prover Verifier
Zero-knowledge:
Nothing but truth revealed
Soundness:
Statement is true

3. Statements Statements are 𝜙∈𝐿 for a given NP-language 𝐿
𝑥 1 ∧ 𝑥 2 ∧¬ 𝑥 3 ∨( 𝑥 2 ∧ x 4 ∧ 𝑥 5 )
SAT 1
Plaintext is signature on…
Hamiltonian
Circuit SAT
Statements are 𝜙∈𝐿 for a given NP-language 𝐿
Prover knows witness 𝑤 such that 𝜙,𝑤 ∈ 𝑅 𝐿
But wants to keep the witness secret!

4. Applications
NIZK arguments guarantee protocol compliance (soundness) Yet they also preserve confidentiality (zero-knowledge)

5. Our contribution NIZK argument Efficiency
Perfect completeness
Perfect zero-knowledge
Computational soundness
Generic group model
Efficiency
Asymmetric (Type III) pairings
3 group element proofs
Low computation
zk-SNARK Succinct Non-interactive Argument of Knowledge

6. Our contribution Lower bound
Look at pairing-based non-interactive arguments
Not necessarily zero-knowledge
A few restrictions on the type of argument
Common for all known pairing-based SNARKs
NIZK arguments cannot have 1 element proofs
For asymmetric (Type III) pairings
Open question whether 2 elements is possible

7. Prime order bilinear groups
Gen( 1 𝑘 ) generates (𝑝, 𝐺 1 , 𝐺 2 , 𝐺 𝑇 ,𝑒,𝑔,ℎ)
𝐺 1 , 𝐺 2 , 𝐺 𝑇 finite cyclic groups of prime order 𝑝 generated by 𝑔,ℎ and 𝑒(𝑔,ℎ)
Bilinear map
𝑒 𝑔 𝑎 , ℎ 𝑏 =𝑒 𝑔,ℎ 𝑎𝑏
Generic group operations efficiently computable
Deciding group membership, group operations, pairing
Symmetric bilinear groups (Type I): 𝐺 1 = 𝐺 2 and 𝑔=ℎ
Asymmetric bilinear groups (Type III): No efficiently computable isomorphism between 𝐺 1 and 𝐺 2

8. Additive notation
Given bilinear group (𝑝, 𝐺 1 , 𝐺 2 , 𝐺 𝑇 ,𝑒,𝑔,ℎ) define 𝑎 1 = 𝑔 𝑎 𝑏 2 = ℎ 𝑏 𝑐 𝑇 =𝑒 𝑔,ℎ 𝑐 and use additive notation for group operations 𝑎 ∗ + 𝑏 ∗ = 𝑎+𝑏 ∗ 𝑎 𝑏 ∗ = 𝑎𝑏 ∗
The generators can now be written , , 1 𝑇
Define dot products using linear algebra notation 𝑎 ∗ ⋅ 𝑏 = 𝑎 ⋅ 𝑏 ∗ 𝑎 1 ⋅ 𝑏 2 = 𝑎 ⋅ 𝑏 𝑇
And for matrix multiplication 𝑀 𝑎 ∗ = 𝑀 𝑎 ∗
In general in this talk scalars and computation in 𝑭 𝑝

9. SNARK preview Common reference string 𝜎=( 𝜎 1 1 , 𝜎 2 2 )
Efficiency Proof size: 2 𝐺 1 , 1 𝐺 2
Prover: 𝑚+3𝑛 𝐸 1 ,𝑛 𝐸 2
Verifier: ℓ 𝐸 1 +3𝑃
SNARK preview
Common reference string 𝜎=( 𝜎 , 𝜎 )
𝜎 1 = 𝛼,𝛽,𝛿, 𝑥 𝑖 , 𝑥 𝑖 𝑡 𝑥 𝛿 , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 𝑖≤ℓ , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿 𝑖>ℓ
𝜎 2 = 𝛽,𝛾,𝛿, 𝑥 𝑖
Prover creates 𝜋=( 𝐴 1 , 𝐶 1 , 𝐵 2 )
𝐴=𝛼+∑ 𝑎 𝑖 𝑢 𝑖 𝑥 +𝑟𝛿 𝐵=𝛽+∑ 𝑎 𝑖 𝑣 𝑖 (𝑥)+𝑠𝛿
𝐶= 𝑖>ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿 + ℎ 𝑥 𝑡(𝑥) 𝛿 +𝐴𝑠+𝑟𝐵−𝑟𝑠𝛿
Verifier accepts if 𝐴 1 ⋅ 𝐵 2 = 𝛼 1 ⋅ 𝛽 2 + 𝑖=0 ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 1 ⋅ 𝛾 𝐶 1 ⋅ 𝛿 2

10. Write as quadratic equation over 𝑭 𝑝 𝑎 1 + 𝑎 3 ⋅ 𝑎 3 = 𝑎 2
In general arithmetic circuit can be written as a set of equations of the form ∑ 𝑎 𝑖 𝑢 𝑖 ⋅∑ 𝑎 𝑖 𝑣 𝑖 =∑ 𝑎 𝑖 𝑤 𝑖
over variables 𝑎 1 ,…, 𝑎 𝑚 and by convention 𝑎 0 =1
Arithmetic circuit defines an NP-language with statements ( 𝑎 1 ,…, 𝑎 ℓ ) and witnesses ( 𝑎 ℓ+1 ,…, 𝑎 𝑚 )
Arithmetic circuit
𝑎 2
𝑎 1
𝑎 3

11. Rewriting the circuit as polynomial equations
Consider an equation ∑ 𝑎 𝑖 𝑢 𝑖 ⋅∑ 𝑎 𝑖 𝑣 𝑖 =∑ 𝑎 𝑖 𝑤 𝑖
Let 𝑢 𝑖 𝑥 , 𝑣 𝑖 𝑥 , 𝑤 𝑖 (𝑥) be polynomials such that 𝑢 𝑖 𝑟 = 𝑢 𝑖 𝑣 𝑖 𝑟 = 𝑣 𝑖 𝑤 𝑖 𝑟 = 𝑤 𝑖
Then equation satisfied if ∑ 𝑎 𝑖 𝑢 𝑖 𝑥 ⋅∑ 𝑎 𝑖 𝑣 𝑖 𝑥 ≡∑ 𝑎 𝑖 𝑤 𝑖 𝑥 mod (𝑥−𝑟)
Pick degree 𝑛−1 polynomials 𝑢 𝑖 𝑥 , 𝑣 𝑖 𝑥 , 𝑤 𝑖 (𝑥) such that this holds for all equations, using distinct 𝑟 1 ,…, 𝑟 𝑛 for the 𝑛 equations in the circuit
Values 𝑎 0 ,…, 𝑎 𝑚 satisfy all equations if ∑ 𝑎 𝑖 𝑢 𝑖 𝑥 ⋅∑ 𝑎 𝑖 𝑣 𝑖 𝑥 ≡∑ 𝑎 𝑖 𝑤 𝑖 𝑥 mod ∏(𝑥− 𝑟 𝑗 )

12. Quadratic arithmetic program
A quadratic arithmetic program over 𝒁 𝑝 consists of polynomials 𝑢 𝑖 𝑥 , 𝑣 𝑖 𝑥 , 𝑤 𝑖 𝑥 ,𝑡 𝑥 ∈ 𝒁 𝑝 𝑥
It defines an NP-relation with
Constant 𝑎 0 =1
Statements ( 𝑎 1 ,…, 𝑎 ℓ )
Witnesses ( 𝑎 ℓ+1 ,…, 𝑎 𝑚 )
Satisfying for some polynomial ℎ(𝑥) that ∑ 𝑎 𝑖 𝑢 𝑖 𝑥 ⋅∑ 𝑎 𝑖 𝑣 𝑖 𝑥 =∑ 𝑎 𝑖 𝑤 𝑖 𝑥 +ℎ(𝑥)𝑡(𝑥)

13. SNARK for QAPs Common reference string 𝜎=( 𝜎 1 1 , 𝜎 2 2 )
Zero-knowledge Simulator given 𝜏=(𝛼,𝛽,𝛾,𝛿,𝑥)
Pick random 𝐴,𝐵← 𝒁 𝑝 Compute 𝐶= 𝐴𝐵−𝛼𝛽− 𝑖≤ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿
Return simulated proof 𝜋=( 𝐴 1 , 𝐶 1 , 𝐵 2 )
SNARK for QAPs
Common reference string 𝜎=( 𝜎 , 𝜎 )
𝜎 1 = 𝛼,𝛽,𝛿, 𝑥 𝑖 , 𝑥 𝑖 𝑡 𝑥 𝛿 , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 𝑖≤ℓ , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿 𝑖>ℓ
𝜎 2 = 𝛽,𝛾,𝛿, 𝑥 𝑖
Prover creates 𝜋=( 𝐴 1 , 𝐶 1 , 𝐵 2 )
𝐴=𝛼+∑ 𝑎 𝑖 𝑢 𝑖 𝑥 +𝑟𝛿 𝐵=𝛽+∑ 𝑎 𝑖 𝑣 𝑖 (𝑥)+𝑠𝛿
𝐶= 𝑖>ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿 + ℎ 𝑥 𝑡(𝑥) 𝛿 +𝐴𝑠+𝑟𝐵−𝑟𝑠𝛿
Verifier accepts if 𝐴 1 ⋅ 𝐵 2 = 𝛼 1 ⋅ 𝛽 2 + 𝑖=0 ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 1 ⋅ 𝛾 𝐶 1 ⋅ 𝛿 2
Completeness Proof of form 𝐴,𝐶 1 = Π 𝜎 𝐵 2 = Π 𝜎 computable from witness ( 𝑎 ℓ+1 ,…, 𝑎 𝑚 ) satisfies verification

14. Generic group model Captures attacks using generic group operations
Necessary for security
Not necessarily sufficient for security [Fischlin00,Dent02]
In practice GGM holds up well
Modelled by random bijections ⋅ 𝑖 : 𝒁 𝑝 → 𝐺 𝑖
𝜎 , 𝜎
𝑎 𝑏 1 ? 
𝑎+𝑏 1

15. Knowledge soundness Theorem Proof outline
Disclosure-free For any linear equality test of group elements in CRS either
Very likely true
Very likely false
So answers are trivial and adversary learns nothing
Theorem
In the generic group model adversary can only construct valid proof if she knows witness
Proof outline
Generic group adversary must pick (𝜙, 𝐴 1 , 𝐶 1 , 𝐵 2 ) where 𝐴 1 , 𝐶 1 linear combinations of elements in 𝜎 and 𝐵 2 linear combination of elements in 𝜎
Adversary cannot learn non-trivial information about common reference string using generic group operations, so linear combinations chosen independently of 𝜎 1 , 𝜎 2
Careful analysis show independently chosen linear combinations are unlikely to satisfy verification equation over the random 𝛼, 𝛽,𝛾,𝛿,𝑥∈ 𝒁 𝑝 used to construct 𝜎 1 , 𝜎 2

16. Analysis Common reference string 𝜎=( 𝜎 1 1 , 𝜎 2 2 )
𝜎 1 = 𝛼,𝛽,𝛿, 𝑥 𝑖 , 𝑥 𝑖 𝑡 𝑥 𝛿 , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 𝑖≤ℓ , 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛿 𝑖>ℓ
𝜎 2 = 𝛽,𝛾,𝛿, 𝑥 𝑖
Adversary can choose linear combinations
𝐴 1 = 𝑎 ⋅ 𝜎 𝐶 2 = 𝑐 ⋅ 𝜎 𝐵 2 = 𝑏 ⋅ 𝜎
with 𝑎 , 𝑏 , 𝑐 chosen independently of 𝛼,𝛽,𝛾,𝛿,𝑥
The verification equation is a polynomial identity in 𝛼,𝛽,𝛾,𝛿,𝑥 𝑎 ⋅ 𝜎 𝑏 ⋅ 𝜎 2 =𝛼𝛽+ 𝑖=0 ℓ 𝑎 𝑖 (𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 ) +( 𝑐 ⋅ 𝜎 1 )𝛿
Coefficient analysis End up with proof, where 𝐴,𝐵,𝐶 are constructed exactly like a real proof, except 𝐴,𝐵 may be in randomized form 𝐴 𝑟 , 𝐵 1 𝑟 .
The witness 𝑎 ℓ+1 ,…, 𝑎 𝑚 can now be read directly from the coefficients in 𝑐
Coefficient analysis Look at coefficients of 𝛿 2
𝑎 𝛿 ⋅ 𝑏 𝛿 = 𝑐 𝛿
Look at coefficients of 𝛼𝛽 𝑎 𝛼 ⋅ 𝑏 𝛽 =1
Etc., etc., ...

17. Efficiency Circuits with 𝑚 wires, 𝑛 gates, statement size ℓ (ℓ≪𝑛<𝑚)
Arithmetic circuits
Proof size
Prover
Verifier
Equations
[PGHR13] (symmetric)
8 𝐺
7𝑚+𝑛 𝐸
ℓ 𝐸, 11 𝑃 5
This work (symmetric)
3 𝐺
𝑚+3𝑛 𝐸
ℓ 𝐸, 3 𝑃 1
[BCTV14]
7 𝐺 1 , 1 𝐺 2
6𝑚+𝑛 𝐸 1 , 𝑚 𝐸 2
ℓ 𝐸 1 , 12 𝑃
This work
2 𝐺 1 , 1 𝐺 2
𝑚+3𝑛 𝐸 1 , 𝑛 𝐸 2
ℓ 𝐸 1 , 3 𝑃
Boolean circuits
[DFGK14]
3 𝐺 1 , 1 𝐺 2
𝑚+𝑛 𝐸 1
ℓ 𝑀 1 , 6 𝑃 3
𝑛 𝐸 1
ℓ 𝑀 1 , 3 𝑃
Circuits with 𝑚 wires, 𝑛 gates, statement size ℓ (ℓ≪𝑛<𝑚)
Group element 𝐺, exponentiation 𝐸, pairing 𝑃, multiplication 𝑀
Efficiency gain 1. Generic group model instead of knowledge of exponent assumption 2. Carefully crafted verification equations

18. Libsnark implementation
Take any C program P with output y
Statement: There exists x such that P(x)=y
Generate NIZK proof that output y is correct
Proof size: 200B
Speedup: factor 4-5
Performance gain for two reasons Libsnark has short CRS. Uses recursive construction of SNARKs. This gives two sources of improvement
1) Faster computation
2) Smaller proofs, which means less work in recursion

19. } } } } Fully succinct SNARKs 𝜋 1 𝜋 2 𝜋 𝜋 3
SNARKs for correct execution of part of trace
SNARKs that there are SNARKs for correct execution
SNARKs that there are SNARKs that there are SNARKs for correct execution
Execution }
𝜋 1 } }
𝜋 2 𝜋 }
𝜋 3
Small CRS SNARKs for small statements
Short common reference string

20. PCD-friendly elliptic curves in libsnark
SNARKs work over elliptic curve groups with pairings, i.e., 𝐺 1 =𝐸 𝑭 𝑞 of size #𝐸( 𝑭 𝑞 )=𝑝
Verifying the SNARK requires operations over 𝑭 𝑞
Writing verification as an 𝑭 𝑝 -arithmetic circuit requires expensive modulus switching from 𝑞 to 𝑝
Solution is to use two friendly curves #𝐸( 𝑭 𝑞 )=𝑝 #𝐸′( 𝑭 𝑝 )=𝑞
SNARKs over ( 𝐺 1 , 𝐺 2 , 𝐺 𝑇 ,𝑒) about SNARKs over ( 𝐺 1 ′ , 𝐺 2 ′ , 𝐺 𝑇 ′ , 𝑒 ′ ) and vice versa
𝐴 1 ⋅ 𝐵 2 = 𝛼 1 ⋅ 𝛽 2 + 𝑖=0 ℓ 𝑎 𝑖 𝛽 𝑢 𝑖 𝑥 +𝛼 𝑣 𝑖 𝑥 + 𝑤 𝑖 𝑥 𝛾 1 ⋅ 𝛾 𝐶 1 ⋅ 𝛿 2

21. Pairing-based SNARK NP-relation 𝑅 with statements 𝜙 and witnesses 𝑤
Common reference string
Generate 𝜎 1 , 𝜎 2 ,𝜏 ←Setup 𝑅
Let common reference be (𝑅, 𝜎 , 𝜎 )
Proof
Π 1 , Π 2 ←ProofMatrix(𝑅,𝜙,𝑤)
𝜋= 𝜋 , 𝜋 =( Π 𝜎 , Π 𝜎 )
Verification
𝑇 1 ,…, 𝑇 𝜂 ←Test(𝑅,𝜙)
Accept the proof 𝜋 if and only if for all 𝑇 1 ,…, 𝑇 𝜂 𝜎 𝜋 ⋅ 𝑇 𝑖 𝜎 𝜋 = 0 𝑇
Generic group operations

22. Lower bound Consider relation with hard decisional problem Theorem
𝜙,𝑤 ←Yes(𝑅) samples 𝜙,𝑤 ∈𝑅
𝜙←No(𝑅) samples 𝜙∉ 𝐿 𝑅
Hard to distinguish if 𝜙 sampled by Yes or No
Theorem
Pairing-based SNARKs in Type III bilinear groups for relations with hard decisional problems have at least 2 group elements in the proofs
Intuitively because single element proofs give linear verification equations Can generalize to rule out any linear verification tests with proof elements in 𝐺 1 , 𝐺 2 and 𝐺 𝑇

23. Single element impossible
Consider wlog 𝜋= 𝜋 𝑇 𝜎 2 and for simplicity single verification equation 𝜎 1 ⋅𝐴 𝜎 2 = 𝜎 1 ⋅ 𝑏 𝜋
Construct 𝐴(𝑅,𝜙) that decides if 𝜙∈ 𝐿 𝑅 or 𝜙∉ 𝐿 𝑅
𝜙 1 , 𝑤 1 ,…, 𝜙 𝑁 , 𝑤 𝑁 ←Yes(𝑅)
𝜋 𝑖 ←ProofMatrix(𝑅, 𝜙 𝑖 , 𝑤 𝑖 )
( 𝐴 𝑖 , 𝑏 𝑖 )←Test(𝑅, 𝜙 𝑖 )
Define vector space 𝑉 generated by 𝐴 1 , 𝑏 1 𝜋 1 𝑇 ,…, 𝐴 𝑁 , 𝑏 𝑁 𝜋 𝑁 𝑇
𝐴, 𝑏 ←Test(𝑅,𝜙)
Try to solve for 𝜋 such that 𝐴, 𝑏 𝜋 𝑇 ∈𝑉
If solution found return Yes else return No
If 𝜙,𝑤 ←Yes 𝑅 and 𝑁 large enough, probably 𝐴, 𝑏 𝜋 𝑇 ∈𝑉
By completeness 𝜎 1 ⋅ 𝐴 𝑖 𝜎 2 = 𝜎 1 ⋅ 𝑏 𝜋 𝑖 𝑇 𝜎 2

24. Summary NIZK argument for arithmetic circuit satisfiability
Perfect completeness
Perfect zero-knowledge
Computational knowledge soundness
Proof in generic group model
Proof size of 3 group elements
Computationally efficient
Lower bound
Pairing-based non-interactive arguments using Type III pairings must have at least 2 group elements