ABSTRACT
We study the problem of building non-interactive proof systems modularly by linking small specialized "gadget" SNARKs in a lightweight manner. Our motivation is both theoretical and practical. On the theoretical side, modular SNARK designs would be flexible and reusable. Modular designs have already been employed successfully in previous works (e.g., Geppetto); these approaches, however, tend to be ad hoc and to reinvent the wheel. We propose to fill this gap. In practice, specialized SNARKs have the potential to be more efficient than the general-purpose schemes on which most existing works have focused. If a computation naturally presents different "components" (e.g., one arithmetic circuit and one boolean circuit), a general-purpose scheme would homogenize them into a single representation at a subsequent cost in performance. Through a modular approach one could instead exploit the nuances of a computation and choose the best gadget for each component.

Our contribution is LegoSNARK, a "toolbox" (or framework) for commit-and-prove zkSNARKs (CP-SNARKs) that includes:
1) General composition tools: build new CP-SNARKs simply from proof gadgets for basic relations. We also formalize the notion of cc-SNARK.
2) A "lifting" tool: a compiler that efficiently adds commit-and-prove capabilities to a broad class of existing zkSNARKs. This makes them interoperable (linkable) within the same computation. For example, one QAP-based scheme can be used to prove one component, and another GKR-based scheme can be used to prove another.
3) A collection of succinct proof gadgets for a variety of relations.

Additionally, through our framework and gadgets, we are able to obtain new succinct proof systems. Notably:
-- LegoGro16, a commit-and-prove version of the Groth16 zkSNARK, that operates over data committed with a classical Pedersen vector commitment and achieves a 5000× speedup in proving time.
-- LegoUAC, a pairing-based SNARK for arithmetic circuits that has a universal, circuit-independent CRS and proving time linear in the number of circuit gates (vs. the recent scheme of Groth et al. (CRYPTO'18) with quadratic CRS and quasilinear proving time).
-- LegoMM, a CP-SNARK for matrix multiplication that achieves optimal proving complexity.
References
- Hyrax. https://github.com/hyraxZK
- libsecp256k1. https://github.com/apoelstra/secp256k1-mw/tree/bulletproofs
- libsnark. https://github.com/scipr-lab/libsnark
- PyPy. https://pypy.org
- Shashank Agrawal, Chaya Ganesh, and Payman Mohassel. 2018. Non-Interactive Zero-Knowledge Proofs for Composite Statements. In CRYPTO 2018, Part III (LNCS), Hovav Shacham and Alexandra Boldyreva (Eds.), Vol. 10993. Springer, Heidelberg, 643–673. https://doi.org/10.1007/978-3-319-96878-0_22
- Kurt M. Alonso and Jordi Herrera Joancomartí. 2018. Monero - Privacy in the Blockchain. Cryptology ePrint Archive, Report 2018/535. https://eprint.iacr.org/2018/535
- Scott Ames, Carmit Hazay, Yuval Ishai, and Muthuramakrishnan Venkitasubramaniam. 2017. Ligero: Lightweight Sublinear Arguments Without a Trusted Setup. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 2087–2104. https://doi.org/10.1145/3133956.3134104
- Michael Backes, Manuel Barbosa, Dario Fiore, and Raphael M. Reischuk. 2015. ADSNARK: Nearly Practical and Privacy-Preserving Proofs on Authenticated Data. In 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 271–286. https://doi.org/10.1109/SP.2015.24
- Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. 2018. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046. https://eprint.iacr.org/2018/046
- Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. 2014. Zerocash: Decentralized Anonymous Payments from Bitcoin. In 2014 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 459–474. https://doi.org/10.1109/SP.2014.36
- Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, and Madars Virza. 2013. SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. In CRYPTO 2013, Part II (LNCS), Ran Canetti and Juan A. Garay (Eds.), Vol. 8043. Springer, Heidelberg, 90–108. https://doi.org/10.1007/978-3-642-40084-1_6
- Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. 2016. Interactive Oracle Proofs. In TCC 2016-B, Part II (LNCS), Martin Hirt and Adam D. Smith (Eds.), Vol. 9986. Springer, Heidelberg, 31–60. https://doi.org/10.1007/978-3-662-53644-5_2
- Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. 2014. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. In USENIX Security. 781–796.
- Nir Bitansky, Ran Canetti, Alessandro Chiesa, Shafi Goldwasser, Huijia Lin, Aviad Rubinstein, and Eran Tromer. 2017. The Hunting of the SNARK. Journal of Cryptology 30, 4 (Oct. 2017), 989–1066.
- Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. 2012. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In ITCS 2012, Shafi Goldwasser (Ed.). ACM, 326–349. https://doi.org/10.1145/2090236.2090263
- Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Jens Groth, and Christophe Petit. 2016. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. In EUROCRYPT 2016, Part II (LNCS), Marc Fischlin and Jean-Sébastien Coron (Eds.), Vol. 9666. Springer, Heidelberg, 327–357. https://doi.org/10.1007/978-3-662-49896-5_12
- Jonathan Bootle, Andrea Cerulli, Essam Ghadafi, Jens Groth, Mohammad Hajiabadi, and Sune K. Jakobsen. 2017. Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability. In ASIACRYPT 2017, Part III (LNCS), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10626. Springer, Heidelberg, 336–365. https://doi.org/10.1007/978-3-319-70700-6_12
- Sean Bowe, Ariel Gabizon, and Ian Miers. 2017. Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model. Cryptology ePrint Archive, Report 2017/1050. https://eprint.iacr.org/2017/1050
- Benjamin Braun, Ariel J. Feldman, Zuocheng Ren, Srinath Setty, Andrew J. Blumberg, and Michael Walfish. 2013. Verifying computations with state. In Proc. of the ACM SOSP.
- Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell. 2017. Bulletproofs: Efficient range proofs for confidential transactions. Cryptology ePrint Archive, Report 2017/1066. https://eprint.iacr.org/2017/1066
- Matteo Campanelli, Dario Fiore, and Anaïs Querol. 2019. LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs. Cryptology ePrint Archive, Report 2019/142. http://eprint.iacr.org/
- Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. 2002. Universally composable two-party and multi-party secure computation. In 34th ACM STOC. ACM Press, 494–503. https://doi.org/10.1145/509907.509980
- Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel Slamanig, and Greg Zaverucha. 2017. Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1825–1842. https://doi.org/10.1145/3133956.3133997
- Melissa Chase, Chaya Ganesh, and Payman Mohassel. 2016. Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials. In CRYPTO 2016, Part III (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9816. Springer, Heidelberg, 499–530. https://doi.org/10.1007/978-3-662-53015-3_18
- Graham Cormode, Michael Mitzenmacher, and Justin Thaler. 2012. Practical verified computation with streaming interactive proofs. In ITCS 2012, Shafi Goldwasser (Ed.). ACM, 90–112. https://doi.org/10.1145/2090236.2090245
- Craig Costello, Cédric Fournet, Jon Howell, Markulf Kohlweiss, Benjamin Kreuter, Michael Naehrig, Bryan Parno, and Samee Zahur. 2015. Geppetto: Versatile Verifiable Computation. In 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 253–270. https://doi.org/10.1109/SP.2015.23
- Alex Escala, Gottfried Herold, Eike Kiltz, Carla Ràfols, and Jorge Villar. 2013. An Algebraic Framework for Diffie-Hellman Assumptions. In CRYPTO 2013, Part II (LNCS), Ran Canetti and Juan A. Garay (Eds.), Vol. 8043. Springer, Heidelberg, 129–147. https://doi.org/10.1007/978-3-642-40084-1_8
- Prastudy Fauzi, Helger Lipmaa, Janno Siim, and Michal Zajac. 2017. An Efficient Pairing-Based Shuffle Argument. In ASIACRYPT 2017, Part II (LNCS), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10625. Springer, Heidelberg, 97–127. https://doi.org/10.1007/978-3-319-70697-9_4
- Dario Fiore, Cédric Fournet, Esha Ghosh, Markulf Kohlweiss, Olga Ohrimenko, and Bryan Parno. 2016. Hash First, Argue Later: Adaptive Verifiable Computations on Outsourced Data. In ACM CCS 16, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM Press, 1304–1316. https://doi.org/10.1145/2976749.2978368
- Georg Fuchsbauer, Eike Kiltz, and Julian Loss. 2018. The Algebraic Group Model and its Applications. In CRYPTO 2018, Part II (LNCS), Hovav Shacham and Alexandra Boldyreva (Eds.), Vol. 10992. Springer, Heidelberg, 33–62. https://doi.org/10.1007/978-3-319-96881-0_2
- Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. 2013. Quadratic Span Programs and Succinct NIZKs without PCPs. In EUROCRYPT 2013 (LNCS), Thomas Johansson and Phong Q. Nguyen (Eds.), Vol. 7881. Springer, Heidelberg, 626–645. https://doi.org/10.1007/978-3-642-38348-9_37
- Craig Gentry and Daniel Wichs. 2011. Separating succinct non-interactive arguments from all falsifiable assumptions. In 43rd ACM STOC, Lance Fortnow and Salil P. Vadhan (Eds.). ACM Press, 99–108. https://doi.org/10.1145/1993636.1993651
- Irene Giacomelli, Jesper Madsen, and Claudio Orlandi. 2016. ZKBoo: Faster Zero-Knowledge for Boolean Circuits. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 1069–1083.
- Oded Goldreich, Silvio Micali, and Avi Wigderson. 1987. How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. In 19th ACM STOC, Alfred Aho (Ed.). ACM Press, 218–229. https://doi.org/10.1145/28395.28420
- Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. 2008. Delegating computation: interactive proofs for muggles. In 40th ACM STOC, Richard E. Ladner and Cynthia Dwork (Eds.). ACM Press, 113–122. https://doi.org/10.1145/1374376.1374396
- Shafi Goldwasser, Silvio Micali, and Charles Rackoff. 1989. The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput. 18, 1 (1989), 186–208.
- Jens Groth. 2009. Linear Algebra with Sub-linear Zero-Knowledge Arguments. In CRYPTO 2009 (LNCS), Shai Halevi (Ed.), Vol. 5677. Springer, Heidelberg, 192–208. https://doi.org/10.1007/978-3-642-03356-8_12
- Jens Groth. 2010. Short Pairing-Based Non-interactive Zero-Knowledge Arguments. In ASIACRYPT 2010 (LNCS), Masayuki Abe (Ed.), Vol. 6477. Springer, Heidelberg, 321–340. https://doi.org/10.1007/978-3-642-17373-8_19
- Jens Groth. 2016. On the Size of Pairing-Based Non-interactive Arguments. In EUROCRYPT 2016, Part II (LNCS), Marc Fischlin and Jean-Sébastien Coron (Eds.), Vol. 9666. Springer, Heidelberg, 305–326. https://doi.org/10.1007/978-3-662-49896-5_11
- Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, and Ian Miers. 2018. Updatable and Universal Common Reference Strings with Applications to zk-SNARKs. In CRYPTO 2018, Part III (LNCS), Hovav Shacham and Alexandra Boldyreva (Eds.), Vol. 10993. Springer, Heidelberg, 698–728. https://doi.org/10.1007/978-3-319-96878-0_24
- Daniel Günther, Ágnes Kiss, and Thomas Schneider. 2017. More Efficient Universal Circuit Constructions. In ASIACRYPT 2017, Part II (LNCS), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10625. Springer, Heidelberg, 443–470. https://doi.org/10.1007/978-3-319-70697-9_16
- Yuval Ishai, Eyal Kushilevitz, and Rafail Ostrovsky. 2007. Efficient Arguments Without Short PCPs. In Proceedings of the Twenty-Second Annual IEEE Conference on Computational Complexity (CCC '07). IEEE Computer Society, Washington, DC, USA, 278–291.
- Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. 2007. Zero-knowledge from secure multiparty computation. In 39th ACM STOC, David S. Johnson and Uriel Feige (Eds.). ACM Press, 21–30. https://doi.org/10.1145/1250790.1250794
- J. Kilian. 1989. Uses of Randomness in Algorithms and Protocols. PhD Thesis. Massachusetts Institute of Technology.
- Joe Kilian. 1992. A Note on Efficient Zero-Knowledge Proofs and Arguments (Extended Abstract). In 24th ACM STOC. ACM Press, 723–732. https://doi.org/10.1145/129712.129782
- Eike Kiltz and Hoeteck Wee. 2015. Quasi-Adaptive NIZK for Linear Subspaces Revisited. In EUROCRYPT 2015, Part II (LNCS), Elisabeth Oswald and Marc Fischlin (Eds.), Vol. 9057. Springer, Heidelberg, 101–128. https://doi.org/10.1007/978-3-662-46803-6_4
- Ahmed E. Kosba, Dimitrios Papadopoulos, Charalampos Papamanthou, Mahmoud F. Sayed, Elaine Shi, and Nikos Triandopoulos. 2014. TRUESET: Faster Verifiable Set Computations. In USENIX Security. 765–780.
- Helger Lipmaa. 2012. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. In TCC 2012 (LNCS), Ronald Cramer (Ed.), Vol. 7194. Springer, Heidelberg, 169–189. https://doi.org/10.1007/978-3-642-28914-9_10
- Helger Lipmaa. 2016. Prover-Efficient Commit-and-Prove Zero-Knowledge SNARKs. In AFRICACRYPT 16 (LNCS), David Pointcheval, Abderrahmane Nitaj, and Tajjeeddine Rachidi (Eds.), Vol. 9646. Springer, Heidelberg, 185–206. https://doi.org/10.1007/978-3-319-31517-1_10
- Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. 1992. Algebraic Methods for Interactive Proof Systems. J. ACM 39, 4 (Oct. 1992), 859–868.
- Ralph C. Merkle. 1988. A Digital Signature Based on a Conventional Encryption Function. In CRYPTO'87 (LNCS), Carl Pomerance (Ed.), Vol. 293. Springer, Heidelberg, 369–378. https://doi.org/10.1007/3-540-48184-2_32
- Silvio Micali. 1994. CS Proofs (Extended Abstracts). In 35th FOCS. IEEE Computer Society Press, 436–453. https://doi.org/10.1109/SFCS.1994.365746
- Silvio Micali. 2000. Computationally Sound Proofs. SIAM J. Comput. 30, 4 (2000), 1253–1298. https://doi.org/10.1137/S0097539795284959
- Moni Naor and Moti Yung. 1990. Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In 22nd ACM STOC. ACM Press, 427–437. https://doi.org/10.1145/100216.100273
- Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. 2013. Pinocchio: Nearly Practical Verifiable Computation. In 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 238–252. https://doi.org/10.1109/SP.2013.47
- Torben P. Pedersen. 1992. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In CRYPTO'91 (LNCS), Joan Feigenbaum (Ed.), Vol. 576. Springer, Heidelberg, 129–140. https://doi.org/10.1007/3-540-46766-1_9
- Omer Reingold, Guy N. Rothblum, and Ron D. Rothblum. 2016. Constant-round interactive proofs for delegating computation. In 48th ACM STOC, Daniel Wichs and Yishay Mansour (Eds.). ACM Press, 49–62. https://doi.org/10.1145/2897518.2897652
- Guy Rothblum. 2009. Delegating computation reliably: paradigms and constructions. PhD thesis.
- Claus-Peter Schnorr. 1991. Efficient Signature Generation by Smart Cards. Journal of Cryptology 4, 3 (1991), 161–174.
- Justin Thaler. 2013. Time-Optimal Interactive Proofs for Circuit Evaluation. In CRYPTO 2013, Part II (LNCS), Ran Canetti and Juan A. Garay (Eds.), Vol. 8043. Springer, Heidelberg, 71–89. https://doi.org/10.1007/978-3-642-40084-1_5
- Leslie G. Valiant. 1976. Universal Circuits (Preliminary Report). In STOC. ACM, 196–203.
- Meilof Veeningen. 2017. Pinocchio-Based Adaptive zk-SNARKs and Secure/Correct Adaptive Function Evaluation. In AFRICACRYPT 17 (LNCS), Marc Joye and Abderrahmane Nitaj (Eds.), Vol. 10239. Springer, Heidelberg, 21–39.
- Riad S. Wahby, Ye Ji, Andrew J. Blumberg, Abhi Shelat, Justin Thaler, Michael Walfish, and Thomas Wies. 2017. Full Accounting for Verifiable Outsourcing. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 2071–2086. https://doi.org/10.1145/3133956.3133984
- Riad S. Wahby, Srinath T. V. Setty, Zuocheng Ren, Andrew J. Blumberg, and Michael Walfish. 2015. Efficient RAM and control flow in verifiable outsourced computation. In NDSS 2015. The Internet Society.
- Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, and Michael Walfish. 2017. Doubly-efficient zkSNARKs without trusted setup. Cryptology ePrint Archive, Report 2017/1132. https://eprint.iacr.org/2017/1132
- Riad S. Wahby, Ioanna Tzialla, Abhi Shelat, Justin Thaler, and Michael Walfish. 2018. Doubly-Efficient zkSNARKs Without Trusted Setup. In 2018 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 926–943. https://doi.org/10.1109/SP.2018.00060
- Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2017. vSQL: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases. In 2017 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 863–880. https://doi.org/10.1109/SP.2017.43
- Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2017. A Zero-Knowledge Version of vSQL. Cryptology ePrint Archive, Report 2017/1146. https://eprint.iacr.org/2017/1146