Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1
Privacy-preserving cryptocurrencies
Privacy-preserving smart contracts
Proof of regulatory compliance
Blockchain-based sovereign identity
Privacy-preserving cryptocurrencies
Privacy-preserving smart contracts
Proof of regulatory compliance
Blockchain-based sovereign identitysee [ZKProof Standardization – Applications Track]
Privacy-preserving cryptocurrencies
Privacy-preserving smart contracts
Proof of regulatory compliance
Blockchain-based sovereign identitysee [ZKProof Standardization – Applications Track]
Need zero-knowledge non-interactive arguments of knowledge,
ideally succinct ones: zk-SNARK.
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
Common Reference String (CRS)Require a
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
Structured Reference String (SRS)Common Reference String (CRS)Require a
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
Structured Reference String (SRS)Require a
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
Generating an SRS:
• Trusted setup
Structured Reference String (SRS)Require a
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14]
[Groth16][GM17][BG18]…
Fastest verification. Widely used.
Generating an SRS:
• Trusted setup
• MPC + destruction [BCGTV15][BGG17]
• Updatable SRS [GKMMM18, MBKM19]
• Scalable SRS generation (“Powers of Tau”) [BGM18]
Structured Reference String (SRS)Require a
Other zk-SNARKs
• PCP-based (e.g., libSTARK)
[Micali94][BCGT13][BCS16][BBCGGHPRSTV17][BBHR18]
Asymptotically succinct but large constants.
Other zk-SNARKs
• PCP-based (e.g., libSTARK)
[Micali94][BCGT13][BCS16][BBCGGHPRSTV17][BBHR18]
Asymptotically succinct but large constants.
Non-succinct ZK:
Other zk-SNARKs
• PCP-based (e.g., libSTARK)
[Micali94][BCGT13][BCS16][BBCGGHPRSTV17][BBHR18]
Asymptotically succinct but large constants.
Non-succinct ZK:
• Aurora [BCRSVW19]
• Bulletproofs [BCCGP16][BBBPWM17]
• Hyrax [WTSTW17]
• Ligero [AHIV17]
• ZKBoo(++) [GMO16][CDGORRSZ17]
Slow verification and/or large proofs (as statement grows).
Seeing transactions
Seeing transactions
Seeing transactions
Including new transactionsin a block
Seeing transactions
Including new transactionsin a block
Slow verification → miners get a head start by not validating→ double-spends and chain splits [July 2015 Bitcoin fork]
Seeing transactions
Including new transactionsin a block
Slow verification → miners get a head start by not validating→ double-spends and chain splits [July 2015 Bitcoin fork]
Seeing transactions
Including new transactionsin a block
Verifying the previous block
Slow verification → miners get a head start by not validating→ double-spends and chain splits [July 2015 Bitcoin fork]
zero-knowledge
succinct hybrid argument of knowledge
zero-knowledge
succinct hybrid argument of knowledge
Short
proof
zero-knowledge
succinct hybrid argument of knowledge
Short
proof
Prudent verificationSlow (comparable to Bulletproofs)
No SRS
zero-knowledge
succinct hybrid argument of knowledge
Optimistic verification
Fast (comparable to QAP-based SNARK)
Relies on SRS
Short
proof
Prudent verificationSlow (comparable to Bulletproofs)
No SRS
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimistically verify during propagation.
Optimisticallyverify tx for inclusion in block template.
Prudently verify later, during PoW.
Optimistically verify during propagation.
Optimisticallyverify tx for inclusion in block template.
Prudently verify later, during PoW.
Optimistically verify during propagation.
Optimisticallyverify tx for inclusion in block template.
Prudently verify later, during PoW.
Optimisticallyverify incoming blocks.
Prudently verify later, during PoW.
Optimistic
verification
Prudent verification
Optimistic
verification
Prudent verification
Optimistic
verification
Prudent verification
• Detection
– Real-timeOptimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
Optimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
• Recovery
Optimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
• Recovery
– Soundness: prudently verify
Optimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
• Recovery
– Soundness: prudently verify
– Speed: regenerate SRS + refresh the optimistic proofs.
Optimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
• Recovery
– Soundness: prudently verify
– Speed: regenerate SRS + refresh the optimistic proofs.
Optimistic
verification
Prudent verification
• Detection
– Real-time
– Revoke SRS
– Such pair of proofs is a fraud proof for compromised SRS!
• Recovery
– Soundness: prudently verify
– Speed: regenerate SRS + refresh the optimistic proofs.
Optimistic
verification
Prudent verification
SHARK requirement: anyone can refresh, without original sender.
Attempt – parallel composition:
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK
Not pictured: 𝐺NIZK
𝑥
𝑤
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK
Not pictured: 𝐺NIZK
𝑥
𝑤
𝑥 ∈ 𝐿
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Not pictured: 𝐺NIZK
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Not pictured: 𝐺NIZK
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿Call 𝜋 “prudent proof”
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Construct a SNARK for the same 𝐿:2
Not pictured: 𝐺NIZK
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿Call 𝜋 “prudent proof”
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Construct a SNARK for the same 𝐿:2
Not pictured: 𝐺NIZK, 𝐺SNARK
𝑃SNARK 𝑉SNARK𝑥
𝑤
𝑥
𝑤 𝑥
𝑥
𝑥 ∈ 𝐿
𝑥 ∈ 𝐿
Call 𝜋 “prudent proof”
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Construct a SNARK for the same 𝐿:2
Not pictured: 𝐺NIZK, 𝐺SNARK
𝑃SNARK 𝑉SNARK𝑥
𝑤
𝑥
𝑤 𝑥
𝑥Optimistic proofs should be
refreshable without 𝑤
𝑥 ∈ 𝐿
𝑥 ∈ 𝐿
Call 𝜋 “prudent proof”
Attempt – parallel composition:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK
Construct a SNARK for the same 𝐿:2
Not pictured: 𝐺NIZK, 𝐺SNARK
𝑃SNARK 𝑉SNARK𝑥
𝑤
𝑥
𝑤 𝑥
𝑥
𝜙 is not a SHARKoptimistic proof
Optimistic proofs should berefreshable without 𝑤
⇒
𝑥 ∈ 𝐿
𝑥 ∈ 𝐿
Call 𝜋 “prudent proof”
Construction:
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
Not pictured: 𝐺NIZK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
Not pictured: 𝐺NIZK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
Not pictured: 𝐺NIZK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑃SNARK
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
Not pictured: 𝐺NIZK, 𝐺SNARK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑃SNARK
𝑥
𝑤 𝑥
𝑥 ∈ 𝐿
accepts
Not pictured: 𝐺NIZK, 𝐺SNARK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑃SNARK 𝑉SNARK
𝑥
𝑤 𝑥
𝑥
𝑥 ∈ 𝐿
accepts
Not pictured: 𝐺NIZK, 𝐺SNARK
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑃SNARK 𝑉SNARK
𝑥
𝑤 𝑥
𝑥
𝑥 ∈ 𝐿
accepts
Not pictured: 𝐺NIZK, 𝐺SNARK
Call 𝜙 “optimistic proof”
Construction:
Fix a language 𝐿 and construct a NIZK for it:1
𝑃NIZK 𝑉NIZK Call 𝜋 “prudent proof”
Construct a SNARK for “𝑉NIZK accepts”2
𝑃SNARK 𝑉SNARK
𝑥
𝑤 𝑥
𝑥
𝑥 ∈ 𝐿
accepts
Not pictured: 𝐺NIZK, 𝐺SNARK
Call 𝜙 “optimistic proof”
Generically combining
state-of-the-art components:
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
some speed-up via multiexp
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
NIZK for R1CS
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• a new compilation technique for linear PCPs
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• a new compilation technique for linear PCPs
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• public coin NIZK from LPCPs ⇒ prudent mode
• a new compilation technique for linear PCPs
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• an optimized variant of Bulletproofs’inner product argument
• public coin NIZK from LPCPs ⇒ prudent mode
• a new compilation technique for linear PCPs
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• an optimized variant of Bulletproofs’inner product argument
⇒ 𝑉NIZK has an “algebraic heart”
• public coin NIZK from LPCPs ⇒ prudent mode
• a new compilation technique for linear PCPs
A special-purpose SNARK
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• an optimized variant of Bulletproofs’inner product argument
⇒ 𝑉NIZK has an “algebraic heart”
• public coin NIZK from LPCPs ⇒ prudent mode
• a new compilation technique for linear PCPs
for “encoded polynomial delegation”, a problem we introduce
A special-purpose SNARK
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• an optimized variant of Bulletproofs’inner product argument
⇒ 𝑉NIZK has an “algebraic heart”
• public coin NIZK from LPCPs ⇒ prudent mode
• a new compilation technique for linear PCPs
for “encoded polynomial delegation”, a problem we introduce
A special-purpose SNARK
OurSHARK
NIZK for R1CS
≈ “arithmetic circuits with bilinear gates”
• an optimized variant of Bulletproofs’inner product argument
⇒ 𝑉NIZK has an “algebraic heart”
• public coin NIZK from LPCPs ⇒ prudent mode
[GGPR12][BCIOP13]
[GGPR12][BCIOP13]
1 Design a proof system sound against linear provers
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤𝜋
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝜋
query sampler
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)query sampler
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)
state
query sampler
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)
𝑎1, … , 𝑎𝑘
𝑎𝑖 = ⟨ Ԧ𝑞 𝑖 , 𝜋⟩
state
query sampler
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝐷
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)
𝑎1, … , 𝑎𝑘
𝑎𝑖 = ⟨ Ԧ𝑞 𝑖 , 𝜋⟩
𝑥state
query sampler
decision predicate
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝐷
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)
𝑎1, … , 𝑎𝑘
𝑎𝑖 = ⟨ Ԧ𝑞 𝑖 , 𝜋⟩
𝑥state
acc/rej
query sampler
decision predicate
[GGPR12][BCIOP13]
1
2
Design a proof system sound against linear provers
Force prover to be linear using a cryptographic encoding
𝑃𝑥
𝑤
𝑄
𝐷
𝜋
Ԧ𝑞(1), … , Ԧ𝑞(𝑘)
𝑎1, … , 𝑎𝑘
𝑎𝑖 = ⟨ Ԧ𝑞 𝑖 , 𝜋⟩
𝑥state
acc/rej
Can define natural notions of completeness, PoK, ZK.
query sampler
decision predicate
𝑃 𝑉
𝑃 𝑉
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
3 Run:
𝑄LPCPstate
Ԧ𝑞(𝑖)
Observe that 𝑃LPCP does not need to know queries a priori.
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
3 Run:
𝑄LPCPstate
Ԧ𝑞(𝑖)
Observe that 𝑃LPCP does not need to know queries a priori.
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
𝑎𝑖 ≔ ⟨Ԧ𝑞 𝑖 , 𝜋⟩
3 Run:
𝑄LPCPstate
Ԧ𝑞(𝑖)
Observe that 𝑃LPCP does not need to know queries a priori.
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
𝑎𝑖 ≔ ⟨Ԧ𝑞 𝑖 , 𝜋⟩
3 Run:
4 Run 𝑄LPCP tocompute state.
𝑄LPCPstate
Ԧ𝑞(𝑖)
Observe that 𝑃LPCP does not need to know queries a priori.
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
𝑎𝑖 ≔ ⟨Ԧ𝑞 𝑖 , 𝜋⟩
3 Run:
4 Run 𝑄LPCP tocompute state.
𝑄LPCPstate
Ԧ𝑞(𝑖)
Observe that 𝑃LPCP does not need to know queries a priori.
𝐷LPCP
state
𝑥
𝑎𝑖
acc/rej
accepts.
Check that
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
𝑎𝑖 ≔ ⟨Ԧ𝑞 𝑖 , 𝜋⟩
3 Run:
4 Run 𝑄LPCP tocompute state.
𝑄LPCPstate
Ԧ𝑞(𝑖)…
Observe that 𝑃LPCP does not need to know queries a priori.
𝐷LPCP
state
𝑥
𝑎𝑖
acc/rej
accepts.
Check that
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
𝑃 𝑉1 Run:
𝑃LPCP𝑥
𝑤𝜋
𝐜𝐦𝜋 ≔ Commit(𝜋)2 Pick coins for 𝑄LPCP
𝑎𝑖 ≔ ⟨Ԧ𝑞 𝑖 , 𝜋⟩
3 Run:
4 Run 𝑄LPCP tocompute state.
5 Check that 𝑎𝑖’s are consistent with 𝐜𝐦𝜋.
𝑄LPCPstate
Ԧ𝑞(𝑖)…
Observe that 𝑃LPCP does not need to know queries a priori.
𝐷LPCP
state
𝑥
𝑎𝑖
acc/rej
accepts.
Check that
Public-coin so can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments [BCCGP16,BBBPWM18]
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
[BCCGP16,BBBPWM18]
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
[BCCGP16,BBBPWM18]
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
So the verifier:
[BCCGP16,BBBPWM18]
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
So the verifier: ● computes commitments to queries: 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
[BCCGP16,BBBPWM18]
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
So the verifier: ● computes commitments to queries: 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
● engages in IP arguments for (𝐜𝐦𝑞 , 𝐜𝐦𝜋, 𝑎)
[BCCGP16,BBBPWM18]
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
So the verifier: ● computes commitments to queries: 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
● engages in IP arguments for (𝐜𝐦𝑞 , 𝐜𝐦𝜋, 𝑎)
[BCCGP16,BBBPWM18]
Result: NIZK from linear PCPs!
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
Verifier knows: , 𝑎’s, and commitment to proof 𝐜𝐦𝜋 ≔ Commit(𝜋)
Goal: for every query Ԧ𝑞 check 𝑎 = ⟨ Ԧ𝑞, 𝜋⟩ for a pre-committed 𝜋
Technique: inner-product arguments
Input: Two vector Pedersen commitments 𝐜𝐦𝒖, 𝐜𝐦𝒗, and 𝑧 ∈ 𝔽.
So the verifier: ● computes commitments to queries: 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
● engages in IP arguments for (𝐜𝐦𝑞 , 𝐜𝐦𝜋, 𝑎)
[BCCGP16,BBBPWM18]
Result: NIZK from linear PCPs! SHARK prudent proofs
Prove: The decommitments 𝑢, Ԧ𝑣 ∈ 𝔽𝑛 have the specified inner-product 𝑧 = 𝑢, Ԧ𝑣
𝑉NIZK
𝑉● check that LPCP decision
predicate accepts (cheap)
NIZK
𝑉● check that LPCP decision
predicate accepts (cheap)
● compute Pedersen commitmentto each LPCP query Ԧ𝑞 (costly)
NIZK
𝑉● check that LPCP decision
predicate accepts (cheap)
● compute Pedersen commitmentto each LPCP query Ԧ𝑞 (costly)
● check that each inner productargument verifier accepts (costly)
NIZK
𝑉
(Not pictured: Fiat-Shamir transform, …)
● check that LPCP decisionpredicate accepts (cheap)
● compute Pedersen commitmentto each LPCP query Ԧ𝑞 (costly)
● check that each inner productargument verifier accepts (costly)
NIZK
𝑉
(Not pictured: Fiat-Shamir transform, …)
● check that LPCP decisionpredicate accepts (cheap)
● compute Pedersen commitmentto each LPCP query Ԧ𝑞 (costly)
● check that each inner productargument verifier accepts (costly)
we will make 𝑃SNARK do both
NIZK
𝑉
(Not pictured: Fiat-Shamir transform, …)
● check that LPCP decisionpredicate accepts (cheap)
● compute Pedersen commitmentto each LPCP query Ԧ𝑞 (costly)
● check that each inner productargument verifier accepts (costly)
A new building block:“encoded polynomial delegation”
we will make 𝑃SNARK do both
NIZK
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Each query Ԧ𝑞 has nice algebraic structure:
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Commit(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏𝑑 ⋅ Commit(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Commit(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Goal: outsource computation of
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
Goal: given input 𝜏 ∈ 𝔽,
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
outsource this computation:
Goal: given input 𝜏 ∈ 𝔽,
𝑈 ≔ 𝑈0 + 𝜏 ⋅ 𝑈1 +⋯+ 𝜏𝑑 ⋅ 𝑈𝑑 .
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
outsource this computation:
Goal: given input 𝜏 ∈ 𝔽,
𝑈 ≔ 𝑈0 + 𝜏 ⋅ 𝑈1 +⋯+ 𝜏𝑑 ⋅ 𝑈𝑑 .
Encoded polynomial delegation
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
outsource this computation:
Goal: given input 𝜏 ∈ 𝔽,
𝑈 ≔ 𝑈0 + 𝜏 ⋅ 𝑈1 +⋯+ 𝜏𝑑 ⋅ 𝑈𝑑 .
Encoded polynomial delegation
New building block: SNARK for encoded polynomial delegationin pairing groups
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
outsource this computation:
Goal: given input 𝜏 ∈ 𝔽,
𝑈 ≔ 𝑈0 + 𝜏 ⋅ 𝑈1 +⋯+ 𝜏𝑑 ⋅ 𝑈𝑑 .
Encoded polynomial delegation
New building block: SNARK for encoded polynomial delegationin pairing groups + multilinear variant for our optimized IP argument.
For outsourcing 𝐜𝐦𝑞 set𝑈𝑘 = Com(𝑝1,𝑘 , 𝑝2,𝑘 , … , 𝑝𝑛,𝑘)
𝜏𝑑 ⋅ Com(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Com(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Com(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝐜𝐦𝑞 = Com(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
Com( )’s are fully determined by 𝐿!
Goal: outsource computation of
⇒
Fixed parameters 𝑈0, 𝑈1, … , 𝑈𝑑 ∈ 𝔾
outsource this computation:
Goal: given input 𝜏 ∈ 𝔽,
𝑈 ≔ 𝑈0 + 𝜏 ⋅ 𝑈1 +⋯+ 𝜏𝑑 ⋅ 𝑈𝑑 .
Encoded polynomial delegation
New building block: SNARK for encoded polynomial delegationin pairing groups + multilinear variant for our optimized IP argument.
SHARK optimistic proofs
𝑃NIZK 𝑉NIZK
𝑃SNARK 𝑉SNARK
𝑥
𝑤 𝑥
𝑥
𝑃NIZK 𝑉NIZK
𝑃SNARK 𝑉SNARK
𝑥
𝑤 𝑥
𝑥
encodedpolynomialdelegation
𝑃NIZK 𝑉NIZK
𝑃SNARK 𝑉
𝑥
𝑤 𝑥
𝑥
encodedpolynomialdelegation
SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation This work
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
This work
ops in 𝑉NIZK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
This work
, 𝑃SNARKops in 𝑉NIZK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
This work
, 𝑃SNARKops in 𝑉NIZK
+ competitive proof size and verification time
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
Generic instantiation
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
This work
, 𝑃SNARKops in 𝑉NIZK
+ competitive proof size and verification time
e.g. 5 batchable pairings and6 × 𝔾1 for an optimistic proof
● New primitive: private-coin setup neededfor performance but not for soundness or ZK
● New primitive: private-coin setup neededfor performance but not for soundness or ZK
● Compromised setup can be quickly detectedand easily replaced
● New primitive: private-coin setup neededfor performance but not for soundness or ZK
● Compromised setup can be quickly detectedand easily replaced
● Speed competitive with best current zk-SNARKs
● New primitive: private-coin setup neededfor performance but not for soundness or ZK
● Compromised setup can be quickly detectedand easily replaced
● Speed competitive with best current zk-SNARKs
● New building blocks along the way:
- Optimized inner product argument
- SNARK for encoded polynomial delegation