Doubly-Efficient zkSNARKs Without Trusted Setup

Riad S. Wahby, Ioanna Tzialla, Abhi Shelat, Justin Thaler, Michael Walfish

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We present a zero-knowledge argument for NP with low communication complexity, low concrete cost for both the prover and the verifier, and no trusted setup, based on standard cryptographic assumptions. Communication is proportional to d log G (for d the depth and G the width of the verifying circuit) plus the square root of the witness size. When applied to batched or data-parallel statements, the prover's runtime is linear and the verifier's is sub-linear in the verifying circuit size, both with good constants. In addition, witness-related communication can be reduced, at the cost of increased verifier runtime, by leveraging a new commitment scheme for multilinear polynomials, which may be of independent interest. These properties represent a new point in the tradeoffs among setup, complexity assumptions, proof size, and computational cost. We apply the Fiat-Shamir heuristic to this argument to produce a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) in the random oracle model, based on the discrete log assumption, which we call Hyrax. We implement Hyrax and evaluate it against five state-of-the-art baseline systems. Our evaluation shows that, even for modest problem sizes, Hyrax gives smaller proofs than all but the most computationally costly baseline, and that its prover and verifier are each faster than three of the five baselines.

Original language: English (US)
Title of host publication: Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 926-943
Number of pages: 18
Volume: 2018-May
ISBN (Electronic): 9781538643525
DOI: 10.1109/SP.2018.00060
State: Published - Jul 23 2018
Event: 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: May 21 2018 to May 23 2018

Other

Other: 39th IEEE Symposium on Security and Privacy, SP 2018
Country: United States
City: San Francisco
Period: 5/21/18 to 5/23/18

Keywords

  • computationally sound proofs
  • cryptographic protocols
  • succinct arguments
  • zero knowledge

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Wahby, R. S., Tzialla, I., Shelat, A., Thaler, J., & Walfish, M. (2018). Doubly-Efficient zkSNARKs Without Trusted Setup. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (Vol. 2018-May, pp. 926-943). [8418646] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2018.00060