Abstract
Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short and efficiently verifiable proofs that do not reveal anything more than the correctness of the statement. zk-SNARKs are widely used in decentralised systems to address privacy and scalability concerns.
A major drawback of such proof systems in practice is the requirement to run a trusted setup for the public parameters. Moreover, these parameters set an upper bound to the size of the computations or statements to be proven, which results in new scalability problems.
We design and implement SnarkPack, a new argument that further reduces the size of SNARK proofs by means of aggregation. Our goal is to provide an off-the-shelf solution that is practical in the following sense: (1) it is compatible with existing deployed SNARK systems, (2) it does not require any extra trusted setup.
SnarkPack is designed to work with Groth16 scheme and has logarithmic size proofs and a verifier that runs in logarithmic time in the number of proofs to be aggregated. Most importantly, SnarkPack reuses the public parameters from Groth16 system.
SnarkPack can aggregate 8192 proofs in 8.7 s and verify them in 163 ms, yielding a verification mechanism that is exponentially faster than other solutions. SnarkPack can be used in blockchain applications that rely on many SNARK proofs such as Proof-of-Space or roll-up solutions.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
1 Introduction
Arguments of Knowledge. Decentralised systems make extensive use of protocols that enable a prover to post a statement together with a short proof, such that any verifier can publicly check that the statement (e.g., correctness of a computation, claims of storage etc.) is true while expending fewer resources, e.g. less time than would be required to re-execute the computation.
SNARKs are such proofs that allow one party to demonstrate knowledge of a satisfying witness to some NP statement and have verification time and proof size independent of the size of this witness. If these proofs also conceal anything else about the witness we refer to them as zk-SNARKs. In the last decade, there has been a series of works on constructing SNARKs [BCI+13, GGPR13, PHGR13, BCTV14, Gro16] with constant-size proofs that rely on trusted setups.
SNARKs are becoming very popular in real-world applications such as delegated computation or blockchain systems: as examples of early practical use case, Zerocash [BCG+14] showed how to use zk-SNARKs in distributed ledgers to achieve payment systems with strong privacy guarantees. The Zerocash protocol, with some modifications, is now commercially deployed in several cryptocurrencies, e.g. Zcash.
More recent zk-SNARK use cases are Aztec and zkSync, two projects boosting the scalability and privacy of Ethereum smart contractsFootnote 1. Another example of SNARK application is the Filecoin SystemFootnote 2 that implements a decentralized storage solution for the internet.
The rapid and massive adoption of SNARK schemes has created new scalability challenges for blockchain systems: the generation of trusted setups requires complicated ceremonies, proving large statements has significant overhead, and verifying multiple proofs is expensive even with batching.
Trusted Setup Ceremony. All the constant-size zk-SNARK schemes have a common major disadvantage in practice: they rely on some public parameters, the structured reference string (SRS), that are generated by a trusted setup. In theory, this setup is run by a trusted third party, while in practice, such a string can be generated by a so called “ceremony”, a multi-party computation between participants who are believed not to collude as shown in [ABL+19, BGM17, BCG+15]. Generating such a trusted setup is a cumbersome task. These ceremonies are expensive in terms of resources, they must follow specific rules, and they are generally hard to organise: hundreds of participants with powerful machines need to join efforts to perform a multi-party computation over multiple months.
Groth16. The construction by Groth [Gro16] is the state-of-the-art for pairing-based zk-SNARKs. Groth16 requires the computation to be expressed as an arithmetic circuit and relies on some trusted setup to prove the circuit satisfiability. Due to its short proof size (3 group elements) and verifier’s efficiency, Groth16 has become a de facto standard in blockchain projects. This results in a great number of available implementations, code auditing, and multiple trusted setup ceremonies run by independent institutions.
Motivation. Importantly, the trusted setup in SNARK schemes sets an upper bound on the size of computations that can be proven (number of constraints in the circuit description). Because modern applications have an increased demand for the size of circuits, Groth16 is starting to face scalability problems. A simple solution would be to split the computation in different pieces and prove them independently in smaller circuits, but this increases the number of proofs to be added to a single statement and the verification time.
We address this problem by demonstrating a method to reduce the overhead in communication and verification time for multiple proofs without the need of further larger trusted setup ceremonies.
Filecoin System. One example is Filecoin [Lab18] proof-of-space blockchain. To onboard storage in the network, Filecoin miners post a Groth16 proof that they correctly computed a Proof-of-Space [Fis19]. Each proof guarantees that the miner correctly “reserves” 32 GB of storage to the network and consists of 10 different SNARKs. The chain currently processes a large number of proofs each day: approximately 500,000 Groth16 proofs, representing 15 PiB of storage.
Contribution. We explore reducing proof size and verifier time for SNARKs even further by examining techniques to aggregate proofs without the requirement for additional trusted setups.
We design SnarkPack, an argument that allows to aggregate n Groth16 zkSNARKs with a \(O(\log n)\) proof size and verifier time. Our scheme is based on a trusted setup that can be constructed from two different existing ceremonies (e.g. the “powers of tau” for Zcash [Zca18] and Filecoin [Fil20]).
Being able to rely on the security of well-known trusted setups for which the ceremonies have been largely publicly advertised is a great practical advantage and makes SnarkPack immediately useful in real-world applications.
Our techniques are generic and can also apply to other pairing-based SNARKs. The roadmap is similar, since all such SNARK constructions require the generation of “powers of tau” for the setup ceremony and then have a few pairing check equations in the verification algorithm. However, we choose to focus on Groth16 proofs and tailor optimisations for this case, since it is the most popular scheme among practitioners. Therefore, SnarkPack is the first practical system that can be used in blockchain applications to reduce the on-chain work by employing verifiable outsourcing to process a large number of proofs off-chain. This applies broadly to any system that needs to delegate batches of state updates to an untrusted server.
Related Work. Prior works have built similar schemes for recursion or aggregation of proofs, but they all have critical shortcomings when it comes to implementing them in real-world systems.
Bünz et al. [BMM+19] presented a scheme for aggregating Groth16 proofs that requires a specific trusted setup to construct the structured reference string (SRS) necessary to verify such aggregated proofs. Our result is conceptually similar to that of Bünz et al. while benefiting from many optimizations. We focus specifically on aggregating proofs generated using the same Groth16 SRS which is the common use case, as opposed to the generic result in [BMM+19] that allows aggregation of proofs from different SRSes. Our result can be extended to support this latter case as well.
While our techniques built on top of inner pairing arguments with logarithmic verifier previously introduced by [DRZ20], we build new such schemes that avoid the need of a different trusted setup ceremony (other than the existing SNARK setup). Our approach for aggregation is preferable to [BMM+19] in practical use cases.
Other approaches to aggregation rely on recursive composition. In more detail, [BCG+20] propose a new SNARK for the circuit that contains n copies of the Groth16 verifier’s circuit. However, constructing arithmetic circuits for pairings is expensive (e.g., computing a pairing on the BLS12-377 curve requires \(\approx 15 000\) constraints as shown in [BCG+20]). The advantage of using such expensive schemes for aggregation is their transparent setup.
However, the costs are significant compared with our scheme: they compute FFTs, which require time \(O(n \log n)\), the verifier performs O(n) cryptographic operations as opposed to O(n) field operations in our scheme and they require special cycles of curves.
SnarkPack has the best of both worlds: it benefits from the power of structured public parameters to avoid expensive computations, while it does not require additional trust assumptions, as it relies on already available trusted setup transcripts for the underlying Groth16 scheme.
Technical Overview. To explain how SnarkPack works, we need to consider 3 multiplicative cyclic groups \(\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T\) of order p equipped with the bilinear map, also called “pairing” \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) such that \(\forall a, b \in \mathbb {Z}_p : e(g^a, h^b) = e(g, h)^{ab}\).
Groth16 proofs \(\pi =(A, B, C)\) for statements \(u=\textbf{a}\) consist of 3 group elements \(A,C \in \mathbb {G}_1\) and \(B \in \mathbb {G}_2\). The high-level idea of Groth16 aggregation is quite simple: Since Groth16 verification consists in checking a pairing equation between the proof elements \(\pi =(A, B, C)\), instead of checking that n different pairing equations are simultaneously satisfied, it is sufficient to prove that only one inner pairing product of a random linear combination of these initial equations defined by a verifier’s random challenge \(r\in \mathbb {Z}_p\) holds. In a bit more detail, Groth16 verification asks to check an equation of the type \(e(A_i,B_i)= Y_{i} \cdot e(C_i, D) \) for \(Y_{i}\in \mathbb {G}_T, D \in \mathbb {G}_2\) where \(Y_i\) is a value computed from each statement \(u_i=\textbf{a}_i\), \(D\in \mathbb {G}_2\) is a fixed verification key and \(\pi _i =( A_i,B_i, C_i)_{i=0}^{n-1}\) are proof triples.
The aggregation will instead check a single randomized equation:
We denote by \(Y_{prod}'{:}{=}\prod _{i=0}^{n-1} Y_{i}^{r^i}\) so this can be rewritten as:
What is left after checking that this unified equation holds is to verify that the elements \( Z_{AB}, Z_C\) are consistent with the initial proof triples in the sense that they compute the required inner product. This is done by applying an argument that proves two different inner pairing product relations:
-
TIPP: the target inner pairing product takes some initial committed vectors \(\textbf{A}\in \mathbb {G}_1, \textbf{B}\in \mathbb {G}_2\) and shows that \(Z_{AB}=\prod _{i=0}^{n-1} e(A_i,B_i)\);
-
MIPP: the multi-exponentiation inner product takes a committed vector \(\textbf{C}\in \mathbb {G}_1\) and a vector \(\textbf{r}\in \mathbb {Z}_p\) and shows that \(Z_{C}=\prod _{i=0}^{n-1} C_i^{r^i}\).
New Commitment Schemes. The key ingredient for SnarkPack is the efficient realisation of the two specialised inner pairing product arguments following the ideas initially proposed by [DRZ20] and generalised to other inner products by [BMM+19]. These require a special commitment scheme that allows a party to commit to vectors of group elements in both source groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) with further homomorphic and collapsing properties.
We therefore introduce two new Pair Group Commitment schemes described in Sect. 3 that enable to commit to vectors \(\textbf{A}, \textbf{C}\in \mathbb {G}_1, \textbf{B}\in \mathbb {G}_2\). Our commitments are doubly-homomorphic with respect to the message space and key space and they have a collapsing property. Both schemes have constant-size commitments and are proved to be binding based on assumptions that hold in the generic group model. Our second scheme has the advantage that it allows a party to commit to two vectors from two different groups with no size overhead. We think these schemes can be of independent interest in protocols that need to commit to source-group elements.
Reusing Groth16 Trusted Setup. The advantage of our commitment schemes is that they can reuse existing public setups for Groth16 to generate their structured commitment keys.
The public parameters required for the generation of the commitment keys can be extracted from two compatible copies of Groth16 SRS.
For a given bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T )\), Groth16 SRS consist (among other elements) of consecutive powers of some random evaluation point \(\tau \) in both groups \(\mathbb {G}_1\) and \(\mathbb {G}_2: \{g^{\tau ^i}\}_i \in \mathbb {G}_1^d, \{h^{\tau ^i}\}_i \in \mathbb {G}_2^d.\) We will call these “powers of tau”.
The generation of SnarkPack public parameters (the commitment keys) comes naturally from two ceremonies for Groth16 setup (also known as “powers of tau”) for the same generators g and h and different powers \(a= \tau _1\) and \(b=\tau _2\): \(g,h, g^{\tau _1},\dots ,g^{\tau _1^n},h^{\tau _1},\dots ,h^{\tau _1^n}\), one up to n and the other \(g^{\tau _2} \dots ,g^{\tau _2^m},h^{\tau _2},\dots ,h^{\tau _2^m}\) up to \(m \ge n\).
Our assumptions rely on the fact that cross powers (e.g. \(g^{\tau _1 \tau _2}\)) are not known to the prover. Since the two SRSes we use are the result of two independent ceremonies, it is unlikely that such terms can be learned since \(\tau _1\) and \(\tau _2\) were destroyed after the SRS generation.
In practice, we fortunately have at least two ceremonies that satisfy the requirements for same group generators and different powers: Such values can be obtained from the powers of tau transcript of Zcash [Zca18] and Filecoin [Lab18]. The SRS created goes up to \(n=2^{19}\) for \(\tau _1\) and \(m =2^{127}\) for \(\tau _2\).
Implementation. In ?? we provide benchmarks and optimisation details for our implementation in Rust, and evaluate its efficiency against batching. SnarkPack is exponentially more efficient than aggregation via batching: it takes 163 ms to verify an aggregated proof for 8192 proofs (including unserialization) versus 621 ms when doing batch verification. The former is of 40 kB in size. The aggregator can aggregate 8192 proofs in 8.7 s.
2 Preliminaries
Bilinear Groups. A bilinear group is given by a description \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T )\) such that
-
p is prime, so \(\mathbb {Z}_p=\mathbb {F}\) is a field.
-
\(\mathbb {G}_1 =\langle g\rangle , \mathbb {G}_2 =\langle h \rangle \) are cyclic groups of prime order p.
-
\(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is a bilinear asymmetric map (pairing), which means that \(\forall a, b \in \mathbb {Z}_p : e(g^a, h^b) = e(g, h)^{ab}\).
Vectors. For n-dimensional vectors \(\textbf{a}\in \mathbb {Z}_p^n, \textbf{A}\in \mathbb {G}_1^n, \textbf{B}\in \mathbb {G}_2^n\), we denote the i-th entry by \(a_i \in \mathbb {Z}_p, A_i \in \mathbb {G}_1, B_i\in \mathbb {G}_2\) respectively. Let \(\textbf{A}\Vert \textbf{A}' = (A_0, \dots , A_{n-1},A_0', \dots , A_{n-1}')\) be the concatenation of vectors \(\textbf{A}, \textbf{A}' \in \mathbb {G}_1^n \). We write \(\textbf{A}_{[:\ell ]} = (A_0, \dots , A_{\ell -1}) \in \mathbb {G}_1^{\ell }\) and \(\textbf{A}_{[\ell :]} = (A_{\ell }, \dots , A_{n-1}) \in \mathbb {G}_1^{n-\ell }\) to denote slices of vectors \(\textbf{A}\in \mathbb {G}_1^n\) for \(0 \le \ell < n-1\).
We write group operations as multiplications. We define:
-
\(\textbf{A}^{x} = (A_0^x, \dots , A_{n-1}^x) \in \mathbb {G}_1^n\) for \(x \in \mathbb {Z}_p\) and a vector \(\textbf{A}\in \mathbb {G}_1^n\).
-
\(\textbf{A}^{\textbf{x}} = (A_0^{x_0}, \dots , A_{n-1}^{x_{n-1}}) \in \mathbb {G}_1^n\) for vectors \(\textbf{x}\in \mathbb {Z}_p^n, \textbf{A}\in \mathbb {G}_1^n\).
-
\(\textbf{A}* \textbf{x}= \prod _{i=0}^{n-1} A_i^{x_i}\) for vectors \(\textbf{x}\in \mathbb {Z}_p^n, \textbf{A}\in \mathbb {G}_1^n\).
-
\(\textbf{A}* \textbf{B}{:}{=}\prod _{i=0}^{n-1} e(A_i, B_i)\) for group vectors \(\textbf{A}\in \mathbb {G}_1^n, \textbf{B}\in \mathbb {G}_2^n\).
-
\(\textbf{A}\circ \textbf{A}' {:}{=}(A_0A_0', \dots , A_{n-1}A_{n-1}')\) for vectors \(\textbf{A}, \textbf{A}' \in \mathbb {G}_1^n \).
Relations. We use the notation \(\mathcal {R}\) to denote an efficiently decidable binary relation. For pairs \((u,w) \in \mathcal {R}\) we call u the statement and w the witness. We write \(\mathcal {R}= \{(u; w) : p(u, w)\}\) to describe an NP relation.
Common and Structured Reference String. The common reference string (CRS) model, introduced by Damgård [Dam00], captures the assumption that a trusted setup exists. Schemes proven secure in the CRS model are secure given that the setup was performed correctly. We will use the terminology “Structured Reference String” (SRS) since all our \(\textsf{crs}\) strings are structured.
Background on Groth16. We recall here some necessary elements from [Gro16] construction. The definition of zk-SNARKs is given in Appendix A.1. A detailed description of the Groth16 protocol can be found in Appendix C. The main highlights follow:
Setup. For a given bilinear group \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T )\), the SRS contains, among other elements, consecutive powers of some random evaluation point s in both groups \(\mathbb {G}_1, \mathbb {G}_2: \{g^{s^i}\}_{i=0}^{d-1} ~\in \mathbb {G}_1^d,\) and \( \{h^{s^i}\}_{i=0}^{d-1} ~\in \mathbb {G}_2^d.\)
Prove. A Groth16 proof \(\pi \) for a statement \(u {:}{=}\textbf{a}= \{a_j\}_{j=0}^{t}\) (with \(a_0=1\)) and a witness \(w {:}{=}\{a_j\}_{j=t+1}^{m}\) consists in 3 group elements \(\pi =(A, B, C)\), where \(A,C \in \mathbb {G}_1\) and \(B \in \mathbb {G}_2\).
Verify. For the verification algorithm, Groth16 uses only a part of its structured reference string which we will call verification key \(\textsf{vk}\):
Groth16 verification consists in checking a pairing equation between the proof elements \(\pi =(A, B, C)\) using the verification key:
Assumptions. We introduce two new assumptions necessary to prove our schemes are secure. Formal proofs that these assumptions hold in the Generic Group Model can be found in Appendix B.1.
Assumption 1
(ASSGP). The (q, m)-Auxiliary Structured Single Group Pairing assumption holds for the bilinear group generator \(\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):
Assumption 2
(ASDGP). The (q, m)-ASDGP assumption holds for the bilinear group generator \(~\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):
We can similarly define the dual assumptions, by swapping \(\mathbb {G}_1\) and \(\mathbb {G}_2\) in the definition above.
3 Pair Group Commitment Schemes
In this section we introduce a new commitment scheme to group elements in a bilinear group. In order to use them in our aggregation protocol, we require the following properties from the commitment schemes:
-
Computationally Binding Commitment: as per Definition 4
-
Constant Size Commitment: the commitment value is independent of the length of the committed vector
-
Doubly-Homomorphic: homomorphic both in the message space and in the key space
$$\begin{aligned}{} & {} \textsf{CM}(\textsf{ck}_1 + \textsf{ck}_2; M_1+M_2) = \textsf{CM}(\textsf{ck}_1; M_1) + \textsf{CM}(\textsf{ck}_1; M_2)+ \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \textsf{CM}(\textsf{ck}_2; M_1)+ \textsf{CM}(\textsf{ck}_2; M_2). \end{aligned}$$ -
Collapsing Property: double-homomorphism implies a distributive property between keys and messages that allows multiple messages to be collapsed via a deterministic function \(\textsf{Collapse}\) defined as follows:
There are a few candidates for such schemes, but none of them are adapted for fulfilling our goals. The commitment schemes proposed by [DRZ20, BMM+19] work under some new assumption that asks for the commitment keys to be structured in a specific way. In order to use this commitment, we need to run a new trusted setup to generate a commitment key. It would be impossible to consider existing Groth16 setups, since those give away elements that break the binding of the commitment scheme.
Our main goal is to find a commitment scheme that uses a structured reference string similar to the one from many popular SNARK implementations, e.g. Groth16.
The commitment scheme proposed by Lai et al. [LMR19] is likely to satisfy these properties, but it is shown to be binding only for unstructured random public parameters; however, in order to obtain a log-time verification Inner Pairing Product Argument scheme, we would need some structure for the commitment keys. We adapt the commitments from [LMR19] to work with structured keys and prove the binding property for an adversary that has access to these structured public parameters under our new assumptions ASSGP and ASDGP.
To optimise the commitment sizes, we define two different variants of the commitment scheme: one that takes a vector of elements of a single group \(\mathbb {G}_1\), and one that takes two vectors of points in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively.
Single Group Version \(\boldsymbol{\textsf{CM}_s}\). This version is useful for the MIPP relation. It takes one vector \(\textbf{A}\in \mathbb {G}_1^n \) and outputs two target group elements \((T_{A}, U_{A})~\in \mathbb {G}_T^2\) as a commitment.
-
\(\textsf{KG}_s(1^\lambda ) \rightarrow \textsf{ck}_s=(\textbf{v}_1, \textbf{v}_2) \) Sample and set \(\textbf{v}_1 = (h,h^a,\dots ,h^{a^{n-1}}), \quad ~\textbf{v}_2 = (h,h^b,\dots ,h^{b^{n-1}}).\)
-
\(\textsf{CM}_s(\textsf{ck}_s=(\textbf{v}_1, \textbf{v}_2), \textbf{A}= (A_0, \dots , A_{n-1})) \rightarrow (T_A, U_A){:}\)
-
1.
\(T_A = \textbf{A}* \textbf{v}_1 = e(A_0,h) \cdot e(A_1,h^a) \dots e(A_{n-1},h^{a^{n-1}}) \)
-
2.
\(U_A = \textbf{A}* \textbf{v}_2 = e(A_0,h) \cdot e(A_1,h^b)\dots e(A_{n-1},h^{b^{n-1}}) \)
-
1.
Lemma 1
Under the hardness of (n, m)-ASSGP assumption for \(m>2n\), this commitment scheme is computationally binding as per Definition 4.
Proof
Suppose there exists a \(\textsf{PPT}\) adversary \(\mathcal {A}\) that breaks the binding property of the commitment scheme. Then, given the output \(((T_A, U_A);\textbf{A}, \textbf{A}^* ) \) of the adversary \(\mathcal {A}\), we have that \( (T_A, U_A) = (T_{A^*}, U_{A^*})\):
By applying the homomorphic properties of the commitment scheme to these equations we get:
where the vector \((A_0/A_0^*, A_1/A_1^*, \dots A_{n-1}/A_{n-1}^*) \ne \textbf{1}_{\mathbb {G}_1} \). This breaks the (n, m)-ASSGP assumption.
Double Group Version \(\boldsymbol{\textsf{CM}_d}\). This version is useful for the TIPP relation. It takes two vectors \(\textbf{A}\in \mathbb {G}_1^n, \textbf{B}\in \mathbb {G}_2^n\) and outputs two target group elements \((T_{AB}, U_{AB})~\in \mathbb {G}_T^2\) as a commitment.
-
\(\textsf{KG}_d(1^\lambda ) \rightarrow \textsf{ck}_d=(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1, \textbf{w}_2): \) Sample and set \(\textbf{v}_1 = (h,h^a,\dots ,h^{a^{n-1}}), \quad \textbf{w}_1 = (g^{a^n}, \dots , g^{a^{2n-1}})\), \(\textbf{v}_2 = (h,h^b,\dots ,h^{b^{n-1}}), \quad ~\textbf{w}_2 = (g^{b^n},\dots ,g^{b^{2n-1}}).\)
-
\(\textsf{CM}_d(\textsf{ck}_d, \textbf{A}, \textbf{B}) \rightarrow (T_{AB}, U_{AB})\):
-
1.
\(T_{AB} = (\textbf{A} * \mathbf {v_1})(\mathbf {w_1} * \textbf{B}) \)
-
2.
\(U_{AB} = (\textbf{A} * \mathbf {v_2})(\mathbf {w_2} * \textbf{B}) \)
-
1.
Lemma 2
Under the hardness of (n, m)-ASDGP assumption for \(m>2n\), this commitment scheme is computationally binding.
Proof
The proof is analogous to the one of Lemma 1. Since the commitment is homomorphic, breaking the binding is equivalent to finding a non-trivial opening to 1. Thus it breaks the assumption.
Inner Pairing Product Commitments. It is straightforward to check that the two versions of pairing commitment schemes \(\textsf{CM}_s\) and \(\textsf{CM}_d\) are compatible with inner product arguments, in the sense that they satisfy all the necessary properties: constant size, doubly-homomorphic, and the identity is a collapse function defined \(\textsf{Collapse}_{id}(C) = C\).
Reusing Groth16 SRS. The two commitment schemes have the advantage that they can reuse two compatible (independent) SNARK setup ceremonies for their structured keys generation and therefore can be easily deployed without requiring a new trusted setup.
The SRSes required for the generation of the public commitment keys should satisfy some properties: We ask for the two ceremonies to use the same basis/generators in the same bilinear group \(g \in \mathbb {G}_1, h \in \mathbb {G}_2\), but two different randomnesses \( a, b, \in \mathbb {Z}_p, a \ne b\) for the exponents. The setups consists of consecutive powers \(\{g^{a^i}, h^{a^i}\}_{i=0}^m\) and \(\{g^{b^i}, h^{b^i}\}_{i=0}^n\).
Importantly, even if the two setups have different dimensions \(m\ne n\), this does not affect the binding of the commitments. The extra elements available to the adversaries are taken into account in the auxiliary input \(\textsf{aux}\) in the two assumptions, by setting the parameters accordingly.
4 \(\mathsf {MT\text {-}IPP}\) Scheme
This new protocol will be used to prove two inner pairing product relations that are essential to SNARK aggregation: the multiexponentiation inner product (MIPP) between vectors \(\textbf{C}\) and \(\textbf{r}\) and the target inner pairing product (TIPP) between vectors \(\textbf{A}, \textbf{B}\), for vectors \(\textbf{A}, \textbf{C}\in \mathbb {G}_1\) and \(\textbf{B}\in \mathbb {G}_2\).
In order to optimize the aggregation construction, we design a new protocol \(\mathsf {MT\text {-}IPP}\) that “fuses” together proofs for MIPP and TIPP relations. The formal relations \(\mathcal {R}_\textsf{mipp}\) and \(\mathcal {R}_\textsf{tipp}\) are stated in Appendix D.1.
We recall the two inner product maps for bilinear group \(\textsf{gk}= (p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e)\) and the combined relation for \(\mathsf {MT\text {-}IPP}\):
-
1.
Multiexponentiation inner product map \(\mathbb {G}_1^n \times \mathbb {F}^n \rightarrow \mathbb {G}_1\): \( \textbf{C}*{\textbf{r}} = \prod C_i^{r_i}\)
-
2.
Target inner pairing product map \(\mathbb {G}_1^n \times \mathbb {G}_2^n \rightarrow \mathbb {G}_T\): \(\textbf{A}* \textbf{B}{:}{=}\prod e(A_i, B_i) \)
-
3.
Relation for both MIPP and TIPP:
Construction. Our \(\mathsf {MT\text {-}IPP}\) makes black-box use of the two Pair Group Commitments schemes \(\textsf{CM}_s=({\textsf{KG}}_s,\textsf{CM}_s)\) and \(\textsf{CM}_d=({\textsf{KG}}_d,\textsf{CM}_d)\) from Sect. 3 and KZG Polynomial Commitment \(\textsf{KZG}.\textsf{PC}= (\textsf{KZG}.{\textsf{KG}},\textsf{KZG}.\textsf{CM},\textsf{KZG}.\textsf{Open},\textsf{KZG}.\textsf{Check})\) from Appendix A.4.
The scheme consists of 3 algorithms: \(\mathsf {MT\text {-}IPP}= (\textsf{MT}.\textsf{Setup}, \textsf{MT}.\textsf{Prove}, \textsf{MT}.\textsf{Verify})\):
-
\(\textsf{MT}.\textsf{Setup}(1^\lambda , \mathcal {R}_\textsf{mt})\rightarrow \textsf{crs}_\textsf{mt}\):
-
1.
Run: \(\textsf{ck}_s{:}{=}(\textbf{v}_1, \textbf{v}_2) \leftarrow \textsf{CM}_s(1^\lambda ), ~\textsf{ck}_d{:}{=}(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1, \textbf{w}_2) \leftarrow \textsf{CM}_d(1^\lambda )\).
-
2.
Set commitment keys for \(\textsf{KZG}.\textsf{PC}\) scheme:
$$\begin{aligned} \textsf{ck}_{1v}&{:}{=}\{h^{a^i}\}_{i=0}^{n-1}, ~\textsf{vk}_{1v} {:}{=}g^{a} \quad \quad \textsf{ck}_{1w} {:}{=}\{g^{a^i}\}_{i=0}^{2n-1}, ~\textsf{vk}_{1w} {:}{=}h^{a}\\ \textsf{ck}_{2v}&{:}{=}\{h^{b^i}\}_{i=0}^{n-1}, ~\textsf{vk}_{2v} {:}{=}g^{b} \quad \quad ~\textsf{ck}_{2w} {:}{=}\{g^{b^i}\}_{i=0}^{2n-1}, ~\textsf{vk}_{2w} {:}{=}h^{b} \end{aligned}$$ -
3.
Define \(\textsf{ck}_{\textsf{kzg}} {:}{=}(\textsf{ck}_{j\sigma }), ~\textsf{vk}_{\textsf{kzg}}{:}{=}(\textsf{vk}_{j\sigma })\) for \(j=1,2; ~ \sigma =v, w\).
-
4.
Fix \(\textsf{Hash}_{com}\): \(\mathbb {G}_T^{4} \rightarrow \mathbb {Z}_p\) and its description \(\textsf{hk}_{com}\).
-
5.
Fix \(\textsf{Hash}_{x_0}\): \( \mathbb {Z}_p^2 \times \mathbb {G}_T \times \mathbb {G}_1 \rightarrow \mathbb {Z}_p\) and its description \(\textsf{hk}_{x_0}\).
-
6.
Fix \(\textsf{Hash}: \mathbb {Z}_p \times \mathbb {G}_T^{12} \rightarrow \mathbb {Z}_p\) and its description \(\textsf{hk}\).
-
7.
Fix \(\textsf{Hash}_z: \mathbb {Z}_p \times \mathbb {G}_2^2 \times \mathbb {G}_1^2 \rightarrow \mathbb {Z}_p\) and its description \(\textsf{hk}_z\).
-
8.
Set \(\textsf{crs}_\textsf{mt}{:}{=}(\textsf{hk}_{com}, \textsf{hk}_{x_0}, \textsf{hk}, \textsf{hk}_z,\textsf{ck}_s, \textsf{ck}_d, \textsf{ck}_\textsf{kzg}, \textsf{vk}_\textsf{kzg})\).
-
1.
-
\(\textsf{MT}.\textsf{Prove}(\textsf{crs}_\textsf{mt}, (T_{AB}, U_{AB}),(T_{C}, U_{C}), Z_{AB}, Z_C, r; \textbf{A}, \textbf{B}, \textbf{C})\rightarrow \pi _\textsf{mt}\):
-
Loop “split & collapse” for step i
-
1.
\(n'=n_{i-1}/2\) where \(n_0=n=2^\ell \)
-
2.
If \(n' < 1\): break
-
3.
Set \(\textbf{B}' {:}{=}\textbf{B}^{\textbf{r}}, \textbf{w}'_1 {:}{=}\textbf{w}_1^{\textbf{r}^{-1}}, \textbf{w}'_2 {:}{=}\textbf{w}_2^{\textbf{r}^{-1}}\).
-
4.
Compute L/R inner products:
$$(Z_L)_{AB} = \textbf{A}_{[n':]} * \textbf{B}'_{[:n']} ~\text { and } ~(Z_R)_{AB} = \textbf{A}_{[:n']} * \textbf{B}'_{[n':]}$$$$ (Z_L)_C = \textbf{C}_{[n':]}^{\textbf{r}_{[:n']}}~\text { and } ~ (Z_R)_C = \textbf{C}_{[:n']}^{\textbf{r}_{[n':]}} $$ -
5.
Compute left cross commitments:
$$\begin{aligned} (T_{L},U_{L})_{AB}&= \textsf{CM}_d((\textbf{v}_1,\textbf{w}_1';\textbf{v}_2,\textbf{w}_2'); \textbf{A}_{[n':]} || \textbf{0},\textbf{0}||\textbf{B}'_{[:n']})) \\ (T_{L},U_{L})_C&= \textsf{CM}_s((\textbf{v}_1,\textbf{v}_2), \textbf{C}_{[n':]} || \textbf{0}) \\ \end{aligned}$$ -
6.
Compute right cross commitments:
$$\begin{aligned} (T_{R}, U_{R})_{AB}&= \textsf{CM}_d((\textbf{v}_1,\textbf{w}_1';\textbf{v}_2, \textbf{w}_2');\textbf{0}||\textbf{A}_{[:n']},\textbf{B}'_{[n':]}||\textbf{0}) \\ (T_{R}, U_{R})_C&= \textsf{CM}_s((\mathbf {v_1},\mathbf {v_2}),\textbf{0}||\textbf{C}_{[:n']}) \\ \end{aligned}$$ -
7.
Compute hash to the vector commitments
$$h_{com} = \textsf{Hash}_{com}((T_{AB}, U_{AB}),(T_C, U_C)).$$ -
8.
Compute challenge \(x_i\): \(x_0 = \textsf{Hash}_{x_0}(r, h_{com}, Z_{AB},Z_C).\)
$$\begin{aligned} x_i = \textsf{Hash}\left( x_{i-1};(Z_{L}, Z_{R})_{AB}, (Z_{L}, Z_{R})_{C}, (T_L,U_L; T_R, U_R)_{AB},\right. \\ \left. (T_L,U_L; T_R, U_R)_{C}\right) \end{aligned}$$ -
9.
Compute Hadamard products on vectors
$$\textbf{A} {:}{=}\textbf{A}_{[:n']} \circ \textbf{A}_{[n':]}^{x_i}, ~ \textbf{B}' {:}{=}{\textbf{B}'}_{[:n']} \circ {\textbf{B}'}_{[n':]}^{x_i^{-1}}, ~ \textbf{C}{:}{=}\textbf{C}_{[:n']} \circ \textbf{C}_{[n':]}^{x_i} $$ -
10.
Compute Hadamard products on keys \(\textbf{v}_1, \textbf{v}_2\) and \(\textbf{w}'_1, \textbf{w}'_2\):
$$\begin{aligned} (\mathbf {v_1},\mathbf {v_2})&{:}{=}(\mathbf {v_1}_{[:n']} \circ \mathbf {v_1}_{[n':]}^{x^{-1}}, \mathbf {v_2}_{[:n']} \circ \mathbf {v_2}_{[n':]}^{x^{-1}}) \nonumber \\ (\textbf{w}_1',\textbf{w}_2')&{:}{=}(\textbf{w}'_{{1}_{[:n']}} \circ \textbf{w}_{{1}_{[n':]}}^{_{'}x},\textbf{w}'_{{2}_{[:n']}} \circ \textbf{w}_{{2}_{[n':]}}^{_{'}x}) \nonumber \end{aligned}$$ -
11.
Set \(n_i = n'\)
-
1.
-
Compute proofs \((\pi _{v_j},\pi _{w_j})_{j=1,2}\) of correctness of final commitment keys \((v_1,v_2) \in \mathbb {G}_2^2; ~(w_1',w_2')\in \mathbb {G}_1^2\) (This step is detailed in Appendix E):
-
1.
Define \(f_{v}(X) = \prod _{j=0}^{\ell -1} (1 + x_{\ell -j}^{-1} X^{2^{j}})\) and \(f_w(X) = X^n \prod _{j=0}^{\ell -1} \big (1 + x_{\ell -j} r^{-2^j}X^{2^j}\big )\)
-
2.
Draw challenge \(z = \textsf{Hash}_z(x_\ell ,v_1,v_2,w_1,w_2)\)
-
3.
Prove that \(v_1 = g^{f_{v}(a)}, ~v_2 = h^{f_{v}(a)}\), \(w_1 = g^{f_w(a)}, ~w_2 = h^{f_{w}(b)}\) are \(\textsf{KZG}\) commitments of \(f_v(X)\) by opening evaluations in z
$$\begin{aligned} \pi _{v_j}&\leftarrow \textsf{KZG}.\textsf{Open}(\textsf{ck}_{jv}; v_j, z,f_v(z); f_v(X)) \text { for j=1,2} \\ \pi _{w_j}&\leftarrow \textsf{KZG}.\textsf{Open}(\textsf{ck}_{jw}; w_j, z, f_w(z); f_w(X)) \text { for j=1,2} \end{aligned}$$
-
1.
-
Given the final elements \(A, B', C\) and \((v_1,v_2),(w_1',w_2')\) at the end of the loop after split & collapsing \(\textbf{A}, \textbf{B}'=\textbf{B}^{\textbf{r}}, \textbf{C}\) and \(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1', \textbf{w}_2'\), set
$$\begin{aligned} \pi _\textsf{mt}= \big (A,B',C, (\mathbf {Z_L},\mathbf {Z_R})_{AB}, (\mathbf {Z_L},\mathbf {Z_R})_{C}, (\mathbf {T_L},\mathbf {U_L})_{AB},(\mathbf {T_R},\mathbf {U_R})_{AB}, \\ (\mathbf {T_L},\mathbf {U_L})_{C},(\mathbf {T_R},\mathbf {U_R})_{C}, (v_1,v_2),(w_1',w_2'),(\pi _{v_j},\pi _{w_j})_{j=1,2}\big ) \end{aligned}$$
-
-
\(\textsf{MT}.\textsf{Verify}(\textsf{crs}_\textsf{mt}, \textsf{statement}; \pi _\textsf{mt})\rightarrow b\):
-
1.
Parse \(\textsf{statement}= ((T_{AB}, U_{AB}),(T_{C}, U_{C}), Z_{AB}, Z_C, r)\)
-
2.
Compute hash to the commitments
$$h_{com} = \textsf{Hash}_{com}((T_{AB}, U_{AB}),(T_C, U_C))$$ -
3.
Reconstruct challenges \(\{x_i\}_{i=1}^\ell \): \(\quad x_0 = \textsf{Hash}_{x_0}(r, h_{com}, Z_{AB},Z_C)\)
$$\begin{aligned}{} & {} x_i =\textsf{Hash}\big (x_{i-1},(\mathbf {Z_L}[i],\mathbf {Z_R}[i])_{AB}, (\mathbf {Z_L}[i],\mathbf {Z_R}[i])_{C}, \\{} & {} \qquad \quad (\mathbf {T_L}[i],\mathbf {T_R}[i], \mathbf {U_L}[i],\mathbf {U_R}[i])_{AB}, (\mathbf {T_L}[i],\mathbf {T_R}[i], \mathbf {U_L}[i],\mathbf {U_R}[i])_{C}\big ) \end{aligned}$$ -
4.
Construct products and commitments recursively, \(i=1 \rightarrow \ell \):
-
\((Z_i)_{AB} = \mathbf {Z_L}[i]_{AB}^{x_i}\cdot (Z_{i-1})_{AB}\cdot \mathbf {Z_R}[i]_{AB}^{x_i^{-1}}\)
-
\((T_i)_{AB} = \mathbf {T_L}[i]_{AB}^{x_i}\cdot (T_{i-1})_{AB}\cdot \mathbf {T_R}[i]_{AB}^{x_i^{-1}}\)
-
\((U_i)_{AB} = \mathbf {U_L}[i]_{AB}^{x_i}\cdot (U_{i-1})_{AB}\cdot \mathbf {U_R}[i]_{AB}^{x_i^{-1}}\)
where \((Z_0)_{AB}= Z_{AB}, (T_0)_{AB}= T_{AB}, (U_0)_{AB}= U_{AB}\)
-
\((Z_i)_{C} =\mathbf {Z_L}[i]_C^{x_i} \cdot (Z_{i-1})_C \cdot \mathbf {Z_R}[i]_C^{x_i^{-1}}\)
-
\((T_{i})_C = \mathbf {T_L}[i]_C^{x_i} \cdot (T_{i-1})_C \cdot \mathbf {T_R}[i]_C^{x_i^{-1}},\)
-
\((U_i)_C = \mathbf {U_L}[i]_C^{x_i} \cdot (U_{i-1})_C \cdot \mathbf {U_R}[i]_C^{x_i^{-1}}\)
where \((Z_0)_{C}= Z_{C}, (T_0)_{C}= T_{C}, (U_0)_{C}= U_{C}\)
-
-
5.
Compute final vector value from r: \( r' = \prod _{i=0}^{\ell -1}(1+ x_{\ell -i}^{-1}r^{2^i}) \)
-
6.
Verify final values \((T_{\ell }, U_{\ell }, Z_{\ell })_{AB}, (T_{\ell }, U_{\ell }, Z_{\ell })_C\):
-
(a)
\((Z_{\ell })_{AB} {\mathop {=}\limits ^{?}} e(A,B')\)
-
(b)
\((Z_{\ell })_C {\mathop {=}\limits ^{?}} C^{r'}\)
-
(c)
Check if \( (T_{\ell })_{AB} {\mathop {=}\limits ^{?}} e(A, v_1)e(w_1',B') \) and \((U_{\ell })_{AB} {\mathop {=}\limits ^{?}}e(A, v_2)e(w_2',B') \)
-
(d)
Check if \((T_{\ell })_C {\mathop {=}\limits ^{?}} e(C,v_1) \text { and } (U_{\ell })_C {\mathop {=}\limits ^{?}} e(C,v_2)\)
-
(a)
-
7.
Verify final commitment keys \(v_1, v_2, w_1', w_2'\) as detailed in Appendix E
-
(a)
Reconstruct KZG challenge point: \(z = \textsf{Hash}_z(A, B', C,x_\ell ,v_1,v_2,w_1',w_2')\)
-
(b)
Reconstruct commitment polynomials: \( f_{v}(X) = \prod _{j=0}^{\ell -1} \left( 1 +\right. \) \(\left. x^{-1}_{\ell -j}X^{2^{j}}\right) , f_w(X) = X^n\prod _{j=0}^{\ell -1} \left( 1 + x_{\ell -j} r^{-2^j}X^{2^j}\right) \)
-
(c)
Run verification for openings of evaluations in z for \(j=1,2\):
$$\begin{aligned} b_{1j}&\leftarrow \textsf{KZG}.\textsf{Check}(\textsf{vk}_{jv}; v_j, z,f_v(z); \pi _{v_j} ), \\ b_{2j}&\leftarrow \textsf{KZG}.\textsf{Check}(\textsf{vk}_{jw}; w_j, z, f_w(z); \pi _{w_j} ) \end{aligned}$$ -
(a)
-
1.
Theorem 3
If \(\textsf{CM}_s, \textsf{CM}_d\) are computationally binding commitments as per Definition 4, the hash functions are modelled as random oracles, and \(\textsf{KZG}.\textsf{PC}\) has computational knowledge binding as per Definition 6, then the protocol \(\mathsf {MT\text {-}IPP}\) has completeness and computational knowledge soundness (Definition 1) against algebraic adversaries in the random oracle model.
Proof
An adversary breaking soundness of the \(\mathsf {MT\text {-}IPP}\) scheme, either convinces the verifier of incorrect final keys \(v_1, v_2, w'_1, w'_2\) or breaks computational binding of one of \(\textsf{CM}_s, \textsf{CM}_d\).
Since both \(\textsf{CM}_s, \textsf{CM}_d\) are computationally binding, what is left to show is the completeness and soundness of the proof of correctness of the final commitment keys. The validity of the final commitment keys is shown using the \(\textsf{KZG}.\textsf{PC}\) scheme. The complete analysis for this step follows in Appendix E.
5 \(\textsf{SnarkPack}\): Aggregation Scheme
In this section we describe \(\textsf{SnarkPack}\), our new efficient protocol for Groth16 aggregation. The relation proven by \(\textsf{SnarkPack}\) can be stated as follows:
Relation for Aggregation. More formally, we introduce the relation for aggregating n Groth16 proof vectors \(\textbf{A},\textbf{C} \in \mathbb {G}_1^n,\textbf{B} \in \mathbb {G}_2^n\) with respect to a fixed verification key \(\textsf{vk}\):
where \(u_i= \textbf{a}_i= \{a_{i,j}\}_{j=0}^{t}, \pi _i = (A_i, B_i, C_i) \in \mathbb {G}_1 \times \mathbb {G}_2 \times \mathbb {G}_1\) for \(i=0, \dots n-1\).
The resulting argument for aggregation consists in 3 algorithms \(\textsf{SnarkPack}= (\textsf{SP}.\textsf{Setup},\textsf{SP}.\textsf{Prove},\textsf{SP}.\textsf{Verify})\) that work as follows:
-
\(\textsf{SP}.\textsf{Setup}(1^\lambda , \mathcal {R}_\textsf{AGG})\rightarrow (\textsf{crs}_{\textsf{agg}}, \textsf{vk}_{\textsf{agg}})\)
-
1.
Generate commitment key for \(\textsf{CM}_d\):
$$\textsf{ck}_{d} = (\textbf{v}_1, \textbf{v}_2, \textbf{w}_1, \textbf{w}_2) \leftarrow \textsf{CM}_d.\textsf{KG}(1^\lambda )$$ -
2.
Set commitment key for \(\textsf{CM}_s: \textsf{ck}_{s} = (\textbf{v}_1, \textbf{v}_2) \)
-
3.
Call \(\textsf{crs}_\textsf{mt}\leftarrow \textsf{MT}.\textsf{Setup}(1^\lambda , \mathcal {R}_\textsf{mt})\)
-
4.
Fix hash function \(\textsf{Hash}_r: \mathbb {Z}_p^{t \cdot n} \times \mathbb {G}_T^4 \rightarrow \mathbb {Z}_p\) given by its description \(\textsf{hk}_r\)
-
5.
Set aggregation public parameters: \( ~\textsf{crs}_{\textsf{agg}}= (\textsf{vk}, \textsf{crs}_\textsf{mt}, \textsf{hk}_r) \)
-
1.
-
\(\textsf{SP}.\textsf{Prove}(\textsf{crs}_{\textsf{agg}}, \textbf{u}, \mathbf {\pi }= (\textbf{A}, \textbf{B}, \textbf{C})) \rightarrow \pi _{\textsf{agg}}\)
-
1.
Parse proving key \(\textsf{crs}_{\textsf{agg}}{:}{=}(\textsf{vk}, \textsf{crs}_\textsf{mt}, \textsf{ck}_{s}, \textsf{ck}_{d}, \textsf{hk})\)
-
2.
Parse \(\textsf{ck}_{s} = (\textbf{v}_1, \textbf{v}_2), ~\textsf{ck}_{d} = (\textbf{v}_1, \textbf{v}_2, \textbf{w}_1, \textbf{w}_2)\)
-
3.
Commit to \(\textbf{A}\) and \(\textbf{B}\):
$$\textsf{CM}_d((\mathbf {v_1},\mathbf {v_2},\mathbf {w_1},\mathbf {w_2});\textbf{A},\textbf{B}) = (T_{AB},U_{AB})$$ -
4.
Commit to \(\textbf{C}:~\textsf{CM}_s((\mathbf {v_1},\mathbf {v_2});\textbf{C}) = (T_{C},U_{C})\)
-
5.
Hash these commitments \(h_{com} = \textsf{Hash}_{com}((T_{AB}, U_{AB}),(T_C, U_C))\)
-
6.
Derive random challenge \(r = \textsf{Hash}_r(\textbf{u},h_{com})\) and set \(\textbf{r} = \{r^i\}_{i=0}^{n-1}\)
-
7.
Compute \(Z_{AB} = \mathbf {A^r} * \textbf{B}\)
-
8.
Compute \(Z_{C} = \textbf{C}^\textbf{r}= \prod _{i=0}^{n-1} C_i^{r_i}\).
-
9.
Run \(\textsf{MT}\) proof for inner products \(Z_{AB}, Z_C,r\):
$$\begin{aligned} \pi _{\textsf{mt}} = \textsf{MT}.\textsf{Prove}(\textsf{crs}_\textsf{mt}, (T_{AB},U_{AB}), (T_C,U_C), Z_{AB}, Z_C,r; \textbf{A},\textbf{B},\textbf{C},\textbf{r}) \end{aligned}$$ -
10.
Set \(\pi _{\textsf{agg}}= ((T_{AB}, U_{AB}), (T_C, U_C), Z_{AB},Z_C, \pi _{\textsf{mt}})\)
-
1.
-
\(\textsf{SP}.\textsf{Verify}(\textsf{vk}_{\textsf{agg}}, \textbf{u}, \pi _{\textsf{agg}}) \rightarrow b\)
-
1.
Parse SNARK instances \(\textbf{u}= \{a_{i,j}\}_{i=0,\dots n-1; j=0,\dots t}\)
-
2.
Parse verification key \(\textsf{vk}_{\textsf{agg}}{:}{=}(\textsf{vk}, \textsf{crs}_\textsf{mt}, \textsf{hk})\)
-
3.
Hash the commitments \(h_{com} = \textsf{Hash}_{com}((T_{AB}, U_{AB}),(T_C, U_C))\)
-
4.
Parse \(\textsf{vk}{:}{=}\big (P = g^\alpha , Q= h^\beta , ~\{S_j \}_{j =0}^{t}, H = h^\gamma , D = h^\delta \big )\)
-
5.
Derive random challenge \(r = \textsf{Hash}_r(\textbf{u}, h_{com})\)
-
6.
Set \(\textsf{statement}= (\textbf{u},(T_{AB}, U_{AB}),(T_{C}, U_{C}), Z_{AB}, Z_C, r)\)
-
7.
Check \(\textsf{MT}\) proof \(~b_1 \leftarrow \textsf{MT}.\textsf{Verify}(\textsf{crs}_\textsf{mt}, \textsf{statement},\pi _{\textsf{mt}})\)
-
8.
Compute \(Z_{S_j}= S_j^{\sum _{i=0}^{n-1} a_{ij}r^i}\) for all \(j=0 \dots t\)
-
9.
Check Groth16 final equation to the decision bit \(b_2\):
$$ Z_{AB} {\mathop {=}\limits ^{?}} e(P^{\sum _{i=0}^{n-1} r^i},Q)e(\prod _{j=0}^{t} Z_{S_j},H)e(Z_C,D) $$ -
10.
Set decision bit \(b=b_1 \wedge b_2 \)
-
1.
Assumptions. We introduce two new assumptions necessary to prove our schemes are secure. Formal proofs that these assumptions hold in the Generic Group Model can be found in Appendix B.1.
Assumption 4
(ASSGP). The (q, m)-Auxiliary Structured Single Group Pairing assumption holds for the bilinear group generator \(\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):
Assumption 5
(ASDGP). The (q, m)-ASDGP assumption holds for the bilinear group generator \(~\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):
We can similarly define the dual assumptions, by swapping \(\mathbb {G}_1\) and \(\mathbb {G}_2\) in the definition above.
Notes
- 1.
Aztec, https://zk.money; zksync, https://zksync.io; https://ethereum.org.
- 2.
Filecoin, https://filecoin.io.
References
Abdolmaleki, B., Baghery, K., Lipmaa, H., Siim, J., Zajac, M.: UC-secure CRS generation for SNARKs. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 99–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_6
Ben-Sasson, E., et al.: Decentralized anonymous payments from Bitcoin. Cryptology ePrint Archive, Report 2014/349 (2014). https://eprint.iacr.org/2014/349
Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs, pp. 287–304 (2015)
Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 947–964 (2020)
Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture, pp. 781–796 (2014)
Bowe, S., Gabizon, A., Miers, I.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050 (2017). https://eprint.iacr.org/2017/1050
Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2019). https://eprint.iacr.org/2019/1177
Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_30
Daza, V., Ràfols, C., Zacharakis, A.: Updateable inner product argument with logarithmic verifier and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 527–557. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_18
Filecoin. Filecoin powers of tau ceremony attestations (2020). https://github.com/arielgabizon/perpetualpowersoftau
Fisch, B.: Tight proofs of space and replication (2019). https://web.stanford.edu/~bfisch/tight_pos.pdf
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
Protocol Labs. Filecoin (2018). https://filecoin.io/filecoin.pdf
Lai, R.W.F., Malavolta, G., Ronge, V.: Succinct arguments for bilinear group arithmetic: practical structure-preserving cryptography, pp. 2057–2074 (2019)
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation, pp. 238–252 (2013)
Zcash. Zcash Powers of Taus ceremony attestation (2018). https://github.com/ZcashFoundation/powersoftau-attestations
Acknowledgements
We would like to thank Benedikt Bunz, Pratyush Mishra, and Psi Vesely for valuable discussions on this work, as well as Ben Fisch and Nicola Greco for the initial intuition of using inner pairing product proofs for aggregating Filecoin SNARK-based proofs. We are also grateful to dignifiedquire for his contributions to the Rust codebase.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
A Cryptographic Primitives
1.1 A.1 SNARKs
Let \(\mathcal {R}\) be an efficiently computable binary relation which consists of pairs of the form (u, w). A Proof or Argument System for \(\mathcal {R}\) consists in a triple of \(\textsf{PPT}\) algorithms \(\varPi = (\textsf{Setup}, \textsf{Prove}, \textsf{Verify})\) defined as follows:
-
\(\textsf{Setup}(1^\lambda , \mathcal {R}) \rightarrow \textsf{crs}\): takes a security parameter \(\lambda \) and a binary relation \(\mathcal {R}\) and outputs a common (structured) reference string \(\textsf{crs}\).
-
\(\textsf{Prove}(\textsf{crs}, u, w) \rightarrow \pi \): on input \(\textsf{crs}\), a statement u and the witness w, outputs an argument \(\pi \).
-
\(\textsf{Verify}(\textsf{crs}, u, \pi ) \rightarrow 1/0\): on input \(\textsf{crs}\), a statement u, and a proof \(\pi \), it outputs either 1 indicating accepting the argument or 0 for rejecting it.
We call \(\varPi \) a Succinct Non-interactive ARgument of Knowledge (SNARK) if further it is complete, succinct and satisfies Knowledge Soundness (also called Proof of Knowledge).
Non-black-box Extraction. The notion of Knowledge Soundness requires the existence of an extractor that can compute a witness whenever the prover \(\mathcal {A}\) produces a valid argument. The extractor we defined bellow is non-black-box and gets full access to the prover’s state, including any random coins. More formally, a SNARK satisfies the following definition:
Definition 1 (SNARK)
\(\varPi =(\textsf{Setup}, \textsf{Prove}, \textsf{Verify})\) is a SNARK for an NP language \(L_{\mathcal {R}}\) with corresponding relation \(\mathcal {R}\), if the following properties are satisfied.
-
Completeness. For all \((x, w) \in \mathcal {R}\), the following holds:
$$ \Pr \left( \begin{array}{l} \textsf{Verify}(\textsf{crs}, u, \pi ) = 1 \end{array} \left| \begin{array}{c} \textsf{crs}\leftarrow \textsf{Setup}(1^\lambda , \mathcal {R})\\ \pi \leftarrow \textsf{Prove}(\textsf{crs}, u, w) \end{array} \right) = 1 \right. $$ -
Knowledge Soundness. For any \(\textsf{PPT}\) adversary \(\mathcal {A}\), there exists a \(\textsf{PPT}\) extractor \(\textsf{Ext}_\mathcal {A}\) such that the following probability is negligible in \(\lambda \):
$$ \Pr \left( \begin{array}{l} \textsf{Verify}(\textsf{crs},u, \pi ) = 1 \\ \wedge \, \mathcal {R}(u, w) = 0 \end{array} \left| \begin{array}{c} \textsf{crs}\leftarrow \textsf{Setup}(1^\lambda , \mathcal {R})\\ ((u, \pi ); w) \leftarrow \mathcal {A}\Vert \chi _{\mathcal {A}}(\textsf{crs}) \end{array} \right) =\textsf{negl}\!\!\left( \lambda \right) . \right. $$ -
Succinctness. For any u and w, the length of the proof \(\pi \) is given by \(\vert \pi \vert = \textsf{poly}(\lambda ) \cdot \textsf{polylog} (\vert u \vert + \vert w \vert )\).
Zero-Knowledge. A SNARK is zero-knowledge if it does not leak any information besides the truth of the statement. More formally:
Definition 2 (zk-SNARK)
A SNARK for a relation \(\mathcal {R}\) is a zk-SNARK if there exists a \(\textsf{PPT}\) simulator \((\mathcal {S}_1, \mathcal {S}_2)\) such that \(\mathcal {S}_1\) outputs a simulated common reference string \(\textsf{crs}\) and trapdoor \(\textsf{td}\); \(\mathcal {S}_2\) takes as input \(\textsf{crs}\), a statement u and \(\textsf{td}\), and outputs a simulated proof \(\pi \); and, for all \(\textsf{PPT}\) (stateful) adversaries \((\mathcal {A}_1,\mathcal {A}_2)\), for a state \(\textsf{st}\), the following is negligible in \(\lambda \):
1.2 A.2 Commitment Schemes
A non-interactive commitment scheme allows a sender to create a commitment to a secret value. It may later open the commitment and reveal the value or some information about the value in a verifiable manner. More formally:
Definition 3 (Non-interactive Commitment)
A non-interactive commitment scheme is a pair of algorithms \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\):
-
\({\textsf{KG}}(1^\lambda ) \rightarrow \textsf{ck}\): given a security parameter \(\lambda \), it generates a commitment public key \(\textsf{ck}\). This \(\textsf{ck}\) implicitly specifies a message space \(M_\textsf{ck}\), a commitment space \(C_\textsf{ck}\) and (optionally) a randomness space \(R_\textsf{ck}\),. This algorithm is run by a trusted or distributed authority.
-
\(\textsf{CM}(\textsf{ck}; m) \rightarrow C\): given \(\textsf{ck}\) and a message m, outputs a commitment C. This algorithm specifies a function \(\textsf{Com}_\textsf{ck}: M_\textsf{ck}\times \mathcal {R}_\textsf{ck}\rightarrow C_\textsf{ck}\). Given a message \(m \in M_\textsf{ck}\), the sender (optionally) picks a randomness \(\rho \in R_\textsf{ck}\) and computes the commitment \(C= \textsf{Com}_\textsf{ck}(m,\rho )\)
For deterministic commitments we simply use the notation \(C= \textsf{CM}(\textsf{ck}; m){:}{=}\textsf{Com}_\textsf{ck}(m)\), while for randomised ones we write .
A commitment scheme is asked to satisfy one or more of the following properties:
Binding Definition. It is computationally hard, for any \(\textsf{PPT}\) adversary \(\mathcal {A}\), to come up with two different openings \(m \ne m^* \in M_\textsf{ck}\) for the same commitment C. More formally:
Definition 4 (Computationally Binding Commitment)
A commitment scheme \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\) is computationally binding if for any \(\textsf{PPT}\) adversary \(\mathcal {A}\), the following probability is negligible:
Hiding Definition. A commitment can be hiding in the sense that it does not reveal the secret value that was committed.
Definition 5 (Statistically Hiding Commitment)
A commitment scheme \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\) is statistically hiding if it is statistically hard, for any \(\textsf{PPT}\) adversary \(\mathcal {A}=(\mathcal {A}_0, \mathcal {A}_1)\), to first generate two messages \(\mathcal {A}_0(\textsf{ck}) \rightarrow m_0, m_1 \in M_\textsf{ck}\) such that \(\mathcal {A}_1\) can distinguish between their corresponding commitments \(C_0\) and \(C_1\) where and .
1.3 A.3 Polynomial Commitments
Polynomial commitments (PCs) first introduced by [KZG10] are commitments for the message space \(\mathbb {F}^{\le d}[X]\), the ring of polynomials in X with maximum degree \(d \in \mathbb {N}\) and coefficients in the field \(\mathbb {F}=\mathbb {Z}_p\), that support an interactive argument of knowledge \(({\textsf{KG}}, \textsf{Open}, \textsf{Check})\) for proving the correct evaluation of a committed polynomial at a given point without revealing any other information about the committed polynomial.
A polynomial commitment scheme over a field family \(\mathcal {F}\) consists in 4 algorithms \(\textsf{PC}= ({\textsf{KG}},\textsf{CM},\textsf{Open},\textsf{Check})\) defined as follows:
-
\({\textsf{KG}}(1^\lambda , d) \rightarrow (\textsf{ck}, \textsf{vk})\): given a security parameter \(\lambda \) fixing a field \(\mathcal {F}_\lambda \) family and a maximal degree d samples a group description \(\textsf{gk}\) containing a description of a field \(\mathbb {F}\in \mathcal {F}_{\lambda }\), and commitment and verification keys \((\textsf{ck}, \textsf{vk})\). We implicitly assume \(\textsf{ck}\) and \(\textsf{vk}\) each contain \(\textsf{gk}\).
-
\(\textsf{CM}(\textsf{ck}; f(X)) \rightarrow C\): given \(\textsf{ck}\) and a polynomial \(f(X) \in \mathbb {F}^{\le d}[X]\) outputs a commitment C.
-
\(\textsf{Open}(\textsf{ck}; C, x, y; f(X)) \rightarrow \pi \): given a commitment C, an evaluation point x, a value y and the polynomial \(f(X) \in \mathbb {F}[X]\), it output a prove \(\pi \) for the relation:
$$ \mathcal {R}_{\textsf{kzg}} {:}{=}\left\{ \begin{matrix} (\textsf{ck}, C, x, y; f(X)) \end{matrix} \, : \, \begin{array}{r} C=\textsf{CM}\left( \textsf{ck}; f(X)\right) \\ ~\wedge ~\deg (f(X))\le d\\ ~\wedge ~ y=f(x) \end{array} \right\} $$ -
\(\textsf{Check}(\textsf{vk}, C, x, y, \pi ) \rightarrow 1/0\): Outputs 1 if the proof \(\pi \) verifies and 0 if \(\pi \) is not a valid proof for the opening (C, x, y).
A polynomial commitment satisfy an extractable version of binding stated as follows:
Definition 6 (Computational Knowledge Binding)
For every \(\textsf{PPT}\) adversary \(\mathcal {A}\) that produces a valid proof \(\pi \) for statement C, x, y, i.e. such that \(\textsf{Check}(\textsf{vk}, C, x, y, \pi )=1\), there is an extractor \(\textsf{Ext}_\mathcal {A}\) that is able to output a pre-image polynomial f(X) with overwhelming probability:
1.4 A.4 KZG Polynomial Commitment
We describe the KZG Polynomial Commitment from [KZG10] which allows to check correctness of evaluation openings.
We recall the scheme \(\textsf{KZG}.\textsf{PC}= (\textsf{KZG}.{\textsf{KG}},\textsf{KZG}.\textsf{CM},\textsf{KZG}.\textsf{Open},\textsf{KZG}.\textsf{Check})\) defined over bilinear groups \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T )\) with \(\mathbb {G}_1 =\langle g\rangle , \mathbb {G}_2 =\langle h \rangle \):
-
\(\textsf{KZG}.{\textsf{KG}}(1^\lambda , n) \rightarrow (\textsf{ck}, \textsf{vk}_h)\): Set keys \(\textsf{ck}_g = \{g^{\alpha ^i}\}_{i=0}^{n-1}, \textsf{vk}_h = h^\alpha \).
-
\(\textsf{KZG}.\textsf{CM}(\textsf{ck}_g; f(X)) \rightarrow C_f\): For \(f(X) = \sum _{i=0}^{n-1} f_i X^i\), computes \(C_f=\prod _{i=0}^{n-1} g^{f_i \alpha ^i} = g^{f(\alpha )} \).
-
\(\textsf{KZG}.\textsf{Open}(\textsf{ck}_g; C_f, x, y; f(X)) \rightarrow \pi \): For an evaluation point x, a value y, compute the quotient polynomial
$$q(X) = \displaystyle \frac{f(X) -y }{X-x}$$and output prove \(\pi {:}{=}C_q = \textsf{KZG}.\textsf{CM}(\textsf{ck}_g; q(X)) \).
-
\(\textsf{KZG}.\textsf{Check}(\textsf{vk}_h = h^\alpha , C_f, x, y, \pi ) \rightarrow 1/0\): Check if
$$e(C_f \cdot g^{-y}, h)=e(C_q, \textsf{vk}_h \cdot h^{-x} ).$$
The \(\textsf{KZG}.\textsf{PC}\) scheme works similarly for a pair of keys of the form \(\textsf{ck}_h = \{h^{\alpha ^i}\}_{i=0}^{n-1}, \textsf{vk}_g = g^\alpha \), by just swapping the values in the final pairing equation check to match the correct basis.
B Assumptions in GGM
1.1 B.1 ASSGP Assumption in GGM
Assumption 6 (ASSGP)
The (q, m)-Auxiliary Structured Single Group Pairing assumption holds for the bilinear group generator \(\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following
We can similarly define the dual assumption, by swapping \(\mathbb {G}_1\) and \(\mathbb {G}_2\) in the definition above.
Lemma 3
The (q, m)-ASSGP assumption holds in the generic group model.
Proof
Suppose \(\mathcal {A}\) is an adversary that on input \((\textsf{gk},\sigma , \textsf{aux})\), outputs \((A_0,\dots ,A_{q-1} ) \in \mathbb {G}_1^q\) such that \(\prod _{i=0}^{q-1} e(A_i,h^{a^i})=1_{\mathbb {G}_T} \) and \(\prod _{i=0}^{q-1} e(A_i,h^{b^i})=1_{\mathbb {G}_T} \). Then its GGM extractor outputs \(\alpha _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) for \(0 \le i <q\) then we have:
Then we have:
If we substract (4) and (3) we got
Now we can divide by \((X-Y)\) and obtain:
Substitute the expression of \(-\alpha _1(X, Y)\) in Eq. (3) and remark that all \(X^i \alpha _i(X, Y)\) terms are vanishing:
This implies that either \(\alpha _0(X, Y)\) is a multiple of XY or \(\alpha _0(X, Y)=0\).
By the GGM assumption, we have that \(\alpha _0(X, Y)=0\).
We continue by replacing \(\alpha _0(X, Y)=0\) in Eq. (8):
Substitute the expression of \(-\alpha _2(X, Y)\) in Eq. (4) and remark that all \(Y^i \alpha _i(X, Y)\) terms are vanishing:
This implies that either \(\alpha _1(X, Y)\) is a multiple of XY or \(\alpha _1(X, Y)=0\).
By the GGM assumption, we have that \(\alpha _1(X, Y)=0\).
We continue by replacing \(\alpha _1(X, Y)=0\) in Eq. (11):
And so on... till we show that \(\alpha _i(X, Y)=0 \ ~\forall i=0 \dots q-1\). We conclude that the adversarly produced vector \( (A_0,\dots ,A_{q-1} )=\textbf{1}_{\mathbb {G}_1} \).
1.2 B.2 ASDGP Assumption in GGM
Assumption 7
(ASDGP). The (q, m)-ASDGP assumption holds for the bilinear group generator \(~\mathcal {G}\) if for all \(~\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(~\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):
Lemma 4
The (q, m)-ASDGP assumption holds in the generic group model.
Proof
Suppose \(\mathcal {A}\) is an adversary that on input \((\textsf{gk},\sigma , \textsf{aux})\), outputs \(\textbf{A}= (A_0, \dots ,A_{q-1} )\) and \(\textbf{B}= (B_0,\dots ,B_{q-1} ) \) such that:
Then its GGM extractor outputs \(\alpha _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) and \(\beta _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) for \(0 \le i <q\) such that:
By substracting (14) and (13) we got
Now we can factor \((X-Y)\) and then divide by it and obtain:
Substitute \(-\alpha _1(X, Y)\) in Eq. (13) and remark that all \(X^i \alpha _i(X, Y), X^{q+i}\beta _{q+i}(X, Y)\) terms are vanishing:
This implies that either \(\alpha _0(X, Y)\) is a multiple of XY or \(\alpha _0(X, Y)=0\).
By the GGM assumption, we have that \(\alpha _0(X, Y)=0\).
We continue by replacing \(\alpha _0(X, Y)=0\) in Eq. (17):
Substitute the expression of \(-\alpha _2(X, Y)\) in Eq. (13) or (14) and remark that all terms \(X^i \alpha _i(X, Y), X^i \beta _i(X, Y)\) (respectively \(Y^i \alpha _i(X, Y), Y^i \beta _i(X, Y)\)) terms are vanishing.
And so on till we show that \(\alpha _i(X, Y)=0 \ ~\forall i=0 \dots q-1\) and \(\beta _i(X, Y)=0 ~\forall i=q \dots 2q-1 \).
We conclude that the adversarly produced vectors \( (A_0,\dots ,A_{q-1} )=\textbf{1}_{\mathbb {G}_1},(B_0,\dots ,B_{q-1} )=\textbf{1}_{\mathbb {G}_2} \).
C Groth16 Scheme
Let C be an arithmetic circuit over \(\mathbb {Z}_p\), with m wires and d multiplication gates. Groth16 scheme proves circuit satisfiability, using a Quadratic Arithmetic Program (QAP) characterisation. Briefly, a QAP as introduced by [GGPR13] is translating a circuit into an equivalent arithmetic relation that holds only if the circuit has a solution.
Let \(Q = \left( t(x), \{v_k(x), w_k(x), y_k(x)\}_{k=0}^m \right) \) be a Quadratic Arithmetic Program (QAP) which computes C. We denote by \(I_{io} = \{1, 2, \dots t \}\) the indices corresponding to the public input and public output values of the circuit wires and by \(I_{mid}=\{t +1, \dots m\}\), the wire indices corresponding to the private input and non-input, non-output intermediate values (for the witness).
We describe Groth \(=(\textsf{Setup}, \textsf{Prove}, \textsf{Verify}) \) scheme in [Gro16] that consists in 3 algorithms as per Fig. 1.
D Building Blocks for Aggregation
SRS. We need elements from two independent compatible Groth16 SRS:
-
Common bilinear group description for both SRS: \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T)\)
-
Common group generators for both SRS: \(g \in \mathbb {G}_1, h \in \mathbb {G}_2\)
-
First SRS with random evaluation point \(a \in \mathbb {Z}_p\) for:
$$\textbf{v}_1 = (h,h^a,\dots ,h^{a^{n-1}}) \text { and } \textbf{w}_1 = (g^{a^n}, \dots , g^{a^{2n-1}})$$ -
Second SRS with random evaluation point \(b \in \mathbb {Z}_p\) for:
$$ \textbf{v}_2 = (h,h^b,\dots ,h^{b^{n-1}}) \text { and }\textbf{w}_2 = (g^{b^n},\dots ,g^{b^{2n-1}})$$
Pair Group Commitments. To instantiate our aggregated scheme, we use two new pairing commitment schemes. These schemes need to satisfy special properties (as discussed in Sect. 3) and they require structured commitment keys \(\textsf{ck}_s, \textsf{ck}_d\) of the form \( \textsf{ck}_s= (\textbf{v}_1, \textbf{v}_2), \textsf{ck}_d=(\textbf{v}_1, \textbf{w}_1, \textbf{v}_2, \textbf{w}_2)\). We then commit to vectors \(\textbf{A}\in \mathbb {G}_1^n, \textbf{B}\in \mathbb {G}_2^n\) as follows:
-
1.
Single group version \( \textsf{CM}_s(\textbf{A}) {:}{=}\textsf{CM}_s(\textsf{ck}_s;\textbf{A}) = (T_A, U_A)\) where
$$\begin{aligned} T_A&= \textbf{A}* \textbf{v}_1 = e(A_0,h) e(A_1,h^a) \dots .e(A_{n-1},h^{a^{n-1}})\\ U_A&= \textbf{A}* \textbf{v}_2 = e(A_0,h) e(A_1,h^b)\dots .e(A_{n-1},h^{b^{n-1}}) \end{aligned}$$ -
2.
Double group version \(\textsf{CM}_d(\textbf{A}, \textbf{B}) {:}{=}\textsf{CM}_d(\textsf{ck}_d; \textbf{A}, \textbf{B}) = (T_{AB},U_{AB})\) where
$$ T_{AB} = (\textbf{A} * \mathbf {v_1})(\mathbf {w_1} * \textbf{B}), \quad U_{AB} = (\textbf{A} * \mathbf {v_2})(\mathbf {w_2} * \textbf{B}) $$
IPP Protocols. One of the key building blocks for our aggregation protocol are generalized inner product arguments, called GIPA or IPP protocols. These protocols, as designed in [BMM+19], enable proving the correctness of a large class of inner products between vectors of group and/or field elements committed using (possibly distinct) doubly-homomorphic commitment schemes.
For our aggregation protocol, we need to instantiate two specialised cases of IPP – multi-exponentiation inner product (MIPP) and an target inner pairing product (TIPP) – using our new commitment schemes under structured references string, and thus, we obtain logarithmic verifier time.
1.1 D.1 Relation for \(\mathsf {MT\text {-}IPP}\)
Here we define the relation proven using the merged \(\mathsf {MT\text {-}IPP}\) argument. This is a conjunction of the two relations MIPP and TIPP:
-
MIPP Relation. The multiexponentiation product relation:
$$\begin{aligned}{} & {} \mathcal {R}_{\textsf{mipp}} {:}{=}\{ ((T_C, U_C), Z_C, r; \textbf{C}, \textbf{r}): Z_C= \textbf{C}*{\textbf{r}} ~\wedge \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad ~(T_C, U_C)= \textsf{CM}_s(\textsf{ck}_s; \textbf{C}) \wedge \textbf{r}=(r^{i})_{i=0}^{n-1} \}. \end{aligned}$$ -
TIPP Relation. The target inner pairing relation:
$$\begin{aligned}{} & {} \mathcal {R}_{\textsf{tipp}} {:}{=}\{ ((T_{AB}, U_{AB}), Z_{AB}, r; \textbf{A}, \textbf{B}): Z_{AB} = \textbf{A}* \textbf{B}^{\textbf{r}} ~\wedge \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad (T_{AB},U_{AB}) = \textsf{CM}_d(\textsf{ck}_d; \textbf{A}, \textbf{B})~\wedge ~\textbf{r}=(r^{i})_{i=0}^{n-1} \}, \end{aligned}$$where \((T_{AB}, U_{AB}) \in \mathbb {G}_T^2, ~ Z_{AB} = \textbf{A}* \textbf{B}^{\textbf{r}} \in \mathbb {G}_T,~\textbf{A}\in \mathbb {G}_1^n,~\textbf{B} \in \mathbb {G}_2^n, ~r \in \mathbb {Z}_p \).
-
MT-IPP Relation. The merged \(\mathsf {MT\text {-}IPP}\) relation:
$$\mathcal {R}_{\textsf{mt}} {:}{=}\left\{ \begin{array}{l} \big ( (T_{AB}, U_{AB}), (T_{C}, U_{C}), \\ ~ \qquad ~ \ ~ Z_{AB}, Z_C, r; \textbf{A}, \textbf{B}, \textbf{C}\big ) \end{array} \, : \, \begin{array}{c} (\textsf{CM}_d(\textbf{A}, \textbf{B}), Z_{AB}, r; \textbf{A}, \textbf{B}) \in \mathcal {R}_{\textsf{tipp}} \\ \wedge \\ (\textsf{CM}_s(\textbf{C}), Z_C, r; \textbf{C}) \in \mathcal {R}_{\textsf{mipp}} \end{array} \right\} $$for vectors \(\textbf{A}, \textbf{C}\in \mathbb {G}_1\) and \(\textbf{B}\in \mathbb {G}_2\).
E Final Commitment Keys
In this section, we will detail one step of the \(\mathsf {MT\text {-}IPP}\) protocol: Checking the correctness of the final commitment key, obtained after all “split & collapse” steps.
Recall that our scheme \(\mathsf {MT\text {-}IPP}\) achieves logarithmic proof size using a specially structured commitment scheme that allows the prover to use one new challenge \(x_j\) in each round of recursion to transform the commitments homomorphically. Because of this, the verifier must also perform a linear amount of work in rescaling the commitment keys (\(\textsf{ck}_s, \textsf{ck}_d \)). To avoid having the verifier rescale the commitment keys, our scheme apply the same trick as [DRZ20, BMM+19]: we do this by outsourcing the work of rescaling the commitment keys to the prover.
Then what is left is to convince a verifier that this rescaling was done correctly just by checking a succinct proof on the final keys.
Proof for Final Key. In our \(\mathsf {MT\text {-}IPP}\) scheme, the prover will compute the final commitment keys \(v_1, v_2, w_1',w_2'\) (the result of many rounds of rescaling/collapsing \(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1', \textbf{w}_2'\) until the end of the loop) and then prove that they are well-formed.
This is possible due to the structure in the commitment keys. For ease of presentation, we will show how this proof works for a generic vector \(\textbf{v}\), where \(\textbf{v}= (v_1,v_2, \dots , v_{2^\ell }) = (g, g^{\alpha }, g^{\alpha ^2}, \dots g^{\alpha ^{n-1}})\). The other checks for the keys \(v_1, v_2\) and \(w_1, w_2\) work in an analogously fashion.
Let us first define the relation to be proven, i.e. the correctness of the final commitment key \(v \in \mathbb {G}_1\) given the initial key \(\textbf{v}\):
The argument for the relation \(\mathcal {R}_{\textsf{ck}}\) allows the verifier to check well-formedness of the final structured commitment key. The idea is simple: the final commitment key \(\textbf{v}\) is interpreted as a KZG polynomial commitment that the prover must open at a random point z. The verifier produces the challenge point \(z \in \mathbb {Z}_p\) and the prover provides a valid KZG opening proof of f(z) for the commitment v. The interaction can be removed using Fiat-Shamir heuristic via a collision-resistant hash to generate the challenge z. The proof of security of such a protocol is given in [BMM+19] in the algebraic group model. In a nutshell, an algebraic adversary that convinces a verifier of incorrect keys can extract a valid 2n-SDH instance by breaking knowledge-binding of \(\textsf{KZG}.\textsf{PC}\) polynomial commitment scheme.
We will use a polynomial commitment scheme (Definition A.3) that allows for openings of evaluations on a point and proving correctness of these openings. The concrete scheme is called \(\textsf{KZG}.\textsf{PC}\) and works for both groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) as described in Appendix A.4. The verification requires an evaluation of the corresponding polynomial and four pairing checks.
Polynomial Formula. We will show now, hot to define the correct polynomials to be committed under \(\textsf{KZG}.\textsf{PC}\) scheme in order to show that the final commitment keys were honestly generated.
Recall the structure of the 4 vectors \(\textbf{v}_1, \textbf{v}_2 \in \mathbb {G}_2\) and \( \textbf{w}_1, \textbf{w}_2 \in \mathbb {G}_1\) used for the commitment keys \(\textsf{ck}_s, \textsf{ck}_d\):
We will show the formulae for the polynomials the two polynomials \(f_v(X)\) and \(f_w(X)\) that we used in our scheme MT-IPP for \(v_1, v_2\) and for \(w_1',w_2'\) are correct.
For ease of presentation, we state and prove the formula for a generic vector \( \textbf{v}= (v_1,v_2, \dots , v_{2^\ell }) = (g, g^{\alpha }, g^{\alpha ^2}, \dots g^{\alpha ^{2^\ell -1}})\) of length \(n= 2^\ell \) to which we apply the same rescaling as for the commitment keys \(\textsf{ck}_s, \textsf{ck}_d\). The specific formulae for \(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1', \textbf{w}_2' \) are easy to deduce once we have a formula for \(\textbf{v}\).
Consider a challenge \(x_j\) for round j, where the total number of rounds is \(\ell \). Note that at each round j we split the sequence \(v_1,v_2, \dots , v_{n}\) in half and we use \(x_{j}\) to rescale first half and the second half of the vector recursively until we end up with a single value v.
We claim that the formula for some initial key \(\textbf{v}= (v_1=g,v_2 = g^\alpha , \dots , v_{n} =g^{\alpha ^{n -1}})\) and for a vector of challenges \( x_1 \dots x_{\ell -1}, x_{\ell }\) is:
We will prove the general formula by induction:
-
Step 1. Check the formula for \(\ell =1\) (initial commitment key \(\textbf{v}\) has two elements \(v_1, v_2\)):
$$v = v_1 v_2^{x_1} = g^{1 + x_1 \alpha } = g^{\prod _{j=0}^{0} (1 + x_{\ell -j} \alpha ^{2^{j}})}.$$ -
Step 2. Suppose the statement is true for \(\ell -1\). We prove it for \(\ell \).
On the first round, we have a challenge \(x_{1}\) and we rescale the commitment key \(\textbf{v}\) which has length \(n=2^{\ell }\) as follows:
\(\textbf{v}' = \textbf{v}_{[:2^{\ell -1}]} \circ \textbf{v}_{[2^{\ell -1}:]}^{x_{1}},\)
\(\textbf{v}' =(g \cdot g^{x_{1} \alpha ^{2^{\ell -1}}}, g^\alpha \cdot g^{x_{1}\alpha ^{{2^{\ell -1}+1}}}, g^{\alpha ^2} \cdot g^{x_{1}\alpha ^{2^{\ell -1}+2}}, \dots ).\)
We can write this differently as \(\textbf{v}'\)=\((v_1 v_1^{x_{1}\alpha ^{2^{\ell -1}}}, \dots v_{2^{\ell -1}} v_{2^{\ell -1}}^{x_{1}\alpha ^{2^{\ell -1}}}).\)
This gives us a nicely written commitment key after first round
We can apply the induction assumption for step \(\ell -1\) to \(\textbf{v}_{[:2^{\ell -1}]}\) which is a commitment key of length \(2^{\ell -1}\). This means the final key for \(\textbf{v}\) is:
Remark than in more generality, this can be written as:
Therefore, if we start with an initial key \(\textbf{w}= (w_1=g^{\alpha ^n}, w_2^{\alpha ^{n+1}} \dots , w_n =g^{\alpha ^{2n -1}})\), the final key w can be written as:
Rights and permissions
Copyright information
© 2022 International Financial Cryptography Association
About this paper
Cite this paper
Gailly, N., Maller, M., Nitulescu, A. (2022). SnarkPack: Practical SNARK Aggregation. In: Eyal, I., Garay, J. (eds) Financial Cryptography and Data Security. FC 2022. Lecture Notes in Computer Science, vol 13411. Springer, Cham. https://doi.org/10.1007/978-3-031-18283-9_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-18283-9_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-18282-2
Online ISBN: 978-3-031-18283-9
eBook Packages: Computer ScienceComputer Science (R0)