1. Jens Groth and Mary Maller University College London
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Jens Groth and Mary Maller
University College London
TexPoint fonts used in EMF.
Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

2. Digital signature 𝑝𝑘,𝑠𝑘 ∈ 𝑅 key Public key 𝑝𝑘 OK Message 𝑚 Signature 𝜎
sEUF-CMA security: Adversary sees signatures 𝜎 𝑖 on adaptively chosen messages 𝑚 𝑖 , cannot forge valid message-signature pair (𝑚,𝜎) except by copying earlier pair ( 𝑚 𝑖 , 𝜎 𝑖 )
Signer Verifier

3. Schnorr signatures 𝑝𝑘,𝑠𝑘 ∈ 𝑅 key Public key 𝑝𝑘 Message 𝑚 Signature 𝜎
Here is a proof that I know the secret key 𝑠𝑘 associated with 𝑝𝑘 and I want to sign message 𝑚
Knowledges soundness: Really knows 𝑠𝑘
Zero-knowledge: Does not disclose enough about 𝑠𝑘 to enable others to sign messages
Signer Verifier

4. Signatures of knowledge
𝜙,𝑤 ∈ 𝑅 NP
Instance 𝜙∈ 𝐿 𝑅
Message 𝑚
Signature 𝜎
Signer Verifier
Here is a proof that I know a witness 𝑤 for 𝜙∈ 𝐿 𝑅 and I want to sign message 𝑚

5. Signature of knowledge algorithms
Relation generator 𝑹 1 𝜆 →𝑅
Security parameter 𝜆
NP-relations 𝑅 of pairs (𝜙,𝑤)
Setup 𝑅 : Generate public parameters 𝑝𝑝
Sign(𝑝𝑝,𝜙,𝑤,𝑚): Given 𝜙,𝑤 ∈𝑅 return signature of knowledge 𝜎 on 𝑚
Vfy 𝑝𝑝,𝜙,𝑚,𝜎 : Return 1 (accept) or 0 (reject)

6. Correctness 𝜙,𝑤 ∈𝑅 Instance 𝜙 OK Message 𝑚 Signature 𝜎
For all 𝜆∈𝑵,𝑅←𝑹 1 𝜆 , 𝜙,𝑤 ∈𝑅,𝑚∈ 0,1 ∗
Pr 𝑝𝑝←Setup 𝑅 ;𝜎←Sign 𝑝𝑝,𝜙,𝑤,𝑚 :Vfy 𝑝𝑝,𝜙,𝑚,𝜎 =1 =1

7. What you prove Standard signatures Signatures of knowledge
Public key 𝑝𝑘
Secret key 𝑠𝑘
Example
𝑝𝑘= 𝐺,𝑌
𝑠𝑘=𝑥 such that 𝑌= 𝐺 𝑥
𝑥 1 ∧ 𝑥 2 ∧¬ 𝑥 3 ∨( 𝑥 2 ∧ x 4 ∧ 𝑥 5 )
SAT 1
Hamiltonian cycle
Circuit SAT
Randomly chosen keys 𝑝𝑘,𝑠𝑘 ←KeyGen 1 𝜆 Often used repeatedly
Arbitrary statements Two instances 𝜙,𝜙′ may be related, say, 𝑤 ′ =𝑤+1

8. Simulatability Damned, I did not learn the witness 𝜙,𝑤 ∈𝑅 Instance 𝜙
Message 𝑚
Signature 𝜎
For all 𝜆∈𝑁,𝑅←𝑹 1 𝜆 and all adversaries 𝐴 selecting 𝜙,𝑤 ∈𝑅
Pr⁡[ 𝑝𝑝,𝜏 ←SimSetup 𝑅 ; 𝜙,𝑤,𝑚 ←𝐴 𝑝𝑝 ;𝜎←SimSign 𝜏,𝜙,𝑚 :𝐴 𝜎 =1] = Pr 𝑝𝑝←Setup 𝑅 ; 𝜙,𝑤,𝑚 ←𝐴 𝑝𝑝 ;𝜎←Sign 𝑝𝑝,𝜙,𝑤,𝑚 :𝐴 𝜎 =1

9. I don’t know 𝑤, but maybe I can cheat
Simulation-extractability
Non-black-box extractor because we want succinctness!
I don’t know 𝑤, but maybe I can cheat
Instance 𝜙
Message 𝑚
Signature 𝜎
For all PPT adversaries 𝐴 there is a PPT extractor 𝜒 𝐴 s.t.
Pr 𝑅←𝑹 1 𝜆 ; 𝑝𝑝,𝜏 ←SimSetup 𝑅 ; 𝜙,𝑚,𝜎 ← 𝐴 SimSign 𝜏,⋅,⋅ 𝑝𝑝 ; 𝑤← 𝜒 𝐴 tran script 𝐴 :Vfy 𝑝𝑝,𝜙,𝑚,𝜎 =1 ∧ 𝜙,𝑚,𝜎 ∉𝑄∧ 𝜙,𝑤 ∉𝑅 ≈0

10. Non-interactive zero-knowledge argument
𝜙,𝑤 ∈𝑅
Common reference string OK
Instance 𝜙
Proof 
Prover Verifier
Zero-knowledge:
Nothing but truth revealed
Soundness:
Statement is true

11. NIZK argument algorithms
Relation generator 𝑹 1 𝜆 →𝑅
Security parameter 𝜆
NP-relations 𝑅 of pairs (𝜙,𝑤)
Setup 𝑅 : Generate common reference string 𝑐𝑟𝑠
Prove(𝑐𝑟𝑠,𝜙,𝑤): Given 𝜙,𝑤 ∈𝑅 return proof 𝜋
Vfy 𝑐𝑟𝑠,𝜙,𝜋 : Return 1 (accept) or 0 (reject)

12. Completeness 𝜙,𝑤 ∈𝑅 OK Common reference string Instance 𝜙 Proof 𝜋
For all 𝜆∈𝑵,𝑅←𝑹 1 𝜆 , 𝜙,𝑤 ∈𝑅
Pr 𝑐𝑟𝑠←Setup 𝑅 ;𝜋←Prove 𝑐𝑟𝑠,𝜙,𝑤 :Vfy 𝑐𝑟𝑠,𝜙,𝜋 =1 =1

13. Zero-knowledge Damned, I did not learn the witness 𝜙,𝑤 ∈𝑅
Common reference string
Instance 𝜙
Proof 𝜋
For all 𝜆∈𝑁,𝑅←𝑹 1 𝜆 and all adversaries 𝐴 selecting 𝜙,𝑤 ∈𝑅
Pr⁡[ 𝑐𝑟𝑠,𝜏 ←SimSetup 𝑅 ; 𝜙,𝑤 ←𝐴(𝑐𝑟𝑠);𝜎←SimProve 𝜏,𝜙 :𝐴 𝜎 =1] = Pr 𝑐𝑟𝑠←Setup 𝑅 ; 𝜙,𝑤 ←𝐴 𝑐𝑟𝑠 ;𝜋←Prove 𝑐𝑟𝑠,𝜙,𝑤 :𝐴 𝜎 =1

14. I don’t know 𝑤, but maybe I can cheat
Simulation-extractability
I don’t know 𝑤, but maybe I can cheat
Common reference string
Instance 𝜙
Proof 𝜋
For all PPT adversaries 𝐴 there is a PPT extractor 𝜒 𝐴 s.t.
Pr 𝑅←𝑹 1 𝜆 ; 𝑐𝑟𝑠,𝜏 ←SimSetup 𝑅 ; 𝜙,𝜋 ← 𝐴 SimProve 𝜏,⋅ 𝑐𝑟𝑠 ; 𝑤← 𝜒 𝐴 tran script 𝐴 :Vfy 𝑐𝑟𝑠,𝜙,𝜋 =0 or 𝜙,𝜋 ∈𝑄 or 𝜙,𝑤 ∈𝑅 ≈1

15. Signatures of knowledge imply simulation-extractable NIZK arguments
Completeness follows from correctness
Zero-knowledge follows from simulatability
Simulation-extractability follows from simulation-extractability
ZSetup 𝑅
Return 𝑐𝑟𝑠=𝑝𝑝←SSetup(𝑅)
ZProve(𝑐𝑟𝑠,𝜙,𝑤)
Set 𝑚=0
Return 𝜋=𝜎←SSign(𝑐𝑟𝑠,𝜙,𝑤,𝑚)
ZVfy 𝑐𝑟𝑠,𝜙,𝜋
Return SVfy 𝑐𝑟𝑠,𝜙,𝑚,𝜋

16. Simulation-extractable NIZK arguments and CRHFs imply signatures of knowledge
Hash-function 𝐻 𝐾 : 0,1 ∗ → 0,1 𝜆
Define 𝑅 ′ = 𝜙 ′ ,𝑤 : 𝜙 ′ = ℎ,𝜙 ℎ∈ 0,1 𝜆 𝜙,𝑤 ∈𝑅
Correctness from completeness
Simulatability from zero-knowledge
Simulation-extractability from collision-resistance and simulation-extractability
SSetup 𝑅
Pick hash-function key 𝐾← 0,1 ℓ(𝜆)
Run 𝑐𝑟𝑠←ZSetup(𝑅)
Return 𝑝𝑝=(𝐾,𝑐𝑟𝑠)
SSign(𝑝𝑝,𝜙,𝑤,𝑚)
Set 𝜙 ′ = 𝐻 𝐾 𝑚 ,𝜙
Return 𝜎=𝜋←ZProve(𝑐𝑟𝑠,𝜙′,𝑤)
SVfy 𝑐𝑟𝑠,𝜙,𝑚,𝜎
Return ZVfy 𝑐𝑟𝑠,𝜙′,𝜎

17. Our contribution SE-NIZK argument Efficiency
Perfect completeness
Perfect zero-knowledge
Simulation-extractable
XPKE and Poly assumptions
Efficiency
Asymmetric (Type III) pairings
3 group element proofs
Low computation
SE-SNARK Simulation-extractable Succinct Non-interactive Argument of Knowledge

18. Example corresponds to quadratic equation 𝑠 1 + 𝑠 3 ⋅ 𝑠 3 = 𝑠 2
In general arithmetic circuit can be written as a set of 𝑛 equations of the form (∑ 𝑠 𝑖 𝑢 𝑖 )⋅ ∑ 𝑠 𝑖 𝑣 𝑖 =∑ 𝑠 𝑖 𝑤 𝑖
over variables 𝑠 1 ,…, 𝑠 𝑚 and by convention 𝑠 0 =1
Arithmetic circuit defines an NP-language with instances ( 𝑠 1 ,…, 𝑠 ℓ ) and witnesses ( 𝑠 ℓ+1 ,…, 𝑠 𝑚 )
Arithmetic circuit
𝑠 2
𝑠 4
𝑠 1
𝑠 3

19. Set of squaring constraints
Go from 𝑛 equations over 𝑚 variables up to 2𝑛 equations over 𝑚+𝑛 variables
Consider a set of quadratic equations ∑ 𝑠 𝑖 𝑢 𝑖 ⋅ ∑ 𝑠 𝑖 𝑣 𝑖 =∑ 𝑠 𝑖 𝑤 𝑖 over a field 𝒁 𝑝 with constants 𝑢 𝑖 , 𝑣 𝑖 , 𝑤 𝑖 and variables 𝑠 0 =1,𝜙= 𝑠 1 ,…, 𝑠 ℓ ,𝑤=( 𝑠 ℓ+1 ,…, 𝑠 𝑚 )
We can use the equality 𝑎+𝑏 2 = 𝑎−𝑏 2 +4𝑎𝑏 to rewrite them as a set of squaring equations ∑ 𝑠 𝑖 ( 𝑢 𝑖 + 𝑣 𝑖 ) 2 = 𝑠 ′ +4∑ 𝑠 𝑖 𝑤 𝑖 ∑ 𝑠 𝑖 ( 𝑢 𝑖 − 𝑣 𝑖 ) 2 =𝑠′

20. Polynomial rewriting
Consider 𝑛 squaring equations over 𝑚 variables ∑ 𝑠 𝑖 𝑢 𝑖𝑗 2 =∑ 𝑠 𝑖 𝑤 𝑖𝑗 𝑗=1,…,𝑛
Pick distinct 𝑟 1 ,…, 𝑟 𝑛 ∈ 𝑍 𝑝
Let 𝑢 0 𝑋 ,…, 𝑢 𝑚 𝑋 and 𝑤 0 𝑋 ,…, 𝑤 𝑚 (𝑋) be degree 𝑛−1 polynomials such that 𝑢 𝑖 𝑟 𝑗 = 𝑢 𝑖𝑗 𝑤 𝑖 𝑟 𝑗 = 𝑤 𝑖𝑗
Key observation ∑ 𝑠 𝑖 𝑢 𝑖 𝑟 𝑗 2 =∑ 𝑠 𝑖 𝑤 𝑖 𝑟 𝑗 𝑗=1,…,𝑛
Define 𝑡 𝑋 =∏ 𝑋− 𝑟 𝑗
Key observation can be rewritten as
∑ 𝑠 𝑖 𝑢 𝑖 𝑋 2 =∑ 𝑠 𝑖 𝑤 𝑖 𝑋 mod 𝑡(𝑋)

21. Square arithmetic programs
Square arithmetic program described by
Prime 𝑝, integers 1≤ℓ≤𝑚 and 1≤𝑛
Degree 𝑛 polys 𝑢 0 𝑋 ,…, 𝑢 𝑚 𝑋 , 𝑤 0 𝑋 ,…, 𝑤 𝑚 𝑋 ,𝑡(𝑋)
Square arithmetic program relation 𝑅= 𝜙,𝑤 𝑠 0 =1 , 𝜙= 𝑠 1 ,…, 𝑠 ℓ ∈ 𝒁 𝑝 ℓ 𝑤= 𝑠 ℓ+1 ,…, 𝑠 𝑚 ∈ 𝒁 𝑝 𝑚−ℓ+1 ∑ 𝑠 𝑖 𝑢 𝑖 𝑋 2 =∑ 𝑠 𝑖 𝑤 𝑖 𝑋 mod 𝑡 𝑋

22. Prime order bilinear groups
Gen( 1 𝜆 ) generates (𝑝, 𝐺 1 , 𝐺 2 , 𝐺 𝑇 ,𝑒,𝐺,𝐻)
𝐺 1 , 𝐺 2 , 𝐺 𝑇 finite cyclic groups of prime order 𝑝 generated by 𝐺,𝐻 and 𝑒(𝐺,𝐻)
Bilinear map
𝑒 𝐺 𝑎 , 𝐻 𝑏 =𝑒 𝐺,𝐻 𝑎𝑏
Generic group operations efficiently computable
Deciding group membership, group multiplications, pairing
Asymmetric bilinear groups (Type III): No efficiently computable isomorphism between 𝐺 1 and 𝐺 2

23. SE-SNARK CRS size: 𝑚+2𝑛 𝐺 1 ,𝑛 𝐺 2 Proof size: 2 𝐺 1 , 1 𝐺 2
Prover: 𝑚+2𝑛−ℓ 𝐸 1 ,𝑛 𝐸 2
Verifier: ℓ 𝐸 1 , 5 𝑃
SE-SNARK
Setup 𝑅 →𝑐𝑟𝑠
𝐺← 𝐺 1 ∗ ,𝐻← 𝐺 2 ∗ ,𝛼,𝛽,𝛾,𝑥← 𝒁 𝑝 ∗ such that 𝑡 𝑥 ≠0
𝑐𝑟𝑠= 𝑅, 𝐺 𝛼 , 𝐺 𝛽 , 𝐺 𝛾𝑡 𝑥 , 𝐺 𝛾𝑡 𝑥 2 , 𝐺 𝛼+𝛽 𝛾𝑡 𝑥 , 𝐺 𝛾 𝑥 𝑖 , 𝐻 𝛾 𝑥 𝑖 , 𝐺 𝛾 2 𝑡 𝑥 𝑥 𝑖 𝑖=1 𝑛−1 𝐺 𝛾 𝑤 𝑖 𝑥 + 𝛼+𝛽 𝑢 𝑖 𝑥 𝑖=0 ℓ , 𝐺 𝛾 2 𝑤 𝑖 𝑥 + 𝛼+𝛽 𝛾 𝑢 𝑖 𝑥 𝑖=ℓ+1 𝑚 ,𝐻, 𝐻 𝛽 , 𝐻 𝛾𝑡 𝑥
Prove 𝑐𝑟𝑠,𝜙,𝑤 →𝜋=(𝐴,𝐵,𝐶)
𝑟← 𝒁 𝑝 𝐴= 𝐺 𝛾 ∑ 𝑠 𝑖 𝑢 𝑖 𝑥 +𝑟𝑡 𝑥 𝐵= 𝐻 𝛾 ∑ 𝑠 𝑖 𝑢 𝑖 𝑥 +𝑟𝑡 𝑥
𝐶= 𝐺 𝑖>ℓ 𝑠 𝑖 ( 𝛾 2 𝑤 𝑖 𝑥 + 𝛼+𝛽 𝛾 𝑢 𝑖 (𝑥) + 𝑟 2 𝛾 2 𝑡 𝑥 2 +𝑟 𝛼+𝛽 𝛾𝑡 𝑥 ℎ 𝑥 +2𝑟∑ 𝑠 𝑖 𝑢 𝑖 𝑥
Vfy 𝑐𝑟𝑠,𝜙,𝜋 →0/1
Return 1 if and only if 𝑒 𝐴, 𝐻 𝛾 =𝑒( 𝐺 𝛾 ,𝐵) and
𝑒 𝐴 𝐺 𝛼 ,𝐵 𝐻 𝛽 =𝑒 𝐺 𝛼 , 𝐻 𝛽 𝑒 𝐺 𝑖≤ℓ 𝑠 𝑖 𝛾 𝑤 𝑖 𝑥 + 𝛼+𝛽 𝑢 𝑖 𝑥 , 𝐻 𝛾 𝑒(𝐶,𝐻)

24. Assumptions Computational Polynomial Assumption
See paper
Extended Power Knowledge of Exponent Assump.
For all PPT 𝐴 there is PPT 𝜒 𝐴 s.t. Pr 𝑔𝑘= 𝑝, 𝐺 1 , 𝐺 2 , 𝐺 𝑇 ,𝑒,𝐺,𝐻 ←Gen 1 𝜆 ;𝒛← 𝒁 𝑝 𝑞 𝐺 𝑎 , 𝐻 𝑏 ← 𝐴 𝑂 𝐺,𝒛 1 ⋅ , 𝑂 𝐻,𝒛 2 ⋅ 𝑔𝑘 ;𝜼← 𝜒 𝐴 (transcrip t 𝐴 ) 𝑎=𝑏 𝑎𝑛𝑑 𝑏≠∑ 𝜂 𝑖 ℎ 𝑗 (𝒛) : ≈0
where on 𝑞-variate polynomials 𝑔 𝑗 or ℎ 𝑗 𝑂 𝐺,𝒛 1 𝑔 𝑗 𝒁 returns 𝐺 𝑔 𝑗 𝒛 and 𝑂 𝐻,𝒛 2 ℎ 𝑗 𝒁 returns 𝐻 ℎ 𝑗 𝒛

25. Efficiency Lower bounds
Construction
Proof size
Prover
Verifier
Eq.
[BCTV14] (zk-SNARK)
7 𝐺 1 , 1 𝐺 2
6𝑚+𝑛 𝐸 1 , 𝑚 𝐸 2
ℓ 𝐸 1 , 12 𝑃 5
[Groth16] (zk-SNARK)
2 𝐺 1 , 1 𝐺 2
𝑚+3𝑛 𝐸 1 , 𝑛 𝐸 2
ℓ 𝐸 1 , 3 𝑃 1
This work (SE-SNARK)
𝑚+4𝑛 𝐸 1 , 2𝑛 𝐸 2
ℓ 𝐸 1 , 5 𝑃 2
Arithmetic circuits with 𝑚 wires, 𝑛 gates, instance size ℓ (ℓ≪𝑛<𝑚)
Group element 𝐺, exponentiation 𝐸, pairing 𝑃
Lower bounds
[Groth16]: Pairing based zk-SNARKs cannot have 1 group element proofs
This work: Pairing based SE-SNARKs cannot have 2 group element proofs or just 1 verification equation