SHARK: zero-knowledge succinct hybrid argument of knowledge (slide transcript, 2019/04/10)
• Privacy-preserving cryptocurrencies
• Privacy-preserving smart contracts
• Proof of regulatory compliance
• Blockchain-based sovereign identity
(see [ZKProof Standardization – Applications Track])

Need zero-knowledge non-interactive arguments of knowledge, ideally succinct ones: zk-SNARK.
• QAP-based [GGPR13][PGHR13][BCGTV13][DFGK14][Groth16][GM17][BG18]…
Fastest verification. Widely used.
Require a Structured Reference String (SRS), also called a Common Reference String (CRS).
Generating an SRS:
• Trusted setup
• MPC + destruction [BCGTV15][BGG17]
• Updatable SRS [GKMMM18, MBKM19]
• Scalable SRS generation (“Powers of Tau”) [BGM18]
Other zk-SNARKs
• PCP-based (e.g., libSTARK) [Micali94][BCGT13][BCS16][BBCGGHPRSTV17][BBHR18]
Asymptotically succinct but large constants.
Non-succinct ZK:
• Aurora [BCRSVW19]
• Bulletproofs [BCCGP16][BBBPWM17]
• Hyrax [WTSTW17]
• Ligero [AHIV17]
• ZKBoo(++) [GMO16][CDGORRSZ17]
Slow verification and/or large proofs (as the statement grows).
• Seeing transactions
• Including new transactions in a block
• Verifying the previous block
Slow verification → miners get a head start by not validating → double-spends and chain splits [July 2015 Bitcoin fork: after BIP66 activated, pools mining on unvalidated block headers extended an invalid block]
SHARK: zero-knowledge succinct hybrid argument of knowledge
• Short proof
• Optimistic verification: fast (comparable to QAP-based SNARK); relies on an SRS
• Prudent verification: slow (comparable to Bulletproofs); no SRS
• Optimistically verify during propagation.
• Optimistically verify tx for inclusion in the block template; prudently verify later, during PoW.
• Optimistically verify incoming blocks; prudently verify later, during PoW.
Optimistic verification vs. prudent verification: what if the optimistic verifier accepts but the prudent verifier rejects the same statement?
• Detection
  – Real-time
  – Revoke SRS
  – Such a pair of proofs (the optimistic proof verifies, the prudent proof does not) is a fraud proof for a compromised SRS!
• Recovery
  – Soundness: prudently verify
  – Speed: regenerate the SRS + refresh the optimistic proofs.
SHARK requirement: anyone can refresh, without the original sender.
Attempt – parallel composition:
1. Fix a language 𝐿 and construct a NIZK for it: 𝑃NIZK(𝑥, 𝑤) → 𝜋, and 𝑉NIZK(𝑥, 𝜋) decides 𝑥 ∈ 𝐿. Call 𝜋 the “prudent proof”.
2. Construct a SNARK for the same 𝐿: 𝑃SNARK(𝑥, 𝑤) → 𝜙, and 𝑉SNARK(𝑥, 𝜙) decides 𝑥 ∈ 𝐿.
(Not pictured: 𝐺NIZK, 𝐺SNARK.)
Optimistic proofs should be refreshable without 𝑤, but here 𝑃SNARK takes 𝑤 as input ⇒ 𝜙 is not a SHARK optimistic proof.
Construction:
1. Fix a language 𝐿 and construct a NIZK for it: 𝑃NIZK(𝑥, 𝑤) → 𝜋, and 𝑉NIZK(𝑥, 𝜋) decides 𝑥 ∈ 𝐿. Call 𝜋 the “prudent proof”.
2. Construct a SNARK not for 𝐿 itself but for the statement “𝑉NIZK(𝑥, 𝜋) accepts”: 𝑃SNARK(𝑥, 𝜋) → 𝜙, and 𝑉SNARK(𝑥, 𝜙) decides 𝑥 ∈ 𝐿 (via the soundness of 𝑉NIZK). Call 𝜙 the “optimistic proof”.
(Not pictured: 𝐺NIZK, 𝐺SNARK.)
The SNARK witness is now 𝜋 rather than 𝑤, so anyone holding (𝑥, 𝜋) can recompute 𝜙 under a fresh SRS; this is what makes optimistic proofs refreshable without the original sender.
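The construction above and the detection/recovery policy from the earlier slides, as an added Python example (this is not code from the slides or from the SHARK authors). The prudent proof 𝜋 is a real Fiat-Shamir Schnorr NIZK over secp256k1, which needs no reference string. The optimistic proof 𝜙 is an explicitly labelled stand-in for the SNARK over “𝑉NIZK accepts”: a hash bound to an SRS identifier and to 𝜋. That stand-in is neither succinct nor sound on its own, so it behaves exactly like a fully compromised SRS, which is the situation the node's fraud-proof and refresh logic has to survive; a deployment would put Groth16 there, as on the slides. The names (`Node`, `optimistic_prove`, `srs_generate`, the `shark/...` domain tags), the toy SRS, and the choice to bind 𝜙 to a hash of the exact 𝜋 carried in the transaction are this example's assumptions, not something the slides specify.

```python
# Added example: SHARK-style hybrid verification. pi is a real Fiat-Shamir Schnorr NIZK over
# secp256k1 (no reference string); phi is a STAND-IN for the SNARK over "V_NIZK(x, pi) accepts":
# a hash bound to an SRS id and to pi, neither succinct nor sound, i.e. a fully compromised SRS.
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N and G are the group order and base point
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None  # double-and-add; not constant-time, demonstration only
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def H(*parts):  # domain-separated SHA-256 over fixed-width encodings of points, ints, bytes, tags
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, tuple):
            h.update(p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big"))
        else:
            h.update(p.to_bytes(32, "big") if isinstance(p, int) else p.encode() if isinstance(p, str) else p)
    return h.digest()

# Prudent proof: Schnorr NIZK for "I know w with x = w*G". Needs no reference string.
def nizk_prove(x, w):
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    e = int.from_bytes(H("shark/nizk", x, R), "big") % N
    return R, (r + e * w) % N

def nizk_verify(x, pi):
    R, s = pi
    if not (on_curve(x) and on_curve(R) and 0 <= s < N): return False
    e = int.from_bytes(H("shark/nizk", x, R), "big") % N
    return ec_mul(s, G) == ec_add(R, ec_mul(e, x))

# Optimistic proof: stand-in for the SNARK over "V_NIZK(x, pi) accepts" (example assumption).
def srs_generate():
    return secrets.token_bytes(16)  # toy SRS: a public identifier, no trapdoor modelled

def optimistic_prove(srs, x, pi):  # P_SNARK stand-in: input is (x, pi), never w
    if not nizk_verify(x, pi): raise ValueError("honest prover refuses: prudent proof does not verify")
    return H("shark/optimistic", srs, x, H("pi", *pi))

def optimistic_verify(srs, x, pi, phi):  # V_SNARK stand-in: one hash, bound to SRS and exact pi
    return phi == H("shark/optimistic", srs, x, H("pi", *pi))

class Node:  # slide policy: optimistic check on the hot path, prudent check deferred to PoW time
    def __init__(self, srs):
        self.srs, self.fraud_proofs = srs, []
    def admit(self, tx):  # on propagation / block-template building
        x, pi, phi, srs = tx
        return srs == self.srs and optimistic_verify(srs, x, pi, phi)
    def prudent(self, tx):  # later, while the PoW is being searched
        x, pi, phi, srs = tx
        if nizk_verify(x, pi):
            return "ok"
        if optimistic_verify(srs, x, pi, phi):  # optimistic accepted but prudent rejects
            self.fraud_proofs.append(tx)  # this (phi, pi) pair is the fraud proof; SRS is revoked
            self.srs = srs_generate()  # recovery: regenerate the SRS, then refresh the phis
            return "fraud"
        return "reject"
    def refresh(self, tx):  # any relay can do this from (x, pi); no witness involved
        x, pi, _, _ = tx
        return x, pi, optimistic_prove(self.srs, x, pi), self.srs

def demo():
    node = Node(srs_generate())
    w = secrets.randbelow(N - 1) + 1  # honest sender's witness
    x = ec_mul(w, G)
    pi = nizk_prove(x, w)
    honest = (x, pi, optimistic_prove(node.srs, x, pi), node.srs)
    out = {"honest_admitted": node.admit(honest), "honest_prudent": node.prudent(honest)}
    # Attacker with the toy (hence compromised) SRS forges phi for x + G, whose witness nobody
    # knows, with a junk pi; with a real SNARK this step would require the setup trapdoor.
    x_bad, pi_bad = ec_add(x, G), (G, 0)
    forged = (x_bad, pi_bad, H("shark/optimistic", node.srs, x_bad, H("pi", *pi_bad)), node.srs)
    out["forged_admitted"], out["forged_prudent"] = node.admit(forged), node.prudent(forged)
    out["stale_phi_admitted"] = node.admit(honest)  # old SRS revoked: rejected until refreshed
    refreshed = node.refresh(honest)  # a relay holding only (x, pi) refreshes phi
    out["refreshed_admitted"], out["refreshed_prudent"] = node.admit(refreshed), node.prudent(refreshed)
    return out
```

Calling `demo()` (Python 3.8+ for `pow(x, -1, P)`) walks through the four cases: an honest transaction passes both checks; a forged optimistic proof is admitted on the hot path but flagged as `"fraud"` by the deferred prudent check, which records the (𝜙, 𝜋) pair and regenerates the SRS; the honest transaction's old 𝜙 is then rejected as stale; and a relay refreshes it from (𝑥, 𝜋) alone, after which it passes again. `optimistic_verify` takes 𝜋 only to hash it, so that 𝜙 is bound to the exact prudent proof in the transaction; that is this example's choice, and in a real SNARK it would correspond to putting a digest of 𝜋 into the public input. `prudent` is where a real node would spend the Bulletproofs-scale verification time the slides describe.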
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
![Page 84: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/84.jpg)
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
![Page 85: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/85.jpg)
Generically combining
state-of-the-art components:
● Bulletproofs NIZK + Groth16 SNARK
𝑂( 𝐶 )-size circuit
𝑂(𝜆 𝐶 ) group
ops in 𝑉NIZK
𝑂(𝜆2 𝐶 ) group
ops in 𝑃SNARK
some speed-up via multiexp
![Page 86: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/86.jpg)
Slides 87–95

Our SHARK

NIZK for R1CS (≈ “arithmetic circuits with bilinear gates”):
● public-coin NIZK from LPCPs ⇒ prudent mode
● an optimized variant of Bulletproofs’ inner product argument ⇒ 𝑉NIZK has an “algebraic heart”

A special-purpose SNARK:
● a new compilation technique for linear PCPs, for “encoded polynomial delegation”, a problem we introduce
Slides 96–106

[GGPR12][BCIOP13]
1. Design a proof system sound against linear provers.
2. Force the prover to be linear using a cryptographic encoding.

Diagram (not reproduced): the prover 𝑃, on input (𝑥, 𝑤), outputs a proof vector 𝜋. The query sampler 𝑄 outputs queries 𝑞⃗(1), …, 𝑞⃗(𝑘) together with a state. The answers are 𝑎𝑖 = ⟨𝑞⃗(𝑖), 𝜋⟩. The decision predicate 𝐷, on input (state, 𝑥, 𝑎1, …, 𝑎𝑘), outputs acc/rej.
Can define natural notions of completeness, PoK, ZK.
Slides 107–120

Prover 𝑃 and verifier 𝑉:
1. 𝑃 runs 𝑃LPCP(𝑥, 𝑤) → 𝜋 and sends 𝐜𝐦𝜋 ≔ Commit(𝜋).
2. 𝑉 picks coins for 𝑄LPCP.
3. 𝑃 runs 𝑄LPCP on those coins to obtain 𝑞⃗(𝑖), … and the state, and sends 𝑎𝑖 ≔ ⟨𝑞⃗(𝑖), 𝜋⟩.
4. 𝑉 runs 𝑄LPCP to compute the state.
5. 𝑉 checks that the 𝑎𝑖’s are consistent with 𝐜𝐦𝜋, and checks that 𝐷LPCP(state, 𝑥, 𝑎𝑖) accepts (acc/rej).
Observe that 𝑃LPCP does not need to know the queries a priori.
Public-coin, so we can’t encrypt queries or use functional commitments. [BCIOP13] [LRY16]
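The linear-PCP interface of slides 96–106 and steps 1–4 of the protocol above, as an added Python example that is not the talk’s or the paper’s code. It uses a constructed Hadamard-style linear PCP for a two-constraint R1CS (not the QAP-based LPCP of [GGPR12]) with prover 𝑃LPCP, public-coin query sampler 𝑄LPCP and decision predicate 𝐷LPCP; the commitment of step 1 and the consistency check of step 5 are left out, and there is no zero knowledge. The field, the R1CS instance and the seeds are all constructed for the example.

```python
"""Toy linear PCP (LPCP) in the slides' three-algorithm form: prover P_LPCP,
public-coin query sampler Q_LPCP and decision predicate D_LPCP.
Constructed example: a Hadamard-style proof pi = (z, z (x) z) for a tiny R1CS,
not the QAP-based LPCP of [GGPR12]; no commitments, no zero-knowledge."""
import random
from typing import Dict, List, Tuple

F = 2**61 - 1  # prime field for the toy instance (constructed choice)

# R1CS over z = (1, x_1, w_1, w_2): row j is (A_j, B_j, C_j) with <A_j,z> * <B_j,z> = <C_j,z>.
# Constructed instance: w_1 * w_2 = x_1 and w_1 * w_1 = w_2, i.e. "I know a cube root of x_1".
M = 4           # length of z
NUM_PUBLIC = 2  # the constant 1 and x_1
R1CS = [
    ([0, 0, 1, 0], [0, 0, 0, 1], [0, 1, 0, 0]),  # w_1 * w_2 = x_1
    ([0, 0, 1, 0], [0, 0, 1, 0], [0, 0, 0, 1]),  # w_1 * w_1 = w_2
]


def inner(u: List[int], v: List[int]) -> int:
    return sum(a * b for a, b in zip(u, v)) % F


def tensor(u: List[int], v: List[int]) -> List[int]:
    """u (x) v in row-major order: entry i*len(v)+j equals u[i]*v[j]."""
    return [a * b % F for a in u for b in v]


def on_z_part(v: List[int]) -> List[int]:
    """Query that reads only the z part of pi."""
    return v + [0] * (M * M)


def on_tensor_part(v: List[int]) -> List[int]:
    """Query that reads only the z (x) z part of pi."""
    return [0] * M + v


def lpcp_prover(x: List[int], w: List[int]) -> List[int]:
    """P_LPCP: pi is a fixed vector; a linear prover answers <q, pi> for every query q."""
    z = [1] + x + w
    return z + tensor(z, z)  # length M + M^2


def lpcp_query_sampler(coins: int) -> Tuple[List[List[int]], Dict[str, List[int]]]:
    """Q_LPCP: derive the k = 6 queries and the verifier state from public coins."""
    rng = random.Random(coins)
    s = [rng.randrange(F) for _ in range(M)]
    s2 = [rng.randrange(F) for _ in range(M)]
    r = [rng.randrange(F) for _ in R1CS]                  # one challenge per constraint
    t = [rng.randrange(F) for _ in range(NUM_PUBLIC)] + [0] * (M - NUM_PUBLIC)
    ab = [0] * (M * M)   # sum_j r_j (A_j (x) B_j)
    c = [0] * M          # sum_j r_j C_j
    for rj, (a_row, b_row, c_row) in zip(r, R1CS):
        for idx, val in enumerate(tensor(a_row, b_row)):
            ab[idx] = (ab[idx] + rj * val) % F
        for idx, val in enumerate(c_row):
            c[idx] = (c[idx] + rj * val) % F
    queries = [on_z_part(s), on_z_part(s2), on_tensor_part(tensor(s, s2)),
               on_tensor_part(ab), on_z_part(c), on_z_part(t)]
    return queries, {"t": t}


def lpcp_decision(state: Dict[str, List[int]], x: List[int], a: List[int]) -> bool:
    """D_LPCP: tensor-consistency check, randomised constraint check, public-input check."""
    a1, a2, a3, a4, a5, a6 = a
    tensor_ok = a1 * a2 % F == a3          # <s,z><s',z> = <s (x) s', z (x) z>
    constraints_ok = a4 == a5              # sum_j r_j (<A_j,z><B_j,z> - <C_j,z>) = 0
    public_ok = a6 == inner(state["t"], [1] + x + [0] * (M - NUM_PUBLIC))
    return tensor_ok and constraints_ok and public_ok


def run_public_coin(pi: List[int], x: List[int], coins: int) -> bool:
    """Steps 1-4 of the slide protocol without the commitment: pi is fixed before the
    coins are known, and both parties can run Q_LPCP because the coins are public."""
    queries, _ = lpcp_query_sampler(coins)          # prover derives the queries ...
    answers = [inner(q, pi) for q in queries]       # ... and answers a_i = <q_i, pi>
    _, state = lpcp_query_sampler(coins)            # verifier re-runs Q_LPCP for the state
    return lpcp_decision(state, x, answers)


if __name__ == "__main__":
    x, w = [27], [3, 9]
    print("honest witness accepted:", run_public_coin(lpcp_prover(x, w), x, coins=2019))
    print("wrong witness accepted: ", run_public_coin(lpcp_prover(x, [4, 9]), x, coins=2019))
```

A proof whose z part and tensor part disagree (a linear prover that did not compute z ⊗ z from its own z) is caught by the tensor check, while a wrong witness is caught by the randomised constraint check.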
Slides 121–131

Verifier knows: the 𝑞⃗’s, the 𝑎’s, and a commitment to the proof, 𝐜𝐦𝜋 ≔ Commit(𝜋).
Goal: for every query 𝑞⃗, check 𝑎 = ⟨𝑞⃗, 𝜋⟩ for the pre-committed 𝜋.
Technique: inner-product arguments [BCCGP16, BBBPWM18]
  Input: two vector Pedersen commitments 𝐜𝐦𝑢, 𝐜𝐦𝑣, and 𝑧 ∈ 𝔽.
  Prove: the decommitments 𝑢⃗, 𝑣⃗ ∈ 𝔽ⁿ have the specified inner product 𝑧 = ⟨𝑢⃗, 𝑣⃗⟩.
So the verifier:
● computes commitments to the queries: 𝐜𝐦𝑞 ≔ Commit(𝑞⃗)
● engages in IP arguments for (𝐜𝐦𝑞, 𝐜𝐦𝜋, 𝑎)
Result: NIZK from linear PCPs! (SHARK prudent proofs)
Slides 132–139

𝑉NIZK:
● check that the LPCP decision predicate accepts (cheap)
● compute a Pedersen commitment to each LPCP query 𝑞⃗ (costly)
● check that each inner-product-argument verifier accepts (costly)
(Not pictured: Fiat-Shamir transform, …)
We will make 𝑃SNARK do both costly steps.
A new building block: “encoded polynomial delegation”
![Page 141: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/141.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞)
![Page 142: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/142.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
![Page 143: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/143.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
![Page 144: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/144.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Each query Ԧ𝑞 has nice algebraic structure:
![Page 145: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/145.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
![Page 146: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/146.jpg)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
![Page 147: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/147.jpg)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
![Page 148: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/148.jpg)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
![Page 149: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/149.jpg)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
![Page 150: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/150.jpg)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
![Page 151: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/151.jpg)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
![Page 152: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/152.jpg)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
![Page 153: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/153.jpg)
𝜏 ⋅ Commit(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
![Page 154: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/154.jpg)
𝜏𝑑 ⋅ Commit(𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
𝜏 ⋅ Commit(𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1)
= Commit(𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
𝑝𝑖 𝜏 = 𝑝𝑖,0 + 𝑝𝑖,1𝜏 +⋯+ 𝑝𝑖,𝑑𝜏𝑑
= ( 𝑝1,0, 𝑝2,0, … , 𝑝𝑛,0)
Goal: compute 𝐜𝐦𝑞 ≔ Commit( Ԧ𝑞) 𝑄Ԧ𝑞
Most efficient linear PCP: quadratic arithmetic programs of [GGPR12]
Ԧ𝑞 = (𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
Each query Ԧ𝑞 has nice algebraic structure: 𝜏 =
+
…
𝐜𝐦𝑞 = Commit(𝑝1 𝜏 , 𝑝2 𝜏 , … , 𝑝𝑛 𝜏 )
+
+
…
𝜏 ⋅ ( 𝑝1,1, 𝑝2,1, … , 𝑝𝑛,1) +
𝜏𝑑 ⋅ ( 𝑝1,𝑑 , 𝑝2,𝑑 , … , 𝑝𝑛,𝑑)
![Page 164: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/164.jpg)
Goal: outsource computation of
$\mathbf{cm}_q = \mathrm{Com}(p_1(\tau), p_2(\tau), \dots, p_n(\tau)) = \mathrm{Com}(p_{1,0}, p_{2,0}, \dots, p_{n,0}) + \tau \cdot \mathrm{Com}(p_{1,1}, p_{2,1}, \dots, p_{n,1}) + \dots + \tau^d \cdot \mathrm{Com}(p_{1,d}, p_{2,d}, \dots, p_{n,d})$
The $\mathrm{Com}(\cdot)$'s are fully determined by $L$!
⇒ Fixed parameters $U_0, U_1, \dots, U_d \in \mathbb{G}$. For outsourcing $\mathbf{cm}_q$ set $U_k = \mathrm{Com}(p_{1,k}, p_{2,k}, \dots, p_{n,k})$.
Goal: given input $\tau \in \mathbb{F}$, outsource this computation:
$U := U_0 + \tau \cdot U_1 + \dots + \tau^d \cdot U_d$.
Encoded polynomial delegation
New building block: SNARK for encoded polynomial delegation in pairing groups + multilinear variant for our optimized IP argument.
![Page 165: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/165.jpg)
SHARK optimistic proofs
![Page 169: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/169.jpg)
[Diagram: $P_{\mathrm{NIZK}}$ (inputs $x$, $w$) and $V_{\mathrm{NIZK}}$ (input $x$); the encoded polynomial delegation is handled by a $P_{\mathrm{SNARK}}$ / $V_{\mathrm{SNARK}}$ pair on input $x$.]
![Page 177: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/177.jpg)

| | Circuit | Group ops in $V_{\mathrm{NIZK}}$ | Group ops in $P_{\mathrm{SNARK}}$ |
|---|---|---|---|
| Generic instantiation | $O(\lvert C \rvert)$-size | $O(\lambda \lvert C \rvert)$ | $O(\lambda^2 \lvert C \rvert)$ |
| This work | $O(\lvert C \rvert)$-size | $O(\lambda \lvert C \rvert)$ | $O(\lambda \lvert C \rvert)$ |

+ competitive proof size and verification time
e.g. 5 batchable pairings and 6 × $\mathbb{G}_1$ for an optimistic proof
![Page 182: Privacy-preserving cryptocurrencies Privacy-preserving smart ......2019/04/10 · SHARK NIZK for R1CS ≈“arithmetic circuits with bilinear gates” • an optimized variant of](https://reader034.fdocuments.us/reader034/viewer/2022051814/6034a36bff1263728f42bed3/html5/thumbnails/182.jpg)
● New primitive: private-coin setup needed for performance but not for soundness or ZK
● Compromised setup can be quickly detected and easily replaced
● Speed competitive with best current zk-SNARKs
● New building blocks along the way:
- Optimized inner product argument
- SNARK for encoded polynomial delegation