Updatable and Universal Common Reference Strings with Applications to zk-SNARKs
Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers.
Crypto - 23/08/2018
Our Goal
Slide 1 of 22
Find a better method than trusted setups for generating the public parameters for zk-SNARKs.
What are zk-SNARKs?
Slide 2 of 22
Zero-Knowledge Succinct Non-interactive ARgument of Knowledge.
Very small proofs.
Verification is fast.
Requires trusted setup.
KoE assumptions.
When to use zk-SNARKs?
Slide 3 of 22
• When many instances of the same problem need to be proven over and over and over.
• The verifier has limited time and space.
Great for blockchains!
zk-SNARKs have Trapdoors
Slide 3 of 22
• Proofs are generated and verified using a shared common reference string.
• Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs.
The trapdoor cannot be used to break privacy (most of the time).
The trapdoor can be used to break integrity (all the time).
We design a setup process more suited to zk-SNARKs used in distributed systems.
Our Contributions
Slide 4 of 22
Ingredients:
1) Knowledge Assumptions
2) q-type Assumptions
3) Quadratic Arithmetic Programs
Updatable trust model
Efficient new zk-SNARK
Universal setup
Null-Space Argument.
What is zero-knowledge?
Slide 5 of 22
• Prover aims to convince verifier that they know a secret while revealing no information about the secret.
[Diagram: Common Reference String; Prover; Verifier; Proof of knowledge of a secret.]
Prover cannot create proof without the secret.
Verifier learns the truth, the whole proof, and nothing but its truth.
Unlike other zero-knowledge systems, hard to prevent trapdoor being leaked in zk-SNARKs.
Our Goal
Slide 7 of 22
• SNARKs cannot be zero-knowledge without a trapdoor existing.
• Aim for subversion zero-knowledge.
• Aim for middle ground between trusted setup and subversion soundness.
[Diagram: CRS; Verifier.]
Verifier learns nothing from the proof even if it knows a trapdoor.
Our Goal
Slide 7 of 22
• SNARKs cannot be zero-knowledge without a trapdoor existing.
• Aim for subversion zero-knowledge.
• Aim for middle ground between trusted setup and non-existent trapdoor.
[Diagram: CRS; Prover.]
Prover with a trapdoor can create proofs without the secret, but hard to get the trapdoor.
But don’t we have NIZKs without Setup?
Slide 8 of 22
• In random oracle model, can generate an unstructured CRS for which nobody knows the trapdoor.
• But zk-SNARKs rely on structured CRS for efficiency.
What’s so scandalous about a trusted setup?
Slide 9 of 22
• Example: Zcash ran a trusted setup in 2016 and in 2018.
• If the trapdoor was not properly disposed of two years ago, then some people might be able to print money at will.
• There is no way of knowing whether the setup was compromised or not.
1 ZEC, 2 ZEC, 3 ZEC, 4….
What’s so scandalous about a trusted setup?
Slide 10 of 22
• The output of each trusted setup can only be used to prove the exact circuit it was designed for.
• Performing one trusted setup per application may result in each trusted setup receiving less and less scrutiny.
[Diagram: Application 1, 2 and 3, each with its own Trusted Setup 1, 2, 3 and CRS 1, 2, 3.]
Updatable Setups for zk-SNARKs
Slide 11 of 22
• In theory, one honest party runs the setup, and the scheme is secure.
• In practice, a few parties run the setup; if one is honest then the scheme is secure.
• In our work, continuously add more parties to the setup; if one is honest at any point in time then the scheme is secure.
Theory: "Here is the output of the setup procedure." "Why should I trust you?"
Practice: "Here is the output of the setup procedure." "Why should I trust any of you?"
This work: "Here is the output of the setup procedure." "Why should I trust any of you?" "Here is the new output of the setup procedure."
No longer really a setup
Trusted Setup vs Updates?
Slide 12 of 22
Trusted Setup
• Setup must be completed before the system goes live.
• Secure provided a single honest user participates.
Updatable CRS
• Parameters can be updated at any point.
• Secure at any point after an honest user has participated.
When can we update?
SNARKs have secrets in the exponent
• Exponents contain hidden polynomial evaluations.
• We can update monomials.
Slide 12 of 22
Updating Monomials is Easy
Slide 13 of 22
$g^{x_1}$, with proof of knowledge of $x_1$
$g^{x_1 x_2}$, with proof of knowledge of $x_2$
$g^{x_1 x_2 x_3}$, with proof of knowledge of $x_3$
etc.
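The update chain on this slide, together with the rule from the Updatable Setups slide that one honest updater at any point is enough, as an added example that is not code from the talk or the paper. The tiny group (P, Q, G), the function names and the Schnorr/Fiat-Shamir proof are assumptions chosen so the sketch runs without a pairing library; they are not the scheme's own update proofs, which the summary lists as 9 group elements.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def _challenge(base, new, commit):
    """Fiat-Shamir challenge binding the proof to this exact update step."""
    data = f"{P}|{Q}|{base}|{new}|{commit}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def update(base, secret=None):
    """One update: new = base^x plus a Schnorr proof of knowledge of x.

    Returns (new, proof). An honest updater deletes x afterwards; the
    trapdoor of the final string is the product of every updater's x.
    """
    x = secret if secret is not None else secrets.randbelow(Q - 1) + 1
    if not 1 <= x < Q:
        raise ValueError("update secret must be in [1, Q-1]")
    new = pow(base, x, P)
    r = secrets.randbelow(Q - 1) + 1           # one-time nonce
    commit = pow(base, r, P)
    c = _challenge(base, new, commit)
    s = (r + c * x) % Q
    return new, {"base": base, "new": new, "commit": commit, "s": s}


def in_group(h):
    """True if h is a non-identity element of the order-Q subgroup."""
    return 1 < h < P and pow(h, Q, P) == 1


def verify_step(proof):
    """Check one proof: base^s == commit * new^c, all elements in the subgroup."""
    base, new, commit, s = proof["base"], proof["new"], proof["commit"], proof["s"]
    if not (in_group(base) and in_group(new) and in_group(commit)):
        return False
    c = _challenge(base, new, commit)
    return pow(base, s % Q, P) == (commit * pow(new, c, P)) % P


def verify_chain(current, proofs):
    """Replay the full, ordered update history from G up to `current`."""
    expected_base = G
    for proof in proofs:
        # Each step must start exactly where the previous one ended.
        if proof["base"] != expected_base or not verify_step(proof):
            return False
        expected_base = proof["new"]
    return expected_base == current


def run_setup(secrets_list):
    """Apply sequential updates; a None entry means 'pick a random secret'."""
    element, proofs = G, []
    for x in secrets_list:
        element, proof = update(element, x)
        proofs.append(proof)
    return element, proofs
```

Dropping, reordering or altering any stored proof makes `verify_chain` fail, which is why the update history has to be kept in order.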
Could use Groth or Lipmaa?
Slide 14 of 22
CRS only uses monomials.
At the sacrifice of quasi-linear prover time?
These schemes have quadratic provers.
Updating Polynomials is Hard
• Secrets inside the global parameters were correlated, and once a correlated secret is inside the global parameters it cannot be changed.
Slide 15 of 22
Correlated randomness is hidden with uncorrelated randomness.
Updating Polynomials is Hard
Slide 16 of 22
$g^{f(x)\delta}$
• CRS contains polynomials.
• Any adversary that can update $g^{f(x)\delta}$ can extract monomials $g^{1}, g^{x\delta}, g^{x^2\delta}, \ldots, g^{x^n\delta}$.
• Cannot rely on hidden polynomial evaluations.
We prove this.
Previous schemes rely on hidden polynomials for security.
What tricks do we use?
Slide 17 of 22
• We start with more global parameters, with monomials inside, from which we derive a smaller set of derived parameters. The derive algorithm can be run by any party.
[Diagram: Global Common Reference String 1, 2 and 3, linked by Update 1 and Update 2; a Derive step takes each global string to Derived Common Reference String 1, 2 and 3.]
Global parameters independent of circuit.
Derived parameters embed circuit dependent QAP.
Each derived string is equivalent to the output of one trusted setup in previous schemes.
What’s the Price?
Slide 18 of 22
[Diagram: Global Common Reference String 1, 2 and 3, linked by Update 1 and Update 2; a Derive step takes each global string to Derived Common Reference String 1, 2 and 3.]
• Global common reference strings: quadratic sized. Only need to store one quadratic string at any given time.
• Updates: very small (<300 bytes). Update proofs must be sequential and are stored forever.
• Derive: $O(d^3)$ multiplications due to Gaussian Elimination. Can run multiple updates between each iteration of derive.
• Derived common reference strings: linear sized. Derived string sufficient for prover and verifier.
Our Techniques
Slide 19 of 22
Prover needs to show
$A = g^{a f(x)}$
for known $f(X) = f_0 + f_1 X^1 + \cdots + f_d X^d$
The prover wants to keep $a$ secret
Have
Linear algebra: find max matrix $N$ such that
$(f_0, \ldots, f_d) \cdot (n_{k,0}, \ldots, n_{k,d}) = 0$
Rank-Nullity: for a matrix $A$, $span(A)$ is orthogonal to $Null(A)$
Verifier checks
$a z_k (f_0 + \cdots + f_d x^d)(n_{k,0} x^d + \cdots + n_{k,d}) = 0$
in $z_k x^d$ coefficient

Our Techniques
Slide 19 of 22
Prover needs to show
$A = g^{a_1 f_1(x) + \cdots + a_n f_n(x)}$
for known $f_i(X) = f_{i,0} + f_{i,1} X^1 + \cdots + f_{i,d} X^d$
$f_i(X)$ are determined by the QAP
Have
Linear algebra: find max matrix $N$ such that
$(f_{i,0}, \ldots, f_{i,d}) \cdot (n_{k,0}, \ldots, n_{k,d}) = 0$
Verifier checks
$a_i z_k (f_{i,0} + \cdots + f_{i,d} x^d)(n_{k,0} x^d + \cdots + n_{k,d}) = 0$
in $z_k x^d$ coefficient
Why is the Null Space so Big?
Slide 20 of 22
Prover needs to show
$A = g^{a_1 f_1(x) + \cdots + a_n f_n(x)}$
for known $f_i(X) = f_{i,0} + f_{i,1} X^1 + \cdots + f_{i,d} X^d$
Width = 3 × number of gates
Length = number of wires ≤ 2 × number of gates
• Need to show $\log A \in span(\text{rows of } F)$.
• $F$ is wider than it is long.
• $width(F) = Rank(F) + Nullity(F)$
$Rank(F) \le 2d$
row-rank = column-rank = dimension of space spanned by row vectors
$\dim(\text{Null matrix}) \approx d$
Open question: Can $F$ be more square?
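The linear algebra behind the null-space argument, worked in the clear as an added example (not code from the talk or the paper): Gaussian elimination over a prime field finds a basis $n_k$ of the null space of $F$, and the $X^d$ coefficient of candidate(X) · (n_{k,0} X^d + … + n_{k,d}) is the dot product that vanishes for every $k$ exactly when the candidate lies in the row span. The field size 101, the two-row matrix F_ROWS and all function names are constructed for illustration; in the scheme the candidate is hidden in the exponent of $A$.

```python
# Added illustration: field size and matrix are constructed, not from the talk.
MOD = 101  # small prime field for the example

# Rows are coefficient vectors (f_{i,0}, ..., f_{i,d}) of known polynomials f_i(X), d = 3.
F_ROWS = [
    [1, 2, 0, 3],
    [0, 1, 4, 1],
]


def null_space(rows, mod=MOD):
    """Basis of {n : row . n = 0 for every row}, by Gaussian elimination mod a prime."""
    m = [[v % mod for v in r] for r in rows]
    width = len(m[0])
    pivots = []                       # pivot column of each reduced row
    rank = 0
    for col in range(width):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue                  # no pivot here: col is a free column
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, mod)
        m[rank] = [v * inv % mod for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                factor = m[i][col]
                m[i] = [(a - factor * b) % mod for a, b in zip(m[i], m[rank])]
        pivots.append(col)
        rank += 1
    basis = []
    for free in (c for c in range(width) if c not in pivots):
        vec = [0] * width
        vec[free] = 1
        for row_idx, pcol in enumerate(pivots):
            vec[pcol] = -m[row_idx][free] % mod
        basis.append(vec)
    return basis                      # len(basis) == width - rank (rank-nullity)


def poly_mul(a, b, mod=MOD):
    """Product of two polynomials given as coefficient lists (index = power of X)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % mod
    return out


def top_coefficients(candidate, basis, mod=MOD):
    """X^d coefficient of candidate(X) * (n_{k,0} X^d + ... + n_{k,d}) for every k."""
    d = len(candidate) - 1
    # n_{k,j} multiplies X^(d-j), so the coefficient list is the reversed vector.
    return [poly_mul(candidate, list(reversed(n)), mod)[d] for n in basis]


def in_row_span(candidate, basis, mod=MOD):
    """The verifier-side test: every X^d coefficient must be zero."""
    return all(c == 0 for c in top_coefficients(candidate, basis, mod))


def combine(coeffs, rows, mod=MOD):
    """Coefficient vector of sum_i a_i * f_i(X) for secret weights a_i."""
    return [sum(a * r[j] for a, r in zip(coeffs, rows)) % mod
            for j in range(len(rows[0]))]
```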
Prover and Verifier
Slide 21 of 22
Prover
$A = g^{a(x,y)}$
$B = h^{a(x,y)}$
$C = g^{a(x,y) \times null + a(x,y) \times a(x,y)}$
Verifier
$e(A, h) = e(g, B)$
$e(A, B)\, e(A, N) = e(C, h)$
$B = g^{a(x,y)}$ by bilinearity. Prover knows $a(x,y)$ by KoE.
$A = g^{a(x,y)}$ unless prover can compute $g^{x^d z_k}$
QAP satisfied unless prover can compute $g^{x^i y^7}$
Our scheme = 3 group elements; State of the art = 3 group elements
Our scheme = O(n) group exponentiations; State of the art = O(n) group exponentiations
Our scheme = 5 pairings; State of the art = 4 pairings
Summary
Slide 22 of 22
• Introduce notion of updatable common reference strings.
• Design efficient updatable zk-SNARK.
• Show how to use the same global parameters to derive a CRS for any circuit of a given size.
Efficiency Table
Universal String: Quadratic
Derived String: Linear
Deriver Cost: Cubic
Update Proofs: 9 Group Elements
Proof Size: 3 Group Elements
Verifier Time: 5 Pairings
Questions?