TY - GEN
T1 - Doubly-Efficient zkSNARKs Without Trusted Setup
AU - Wahby, Riad S.
AU - Tzialla, Ioanna
AU - Shelat, Abhi
AU - Thaler, Justin
AU - Walfish, Michael
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/23
Y1 - 2018/7/23
N2 - We present a zero-knowledge argument for NP with low communication complexity, low concrete cost for both the prover and the verifier, and no trusted setup, based on standard cryptographic assumptions. Communication is proportional to d log G (for d the depth and G the width of the verifying circuit) plus the square root of the witness size. When applied to batched or data-parallel statements, the prover's runtime is linear and the verifier's is sub-linear in the verifying circuit size, both with good constants. In addition, witness-related communication can be reduced, at the cost of increased verifier runtime, by leveraging a new commitment scheme for multilinear polynomials, which may be of independent interest. These properties represent a new point in the tradeoffs among setup, complexity assumptions, proof size, and computational cost. We apply the Fiat-Shamir heuristic to this argument to produce a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) in the random oracle model, based on the discrete log assumption, which we call Hyrax. We implement Hyrax and evaluate it against five state-of-the-art baseline systems. Our evaluation shows that, even for modest problem sizes, Hyrax gives smaller proofs than all but the most computationally costly baseline, and that its prover and verifier are each faster than three of the five baselines.
AB - We present a zero-knowledge argument for NP with low communication complexity, low concrete cost for both the prover and the verifier, and no trusted setup, based on standard cryptographic assumptions. Communication is proportional to d log G (for d the depth and G the width of the verifying circuit) plus the square root of the witness size. When applied to batched or data-parallel statements, the prover's runtime is linear and the verifier's is sub-linear in the verifying circuit size, both with good constants. In addition, witness-related communication can be reduced, at the cost of increased verifier runtime, by leveraging a new commitment scheme for multilinear polynomials, which may be of independent interest. These properties represent a new point in the tradeoffs among setup, complexity assumptions, proof size, and computational cost. We apply the Fiat-Shamir heuristic to this argument to produce a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) in the random oracle model, based on the discrete log assumption, which we call Hyrax. We implement Hyrax and evaluate it against five state-of-the-art baseline systems. Our evaluation shows that, even for modest problem sizes, Hyrax gives smaller proofs than all but the most computationally costly baseline, and that its prover and verifier are each faster than three of the five baselines.
KW - computationally sound proofs
KW - cryptographic protocols
KW - succinct arguments
KW - zero knowledge
UR - http://www.scopus.com/inward/record.url?scp=85051034586&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051034586&partnerID=8YFLogxK
U2 - 10.1109/SP.2018.00060
DO - 10.1109/SP.2018.00060
M3 - Conference contribution
AN - SCOPUS:85051034586
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 926
EP - 943
BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 39th IEEE Symposium on Security and Privacy, SP 2018
Y2 - 21 May 2018 through 23 May 2018
ER -