Paper 2012/095

Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data

Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer

Abstract

\emph{Succinct non-interactive arguments} (SNARGs) enable verifying NP statements with much lower complexity than required for classical NP verification (in fact, with complexity that is \emph{independent} of the NP language at hand). In particular, SNARGs provide strong solutions to the problem of verifiably delegating computation. Despite recent progress in the understanding and construction of SNARGs, there remain unattained goals. First, \emph{publicly-verifiable SNARGs} are only known either in the random oracle model, or in a model that allows expensive offline preprocessing. Second, known SNARGs require from the prover significantly more time or space than required for classical NP verification. We show that, assuming collision-resistant hashing, \emph{any} SNARG having a natural \emph{proof of knowledge} property (i.e., a SNARK) can be ``bootstrapped" to obtain a \emph{complexity-preserving} SNARK, i.e., one without expensive preprocessing and where the prover's time and space complexity is essentially the same as that required for classical NP verification. By applying our transformation to known publicly-verifiable SNARKs with expensive preprocessing, we obtain the first publicly-verifiable complexity-preserving SNARK in the plain model (and in particular, eliminate the expensive preprocessing), thereby attaining the aforementioned goals. We also show an analogous transformation for privately-verifiable SNARKs, assuming fully-homomorphic encryption. Curiously, our transformations do not rely on PCPs. At the heart of our transformations is \emph{recursive composition} of SNARKs and, more generally, new techniques for constructing and using \emph{proof-carrying data} (PCD) systems, which extend the notion of a SNARK to the distributed setting. Concretely, to bootstrap a given SNARK, we recursively compose the SNARK to obtain a ``weak'' PCD system for shallow distributed computations, and then use the PCD framework to attain stronger, complexity-preserving SNARKs and PCD systems.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
alexch @ csail mit edu
History
2012-12-28: last of 8 revisions
2012-02-24: received
See all versions
Short URL
https://ia.cr/2012/095
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/095,
      author = {Nir Bitansky and Ran Canetti and Alessandro Chiesa and Eran Tromer},
      title = {Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data},
      howpublished = {Cryptology ePrint Archive, Paper 2012/095},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/095}},
      url = {https://eprint.iacr.org/2012/095}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.