Cryptology ePrint Archive: Report 2017/1132
Doubly-efficient zkSNARKs without trusted setup
Riad S. Wahby and Ioanna Tzialla and abhi shelat and Justin Thaler and Michael Walfish
Abstract: We present a zero-knowledge argument for NP with low communication complexity,
low concrete cost for both the prover and the verifier, and no trusted setup,
based on standard cryptographic assumptions. Communication is proportional
to $d\cdot\log G $ (for $d$ the depth and $G$ the width of the verifying circuit) plus
the square root of the witness size. When applied to batched or data-parallel
statements, the prover's runtime is linear and the verifier's is sub-linear
in the verifying circuit size, both with good constants. In addition,
witness-related communication can be reduced, at the cost of increased
verifier runtime, by leveraging a new commitment scheme for multilinear
polynomials, which may be of independent interest. These properties represent
a new point in the tradeoffs among setup, complexity assumptions, proof size,
and computational cost.
We apply the Fiat-Shamir heuristic to this argument to produce a zero-knowledge
succinct non-interactive argument of knowledge (zkSNARK) in the random oracle
model, based on the discrete log assumption, which we call Hyrax. We implement
Hyrax and evaluate it against five state-of-the-art baseline systems. Our
evaluation shows that, even for modest problem sizes, Hyrax gives smaller
proofs than all but the most computationally costly baseline, and that its
prover and verifier are each faster than three of the five baselines.
Category / Keywords: cryptographic protocols / zero knowledge, succinct arguments, computationally-sound proofs
Original Publication (with major differences): IEEE Security & Privacy 2018
Date: received 22 Nov 2017, last revised 19 Apr 2018
Contact author: rsw at cs stanford edu
Available format(s): PDF | BibTeX Citation
Note: This version adds a link to the released source code.
Version: 20180419:162303 (All versions of this report)
Short URL: ia.cr/2017/1132
[ Cryptology ePrint archive ]