### Simulation-Extractable zk-SNARK with a Single Verification

Jihye Kim, Jiwon Lee, and Hyunok Oh

##### Abstract

The simulation-extractable zk-SNARK (SE-SNARK) introduces a security notion of non-malleability. The existing pairing-based zk-SNARKs designed from linear encoding are known to be vulnerable to algebraic manipulation of the proof. The latest SE-SNARKs check the proof consistency by increasing the proof size and the verification cost. In particular, the number of pairings increases almost doubles due to further verification. In this paper, we propose two novel SE-SNARK constructions with a single verification. The consistency check is subsumed in a single verification through employing a hash function. The proof size and verification time of the proposed SE-SNARK schemes are minimal in that it is the same as the state-of-the-art zk-SNARK without non-malleability. The proof in our SE-SNARK constructions comprises only three group elements (type III) in the QAP-based scheme and two group elements (type I) in the SAP-based scheme. The verification time in both requires only 3 pairings. The soundness of the proposed schemes is proven under the hash-algebraic knowledge (HAK) assumption and the (linear) collision-resistant hash assumption.

Available format(s)
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
pairing-based zk-SNARKsimulation-extractabilityquadratic arithmetic programsquare arithmetic program
Contact author(s)
jihyek @ kookmin ac kr
jiwonlee @ hanyang ac kr
hoh @ hanyang ac kr
History
2020-04-22: last of 5 revisions
See all versions
Short URL
https://ia.cr/2019/586

CC BY

BibTeX

@misc{cryptoeprint:2019/586,
author = {Jihye Kim and Jiwon Lee and Hyunok Oh},
title = {Simulation-Extractable zk-SNARK with a Single Verification},
howpublished = {Cryptology ePrint Archive, Paper 2019/586},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/586}},
url = {https://eprint.iacr.org/2019/586}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.