Cryptology ePrint Archive: Report 2021/529

SnarkPack: Practical SNARK Aggregation

Nicolas Gailly and Mary Maller and Anca Nitulescu

Abstract: Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short and efficiently verifiable proofs that do not reveal anything more than the correctness of the statement. zk-SNARKs are widely used in decentralised systems to address privacy and scalability concerns. One of the main applications is the blockchain, were SNARKs are used to prove computations with private inputs and reduce on-chain footprint verification and transaction sizes.

A major drawback of such proof systems in practice is the requirement to run a trusted setup for the public parameters. Moreover, these parameters set an upper bound to the sizeof the computations or statement to be proven, which results in new scalability problems.

We design and implement SnarkPack, a new argument that further reduces the size of SNARK proofs by means of aggregation. Our goal is to provide an off-the-shelf solution that is practical in the following sense: (1) it is compatible with existing deployed SNARK systems, (2) it does not require any extra trusted setup.

SnarkPack is designed to work with Groth16 scheme and has logarithmic size proofs and a verifier that runs in logarithmic time in the number of proofs to be aggregated. Most importantly, SnarkPack reuses the public parameters from Groth16 system.

SnarkPack can aggregate 8192 proofs in 8.7s and verify them in 163ms, yielding a verification mechanism that is exponentially faster than batching and previous solutions in the field.SnarkPack can be deployed in blockchain applications that rely on many SNARK proofs such as Proof-of-Space or roll-up solutions.

Category / Keywords: implementation / public-key cryptography, SNARKs, proof aggregation, bilinear pairings

Date: received 21 Apr 2021, last revised 6 Sep 2021

Contact author: anca at protocol ai

Available format(s): PDF | BibTeX Citation

Version: 20210906:204002 (All versions of this report)

Short URL: ia.cr/2021/529


[ Cryptology ePrint archive ]