Paper 2021/710

VOProof: Efficient zkSNARKs from Vector Oracle Compilers

Abstract

The design of zkSNARKs is increasingly complicated and requires familiarity with a broad class of cryptographic and algebraic tools. This complexity in zkSNARK design also increases the difficulty in zkSNARK implementation, analysis, and optimization. To address this complexity, we develop a new workflow for designing and implementing zkSNARKs, called $$. In $$, the designer only needs to construct a \emph{Vector Oracle (VO) protocol} that is intuitive and straightforward to design, and then feeds this protocol to our \emph{VO compiler} to transform it into a fully functional zkSNARK. This new workflow conceals most algebraic and cryptographic operations inside the compiler, so that the designer is no longer required to understand these cumbersome and error prone procedures. Moreover, our compiler can be fine-tuned to compile one VO protocol into multiple zkSNARKs with different tradeoffs. We apply $$ to construct three general-purpose zkSNARKs targeting three popular representations of arithmetic circuits: the Rank-1 Constraint System (R1CS), the Hadamard Product Relation (HPR), and the $$ circuit. These zkSNARKs have shorter and more intuitive descriptions, thus are easier to implement and optimize compared to prior works. To evaluate their performance, we implement a Python framework for describing VO protocols and compiling them into working Rust code of zkSNARKs. Our evaluation shows that the $$-based zkSNARKs have competitive performance, especially in proof size and verification time, e.g., both reduced by roughly $$ compared to $$ (Chiesa et al., EUROCRYPT 2020). These improvements make the $$-based zkSNARKs more preferable in blockchain scenarios where the proof size and verification time are critical.

Note: Fix a confusing notation: use $$ instead of $$ for masking vectors.