Abstract
Among the zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), the simulation-extractable zk-SNARK (SE-SNARK) adds a security notion of non-malleability. The existing pairing-based zk-SNARKs built from linear encodings are known to be vulnerable to algebraic manipulation of the proof. The latest SE-SNARKs enforce proof consistency at the cost of a larger proof and a more expensive verification; in particular, the number of pairings almost doubles because of the additional verification equation. In this article, we propose two novel SE-SNARK constructions with a single verification equation. The consistency check is subsumed into that single verification by employing a hash function. The proof size and verification time of the proposed SE-SNARK schemes are minimal in that they match the state-of-the-art zk-SNARK without non-malleability. The proof in our SE-SNARK constructions comprises only three group elements (type III pairing) in the QAP-based scheme and two group elements (type I pairing) in the SAP-based scheme. Verification in both requires only 3 pairings. The soundness of the proposed schemes is proven under the hash-algebraic knowledge (HAK) assumption and the (linear) collision-resistant hash assumption.
Highlights
The zero-knowledge succinct non-interactive argument of knowledge is an effective zero-knowledge proof system to prove a statement without revealing the witness, where the proof size and the verification cost are succinct
To prevent malleability, Groth and Maller [5] introduced simulation-extractability, a security notion for non-malleability of proofs. They defined the simulation-extractable zk-SNARK (SE-SNARK) and proposed a construction based on Groth's zk-SNARK [1] that keeps the proof size at 3 group elements. Their construction relies on the square arithmetic program (SAP) representation instead of the quadratic arithmetic program (QAP) used by common zk-SNARKs; compared to the QAP, the SAP roughly doubles the circuit size, which in turn doubles the common reference string (CRS) size and the proving time
QAP-based SE-SNARK scheme: we propose our first SE-SNARK construction based on the quadratic arithmetic program (QAP) representation, which achieves a proof size of 3 group elements and a single verification equation
Summary
The zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is an effective zero-knowledge proof system for proving a statement without revealing the witness, where the proof size and the verification cost are succinct. Because pairing-based zk-SNARKs are linear, the original check of the relation (i.e. a · b = c in the QAP or a^2 = c in the SAP) cannot detect algebraic modifications of the proof. It is formally proven in [5] that SNARKs built from linear encodings require at least 2 verification equations to be simulation-extractable, a result obtained by reduction to a hard decisional NP problem. We propose SE-SNARKs with a single verification equation, applying a hash function to overcome this limitation of existing SE-SNARKs. The idea rests on the observation that blending the hash function into the encodings provides a unique binding between the proof elements; this removes the need for an additional check against algebraic modifications.
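To make the malleability concrete, the following is an added illustration (not code from the paper or from any SNARK library) of why a single linear pairing check does not bind the proof elements to each other. It models a Groth16-style verification equation e(A,B) = e(α,β) · e(C,δ) "in the exponent": every group element is represented by its discrete logarithm modulo a prime, so the bilinear map becomes ordinary multiplication and the check reads a·b = α·β + c·δ (mod p). The public-input term of the real equation is folded into α·β, the prime is a toy choice, and the proof is obtained by solving the equation directly rather than from a witness; the two manipulations shown, rescaling (A,B,C) → (rA, r⁻¹B, C) and the shift (A,B,C) → (A, B + rδ, C + rA), use only public scalar multiplication and the public δ from the CRS, which is exactly what an adversary can do with a real proof.

```python
"""Toy exponent model of a linear pairing-based verification equation.

Constructed illustration: group elements are their discrete logs mod P, so
e(g^x, h^y) = g_T^{x*y} becomes x*y mod P and the Groth16-style check
    e(A,B) = e(alpha,beta) * e(C,delta)
becomes
    a*b == alpha*beta + c*delta   (mod P).
"""
import random

P = 2**61 - 1  # toy Mersenne prime standing in for the pairing-group order


def inv(x):
    """Modular inverse via Fermat (P is prime)."""
    return pow(x, P - 2, P)


def trusted_setup(rng):
    """Toy verification key: alpha, beta and delta are random non-zero scalars."""
    alpha, beta, delta = (rng.randrange(1, P) for _ in range(3))
    return {"alpha": alpha, "beta": beta, "delta": delta}


def verify(vk, proof):
    """The single linear check a*b == alpha*beta + c*delta (mod P)."""
    a, b, c = proof
    lhs = a * b % P
    rhs = (vk["alpha"] * vk["beta"] + c * vk["delta"]) % P
    return lhs == rhs


def accepting_proof(vk, rng):
    """Produce one accepting (a, b, c).

    A real prover derives c from the witness; here c is solved for directly,
    which is what the simulator (who knows delta) would do. We only need some
    accepting proof to maul.
    """
    a = rng.randrange(1, P)
    b = rng.randrange(1, P)
    c = (a * b - vk["alpha"] * vk["beta"]) * inv(vk["delta"]) % P
    return (a, b, c)


def maul_rescale(proof, r):
    """(A, B, C) -> (rA, r^-1 B, C): scalar multiplication on public elements only."""
    a, b, c = proof
    return (a * r % P, b * inv(r) % P, c)


def maul_shift(vk, proof, r):
    """(A, B, C) -> (A, B + r*delta, C + r*A): delta in G2 is part of the public CRS.

    a*(b + r*delta) = a*b + r*a*delta = alpha*beta + (c + r*a)*delta.
    """
    a, b, c = proof
    return (a, (b + r * vk["delta"]) % P, (c + r * a) % P)


def demo(seed=1):
    """Return which checks pass: both mauled proofs verify although they differ
    from the original, while an unrelated tweak of C is rejected."""
    rng = random.Random(seed)
    vk = trusted_setup(rng)
    pi = accepting_proof(vk, rng)
    r = rng.randrange(2, P)
    pi_rescaled = maul_rescale(pi, r)
    pi_shifted = maul_shift(vk, pi, r)
    tampered = (pi[0], pi[1], (pi[2] + 1) % P)
    return {
        "original_ok": verify(vk, pi),
        "rescaled_ok": verify(vk, pi_rescaled),
        "shifted_ok": verify(vk, pi_shifted),
        "rescaled_differs": pi_rescaled != pi,
        "shifted_differs": pi_shifted != pi,
        "tampered_c_rejected": not verify(vk, tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both mauled proofs are accepted because the equation only constrains the product a·b and the combination c·δ, not the individual elements; any adversary who sees one proof can mint fresh ones for the same statement without knowing the witness. This is the gap the second verification equation in existing SE-SNARKs, and the hash binding in the proposed schemes, is meant to close.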