Snarky Signatures Minimal Signatures of Knowledge from SimulationExtractable
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth and Mary Maller University College London
Digital signature OK Signer Verifier
Schnorr signatures Signer Verifier
Signatures of knowledge Signer Verifier
Signature of knowledge algorithms •
Correctness OK
What you prove Standard signatures Signatures of knowledge • Hamiltonian cycle 0 1 0 Circuit SAT 1
Simulatability Damned, I did not learn the witness
Simulation-extractability Non-black-box extractor because we want succinctness!
Non-interactive zero-knowledge argument Common reference string Proof Zero-knowledge: Prover Nothing but truth revealed Soundness: Verifier Statement is true OK
NIZK argument algorithms •
Completeness OK
Zero-knowledge Damned, I did not learn the witness
Simulation-extractability
Signatures of knowledge imply simulationextractable NIZK arguments • • Completeness follows from correctness • Zero-knowledge follows from simulatability • Simulationextractability follows from simulationextractability
Simulation-extractable NIZK arguments and CRHFs imply signatures of knowledge •
Our contribution • SE-NIZK argument – Perfect completeness – Perfect zero-knowledge – Simulation-extractable SE-SNARK Simulation-extractable Succinct Non-interactive Argument of Knowledge • XPKE and Poly assumptions • Efficiency – Asymmetric (Type III) pairings – 3 group element proofs – Low computation
Arithmetic circuit •
Set of squaring constraints •
Polynomial rewriting •
Square arithmetic programs •
Prime order bilinear groups
SE-SNARK •
Assumptions •
Efficiency Construction Proof size Prover Verifier Eq. [BCTV 14] (zk-SNARK) [Groth 16] (zk-SNARK) This work (SE-SNARK) • Lower bounds – [Groth 16]: Pairing based zk-SNARKs cannot have 1 group element proofs – This work: Pairing based SE-SNARKs cannot have 2 group element proofs or just 1 verification equation
- Slides: 25