
Polymath: Groth16 Is Not the Limit

  • Conference paper
Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14929)


Abstract

Shortening the argument (three group elements or 1536 / 3072 bits over the BLS12-381/BLS24-509 curves) of the Groth16 zk-SNARK for R1CS is a long-standing open problem. We propose a zk-SNARK Polymath for the Square Arithmetic Programming constraint system using the KZG polynomial commitment scheme. Polymath has a shorter argument (1408 / 1792 bits over the same curves) than Groth16. At 192-bit security, Polymath’s argument is nearly half the size, making it highly competitive for high-security future applications. Notably, we handle public inputs in a simple way. We optimized Polymath’s prover through an exhaustive parameter search. Polymath’s prover does not output \(\mathbb {G}_{2}\) elements, aiding in batch verification, SNARK aggregation, and recursion. Polymath’s properties make it highly suitable to be the final SNARK in SNARK compositions.


Notes

  1. We adopt the standard additive bracket notation: there is a type-3 pairing \(\mathbb {G}_{1} \times \mathbb {G}_{2} \rightarrow \mathbb {G}_{T}\) and \([x]_{\iota } = x [1]_{\iota }\), where \([1]_{\iota }\) is a fixed generator of \(\mathbb {G}_{\iota }\) for \(\iota \in \{1, 2, T\}\).

  2. There is currently no industry standard for the 192-bit security level, so we simply picked BLS24-509, a well-known curve from the BLS family. BLS24-509 satisfies \(|\mathbb {G}_{1}| = 512\), \(|\mathbb {G}_{2}| = 2048= 4 |\mathbb {G}_{1}|\), and \(|\mathbb {F}| = 256\) bits.

  3. Recently, [40] proved the knowledge-soundness of KZG-based zk-SNARKs under falsifiable assumptions in the ROM. However, their constructions add overhead. We will leave the use of their methods for future work.

  4. We use the notation of [29, 37] when talking about corresponding zk-SNARKs, but add “hats” to Groth16’s trapdoors. The notation for Polymath aligns with that in [37]. For example, \(\widehat{\alpha }\) in Groth16 corresponds to \(y^{\gamma }\) in [37] and Polymath.

  5. Any small constant number c would suffice. A smaller c results in better efficiency, and \(c \ge 2\) is needed because we use SAP.

  6. This holds in updatable SNARKs [16, 18, 25, 41]. Moreover, Polymath’s prover complexity depends more on n than \(m\) (see Table 1). Thus, increasing \(m\) is relatively unimportant.

  7. Extracting the committed polynomial from solely the polynomial commitment is possible in the AGM but impossible in the AGMOS. In AGMOS, one has to open the polynomial commitment before extractability becomes possible.

  8. See Eq. (15) for the derivation of \(d_{\min }\) and \(d_{\max }\) in the general case.

  9. While \(Y = X^{\sigma }\) is a “virtual” indeterminate, we feel that writing Y instead of \(X^{\sigma }\) makes the proof more readable.

  10. More precisely, recall that \(\textsf{bnd}_{\textsf{a}}= 1\), \(\sigma = n + 3\), \(\alpha = -3\), \(\gamma = -5\), and \(d_{\min } = -5 n - 15\) and \(d_{\max } = 5 n + 7\) are as in Eq. (15). Given this setting, the exponents of X in \(\textsf{A}\), \(\textsf{B}\), \(\textsf{C}\) belong to the range \([d_{\min }, d_{\max }] = [\gamma \sigma , 2 n - 2 - \alpha \sigma ] = [-5 (n + 3), 5n + 7]\).

  11. Using the computations in Footnote 10 and the default setting, we can find that the exponents of X in \(\varphi (X)\) belong to the range \([2 d_{\min }, 2 d_{\max }] = [-10 n - 30, 10 n + 14]\).

  12. The analysis of \(\varphi _{2 \gamma - \alpha } (X)\) and \(\varphi _{\gamma - \alpha } (X)\) is needed since, without it, one can only establish that \(\tilde{\mathbbm {z}}_{i} = \check{c}_{i} - 2 r_{\textsf{a}}(X) \check{a}_{i}\), that is, that it is a function of X. Hence, soundness would still hold but not necessarily special-soundness. On the other hand, fewer coefficients are critical, which will give more choices for \(\alpha \) and \(\gamma \). Some of the latter will result in better efficiency.

  13. According to https://keccak.team/sw_performance.html, hashing with SHA3 takes less than 15 cycles per byte, which gives less than 30 units (30000 cycles) on Skylake to hash 2000 bytes.

References

  1. Abdolmaleki, B., Baghery, K., Lipmaa, H., Zajac, M.: A subversion-resistant SNARK. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 3–33. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-70700-6_1

  2. Abdolmaleki, B., Lipmaa, H., Siim, J., Zajac, M.: On subversion-resistant SNARKs. J. Cryptol. 34(3), 17 (2021). https://doi.org/10.1007/s00145-021-09379-y
  3. Ambrona, M., Beunardeau, M., Schmitt, A.L., Toledo, R.R.: aPlonK: aggregated PlonK from multi-polynomial commitment schemes. In: Shikata, J., Kuzuno, H. (eds.) IWSEC 2023. LNCS, vol. 14128, pp. 195–213. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-41326-1_11

  4. Aranha, D.F., Pagnin, E., Rodríguez-Henríquez, F.: LOVE a pairing. In: Longa, P., Ràfols, C. (eds.) LATINCRYPT 2021. LNCS, vol. 12912, pp. 320–340. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-88238-9_16

  5. Attema, T., Fehr, S., Klooß, M.: Fiat-Shamir transformation of multi-round interactive proofs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part I. LNCS, vol. 13747, pp. 113–142. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22318-1_5

  6. Attema, T., Fehr, S., Klooß, M., Resch, N.: The Fiat–Shamir transformation of \(({\gamma }_{1},\ldots ,{\gamma }_{\mu })\)-special-sound interactive proofs. Tech. Rep. 2023/1945, IACR (2023). https://eprint.iacr.org/2023/1945

  7. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 02. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_19

  8. Bellare, M., Fuchsbauer, G., Scafuro, A.: NIZKs with an untrusted CRS: security in the face of parameter subversion. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 777–804. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_26

  9. Belling, A., Soleimanian, A., Bégassat, O.: Recursion over public-coin interactive proof systems; faster hash verification. Cryptology ePrint Archive, Report 2022/1072 (2022). https://eprint.iacr.org/2022/1072

  10. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_16

  11. Bowe, S., Gabizon, A., Miers, I.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050 (2017). https://eprint.iacr.org/2017/1050

  12. Brands, S.: Untraceable off-line cash in wallets with observers (extended abstract). In: Stinson, D.R. (ed.) CRYPTO’93. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_26

  13. Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Recursive proof composition from accumulation schemes. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 1–18. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-64378-2_1

  14. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 677–706. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45721-1_24

  15. Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part III. LNCS, vol. 13092, pp. 65–97. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-92078-4_3

  16. Campanelli, M., Faonio, A., Fiore, D., Querol, A., Rodríguez, H.: Lunar: A toolbox for more efficient universal and updatable zkSNARKs and commit-and-prove extensions. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part III. LNCS, vol. 13092, pp. 3–33. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-92078-4_1

  17. Campanelli, M., Gailly, N., Gennaro, R., Jovanovic, P., Mihali, M., Thaler, J.: Testudo: linear time prover SNARKs with constant size proofs and square root size universal setup. In: Longa, P., Ràfols, C. (eds.) LATINCRYPT 2021. LNCS, vol. 12912, pp. 331–351. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-031-44469-2_17

  18. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, P., Ward, N.P.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 738–768. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45721-1_26

  19. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT’98. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_6

  20. Costello, C., Stebila, D.: Fixed argument pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 92–108. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14712-8_6
  21. Dao, Q., Grubbs, P.: Spartan and Bulletproofs are simulation-extractable (for free!). In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part II. LNCS, vol. 14005, pp. 531–562. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30617-4_18

  22. Di Crescenzo, G., Lipmaa, H.: Succinct NP Proofs from an Extractability Assumption. In: Beckmann, A., Dimitracopoulos, C., Löwe, B. (eds.) Computability in Europe, CIE 2008. LNCS, vol. 5028, pp. 175–185. Springer, Heidelberg, Athens, Greece (2008)
  23. Fuchsbauer, G.: Subversion-zero-knowledge SNARKs. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 315–347. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-76578-5_11

  24. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-96881-0_2

  25. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: Permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://eprint.iacr.org/2019/953

  26. Gailly, N., Maller, M., Nitulescu, A.: SnarkPack: practical SNARK aggregation. In: Eyal, I., Garay, J.A. (eds.) FC 2022. LNCS, vol. 13411, pp. 203–229. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-18283-9_10

  27. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  28. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

  29. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  30. Groth, J., Kohlweiss, M., Maller, M., Meiklejohn, S., Miers, I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 698–728. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-96878-0_24

  31. Groth, J., Maller, M.: Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 581–612. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63715-0_20

  32. Jager, T., Rupp, A.: The semi-generic group model and applications to pairing-based cryptography. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 539–556. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_31

  33. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

  34. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20

  35. Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part II. LNCS, vol. 13043, pp. 1–34. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-90453-1_1

  36. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

  37. Lipmaa, H.: A unified framework for non-universal SNARKs. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022, Part I. LNCS, vol. 13177, pp. 553–583. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-030-97121-2_20

  38. Lipmaa, H.: Polymath: Groth16 Is Not The Limit. Tech. rep., IACR (2024). https://eprint.iacr.org/2024/

  39. Lipmaa, H., Parisella, R., Siim, J.: Algebraic group model with oblivious sampling. In: Rothblum, G.N., Wee, H. (eds.) TCC 2023, Part IV. LNCS, vol. 14372, pp. 363–392. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-48624-1_14

  40. Lipmaa, H., Parisella, R., Siim, J.: Constant-Size zk-SNARKs in ROM from falsifiable assumptions. In: Joye, M., Leander, G. (eds.) EUROCRYPT 2024. LNCS, vol. 14656, pp. 34–64. Springer, Cham, Zürich, Switzerland (2024). https://doi.org/10.1007/978-3-031-58751-1_2

  41. Lipmaa, H., Siim, J., Zajac, M.: Counting vampires: from univariate sumcheck to updatable ZK-SNARK. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part II. LNCS, vol. 13792, pp. 249–278. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22966-4_9

  42. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019. pp. 2111–2128. ACM Press (2019). https://doi.org/10.1145/3319535.3339817

  43. Micali, S.: CS proofs (extended abstracts). In: 35th FOCS. pp. 436–453. IEEE Computer Society Press (1994). https://doi.org/10.1109/SFCS.1994.365746

  44. Novakovic, A., Eagen, L.: On Proving Pairings. Tech. Rep. 2024/640, IACR (2024). https://eprint.iacr.org/2024/640

  45. Papamanthou, C., Shi, E., Tamassia, R.: Signatures of correct computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 222–242. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_13

  46. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy. pp. 238–252. IEEE Computer Society Press (2013). https://doi.org/10.1109/SP.2013.47

  47. Ràfols, C., Zapico, A.: An algebraic framework for universal and updatable SNARKs. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part I. LNCS, vol. 12825, pp. 774–804. Springer, Heidelberg, Virtual Event (2021). https://doi.org/10.1007/978-3-030-84242-0_27

  48. Setty, S., Thaler, J., Wahby, R.: Customizable constraint systems for succinct arguments. Tech. Rep. 2023/552, IACR (2023). https://eprint.iacr.org/2023/552

  49. Stachowiak, G.: Proofs of knowledge with several challenge values. Cryptology ePrint Archive, Report 2008/181 (2008). https://eprint.iacr.org/2008/181

  50. Thaler, J.: Proofs, Arguments, and Zero-Knowledge, Foundations and Trends® in Privacy and Security, vol. 2. Now Publishers (2022)
  51. Thorncharoensri, P., Huang, Q., Susilo, W., Au, M.H., Mu, Y., Wong, D.S.: Escrowed Deniable Identification Schemes. In: Slezak, D., Kim, T., Fang, W., Arnett, K.P. (eds.) FGIT-SecTech 2009. Communications in Computer and Information Science, vol. 58, pp. 234–241. Springer, Jeju Island, Korea (2009)
  52. Xie, T., et al.: zkBridge: trustless cross-chain bridges made practical. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022, pp. 3003–3017. ACM Press (2022). https://doi.org/10.1145/3548606.3560652

Acknowledgments

We thank Matteo Campanelli for useful comments.

Author information

Corresponding author

Correspondence to Helger Lipmaa.

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Lipmaa, H. (2024). Polymath: Groth16 Is Not the Limit. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14929. Springer, Cham. https://doi.org/10.1007/978-3-031-68403-6_6

  • DOI: https://doi.org/10.1007/978-3-031-68403-6_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-68402-9

  • Online ISBN: 978-3-031-68403-6

  • eBook Packages: Computer Science (R0)
