Proof-Carrying Data from Accumulation Schemes

Presentation Transcript

Slide1

Proof-Carrying Data from Accumulation Schemes
To appear at TCC. ia.cr/2020/499

Benedikt Bünz (Stanford)
Alessandro Chiesa, Pratyush Mishra, Nick Spooner (UC Berkeley)

Slide2

Motivation

Delegating a -step (nondeterministic) computation:

Option 1: Monolithic proof
Issues:
(Typically) requires prover memory
Proving steps requires recomputing entire proof

Option 2: Incrementally-verifiable computation (IVC) [Val08]
Proof-carrying data (PCD) [CT10, BCCT13] generalizes this from path graph to any DAG

Slide3

Applications of IVC/PCD

SNARKs with small space and time complexity ('complexity-preserving') [BCCT13]
Succinct Blockchains (e.g. Coda [MS18], [KB20]): checks whether a new block is valid
Verifiable Delay Functions [BBBF19], e.g. verifying iterated hash functions
SNARKs for MapReduce [CTV15]

Slide4

How do we construct IVC/PCD?

[BCCT13]: SNARKs with succinct (polylog) verification imply IVC/PCD
[COS20]: SNARKs with sublinear verification imply IVC/PCD (also in the post-quantum setting!)

The sublinear verification requirement restricts the SNARKs we can use.

Is sublinear verification required for IVC/PCD?
[BGH19] suggests maybe not: they outline a novel approach to obtain IVC from a specific SNARK with linear verification, and give details about important practical aspects (like elliptic curve cycles).
But they don't provide a detailed construction or a security proof...

SNARK = Succinct Non-interactive ARgument of Knowledge

Slide5

Summary of our results

We introduce accumulation schemes and show that:

Theorem 1. SNARKs with accumulation schemes imply IVC/PCD, even without sublinear verification. [standard model]
Theorem 2. We can obtain SNARKs with accumulation schemes by combining a SNARK whose verification is sublinear relative to a primitive with an accumulation scheme for that primitive. [standard model]
Theorem 3. Two popular polynomial commitment schemes have accumulation schemes. [random oracle model]

Nothing to do with set accumulators!

Slide6

Summary of results

[BCCT13]: Succinct-verifier SNARKs -> PCD/IVC (we don't know how to instantiate these in the standard model)

Theorem 2: SNARK relative to a primitive + Acc Scheme for that primitive -> SNARK with Acc Scheme
Theorem 1: SNARK with Acc Scheme -> PCD/IVC

Slide7

Summary of results

New PCD/IVC constructions (heuristically):

[CHMMVW20]: SNARK relative to PC (in ROM)
Theorem 3: Acc Schemes for PC (in ROM)
Theorem 2: SNARK w/ Acc Scheme (in ROM)
RO heuristic: SNARK with Acc Scheme (in standard model, heuristically)
Theorem 1: PCD/IVC

Slide8

Background: IVC/PCD and recursive composition

Slide9

IVC definition

Completeness: for all inputs , witnesses and proofs ,

Proof of knowledge: for all efficient , there is an efficient extractor s.t.

Efficiency:

Slide10

SNARKs with preprocessing

Completeness & (adaptive) proof of knowledge

Sublinear proofs:

Optionally: sublinear verification:

Slide11

 

 

IVC from recursive composition of SNARKs [BCCT13, COS20]

Completeness: follows from SNARK completeness

Soundness: recursively extract transcript using SNARK knowledge soundness [BCCT13, COS20]
(Does not hold in ROM due to non-black-box use of .)

Efficiency: size of a SNARK proof for

Slide12

Why sublinear verification? [BCCT13, COS20]

Briefly: so that the verifier circuit can check its own circuit!

To recurse: need a circuit for with s.t. can take input , i.e. s.t. for . Then , s.t.

We say is the 'recursion threshold'.

What about SNARKs without sublinear verification?

Slide13

New tool: Accumulation schemes

Slide14

Accumulation schemes: overview

[Figure: a sequence of accumulation steps, each taking the current accumulator and a new query and producing an updated accumulator plus a 0/1 verdict from the accumulation verifier; a decider at the end outputs 0/1. Annotations: the accumulator "does not grow with" the number of steps; "cost of" the accumulation verifier versus "cost of" the decider.]

Slide15

Accumulation schemes: definition

Accumulation scheme for is a triple such that:

Completeness: for all accumulators , queries ,

Soundness: for all efficient adversaries ,

Efficiency: the size of an accumulator is a fixed poly in security parameter

Note: we always have a trivial accumulation scheme

Slide16

Accumulation schemes: definition (sets of accumulators and queries)

Accumulation scheme for is a triple such that:

Completeness: for all sets of accumulators , query sets ,

Soundness: for all efficient adversaries ,

Efficiency: the size of an accumulator is a fixed poly in security parameter

Note: we always have a trivial accumulation scheme

Slide17

Theorem 1: IVC/PCD from accumulation schemes

Slide18

Theorem 1: IVC/PCD from accumulation

SNARK + Accumulation scheme ACC = for -> IVC/PCD

The SNARK verifier need not be sublinear; the accumulation verifier must be sublinear (if the SNARK verifier is sublinear then the trivial accumulation scheme suffices).
If the SNARK and ACC are zero knowledge then so is the PCD.
If the SNARK and ACC are post-quantum secure then so is the PCD.
We make non-black-box use of the SNARK extractor, so the theorem does not hold in the ROM.

Slide19

Theorem 1: Construction

Let be a SNARK
Let be an acc. scheme for

IVC. (prover) and the IVC proof: [figure]

Completeness: IVC. (verifier) accepts, by completeness of the acc. scheme and completeness of the SNARK

The recursive circuit does not contain the SNARK verifier

Slide20

Theorem 1: Soundness

[Figure: proof sketch built around the SNARK extractor]

Slide21

IVC/PCD from accumulation: summary

Theorem 1: SNARK + Accumulation scheme ACC = for -> IVC/PCD

How do we construct SNARKs with accumulation schemes?

Slide22

Theorem 2: SNARKs with accumulation schemes

Slide23

Predicate-efficient SNARKs

Definition: A SNARK is predicate-efficient wrt a predicate if the verifier can be decomposed into an expensive part , and a cheap part .

[Figure: the verifier, split into the expensive part (expensive to compute) and the cheap part (cheap to compute), outputs the decision bit b.]

Slide24

Accumulation for predicate-efficient SNARKs

Theorem 2: Suppose a SNARK is predicate-efficient wrt. a predicate . Then, if has an accumulation scheme, the SNARK has an accumulation scheme.

Prover: Compute . Compute . Output new accumulator .
Verifier: Check that . Check that .
Decider: Check that .
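The (P, V, D) interface of the definition on slides 15-16, the trivial scheme noted there, and the Theorem 2 lifting just described, as an added toy example (example code written for this page, not code from the paper or its authors). Everything concrete in it is an assumption: the group is the order-5003 subgroup of Z_10007^* (a small safe prime, chosen so the toy runs instantly; a real scheme uses a cryptographically sized group), the accumulated predicate is Phi(a, B) := (B == GEN^a), the "SNARK" is a stand-in whose proof simply reveals the exponent (only the cheap/expensive split of its verifier matters for the lifting), and SHA-256 plays the random oracle. What it shows: the accumulation verifier never evaluates Phi, the accumulator stays two numbers however many proofs are folded in, and a forged proof passes the accumulation verifier but is caught by the single decider check. It does not reproduce the cost gap of the PC_KZG and PC_DL schemes later in the talk (mults versus pairings, logarithmic versus linear): in this toy the verifier's exponentiation costs about as much as Phi itself.

```python
"""Toy accumulation schemes for slides 15-16 ((P, V, D) interface, trivial
scheme) and slide 24 (Theorem 2).  Example code written for this page, not the
paper's.  Assumptions made for the toy: G is the order-Q subgroup of Z_P^* for
the small safe prime P = 10007 (Q = 5003, generator GEN = 4; a real scheme uses
a cryptographically sized group); Phi(a, B) := (B == GEN^a mod P), whose
exponentiation stands in for the 'expensive' check (pairing, PC.Check); the
'SNARK' is a stand-in that reveals the exponent; SHA-256 plays the random oracle.
"""
import hashlib
from typing import Tuple

P, Q, GEN = 10007, 5003, 4
Query = Tuple[int, int]  # (a, B): the claim B == GEN^a mod P

def phi(q: Query) -> bool:
    """The accumulated predicate: one exponentiation in G."""
    a, b = q
    return 0 <= a < Q and 0 < b < P and pow(GEN, a, P) == b

def challenge(*transcript: int) -> int:
    """Random-oracle stand-in: hash the transcript to a scalar in [1, Q-1]."""
    d = hashlib.sha256(",".join(map(str, transcript)).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

# --- (P, V, D) for Phi with a fixed-size accumulator -------------------------
# The accumulator has the shape of a query and D is Phi on it.  P folds a query
# in by a random linear combination; V recomputes the folding and never runs
# Phi; D runs Phi once, however many queries were folded in.  Soundness: acc and
# q are fixed before r is known, so a false Phi(q) or a bad old acc gets past
# D(new_acc) only if the discrepancies cancel under r (probability 1/(Q-1) in
# the ROM); a single bad query folded into an honest acc never gets past D.
EMPTY_ACC: Query = (0, 1)  # GEN^0 == 1, so D(EMPTY_ACC) holds

def fold(acc: Query, q: Query, r: int) -> Query:
    return ((acc[0] + r * q[0]) % Q, (acc[1] * pow(q[1], r, P)) % P)

def acc_prove(acc: Query, q: Query) -> Tuple[Query, int]:
    r = challenge(*acc, *q)
    return fold(acc, q, r), r  # the 'proof' is just the challenge V recomputes

def acc_verify(acc: Query, q: Query, new_acc: Query, pf: int) -> bool:
    r = challenge(*acc, *q)
    return pf == r and new_acc == fold(acc, q, r)

def acc_decide(acc: Query) -> bool:
    return phi(acc)

# --- The trivial scheme of slide 15: the accumulator lists every query -------
# Complete and sound, but it breaks efficiency: the accumulator grows per step.
def trivial_prove(acc: list, q: Query) -> Tuple[list, None]:
    return acc + [q], None

def trivial_verify(acc: list, q: Query, new_acc: list, pf: None) -> bool:
    return new_acc == acc + [q]

def trivial_decide(acc: list) -> bool:
    return all(phi(q) for q in acc)

# --- Theorem 2: (P, V, D) for a SNARK that is predicate-efficient wrt Phi ----
# Stand-in SNARK: statement x = B, proof pi = a.  Its verifier is a cheap part
# that emits the query to Phi, followed by the expensive part, Phi itself.
def snark_verify_cheap(x: int, pi: int) -> Tuple[bool, Query]:
    return (0 <= pi < Q and 0 < x < P), (pi, x)

def snark_verify(x: int, pi: int) -> bool:
    ok, q = snark_verify_cheap(x, pi)
    return ok and phi(q)  # the part the accumulation scheme defers to D

def snark_acc_prove(acc: Query, x: int, pi: int) -> Tuple[Query, int]:
    ok, q = snark_verify_cheap(x, pi)
    if not ok:
        raise ValueError("cheap verifier check failed")
    return acc_prove(acc, q)

def snark_acc_verify(acc: Query, x: int, pi: int, new_acc: Query, pf: int) -> bool:
    ok, q = snark_verify_cheap(x, pi)
    return ok and acc_verify(acc, q, new_acc, pf)

snark_acc_decide = acc_decide

def demo() -> dict:
    """Accumulate three honest proofs, then a forged one (x = GEN^99, pi = 98)."""
    acc, triv = EMPTY_ACC, []
    for a in (17, 4242, 5000):
        x, pi = pow(GEN, a, P), a
        new_acc, pf = snark_acc_prove(acc, x, pi)
        assert snark_acc_verify(acc, x, pi, new_acc, pf)
        triv, _ = trivial_prove(triv, (pi, x))
        acc = new_acc
    x, pi = pow(GEN, 99, P), 98          # forged: the exponent does not match
    bad_acc, bad_pf = snark_acc_prove(acc, x, pi)
    q = (17, pow(GEN, 17, P))
    new_acc, pf = acc_prove(acc, q)
    tampered = ((new_acc[0] + 1) % Q, new_acc[1])  # prover lies about the fold
    return {
        "honest_decider": snark_acc_decide(acc),            # True
        "trivial_decider": trivial_decide(triv),            # True
        "trivial_size": len(triv),                          # 3, grows per step
        "forged_verifier_accepts": snark_acc_verify(acc, x, pi, bad_acc, bad_pf),  # True
        "forged_decider": snark_acc_decide(bad_acc),        # False: D catches it
        "direct_snark_rejects": not snark_verify(x, pi),    # True
        "tampered_fold_rejected": not acc_verify(acc, q, tampered, pf),  # True
    }
```

`demo()` returns the checks a reader would want to see: the honest accumulator and the trivial list both pass their deciders, the trivial accumulator holds three entries while the folded one is still a pair, the forged proof is accepted by the accumulation verifier (which does no Phi work) and rejected by the decider, and a prover that misreports the fold is rejected by the verifier. In this toy, with an honest old accumulator, one bad query is always caught because the discrepancy (B / GEN^a) has prime order Q and the challenge r lies in [1, Q-1]; the 1/(Q-1) soundness error only arises when an adversary controls both the old accumulator and the query, which is exactly why the challenge must be bound to both through the random oracle.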

Slide25

Properties of the accumulation scheme for the SNARK

Security: proof idea: reduce security of the SNARK's accumulation scheme to security of the accumulation scheme for the predicate.
If the predicate's accumulation scheme is quantum secure then so is the SNARK's; if it is zero-knowledge then so is the SNARK's.

Efficiency: the accumulation verifier is the predicate's accumulation verifier + the predicate-efficient runtime.

Upshot: this significantly reduces the complexity of designing accumulation schemes.

Slide26

Where to find predicate-efficient SNARKs?

Slide27

A Popular Methodology for SNARKs

Compiler [BBB19, CHMMVW20]: Polynomial IOP/AHP + Polynomial Commitment (PC) -> SNARK

Used to construct many popular SNARKs: Sonic [MBKM19], PLONK [GWC19], Marlin [CHMMVW20].
Polynomial IOPs/AHPs: Sonic, PLONK, Marlin. Polynomial commitments: [KZG10], [BBB19], Halo.

Slide28

A Popular Methodology for SNARKs

Compiler [CHMMVW20]: Polynomial IOP/AHP + Polynomial Commitment (PC) -> SNARK

Verifier: the compiled SNARK verifier runs PC.Check.

So the SNARK is predicate-efficient wrt. PC.Check!

Slide29

Accumulating SNARKs based on Polynomial Commitments

Compiler [CHMMVW20]: AHP + PC -> SNARK that is predicate-efficient wrt PC.Check
Thm 2: SNARK that is predicate-efficient wrt PC.Check + Accumulation Scheme for PC -> Accumulation Scheme for SNARK

Slide30

Theorem 3: Constructing Accumulation Schemes for Polynomial Commitments

Slide31

Recap: Polynomial Commitments

Sender: PC.Commit -> Commitment (sent to the Receiver)
Receiver: sends Opening point
Sender: PC.Open -> Evaluation , Proof
Receiver: PC.Check -> Decision bit

Slide32

Accumulation Scheme for PC_KZG

Consider PC_KZG, a PC scheme based on the construction of [KZG10].

SRS:
PC.Commit( )
PC.Open( )
PC.Check( )

PC.Check: pairings. Proof size:

Theorem: There exists an accumulation scheme in the ROM for the PC_KZG construction with the following properties:
Accumulation Verifier: mults
Accumulator size:
Decider: 1 pairing

No pairings in verifying accumulation!

Slide33

Accumulation Scheme for PC_DL

Consider PC_DL, a PC scheme based on the inner product argument of [BCCGP16, Bulletproofs, Halo]. (Security of PC_DL depends on DL+RO.)

URS:
PC.Commit( )
PC.Open( )
PC.Check( )

PC.Check: mults. Proof size:

Halo [BGH19] describes a protocol for accumulating PC_DL.

Theorem: A variant of this protocol is an accumulation scheme in the ROM for PC_DL with the following properties:
Accumulation Verifier: mults
Accumulator size:
Decider: mults

Verifying accumulation is exponentially faster than PC.Check!

Slide34

Summary: Theorems 1 and 2

Theorem 2: PE-SNARK wrt + Acc Scheme for -> SNARK with Acc Scheme
Theorem 1: SNARK with Acc Scheme -> PCD/IVC

Slide35

Summary of PCD constructions

PCD/IVC from bilinear groups: PE-SNARK wrt PC + ACC for PC_KZG (ROM) -> [Theorem 2] SNARK with Acc Scheme -> [RO heuristic] standard model -> [Theorem 1] PCD/IVC
Trusted setup; tiny proofs; no pairings in recursive circuit

PCD/IVC from standard groups: PE-SNARK wrt PC + ACC for PC_DL (ROM) -> [Theorem 2] SNARK with Acc Scheme -> [RO heuristic] standard model -> [Theorem 1] PCD/IVC
Transparent setup; small proofs (<< [COS20])

More accumulation schemes from different assumptions with different properties?

Slide36

Thanks!

ia.cr/2020/499
