Boosting SNARKs and Rate-1 Barrier in Arguments of Knowledge

Cheng, Jiaqi; Goyal, Rishab

doi:10.4230/LIPIcs.ICALP.2025.56

Boosting SNARKs and Rate-1 Barrier in Arguments of Knowledge

Jiaqi Cheng University of Wisconsin - Madison, WI, USA Rishab Goyal

University of Wisconsin - Madison, WI, USA

Abstract

We design a generic compiler to boost any non-trivial succinct non-interactive argument of knowledge (SNARK) to full succinctness. Our results come in two flavors:

1.

For any constant $\epsilon>0$ , any SNARK with proof size $|\pi|<\frac{|\omega|}{\lambda^{\epsilon}}+\mathsf{poly}(\lambda,|x|)$ can be upgraded to a fully succinct SNARK, where all system parameters (such as proof/CRS sizes and setup/verifier run-times) grow as fixed polynomials in $\lambda$ , independent of witness size.
2.

Under an additional assumption that the underlying SNARK has as an efficient knowledge extractor, we further improve our result to upgrade any non-trivial SNARK. For example, we show how to design fully succinct SNARKs from SNARKs with proofs of length $|\omega|-\Omega(\lambda)$ , or $\frac{|\omega|}{1+\epsilon}+\mathsf{poly}(\lambda,|x|)$ , any constant $\epsilon>0$ .

Our result reduces the long-standing challenge of designing fully succinct SNARKs to designing arguments of knowledge that beat the trivial construction. It also establishes optimality of rate-1 arguments of knowledge (such as NIZKs [Gentry-Groth-Ishai-Peikert-Sahai-Smith; JoC’15] and BARGs [Devadas-Goyal-Kalai-Vaikuntanathan, Paneth-Pass; FOCS’22]), and suggests any further improvement is tantamount to designing fully succinct SNARKs, thus requires bypassing established black-box barriers [Gentry-Wichs; STOC’11].

Keywords and phrases:

SNARGs, RAM Delegation

Category:

Track A: Algorithms, Complexity and Games

Funding:

Rishab Goyal: Support for this research was provided by OVCRGE at UW-Madison with funding from the Wisconsin Alumni Research Foundation.

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Computational complexity and cryptography

Editors:

Keren Censor-Hillel, Fabrizio Grandoni, Joël Ouaknine, and Gabriele Puppis

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Succinct non-interactive arguments, commonly called SNARGs, are a central object in both theory and practice of numerous cryptographic systems today. Informally speaking, a SNARG for an $\boldsymbol{\mathrm{NP}}$ language $\mathcal{L}$ is an argument¹¹1In an argument system [11], soundness is only guaranteed against polynomial-time cheating provers. system that creates a short membership proof $\pi$ for any instance $x\in\mathcal{L}$ , given a corresponding $\boldsymbol{\mathrm{NP}}$ witness $\omega$ . In the study of SNARGs, a highly desirable goal is to achieve full succinctness for non-trivial $\boldsymbol{\mathrm{NP}}$ languages. That is, design membership proofs that are of fixed polynomial size and can be verified in fixed polynomial time, independent of witness size, $|\omega|$ , and the time taken to verify $x\in\mathcal{L}$ given $\omega$ . Applications of SNARGs are well spread across the literature [41] and even extend to popular systems such as blockchains [4].

Since early 90s, starting with seminal works of Kilian [32] and Micali [35], we have known that SNARGs are indeed realizable for $\boldsymbol{\mathrm{NP}}$ although in the idealized random oracle model [3]. Over the last decade, many more succinct SNARG schemes have been designed [6, 7, 22, 39, 23, 8, 5], however these rely on non-falsifiable assumptions [36]²²2The SNARG construction by Sahai-Waters [39] relies on indistinguishability obfuscation [2], which is also a non-falsifiable assumption [21]. Although, obfuscation is known to be instantiable from $2^{|x|}$ -hardness of standard cryptographic hardness assumptions [25]. A longstanding open problem in this area has been to design SNARGs for $\boldsymbol{\mathrm{NP}}$ in the standard model while reducing security to standard and falsifiable cryptographic assumptions. As it currently stands, only a handful constructions [10, 30, 1, 26, 16, 28, 9, 37, 27] for SNARGs have been designed from falsifiable assumptions in the standard model, despite over thirty years of research. All these constructions support proving membership only for a subclass of $\boldsymbol{\mathrm{NP}}$ .

The reason for such a huge disparity between provable SNARG constructions from non-falsifiable and standard cryptographic assumptions was studied in the seminal work of Gentry-Wichs [20]. The Gentry-Wichs result states that we cannot design SNARGs for all of $\boldsymbol{\mathrm{NP}}$ , while reducing their security to any falsifiable assumption via a polynomial-time “black-box reduction”.

In a black-box reduction, the reduction algorithm is only allowed to make “oracle” queries to a successful attacker, and it must break the underlying assumption without any additional description about the attacker. That is, a black-box reduction can not access the description of an attacker’s code, but only gets to see input/output behavior. In a non-black-box reduction, however, the reduction gets full access to the attacker, and can use the attacker’s code arbitrarily. Given most security proofs in modern cryptography typically only make black-box use of an attacker, thus this explains why SNARGs for $\boldsymbol{\mathrm{NP}}$ have been such an elusive target.

Gentry-Wichs also proved that designing slightly-succinct³³3Briefly, slight succinctness states the proof size is sublinear in the statement and witness length (i.e., $o(|x|+|\omega|)$ ). SNARGs also suffers from the same black-box reduction barriers. In this work, we study the following question:

Is bypassing this barrier for slightly-succinct SNARGs enough to bypass the barrier for fully-succinct SNARGs, the “gold-standard” succinctness?

In other words, we do not know whether designing fully-succinct SNARGs is much harder than designing slightly-succinct SNARGs. It is conceivable that there is a hierarchy of black-box barriers between SNARGs with differing levels of succinctness.

This work.

We answer the above question affirmatively. We design a new bootstrapping compiler to upgrade any slightly-succinct SNARG into a fully-succinct SNARG, as long as the SNARG satisfies knowledge soundness (i.e., it is a SNARK).

Throughout the sequel, when we write the SNARK proof system is $\delta$ -mild (for any $\delta>1$ ), then we mean that the proof size is $\delta$ factor smaller than the witness length (i.e., $|\pi|<\frac{|\omega|}{\delta}+\mathsf{poly}(\lambda,|x|)$ ). Moreover, we do not put any other succinctness/efficiency requirements on any other component of the proof system. For example, the CRS size could grow polynomially with the witness length or the circuit size of membership circuit. Concretely, we show:

Theorem 1 (Informal, see Corollary 16).

For any constant $\epsilon>0$ . Assuming RAM delegation, any $\lambda^{\epsilon}$ -mild SNARK for $\boldsymbol{\mathrm{NP}}$ can be turned into a fully-succinct SNARK for $\boldsymbol{\mathrm{NP}}$ .

Moreover, if we additionally assume that the underlying SNARK has a fast extractor, then we can perform bootstrap even “milder” SNARKs. We say a $\delta$ -mild SNARK has a fast extractor, if the extractor’s running time is at most a $\mathsf{poly}(\delta)$ multiplicative factor larger than the adversary’s running time. E.g., if $\delta$ is a constant, then the fast extractor’s running time is at most a constant times more than adversary’s running time. Concretely, we show.

Theorem 2 (Informal, see Corollary 17).

For any $\delta>1$ . Assuming RAM delegation, any $\delta$ -mild SNARK for $\boldsymbol{\mathrm{NP}}$ with fast extractors can be turned into a fully-succinct SNARK for $\boldsymbol{\mathrm{NP}}$ .

Combining above theorems with great recent progress on designing RAM delegation [15, 16, 24, 42, 28], we obtain:

Corollary 3 (Informal).

Assuming either $\mathsf{LWE}$ , or $\mathsf{DLIN}$ , or sub-exponential $\mathsf{DDH}$ , any $\delta$ -mild SNARK for $\boldsymbol{\mathrm{NP}}$ can be boosted to a fully-succinct SNARK for $\boldsymbol{\mathrm{NP}}$ , as long as $\delta=\lambda^{\epsilon}$ , or it has a fast extractor.

Discussion and interpreting our results

The above suggests that designing any non-trivial SNARG for $\boldsymbol{\mathrm{NP}}$ with knowledge soundness is sufficient to design a fully-succinct SNARG for $\boldsymbol{\mathrm{NP}}$ with knowledge soundness. Thus, a natural interpretation is that overcoming the Gentry-Wichs barrier for just non-trivial succinctness is enough to settle the fully-succinct SNARK problem, and there are no further technical barriers beyond designing non-trivial SNARKs.

Our result can also be viewed as a mild strengthening of Gentry-Wichs. As, by combining our results with [20], we can rule out existence of non-trivial SNARKs with poly-time black-box reduction to falsifiable assumptions. Currently, [20] only rules out slightly-succinct arguments, i.e. $|\pi|=o(|x|+|\omega|)$ , but we can rule out any $|\pi|=|\omega|-\Omega(\lambda)$ with fast extractors.

Another interpretation is that known constructions for various rate-1 arguments of knowledge (such as zero-knowledge, or batch arguments) are essentially optimal, and any further improvement is tantamount to designing fully-succinct SNARKs, thus bypassing [20]. That is, rate-1 NIZK [19] and rate-1 (se)BARGs [18, 38] are best possible arguments of knowledge, with a polynomial-time black-box reduction to falsifiable assumptions.

Finally, we remark that while our approach relies on a careful recursive extraction technique, our security reduction is oblivious to black-box or non-black-box nature of mild SNARK extractor. Although Campanelli et al. [12] proved impossibility of black-box extraction for adaptive knowledge soundness in the standard model, black-box extraction is possible in non-standard models. Thus, if a mild SNARK extractor needs black-box/non-black-box access to the cheating prover in the standard/non-standard model, then so does our fully-succinct SNARK extractor.

2 Technical Overview

A SNARK is a non-interactive proof system that allows a prover to convince the validity of a statement $x$ to a verifier, by providing a proof $\pi$ whose length is shorter than the witness length, $|\omega|$ . They are typically defined in the common reference string model. Given the $\mathsf{crs}$ , a prover processes a pair of instance-witness pair $(x,\omega)$ to produce a short proof $\pi$ . The verifier, on input $\mathsf{crs},x$ , and $\pi$ , outputs a bit to signal validity of proof. The standard notion of soundness states that a (polynomial-time) cheating prover, given $\mathsf{crs}$ , cannot find a instance-proof pair $(x,\pi)$ such that the verifier accepts, yet $x$ is invalid. In this work, we rely on the stronger knowledge soundness property. It states that there exists an efficient extractor $\mathcal{E}$ that can extract a valid witness $\omega$ from a cheating prover, given the instance $x$ , proof $\pi$ , and the cheating prover’s algorithm $\mathcal{P}$ .

Defining succintness in SNARKs

If we allow proof size to be as large as the witness, then a SNARK can be trivially designed. Simply, set the proof $\pi=\omega$ . Thus, succinctness is an essential property for SNARKs. To capture a meaningful notion of succinctness, we define the notion of $\delta$ -mildness to capture any non-trivial SNARK. We consider $\delta=\delta(\lambda,n,m)$ to be a function of security parameter $\lambda$ , instance length $|x|=n$ , and witness length $|\omega|=m$ . In words, the proofs generated by a $\delta$ -mild SNARK are (aymptotically) $\delta$ -multiplicative-factor shorter than the witness length, $m$ . Formally, we say a SNARK is $\delta$ -mild, iff it satisfies the following:

|\pi|=\frac{m}{\delta}+\mathsf{poly}(\lambda,n).

Note that any non-trivial SNARK is a $\delta$ -mild SNARK, for some $\delta>1$ . Similarly, a fully-succinct SNARK corresponds to a $m$ -mild SNARK (i.e., $\delta=m$ )⁴⁴4Technically, a SNARK is fully-succinct if $|\pi|=\mathsf{poly}(\lambda)$ , and does not grow with $n$ . However, by the folklore hash-and-prove paradigm, a SNARK with $|\pi|=\mathsf{poly}(\lambda,n)$ can be easily turned into SNARK with $|\pi|=\mathsf{poly}(\lambda)$ . with an additional property that $|\mathsf{crs}|$ is also a fixed polynomial in $\lambda$ , and does not scale with $n$ or $m$ .

In words, we define $\delta$ -mild SNARKs to capture the most general notion of non-trivial SNARKs, as we only require their proof size to be non-trivially smaller than witness length, but do not put any constraints on the CRS size or verification runtime, etc. The rest of the technical overview is divided into three parts, covering all our main results:

1.

Assuming RAM delegation, any $\delta$ -mild SNARK can be upgraded to have short CRS.
2.

Any $\lambda^{\epsilon}$ -mild SNARK with short CRS can be boosted to a fully-succinct SNARK for RAM, for any constant $\epsilon>0$ .
3.

Any $\delta$ -mild SNARK with $\gamma$ -fast extractors can be boosted to $\lambda^{\epsilon}$ -mild SNARK, as long as $\delta>1$ and $\gamma=\delta^{c}$ for some constant $c>0$ .

2.1 Shortening CRS in SNARKs via RAM Delegation

The first step of our generic compiler is to design a mild SNARK with a short CRS, where its size does not grow with the classical $\boldsymbol{\mathrm{NP}}$ verification but only instance and witness lengths. As we will see in the next stages of our compiler, starting with mild SNARKs with short CRS is extremely useful for iterative compositions. Towards the goal of shortening CRS, our main observation is that it suffices to compose a mild SNARK (with an extremely long CRS) with a fully-succinct SNARG for $\boldsymbol{\mathrm{P}}$ .

A SNARG for $\boldsymbol{\mathrm{P}}$ , more commonly regarded as RAM delegation [29, 10, 16, 14], is a proof system that lets a prover generate short proofs of correctness for deterministic computation. Thus, syntactically, they are defined same as general SNARK(G)s, except the witness is always empty. That is, a prover only takes $\mathsf{crs}$ and $x$ as inputs, and to verify $\pi$ , a verifier needs both $x$ and $\mathsf{crs}$ . The special property of (fully-succinct) RAM delegation is that $|\mathsf{crs}|,|\pi|$ and verification time grows only poly-logarithmically with $T$ . Here $T$ is the time taken to run the RAM machine (i.e., the membership circuit) on $x$ . Clearly, knowledge soundness and standard soundness notions are the same for RAM delegation, since the witness is empty.

The idea for composing mild SNARKs with RAM delegation is very simple. Given any $\delta$ -mild SNARK that lacks a short CRS, rather than asking the prover to prove validity of $x$ by using $\omega$ as a witness, ask the prover to prove validity of $x$ by using $\omega$ and $\mathsf{del}.\pi$ as a witness. That is, a prover first computes a RAM proof $\mathsf{del}.\pi$ as $\mathsf{del}.\pi\leftarrow\mathsf{del}.\mathsf{Prove}(\mathsf{del}.\mathsf{crs% },(x,\omega))$ . Next, it creates a mild SNARK proof $\pi$ for instance $x$ to prove that it knows $(\omega,\mathsf{del}.\pi)$ such that $\mathsf{del}.\mathsf{Verify}(\mathsf{del}.\mathsf{crs},(x,\omega),\mathsf{del}% .\pi)=1$ . By relying on succinctness of RAM delegation, we can improve the CRS size for $\delta$ -mild SNARK from $\mathsf{poly}(\lambda,|\mathcal{C}|,n,m)$ to $\mathsf{poly}(\lambda,\log|\mathcal{C}|,n,m)$ , where $\mathcal{C}$ is the membership circuit for language associated with $x$ . This is because the CRS size and verification time for RAM delegation only grows poly-logarithmically with $|\mathcal{C}|$ . Moreover, this transformation preserves knowledge soundness as well as $\delta$ -mildness of underlying SNARKs. For completeness, we provide this formally in Section 5.

An exciting line of recent works [15, 16, 31, 24, 42, 18, 38, 28] have designed RAM delegation from a variety of standard falsifiable assumptions such as LWE, $k$ -LIN, or sub-exponential DDH. Morover, Kalai et al. [28] established a fantastic result about boosting any non-trivial RAM delegation (with fast verification) to fully-succinct RAM delegation, under the existence of rate-1 string OT (known under many standard assumptions). Thus, we view short CRS as a very mild assumption for non-trivial SNARKs.

2.2 Fully-succinct SNARKs from $\lambda^{\epsilon}$ -mild SNARKs

The next step of our work is to design a generic compiler for boosting any $\lambda^{\epsilon}$ -mild SNARK to a fully-succinct SNARK, for any constant $\epsilon>0$ . Given that a mild-SNARK can be viewed as a mechanism to compress a witness $\omega$ into a verifiable encoding $\pi$ , a natural idea is to iteratively compose $\delta$ -mild SNARKs many times until we reach desired compression.

Specifically, let $\mathcal{C}$ be the circuit that verifies the $\boldsymbol{\mathrm{NP}}$ language $\mathcal{L}$ for which we want to design a SNARK, and $n,m\leq 2^{\lambda}$ be the corresponding instance-witness lengths. The process begins by initializing $\mathcal{C}_{0}$ as the circuit $\mathcal{C}$ for the language $\mathcal{L}$ , and sampling $\mathsf{crs}_{0}$ as the CRS for the mild SNARK corresponding to the circuit $\mathcal{C}_{0}$ . Next, we (iteratively) sample $\ell=\frac{\lambda}{\epsilon\log\lambda}$ many CRS $\mathsf{crs}_{1},\ldots,\mathsf{crs}_{\ell}$ for the (iteratively) defined languages $\mathcal{L}_{1},\ldots,\mathcal{L}_{\ell}$ , where the circuit $\mathcal{C}_{i+1}$ (corresponding to $\mathcal{L}_{i+1}$ ) is set as the verification circuit for the mild SNARK corresponding to $\mathcal{L}_{i}$ . That is, $\mathcal{C}_{i+1}$ has $\mathsf{crs}_{i}$ hardwired, and it accepts an instance $x$ if there exists a mild SNARK proof $\pi_{i}$ such that $(x,\pi_{i})$ is a valid proof-witness pair w.r.t. $\mathsf{crs}_{i}$ . Given $\mathsf{crs}_{1},\ldots,\mathsf{crs}_{\ell}$ , a prover can create a fully-succinct proof by iteratively running the mild SNARK prover as follows – first, generate $\pi_{0}$ as a SNARK proof for $x$ under $\mathsf{crs}_{0}$ using $\omega$ as witness; next, generate $\pi_{1}$ as a SNARK proof for $x$ under $\mathsf{crs}_{1}$ using $\pi_{0}$ as witness; and so on, until the proof size is below a fixed $\mathsf{poly}(\lambda)$ threshold.

Whenever $\delta=\lambda^{\epsilon}$ , then after about $\frac{\log m}{\epsilon\log\lambda}$ iterative applications of a mild SNARK prover, we obtain a proof $\pi_{\frac{\log m}{\epsilon\log\lambda}}$ of size at most $\mathsf{poly}(\lambda,n)$ . This achieves the desired goal of full-succinctness. Unfortunately, the above template doesn’t work!

CRS generation takes too long!

Recall that a $\delta$ -mild SNARK only guarantees that the proof size, $|\pi|$ , is smaller than $m$ , but it does not say anything about other parameters or algorithms. Thus, it is possible that CRS size and/or the verifier’s running time is greater than $|\omega|$ , or the time taken to check $\mathcal{C}(x,\omega)=1$ . In such scenarios, we cannot efficiently generate the full CRS. This is because, under $\mathsf{crs}_{i+1}$ , the prover proves that it has a mild SNARK proof $\pi_{i}$ for $x$ w.r.t. $\mathsf{crs}_{i}$ . Thus, the $(i+1)^{th}$ language membership circuit (for $\mathsf{crs}_{i+1}$ ) is the $i^{th}$ verification circuit (w.r.t. to $\mathsf{crs}_{i}$ ), and hence $|\mathsf{crs}_{i}|$ would grow with $|\mathcal{C}|,m,n$ and super-polynomially with $i$ .

A shorter CRS helps?

Recall that we already discussed how one can generically reduce the CRS size (as well as time needed to compute it) to only grow poly-logarithmically with $|\mathcal{C}|$ . Isn’t that enough to ensure the above template works? Unfortunately, the answer is no! This is because RAM delegation only brings down CRS size from $\mathsf{poly}(\lambda,|\mathcal{C}|,n,m)$ to $\mathsf{poly}(\lambda,\log|\mathcal{C}|,n,m)$ . But, for full-succinctness, our goal is to have the CRS size (as well as verification time) to grow only poly-logarithmically with $m$ . Thus, the question is how can we compose mild SNARKs such that verification time and CRS size does not grow with $m$ or $n$ ?

Tree-based composition

Our idea is to switch an iterative straightline composition of SNARKs with an iterative, but tree-based, composition of SNARKs. Broadly speaking, the intuition is similar to how composing hash functions in a tree-based fashion [33] is more efficient than a straightline iterated hashing approach [34, 17].A similar issue was faced by Bitansky et al. [7] in the context of designing Proof Carrying Data (PCD) [13] and complexity-preserving SNARKs. Although Bitansky et al. assumed existence of a fully-succinct SNARK (which is what we want to design here), the underlying technical approach is more general. Our intuition is that a similar approach is quite meaningful for boosting non-trivial SNARKs.

In order to correctly implement such an idea, we need to break down the entire computation needed to verify $x\in\mathcal{L}$ , given $\omega$ , into smaller pieces. Otherwise, tree-based composition will not give desired amount of succinctness/compression. Basically, by interpreting the entire computation of $\mathcal{C}(x,\omega)=1$ as a step-by-step computation in the RAM model, we can ensure that the size of computation for which we will use mild SNARKs is of fixed size. That is, let $\mathsf{cnfg}_{1},\ldots,\mathsf{cnfg}_{T}$ be the configuration of the RAM machine, corresponding to $\mathcal{C}(x,\omega)=1$ , where $T=\mathsf{poly}(\lambda)$ is the total running time. (A RAM machine configuration corresponds to the RAM memory, program state, and machine head at given time step.)

A prover runs a mild SNARK prover, at the base level of the tree, to prove that each step of the computation is correctly performed, i.e. $\mathsf{cnfg}_{i}\rightarrow\mathsf{cnfg}_{i+1}$ (here by “ $\rightarrow$ ” we denote one RAM computation step). Further, it accumulates these proofs iteratively (as we go up the tree) by running a mild SNARK prover to prove that two configurations $\mathsf{cnfg}_{i},\mathsf{cnfg}_{j}$ are consistent. By consistent, we mean that we can go from $\mathsf{cnfg}_{i}\to\mathsf{cnfg}_{j}$ after $(j-i)$ RAM computation steps. The intuition is that base level (i.e., level 0) we prove the configurations to be adjacent (i.e., 1 step apart), while for next level (i.e., level 1) we prove $\mathsf{cnfg}_{i},\mathsf{cnfg}_{j}$ are $2$ steps apart, and so on. Thus, at level $i$ , we prove the configurations to be $2^{i}$ steps apart. By continuously composing SNARKs for such step-by-step computations in a tree-based fashion, we can get around the succinctness problem. This is because the instance and witness size, for each mild SNARK proof computation, are always of fixed polynomial size, independent of $n, m, T$ as well as the level $i$ . Thus, the CRS size doesn’t grow anymore, and the resulting SNARK will be fully-succinct.

How to extract the witness in polynomial time?

Unfortunately, the above process brings up a major bottleneck. The problem is how to prove (knowledge) soundness of the above design? Soundness only states that $\pi_{0}$ (proof at the base level) is hard to compute if $x\notin\mathcal{L}$ . But, it does not say any of the iteratively computed proofs are hard to compute! Thus, we cannot rely on standard soundness, but need to use knowledge soundness. But this would mean we have to recursively run the extractor $\log T$ many times. Unfortunately, such a recursive extractor would not run in polynomial time, since the depth of the tree is $\log T=O(\log\lambda)$ .

While the above feels a pretty big problem, this can be easily resolved by simply increasing the arity of the tree (from $2$ to $\lambda$ ). That is, rather than proving the configurations to be $2^{i}$ steps apart (at level $i$ ), we will prove configurations to be $\lambda^{i}$ steps apart. With this change, the depth of the SNARK tree will be constant, $\log_{\lambda}T=O(1)$ (for any polynomial time computation). Thus, we can perform recursive extraction from any accepting proof, given a poly-time cheating prover. With this modification, we provide a more detailed sketch.

Boosting via SNARK tree

From here on, we assume we have a description of a RAM program $\mathcal{R}$ that verifies validity of instance-witness pair $(x,\omega)$ , rather than a fixed circuit $\mathcal{C}$ . $\mathcal{R}$ checks that validity of witness for an instance w.r.t. $\mathcal{L}$ .

The prover starts by computing all configurations for every computation step, and hashing down just the RAM memory portion for each step using a Merkle hash tree [33]. At the bottom level, the instance at each node consists of two consecutive pseudo-configurations $(\rho,\mathsf{state},i_{\mathsf{read}}),(\rho^{\prime},\mathsf{state}^{\prime}% ,i_{\mathsf{read}}^{\prime})$ , where $\rho$ is the memory digest, $\mathsf{state}$ is the program state, and $i_{\mathsf{read}}$ is the index of the bit read during that step (i.e., machine head location). We call this pseudo-configuration, because it only contains the digest of the memory instead of full memory. The witness includes the local read/write bit and the write index $b_{\mathsf{read}},b_{\mathsf{write}},i_{\mathsf{write}}$ , which can be used to verify the transition between the two configurations. It also includes the Merkle tree openings $u_{\mathsf{read}},u_{\mathsf{write}}$ for the read/write bits w.r.t. memory digest. Given the above, the language for the nodes at bottom level is as follows:

Instance: $(\rho,\mathsf{state},i_{\mathsf{read}})$ , $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})$ .
Witness: $b_{\mathsf{read}},b_{\mathsf{write}},i_{\mathsf{write}},u_{\mathsf{read}},u_{% \mathsf{write}}$ .
Check if the transition is valid, and the hash openings $u_{\mathsf{read}}$ and $u_{\mathsf{write}}$ , along with the memory hash values $\rho,\rho^{\prime}$ , the bits $b_{\mathsf{read}},b_{\mathsf{write}}$ , and memory indexes $i_{\mathsf{read}},i_{\mathsf{write}}$ are all consistent.

At all other levels, each node aggregates $\lambda$ nodes from the lower level (see Figure 1). The instance contains just two pseudo-configurations: the initial and final pseudo-configuration out of the $\lambda$ nodes. And, the witness includes all pseudo-configurations and their corresponding SNARK proofs of transitions. Basically, the prover proves that it knows a valid sequence of transitions between the two pseudo-configurations. Below, we describe the language for intermediate levels informally:

Instance: $(\rho_{1},\mathsf{state}_{1},i_{1,\mathsf{read}})$ , $(\rho_{\lambda+1},\mathsf{state}_{\lambda+1},i_{\lambda+1,\mathsf{read}})$ .
Witness: $\{\pi_{j}\}_{j\in[\lambda]}$ , $\{(\rho_{j},\mathsf{state}_{j},i_{j,\mathsf{read}})\}_{j\in[\lambda+1]}$ .
Check if the mild SNARK verifier accepts every pair of instance $((\rho_{j},\mathsf{state}_{j},i_{j,\mathsf{read}}),\allowbreak(\rho_{j+1},% \allowbreak\mathsf{state}_{j+1},\allowbreak i_{j+1,\mathsf{read}}))$ and proof $\pi_{j}$ for $j\in[\lambda]$ .

We highlight that all above languages have succinct description since the instance/witness sizes as well as size of the associated membership circuit for each language has a fixed polynomial size. Thus, this process can be iteratively carried out till the root of the tree. And, it ensures each individual CRS as well as the final proof size to be fully-succinct, i.e. independent of $n, m, T$ .

Figure 1: Level

i

and level

i+1

of the SNARK tree, and

\hat{\rho}

corresponds to a pseudo-configuration,

\hat{\rho}=(\rho,\mathsf{state},i_{\mathsf{read}})

, and

N=T/\lambda^{i}

.

Lastly, we can design a recursive extractor efficiently to prove knowledge soundness. The extractor first extracts a valid witness for the root node, and then it considers the extraction procedure that computes a valid witness for the root node as an attacker, and continues the recursive extraction procedure. Overall, by combining all the witnesses at the bottom level (leaves of the tree), the extractor can reconstruct a valid witness that satisfies the RAM computation. (Technically, the security argument also relies on the fact that the Merkle tree is secure, but we ignore that detail for the sake of simplicity.) Clearly, the running time of extractor faces a polynomial blow-up across each level of the tree (as the $i^{th}$ level extractor is treated as an attacker for $(i-1)^{th}$ level). However, as we discussed earlier, by designing trees with arity- $\lambda$ , the height of the SNARK tree remains constant, and as a result, the extractor’s runtime is polynomially bounded. Our compiler is formally presented in Section 3.

2.3 Boosting milder SNARKs

As a final step, we also show a generic compiler to boost any non-trivial SNARK, i.e., with any mildness parameter $\delta>1$ . However, unlike our previous compiler, we require an additional property from the underlying SNARK. To better understand this, let us first inspect what goes wrong if we simply use the previous compiler for such “milder” SNARKs.

Consider $\delta=1+\epsilon$ for some constant $\epsilon>0$ . To boost such a SNARK, we need a SNARK tree of depth around $\log_{1+\epsilon}T=O(\log\lambda)$ , where $T$ is the running time of the (non-deterministic) computation. Recall this is exactly the scenario where the recursive extraction strategy fails! This is precisely whe we considered trees of larger arity, to ensure the tree depth is constant. Unfortunately, if the underlying SNARKs mildness is lower than $\lambda^{\epsilon}$ , then we can no longer guarantee that a constant number of iterative SNARK compositions will be enough for achieving full-succinctness.

Our intuition is that if the extractor runs “sufficiently fast”, then this issue goes away. Thus, to resolve this issue, we introduce a notion of $\delta$ -mild SNARKs with fast extractors. Roughly, it says that the ratio between the extractor’s running time and the cheating prover’s running time is asymptotically equal to $\mathsf{poly}(\delta)$ . More formally, a $\delta$ -mild SNARK has a fast extractor if the extractor’s runtime is $\mathsf{poly}(\delta)\cdot|\mathcal{A}|+\mathsf{poly}(\lambda,n,m,|\pi|)$ . For such mild SNARKs, we can use our boosting compiler to design a fully-succinct SNARK by relying on $O(\log\lambda)$ -depth SNARK tree.

Although one could simply the above approach, we provide an alternate approach. Basically, we show that any $\delta$ -mild SNARK, with a fast extractor $\mathcal{E}$ , can be generically boosted to a $\lambda$ -mild SNARK, with an extractor $\mathcal{E}^{\prime}$ that runs in polynomial time. Very briefly, our approach is to compose such mild-SNARKs in a straightline iterated fashion. Note that this will be sufficient since our final goal is not to achieve a short CRS, but only a $\lambda$ -mild SNARK. This can be further boosted to full-succinctness by using our previous compilers. We describe this formally in Section 4.

2.4 Related Work, Open Questions, and Roadmap

Related Work

Recently, Kalai et al. [28] designed a generic compiler to boost any non-trivial (flexible) RAM SNARGs to fully-succinct (flexible) RAM SNARGs, under a very mild assumption of rate-1 string OT. Moreover, they showed a near equivalence between such flexible RAM SNARGs and batch arguments (BARGs) for $\boldsymbol{\mathrm{NP}}$ . One can view their result as a generic compiler for boosting any non-trivial SNARK for $\boldsymbol{\mathrm{P}}$ to a fully-succinct SNARK for $\boldsymbol{\mathrm{P}}$ ⁵⁵5Recall SNARKs and SNARGs are the same object for $\boldsymbol{\mathrm{P}}$ , since there is no witness.. Our work gives a matching boosting result for the non-deterministic class $\boldsymbol{\mathrm{NP}}$ .

Proof Carrying Data (PCD) [13] generalizes SNARGs to distributed computation. Their goal is for a group of participants in a distributed computation to create proofs of integrity and legitimacy for their respective (local) computations that can be combined to create a global proof of integrity and legitimacy of the entire distributed computation. PCDs are a significant generalization of Incrementally Verifiable Computations (IVC) [40]. IVCs can be simply viewed as PCD for straightline incremental computations (i.e., path graphs).

In a beautiful work, Bitansky et al. [7] developed new approaches for recursively composing SNARKs, and provided new techniques for constructing and using PCD. One of their central results was development of a bootstrapping mechanism for fully-succinct SNARKs with “expensive” preprocessing to design fully-succinct complexity-preserving SNARKs. By complexity-preserving, they meant that the prover’s time/space complexity is essentially the same as that required for classical $\boldsymbol{\mathrm{NP}}$ verification.

On a technical level, [7] relied on an elegant technique to recursively compose SNARKs over a tree-like structure. As discussed in the overview, our approach builds on their composition techniques. Apart from studying different problems, the key differences between our works are that we show that recursive composition works even for non-trivial SNARKs, while they relied on fully-succinct SNARKs. Moreover, a non-trivial SNARK verifier can be as large as some polynomial in the description of the classical $\boldsymbol{\mathrm{NP}}$ verification circuit, thus we had to rely on additional techniques such as RAM delegation, while this was needed by Bitansky et al. since they assumed full-succinct SNARKs.

Interestingly, by combining our results with [7], we obtain that any $\delta$ -mild SNARK, with either a fast extractor or $\delta=\lambda^{\epsilon}$ , is sufficient to design complexity-preserving SNARKs and PCDs.

Open questions

Our work leaves a lot of interesting questions for further research. We list out some of them below.

1.

Our appraoch crucially relies on knowledge soundness. A great problem is can we boost non-trivial SNARGs, without or with very weak extractability?
2.

We also need SNARKs to be adaptively sound. Another great question is to similar compilers assuming non-adapative soundness.
3.

To shorten the CRS size, we need to rely on efficient RAM delegation. Can this be avoided, or could we instead reduce to simpler assumptions such as CRHFs?
4.

Do there exist such boosting SNARK results for other classes, other than $\boldsymbol{\mathrm{P}}$ [28] and $\boldsymbol{\mathrm{NP}}$ (this work)?
5.

Our fully-succinct SNARKs have “fixed” multiplicative overhead in the time/space needed for computing the proof, compared to classical $\boldsymbol{\mathrm{NP}}$ verification. Can we make this optimal and only incur a “fixed” additive overhead?

Answering above questions will give us more insight in the study of SNARKs and related proof systems.

Roadmap

The rest of the paper is organized as follows. First, we describe our main boosting compiler for mild SNARKs (with short CRS) in Section 3. Later in Section 4, we show to boost even milder SNARKs, and finally, we describe how to use RAM delegation to shorten CRS in Section 5. Due to space constraints, preliminaries can be found in the full version.

3 Full Succinctness from Mild SNARKs with Short CRS

We start by establishing the concept of $\delta$ -mild SNARKs.

$\delta$ -Mild SNARK with succinct CRS

Consider the circuit satisfiability language. Let $\mathcal{C}$ be any boolean circuit $\{0,1\}^{n}\times\{0,1\}^{m}\to\{0,1\}$ that takes as input $x\in\{0,1\}^{n},\omega\in\{0,1\}^{m}$ and outputs a bit $\{0,1\}$ . We define the notion of $\delta$ -mild SNARKs for the circuit satisfiability language, where such SNARKs are defined identically to that as SNARKs for RAM, except the $\mathsf{Setup}$ algorithm takes description of circuit $\mathcal{C}$ , $n$ (in unary), and $m$ (in binary) as inputs. Next, we define $\delta$ -mildness and succinct CRS properties formally.

$\delta$ -mildness

Let $\delta$ be a function such that $\delta=\delta(\lambda,n,m)$ . A SNARK satisfies $\delta$ -mildness, if there exists a poly $p(\cdot)$ such that for every $\lambda\in\mathbb{N}$ , polynomial $n=n(\lambda),m=m(\lambda)$ , boolean circuit $\mathcal{C}=\{0,1\}^{n}\times\{0,1\}^{m}$ , $x\in\{0,1\}^{n}$ , $\omega\in\{0,1\}^{m}$ where $\mathcal{C}(x,\omega)=1$ , $\pi\leftarrow\mathsf{Prove}(\mathsf{crs},x,\omega)$ , it holds that

|\pi|\leq\frac{m}{\delta(\lambda,n,m)}+p(\lambda,n).

Succinct CRS

A SNARK has succinct CRS, if there exists a poly $p(\cdot)$ such that for every $\lambda\in\mathbb{N}$ , polynomial $n=n(\lambda),m=m(\lambda)$ , boolean circuit $\mathcal{C}=\{0,1\}^{n}\times\{0,1\}^{m}$ , $\mathsf{crs}\leftarrow\mathsf{Setup}(1^{\lambda},n,m,\mathcal{C})$ , it holds that $|\mathsf{crs}|\leq p(\lambda,\log|\mathcal{C}|,n,m)$ .

3.1 Fully-Succinct SNARKs from $\lambda^{\epsilon}$ -Mild SNARKs

We discuss how to build fully-succinct SNARK for any RAM Machine $\mathcal{R}$ with bounded running time from a $\lambda^{\epsilon}$ -mild SNARK and hash tree systems. Later, we show how to generically improve these to RAM Machines with unbounded running time.

Special Notation: Composite Hash Tree

We rely on a specialized notation that we call Composite Hash Trees. One may consider Composite Hash Tree as a set of $k$ Hash Trees, each assigned a section of input. For example, the hash value $h\leftarrow\mathsf{Hash}(\mathsf{hk},x)$ consists a number of $k$ hash values $h=(h_{1},\ldots,h_{k})$ where each value corresponds to one section of $x$ . As long as $k$ is a constant number, the efficiency and soundness properties all maintain from the original Hash Tree. The desired property from Composite Hash Tree is that the reading, opening, and writing at the $i$ -th section of string $x$ only depends on and affects $h_{i}$ . Composite Hash Tree overloads the syntax of Hash Tree, except for the following:

$\mathsf{Setup}(1^{\lambda},N_{1},\ldots,N_{k})\to\mathsf{hk}.$: The setup algorithm is modified to accept multiple inputs $N_{1},\ldots,N_{k}$ . The size of hash input is $\Sigma_{i=1}^{k}N_{i}$ . Input is considered as a number of $k$ continuous segments, where the $i$ -th segment is of size $N_{i}$ . It also sets hash key $\mathsf{hk}$ as a sequence of of $k$ independent hash keys: $\mathsf{hk}=(\mathsf{hk}_{1},\ldots,\mathsf{hk}_{k})$ .

We define the additional property of completeness: For every $\lambda,k,N_{1},\ldots,N_{k}\in\mathbb{N}$ , $x^{(i)}\in\{0,1\}^{N_{i}}$ for all $i\in[k]$ , $x=(x^{(1)},\ldots,x^{(k)})$ , and $\mathsf{hk}=(\mathsf{hk}_{1},\ldots,\mathsf{hk}_{k})\leftarrow\mathsf{Setup}(1% ^{\lambda},N_{1},\ldots,N_{k})$ ,

\Pr\left[\begin{array}[]{l}\mathsf{Hash}(\mathsf{hk},x)=(\mathsf{Hash}(\mathsf% {hk}_{i},x^{(1)}),\ldots,\mathsf{Hash}(\mathsf{hk}_{i},x^{(k)}))\\ \end{array}\right]=1.

For the rest of this section, we only rely on such Composite Hash Trees.

Our Fully-Succinct SNARK Construction

We rely on $\delta$ -mild SNARK $\Gamma=(\Gamma.\mathsf{Setup},\allowbreak\Gamma.\mathsf{Prove},\allowbreak% \Gamma.\mathsf{Verify})$ for $\delta\geq 2\lambda$ , and composite hash tree $\mathsf{H}=(\mathsf{H}.\mathsf{Setup},\mathsf{H}.\mathsf{Hash},\allowbreak% \mathsf{H}.\mathsf{Open},\mathsf{H}.\mathsf{Verify},\allowbreak\mathsf{H}.% \mathsf{Write},\mathsf{H}.\mathsf{Update})$ . Below is our design.

$\mathsf{Setup}(1^{\lambda},\mathcal{R},n,m,T,k)\to\mathsf{crs}.$

The setup algorithm follows these steps:

1. RAM machine $\mathcal{R}$ is as the following: $\mathcal{R}$ takes as input $(x,\omega)$ , running time of $\mathcal{R}$ is $T$ , and memory usage is capped at $k$ . Size of input $(x,\omega)$ is $n+m$ .

2. We then specify $\ell$ as $\ell=\lceil\frac{\log T}{\log\lambda}\rceil$ . We also specify the state transformation circuit of $\mathcal{R}$ as $\mathcal{C}^{\mathsf{RAM}}$ and the memory as $M=(M_{1},\ldots,M_{k})$ . It sets

\mathsf{hk}\leftarrow\mathsf{H}.\mathsf{Setup}(1^{\lambda},n,m,k-n-m).

The intuition is that the memory is splitted into three sections where the first two sections are used to record the input $x,\omega$ and the last section is used as a working tape. Then under the hash key $\mathsf{hk}=(\mathsf{hk}_{1},\mathsf{hk}_{2},\mathsf{hk}_{3})$ , hash value $h$ consists of three independent values $(h_{1},h_{2},h_{3})$ .

3. It generates a number of $\ell+1$ common reference strings: For all $i\in\{0,\ldots,\ell\}$ ,

\mathsf{crs}_{i}\leftarrow\Gamma.\mathsf{Setup}(1^{\lambda},1^{n_{i}},1^{m_{i}% },\mathcal{C}_{i}),

where $\mathcal{C}_{i}$ is defined as the following, and $n_{i}$ is the instance size, $m_{i}$ is the witness size for $\mathcal{C}_{i}$ .

4. It outputs $\mathsf{crs}=(\mathsf{hk},\mathsf{crs}_{0},\ldots,\mathsf{crs}_{\ell})$ .

Circuit $\mathcal{C}_{0}$ Instance: $(\rho,\mathsf{state},i_{\mathsf{read}})$ , $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})$ .
Witness: $b_{\mathsf{read}},b_{\mathsf{write}},i_{\mathsf{write}},u_{\mathsf{read}},u_{% \mathsf{write}}$ .
Hardwired: $\mathcal{C}^{\mathsf{RAM}}$ . Output: $\mathcal{C}_{0}$ outputs $1$ if and only if the followings are satisfied: $\blacksquare$ $\mathcal{C}^{\mathsf{RAM}}(\mathsf{state},b_{\mathsf{read}})=(\mathsf{state}^{% \prime},i_{\mathsf{read}}^{\prime},i_{\mathsf{write}},b_{\mathsf{write}})$ . $\blacksquare$ $\mathsf{H}.\mathsf{Verify}(\mathsf{hk},\rho,i_{\mathsf{read}},b_{\mathsf{read}% },u_{\mathsf{read}})=1$ . $\blacksquare$ $\mathsf{H}.\mathsf{Write}(\mathsf{hk},\rho,i_{\mathsf{write}},b_{\mathsf{write% }},u_{\mathsf{write}})=\rho^{\prime}$ .

For $i\in\{1,\ldots,\ell\}$ :

Circuit $\mathcal{C}_{i}$ Instance: $(\rho,\mathsf{state},i_{\mathsf{read}})$ , $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})$ .
Witness: $\{\pi_{j}\}_{j\in\lambda}$ , $\{(\rho,\mathsf{state},i_{\mathsf{read}})_{j}\}_{j\in[\lambda+1]}$ .
Hardwired: $\mathsf{crs}_{i-1}$ .
Output: $\mathcal{C}_{i}$ outputs $1$ if and only if: $\blacksquare$ $\Gamma.\mathsf{Verify}(\mathsf{crs}_{i-1},((\rho,\mathsf{state},i_{\mathsf{% read}})_{j},(\rho,\mathsf{state},i_{\mathsf{read}})_{j+1}),\pi_{j})=1$ , for all $j\in[\lambda]$ . $\blacksquare$ $(\rho,\mathsf{state},i_{\mathsf{read}})=(\rho_{1},\mathsf{state}_{1},i_{1})$ $\blacksquare$ $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})=(\rho_{% \lambda+1},\mathsf{state}_{\lambda+1},i_{\lambda+1})$

$\mathsf{Prove}(\mathsf{crs},x,\omega)\to\pi$

. The prover algorithm follows these steps:

1.

It simulates $\mathcal{R}$ step by step. Previously we specified the state transformation circuit of $\mathcal{R}$ as $\mathcal{C}^{\mathsf{RAM}}$ and the memory as $M$ . Since $\mathcal{R}$ has a maximum number of $T$ steps, the simulation process involves a total number of $T+1$ states. Recall definition of RAM machine where for each step of computation, the original local state $\mathsf{state}$ transforms into a new state $\mathsf{state}^{\prime}$ . Such transition involves an index to read $i_{\mathsf{read}}$ , the bit $b_{\mathsf{read}}$ at index $i_{\mathsf{read}}$ . It sets $\rho=\mathsf{H}.\mathsf{Hash}(\mathsf{hk},M)$ where $M=(M_{1},\ldots,M_{k})$ represents the whole memory at such state. When reading the bit $b_{\mathsf{read}}$ at index $i_{\mathsf{read}}$ , it simultaneously computes the opening $u_{\mathsf{read}}=\mathsf{H}.\mathsf{Open}(\mathsf{hk},M,i_{\mathsf{read}})$ . Then state transformation circuit $\mathcal{C}^{\mathsf{RAM}}$ takes $\mathsf{state}$ and $b_{\mathsf{read}}$ as input and outputs $\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime},i_{\mathsf{write}},b_{% \mathsf{write}}$ . It updates the bit at index $i_{\mathsf{write}}$ , setting $M^{\prime}_{i_{\mathsf{write}}}$ as $b_{\mathsf{write}}$ , and $M^{\prime}_{i}$ as $M_{i}$ for all $i\in[k]\setminus\{i_{\mathsf{write}}\}$ . It sets updated memory $M^{\prime}=(M^{\prime}_{1},\ldots,M^{\prime}_{k})$ . Next, it obtains updated hash value as $\rho^{\prime}=\mathsf{H}.\mathsf{Write}(\mathsf{hk},h,b_{\mathsf{write}},i_{% \mathsf{write}})$ .

It records $(\mathsf{state},i_{\mathsf{read}},b_{\mathsf{read}},\rho,u_{\mathsf{read}})_{i}$ , for $i\in[T+1]$ corresponding to the $i$ -th state. It records $(b_{\mathsf{write}},i_{\mathsf{write}},u_{\mathsf{write}})_{i}$ for $i\in[T]$ as the parameters of writing while going from $\mathsf{state}_{i}$ to $\mathsf{state}_{i+1}$ .

2.

For all $i\in[T]$ , it sets instance $x_{i}$ and witness $\omega_{i}$ as the following:

x_{i}=((\rho,\mathsf{state},i_{\mathsf{read}})_{i},(\rho,\mathsf{state},i_{% \mathsf{read}})_{i+1}),\omega_{i}=(b_{\mathsf{read}},b_{\mathsf{write}},i_{% \mathsf{write}},u_{\mathsf{read}},u_{\mathsf{write}})_{i}.

Then for all $i\in[T]$ , it generates $\pi_{i}\leftarrow\Gamma.\mathsf{Prove}(\mathsf{crs}_{0},x_{i},\omega_{i})$ .

3.

It generates a tree $G=(V,E)$ of $\ell+1$ levels, as the following: The top level is set as level $\ell$ and the bottom level is set as level $0$ . Level $0$ contains a number of $T$ nodes, and level $i$ contains approximately $\lambda^{\ell-i}$ nodes. Every node at levels $1,\ldots,\ell$ is connected to a number of $\lambda$ nodes at the lower level. Specifically, the $j$ -th node on level $i(1\leq i\leq\ell)$ has $\lambda$ child nodes: the $((j-1)\cdot\lambda+1)$ -th node, the $((j-1)\cdot\lambda+2)$ -th node, $\ldots$ , and the $(j\cdot\lambda)$ -th node on level $i-1$ . Since $T\leq\lambda^{\ell}$ , we assume without loss of generality that there is at most one node on level $\ell$ . Note that the graph $G$ has a tree structure, where each internal node has $\lambda$ child nodes.
4.

For each node $v\in V$ , it assigns of a pair of instance and proof to $v$ : $(\mathsf{inst}_{v},\mathsf{proof}_{v})$ . For the $i$ -th node at level $0$ (denoted as $v_{0,i}$ ), it assigns instance $\mathsf{inst}_{v_{0,i}}=x_{i}$ and proof $\mathsf{proof}_{v_{0,i}}=\pi_{i}$ to such node. Next, it assigns a pair of instance and proof to each node at level $1$ to $\ell$ .
5.

It starts from level $1$ . Each node $v$ at level $1$ has a sequence of $\lambda$ child nodes: $v_{1},\ldots,v_{\lambda}$ . It then takes instances $\mathsf{inst}_{v_{i}}$ and proofs $\mathsf{proof}_{v_{i}}$ for all $i\in[\lambda]$ . It parses instance $\mathsf{inst}_{v_{i}}$ as

$\mathsf{inst}_{v_{i}}=((\rho,\mathsf{state},i_{\mathsf{read}})_{i},(\rho,% \mathsf{state},i_{\mathsf{read}})_{i+1}).$

Then for all $i\in[\lambda+1]$ , it sets $z_{i}$ as $(\rho,\mathsf{state},i_{\mathsf{read}})_{i}$ . It generates proof

$\sigma=\Gamma.\mathsf{Prove}(\mathsf{crs}_{i},(z_{1},z_{\lambda+1}),(\{\sigma_% {i}\}_{i\in[\lambda]},\{z_{i}\}_{i\in[\lambda+1]})).$

It assigns $(z_{1},z_{\lambda+1})$ as the instance and $\sigma$ as the proof to such internal node:

$\mathsf{inst}_{v}=(z_{1},z_{\lambda+1}),\mathsf{proof}_{v}=\sigma.$
6.

It repeats step $5$ for level $2,3,\ldots,\ell$ .
7.

The root node is now assigned with the instances $(\rho,\mathsf{state},i_{\mathsf{read}})$ and $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})$ , along with the proof $\sigma$ . Recall that one may consider hash value as three independent values, such that $\rho=(\rho_{1},\rho_{2},\rho_{3})$ and $\rho^{\prime}=(\rho^{\prime}_{1},\rho^{\prime}_{2},\rho^{\prime}_{3})$ . The output is $\pi=(\rho_{2},\rho^{\prime},\sigma)$ .

$\mathsf{Verify}(\mathsf{crs},x,\pi)\to\{0,1\}$

. It first parses $\mathsf{crs}$ as $(\mathsf{hk},\mathsf{crs}_{0},\ldots,\mathsf{crs}_{\ell})$ and $\pi$ as $(\rho_{2},\rho^{\prime},\sigma)$ . It sets $\rho_{3}$ as an all zeros string. Remark $3.5$ in the full version says that hash value of an all zeros string is also a string of all zeros. This is a straightforward property that can be added to to any collision-resistant hash function. Thus, $\rho_{3}$ is equivalent to $\mathsf{H}.\mathsf{Hash}(\mathsf{hk}_{3},0^{k-n-m})$ , which allows the verifier to directly generate $\rho_{3}$ without evaluating the hash function. Next, it sets $\rho_{1}$ as $\mathsf{H}.\mathsf{Hash}(\mathsf{hk}_{1},x)$ , and $\rho$ as $(\rho_{1},\rho_{2},\rho_{3})$ . It then sets $\mathsf{state}$ as the starting state and $\mathsf{state}^{\prime}$ as the accepting state, and $i_{\mathsf{read}}$ as the reading bit’s index for the starting state, $i_{\mathsf{read}}^{\prime}$ as such index for the accepting state. Without loss of generality, we take $i_{\mathsf{read}}$ and $i_{\mathsf{read}}^{\prime}$ as fixed according to the definition of machine $\mathcal{R}$ . The verifier outputs

\Gamma.\mathsf{Verify}(\mathsf{crs}_{\ell},((\rho,\mathsf{state},i_{\mathsf{% read}}),(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})),% \sigma).

Completeness

The completeness of the above design directly follows from the completeness of composite hash tree $H$ and $\delta$ -mild SNARK $\Gamma$ .

Efficiency

For all $i\in\{0,\ldots,\ell\}$ , we denote $n_{i}$ as instance size, $m_{i}$ as witness size, and $|\pi_{i}|$ as proof size for each individual node at level $i$ .

Lemma 4.

For all $i\in\{0,\ldots,\ell\}$ , $|\pi_{i}|\leq n_{0}+m_{0}+2\cdot p(\lambda,n_{0})$ , $m_{i}\leq\lambda\cdot(n_{0}+m_{0}+2\cdot p(\lambda,n_{0}))$ .

Proof.

We prove the lemma using induction.

Base Case $(i=0)$ .

By $\delta$ -mildness ( $\delta\geq 2\lambda)$ , we have $|\pi_{0}|\leq{m_{0}}/{(2\lambda)}+p(\lambda,n_{0})$ . Thus the base case satisfies the lemma.

Inductive Step $(1\leq i\leq\ell)$ .

Suppose that the Lemma holds for $i-1$ and we proceed to $i$ . By inductive hypothesis, $|\pi_{i-1}|$ is at most $n_{0}+m_{0}+i\cdot p(\lambda,n_{0})$ . We note that due to the design of our tree-style SNARK, instance at each level consists of $(\rho,\mathsf{state},i_{\mathsf{read}})$ and $(\rho^{\prime},\mathsf{state}^{\prime},i_{\mathsf{read}}^{\prime})$ , with uniform sizes across all levels. Therefore, $n_{0},\ldots,n_{\ell}$ are all equivalent. Given that the each witness at level $i$ consists of $\{\pi_{j}\}_{j\in\lambda}$ and $\{(\rho,\mathsf{state},i_{\mathsf{read}})_{j}\}_{j\in[\lambda+1]}$ which combines a number of $\lambda$ proofs and instances from level $i-1$ , witness size $m_{i}$ is bounded by the following:

\displaystyle m_{i}

\displaystyle\leq\lambda\cdot(n_{i-1}+|\pi_{i-1}|)\leq\lambda\cdot(n_{0}+m_{0}% +2\cdot p(\lambda,n_{0})).

By succinctness of $\Gamma$ , $|\pi_{i}|$ is at most:

\displaystyle|\pi_{i}|

\displaystyle\leq\frac{m_{i}}{2\lambda}+p(\lambda,n_{i})

\displaystyle\leq n_{0}+m_{0}+2\cdot p(\lambda,n_{0}).

Putting the above together completes the proof for the lemma. $\hfill\blacktriangleleft$

Lemma 5.

The prover’s running time is $T\cdot\mathsf{poly}(\lambda)$ where $T$ is the running time of $\mathcal{R}(x,\omega)$ .

Proof.

Since instance and witness at level $0$ only contain local parameters, by Lemma 4, we have $m_{i}\leq\mathsf{poly}(\lambda)$ for some universal polynomial $\mathsf{poly}(\cdot)$ and for all $i\in\{0,\ldots,\ell\}$ . Instance size $n_{i}=n_{0}$ and is also upper bounded by $\mathsf{poly}(\lambda)$ for all $i\in\{0,\ldots,\ell\}$ . Thus, prover’s running time at each node is bounded by $\mathsf{poly}(\lambda)$ for some universal $\mathsf{poly}(\cdot)$ . The overall running time of the prover is at most $T\cdot\mathsf{poly}(\lambda)$ since the total number of nodes in the data structure is linear in $T$ . $\hfill\blacktriangleleft$

Lemma 6.

The Setup algorithm’s running time is $\mathsf{poly}(\lambda)$ .

Proof.

The Setup algorithm of our design includes setting up hash key $\mathsf{hk}$ and $\Gamma$ CRS $\mathsf{crs}_{0},\ldots,\mathsf{crs}_{\ell}$ . The $\mathsf{hk}$ setup is fast. To learn the setup time of $\mathsf{crs}_{i}\leftarrow\Gamma.\mathsf{Setup}(1^{\lambda},1^{n_{i}},1^{m_{i}% },\mathcal{C}_{i})$ , we must understand circuit size $|\mathcal{C}_{i}|$ . Observe that $|C_{0}|=\mathsf{poly}(\lambda,n_{0},m_{0})$ , and $|C_{i}|=\mathsf{poly}(\lambda,|\mathsf{crs}_{i-1}|,n_{i},m_{i})$ for all $i\in[\ell]$ . By Lemma 4, it holds that for all $i\in\{0,\ldots,\ell\}$ , $m_{i},n_{i}\leq\mathsf{poly}(\lambda)$ for some universal polynomial $\mathsf{poly}(\cdot)$ . Thus, $|\mathcal{C}_{0}|=\mathsf{poly}(\lambda)$ . By succinct CRS property of $\Gamma$ , it holds that $|\mathsf{crs}_{i}|\leq\mathsf{poly}(\lambda,\log|\mathcal{C}_{i}|,n_{i},m_{i})$ for all $i\in[\ell]$ , which implies that $|\mathcal{C}_{i}|\leq\mathsf{poly}(\lambda,\log|\mathcal{C}_{i-1}|)$ . Thus $\forall i\in[\ell]$ , $|\mathcal{C}_{i}|\leq\mathsf{poly}(\lambda)$ for some universal polynomial $\mathsf{poly}(\cdot)$ . The overall Setup time is $\mathsf{poly}(\lambda)$ for $\ell=\frac{\log T}{\log\lambda}$ . $\hfill\blacktriangleleft$

Lemma 7.

Assume that $\Gamma$ is a $\delta$ -mild SNARK ( $\delta\geq 2\lambda)$ with short CRS, and $H$ is a Hash Tree, then the above design is a fully succinct SNARK.

Proof.

Following from our design, $\mathsf{crs}=(\mathsf{hk},\mathsf{crs}_{0},\ldots,\mathsf{crs}_{\ell})$ , where $\mathsf{hk}$ represents the hash key. Thus, $|\mathsf{hk}|\leq\mathsf{poly}(\lambda)$ by design of hash tree. Following from the analysis of Lemma 6, it holds that $|\mathsf{crs}_{i}|\leq\mathsf{poly}(\lambda,\log|\mathcal{C}_{i}|,n_{i},m_{i})% =\mathsf{poly}(\lambda)$ for some universal polynomial $\mathsf{poly}(\cdot)$ , and the overall CRS size satisfies $|\mathsf{crs}|\leq\mathsf{poly}(\lambda)$ for $\ell=\frac{\log T}{\log\lambda}$ . By Lemma 4, proof size also satisfies full succinctness, such that $|\pi|\leq\mathsf{poly}(\lambda)$ .

$\hfill\blacktriangleleft$

Soundness

The soundness analysis is as below.

Theorem 8.

Assuming that the mildly succinct SNARK scheme $\Gamma$ satisfies the adaptive proof of knowledge property, and the Hash Tree $\mathsf{H}$ satisfies soundness and collision-resistance, then the above SNARK scheme also satisfies the proof of knowledge property.

Proof.

Due to space constraints, the proof can be found in the full version. $\hfill\blacktriangleleft$

$\blacktriangleright$ Remark 9.

We remark that the above the bootstrapping process can be extended to a $\lambda^{\epsilon}$ -mild SNARK of proof size $\frac{m}{\lambda^{\epsilon}}+p(\lambda,n)$ for any constant $\epsilon>0$ . This immediately follows by composing a $\lambda^{\epsilon}$ -mild SNARK a number of $\lceil 2/\epsilon\rceil$ times: It gives us a $2\lambda$ -mild SNARK with proof size $\frac{m}{\lambda^{2}}+p^{\prime}(\lambda,n)\leq\frac{m}{2\lambda}+p^{\prime}(% \lambda,n)$ where $p^{\prime}(\lambda,n)\leq 2\cdot p(\lambda,n)$ .

$\blacktriangleright$ Remark 10.

We remark that our design of fully succinct SNARK for RAM with bounded running time can be readily extended to unbounded RAM: For RAM machine $\mathcal{R}$ of a maximum running time $2^{\lambda}$ , we apply RAM delegation scheme $\mathsf{del}$ to prove that $\mathcal{R}(x,\omega)=1$ : $\mathsf{del}.\pi\leftarrow\mathsf{del}.\mathsf{Prove}(\mathsf{del}.\mathsf{crs% },(x,\omega))$ . Next, define RAM machine $\mathcal{R}^{\prime}$ such that $\mathcal{R}^{\prime}(x,(\omega,\mathsf{del}.\pi))=1$ if and only if $\mathsf{del}.\mathsf{Verify}(\mathsf{del}.\mathsf{crs},(x,\omega),\mathsf{del}% .\pi)=1$ . By succinctness of RAM delegation, $\mathsf{del}.\mathsf{Verify}$ runs in time $\mathsf{poly}(\lambda,n,m)$ for a universal $\mathsf{poly}(\cdot,\cdot,\cdot)$ . By applying our SNARK for bounded RAM over $\mathcal{R}^{\prime}$ , we obtain a fully succinct SNARK for RAM with unbounded running time.

4 Full Succinctness from Milder SNARKs with Fast Extractors

In this section, we show to build fully-succinct SNARKs from milder SNARKs. Towards that goal, we introduce the notion of fast extractors.

$\gamma$ -Efficient Extractor

We say a SNARK has a $\gamma$ -efficient extractor, if the extractor $\mathcal{E}$ ’s running time grows as $\gamma\cdot|\mathcal{A}|+q(\lambda,n,m,|\pi|)$ , for $\gamma=\gamma(\lambda,n,m,|\pi|)$ and some poly $q(\cdot)$ . That is, $\gamma$ for an extractor $\mathcal{E}(\mathcal{A},\mathsf{crs},x,\pi)$ is defined as the (asymptotic) ratio of the extractor’s running time to the running time of attacker $\mathcal{A}$ .

4.1 Fullly Succinct SNARK from $(1+\epsilon)$ -Mild SNARK with $\gamma$ -Efficient Extractor

Assuming the existence of $(1+\epsilon)$ -mild SNARK $\Gamma=(\Gamma.\mathsf{Setup},\Gamma.\mathsf{Prove},\allowbreak\Gamma.\mathsf{% Verify})$ with a $\gamma$ -efficient extractor (and succinct CRS) for any $\epsilon,\gamma>0$ , we design a $\delta$ -mild SNARK for $\delta\geq 2\lambda$ :

$\mathsf{Setup}(1^{\lambda},1^{n},1^{m},\mathcal{C})\to\mathsf{crs}.$: It sets $\ell=2\cdot\lceil\frac{\log\lambda}{\log(1+\epsilon)}\rceil$ . For $i\in[\ell]$ , we set $\mathcal{C}_{i}$ as the following boolean circuit and $m_{i}$ as the witness size for such circuit. It generates $\mathsf{crs}_{i}=\Gamma.\mathsf{Setup}(1^{\lambda},1^{n},1^{m_{i}},\mathcal{C}% _{i})$ . It outputs $\mathsf{crs}=\{\mathsf{crs}_{1},\ldots,\mathsf{crs}_{\ell}\}$ .

Circuit $\mathcal{C}_{i}$ Instance: $x$ .
Witness: $\omega$ .
Hardwired: $\mathsf{crs}_{i-1}$ . $\blacksquare$ For $i=1$ , $\mathcal{C}_{i}$ outputs $\mathcal{C}(x,\omega)$ . $\blacksquare$ For $i\geq 2$ , $\mathcal{C}_{i}$ outputs $\Gamma.\mathsf{Verify}(\mathsf{crs}_{i-1},x,\omega)=1$ .
$\mathsf{Prove}(\mathsf{crs},x,\omega)\to\pi.$: It parses $\mathsf{crs}$ as above. It sets $\omega_{1}$ as $\omega_{1}\leftarrow\Gamma.\mathsf{Prove}(\mathsf{crs}_{1},x,\omega)$ . Next for all $i\in\{2,\ldots,\ell\}$ , it computes $\omega_{i}$ as $\Gamma.\mathsf{Prove}(\mathsf{crs}_{i},x,\omega_{i-1})$ . It outputs $\pi=\omega_{\ell}$ .
$\mathsf{Verify}(\mathsf{crs},x,\pi)\to\{0,1\}.$: It outputs $\Gamma.\mathsf{Verify}(\mathsf{crs}_{\ell},x,\pi)$ .

Completeness

The recursive composition inherits the completeness of $\Gamma$ .

Lemma 11.

Assuming that $\Gamma$ satisfies $(1+\epsilon)$ -mildness, then the above SNARK satisfies $2\lambda$ -mildness.

Proof.

The proof size of $(1+\epsilon)$ -mild SNARK is given as $m/(1+\epsilon)+p(\lambda,n)$ . By composing this mild SNARK $\ell=2\cdot\lceil\frac{\log\lambda}{\log(1+\epsilon)}\rceil$ times in the above construction, the resulting proof size becomes $|\pi|\leq m/\lambda^{2}+2\cdot p(\lambda,n)$ .

$\hfill\blacktriangleleft$

Theorem 12.

Assuming that $\Gamma$ satisfies $(1+\epsilon)$ -mildness with a $\gamma$ -efficient extractor $(\gamma>0)$ , then the above SNARK also satisfies adaptive proof of knowledge property, as long as $\gamma$ and $(1+\epsilon)$ are polynomially related such that $\gamma=(1+\epsilon)^{c}$ where $c$ is a constant.

Proof.

Due to space constraints, the proof can be found in the full version. $\hfill\blacktriangleleft$

Corollary 13.

Following from Lemma 7, Lemma 11, and Theorem 12, there exists a fully succinct SNARK assuming the existence of $(1+\epsilon)$ -mild SNARK with $\gamma-$ efficient extractor such that $\gamma=\mathsf{poly}(1+\epsilon)$ .

5 Mild SNARKs without Succinct CRS

Finally, we show how to use $\delta-$ mild SNARK and RAM delegation to design a $\delta-$ mild SNARK with succinct CRS.

Our construction

Let $\mathsf{del}=(\mathsf{del}.\mathsf{Setup},\mathsf{del}.\mathsf{Prove},\mathsf{% del}.\mathsf{Verify})$ be a RAM delegation scheme, and $\Gamma=(\Gamma.\mathsf{Setup},\allowbreak\Gamma.\mathsf{Prove},\Gamma.\mathsf{% Verify})$ be a $\delta$ -mild SNARK. Below we provide our construction:

$\mathsf{Setup}(1^{\lambda},1^{n},1^{m},\mathcal{C})\to\mathsf{crs}.$: Let $\mathcal{R}$ be the following RAM machine – $\mathcal{R}$ takes as input $(x,\omega)\in\{0,1\}^{n+m}$ and accepts if and only if $\mathcal{C}(x,\omega)=1$ . Running time of $\mathcal{R}$ is $T=\mathsf{poly}(|\mathcal{C}|)$ for some fixed polynomial $\mathsf{poly}(\cdot)$ , and input size is $n+m$ . The setup algorithms samples $\mathsf{del}.\mathsf{crs}\leftarrow\mathsf{del}.\mathsf{Setup}(1^{\lambda},% \mathcal{R},T,n+m).$

Let $|\mathsf{del}.\pi|$ denote the proof size generated by $\mathsf{del}$ using $\mathsf{del}.\mathsf{crs}$ and a valid instance-witness pair. Consider the following boolean circuit $\mathcal{C}^{\prime}=\{0,1\}^{n}\times\{0,1\}^{m+|\mathsf{del}.\pi|}\to\{0,1\}$ :

Circuit $\mathcal{C}^{\prime}$ Instance: It takes as input instance $x\in\{0,1\}^{n}$ .
Witness: It takes as input witness $(\omega,\mathsf{del}.\pi)\in\{0,1\}^{m+|\mathsf{del}.\pi|}$ .
Hardwired: It has $\mathsf{del}.\mathsf{crs}$ hardwired. $\blacksquare$ It outputs $\mathsf{del}.\mathsf{Verify}(\mathsf{del}.\mathsf{crs},(x,\omega),\mathsf{del}% .\pi)$ .

The setup algorithm samples $\Gamma.\mathsf{crs}$ as $\Gamma.\mathsf{crs}\leftarrow\Gamma.\mathsf{Setup}(1^{\lambda},1^{n},1^{m+|% \mathsf{del}.\pi|},\mathcal{C}^{\prime})$ . And, it outputs $\mathsf{crs}$ as $(\mathsf{del}.\mathsf{crs},\Gamma.\mathsf{crs})$ .
$\mathsf{Prove}(\mathsf{crs},x,\omega)\to\pi.$: It parses $\mathsf{crs}$ as above. First, it computes a RAM proof as $\mathsf{del}.\pi\leftarrow\mathsf{del}.\mathsf{Prove}(\mathsf{del}.\mathsf{crs% },(x,\omega))$ , and then it creates a mild SNARK proof as $\Gamma.\pi\leftarrow\Gamma.\mathsf{Prove}(\Gamma.\mathsf{crs},\allowbreak x,(% \omega,\mathsf{del}.\pi)).$ It outputs $\pi=\Gamma.\pi$ .
$\mathsf{Verify}(\mathsf{crs},x,\pi)\to\{0,1\}.$: It outputs $\Gamma.\mathsf{Verify}(\Gamma.\mathsf{crs},x,\pi)$ .

Completeness

The completeness of the above design follows from the completeness of RAM machine delegation scheme $\mathsf{del}$ and mild SNARK scheme $\Gamma$ .

Efficiency

We analyze the efficiency of the above design:

Lemma 14.

Assume that $\Gamma=(\Gamma.\mathsf{Setup},\Gamma.\mathsf{Prove},\Gamma.\mathsf{Verify})$ is a $\delta-$ mild SNARK for function $\delta(\lambda,n,m)$ with extractor $\Gamma.\mathcal{E}$ . Then for every $\lambda\in\mathbb{N}$ , polynomial $n=n(\lambda)$ , $m=m(\lambda)$ , boolean circuit $\mathcal{C}=\{0,1\}^{n}\times\{0,1\}^{m}$ , any $x\in\{0,1\}^{n}$ , and $\omega\in\{0,1\}^{m}$ such that $\mathcal{C}(x,\omega)=1$ , the following holds:

$\blacksquare$

For $\mathsf{crs}\leftarrow\mathsf{Setup}(1^{\lambda},1^{n},1^{m},\mathcal{C})$ , there exists a universal polynomial $\mathsf{poly}(\cdot,\cdot,\cdot,\cdot)$ such that $|\mathsf{crs}|\leq\mathsf{poly}(\lambda,\log|\mathcal{C}|,n,m)$ .
$\blacksquare$

For $\pi\leftarrow\mathsf{Prove}(\mathsf{crs},x,\omega)$ , there exists a universal polynomial $\mathsf{poly}(\cdot)$ such that $p^{\prime}(\cdot)=\mathsf{poly}(p(\cdot))$ , where $|\pi|\leq\frac{m}{\delta(\lambda,n,m)}+p^{\prime}(\lambda,n)$ .

Proof.

Due to space constraints, the proof can be found in the full version. $\hfill\blacktriangleleft$ By Lemma 14, our design satisfies both $\delta$ -mildness and succinct CRS properties.

Theorem 15.

Assume that the mild SNARK scheme $\Gamma$ satisfies adaptive proof of knowledge, and the RAM delegation scheme $\mathsf{del}$ is sound, then the above design of SNARK satisfies adaptive proof of knowledge.

Proof.

Due to space constraints, the proof can be found in the full version. $\hfill\blacktriangleleft$

Corollary 16.

Based on recent results about RAM delegation ([15, 16, 31, 24, 42, 18, 38, 28, 14]) and our SNARKs design (Lemma 7, Theorem 8, Remark 9, Lemma 14, and Theorem 15), the following holds: Assuming the existence of $\lambda^{\epsilon}$ -mild SNARKs without CRS succinctness requirement, and assuming either LWE, $k$ -LIN over pairing groups for any constant $k\in\mathbb{N}$ , or sub-exponential DDH over pairing-free groups, there exists fully succinct SNARKs.

Corollary 17.

By extending Corollary 16 using Corollary 13, we have: Assuming the existence of $(1+\epsilon)$ -mild SNARKs with $\gamma-$ efficient extractor for $\gamma=\mathsf{poly}(1+\epsilon)$ , and without CRS succinctness requirement, and assuming either LWE, $k$ -LIN over pairing groups for any constant $k\in\mathbb{N}$ , or sub-exponential DDH over pairing-free groups, there exists fully succinct SNARKs.

References

[1] Saikrishna Badrinarayanan, Yael Tauman Kalai, Dakshita Khurana, Amit Sahai, and Daniel Wichs. Succinct delegation for low-space non-deterministic computation. In Ilias Diakonikolas, David Kempe, and Monika Henzinger, editors, 50th Annual ACM Symposium on Theory of Computing, pages 709–721. ACM Press, June 2018. doi:10.1145/3188745.3188924.
[2] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In Joe Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 1–18, Santa Barbara, CA, USA, august 19–23 2001. Springer Berlin Heidelberg, Germany. doi:10.1007/3-540-44647-8_1.
[3] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby, editors, ACM CCS 93: 1st Conference on Computer and Communications Security, pages 62–73. ACM Press, November 1993. doi:10.1145/168588.168596.
[4] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 459–474. IEEE Computer Society Press, May 2014. doi:10.1109/SP.2014.36.
[5] Nir Bitansky, Ran Canetti, Alessandro Chiesa, Shafi Goldwasser, Huijia Lin, Aviad Rubinstein, and Eran Tromer. The hunting of the SNARK. Journal of Cryptology, 30(4):989–1066, October 2017. doi:10.1007/s00145-016-9241-9.
[6] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In Shafi Goldwasser, editor, ITCS 2012: 3rd Innovations in Theoretical Computer Science, pages 326–349. Association for Computing Machinery, January 2012. doi:10.1145/2090236.2090263.
[7] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. Recursive composition and bootstrapping for SNARKS and proof-carrying data. In Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th Annual ACM Symposium on Theory of Computing, pages 111–120. ACM Press, June 2013. doi:10.1145/2488608.2488623.
[8] Nir Bitansky, Alessandro Chiesa, Yuval Ishai, Rafail Ostrovsky, and Omer Paneth. Succinct non-interactive arguments via linear interactive proofs. In Amit Sahai, editor, TCC 2013: 10th Theory of Cryptography Conference, volume 7785 of Lecture Notes in Computer Science, pages 315–333. Springer, Heidelberg, March 2013. doi:10.1007/978-3-642-36594-2_18.
[9] Zvika Brakerski, Maya Farber Brodsky, Yael Tauman Kalai, Alex Lombardi, and Omer Paneth. SNARGs for monotone policy batch NP. In Helena Handschuh and Anna Lysyanskaya, editors, Advances in Cryptology – CRYPTO 2023, Part II, volume 14082 of Lecture Notes in Computer Science, pages 252–283. Springer, Heidelberg, August 2023. doi:10.1007/978-3-031-38545-2_9.
[10] Zvika Brakerski, Justin Holmgren, and Yael Tauman Kalai. Non-interactive delegation and batch NP verification from standard computational assumptions. In Hamed Hatami, Pierre McKenzie, and Valerie King, editors, 49th Annual ACM Symposium on Theory of Computing, pages 474–482. ACM Press, June 2017. doi:10.1145/3055399.3055497.
[11] Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. Journal of computer and system sciences, 37(2):156–189, 1988. doi:10.1016/0022-0000(88)90005-0.
[12] Matteo Campanelli, Chaya Ganesh, Hamidreza Khoshakhlagh, and Janno Siim. Impossibilities in succinct arguments: Black-box extraction and more. In Nadia El Mrabet, Luca De Feo, and Sylvain Duquesne, editors, AFRICACRYPT 23: 14th International Conference on Cryptology in Africa, volume 14064 of Lecture Notes in Computer Science, pages 465–489, Sousse, Tunisia, july 19–21 2023. Springer, Cham, Switzerland. doi:10.1007/978-3-031-37679-5_20.
[13] Alessandro Chiesa and Eran Tromer. Proof-carrying data and hearsay arguments from signature cards. In ICS, volume 10, pages 310–331, 2010. URL: http://conference.iiis.tsinghua.edu.cn/ICS2010/content/papers/25.html.
[14] Arka Rai Choudhuri, Sanjam Garg, Abhishek Jain, Zhengzhong Jin, and Jiaheng Zhang. Correlation intractability and SNARGs from sub-exponential DDH. In Helena Handschuh and Anna Lysyanskaya, editors, Advances in Cryptology – CRYPTO 2023, Part IV, volume 14084 of Lecture Notes in Computer Science, pages 635–668, Santa Barbara, CA, USA, august 20–24 2023. Springer, Cham, Switzerland. doi:10.1007/978-3-031-38551-3_20.
[15] Arka Rai Choudhuri, Abhishek Jain, and Zhengzhong Jin. Non-interactive batch arguments for NP from standard assumptions. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology – CRYPTO 2021, Part IV, volume 12828 of Lecture Notes in Computer Science, pages 394–423, Virtual Event, August 2021. Springer, Heidelberg. doi:10.1007/978-3-030-84259-8_14.
[16] Arka Rai Choudhuri, Abhishek Jain, and Zhengzhong Jin. SNARGs for $\mathcal{P}$ from LWE. In 62nd Annual Symposium on Foundations of Computer Science, pages 68–79. IEEE Computer Society Press, February 2022. doi:10.1109/FOCS52979.2021.00016.
[17] Ivan Bjerre Damgård. A design principle for hash functions. In Conference on the Theory and Application of Cryptology, pages 416–427. Springer, 1989.
[18] Lalita Devadas, Rishab Goyal, Yael Kalai, and Vinod Vaikuntanathan. Rate-1 non-interactive arguments for batch-NP and applications. In 63rd Annual Symposium on Foundations of Computer Science, pages 1057–1068. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00103.
[19] Craig Gentry, Jens Groth, Yuval Ishai, Chris Peikert, Amit Sahai, and Adam D. Smith. Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. Journal of Cryptology, 28(4):820–843, October 2015. doi:10.1007/s00145-014-9184-y.
[20] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Lance Fortnow and Salil P. Vadhan, editors, 43rd Annual ACM Symposium on Theory of Computing, pages 99–108. ACM Press, June 2011. doi:10.1145/1993636.1993651.
[21] Shafi Goldwasser and Yael Tauman Kalai. Cryptographic assumptions: A position paper. In Eyal Kushilevitz and Tal Malkin, editors, TCC 2016-A: 13th Theory of Cryptography Conference, Part I, volume 9562 of Lecture Notes in Computer Science, pages 505–522, Tel Aviv, Israel, january 10–13 2016. Springer Berlin Heidelberg, Germany. doi:10.1007/978-3-662-49096-9_21.
[22] Jens Groth. Short pairing-based non-interactive zero-knowledge arguments. In Masayuki Abe, editor, Advances in Cryptology – ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science, pages 321–340. Springer, Heidelberg, December 2010. doi:10.1007/978-3-642-17373-8_19.
[23] Jens Groth. On the size of pairing-based non-interactive arguments. In Marc Fischlin and Jean-Sébastien Coron, editors, Advances in Cryptology – EUROCRYPT 2016, Part II, volume 9666 of Lecture Notes in Computer Science, pages 305–326. Springer, Heidelberg, May 2016. doi:10.1007/978-3-662-49896-5_11.
[24] James Hulett, Ruta Jawale, Dakshita Khurana, and Akshayaram Srinivasan. SNARGs for P from sub-exponential DDH and QR. In Orr Dunkelman and Stefan Dziembowski, editors, Advances in Cryptology – EUROCRYPT 2022, Part II, volume 13276 of Lecture Notes in Computer Science, pages 520–549. Springer, Heidelberg, May / June 2022. doi:10.1007/978-3-031-07085-3_18.
[25] Aayush Jain, Huijia Lin, and Amit Sahai. Indistinguishability obfuscation from well-founded assumptions. In Samir Khuller and Virginia Vassilevska Williams, editors, 53rd Annual ACM Symposium on Theory of Computing, pages 60–73. ACM Press, June 2021. doi:10.1145/3406325.3451093.
[26] Ruta Jawale, Yael Tauman Kalai, Dakshita Khurana, and Rachel Yun Zhang. SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In Samir Khuller and Virginia Vassilevska Williams, editors, 53rd Annual ACM Symposium on Theory of Computing, pages 708–721. ACM Press, June 2021. doi:10.1145/3406325.3451055.
[27] Zhengzhong Jin, Yael Kalai, Alex Lombardi, and Vinod Vaikuntanathan. SNARGs under LWE via propositional proofs. In 56th Annual ACM Symposium on Theory of Computing, pages 1750–1757. ACM Press, June 2024. doi:10.1145/3618260.3649770.
[28] Yael Kalai, Alex Lombardi, Vinod Vaikuntanathan, and Daniel Wichs. Boosting batch arguments and ram delegation. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, pages 1545–1552, 2023. doi:10.1145/3564246.3585200.
[29] Yael Tauman Kalai and Omer Paneth. Delegating RAM computations. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B: 14th Theory of Cryptography Conference, Part II, volume 9986 of Lecture Notes in Computer Science, pages 91–118. Springer, Heidelberg, October / November 2016. doi:10.1007/978-3-662-53644-5_4.
[30] Yael Tauman Kalai, Omer Paneth, and Lisa Yang. How to delegate computations publicly. In Moses Charikar and Edith Cohen, editors, 51st Annual ACM Symposium on Theory of Computing, pages 1115–1124. ACM Press, June 2019. doi:10.1145/3313276.3316411.
[31] Yael Tauman Kalai, Vinod Vaikuntanathan, and Rachel Yun Zhang. Somewhere statistical soundness, post-quantum security, and SNARGs. In Kobbi Nissim and Brent Waters, editors, TCC 2021: 19th Theory of Cryptography Conference, Part I, volume 13042 of Lecture Notes in Computer Science, pages 330–368. Springer, Heidelberg, November 2021. doi:10.1007/978-3-030-90459-3_12.
[32] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract). In 24th Annual ACM Symposium on Theory of Computing, pages 723–732. ACM Press, May 1992. doi:10.1145/129712.129782.
[33] Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, Advances in Cryptology – CRYPTO’87, volume 293 of Lecture Notes in Computer Science, pages 369–378. Springer, Heidelberg, August 1988. doi:10.1007/3-540-48184-2_32.
[34] Ralph Charles Merkle. Secrecy, authentication, and public key systems. Stanford university, 1979.
[35] Silvio Micali. Computationally sound proofs. SIAM Journal on Computing, 30(4):1253–1298, 2000. doi:10.1137/S0097539795284959.
[36] Moni Naor. On cryptographic assumptions and challenges (invited talk). In Dan Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 96–109. Springer, Heidelberg, August 2003. doi:10.1007/978-3-540-45146-4_6.
[37] Shafik Nassar, Brent Waters, and David J Wu. Monotone policy bargs from bargs and additively homomorphic encryption. Cryptology ePrint Archive, 2023.
[38] Omer Paneth and Rafael Pass. Incrementally verifiable computation via rate-1 batch arguments. In 63rd Annual Symposium on Foundations of Computer Science, pages 1045–1056. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00102.
[39] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014, pages 475–484, 2014. doi:10.1145/2591796.2591825.
[40] Paul Valiant. Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In Ran Canetti, editor, TCC 2008: 5th Theory of Cryptography Conference, volume 4948 of Lecture Notes in Computer Science, pages 1–18. Springer, Heidelberg, March 2008. doi:10.1007/978-3-540-78524-8_1.
[41] Michael Walfish and Andrew J Blumberg. Verifying computations without reexecuting them. Communications of the ACM, 58(2):74–84, 2015. doi:10.1145/2641562.
[42] Brent Waters and David J. Wu. Batch arguments for sfNP and more from standard bilinear group assumptions. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, Part II, volume 13508 of Lecture Notes in Computer Science, pages 433–463. Springer, Heidelberg, August 2022. doi:10.1007/978-3-031-15979-4_15.

[bib.bib1] [1] Saikrishna Badrinarayanan, Yael Tauman Kalai, Dakshita Khurana, Amit Sahai, and Daniel Wichs. Succinct delegation for low-space non-deterministic computation. In Ilias Diakonikolas, David Kempe, and Monika Henzinger, editors, 50th Annual ACM Symposium on Theory of Computing, pages 709–721. ACM Press, June 2018. doi:10.1145/3188745.3188924.

[bib.bib2] [2] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In Joe Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 1–18, Santa Barbara, CA, USA, august 19–23 2001. Springer Berlin Heidelberg, Germany. doi:10.1007/3-540-44647-8_1.

[bib.bib3] [3] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby, editors, ACM CCS 93: 1st Conference on Computer and Communications Security, pages 62–73. ACM Press, November 1993. doi:10.1145/168588.168596.

[bib.bib4] [4] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 459–474. IEEE Computer Society Press, May 2014. doi:10.1109/SP.2014.36.

[bib.bib5] [5] Nir Bitansky, Ran Canetti, Alessandro Chiesa, Shafi Goldwasser, Huijia Lin, Aviad Rubinstein, and Eran Tromer. The hunting of the SNARK. Journal of Cryptology, 30(4):989–1066, October 2017. doi:10.1007/s00145-016-9241-9.

[bib.bib6] [6] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In Shafi Goldwasser, editor, ITCS 2012: 3rd Innovations in Theoretical Computer Science, pages 326–349. Association for Computing Machinery, January 2012. doi:10.1145/2090236.2090263.

[bib.bib7] [7] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. Recursive composition and bootstrapping for SNARKS and proof-carrying data. In Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th Annual ACM Symposium on Theory of Computing, pages 111–120. ACM Press, June 2013. doi:10.1145/2488608.2488623.

[bib.bib8] [8] Nir Bitansky, Alessandro Chiesa, Yuval Ishai, Rafail Ostrovsky, and Omer Paneth. Succinct non-interactive arguments via linear interactive proofs. In Amit Sahai, editor, TCC 2013: 10th Theory of Cryptography Conference, volume 7785 of Lecture Notes in Computer Science, pages 315–333. Springer, Heidelberg, March 2013. doi:10.1007/978-3-642-36594-2_18.

[bib.bib9] [9] Zvika Brakerski, Maya Farber Brodsky, Yael Tauman Kalai, Alex Lombardi, and Omer Paneth. SNARGs for monotone policy batch NP. In Helena Handschuh and Anna Lysyanskaya, editors, Advances in Cryptology – CRYPTO 2023, Part II, volume 14082 of Lecture Notes in Computer Science, pages 252–283. Springer, Heidelberg, August 2023. doi:10.1007/978-3-031-38545-2_9.

[bib.bib10] [10] Zvika Brakerski, Justin Holmgren, and Yael Tauman Kalai. Non-interactive delegation and batch NP verification from standard computational assumptions. In Hamed Hatami, Pierre McKenzie, and Valerie King, editors, 49th Annual ACM Symposium on Theory of Computing, pages 474–482. ACM Press, June 2017. doi:10.1145/3055399.3055497.

[bib.bib11] [11] Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. Journal of computer and system sciences, 37(2):156–189, 1988. doi:10.1016/0022-0000(88)90005-0.

[bib.bib12] [12] Matteo Campanelli, Chaya Ganesh, Hamidreza Khoshakhlagh, and Janno Siim. Impossibilities in succinct arguments: Black-box extraction and more. In Nadia El Mrabet, Luca De Feo, and Sylvain Duquesne, editors, AFRICACRYPT 23: 14th International Conference on Cryptology in Africa, volume 14064 of Lecture Notes in Computer Science, pages 465–489, Sousse, Tunisia, july 19–21 2023. Springer, Cham, Switzerland. doi:10.1007/978-3-031-37679-5_20.

[bib.bib13] [13] Alessandro Chiesa and Eran Tromer. Proof-carrying data and hearsay arguments from signature cards. In ICS, volume 10, pages 310–331, 2010. URL: http://conference.iiis.tsinghua.edu.cn/ICS2010/content/papers/25.html.

[bib.bib14] [14] Arka Rai Choudhuri, Sanjam Garg, Abhishek Jain, Zhengzhong Jin, and Jiaheng Zhang. Correlation intractability and SNARGs from sub-exponential DDH. In Helena Handschuh and Anna Lysyanskaya, editors, Advances in Cryptology – CRYPTO 2023, Part IV, volume 14084 of Lecture Notes in Computer Science, pages 635–668, Santa Barbara, CA, USA, august 20–24 2023. Springer, Cham, Switzerland. doi:10.1007/978-3-031-38551-3_20.

[bib.bib15] [15] Arka Rai Choudhuri, Abhishek Jain, and Zhengzhong Jin. Non-interactive batch arguments for NP from standard assumptions. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology – CRYPTO 2021, Part IV, volume 12828 of Lecture Notes in Computer Science, pages 394–423, Virtual Event, August 2021. Springer, Heidelberg. doi:10.1007/978-3-030-84259-8_14.

[bib.bib16] [16] Arka Rai Choudhuri, Abhishek Jain, and Zhengzhong Jin. SNARGs for $\mathcal{P}$ from LWE. In 62nd Annual Symposium on Foundations of Computer Science, pages 68–79. IEEE Computer Society Press, February 2022. doi:10.1109/FOCS52979.2021.00016.

[bib.bib17] [17] Ivan Bjerre Damgård. A design principle for hash functions. In Conference on the Theory and Application of Cryptology, pages 416–427. Springer, 1989.

[bib.bib18] [18] Lalita Devadas, Rishab Goyal, Yael Kalai, and Vinod Vaikuntanathan. Rate-1 non-interactive arguments for batch-NP and applications. In 63rd Annual Symposium on Foundations of Computer Science, pages 1057–1068. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00103.

[bib.bib19] [19] Craig Gentry, Jens Groth, Yuval Ishai, Chris Peikert, Amit Sahai, and Adam D. Smith. Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. Journal of Cryptology, 28(4):820–843, October 2015. doi:10.1007/s00145-014-9184-y.

[bib.bib20] [20] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Lance Fortnow and Salil P. Vadhan, editors, 43rd Annual ACM Symposium on Theory of Computing, pages 99–108. ACM Press, June 2011. doi:10.1145/1993636.1993651.

[bib.bib21] [21] Shafi Goldwasser and Yael Tauman Kalai. Cryptographic assumptions: A position paper. In Eyal Kushilevitz and Tal Malkin, editors, TCC 2016-A: 13th Theory of Cryptography Conference, Part I, volume 9562 of Lecture Notes in Computer Science, pages 505–522, Tel Aviv, Israel, january 10–13 2016. Springer Berlin Heidelberg, Germany. doi:10.1007/978-3-662-49096-9_21.

[bib.bib22] [22] Jens Groth. Short pairing-based non-interactive zero-knowledge arguments. In Masayuki Abe, editor, Advances in Cryptology – ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science, pages 321–340. Springer, Heidelberg, December 2010. doi:10.1007/978-3-642-17373-8_19.

[bib.bib23] [23] Jens Groth. On the size of pairing-based non-interactive arguments. In Marc Fischlin and Jean-Sébastien Coron, editors, Advances in Cryptology – EUROCRYPT 2016, Part II, volume 9666 of Lecture Notes in Computer Science, pages 305–326. Springer, Heidelberg, May 2016. doi:10.1007/978-3-662-49896-5_11.

[bib.bib24] [24] James Hulett, Ruta Jawale, Dakshita Khurana, and Akshayaram Srinivasan. SNARGs for P from sub-exponential DDH and QR. In Orr Dunkelman and Stefan Dziembowski, editors, Advances in Cryptology – EUROCRYPT 2022, Part II, volume 13276 of Lecture Notes in Computer Science, pages 520–549. Springer, Heidelberg, May / June 2022. doi:10.1007/978-3-031-07085-3_18.

[bib.bib25] [25] Aayush Jain, Huijia Lin, and Amit Sahai. Indistinguishability obfuscation from well-founded assumptions. In Samir Khuller and Virginia Vassilevska Williams, editors, 53rd Annual ACM Symposium on Theory of Computing, pages 60–73. ACM Press, June 2021. doi:10.1145/3406325.3451093.

[bib.bib26] [26] Ruta Jawale, Yael Tauman Kalai, Dakshita Khurana, and Rachel Yun Zhang. SNARGs for bounded depth computations and PPAD hardness from sub-exponential LWE. In Samir Khuller and Virginia Vassilevska Williams, editors, 53rd Annual ACM Symposium on Theory of Computing, pages 708–721. ACM Press, June 2021. doi:10.1145/3406325.3451055.

[bib.bib27] [27] Zhengzhong Jin, Yael Kalai, Alex Lombardi, and Vinod Vaikuntanathan. SNARGs under LWE via propositional proofs. In 56th Annual ACM Symposium on Theory of Computing, pages 1750–1757. ACM Press, June 2024. doi:10.1145/3618260.3649770.

[bib.bib28] [28] Yael Kalai, Alex Lombardi, Vinod Vaikuntanathan, and Daniel Wichs. Boosting batch arguments and ram delegation. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, pages 1545–1552, 2023. doi:10.1145/3564246.3585200.

[bib.bib29] [29] Yael Tauman Kalai and Omer Paneth. Delegating RAM computations. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B: 14th Theory of Cryptography Conference, Part II, volume 9986 of Lecture Notes in Computer Science, pages 91–118. Springer, Heidelberg, October / November 2016. doi:10.1007/978-3-662-53644-5_4.

[bib.bib30] [30] Yael Tauman Kalai, Omer Paneth, and Lisa Yang. How to delegate computations publicly. In Moses Charikar and Edith Cohen, editors, 51st Annual ACM Symposium on Theory of Computing, pages 1115–1124. ACM Press, June 2019. doi:10.1145/3313276.3316411.

[bib.bib31] [31] Yael Tauman Kalai, Vinod Vaikuntanathan, and Rachel Yun Zhang. Somewhere statistical soundness, post-quantum security, and SNARGs. In Kobbi Nissim and Brent Waters, editors, TCC 2021: 19th Theory of Cryptography Conference, Part I, volume 13042 of Lecture Notes in Computer Science, pages 330–368. Springer, Heidelberg, November 2021. doi:10.1007/978-3-030-90459-3_12.

[bib.bib32] [32] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract). In 24th Annual ACM Symposium on Theory of Computing, pages 723–732. ACM Press, May 1992. doi:10.1145/129712.129782.

[bib.bib33] [33] Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, Advances in Cryptology – CRYPTO’87, volume 293 of Lecture Notes in Computer Science, pages 369–378. Springer, Heidelberg, August 1988. doi:10.1007/3-540-48184-2_32.

[bib.bib34] [34] Ralph Charles Merkle. Secrecy, authentication, and public key systems. Stanford university, 1979.

[bib.bib35] [35] Silvio Micali. Computationally sound proofs. SIAM Journal on Computing, 30(4):1253–1298, 2000. doi:10.1137/S0097539795284959.

[bib.bib36] [36] Moni Naor. On cryptographic assumptions and challenges (invited talk). In Dan Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 96–109. Springer, Heidelberg, August 2003. doi:10.1007/978-3-540-45146-4_6.

[bib.bib37] [37] Shafik Nassar, Brent Waters, and David J Wu. Monotone policy bargs from bargs and additively homomorphic encryption. Cryptology ePrint Archive, 2023.

[bib.bib38] [38] Omer Paneth and Rafael Pass. Incrementally verifiable computation via rate-1 batch arguments. In 63rd Annual Symposium on Foundations of Computer Science, pages 1045–1056. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00102.

[bib.bib39] [39] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014, pages 475–484, 2014. doi:10.1145/2591796.2591825.

[bib.bib40] [40] Paul Valiant. Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In Ran Canetti, editor, TCC 2008: 5th Theory of Cryptography Conference, volume 4948 of Lecture Notes in Computer Science, pages 1–18. Springer, Heidelberg, March 2008. doi:10.1007/978-3-540-78524-8_1.

[bib.bib41] [41] Michael Walfish and Andrew J Blumberg. Verifying computations without reexecuting them. Communications of the ACM, 58(2):74–84, 2015. doi:10.1145/2641562.

[bib.bib42] [42] Brent Waters and David J. Wu. Batch arguments for sfNP and more from standard bilinear group assumptions. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, Part II, volume 13508 of Lecture Notes in Computer Science, pages 433–463. Springer, Heidelberg, August 2022. doi:10.1007/978-3-031-15979-4_15.

Boosting SNARKs and Rate-1 Barrier in Arguments of Knowledge

Abstract

Keywords and phrases:

Category:

Funding:

Copyright and License:

2012 ACM Subject Classification:

Related Version:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

This work.

Theorem 1 (Informal, see Corollary 16).

Theorem 2 (Informal, see Corollary 17).

Corollary 3 (Informal).

Discussion and interpreting our results

2 Technical Overview

Defining succintness in SNARKs

2.1 Shortening CRS in SNARKs via RAM Delegation

2.2 Fully-succinct SNARKs from 𝝀ϵ-mild SNARKs

CRS generation takes too long!

A shorter CRS helps?

Tree-based composition

How to extract the witness in polynomial time?

Boosting via SNARK tree

2.3 Boosting milder SNARKs

2.4 Related Work, Open Questions, and Roadmap

Related Work

Open questions

Roadmap

3 Full Succinctness from Mild SNARKs with Short CRS

𝜹-Mild SNARK with succinct CRS

𝜹-mildness

Succinct CRS

3.1 Fully-Succinct SNARKs from 𝝀ϵ-Mild SNARKs

Special Notation: Composite Hash Tree

Our Fully-Succinct SNARK Construction

Completeness

Efficiency

Lemma 4.

Proof.

Base Case (𝒊=𝟎).

Inductive Step (𝟏≤𝒊≤ℓ).

Lemma 5.

Proof.

Lemma 6.

Proof.

Lemma 7.

Proof.

Soundness

Theorem 8.

Proof.

▶ Remark 9.

▶ Remark 10.

4 Full Succinctness from Milder SNARKs with Fast Extractors

𝜸-Efficient Extractor

4.1 Fullly Succinct SNARK from (𝟏+ϵ)-Mild SNARK with 𝜸-Efficient Extractor

Completeness

Lemma 11.

Proof.

Theorem 12.

Proof.

Corollary 13.

5 Mild SNARKs without Succinct CRS

Our construction

Completeness

Efficiency

Lemma 14.

Proof.

Theorem 15.

Proof.

Corollary 16.

Corollary 17.

References

2.2 Fully-succinct SNARKs from $\lambda^{\epsilon}$ -mild SNARKs

$\delta$ -Mild SNARK with succinct CRS

$\delta$ -mildness

3.1 Fully-Succinct SNARKs from $\lambda^{\epsilon}$ -Mild SNARKs

Base Case $(i=0)$ .

Inductive Step $(1\leq i\leq\ell)$ .

$\blacktriangleright$ Remark 9.

$\blacktriangleright$ Remark 10.

$\gamma$ -Efficient Extractor

4.1 Fullly Succinct SNARK from $(1+\epsilon)$ -Mild SNARK with $\gamma$ -Efficient Extractor