Groth16

Presentation: https://www.youtube.com/watch?v=1upt6GOdYXk

Introduction

Groth16 is a zk-SNARK construction introduced in 2016 by Jens Groth, characterized by its compact proof size of just 3 group elements and exceptionally fast verification speed. It is widely used in frameworks like circom and RISC0.

Background

Quardratic Arithmetic Protocol (QAP)

For a system where the number of instance variables is +1\ell + 1, the number of witness variables is mm - \ell (thus, the total number of variables is m+1m + 1), and the number of constraints is nn, R1CS can be represented as follows:

This R1CS system can be reduced to a Quadratic Arithmetic Program (QAP):

(i=0mai(X)zi)(i=0mbi(X)zi)i=0mci(X)zi=0modt(X)(\sum_{i = 0}^m a_i(X) \cdot z_i ) (\sum_{i = 0}^m b_i(X) \cdot z_i) - \sum_{i = 0}^m c_i(X) \cdot z_i = 0 \mod t(X)

where

  • ai(X)a_i(X): A polynomial such that ai(xj)=Aj,ia_i(x_j) = A_{j, i} where 0im0 \le i \le m and 0j<n0 \le j < n.

  • bi(X)b_i(X): A polynomial such that bi(xj)=Bj,ib_i(x_j) = B_{j, i} where 0im0 \le i \le m and 0j<n0 \le j < n.

  • ci(X)c_i(X): A polynomial such that ci(xj)=Cj,ic_i(x_j) = C_{j, i} where 0im0 \le i \le m and 0j<n0 \le j < n.

  • t(X)t(X): Xn1X^n - 1.

  • ziz_i: A variable, where 0im0 \le i \le m.

Here, degai(X)=degbi(X)=degci(X)=n1\deg a_i(X) = \deg b_i(X) = \deg c_i(X) = n - 1.

Then we can define h(X)h(X) as follows:

h(X)=(i=0mai(X)zi)(i=0mbi(X)zi)i=0mci(X)zit(X)h(X) = \frac{(\sum_{i = 0}^m a_i(X) \cdot z_i) (\sum_{i = 0}^m b_i(X) \cdot z_i) - \sum_{i = 0}^m c_i(X) \cdot z_i}{t(X)}

Where degh(X)=n2\deg h(X) = n - 2.

In BKSV20 and GR22 it is shown that for Groth16 there exists potential malleability on the public input unless certain linear independence requirements are met. An easy way to meet these requirements is to add additional constraints zi0=0z_i​⋅0=0 for all public inputs. This is done implicitly by the Arkworks and SnarkJS implementations. (it's taken from https://xn--2-umb.com/22/groth16/.) See also https://geometry.xyz/notebook/groth16-malleability!

Protocol Explanation

Key Generation

  1. Sample the toxic wastes α,β,γ,δ,x$F\alpha, \beta, \gamma, \delta, x \stackrel{\$}{\leftarrow} \mathbb{F} . They are called toxic wastes which can be used to create fake proofs which will be accepted by the verifier. So they should be discarded right after key generation, or generated through MPC(or Trusted Setup).

  2. Create a verifying key vk\mathsf{vk}.

vk=([α]1,[β]2,[γ]2,[δ]2,{[βai(x)+αbi(x)+ci(x)γ]1}i=0)\mathsf{vk} = \left([\alpha]_1, [\beta]_2, [\gamma]_2, [\delta]_2, \left\{ \left[ \frac{\beta a_i(x) + \alpha b_i(x) + c_i(x)}{\gamma} \right]_1 \right\}_{i = 0}^{\ell} \right)

  1. Create a proving key pk\mathsf{pk}.

pk=vk+([β]1,[δ]1,{[ai(x)]1}i=0m,{[bi(x)]1}i=0m,{[bi(x)]2}i=0m,{[βai(x)+αbi(x)+ci(x)δ]1}i=+1m,{[xit(x)δ]1}i=0n2)\mathsf{pk} = \mathsf{vk} + \left( \begin{align*} & [\beta]_1, [\delta]_1, \{ [a_i(x)]_1\}_{i=0}^{m}, \{ [b_i(x)]_1\}_{i=0}^{m}, \{ [b_i(x)]_2\}_{i=0}^{m}, \\ & \left\{ \left[\frac{\beta a_i(x) + \alpha b_i(x) + c_i(x)}{\delta} \right]_1 \right\}_{i = \ell + 1}^{m}, \left\{ \left[ \frac{x^i t(x)}{\delta} \right]_1 \right\}_{i = 0}^{n - 2} \end{align*} \right)

Computing h(X)

  1. Create a(X),b(X),c(X)a(X), b(X), c(X):

a(X)=j=0n1Lj(X)(i=0mAj,izi)b(X)=j=0n1Lj(X)(i=0mAj,izi)c(X)=j=0n1Lj(X)(i=0mAj,izi)a(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\ b(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\ c(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\

where Lj(X)L_j(X) are lagrange basis polynomials.

  1. Evaluate a(X),b(X),c(X)a(X), b(X), c(X) on a coset domain:

a=(a(g0),,a(gn1))b=(b(g0),,b(gn1))c=(c(g0),,c(gn1))\bm{a} = (a(g^0), \dots, a(g^{n-1})) \\ \bm{b} = (b(g^0), \dots, b(g^{n-1})) \\ \bm{c} = (c(g^0), \dots, c(g^{n-1}))

where gi=(ηω)ig^i = (\eta \omega)^i. The reason why we compute on a coset domain is avoiding division by zero since t(ωj)=0t(\omega^j) = 0.

  1. Evaluate h\bm{h}:

h=(a(g0)b(g0)c(g0)t(η),,a(gn1)b(gn1)c(gn1)t(η))\bm{h} = \left(\frac{a(g^0)b(g^0) - c(g^0)}{t(\eta)}, \dots, \frac{a(g^{n - 1})b(g^{n - 1}) - c(g^{n - 1})}{t(\eta)}\right)

  1. Compute h(X)h(X):

h(X)=i=0n1Li(X)a(gi)b(gi)c(gi)t(η)h(X) = \sum_{i = 0}^{n-1} {L'}_i(X) \frac{a(g^i)b(g^i) - c(g^i)}{t(\eta)}

where Li(X){L'}_i(X) are lagrange basis polynomials on a coset domain.

To compute h(X)h(X), the costs are:

  • 3 IFFT operations of length nn

  • 3 FFT on a coset domain operation of length nn

  • 1 evaluations of length nn

  • IFFT on a coset domain operations of length n2n - 2 (This step can be removed by using Jordi's Trick.)

NOTE: (I)FFT operations on a coset domain implicitly include additional linear operations proportional to the domain size. The (I)FFT operations on a coset domain can be removed by using Jordi's Trick.

Proof Generation

Sample r,s$Fr, s \stackrel{\$}{\leftarrow} \mathbb{F} and generate the proof π=([A]1,[B]2,[C]1)\pi = ([A]_1, [B]_2, [C]_1).

[A]1=[α]1+i=0mzi[ai(x)]1+r[δ]1[B]2=[β]2+i=0mzi[bi(x)]2+s[δ]2[C]1=i=+1mzi[βai(x)+αbi(x)+ci(x)δ]1+i=0n2hi[xit(x)δ]1+s[A]1+r[B]1rs[δ]1[A]_1 = [\alpha]_1 + \sum_{i=0}^m z_i [a_i(x)]_1 + r [\delta]_1 \\ [B]_2 = [\beta]_2 + \sum_{i=0}^m z_i [b_i(x)]_2 + s [\delta]_2 \\ [C]_1 = \sum_{i = \ell + 1}^{m} z_i \left[ \frac{\beta a_i(x) + \alpha b_i(x) + c_i(x)}{\delta} \right]_1 + \sum_{i = 0}^{n - 2} h_i \left[ \frac{x^i t(x)}{\delta} \right]_1 + s[A]_1 + r[B]_1 - rs[\delta]_1

where hih_i are the coefficients of the h(X)h(X).

To generate a proof π\pi, the costs are:

  • For computing [A]1[\mathbb{A}]_1:

    • 1 MSM operation of length m+1m + 1 in G1\mathbb{G}_1

  • For computing [B]2[\mathbb{B}]_2:

    • 1 MSM operation of length m+1m + 1 in G2\mathbb{G}_2

  • For computing [C]1[\mathbb{C}]_1:

    • 1 MSM operation of length mm - \ell in G1\mathbb{G}_1

    • 1 MSM operation of length n1n − 1 in G1\mathbb{G}_1

    • 1 MSM operation of length m+1m + 1 in G1\mathbb{G}_1 (for [B]1[B]_1)

Jordi's Trick

To compute i=0n2hi[xit(x)δ]1\sum_{i = 0}^{n - 2} h_i \left[ \frac{x^i t(x)}{\delta} \right]_1 of the proof efficiently, consider the following setup:

i=0n2hi[xit(x)δ]1=[h(x)t(x)δ]1=[a(x)b(x)c(x)δ]1=i=02n2(a(ωi)b(ωi)c(ωi))[Li(x)δ]1\begin{align*} \sum_{i = 0}^{n - 2} h_i \left[ \frac{x^i t(x)}{\delta} \right]_1 &= \left[ \frac{h(x)t(x)}{\delta} \right]_1 \\ &= \left[ \frac{a(x)b(x) - c(x)}{\delta} \right]_1 \\ &= \sum_{i = 0}^{2n - 2} (a({\omega'}^i)b({\omega'}^i) - c({\omega'}^i)) \left[ \frac{{L'}_i(x)}{\delta} \right]_1 \end{align*}

Where ω\omega' be a 2n2n-th root of unity and ω\omega an nn-th root of unity. These satisfy:

(ωi)2n=(ω2i)n=(ωi)n=1({\omega'}^i)^{2n} = ({\omega'}^{2i})^n = (\omega^i)^n= 1

and Li(X){L'}_i(X) are lagrange basis polynomials.

Properties of a(X)b(X)c(X)a(X)b(X) - c(X)

i=02n2(a(ωi)b(ωi)c(ωi))[Li(x)δ]1\sum_{i = 0}^{2n - 2} (a({\omega'}^i)b({\omega'}^i) - c({\omega'}^i)) \left[ \frac{{L'}_i(x)}{\delta} \right]_1 can be divided into evaluations at even powers and odd powers.

i=02n2(a(ωi)b(ωi)c(ωi))[Li(x)δ]1=i=0n1(a(ω2i)b(ω2i)c(ω2i))[L2i(x)δ]1+i=0n2(a(ω2i+1)b(ω2i+1)c(ω2i+1))[L2i+1(x)δ]1\begin{align*} \sum_{i = 0}^{2n - 2} (a({\omega'}^i)b({\omega'}^i) - c({\omega'}^i)) \left[ \frac{{L'}_i(x)}{\delta} \right]_1 &= \sum_{i = 0}^{n - 1} (a({\omega'}^{2i})b({\omega'}^{2i}) - c({\omega'}^{2i})) \left[ \frac{{L'}_{2i}(x)}{\delta} \right]_1 \\ & + \sum_{i = 0}^{n - 2} (a({\omega'}^{2i + 1})b({\omega'}^{2i + 1}) - c({\omega'}^{2i + 1})) \left[ \frac{{L'}_{2i + 1}(x)}{\delta} \right]_1 \end{align*}

  1. Evaluation at even powers of ω\omega': For 0j<n0 \le j < n, evaluates to zero at even powers of ω\omega':

a(ω2j)b(ω2j)c(ω2j)=a(ωj)b(ωj)c(ωj)=0a({\omega'}^{2j})b({\omega'}^{2j}) - c({\omega'}^{2j}) = a({\omega}^{j})b({\omega}^{j}) - c({\omega}^{j}) = 0

This implies:

i=0n1(a(ω2i)b(ω2i)c(ω2i))[L2i(x)δ]1=0\sum_{i = 0}^{n - 1} (a({\omega'}^{2i})b({\omega'}^{2i}) - c({\omega'}^{2i})) \left[ \frac{{L'}_{2i}(x)}{\delta} \right]_1 = 0

  1. Evaluation at odd powers of ω\omega': For 0j<n0 \le j < n, given p(X)=p0+p1X++pn1Xn1p(X) = p_0 + p_1X + \cdots + p_{n-1}X^{n-1}, we can compute the evaluations at odd powers of ω\omega':

p(ω2j+1)=i=0n1pi(ω2j+1)i=i=0n1piωi(ω2j)i=i=0n1piωi(ωj)i=p(ωj)p({\omega'}^{2j + 1}) = \sum_{i =0}^{n-1} p_i ({\omega'}^{2j + 1})^i = \sum_{i=0}^{n-1} p_i {\omega'}^i ({\omega'}^{2j})^i = \sum_{i=0}^{n-1} p_i {\omega'}^i ({\omega}^{j})^i = p'({\omega}^{j})

Where p(X)=p0+p1ωX++pn1ωn1Xn1p'(X) = p_0 + p_1{\omega'}X + \cdots + p_{n-1}{\omega'}^{n-1}X^{n-1}.

This implies:

i=0n2(a(ω2i+1)b(ω2i+1)c(ω2i+1))[L2i+1(x)δ]1=i=0n2(a(ωi)b(ωi)c(ωi))[L2i+1(x)δ]1\sum_{i = 0}^{n - 2} (a({\omega'}^{2i + 1})b({\omega'}^{2i + 1}) - c({\omega'}^{2i + 1})) \left[ \frac{{L'}_{2i + 1}(x)}{\delta} \right]_1 = \sum_{i = 0}^{n - 2} (a'({\omega}^{i})b'({\omega}^{i}) - c'({\omega}^{i})) \left[ \frac{{L'}_{2i + 1}(x)}{\delta} \right]_1

Thus, the evaluations of a(X)b(X)c(X)a(X)b(X) - c(X) at odd powers of ω\omega' can be efficiently computed by combining FFT results of a(X),b(X),c(X)a'(X), b'(X), c'(X).

Optimizing h(X)h(X) in the Proving Key

To eliminate the IFFT of h(X)h(X), the term {[xit(x)δ]1}i=0n2\left\{ \left[ \frac{x^i t(x)}{\delta} \right]_1 \right\}_{i = 0}^{n - 2} in the proving key (pk) is replaced with {[L2i+1(x)δ]}i=0n2\left\{ \left[ \frac{{L'}_{2i + 1}(x)}{\delta} \right] \right\}_{i = 0}^{n - 2} :

i=0n2hi[xit(x)δ]1i=0n2(a(ωi)b(ωi)c(ωi))[L2i+1(x)δ]1\sum_{i = 0}^{n - 2} h_i \left[ \frac{x^i t(x)}{\delta} \right]_1 \rightarrow \sum_{i = 0}^{n - 2} (a'({\omega}^i)b'({\omega}^i) - c'({\omega}^i)) \left[ \frac{{L'}_{2i + 1}(x)}{\delta} \right]_1

Then computing h(X)h(X) is performed as follows:

  1. Create a(X),b(X),c(X)a(X),b(X),c(X):

a(X)=j=0n1Lj(X)(i=0mAj,izi)b(X)=j=0n1Lj(X)(i=0mAj,izi)c(X)=j=0n1Lj(X)(i=0mAj,izi)a(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\ b(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\ c(X) = \sum_{j = 0}^{n-1} L_j(X) (\sum_{i = 0}^{m} A_{j, i} \cdot z_i) \\

where Lj(X)L_j(X) are lagrange basis polynomials.

  1. Create a(X),b(X),c(X)a'(X),b'(X),c'(X):

a(X)=i=0n1aiωiXib(X)=i=0n1biωiXic(X)=i=0n1ciωiXia'(X) = \sum_{i =0}^{n-1} a_i {\omega'}^i X^i \\ b'(X) = \sum_{i =0}^{n-1} b_i {\omega'}^i X^i \\ c'(X) = \sum_{i =0}^{n-1} c_i {\omega'}^i X^i

where ω\omega' is 2n2n-th root of unity.

  1. Evaluate a(X),b(X),c(X)a'(X), b'(X), c'(X):

a=(a(ω0),,a(ωn1))b=(b(ω0),,b(ωn1))c=(c(ω0),,c(ωn1))\bm{a'} = (a'({\omega}^0), \dots, a'({\omega}^{n-1})) \\\bm{b'} = (b'({\omega}^0), \dots, b'({\omega}^{n-1})) \\\bm{c'} = (c'({\omega}^0), \dots, c'({\omega}^{n-1}))

where ω\omega is nn-th root of unity.

  1. Evaluate h\bm{h}:

h=(a(ω0)b(ω0)c(ω0),,a(ωn1)b(ωn1)c(ωn1))\bm{h} = (a'({\omega}^0)b'({\omega}^0) - c'({\omega}^0), \dots, a'({\omega}^{n - 1})b'({\omega}^{n - 1}) - c'({\omega}^{n - 1}))

To compute h\bm{h}, the costs are:

  • 3 IFFT operations of length nn

  • 3 FFT operation of length nn

  • 1 evaluations of length nn

Proof Verification

The verifier checks the proof using the pairing equation: (Note that the right hand side will be precomputed.)

e([A]1,[B]2)e(i=0zi[βai(x)+αbi(x)+ci(x)γ]1,[γ]2)e([C]1,[δ]2)=?e([α]1,[β]2)e([A]_1, [B]_2) \cdot e(\sum_{i=0}^\ell z_i \left[ \frac{\beta a_i(x) + \alpha b_i(x) + c_i(x)}{\gamma} \right]_1, [-\gamma]_2) \cdot e([C]_1, [-\delta]_2) \stackrel{?}=e([\alpha]_1, [\beta]_2)

Proof. Considering only the exponent part, the equation simplifies as follows:

AB=(α+i=0mziai(x)+rδ)(β+i=0mzibi(x)+sδ)=αβ+i=0mzi(βai(x)+αbi(x))+(i=0mziai(x))(i=0mzibi(x))i=0mzici(x)+h(x)t(x)+sδA+rδBrsδ2=αβ+i=0mzi(βai(x)+αbi(x)+ci(x))+h(x)t(x)+sδA+rδBrsδ2=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+i=l+1mzi(βai(x)+αbi(x)+ci(x))+h(x)t(x)+sδA+rδBrsδ2=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+δ(i=l+1mzi(βai(x)+αbi(x)+ci(x))δ+h(x)t(x)δ+sA+rBrsδ)C\begin{align*} AB &= (\alpha + \sum_{i = 0}^m z_i a_i(x) + r \delta) (\beta + \sum_{i = 0}^m z_i b_i(x) + s \delta) \\ &= \alpha \beta + \sum_{i = 0}^m z_i (\beta a_i(x) + \alpha b_i(x) ) + \underbrace{(\sum_{i = 0}^m z_i a_i(x))(\sum_{i = 0}^m z_i b_i(x))}_{\sum_{i=0}^m z_i c_i(x) + h(x) t(x)} + s \delta A + r \delta B - rs\delta^2 \\ &= \alpha \beta + \sum_{i = 0}^m z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + h(x)t(x) + s \delta A + r \delta B - rs\delta^2 \\ &= \alpha \beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \sum_{i = l + 1}^m z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + h(x) t(x) + s \delta A + r \delta B - rs\delta^2 \\ &= \alpha \beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \delta \underbrace{\left( \frac{\sum_{i = l + 1}^{m} z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x))}{\delta} + \frac{h(x)t(x)}{\delta} + s A + r B - rs\delta \right)}_{C} \end{align*}

To verify a proof, the costs are:

  • 1 MSM operation of length \ell in G1\mathbb{G}_1

  • 3 pairing operations

Batch Proof Verification

Assume there are nn proofs. We denote each proof πi\pi_i for 0i<n0 \leq i < n as follows:

πi=([Ai]1,[Bi]2,[Ci]1)\pi_i = ([A_i]_1, [B_i]_2, [C_i]_1)

Using the random linear combination trick with θi$F\theta_i \stackrel{\$}\leftarrow \mathbb{F}, you can verify proofs in a batch:

i=0n1(e(θi[Ai]1,[Bi]2))e(i=0n1θi(j=0zj[βaj(x)+αbj(x)+cj(x)γ]1),[γ]2)e(i=0n1θi[Ci]1,[δ]2)=?(i=0n1θi)e([α]1,[β]2)\prod_{i=0}^{n-1} \left(e(\theta_i[A_i]_1, [B_i]_2) \right) \cdot e(\sum_{i=0}^{n-1} \theta_i \left(\sum_{j=0}^{\ell}z_j \left[ \frac{\beta a_j(x) + \alpha b_j(x) + c_j(x)}{\gamma} \right]_1\right), [\gamma]_2) \cdot e(\sum_{i=0}^{n-1}\theta_i[C_i]_1, [-\delta]_2) \stackrel{?}= \left(\prod_{i=0}^{n-1}\theta_i\right) e([\alpha]_1, [\beta]_2)

Proof.

From the single verification case, for 0i<n0 \leq i < n, we know that the following equation holds:

AiBi=αβ+j=0lzj(βaj(x)+αbj(x)+cj(x))+δCiA_iB_i = \alpha \beta + \sum_{j = 0}^l z_j (\beta a_j(x) + \alpha b_j(x) + c_j(x)) + \delta C_i

Multiplying both sides by θi\theta_i gives:

θiAiBi=θiαβ+θi(j=0lzj(βaj(x)+αbj(x)+cj(x)))+θiδCi\theta_iA_iB_i = \theta_i \alpha \beta + \theta_i \left(\sum_{j = 0}^l z_j (\beta a_j(x) + \alpha b_j(x) + c_j(x))\right) + \theta_i \delta C_i

Summing over i=0i = 0 to n1n - 1, we obtain:

i=0n1θiAiBi=(i=0n1θi)αβ+i=0n1θi(j=0lzj(βaj(x)+αbj(x)+cj(x)))+i=0n1θiδCi\sum_{i=0}^{n-1}\theta_i A_iB_i = \left(\sum_{i=0}^{n-1}\theta_i\right) \alpha \beta + \sum_{i=0}^{n-1}\theta_i \left(\sum_{j = 0}^l z_j (\beta a_j(x) + \alpha b_j(x) + c_j(x))\right) + \sum_{i=0}^{n-1}\theta_i \delta C_i

These are precisely the exponent parts in the batch verification equation.

To verify nn proofs, the costs are:

  • nn MSM operations of length \ell in G1\mathbb{G}_1

  • 3n+13n + 1 scalar multiplications in G1\mathbb{G}_1

  • n1n - 1 field multiplications

  • n+2n + 2 pairing operations

If each proof were verified individually, the process would require 3n3n expensive pairing operations. However, batch verification significantly reduces this cost.

Malleability

Malleability is a property of cryptographic systems or protocols where an attacker can modify a valid message or ciphertext into another valid message or ciphertext without needing to know the original plaintext. The modified message still appears valid under the cryptographic scheme, which can lead to vulnerabilities and unintended consequences.

Attack 1

An attacker selects y$Fy \stackrel{\$}{\leftarrow} \mathbb{F} and modifies the proof π=([A]1,[B]2,[C]1)\pi' = ([A']_1, [B']_2, [C']_1) as follows:

[A]1=y[A]1[B]2=y1[B]2[C]1=[C]1[A']_1 = y[A]_1 \\ [B']_2 = y^{-1}[B]_2 \\ [C']_1 = [C]_1

Even though the modified proof π\pi' differs from the original, it remains valid because AB=ABA'B' = AB.

Attack 2

An attacker selects y$Fy \stackrel{\$}{\leftarrow} \mathbb{F} and modifies π=([A]1,[B]2,[C]1)\pi' = ([A']_1, [B']_2, [C']_1) as folows:

[A]1=[A]1[B]2=[B]2+yδ[C]1=[C]1+y[A]1[A']_1 = [A]_1 \\ [B']_2 = [B]_2 + y \delta \\ [C']_1 = [C]_1 + y [A]_1

Proof. The validity of the modified proof π\pi' can be shown as:

AB=A(B+yδ)=AB+yδA=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+δC+yδA=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+δ(C+yA)C\begin{align*} A'B' &= A(B + y\delta) \\ &= AB + y\delta A \\ &= \alpha\beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \delta C + y \delta A \\ &= \alpha\beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \delta \underbrace{(C + y A)}_{C'} \end{align*}

Combining Attacks

By combining the two attacks above, a fresh proof for the same statement can be constructed, which is indistinguishable from the existing proofs. (The attacks above contains the same part of the proof.) The modified proof π=([A]1,[B]2,[C]1)\pi' = ([A']_1, [B']_2, [C']_1) is computed as follows (see GM17, BKSV20 and the Tachyon implementation):

[A]1=1r1[A]1[B]2=r1[B]2+r1r2[δ]2[C]1=[C]1+r2[A]1[A']_1 = \frac{1}{r_1}[A]_1 \\ [B']_2 = r_1 [B]_2 + r_1r_2[\delta]_2 \\ [C']_1 = [C]_1 +r_2 [A]_1

Proof. The modified proof π\pi' remains valid:

AB=1r1A(r1B+r1r2δ)=AB+r2δA=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+δC+r2δA=αβ+i=0lzi(βai(x)+αbi(x)+ci(x))+δ(C+r2A)C\begin{align*} A'B' &= \frac{1}{r_1}A(r_1B + r_1r_2\delta) \\ &= AB + r_2 \delta A \\ &= \alpha\beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \delta C + r_2 \delta A \\ &= \alpha\beta + \sum_{i = 0}^l z_i (\beta a_i(x) + \alpha b_i(x) + c_i(x)) + \delta \underbrace{(C + r_2 A)}_{C'} \end{align*}

Conclusion

Groth16 is a highly efficient zk-SNARK protocol that combines succinctness, fast verification, and strong zero-knowledge guarantees. Its compact proof size of just 3 group elements and (almost) constant-time verification make it a preferred choice for various privacy-preserving applications or proof compressions(STARK to SNARK).

References

Written by ryan Kim from A41

PreviousSNARKNextHyperPlonk

Last updated