
SnarkPack: Practical SNARK Aggregation

  • Conference paper
Financial Cryptography and Data Security (FC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13411)


Abstract

Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short and efficiently verifiable proofs that do not reveal anything more than the correctness of the statement. zk-SNARKs are widely used in decentralised systems to address privacy and scalability concerns.

A major drawback of such proof systems in practice is the requirement to run a trusted setup for the public parameters. Moreover, these parameters set an upper bound to the size of the computations or statements to be proven, which results in new scalability problems.

We design and implement SnarkPack, a new argument that further reduces the size of SNARK proofs by means of aggregation. Our goal is to provide an off-the-shelf solution that is practical in the following sense: (1) it is compatible with existing deployed SNARK systems, (2) it does not require any extra trusted setup.

SnarkPack is designed to work with the Groth16 scheme and has logarithmic size proofs and a verifier that runs in logarithmic time in the number of proofs to be aggregated. Most importantly, SnarkPack reuses the public parameters from the Groth16 system.

SnarkPack can aggregate 8192 proofs in 8.7 s and verify them in 163 ms, yielding a verification mechanism that is exponentially faster than other solutions. SnarkPack can be used in blockchain applications that rely on many SNARK proofs such as Proof-of-Space or roll-up solutions.


Notes

  1. Aztec, https://zk.money; zksync, https://zksync.io; https://ethereum.org.

  2. Filecoin, https://filecoin.io.

References

  1. Abdolmaleki, B., Baghery, K., Lipmaa, H., Siim, J., Zajac, M.: UC-secure CRS generation for SNARKs. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 99–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_6

  2. Ben-Sasson, E., et al.: Decentralized anonymous payments from Bitcoin. Cryptology ePrint Archive, Report 2014/349 (2014). https://eprint.iacr.org/2014/349

  3. Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs, pp. 287–304 (2015)


  4. Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 947–964 (2020)


  5. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18


  6. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture, pp. 781–796 (2014)


  7. Bowe, S., Gabizon, A., Miers, I.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050 (2017). https://eprint.iacr.org/2017/1050

  8. Bünz, B., Maller, M., Mishra, P., Tyagi, N., Vesely, P.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2019). https://eprint.iacr.org/2019/1177

  9. Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_30


  10. Daza, V., Ràfols, C., Zacharakis, A.: Updateable inner product argument with logarithmic verifier and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 527–557. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_18


  11. Filecoin. Filecoin powers of tau ceremony attestations (2020). https://github.com/arielgabizon/perpetualpowersoftau

  12. Fisch, B.: Tight proofs of space and replication (2019). https://web.stanford.edu/~bfisch/tight_pos.pdf

  13. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37


  14. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11


  15. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11


  16. Protocol Labs. Filecoin (2018). https://filecoin.io/filecoin.pdf

  17. Lai, R.W.F., Malavolta, G., Ronge, V.: Succinct arguments for bilinear group arithmetic: practical structure-preserving cryptography, pp. 2057–2074 (2019)


  18. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation, pp. 238–252 (2013)


  19. Zcash. Zcash Powers of Taus ceremony attestation (2018). https://github.com/ZcashFoundation/powersoftau-attestations


Acknowledgements

We would like to thank Benedikt Bunz, Pratyush Mishra, and Psi Vesely for valuable discussions on this work, as well as Ben Fisch and Nicola Greco for the initial intuition of using inner pairing product proofs for aggregating Filecoin SNARK-based proofs. We are also grateful to dignifiedquire for his contributions to the Rust codebase.

Author information


Correspondence to Nicolas Gailly, Mary Maller or Anca Nitulescu.


Appendices

A Cryptographic Primitives

A.1 SNARKs

Let \(\mathcal {R}\) be an efficiently computable binary relation which consists of pairs of the form (u, w). A Proof or Argument System for \(\mathcal {R}\) consists of a triple of \(\textsf{PPT}\) algorithms \(\varPi = (\textsf{Setup}, \textsf{Prove}, \textsf{Verify})\) defined as follows:

  • \(\textsf{Setup}(1^\lambda , \mathcal {R}) \rightarrow \textsf{crs}\): takes a security parameter \(\lambda \) and a binary relation \(\mathcal {R}\) and outputs a common (structured) reference string \(\textsf{crs}\).

  • \(\textsf{Prove}(\textsf{crs}, u, w) \rightarrow \pi \): on input \(\textsf{crs}\), a statement u and the witness w, outputs an argument \(\pi \).

  • \(\textsf{Verify}(\textsf{crs}, u, \pi ) \rightarrow 1/0\): on input \(\textsf{crs}\), a statement u, and a proof \(\pi \), it outputs either 1 indicating accepting the argument or 0 for rejecting it.

We call \(\varPi \) a Succinct Non-interactive ARgument of Knowledge (SNARK) if further it is complete, succinct and satisfies Knowledge Soundness (also called Proof of Knowledge).

Non-black-box Extraction. The notion of Knowledge Soundness requires the existence of an extractor that can compute a witness whenever the prover \(\mathcal {A}\) produces a valid argument. The extractor we define below is non-black-box and gets full access to the prover’s state, including any random coins. More formally, a SNARK satisfies the following definition:

Definition 1 (SNARK)

\(\varPi =(\textsf{Setup}, \textsf{Prove}, \textsf{Verify})\) is a SNARK for an NP language \(L_{\mathcal {R}}\) with corresponding relation \(\mathcal {R}\), if the following properties are satisfied.

  • Completeness. For all \((u, w) \in \mathcal {R}\), the following holds:

    $$ \Pr \left( \textsf{Verify}(\textsf{crs}, u, \pi ) = 1 \;\middle|\; \begin{array}{c} \textsf{crs}\leftarrow \textsf{Setup}(1^\lambda , \mathcal {R})\\ \pi \leftarrow \textsf{Prove}(\textsf{crs}, u, w) \end{array} \right) = 1 $$

  • Knowledge Soundness. For any \(\textsf{PPT}\) adversary \(\mathcal {A}\), there exists a \(\textsf{PPT}\) extractor \(\textsf{Ext}_\mathcal {A}\) such that the following probability is negligible in \(\lambda \):

    $$ \Pr \left( \begin{array}{l} \textsf{Verify}(\textsf{crs},u, \pi ) = 1 \\ \wedge \, \mathcal {R}(u, w) = 0 \end{array} \;\middle|\; \begin{array}{c} \textsf{crs}\leftarrow \textsf{Setup}(1^\lambda , \mathcal {R})\\ ((u, \pi ); w) \leftarrow \mathcal {A}\Vert \chi _{\mathcal {A}}(\textsf{crs}) \end{array} \right) =\textsf{negl}\left( \lambda \right) . $$

  • Succinctness. For any u and w, the length of the proof \(\pi \) is given by \(\vert \pi \vert = \textsf{poly}(\lambda ) \cdot \textsf{polylog} (\vert u \vert + \vert w \vert )\).

Zero-Knowledge. A SNARK is zero-knowledge if it does not leak any information besides the truth of the statement. More formally:

Definition 2 (zk-SNARK)

A SNARK for a relation \(\mathcal {R}\) is a zk-SNARK if there exists a \(\textsf{PPT}\) simulator \((\mathcal {S}_1, \mathcal {S}_2)\) such that \(\mathcal {S}_1\) outputs a simulated common reference string \(\textsf{crs}\) and trapdoor \(\textsf{td}\); \(\mathcal {S}_2\) takes as input \(\textsf{crs}\), a statement u and \(\textsf{td}\), and outputs a simulated proof \(\pi \); and, for all \(\textsf{PPT}\) (stateful) adversaries \((\mathcal {A}_1,\mathcal {A}_2)\), for a state \(\textsf{st}\), the following is negligible in \(\lambda \):

$$\begin{aligned}{} & {} \left| \Pr \left( \begin{array}{l} (u, w) \in \mathcal {R}\, \wedge \\ \mathcal {A}_2 (\pi ,\textsf{st}) = 1 \end{array} \left| \begin{array}{l} \textsf{crs}\leftarrow \textsf{Setup}(1^\lambda )\\ (u, w, \textsf{st}) \leftarrow \mathcal {A}_1 ( 1^\lambda ,\textsf{crs}) \\ \pi \leftarrow \textsf{Prove}(\textsf{crs}, u, w) \end{array}\right. \right) \right. - \\{} & {} \qquad \qquad \qquad \qquad \left. \Pr \left( \begin{array}{l} (u, w) \in \mathcal {R}\, \wedge \\ \mathcal {A}_2 (\pi ,\textsf{st}) = 1 \end{array} \left| \begin{array}{l} (\textsf{crs}, \textsf{td}) \leftarrow \mathcal {S}_1(1^\lambda ) \\ (u, w,\textsf{st}) \leftarrow \mathcal {A}_1 ( 1^\lambda , \textsf{crs}) \\ \pi \leftarrow \mathcal {S}_2(\textsf{crs}, \textsf{td}, u) \end{array}\right. \right) \right| = \textsf{negl}\!\!\left( \lambda \right) . \end{aligned}$$

A.2 Commitment Schemes

A non-interactive commitment scheme allows a sender to create a commitment to a secret value. It may later open the commitment and reveal the value or some information about the value in a verifiable manner. More formally:

Definition 3 (Non-interactive Commitment)

A non-interactive commitment scheme is a pair of algorithms \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\):

  • \({\textsf{KG}}(1^\lambda ) \rightarrow \textsf{ck}\): given a security parameter \(\lambda \), it generates a commitment public key \(\textsf{ck}\). This \(\textsf{ck}\) implicitly specifies a message space \(M_\textsf{ck}\), a commitment space \(C_\textsf{ck}\) and (optionally) a randomness space \(R_\textsf{ck}\). This algorithm is run by a trusted or distributed authority.

  • \(\textsf{CM}(\textsf{ck}; m) \rightarrow C\): given \(\textsf{ck}\) and a message m, outputs a commitment C. This algorithm specifies a function \(\textsf{Com}_\textsf{ck}: M_\textsf{ck}\times R_\textsf{ck}\rightarrow C_\textsf{ck}\). Given a message \(m \in M_\textsf{ck}\), the sender (optionally) picks a randomness \(\rho \in R_\textsf{ck}\) and computes the commitment \(C= \textsf{Com}_\textsf{ck}(m,\rho )\).

For deterministic commitments we simply use the notation \(C= \textsf{CM}(\textsf{ck}; m){:}{=}\textsf{Com}_\textsf{ck}(m)\), while for randomised ones we write .

A commitment scheme is asked to satisfy one or more of the following properties:

Binding Definition. It is computationally hard, for any \(\textsf{PPT}\) adversary \(\mathcal {A}\), to come up with two different openings \(m \ne m^* \in M_\textsf{ck}\) for the same commitment C. More formally:

Definition 4 (Computationally Binding Commitment)

A commitment scheme \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\) is computationally binding if for any \(\textsf{PPT}\) adversary \(\mathcal {A}\), the following probability is negligible:

figure q

Hiding Definition. A commitment can be hiding in the sense that it does not reveal the secret value that was committed.

Definition 5 (Statistically Hiding Commitment)

A commitment scheme \(\textsf{Com}= ({\textsf{KG}}, \textsf{CM})\) is statistically hiding if it is statistically hard, for any \(\textsf{PPT}\) adversary \(\mathcal {A}=(\mathcal {A}_0, \mathcal {A}_1)\), to first generate two messages \(\mathcal {A}_0(\textsf{ck}) \rightarrow m_0, m_1 \in M_\textsf{ck}\) such that \(\mathcal {A}_1\) can distinguish between their corresponding commitments \(C_0\) and \(C_1\) where and .

figure t

A.3 Polynomial Commitments

Polynomial commitments (PCs), first introduced by [KZG10], are commitments for the message space \(\mathbb {F}^{\le d}[X]\), the ring of polynomials in X with maximum degree \(d \in \mathbb {N}\) and coefficients in the field \(\mathbb {F}=\mathbb {Z}_p\), that support an interactive argument of knowledge \(({\textsf{KG}}, \textsf{Open}, \textsf{Check})\) for proving the correct evaluation of a committed polynomial at a given point without revealing any other information about the committed polynomial.

A polynomial commitment scheme over a field family \(\mathcal {F}\) consists of four algorithms \(\textsf{PC}= ({\textsf{KG}},\textsf{CM},\textsf{Open},\textsf{Check})\) defined as follows:

  • \({\textsf{KG}}(1^\lambda , d) \rightarrow (\textsf{ck}, \textsf{vk})\): given a security parameter \(\lambda \) fixing a field family \(\mathcal {F}_\lambda \) and a maximal degree d, samples a group description \(\textsf{gk}\) containing a description of a field \(\mathbb {F}\in \mathcal {F}_{\lambda }\), and commitment and verification keys \((\textsf{ck}, \textsf{vk})\). We implicitly assume \(\textsf{ck}\) and \(\textsf{vk}\) each contain \(\textsf{gk}\).

  • \(\textsf{CM}(\textsf{ck}; f(X)) \rightarrow C\): given \(\textsf{ck}\) and a polynomial \(f(X) \in \mathbb {F}^{\le d}[X]\) outputs a commitment C.

  • \(\textsf{Open}(\textsf{ck}; C, x, y; f(X)) \rightarrow \pi \): given a commitment C, an evaluation point x, a value y and the polynomial \(f(X) \in \mathbb {F}[X]\), it outputs a proof \(\pi \) for the relation:

    $$ \mathcal {R}_{\textsf{kzg}} {:}{=}\left\{ \begin{matrix} (\textsf{ck}, C, x, y; f(X)) \end{matrix} \, : \, \begin{array}{r} C=\textsf{CM}\left( \textsf{ck}; f(X)\right) \\ ~\wedge ~\deg (f(X))\le d\\ ~\wedge ~ y=f(x) \end{array} \right\} $$
  • \(\textsf{Check}(\textsf{vk}, C, x, y, \pi ) \rightarrow 1/0\): Outputs 1 if the proof \(\pi \) verifies and 0 if \(\pi \) is not a valid proof for the opening (C, x, y).

A polynomial commitment satisfies an extractable version of binding stated as follows:

Definition 6 (Computational Knowledge Binding)

For every \(\textsf{PPT}\) adversary \(\mathcal {A}\) that produces a valid proof \(\pi \) for statement (C, x, y), i.e. such that \(\textsf{Check}(\textsf{vk}, C, x, y, \pi )=1\), there is an extractor \(\textsf{Ext}_\mathcal {A}\) that is able to output a pre-image polynomial f(X) with overwhelming probability:

figure u

A.4 KZG Polynomial Commitment

We describe the KZG Polynomial Commitment from [KZG10], which allows checking the correctness of evaluation openings.

We recall the scheme \(\textsf{KZG}.\textsf{PC}= (\textsf{KZG}.{\textsf{KG}},\textsf{KZG}.\textsf{CM},\textsf{KZG}.\textsf{Open},\textsf{KZG}.\textsf{Check})\) defined over bilinear groups \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T )\) with \(\mathbb {G}_1 =\langle g\rangle , \mathbb {G}_2 =\langle h \rangle \):

  • \(\textsf{KZG}.{\textsf{KG}}(1^\lambda , n) \rightarrow (\textsf{ck}_g, \textsf{vk}_h)\): Set keys \(\textsf{ck}_g = \{g^{\alpha ^i}\}_{i=0}^{n-1}, \textsf{vk}_h = h^\alpha \).

  • \(\textsf{KZG}.\textsf{CM}(\textsf{ck}_g; f(X)) \rightarrow C_f\): For \(f(X) = \sum _{i=0}^{n-1} f_i X^i\), computes \(C_f=\prod _{i=0}^{n-1} g^{f_i \alpha ^i} = g^{f(\alpha )} \).

  • \(\textsf{KZG}.\textsf{Open}(\textsf{ck}_g; C_f, x, y; f(X)) \rightarrow \pi \): For an evaluation point x, a value y, compute the quotient polynomial

    $$q(X) = \displaystyle \frac{f(X) -y }{X-x}$$

    and output the proof \(\pi {:}{=}C_q = \textsf{KZG}.\textsf{CM}(\textsf{ck}_g; q(X)) \).

  • \(\textsf{KZG}.\textsf{Check}(\textsf{vk}_h = h^\alpha , C_f, x, y, \pi ) \rightarrow 1/0\): Check if

    $$e(C_f \cdot g^{-y}, h)=e(C_q, \textsf{vk}_h \cdot h^{-x} ).$$

The \(\textsf{KZG}.\textsf{PC}\) scheme works similarly for a pair of keys of the form \(\textsf{ck}_h = \{h^{\alpha ^i}\}_{i=0}^{n-1}, \textsf{vk}_g = g^\alpha \), by just swapping the values in the final pairing equation check to match the correct basis.

B Assumptions in GGM

B.1 ASSGP Assumption in GGM

Assumption 6 (ASSGP)

The (q, m)-Auxiliary Structured Single Group Pairing assumption holds for the bilinear group generator \(\mathcal {G}\) if for all \(\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following

figure x

We can similarly define the dual assumption, by swapping \(\mathbb {G}_1\) and \(\mathbb {G}_2\) in the definition above.

Lemma 3

The (q, m)-ASSGP assumption holds in the generic group model.

Proof

Suppose \(\mathcal {A}\) is an adversary that on input \((\textsf{gk},\sigma , \textsf{aux})\), outputs \((A_0,\dots ,A_{q-1} ) \in \mathbb {G}_1^q\) such that \(\prod _{i=0}^{q-1} e(A_i,h^{a^i})=1_{\mathbb {G}_T} \) and \(\prod _{i=0}^{q-1} e(A_i,h^{b^i})=1_{\mathbb {G}_T} \). Then its GGM extractor outputs \(\alpha _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) for \(0 \le i <q\), and we have:

$$\begin{aligned}&\alpha _0(X, Y) + X \alpha _1(X, Y) + X^2 \alpha _2(X, Y) + \dots + X^{q-1} \alpha _{q-1}(X, Y) = 0 \end{aligned}$$
(1)
$$\begin{aligned}&\alpha _0(X, Y) + Y \alpha _1(X, Y) + Y^2 \alpha _2(X, Y) + \dots + Y^{q-1} \alpha _{q-1}(X, Y) = 0 \end{aligned}$$
(2)

Then we have:

$$\begin{aligned} \alpha _0(X, Y)&= - X \alpha _1(X, Y) - X^2 \alpha _2(X, Y) - \dots - X^{q-1} \alpha _{q-1}(X, Y) \end{aligned}$$
(3)
$$\begin{aligned} \alpha _0(X, Y)&= -Y \alpha _1(X, Y) - Y^2 \alpha _2(X, Y) - \dots - Y^{q-1} \alpha _{q-1}(X, Y) \end{aligned}$$
(4)

Subtracting (3) from (4), we get

$$\begin{aligned} 0 =&(X-Y)\alpha _1(X, Y) +\dots +( X^{q-1}-Y^{q-1}) \alpha _{q-1}(X, Y) \end{aligned}$$
(5)
$$\begin{aligned} -(X-Y) \alpha _1(X, Y)=&( X^2-Y^2) \alpha _2(X, Y) +\dots +( X^{q-1}-Y^{q-1}) \alpha _{q-1}(X, Y) \end{aligned}$$
(6)

Now we can divide by \((X-Y)\) and obtain:

$$\begin{aligned} - \alpha _1(X, Y)=&(X+Y) \alpha _2(X, Y) +( X^2 +XY+ Y^2)\alpha _3(X, Y) + \dots + \nonumber \\&+(X^{q-2}+ YX^{q-3}+ \dots + Y^{q-3}X+ Y^{q-2})\alpha _{q-1}(X, Y) \end{aligned}$$
(7)

Substitute the expression of \(-\alpha _1(X, Y)\) in Eq. (3) and note that all \(X^i \alpha _i(X, Y)\) terms vanish:

$$\begin{aligned} \alpha _0(X, Y) = XY [\alpha _2(X, Y) +(X+ Y)\alpha _3(X, Y) + \dots +(X^{q-3}+\dots + Y^{q-3})\alpha _{q-1}(X, Y)] \end{aligned}$$
(8)

This implies that either \(\alpha _0(X, Y)\) is a multiple of XY or \(\alpha _0(X, Y)=0\).

By the GGM assumption, we have that \(\alpha _0(X, Y)=0\).

We continue by replacing \(\alpha _0(X, Y)=0\) in Eq. (8):

$$\begin{aligned}{} & {} 0 = \alpha _2(X, Y) + \dots +(X^{q-3}+ X^{q-4}Y +\dots + Y^{q-3})\alpha _{q-1}(X, Y) \nonumber \\{} & {} - \alpha _2(X, Y) = (X+ Y)\alpha _3(X, Y) + \dots +(X^{q-3}+ \dots + Y^{q-3})\alpha _{q-1}(X, Y) \end{aligned}$$
(9)

Substitute the expression of \(-\alpha _2(X, Y)\) in Eq. (4) and note that all \(Y^i \alpha _i(X, Y)\) terms vanish:

$$\begin{aligned} 0 = - Y \alpha _1(X, Y) - Y^2 [(X+ Y)\alpha _3(X, Y) + \dots +(X^{q-3}+ X^{q-4}Y +\nonumber \\ \dots + Y^{q-3})\alpha _{q-1}(X, Y)] -Y^3 \alpha _3(X, Y) -\dots - Y^{q-1} \alpha _{q-1}(X, Y) \end{aligned}$$
(10)
$$\begin{aligned} Y \alpha _1(X, Y)&= Y^2X \alpha _3(X, Y) \dots +(X^{q-3}Y^2 \dots + XY^{q-2})\alpha _{q-1}(X, Y) \nonumber \\ Y \alpha _1(X, Y)&= Y^2X [\alpha _3(X, Y) \dots +(X^{q-4} \dots + Y^{q-4})\alpha _{q-1}(X, Y)] \end{aligned}$$
(11)

This implies that either \(\alpha _1(X, Y)\) is a multiple of XY or \(\alpha _1(X, Y)=0\).

By the GGM assumption, we have that \(\alpha _1(X, Y)=0\).

We continue by replacing \(\alpha _1(X, Y)=0\) in Eq. (11):

$$\begin{aligned} 0\,=&\, \alpha _3(X, Y) + \dots (X^{q-4}+ X^{q-5}Y \dots + Y^{q-4})\alpha _{q-1}(X, Y) \nonumber \\ - \alpha _3(X, Y)&= (X^2 +XY+ Y^2)\alpha _4(X, Y)+ \dots \end{aligned}$$
(12)

And so on, until we show that \(\alpha _i(X, Y)=0 \ ~\forall i=0 \dots q-1\). We conclude that the adversarially produced vector \( (A_0,\dots ,A_{q-1} )=\textbf{1}_{\mathbb {G}_1} \).

B.2 ASDGP Assumption in GGM

Assumption 7 (ASDGP)

The (q, m)-ASDGP assumption holds for the bilinear group generator \(\mathcal {G}\) if for all \(\textsf{PPT}\) adversaries \(\mathcal {A}\) we have, on the probability space \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T ) \leftarrow \mathcal {G}(1^\lambda )\), and the following probability is negligible in \(\lambda \):

figure aa

Lemma 4

The (q, m)-ASDGP assumption holds in the generic group model.

Proof

Suppose \(\mathcal {A}\) is an adversary that on input \((\textsf{gk},\sigma , \textsf{aux})\), outputs \(\textbf{A}= (A_0, \dots ,A_{q-1} )\) and \(\textbf{B}= (B_0,\dots ,B_{q-1} ) \) such that:

$$\prod _{i=0}^{q-1} e(A_i,h^{a^i}) \prod _{i=q}^{2q-1} e(g^{a^i}, B_i) =1_{\mathbb {G}_T} \text { and }\prod _{i=0}^{q-1} e(A_i,h^{b^i}) \prod _{i=q}^{2q-1} e(g^{b^i}, B_i) =1_{\mathbb {G}_T}.$$

Then its GGM extractor outputs \(\alpha _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) and \(\beta _i(X, Y) =\sum _{j=0}^{m} (x_j X^j+ y_{j} Y^j + c_j)\) for \(0 \le i <q\) such that:

$$\begin{aligned}{} & {} \alpha _0(X, Y) + X \alpha _1(X, Y) + \dots + X^{q-1} \alpha _{q-1}(X, Y)+\nonumber \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad + X^q\beta _0(X,Y) + \dots + X^{2q-1}\beta _{q-1}(X,Y) = 0 \end{aligned}$$
(13)
$$\begin{aligned} \alpha _0(X, Y) + Y \alpha _1(X, Y)+ \dots + Y^{q-1} \alpha _{q-1}(X, Y) + \nonumber \\ + Y^q\beta _0(X,Y) + \dots + Y^{2q-1}\beta _{q-1}(X,Y) = 0 \end{aligned}$$
(14)

Subtracting (14) from (13), we get

$$\begin{aligned} 0 = (X-Y)\alpha _1(X, Y) +\dots +( X^{q-1}-Y^{q-1}) \alpha _{q-1}(X, Y) +( X^{q}-Y^{q})\beta _q(X,Y) + \dots \end{aligned}$$
(15)

Now we can factor \((X-Y)\) and then divide by it and obtain:

$$\begin{aligned} - \alpha _1(X, Y)=&(X+Y) \alpha _2(X, Y) +( X^2 +XY+ Y^2)\alpha _3(X, Y) + \dots + \nonumber \\&+(X^{2q-2}+ YX^{2q-3}+ \dots + Y^{2q-3}X+ Y^{2q-2})\beta _{2q-1}(X, Y) \end{aligned}$$
(16)

Substitute \(-\alpha _1(X, Y)\) in Eq. (13) and note that all \(X^i \alpha _i(X, Y), X^{q+i}\beta _{q+i}(X, Y)\) terms vanish:

$$\begin{aligned} \alpha _0(X, Y)&= X \left[ \sum _{i=2}^{q-1} \left( \sum _{j=0}^{i-1} X^{i-j-1}Y^{j}\right) \alpha _i(X, Y) + \sum _{i=q}^{2q-1}\left( \sum _{j=0}^{i-1} X^{i-j-1}Y^{j}\right) \beta _i(X, Y) \right] - \nonumber \\&- \sum _{i=2}^{q-1} X^i \alpha _i(X,Y) - \sum _{i=q}^{2q-1} X^i \beta _i(X, Y) \nonumber \\ \alpha _0(X, Y)&= X \left[ \sum _{i=2}^{q-1} \left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j}\right) \alpha _i(X, Y) + \sum _{i=q}^{2q-1}\left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j}\right) \beta _i(X, Y) \right] \nonumber \\ \alpha _0(X, Y)&= XY \left[ \sum _{i=2}^{q-1} \left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j-1}\right) \alpha _i(X, Y) + \sum _{i=q}^{2q-1}\left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j-1}\right) \beta _i(X, Y) \right] \end{aligned}$$
(17)

This implies that either \(\alpha _0(X, Y)\) is a multiple of XY or \(\alpha _0(X, Y)=0\).

By the GGM assumption, we have that \(\alpha _0(X, Y)=0\).

We continue by replacing \(\alpha _0(X, Y)=0\) in Eq. (17):

$$\begin{aligned} -\alpha _2(X, Y) = \sum _{i=3}^{q-1} \left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j-1}\right) \alpha _i(X, Y) + \sum _{i=q}^{2q-1}\left( \sum _{j=1}^{i-1} X^{i-j-1}Y^{j-1}\right) \beta _i(X, Y) \end{aligned}$$
(18)

Substitute the expression of \(-\alpha _2(X, Y)\) in Eq. (13) or (14) and note that all terms \(X^i \alpha _i(X, Y), X^i \beta _i(X, Y)\) (respectively \(Y^i \alpha _i(X, Y), Y^i \beta _i(X, Y)\)) vanish.

And so on, until we show that \(\alpha _i(X, Y)=0 \ ~\forall i=0 \dots q-1\) and \(\beta _i(X, Y)=0 ~\forall i=q \dots 2q-1 \).

We conclude that the adversarially produced vectors \( (A_0,\dots ,A_{q-1} )=\textbf{1}_{\mathbb {G}_1},(B_0,\dots ,B_{q-1} )=\textbf{1}_{\mathbb {G}_2} \).

C Groth16 Scheme

Let C be an arithmetic circuit over \(\mathbb {Z}_p\), with m wires and d multiplication gates. The Groth16 scheme proves circuit satisfiability, using a Quadratic Arithmetic Program (QAP) characterisation. Briefly, a QAP, as introduced by [GGPR13], translates a circuit into an equivalent arithmetic relation that holds only if the circuit has a solution.

Fig. 1. Groth16 Construction from QAP.

Let \(Q = \left( t(x), \{v_k(x), w_k(x), y_k(x)\}_{k=0}^m \right) \) be a Quadratic Arithmetic Program (QAP) which computes C. We denote by \(I_{io} = \{1, 2, \dots t \}\) the indices corresponding to the public input and public output values of the circuit wires and by \(I_{mid}=\{t +1, \dots m\}\), the wire indices corresponding to the private input and non-input, non-output intermediate values (for the witness).

We describe the scheme Groth \(=(\textsf{Setup}, \textsf{Prove}, \textsf{Verify}) \) from [Gro16], which consists of three algorithms as per Fig. 1.

D Building Blocks for Aggregation

SRS. We need elements from two independent compatible Groth16 SRS:

  • Common bilinear group description for both SRS: \(\textsf{gk}=(p,\mathbb {G}_1,\mathbb {G}_2, \mathbb {G}_T)\)

  • Common group generators for both SRS: \(g \in \mathbb {G}_1, h \in \mathbb {G}_2\)

  • First SRS with random evaluation point \(a \in \mathbb {Z}_p\) for:

    $$\textbf{v}_1 = (h,h^a,\dots ,h^{a^{n-1}}) \text { and } \textbf{w}_1 = (g^{a^n}, \dots , g^{a^{2n-1}})$$
  • Second SRS with random evaluation point \(b \in \mathbb {Z}_p\) for:

    $$ \textbf{v}_2 = (h,h^b,\dots ,h^{b^{n-1}}) \text { and }\textbf{w}_2 = (g^{b^n},\dots ,g^{b^{2n-1}})$$

Pair Group Commitments. To instantiate our aggregated scheme, we use two new pairing commitment schemes. These schemes need to satisfy special properties (as discussed in Sect. 3) and they require structured commitment keys \(\textsf{ck}_s, \textsf{ck}_d\) of the form \( \textsf{ck}_s= (\textbf{v}_1, \textbf{v}_2), \textsf{ck}_d=(\textbf{v}_1, \textbf{w}_1, \textbf{v}_2, \textbf{w}_2)\). We then commit to vectors \(\textbf{A}\in \mathbb {G}_1^n, \textbf{B}\in \mathbb {G}_2^n\) as follows:

  1. Single group version \( \textsf{CM}_s(\textbf{A}) {:}{=}\textsf{CM}_s(\textsf{ck}_s;\textbf{A}) = (T_A, U_A)\) where

    $$\begin{aligned} T_A&= \textbf{A}* \textbf{v}_1 = e(A_0,h)\, e(A_1,h^a) \cdots e(A_{n-1},h^{a^{n-1}})\\ U_A&= \textbf{A}* \textbf{v}_2 = e(A_0,h)\, e(A_1,h^b) \cdots e(A_{n-1},h^{b^{n-1}}) \end{aligned}$$

  2. Double group version \(\textsf{CM}_d(\textbf{A}, \textbf{B}) {:}{=}\textsf{CM}_d(\textsf{ck}_d; \textbf{A}, \textbf{B}) = (T_{AB},U_{AB})\) where

    $$ T_{AB} = (\textbf{A} * \textbf{v}_1)(\textbf{w}_1 * \textbf{B}), \quad U_{AB} = (\textbf{A} * \textbf{v}_2)(\textbf{w}_2 * \textbf{B}) $$

IPP Protocols. One of the key building blocks for our aggregation protocol are generalized inner product arguments, called GIPA or IPP protocols. These protocols, as designed in [BMM+19], enable proving the correctness of a large class of inner products between vectors of group and/or field elements committed using (possibly distinct) doubly-homomorphic commitment schemes.

For our aggregation protocol, we need to instantiate two specialised cases of IPP – multi-exponentiation inner product (MIPP) and a target inner pairing product (TIPP) – using our new commitment schemes under a structured reference string, and thus, we obtain logarithmic verifier time.

D.1 Relation for \(\mathsf {MT\text {-}IPP}\)

Here we define the relation proven using the merged \(\mathsf {MT\text {-}IPP}\) argument. This is a conjunction of the two relations MIPP and TIPP:

  • MIPP Relation. The multiexponentiation product relation:

    $$\begin{aligned}{} & {} \mathcal {R}_{\textsf{mipp}} {:}{=}\{ ((T_C, U_C), Z_C, r; \textbf{C}, \textbf{r}): Z_C= \textbf{C}*{\textbf{r}} ~\wedge \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad ~(T_C, U_C)= \textsf{CM}_s(\textsf{ck}_s; \textbf{C}) \wedge \textbf{r}=(r^{i})_{i=0}^{n-1} \}. \end{aligned}$$
  • TIPP Relation. The target inner pairing relation:

    $$\begin{aligned}{} & {} \mathcal {R}_{\textsf{tipp}} {:}{=}\{ ((T_{AB}, U_{AB}), Z_{AB}, r; \textbf{A}, \textbf{B}): Z_{AB} = \textbf{A}* \textbf{B}^{\textbf{r}} ~\wedge \\{} & {} \qquad \qquad \qquad \qquad \qquad \qquad (T_{AB},U_{AB}) = \textsf{CM}_d(\textsf{ck}_d; \textbf{A}, \textbf{B})~\wedge ~\textbf{r}=(r^{i})_{i=0}^{n-1} \}, \end{aligned}$$

    where \((T_{AB}, U_{AB}) \in \mathbb {G}_T^2, ~ Z_{AB} = \textbf{A}* \textbf{B}^{\textbf{r}} \in \mathbb {G}_T,~\textbf{A}\in \mathbb {G}_1^n,~\textbf{B} \in \mathbb {G}_2^n, ~r \in \mathbb {Z}_p \).

  • MT-IPP Relation. The merged \(\mathsf {MT\text {-}IPP}\) relation:

    $$\mathcal {R}_{\textsf{mt}} {:}{=}\left\{ \begin{array}{l} \big ( (T_{AB}, U_{AB}), (T_{C}, U_{C}), \\ ~ \qquad ~ \ ~ Z_{AB}, Z_C, r; \textbf{A}, \textbf{B}, \textbf{C}\big ) \end{array} \, : \, \begin{array}{c} (\textsf{CM}_d(\textbf{A}, \textbf{B}), Z_{AB}, r; \textbf{A}, \textbf{B}) \in \mathcal {R}_{\textsf{tipp}} \\ \wedge \\ (\textsf{CM}_s(\textbf{C}), Z_C, r; \textbf{C}) \in \mathcal {R}_{\textsf{mipp}} \end{array} \right\} $$

    for vectors \(\textbf{A}, \textbf{C}\in \mathbb {G}_1\) and \(\textbf{B}\in \mathbb {G}_2\).

E Final Commitment Keys

In this section, we will detail one step of the \(\mathsf {MT\text {-}IPP}\) protocol: Checking the correctness of the final commitment key, obtained after all “split & collapse” steps.

Recall that our scheme \(\mathsf {MT\text {-}IPP}\) achieves logarithmic proof size using a specially structured commitment scheme that allows the prover to use one new challenge \(x_j\) in each round of recursion to transform the commitments homomorphically. Because of this, the verifier must also perform a linear amount of work in rescaling the commitment keys (\(\textsf{ck}_s, \textsf{ck}_d \)). To avoid having the verifier rescale the commitment keys, our scheme applies the same trick as [DRZ20, BMM+19]: we outsource the work of rescaling the commitment keys to the prover.

Then what is left is to convince a verifier that this rescaling was done correctly just by checking a succinct proof on the final keys.

Proof for Final Key. In our \(\mathsf {MT\text {-}IPP}\) scheme, the prover will compute the final commitment keys \(v_1, v_2, w_1',w_2'\) (the result of many rounds of rescaling/collapsing \(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1', \textbf{w}_2'\) until the end of the loop) and then prove that they are well-formed.

This is possible due to the structure in the commitment keys. For ease of presentation, we will show how this proof works for a generic vector \(\textbf{v}\), where \(\textbf{v}= (v_1,v_2, \dots , v_{2^\ell }) = (g, g^{\alpha }, g^{\alpha ^2}, \dots , g^{\alpha ^{n-1}})\). The other checks for the keys \(v_1, v_2\) and \(w_1, w_2\) work in an analogous fashion.

Let us first define the relation to be proven, i.e. the correctness of the final commitment key \(v \in \mathbb {G}_1\) given the initial key \(\textbf{v}\):

$$ \mathcal {R}_{\textsf{ck}} {:}{=}\left\{ (\textsf{gk}, v, f(X), \textsf{ck}_g = (\{g^{\alpha ^i}\}_{i=0}^{2n-2}, \textsf{vk}_h = h^\alpha ) ) : v = g^{f(\alpha )} \right\} $$

The argument for the relation \(\mathcal {R}_{\textsf{ck}}\) allows the verifier to check well-formedness of the final structured commitment key. The idea is simple: the final commitment key \(v\) is interpreted as a KZG polynomial commitment that the prover must open at a random point \(z\). The verifier produces the challenge point \(z \in \mathbb {Z}_p\) and the prover provides a valid KZG opening proof of \(f(z)\) for the commitment \(v\). The interaction can be removed using the Fiat-Shamir heuristic via a collision-resistant hash to generate the challenge \(z\). The proof of security of such a protocol is given in [BMM+19] in the algebraic group model. In a nutshell, an algebraic adversary that convinces a verifier of incorrect keys can extract a valid \(2n\)-SDH instance by breaking knowledge-binding of the \(\textsf{KZG}.\textsf{PC}\) polynomial commitment scheme.

We will use a polynomial commitment scheme (Definition A.3) that allows for openings of evaluations on a point and proving correctness of these openings. The concrete scheme is called \(\textsf{KZG}.\textsf{PC}\) and works for both groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) as described in Appendix A.4. The verification requires an evaluation of the corresponding polynomial and four pairing checks.

Polynomial Formula. We will now show how to define the correct polynomials to be committed under the \(\textsf{KZG}.\textsf{PC}\) scheme in order to show that the final commitment keys were honestly generated.

Recall the structure of the 4 vectors \(\textbf{v}_1, \textbf{v}_2 \in \mathbb {G}_2\) and \( \textbf{w}_1, \textbf{w}_2 \in \mathbb {G}_1\) used for the commitment keys \(\textsf{ck}_s, \textsf{ck}_d\):

$$\begin{aligned} \textbf{v}_1&= (h,h^a,\dots ,h^{a^{n-1}}), \qquad \textbf{w}_1 = (g^{a^{n}}, \dots , g^{a^{2n-1}}), \qquad ~\mathbf {w'_1} {:}{=}\textbf{w}_1^{\textbf{r}^{-1}}\\ \textbf{v}_2&= (h,h^b,\dots ,h^{b^{n-1}}), \qquad \ \textbf{w}_2 = (g^{b^{n}},\dots ,g^{b^{2n-1}}), \qquad ~\mathbf {w'_2} {:}{=}\textbf{w}_2^{\textbf{r}^{-1}} \end{aligned}$$

We will show that the formulae for the two polynomials \(f_v(X)\) and \(f_w(X)\) that we used in our scheme MT-IPP for \(v_1, v_2\) and for \(w_1',w_2'\) are correct.

For ease of presentation, we state and prove the formula for a generic vector \( \textbf{v}= (v_1,v_2, \dots , v_{2^\ell }) = (g, g^{\alpha }, g^{\alpha ^2}, \dots g^{\alpha ^{2^\ell -1}})\) of length \(n= 2^\ell \) to which we apply the same rescaling as for the commitment keys \(\textsf{ck}_s, \textsf{ck}_d\). The specific formulae for \(\textbf{v}_1, \textbf{v}_2, \textbf{w}_1', \textbf{w}_2' \) are easy to deduce once we have a formula for \(\textbf{v}\).

Consider a challenge \(x_j\) for round \(j\), where the total number of rounds is \(\ell \). Note that at each round \(j\) we split the sequence \(v_1,v_2, \dots , v_{n}\) in half and we use \(x_{j}\) to rescale the first half and the second half of the vector recursively until we end up with a single value \(v\).

We claim that the formula for some initial key \(\textbf{v}= (v_1=g,v_2 = g^\alpha , \dots , v_{n} =g^{\alpha ^{n -1}})\) and for a vector of challenges \( x_1 \dots x_{\ell -1}, x_{\ell }\) is:

$$v = g^{\prod _{j=0}^{\ell -1} (1 + x_{\ell -j} \alpha ^{2^{j}})}.$$

We will prove the general formula by induction:

  • Step 1. Check the formula for \(\ell =1\) (initial commitment key \(\textbf{v}\) has two elements \(v_1, v_2\)):

    $$v = v_1 v_2^{x_1} = g^{1 + x_1 \alpha } = g^{\prod _{j=0}^{0} (1 + x_{\ell -j} \alpha ^{2^{j}})}.$$
  • Step 2. Suppose the statement is true for \(\ell -1\). We prove it for \(\ell \).

On the first round, we have a challenge \(x_{1}\) and we rescale the commitment key \(\textbf{v}\) which has length \(n=2^{\ell }\) as follows:

\(\textbf{v}' = \textbf{v}_{[:2^{\ell -1}]} \circ \textbf{v}_{[2^{\ell -1}:]}^{x_{1}},\)

\(\textbf{v}' =(g \cdot g^{x_{1} \alpha ^{2^{\ell -1}}}, g^\alpha \cdot g^{x_{1}\alpha ^{{2^{\ell -1}+1}}}, g^{\alpha ^2} \cdot g^{x_{1}\alpha ^{2^{\ell -1}+2}}, \dots ).\)

We can write this differently as \(\textbf{v}' = (v_1 v_1^{x_{1}\alpha ^{2^{\ell -1}}}, \dots , v_{2^{\ell -1}} v_{2^{\ell -1}}^{x_{1}\alpha ^{2^{\ell -1}}}).\)

This gives us a nicely written commitment key after the first round:

$$\textbf{v}' = (v_1^{1+x_{1}\alpha ^{2^{\ell -1}}}, v_2^{1+x_{1}\alpha ^{2^{\ell -1}}}, \dots v_{2^{\ell -1}}^{1+ x_{1}\alpha ^{2^{\ell -1}}} )=\textbf{v}_{[:2^{\ell -1}]}^{1+ x_{1}\alpha ^{2^{\ell -1}}}.$$

We can apply the induction assumption for step \(\ell -1\) to \(\textbf{v}_{[:2^{\ell -1}]}\) which is a commitment key of length \(2^{\ell -1}\). This means the final key for \(\textbf{v}\) is:

$$v = \left( g^{\prod _{j=0}^{\ell -2} \big (1 + x_{\ell -j}\alpha ^{2^j} \big )} \right) ^{(1+ x_1\alpha ^{2^{\ell -1}})}= g^{\prod _{j=0}^{\ell -1} (1 + x_{\ell -j}\alpha ^{2^j})}.$$

Remark that, more generally, this can be written as:

$$v = v_1^{\prod _{j=0}^{\ell -1} (1 + x_{\ell -j}\alpha ^{2^j})}$$

Therefore, if we start with an initial key \(\textbf{w}= (w_1=g^{\alpha ^n}, w_2 = g^{\alpha ^{n+1}}, \dots , w_n =g^{\alpha ^{2n -1}})\), the final key \(w\) can be written as:

$$w = w_1^{\prod _{j=0}^{\ell -1} (1 + x_{\ell -j}\alpha ^{2^j})} = g^{\alpha ^n\prod _{j=0}^{\ell -1} (1 + x_{\ell -j}\alpha ^{2^j})} $$
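The closed forms for \(v\) and \(w\) can be checked numerically by running the split & collapse loop and comparing it with \(g^{f(\alpha )}\) and \(w_1^{f(\alpha )}\). The following Python sketch is an added example, not code from the paper or from the SnarkPack implementation; it assumes a constructed toy group of prime order 1019 in place of the pairing groups, and all function names are hypothetical.

```python
# Toy prime-order group (constructed for illustration; not pairing-friendly, not secure):
# the order-Q subgroup of Z_P^* with P = 2Q + 1, generated by G = 4.
P, Q, G = 2039, 1019, 4

def srs(base, alpha, n):
    """Structured key (base, base^alpha, ..., base^(alpha^(n-1)))."""
    return [pow(base, pow(alpha, i, Q), P) for i in range(n)]

def collapse(key, xs):
    """Split & collapse: round k maps v to v_left * v_right^(x_k), halving its length."""
    for x in xs:                        # xs = [x_1, ..., x_l]; x_1 is used first
        half = len(key) // 2
        key = [a * pow(b, x, P) % P for a, b in zip(key[:half], key[half:])]
    assert len(key) == 1                # requires len(key) == 2^l
    return key[0]

def f_eval(xs, z):
    """f(z) = prod_{j=0}^{l-1} (1 + x_{l-j} * z^(2^j)) mod Q, in O(l) operations."""
    acc, power = 1, z % Q
    for x in reversed(xs):              # j = 0 pairs with x_l, j = l-1 with x_1
        acc = acc * (1 + x * power) % Q
        power = power * power % Q       # z^(2^j) -> z^(2^(j+1))
    return acc

def f_coeffs(xs):
    """Coefficients of f(X): c_i is the product of x_{l-j} over the set bits j of i."""
    coeffs = [1]
    for x in reversed(xs):
        coeffs = coeffs + [c * x % Q for c in coeffs]
    return coeffs

def check(alpha, xs):
    """True iff the collapsed keys v and w match the closed forms of this appendix."""
    n = 1 << len(xs)
    v_key = srs(G, alpha, n)
    w1 = pow(G, pow(alpha, n, Q), P)    # first element of w = (g^(alpha^n), ...)
    e = f_eval(xs, alpha)               # the exponent f(alpha)
    # The same final key, written as a multi-exponentiation with the coefficients of f.
    msm = 1
    for vi, ci in zip(v_key, f_coeffs(xs)):
        msm = msm * pow(vi, ci, P) % P
    v_ok = collapse(v_key, xs) == pow(G, e, P) == msm
    w_ok = collapse(srs(w1, alpha, n), xs) == pow(w1, e, P)
    return v_ok and w_ok

if __name__ == "__main__":
    print(check(7, [3, 5, 11]))         # alpha and challenges are constructed values
```

`f_eval` is the \(O(\ell )\) evaluation the verifier performs at the challenge point \(z\), while `collapse` is the linear-time rescaling that is outsourced to the prover.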


© 2022 International Financial Cryptography Association


Cite this paper

Gailly, N., Maller, M., Nitulescu, A. (2022). SnarkPack: Practical SNARK Aggregation. In: Eyal, I., Garay, J. (eds) Financial Cryptography and Data Security. FC 2022. Lecture Notes in Computer Science, vol 13411. Springer, Cham. https://doi.org/10.1007/978-3-031-18283-9_10


  • DOI: https://doi.org/10.1007/978-3-031-18283-9_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-18282-2

  • Online ISBN: 978-3-031-18283-9

  • eBook Packages: Computer Science (R0)
