SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

  • Eli Ben-Sasson
  • Alessandro Chiesa
  • Daniel Genkin
  • Eran Tromer
  • Madars Virza
Conference paper

DOI: 10.1007/978-3-642-40084-1_6

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8043)
Cite this paper as:
Ben-Sasson E., Chiesa A., Genkin D., Tromer E., Virza M. (2013) SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8043. Springer, Berlin, Heidelberg

Abstract

An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key.

We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a nondeterministic random-access machine tailored for efficient verification. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring \(\tilde{O}(|P| \cdot T)\) cryptographic operations. An honest prover requires \(\tilde{O}(|P| \cdot T)\) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler.

This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for program executions, in the preprocessing model — a powerful solution for delegating NP computations, with several features not achieved by previously-implemented primitives.

Our approach builds on recent theoretical progress in the area. We present efficiency improvements and implementations of two main ingredients:
  1. Given a C program, we produce a circuit whose satisfiability encodes the correctness of execution of the program. Leveraging nondeterminism, the generated circuit’s size is merely quasilinear in the size of the computation. In particular, we efficiently handle arbitrary and data-dependent loops, control flow, and memory accesses. This is in contrast with existing “circuit generators”, which in the general case produce circuits of quadratic size.
  2. Given a linear PCP for verifying satisfiability of circuits, we produce a corresponding SNARK. We construct such a linear PCP (which, moreover, is zero-knowledge and very efficient) by building and improving on recent work on quadratic arithmetic programs.

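To make the first ingredient concrete, the following added example (constructed for this page, not the authors' TinyRAM circuit generator) shows how an untrusted prover's auxiliary witness turns a memory-consistency check from quadratic into linear work. The checker receives the access trace re-sorted by address, verifies it is a permutation of the original trace (a multiset comparison standing in for the circuit-level permutation check) and then only compares neighbouring entries; the trace, the zero-initialised memory and the field names are assumptions.

```python
from collections import Counter, namedtuple

# One RAM access: time step, address, store or load, value written or read.
Access = namedtuple("Access", "time addr is_store value")

def check_naive(trace):
    """Quadratic check: every load is compared against all earlier stores."""
    for i, cur in enumerate(trace):
        if cur.is_store:
            continue
        expected = 0  # assumption: memory starts zero-initialised
        for prev in trace[:i]:
            if prev.is_store and prev.addr == cur.addr:
                expected = prev.value
        if cur.value != expected:
            return False
    return True

def make_witness(trace):
    """Prover side: the same trace sorted by (address, time)."""
    return sorted(trace, key=lambda a: (a.addr, a.time))

def check_with_witness(trace, witness):
    """Linear check given the prover-supplied sorted trace.
    The checker never sorts; it verifies the witness is a permutation of the
    trace, is strictly ordered by (addr, time), and that each load returns the
    value of its predecessor at the same address (or 0 for the first access)."""
    if len(witness) != len(trace) or Counter(witness) != Counter(trace):
        return False
    for prev, cur in zip(witness, witness[1:]):
        if (prev.addr, prev.time) >= (cur.addr, cur.time):
            return False
    for i, cur in enumerate(witness):
        if cur.is_store:
            continue
        prev = witness[i - 1] if i > 0 else None
        expected = prev.value if prev is not None and prev.addr == cur.addr else 0
        if cur.value != expected:
            return False
    return True

# Constructed sample trace (time, addr, is_store, value).
TRACE = [Access(0, 5, True, 7), Access(1, 9, True, 3), Access(2, 5, False, 7),
         Access(3, 9, False, 3), Access(4, 5, True, 1), Access(5, 5, False, 1),
         Access(6, 2, False, 0)]
# Same trace but the load at time 5 claims a stale value.
BAD_TRACE = TRACE[:5] + [Access(5, 5, False, 7), TRACE[6]]
```

Both checkers accept TRACE and reject BAD_TRACE; a witness that drops or reorders an entry is rejected by the permutation and ordering tests before any value is compared.
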
Keywords

computationally-sound proofs; succinct arguments; zero-knowledge; delegation of computation


Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Eli Ben-Sasson, Technion, Israel
  • Alessandro Chiesa, MIT, USA
  • Daniel Genkin, Technion, Israel
  • Eran Tromer, Tel Aviv University, Israel
  • Madars Virza, MIT, USA
