Scalable Zero Knowledge via Cycles of Elliptic Curves

  • Eli Ben-Sasson
  • Alessandro Chiesa
  • Eran Tromer
  • Madars Virza
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8617)


Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the verifier is computationally weak.

Existing zk-SNARK implementations have severe scalability limitations, in terms of space complexity as a function of the size of the computation being proved (e.g., running time of the NP statement’s decision program). First, the size of the proving key is quasilinear in the upper bound on the computation size. Second, producing a proof requires “writing down” all intermediate values of the entire computation, and then conducting global operations such as FFTs.

The bootstrapping technique of Bitansky et al. (STOC ’13), following Valiant (TCC ’08), offers an approach to scalability, by recursively composing proofs: proving statements about acceptance of the proof system’s own verifier (and correctness of the program’s latest step). Alas, recursive composition of known zk-SNARKs has never been realized in practice, due to enormous computational cost.

Using new elliptic-curve cryptographic techniques, and methods for exploiting the proof systems’ field structure and nondeterminism, we achieve the first zk-SNARK implementation that practically achieves recursive proof composition. Our zk-SNARK implementation runs random-access machine programs and produces proofs of their correct execution, on today’s hardware, for any program running time. It takes constant time to generate the keys that support all computation sizes. Subsequently, the proving process only incurs a constant multiplicative overhead compared to the original computation’s time, and an essentially-constant additive overhead in memory. Thus, our zk-SNARK implementation is the first to have a well-defined, albeit low, clock rate of “verified instructions per second”.


computationally-sound proofs proof-carrying data zero-knowledge elliptic curves 


  1. [Ajt96]
    Ajtai, M.: Generating hard instances of lattice problems. In: STOC 1996 (1996)Google Scholar
  2. [AM93]
    Atkin, A.O.L., Morain, F.: Elliptic curves and primality proving. Math. Comp (1993)Google Scholar
  3. [BCCT13]
    Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC 2013 (2013)Google Scholar
  4. [BCG+13a]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: Verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. [BCG+13b]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: TinyRAM architecture specification v2.00 (2013), URL:
  6. [BCG+14]
    Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: Decentralized anonymous payments from Bitcoin. In: SP 2014 (2014)Google Scholar
  7. [BCGT13a]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: Fast reductions from RAMs to delegatable succinct constraint satisfaction problems. In: ITCS 2013 (2013)Google Scholar
  8. [BCGT13b]
    Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: On the concrete efficiency of probabilistically-checkable proofs. In: STOC 2013 (2013)Google Scholar
  9. [BCI+13]
    Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  10. [BCTV14a]
    Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. Cryptology ePrint Archive (2014)Google Scholar
  11. [BCTV14b]
    Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: Security 2014 (2014),
  12. [BDSMP91]
    Blum, M., De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge. SIAM J. Comp. (1991)Google Scholar
  13. [BEG+91]
    Blum, M., Evans, W., Gemmell, P., Kannan, S., Naor, M.: Checking the correctness of memories. In: FOCS 1991 (1991)Google Scholar
  14. [BFLS91]
    Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: STOC 1991 (1991)Google Scholar
  15. [BFM88]
    Blum, M., Feldman, P., Micali Non-interactive, S.: zero-knowledge and its applications. In: STOC 1988 (1988)Google Scholar
  16. [BFR+13]
    Braun, B., Feldman, A.J., Ren, Z., Setty, S., Blumberg, A.J., Walfish, M.: Verifying computations with state. In: SOSP 2013 (2013)Google Scholar
  17. [BS10]
    Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. [BSW12]
    Boneh, D., Segev, G., Waters, B.: Targeted malleability: Homomorphic encryption for restricted computations. In: ITCS 2012 (2012)Google Scholar
  19. [CMT12]
    Cormode, G., Mitzenmacher, M., Thaler, J.: Practical verified computation with streaming interactive proofs. In: ITCS 2012 (2012)Google Scholar
  20. [CRR11]
    Canetti, R., Riva, B., Rothblum, G.N.: Practical delegation of computation using multiple servers. In: CCS 2011 (2011)Google Scholar
  21. [CT10]
    Chiesa, A., Tromer, E.: Proof-carrying data and hearsay arguments from signature cards. In: ICS 2010 (2010)Google Scholar
  22. [CT12]
    Chiesa, A., Tromer, E.: Proof-carrying data: Secure computation on untrusted platforms (high-level description). In: The Next Wave: The National Security Agency’s Review of Emerging Technologies (2012)Google Scholar
  23. [CTV13]
    Chong, S., Tromer, E., Vaughan, J.A.: Enforcing language semantics using proof-carrying data. ePrint 2013/513 (2013)Google Scholar
  24. [ES10]
    Enge, A., Sutherland, A.V.: Class invariants by the CRT method. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS-IX. LNCS, vol. 6197, pp. 142–156. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. [FST10]
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Journal of Cryptology (2010)Google Scholar
  26. [GGH96]
    Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Technical report, ECCC TR95-042 (1996)Google Scholar
  27. [GGPR13]
    Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  28. [Gro10]
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  29. [KT08]
    Karabina, K., Teske, E.: On prime-order elliptic curves with embedding degrees k = 3, 4, and 6. In: van der Poorten, A.J., Stein, A. (eds.) ANTS-VIII 2008. LNCS, vol. 5011, pp. 102–117. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  30. [Lip12]
    Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  31. [Lip13]
    Lipmaa, H.: Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 41–60. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  32. [LMN10]
    Lauter, K., Montgomery, P.L., Naehrig, M.: An analysis of affine coordinates for pairing computation. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 1–20. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  33. [Mic00]
    Micali, S.: Computationally sound proofs. SIAM J. Comp. (2000)Google Scholar
  34. [MNT01]
    Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences (2001)Google Scholar
  35. [NY90]
    Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990 (1990)Google Scholar
  36. [PGHR13]
    Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: Nearly practical verifiable computation. In: Oakland 2013 (2013)Google Scholar
  37. [SBV+13]
    Setty, S., Braun, B., Vu, V., Blumberg, A.J., Parno, B., Walfish, M.: Resolving the conflict between generality and plausibility in verified computation. In: EuroSys 2013 (2013)Google Scholar
  38. [SBW11]
    Setty, S., Blumberg, A.J., Walfish, M.: Toward practical and unconditional verification of remote computations. In: HotOS 2011 (2011)Google Scholar
  39. [SMBW12]
    Setty, S., McPherson, M., Blumberg, A.J., Walfish, M.: Making argument systems for outsourced computation practical (sometimes). In: NDSS 2012 (2012)Google Scholar
  40. [Sut11]
    Sutherland, A.V.: Computing Hilbert class polynomials with the Chinese remainder theorem. Math. Comp. (2011)Google Scholar
  41. [Sut12]
    Sutherland, A.V.: Accelerating the CM method. LMS Journal of Computation and Mathematics (2012)Google Scholar
  42. [SVP+12]
    Setty, S., Vu, V., Panpalia, N., Braun, B., Blumberg, A.J., Walfish, M.: Taking proof-based verified computation a few steps closer to practicality. In: Security 2012 (2012)Google Scholar
  43. [Tha13]
    Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  44. [TRMP12]
    Thaler, J., Roberts, M., Mitzenmacher, M., Pfister, H.: Verifiable computation with massively parallel interactive proofs. CoRR (2012)Google Scholar
  45. [Val08]
    Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Eli Ben-Sasson
    • 1
  • Alessandro Chiesa
    • 2
  • Eran Tromer
    • 3
  • Madars Virza
    • 2
  1. 1.TechnionHaifaIsrael
  2. 2.MITCambridgeUSA
  3. 3.Tel Aviv UniversityTel AvivIsrael

Personalised recommendations