Square Span Programs with Applications to Succinct NIZK Arguments

  • George Danezis
  • Cédric Fournet
  • Jens Groth
  • Markulf Kohlweiss
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8873)


We propose a new characterization of NP using square span programs (SSPs). We first characterize NP as affine map constraints on small vectors. We then relate this characterization to SSPs, which are similar but simpler than Quadratic Span Programs (QSPs) and Quadratic Arithmetic Programs (QAPs) since they use a single series of polynomials rather than 2 or 3.

We use SSPs to construct succinct non-interactive zero-knowledge arguments of knowledge. For performance, our proof system is defined over Type III bilinear groups; proofs consist of just 4 group elements, verified in just 6 pairings. Concretely, using the Pinocchio libraries, we estimate that proofs will consist of 160 bytes verified in less than 6 ms.


Square span program quadratic span program SNARKs non-interactive zero-knowledge arguments of knowledge 


  1. [AF07]
    Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. [BB08]
    Boneh, D., Boyen, X.: Short signatures without random oracles and the sdh assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  3. [BCPR13]
    Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: Indistinguishability obfuscation vs. auxiliary-input extractable functions: One must fall. IACR Cryptology ePrint Archive, Report 2013/641 (2013)Google Scholar
  4. [BGI+12]
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. Journal of the ACM 59(2), 6 (2012)CrossRefMathSciNetGoogle Scholar
  5. [BP04]
    Bellare, M., Palacio, A.: Towards plaintext-aware public-key encryption without random oracles. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 48–62. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. [BSCG+14]
    Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: Practical decentralized anonymous e-cash from bitcoin. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy. IEEE (May 2014)Google Scholar
  7. [Dam91]
    Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)Google Scholar
  8. [DFKP13]
    Danezis, G., Fournet, C., Kohlweiss, M., Parno, B.: Pinocchio coin: building zerocoin from a succinct pairing-based proof system. In: Franz, M., Holzer, A., Majumdar, R., Parno, B., Veith, H. (eds.) PETShop@CCS, pp. 27–30. ACM (2013)Google Scholar
  9. [GGH+13]
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
  10. [GGPR13]
    Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct nizks without pcps. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. [GOS12]
    Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. Journal of the ACM 59(3), 11:1–11:35 (2012)Google Scholar
  12. [GPS08]
    Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Applied Mathematics 156(16), 3113–3121 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  13. [Gro10]
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. [KW93]
    Karchmer, M., Wigderson, A.: On span programs. In: Proc. of the 8th IEEE Structure in Complexity Theory, pp. 102–111. IEEE Computer Society Press (1993)Google Scholar
  15. [Lip13]
    Lipmaa, H.: Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 41–60. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  16. [Lip14]
    Lipmaa, H.: Almost optimal short adaptive non-interactive zero knowledge. Cryptology ePrint Archive, Report 2014/396 (2014),
  17. [PHGR13]
    Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: Nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy, pp. 238–252 (2013)Google Scholar
  18. [Val76]
    Valiant, L.G.: Universal circuits (preliminary report). In: STOC, pp. 196–203 (1976)Google Scholar
  19. [vEB81]
    van Emde Boas, P.: Another NP-complete partition problem and the complexity of computing short vectors in a lattice. Technical report (1981),

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • George Danezis
    • 1
  • Cédric Fournet
    • 2
  • Jens Groth
    • 1
  • Markulf Kohlweiss
    • 2
  1. 1.University College LondonUK
  2. 2.Microsoft ResearchUK

Personalised recommendations