1 Introduction

Since their introduction three decades ago, zero-knowledge proofs have been constructed in a variety of different models. Arguably the simplest setting is the Uniform Random String (URS) model, introduced by Blum, Feldman, and Micali [BFM88] and used heavily since [FLS99, Dam92, SP92, KP98, SCP00, GO14, Gro10a, GGI+15]. In the URS model both the prover and verifier have access to a string sampled uniformly at random and it enables the prover to send a single non-interactive zero-knowledge (NIZK) proof that convinces the verifier. This model is limited, however, so many newer NIZK proof systems are instead in the Common Reference String (CRS) model [CF01, Dam00, FF00, GOS12, GS12]. Here, the reference string must have some structure based on secret random coins (e.g., be of the form \(G^s, G^{s^2}, G^{s^3}, \ldots \)) and the secret (e.g., the value s) must be discarded after generation. This makes CRS generation an inherently trusted process.

Until recently, little consideration had been given to how to generate common reference strings in practice, and it was simply assumed that a trusted party could be found. The introduction of zk-SNARKs (zero-knowledge Succinct Non-interactive ARguments of Knowledge) in the CRS model [Gro10b], however, and subsequent academic and commercial usage has brought this issue front and center. In particular, zk-SNARKs are of considerable interest for cryptocurrencies given their usage in both Zcash [BCG+14], which relies on them in order to preserve privacy, and Ethereum, which recently integrated support for them [Buc17]. In these decentralized settings in which real monetary value is at stake, finding a party who can be widely accepted as trusted is nearly impossible.

Ben-Sasson et al. [BCG+15] and subsequently Bowe et al. [BGG17] examined the use of multi-party computation to generate a CRS, where only one out of n parties needs to be honest but the participants must be selected in advance. In concurrent work, Bowe et al. [BGM17] propose a protocol that avoids the pre-selection requirement and as a result scales to more participants. Both protocols, however, result in a CRS for a fixed circuit with a fixed set of participants. This raises issues about who the participants are and how they were selected, which are compounded by the fact that upgrades for increased performance or functionality require a new circuit and thus a new invocation of the protocol. This offers both renewed opportunities for adversarial subversion and loss of faith in the integrity of the parameters. Despite multi-party CRS generation, CRS setup (and particularly the cost it imposes on upgrading protocols), is thus a major obstacle to the practical deployment and usage of zk-SNARKs.

Motivated by this issue of trusted setup, several works have recently examined alternatives to CRS-based pre-processing SNARKS in the URS and random oracle model, despite the associated performance disadvantages. Current proposed alternatives [BSBHR18, WTas+17, AHIV17, BCG+17, BCC+16, BBB+18], either have proofs that even for modest circuit sizes, range into the hundreds of kilobytes or have verification times that are linear in the size of the circuit and make verification of large statements impractical for many applications. In contrast, (Quadratic Arithmetic Program) QAP-based zk-SNARKs offer quasi-constant-size proofs and verification times in the tens of milliseconds. Thus, modulo the barrier of having a trusted CRS setup, they are ideally suited to applications such as blockchains where space and bandwidth are highly constrained and proofs are expected to be verified many times in a performance-critical process.

Our contributions. To provide a middle ground between the fully trusted and fully subverted CRS models, we introduce and explore a new setup model for NIZK proofs: the updatable CRS model. In the updatable CRS model, any user can at any point choose to update the common reference string, provided that they also prove they have done the update correctly. If the proof of correctness verifies, then the new CRS resulting from the update can be considered trustworthy (i.e., uncorrupted) as long as either the old CRS or the updater was honest. If multiple users participate in this process, then it is possible to get a sequence of updates by different people over a period of time. If any one update is honest at any point in the sequence, then the scheme is sound.

We introduce our model for updatable zero-knowledge proofs in Sect. 3, where we also relate it to the classical CRS model (which we can think of as weaker) and the models for subversion-resistant proofs [BFS16, ABLZ17] (which we can think of as stronger).

Since Bellare et al. showed that it was impossible to achieve both subversion soundness and even standard zero-knowledge, it follows that it is also impossible to achieve subversion soundness and updatable zero-knowledge. With this in mind, we next explore the space of NIZK proofs that achieve subversion zero-knowledge (and thus updatable zero-knowledge) and updatable soundness.

We first observe that the original pairing-based zk-SNARK construction due to Groth [Gro10b] can be made updatably sound. His construction, however, has a quadratic-sized reference string, resulting in quadratic prover complexity. Our positive result in Sect. 5 provides a construction of an updatable QAP-based zk-SNARK that uses a quadratic-sized universal CRS, but allows for the derivation of linear-sized relation-dependent CRSs (and thus linear prover complexity). Because our universal CRS consists solely of monomials, our construction gets around our negative result in Sect. 6, which demonstrates that it is impossible to achieve updatable soundness for any pairing-based NIZK proof that relies on embedding non-monomials in the reference string (e.g., uses terms \(G^{s^2+s}\)). In particular, this shows that QAP-based zk-SNARKs such as Pinocchio [PHGR13] do not satisfy updatable soundness.

Applications. Updatable common reference strings are a natural model for parameter generation in a cryptocurrency, or other blockchain-based settings. Informally, in a blockchain, blocks of data are agreed upon by peers in a global network according to some consensus protocol, with different blocks of data being contributed by different users.

If each block (or one out of every n blocks) contains an update to the CRS performed by the creator of the block, then assuming the blockchain as a whole is correct, the CRS is sound. Indeed, we achieve a stronger property than the blockchain itself: assuming one single block was honestly generated, then the CRS is sound even if all other blocks are generated by dishonest parties.

While updatable security thus seems to be a natural fit for blockchain-based settings, there would be considerable work involved in making the construction presented in this paper truly practical. As our construction is compatible with several techniques designed to achieve efficiency (e.g., pruning of the blockchain) and does not require replication of the entire sequence of updated CRSs in order to perform verification, we believe this is a promising avenue for future research.

Knowledge assumptions. Our approach to proving that the updates are carried out correctly is to prove the existence of a correct CRS update under a knowledge extractor assumption. Knowledge assumptions define conditions under which extractors can retrieve the internal ‘knowledge’ of the adversary, in this case secret randomness used to update the CRS correctly. While less reassuring than standard model assumptions, the security of zk-SNARKs typically rely on knowledge assumptions anyway (and must be based on non-falsifiable assumptions [GW11]), and our construction is proven updatably sound under the same assumptions as those that are used to prove standard soundness. We assume that an adversary does not subvert our scheme by hiding a trapdoor in the groups. Choosing such elliptic curve groups is a contentious affair [BCC+14] and outside the scope of this paper, but one option for guaranteeing the adversary does not implant a trapdoor is to use a deterministic group generation algorithm.

Updatable CRS vs. URS model. The updatable CRS model is closer to the URS model than the CRS model, but it is important to acknowledge the differences. In the URS model, given a valid proof and a URS, a verifier only needs to be convinced that the URS was sampled at random (e.g. via a hash function in the random oracle model). An updatable CRS, in contrast, allows a skeptical verifier to trust proofs made with respect to a CRS that they themselves updated (or contributed to via a previous update). This is a weaker property than the URS model, as it cannot help with proofs formed before this update. On the other hand, updatable CRS schemes inherit the efficiency and expressiveness of the CRS model, without fully inheriting its reliance on a trusted setup.

2 Related Work

In addition to the works referenced in the introduction, we compare here with the research most closely related to our own.

In terms of acknowledging the potential for an adversary to compromise the CRS, Bellare, Fuchsbauer and Scafuro [BFS16] ask what security can be maintained for NIZK proofs when the CRS is subverted. They formalise the different notions of subversion resistance and then investigate their possibility. Using similar techniques to Goldreich et al. [GOP94], they show that soundness in this setting cannot be achieved at the same time as (standard) zero-knowledge. Building on the notions of Bellare et al., two recent papers [ABLZ17, Fuc17] discuss how to achieve subversion zero-knowledge for zk-SNARKs. None of these schemes, however, can avoid the impossibility result and they do not simultaneously preserve soundness and zero-knowledge under subversion.

Table 1. Comparison for pairing-based zk-SNARKs for boolean and arithmetic circuit satisfiability with \(\ell \)-element known circuit inputs, m wires, and n gates, of which \(n_\times \) are multiplication gates. \(\mathbb {G}\) means group elements in either source group, Ex means group exponentiations, \(M_{\mathbb {G}}\) means group multiplications, and P means pairings.
Full size table

The multi-string model by Groth and Ostrovsky [GO14] addresses the problem of subversion by designing protocols that require only the majority of the parties contributing multiple reference strings to be honest. Their construction gives statistically sound proofs but they are of linear size in both the number of reference strings and the size of the instance.

In terms of zk-SNARKs, some of the most efficient constructions in the literature [Lip13, PHGR13, BCTV14, DFGK14, Gro16, GM17] use the quadratic span program (QSP) or quadratic arithmetic program (QAP) approach of Gennaro et al. [GGPR13]. The issue with this approach when it comes to updatability is that it requires embedding arbitrary polynomials in the exponents of group elements in the common reference string. However, we show in Sect. 6 that if it is possible to update these polynomial embeddings, then it is possible to compute all the constituent monomials in the polynomials. Uncovering the underlying monomials, however, would completely break those zk-SNARKs, so QSP-based and QAP-based updatable zk-SNARKs require a fundamentally new technique.

Two early zk-SNARKs by Groth [Gro10b] and Lipmaa [Lip12] do, however, use only monomials. The main drawback of [Gro10b] is that it has a quadratic-sized CRS and quadratic prover computation, but it has a CRS that consists solely of monomials, and thus is updatable. Lipmaa still has quadratic prover computation, however he suggested the use of progression-free sets to construct NIZK arguments with a CRS consisting of \(n^{(1+o(1))}\) group elements. It uses progression-free sets to give an elegant product argument and a permutation argument, which are then combined to give a circuit satisfiability argument.

We give a performance comparison of pairing-based zk-SNARKs in Table 1, comparing the relative size of the CRS and the proof, and the computation required for the prover and verifier. We compare Groth’s original zk-SNARK, two representative QAP-based zk-SNARKs, and our updatable and specializable QAP-based zk-SNARK. As can be seen, our efficiency is comparable to the QAP-based schemes, but our universal reference string is not restricted to proving a pre-specified circuit. For the QAP-based SNARKs one could use Valiant’s universal circuit construction [Val76, LMS16] to achieve universality but this would introduce a \(\log n\) multiplicative overhead.We pose as an interesting open question whether updatable zk-SNARKs with a shorter universal CRS exist.

In concurrent work, Bowe et al. [BGM17] propose a two-phase protocol for the generation of a zk-SNARK reference string that is player-replaceable [GHM+17]. Like our protocol, the first phase of their protocol also computes monomials with parties operating in a similar one-shot fashion. However, there are several differences. First, their protocol does so under the stronger assumption of a random oracle, whereas we prove the security of our updatable zk-SNARK directly under the same assumptions as a trusted setup zk-SNARK. More significantly, to create a full CRS which does not have quadratic prover time, Bowe et al. require a second phase. As one party in each phase must be honest and the second phase depends on the first, the final CRS is not updatable. There is no way to increase the number of parties in the first phase after the second phase has started and, restarting the first phase means discarding the participants in the second phase. As a result, the protocol is still a multi-party computation to produce a fixed CRS with a fixed set of participants, albeit with the set of participants fixed midway through the protocol instead of at the start. In contrast, we produce a CRS with linear overhead from a quadratic-sized universal updatable CRS via an untrusted specialization process. Thus our CRS can be continuously updated without discarding past participation.

3 Defining Updatable and Universal CRS Schemes

In this section, we begin by presenting some notation and revisiting the basic definitions of non-interactive zero-knowledge proofs in the common reference string model, in which the reference string must be run by a trusted third party. We then present our new definitions for an updatable CRS scheme, which relaxes the CRS model by allowing the adversary to either fully generate the reference string itself, or at least contribute to its computation as one of the parties performing updates. In this our model is related to subversion-resistant proofs [BFS16], which we also present and compare to our own model.

3.1 Notation

If x is a binary string then |x| denotes its bit length. If S is a finite set then |S| denotes its size and \(x\mathrel {\xleftarrow {\$}}S\) denotes sampling a member uniformly from S and assigning it to x. We use \(\lambda \in \mathbb {N}\) to denote the security parameter and \(1^\lambda \) to denote its unary representation. We use \(\varepsilon \) to denote the empty string.

Algorithms are randomized unless explicitly noted otherwise. “PPT” stands for “probabilistic polynomial time” and “DPT” stands for “deterministic polynomial time.” We use \(y\leftarrow A(x;r)\) to denote running algorithm A on inputs x and random coins r and assigning its output to y. We write \(y\mathrel {\xleftarrow {\$}}A(x)\) or \(y\mathrel {\xleftarrow {r}} A(x)\) (when we want to refer to r later on) to denote \(y\leftarrow A(x;r)\) for r sampled uniformly at random. \(\mathcal {A}.{\mathsf {rt}}(\lambda )\), and sample \(r \mathrel {\xleftarrow {\$}}\{0,1\}^{\mathcal {A}.{\mathsf {rl}}(\lambda )}\).

We use code-based games in security definitions and proofs [BR06]. A game \(\mathsf {Sec}_\mathcal {A}(\lambda )\), played with respect to a security notion \(\mathsf {Sec}\) and adversary \(\mathcal {A}\), has a \(\textsc {main}\) procedure whose output is the output of the game. The notation \(\mathsf {Pr}[\mathsf {Sec}_\mathcal {A}(\lambda )]\) is used to denote the probability that this output is 1.

3.2 NIZK Proofs in the CRS Model

Let \(\mathsf {Setup}\) be a setup algorithm that takes as input a security parameter \(1^\lambda \) and outputs a common reference string \(\mathtt {crs}\) sampled from some distribution \(\mathcal {D}\). Let R be a polynomial time decidable relation with triples \((\mathtt {crs},\phi ,w)\). We say w is a witness to the instance \(\phi \) being in the relation defined by \(\mathtt {crs}\) when \((\mathtt {crs},\phi ,w)\in R\).

Non-interactive zero-knowledge (NIZK) proofs and arguments in the CRS model are comprised of three algorithms \((\mathsf {Setup}, \mathsf {Prove}, \mathsf {Verify})\), and satisfy completeness, zero-knowledge, and (knowledge) soundness. Perfect completeness requires that for all reference strings output by setup \(\mathtt {crs}\mathrel {\xleftarrow {\$}}\mathsf {Setup}(1^\lambda )\), whenever \((\mathtt {crs},\phi ,w)\in R\) we have that \(\mathsf {Verify}(\mathtt {crs}, \phi , \mathsf {Prove}(\mathtt {crs}, \phi , w)) = 1\). Soundness requires that an adversary cannot output a proof that verifies with respect to an instance not in the language, and knowledge soundness goes a step further and for any prover producing a valid proof there is an extractor \(\mathcal {X}\) that can extract a valid witness. Finally, zero knowledge requires that there exists a pair \((\mathsf {SimSetup},\mathsf {SimProve})\) such that an adversary cannot tell if it is given an honest CRS and honest proofs, or a simulated CRS and simulated proofs (in which the simulator does not have access to the witness, but does have a simulation trapdoor). We present these notions more formally below.

3.3 Updating Common Reference Strings

In our definitions we relax the CRS model by allowing the adversary to either fully generate the reference string itself, or at least contribute to its computation as one of the parties performing updates. Informally, we can think of this as having the adversary interact with the \(\mathsf {Setup}\) algorithm. More formally, we can define an updatable CRS scheme that consists of PPT algorithms \(\mathsf {Setup},\mathsf {Update}\) and a DPT algorithm \(\mathsf {VerifyCRS}\) that behave as follows:

  • \((\mathtt {crs},\rho )\mathrel {\xleftarrow {\$}}\mathsf {Setup}(1^\lambda )\) takes as input the security parameter and returns a common reference string and a proof of correctness.

  • \((\mathtt {crs}',\rho ') \mathrel {\xleftarrow {\$}}\mathsf {Update}(1^\lambda ,\mathtt {crs}, (\rho _i)_{i=1}^n)\) takes as input the security parameter, a common reference string, and a list of update proofs for the common reference string. It outputs an updated common reference string and a proof of the correctness of the update.

  • \(b \leftarrow \mathsf {VerifyCRS}(1^\lambda , \mathtt {crs},(\rho _i)_{i=1}^n)\) takes as input the security parameter, a common reference string, and a list of proofs. It outputs a bit indicating acceptance, \(b=1\), or rejection \(b=0\).

Definition 1

An updatable CRS scheme is perfectly correct if

  • for all \((\mathtt {crs},\rho )\mathrel {\xleftarrow {\$}}\mathsf {Setup}(1^\lambda )\) we have \(\mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs},\rho )=1\);

  • for all \((\lambda ,\mathtt {crs},(\rho _i)_{i=1}^n)\) such that \(\mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs},(\rho )_{i=1}^n)=1\) we have for \((\mathtt {crs}',\rho _{n+1})\mathrel {\xleftarrow {\$}}\mathsf {Update}(1^\lambda ,\mathtt {crs}, (\rho _i)_{i=1}^n)\) that \(\mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs}',(\rho )_{i=1}^{n+1})=1\).

Please observe that a standard trusted setup is a special case of an updatable setup with \(\rho =\varepsilon \) as the update proof where the verification algorithm accepts anything. For a subversion-resistant setup the proof \(\rho \) can be considered as extra elements included in the CRS solely to make the CRS verifiable.

3.4 Security Properties

We recall the notions of zero-knowledge, soundness, and knowledge soundness associated with NIZK proof systems. In addition to considering the standard setting with a trusted reference string, we also capture the subversion-resistant setting, in which the adversary generates the reference string [BFS16, ABLZ17, Fuc17], and introduce our new updatable reference string setting.

For each security property, the game in the left column of Fig. 1 resembles the usual security game for zero-knowledge, soundness, and knowledge soundness. The difference is in the creation of the CRS \(\mathtt {crs}\), which is initially set to \(\bot \). We then model the process of generating the CRS as an interaction between the adversary and a setup oracle \(\mathcal {O}_\mathsf {s}\), at the end of which the oracle sets this value \(\mathtt {crs}\) and returns it to the adversary.

In principle, this process of creating the CRS can look like anything: it could be trusted, or even a more general MPC protocol. For the sake of this paper, however, we focus on three types of setup: (1) a trusted setup (\(\mathsf {T}\)) where the setup generator ignores the adversary when generating \(\mathtt {crs}\); (2) a subvertible setup (\(\mathsf {S}\)) where the setup generator gets \(\mathtt {crs}\) from the adversary and uses it after checking that it is well formed; and (3) a model in between that we call an updatable setup (\(\mathsf {U}\)). In this new model, an adversary can adaptively generate sequences of CRSs and arbitrarily interleave its own malicious updates into them. The only constraints on the final CRS are that it is well formed and that at least one honest participant has contributed to it by providing an update.

In the definition of zero-knowledge, we require the existence of a PPT simulator consisting of algorithms \((\mathsf {SimSetup},\mathsf {SimUpdate},\mathsf {SimProve})\) that share state with each other. The idea is that it can be used to simulate the generation of common reference strings and simulate proofs without knowing the corresponding witnesses.

Fig. 1.
figure 1

The left games define completeness, zero-knowledge (\(\mathsf {X}\text{- }\mathsf {ZK}\)), soundness (\(\mathsf {X}\text{- }\mathsf {SND}\)), and knowledge soundness (\(\mathsf {X}\text{- }\mathsf {KSND}\)). The right oracles define the notions \(\mathsf {X}\in \{\mathsf {T},\mathsf {U},\mathsf {S}\}\); i.e., trusted, updatable, and subvertible CRS setups. A complete game is constructed by using an oracle from the right side in the game on the left side.

Full size image

Definition 2

Let \(\mathrm {P}=(\mathsf {Setup},\mathsf {Update},\mathsf {VerifyCRS},\mathsf {Prove},\mathsf {Verify})\) be a non-interactive argument for the relation R. Then the argument is \({\mathsf {X}}\)-secure, for \({\mathsf {X}} \in \{{\mathsf {T}},{\mathsf {U}},{\mathsf {S}}\}\), if it satisfies each of the following:

  • \(\mathrm {P}\) is complete, if for all PPT algorithms \(\mathcal {A}\) the advantage \(|1-\Pr [\mathsf {COMP}_{\mathcal {A}}(\lambda )]|\) is negligible in \(\lambda \).

  • \(\mathrm {P}\) is \({\mathsf {X}}\)-zero-knowledge, if for all PPT algorithms \(\mathcal {A}\) there exists a simulator \(\mathsf {Sim}_{\mathcal {A}}=(\mathsf {SimSetup},\mathsf {SimUpdate},\mathsf {SimProve}_{\mathcal {A}})\) where the advantage \(|2\Pr [\mathsf {X}\text{- }\mathsf {ZK}_{\mathcal {A},\mathsf {Sim}_{\mathcal {A}}}(1^\lambda )=1]-1|\) is negligible in \(\lambda \).

  • \(\mathrm {P}\) is \({\mathsf {X}}\)-sound if for all PPT algorithms \(\mathcal {A}\) the probability \(\Pr [\mathsf {X}\text{- }\mathsf {SND}_{\mathcal {A}}(1^\lambda )=1]\) is negligible in \(\lambda \).

  • \(\mathrm {P}\) is \({\mathsf {X}}\)-knowledge-sound if for all PPT algorithms \(\mathcal {A}\) there exists a PPT extractor \(\mathcal {X}_{\mathcal {A}}\) such that the probability \(|\Pr [\mathsf {X}\text{- }\mathsf {KSND}_{\mathcal {A},\mathcal {X}_\mathcal {A}}(1^\lambda )|\) is negligible in \(\lambda \).

Moreover, if a definition holds with respect to an adversary with unbounded computation, we say it holds statistically, and if the advantage is exactly 0, we say it holds perfectly.

One of the main benefits of our model is its flexibility. For example, a slightly weaker but still trusted setup could be defined that would allow the adversary to pick some parameters (e.g., the number of gates in an arithmetic circuit or a specific finite field) and then run the setup on those. In addition to different types of setup assumptions, it also would be easy to incorporate additional security notions into this framework, such as simulation soundness.

Our definition of subversion-resistant security is adapted from that of Abdolmaleki et al. [ABLZ17], and our definition of update security is itself adapted from this definition. We stress that this new notion of setup security is necessary: while we prove that our construction in Sect. 5 satisfies subversion zero-knowledge, this is known to be mutually exclusive with subversion soundness [BFS16], so update security provides the middle ground in which we can obtain positive results. In terms of relating these notions, it is fairly straightforward that updatable security implies trusted security, and that subversion-resistant security implies updatable security (for all security notions).

The proofs for the following lemmas are included in the full version of the paper [GKM+18].

Lemma 1

A proof system that satisfies a security notion with updatable setup also satisfies the security notion with trusted setup.

Lemma 2

A proof system that satisfies a security notion with subvertible setup also satisfies the security notion with updatable setup.

3.5 Specializing Common Reference Strings

Consider a CRS for a universal relation that can be used to prove any arithmetic circuit is satisfiable. Instances of the relation specify both wiring and inputs freely. For a specific arithmetic circuit it is desirable to use the large CRS to derive a smaller circuit-specific CRS for a relation with fixed wiring but flexible inputs, as this might lead to more efficient prover and verifier algorithms. This can be seen as a form of pre-computation on the large CRS to get better efficiency, but there are conceptual advantages in giving the notion a name so in the following we formalize the idea of specializing a universal CRS.

Let \(\varPhi \) be a DPT decidable set of relations, with each relation \(R_\phi \in \varPhi \) being itself DPT decidable. The universal relation R for \(\varPhi \) defines a language with instances \(\phi =(R_\phi ,u)\) such that \(((R_\phi ,u),w)\in R\) if and only if \(R_\phi \in \varPhi \) and \((u,w)\in R_\phi \). We say that a setup generates specializable universal reference strings \(\mathtt {crs}\) for R if there exists a DPT algorithm \(\mathtt {crs}_{R_\phi } \leftarrow \textsf {Derive}^\star (\mathtt {crs},R_\phi )\) and algorithms \(\mathsf {Prove}\) and \(\mathsf {Verify}\) can be defined in terms of algorithms \(\pi \leftarrow \mathsf {Prove}^\star (\mathtt {crs}_{R_\phi },u,w)\) and \(b \leftarrow \mathsf {Verify}^\star (\mathtt {crs}_{R_\phi },u,\pi )\) as follows:

  • \(\mathsf {Prove}(\mathtt {crs},\phi ,w)\) parses \(\phi =(R_\phi ,u)\), asserts \(R_\phi \in \varPhi \), derives \(\mathtt {crs}_{R_\phi } \leftarrow \textsf {Derive}^\star (\mathtt {crs},R_\phi )\), and returns the proof generated by \(\mathsf {Prove}^\star (\mathtt {crs}_{R_\phi },u,w)\).

  • \(\mathsf {Verify}(\mathtt {crs},\phi ,\pi )\) first parses \(\phi =(R_\phi ,u)\), checks \(R_\phi \in \varPhi \), derives \(\mathtt {crs}_{R_\phi } \leftarrow \textsf {Derive}^\star (\mathtt {crs},R_\phi )\), and returns \(\mathsf {Verify}^\star (\mathtt {crs}_{R_\phi },u,\pi )\).

Existing zk-SNARKs for boolean and arithmetic circuit verification have different degrees of universality. Groth [Gro10b] is universal and works for any boolean circuit, i.e., the wiring of the circuit can be specified in the instance, while subsequent SNARKs such as [GGPR13] and descendants have reference strings that are for circuits with fixed wiring.

Schemes with specializable CRS derivation aim to achieve the generality of the former and the performance of the latter. As the \(\textsf {Derive}\) algorithm operates only on public information, it can be executed by protocol participants whenever necessary. This has two advantages. First, one can transform any attack against a prover and verifier employing a specialized CRS into an attack on the universal CRS and we thus do not need any special security notions. Second, it makes it easier to design efficient updatable schemes as being able to update the universal CRS that does not yet have a relation-dependent structure and publicly derive an efficient circuit-specific CRS after the update. We will exploit this in the second half of the paper, where we present an updatable zk-SNARK that avoids our own impossibility result in Sect. 6. We will employ a quadratic-size CRS that is universal for all QAPs, but then specialize it to obtain a linear-size CRS and linear-time prover computation.

4 Background

Let \(\mathcal {G}(1^\lambda )\) be a DPTFootnote 1 bilinear group generator that given the security parameter \(1^\lambda \) produces bilinear group parameters \(bp = (p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e, G, H)\). \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) are groups of prime order p with generators \(G\in \mathbb {G}_1\), \(H \in \mathbb {G}_2\) and \(e: \mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is a non-degenerative bilinear map, which means \(e(G^a,H^b)= e(G,H)^{ab}\) and e(GH) generates \(\mathbb {G}_T\).

4.1 Knowledge and Computational Assumptions

The knowledge-of-exponent assumption (KEA) introduced by Damgård [Dam91] says that given \(G,\hat{G}=G^{\alpha }\) it is infeasible to create \(C,\hat{C}\) such that \(\hat{C}=C^{\alpha }\) without knowing an exponent c such that \(C=G^c\) and \(\hat{C}=\hat{G}^c\). Bellare and Palacio [BP04] extended this to the KEA3 assumption, which says that given \(G,G^\alpha ,G^s, G^{\alpha s}\) it is infeasible to create \(C,C^{\alpha }\) without knowing \(c_0,c_1\) such that \(C=G^{c_0}(G^s)^{c_1}\). This assumption has been used also in symmetric bilinear groups by Abe and Fehr [AF07], who called it the extended knowledge-of-exponent assumption.

The bilinear knowledge of exponent assumption (B-KEA), which Abdolmaleki et al. [ABLZ17] refer to as the BDH-KE assumption, generalizes further to asymmetric groups. It states that it is infeasible to compute \(C, \hat{C}\) such that \(e(C,\hat{G})=e(G,\hat{C})\) without knowing s such that \((C,\hat{C})=(G^s,\hat{G}^s)\). It corresponds to the special case of \(q=0\) of the q-power knowledge of exponent (q-PKE) assumption in asymmetric bilinear groups introduced by Groth [Gro10b].

We introduce the q-monomial knowledge assumption, as a generalization of q-PKE to multi-variate monomials. We note that our construction in Sect. 5 could be made uni-variate by employing higher powers which would allow the use of the ungeneralised q-PKE assumption.

Assumption 1

(The \(q(\lambda )\)-Monomial Knowledge Assumption (\(q(\lambda )\)-MK)). Let \(\varvec{a}=\{a_i(\varvec{X})\}_{i=1}^{n_a}\) and \(\varvec{b}=\{a_i(\varvec{X})\}_{i=1}^{n_b}\) be sets of n-variate monomials with the degree, the number of monomials \(n_a\), \(n_b\), and the number of variables n all bounded by \(q(\lambda )\). Let \(\mathcal {A}\) be an adversary and \(\mathcal {X}_\mathcal {A}\) be an extractor. Define the advantage \(\mathsf {Adv}^{\mathsf {MK}}_{\mathcal {G},q(\lambda ),\varvec{a}, \varvec{b},\mathcal {A},\mathcal {X}_\mathcal {A}}(\lambda ) = \Pr [\mathsf {MK}_{\mathcal {G},q(\lambda ),\varvec{a}, \varvec{b},\mathcal {A},\mathcal {X}_\mathcal {A}}(\lambda )]\) where \(\mathsf {MK}_{\mathcal {G},q(\lambda ),\varvec{a}, \varvec{b},\mathcal {A},\mathcal {X}_\mathcal {A}}\) is defined as

figure a

The \(\mathsf {MK}\) assumption holds relative to \(\mathcal {G}\) if for all PPT adversaries \(\mathcal {A}\) there exists a PPT extractor \(\mathcal {X}_\mathcal {A}\) such that \(\mathsf {Adv}_{\mathcal {G},q(\lambda ), \varvec{a}, \varvec{b},\mathcal {A},\mathcal {X}_\mathcal {A}}^{\mathsf {MK}}(\lambda )\) is negligible in \(\lambda \).

The following multi-variate computational assumption is closely related to the uni-variate q-bilinear gap assumption of Ghadafi and Groth [GG17] and is implied by the computational polynomial assumption of Groth and Maller [GM17].

Assumption 2

(The \(q(\lambda )\)-Monomial Computational Assumption (\(q(\lambda )\)-MC)). Let \(\varvec{a}=\{a_i(\varvec{X})\}_{i=1}^{n_a}\) and \(\varvec{b}=\{a_i(\varvec{X})\}_{i=1}^{n_b}\) be sets of n variate monomials with the degree, the number of monomials \(n_a\), \(n_b\), and the number of variables n all bounded by \(q(\lambda )\). Let \(\mathcal {A}\) be a PPT algorithm, and define the advantage \(\mathsf {Adv}_{\mathcal {G},q(\lambda ),\varvec{a}, \varvec{b},\mathcal {A}}^{\mathsf {MC}}(\lambda )\) \(=\) \(\Pr [{\mathsf {MC}}_{\mathcal {G},q(\lambda ),\varvec{a}, \varvec{b},\mathcal {A}}(\lambda )]\) where \({\mathsf {MC}}_{\mathcal {G}, q(\lambda ),\mathbf a, \mathbf b,\mathcal {A}}\) is defined as

figure b

The \(\mathsf {MC}\) assumption holds relative to \(\mathcal {G}\) if for all PPT adversaries \(\mathcal {A}\) we have \(\mathsf {Adv}_{\mathcal {G},q(\lambda ), \varvec{a}, \varvec{b},\mathcal {A}}^{\mathsf {MC}}(\lambda )\) is negligible in \(\lambda \).

4.2 A QAP-Based zk-SNARK Recipe

Here we describe a generalised approach for using Quadratic Arithmetic Programs (QAPs) to construct a SNARK scheme for arithmetic circuit satisfiability. A similar approach can be used with Quadratic Span Programs (QSPs). In both cases, zero-knowledge is obtained by ensuring that all of the commitments are randomised. We show in Sect. 6 that the recipe is unlikely to directly lead to updatable zk-SNARKs. However, by modifying the recipe in Sect. 5 we are able to construct updatable zk-SNARKs.

Arithmetic Circuits: Arithmetic circuits are a means to describe computations that consist solely of field additions and multiplications. We will now describe an arithmetic circuit over a field \(\mathbb {F}\) with n multiplication gates and m wires. Such a circuit consists of gates connected together by wires. The gates specify an operation (either addition or multiplication) and the wires contain values in \(\mathbb {F}\). Each gate has a left input wire and a right input wire leading into it, and an output wire leading from it. The circuit can have split wires i.e. the same wire leads into multiple gates. The circuit is satisfied if for every gate, the operation applied to the input wires is equal to the output wire.

Any NP relation can be described with a family of arithmetic circuits that decide which statement and witness pairs are included. In a relation described by an arithmetic circuit, an instance is defined by a value assignment to \(\ell \) fixed input wires. The witness is the values of the remaining \(m-\ell \) wires such that the arithmetic circuit is satisfied.

Fix the circuit: We label the n gates with unique distinct values \(r_1, \ldots , r_n\in \mathbb {F}\). We will convert the arithmetic circuit into equations over polynomials, and these values will serve as points on which formal polynomials representing the circuit will be evaluated.

Describe all m wires using three sets of m polynomials with degree at most \(n-1\). These polynomials determine for which gates each wire behaves as a left input wire, a right input wire, and an output wire. They also determine whether the wires have been split, and whether there are any additions before a wire is fed into a multiplication gate. The three sets of polynomials are: \(U = \{u_i(X)\}_{i=0}^m\) describes the left input wires; \(V = \{v_i(X)\}_{i=0}^m\) describes the right input wires; and \(W = \{w_i(X)\}_{i=0}^m\) describes the output wires. We will throughout the paper fix \(u_0(X)= v_0(X)= w_0(X) = 1\). The polynomials are designed such that they are equal to 1 at each of the values of the multiplication gates which they lead into/ out of and 0 at all other gate values.

Commit to wire values: Suppose there are m wires with values \((a_1, \ldots , a_m)\) and that the witness wires run from \(\{\ell +1, \ldots , m\}\). The common reference string includes the values

$$ \{ G^{u_i(x)}, G^{v_i(x)}, G^{w_i(x)}\}_{i = \ell +1}^m$$

for some x chosen at random. The commitment to the left input, right, and output wires will include the values

$$C_L = G^{\sum _{i=\ell +1}^m a_iu_i(x)}, \ C_R = G^{\sum _{i=\ell +1}^m a_iv_i(x)}, \ C_O =G^{\sum _{i=\ell +1}^m a_iw_i(x)}.$$

Prove that repeated wires are consistent: If a wire is split into two left inputs, there is no need to do anything because of the design of the wire polynomials. However, it is necessary to check that split wires that split into at least one left input wire and at least one right input wire are consistent. This is done by including terms in the common reference string of the form

$$\left\{ G^{\alpha _u u_i(x)+ \alpha _v v_i(x)} \right\} _{i = \ell +1}^m$$

for some unknown \(\alpha _u, \alpha _v\), and then requiring the prover to provide an element Y such that \(\alpha _u C_L + \alpha _v C_R = Y\). For some schemes \(\alpha _0 = \alpha _1\).

Prove that output wires are consistent with input wires: This can be done together with proving consistency of repeated wires. The common reference string includes terms of the form

$$\left\{ G^{\alpha _u u_i(x)+ \alpha _v v_i(x) + \alpha _w w_i(x)}\right\} _{i = \ell +1}^m$$

for some unknown \(\alpha _u, \alpha _v, \alpha _w\). The prover is required to provide an element Y such that \(\alpha _u C_L + \alpha _v C_R + \alpha _w C_O = Y\).

Prove the commitments are well formed: There are values in the common reference string that should not be included in the commitments generated by the prover, such as the \(\{a_i u_i(x)\}_{i=1}^\ell \) values related to the instance. This can be checked using the same approach as descried above for the consistency proof.

Prove that gates are evaluated correctly: Determine a quadratic polynomial equation that checks that the gates are evaluated correctly. There is a unique degree n polynomial t(X) which is equal to 0 at each of the gate values \((r_1, \ldots , r_n)\). Suppose that \(a_1, \ldots , a_m\) are the wire values. Then

$$\left( \sum _{i=0}^m a_iu_i(X) \right) \cdot \left( \sum _{i=0}^m a_iv_i(X) \right) - \sum _{i=0}^m a_iw_i(X) $$

is equal to 0 when evaluated at the gate values if and only if the multiplication gates are evaluated correctly. This polynomial expressions shares its zeros with t(X), which means that t(X) divides it. Hence the prover is required to show that at the unknown point x,

$$ \left( G^{\sum _{i=0}^\ell a_i u_i(x) } C_L \right) \otimes \left( G^{\sum _{i=0}^\ell a_iv_i(x) } C_R \right) = G^{t(x) + \sum _{i=0}^\ell a_iw_i(x) }C_O $$

for \(\otimes \) a function that finds the product of the values inside the two encodings.

5 An Updatable QAP-Based zk-SNARK

In this section we give a construction for an updatable QAP-based zk-SNARK that makes use of a universal reference string. We then prove it satisfies subversion zero knowledge and updatable knowledge soundness under the knowledge-of-exponent assumptions introduced in Sect. 4.

We let the security parameter \(1^\lambda \) (deterministically) determine parameters \( (d, m , \ell , bp), \) where \(bp = (p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e, G, H)\), with \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) groups of prime order p with generators \(G\in \mathbb {G}_1\), \(H\in \mathbb {G}_2\) and \(e: \mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) a non-degenerative bilinear map. Here d is the degree of the QAP, m is number of input variables, out of which \(\ell \) are part of the instance formed of public field elements to a QAP.

Recall from Sect. 4.2, a QAP for the given parameters is defined by polynomials \(\{u_i(x),v_i(x),w_i(x)\}_{i=0}^m\) of degree less than d, and t(x) of degree d. The QAP defines a relation \(R_{\mathrm{QAP}}\) containing pairs of instances and witnesses \((a_1,\ldots ,a_{\ell })\) and \((a_{\ell +1},\ldots ,a_m)\) such that, with \(a_0 = 1\),

$$\left( u_0(x)+\sum _{i=1}^ma_iu_i(x) \right) \cdot \left( v_0(x)+\sum _{i=1}^ma_iv_i(x) \right) \equiv w_0(x)+\sum _{i=1}^ma_iw_i(x) \bmod t(x).$$

The sequence of parameters indexed by the security parameter define a universal relation R consisting of all pairs of QAPs and instances as described above that have a matching witness. In the notation from Sect. 3.5 let \(\varPhi \) be all possible QAPs for the parameters, then the universal relation R for \(\varPhi \) contains instances \(\phi =\left( R_{\mathrm{QAP}},u=(a_1,\ldots ,a_{\ell })\right) \), with matching witnesses \(w=(a_{\ell +1},\ldots ,a_m)\).

5.1 Reworking the QAP Recipe

Our final scheme is formally given in Figs. 2 and 3. In this section we describe some of the technical ideas behind it. Due to our impossibility result in Sect. 6, many of the usual tricks behind the QAP-based approach are not available to us, which means we need something new. To obtain this we first switch to a multi-variate scheme, where the proof elements need to satisfy equations in the indeterminates X, Y, Z. We can then prove the well-formedness of our proof elements using a subspace argument for our chosen sums of witness QAP polynomials. Once we have that the proof elements are well formed, we show that the exponents of two of them multiply to get an exponent in the third proof element such that (1) the sum of all the terms where Y has given power j is equal to the QAP expression in the X indeterminate, and (2) the value \(Y^j\) is not given in the universal CRS. For our final scheme, we use \(j = 7\).

Fix the circuit: The circuit need only be fixed upon running the CRS derivation algorithm. At this point, the circuit is described as a QAP like that described in Sect. 4; i.e., for \(a_0 = 1\), the field elements \((a_1, \ldots , a_m) \in R_{\mathrm{QAP}}\) if and only if

$$ \left( \sum _{i=0}^m a_i u_i(X)\right) \cdot \left( \sum _{i=0}^m a_i v_i(X)\right) = \sum _{i=0}^m a_i w_i(X) + q(X) t(X) $$

for some degree \((d-2)\) polynomial q(X).

Prove the commitments are well formed: In our scheme an honest prover outputs group elements (ABC) such that

$$ \log (A) = \log (B) = q(x)y + \sum _{i=0}^m a_i(w_i(x) y^2 + u_i(x) y^3 + v_i(x) y^4) - y^5 - t(x) y^6. $$

Ensuring that \(\log (A) = \log (B)\) can be achieved with a pairing equation of the form \(e(A,H) = e(G,B)\). Thus we need to show only that A is of the correct form.

Usually, as described in Sect. 4, this is done by encoding only certain polynomials in the CRS and forcing computation to use linear combinations of elements in the CRS. Since we cannot do this and allow updates, we instead construct a new subspace argument. First we subtract out the known elements in the instance using a group element S which the verifier computes in order to obtain a new group element with the exponent

$$ q(x)y + \sum _{i=\ell +1}^m a_i(w_i(x) y^2 + u_i(x) y^3 + v_i(x) y^4). $$

Set M be the \((m+d-\ell )\times 4d\) matrix that contains the coefficients of \(\{(w_i(x) y^2 + u_i(x) y^3 + v_i(x) y^4)\}_{i=\ell +1}^m,\{x^i y\}_{i=0}^{d-1}\) with respect to monomials \(\{x^iy^j\}_{(i,j)=(0,1)}^{(d-1,4)}\). We denote these coefficients by \(m_l(x,y)= \sum _{i,j} M_{l,(i,j)} \cdot x^iy^j\), e.g., \(m_1(x,y)= \left( w_{\ell +1}(x) y^2 + u_{\ell +1}(x) y^3 + v_{\ell +1}(x) y^4\right) \). Then we set the corresponding null-matrix be N such that \(MN=0\). We address the rows of N by the corresponding monomial degrees in M. The columns of this matrix defines polynomials \(n_k(x,y) = \sum _{i,j} N_{(i,j),k} \cdot x^{d-i} y^{4-j}\), such that in the convolution of \(m_l(x,y) \cdot n_k(x,y)\) the (d, 4) degree terms disappear. If we introduce the variable z, and set \(\hat{N}=H^{\sum _k n_k(x,y)z^k}\), then the pairing \(e(A S,\hat{N})\) yields a target group element with 0 coefficients for all \(x^dy^4z^k\) terms exactly when A is chosen from the right subspace. Thus, given a CRS that does not contain any \(x^dy^4z^k\) terms for \(k>1\), and a verification equation that checks that, \((\log A + \log S) \cdot \log (\hat{N}) = \log C_1\) the prover can only compute the component \(C_1\) if A is correctly formed.

Prove that the QAP is satisfied: Assuming that A and B are of the correct form, we have that \(\log (A)\cdot \log (B)\) is equal to

$$\left( q(x)y + \sum _{i=0}^m a_i(w_i(x) y^2 + u_i(x) y^3 + v_i(x) y^4) - y^5 - t(x) y^6\right) ^2.$$

which, for terms involving \(y^7\), yields

$$t(x)q(x) - \sum _{i=0}^m a_i w_i(x) + \left( \sum _{i=0}^m a_i u_i(X)\right) \cdot \left( \sum _{i=0}^m a_i v_i(X)\right) .$$

The terms in other powers of y can be considered as computable garbage and are cancelled out in other proof components. The equation above is satisfied for some polynomial q(X) if and only if the QAP is satisfied. Thus, given a CRS that does not contain any \(y^7\) terms, and a verification equation that checks that, \(\log A \cdot \log B = \log C_2\) we ensure that the proof element \(C_2\) is computable if and only if the QAP is satisfied.

Remark 1

It is always possible to make everything univariate in x by choosing yz as suitable powers of x, but we find it conceptually easier and more readable to give them different names.

Derivation of a Linear Common Reference String: Astute readers may note that these techniques require the CRS to have quadratic set of monominals in order to compute the null matrix. We resolve this by providing an untrusted derive function which can be seen as a form of precomputation in order to find the linear common reference string for a fixed relation. Using the linear common reference string, our prover also makes a linear number of group exponentiations in the circuit size.

5.2 Updatability of the Universal Common Reference String

In this section we describe the universal common reference string and how to update it. We then prove that for any adversary that computes a valid common reference string, either through setup or through updates, we can extract the randomness it used. In Sect. 5.3, we show that – for our construction – proving security for an adversary that makes one update to a freshly generated CRS is equivalent to proving the full version of updatable security, in which an adversary makes all but one update in the sequence.

Fig. 2.
figure 2

The setup process, along with the algorithms to create updates, and verify the setups and updates.

Full size image

The universal CRS contains base G exponents \(\{x^iy^jz^k\}_{(i,j,k) \in S_1}\) where

$$ S_1 = \left( \begin{array}{c} \{(1,0,0),(0,1,0),(0,0,1)\} \\ \cup \{(i,j,0): i \in [0,2d], j \in [1,12], j \ne 7\} \\ \cup \{(i,j,k): i \in [0,2d], j \in [1,6], k \in [1,3d], (i,j) \ne (d,4) \} \\ \cup \{(i,j,6d): i \in [0,d], j \in [1,4]\} \end{array} \right) $$

and base H exponents \(\{x^iy^jz^k\}_{(i,j,k) \in S_2}\) where

$$ S_2 = \left( \begin{array}{c} \{(1,0,0),(0,1,0), (0,0,1), (0,0,6d)\}\\ \cup \{(i,j,0): i \in [0,d], j \in [1,6]\} \\ \cup \{(i,j,k): i \in [0,d], j \in [0,2], k \in [1,3d]\} \end{array} \right) . $$

We begin with two lemmas about completeness, proofs of which can be found in the full version of the paper.

Lemma 3

(Correctness of the CRS generation). The scheme is perfectly correct in the sense that

$$ \begin{array}{l} \Pr [(\mathtt {crs},\rho ) \leftarrow \mathsf {Setup}(1^\lambda ) : \mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs},\rho ) = 1] = 1; \\ \\ \Pr \left[ \begin{array}{l} (\mathtt {crs}',\rho _{n+1}) \leftarrow \mathsf {Update}(1^\lambda ,\mathtt {crs},\{\rho _i\}_{i=1}^{n}) : \\ \mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs},\{\rho _i\}_{i=1}^{n}) = 1 \wedge \mathsf {VerifyCRS}(1^\lambda ,\mathtt {crs}',\{\rho _i\}_{i=1}^{n+1})\ne 1 \end{array} \right] =1 \end{array}. $$

We now give two lemmas used to prove the full security of our construction and the update security of each component. These lemmas prove that even a dishonest updater needs to know their contribution to the trapdoor. Again, proofs can be found in the full version of the paper.

Lemma 4

(Trapdoor extraction for subvertible CRSs). Suppose that there exists a PPT adversary \(\mathcal {A}\) that outputs a \(\mathtt {crs},\rho \) such that \(\mathsf {VerifyCRS}(1^\lambda , \mathtt {crs},\rho ) = 1\) with non-negligible probability. Then, by the 0-\(\mathsf {MK}\) assumption (equivalent to the B-KEA assumption) there exists a PPT extractor \(\mathcal {X}\) that, given the random tape of \(\mathcal {A}\) as input, outputs (xyz) such that \((\mathtt {crs},\rho ) = \mathsf {Setup}(1^\lambda ; (x,y,z))\).

This lemma proves that even when given an honestly generated CRS as input, updaters need to know their contribution to the trapdoor. In this way security against the updater is linked to an honest CRS.

Lemma 5

(Trapdoor extraction for updatable CRSs). Suppose that there exists a PPT adversary \(\mathcal {A}\) such that given \((\mathtt {crs},\rho _1) \mathrel {\xleftarrow {\$}}\mathsf {Setup}(1^\lambda )\), \(\mathcal {A}\) queries \(\mathsf {U}\text{- }\mathcal {O}_\mathsf {s}\) on \((\mathsf {final},\mathtt {crs}',\{\rho _1,\rho _2\})\) where \(\mathsf {VerifyCRS}(R,\mathtt {crs}',\{\rho _1,\rho _2\}) = 1\) with non-negligible probability. Then, with \(\varvec{a} = \{X^iY^jZ^k : (i,j,k) \in S_1 \}\) and \(\varvec{b} = \{X^iY^jZ^k : (i,j,k) \in S_2\}\), the q-\(\mathrm {MK}\) and the q-\(\mathrm {MC}\) assumptions imply that there exists a PPT extractor \(\mathcal {X}\) that, given the randomness of \(\mathcal {A}\) as input, outputs \((\alpha ,\beta ,\gamma )\) such that \(\bar{A}_2 = G^\alpha \), \(\bar{B}_2 = G^\beta \), and \(\bar{C}_2 = G^\gamma \).

5.3 Single Adversarial Updates Imply Updatable Security

The following lemma relates updatable security to a model in which the adversary can make only a single update after an honest setup. This is because it is much cleaner to prove the security of our construction in this latter model (as we do in Theorem 4), but we would still like to capture the generality of the former.

We already know from Lemma 4 that it is possible to extract the adversary’s contribution to the trapdoor when the adversary generates the CRS itself, and from Lemma 5 that it is possible to extract it when the adversary updates an honest CRS. To collapse chains of honest updates into an honest setup it is convenient that the trapdoor contributions of \(\mathsf {Setup}\) and \(\mathsf {Update}\) commute in our scheme. As the trapdoor in our scheme consists of all the randomness used by these algorithms, we will from now on refer to chains of honest updates and (single) honest setups interchangeably.

Trapdoor contributions cannot just be commuted but also combined; that is, for \(\tau \), \(\tau '\) and \(\tau ''\), \(\mathsf {Update}'(1^\lambda ,\mathsf {Update}'(1^\lambda ,\mathsf {Setup}'(1^\lambda ; \tau ); \tau '); \tau '') = \mathsf {Setup}'(1^\lambda ; \tau \otimes \tau ' \otimes \tau '')\! =\! \mathsf {Update}'(1^\lambda ,\mathsf {Update}'(1^\lambda ,\mathsf {Setup}'(1^\lambda ; \tau ''); r'); r)\). Moreover, in our construction the proof \(\rho \) depends only on the relation and the randomness of the update algorithm. In particular it is independent of the reference string being updated. This enables the following simulation: Given the trapdoor \(\tilde{\tau }=(x,y,z)\) of \(\mathtt {crs}\), and the elements \((G_{1,0,0}, G_{0,1,0}, G_{0,0,1}, H_{1,0,0}, H_{0,1,0}, H_{0,0,1})\) of \(\mathtt {crs}'\) we can simulate a proof \(\rho _2 = (A_2,B_2,C_2,\bar{A}_2,\bar{B}_2,\bar{C}_2,\hat{A}_2,\hat{B}_2,\hat{C}_2)\) of \(\mathtt {crs}'\) being an update of \(\mathtt {crs}\) using \(A_2 \leftarrow G_{1,0,0}\), \(B_2 \leftarrow G_{0,1,0}\), \(C_2 \leftarrow G_{0,0,1}\), \(\bar{A}_2\leftarrow G_{1,0,0}^{x^{-1}}\), \(\bar{B}_2 \leftarrow G_{0,1,0}^{y^{-1}}\), \(\bar{C}_2\leftarrow G_{0,0,1}^{z^{-1}}\), \(\hat{A}_2 \leftarrow H_{1,0,0}^{x^{-1}}\), \(\hat{B}_2 \leftarrow H_{0,1,0}^{y^{-1}}\), \(\hat{C}_2\leftarrow H_{0,0,1}^{z^{-1}}\). We refer to this as \(\rho (\mathtt {crs}')^{\tau ^{-1}}\) in our reduction.

These properties together allow us to prove the result. We here give a detailed proof for knowledge soundness, as this is the most involved notion. Moreover, given that knowledge soundness implies soundness and we prove subversion zero-knowledge directly, it is the only notion we need.

Lemma 6

(Single adversarial updates imply full updatable knowledge soundness). If our construction is \(\mathsf {U}\text{- }\mathsf {KSND}\) secure for adversaries that can query on \(({\mathsf {\mathsf {Setup}}}, \emptyset )\) only once and then on \(({\mathsf {final}}, S)\) for a set S such that \(|S|\le 2\), then under the assumptions of Lemma 4 and Lemma 5 it is (fully) \(\mathsf {U}\text{- }\mathsf {KSND}\)-secure.

Proof

We need to show that when the advantage is negligible for all PPT adversaries \(\mathcal {B}\) with knowledge extractors \(\mathcal {X}_\mathcal {B}\) in the restricted game, then the advantage is negligible for all adversaries \(\mathcal {A}\) with knowledge extractors \(\mathcal {X}_\mathcal {A}\) in the unrestricted game.

In our representation we split \(\mathcal {A}\) into two stages \(\mathcal {A}_1\) and \(\mathcal {A}_2\), where the first stage ends with the successful query with intent \({\mathsf {final}}\) (i.e., the query that sets \(\mathtt {crs}\)). Let \(\mathcal {A}_1, \mathcal {A}_2\) be an adversary against the \(\mathsf {U}\text{- }\mathsf {KSND}\) game. Let \(\mathcal {B}\) be the following adversary against the restricted \(\mathsf {U}\text{- }\mathsf {KSND}\) game.

figure c

Our adversary \(\mathcal {B}\) can query its own oracle \(\mathsf {U}\text{- }\mathcal {O}_\mathsf {s}\) only once on the empty set, so it does this upfront to receive an honest reference string \(\mathtt {crs}_h\). It then picks randomness r and runs \(\mathcal {A}\) in a simulated environment in which \(\mathcal {B}\) itself answers oracle queries. We keep track of the randomness \(\mathcal {B}\) uses in the simulation in t.

\(\mathcal {B}\) embeds the honest reference string in every query with \({\mathsf {intent}}\ne {\mathsf {final}}\). For this we exploit the fact that CRSs in our scheme are fully re-randomizable. On setup queries (i.e., when \(S = \emptyset \)), we simply return a randomized \(\mathtt {crs}_h\).

On general update queries, \(\mathcal {B}\) additionally needs to compute a valid update proof \(\rho \). To do this, let \(\mathcal {C}\) be the algorithm that, given \(\mathtt {crs}_h\), runs \(\mathcal {A}\) and the simulated oracles up to the update query and returns \(\mathtt {crs}_n\). To extract the trapdoor for the set S, we use either the subversion trapdoor extractor \(\mathcal {X}_\mathcal {C}\) for adversary \(\mathcal {C}\) that is guaranteed to exist by Lemma 4 (if S does not contain randomized honest reference strings), or the update trapdoor extractor that is guaranteed to exist by Lemma 5 (if it does). This latter extractor provides the update trapdoor, with respect to \(\mathtt {crs}_h\), of the reference string \(\mathtt {crs}_n\) provided by the adversary. While \(\mathcal {A}\) can make use of values returned in prior queries, the randomness used by these queries is contained in t and thus also available to \(\mathcal {X}_{\mathcal {C}}\).

Next, \(\mathcal {A}\) finalizes n reference strings. Now, the goal of \(\mathcal {B}\) is to return a single update of \(\mathtt {crs}_h\), so it needs to compress the entire sequence of updates \(\{\rho _i\}_{i=\ell +1}^n\) into one. To extract the randomness that went into each individual update, \(\mathcal {B}\) builds adversaries \(\mathcal {D}_i\), \(i\in [\ell +1,n]\), from \(\mathcal {A}\) that return only \((\mathtt {crs}_i,\rho _i)\). By Lemma 5 there exist extractors \(\mathcal {X}_{\mathcal {D}_i}\) that extract only the randomness that went into these individual updates; i.e., \(\delta _i=(x_i,y_i,z_i)\) such that \(\rho _{i-1}, \mathtt {crs}_i = \mathsf {Update}(1^\lambda ,\mathtt {crs}_{i-1};\delta _{i})\). Using these extractors, \(\mathcal {B}\) computes \((\mathtt {crs}_h',\rho _h') \leftarrow \mathsf {Update}(1^\lambda ,\mathtt {crs}_h, \{\rho _h\}; \prod _{i=\ell +1}^n \delta _i)\), sets \(S \leftarrow \{\mathtt {crs}_h', \{\rho _h,\rho _h'\})\}\), and calls \(\mathcal {O}_{\mathsf {s}}({\mathsf {final}}, S)\) to finalize its own CRS. By construction, \(\mathtt {crs}_h'=\mathtt {crs}_n\). In the rest of the game \(\mathcal {B}\) behaves like \(\mathcal {A}\).

We build extractor \(\mathcal {X}_\mathcal {A}\) from the extractor \(\mathcal {X}_\mathcal {B}\) which is guaranteed to exist. In our definitions, knowledge extractors share state with setup algorithms. Here the main implication of this is that the extractor has access to the challenger’s randomness, and thus can re-execute the challenger to retrieve its internal state. \(\mathcal {X}_\mathcal {A}(r, t\Vert \tau )\) runs \(\mathcal {X}_{\mathcal {B}}(r\Vert t, \tau )\). Thus the construction of \(\mathcal {X}_\mathcal {A}\) simply uses \(\mathcal {X}_\mathcal {B}\) but shifts the randomness of the simulation into the randomness of the challenger. As the simulation is perfect, \(\mathcal {A}\) will behave identically. Furthermore, \(r\Vert t\) is a valid randomness string for \(\mathcal {B}\) and \(\mathcal {X}_{\mathcal {B}}\) receives input that is consistent with a restricted game with \(\mathcal {B}\). From this point onward \(\mathcal {B}\) behaves exactly like \(\mathcal {A}_2\). As \(\mathcal {B}\) has negligible success probability against \(\mathcal {X}_{\mathcal {B}}\) in the restricted \(\mathsf {U}\text{- }\mathsf {KSND}_{\mathcal {B},\mathcal {X}_\mathcal {B}}(1^\lambda )\) game, \(\mathcal {A}\) thus has negligible success probability against \(\mathcal {X}_{\mathcal {A}}\) in the unrestricted \(\mathsf {U}\text{- }\mathsf {KSND}_{\mathcal {A},\mathcal {X}_\mathcal {A}}(1^\lambda )\) game.    \(\square \)

5.4 The zk-SNARK Scheme

In this section we construct a zk-SNARK for \(\mathsf {QAP}\) satisfiability given the universal common reference string in Sect. 5.2. First we derive a \(\mathsf {QAP}\) specific CRS from the universal CRS with which we can construct efficient prove and verify algorithms.

Fig. 3.
figure 3

An updatable and specializable zk-SNARK for QAP

Full size image

Lemma 7

The derive algorithm is computable in polynomial time and the proof system has perfect completeness if \(\mathsf {QAP}\) is such that \(t(x)\ne y^{-1}\).

A proof of this lemma can be found in the full version of the paper [GKM+18].

Theorem 3

The proof system has perfect subversion zero-knowledge if \(\mathsf {QAP}\) is such that \(t(x)\ne y^{-1}\).

Proof

To prove subversion zero-knowledge, we need to both show the existence of an extractor \(\mathcal {X}_\mathcal {A}\), and describe a \(\mathsf {SimProve}\) algorithm that produces indistinguishable proofs when provided the extracted trapdoor (which it can compute given the randomness of both \(\mathcal {A}\) and the honest algorithms). The simulator knows xyz and picks \(r\leftarrow \mathbb {F}_p\) and sets \(A=G^r, B=H^r\) and \(C=G^{r^2+(r+y^5+t(x)y^6-\sum _{i=0}^\ell a_i(w_i(x)y^2+u_i(x)y^3+v_i(x)y^4))\cdot n(x,y,z)}\). The simulated proof has the same distribution as a real proof, since \(y\ne 0\) and \(t(x)\ne y^{-1}\) and thus the randomisation of A given in \(r(y-t(x)y^2)\) makes A uniformly random. Given A the verification equations uniquely determine BC. So both real and simulated proofs have uniformly random A and satisfy the equations. Consequently, subversion zero-knowledge follows from the extraction of the trapdoor, which can be extracted by Lemma 4.    \(\square \)

Theorem 4

The proof system has update knowledge soundness assuming the q-\(\mathrm {MK}\) and the q-\(\mathrm {MC}\) assumptions hold with \(\varvec{a} = \{X^iY^jZ^k : (i,j,k) \in S_1\}\) and \(\varvec{b} = \{X^iY^jZ^k : (i,j,k) \in S_2\}.\)

Proof

To prove this it suffices, by the results in Sect. 5.3, to prove security in the setting in which the adversary makes only one update to the CRS. Imagine we have a PPT adversary \(\mathcal {A}^{\mathsf {U}\text{- }\mathcal {O}_\mathsf {s}}\) that after querying \(\mathsf {U}\text{- }\mathcal {O}_\mathsf {s}\) on \((\mathsf {\mathsf {Setup}},\emptyset )\) to get \(\mathtt {crs}\), then queries on \((\mathsf {final},\mathtt {crs}',\{\rho ,\rho '\}))\), and outputs \(u,\pi \) that gets accepted; i.e., such that \(\mathsf {VerifyCRS}(R,\mathtt {crs}',\{\rho ,\rho '\}) = 1\), \(\mathtt {crs}_{\mathsf {QAP}}\leftarrow \mathsf {Derive}(\mathtt {crs}',\mathsf {QAP})\), and \(\mathsf {Verify}(\mathtt {crs}_{\mathsf {QAP}},u,\pi ) = 1\). Set \(a_0=1\) and parse the instance as \(u=(a_1,\ldots ,a_\ell )\) and the proof as (ABC). By Lemma 5, because the updated CRS verifies, there exists an extractor \(\mathcal {X}_\mathcal {A}\) that outputs \(\varvec{\tau } = (\alpha , \beta , \gamma )\) such that \(\mathsf {Update}(1^\lambda ,\mathtt {crs},\{\rho \};\varvec{\tau }) = (\mathtt {crs}',\rho ')\).

From the first verification equation we have \(e(A,H)=e(G,B)\), which means there is an \(a\in \mathbb {F}_p\) such that \(A=G^a\) and \(B=H^a\). From the q-\(\mathrm {MK}\) assumption there exists a PPT extractor \(\mathcal {X}_\mathcal {A}\) for \(\mathcal {A}\) that outputs field elements \(\{a_{i,j,k}\}_{(i,j,k) \in \{(0,0,0)\} \cup S_1}\) defining a formal polynomial a(XYZ) equal to

$$a_{0,0,0}+a_{1,0,0}X+\sum _{i=0,j=1}^{d,6}a_{i,j,0}X^iY^j+\sum _{i=0,j=0,k=1}^{2d,3,3d} a_{i,j,k}X^iY^jZ^k+a_{0,0,6d}Z^{6d}$$

such that \(B=H^{a(x,y,z)}\).

Taking the adversary and extractor together, we can see them as a combined algorithm that outputs ABC and the formal polynomial a(XYZ) such that \(A=G^{a(x,y,z)}\). By the q-\(\mathrm {MC}\) assumption this has negligible probability of happening unless a(XYZ) is in the span of \(\{0,0,0\} \cup S_1 \cap S_2\)

$$\begin{aligned} \left\{ 1,X,Z,\{X^iY^j\}_{i=0,j=1,j\ne 7}^{2d,12},\{X^iY^jZ^k\}_{i=0,j=1,k=1,(i,j)\ne (d,4)}^{2d,6,3d},\{X^iY^jZ^{6d}\}_{i=0,j=1}^{d,4}\right\} . \end{aligned}$$

This means

$$a(X,Y,Z)=a_{0,0,0}+a_{1,0,0}X+\sum _{i=0,j=1}^{d,6}a_{i,j,0}X^iY^j+\sum _{i=0,j=1,k=1}^{d,3,3d}a_{i,j,k}X^iY^jZ^k.$$

From the second verification equation we get \(C=G^{f(x,y,z)}\) where f(xyz) is given by

$$\begin{aligned} a(x,y,z)^2&+\Big (a(x,y,z)+\beta ^5y^5+t(\alpha x)\beta ^6y^6 \\&-\sum _{i=0}^\ell a_i(w_i(\alpha x)\beta ^2 y^2+u_i(\alpha x)\beta ^3 y^3+v_i(\alpha x)\beta ^4 y^4)\Big )\cdot n(\alpha x,\beta y,\gamma z). \end{aligned}$$

By the q-\(\mathrm {MC}\) assumption this means

$$\begin{aligned}&\quad a(X,Y,Z)^2+\Big (a(X,Y,Z)+\beta ^5 Y^5+t(\alpha X)\beta ^6 Y^6 \\&-\sum _{i=0}^\ell a_i(w_i(\alpha X)\beta ^2 Y^2+u_i(\alpha X)\beta ^3Y^3+v_i(\alpha X)\beta ^4 Y^4)\Big )\cdot (\gamma ^{6d} Z^{6d}+\sum _{k=1}^{3d-m+\ell }n_k(\alpha X,\beta Y)\gamma ^k Z^k) \end{aligned}$$

also belongs to the span of

$$\begin{aligned} \left\{ 1,X,Z,\{X^iY^j\}_{i=0,j=1,j\ne 7}^{2d,12},\{X^iY^jZ^k\}_{i=0,j=1,k=1,(i,j)\ne (d,4)}^{2d,6,3d},\{X^iY^jZ^{6d}\}_{i=0,j=1}^{d,4}\right\} . \end{aligned}$$

Set \(a_{i,j,k}' = \frac{a_{i,j,0}}{\alpha ^i \beta ^j \gamma ^k}\) and observe that

$$a(X,Y,Z) = \sum _{i,j,k} a_{i,j,k} X^i Y^j Z^k = \sum _{i,j,k} a_{i,j,k}'(\alpha X)^i (\beta Y)^j (\gamma Z)^k = a'(\alpha X,\beta Y, \gamma Z).$$

W.l.o.g. we can then rename the variables \(\alpha X\), \(\beta Y\), \(\gamma Z\) by XYZ to get that

$$\begin{aligned}&a'(X,Y,Z)^2+\Big (a'(X,Y,Z)+ Y^5+t(X)Y^6 \\&\quad -\sum _{i=0}^\ell a_i(w_i(X) Y^2+u_i(X)Y^3+v_i(X)Y^4)\Big )\cdot (Z^{6d}+\sum _{k=1}^{3d-m+\ell }n_k(X,Y)Z^k) \end{aligned}$$

The span has no monomials of the form \(X^iY^jZ^k\) for \(k>6d\). Looking at the sub-part \(a'(X,Y,Z)Z^{6d}\) we deduce that \(a_{i,j,k}'=0\) for all \(k \ne 0\), which means

$$a'(X,Y,Z)=a_{0,0,0}'+a_{1,0,0}X'+\sum _{i=0,j=1}^{d,6}a_{i,j,0}'X^iY^j.$$

There is also no \(Z^{6d}\) or \(XZ^{6d}\) monimials in the span, so we get \(a_{0,0,0}'=0\) and \(a_{1,0,0}'=0\). We are now left with

$$a'(X,Y,Z)=\sum _{i=0,j=1}^{d,6}a_{i,j,0}'X^iY^j.$$

Define q(X), p(XY) such that

$$\begin{aligned}q(X)\cdot Y+p(X,Y)\cdot Y^2=&\sum _{i=0,j=1}^{d,6}a_{i,j,0}'X^iY^j+Y^5+t(X)Y^6\\&-\sum _{i=0}^\ell a_i(w_i(X)Y^2+u_i(X)Y^3+v_i(X)Y^4).\end{aligned}$$

Looking at the remaining terms of the form \(X^iY^jZ^k\) we see that for \(k=0,\ldots ,3d-m+\ell \)

$$\left( q(X)\cdot Y+p(X,Y)\cdot Y^2\right) \cdot n_k(X,Y) \in \mathsf {span}\{X^iY^j\}_{i=0,j=1,(i,j)\ne (d,4)}^{2d,6}.$$

Since \(n_k(X,Y)\) has at most degree 2 in Y this implies \(p(X,Y)\cdot Y^2\cdot n_k(X,Y)\) has coefficient 0 for the term \(X^dY^4\). Recall the \(n_k(X,Y)\) polynomials had been constructed such that this is only possible if \(p(X,Y)\cdot Y^2\) can be written as

$$\sum _{i=\ell +1}^ma_i(w_i(X)Y^2+u_i(X)Y^3+v_i(X)Y^4)+r_1t(X)Y^2+r_2t(X)Y^3+r_3t(X)Y^4.$$

Finally, we look at terms of the form \(X^iY^7\). These do not exist in the span, so all the terms of that form in \(a(X,Y,Z)^2\) should sum to zero. This implies

$$\left( \begin{array}{c} q(X)\cdot Y + \sum \nolimits _{i=0}^ma_i(w_i(X)Y^2+u_i(X)Y^3+v_i(X)Y^4) \\ + r_1t(X)Y^2+r_2t(X)Y^3+r_3t(X)Y^4-Y^5-t(X)Y^6 \end{array}\right) ^2$$

should have no \(x^iY^7\) terms. This in turn implies

$$2\left( \begin{array}{c} \left( r_3\sum \nolimits _{i=0}^ma_iu_i(X)+r_2\sum \nolimits _{i=0}^ma_i v_i(X)-r_1-q(X)\right) \cdot t(X)\\ - \sum \nolimits _{i=0}^ma_iw_i(X)+\sum \nolimits _{i=0}^ma_iu_i(X)\cdot \sum \nolimits _{i=0}^ma_iv_i(X) \end{array} \right) =0$$

By definition of \(\mathsf {QAP}\) we now have that \((a_{\ell +1},\ldots ,a_m)\) is a witness for the instance \((a_1,\ldots ,a_\ell )\).    \(\square \)

6 Updating a Reference String Reveals the Monomials

In this section we show a negative result; namely, that for any updatable pairing-based NIZK with polynomials encoded into the common reference string, it must also be allowed (which often it is not) for an adversary to know encodings of the monomials that make up the polynomials. The reason for this is that from the encodings of the polynomials, we can construct an adversary that uses the update algorithm in order to extract the monomials. After describing our monomial extractor, we give one example (for the sake of brevity) of how to use our monomial extractor to break a QAP-based zk-SNARK, namely Pinocchio [PHGR13]. Due to the similarity in the approaches, however, we believe that the same techniques could be used to show that most other QSP/QAP-based zk-SNARKs in the literature also cannot be made updatable. As our universal CRS does consist of monomials, we can avoid this impossibility result yet still achieve linear-size specialized CRSs for proving specific relations.

Due to space constraints, we present our monomial extractor in the full version of the paper, which shows that if a NIZK scheme has an update algorithm, it can be used to extract all monomials from the common reference string. Intuitively, the existence of this monomial extractor would break most pairing-based NIZK proofs using QAPs or QSPs. This is because these arguments typically depend on the instance polynomials and the witness polynomials being linearly independent from each other. Here we give an example by demonstrating how to break the knowledge soundness of Pinocchio [PHGR13].

Example 1

(We cannot update the common reference string for Pinocchio). Consider the zk-SNARK in Pinocchio [PHGR13]. The scheme runs over a QAP relation described by

$$ R = \{(p, \mathbb {G}, \mathbb {G}_T, e), \{v_k(X), w_k(X), y_k(X)\}_{k=0}^m, t(X)\} $$

where t(X) is a degree n polynomial, \(u_k(X), v_k(X), w_k(X)\) are degree \(n-1\) polynomials and \((p, \mathbb {G}, \mathbb {G}_T, e)\) is a bilinear group. The instance \((c_1, \ldots , c_{\ell })\) is in the language if and only if there is a witness of the form \((c_{\ell +1}, \ldots , c_m)\) such that, where \(c_0\) is set to 1,

$$\left( \sum _{i=0}^m c_k u_k(X)\right) \cdot \left( \sum _{i=0}^m c_k v_k(X)\right) = \sum _{i=0}^m c_k w_k(X) + h(X)t(X)$$

for h(X) some degree \(n-1\) polynomial.

Here we switch to symmetric pairings, as Pinocchio was originally described in the symmetric setting (i.e. where \(\mathbb {G}_1= \mathbb {G}_2\).

The common reference string is given by

figure d

where \(r_u, r_v, s, \alpha _u, \alpha _v, \alpha _w, \beta , \gamma \) are random field elements and \(G \in \mathbb {G}\). Hence, for \(\mathtt {Ec}(x) = G^x\), there exists a matrix \(\hat{X}\) such that \(\mathtt {crs}= \hat{X} \mathtt {Ec}(\varvec{\tau })\) for

$$\begin{aligned} \begin{array}{ll} \varvec{\tau } = &{} \left( \begin{array}{l} \alpha _w, \gamma , \beta \gamma , \left\{ r_u r_v s^i, s^i\right\} _{i=0}^n, \\ \left\{ r_us^i, r_vs^i, r_u \alpha _u s^i, r_v \alpha _v s^i, r_u r_v \alpha _w s^i, r_u \beta s^i, r_v \beta s^i, r_u r_v \beta s^i\right\} _{i=0}^{n-1} \end{array} \right) \end{array}. \end{aligned}$$
(1)

Lemma 8

For \(\mathtt {crs}= G^{\varvec{\tau }}\) where \(\varvec{\tau }\) is as in (1), there exists an adversary that can find a verifying proof for any instance \((c_1, \ldots , c_\ell ) \in \mathbb {F}_p\).

Proof

The verifier in Pinocchio

$$ 0/1 \leftarrow \mathsf {Verify}(\mathtt {crs}; c_1, \ldots , c_{\ell }; A_1, A_2, A_3, B_1, B_2, B_3, H, Z) $$

returns 1 if and only the following equations are satisfied

$$\begin{aligned} e(G^{r_u\sum _{k=0}^{\ell }c_k u_k(s)} A_1, G^{r_v\sum _{k=0}^{ \ell }c_k v_k(s)} A_2) = e(G^{r_u r_v t(s)}, H) e(G^{r_u r_v\sum _{k=0}^{\ell }c_k w_k(s)}A_3, G) \end{aligned}$$
$$ e(B_1, G) = e(A_1, G^{\alpha _u}) $$
$$ e(B_2, G) = e(A_2, G^{\alpha _v}) $$
$$ e(B_3, G) = e(A_1, G^{\alpha _w}) $$
$$ e(Z, G^\gamma ) = e(A_1A_2A_3, G^{\beta \gamma }). $$

Suppose the adversary sets the degree \(n-1\) polynomials \(\nu (X), \omega (X), \xi (X)\) as

$$\begin{array}{l} \nu (X) \leftarrow \sum \nolimits _{k=0}^\ell c_k v_k(X) \\ \omega (X) \leftarrow \sum \nolimits _{k=0}^\ell c_k w_{k}X \\ \xi (X) \leftarrow \sum \nolimits _{k=0}^\ell c_k y_{k}(X) \\ \end{array} $$

It then sets the components H, \(A_1, A_2, A_3\) by

$$H = G, \ A_1 = G^{r_u s} G^{- r_u \nu (s)}, \ A_2 = G^{r_v s^{n-1}}G^{-r_v \omega (s^i)},$$
$$ \ A_3 = G^{- r_ur_v (t(s)- s^n) - r_ur_v \xi (s)}$$

Direct verification shows that \(A_1, A_2, A_3\) satisfy the first verification equation. Note that \(\varvec{\tau }\) does not include the value \(\alpha _w r_u r_v s^n\), so the final coefficient of t(s) cannot be included in \(A_3\), else the algorithm could not satisfy the fifth verification equation. Instead we include \(r_u s\) in \(A_1\) and \(r_v\) in \(A_2\), so that the LHS of the first verification equation returns the sole component not cancelled on the RHS: \(e(G,G)^{r_u r_v s^n}\).

To satisfy verification equations 24 the algorithm sets

$$B_1 = G^{\alpha _u r_u s} G^{-\alpha _u r_u\nu (s)}, \ B_2 = G^{\alpha _v r_v s^{n-1}} G^{- \alpha _v r_v \omega (s)},$$
$$\ B_3= G^{- \alpha _w r_ur_v(t(s) - s^n) - \alpha _w r_u r_v \xi (s)}$$

and to satisfy the fifth and final verification equation the algorithm sets

$$Z = G^{\beta r_u s}G^{\beta r_v s^{n-1}} G^{-\beta r_u\nu (s)} G^{-\beta r_v\omega (s)} G^{-\beta r_ur_v(t(s)-s^n) - \beta r_u r_v \xi (s)}.$$

We then have that \(\mathsf {Verify}(\mathtt {crs}; c_1, \ldots , c_\ell ; A_1, A_2, A_3, B_1, B_2, B_3, H, Z) = 1\).    \(\square \)

Theorem 5

If there exists an update algorithm for Pinocchio, then either the relation is easy or the scheme is not knowledge-sound.

Proof

Suppose that \(\mathtt {crs}\leftarrow \mathsf {Setup}(1^\lambda )\); i.e., \(\mathtt {crs}= \hat{X}G^{\varvec{\tau }}\) for \(\varvec{\tau }\) as in Eq. 1. Suppose that \((c_1, \ldots , c_\ell ) \in \mathbb {F}_p\).

The polynomials \(u_k(X), v_k(X),w_k(X)\) are Lagrange polynomials, meaning that each and every one of the components \(\varvec{\tau }\) are used in the \(\mathtt {crs}\). This means that the RREF of \(\hat{X}\), which we shall call \(\hat{R}\), is such that for \(1 \le i \le \mathrm{length}(\hat{R})\), there exists some j such that \(\hat{R}[i][j] \ne 0\). Hence by running \(\mathsf {MonoExtract}\), an adversary \(\mathcal {A}\) can calculate \(G^{\varvec{\tau }}\). By Lemma 8, the adversary \(\mathcal {A}\) can continue, and calculate a verifying proof for \((c_1, \ldots , c_\ell )\). Hence either there is a PPT extractor that can output a valid witness for any instance (meaning the language is easy), or there is no extractor and \(\mathcal {A}\) breaks knowledge-soundness.    \(\square \)