Skip to main content
Book cover

Annual Cryptology Conference

CRYPTO 2013: Advances in Cryptology – CRYPTO 2013 pp 90–108Cite as

SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8043)

Abstract

An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key.

We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a nondeterministic random-access machine tailored for efficient verification. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring \(\tilde{O}(|P| \cdot T)\) cryptographic operations. An honest prover requires \(\tilde{O}(|P| \cdot T)\) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler.

This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for program executions, in the preprocessing model — a powerful solution for delegating NP computations, with several features not achieved by previously-implemented primitives.

Our approach builds on recent theoretical progress in the area. We present efficiency improvements and implementations of two main ingredients:

  1. 1

    Given a C program, we produce a circuit whose satisfiability encodes the correctness of execution of the program. Leveraging nondeterminism, the generated circuit’s size is merely quasilinear in the size of the computation. In particular, we efficiently handle arbitrary and data-dependent loops, control flow, and memory accesses. This is in contrast with existing “circuit generators”, which in the general case produce circuits of quadratic size.

  2. 2

    Given a linear PCP for verifying satisfiability of circuits, we produce a corresponding SNARK. We construct such a linear PCP (which, moreover, is zero-knowledge and very efficient) by building and improving on recent work on quadratic arithmetic programs.

Keywords

  • computationally-sound proofs
  • succinct arguments
  • zero-knowledge
  • delegation of computation

Download conference paper PDF

References

  1. Almeida, J.B., Barbosa, M., Bangerter, E., Barthe, G., Krenn, S., Béguelin, S.Z.: Full proof cryptography: verifiable compilation of efficient zero-knowledge protocols. In: CCS 2012 (2012)

    Google Scholar 

  2. Bangerter, E., Barzan, S., Krenn, S., Sadeghi, A.-R., Schneider, T.: Bringing zero-knowledge proofs of knowledge to practice (2009)

    Google Scholar 

  3. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences 37(2), 156–189 (1988)

    MathSciNet  CrossRef  MATH  Google Scholar 

  4. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  5. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC 2013 (2013)

    Google Scholar 

  6. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: TinyRAM architecture specification v1.00 (2013), http://scipr-lab.org/tinyram

  7. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: Fast reductions from RAMs to delegatable succinct constraint satisfaction problems. In: ITCS (2013)

    Google Scholar 

  8. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E.: On the concrete efficiency of probabilistically-checkable proofs. In: STOC 2013 (2013)

    Google Scholar 

  9. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  10. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  11. Ben-David, A., Nisan, N., Pinkas, B.: FairplayMP: a system for secure multi-party computation. In: CCS 2008 (2008)

    Google Scholar 

  12. Beneš, V.E.: Mathematical theory of connecting networks and telephone traffic. Academic Press, New York (1965)

    MATH  Google Scholar 

  13. Bernstein, D.J.: Pippenger’s exponentiation algorithm (2002), http://cr.yp.to/papers/pippenger.pdf

  14. Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: STOC 1991 (1991)

    Google Scholar 

  15. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988 (1988)

    Google Scholar 

  16. Boppana, R.B., Håstad, J., Zachos, S.: Does co-NP have short interactive proofs? Information Processing Letters 25(2), 127–132 (1987)

    MathSciNet  CrossRef  MATH  Google Scholar 

  17. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004)

    CrossRef  Google Scholar 

  18. Ben-Sasson, E., Sudan, M.: Short PCPs with polylog query complexity. SIAM Journal on Computing 38(2) (2008)

    Google Scholar 

  19. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  20. Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  21. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)

    Google Scholar 

  22. Dinur, I.: The PCP theorem by gap amplification. Journal of the ACM 54(3) (2007)

    Google Scholar 

  23. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  24. Goldreich, O., Håstad, J.: On the complexity of interactive proofs with bounded communication. Information Processing Letters 67(4), 205–214 (1998)

    MathSciNet  CrossRef  Google Scholar 

  25. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 1987 (1987)

    Google Scholar 

  26. Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  27. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  28. Groth, J.: Short non-interactive zero-knowledge proofs. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 341–358. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  29. Gurevich, Y., Shelah, S.: Nearly linear time. In: Logic at Botik 1989, Symposium on Logical Foundations of Computer Science, pp. 108–118 (1989)

    Google Scholar 

  30. Gueron, S.: Intel advanced encryption standard (AES) instructions set (February 2012)

    Google Scholar 

  31. Goldreich, O., Vadhan, S., Wigderson, A.: On interactive proofs with a laconic prover. Computational Complexity 11(1/2), 1–53 (2002)

    MathSciNet  CrossRef  MATH  Google Scholar 

  32. Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  33. Katz, J., Myers, S., Ostrovsky, R.: Cryptographic counters and applications to electronic voting. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 78–92. Springer, Heidelberg (2001)

    CrossRef  Google Scholar 

  34. Lipmaa, H.: Two simple code-verification voting protocols. Cryptology ePrint Archive, Report 2011/317 (2011)

    Google Scholar 

  35. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  36. Micali, S.: Computationally sound proofs. SIAM Journal on Computing 30(4), 1253–1298 (2000); Preliminary version appeared in FOCS 1994 (1994)

    MathSciNet  CrossRef  MATH  Google Scholar 

  37. Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay — a secure two-party computation system. In: SSYM 2004 (2004)

    Google Scholar 

  38. Moshkovitz, D., Raz, R.: Two-query PCP with subconstant error. Journal of the ACM 57, 1–29 (2008); Preliminary version appeared in FOCS 2008 (2008)

    MathSciNet  CrossRef  MATH  Google Scholar 

  39. Robson, J.M.: An O(T log T) reduction from RAM computations to satisfiability. Theoretical Computer Science 82(1), 141–149 (1991)

    MathSciNet  CrossRef  MATH  Google Scholar 

  40. Schnorr, C.-P.: Satisfiability is quasilinear complete in NQL. Journal of the ACM 25, 136–145 (1978)

    MathSciNet  CrossRef  MATH  Google Scholar 

  41. Stallman, R.M., and the GCC Developer Community: GNU compiler collection internals (2013), http://gcc.gnu.org/onlinedocs/gccint.pdf

  42. Wee, H.: On round-efficient argument systems. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 140–152. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Technion, Israel

    Eli Ben-Sasson & Daniel Genkin

  2. MIT, USA

    Alessandro Chiesa & Madars Virza

  3. Tel Aviv University, Israel

    Eran Tromer

Authors
  1. Eli Ben-Sasson
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alessandro Chiesa
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Daniel Genkin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Eran Tromer
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Madars Virza
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Boston University and Tel Aviv University, 111 Cummington Street, 02215, Boston, MA, USA

    Ran Canetti

  2. AT&T Labs – Research, Florham Park, NJ, USA

    Juan A. Garay

Rights and permissions

Reprints and Permissions

Copyright information

© 2013 International Association for Cryptologic Research

About this paper

Cite this paper

Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M. (2013). SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. In: Canetti, R., Garay, J.A. (eds) Advances in Cryptology – CRYPTO 2013. CRYPTO 2013. Lecture Notes in Computer Science, vol 8043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40084-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-40084-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40083-4

  • Online ISBN: 978-3-642-40084-1

  • eBook Packages: Computer ScienceComputer Science (R0)