Abstract
Noninteractive arguments enable a prover to convince a verifier that a statement is true. Recently there has been a lot of progress both in theory and practice on constructing highly efficient noninteractive arguments with small size and low verification complexity, socalled succinct noninteractive arguments (SNARGs) and succinct noninteractive arguments of knowledge (SNARKs).
Many constructions of SNARGs rely on pairingbased cryptography. In these constructions a proof consists of a number of group elements and the verification consists of checking a number of pairing product equations. The question we address in this article is how efficient pairingbased SNARGs can be.
Our first contribution is a pairingbased (preprocessing) SNARK for arithmetic circuit satisfiability, which is an NPcomplete language. In our SNARK we work with asymmetric pairings for higher efficiency, a proof is only 3 group elements, and verification consists of checking a single pairing product equations using 3 pairings in total. Our SNARK is zeroknowledge and does not reveal anything about the witness the prover uses to make the proof.
As our second contribution we answer an open question of Bitansky, Chiesa, Ishai, Ostrovsky and Paneth (TCC 2013) by showing that linear interactive proofs cannot have a linear decision procedure. It follows from this that SNARGs where the prover and verifier use generic asymmetric bilinear group operations cannot consist of a single group element. This gives the first lower bound for pairingbased SNARGs. It remains an intriguing open problem whether this lower bound can be extended to rule out 2 group element SNARGs, which would prove optimality of our 3 element construction.
Keywords
 SNARKs
 Noninteractive zeroknowledge arguments
 Linear interactive proofs
 Quadratic arithmetic programs
 Bilinear groups
J. Groth—The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP/20072013)/ERC Grant Agreement n. 307937 and the Engineering and Physical Sciences Research Council grant EP/J009520/1. This work was done in part while the author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS1523467.
Download conference paper PDF
1 Introduction
Goldwasser et al. [GMR89] introduced zeroknowledge proofs that enable a prover to convince a verifier that a statement is true without revealing anything else. They have three core properties:

Completeness: Given a statement and a witness, the prover can convince the verifier.

Soundness: A malicious prover cannot convince the verifier of a false statement.

Zeroknowledge: The proof does not reveal anything but the truth of the statement, in particular it does not reveal the prover’s witness.
Blum et al. [BFM88] extended the notion to noninteractive zeroknowledge (NIZK) proofs in the common reference string model. NIZK proofs are useful in the construction of noninteractive cryptographic schemes, e.g., digital signatures and CCAsecure public key encryption.
The amount of communication is an important performance parameter for zeroknowledge proofs. Kilian [Kil92] gave the first sublinear communication zeroknowledge argument that sends fewer bits than the size of the statement to be proved. Micali [Mic00] proposed sublinear size NIZK arguments by letting the prover in a communication efficient zeroknowledge argument compute the verifier’s challenges using a cryptographic function.
Groth et al. [GOS12, GOS06, Gro06, GS12] introduced pairingbased NIZK proofs, yielding the first linear size proofs based on standard assumptions. Groth [Gro10] combined these techniques with ideas from interactive zeroknowledge arguments [Gro09] to give the first constant size NIZK arguments. Lipmaa [Lip12] used an alternative construction based on progressionfree sets to reduce the size of the common reference string.
Groth’s constant size NIZK argument is based on constructing a set of polynomial equations and using pairings to efficiently verify these equations. Gennaro et al. [GGPR13] found an insightful construction of polynomial equations based on Lagrange interpolation polynomials yielding a pairingbased NIZK argument with a common reference string size proportional to the size of the statement and witness. They gave two types of polynomial equations: quadratic span programs for proving boolean circuit satisfiability and quadratic arithmetic programs for proving arithmetic circuit satisfiability. Lipmaa [Lip13] suggested more efficient quadratic span programs using error correcting codes, and Danezis et al. [DFGK14] refined quadratic span programs to square span programs that give NIZK arguments consisting of 4 group elements for boolean circuit satisfiability.
Following these theoretical advances there has been exciting work on building concrete implementations. Most efficient implementations refine the quadratic arithmetic program approach of Gennaro et al. [GGPR13] and combine it with a compiler producing a suitable quadratic arithmetic program that is equivalent to the statement to be proven [PHGR13, BCG+13, BCTV14b, CTV15, CFH+15].
One powerful motivation for building efficient noninteractive arguments is verifiable computation. A client can outsource a complicated computational task to a server in the cloud and get back the results. To convince the client that the computation is correct the server may include a noninteractive argument of correctness with the result. However, since the verifier does not have many computational resources this only makes sense if the argument is compact and computationally light to verify, i.e., it is a succinct noninteractive argument (SNARG) or a succinct noninteractive argument of knowledge (SNARK). While pairingbased SNARGs are efficient for the verifier, the computational overhead for the prover is still orders of magnitude too high to warrant use in outsourced computation [Wal15] and further efficiency improvements are needed. In their current state, SNARKs that are zeroknowledge already have uses when proving statements about private data though. Zeroknowledge SNARKs are for instance key ingredients in the virtual currency proposals Pinnocchio coin [DFKP13] and Zerocash [BCG+14].
In parallel with developments in pairingbased NIZK arguments there has been interesting work on understanding SNARKs. Gentry and Wichs [GW11] showed that SNARGs must necessarily rely on nonfalsifiable assumptions, and Bitansky et al. [BCCT12] proved designated verifier SNARKs exist if and only if extractable collisionresistant hash functions exist. Of particular interest in terms of efficiency is a series of works studying how SNARKs compose [Val08, BCCT13, BCTV14a]. They show among other things that a preprocessing SNARK with a long common reference string can be used to build a fully succinct SNARK with a short common reference string.
Bitansky et al. [BCI+13] give an abstract model of SNARKs that rely on linear encodings of field elements. Their information theoretic framework called linear interactive proofs (LIPs) capture proof systems where the prover is restricted to using linear operations in computing her messages. Given a LIP it can be converted to a publicly verifiable SNARK using pairingbased techniques or to a designated verifier using additively homomorphic encryption techniques.
1.1 Our Contribution
Succinct NIZK. We construct a NIZK argument for arithmetic circuit satisfiability where a proof consists of only 3 group elements. In addition to being small, the proof is also easy to verify. The verifier just needs to compute a number of exponentiations proportional to the statement size and check a single pairing product equation, which only has 3 pairings. Our construction can be instantiated with any type of pairings including Type III pairings, which are the most efficient pairings.
The argument has perfect completeness and perfect zeroknowledge. For soundness we take an aggressive stance and rely on a security proof in the generic bilinear group model in order to get optimal performance. This stance is partly justified by Gentry and Wichs [GW11] that rule out SNARGs based on standard falsifiable assumptions. However, following Abe et al. [AGOT14] we do provide a hedge against cryptanalysis by proving our construction secure in the symmetric pairing setting. For optimal efficiency it makes sense to use our NIZK argument in the asymmetric setting, however, by providing a security proof in the symmetric setting we get additional security: even if cryptanalytic advances yield a hitherto unknown efficiently computable isomorphism between the source groups this does not necessarily lead to a break of our scheme. We therefore have a unified NIZK argument that can be instantiated with any type of pairing, yielding both optimal efficiency and optimal generic bilinear group resilience.
We give a performance comparison for boolean circuit satisfiability in Table 1 and for arithmetic circuit satisfiability in Table 2 of the size of the common reference string (CRS), the size of the proof, the prover’s computation, the verifier’s computation, and the number of pairing product equations used to verify a proof. We perform better than the state of the art on all efficiency parameters.
In both comparisons the number of wires exceeds the number of gates, \(m\ge n\), since each gate has an output wire. We expect for typical cases that the statement size \(\ell \) will be small compared to m and n. In both tables, we have excluded the size of representing the relation for which we give proofs. In the boolean circuit satisfiability case, we are considering arbitrary fanin 2 logic gates. In the arithmetic circuit satisfiability case we work with fanin 2 multiplication gates where each input factor can be a weigthed sum of other wires. We assume each multiplication gate input depends on a constant number of wires; otherwise the cost of evaluating the relation itself may exceed the cost of the subsequent proof generation.
We note that [PHGR13] uses symmetric bilinear groups where \(\mathbb {G}_1=\mathbb {G}_2\) and we are therefore comparing with a symmetric bilinear group instantiation of our scheme, which saves n elements in the common reference string. However, in the implementation of their system, called Pinocchio, asymmetric pairings are used for better efficiency. The switch to asymmetric pairings only requires minor modifications, see e.g. [SVdV15].
Size matters. While the reduction in proof size to 3 group elements and the reduction in verification time is nice in itself, we would like to highlight that it is particularly important when composing SNARKs. [BCCT13, BCTV14a] show that preprocessing SNARKs with a long CRS can be composed to yield fully succinct SNARKs with a short CRS. The transformations split the statement into smaller pieces, prove each piece is correct by itself, and recursively construct proofs of knowledge of other proofs that jointly show the pieces are correct and fit together. In the recursive construction of proofs, it is extra beneficial when the proofs are small and easy to verify since the resulting statements “there exists a proof satisfying the verification equation...” become small themselves. So we gain both from the prover’s lower computation and from the fact that the statements in the recursive composition are smaller since we have a more efficient verification procedure for our SNARK. We estimate that in the scalable and fully succinct zeroknowledge SNARKs by BenSasson et al. [BCTV14a] that use two related elliptic curves to prove statements about each other, the prover’s computation will be reduced by up to an order of magnitude.
Technique. All pairingbased SNARKs in the literature follow a common paradigm where the prover computes a number of group elements using generic group operations and the verifier checks the proof using a number of pairing product equations. Bitansky et al. [BCI+13] formalize this paradigm through the definition of linear interactive proofs (LIPs). A linear interactive proof works over a finite field and the prover’s and verifier’s messages consist of vectors of field elements. It furthermore requires that the prover computes her messages using only linear operations. Once we have the LIP, it can then be compiled into a SNARK by executing the equations “in the exponent” using pairingbased cryptography. One source of our efficiency gain is that we design a LIP system for arithmetic circuits where the prover only sends 3 field elements. In comparison, the quadratic arithmetic programs by [GGPR13, PHGR13] correspond to LIPs where the prover sends 4 field elements.
A second source of efficiency gain compared to previous work is a more aggressive compilation of the LIP. Bitansky et al. [BCI+13] propose a transformation in the symmetric bilinear group setting, where each field element gets compiled into two group elements. They then use a knowledge of exponent assumption to argue that the prover knows the relevant field elements. A less conservative choice would be to compile each field element into a single group element. This improves efficiency but security requires stronger assumptions since we the scheme may be secure in the generic group model but we can no longer use the knowledge of exponent assumption. It is also possible to make a choice between these two extremes, Parno et al. [PHGR13] for instance have a LIP with 4 field elements, which gets compiled into 7 group elements. In this paper we have opted for maximal efficiency and compile each field element in the LIP into a single group element and argue security in the generic group model.
We prefer to work with asymmetric bilinear groups for their higher efficiency than symmetric bilinear groups. This means that there is more to the story than the number of field elements the prover sends in the LIP and the choice of how aggressive a compilation we use. When working with asymmetric bilinear groups, a field element can appear as an exponent in the first source group, the second source group, or both. Our LIP is carefully designed such that each field element gets compiled into a single source group element in order to minimize the proof size to 3 group elements in total.
Lower Bounds. Working towards ever more efficient noninteractive arguments, it is natural to ask what the minimal proof size is. We will show that pairingbased SNARGs with a single group element proof cannot exist. This result relates to an open question raised by Bitansky et al. [BCI+13], whether there are LIPs with a linear decision procedure for the verifier. Such a linear decision procedure would be quite useful; it could for instance enable the construction of SNARGs based on ElGamal encryption.
We answer this open problem negatively by proving that LIPs with a linear decision procedure do not exist. A consequence of this is that any pairingbased SNARG must pair group elements from the proof together to make the decision procedure quadratic instead of linear. Working over asymmetric bilinear groups we must therefore have elements in both source groups in order to do such a pairing. This rules out the existence of 1 group element SNARGs, regardless of whether it is zeroknowledge or not, and shows our NIZK argument has close to optimal proof size. It remains an intriguing open problem to completely close the gap by either constructing a SNARG with exactly one element from each source group \(\mathbb {G}_1\) and \(\mathbb {G}_2\), or alternatively rule out the existence of such a SNARG.
2 Preliminaries
Given two functions \(f,g:\mathbb {N}\rightarrow [0,1]\) we write \(f(\lambda )\approx g(\lambda )\) when \(f(\lambda )g(\lambda )=\lambda ^{\omega (1)}\). We say that f is negligible when \(f(\lambda )\approx 0\) and that f is overwhelming when \(f(\lambda )\approx 1\). We will use \(\lambda \) to denote a security parameter, with the intuition that as \(\lambda \) grows we would like to have stronger security.
We write \(y=A(x;r)\) when algorithm A on input x and randomness r, outputs y. We write \(y\leftarrow A(x)\) for the process of picking randomness r at random and setting \(y=A(x;r)\). We also write \(y\leftarrow S\) for sampling y uniformly at random from the set S. We will assume it is possible to sample uniformly at random from sets such as \(\mathbb {Z}_p\).
Following Abe and Fehr [AF07] we write \((y;z)\leftarrow (\mathcal {A}\parallel \mathcal {X}_{\mathcal {A}})(x)\) when \(\mathcal {A}\) on input x outputs y and \(\mathcal {X}_{\mathcal {A}}\) on the same input (including random coins) outputs z.
2.1 Bilinear Groups
We work with bilinear groups \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\) with the following properties:

\(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) are groups of prime order p

\(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is a bilinear map, i.e., \(e(U^a,V^b)=e(U,V)^{ab}\)

If G is a generator for \(\mathbb {G}_1\) and H is a generator for \(\mathbb {G}_2\) then e(G, H) is a generator for \(\mathbb {G}_T\)

There are efficient algorithms for computing group operations, evaluating the bilinear map, deciding membership of the groups, deciding equality of group elements and sampling generators of the groups. We refer to these as the generic bilinear group operations.
There are many ways to set up bilinear groups both as symmetric bilinear groups where \(\mathbb {G}_1=\mathbb {G}_2\) and as asymmetric bilinear groups where \(\mathbb {G}_1\ne \mathbb {G}_2\). Galbraith et al. [GPS08] classify bilinear groups as Type I where \(\mathbb {G}_1=\mathbb {G}_2\), Type II where there is an efficiently computable nontrivial homomorphism \(\varPsi :\mathbb {G}_2\rightarrow \mathbb {G}_1\), and Type III where no such efficiently computable homomorphism exists in either direction between \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Type III bilinear groups are the most efficient type of bilinear groups and hence the most relevant for practical applications. We give the lower bound for Type III bilinear groups and but our construction works without change for all 3 types of bilinear groups.
2.2 Noninteractive ZeroKnowledge Arguments of Knowledge
Let \(\mathcal {R}\) be a relation generator that given a security parameter \(\lambda \) in unary returns a polynomial time decidable binary relation R. For pairs \((\phi ,w)\in R\) we call \(\phi \) the statement and w the witness. We define \(\mathcal {R}_\lambda \) to be the set of possible relation \(\mathcal {R}\) may output given \(1^\lambda \). The relation generator may also output some side information, an auxiliary input z, which will be given to the adversary. An efficient prover publicly verifiable noninteractive argument for \(\mathcal {R}\) is a quadruple of probabilistic polynomial algorithms \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy},\mathsf{Sim})\) such that

\((\sigma ,\tau )\leftarrow \mathsf{Setup}(R)\): The setup takes as input a security parameter \(\lambda \) and a relation \(R\in \mathcal {R}_\lambda \) and returns a common reference string \(\sigma \) and a simulation trapdoor \(\tau \) for the relation R.

\(\pi \leftarrow \mathsf{Prove}(R,\sigma ,\phi ,w)\): The prover algorithm takes as input a common reference string \(\sigma \) and \((\phi ,w)\in R\) and returns an argument \(\pi \).

\(0/1\leftarrow \mathsf{Vfy}(R,\sigma ,\phi ,\pi )\): The verification algorithm takes as input a common reference string \(\sigma \), a statement \(\phi \) and an argument \(\pi \) and returns 0 (reject) or 1 (accept).

\(\pi \leftarrow \mathsf{Sim}(R,\tau ,\phi )\): The simulator takes as input a simulation trapdoor and statement \(\phi \) and returns an argument \(\pi \).
Definition 1
We say \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy})\) is a noninteractive argument for \(\mathcal {R}\) if it has perfect completeness and computational soundness as defined below.
Definition 2
We say \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy},\mathsf{Sim})\) is a perfect noninteractive zeroknowledge argument of knowledge for \(\mathcal {R}\) if it has perfect completeness, perfect zeroknowledge and computational knowledge soundness as defined below.
Perfect completeness. Completeness says that, given any true statement, an honest prover should be able to convince an honest verifier. For all \(\lambda \in \mathbb {N}\), \(R\in \mathcal {R}_\lambda \), \((\phi ,w)\in R\)
Perfect zeroknowledge. An argument is zeroknowledge if it does not leak any information besides the truth of the statement. We say \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy},\mathsf{Sim})\) is perfect zeroknowledge if for all \(\lambda \in \mathbb {N}, (R,z)\leftarrow \mathcal {R}(1^\lambda ), (\phi ,w)\in R\) and all adversaries \(\mathcal {A}\)
Computational soundness. We say \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy},\mathsf{Sim})\) is sound if it is not possible to prove a false statement, i.e., convince the verifier if no witness exists. Let \(L_R\) be the language consisting of statements for which there exist matching witnesses in R. Formally, we require that for all nonuniform polynomial time adversaries \(\mathcal {A}\)
Computational knowledge soundness. Strengthening the notion of soundness, we call \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy},\mathsf{Sim})\) an argument of knowledge if there is an extractor that can compute a witness whenever the adversary produces a valid argument. The extractor gets full access to the adversary’s state, including any random coins. Formally, we require that for all nonuniform polynomial time adversaries \(\mathcal {A}\) there exists a nonuniform polynomial time extractor \(\mathcal {X}_{\mathcal {A}}\) such that
Public verifiability and designated verifier proofs. We can naturally generalize the definition of a noninteractive argument by splitting \(\sigma \) into two parts \(\sigma _P\) and \(\sigma _V\) used by the prover and verifier respectively. We say the noninteractive argument is publicly verifiable when \(\sigma _V\) can be deduced from \(\sigma _P\). Otherwise we refer to it as a designated verifier argument. For designated verifier arguments it is possible to relax soundness and knowledge soundness such that the adversary only sees \(\sigma _P\) but not \(\sigma _V\).
SNARGs and SNARKs. A noninteractive argument where the verifier runs in polynomial time in \(\lambda +\phi \) and the proof size is polynomial in \(\lambda \) is called a preprocessing succinct noninteractive argument (SNARG) if it sound, and a preprocessing succinct argument of knowledge (SNARK) if it is knowledge sound. If we also restrict the common reference string to be polynomial in \(\lambda \) we say the noninteractive argument is a fully succinct SNARG or SNARK. Bitansky et al. [BCCT13] show that preprocessing SNARKs can be composed to yield fully succinct SNARKs. The focus of this paper is on preprocessing SNARKs.
Benign relation generators. Bitansky et al. [BCPR14] show that indistinguishability obfuscation implies that for every candidate SNARK there are auxiliary output distributions that enable the adversary to create a valid proof without it being possible to extract the witness. Assuming also public coin differing input obfuscation and other cryptographic assumptions, Boyle and Pass [BP15] strengthen this impossibility to show that there is an auxiliary output distribution that defeats witness extraction for all candidate SNARKs. These counter examples, however, rely on specific auxiliary input distributions. We will therefore in the following assume the relationship generator is benign in the sense that the relation and the auxiliary input are distributed in such a way that SNARKs can exist.
2.3 Quadratic Arithmetic Programs
Consider an arithmetic circuit consisting of addition and multiplication gates over a finite field \(\mathbb {F}\). We may designate some of the input/output wires as specifying a statement and use the rest of the wires in the circuit to define a witness. This gives us a binary relation R consisting of statement wires and witness wires that satisfy the arithmetic circuit, i.e., make it consistent with the designated input/output wires.
Generalizing arithmetic circuits, we may be interested in relations described by equations over a set of variables. Some of the variables correspond to the statement; the remaining variables correspond to the witness. The relation consists of statements and witnesses that satisfy all the equations. The equations will be over \(a_0=1\) and variables \(a_1,\ldots ,a_m\in \mathbb {F}\) and be of the form
where \(u_{i,q},v_{i,q},w_{i,q}\) are constants in \(\mathbb {F}\) specifying the qth equation.
We observe that addition and multiplication gates are special cases of such equations so such systems of arithmetic constraints do indeed generalize arithmetic circuits. A multiplication gate can for instance be described as \(a_i\cdot a_j=a_k\) (using \(u_i=1,v_j=1\) and \(w_k=1\) and setting the remaining constants for this gate to 0). Addition gates are handled for free in the sums defining the equations, i.e., if \(a_i+a_j=a_k\) and \(a_k\) is multiplied by \(a_\ell \), we may simply write \((a_i+a_j)\cdot a_\ell \) and skip the calculation of \(a_k\).
Following Gennaro et al. [GGPR13] we can reformulate the set of arithmetic constraints as a quadratic arithmetic program assuming \(\mathbb {F}\) is large enough. Given n equations we pick arbitrary distinct \(r_1,\ldots ,r_n\in \mathbb {F}\) and define \(t(x)=\prod _{q=1}^n(xr_q)\). Furthermore, let \(u_i(x),v_i(x),w_i(x)\) be degree \(n1\) polynomials such that
We now have that \(a_0=1\) and the variables \(a_1,\ldots ,a_m\in \mathbb {F}\) satisfy the n equations if and only if in each point \(r_1,\ldots ,r_q\)
Since t(X) is the lowest degree monomial with \(t(r_q)=0\) in each point, we can reformulate this condition as
Formally, we will be working with quadratic arithmetic programs R that have the following description
where \(\mathbb {F}\) describes a finite field, \(\mathrm {aux}\) is some auxiliary information, \(1\le \ell \le m\), \(u_i(X),v_i(X),w_i(X),t(X)\in \mathbb {F}[X]\) and \(u_i(X),v_i(X),w_i(X)\) have strictly lower degree than n, the degree of t(X). A quadratic arithmetic program with such a description defines the following binary relation, where we define \(a_0=1\),
We say \(\mathcal {R}\) is a quadratic arithmetic program generator if it generates relations of the form given above with fields of size larger than \(2^{\lambda 1}\).
Relations can arise in many different ways in practice. It may be that the relationship generator is deterministic or it may be that it is randomized. It may be that first the field \(\mathbb {F}\) is generated and then the rest of the relation is built on top of the field. Or it may be that the polynomials are specified first and then a random field is chosen. To get maximal flexibility we have chosen our definitions to be agnostic with respect to the exact way the field and the relation is generated, the different options can all be modelled by appropriate choices of relation generators.
Looking ahead, we will in our pairingbased NIZK arguments let the auxiliary information \(\mathrm {aux}\) specify a bilinear group. It may seem a bit surprising to make the choice of bilinear group part of the relation generator but this provides a better model of settings where the relation is built on top of an already existing bilinear group. Again, there is no loss of generality in this choice, one can think of a traditional setting where the relation is chosen first and then the bilinear group is chosen at random as the special case where the relation generator works in two steps, first choosing the relation and then picking a random bilinear group. Of course letting the relation generator pick the bilinear group is another good reason that we need to assume it is benign; an appropriate choice of bilinear group is essential for security.
2.4 Linear Interactive Proofs
Bitansky et al. [BCI+13] give a useful characterization of the information theoretic underpinning of recent SNARK constructions. A twomove algebraic linear interactive proof (LIP) of degree \((d_Q,d_D)\) for a relation generator \(\mathcal {R}\), where we assume the relations specify a finite field \(\mathbb {F}\), is a noninteractive argument system where the algorithms work as follows:

\((\varvec{\sigma },\varvec{\tau })\leftarrow \mathsf{Setup}(R)\): It creates an arithmetic circuit of multiplicative depth \(d_Q\) that takes as input randomness \(\varvec{r}\in \mathbb {F}^\mu \) and returns vectors \(\varvec{\sigma }\in \mathbb {F}^m\) and \(\varvec{\tau }\in \mathbb {F}^{n}\). We will for notational simplicity assume that \(\varvec{\sigma }\) always contains 1 as an entry such that there is no distinction between affine and linear functions of \(\varvec{\sigma }\).

\(\varvec{\pi }\leftarrow \mathsf{Prove}(R,\varvec{\sigma },\phi ,w)\): The prover operates in two stages:

–
First it runs \(\varPi \leftarrow \mathsf{ProofMatrix}(R,\phi ,w)\), where \(\mathsf{ProofMatrix}\) is a probabilistic polynomial time algorithm that generates a matrix \(\varPi \in \mathbb {F}^{k\times m}\).

–
Then it computes the proof as \(\varvec{\pi }=\varPi \varvec{\sigma }\).

–

\(0/1\leftarrow \mathsf{Vfy}(R,\varvec{\sigma },\phi ,\varvec{\pi })\): The verifier runs in two stages:

–
First it runs a deterministic polynomial time algorithm \(\varvec{t}\leftarrow \mathsf{Test}(R,\phi )\) to get an arithmetic circuit \(\varvec{t}:\mathbb {F}^{m+k}\rightarrow \mathbb {F}^{\eta }\) of multiplicative depth \(d_D\).

–
It then accepts the proof if and only if \(\varvec{t}(\varvec{\sigma },\varvec{\pi })=\varvec{0}\).

–
The degrees and dimensions \(d_Q,d_D,\mu ,m,n,k,\eta \) may be constants or polynomials in the security parameter \(\lambda \).
Definition 3
(Linear Interactive Proof). The tuple \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy})\) is a linear interactive proof for \(\mathcal {R}\) if it has perfect completeness and statistical knowledge soundness against affine prover strategies as defined below.
Statistical knowledge soundness against affine prover strategies. An LIP has knowledge soundness against affine prover strategies if a witness can be extracted from a successful proof matrix \(\varPi \). More precisely, there is a polynomial time extractor \(\mathcal {X}\) such that for all adversaries \(\mathcal {A}\)
Noninteractive arguments from linear interactive proofs. LIPs are useful concepts because they can be compiled into publicly verifiable noninteractive arguments using pairings and designated verifier noninteractive arguments using Paillier encryption [BCI+13]. If we work in the pairing setting, the intuition is that an algebraic LIP of degree \((d_Q,2)\) can be executed “in the exponents”: The common reference string contains exponentiations of the field elements in \(\varvec{\sigma }\). The prover computes the proof as multiexponentiations of group elements, corresponding to linear operations on the field elements in \(\varvec{\sigma }\). The verifier checks the argument by verifying a number of pairing product equations (equations formed by multiplying together the results of pairings), which corresponds to checking quadratic equations in the exponents. We will see this methodology applied in the following section.
3 Constructions of Noninteractive Arguments
We will construct a pairingbased NIZK argument for quadratic arithmetic programs where proofs consist of only 3 group elements. We give the construction in two steps, first we construct a LIP, and then we convert the LIP into a pairingbased NIZK argument.
3.1 Linear Interactive Proofs for Quadratic Arithmetic Programs
We will now construct a LIP for quadratic arithmetic program generators that outputs relations of the form
The relation defines a language of statements \((a_1,\ldots ,a_{\ell })\in \mathbb {F}^{\ell }\) and witnesses \((a_{\ell +1},\ldots ,a_m)\in \mathbb {F}^{m\ell }\) such that with \(a_0=1\)
for some degree \(n2\) quotient polynomial h(X), where n is the degree of t(X).

\((\varvec{\sigma },\varvec{\tau })\leftarrow \mathsf{Setup}(R)\): Pick \(\alpha ,\beta ,\gamma ,\delta ,x\leftarrow \mathbb {F}^*\). Set \(\varvec{\tau }=(\alpha ,\beta ,\gamma ,\delta ,x)\) and
$$\begin{aligned} \varvec{\sigma }&=\left( \alpha ,\beta ,\gamma ,\delta ,\left\{ x^i\right\} _{i=0}^{n1},\left\{ \frac{\beta u_i(x)+\alpha v_i(x)+w_i(x)}{\gamma }\right\} _{i=0}^{\ell },\right. \\&\qquad \left. \left\{ \frac{\beta u_i(x)+\alpha v_i(x)+w_i(x)}{\delta }\right\} _{i=\ell +1}^{m}, \left\{ \frac{x^it(x)}{\delta }\right\} _{i=0}^{n2}\right) . \end{aligned}$$ 
\(\varvec{\pi }\leftarrow \mathsf{Prove}(R,\varvec{\sigma },a_1,\ldots ,a_m)\): Pick \(r,s\leftarrow \mathbb {F}\) and compute a \(3\times (m+2n+4)\) matrix \(\varPi \) such that \(\varvec{\pi }=\varPi \varvec{\sigma }=(A,B,C)\) where
$$\begin{aligned} A=\alpha +\sum _{i=0}^{m}a_iu_i(x)+r\delta \qquad \qquad B=\beta +\sum _{i=0}^{m}a_iv_i(x)+s\delta \end{aligned}$$$$\begin{aligned}C=\frac{\sum _{i=\ell +1}^m a_i\left( \beta u_i(x)+ \alpha v_i(x)+ w_i(x)\right) +h(x)t(x)}{\delta }+As+rBrs\delta .\end{aligned}$$ 
\(0/1\leftarrow \mathsf{Vfy}(R,\varvec{\sigma },a_1,\ldots ,a_\ell )\): Compute a quadratic multivariate polynomial \(\varvec{t}\) such that \(\varvec{t}(\varvec{\sigma },\varvec{\pi })=0\) corresponds to the test
$$\begin{aligned}A\cdot B=\alpha \cdot \beta + \frac{\sum _{i=0}^{\ell }a_i\left( \beta u_i(x)+ \alpha v_i(x)+ w_i(x)\right) }{\gamma }\cdot \gamma + C\cdot \delta .\end{aligned}$$Accept the proof if the test passes.

\(\varvec{\pi }\leftarrow \mathsf{Sim}(R,\varvec{\tau },a_1,\ldots ,a_\ell )\): Pick \(A,B\leftarrow \mathbb {F}\) and compute \(C=\frac{AB\alpha \beta \sum _{i=0}^{\ell }a_i\left( \beta u_i(x)+ \alpha v_i(x)+ w_i(x)\right) }{\delta }\). Return \(\varvec{\pi }=(A,B,C)\).
Before formally proving this is a LIP, let us give a little intuition behind the different components. The role of \(\alpha \) and \(\beta \) is to ensure A, B and C are consistent with each other in the choice of \(a_0,\ldots ,a_m\). The product \(\alpha \cdot \beta \) in the verification equation guarantees that A and B involve nontrivial \(\alpha \) and \(\beta \) components. This means the product \(A\cdot B\) involves a linear dependence on \(\alpha \) and \(\beta \), and we will later prove that this linear dependence can only be balanced out by C with a consistent choice of \(a_0,\ldots ,a_m\) in all three of A, B and C. The role of \(\gamma \) and \(\delta \) is to make the two latter products of the verification equation independent from the first product, by dividing the left factors with \(\gamma \) and \(\delta \) respectively. This prevents mixing and matching of elements intended for different products in the verification equation. Finally, we use r and s to randomize the proof to get zeroknowledge.
Theorem 1
The construction above yields a LIP with perfect completeness, perfect zeroknowledge and statistical knowledge soundness against affine prover strategies.
Proof
Perfect completeness is straightforward to verify. Perfect zeroknowledge follows from both real proofs and simulated proofs having uniformly random field elements A, B. These elements uniquely determine C through the verification equation, so real proofs and simulated proofs have identical probability distributions.
What remains is to demonstrate that for any affine prover strategy with nonnegligible success probability we can extract a witness. When using an affine prover strategy we have
for known field elements \(A_\alpha ,A_\beta ,A_\gamma ,A_\delta ,A_i\) and polynomials \(A(x),A_h(x)\) of degrees \(n1\) and \(n2\), respectively that correspond to the first row of the matrix \(\varPi \). We can write out B and C in a similar fashion from the second and third rows of \(\varPi \).
We now view the verification equation as an equality of multivariate Laurent polynomials. By the SchwartzZippel lemma the prover has negligible success probability unless the verification equation holds when viewing A, B and C as formal polynomials in indeterminates \(\alpha ,\beta ,\gamma ,\delta ,x\).
The terms with indeterminate \(\alpha ^2\) are \(A_{\alpha }B_{\alpha }\alpha ^2=0\), which means \(A_{\alpha }=0\) or \(B_{\alpha }=0\). Since \(AB=BA\) we can without loss of generality assume \(B_\alpha =0\). The terms with indeterminate \(\alpha \beta \) give us \(A_{\alpha }B_{\beta }+A_{\beta }B_{\alpha }=A_{\alpha }B_{\beta }=1\). This means \(AB=(AB_\beta )(A_\alpha B)\) so we can without loss of generality after rescaling assume \(A_{\alpha }=B_{\beta }=1\). The terms with indeterminate \(\beta ^2\) now give us \(A_{\beta }B_\beta =A_{\beta }=0\). We have now simplified A and B constructed by the adversary to be of the form
Next, let us consider the terms involving \(\frac{1}{\delta ^2}\). We have
showing either the left factor is 0 or the right factor is 0. By symmetry, let us without loss of generality assume \(\sum _{i=\ell +1}^mA_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) +t(x)A_t(x)=0\). The terms in \(\alpha \frac{\sum _{i=\ell +1}^mB_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) +B_h(x)t(x)}{\delta }=0\) now show us that also \(\sum _{i=\ell +1}^mB_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) +B_h(x)t(x)=0\).
The terms involving \(\frac{1}{\gamma ^2}\) give us
showing either the left factor is 0 or the right factor is 0. By symmetry, let us without loss of generality assume \(\sum _{i=0}^{\ell }A_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) =0\). The terms in \(\alpha \frac{\sum _{i=0}^mB_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) }{\gamma }=0\) now show us \(\sum _{i=0}^{\ell }B_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) =0\) as well.
The terms \(A_{\gamma }\beta \gamma =0\) and \(B_{\gamma }\alpha \gamma =0\) show us that \(A_{\gamma }=0\) and \(B_{\gamma }=0\). We now have
The remaining terms in the verification equation that involve \(\alpha \) give us \(\alpha B(x)=\sum _{i=0}^{\ell }a_i \alpha v_i(x)+\sum _{i=\ell +1}^mC_i\alpha v_i(x)\). The terms involving \(\beta \) give us \(\beta A(x)=\sum _{i=0}^{\ell }a_i \beta u_i(x)+\sum _{i=\ell +1}^mC_i\beta u_i(x)\). Defining \(a_i=C_i\) for \(i=\ell +1,\ldots ,m\) we now have
Finally, we look at the terms involving powers of x to get
This shows that \((a_{\ell +1},\ldots ,a_m)=(C_{\ell +1},\ldots ,C_m)\) is a witness for the statement \((a_1,\ldots ,a_{\ell })\). \(\square \)
2 field element LIPs. It is natural to ask whether the number of field elements the prover sends in the LIP can be reduced further. The square span programs of Danezis et al. [DFGK14] give rise to 2 field element LIPs for boolean circuit satisfiability. It is also possible to get a 2element LIP for arithmetic circuit satisfiability by rewriting the circuit into one that only uses squaring gates, each multiplication gate \(a\cdot b=c\) can be rewritten as a \((a+b)^2(ab)^2=4c\). When an arithmetic circuit only has squaring gates we get \(u_i(x)=v_i(x)\) for all i. By choosing \(r=s\) in the LIP, we now have that \(B=A+\beta \alpha \), so the prover only needs to send two elements A and C to make a convincing proof. Rewriting the arithmetic circuit to only use squaring gates may double the number of gates and also requires some additional wires for the subtraction of the squares, so the reduction of the size of the LIP comes at a significant computational cost though.
3.2 NIZK Arguments for Quadratic Arithmetic Programs
We will now give a pairingbased NIZK argument for quadratic arithmetic programs. We consider relation generators \(\mathcal {R}\) that return relations of the form
with \(p=\lambda \). The relation defines a field \(\mathbb {Z}_p\) and a language of statements \((a_1,\ldots ,a_{\ell })\in \mathbb {Z}_p^{\ell }\) and witnesses \((a_{\ell +1},\ldots ,a_m)\in \mathbb {Z}_p^{m\ell }\) such that with \(a_0=1\)
for some degree \(n2\) quotient polynomial h(X).
We will construct the pairingbased argument by using the LIP from the previous section “in the exponents”. An important design feature of the LIP is that the elements A, B and C are only used once in the verification equation and therefore it is easy to assign them to different source groups such that the verification equation can be carried out using a pairing product equation. Since pairingfriendly elliptic curves can be constructed such that the group element representations are smaller in \(\mathbb {G}_1\) than in \(\mathbb {G}_2\) [GPS08] we choose to assign A and C to the first source group and B to the second source group for maximal efficiency. This gives us the following NIZK argument.

\((\sigma ,\tau )\leftarrow \mathsf{Setup}(R)\): Pick arbitrary generators G and H for \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Pick \(\alpha ,\beta ,\gamma ,\delta ,x \leftarrow \mathbb {Z}_p^*\). Define \(\tau =(\alpha ,\beta ,\gamma ,\delta ,x)\) and compute
$$\begin{aligned}\sigma =\left( \begin{array}{c} G^{\alpha },G^\beta , H^\beta ,H^\gamma ,G^{\delta },H^\delta ,\left\{ G^{x^i}\right\} _{i=0}^{n1},\left\{ H^{x^i}\right\} _{i=0}^{n1}\\ \left\{ G^{\frac{\beta u_i(x)+\alpha v_i(x)+w_i(x)}{\gamma }}\right\} _{i=0}^{\ell },\left\{ G^{\frac{\beta u_i(x)+\alpha v_i(x)+w_i(x)}{\delta }}\right\} _{i=\ell +1}^{m},\left\{ G^{\frac{x^it(x)}{\delta }}\right\} _{i=0}^{n2}\end{array}\right) .\end{aligned}$$ 
\(\pi \leftarrow \mathsf{Prove}(R,\sigma ,a_1,\ldots ,a_m)\): Pick \(r,s\leftarrow \mathbb {Z}_p\) and compute \(\pi =(A,B,C)\), where
$$\begin{aligned}A=G^{\alpha +\sum _{i=0}^{m}a_i u_i(x)+r\delta } \qquad \qquad B=H^{\beta +\sum _{i=0}^{m}a_iv_i(x)+s\delta }\end{aligned}$$$$\begin{aligned}C=G^{\frac{\sum _{i=\ell +1}^m a_i(\beta u_i(x)+ \alpha v_i(x)+ w_i(x))+h(x)t(x)}{\delta }+s\left( \alpha +\sum _{i=0}^ma_iu_i(x)\right) +r\left( \beta +\sum _{i=0}^ma_iv_i(x)\right) +rs\delta }.\end{aligned}$$ 
\(0/1\leftarrow \mathsf{Vfy}(R,\sigma ,a_1,\ldots ,a_\ell ,\pi )\): Parse \(\pi =(A,B,C)\in \mathbb {G}_1\times \mathbb {G}_2\times \mathbb {G}_1\). Accept the proof if and only if
$$\begin{aligned}e(A,B)=e(G^{\alpha },H^{\beta })e(G^{\frac{\sum _{i=0}^{\ell }a_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) }{\gamma }},H^{\gamma })e(C,H^{\delta }).\end{aligned}$$ 
\(\pi \leftarrow \mathsf{Sim}(R,\tau ,a_1,\ldots ,a_\ell )\): Pick \(r,s\leftarrow \mathbb {Z}_p\) and compute a simulated proof \(\pi =(A,B,C)\) as
$$\begin{aligned}A=G^{r} \qquad B=H^{s} \qquad C=G^{\frac{rs \alpha \beta \sum _{i=0}^{\ell } a_i\left( \beta u_i(x)+\alpha v_i(x)+w_i(x)\right) }{\delta }}.\end{aligned}$$
Theorem 2
The protocol given above is a noninteractive zeroknowledge argument with perfect completeness and perfect zeroknowledge. It has statistical knowledge soundness against adversaries that only use a polynomial number of generic bilinear group operations.
Proof
Perfect completeness follows by direct verification. Perfect zeroknowledge follows from the fact that both in real proofs and simulated proofs A, B are uniformly random group elements and through the verification equation uniquely determine C.
To see that we have statistical knowledge soundness against generic adversaries first note that any test the adversary can do on the common reference string corresponds to an equality test of Laurent polynomials. Either the polynomials match formally, or by the SchwartzZippel lemma there is negligible probability of them matching up over the random choices of \(\alpha ,\beta ,\gamma ,\delta ,x\). The adversary therefore has negligible probability of learning anything it did not already know about the common reference string using only generic group operations. What remains is the possibility that the adversary computes A, B and C as exponentiations of group elements to known field elements. This corresponds exactly to an affine prover strategy on the LIP “in the exponents” and by the knowledge soundness of the LIP we can extract a witness from these known field elements. \(\square \)
Efficiency. The proof size is 2 elements in \(\mathbb {G}_1\) and 1 element in \(\mathbb {G}_2\). The common reference string contains a description of the relation R, n elements in \(\mathbb {Z}_p\), \(m+2n+3\) elements in \(\mathbb {G}_1\), and \(n+3\) elements in \(\mathbb {G}_2\).
The verifier does not need to know the entire common reference string, it suffices to know
The verifier’s reference string only contains a description of the bilinear group, \(\ell +1\) elements in \(\mathbb {G}_1\), 2 elements in \(\mathbb {G}_2\), and 1 element in \(\mathbb {G}_T\).
The verification consists of checking that the proof consists of three appropriate group elements and checking a single pairing product equation. The verifier computes \(\ell \) exponentiations in \(\mathbb {G}_1\), a small number of group multiplications, and 3 pairings (assuming \(e(G^{\alpha },H^{\beta })\) is precomputed in the verifier’s reference string).
The prover has to compute the polynomial h(X). The prover can compute the polynomial evaluations
for \(q=1,\ldots ,n\). It depends on the relation how long time this computation takes; if it arises from an arithmetic circuit where each multiplication gate connects to a constant number of wires, the relation will be sparse and the computation will be linear in n. Since the polynomials have degree \(n1\) they are completely determined by these evaluation points. If \(r_1,\ldots ,r_n\) are roots of unity for a suitable prime p she can compute h(X) using standard Fast Fourier Transform techniques in \(O(n\log n)\) operations in \(\mathbb {Z}_p\). The prover can also compute the coefficients of \(\sum _{i=0}^ma_iu_i(X)\) and \(\sum _{i=0}^ma_iv_i(X)\) using FFT techniques. Having all the coefficients, the prover does \(m+3n\ell +3\) exponentiations in \(\mathbb {G}_1\) and \(n+1\) exponentiations in \(\mathbb {G}_2\).
Asymptotically the exponentiations are the dominant cost as the security parameter grows. However, in practice the multiplications that go into the FFT computations may be more costly for moderate security parameters and large statements. In that case, it may be worth to use a larger common reference string that contains precomputed \(G^{u_i(x)},G^{v_i(x)},H^{v_i(x)}\) elements for \(i=0,\ldots ,m\) such that A and B can be constructed directly instead of the prover having to compute the coefficients of \(\sum _{i=0}^ma_iu_i(X)\) and \(\sum _{i=0}^ma_iv_i(X)\) and then do the exponentiations. In the case of boolean circuits we have \(a_i\in \{0,1\}\) and the prover can with such precomputed elements just do m group multiplications for each when computing A and B. We have for this reason let the CRS be longer in Table 1 to get a low computational cost for the prover.
4 Lower Bounds for Noninteractive Arguments
It is an intriguing question how efficient noninteractive arguments can be. We will now give a lower bound showing that pairingbased noninteractive arguments must have proofs with at least 2 group elements if oneway functions exist. More precisely, we look at pairingbased arguments where the common reference string contains a description of a bilinear group and a number of group elements, the proof consists of a number of group elements computed by the prover using generic group operations, and the verifier checks the proof using generic bilinear group operations. We will show that for such pairingbased argument systems, the proof needs to have elements from both \(\mathbb {G}_1\) and \(\mathbb {G}_2\) if the language includes hard decisional problems as defined below.
Let us consider sampleable decisional problems for a relation R, where there are two sampling algorithms \(\mathsf{Yes}\) and \(\mathsf{No}\). \(\mathsf{Yes}\) samples statements and witnesses in the relation. \(\mathsf{No}\) samples statements outside the language \(L_R\) defined by the relation. We are interested in relations where it is hard to tell whether a statement \(\phi \) has been sampled by \(\mathsf{Yes}\) or \(\mathsf{No}\).
Definition 4
We say the relation generator \(\mathcal {R}\) has hard decisional problems if there are two efficient algorithms \(\mathsf{Yes}\) and \(\mathsf{No}\) such that for \((R,z)\leftarrow \mathcal {R}(1^\lambda )\) we have \(\mathsf{Yes}(R)\rightarrow (\phi ,w)\in R\) and \(\mathsf{No}(R)\rightarrow \phi \notin L_R\) with overwhelming probability, and for all nonuniform polynomial time distinguishers \(\mathcal {A}\)
If oneway functions exist, we can construct pseudorandom generators. A pseudorandom generator can be used to generate a pseudorandom string, a \(\mathsf{Yes}\)instance, with the seed being the witness. To get a \(\mathsf{No}\)instance we sample a uniform random string, which with overwhelming probability is not pseudorandom. If the relation R is NPcomplete, or just expressive enough to capture pseudorandom generators, then it has a hard decisional problem.
4.1 Linear Interactive Proofs Cannot Have Linear Decision Procedures
We will now prove that LIPs cannot have a linear decision procedure. This answers an open question raised by Bitansky et al. [BCI+13]. The result holds even if we consider designated verifier LIPs and instead of knowledge soundness only consider the weaker notion of soundness that we now define.
Definition 5
(Statistical Soundness Against Affine Prover Strategies). We say a LIP is (adaptively) sound against affine prover strategies if for all adversaries \(\mathcal {A}\)
Theorem 3
There are no 2move algebraic linear interactive proofs with a linear decision procedure for relation generators with hard decisional problems.
Proof
When the decision procedure is linear, the test \(\varvec{t}(\varvec{\sigma }_V,\varvec{\pi })=\varvec{0}\) can be rewritten as \(T\varPi \varvec{\sigma }_P=T'\varvec{\sigma }_V\), where the matrices \(T\in \mathbb {F}^{\eta \times k}\) and \(T'\in \mathbb {F}^{\eta \times m_V}\) can be efficiently computed from \(\varvec{t}\).
Let us now construct an adversary \(\mathcal {A}\) that given R and \(\phi \) has a good chance of determining whether \(\phi \) is sampled as a \(\mathsf{Yes}\)instance or a \(\mathsf{No}\)instance. First, \(\mathcal {A}\) repeatedly runs \((\phi _i,w_i)\leftarrow \mathsf{Yes}(R)\) and computes the matching proof and test matrices \(\varPi _i\) and \((T_i,T_i')\). Let V be the vector space generated by the tuples \((T_i\varPi _i,T_i')\). The adversary keeps sampling tuples until there is more than 50 % chance that a new tuple \((T_i\varPi _i,T_i')\) already belongs to V. We will in polynomial time with overwhelming probability sample such a vector space V since there are at most \(\eta (m_P+m_V)\) linearly independent tuples.
Now the adversary looks at the statement \(\phi \) that it is trying to classify as a \(\mathsf{Yes}\)instance or a \(\mathsf{No}\)instance. It computes the test matrices T and \(T'\) for \(\phi \) and then tries to solve \((T\varPi ,T')=\sum _ir_i(T_i\varPi _i,T_i')\) for \(\varPi \in \mathbb {F}^{k\times m_P}\) and \(r_i\in \mathbb {F}\). This is a system of linear equations and can therefore be solved efficiently. If a solution is found it guesses \(\phi \in L_R\) and if no solution is found it guesses \(\phi \notin L_R\).
Let us first analyze the case where \(\phi \in L_R\). Since this is a \(\mathsf{Yes}\)instance there is more than 50 % chance that there is a solution \(\varPi \) such that \((T\varPi ,T')\) belongs to the vector space V, so the adversary has 50 % chance of guessing \(\phi \in L_R\).
Next, let us analyze the case where \(\phi \notin L_R\). If we run the setup algorithm \((\varvec{\sigma }_P,\varvec{\sigma }_V,\varvec{\tau })\leftarrow \mathsf{Setup}(R)\) and \(\phi \notin L_R\) we have negligible probability for \(T\varPi \varvec{\sigma }_P=T'\varvec{\sigma }_V\). However, by completeness we have for all tuples in V that \(T_i\varPi _i\varvec{\sigma }_P=T_i'\varvec{\sigma }_V\). If there were a matrix \(\varPi \) such that \((T\varPi ,T')=\sum _ir_i(T_i\varPi ,T_i')\) we would have \(T\varPi \varvec{\sigma }_P=\sum _ir_iT_i\varPi _i\varvec{\sigma }_P=\sum _ir_iT_i'\varvec{\sigma }_V=T'\varvec{\sigma }_V\), so soundness implies this probability is negligible. The adversary guesses \(\phi \notin L_R\) with overwhelming probability. \(\square \)
4.2 Lower Bound for the Size of Generic PairingBased Noninteractive Arguments
We will now show that a generic pairingbased noninteractive argument over Type III groups must have elements in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\). The intuition behind this argument is that if we have a unilateral argument with only elements in \(\mathbb {G}_1\) or only elements in \(\mathbb {G}_2\), then the verification equations become linear and the impossibility result for LIPs apply.
Before we get started with the proof, let us define some useful notation. Define for a vector \(\varvec{v}=(v_1,\ldots ,v_n)\) that \(G^{\varvec{v}}=(G^{v_1},\ldots ,G^{v_n})\). Define for a vector of group elements \(G^{\varvec{v}}\) and a matrix A that \((G^{\varvec{v}})^A=G^{\varvec{v}A}\). Also, define for two vectors of group elements \(e(G^{\varvec{v}},H^{\varvec{w}})=\prod _{i=1}^ne(G^{v_i},H^{w_i})\).
We will consider pairingbased argument systems \((\mathsf{Setup},\mathsf{Prove},\mathsf{Vfy})\) where the proofs consist of group elements and where the algorithms only use generic group operations. Let us be explicit about how such a system operates and the consequences of using generic group operations.

\((\sigma ,\tau )\leftarrow \mathsf{Setup}(R)\): The relation contains a description of a bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\) and the common reference string contains group elements in \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\). Let us fix generators G and H for \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and write the vectors of group elements in \(\mathbb {G}_1,\mathbb {G}_2\) and \(\mathbb {G}_T\) as \(\varvec{\varSigma }_1=G^{\varvec{\sigma }_1}\), \(\varvec{\varSigma }_2=H^{\varvec{\sigma }_2}\) and \(\varvec{\varSigma }_T=e(G,H)^{\varvec{\sigma }_T}\). We want to avoid that the prover can learn nontrivial information about the discrete logarithms \(\varvec{\sigma }_1,\varvec{\sigma }_2,\varvec{\sigma }_T\) using generic bilinear group operations. An example of such a pathological case is a common reference string with group elements \(G,G^b\), where b is a bit. The prover can easily recover the bit b by guessing it and verifying the guess with generic group operations. We say the common reference string is disclosurefree if for any pairing product equation on the group elements in \(\varvec{\varSigma }_1,\varvec{\varSigma }_2\) and \(\varvec{\varSigma }_T\) it is possible with overwhelming probability to predict whether the equation holds or not, when we know the distribution of the common reference string but where we do not know the actual group elements.

\(\pi \leftarrow \mathsf{Prove}(R,\sigma ,\phi ,w)\): A prover using generic group operations and working on a disclosurefree common reference string has negligible chance of learning any nontrivial information about the common reference string group elements. This means her only viable mode of operation is to pick matrices \(\varPi _1,\varPi _2\) and \(\varPi _T\) and compute the proof by setting \(\pi =(\varvec{\psi }_1,\varvec{\psi }_2,\varvec{\psi }_T)\), where
$$\begin{aligned}\varvec{\psi }_1=\varvec{\varSigma }_1^{\varPi _1} \qquad \varvec{\psi }_2=\varvec{\varSigma }_2^{\varPi _2} \qquad \varvec{\psi }_T=\varvec{\varSigma }_T^{\varPi _T}.\end{aligned}$$ 
\(0/1\leftarrow \mathsf{Vfy}(R,\sigma ,\phi ,\pi )\): A verifier using generic group operations can only verify a proof by mapping \(\phi \) to matrices and vectors \(\{A_q,B_q,C_q,D_q,\varvec{e}_q,\varvec{f}_q\}_{q=1}^Q\) of elements in \(\mathbb {Z}_p\) and checking pairing product equations of the form
$$\begin{aligned}e(\varvec{\varSigma }_1^{A_q},\varvec{\varSigma }_2)e(\varvec{\psi }_1^{B_q},\varvec{\varSigma }_2)e(\varvec{\varSigma }_1^{C_q},\varvec{\psi }_2)e(\varvec{\psi }_1^{D_q},\varvec{\psi }_2)=\varvec{\varSigma }_T^{\varvec{e}_q}\cdot \varvec{\psi _T}^{\varvec{f}_q}.\end{aligned}$$
We note that there is no loss of generality in excluding multiexponentiation equations in \(\mathbb {G}_1\) or \(\mathbb {G}_2\); such equations can be translated to pairing product equations by pairing them with G or H.
We now get the following corollary to Theorem 3.
Corollary 1
A pairingbased noninteractive argument with a disclosurefree common reference string and algorithms using generic group operations cannot exist for relation generators with hard decisional problems unless the proofs have elements both in \(\mathbb {G}_1\) and \(\mathbb {G}_2\).
Proof
When the common reference string is disclosure free and the algorithms use generic operations they must work as outlined above. Taking discrete logarithms we get verification equations of the form
where \(\varvec{\psi }_1=G^{\varvec{\pi }_1}\) and \(\varvec{\psi }_2=H^{\varvec{\pi _2}}\) and \(\varvec{\psi }_T=e(G,H)^{\varvec{\pi }_T}\). If either \(\varvec{\pi }_1\) or \(\varvec{\pi }_2\) are empty, there are no \(\varvec{\pi }_1D_q\varvec{\pi }_2\) parts in the verification equations. Observe also that without loss of generality we can assume all the entries in the outer product of \(\varvec{\sigma }_1\) and \(\varvec{\sigma }_2\) are given in \(\varvec{\sigma }_T\) (this does not affect disclosurefreeness) so we can set \(A_q=0\) in every equation. This means all the verification equations are linear. Since the verification equations correspond to verifying a LIP “in the exponents” it follows from the impossibility of having LIPs with a linear decision procedure that the proof must have that both \(\varvec{\pi }_1\) and \(\varvec{\pi }_2\) are nontrivial and therefore that the proof has elements both in \(\mathbb {G}_1\) and \(\mathbb {G}_2\). \(\square \)
References
Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007)
Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structurepreserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct noninteractive arguments of knowledge, and back again. In: Innovations in Theoretical Computer Science, pp. 326–349 (2012)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKS and proofcarrying data. In: STOC, pp. 111–120 (2013)
BenSasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013)
BenSasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from bitcoin. In: IEEE Symposium on Security and Privacy, pp. 459–474 (2014)
Bitansky, N., Chiesa, A., Ishai, Y., Ostrovsky, R., Paneth, O.: Succinct noninteractive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013)
Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable oneway functions. In: STOC, pp. 505–514 (2014)
BenSasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014)
BenSasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct noninteractive zero knowledge for a von Neumann architecture. In: USENIX, pp. 781–796 (2014)
Blum, M., Feldman, P., Micali, S.: Noninteractive zeroknowledge and its applications. In: STOC, pp. 103–112 (1988)
Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 236–261. Springer, Heidelberg (2015). doi:10.1007/9783662488003_10
Costello, C., Fournet, C., Howell, J., Kohlweiss, M., Kreuter, B., Naehrig, M., Parno, B., Zahur, S.: Geppetto: versatile verifiable computation. In: IEEE Symposium on Security and Privacy, pp. 253–270 (2015)
Chiesa, A., Tromer, E., Virza, M.: Cluster computing in zero knowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 371–403. Springer, Heidelberg (2015)
Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014)
Danezis, G., Fournet, C., Kohlweiss, M., Parno, B.: Pinocchio coin: building zerocoin from a succinct pairingbased proof system. In: PETShopCCS (2013)
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proofs. SIAM J. Comput. 18(1), 186–208 (1989)
Groth, J., Ostrovsky, R., Sahai, A.: Noninteractive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)
Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zeroknowledge. J. ACM 59(3), 11:1–11:35 (2012)
Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)
Groth, J.: Simulationsound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
Groth, J.: Linear algebra with sublinear zeroknowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009)
Groth, J.: Short pairingbased noninteractive zeroknowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)
Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
Gentry, C., Wichs, D.: Separating succinct noninteractive arguments from all falsifiable assumptions. In: STOC, pp. 99–108 (2011)
Kilian, J.: A note on efficient zeroknowledge proofs and arguments. In: STOC, pp. 723–732 (1992)
Lipmaa, H.: Progressionfree sets and sublinear pairingbased noninteractive zeroknowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012)
Lipmaa, H.: Succinct noninteractive zero knowledge arguments from span programs and linear errorcorrecting codes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 41–60. Springer, Heidelberg (2013)
Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy, pp. 238–252 (2013)
Schoenmakers, B., Veeningen, M., de Vreede, N.: Trinocchio: privacyfriendly outsourcing by distributed verifiable computation. In: Cryptology ePrint Archive, Report 2015/480 (2015)
Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008)
Walfish, M.: A wishlist for verifiable computation: an applied CS perspective. Presentation at the Securing Computation Workshop at the Simons Institute for the Theory of Computing, UC Berkeley (2015)
Acknowledgments
We thank Eran Tromer for interesting discussions about the performance of SNARK implementations and the anonymous reviewers for their helpful reviews.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Groth, J. (2016). On the Size of PairingBased Noninteractive Arguments. In: Fischlin, M., Coron, JS. (eds) Advances in Cryptology – EUROCRYPT 2016. EUROCRYPT 2016. Lecture Notes in Computer Science(), vol 9666. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662498965_11
Download citation
DOI: https://doi.org/10.1007/9783662498965_11
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 9783662498958
Online ISBN: 9783662498965
eBook Packages: Computer ScienceComputer Science (R0)