@inproceedings{Maller:2019:SZS:3319535.3339817,
author = {Maller, Mary and Bowe, Sean and Kohlweiss, Markulf and Meiklejohn, Sarah},
title = {Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings},
booktitle = {Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security},
series = {CCS '19},
year = {2019},
isbn = {978-1-4503-6747-9},
location = {London, United Kingdom},
pages = {2111--2128},
numpages = {18},
url = {http://doi.acm.org/10.1145/3319535.3339817},
doi = {10.1145/3319535.3339817},
acmid = {3339817},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {updatability, zero-knowledge proofs},
}
Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptocurrencies and other applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal and updateable structured reference string, however the string scales quadratically in the size of the supported relations.
Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updateable structured reference string that scales linearly in size. Sonic proofs are constant size, and in the batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature. We also describe a generally useful technique in which untrusted ``helpersâ€™â€™ can compute advice which allows batches of proofs to be verified more efficiently.