Square Span Programs with Applications to
Succinct NIZK Arguments
George Danezis, University College London
Cédric Fournet, Microsoft Research
Jens Groth, University College London
Markulf Kohlweiss, Microsoft Research
Non-interactive zero-knowledge argument
Common reference string
Statement: 𝑥 ∈ 𝐿
𝑥, 𝑤 ∈ 𝑅𝐿
OK
Proof: 
Zero-knowledge:
Prover
Nothing but truth revealed
Soundness:
Verifier
Statement is true
Applications
NIZK arguments guarantee
honesty (soundness), yet
also preserve privacy (zeroknowledge)
Our contribution
• NIZK argument
– Perfect correctness
– Perfect zero-knowledge
– Computational soundness
• Knowledge extractor assumptions using pairings
• Conceptually simple
– New characterization of NP as Square Span Programs
• Small size
– Four group element proofs
Technical path
• Relation 𝑅𝐿 for NP-language 𝐿 given by circuit 𝐶𝑅
𝑎1
𝑎2
𝑎3
𝑎4
• Characterize satisfiability of 𝐶𝑅 as constraints
𝑎𝑉 ∈ {0,2}𝑑
• Rewrite constraints as square span program
𝑡 𝑥
divides
∑𝑎𝑖 𝑣𝑖 𝑥
2
−1
• Succinct NIZK argument for square span program
𝜋 = (𝐻, 𝐵𝑤 , 𝑉𝑤 , 𝑉)
Example
• Consider circuit with single XOR-gate 𝑎0 = 𝑎1 ⊕ 𝑎2
• Satisfiability corresponds to the constraints
𝑎1 , 𝑎2 ∈ 0,1
1 + 𝑎1 + 𝑎2 ∈ {0,2}
• Which we can write
0 0 1
𝑎𝑉 = 1, 𝑎1 , 𝑎2 2 0 1 ∈ 0,2 3
0 2 1
• This is satisfied if and only if for all columns 𝑉𝑗
𝑎𝑉𝑗 − 1
2
=1
Example continued
• Define
𝑡 𝑥 = 𝑥 + 1 𝑥 − 1 𝑥 𝑣0 𝑥 = −𝑥 2
𝑣1 𝑥 = 1 − 𝑥
𝑣2 𝑥 = 1 + 𝑥
• Chosen such that
𝑣0 −1 𝑣0 1
𝑣0 (0)
−1 −1 0
𝑣1 −1
𝑣1 1
𝑣1 (0) = 2
0 1
0
2 1
𝑣2 (−1) 𝑣2 (1) 𝑣2 (0)
• Then 𝑎𝑉𝑗 − 1
𝑡 𝑥 divides
2
= 1 for all 𝑗 if and only if
𝑣0 𝑥 + 𝑎1 𝑣1 𝑥 + 𝑎2 𝑣2 𝑥
2
−1
• Using techniques presented later we can use the
latter equation in an NIZK argument
Characterizing circuit satisfiability as a set of
integer constraints
𝑎
4
𝑎0
𝑎1
• Consider a circuit
𝑎2
with wires 𝑎0 , … , 𝑎𝑚 𝑎3
• The circuit is satisfiable if all wires 𝑎𝑖 ∈ {0,1}, and
they respect all the gates, and the output is 1
• Write the wires as a vector 𝑎 = 𝑎0 , 𝑎1 , … , 𝑎𝑚
The condition 𝑎𝑖 ∈ 0,1 can be written 𝑎𝐼 ∈ 0,1 𝑚+1
– Could omit trivial checks, e.g., we know 𝑎0 = 1 for satisfied
circuit and we may know some inputs 𝑎1 , … , 𝑎ℓ ∈ {0,1}
Linearization of the gates
• Fan-in 2 gates can be linearized
– For the XOR-gate we have for 𝑎, 𝑏, 𝑐 ∈ {0,1}
𝑎 ⊕ 𝑏 = 𝑐 if and only if 𝑎 + 𝑏 + 𝑐 ∈ 0,2
– For the NAND-gate we have for 𝑎, 𝑏, 𝑐 ∈ 0,1
¬ 𝑎 ∧ 𝑏 = 𝑐 if and only if 𝑎 + 𝑏 + 2c − 2 ∈ {0,1}
• In our paper we show that by multiplying some
equations by 2, we can write all non-trivial fan-in 2
gates on the form 𝛼𝑎 + 𝛽𝑏 + 𝛾𝑐 + 𝛿 ∈ {0,2}
Characterizing circuit satisfiability as
constraints on an affine map
• We write the gate equations in a matrix 𝐺 such
that the wires respect the 𝑛 gates if and only if
𝑎𝐺 ∈ 0,2 𝑛
• Combined with the constraint 𝑎𝐼 ∈ {0,1}𝑚+1 we get
the circuit is satisfiable if and only if
𝑎𝑉 = 𝑎 2𝐼|𝐺 ∈ {0,2}𝑚+𝑛+1
• The constants are small, so the equivalence with
circuit satisfiability also holds over 𝒁𝑝 for 𝑝 ≥ 8
Technical path
• Relation 𝑅𝐿 for NP-language 𝐿 given by circuit 𝐶𝑅
𝑎1
𝑎2
𝑎3
𝑎4
• Characterize satisfiability of 𝐶𝑅 as constraints
𝑎𝑉 ∈ {0,2}𝑑
• Rewrite constraints as square span program
𝑡 𝑥
divides
∑𝑎𝑖 𝑣𝑖 𝑥
2
−1
• Succinct NIZK argument for square span program
𝜋 = (𝐻, 𝐵𝑤 , 𝑉𝑤 , 𝑉)
Square span program
Quadratic span programs
• A square span program consists of polynomials
Two sequences of polynomials:
𝑣0 𝑥 , … , 𝑣𝑚𝑡(𝑥)
𝑥 divides
, 𝑡(𝑥) with
𝑣𝑖 𝑖𝑥𝑤𝑖 (𝑥)
< deg 𝑡 𝑥 =
∑𝑎𝑖 𝑣deg
𝑖 𝑥 ⋅ ∑𝑏
𝑑
Quadratic arithmetic programs
sequences
polynomials
• We sayThree
a square
spanofprogram
over 𝒁𝑝 accepts an
𝑡(𝑥) divides ∑𝑎ℓ𝑖 𝑣𝑖 𝑥 ⋅ ∑𝑏𝑖 𝑤𝑖 𝑥 − ∑𝑐𝑖 𝑦𝑖 (𝑥)
input 𝑎1 , … , 𝑎ℓ ∈ 0,1 if and only if there exists
𝑎ℓ+1 , … , 𝑎𝑚 ∈ 𝒁𝑝 such that
2
𝑚
𝑡 𝑥
divides
𝑎𝑖 𝑣𝑖 𝑥
𝑖=0
−1
using 𝑎0 = 1
• We say a square span program accepts a language
From affine map constraints to SSPs
• Earlier
𝑎1
𝑎2
𝑎3
𝑎4
𝑎𝑉 ∈ {0,2}𝑑 over 𝒁𝑝
• Pick distinct points 𝑟1 , … , 𝑟𝑑 ∈ 𝒁𝑝
• Define 𝑡 𝑥 = ∏(𝑥 − 𝑟𝑗 )
• Define 𝑣0′ (𝑥), 𝑣1 𝑥 , … , 𝑣𝑚 (𝑥) such that
𝑣0 ′ 𝑟1 … 𝑣0 ′(𝑟𝑑 )
⋮
⋱
⋮
=𝑉
𝑣𝑚 (𝑟1 ) … 𝑣𝑚 (𝑟𝑑 )
and 𝑣0 𝑥 = 𝑣0′ 𝑥 − 1
Why does the square span program work?
• We want for all columns 𝑗 that 𝑎𝑉𝑗 ∈ {0,2} or
equivalently that 𝑎𝑉𝑗 − 1 ∈ {−1,1} (over 𝒁𝑝 )
• By the choice of polynomials 𝑣0 𝑥 , … , 𝑣𝑚 (𝑥) we
have ∑𝑎𝑖 𝑣𝑖 𝑟𝑗 = 𝑎𝑉𝑗 − 𝑎0 1 = 𝑎𝑉𝑗 − 1
• This gives us the condition ∑𝑎𝑖 𝑣𝑖 𝑟𝑗
• So 𝑎𝑉 ∈ 0,2
𝑑
2
=1
if and only if all 𝑟𝑗 are roots in the
polynomial ∑𝑎𝑖 𝑣𝑖 𝑥
2
−1
• I.e., 𝑡 𝑥 = ∏(𝑥 − 𝑟𝑗 ) divides
∑𝑎𝑖 𝑣𝑖 𝑥
2
−1
Technical path
• Relation 𝑅𝐿 for NP-language 𝐿 given by circuit 𝐶𝑅
𝑎1
𝑎2
𝑎3
𝑎4
• Characterize satisfiability of 𝐶𝑅 as constraints
𝑎𝑉 ∈ {0,2}𝑑
• Rewrite constraints as square span program
𝑡 𝑥
divides
∑𝑎𝑖 𝑣𝑖 𝑥
2
−1
• Succinct NIZK argument for square span program
𝜋 = (𝐻, 𝐵𝑤 , 𝑉𝑤 , 𝑉)
Prime order bilinear groups
• Gen(1𝑘 ) generates (𝑝, G, G, G 𝑇 , 𝑒)
• G, G, G 𝑇 finite cyclic groups of prime order 𝑝
• Pairing 𝑒: G × G → G 𝑇
– 𝑒
𝑈𝑎 , 𝑉 𝑏
= 𝑒 𝑈, 𝑉
𝑎𝑏
– G = 𝐺 , G = 𝐻 , G 𝑇 = ⟨𝑒 𝐺, 𝐺 ⟩
• Deciding group membership, group operations,
and bilinear pairing efficiently computable
16
• Statement: (𝑎1 , … , 𝑎ℓ ) accepted by SSP
• Common reference string: 𝛽, 𝑠 ← 𝒁𝑝
𝑠𝑑
𝑠𝑑
(𝐺, 𝐺, … , 𝐺 , 𝐺 , 𝐺𝛽𝑣ℓ+1 𝑠 , … , 𝐺𝛽𝑣𝑚 𝑠 , 𝐺𝛽𝑡 𝑠 , 𝐺, 𝐺𝛽 )
• Argument: Pick 𝛿 ← 𝒁𝑝 and compute ℎ(𝑥) such that
ℎ 𝑥 𝑡 𝑥 = ∑𝑎𝑖 𝑣𝑖
𝑥
+ 𝛿𝑡 𝑥
2
Compute 𝜋 = (𝐻, 𝑉𝑤 , 𝐵𝑤 , 𝑉) as
𝐵𝑤 = 𝐺𝛽(∑𝑖>ℓ 𝑎𝑖 𝑣𝑖 𝑠 +𝛿𝑡 𝑠 ) 𝐻 = 𝐺ℎ 𝑠
𝑉𝑤 = 𝐺 ∑𝑖>ℓ 𝑎𝑖 𝑣𝑖 𝑠 +𝛿𝑡 𝑠
𝑉 = 𝐺 ∑𝑎𝑖 𝑣𝑖
−1
𝑠 +𝛿𝑡 𝑠
• Verification: Compute 𝑉 = 𝐺 ∑𝑖≤ℓ 𝑎𝑖 𝑣𝑖 𝑠 𝑉𝑤 and check
𝑒 𝑉, 𝐺 = 𝑒 𝐺, 𝑉
𝑒 𝑉𝑤 , 𝐺𝛽 = 𝑒 𝐵𝑤 , 𝐺
𝑒
𝐻, 𝐺 𝑡 𝑠
= 𝑒(𝑉, 𝑉)𝑒 𝐺, 𝐺
−1
Succinct NIZK argument
•
•
•
•
Pinocchio
Argument: 8 elements
Perfect correctness
Computation: Better
when statements involve
Perfect zero-knowledge
Computational soundness additions or
multiplications instead of
– Assuming d-PKE, d-PDH, and d-TSDH
assumptions
fan-in 2 gates
since it is
based on quadratic
Succinct
– 4 group elements ≈ 160 bytes arithmetic programs
• Efficient
– Prover: 𝑂(𝑑 log 𝑑) multiplications and 3 exponentiations
– Verifier: ℓ + 1 multiplications and 6 pairings ≈ 6ms
Summary
• Introduced square span programs
– Conceptually simple type of quadratic span programs
• Showed they are NP-complete
𝑎1
𝑎2
𝑎3
𝑎4
𝑎𝑉 ∈ {0,2}𝑑
𝑡 𝑥
divides
• Succinct NIZK argument
– 4 group elements 𝜋 = (𝐻, 𝑉𝑤 , 𝐵𝑤 , 𝑉)
∑𝑎𝑖 𝑣𝑖 𝑥
2
−1