SNARKs are becoming very popular in real-world applications such as delegated computation or blockchain systems: An example of early practical use case, Zerocash showed how that we can deploy zk-SNARKs in distributed ledgers to achieve payment systems with strong privacy guarantees. More recent zk-SNARK use cases are in Ethereum smart contracts for boosting scalability and privacy. Another example of SNARK application is the Filecoin System that implements a decentralized storage solution for the internet. To date, the Filecoin Network is the largest SNARK system in production, producing and verifying over 5 million SNARKs on a daily basis.
Due to their rapid and massive adoption, the SNARKs schemes used today start facing new challenges: the generation of trusted setups requires complicated ceremonies, proving large statements has significant overhead, verifying multiple proofs is expensive even with batching, so many blockchain systems have therefore scalability issues.
Span of this effort: 2021
In this work, we look into reducing proof size and verifier time for SNARKs even further in order to meet these significant scalability requirements.
We design SnarkPack:
- an argument that allows to aggregate n Groth16 zk-SNARKs with a O(log n) proof size and O(log n) verifier time.
- it is based on a trusted setup that can be constructed from two different ceremonies (e.g. the so-called ”powers of tau” for Zcash [zca18] and Filecoin [Fil20])
- we focus on Groth16 proofs and tailor optimisations for this case, since it is the most popular scheme among practitioners.
SnarkPack is the first real-world aggregation system that can be used in blockchains applications to reduce the on-chain work by employing verifiable outsourcing to process a large number of proofs off-chain. This applies broadly to any system that needs to delegate batches of state updates to an untrusted server.
- Academic paper: eprint.iacr.org/2021/529
- Implementation for Filecoin: Library bellperson
- Talk accepted to RWC22:
- Paper accepted at Financial Crypto2022
@Anca Nitulescu (DRI), @nikkolasg g,