ACE Seminar: Aurora: Transparent zkSNARKs for R1CS

Speaker: Nick Spooner

Date/Time: 17-Dec-2018, 16:00 UTC

Venue: Robert 3.09



Pairing-based zkSNARKs, such as those used in the Zcash protocol, have many advantages: they are non-interactive, short (a few hundred bytes), and cheap to verify (a few milliseconds). Unfortunately, they also have major downsides in terms of security: they rely on relatively heavy asymmetric cryptography (and are, in particular, not post-quantum secure) and, more seriously, they rely on trusted parameter generation for security. A major open problem in this area is to design zero knowledge arguments which share the advantages of pairing-based SNARKs but avoid these downsides. In this work we present Aurora, a zkSNARK for R1CS which is secure in the random oracle model (with no additional assumptions). Since Aurora uses only symmetric cryptography, it is plausibly post-quantum secure and requires no trusted setup (i.e., it is transparent). We design, analyse and implement the protocol, and show that for circuit problems it achieves better proof length and verification time than Ligero and STARK. Underlying the protocol is an interactive oracle proof of linear size and logarithmic query complexity, which relies on a novel protocol for a univariate version of the sum check problem.
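The relation Aurora proves is R1CS satisfiability: given matrices A, B, C over a finite field, the prover knows a vector z with (A z) * (B z) = C z entrywise. The following is an added illustration written for this page, not code from the Aurora paper or its libiop implementation. The field modulus, the toy circuit (out = x^3 + x + 5, the usual warm-up example), the variable layout and the function names are all constructed here; it shows the plain, non-zero-knowledge check that a verifier would otherwise have to perform on the full assignment z, which is exactly what a zkSNARK lets the verifier become convinced of without seeing z.

```python
"""R1CS satisfiability over a prime field: a constructed example.

Example code added for this page, not the Aurora/libiop implementation.
The modulus P, the circuit out = x^3 + x + 5 and the wire layout
z = (1, x, out, v1, v2) are assumptions for illustration only.
"""
from typing import Dict, List, Tuple

P = 2**61 - 1  # assumed field modulus (a Mersenne prime); any prime works

Vector = List[int]
# One R1CS constraint (a, b, c) means <a, z> * <b, z> = <c, z> in F_P.
Constraint = Tuple[Vector, Vector, Vector]

# Wire indices for the toy circuit; wire 0 is the constant-one wire.
WIRES: Dict[str, int] = {"one": 0, "x": 1, "out": 2, "v1": 3, "v2": 4}


def dot(row: Vector, z: Vector) -> int:
    """Inner product reduced modulo P."""
    return sum(r * v for r, v in zip(row, z)) % P


def r1cs_satisfied(constraints: List[Constraint], z: Vector) -> bool:
    """True iff z satisfies every constraint.

    The constant wire z[0] must be 1: if a prover could choose it freely,
    every affine term in a constraint could be scaled away, so a verifier
    pins it before checking anything else.
    """
    if not z or z[0] != 1:
        return False
    return all(dot(a, z) * dot(b, z) % P == dot(c, z) for a, b, c in constraints)


def row(**coeffs: int) -> Vector:
    """Build a sparse row from wire-name -> coefficient pairs."""
    r = [0] * len(WIRES)
    for name, c in coeffs.items():
        r[WIRES[name]] = c % P
    return r


def cubic_r1cs() -> List[Constraint]:
    """Constraints for out = x^3 + x + 5, one multiplication per constraint."""
    return [
        (row(x=1), row(x=1), row(v1=1)),                   # x  * x = v1
        (row(v1=1), row(x=1), row(v2=1)),                  # v1 * x = v2
        (row(v2=1, x=1, one=5), row(one=1), row(out=1)),   # (v2 + x + 5) * 1 = out
    ]


def witness(x: int) -> Vector:
    """Honest prover: extend the secret input x to a full assignment z."""
    x %= P
    v1 = x * x % P
    v2 = v1 * x % P
    out = (v2 + x + 5) % P
    return [1, x, out, v1, v2]


def verify_statement(constraints: List[Constraint], z: Vector, public_out: int) -> bool:
    """Verifier's check: the claimed public output matches and all constraints hold."""
    return z[WIRES["out"]] == public_out % P and r1cs_satisfied(constraints, z)
```

With x = 3 the honest witness satisfies the constraints and yields out = 35; changing any intermediate wire, or presenting the witness for a different x against the public output 35, makes the check fail. Aurora's IOP encodes z as evaluations of a low-degree polynomial and reduces the three inner-product checks above to its univariate sumcheck, so the verifier never receives z itself.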


Nick Spooner is a PhD student at UC Berkeley, advised by Alessandro Chiesa. His work focuses on the application of algebraic techniques to zero knowledge proof systems. His interests include interactive proof systems, zero knowledge, coding theory and computational complexity.

This page was last modified on 27 Mar 2014.