Difference between revisions of "Groth16"
Jump to navigation
Jump to search
(Created page with "Key points about Groth16: * It is pairing based") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
Key points about Groth16: | Key points about Groth16: | ||
| − | * It is pairing based | + | * Uses Asymmetric Bilinear Pairings (can be instantiated with any type of pairings). Asymmetric setting is more efficient. |
| + | * It is a NIZK for Artithmetic Satisfiability. | ||
| + | * The Proof only needs 3 group elements. | ||
| + | * The Verifier only needs to check a single pairing equation and compute a number of exponentiations proportional to the statement size. | ||
| + | * Perfect completeness and perfect zero-knowledge. | ||
| + | * Relies on a security proof in the generic bilinear group. | ||
| + | |||
| + | How it Works: | ||
| + | All pairing-based SNARKs follow a common method: | ||
| + | * Prover computes a number of group elements using generic group operations | ||
| + | * Verifier checks proof using pairing product equations | ||
| + | Bitansky et al. formalize the above method into LIPs. | ||
| + | In Groth16, a LIP system for arithmetic circuits is designed where te prover only sends 3 field elements. | ||
| + | Performance: | ||
Latest revision as of 13:17, 14 October 2020
Key points about Groth16:
- Uses Asymmetric Bilinear Pairings (can be instantiated with any type of pairings). Asymmetric setting is more efficient.
- It is a NIZK for Artithmetic Satisfiability.
- The Proof only needs 3 group elements.
- The Verifier only needs to check a single pairing equation and compute a number of exponentiations proportional to the statement size.
- Perfect completeness and perfect zero-knowledge.
- Relies on a security proof in the generic bilinear group.
How it Works: All pairing-based SNARKs follow a common method:
- Prover computes a number of group elements using generic group operations
- Verifier checks proof using pairing product equations
Bitansky et al. formalize the above method into LIPs. In Groth16, a LIP system for arithmetic circuits is designed where te prover only sends 3 field elements. Performance:
