Doubly-efficient zkSNARKs without trusted setup

We present a zero-knowledge argument for NP withlow communication complexity, low concrete cost for both theprover and the verifier, and no trusted setup, based on standardcryptographic assumptions (DDH). Specifically, communicationis proportional to at most the square root of the witness size, plusd ·log(G), for d the depth andG the width of the verifying circuit.Moreover, witness-related communication can be reduced belowsquare root, at the cost of increased verifier runtime. Whenapplied to batched or data-parallel statements, the prover’sruntime is linear and the verifier’s is sub-linear in the verifyingcircuit size, both with good constants. Together, these propertiesrepresent a new point in the tradeoffs among setup, complexityassumptions, proof size, and computational cost.Our argument is public coin, so we apply the Fiat-Shamirheuristic to produce a zero-knowledge succinct non-interactiveargument of knowledge (zkSNARK), which we call Hyrax. Weevaluate Hyrax on three benchmarks: SHA-256 Merkle trees,image transformation, and matrix multiplication. We find thatHyrax’s proofs are 2–10× smaller than prior work with similarproperties, and that Hyrax scales to 6–27× larger circuits than ahighly-optimized prior system that requires trusted setup.