Simulation Extractable Versions of Groth’s zk-SNARK Revisited

Among various NIZK arguments, zk-SNARKs are the most efficient constructions in terms of proof size and verification which are two critical criteria for large scale applications. Currently, Groth’s construction, \(\textsf {Groth16}\), from Eurocrypt’16 is the most efficient and widely deployed one. However, it is proven to achieve only knowledge soundness, which does not prevent attacks from the adversaries who have seen simulated proofs. There has been considerable progress in modifying \(\textsf {Groth16}\) to achieve simulation extractability to guarantee the non-malleability of proofs. We revise the Simulation Extractable (SE) version of \(\textsf {Groth16}\) proposed by Bowe and Gabizon that has the most efficient prover and \(\mathsf {crs}\) size among the candidates, although it adds Random Oracle (RO) to the original construction. We present a new version which requires 4 parings in the verification, instead of 5. We also get rid of the RO at the cost of a collision resistant hash function and a single new element in the \(\mathsf {crs}\). Our construction is proven in the generic group model and seems to result in the most efficient SE variant of \(\textsf {Groth16}\) in most dimensions.