Simulation-Extractable zk-SNARK With a Single Verification

Among the zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), the simulation-extractable zk-SNARK (SE-SNARK) introduces the security notion of non-malleability. The existing pairing-based zk-SNARKs designed from linear encodings are known to be vulnerable to algebraic manipulation of the proof. The latest SE-SNARKs check proof consistency at the cost of a larger proof and a more expensive verification; in particular, the number of pairings almost doubles because of the additional verification. In this article, we propose two novel SE-SNARK constructions with a single verification. The consistency check is subsumed in the single verification by employing a hash function. The proof size and verification time of the proposed SE-SNARK schemes are minimal in that they equal those of the state-of-the-art zk-SNARK without non-malleability. The proof in our SE-SNARK constructions comprises only three group elements (type III pairing) in the QAP-based scheme and two group elements (type I pairing) in the SAP-based scheme. Verification in both requires only 3 pairings. The soundness of the proposed schemes is proven under the hash-algebraic knowledge (HAK) assumption and the (linear) collision-resistant hash assumption.


I. INTRODUCTION
The zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is an effective zero-knowledge proof system for proving a statement without revealing the witness, where both the proof size and the verification cost are succinct. In particular, the pairing-based zk-SNARKs [1], [2] are well known for their constant-sized proof and constant-time verification, which make them a suitable choice for various applications including blockchains [3], [4]. Groth's protocol [1] in particular is accepted as the current standard for pairing-based SNARKs; it has a minimal proof size of 3 group elements and requires 3 pairings in verification.
One main concern in pairing-based zk-SNARKs is that the proofs are vulnerable to algebraic manipulation: since the proof elements possess the algebraic structure of a linear encoding, it is possible to create a new proof from arbitrary proofs without knowing the witness. For instance, in Groth's protocol [1], where the simplified version of the proof consists of three elements $(G^a, H^b, G^c)$ satisfying $a \cdot b = c$, an adversary can forge a new proof by using a random $r$ while preserving the algebraic relation, as $(G^{ar}, H^{b r^{-1}}, G^{c})$ or $(G^{a}, H^{b+r}, G^{c+ar})$.
The associate editor coordinating the review of this manuscript and approving it for publication was Wei Huang.
In order to prevent malleability, Groth and Maller [5] introduced simulation-extractability, a security notion for non-malleability of proofs. They defined the simulation-extractable zk-SNARK (SE-SNARK) and proposed a construction based on Groth's zk-SNARK [1] that keeps the proof size at 3 group elements. However, their construction relies on the square arithmetic program (SAP) representation instead of the quadratic arithmetic program (QAP) used by common zk-SNARKs; compared to the QAP, the SAP roughly doubles the circuit size, which in turn doubles the common reference string (CRS) size and the proving time. In short, Groth and Maller's construction [5] sacrifices CRS size and proving time to gain simulation-extractability. To avoid this inefficiency, Bowe and Gabizon [6] restored the QAP representation in the SE-SNARK by applying elliptic curve hashing [7] to Groth's protocol [1]. However, they pay the price in proof size, which grows to 5 elements: 2 additional elements are required to check the consistency of the hashed elements. The proof size can be a crucial cost for size-sensitive blockchains such as Zcash [3], where each transaction carries a proof.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Most recently, Lipmaa [8] improved the result further by proposing an SE-SNARK for QAP with a proof size of 4 elements. His construction adds a special tag and a trapdoor for simulation-extractability and compresses them into a single additional argument which cannot be algebraically manipulated without knowledge of the witness. A proof of 4 elements is close to the 3 elements of Groth's protocol [1], but it still pays the price of one additional proof element.
Another crucial price is that all SE-SNARKs, including the schemes above [5], [6], [8], require an additional check in the verification. Because of the linear nature of pairing-based zk-SNARKs, the original check of the relation (i.e. $a \cdot b = c$ in QAP or $a^2 = c$ in SAP) is unable to detect algebraic modifications. It is formally proved in [5] that SNARKs from linear encodings require at least 2 verification equations to be simulation-extractable, a bound shown by reduction for relations with a hard decisional problem. Hence, SE-SNARK verification suffers from additional pairings: [5], [6], and [8] all require 2 additional pairings on top of the original relation check, which consists of 3 pairings. This almost doubles the cost of verification, which is undesirable for applications where verification occurs frequently on resource-limited clients.
In this article, we propose SE-SNARKs with a single verification, applying a hash function to overcome the limits of existing SE-SNARKs. The idea comes from the observation that blending the hash function into the encodings provides a unique connection between the proof elements, which eliminates the need for an additional check against algebraic modifications. In [6], which also applies a hash function, an additional verification is still required since the hash output is an independent element which must be checked afterwards. On the other hand, if we combine the hash output into the encoding itself (i.e. into the secret exponents), the additional check is unnecessary since the proof elements are already determined as a unique tuple. Specifically, in the simplified proof $(G^a, H^b, G^c)$ of Groth's protocol [1], let $c$ include the hash values of each input $G^a$ and $H^b$; then $G^c$ is determined as a unique element tightly connected to $G^a$ and $H^b$. In this case, when $G^a$ or $H^b$ is (algebraically) modified, $c$ must also be modified accordingly to satisfy the original relation.¹,²
¹ Since the hash is applied before the encoding, we can adopt any standard hash (e.g. SHA-3), unlike [6], which requires a hash function that maps an input onto an elliptic curve.
² Notice that the bound of 2 verifications from [5] does not apply to our construction; the hash output in $c$ prevents the construction from being a SNARK from linear encodings.
We construct two versions of SE-SNARK, a QAP-based construction and an SAP-based construction, both with a single verification, which reduces the verification cost from 5 pairings to 3 pairings compared to the existing SE-SNARKs [5], [6], [8]. Our QAP-based construction achieves a proof size of 3 elements; it requires neither an additional element as in [6], [8] nor a larger CRS as in [5]. Our SAP-based construction achieves a proof size of 2 elements, which beats the 3-element proof bound of [5]. Both constructions accomplish simulation-extractability with the minimal proof size and verification time among the existing SE-SNARKs [5], [6], [8]. The security of our SE-SNARKs is based on the hash-algebraic knowledge (HAK) assumption from [8] and the existence of a (linear) collision-resistant hash function: the SAP-based scheme requires a collision-resistant (CR) hash function, while the QAP-based scheme requires a linear collision-resistant (LCR) hash function, a variant of the collision-resistant hash function. Both CR and LCR can be instantiated from a standard hash function such as SHA2. From a security viewpoint, the existence of an LCR hash is an assumption no stronger than the discrete logarithm assumption in the random oracle model (Lemma 1). The complete constructions are more involved than this intuition and are described in section V. Table 1 compares the size and computation performance of SNARKs, including Groth's zk-SNARK [1] (without simulation-extractability) and various SE-SNARKs. Our QAP-based SE-SNARK achieves 3 proof elements (type III); it pays no price for simulation-extractability relative to Groth's protocol [1]. Our SAP-based SE-SNARK achieves 2 proof elements (type I), which is more efficient (one fewer proof element and two fewer pairings in verification) than Groth and Maller's SAP-based SE-SNARK [5].
The rest of this article proceeds as follows. Section II organizes related works on zk-SNARKs. Section III introduces some preliminary backgrounds, and section IV introduces security assumptions. In section V, we propose a QAP-based SE-SNARK construction. In section VI, we propose an SAP-based SE-SNARK construction. In section VII, we conclude.

II. RELATED WORK
In the history of proof systems and verifiable computation, there are various NIZK arguments of different types that do not leverage QSP (quadratic span program) or QAP (quadratic arithmetic program) circuits [9]-[15]. A well-known branch comes from the sum-check protocol [9], which obtains a sublinear proof through the Fiat-Shamir transformation [16]. Nonetheless, these do not support constant-time verification; their verification time is sublinear in the size of the circuit.
Since Gennaro et al. [17] introduced the quadratic span program (QSP) and the quadratic arithmetic program (QAP), zk-SNARKs have had constant proof size and constant verification cost. In 2013, Parno et al. [2] proposed a zk-SNARK scheme called Pinocchio and provided the first practical implementation of a zk-SNARK. After Pinocchio, many works added and enhanced functionalities, such as multiple-function control, additional anonymity for the I/O, or proof scalability [18]-[23].

TABLE 1. The comparison of SE-SNARKs, based on arithmetic circuit satisfiability with l element instances, m wires, and n multiplication gates. Since SAP uses squaring gates, 2n squaring gates and 2m wires are considered instead of n multiplication gates and m wires. Units: G stands for group elements, E for exponentiations and P for pairings.
Later, Groth [1] proposed a more efficient zk-SNARK scheme. Compared with Pinocchio [2], the proof size was reduced from 8 group elements to 3, and the number of pairing operations required to verify a proof from 11 to 3. These SNARK protocols have recently been implemented as open source [24], [25] for use in real applications. By exploiting the short proof sizes and short verification times, zk-SNARKs can be used as a key component in various cryptographic applications such as anonymous cryptocurrencies [3], [26], [27].
Zerocash [3], one of the anonymous cryptocurrencies based on blockchain technology, uses a zk-SNARK to hide transaction information and to provide an efficient verification process. However, since the zk-SNARKs [1], [2] do not provide simulation-extractability, Zerocash has to add extra cryptographic primitives such as one-time signatures to avoid malleability attacks.
Groth and Maller [5] define and construct the simulation-extractable SNARK (SE-SNARK), a notion similar to signatures of knowledge [28]. While maintaining the efficient proof size of [1], their scheme prevents malleability attacks thanks to simulation-extractability.
Recently, Bowe and Gabizon [6] made Groth's scheme [1] simulation-extractable in the random oracle model, with an additional hash in the proof and in the verification. However, their scheme has 5 group elements in the proof and 2 verification equations, which is inefficient compared to [5], and its security is proven only in the random oracle model. Lipmaa proposes a simulation-extractable SNARK without the random oracle model [8]. Its security is proven under a new assumption called the subversion algebraic knowledge (SAK) assumption, in which an adversary A that outputs a group element must know the exponents, with respect to the known group elements or the randomly generated group elements, used to build it. In his scheme, the proof size is reduced to 4 group elements and 2 verification equations are required, while QAP is supported.

III. PRELIMINARIES A. NOTATION
We denote the security parameter by $\lambda \in \mathbb{N}$. For functions $f, g : \mathbb{N} \to [0, 1]$ we write $f(\lambda) \approx g(\lambda)$ when $|f(\lambda) - g(\lambda)| = \lambda^{-\omega(1)}$. A function $f$ is negligible if $f(\lambda) \approx 0$. We implicitly assume that the security parameter is available to all participants and to the adversary. If $S$ is a set, $x \xleftarrow{\$} S$ denotes selecting $x$ uniformly at random from $S$. If $A$ is a probabilistic algorithm, $x \leftarrow A(\cdot)$ denotes running $A$ on some proper input and returning output $x$.
We define $\mathrm{trans}_A$ to include all of $A$'s inputs and outputs, including the random coins of algorithm $A$. We use games in security definitions and proofs. A game $\mathcal{G}$ has a main procedure whose output is the output of the game. The notation $\Pr[\mathcal{G}]$ denotes the probability that the output is 1.

B. RELATIONS
Given a security parameter $1^\lambda$, a relation generator $\mathcal{R}$ returns a polynomial-time decidable relation $R \leftarrow \mathcal{R}(1^\lambda)$. For $(\phi, w) \in R$ we say that $w$ is a witness to the instance $\phi$ being in the relation. We denote by $\mathcal{R}_\lambda$ the set of possible relations that $\mathcal{R}(1^\lambda)$ might output.

C. ZERO-KNOWLEDGE SUCCINCT NON-INTERACTIVE ARGUMENTS OF KNOWLEDGE
Definition 1: A zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) for R is a set of four algorithms Arg = (Setup, Prove, Vfy, SimProve) working as follows:
• (crs, τ) ← Setup(R): the setup algorithm is a PPT algorithm which receives a relation R ∈ R_λ as input and outputs a common reference string crs and a simulation trapdoor τ.
• π ← Prove(crs, φ, w): the prover algorithm is a PPT algorithm which receives a common reference string crs for a relation R and (φ, w) ∈ R as input and outputs a proof π.
• 0/1 ← Vfy(crs, φ, π): the verifier algorithm is a deterministic polynomial-time algorithm which receives a common reference string crs, an instance φ and a proof π as input and outputs 0 (reject) or 1 (accept).
• π ← SimProve(crs, τ, φ): the simulator is a PPT algorithm which receives the common reference string crs, the simulation trapdoor τ and an instance φ as input and outputs a simulated proof π without a witness.
Computational Knowledge Soundness: Computational knowledge soundness says that the prover must know a witness, and that the witness can be efficiently extracted from the prover by a knowledge extractor. Proof of knowledge requires that for every adversarial prover $A$ generating an accepting proof there exists an extractor $\chi_A$ which, given the same input as $A$, outputs a valid witness. Formally, an argument system Arg is computationally knowledge sound if for any PPT adversary $A$ there exists a PPT extractor $\chi_A$ such that $\mathrm{Adv}^{\mathrm{sound}}_{\mathrm{Arg},A,\chi_A}(\lambda) \approx 0$.
Perfect Zero-Knowledge: Perfect zero-knowledge states that the system does not reveal any information except the truth of the instance. This is modelled by a simulator which can generate simulated proofs using some trapdoor information without knowing the witness. Formally, $\mathrm{Adv}^{\mathrm{zk}}_{\mathrm{Arg},A}(\lambda)$ is defined as follows: The argument system is perfectly zero-knowledge if for all PPT adversaries $A$, $\mathrm{Adv}^{\mathrm{zk}}_{\mathrm{Arg},A}(\lambda) = 0$.
Succinctness: Succinctness states that the argument generates a proof whose size is polynomial in the security parameter, and that the verifier's computation time is polynomial in the security parameter and in the instance size.

Definition 2: A simulation-extractable SNARK system
(SE-SNARK) for R is a zk-SNARK system (Setup, Prove, Vfy, SimProve) with simulation-extractability, defined as follows.
Simulation-Extractability [5]: Simulation-extractability states that an adversary $A$ that sees simulated proofs, even for false instances, cannot modify them into another proof for a false instance. Non-malleability of proofs prevents cheating in the presence of simulated proofs. Formally, we define the advantage $\mathrm{Adv}_{\mathrm{Arg},A,\chi_A}(\lambda)$ as follows: An argument is simulation-extractable if for any PPT adversary $A$ there exists a PPT extractor $\chi_A$ such that $\mathrm{Adv}_{\mathrm{Arg},A,\chi_A}(\lambda) \approx 0$. We note that simulation-extractability implies knowledge soundness, since simulation-extractability corresponds to knowledge soundness in which the adversary is additionally allowed to query the simulation oracle SimProve.
When knowledge soundness and simulation-extractability are applied to a succinct argument, the extractors are inherently non-black-box. As in [5], we assume the relation generator is benign,³ i.e. the relation (including the potential auxiliary inputs) is distributed in such a way that the SNARK can be simulation-extractable.

IV. BILINEAR GROUPS AND ASSUMPTIONS
A bilinear group generator BG receives a security parameter as input and outputs a bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$. Here $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are groups of prime order $p$ with generators $G \in \mathbb{G}_1$ and $H \in \mathbb{G}_2$, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is a bilinear map (i.e. $e(G^a, H^b) = e(G, H)^{ab}$, and $e(G, H)$ generates $\mathbb{G}_T$).

A. POWER KNOWLEDGE OF EXPONENT ASSUMPTION
We define the q-power knowledge of exponent assumption.
Definition 3 (q-Power Knowledge of Exponent Assumption [31]): The q-power knowledge of exponent assumption holds for $\mathbb{G}_1, \mathbb{G}_2$ if for all $A$ there exists a non-uniform PPT extractor $\chi_A$ such that
³ The non-falsifiable knowledge of exponent assumption is a necessary ingredient in building a SNARK with witness extraction. Bitansky et al.'s analysis [29], [30] gives counterexamples and observations: auxiliary inputs may affect the extraction of the witness in extractable one-way functions. However, they also observe that extractability still holds with respect to common auxiliary input taken from specific distributions that may be conjectured to be ''benign'', e.g. the uniform distribution.

B. HASH-ALGEBRAIC KNOWLEDGE ASSUMPTION
Lipmaa proposes a new knowledge assumption called the hash-algebraic knowledge (HAK) assumption [8], which extends the algebraic group model by additionally allowing the adversary to obtain group elements by hashing. In the algebraic knowledge assumption, one assumes that each PPT algorithm is algebraic in the following sense. Assume that there are unknown exponents. Let $x_i$ be a polynomial in the unknown exponents, and let $G^{\mathbf{x}}$ be the vector of the $G^{x_i}$. Similarly, let $G^{\mathbf{y}}$ be the vector of the $G^{y_i}$, where each $y_i$ is a polynomial in the unknown exponents. If the adversary $A$'s input includes $G^{\mathbf{x}}$ and no other elements of the group $\mathbb{G}_1$, and $A$ outputs the group elements $G^{\mathbf{y}}$, then $A$ knows a matrix $N$ such that $\mathbf{y} = N\mathbf{x}$. A group $\mathbb{G}_1$ is algebraic if every PPT algorithm $A$ that obtains inputs from $\mathbb{G}_1$ and outputs elements in $\mathbb{G}_1$ is algebraic.
Furthermore, Lipmaa pointed out that the restriction to algebraic adversaries is not valid in situations where the adversary can create new random group elements, say by using elliptic curve hashing [7]. He models this capability by allowing the adversary to create additional group elements $G^{\mathbf{q}}$ for which she does not know the discrete logarithms, i.e. the exponents $q_i$ of the vector $\mathbf{q}$. It is required that $G^{\mathbf{q}}$ (but not necessarily $\mathbf{q}$) can be extracted from the adversary. In addition, $G^{\mathbf{q}}$ must be sampled from a public distribution $\mathcal{D}'$. A PPT algorithm $A$ is called hash-algebraic (in $\mathbb{G}_1$) if there exists a PPT extractor $\chi_A$ such that for any PPT-sampleable distribution $\mathcal{D}$ and any distribution $\mathcal{D}'$ with min-entropy $\omega(\log \lambda)$, $\mathrm{Adv}^{\mathrm{hak}}_{\mathbb{G}_1,\mathcal{D},\mathcal{D}',A}(\lambda) \approx 0$. Finally, we define the following $\mathcal{D}$-HAK assumption in $\mathbb{G}_1$:
Definition 4 ($\mathcal{D}$-HAK Assumption in $\mathbb{G}_1$ [8]): For each PPT $A$ that obtains inputs distributed according to the distribution $\mathcal{D}$, there exists an extractor that outputs $G^{\mathbf{q}}$ and $N$ such that $G^{\mathbf{q}} \sim \mathcal{D}'$ for some distribution $\mathcal{D}'$ of high min-entropy. More precisely, $\mathrm{Adv}^{\mathrm{hak}}_{\mathbb{G}_\iota,\mathcal{D},\mathcal{D}',A}(\lambda) \approx 0$ for each PPT adversary $A$ and each distribution $\mathcal{D}'$ of min-entropy $\omega(\log \lambda)$.

C. LINEAR COLLISION-RESISTANT HASH FUNCTION
We define collision-resistance and linear collision-resistance of a hash function.
Definition 5 (Collision-Resistance): $\mathcal{H} : X \to Y$ is a collision-resistant hash function if for all PPT adversaries $A$,
Furthermore, for many collision-resistant hash functions such as SHA2 it is difficult to find collisions for various equations involving the hash. Specifically, for our purpose we define a variant of the collision-resistant hash function called a linear collision-resistant hash function, for which it is hard to find non-trivial linear collisions. Any cryptographic hash function, such as SHA2 or the Ajtai hash [32], that is used as a collision-resistant hash function can also be adopted as a linear collision-resistant hash function by treating inputs and outputs as strings, provided the output string is remapped into $\mathbb{Z}_p$.
It is difficult to analyze the exact security level of linear collision-resistance. At least, we prove that linear collision-resistance is as hard as the discrete logarithm problem when the hash function is idealized: given a random oracle $\mathcal{H}$, if we can find a linear collision then we can solve a discrete logarithm problem.
Lemma 1: Given $(\mathcal{H}, G_1, G_2)$ where $\mathcal{H}$ is a random oracle, if there is a PPT $A$ such that $\mathrm{Adv}^{\mathrm{LCR}}_{\mathcal{H}}(A)$ is non-negligible, then there is a PPT algorithm $B$ that computes $\mathrm{Dlog}_{G_1}(G_2)$ with non-negligible probability.
Proof: By rewinding the hash query for $v$, we provide $A$ with a different hash value $w'$ for $v$. Then $A$ outputs a valid $(y, y')$. Since we know $x, x', y, y'$, we can compute $\mathrm{Dlog}_{G_1}(G_2)$, which is $\frac{x - y}{y' - x'}$.

V. QAP-BASED SE-SNARK SCHEME
In this section, we propose our first SE-SNARK construction based on the quadratic arithmetic program (QAP) representation, which achieves a proof size of 3 elements and a single verification. Before presenting the formal construction, we briefly explain the main idea behind the scheme to achieve simulation-extractability without an additional check in section V-A. Then we introduce the formal definition of QAP in section V-B, and present the formal construction in section V-C.

A. MAIN IDEA
As an example of how a standard zk-SNARK can be modified, suppose for an instance $\phi$ that $(A, B, C) = (G^a, H^b, G^c)$ are the three group elements of a proof that satisfies the verification equation of Groth's zk-SNARK [1]. Then, for a known polynomial $f$ in $\phi$ and some secrets $\alpha, \beta, \gamma, \delta$,
There are two methods to generically randomize a proof $(A, B, C)$ that satisfies (1). An adversary can set either
In the proposed approach, we devise a new way to neutralize both attacks by using the hashes of $A$ and $B$ in $C$. The verification equation has to detect changes to $A$ and $B$, so we insert into $c$ products of $a$ and $b$ with the hashes of $A$ and $B$. Hence an adversary would have to know $a$ and $b$ to change $A$ or $B$ in the revised proof.
The left pairing in (1) changes to $e(A \cdot G^{\mathcal{H}(A)},\; B \cdot H^{\delta \mathcal{H}(B)})$, and $C$ is revised to satisfy (1) as follows:
where $A = G^a$, $B = H^b$, and $\mathcal{H}$ is a linear collision-resistant hash function such as SHA.
According to the revised $C$, the verification is revised by adding the corresponding terms to $A$ and $B$ as follows:
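The following is an added example, written for this page rather than taken from the paper or any implementation of it. It plays the two manipulations described above against the simplified three-element proof and then against the hash-bound variant, using the check $e(A\cdot G^{\mathcal{H}(A)},\, B\cdot H^{\delta\mathcal{H}(B)}) = e(G,H)^c$ with $c = (a + \mathcal{H}(A))(b + \delta\,\mathcal{H}(B))$, the placement of $\delta$ that matches the exponent of $C$ expanded in the completeness proof of Section V-D. Group elements are represented by their exponents in $\mathbb{Z}_p$ and the pairing by multiplication of exponents (a generic bilinear-group abstraction), $\mathcal{H}$ is SHA3-256 reduced into $\mathbb{Z}_p$, and the instance-dependent terms of the full construction are dropped, so the code exhibits only the algebra, not the hardness of recovering $a$ from $G^a$. The modulus, the setup secret $\delta$, the witness $(a, b)$ and the attacker's randomness $r$ are constructed values.

```python
# Added example (not the paper's code): the two generic rerandomisations of the
# simplified Groth-style proof (G^a, H^b, G^c), and the hash-bound check that
# rejects them.  Group elements are modelled by their exponents in Z_p, so the
# "pairing" is multiplication of exponents.  Only the algebra is modelled here:
# nothing in this file is hard to invert.
import hashlib

P = 2**255 - 19   # constructed toy modulus; any large prime serves the illustration

def pair(x, y):
    """e(G^x, H^y) = e(G, H)^{xy}: in exponent space, x*y mod p."""
    return x * y % P

def hash_elem(elem):
    """H: hash the canonical 32-byte encoding of a group element into Z_p.
    A standard hash (SHA3-256 here) suffices; no hash-to-curve is needed."""
    digest = hashlib.sha3_256(elem.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % P

# --- original linear-encoding proof: e(A, B) = e(G, H)^c, i.e. a*b = c ----------
def prove_linear(a, b):
    return (a, b, a * b % P)

def verify_linear(proof):
    A, B, C = proof
    return pair(A, B) == pair(1, C)

# The two manipulations from the paper; neither needs the witness (a, b).
def malleate_scale(proof, r):
    """(G^a, H^b, G^c) -> (G^{ar}, H^{b/r}, G^c)"""
    A, B, C = proof
    return (A * r % P, B * pow(r, P - 2, P) % P, C)

def malleate_shift(proof, r):
    """(G^a, H^b, G^c) -> (G^a, H^{b+r}, G^{c+ar})"""
    A, B, C = proof
    return (A, (B + r) % P, (C + A * r) % P)

# --- hash-bound proof: e(A*G^{H(A)}, B*H^{delta*H(B)}) = e(G, H)^c --------------
DELTA = 0x2F1A9C775E03B4D1   # constructed setup secret; the CRS publishes H^delta

def prove_hashed(a, b, crs_delta=DELTA):
    """The prover only needs the CRS element G^delta (modelled by the number delta)
    to form the delta-dependent terms of c; it never needs delta itself."""
    A, B = a, b
    c = (a + hash_elem(A)) * (b + crs_delta * hash_elem(B)) % P
    return (A, B, c)

def verify_hashed(proof, crs_delta=DELTA):
    """The verifier derives G^{H(A)} from A and (H^delta)^{H(B)} from the CRS
    element H^delta; in exponent space those are H(A) and delta*H(B)."""
    A, B, C = proof
    lhs = pair((A + hash_elem(A)) % P, (B + crs_delta * hash_elem(B)) % P)
    return lhs == pair(1, C)

def demo(a=7, b=11, r=5):
    """Constructed witness (a, b) and attacker randomness r; returns accept/reject
    for the honest proof and for both manipulations under each check."""
    lin, hashed = prove_linear(a, b), prove_hashed(a, b)
    return {
        "linear_honest":  verify_linear(lin),
        "linear_scaled":  verify_linear(malleate_scale(lin, r)),
        "linear_shifted": verify_linear(malleate_shift(lin, r)),
        "hashed_honest":  verify_hashed(hashed),
        "hashed_scaled":  verify_hashed(malleate_scale(hashed, r)),
        "hashed_shifted": verify_hashed(malleate_shift(hashed, r)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accept' if ok else 'reject'}")
```

Both manipulations pass the linear check, since $ar \cdot b r^{-1} = ab$ and $a(b + r) = c + ar$, and both fail the hash-bound check, because after the change the hash inputs differ and the required $c$ is $(a' + \mathcal{H}(A'))(b' + \delta\mathcal{H}(B'))$, which the attacker cannot reach without $a$ and $b$ (in this model the hashed variants are rejected up to a hash collision, which SHA3 makes negligible).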

B. QUADRATIC ARITHMETIC PROGRAMS
In our SE-SNARK we formally adopt quadratic arithmetic programs (QAP) [1], [17] for the relation $R$, as follows. The bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$ defines the finite field $\mathbb{Z}_p$; $1 \le l \le m$; and the polynomials $u_i(X), v_i(X), w_i(X)$ for $i = 0, \dots, m$ form the linearly independent polynomial sets of the QAP, with the definition below:
where $u_i(X), v_i(X), w_i(X)$ have degree strictly lower than $n$, the degree of $t(X)$. Defining $s_0 = 1$, the relation $R$ is
$$R = \Big\{(\phi, w)\ \Big|\ \phi = (s_1, \dots, s_l) \in \mathbb{Z}_p^{l},\ w = (s_{l+1}, \dots, s_m) \in \mathbb{Z}_p^{m-l},\ \Big(\sum_{i=0}^{m} s_i u_i(X)\Big)\Big(\sum_{i=0}^{m} s_i v_i(X)\Big) = \sum_{i=0}^{m} s_i w_i(X) + h(X)t(X) \text{ for some polynomial } h(X)\Big\}.$$
We say $\mathcal{R}$ is a relation generator for the QAP if it outputs such relations $R$ with field size larger than $2^{\lambda-1}$.

D. SECURITY PROOF
The QAP-based SE-SNARK protocol is a non-interactive zero-knowledge argument of knowledge with perfect completeness and perfect zero-knowledge. It is simulation-extractable (implying it also has knowledge soundness) provided that the HAK (hash-algebraic knowledge) assumption holds and a linear collision-resistant hash function exists.
Proof (PERFECT COMPLETENESS): We demonstrate that the prover can compute the proof $(A, B, C)$ as described from the common reference string. Let $h_1 = \mathcal{H}(A)$ and $h_2 = \mathcal{H}(B)$. The prover can compute the coefficients of $h(X)$, and the proof elements can then be computed as follows: the exponent of $C$ contains, besides the witness-dependent terms, the randomization and hash-binding terms $sa + rb - rs + \delta a h_2 + b h_1 + \delta h_1 h_2$. Here we show that the verification equation holds.
Taking discrete logarithms, checking the verification equation is equivalent to showing that the exponents satisfy the verification relation. Note that since the vector $(s_{l+1}, \dots, s_m)$ is a valid witness for the instance $(s_1, \dots, s_l)$,
$$\Big(\sum_{i=0}^{m} s_i u_i(X)\Big)\Big(\sum_{i=0}^{m} s_i v_i(X)\Big) = \sum_{i=0}^{m} s_i w_i(X) + h(X)t(X)$$
for all $X \in \mathbb{Z}_p$.
ZERO-KNOWLEDGE: For zero-knowledge, notice that the construction already provides the simulator SimProve, which always produces verifying proofs. Real and simulated proofs have the same distribution: the random $r, s$ in real proofs play the role of the random $\mu, \nu$ in simulated proofs.
SIMULATION-EXTRACTABILITY: Assume that the adversary $A$ succeeds in forging a proof $(A, B, C)$.
Our common reference string consists of the group generators $G, H$ raised to exponents that are polynomials in $X_\alpha, X_\beta, X_\gamma, X_\delta, X_x$ evaluated at the secret values $\alpha, \beta, \gamma, \delta, x$. Moreover, whenever $A$ queries the simulation oracle, it gets back a simulated proof $(A_i, B_i, C_i)$, a set of three group elements that can be computed by raising $G, H$ to polynomials in the indeterminates $X_\alpha, X_\beta, X_\gamma, X_\delta, X_x, X_{\mu_1}, X_{\nu_1}, \dots, X_{\mu_q}, X_{\nu_q}$, where we plug in randomly generated $\mu_1, \nu_1, \dots, \mu_q, \nu_q$ for the latter. By $\mathcal{D}$-HAK, given a proof $\pi = (G^a, H^b, G^c)$ we can extract $a(\mathbf{X})$, $b(\mathbf{X})$, and $c(\mathbf{X})$, where $\mathbf{X}$ is the vector of indeterminates. Here $X_{\lambda_j}$ (resp. $X_{\rho_j}$) denotes the indeterminate standing for $G^{\lambda_j}$ (resp. $H^{\rho_j}$), a group element randomly created by the adversary in $\mathbb{G}_1$ (resp. $\mathbb{G}_2$) for which $\lambda_j$ (resp. $\rho_j$) is unknown. The possible $a(\mathbf{X})$, $b(\mathbf{X})$, and $c(\mathbf{X})$ are as follows: These $a(\mathbf{X})$, $b(\mathbf{X})$, and $c(\mathbf{X})$ must satisfy the following verification equation (5).
We will now show that in order to satisfy the formal polynomials equations above, either the adversary must recycle an instance and a proof, or alternatively χ A manages to extract a witness.
First, suppose that $a_{A_k} \neq 0$ for some $k$. Since there is no $X_\beta X_{\mu_k}$ in the right form, $b_\beta = 0$. Since there is no $X_\alpha X_{\nu_k}$ in the right form, $a_\alpha = 0$. Since the only terms involving $X_{\nu_k}$ in the right form are $X_\alpha X_{\nu_k}$, $X_{\nu_k}$, and $X_{\mu_k} X_{\nu_k}$, we get $a(\mathbf{X}) = a_0 + a_{A_k} X_{\mu_k}$.
Plugging this into (5) gives us, The only way this is possible is by setting Since there is no $X_\alpha X_\beta$ in the left form, $c_{C_k} = 1$. Finally, we obtain the following equation.
Since $\mathcal{H}$ is linear collision-resistant, it is hard to find non-trivial $-a_0$ and $a_{A_k}$ satisfying it. Hence $a_0 = 0$ and $a_{A_k} = 1$. Similarly, since there is $(b_\delta + h_2)\, a_{A_k} X_\delta X_{\mu_k}$ in the left form and $h_2 X_\delta X_{\mu_k}$ in the right form, we obtain a hash equation on the coefficients of $b(\mathbf{X})$. Since $\mathcal{H}$ is collision-resistant, it is hard to find a non-trivial $b_0$ satisfying it, and since $\mathcal{H}$ is linear collision-resistant, the remaining coefficients of $b(\mathbf{X})$ are forced in the same way. Consequently, $a(\mathbf{X}) = X_{\mu_k}$ and $b(\mathbf{X}) = X_{\nu_k}$. Since $\{u_i(X_x)\}_{i=1}^{l}$ are linearly independent, we see for $i = 1, \dots, l$ that $s_i = s_{k,i}$. In other words, the adversary has recycled the $k$-th instance $\phi = \phi_k$ and the proof $(A, B, C) = (A_k, B_k, C_k)$. The same conclusion is obtained if $b_{B_k} \neq 0$.
Next, suppose that $a_{A_j} = b_{B_j} = 0$ for all $j = 1, \dots, q$. Then $c_{C_j} = c_{A_j} = 0$, since there is no $X_{\mu_j}$ in the left form. Since there is $X_\alpha X_\beta$ in the right form, $a_\alpha b_\beta = 1$.
In the right form of (5), the only terms involving $X_\beta$ are $X_\beta$, $X_\beta X_\gamma$, and $X_\beta X_\alpha$, and there is no $X_\alpha X_{\rho_j}$ in the right form. We are now left with In (5), define $s_i = c_{s_i}$ for $i = l+1, \dots, m$. The terms involving $X_\beta X_\gamma X_x^i$ now give us $b_\beta \sum_{i=0}^{n-1} a_{\gamma x^i} X_x^i = \sum_{i=0}^{m} s_i u_i(X_x)$ in the left form. In addition, the terms involving Defining $h(X_x) = \sum_{i=0}^{n-1} c_{\gamma^2 t x^i} X_x^i$, we see that this means $(s_{l+1}, \dots, s_m)$ is a witness for the instance $(s_1, \dots, s_l)$ (the extracted witness may be one of many possible valid witnesses).

VI. SAP-BASED SE-SNARK SCHEME
In the previous section we proposed an efficient SE-SNARK scheme with three group elements as the proof. It is now interesting to ask whether a similar SE-SNARK with a two-element proof can be built by adopting a type I pairing instead of a type III pairing. Since each multiplication gate $a \cdot b = c$ can be transformed into $(a + b)^2 - (a - b)^2 = 4c$ in a square arithmetic program (SAP), a 2-element proof for circuit satisfiability is possible by replacing each multiplication gate with two squaring gates.

A. SQUARE ARITHMETIC PROGRAMS
In the SE-SNARK with two group elements, we will work with square arithmetic programs (SAP) R, with the definitions adopted from [5].
The bilinear group $(p, \mathbb{G}, \mathbb{G}_T, e)$ defines the finite field $\mathbb{Z}_p$; $1 \le l \le m$; and the polynomials $u_i(X), w_i(X)$ for $i = 0, \dots, m$ form the linearly independent polynomial sets of the SAP, with the definition below:
where $u_i(X), w_i(X)$ have degree strictly lower than $n$, the degree of $t(X)$. Defining $s_0 = 1$, the relation $R$ is
$$R = \Big\{(\phi, w)\ \Big|\ \phi = (s_1, \dots, s_l) \in \mathbb{Z}_p^{l},\ w = (s_{l+1}, \dots, s_m) \in \mathbb{Z}_p^{m-l},\ \Big(\sum_{i=0}^{m} s_i u_i(X)\Big)^2 = \sum_{i=0}^{m} s_i w_i(X) + h(X)t(X) \text{ for some polynomial } h(X)\Big\}.$$
We say $\mathcal{R}$ is a relation generator for the SAP if it outputs such relations $R$ with field size larger than $2^{\lambda-1}$.
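The following added example (written for this page; it is not the paper's code) builds the QAP of a constructed two-gate circuit, rewrites each multiplication gate into the two squaring gates $(a+b)^2 = 4c + d$ and $(a-b)^2 = d$ with a fresh wire $d$, and checks both the QAP relation of Section V-B and the SAP relation above by testing divisibility by $t(X)$. The prime, the circuit, the gate-to-root assignment (gate $g$ owns root $g+1$, with $u_i(r_g)=1$ exactly when wire $i$ feeds the gate's left input, as in Groth's encoding) and the witness values are all constructed for the illustration.

```python
# Added example (not the paper's code): a toy QAP for a constructed two-gate circuit,
# the rewrite of each multiplication gate a*b = c into the squaring gates (a+b)^2 = 4c + d
# and (a-b)^2 = d, and the "t(X) divides ..." checks that define the QAP and SAP
# relations.  Polynomials are coefficient lists over Z_p, lowest degree first.
P = 2**61 - 1   # constructed prime, not the scalar field of a pairing-friendly curve

def padd(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]
def pscale(a, k):
    return [x * k % P for x in a]
def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def prem(a, b):
    """Remainder of a modulo b over Z_p (b need not be monic)."""
    a, inv_lead = a[:], pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv_lead % P, len(a) - len(b)
        for i, y in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * y) % P
        a.pop()
    return a

def lagrange(points):
    """The polynomial of degree < len(points) through the given (x, y) pairs."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        term = [yi % P]
        for j, (xj, _) in enumerate(points):
            if i != j:                                  # times (X - xj)/(xi - xj)
                inv = pow((xi - xj) % P, P - 2, P)
                term = pmul(term, [(-xj * inv) % P, inv])
        result = padd(result, term)
    return result

def vanishing(roots):                                   # t(X) = prod (X - r)
    t = [1]
    for r in roots:
        t = pmul(t, [(-r) % P, 1])
    return t

def combine(polys, s):                                  # sum_i s_i * poly_i, with s_0 = 1
    acc = [0]
    for poly, si in zip(polys, s):
        acc = padd(acc, pscale(poly, si))
    return acc

# Multiplication gate = (left, right, out) wire indices; gate g owns root g+1 of t(X).
# u_i(r_g) = 1 iff wire i is gate g's left input, v_i its right input, w_i its output.
def build_qap(gates, m):
    roots = list(range(1, len(gates) + 1))
    col = lambda pick: [lagrange([(r, int(pick(g) == i)) for r, g in zip(roots, gates)])
                        for i in range(m + 1)]
    return col(lambda g: g[0]), col(lambda g: g[1]), col(lambda g: g[2]), vanishing(roots)

def qap_satisfied(qap, s):                  # t(X) | (sum s_i u_i)(sum s_i v_i) - sum s_i w_i
    u, v, w, t = qap
    diff = padd(pmul(combine(u, s), combine(v, s)), pscale(combine(w, s), P - 1))
    return not any(prem(diff, t))

# SAP gate = (lin, out): dicts wire -> coefficient, meaning (sum lin*s)^2 = sum out*s.
def qap_to_sap(gates, m):
    """a*b = c  ->  (a+b)^2 = 4c + d  and  (a-b)^2 = d, d a fresh wire (a != b assumed)."""
    sap = []
    for k, (a, b, c) in enumerate(gates):
        d = m + 1 + k
        sap += [({a: 1, b: 1}, {c: 4, d: 1}), ({a: 1, b: P - 1}, {d: 1})]
    return sap, m + len(gates)

def extend_witness(gates, s):               # append d = (s_a - s_b)^2 for each original gate
    return s + [(s[a] - s[b]) ** 2 % P for a, b, _ in gates]

def build_sap(sap_gates, m):
    roots = list(range(1, len(sap_gates) + 1))
    col = lambda k: [lagrange([(r, g[k].get(i, 0)) for r, g in zip(roots, sap_gates)])
                     for i in range(m + 1)]
    return col(0), col(1), vanishing(roots)

def sap_satisfied(sap, s):                  # t(X) | (sum s_i u_i)^2 - sum s_i w_i
    u, w, t = sap
    lin = combine(u, s)
    return not any(prem(padd(pmul(lin, lin), pscale(combine(w, s), P - 1)), t))

# Constructed circuit out = (x*y)*x over wires s = (1, out, x, y, z); l = 1 public wire.
GATES, M = [(2, 3, 4), (4, 2, 1)], 4

def demo():
    qap, (sap_gates, m2) = build_qap(GATES, M), qap_to_sap(GATES, M)
    sap = build_sap(sap_gates, m2)
    good = [1, 45, 3, 5, 15]                           # x = 3, y = 5, z = 15, out = 45
    bad = list(good); bad[1] = 46                      # claims a wrong public output
    return (qap_satisfied(qap, good), qap_satisfied(qap, bad),
            sap_satisfied(sap, extend_witness(GATES, good)),
            sap_satisfied(sap, extend_witness(GATES, bad)),
            len(sap_gates), m2)                        # 2n squaring gates, m + n wires
```

The two-gate circuit becomes four squaring gates over six wires, which is the growth Table 1 accounts for by counting $2n$ squaring gates for an $n$-gate circuit; a correct witness passes both checks, and changing only the public output wire breaks divisibility by $t(X)$ in both representations.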

B. CONSTRUCTION
In this section, we propose a scheme with two group elements as a proof in a symmetric group using SAP.

C. SECURITY PROOF
The SAP-based SE-SNARK protocol is a non-interactive zero-knowledge argument of knowledge with perfect completeness and perfect zero-knowledge. It is simulation-extractable (implying it also has knowledge soundness) provided that the $\mathcal{D}$-HAK assumption holds and a collision-resistant hash function exists.
Proof (PERFECT COMPLETENESS): First, we show that the prover can compute the proof $(A, C)$ as described from the common reference string. The prover can compute the coefficients of $h(X)$ and can then compute the proof elements as These are the proof elements specified in the construction. Here we show that the verification equation holds.
Taking discrete logarithms, this is equivalent to showing that the exponents satisfy the verification relation, where $A = G^a$ and $C = G^c$. Note that since the vector $(s_{l+1}, \dots, s_m)$ is a valid witness for the instance $(s_1, \dots, s_l)$,
$$\Big(\sum_{i=0}^{m} s_i u_i(X)\Big)^2 = \sum_{i=0}^{m} s_i w_i(X) + h(X)t(X)$$
for all $X \in \mathbb{Z}_p$.
ZERO-KNOWLEDGE: Zero-knowledge is shown as in Section V-D; the SimProve algorithm of the construction provides the proof simulation, which is sufficient for zero-knowledge.
SIMULATION-EXTRACTABILITY: By the $\mathcal{D}$-HAK assumption there is an extractor, and $a(\mathbf{X})$ and $c(\mathbf{X})$ are extracted as follows: Then, by the verification equation, the following equation must hold.
$$\big(a(\mathbf{X}) + X_\delta \mathcal{H}(A)\big) \cdot a(\mathbf{X}) = X_\alpha^2 + X_\gamma \sum_{i=0}^{l} s_i \big(X_\gamma w_i(X_x) + 2 X_\alpha u_i(X_x)\big) + c(\mathbf{X}) \qquad (6)$$
We will now show that in order to satisfy the formal polynomial equation above, either the adversary must recycle an instance and a proof, or alternatively a witness is extracted. First, suppose that $a_{A_k} \neq 0$ for some $k$. Since the only terms involving $X_{\mu_k}$ in the right form are $X_{\mu_k}$, $X_{\mu_k} X_\delta$, and $X_{\mu_k}^2$, and there is no $X_\delta^2$ in the right form, $a(\mathbf{X}) = a_0 + a_{A_k} X_{\mu_k}$. Plugging this into (6) gives us
$$\big(a_0 + a_{A_k} X_{\mu_k} + X_\delta \mathcal{H}(A)\big)\big(a_0 + a_{A_k} X_{\mu_k}\big) = X_\alpha^2 + X_\gamma \sum_{i=0}^{l} s_i \big(X_\gamma w_i(X_x) + 2 X_\alpha u_i(X_x)\big) + c(\mathbf{X}).$$
The only way this is possible is by setting Since there is no $X_\alpha^2$ in the left form, $c_{C_k} = 1$. In addition, since there is $a_{A_k}^2 X_{\mu_k}^2$ in the left form, $a_{A_k}^2 = c_{C_k} = 1$, so $a_{A_k} = 1$ or $-1$. Considering the $X_\delta X_{\mu_k}$ terms, $a_{A_k} \mathcal{H}(A) X_\delta X_{\mu_k} = \mathcal{H}(A_k) X_\delta X_{\mu_k}$. Hence $a_{A_k} \mathcal{H}(A) = \mathcal{H}(A_k)$, i.e. $a_{A_k} \mathcal{H}(G^{a_0} A_k^{a_{A_k}}) = \mathcal{H}(A_k)$. Assume $a_{A_k} = -1$. Let $c = -\mathcal{H}(A_k)$ and $z = G^{a_0} A_k^{a_{A_k}}$. Since $A_k$ is given, $c$ is a fixed value, and the adversary would have to find a preimage $z$ with $\mathcal{H}(z) = c$, which is hard for a collision-resistant hash. Therefore $a_{A_k} = 1$, and the problem becomes finding $a_0$ such that $\mathcal{H}(G^{a_0} A_k) = \mathcal{H}(A_k)$. Since it is hard to find $G^{a_0} A_k \neq A_k$ with this property, $a_0 = 0$. Since $\{u_i(X_x)\}_{i=1}^{l}$ are linearly independent, we see for $i = 1, \dots, l$ that $s_i = s_{k,i}$. In other words, the adversary has recycled the $k$-th instance $\phi = \phi_k$ and the proof $(A, C) = (A_k, C_k)$.
Next, suppose that $a_{A_j} = 0$ for all $j = 1, \dots, q$. Then $c_{C_j} = c_{A_j} = 0$, since there is no $X_{\mu_j}$ in the left form. Since there is $X_\alpha^2$ in the right form, $a_\alpha^2 = 1$. In the right form the only terms involving $X_\alpha$ are $X_\alpha$, $X_\alpha^2$, $X_\alpha X_\gamma$, $X_\alpha X_\delta$, and $X_\alpha u_i(X_x)$, and there is no $X_\delta^2$, so $a(\mathbf{X}) = a_0 + a_\alpha X_\alpha + \sum_{i=0}^{n-1} a_{\gamma x^i} X_\gamma X_x^i$. We are now left with $c(\mathbf{X}) = c_0 + c_\alpha X_\alpha + c_\delta X_\delta + c_{\alpha\delta} X_\alpha X_\delta + \cdots$. In (6),
$$\Big(a_0 + a_\alpha X_\alpha + \sum_{i=0}^{n-1} a_{\gamma x^i} X_\gamma X_x^i + X_\delta \mathcal{H}(A)\Big) \times \Big(a_\alpha X_\alpha + a_0 + \sum_{i=0}^{n-1} a_{\gamma x^i} X_\gamma X_x^i\Big) = X_\alpha^2 + X_\gamma \sum_{i=0}^{l} s_i \big(X_\gamma w_i(X_x) + 2 X_\alpha u_i(X_x)\big) + c_0 + c_\alpha X_\alpha + c_\delta X_\delta + c_{\alpha\delta} X_\alpha X_\delta + \cdots$$
Define $s_i = c_{s_i}$ for $i = l+1, \dots, m$. The terms involving $X_\alpha X_\gamma X_x^i$ now give us $a_\alpha \sum_{i=0}^{n-1} a_{\gamma x^i} X_x^i = \sum_{i=0}^{m} s_i u_i(X_x)$. Finally, the terms involving $X_\gamma^2$ produce Defining $h(X_x) = \sum_{i=0}^{n-1} c_{\gamma^2 t x^i} X_x^i$, we see that this means $(s_{l+1}, \dots, s_m)$ is a witness for the instance $(s_1, \dots, s_l)$ (the extracted witness may be one of many possible valid witnesses).

VII. CONCLUSION
In this article, we proposed two simulation-extractable succinct non-interactive arguments of knowledge (SE-SNARK) constructions which achieve minimal proof size and a single verification. Our first construction is based on the quadratic arithmetic program (QAP) representation, with a proof size of 3 group elements (type III pairing). The other construction is based on the square arithmetic program (SAP) representation, with a proof size of 2 group elements (type I pairing). The security of our schemes is proven under the hash-algebraic knowledge (HAK) assumption and the existence of a (linear) collision-resistant hash function.