SNARKs & QA-NIZKs with a Subverted...
36
SNARKs & QA-NIZKs with a Subverted Setup Behzad Abdolmaleki University of Tartu, Estonia 26.011.2019 / UT Wien, Vienna
Transcript of SNARKs & QA-NIZKs with a Subverted...
SNARKs & QA-NIZKs with a Subverted Setup
Behzad Abdolmaleki
University of Tartu, Estonia
26.011.2019 / UT Wien, Vienna
36\
Interactive Proofs
2
OK, xLWitness w
(x,w) RL
I am the doctor! pk
pk, sk
Prove it!
sk
Prover wants to convince Verifier that x has some
property (i.e. “I am the doctor!” Or “x is in language L”)
Commit
Challenge
Responds
36\ 3
Non-Interactive Proofs
ProofOK, xLWitness w
(x,w) RL
Prover wants to convince Verifier that “𝑥 is in language L”.
Non-Interactive proofs usually are constructed in two models:
Random Oracle (RO) Model [Micali 94]
Commit
Challenge
Responds
Common Reference String (CRS)
Model
P V
ProofP V
CRS
P VCom, Hash(Com), Responds
- Trusted Third Party (TTP) generates CRS
36\
Non-interactive Zero-knowledge (NIZK)
4
x ∈ L, w
π = P (x, w)
CorrectnessSoundnessZero-knowledge
36\
Non-interactive Zero-knowledge
PRIViLEDGE 5
x ∈ L, w
π = P (x, w)
36\
Non-interactive Zero-knowledge
PRIViLEDGE 6
x ∈ L, w
π = P (x, w)
● P should be able to compute π only when knowing valid w
● Sim should be able to compute π without knowing w
● Sim must have some extra power
36\
NIZK in CRS model
7
x ∈ L, w
π = P (crs , x, w)
crs, td
Imag
inar
y gu
y
36\
Special Type of NIZKs: zk-SNARKs
8
OK, xL
Witness w
(x,w) RL
(CRS, td) ←CRSGen(1𝑛)
proof ←Prove(CRS, witness)
proof
{1, 0} ←Verify(CRS, word, proof)
We are interested to make them succinct as much as possible.
Succinct: Small size of proof and low verification complexity
[Groth 2010] [Lipmaa 2012] [Gennaro GentryParno Raykova 2013]
Proof = 3 group elements
[Groth 2016]
36\
Inventions in NIZK: zk-SNARKs
9
for whole NP without costly reductions
For known arithmetic circuit C & partially unknown x, y = C (x)
Very strong (non-black-box) cryptographic assumptions
Knowledge assumption: if P outputted x then P must know y[Gentry Wichs 2011]: non-black-box assumptions needed
The CRS depends on concrete circuit
need to generate new CRS for each circuit!
Applications: verifiable computation, privacy-preserving cryptocurrencies, …
What If CRS Generator is
Malicious ?
10
36\11
Subversion security: Trust issues
π = P (crs , x, w)
x, w x
V (crs, x, π) ?
Interested in zero knowledgecrs should contain trusted crszk
Interested in soundnesscrs should contain trusted crssnd
Need to trust crszkNeed to trust crssnd
(crszk, crssnd), td
36\12
Subversion security: Trust issues
π = P (crs , x, w)
x, w x
V (crs, x, π) ?
Subversion ZK: zero knowledge even if CRS creator is malicious
Subversion SND: soundness even if CRS creator is malicious
Interested in zero knowledgecrs should contain trusted crszk
Interested in soundnesscrs should contain trusted crssnd
Research direction: minimize the needed trust
Need to trust crszkNeed to trust crssnd
(crszk, crssnd), td
36\13
Sub-ZK in CRS model
x ∈ L, w
π = P (crs, x, w)
crs, td
If crs creator is malicious, there is no guarantee that:• crs is correct• td exists • crs is from correct distribution
Imag
inar
y gu
y
36\14
Impossibility Result
● [Bellare, Fuchsbauer, Scafuro 2016]
●
● [Abdolmaleki, Baghery, Lipmaa, Zajac 2017]● Efficient SND + Sub-ZK SNARK for NP
● Asiacrypt 2017 “top three” paper
● [Fuchsbauer 2018]: related/improved constructions
WI ZK Sub-ZK
SND Possible Possible Possible
Sub-SND Possible Impossible Impossible
36\
[ABLZ17] recipe for Sub-ZK SNARK
15
Design a public algorithm CV for checking crs is correct If CV(crs) = 1: there exists some td
Proving Sub-ZKIf CV(crs) = 0: no need to simulateIf CV(crs) = 1:
Use extractor Ext to recover (unique) td from crsSimulate by using extracted ExtExt exists by assumption
36\
Sub-ZK SNARK
16
OK, xLWitness w
(x,w) RL
(CRS, td) ←CRSGen(1𝑛)
36\
Sub-ZK SNARK
17
OK, xLWitness w
(x,w) RL
(CRS, td) ←CRSGen(1𝑛)
proof ←Prove(CRS, witness)
proof
{1, 0} ←Verify(CRS, word, proof)
If 1 ← CV(crs)
Then
36\
Summary of SNARK Branch
18
…
ZK proofs
Interactive Non-interactive
CRS ModelRandom Oracle Model
Privacy-preserving technologies
… zk-SNARKs
Subversion zk-SNARKsUpdatable zk-SNARKs
Privacy-preserving Coins (Zcash,…),Smart Contracts (HAWK,…),E-voting ….
More Faster NIZKs for Linear Language:
19
Quasi-Adaptive NIZK (QA-NIZK)
36\
Quasi-Adaptive NIZK
20
OK, xLWitness w
(x,w) RL
CRS
proof
|Proof | = 1 group element
[Roy-Julta Asiacrypt2013] [Roy-Julta Crypto2014] [Kilts-Wee Eurocrypt2015]
Language parameter ρ is chosen before the CRS ρ cannot adaptively depend on the CRS Usually, ρ = some public key
ρ
•Applications in constructing efficient cryptographic primitives
(commitment schemes, IBE, signature schemes, …)
36\
QA-NIZK
21
● “ [Kiltz, Wee 2015]● most efficient known QA-NIZK for SUBSPACE
language
● Task of QA-NIZK for SUBSPACE:
● Fix language parameter ρ 1 ∈ 𝐺𝑛 × 𝑚
● Prove in zero knowledge that [ 𝑥]1= ρ 1𝑤 for some 𝑤 ∈ ℤ𝑝
𝑚
𝐿 = 𝑥 1 ∈ 𝐺1𝑛 | ∃ 𝑤 ∈ ℤ𝑝
𝑚 𝑠. 𝑡 [ 𝑥]1 = ρ 1𝑤
36\22
Our recipe: Sub-QA-NIZK [ALSZ18]
● Design a public algorithm PKV for checking crs is correct
● If PKV(ρ, crs ) = 1: there exists some td
● Proving Sub-ZK
● If PKV(ρ, crs ) = 0: no need to simulate
● If PKV(ρ, crs ) = 1:
● Use extractor Ext to recover td from crs Simulate by using
extracted Ext
● Ext exists by KWKE assumption.
Extraction of td requires non-black-box “knowledge assumption”
36\23
Our recipe: Sub-QA-NIZK [ALSZ18]
● Design a public algorithm PKV for checking crs is correct
● If PKV(ρ, crs ) = 1: there exists some td
● Proving Sub-ZK
● If PKV(ρ, crs ) = 0: no need to simulate
● If PKV(ρ, crs ) = 1:
● Use extractor Ext to recover td from crs Simulate by using
extracted Ext
● Ext exists by KWKE assumption.
Extraction of td requires non-black-box “knowledge assumption”
Weakness of the current Sub-QANIZK and open problems:
The PKV is not general and for different security parameter one needs to define a new algorithm PKV.
It only works for some especial construction and for extraction it needs some invertible matrix (crs elements)
It does not fit with Simulation Sound Extractable property
36\24
Recent Inventions in NIZK
SNARK QA-NIZK
succinct non-interactive argument of knowledge
quasi-adaptive non-interactive zero knowledge
36\25
Recent Inventions in NIZK
SNARK Succinct QA-NIZK
Versatility Whole NP Limited class of languages
Efficiency 3 group elements 1 group element
Assumptions Non-black-box (knowledge) Very standard
[Groth 2010],[Lipmaa 2012],[Gennaro Gentry Parno Raykova 2013],[Parno Howell Gentry Raykova 2013],[Groth 2016],[Groth Maller 2017],[Abdolmaleki Baghery Lipmaa Zajac 2017],…
[Jutla Roy 2013],[Libert Peters Joye Yung 2014],[Jutla Roy 2014],[Abdalla Benhamouda Pointcheval 2015],
[Kiltz-Wee 2015],[González Hevia Ràfols 2015],[Libert Peters Joye Yung 2014],[Abdolmaleki Lipmaa Siim Zajac eprit2018-19],
Sub-zk-SNARKSub-zk-QA-NIZK
36\
The Tree of Succinct NIZK
26
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKs[ABLZ17] [Fuc17]
Updatable zk-SNARKs[GKM+18]
QA-NIZKs
Updatable QANIZKs[Lipmaa18]
Sub-QANIZKs[ALSZ18]
Simulation Sound Extractable (SSE) zk-SNARKs
COCO Framework[DS19] Framework
?
36\
The Tree of Succinct NIZK
27
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKs[ABLZ17] [Fuc17]
Updatable zk-SNARKs[GKM+18]
QA-NIZKs
Updatable QANIZKs[Lipmaa18]
Sub-QANIZKs[ALSZ18]
Simulation Sound Extractable (SSE) zk-SNARKs
COCO Framework[DS19] Framework
(SSE)-sub-QA-NIZK(Join with Daniel)
?
Ad-Hoc based
Ad-Hoc based
Modular based:Modular Constructions of Updatable QANIZKs
(Join with Daniel)
36\
The Tree of Succinct NIZK
28
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKs[ABLZ17] [Fuc17]
Updatable zk-SNARKs[GKM+18]
QA-NIZKs
Updatable QANIZKs[Lipmaa18]
Sub-QANIZKs[ALSZ18]
Simulation Sound Extractable (SSE) zk-SNARKs
COCO Framework[DS19] Framework
(SSE)-sub-QA-NIZK(Join with Daniel to ACMAsiaCCS2020)
?
Ad-Hoc based
Ad-Hoc based
Modular based:Modular Constructions of Updatable QANIZKs
(Join with Daniel to PKC2020)
Framework SSE - zk-SNARKs
- Sub zk-SNARKs- Updatable zk-SNARKs
(Join with Sebastian and Daniel)
Just in one slide!
36\
The Tree of Succinct NIZK
29
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKs[ABLZ17] [Fuc17]
Updatable zk-SNARKs[GKM+18]
QA-NIZKs
Updatable QANIZKs[Lipmaa18]
Sub-QANIZKs[ALSZ18]
Simulation Sound Extractable (SSE) zk-SNARKs
COCO Framework[DS19] Framework
(SSE)-sub-QA-NIZK(Join with Daniel to ACMAsiaCCS2020)
?
Ad-Hoc based
Ad-Hoc based
Modular based:Modular Constructions of Updatable QANIZKs
(Join with Daniel to PKC2020)
Framework SSE - zk-SNARKs
- Sub zk-SNARKs- Updatable zk-SNARKs
(Join with Sebastian and Daniel to S&P2020)
Just in one slide!Post-Quantum zk-SNARKsPost-Quantum QA-NIZKs
? Designated Verifier zk-SNARKs:-[GMNO18]-[Anca19]
36\
Framework SE (Sub & Updatable) zk-SNARK
30
(Join with Sebastian and Daniel)
(sub & updatable) zk-SNARK
− L𝐬𝐧𝐚𝐫𝐤 = { x,w ∈ 𝑅}− CRSsnark
𝐿′ = { 𝑥, 𝑤 ∈ 𝑅 ⋁ 𝑐𝑝𝑘 = 𝑝𝑘. 𝑓 𝑐𝑠𝑘 − 𝑠𝑘 }
SE zk-SNARK SE sub zk-SNARK SE updatable zk-SNARK
Updatable Signature
𝑥′ = (𝑥, 𝑐𝑝𝑘, 𝑝𝑘) , 𝑤′ = (𝑤, 𝑐𝑠𝑘 − 𝑠𝑘)
𝐶𝑅𝑆′ = (𝑐𝑟𝑠𝑠𝑛𝑎𝑟𝑘 , 𝑝𝑘, 𝑐𝑝𝑘)
36\
Post-Quantum zk-SNARKs
31
NIZK in CRS Model
Post-Quantum zk-SNARKsPost-Quantum QA-NIZKs
? Designated Verifier zk-SNARKs:-[GMNO18]-[Anca19]
36\
Lattice Based (Designated Verifier) zk-SNARKs
32
Dlog group based SNARK
CRS = (𝑔𝛼 , 𝑔𝛽 , . . .)
P(crs, x, w) V(crs, x, 𝜋)
𝜋 = (𝑔𝐴, 𝑔𝐵 , 𝑔𝐶)𝜋
𝑒 𝑔1𝐴, 𝑔2
𝐵 = 𝑒 𝑔1𝐶 , 𝑔2
…
Lattice-based SNARK
Paring property
CRS = (E 𝛼 , 𝐸 𝛽 , . . .)
36\
Lattice Based (Designated Verifier) zk-SNARKs
33
Dlog group based SNARK
CRS = (𝑔𝛼 , 𝑔𝛽 , . . .)
P(crs, x, w) V(crs, x, 𝜋)
𝜋 = (𝑔𝐴, 𝑔𝐵 , 𝑔𝐶)𝜋
𝑒 𝑔1𝐴, 𝑔2
𝐵 = 𝑒 𝑔1𝐶 , 𝑔2
…
Lattice-based SNARK
CRS = (En 𝛼 , 𝐸𝑛 𝛽 , . . .)
P(crs, x, w) V(crs, x, 𝜋)
𝝅 = (𝐸𝑛 𝐴 ,𝐸𝑛 𝐵 ,𝐸𝑛(𝐶))
𝜋
𝑒 𝑔1𝐴, 𝑔2
𝐵 = 𝑒 𝑔1𝐶 , 𝑔2
…
Paring property
sk𝐸𝑛
𝐷𝑠𝑘 𝜋 , 𝐷𝑠𝑘 𝑐𝑟𝑠 ∶ 𝐴. 𝐵 = 𝐶. (… . )
Designated Verifier
CRS = (E 𝛼 , 𝐸 𝛽 , . . .)
36\
The Tree of Post-Quantum zk-SNARKs
34
Succinct NIZK in CRS Model
Post-Quantum zk-SNARKsPost-Quantum QA-NIZKs
? zk-SNARKs[GMNO18]:- Designated Verifier - Proof Size = 5 cipher text- SSP based (Boolean circuit)
zk-SNARKs[Anca19]:- Designated Verifier - Proof Size = 2 cipher text- SPA based (Arithmetic circuit)
Publicly verifiable zk-SNARKs ?
Subversion zk-SNARKs?SE zk-SNARKs
?
Updatable zk-SNARKs ?
Updatable QA-NIZK
SE QA-NIZK
subversion QA-NIZK
36\
Reference
35
[ABL+ 17] B. Abdolmaleki, K. Baghery, H. Lipmaa, and M. Zajac. A subversion-resistant SNARK. In ASIACRYPT (3), volume 10626 of LNCS, pages 3–33. Springer, 2017.
B. Abdolmaleki, S. Ramacher, and D. Slamanig. Lift-and-Sift: obtaining simulation extractable subversion and updatable snarks generically. Cryptology ePrintArchive, Report 2020/062, 2020. https://eprint.iacr.org/2020/062.
[ARS20]
G. Fuchsbauer. Subversion-zero-knowledge snarks. In PKC (1), volume 10769 of LNCS, pages 315–347. Springer, 2018.
[Fuc18]
H. Lipmaa. Simulation-extractable snarks revisited. Cryptology ePrint Archive, Report 2019/612, 2019. https://eprint.iacr.org/2019/612.
[Lip19]
B. Abdolmaleki, H. Lipmaa, J. Siim and M. Zajac. Cryptology ePrint Archive, Report 2018/877, 2018. https://eprint.iacr.org/2018/877}
[ALSZ18]
Cryptology ePrint Archive, Report 2018/877
Thank you
European Union's H2020European Union's H2020
