Abstract
While NIZK arguments in the CRS model are widely studied, the question of what happens when the CRS is subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro showed the first negative and positive results, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero knowledge at the same time. On the positive side, they constructed a sound and subversion-zero knowledge (Sub-ZK) non-succinct NIZK argument for NP. We consider the practically very relevant case of zk-SNARKs. We make Groth’s zk-SNARK for Circuit-SAT from EUROCRYPT 2016 computationally knowledge-sound and perfectly composable Sub-ZK with minimal changes. We only require the CRS trapdoor to be extractable and the CRS to be publicly verifiable. To achieve the latter, we add some new elements to the CRS and construct an efficient CRS verification algorithm. We also provide a definitional framework for knowledge-sound and Sub-ZK SNARKs.
Similar content being viewed by others
Notes
[3] investigates Sub-ZK QA-NIZKs, where languages are parameterized. Sub-ZK QA-NIZKs are out of the scope of this paper since one needs also consider the parameter subversion. However, their impossibility result works also in the case of Sub-ZK SNARKs.
Lipmaa [41] has showed recently how to minimally modify Groth’s SNARK so that it only has two trapdoors.
References
B. Abdolmaleki, K. Baghery, H. Lipmaa, and M. Zajac, A subversion-resistant SNARK, in T. Takagi and T. Peyrin, (eds.), ASIACRYPT 2017, Part III, vol. 10626 of LNCS, (Springer, Heidelberg, 2017), pp. 3–33. https://doi.org/10.1007/978-3-319-70700-6_1
B. Abdolmaleki, K. Baghery, H. Lipmaa, and M. Zajac. A subversion-resistant SNARK. Cryptology ePrint Archive, Report 2017/599, (2017). http://eprint.iacr.org/2017/599
B. Abdolmaleki, H. Lipmaa, J. Siim, and M. Zajac. On QA-NIZK in the BPK model, in A. Kiayias, M. Kohlweiss, P. Wallden, and V. Zikas, eds, PKC 2020, Part I, vol. 12110 of LNCS, (Springer, Heidelberg, 2020), pp. 590–620. https://doi.org/10.1007/978-3-030-45374-9_20
D. Boneh, X. Boyen, and E.-J. Goh. Hierarchical identity based encryption with constant size ciphertext, in R. Cramer, (ed.), EUROCRYPT 2005, vol. 3494 of LNCS, (Springer, Heidelberg, 2005), pp. 440–456. https://doi.org/10.1007/11426639_26
E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, and M. Virza. SNARKs for C: verifying program executions succinctly and in zero knowledge, in R. Canetti, J.A. Garay, (eds.), CRYPTO 2013, Part II, vol. 8043 of LNCS, (Springer, Heidelberg, 2013). https://doi.org/10.1007/978-3-642-40084-1_6
E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: Decentralized anonymous payments from bitcoin, in 2014 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2014), pp. 459–474. https://doi.org/10.1109/SP.2014.36
N. Bitansky, R. Canetti, O. Paneth, and A. Rosen. On the existence of extractable one-way functions, in D.B. Shmoys, (ed.), 46th ACM STOC, (ACM Press, May/June 2014), pp. 505–514. https://doi.org/10.1145/2591796.2591859
E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Succinct non-interactive zero knowledge for a von neumann architecture, in K. Fu and J. Jung, (eds.), USENIX Security 2014, (USENIX Association, 2014), pp. 781–796
M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications (extended abstract), in 20th ACM STOC, (ACM Press, May 1988), pp. 103–112. https://doi.org/10.1145/62212.62222
M. Bellare, G. Fuchsbauer, and A. Scafuro. NIZKs with an untrusted CRS: security in the face of parameter subversion, in J.H. Cheon and T. Takagi, (eds.), ASIACRYPT 2016, Part II, vol. 10032 of LNCS, (Springer, Heidelberg, 2016), pp. 777–804. https://doi.org/10.1007/978-3-662-53890-6_26
M. Bellare, J.A. Garay, and T. Rabin. Batch verification with applications to cryptography and checking, in C.L. Lucchesi and A.V. Moura, (eds.), LATIN 1998, vol. 1380 of LNCS, (Springer, Heidelberg, 1998), pp. 170–191
S. Bowe. BLS12-381: New zk-SNARK Elliptic Curve Construction. Blog post, https://blog.z.cash/new-snark-curve/, last accessed in July, 2018, March 11 (2017)
D.R.L. Brown. The exact security of ECDSA. Contributions to IEEE P1363a, (2001). http://grouper.ieee.org/groups/1363/
R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable zero-knowledge (extended abstract), in 32nd ACM STOC, (ACM Press, 2000), pp. 235–244. https://doi.org/10.1145/335305.335334
I. Damgård. Towards practical public key systems secure against chosen ciphertext attacks, in J. Feigenbaum, (ed.), CRYPTO’91, volume 576 of LNCS, (Springer, Heidelberg, 1992), pp. 445–456. https://doi.org/10.1007/3-540-46766-1_36
G. Danezis, C. Fournet, J. Groth, and M. Kohlweiss. Square span programs with applications to succinct NIZK arguments, in P. Sarkar and T. Iwata, (eds), ASIACRYPT 2014, Part I, volume 8873 of LNCS, (Springer, Heidelberg, 2014), pp. 532–550. https://doi.org/10.1007/978-3-662-45611-8_28
G. Danezis, C. Fournet, M. Kohlweiss, and B. Parno. Pinocchio coin: building zerocoin from a succinct pairing-based proof system. pp. 27–30, Berlin, Germany, (2013). ACM
G. Di Crescenzo and H. Lipmaa. Succinct NP proofs from an extractability assumption, in A. Beckmann, C. Dimitracopoulos, and B. Löwe, editors, Computability in Europe, CIE 2008, volume 5028 of LNCS, pp. 175–185, Athens, Greece, June 15–20, (2008). Springer, Heidelberg
A. Escala, G. Herold, E. Kiltz, C. Ràfols, and J. Villar. An algebraic framework for Diffie-Hellman assumptions, in R. Canetti and J.A. Garay, (eds.), CRYPTO 2013, Part II, volume 8043 of LNCS, (Springer, Heidelberg, 2013), pp. 129–147. https://doi.org/10.1007/978-3-642-40084-1_8
G. Fuchsbauer, E. Kiltz, and J. Loss. The algebraic group model and its applications, in H. Shacham and A. Boldyreva, (eds), CRYPTO 2018, Part II, volume 10992 of LNCS, (Springer, Heidelberg, 2018), pp. 33–62. https://doi.org/10.1007/978-3-319-96881-0_2
P. Fauzi, H. Lipmaa, and M. Zajac. A shuffle argument secure in the generic model, in J.H. Cheon and T. Takagi, (eds.), ASIACRYPT 2016, Part II, volume 10032 of LNCS, (Springer, Heidelberg, 2016), pp. 841–872. https://doi.org/10.1007/978-3-662-53890-6_28
G. Fuchsbauer and M. Orrù. Non-interactive zaps of knowledge, in B. Preneel and F. Vercauteren, (eds.), ACNS 18, volume 10892 of LNCS, (Springer, Heidelberg, 2018), pp. 44–62. https://doi.org/10.1007/978-3-319-93387-0_3
G. Fuchsbauer. Subversion-zero-knowledge SNARKs, in M. Abdalla and R. Dahab, (eds.), PKC 2018, Part I, volume 10769 of LNCS, (Springer, Heidelberg, 2018), pp. 315–347. https://doi.org/10.1007/978-3-319-76578-5_11
A. Gabizon. On the security of the BCTV pinocchio zk-SNARK variant. Cryptology ePrint Archive, Report 2019/119, (2019). https://eprint.iacr.org/2019/119
R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in T. Rabin, (ed.), CRYPTO 2010, volume 6223 of LNCS, (Springer, Heidelberg, 2010), pp. 465–482. https://doi.org/10.1007/978-3-642-14623-7_25
R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs, in T. Johansson and P.Q. Nguyen, (eds.), EUROCRYPT 2013, volume 7881 of LNCS, (Springer, Heidelberg, 2013), pp. 626–645. https://doi.org/10.1007/978-3-642-38348-9_37
J. Groth, M. Kohlweiss, M. Maller, S. Meiklejohn, and I. Miers. Updatable and universal common reference strings with applications to zk-SNARKs, in H. Shacham and A. Boldyreva, (eds.), CRYPTO 2018, Part III, volume 10993 of LNCS, (Springer, Heidelberg, 2018), pp. 698–728. https://doi.org/10.1007/978-3-319-96878-0_24
O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1–32, 1994. https://doi.org/10.1007/BF00195207
J. Groth, R. Ostrovsky, and A. Sahai. Non-interactive zaps and new techniques for NIZK, in C.a Dwork, (ed.), CRYPTO 2006, volume 4117 of LNCS, (Springer, Heidelberg, August 2006), pp. 97–111. https://doi.org/10.1007/11818175_6
S.D. Galbraith, K.G. Paterson, and N.P. Smart. Pairings for cryptographers. Discrete Appl. Math., 156(16):3113–3121 (2008)
J. Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures, in X. Lai and K. Chen, (eds.), ASIACRYPT 2006, volume 4284 of LNCS, (Springer, Heidelberg, 2006), pp. 444–459. https://doi.org/10.1007/11935230_29
J. Groth. Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, (ed.), ASIACRYPT 2010, volume 6477 of LNCS, (Springer, Heidelberg, 2010), pp. 321–340. https://doi.org/10.1007/978-3-642-17373-8_19
J. Groth. On the size of pairing-based non-interactive arguments, in M. Fischlin and J.-S. Coron, (eds.), EUROCRYPT 2016, Part II, volume 9666 of LNCS, (Springer, Heidelberg, 2016), pp. 305–326. https://doi.org/10.1007/978-3-662-49896-5_11
C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions, in L. Fortnow and S.P. Vadhan, (eds.), 43rd ACM STOC, (ACM Press, 2011), pp. 99–108. https://doi.org/10.1145/1993636.1993651
T. Icart. How to hash into elliptic curves, in S. Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, (Springer, Heidelberg, 2009), pp. 303–316. https://doi.org/10.1007/978-3-642-03356-8_18
C.S. Jutla and A. Roy. Shorter quasi-adaptive NIZK proofs for linear subspaces, in K. Sako and P. Sarkar, (eds.), ASIACRYPT 2013, Part I, volume 8269 of LNCS, (Springer, Heidelberg, 2013), pp. 1–20. https://doi.org/10.1007/978-3-642-42033-7_1
A.E. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: the blockchain model of cryptography and privacy-preserving smart contracts, in 2016 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2016), pp. 839–858. https://doi.org/10.1109/SP.2016.55
H. Lipmaa. Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, (ed.), TCC 2012, volume 7194 of LNCS, (Springer, Heidelberg, 2012), pp. 169–189. https://doi.org/10.1007/978-3-642-28914-9_10
H. Lipmaa. Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes, in K. Sako and P. Sarkar, (eds.), ASIACRYPT 2013, Part I, volume 8269 of LNCS, (Springer, Heidelberg, 2013), pp. 41–60. https://doi.org/10.1007/978-3-642-42033-7_3
H. Lipmaa. Prover-efficient commit-and-prove zero-knowledge SNARKs, in D. Pointcheval, A. Nitaj, and T. Rachidi, (eds.), AFRICACRYPT 16, volume 9646 of LNCS, (Springer, Heidelberg, 2016), pp. 185–206. https://doi.org/10.1007/978-3-319-31517-1_10
H. Lipmaa. Simulation-Extractable ZK-SNARKs Revisited. Technical Report 2019/612, IACR, May 31, 2019. https://eprint.iacr.org/2019/612, updated on 8 Feb 2020
U.M. Maurer. Abstract models of computation in cryptography (invited paper), in N.P. Smart, (ed.), 10th IMA International Conference on Cryptography and Coding, volume 3796 of LNCS, (Springer, Heidelberg, 2005), pp. 1–12
S. Micali and L. Reyzin. Soundness in the public-key model, in J. Kilian, (ed.), CRYPTO 2001, volume 2139 of LNCS, (Springer, Heidelberg, August 2001), pp. 542–565. https://doi.org/10.1007/3-540-44647-8_32
V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994.
B. Parno, J. Howell, C. Gentry, and M. Raykova. Pinocchio: nearly practical verifiable computation, in 2013 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, May 2013), pp. 238–252. https://doi.org/10.1109/SP.2013.47
J.T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. Journal of the ACM, 27(4):701–717, 1980.
V. Shoup. Lower bounds for discrete logarithms and related problems, in W. Fumy, (ed.), EUROCRYPT’97, volume 1233 of LNCS, (Springer, Heidelberg, 1997), pp. 256–266. https://doi.org/10.1007/3-540-69053-0_18
J. Stern, D. Pointcheval, J. Malone-Lee, and N.P. Smart. Flaws in applying proof methodologies to signature schemes, in M. Yung, (ed.), CRYPTO 2002, volume 2442 of LNCS, (Springer, Heidelberg, 2002), pp. 93–110. https://doi.org/10.1007/3-540-45708-9_7
R. Zippel. Probabilistic Algorithms for Sparse Polynomials, in E.W. Ng, (ed.), EUROSM 1979, volume 72 of LNCS, (Marseille, France, 1979. Springer, Heidelberg), pp. 216–226
Acknowledgements
We thank Karim Baghery for his contribution to the conference version of the current paper. Most of this work was done while the authors were working at the University of Tartu, Estonia. This work was partially supported by the Estonian Research Council grant (PRG49) and by the European Union’s Horizon 2020 research and innovation program under grant agreement No. 780477 (project PRIViLEDGE).
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Masayuki Abe.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
An earlier version of this paper, [1], was published at Asiacrypt 2017. The current version has been significantly modified.
Changes Compared to the Conference Version
Changes Compared to the Conference Version
This version of the paper contains several new results compared to the conference and fixes couple of small errors that occured in the conference version. We briefly list them below.
-
1.
Improvements in the definitional framework:
-
Divided subversion-completeness into completeness and CRS verifiability.
-
In the composable Sub-ZK definition, we now allow the adversary to pick \((\mathsf {x}, \mathsf {w})\) adaptively based on the CRS.
-
Changed non-uniform adversary to uniform in the composable Sub-ZK definition (we provide a long discussion after the definition explaining this change).
-
The conference version contained an additional definition of Sub-ZK, which had a computationally unbounded extractor. We have omitted this definition in the current version since it is unclear whether it provides the correct privacy level. In general, the simulator should not be unbounded, and the extractor can be thought of as a part of the simulator.
-
Renamed Sub-GBGM to GBGM-H and statistical CRS trapdoor extractability to trapdoor extractability.
-
-
2.
Section 5 contains new generic results for achieving composable Sub-ZK. Namely, we prove that if an argument is perfectly zero knowledge in the (trusted) CRS model and satisfies the notion of trapdoor extractability, then it has composable Sub-ZK.
-
3.
We construct two versions of the Sub-ZK SNARK. The first version is trapdoor extractable and uses the general result from Sect. 5. The second version is more efficient but requires a different proof strategy. Compared to the construction in the conference version, CRS of the second argument is shorter by approximately n group elements, and the \({\mathsf {CV}}\) algorithm is also more efficient.
-
4.
The full version [2] of the conference version contains details on implementation and performance. We removed it from the current version since the implementation is incompatible with the newest version of libsnark library.
-
5.
Fixed several small errors and updated the related/subsequent work section (see Sect. 2) with some of the intermediate results.
Rights and permissions
About this article
Cite this article
Abdolmaleki, B., Lipmaa, H., Siim, J. et al. On Subversion-Resistant SNARKs. J Cryptol 34, 17 (2021). https://doi.org/10.1007/s00145-021-09379-y
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145-021-09379-y