Updatable and Universal Common Reference Strings with Applications to zk-SNARKs

By design, existing (pre-processing) zk-SNARKs embed a secret trapdoor in a relation-dependent common reference string (CRS). The trapdoor is used by a (hypothetical) simulator to prove that the scheme is zero knowledge, and the secret-dependent structure of the CRS is what allows a linear-size CRS and linear-time prover computation. If a real party knows the trapdoor, however, it can use it to subvert the security of the system. The structured CRS that makes zk-SNARKs practical therefore also makes deploying zk-SNARKs problematic, because it is difficult to argue why the trapdoor would not be available to the entity responsible for generating the CRS. Moreover, for pre-processing zk-SNARKs a new trusted CRS must be computed every time the relation changes.
