C∅C∅: A Framework for Building Composable Zero-Knowledge Proofs

Non-interactive zero-knowledge proofs are a powerful cryptographic primitive used in privacy-preserving protocols. We design and build C∅C∅, the first system enabling developers to build efficient, composable, non-interactive zero-knowledge proofs for generic, user-defined statements. C∅C∅ extends state-of-the-art SNARK constructions by applying known strengthening transformations to yield UC-composable zero-knowledge proofs suitable for modular use in larger cryptographic protocols. To attain fast practical performance, C∅C∅ includes a library of several “SNARK-friendly” cryptographic primitives. These primitives are used in the strengthening transformations in order to reduce the overhead of achieving composable security. Our open-source library of optimized arithmetic circuits for these functions is up to 40× more efficient than standard implementations and is thus of independent interest for use in other NIZK projects. Finally, we evaluate C∅C∅ on applications such as anonymous credentials, private smart contracts, and non-outsourceable proof-of-work puzzles and demonstrate 5× to 8× speedup in these application settings compared to naive implementations.
