![Page 1: Subversion-Resistant Zero Knowledge › ~fuchsbau › ParisCryptoDay.pdf · Subversion-Resistant Zero Knowledge Georg Fuchsbauer ECRYPT-NET Workshop on Crypto for the Cloud & Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f1083e87e708231d4497d78/html5/thumbnails/1.jpg)
Subversion-Resistant Zero Knowledge
Georg Fuchsbauer
ECRYPT-NET Workshop on Crypto for the Cloud & Implementation
27 June 2017
joint work with Mihir Bellare and Alessandra Scafuro
Content of this talk
• M. Bellare, G. F., A. Scafuro: NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion, ASIACRYPT ’16 (eprint 2016/372)
• G. F.: Subversion-zero-knowledge SNARKs, eprint 2017/587
Motivation
• 2013
• compromised security not covered by standard model
• here: parameter subversion
• Example: Dual EC RNG
– “trusted” parameters P, Q
– ISO standard; NSA paid RSA $10 million
– knowledge of log_Q P ⇒ output predictable [ShuFer07]
⇒ break TLS [CFN+14]
• goal: subversion resistance
• this work: NIZK, relies on a common reference string (CRS)
• example: zk-SNARK parameters for Zerocash [BCG+14]
Related work
NIZK
• 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]
• NIZK in bare PK model [Wee07]
• CRS via multiparty computation [KKZZ14, BSCG+15]
• UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]
Subversion
• Algorithm-substitution attacks [BPR14, AMV15]
• Kleptography [YY96, YY97], cliptography [RTYZ16]
• Backdoored blockciphers [RP97, PG97, Pat99]
Non-interactive proofs
• let L ∈ NP
• prove x ∈ L
Prover: x, w    Verifier: x
both see crs; Prover sends π; Verifier outputs ✓/✗
Soundness: π ✓ ⇒ x ∈ L
Witness-indistinguishability: π[w] ≈ π[w′]
Zero-knowledge: Simulator (x, no w) outputs crs′, π′ with (crs, π) ≈ (crs′, π′)
Subversion-resistant NI proofs
Prover: x, w    Verifier: x
crs (untrusted); Prover sends π
Subversion Soundness: π ✓ ⇒ x ∈ L
Subversion WI: π[w] ≈ π[w′]
Subversion ZK: Simulator (x, no w) outputs crs′, $′, π′
∀ ∃ ∀ : (crs, $, ) ≈ (crs′, $′, )
Our results
Columns: Standard (SND ZK WI) | Subversion-resistant (S-SND S-ZK S-WI) | Possible? | Assumpt’s:
• ✓ — : trivial protocol: Prover (x, w) sends w; Verifier (x) checks “w witness for x?”
• ✓ — : trivial protocol: Prover sends the empty proof ε; Verifier (x) accepts ✓
• • • ? ? ?
• • × : Breaking S-SND (if L is non-trivial): with the simulated crs′, output x ∉ L together with a simulated π′ that verifies: π′ ✓ ∧ x ∉ L
• • • ✓ DLin : Non-interactive Zaps [GOS06]: NI WI proofs without CRS; no CRS ⇒ subversion-resistant
• • • • • ? : implies 2-move ZK (verifier chooses CRS) ⇒ only achieved under extractability assumpt’s [BCPR14]; construction under new knowledge-of-exponent assumption
Achieving SND + S-ZK
S-ZK: ∀ ∃ : (crs, $, ) ≈ (crs′, $′, )
KEA: ∀ (g, h) → → (g^s, h^s); ∃ → → s
checkable via pairing: e(g^s, h) = e(g, h^s)
idea: trapdoor in crs; Prove: x ∈ L ∨ “I know s” (Zap!)
who chooses h?
DH-KEA: ∀ → (g^s, h^s, h = g^η); ∃ → → s OR → η
crs = (g^s, h^s, h = g^η)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how? Enc(pk, s); pk? ⇒ make sk extractable
Results for NIZKs
Columns: Standard (SND ZK WI) | Subversion-resistant (S-SND S-ZK S-WI) | Possible? | Assumpt’s:
• • ×
• • • ✓ DLin
• • • • • ✓ DH-KEA
• • • • ✓ NIZK
SNARKs
Succinct Non-interactive ARgument of Knowledge
• succinct: |π| independent of |x| and |w|
• proves knowledge of w
Arguments of knowledge
Prover: x, w    Verifier: x; crs; Prover sends π
Soundness: π ✓ ⇒ x ∈ L
Knowledge Soundness: ∃ extractor: π ✓ ⇒ w extracted
Applications of SNARKs
• Outsourcing of computation: send x, get back f(x), π
• Anonymous cryptocurrencies: Zerocash [BCGGMTV’14]
– coin is commitment to serial number
– transaction creates new coins; reveals spent serial no.’s S
– proves that everything done correctly: π
Subversion resistance
• SNARKs are perfect zero-knowledge
• but not subversion-sound (CRS contains simulation trapdoor)
Subversion zero-knowledge? Yes! under new KE assumption
DH-KEA: ∀ → (g^s, g^t, g^{st}); ∃ → → s OR → t
SKE: ∀ → (g, g^s, g^{s²}); ∃ → → s
Approach
• CRS for SNARKs: (g, g^s, g^{s²}, …, g^{s^d}, {g^{p_j(s)}}_j, {g^{α_i Σ_k β_k p_{j,k}(s)}}_{i,j}, …) for random s, α_i, β_k, …
• Check of consistency? e(g^{s²}, h) = e(g^s, h^s) and e(g^{α p_j(s)}, h) = e(∏_i (g^{s^i})^{p_{j,i}}, h^α)
• Simulation? extraction of s but no other values ✓
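The two pairing checks on this slide, worked through in a toy symmetric bilinear group as an added example (not code from the talk or the paper); it generalises the first check to the whole chain of powers and adds an identity-element check the slide does not mention. Group elements expose their exponent only so the map is computable offline; the toy order P, the sample s, α and polynomials are constructed values.

```python
"""Toy model of the CRS consistency checks (added example, not from the talk).
A real verifier works in a pairing-friendly elliptic-curve group; to run
offline, elements here carry their discrete log so the bilinear map can be
evaluated in plain Python. The verifier only uses the group interface
(mul, pow, pair, equality), so it checks the same equations a real one would.
"""
from dataclasses import dataclass
import secrets

P = 2**61 - 1  # constructed toy group order (prime); far too small for real use


@dataclass(frozen=True)
class Elem:
    """Group element g^exp (symmetric setting, so h = g). In a real group the
    exponent is hidden; verifier code below never reads .exp directly."""
    exp: int

    def __mul__(self, other: "Elem") -> "Elem":
        return Elem((self.exp + other.exp) % P)

    def __pow__(self, k: int) -> "Elem":
        return Elem((self.exp * k) % P)


ONE = Elem(0)  # identity element
g = Elem(1)    # generator


def pair(a: Elem, b: Elem) -> int:
    """Toy bilinear map e(g^a, g^b) = g_T^(a*b); returns the exponent in G_T."""
    return (a.exp * b.exp) % P


def poly_in_exponent(powers, coeffs):
    """prod_i (g^{s^i})^{p_i} = g^{p(s)}, using only CRS powers and public p_i."""
    acc = ONE
    for gs_i, c in zip(powers, coeffs):
        acc = acc * (gs_i ** c)
    return acc


def gen_crs(polys, s, alpha):
    """Honest generator: (g, g^s, ..., g^{s^d}, {g^{alpha p_j(s)}}_j, g^alpha).
    polys[j] = [p_{j,0}, ..., p_{j,d}] are the public circuit polynomials."""
    d = max(len(p) for p in polys) - 1
    powers = [g ** pow(s, i, P) for i in range(d + 1)]
    alpha_polys = [poly_in_exponent(powers, p) ** alpha for p in polys]
    return {"powers": powers, "alpha_polys": alpha_polys,
            "g_alpha": g ** alpha, "polys": polys}


def crs_well_formed(crs) -> bool:
    """The slide's two pairing checks, for every power and every p_j.
    Also rejects identity elements (s = 0 or alpha = 0 would otherwise pass)."""
    powers, g_alpha = crs["powers"], crs["g_alpha"]
    if powers[0] != g or g_alpha == ONE or any(e == ONE for e in powers[1:]):
        return False
    # e(g^{s^{i+1}}, h) = e(g^{s^i}, h^s) for i = 0..d-1 (slide shows i = 1)
    for i in range(len(powers) - 1):
        if pair(powers[i + 1], g) != pair(powers[i], powers[1]):
            return False
    # e(g^{alpha p_j(s)}, h) = e(prod_i (g^{s^i})^{p_{j,i}}, h^alpha) for each j
    for p, hidden in zip(crs["polys"], crs["alpha_polys"]):
        if pair(hidden, g) != pair(poly_in_exponent(powers, p), g_alpha):
            return False
    return True


def subverted_power(crs, i, r):
    """Subverted CRS: g^{s^i} replaced by an unrelated g^r (breaks the chain)."""
    bad = dict(crs)
    bad["powers"] = list(crs["powers"])
    bad["powers"][i] = g ** r
    return bad


def subverted_alpha(crs, j, alpha2):
    """Subverted CRS: g^{alpha' p_j(s)} computed with a different alpha'."""
    bad = dict(crs)
    bad["alpha_polys"] = list(crs["alpha_polys"])
    bad["alpha_polys"][j] = poly_in_exponent(crs["powers"], crs["polys"][j]) ** alpha2
    return bad


SAMPLE_POLYS = [[1, 2, 3], [5, 0, 7, 11]]  # constructed coefficient lists


def main():
    s, alpha = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    crs = gen_crs(SAMPLE_POLYS, s, alpha)
    print("honest CRS    :", crs_well_formed(crs))
    print("tampered power:", crs_well_formed(subverted_power(crs, 2, (s * s + 1) % P)))
    print("tampered alpha:", crs_well_formed(subverted_alpha(crs, 1, (alpha + 1) % P)))


if __name__ == "__main__":
    main()
```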
SNARK 1 & 2
• Gennaro et al.’s original SNARKs [GGPR13]: symm. bilin. grps, π ∈ G^9
– QSP-based (boolean circuits)
– QAP-based (arithmetic circuits)
• CRS checkable? ✓
• Proofs simulatable with s? ✓ ⇒ subversion zero knowledge
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
![Page 62: Subversion-Resistant Zero Knowledge › ~fuchsbau › ParisCryptoDay.pdf · Subversion-Resistant Zero Knowledge Georg Fuchsbauer ECRYPT-NET Workshop on Crypto for the Cloud & Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f1083e87e708231d4497d78/html5/thumbnails/62.jpg)
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
• CRS checkable?
• Proofs simulatable with s?
×
![Page 63: Subversion-Resistant Zero Knowledge › ~fuchsbau › ParisCryptoDay.pdf · Subversion-Resistant Zero Knowledge Georg Fuchsbauer ECRYPT-NET Workshop on Crypto for the Cloud & Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f1083e87e708231d4497d78/html5/thumbnails/63.jpg)
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
X×
⇒ add 4 group elements
• CRS checkable?
• Proofs simulatable with s? X⇒ subversion zero knowledge
SNARK 4
• Danezis et al.’s SNARKs [DFGK14]: asymm. bilin. grps, π ∈ G_1^3 × G_2
– SSP-based (boolean circuits)
• CRS checkable? ✓
• Proofs simulatable with s? ✓ ⇒ subversion zero knowledge
SNARK 5
• Groth’s SNARKs [Groth16]: asymm. bilin. grps, π ∈ G_1^2 × G_2
– QAP-based (arithmetic circuits)
– knwl-snd in generic grp model
• CRS checkable? ✓
• Proofs simulatable with s? ✗ ⇒ extract more under SKE ⇒ simulate ✓ ⇒ subv. ZK
Summary SNARKs
• [GGPR13], QSP:
• [GGPR13], QAP:
• [BCTV14]:
• [DFGK14]:
• [Groth16]:
subversion-ZK
subversion-ZK
subversion-ZK after extending CRS
subversion-ZK
subversion-ZK
Assuming SKE:
Zcash
Is Zcash anonymous if parameters set up maliciously?
• uses SNARK w/o checkable CRS
• parameters set up using MPC [BCGTV15]
– uses ROM proofs to prove correctness
⇒ CRS checkable ✓ ⇒ proofs simulatable ✓
Zcash is subversion-anonymous in the ROM (if users verify CRS correctness)
QUESTIONS?
THANK YOU!