Subversion-Zero-Knowledge SNARKs
نویسنده
چکیده
Subversion zero knowledge for non-interactive proof systems demands that zero knowledge (ZK) be maintained even when the common reference string (CRS) is chosen maliciously. SNARKs are proof systems with succinct proofs, which are at the core of the cryptocurrency Zcash, whose anonymity relies on ZK-SNARKs; they are also used for ZK contingent payments in Bitcoin. We show that under a plausible hardness assumption, the most efficient SNARK schemes proposed in the literature, including the one underlying Zcash and contingent payments, satisfy subversion ZK or can be made to at very little cost. In particular, we prove subversion ZK of the original SNARKs by Gennaro et al. and the almost optimal construction by Groth; for the Pinocchio scheme implemented in libsnark we show that it suffices to add 4 group elements to the CRS. We also argue informally that Zcash is anonymous even if its parameters were set up maliciously.
منابع مشابه
A Subversion-Resistant SNARK
While succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs) are widely studied, the question of what happens when the CRS has been subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer and Scafuro showed the first negative and positive results in this direction, proving also that it is impossible to achieve subversion soundness and (even non-subver...
متن کاملProver-efficient commit-and-prove zero-knowledge SNARKs
Zk-SNARKs (succinct non-interactive zero-knowledge arguments of knowledge) are needed in many applications. Unfortunately, all previous zk-SNARKs for interesting languages are either inefficient for prover, or are non-adaptive and based on an commitment scheme that does depend both on the prover’s input and on the language, i.e., they are not commit-and-prove (CaP) SNARKs. We propose a prooffri...
متن کاملOn the (In)Security of SNARKs in the Presence of Oracles
In this work we study the feasibility of knowledge extraction for succinct non-interactive arguments of knowledge (SNARKs) in a scenario that, to the best of our knowledge, has not been analyzed before. While prior work focuses on the case of adversarial provers that may receive (statically generated) auxiliary information, here we consider the scenario where adversarial provers are given acces...
متن کاملPOSTER: Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture
We build a system that can prove, in zero knowledge, the correct executions of programs on a 32-bit RISC machine. The proofs are succinct: short and easy to verify. All previous implementations of zero-knowledge proof systems with succinct proofs (also known as zk-SNARKs) require the proof system’s keys to be regenerated for each distinct program; this is costly and requires the intervention of...
متن کاملScalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model
Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) have emerged as a valuable tool for verifiable computation and privacy preserving protocols. Currently practical schemes require a common reference string (CRS) to be constructed in a one-time setup for each statement. Ben-Sasson, Chiesa, Green, Tromer and Virza [5] devised a multi-party protocol to securely compute such...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2017