subversion-resistant zero knowledge › ~fuchsbau › pariscryptoday.pdf · subversion-resistant...
TRANSCRIPT
Subversion-Resistant Zero Knowledge
Georg Fuchsbauer
ECRYPT-NET Workshop on Crypto for the Cloud & Implementation
27 June 2017
joint work with Mihir Bellare
and Alessandra Scafuro
Content of this talk
• M. Bellare, G. F., A. Scafuro:NIZKs with an Untrusted CRS:
Security in the Face of Parameter SubversionASIACRYPT ’16 (eprint 2016/372)
• G. F.: Subversion-zero-knowledge SNARKseprint 2017/587
Motivation
• 2013
• compromised security not covered by standard model
• here: parameter subversion
Motivation
• 2013
• compromised security not covered by standard model
• here: parameter subversion
• Example: Dual EC RNG
– “trusted” parameters P,Q
– ISO standard; NSA paid RSA $10 million
– knowledge of logQ P ⇒ predictable [ShuFer07]
⇒ break TLS [CFN+14]
Motivation
• 2013
• compromised security not covered by standard model
• here: parameter subversion
• goal: subversion resistance
• this work: NIZK, relies on common reference string ( )
• example: zk-SNARK parameters
for Zerocash ( ) [BCG+14]
Related work
NIZK
• 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]
• NIZK in bare PK model [Wee07]
• CRS via multiparty computation [KKZZ14, BSCG+15]
• UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]
Related work
NIZK
• 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]
• NIZK in bare PK model [Wee07]
• CRS via multiparty computation [KKZZ14, BSCG+15]
• UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]
Subversion
• Algorithm-substitution attacks [BPR14, AMV15]
• Kleptography [YY96, YY97], cliptography [RTYZ16]
• Backdoored blockciphers [RP97, PG97, Pat99]
Non-interactive proofs
Prover: x,w Verifier: x
π
X/×
crs• let L ∈ NP• prove x ∈ L
Non-interactive proofs
Prover: x,w Verifier: x
π
Soundness:
π X⇒ x ∈ L
crs
Non-interactive proofs
Prover: x,w Verifier: x
Witness-indistinguishability:
π[w] ≈ π[w′]
π
crs
Non-interactive proofs
Prover: x,w Verifier: x
π
crs
Simulator: x,w×
crs ′
π′
Zero-knowledge:
Non-interactive proofs
Prover: x,w Verifier: x
π
crs
Zero-knowledge: ≈
Simulator: x,w×
crs ′
π′
Subversion-resistant NI proofs
Prover: x,w Verifier: x
π
Subversion Soundness:
π X⇒ x ∈ L
crs
Subversion-resistant NI proofs
Prover: x,w Verifier: x
π
Subversion WI:
π[w] ≈ π[w′]
crs
Non-interactive proofs
Prover: x,w Verifier: x
π
crs
Zero-knowledge: ≈
Simulator: x,w×
crs ′
π′
Subversion-resistant NI proofs
Prover: x,w Verifier: x
π
crs
Simulator: x,w×
crs ′,$′
π′
$
Subversion ZK: ≈
Subversion-resistant NI proofs
Prover: x,w Verifier: x
π
crs
Simulator: x,w×π′
$
∀ ∃ ∀ :
(crs, $,
)≈(crs ′, $′,
)
Our results
S-SND S-ZK S-WI
SND ZK WI
? ? ?
-
-
Our results
S-SND S-ZK S-WI
SND ZK WI
? ? ?
-
-
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• X —
Prover: x,w Verifier: x
w
w witness for x?
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• X —
Prover: x,w Verifier: x
ε
X
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • • ? ? ?
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ×
x, π
Breaking S-SND:
π X ∧ x /∈ L
crs
(if L is non-trivial)
Our results
x, π′
Breaking S-SND:
π X ∧ x /∈ L
crs ′
(if L is non-trivial)
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ×
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • ?
Our results
Non-interactive Zaps [GOS06]
• NI WI proofs
• without CRS
No CRS ⇒ subversion-resistant
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • ?
Our results
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • X DLin
• • • • • ?
Our results
• implies 2-move ZK (verifier chooses CRS)
⇒ only achieved under extractability assumpt’s [BCPR14]
• construction under new knowledge of exponent assumption
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • X DLin
• • • • • ?
Achieving SND + S-ZK
π∀ ∃ :
(crs, $,
)≈(crs ′, $′,
)
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
∃ → → s
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
∃ → → s
checkable via pairing:e(gs, h) = e(g, hs)
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
∃ → → s
idea:
crs
trapdoor
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
∃ → → s
Prove: x ∈ L ∨ “I know s”
idea:
crs
trapdoor
Zap!
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
KEA: ∀ (g, h)→ → (gs, hs)
∃ → → s
Prove: x ∈ L ∨ “I know s”
idea:
crs
trapdoor
who chooses h?
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
DH-KEA: ∀ → (gs, hs, h = gη)
∃ → → s OR → η
Prove: x ∈ L ∨ “I know s or η”
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
crs = (gs, hs, h = gη)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how?
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
crs = (gs, hs, h = gη)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how?Enc(pk, s)
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
crs = (gs, hs, h = gη)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how?Enc(pk, s)pk
?
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
crs = (gs, hs, h = gη)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how?Enc(pk, s)pk
π∀ ∃ :
Achieving SND + S-ZK
(crs, $,
)≈(crs ′, $′,
)
crs = (gs, hs, h = gη)
Prove: x ∈ L ∨ “I know s or η”
prove knowledge how?Enc(pk, s)pk
π∀ ∃ :
make sk extractable
Results for NIZKs
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • X DLin
• • • • • X DH-KEA
Results for NIZKs
Standard Subversion-resistant Possible? Assumpt’s:
SND ZK WI S-SND S-ZK S-WI
• • ו • • • X DLin
• • • • • X DH-KEA
• • • • X NIZK
SNARKs
Succinct Non-interactiveARgument of Knowledge
• succinct:
|π| independent of |x| and |w|
• proves knowledge of w
Arguments of knowledge
Prover: x,w Verifier: x
π
crs
Soundness:
π X⇒ x ∈ L
Arguments of knowledge
Verifier: x
π
Knowledge Soundness:
∃ extractor:
π X⇒ w extracted
crs
w
Prover: x,w
Applications of SNARKs
• Outsourcing of computation
x
f(x), π
Applications of SNARKs
• Outsourcing of computation
x
f(x), π
• Anonymous cryptocurrencies: Zerocash [BCGGMTV’14]
• coin is commitment to serial number
Applications of SNARKs
• Outsourcing of computation
x
f(x), π
• Anonymous cryptocurrencies: Zerocash [BCGGMTV’14]
• coin is commitment to serial number
• transaction – creates new coins; reveals spent serial no.’s
– proves that everything done correctly
S
π
Subversion resistance
• SNARKs are perfect zero-knowledge
• but not subversion-sound
(CRS contains simulation trapdoor)
Subversion resistance
• SNARKs are perfect zero-knowledge
• but not subversion-sound
(CRS contains simulation trapdoor)
Subversion zero-knowledge?
Subversion resistance
• SNARKs are perfect zero-knowledge
• but not subversion-sound
(CRS contains simulation trapdoor)
Subversion zero-knowledge?
DH-KEA: ∀ → (gs, gt, gst)
∃ → → s OR → t
Yes! under new KE assumption
Subversion resistance
• SNARKs are perfect zero-knowledge
• but not subversion-sound
(CRS contains simulation trapdoor)
Subversion zero-knowledge?
SKE: ∀ →(g, gs, gs
2)∃ → → s
Yes! under new KE assumption
Approach
• CRS for SNARKs:(g, gs, gs
2
, . . . , gsd
,{gpj(s)
}j,{gαi
∑k βkpj,k(s)
}i,j, . . .
)for random s, αi, βk, . . .
Approach
• CRS for SNARKs:(g, gs, gs
2
, . . . , gsd
,{gpj(s)
}j,{gαi
∑k βkpj,k(s)
}i,j, . . .
)for random s, αi, βk, . . .
• Check of consistency?
e(gs
2
, h)= e(gs, hs
)e(gαpj(s), h
)= e(∏
i(gsi)pj,i , hα
)
Approach
• CRS for SNARKs:(g, gs, gs
2
, . . . , gsd
,{gpj(s)
}j,{gαi
∑k βkpj,k(s)
}i,j, . . .
)for random s, αi, βk, . . .
• Check of consistency?
e(gs
2
, h)= e(gs, hs
)e(gαpj(s), h
)= e(∏
i(gsi)pj,i , hα
)• Simulation? extraction of s
but no other values
X
SNARK 1 & 2
• Gennaro et al.’s original SNARKs [GGPR13]
symm. bilin. grps, π ∈ G9
– QSP-based (boolean circuits)
– QAP-based (arithmetic circuits)
SNARK 1 & 2
• Gennaro et al.’s original SNARKs [GGPR13]
symm. bilin. grps, π ∈ G9
– QSP-based (boolean circuits)
– QAP-based (arithmetic circuits)
• CRS checkable?
• Proofs simulatable with s?
SNARK 1 & 2
• Gennaro et al.’s original SNARKs [GGPR13]
symm. bilin. grps, π ∈ G9
– QSP-based (boolean circuits)
– QAP-based (arithmetic circuits)
• CRS checkable?
• Proofs simulatable with s?
X
X⇒ subversion zero knowledge
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
• CRS checkable?
• Proofs simulatable with s?
×
SNARK 3
• Optimized Pinocchio [PHGR13, BCTV14]
asymm. bilin. grps, π ∈ G71 ×G2
– QAP-based (arithmetic circuits)
– underly
X×
⇒ add 4 group elements
• CRS checkable?
• Proofs simulatable with s? X⇒ subversion zero knowledge
SNARK 4
• Danezis et al.’s SNARKs [DFGK14]
asymm. bilin. grps, π ∈ G31 ×G2
– SSP-based (boolean circuits)
SNARK 4
• Danezis et al.’s SNARKs [DFGK14]
asymm. bilin. grps, π ∈ G31 ×G2
– SSP-based (boolean circuits)
• CRS checkable?
• Proofs simulatable with s?
XX
⇒ subversion zero knowledge
SNARK 5
• Groth’s SNARKs [Groth16]
asymm. bilin. grps, π ∈ G21 ×G2
– QAP-based (arithmetic circuits)
– knwl-snd in generic grp model
SNARK 5
• Groth’s SNARKs [Groth16]
asymm. bilin. grps, π ∈ G21 ×G2
– QAP-based (arithmetic circuits)
– knwl-snd in generic grp model
ו CRS checkable?
• Proofs simulatable with s?
X
SNARK 5
• Groth’s SNARKs [Groth16]
asymm. bilin. grps, π ∈ G21 ×G2
– QAP-based (arithmetic circuits)
– knwl-snd in generic grp model
X
×⇒ extract more under SKE
⇒ simulate
• CRS checkable?
• Proofs simulatable with s?
X
⇒ subv. ZK
Zcash
Is Zcash anonymous if parameters set up maliciously?
• uses SNARK w/o checkable CRS
• parameters set up using MPC [BCGTV15]
– uses ROM proofs to prove correctness
Summary SNARKs
• [GGPR13], QSP:
• [GGPR13], QAP:
• [BCTV14]:
• [DFGK14]:
• [Groth16]:
subversion-ZK
subversion-ZK
subversion-ZK after extending CRS
subversion-ZK
subversion-ZK
Assuming SKE:
Zcash
Is Zcash anonymous if parameters set up maliciously?
• uses SNARK w/o checkable CRS
• parameters set up using MPC [BCGTV15]
– uses ROM proofs to prove correctness
⇒ CRS checkable ⇒ proofs simulatable
X X
Zcash
Is Zcash anonymous if parameters set up maliciously?
• uses SNARK w/o checkable CRS
• parameters set up using MPC [BCGTV15]
– uses ROM proofs to prove correctness
⇒ CRS checkable ⇒ proofs simulatable
X
Zcash is subversion-anonymous in the ROM(if users verify CRS correctness)
X
QUESTIONS?
THANK YOU!