subversion-resistant zero knowledge › ~fuchsbau › pariscryptoday.pdf · subversion-resistant...

Subversion-Resistant Zero Knowledge

Georg Fuchsbauer

ECRYPT-NET Workshop on Crypto for the Cloud & Implementation

27 June 2017

joint work with Mihir Bellare

and Alessandra Scafuro

Content of this talk

• M. Bellare, G. F., A. Scafuro:NIZKs with an Untrusted CRS:

Security in the Face of Parameter SubversionASIACRYPT ’16 (eprint 2016/372)

• G. F.: Subversion-zero-knowledge SNARKseprint 2017/587

Motivation

• 2013

• compromised security not covered by standard model

• here: parameter subversion

Motivation

• 2013



• Example: Dual EC RNG

– “trusted” parameters P,Q

– ISO standard; NSA paid RSA $10 million

– knowledge of logQ P ⇒ predictable [ShuFer07]

⇒ break TLS [CFN+14]

Motivation

• 2013



• goal: subversion resistance

• this work: NIZK, relies on common reference string ( )

• example: zk-SNARK parameters

for Zerocash ( ) [BCG+14]

Related work

NIZK

• 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]

• NIZK in bare PK model [Wee07]

• CRS via multiparty computation [KKZZ14, BSCG+15]

• UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]

Related work

NIZK

• 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]

• NIZK in bare PK model [Wee07]

• CRS via multiparty computation [KKZZ14, BSCG+15]

• UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]

Subversion

• Algorithm-substitution attacks [BPR14, AMV15]

• Kleptography [YY96, YY97], cliptography [RTYZ16]

• Backdoored blockciphers [RP97, PG97, Pat99]

Non-interactive proofs

Prover: x,w Verifier: x

π

X/×

crs• let L ∈ NP• prove x ∈ L



π

Soundness:

π X⇒ x ∈ L

crs



Witness-indistinguishability:

π[w] ≈ π[w′]

π

crs



π

crs

Simulator: x,w×

crs ′

π′

Zero-knowledge:



π

crs

Zero-knowledge: ≈

Simulator: x,w×

crs ′

π′

Subversion-resistant NI proofs


π

Subversion Soundness:

π X⇒ x ∈ L

crs



π

Subversion WI:

π[w] ≈ π[w′]

crs



π

crs

Zero-knowledge: ≈

Simulator: x,w×

crs ′

π′



π

crs

Simulator: x,w×

crs ′,$′

π′

$

Subversion ZK: ≈



π

crs

Simulator: x,w×π′

$

∀ ∃ ∀ :

(crs, $,

)≈(crs ′, $′,

)

Our results

S-SND S-ZK S-WI

SND ZK WI

? ? ?

-

-

Our results

Standard Subversion-resistant Possible? Assumpt’s:

SND ZK WI S-SND S-ZK S-WI

Our results



• X —


w

w witness for x?

Our results



• X —


ε

X

Our results



• • • ? ? ?

Our results



• • ×

x, π

Breaking S-SND:

π X ∧ x /∈ L

crs

(if L is non-trivial)

Our results

x, π′

Breaking S-SND:

π X ∧ x /∈ L

crs ′

(if L is non-trivial)



• • ×

Our results



• • ×• • • • ?

Our results

Non-interactive Zaps [GOS06]

• NI WI proofs

• without CRS

No CRS ⇒ subversion-resistant



• • ×• • • • ?

Our results



• • ×• • • • X DLin

• • • • • ?

Our results

• implies 2-move ZK (verifier chooses CRS)

⇒ only achieved under extractability assumpt’s [BCPR14]

• construction under new knowledge of exponent assumption



• • ×• • • • X DLin

• • • • • ?

Achieving SND + S-ZK

π∀ ∃ :

(crs, $,

)≈(crs ′, $′,

)


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

∃ → → s

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

∃ → → s

checkable via pairing:e(gs, h) = e(g, hs)

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

∃ → → s

idea:

crs

trapdoor

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

∃ → → s

Prove: x ∈ L ∨ “I know s”

idea:

crs

trapdoor

Zap!

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

KEA: ∀ (g, h)→ → (gs, hs)

∃ → → s

Prove: x ∈ L ∨ “I know s”

idea:

crs

trapdoor

who chooses h?

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

DH-KEA: ∀ → (gs, hs, h = gη)

∃ → → s OR → η

Prove: x ∈ L ∨ “I know s or η”

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)

crs = (gs, hs, h = gη)


prove knowledge how?

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)



prove knowledge how?Enc(pk, s)

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)



prove knowledge how?Enc(pk, s)pk

?

π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)




π∀ ∃ :


(crs, $,

)≈(crs ′, $′,

)




π∀ ∃ :

make sk extractable

Results for NIZKs



• • ×• • • • X DLin

• • • • • X DH-KEA

Results for NIZKs



• • ×• • • • X DLin

• • • • • X DH-KEA

• • • • X NIZK

SNARKs

Succinct Non-interactiveARgument of Knowledge

• succinct:

|π| independent of |x| and |w|

• proves knowledge of w

Arguments of knowledge


π

crs

Soundness:

π X⇒ x ∈ L

Arguments of knowledge

Verifier: x

π

Knowledge Soundness:

∃ extractor:

π X⇒ w extracted

crs

w

Prover: x,w

Applications of SNARKs

• Outsourcing of computation

x

f(x), π



x

f(x), π

• Anonymous cryptocurrencies: Zerocash [BCGGMTV’14]

• coin is commitment to serial number



x

f(x), π

• Anonymous cryptocurrencies: Zerocash [BCGGMTV’14]

• coin is commitment to serial number

• transaction – creates new coins; reveals spent serial no.’s

– proves that everything done correctly

S

π

Subversion resistance

• SNARKs are perfect zero-knowledge

• but not subversion-sound

(CRS contains simulation trapdoor)





Subversion zero-knowledge?






DH-KEA: ∀ → (gs, gt, gst)

∃ → → s OR → t

Yes! under new KE assumption






SKE: ∀ →(g, gs, gs

2)∃ → → s

Yes! under new KE assumption

Approach

• CRS for SNARKs:(g, gs, gs

2

, . . . , gsd

,{gpj(s)

}j,{gαi

∑k βkpj,k(s)

}i,j, . . .

)for random s, αi, βk, . . .

Approach


2

, . . . , gsd

,{gpj(s)

}j,{gαi

∑k βkpj,k(s)

}i,j, . . .


• Check of consistency?

e(gs

2

, h)= e(gs, hs

)e(gαpj(s), h

)= e(∏

i(gsi)pj,i , hα

)

Approach


2

, . . . , gsd

,{gpj(s)

}j,{gαi

∑k βkpj,k(s)

}i,j, . . .


• Check of consistency?

e(gs

2

, h)= e(gs, hs

)e(gαpj(s), h

)= e(∏

i(gsi)pj,i , hα

)• Simulation? extraction of s

but no other values

X

SNARK 1 & 2

• Gennaro et al.’s original SNARKs [GGPR13]

symm. bilin. grps, π ∈ G9

– QSP-based (boolean circuits)

– QAP-based (arithmetic circuits)

SNARK 1 & 2





• CRS checkable?

• Proofs simulatable with s?

SNARK 1 & 2





• CRS checkable?


X

X⇒ subversion zero knowledge

SNARK 3

• Optimized Pinocchio [PHGR13, BCTV14]

asymm. bilin. grps, π ∈ G71 ×G2


– underly

SNARK 3




– underly

• CRS checkable?


×

SNARK 3




– underly

X×

⇒ add 4 group elements

• CRS checkable?

• Proofs simulatable with s? X⇒ subversion zero knowledge

SNARK 4

• Danezis et al.’s SNARKs [DFGK14]


– SSP-based (boolean circuits)

SNARK 4

• Danezis et al.’s SNARKs [DFGK14]


– SSP-based (boolean circuits)

• CRS checkable?


XX

⇒ subversion zero knowledge

SNARK 5

• Groth’s SNARKs [Groth16]



– knwl-snd in generic grp model

SNARK 5





×• CRS checkable?


X

SNARK 5





X

×⇒ extract more under SKE

⇒ simulate

• CRS checkable?


X

⇒ subv. ZK

Zcash

Is Zcash anonymous if parameters set up maliciously?

• uses SNARK w/o checkable CRS

• parameters set up using MPC [BCGTV15]

– uses ROM proofs to prove correctness

Summary SNARKs

• [GGPR13], QSP:

• [GGPR13], QAP:

• [BCTV14]:

• [DFGK14]:

• [Groth16]:

subversion-ZK

subversion-ZK

subversion-ZK after extending CRS

subversion-ZK

subversion-ZK

Assuming SKE:

Zcash





⇒ CRS checkable ⇒ proofs simulatable

X X

Zcash





⇒ CRS checkable ⇒ proofs simulatable

X

Zcash is subversion-anonymous in the ROM(if users verify CRS correctness)

X

QUESTIONS?

THANK YOU!

subversion-resistant zero knowledge › ~fuchsbau › pariscryptoday.pdf · subversion-resistant...

Documents