
Snarky Ceremonies

Conference paper in Advances in Cryptology – ASIACRYPT 2021 (ASIACRYPT 2021). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13092).

Abstract

Succinct non-interactive arguments of knowledge (SNARKs) have found numerous applications in the blockchain setting and elsewhere. The most efficient SNARKs require a distributed ceremony protocol to generate public parameters, also known as a structured reference string (SRS). Our contributions are two-fold:

  • We give a security framework for non-interactive zero-knowledge arguments with a ceremony protocol.

  • We revisit the ceremony protocol of Groth’s SNARK [Bowe et al., 2017]. We show that the original construction can be simplified and optimized, and then prove its security in our new framework. Importantly, our construction avoids the random beacon model used in the original work.


Notes

  1. It is desirable for a setup ceremony to avoid dependence on setups as much as possible: we spurn random beacons but embrace random oracles.

  2. Note that one can independently prove subversion ZK [2, 17].

  3. Similarly to the universal updatability notions that share the same “independence”, e.g. [36], \(\mathsf {srs}_u\) still formally depends on the maximum size of the circuit, which can nevertheless be made large enough to be practically universal.

  4. https://github.com/grnet/snarky.

  5. The latter can be derived from the former elements of the list, and is added to \(\mathsf {view}_\mathcal {A}\) for convenience.

  6. We disallow subversion of \(\mathsf {p}\) in this paper, but in real-life systems this part of the setup also needs scrutiny. This is arguably easier, since usually \(\mathsf {p}\) is trapdoor-free.

  7. See the description of the Groth16 SRS, which has \(1/\delta \) in some SRS elements.

  8. The polynomial p(X) is introduced only in the scope of this example, and is not related to the QAP.

  9. Our Groth16 SRS follows [12] and not the original [25]. It additionally contains \(\{H^{x^i}\}_{i = n- 2}^{2n- 2}\), \(\{H^{\alpha x^i}\}_{i = 1}^{n- 1}\), and \(\{H^{\beta x^i}\}_{i=1}^{n-1}\).

  10. This generality simplifies our model. In practice \(\mathsf {srs}_s\) can be derived using \(\mathsf {Specialize}\) only once, just before starting phase 2.

  11. If \(\hat{Z}_\iota \) is not equal to \(Z_\iota \prod \iota ^\mathcal {A}_j\) as a function, we have \(\hat{Z}_\iota (\varPsi ) - Z_\iota \prod \iota ^\mathcal {A}_j\ne 0\) but \(\hat{Z}_\iota (\psi ) - z_\iota \prod \iota ^\mathcal {A}_j \equiv 0\) for \(\iota \in \{x,\alpha ,\beta ,\delta \}\), and we break the \((2n-1,2n-2)\)-edlog problem as in Lemma 6.

  12. The form of the proof-independent parts of the verification equation is due to our critical-step-simulation strategy, which we introduce in \(\mathsf {Game}_1\). That is, these values only depend on the challenge variables \(Z_\iota \) plus the last adversarial trapdoors (e.g. \(\prod \alpha ^\mathcal {A}_i\) etc.). This is where guessing the last query really helps: otherwise these terms would also depend on \(\varPsi _1\), e.g. on \(\vec {T}\).

References

  1. Abdolmaleki, B., Baghery, K., Lipmaa, H., Siim, J., Zając, M.: UC-secure CRS generation for SNARKs. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 99–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_6

  2. Abdolmaleki, B., Baghery, K., Lipmaa, H., Zając, M.: A subversion-resistant SNARK. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_1

  3. Baghery, K., Kohlweiss, M., Siim, J., Volkhov, M.: Another look at extraction and randomization of Groth’s zk-SNARK. Cryptology ePrint Archive, Report 2020/811 (2020). https://eprint.iacr.org/2020/811

  4. Bauer, B., Fuchsbauer, G., Loss, J.: A classification of computational assumptions in the algebraic group model. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 121–151. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_5

  5. Bellare, M., Fuchsbauer, G., Scafuro, A.: NIZKs with an untrusted CRS: security in the face of parameter subversion. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 777–804. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_26

  6. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014

  7. Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: 2015 IEEE Symposium on Security and Privacy, pp. 287–304. IEEE Computer Society Press, May 2015

  8. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 781–796. USENIX Association, August 2014

  9. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25

  10. Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy, pp. 947–964. IEEE Computer Society Press, May 2020

  11. Bowe, S., Gabizon, A., Green, M.D.: A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK. Cryptology ePrint Archive, Report 2017/602 (2017). http://eprint.iacr.org/2017/602

  12. Bowe, S., Gabizon, A., Miers, I.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050 (2017). http://eprint.iacr.org/2017/1050

  13. Bünz, B., Maller, M., Mishra, P., Vesely, N.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2019). https://eprint.iacr.org/2019/1177

  14. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001

  15. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26

  16. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_28

  17. Fuchsbauer, G.: Subversion-zero-knowledge SNARKs. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 315–347. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_11

  18. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

  19. Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3

  20. Gabizon, A.: On the security of the BCTV Pinocchio zk-SNARK variant. Cryptology ePrint Archive, Report 2019/119 (2019). https://eprint.iacr.org/2019/119

  21. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019). https://eprint.iacr.org/2019/953

  22. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  23. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: 17th ACM STOC, pp. 291–304. ACM Press, May 1985

  24. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

  25. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  26. Groth, J., Kohlweiss, M., Maller, M., Meiklejohn, S., Miers, I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 698–728. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_24

  27. Han, R., Yu, J., Lin, H.: RandChain: decentralised randomness beacon from sequential proof-of-work. Cryptology ePrint Archive, Report 2020/1033 (2020). https://eprint.iacr.org/2020/1033

  28. Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018). https://arxiv.org/abs/1805.04548

  29. Kerber, T., Kiayias, A., Kohlweiss, M.: Composition with knowledge assumptions. Cryptology ePrint Archive, Report 2021/165 (2021). https://eprint.iacr.org/2021/165

  30. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12

  31. Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press, May 2016

  32. Kosba, A.E., Papadopoulos, D., Papamanthou, C., Song, D.: MIRAGE: succinct arguments for randomized algorithms with applications to universal zk-SNARKs. In: Capkun, S., Roesner, F. (eds.) USENIX Security 2020, pp. 2129–2146. USENIX Association, August 2020

  33. Lee, J., Choi, J., Kim, J., Oh, H.: SAVER: SNARK-friendly, additively-homomorphic, and verifiable encryption and decryption with rerandomization. Cryptology ePrint Archive, Report 2019/1270 (2019). https://eprint.iacr.org/2019/1270

  34. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

  35. Maller, M.: A proof of security for the Sapling generation of zk-SNARK parameters in the generic group model (2018). https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf. Accessed 26 Feb 2020

  36. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 2111–2128. ACM Press, November 2019

  37. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press, May 2013

  38. Pietrzak, K.: Simple verifiable delay functions. In: Blum, A. (ed.) ITCS 2019, vol. 124, pp. 60:1–60:15. LIPIcs, January 2019

  39. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13

Acknowledgements

This work has been supported in part by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 780477 (project PRIViLEDGE). Janno Siim was additionally supported by the Estonian Research Council grant PRG49. An early version of this work [35] included a Sapling security proof that was funded by the Electric Coin Company.

Author information

Corresponding author: Markulf Kohlweiss.

Copyright information

© 2021 International Association for Cryptologic Research


Cite this paper

Kohlweiss, M., Maller, M., Siim, J., Volkhov, M. (2021). Snarky Ceremonies. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science, vol 13092. Springer, Cham. https://doi.org/10.1007/978-3-030-92078-4_4

  • DOI: https://doi.org/10.1007/978-3-030-92078-4_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92077-7

  • Online ISBN: 978-3-030-92078-4

  • eBook Packages: Computer Science (R0)
