Subversion-Resistant Zero Knowledge

Size: px

Start display at page:

Download "Subversion-Resistant Zero Knowledge"

Franklin Horn
5 years ago
Views:

1 Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017

2 Content of this talk M. Bellare, G. F., A. Scafuro: NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion ASIACRYPT 16 (eprint 2016/372) G. F.: Subversion-zero-knowledge SNARKs eprint 2017/587

3 Motivation 2013 compromised security not covered by standard model here: parameter subversion

4 Motivation 2013 compromised security not covered by standard model here: parameter subversion Example: Dual EC RNG trusted parameters P, Q ISO standard; NSA paid RSA $10 million knowledge of log Q P predictable [ShuFer07] break TLS [CFN + 14]

5 Motivation 2013 compromised security not covered by standard model here: parameter subversion goal: subversion resistance this work: NIZK, relies on common reference string ( ) example: zk-snark parameters for Zerocash ( ) [BCG + 14]

6 Related work NIZK 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14] NIZK in bare PK model [Wee07] CRS via multiparty computation [KKZZ14, BSCG + 15] UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]

7 Related work NIZK 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14] NIZK in bare PK model [Wee07] CRS via multiparty computation [KKZZ14, BSCG + 15] UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11] Subversion Algorithm-substitution attacks [BPR14, AMV15] Kleptography [YY96, YY97], cliptography [RTYZ16] Backdoored blockciphers [RP97, PG97, Pat99]

8 Non-interactive proofs let L N P prove x L crs π / Prover: x, w Verifier: x

9 Non-interactive proofs crs π Soundness: π x L Prover: x, w Verifier: x

10 Non-interactive proofs crs π Witness-indistinguishability: π[w] π[w ] Prover: x, w Verifier: x

11 Non-interactive proofs crs Prover: x, w π Zero-knowledge: crs π Simulator: x, w Verifier: x

12 Non-interactive proofs crs π Zero-knowledge: Prover: x, w crs π Simulator: x, w Verifier: x

13 Subversion-resistant NI proofs crs π Subversion Soundness: π x L Prover: x, w Verifier: x

14 Subversion-resistant NI proofs π crs Subversion WI: π[w] π[w ] Prover: x, w Verifier: x

15 Non-interactive proofs crs π Zero-knowledge: Prover: x, w crs π Simulator: x, w Verifier: x

16 Subversion-resistant NI proofs $ crs π Subversion ZK: Prover: x, w crs,$ π Simulator: x, w Verifier: x

17 Subversion-resistant NI proofs $ crs π : ( crs, $, ) ( crs, $, ) Prover: x, w π Simulator: x, w Verifier: x

18 Our results S-SND S-ZK S-WI SND ZK WI

19 Our results S-SND S-ZK S-WI SND ZK WI

20 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI

21 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI w w witness for x? Prover: x, w Verifier: x

22 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI ε Prover: x, w Verifier: x

23 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI???

24 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI (if L is non-trivial) crs x, π Breaking S-SND: π x / L

25 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI crs x, π (if L is non-trivial) Breaking S-SND: π x / L

26 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI?

27 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI? Non-interactive Zaps [GOS06] NI WI proofs without CRS No CRS subversion-resistant

28 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin?

29 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin? implies 2-move ZK (verifier chooses CRS) only achieved under extractability assumpt s [BCPR14] construction under new knowledge of exponent assumption

30 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, )

31 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s )

32 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s

33 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s checkable via pairing: e(g s, h) = e(g, h s )

34 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor

35 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor Zap! Prove: x L I know s

36 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor who chooses h? Prove: x L I know s

37 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) DH-KEA: (g s, h s, h = g η ) s OR η Prove: x L I know s or η

38 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) prove knowledge how? Prove: x L I know s or η

39 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) Enc(pk, s) prove knowledge how? Prove: x L I know s or η

40 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) pk? Enc(pk, s) crs = (g s, h s, h = g η ) prove knowledge how? Prove: x L I know s or η

41 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) pk Enc(pk, s) prove knowledge how? Prove: x L I know s or η

42 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) pk Enc(pk, s) make sk extractable prove knowledge how? Prove: x L I know s or η

43 Results for NIZKs Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin DH-KEA

44 Results for NIZKs Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin DH-KEA NIZK

45 SNARKs Succinct Non-interactive ARgument of Knowledge succinct: π independent of x and w proves knowledge of w

46 Arguments of knowledge crs π Soundness: π x L Prover: x, w Verifier: x

47 Arguments of knowledge crs π Prover: x, w Knowledge Soundness: extractor: π w extracted w Verifier: x

48 Applications of SNARKs Outsourcing of computation x f(x), π

49 Applications of SNARKs Outsourcing of computation x f(x), π Anonymous cryptocurrencies: Zerocash [BCGGMTV 14] coin is commitment to serial number

commitment to serial number transaction creates new coins;

50 Applications of SNARKs Outsourcing of computation x f(x), π Anonymous cryptocurrencies: Zerocash [BCGGMTV 14] coin is commitment to serial number transaction creates new coins; reveals spent serial no. s proves that everything done correctly S π

51 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor)

52 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge?

53 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge? Yes! under new KE assumption DH-KEA: (g s, g t, g st ) s OR t

54 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge? Yes! under new KE assumption SKE: ( g, g s, g s2 ) s

55 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,...

56 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,... Check of consistency? e ( g s2, h ) = e ( g s, h s) e ( g αp j(s), h ) = e ( i (gsi ) p j,i, h α)

57 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,... Check of consistency? e ( g s2, h ) = e ( g s, h s) e ( g αp j(s), h ) = e ( i (gsi ) p j,i, h α) Simulation? extraction of s but no other values

58 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits)

59 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits) CRS checkable? Proofs simulatable with s?

60 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits) CRS checkable? Proofs simulatable with s? subversion zero knowledge

61 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly

62 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly CRS checkable? Proofs simulatable with s?

63 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly CRS checkable? add 4 group elements Proofs simulatable with s? subversion zero knowledge

64 SNARK 4 Danezis et al. s SNARKs [DFGK14] asymm. bilin. grps, π G 3 1 G 2 SSP-based (boolean circuits)

65 SNARK 4 Danezis et al. s SNARKs [DFGK14] asymm. bilin. grps, π G 3 1 G 2 SSP-based (boolean circuits) CRS checkable? Proofs simulatable with s? subversion zero knowledge

66 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model

67 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model CRS checkable? Proofs simulatable with s?

68 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model CRS checkable? Proofs simulatable with s? extract more simulate under SKE subv. ZK

69 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness

70 Summary SNARKs Assuming SKE: [GGPR13], QSP: [GGPR13], QAP: [BCTV14]: [DFGK14]: [Groth16]: subversion-zk subversion-zk subversion-zk after extending CRS subversion-zk subversion-zk

71 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness CRS checkable proofs simulatable

72 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness CRS checkable proofs simulatable Zcash is subversion-anonymous in the ROM (if users verify CRS correctness)

73 THANK YOU! QUESTIONS?

Subversion-zero-knowledge SNARKs

An extended abstract of this work appears in PKC 18. This is the full version. Subversion-zero-knowledge SNARKs Georg Fuchsbauer 1 Abstract Subversion zero knowledge for non-interactive proof systems demands