Simulation-Extractable zk-SNARK with a Single Verification

This revised paper improves the previous simulation-extractable zk-SNARK (SE-SNARK) in terms of performance efficiency and the security. It removes the G_2 operation in verification, without degrading performance and size, and analyze the security of the nested hash collision more deeply to strengthen the security. The simulation-extractable zk-SNARK (SE-SNARK) introduces a security notion of non-malleability. The existing pairing-based zk-SNARKs designed from linear encoding are known to be vulnerable to algebraic manipulation of the proof. The latest SE-SNARKs check the proof consistency by increasing the proof size and the verification cost. In particular, the number of pairings increases almost doubles due to further verification. In this paper, we propose two novel SE-SNARK constructions with a single verification. The consistency check is subsumed in a single verification through employing a hash function. The proof size and verification time of the proposed SE-SNARK schemes are minimal in that it is the same as the state-of-the-art zk-SNARK without non-malleability. The proof in our SE-SNARK constructions comprises only three group elements (type III) in the QAP-based scheme and two group elements (type I) in the SAP-based scheme. The verification time in both requires only 3 pairings. The soundness of the proposed schemes is proven under the hash-algebraic knowledge (HAK) assumption and the collision-resistant hash assumption

Usalduse vähendamine ja turvalisuse parandamine zk-SNARK-ides ja kinnitusskeemides

Väitekirja elektrooniline versioon ei sisalda publikatsioonezk-SNARK-id on tõhusad ja praktilised mitteinteraktiivsed tõestussüsteemid, mis on konstrueeritud viitestringi mudelis ning tänu kompaktsetele tõestustele ja väga tõhusale verifitseeritavusele on need laialdaselt kasutusele võetud suuremahulistes praktilistes rakendustes. Selles töös uurime zk-SNARK-e kahest vaatenurgast: nende usalduse vähendamine ja turvalisuse tugevdamine. Esimeses suunas uurime kui palju saab vähendada usaldust paaristuspõhiste zk-SNARK-ide puhul ilma nende tõhusust ohverdamata niiviisi, et kasutajad saavad teatud turvataseme ka siis kui seadistusfaas tehti pahatahtlikult või kui avalikustati seadistusfaasi salajane teave. Me pakume välja mõned tõhusad konstruktsioonid, mis suudavad takistada zk-SNARK-i seadistusfaasi ründeid ja mis saavutavad senisest tugevama turvataseme. Näitame ka seda, et sarnased tehnikad võimaldavad leevendada usaldust tagauksega kinnitusskeemides, mis on krüptograafiliste primitiivide veel üks silmapaistev perekond ja mis samuti nõub usaldatud seadistusfaasi. Teises suunas esitame mõned tõhusad konstruktsioonid, mis tagavad parema turvalisuse minimaalsete lisakuludega. Mõned esitatud konstruktsioonidest võimaldavad lihtsustada praegusi TK-turvalisi protokolle, nimelt privaatsust säilitavate nutilepingusüsteemide Hawk ja Gyges konstruktsiooni, ja parandada nende tõhusust. Uusi konstruktsioone saab aga otse kasutada uutes protokollides, mis soovivad kasutada zk-SNARK-e. Osa väljapakutud zk-SNARK-e on implementeeritud teegis Libsnark ja empiirilised tulemused kinnitavad, et usalduse vähendamiseks või suurema turvalisuse saavutamiseks on arvutuslikud lisakulud väikesed.Zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) are an efficient family of NIZK proof systems that are constructed in the Common Reference String (CRS) model and due to their succinct proofs and very efficient verification, they are widely adopted in large-scale practical applications. In this thesis, we study zk-SNARKs from two perspectives, namely reducing trust and improving security in them. In the first direction, we investigate how much one can mitigate trust in pairing-based zk-SNARKs without sacrificing their efficiency. In such constructions, the parties of protocol will obtain a certain level of security even if the setup phase was done maliciously or the secret information of the setup phase was revealed. As a result of this direction, we present some efficient constructions that can resist against subverting of the setup phase of zk-SNARKs and achieve a certain level of security which is stronger than before. We also show that similar techniques will allow us to mitigate the trust in the trapdoor commitment schemes that are another prominent family of cryptographic primitives that require a trusted setup phase. In the second direction, we present some efficient constructions that achieve more security with minimal overhead. Some of the presented constructions allow to simplify the construction of current UC-secure protocols and improve their efficiency. New constructions can be directly deployed in any novel protocols that aim to use zk-SNARKs. Some of the proposed zk-SNARKs are implemented in Libsnark, the state-of-the-art library for zk-SNARKs, and empirical experiences confirm that the computational cost to mitigate the trust or to achieve more security is practical.https://www.ester.ee/record=b535927

On Privacy Preserving Blockchains and zk-SNARKs

Viimastel aastatel on krüptoraha ja plokiahela tehnoloogia leidnud suurt tähelepanu nii kaubanduslikust kui ka teaduslikust vaatenurgast. Krüptoraha kujutab endast digitaalseid münte, mis kasutades krüptograafilisi vahendeid võimaldab turvalisi tehinguid võrdvõrkudes. Bitcoin on kõige tuntum krüptoraha, mis võimaldab otsetehinguid kasutajate pseudonüümide vahel ilma, et oleks vaja kolmandaid osapooli. Paraku kui kasutaja pseudonüüm on seotud tema identiteediga, on kõik tema tehingud jälgitavad ning kaob privaatsus.Selle lahendamiseks on välja pakutud erinevaid privaatsust säilitavaid krüptorahasi, mis kasutavad anonüümsete tehingute saavutamiseks krüptograafilisi tööriistu. Zerocash on üks populaarseimatest privaatsetest krüptorahadest, mis kasutab iga tehingu allika, sihtkoha ja väärtuse varjamiseks nullteadmustõestust.Antud töö koosneb kahest peamisest osast.Esimeses osas kirjeldame, pärast lühikest ülevaadet mõnest privaatsest krüptorahast (Bitcoin, Monero ja Zerocoin), Zerocashi konstruktsiooni ja anname intuitsiivse seletuse selle tööpõhimõttele. Me tutvustame kasutuselevõetud primitiive ja arutleme iga primitiivi rolli üle mündi konstruktsioonis. Erilist tähelepanu pöörame kompaktsetele nullteadmustõestusetele (zk-SNARKidele), millel on peamine roll Zerocashis.Kuna nullteadmustõestus on niivõrd olulisel kohal Zerocashis (ja teistes privaatsetes rakendustes) siis töö teises osas pakume välja uue variatsiooni Grothi 2016. aasta zk-SNARKile, mis on seni kõige tõhusam.Erinevalt Grothi konstruktsioonist, meie variatsioonis ei ole võimalik tõestusi modifitseerida.Muudatused mõjutavad nullteadmustõestuse tõhusust vaid minimaalselt ning meie konstruktsioon on kiirem kui Grothi ja Malleri 2017. nullteadmustõestus, mis samuti välistab muudetavuse.During last few years, along with blockchain technology, cryptocurrencies have found huge attention from both commercial and scientific perspectives. Cryptocurrencies are digital coins which use cryptographic tools to allow secure peer-to-peer monetary transactions. Bitcoin is the most well-known cryptocurrency that allows direct payments between pseudonyms without any third party. If a user's pseudonym is linked to her identity, all her transactions will be traceable, which will violate her privacy. To address this, various privacy-preserving cryptocurrencies have been proposed that use different cryptographic tools to achieve anonymous transactions. Zerocash is one of the most popular ones that uses zero-knowledge proofs to hide the source, destination and value of each transaction. This thesis consists of two main parts. In the first part, after a short overview of some cryptocurrencies (precisely Bitcoin, Monero and Zerocoin), we will explain the construction of Zerocash cryptocurrency and discuss the intuition behind the construction. More precisely, we will introduce the deployed primitives and will discuss the role of each primitive in the construction of the coin. In particular, we explain zero-knowledge Succinct Non-Interactive Arguments of Knowledge (a.k.a. zk-SNARKs) that play the main role in achieving strong privacy in Zerocash. Due to the importance of zk-SNARKs in privacy-preserving applications, in the second part of the thesis, we will present a new variation of Groth's 2016 zk-SNARK that currently is the most efficient pairing-based scheme. The main difference between the proposed variation and the original one is that unlike the original version, new variation guarantees non-malleability of generated proofs. Our analysis shows that the proposed changes have minimal effects on the efficiency of the original scheme and particularly it outperforms Groth and Maller's 2017 zk-SNARK that also guarantees non-malleability of proofs

Mitte-interaktiivsed nullteadmusprotokollid nõrgemate usalduseeldustega

Väitekirja elektrooniline versioon ei sisalda publikatsiooneTäieliku koosluskindlusega (TK) kinnitusskeemid ja nullteadmustõestused on ühed põhilisemad krüptograafilised primitiivid, millel on hulgaliselt päriselulisi rakendusi. (TK) Kinnitusskeem võimaldab osapoolel arvutada salajasest sõnumist kinnituse ja hiljem see verifitseeritaval viisil avada. Täieliku koosluskindlusega protokolle saab vabalt kombineerida teiste täieliku koosluskindlusega protokollidega ilma, et see mõjutaks nende turvalisust. Nullteadmustõestus on protokoll tõestaja ja verifitseerija vahel, mis võimaldab tõestajal veenda verifitseerijat mingi väite paikapidavuses ilma rohkema informatsiooni lekitamiseta. Nullteadmustõestused pakuvad suurt huvi ka praktilistes rakendustes, siinkohal on olulisemateks näideteks krüptorahad ja hajusandmebaasid üldisemalt. Siin on eriti asjakohased just lühidad mitteinteraktiivsed nullteadmustõestused (SNARKid) ning kvaasiadaptiivsed mitteinteraktiivsed nullteadmustõestused (QA-NIZKid). Mitteinteraktiivsetel nullteadmustõestustel juures on kaks suuremat praktilist nõrkust. Esiteks on tarvis usaldatud seadistusfaasi osapoolte ühisstringi genereerimiseks ja teiseks on tarvis täielikku koosluskindlust. Käesolevas doktoritöös me uurime neid probleeme ja pakume välja konkreetseid konstruktsioone nende leevendamiseks. Esmalt uurime me õõnestuskindlaid SNARKe juhu jaoks, kus seadistusfaasi ühisstring on õõnestatud. Me konstrueerime õõnestuskindla versiooni seni kõige tõhusamast SNARKist. Samuti uurime me QA-NIZKide õõnestuskindlust ja konstrueerime kõige efektiivsemate QA-NIZKide õõnestuskindla versiooni. Mis puutub teise uurimissuunda, nimelt täielikku koosluskindlusesse, siis sel suunal kasutame me pidevaid projektiivseid räsifunktsioone. Me pakume välja uue primitiivi, kus eelmainitud räsifunktsioonid on avalikult verifitseeritavad. Nende abil me konstrueerime seni kõige tõhusama mitteinteraktiivse koosluskindla kinnitusskeemi. Lõpetuseks me töötame välja uue võtte koosluskindlate kinnitusskeemide jaoks, mis võimaldab ühisarvutuse abil luua nullteadmustõestuste ühisstringe.Quite central primitives in cryptographic protocols are (Universally composable (UC)) commitment schemes and zero-knowledge proofs that getting frequently employed in real-world applications. A (UC) commitment scheme enables a committer to compute a commitment to a secret message, and later open it in a verifiable manner (UC protocols can seamlessly be combined with other UC protocols and primitives while the entire protocol remains secure). A zero-knowledge proof is a protocol usually between a prover and a verifier that allows the prover to convince the verifier of the legality of a statement without disclosing any more information. Zero-knowledge proofs and in particular Succinct non-interactive zero-knowledge proofs (SNARKs) and quasi adaptive NIZK (QA-NIZK) are of particular interest in the real-world applications, with cryptocurrencies or more generally distributed ledger technologies being the prime examples. The two serious issues and the main drawbacks of the practical usage of NIZKs are (i) the demand for a trusted setup for generating the common reference string (CRS) and (ii) providing the UC security. In this thesis, we essentially investigate the aforementioned issues and propose concrete constructions for them. We first investigate subversion SNARKs (Sub zk-SNARKs) when the CRS is subverted. In particular, we build a subversion of the most efficient SNARKs. Then we initiate the study of subversion QA-NIZK (Sub-QA-NIZK) and construct subversion of the most efficient QA-NIZKs. For the second issue, providing UC-security, we first using hash proof systems or smooth projective hash functions (SPHFs), we introduce a new cryptographic primitive called publicly computable SPHFs (PC-SPHFs) and construct the currently most efficient non-interactive UC-secure commitment. Finally, we develop a new technique for constructing UC-secure commitments schemes that enables one to generate CRS of NIZKs by using MPC in a UC-secure mannerhttps://www.ester.ee/record=b535926

Practical Zero-Knowledge Arguments from Structured Reference Strings

Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptographic protocols. For zero-knowledge proofs used in blockchain applications, it is desirable to have small proof sizes and fast verification. Yet by design, existing constructions with these properties such as zk-SNARKs also have a secret trapdoor embedded in a relation dependent structured reference string (SRS). Knowledge of this trapdoor suffices to break the security of these proofs. The SRSs required by zero-knowledge proofs are usually constructed with multiparty computation protocols, but the resulting parameters are specific to each individual circuit. In this thesis, we propose a model for constructing zero-knowledge arguments (i.e. zero-knowledge proofs with computational soundness) in which the generation of the SRS is directly considered in the security analysis. In our model the same SRS can be used across multiple applications. Further, the model is updatable i.e. users can update the universal SRS and the SRS is considered secure provided at least one of these users is honest. We propose two zero-knowledge arguments with updatable and universal SRSs, as well as a third which is neither updatable nor universal, but which through similar techniques achieves simulation extractability. The proposed arguments are practical, with proof sizes never more than a constant number of group elements. Verification for two of our constructions consist of a small number of pairing operations. For our other construction, which has the desirable property of a linear sized updatable and universal SRS, we describe efficient batching techniques so that verification is fast in the amortised setting

On Subversion-Resistant SNARKs

While NIZK arguments in the CRS model are widely studied, the question of what happens when the CRS was subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro showed the first negative and positive results in the case of NIZK, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero-knowledge at the same time. On the positive side, they constructed an involved sound and subversion-zero-knowledge (Sub-ZK) non-succinct NIZK argument for NP. We consider the practically very relevant case of zk-SNARKs. We make Groth\u27s zk-SNARK for \textsc{Circuit-SAT} from EUROCRYPT 2016 computationally knowledge-sound and perfectly composable Sub-ZK with minimal changes. We only require the CRS trapdoor to be extractable and the CRS to be publicly verifiable. To achieve the latter, we add some new elements to the CRS and construct an efficient CRS verification algorithm. We also provide a definitional framework for knowledge-sound and Sub-ZK SNARKs

Privacy-preserving Identity Management System

Recently, a self-sovereign identity model has been researched actively as an alternative to the existing identity models such as a centralized identity model, federated identity model, and user-centric model. The self-sovereign identity model allows a user to have complete control of his identity. Meanwhile, the core component of the self-sovereign identity model is data minimization. The data minimization signifies that the extent of the exposure of user private identity should be minimized. As a solution to data minimization, zero-knowledge proofs can be grafted to the self-sovereign identity model. Specifically, zero-knowledge Succinct Non-interactive ARgument of Knowledges(zk-SNARKs) enables proving the truth of the statement on an arbitrary relation. In this paper, we propose a privacy-preserving self-sovereign identity model based on zk-SNARKs to allow any type of data minimization beyond the selective disclosure and range proof. The security of proposed model is formally proven under the security of the zero-knowledge proof and the unforgeability of the signature in the random oracle model. Furthermore, we optimize the proving time by checking the correctness of the commitment outside of the proof relation for practical use. The resulting scheme improves proving time for hash computation (to verify a commitment input) from 0.5 s to about 0.1 ms on a 32-bit input

Practical Witness-Key-Agreement for Blockchain-based Dark Pools Financial Trading

We introduce a new cryptographic scheme, Witness Key Agreement (WKA), that allows a party to securely agree on a secret key with a counter party holding publicly committed information only if the counter party also owns a secret witness in a desired (arithmetic) relation with the committed information. Our motivating applications are over-the-counter (OTC) markets and dark pools, popular trading mechanisms. In such pools investors wish to communicate only to trading partners whose transaction conditions and asset holdings satisfy some constraints. The investor must establish a secure, authenticated channel with eligible traders where the latter committed information matches a desired relation. At the same time traders should be able to show eligibility while keeping their financial information secret. We construct a WKA scheme for languages of statements proven in the designated-verifier Succinct Zero-Knowledge Non-Interactive Argument of Knowledge Proof System (zk-SNARK). We illustrate the practical feasibility of our construction with some arithmetic circuits of practical interest by using data from US$ denominated corporate securities traded on Bloomberg Tradebook