Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2020-10-30 DOI:10.1145/3372297.3417228

B. Abdolmaleki, Sebastian Ramacher, Daniel Slamanig

{"title":"Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically","authors":"B. Abdolmaleki, Sebastian Ramacher, Daniel Slamanig","doi":"10.1145/3372297.3417228","DOIUrl":null,"url":null,"abstract":"Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion for zk-SNARKs which informally ensures non-malleability of proofs. The high importance of this property is acknowledged by leading companies in this field such as Zcash and underpinned by various attacks against the malleability of cryptographic primitives in the past. Another problematic issue for the practical use of zk-SNARKs is the requirement of a fully trusted setup, as especially for large-scale decentralized applications finding a trusted party that runs the setup is practically impossible. Quite recently, the study of approaches to relax or even remove the trust in the setup procedure, and in particular subversion as well as updatable zk-SNARKs (with latter being the most promising approach), has been initiated and received considerable attention since then. Unfortunately, so far SE-SNARKs with the aforementioned properties are only constructed in an ad-hoc manner and no generic techniques are available. In this paper, we are interested in such generic techniques and therefore firstly revisit the only available lifting technique due to Kosba et al. (called COCO) to generically obtain SE-SNARKs. By exploring the design space of many recently proposed SNARK- and STARK-friendly symmetric-key primitives we thereby achieve significant improvements in the prover computation and proof size. Unfortunately, the COCO framework as well as our improved version (called OCOCO) is not compatible with updatable SNARKs. Consequently, we propose a novel generic lifting transformation called LAMASSU. It is built using different underlying ideas compared to COCO (and OCOCO). In contrast to COCO it only requires key-homomorphic signatures (which allow to shift keys) covering well studied schemes such as Schnorr or ECDSA. This makes LAMASSU highly interesting, as by using the novel concept of so called updatable signatures, which we introduce in this paper, we can prove that LAMASSU preserves the subversion and in particular updatable properties of the underlying zk-SNARK. This makes LAMASSU the first technique to also generically obtain SE subversion and updatable SNARKs. As its performance compares favorably to OCOCO, LAMASSU is an attractive alternative that in contrast to COCO is only based on well established cryptographic assumptions.","PeriodicalId":20481,"journal":{"name":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","volume":"53 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2020-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"29","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3372297.3417228","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 29

Abstract

Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion for zk-SNARKs which informally ensures non-malleability of proofs. The high importance of this property is acknowledged by leading companies in this field such as Zcash and underpinned by various attacks against the malleability of cryptographic primitives in the past. Another problematic issue for the practical use of zk-SNARKs is the requirement of a fully trusted setup, as especially for large-scale decentralized applications finding a trusted party that runs the setup is practically impossible. Quite recently, the study of approaches to relax or even remove the trust in the setup procedure, and in particular subversion as well as updatable zk-SNARKs (with latter being the most promising approach), has been initiated and received considerable attention since then. Unfortunately, so far SE-SNARKs with the aforementioned properties are only constructed in an ad-hoc manner and no generic techniques are available. In this paper, we are interested in such generic techniques and therefore firstly revisit the only available lifting technique due to Kosba et al. (called COCO) to generically obtain SE-SNARKs. By exploring the design space of many recently proposed SNARK- and STARK-friendly symmetric-key primitives we thereby achieve significant improvements in the prover computation and proof size. Unfortunately, the COCO framework as well as our improved version (called OCOCO) is not compatible with updatable SNARKs. Consequently, we propose a novel generic lifting transformation called LAMASSU. It is built using different underlying ideas compared to COCO (and OCOCO). In contrast to COCO it only requires key-homomorphic signatures (which allow to shift keys) covering well studied schemes such as Schnorr or ECDSA. This makes LAMASSU highly interesting, as by using the novel concept of so called updatable signatures, which we introduce in this paper, we can prove that LAMASSU preserves the subversion and in particular updatable properties of the underlying zk-SNARK. This makes LAMASSU the first technique to also generically obtain SE subversion and updatable SNARKs. As its performance compares favorably to OCOCO, LAMASSU is an attractive alternative that in contrast to COCO is only based on well established cryptographic assumptions.

查看原文本刊更多论文

提升和转移:获得模拟可提取的颠覆和可更新的snark

零知识证明，特别是简洁的非交互式零知识证明(即所谓的zk-SNARKs)在现实世界的应用中越来越多地使用，加密货币就是一个主要的例子。模拟可提取性(SE)是zk- snark的一个强大的安全概念，它非正式地保证了证明的不可延展性。这一属性的高度重要性得到了该领域的领先公司(如Zcash)的认可，并且在过去针对加密原语延展性的各种攻击中得到了支持。zk- snark实际使用的另一个问题是对完全可信设置的要求，特别是对于大型分散应用程序来说，找到运行该设置的受信任方实际上是不可能的。最近，人们开始研究在安装过程中放松甚至消除信任的方法，特别是subversion和可更新的zk- snark(后者是最有前途的方法)，并从那时起受到了相当大的关注。不幸的是，到目前为止，具有上述属性的se - snark只是以一种特殊的方式构建的，没有通用的技术可用。在本文中，我们对这种通用技术感兴趣，因此首先回顾了Kosba等人(称为COCO)的唯一可用的提升技术，以通用地获得se - snark。通过探索许多最近提出的SNARK和stark友好的对称密钥原语的设计空间，我们因此在证明者计算和证明大小方面取得了重大改进。不幸的是，COCO框架以及我们的改进版本(称为OCOCO)与可更新的snark不兼容。因此，我们提出了一种新的通用提升变换，称为LAMASSU。与COCO(和OCOCO)相比，它使用不同的底层思想构建。与COCO相反，它只需要密钥同态签名(允许转移密钥)，覆盖了像Schnorr或ECDSA这样研究得很好的方案。这使得LAMASSU非常有趣，因为通过使用我们在本文中引入的所谓可更新签名的新概念，我们可以证明LAMASSU保留了底层zk-SNARK的subversion，特别是可更新属性。这使得LAMASSU成为第一个通用地获得SE subversion和可更新snark的技术。由于其性能优于OCOCO, LAMASSU是一个有吸引力的替代方案，与COCO相比，它仅基于完善的加密假设。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量