On the (In)security of SNARKs in the Presence of Oracles - PowerPoint PPT Presentation


  1. On the (In)security of SNARKs in the Presence of Oracles. Anca Nitulescu, Dario Fiore. École Normale Supérieure, CNRS and INRIA, Paris, France

  2. Delegate NP computation (figure: the client sends m to the server)

  3. Delegate NP computation (figure: the server answers with a proof; "Proof?")

  4. Arguments of knowledge

  5. Succinct Non-Interactive Arguments of Knowledge: Efficiency, Succinctness, Non-Interactivity

  6. Security: proof of knowledge (figure: adversary and extractor both receive crs, aux)

  7. Non-Black-Box Extraction (figure: the SNARK extractor is given the adversary's code together with crs, aux)

  8. Overview
     Starting Point
     ● Protocols with SNARKs
     ● Security proofs: settings where extraction is problematic
     ● Need of new security notion: O-SNARK
     Study of O-SNARKs
     ● Impossibility result
     ● Some "restrictive" instantiations from classical SNARKs
     ● Applications where O-SNARK is useful

  9. Case Study Application: Proving Knowledge of Signatures (figure: a signer holding sk issues (m, σ) on message m)

  10. Case Study Application: Proving Knowledge of Signatures (figure: a user collects a set of signed messages {(m, σ)})

  11. Case Study Application: Proving Knowledge of Signatures (figure: a SNARK proves ∃ (m, σ) such that Vfy(m, σ) = 1 and P(m) = 1)

  12. Case Study Application: Proving Knowledge of Signatures (figure: the SNARK statement is P(m) = 1 and Ver(m, σ) = 1, the witness is (m, σ))

  13. Case Study Application: Proving Knowledge of Signatures. Security Proof? (figure: SNARK)

  14. Security Proof: unforgeability of Σ vs. proof of knowledge of Π. Relation R: ∃ (m, σ) with Vfy(vk, m, σ) = 1 and P(m) = 1; the prover holds (m, σ) for message m and outputs π.
      Σ: KeyGen(λ): (sk, vk); Sign(sk, m): σ; Vfy(vk, m, σ): 0 / 1
      Π: Gen(λ): crs; Prove(crs, y, (m, σ)): π; Ver(vk, y, π): 0 / 1

  15. Security Proof, Type I: a forgery (m*, σ*) with P(m*) = 0 or Vfy(m*, σ*) = 0 breaks the proof of knowledge of Π.

  16. Security Proof, Type II: (m*, σ*) with P(m*) = 1 and Vfy(m*, σ*) = 1 is a forgery on Σ!

  17. Security Proof (figure): from a cheating SNARK prover to a Σ-forger that has access to the signing oracle.

  18. Security Proof (figure): the Σ-forger receives vk, samples crs ←$ and runs the SNARK adversary on crs, aux.

  19. Security Proof (figure): the adversary's query m is forwarded to the Σ signing oracle.

  20. Security Proof (figure): the oracle answers with (m, σ).

  21. Security Proof (figure): (m, σ) is passed back to the SNARK adversary.

  22. Security Proof (figure): the SNARK adversary ends with a proof for a message m* with P(m*) = 1.

  23. Security Proof (figure): running the extractor yields (m*, σ*) with P(m*) = 1: Forgery!

  24. Extraction with Oracles? Standard proof of knowledge (figure): adversary and extractor share crs, aux; the SNARK adversary outputs a proof for m*, σ* with P(m*) = 1.

  25. Extraction? (figure: the extractor, on crs, aux, must produce (m*, σ*) with P(m*) = 1; "?")

  26. Extraction? (figure: same setting as slide 25)

  27. Non-Black-Box Extraction (figure: the extractor runs the adversary's code on crs, aux; the adversary makes a query m)

  28. Non-Black-Box Extraction (figure: answering the query m requires sk)

  29. Non-Black-Box Extraction (figure: the Σ-forger's code on crs, aux answers m using sk, so the extractor would need sk; "sk?")

  30. Our Contributions. PROTOCOLS: tool to prove knowledge -> SNARK; main problem -> security proofs with ORACLEs

  31. Our Contributions. SOLUTION: new security notion -> O-SNARK; proof of knowledge -> extraction with ORACLEs

  32. Our Contributions. STUDY (Σ_p-SNARK): impossibility -> extraction is NOT feasible for all ORACLEs

  33. Our Contributions. Good news: O-SNARKs exist! -> constructions -> applications

  34. O-SNARK Definition (figure: adversary and extractor receive crs, aux; the extractor additionally receives the query transcript qt)

  35. Impossibility Theorem

  36. SNARK Π for NP with relation R = {((h, x), w) : h(w) = x}; signature scheme Σ (figure: the signer returns σ on m, the prover returns π).
      Σ: KeyGen(λ): (sk, vk); Sign(sk, m): σ = Σ(m); Vfy(vk, m, σ): 0 / 1
      Π: Gen(λ): crs; Prove(crs, (h, x), w): π; Ver(vk, (h, x), π): 0 / 1

  37. Σ_p counterexample signature scheme. I: regular signing, σ = Σ(m)

  38. Σ_p counterexample signature scheme. II: sampling a hash preimage, h ← (sampled), w ← {0,1}*, x = h(w)

  39. Σ_p counterexample signature scheme. III: interpreting m as a program P(⋅, ⋅)

  40. Σ_p counterexample signature scheme. IV: proving knowledge of the preimage, π ← P(x, w), kept only if |π| < p(λ)

  41. Σ_p counterexample signature scheme (all four steps I to IV on one figure)

  42. Σ_p counterexample signature scheme: signing m → σ* (figure)

  43. Σ_p counterexample signature scheme: m → σ*, first σ ← Σ(m)

  44. Σ_p counterexample signature scheme: m → σ*, then h ← (sampled)

  45. Σ_p counterexample signature scheme: m → σ*, then w ← {0,1}*, x = h(w)

  46. Σ_p counterexample signature scheme: m → σ*, then π ← P(x, w)

  47. Σ_p counterexample signature scheme: σ* = (σ, h, x, π)

  48. Non-Existence of Extractors for the signing oracle of Σ_p: the adversary queries m = Prove(crs, ⋅, ⋅) and is answered with σ* = (σ, h, x, π), where π = Prove(crs, (h, x), w)

  49. O-SNARK Adversary: after the single query m = Prove(crs, ⋅, ⋅) with answer σ* = (σ, h, x, π), π = Prove(crs, (h, x), w), it outputs ((h, x), π)

  50. Target Collision Resistance Adversary (figure: query m, answer)

  51. Target Collision Resistance Adversary (figure: ((h, x), π) with π = Prove(crs, (h, x), w))

  52. Non-Existence of Extractors for the signing oracle of Σ_p: Target Collision on h
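The impossibility argument of slides 36 to 52, written out as one sketch (added here; it is not part of the slides). It assumes the adversary hard-wires crs into the program it sends as a message, and that the size bound p(λ) checked by Σ_p is the SNARK's own succinctness bound.

```latex
\textbf{Setup.} $\Pi$ is a SNARK for $R = \{((h,x),w) : h(w) = x\}$ with proofs of size $< p(\lambda)$.
$\Sigma_p$ signs a message $m$ as
$$\sigma^* = (\sigma, h, x, \pi),\qquad
  \sigma \leftarrow \Sigma.\mathsf{Sign}(sk, m),\ \ h \text{ sampled},\ \ w \leftarrow \{0,1\}^*,\ \ x = h(w),\ \ \pi \leftarrow P(x, w),$$
where $P$ is the program described by $m$ and $\pi$ is kept only if $|\pi| < p(\lambda)$.

\textbf{Adversary $\mathcal{A}$ (one oracle query).}
\begin{enumerate}
  \item Send $m = \langle \mathsf{Prove}(crs,\cdot,\cdot) \rangle$ to the signing oracle $O_{\Sigma_p}$.
  \item Receive $\sigma^* = (\sigma, h, x, \pi)$ with $\pi = \mathsf{Prove}(crs,(h,x),w)$;
        succinctness gives $|\pi| < p(\lambda)$, so $\pi$ is present.
  \item Output $((h,x),\pi)$; by completeness $\mathsf{Ver}(crs,(h,x),\pi) = 1$.
\end{enumerate}

\textbf{What an extractor would have to do.} $\mathcal{E}_{\mathcal{A}}$ gets $crs$, $aux$ and the
transcript $qt = \{(m, \sigma^*)\}$ and must output $w'$ with $h(w') = x$. Its only information
about $w$ is $x = h(w)$ and $\pi$, whose total length is bounded independently of $|w|$.

\textbf{Reduction to target collision resistance of $h$.} $\mathcal{B}$ picks $w \leftarrow \{0,1\}^*$,
is given $h$, sets $x = h(w)$, computes $\sigma$ under a $\Sigma$ key pair of its own and
$\pi = \mathsf{Prove}(crs,(h,x),w)$ (it knows $w$), so it can hand $\mathcal{E}_{\mathcal{A}}$ exactly the
view of the real game, and outputs $w'$. Choosing $|w|$ larger than $|x| + |\pi|$ leaves $w$ with
entropy the extractor's input does not determine, so whenever $\mathcal{E}_{\mathcal{A}}$ succeeds,
$w' \neq w$ with noticeable probability and $(w, w')$ is a target collision on $h$.
Hence no extractor exists for $O_{\Sigma_p}$, which is the statement of slide 52.
```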

  53. Existence of O-SNARK
      ● O-SNARKs do not exist for all Oracles (Σ_p)
      ● Overcome the impossibility?
      ● "Break" the adaptive power of the adversary

  54. Existence of O-SNARK
      Random Oracle Model
      ● Micali's CS proofs are O-SNARKs in the ROM
      ● Hash & Sign Oracles allow O-SNARKs
      Standard Model
      ● Signing oracles with polynomial message space
      ● Non-Adaptive O-SNARKs: queries declared in advance

  55. Applications of O-SNARK
      ● Succinct Functional Signatures [BGI14]
      ● Homomorphic Signatures [BF11]
      ● SNARKs on Authenticated Data [BBFR15]

  56. Open Questions
      ● Artificial counterexamples: find "more natural" ones?
      ● For what classes of signature oracles do O-SNARKs exist?
      ● Find other "benign" Oracles that allow O-SNARKs?

  57. Summary
      Starting Point
      ● Protocols with SNARKs
      ● Security proofs: settings where there is NO extraction (Σ_p-SNARK)
      ● New security notion: O-SNARK
      Study of O-SNARKs
      ● Impossibility result for Σ_p
      ● Some "restrictive" instantiations from SNARKs
      ● Applications where O-SNARK is useful

  58. Thank you
