On the (In)security of SNARK s in the Presence of Oracles Anca - - PowerPoint PPT Presentation

Anca Nitulescu, Dario Fiore

in the Presence of Oracles

On the (In)security of SNARKs

École Normale Supérieure, CNRS and INRIA, Paris, France

Delegate NP computation

m

m

Delegate NP computation Proof ?

Arguments of knowledge

Efficiency Succinctness Non - Interactivity Succinct Non-Interactive Arguments

• f Knowledge

SECURITY: PROOF OF KNOWLEDGE crs, aux crs, aux

Non-Black-Box Extraction

extractor

SNARK

crs, aux crs, aux Adversary

Overview

Starting Point

• Protocols with SNARKs
• Security proofs: settings where extraction is problematic
• Need of new security notion: O-SNARK

Study of O-SNARKs

• Impossibility result
• Some “restrictive” instantiations from classical SNARKs
• Applications where O-SNARK is useful

(m, σ) sk

Case Study Application

Proving Knowledge of Signatures m

(m, σ) (m, σ) {(m, σ)}

Case Study Application

Proving Knowledge of Signatures

∃ (m, σ) Vfy(m,σ)=1 P(m)=1 SNARK SNARK

Case Study Application

Proving Knowledge of Signatures

P(m)=1 Ver(m, σ)=1 (m, σ) SNARK

Case Study Application

Proving Knowledge of Signatures

Security Proof ?

SNARK

Case Study Application

Proving Knowledge of Signatures

(m, σ) m π

KeyGen(λ): (sk, vk) Sign(sk, m): σ Vfy(vk, m, σ): 0 / 1 Gen(λ): crs Prove(crs, y, (m, σ)): π Ver(vk, y, π): 0 / 1

Unforgeability of Σ Proof of knowledge of Π

Security Proof

∃ (m, σ) Vfy(vk,m,σ)=1 P(m)=1

R

P(m*)=0 / Vfy(m*, σ*)=0

Type I

(m*, σ*) SNARK (m*, σ*)

π

Security Proof

Breaks proof of knowledge of Π

P(m*)=1 Vfy(m*, σ*)=1 (m*, σ*)

Type II

SNARK (m*, σ*) SNARK (m*, σ*)

π

Forgery on Σ!

Security Proof

Σ- Forger

SNARK Oracle

cheating prover

Security Proof

Σ

vk crs, vk crs, aux crs←$

Π Security Proof

Σ

vk

Π

m

m

crs, aux

Security Proof

Σ

vk

Π

m,σ

crs, aux m

Security Proof

Σ

vk

Π

crs, aux

m,σ

(m, σ)

Security Proof

m*, σ*

SNARK

(m*, σ*) P(m*)=1

Security Proof

m*, σ* extractor

Forgery ! SNARK

(m*, σ*) P(m*)=1

Security Proof

crs, aux crs, aux

SNARK

(m*, σ*) P(m*)=1

m*,σ*

Standard Proof of Knowledge

Extraction with Oracles ?

crs, aux crs, aux

SNARK

(m*, σ*) P(m*)=1

?

Extraction?

crs, aux crs, aux

SNARK

(m*, σ*) P(m*)=1

Extraction?

crs, aux

m Non-Black-Box Extraction

crs, aux

m Non-Black-Box Extraction

sk

Σ- Forger

crs, aux sk sk ?

Non-Black-Box Extraction

crs, aux sk

m sk

PROTOCOLS: Tool to prove knowledge -> SNARK Main problem -> Security proofs with ORACLEs

Our Contributions

• SNARK

SOLUTION: New security notion -> O-SNARK Proof of knowledge -> Extraction with ORACLEs

Our Contributions

• SNARK

Σp STUDY: Impossibility -> Extraction is NOT feasible for all ORACLEs

Our Contributions

• SNARK

Σp Good news: O-SNARKs exist!

• > constructions
• > applications

Our Contributions

O-SNARK Definition

crs, aux crs, aux qt

Impossibility

Theorem

KeyGen(λ): (sk, vk) Sign(sk, m): σ =Σ(m) Vfy(vk, m, σ): 0 / 1 Gen(λ): crs Prove(crs, (h, x), w): π Ver(vk, (h, x), π): 0 / 1 Signature Scheme Σ m, σ m

Σ

SNARK Π for NP π

Π

R (h, x), w h(w) = x

m σ =Σ(m) I

Σp counterexample signature scheme

regular signing

h ← w ← {0,1}* x = h(w) II I

sampling hash preimage

m σ =Σ(m)

Σp counterexample signature scheme

III II I m P(⋅,⋅)

interpreting m as a program h ← w ← {0,1}* x = h(w)

m σ =Σ(m)

Σp counterexample signature scheme

P(x, w) π |π|<p(λ) III II IV I

proving knowledge of preimage

m P(⋅,⋅) m σ =Σ(m)

h ← w ← {0,1}* x = h(w)

Σp counterexample signature scheme

P(x, w) π III II IV I m P(⋅,⋅) m σ =Σ(m)

h ← w ← {0,1}* x = h(w)

Σp counterexample signature scheme

|π|<p(λ)

m → σ*

Σp counterexample signature scheme

m → σ*

σ σ ← Σ(m) Σ

Σp counterexample signature scheme

σ h h ←

m → σ*

Σp counterexample signature scheme

σ x h

w ← {0,1}* x = h(w)

m → σ*

Σp counterexample signature scheme

σ π h x

m → σ*

P

Σp counterexample signature scheme

σ π h x

σ*

Σp counterexample signature scheme

m = Prove( crs, ⋅ , ⋅ ) σ* = (σ, h, x, π) π = Prove( crs, (h, x), w )

query answer

Π

Non-Existence of Extractors for OΣp

m = Prove( crs, ⋅ , ⋅ ) σ* = (σ, h, x, π) π = Prove( crs, (h, x), w )

query answer

Π

((h, x), π)

O-SNARK Adversary

m

Π

query answer Target Collision Resistance Adversary

π = Prove( crs, (h, x), w )

((h, x), π) Π

Target Collision Resistance Adversary

Non-Existence of Extractors for OΣp Target Collision on h

• Overcome the impossibility?
• O-SNARKs do not exist for all Oracles

Σp

• “Break” the adaptive power of the adversary

Existence of O-SNARK

Existence of O-SNARK

Random Oracle Model

• Micali’s CS proofs are O-SNARKs in ROM
• Hash & Sign Oracles allow O-SNARKs

Standard Model

• Signing oracles with polynomial message space
• Non-Adaptive O-SNARKs: queries declared in advance

• Succinct Functional Signatures [BGI14]
• Homomorphic Signatures [BF11]
• SNARKs on Authenticated Data [BBFR15]

Applications of O-SNARK

• Artificial counterexamples: Find “more natural” ones?
• For what classes of signature oracles O-SNARKs exist?
• Find other “benign” Oracles that allow O-SNARKs?

Open Questions

Starting Point

• Protocols with SNARKs
• Security proofs: settings where NO extraction
• New security notion: O-SNARK

Study of O-SNARKs

• Impossibility result for Σp
• Some “restrictive” instantiations from SNARKs
• Applications where O-SNARK is useful
• SNARK

Σp

Summary

Thank you