Updatable and Universal Common Reference Strings with Applications - PowerPoint PPT Presentation

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers. Crypto - 23/08/2018

Our Goal Find a better method than trusted setups for generating the public parameters for zk-SNARKs. Slide 1 of 22

What are zk-SNARKs? Zero-Knowledge Succinct Non- interactive ARgument of Knowledge. Very small Verification Requires KoE proofs. is fast. trusted setup. assumptions. Slide 2 of 22

What are zk-SNARKs? Zero-Knowledge Succinct Non- interactive ARgument of Knowledge. Very small Verification Requires KoE proofs. is fast. trusted setup . assumptions. Slide 2 of 22

When to use zk-SNARKs? • When lots of the same problem need to be proven over and over and over. • The verifier has limited time and space. Great for blockchains! Slide 3 of 22

zk-SNARKS have Trapdoors • Proofs are generated and verified using a shared common reference string. • Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs. The trapdoor can The trapdoor be used to break cannot be used to integrity (all the break privacy (most time) . of the time). Slide 3 of 22

zk-SNARKS have Trapdoors • Proofs are generated and verified using a shared common reference string. • Whoever generated the reference string may keep some trapdoor information that can be used to simulate proofs. We design a setup process more suited to zk-SNARKs used in distributed systems. The trapdoor can The trapdoor be used to break cannot be used to integrity (all the break privacy (most time) . of the time). Slide 3 of 22

Our Contributions Updatable trust Efficient new model zk-SNARK Null-Space Universal setup Argument. Ingredients: 1) Knowledge Assumptions 2) q-type Assumptions 3) Quadratic Arithmetic Programs Slide 4 of 22

What is zero-knowledge? • Prover aims to convince verifier that they know a secret while revealing no information about the secret. Common Reference Prover cannot Verifier learns the String create proof truth, the whole without the secret. proof, and nothing but its truth. Proof of knowledge Prover Verifier of a secret. Slide 5 of 22

What is zero-knowledge? • Prover aims to convince verifier that they know a secret while revealing no information about the secret. Common Reference Prover cannot Verifier learns the String create proof truth, the whole without the secret. proof, and nothing but its truth. Proof of knowledge Prover Verifier of a secret. Unlike other zero-knowledge systems, hard to prevent trapdoor being leaked in zk-SNARKs. Slide 5 of 22

Our Goal • SNARKs cannot be zero-knowledge without a trapdoor existing. • Aim for subversion zero-knowledge. • Aim for middle ground between trusted setup and subversion soundness. Slide 7 of 22

Our Goal Verifier learns • SNARKs cannot be zero-knowledge without nothing from the proof even if it a trapdoor existing. knows a trapdoor. CRS • Aim for subversion zero-knowledge. • Aim for middle ground between trusted setup and subversion soundness. Verifier Slide 7 of 22

Our Goal • SNARKs cannot be zero-knowledge without a trapdoor existing. CRS • Aim for subversion zero-knowledge. • Aim for middle ground between trusted setup and non-existent trapdoor. Prover with a Prover trapdoor can create proofs without the secret, but hard to get the trapdoor. Slide 7 of 22

But don’t we have NIZKs without Setup? • In random oracle model, can generate an unstructured CRS for which nobody knows the trapdoor. • But zk-SNARKs rely on structured CRS for efficiency. Slide 8 of 22

What’s so scandalous about a trusted setup? • Example: Zcash ran a trusted setup in 2016 and in 2018. • If the trapdoor was not properly disposed of two years ago, then some people might be able to print money at will. • There is no way of knowing whether the setup was compromised or not. 1 ZEC, 2 ZEC, 3 ZEC, 4…. Slide 9 of 22

What’s so scandalous about a trusted setup? • The output of each trusted setup can only be used to prove the exact circuit it was designed for. • Performing one trusted setup per application may result in each trusted setup receiving less and less scrutiny. Trusted Application 1 CRS 1 Setup 1 Trusted Application 2 CRS 2 Setup 2 Trusted Application 3 CRS 3 Setup 3 Slide 10 of 22

Our Contributions Updatable trust Efficient new model zk-SNARK Null-Space Universal setup Argument. Ingredients: 1) Knowledge Assumptions 2) q-type Assumptions 3) Quadratic Arithmetic Programs

Updatable Setups for zk-SNARKs • In theory, one honest party runs the setup, and the scheme is secure. • In practice, a few parties to run the setup, if one is honest then the scheme is secure. • In our work, continuously add more parties to the setup, if one is honest at any point in time then the scheme is secure. Theory Here is the output of the setup procedure. Why should I trust you? Slide 11 of 22

Updatable Setups for zk-SNARKs • In theory, one honest party runs the setup, and the scheme is secure. • In practice, a few parties to run the setup, if one is honest then the scheme is secure. • In our work, continuously add more parties to the setup, if one is honest at any point in time then the scheme is secure. Practice Here is the output of the setup procedure. Why should I trust any of you? Slide 11 of 22

Updatable Setups for zk-SNARKs • In theory, one honest party runs the setup, and the scheme is secure. • In practice, a few parties to run the setup, if one is honest then the scheme is secure. • In our work, continuously add more parties to the setup, if one is honest at any point in time then the scheme is secure. Here is the new output of the This work setup procedure. Here is the output of the setup procedure. Why should I trust any of you?

Updatable Setups for zk-SNARKs • In theory, one honest party runs the setup, and the scheme is secure. • In practice, a few parties to run the setup, if one is honest then the scheme is secure. • In our work, continuously add more parties to the setup, if one is honest at any point in time then the scheme is secure. Here is the new output of the This work setup procedure. Here is the output of the setup procedure. No longer really a setup Why should I trust any of you?

Trusted Setup vs Updates? Trusted Setup Updatable CRS • Setup be completed before the • Parameters can be updated system goes live. at any point. • Secure provided a single honest • Secure at any point after an user participates. honest user has participated. Slide 12 of 22

When can we update? SNARKs have secrets in the exponent • Exponents contain hidden polynomial evaluations. • We can update monomials. Slide 12 of 22

Updating Monomials is Easy 𝑕 𝑦 1 𝑦 2 𝑕 𝑦 1 𝑕 𝑦 1 𝑦 2 𝑦 3 etc. Proof of Proof of Proof of knowledge knowledge knowledge of 𝒚 𝟒 of 𝒚 𝟑 of 𝒚 𝟐 Slide 13 of 22

Could use Groth or Lipmaa? CRS only uses monomials. At the sacrifice of quasi-linear prover time? These schemes have quadratic provers. Slide 14 of 22

Updating Polynomials is Hard • Secrets inside the global parameters were correlated, and once a correlated secret is inside the global parameters it cannot be changed. Correlated randomness is hidden with uncorrelated randomness. Slide 15 of 22

Updating Polynomials is Hard 𝑕 𝑔 𝑦 𝜀 • CRS contains polynomials. • Any adversary that can update 𝑕 𝑔 𝑦 𝜀 can extract monomials 𝑕 1 , 𝑕 𝑦𝜀 , 𝑕 𝑦 2 𝜀 , … , 𝑕 𝑦 𝑜 𝜀 . • Cannot rely on hidden polynomials. Previous schemes rely on hidden polynomials for security. Slide 16 of 22

Updating Polynomials is Hard 𝑕 𝑔 𝑦 𝜀 • CRS contains polynomials. • Any adversary that can update 𝑕 𝑔 𝑦 𝜀 can extract monomials 𝑕 1 , 𝑕 𝑦𝜀 , 𝑕 𝑦 2 𝜀 , … , 𝑕 𝑦 𝑜 𝜀 . • Cannot rely on hidden polynomials. We prove this. Previous schemes rely on hidden polynomials for security. Slide 16 of 22

Updating Polynomials is Hard 𝑕 𝑔 𝑦 𝜀 • CRS contains polynomials. • Any adversary that can update 𝑕 𝑔 𝑦 𝜀 can extract monomials 𝑕 1 , 𝑕 𝑦𝜀 , 𝑕 𝑦 2 𝜀 , … , 𝑕 𝑦 𝑜 𝜀 . • Cannot rely on hidden polynomial evaluations. Previous schemes rely on hidden polynomials for security. Slide 16 of 22

Our Contributions Updatable trust Efficient new model zk-SNARK Null-Space Universal setup Argument. Ingredients: 1) Knowledge Assumptions 2) q-type Assumptions 3) Quadratic Arithmetic Programs

What tricks to we use? • We start with more global parameters, with monomials inside, from which we derive a smaller set of derived parameters. The derive algorithm can be run by any party. Global Common Derive Derived Common Reference String 1 Reference String 1 Update 1 Global parameters Derive independent Global Common Derived Common Reference String 2 Reference String 2 of circuit. Update 2 Derive Derived Common Global Common Reference String 3 Reference String 3 Slide 17 of 22