LiGuan Wang,Yuan Li,ShuangJun Zhang,DongLiang Cai,HaiBin Kan

DOI: https://doi.org/10.1007/s11431-023-2580-5

2024-08-27

Science China Technological Sciences

Abstract:The famous zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK) was proposed by Groth in 2016. Typically, the construction is based on quadratic arithmetic programs which are highly efficient concerning the proof length and the verification complexity. Since then, there has been much progress in designing zk-SNARKs, achieving stronger security, and simulated extractability, which is analogous to non-malleability and has broad applications. In this study, following Groth's pairing-based zk-SNARK, a simulation extractability zk-SNARK under the random oracle model is constructed. Our construction relies on a newly proposed property named target linearly collision-resistant, which is satisfied by random oracles under discrete logarithm assumptions. Compared to the original Groth16 zk-SNARK, in our construction, both parties are allowed to use such a random oracle, aiming to get the same random number. The resulting proof consists of 3 group elements and only 1 pairing equation needs to be verified. Compared to other related works, our construction is shorter in proof length and simpler in verification while preserving simulation extractability. The results also extend to achieve subversion zero-knowledge SNARKs.

materials science, multidisciplinary,engineering

Zhelei Zhou,Bingsheng Zhang,Yuan Chen,Jiaqi Li,Yajin Zhou,Yibiao Lu,Kui Ren,Phuc Thai,Hong-Sheng Zhou

DOI: https://doi.org/10.3233/JCS-210167

2022-01-01

Journal of Computer Security

Abstract:Non-interactive zero-knowledge proof or argument (NIZK) systems are widely used in many security sensitive applications to enhance computation integrity, privacy and scalability. In such systems, a prover wants to convince one or more verifiers that the result of a public function is correctly computed without revealing the (potential) private input, such as the witness. In this work, we introduce a new notion, called scriptable SNARK, where the prover and verifier(s) can specify the function (or language instance) to be proven via a script. We formalize this notion in UC framework and provide a generic trusted hardware based solution. We then instantiate our solution in both SGX and Trustzone with Lua script engine. The system can be easily used by typical programmers without any cryptographic background. The benchmark result shows that our solution is better than all the known SNARK proof systems w.r.t. prover's running time (1000 times faster), verifier's running time, and the proof size. In addition, we also give a lightweight scriptable SNARK protocol for hardware with limited state, e.g., Theta(lambda) bits. Finally, we show how the proposed scriptable SNARK can be readily deployed to solve many well-known problems in the blockchain context, e.g. verifier's dilemma, fast joining for new players, etc.

Huayi Qi,Ye Cheng,Minghui Xu,Dongxiao Yu,Haipeng Wang,Weifeng Lyu

DOI: https://doi.org/10.1109/tc.2023.3235975

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) is a practical zero-knowledge proof system for Rank-1 Constraint Satisfaction (R1CS), enabling privacy preservation and addressing the previous scalability concerns on zero-knowledge proofs. Existing constructions of zk-SNARKs require huge memory overhead to generate proofs in that the size of the zk-SNARK circuit can be large even for a very simple use case, which limits the applications for regular resource-constrained users. To reduce the memory utilization of zk-SNARKs, this paper presents a hash-based method “Split”. Concretely, Split intends to partition the zk-SNARK circuits so that components can be processed sequentially while ensuring strong security properties leveraging hash circuits. As a zk-SNARK circuit is partitioned, obsolete variables are no longer preserved in the memory. We further propose an enhanced Split as $n$n-Split, which leads to better optimization by properly choosing multiple splits. Our experimental results validate the effectiveness and efficiency of Split in conserving memory usage for resource-constrained provers as long as the circuit can be partitioned to a Good Split, indicating that via Split zk-SNARKs can be brought one step closer to practical applications.

engineering, electrical & electronic,computer science, hardware & architecture

Mohammed Alghazwi,Tariq Bontekoe,Leon Visscher,Fatih Turkmen

2024-07-27

Abstract:Non-interactive zero-knowledge (NIZK) proofs of knowledge have proven to be highly relevant for securely realizing a wide array of applications that rely on both privacy and correctness. They enable a prover to convince any party of the correctness of a public statement for a secret witness. However, most NIZKs do not natively support proving knowledge of a secret witness that is distributed over multiple provers. Previously, collaborative proofs [51] have been proposed to overcome this limitation. We investigate the notion of composability in this setting, following the Commit-and-Prove design of LegoSNARK [17]. Composability allows users to combine different, specialized NIZKs (e.g., one arithmetic circuit, one boolean circuit, and one for range proofs) with the aim of reducing the prove generation time. Moreover, it opens the door to efficient realizations of many applications in the collaborative setting such as mutually exclusive prover groups, combining collaborative and single-party proofs and efficiently implementing publicly auditable MPC (PA-MPC). We present the first, general definition for collaborative commit-and-prove NIZK (CP-NIZK) proofs of knowledge and construct distributed protocols to enable their realization. We implement our protocols for two commonly used NIZKs, Groth16 and Bulletproofs, and evaluate their practicality in a variety of computational settings. Our findings indicate that composability adds only minor overhead, especially for large circuits. We experimented with our construction in an application setting, and when compared to prior works, our protocols reduce latency by 18-55x while requiring only a fraction (0.2%) of the communication.

Cryptography and Security

Yunlei Zhao,Robert Deng,Binyu Zang,Yiming Zhao

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general NP languages with going through general NP-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named ∑-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from ∑-protocols to practical (real) ZK arguments without general NP-reductions under either the DLP or RSA assumptions. © Springer-Verlag Berlin Heidelberg 2005.

Stefanos Chaliasos,Jens Ernstberger,David Theodore,David Wong,Mohammad Jahanara,Benjamin Livshits

2024-07-12

Abstract:Zero-knowledge proofs (ZKPs) have evolved from being a theoretical concept providing privacy and verifiability to having practical, real-world implementations, with SNARKs (Succinct Non-Interactive Argument of Knowledge) emerging as one of the most significant innovations. Prior work has mainly focused on designing more efficient SNARK systems and providing security proofs for them. Many think of SNARKs as "just math," implying that what is proven to be correct and secure is correct in practice. In contrast, this paper focuses on assessing end-to-end security properties of real-life SNARK implementations. We start by building foundations with a system model and by establishing threat models and defining adversarial roles for systems that use SNARKs. Our study encompasses an extensive analysis of 141 actual vulnerabilities in SNARK implementations, providing a detailed taxonomy to aid developers and security researchers in understanding the security threats in systems employing SNARKs. Finally, we evaluate existing defense mechanisms and offer recommendations for enhancing the security of SNARK-based systems, paving the way for more robust and reliable implementations in the future.

Cryptography and Security

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-540-72540-4_8

2007-01-01

Abstract:We present a generic construction for constant-round concurrently sound resettable zero-knowledge (rZK-CS) arguments for NP in the bare public-key (BPK) model under any (sub-exponentially strong) one-way function (OWF), which is a traditional assumption in this area. The generic construction in turn allows round-optimal implementation for NP still under general assumptions, and can be converted into a highly practical instantiation (under specific number-theoretic assumptions) for any language admitting Sigma-protocols. Further, the rZK-CS arguments developed in this work also satisfy a weak (black-box) concurrent knowledge-extract ability property as proofs of knowledge, in which case some super-polynomial-time assumption is intrinsic.

Huang Guifang,Lin Dongdai

DOI: https://doi.org/10.23919/cje.2009.10138270

2009-01-01

Abstract:In asynchronous network communication, non-malleability is required to resist against man-in-the-middle attack. Based on the existence of one-way permutation, we propose two unbounded non-malleable Non-interactive zero knowledge (NIZK) protocols. Firstly, by using NIZK argument of knowledge instead of Omega-protocol as a building block, we transform 5-rounds concurrent non-malleable zero knowledge argument in the Common reference string (CRS) model([15]) to non-malleable NIZK argument. The transformation achieves optimal round efficiency in the same model. Secondly, we simplify the second scheme in CRYPO'01([8]) by using the technique hidden unduplicatable set selection. In the simplified scheme, the CRS is much shorter and statements to be proved in the two NIZK sub-protocols are simplified.

Yunlei Zhao,Robert H. Deng,Binyu Zang,Yiming Zhao

DOI: https://doi.org/10.1007/11600930_28

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general \(\mathcal{NP}\) languages with going through general \(\mathcal{NP}\)-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named Σ-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from Σ-protocols to practical (real) ZK arguments without general \(\mathcal{NP}\)-reductions under either the DLP or RSA assumptions.

Hanze Guo,Yebo Feng,Cong Wu,Zengpeng Li,Jiahua Xu

2024-09-03

Abstract:With the rapid development of Zero-Knowledge Proofs (ZKPs), particularly Succinct Non-Interactive Arguments of Knowledge (SNARKs), benchmarking various ZK tools has become a valuable task. ZK-friendly hash functions, as key algorithms in blockchain, have garnered significant attention. Therefore, comprehensive benchmarking and evaluations of these evolving algorithms in ZK circuits present both promising opportunities and challenges. Additionally, we focus on a popular ZKP application, privacy-preserving transaction protocols, aiming to leverage SNARKs' cost-efficiency through "batch processing" to address high on-chain costs and compliance issues. To this end, we benchmarked three SNARK proving systems and five ZK-friendly hash functions, including our self-developed circuit templates for Poseidon2, Neptune, and GMiMC, on the bn254 curve within the circom-snarkjs framework. We also introduced the role of "sequencer" in our SNARK-based privacy-preserving transaction scheme to enhance efficiency and enable flexible auditing. We conducted privacy and security analyses, as well as implementation and evaluation on Ethereum Virtual Machine (EVM)-compatible chains. The results indicate that Poseidon and Poseidon2 demonstrate superior memory usage and runtime during proof generation under Groth16. Moreover, compared to the baseline, Poseidon2 not only generates proofs faster but also reduces on-chain costs by 73% on EVM chains and nearly 26% on Hedera. Our work provides a benchmark for ZK-friendly hash functions and ZK tools, while also exploring cost efficiency and compliance in ZKP-based privacy-preserving transaction protocols.

Cryptography and Security

Armando Cruz

2024-01-06

Abstract:Zero-knowledge proofs (zk-Proofs) are communication protocols by which a prover can demonstrate to a verifier that it possesses a solution to a given public problem without revealing the content of the solution. Arbitrary computations can be transformed into an interactive zk-Proof so anyone is convinced that it was executed correctly without knowing what was executed on, having huge implications for digital currency. Despite this, interactive proofs are not suited for blockchain applications but novel protocols such as zk-SNARKs have made zero-knowledge ledgers like Zcash possible. This project builds upon Wolfram's ZeroKnowledgeProofs paclet and implements a zk-SNARK compiler based on Pinocchio protocol.

Cryptography and Security

Jiaheng Zhang,Tiancheng Xie,Yupeng Zhang,Dawn Song

DOI: https://doi.org/10.1109/sp40000.2020.00052

2020-05-01

Abstract:We present a new succinct zero knowledge argument scheme for layered arithmetic circuits without trusted setup. The prover time is O(C + nlogn) and the proof size is O(D logC +log2 n) for a D-depth circuit with n inputs and C gates. The verification time is also succinct, O(D logC + log2 n), if the circuit is structured. Our scheme only uses lightweight cryptographic primitives such as collision-resistant hash functions and is plausibly post-quantum secure. We implement a zero knowledge argument system, Virgo, based on our new scheme and compare its performance to existing schemes. Experiments show that it only takes 53 seconds to generate a proof for a circuit computing a Merkle tree with 256 leaves, at least an order of magnitude faster than all other succinct zero knowledge argument schemes. The verification time is 50ms, and the proof size is 253KB, both competitive to existing systems. Underlying Virgo is a new transparent zero knowledge verifiable polynomial delegation scheme with logarithmic proof size and verification time. The scheme is in the interactive oracle proof model and may be of independent interest.

Moti Yung,Yunlei Zhao

2006-01-01

Abstract:We present constant-round concurrently knowledge-extractable black-box resettable zero-knowledge (rZK-CKE) arguments forNP in the bare public-key (BPK) model. We give minimal (sub-exponential) hardness assumption based protocols as well as round-optimal protocols (still under general hardness assumptions). To our knowledge, our protocols are the first ZK protocols that provably provide both resettable/concurrent prover security and concurrent verifier security in public-key models. Here, the notion of concurrent knowledge-extractability roughly means that no malicious polynomial-time prover can convince an honest verifier of any (whether false or true) statement without “knowing” a corresponding NP-witness even by concurrently interleaving interactions in public-key models when verifiers register public-keys. We show that concurrent knowledge-extractability is strictly stronger than “concurrent soundness” (under any sub-exponentially strong one-way permutation) for concurrently proving NP statements to honest verifiers with public-keys. In particular, we show that previous concurrent zero-knowledge protocols in the BPK model that achieved concurrent soundness security and are also traditional arguments of knowledge actually fail to satisfy this stronger security notion (this is demonstrated by concrete attacks). Our work deepens the understanding of the subtleties of concurrent verifier security in public-key settings, and may serve as building blocks in designing other round-efficient concurrently secure protocols in public-key models that use, in particular, argument of knowledge (AOK) protocols as building blocks. RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu Software School, School of Information Science and Engineering, Fudan University, Shanghai 200433, China.

Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-32928-9_27

2013-01-01

Journal of Computer Security

Abstract:We propose a new non-interactive perfect zero-knowledge NIZK shuffle argument that, when compared with the only previously known efficient NIZK shuffle argument by Groth and Lu, has a small constant factor times smaller computation and communication, and is based on more standard computational assumptions. Differently from Groth and Lu who only prove the co-soundness of their argument under purely computational assumptions, we prove computational soundness under a necessary knowledge assumption. We also present a general transformation that results in a shuffle argument that has a quadratically smaller common reference string CRS and a small constant factor times longer argument than the original shuffle. This can be interpreted as a general technique of decreasing the offline cost of an arbitrary shuffle argument.

Oussama Amine,Karim Baghery,Zaira Pindado,Carla Ràfols

DOI: https://doi.org/10.1007/s10207-023-00750-7

Abstract:Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) are the most efficient proof systems in terms of proof size and verification. Currently, Groth's scheme from EUROCRYPT 2016, Groth 16 , is the state-of-the-art and is widely deployed in practice. Groth 16 is originally proven to achieve knowledge soundness, which does not guarantee the non-malleability of proofs. There has been considerable progress in presenting new zk-SNARKs or modifying Groth 16 to efficiently achieve strong Simulation extractability, which is shown to be a necessary requirement in some applications. In this paper, we revise the Random oracle based variant of Groth 16 proposed by Bowe and Gabizon, BG18, the most efficient one in terms of prover efficiency and CRS size among the candidates, and present a more efficient variant that saves 2 pairings in the verification and 1 group element in the proof. This supersedes our preliminary construction, presented in CANS 2020 (Baghery et al. in CANS 20, volume 12579 of LNCS, Springer, Heidelberg. pp 453-461, 2020), which saved 1 pairing in the verification, and was proven in the generic group model. Our new construction also improves on BG18 in that our proofs are in the algebraic group model with Random Oracles and reduces security to standard computational assumptions in bilinear groups (as opposed to using the full power of the generic group model (GGM)). We implement our proposed simulation extractable zk-SNARK (SE zk-SNARK) along with BG18 in the Arkworks library, and compare the efficiency of our scheme with some related works. Our empirical experiences confirm that our SE zk-SNARK is more efficient than all previous simulation extractable (SE) schemes in most dimensions and it has very close efficiency to the original Groth 16 .

Ruta Jawale,Dakshita Khurana

2024-09-25

Abstract:A non-interactive ZK (NIZK) proof enables verification of NP statements without revealing secrets about them. However, an adversary that obtains a NIZK proof may be able to clone this proof and distribute arbitrarily many copies of it to various entities: this is inevitable for any proof that takes the form of a classical string. In this paper, we ask whether it is possible to rely on quantum information in order to build NIZK proof systems that are impossible to clone. We define and construct unclonable non-interactive zero-knowledge arguments (of knowledge) for NP, addressing a question first posed by Aaronson (CCC 2009). Besides satisfying the zero-knowledge and argument of knowledge properties, these proofs additionally satisfy unclonability. Very roughly, this ensures that no adversary can split an honestly generated proof of membership of an instance $x$ in an NP language $\mathcal{L}$ and distribute copies to multiple entities that all obtain accepting proofs of membership of $x$ in $\mathcal{L}$. Our result has applications to unclonable signatures of knowledge, which we define and construct in this work; these non-interactively prevent replay attacks.

Cryptography and Security,Quantum Physics

Yuncong Zhang,Ren Zhang,Geng Wang,Dawu Gu

2021-01-01

Abstract:The construction of zkSNARKs involves designing a Polynomial IOP that matches with the constraint system for which it proves membership. Designing this Polynomial IOP is a challenging task because the constraint system is typically not expressed in terms of polynomials but in terms of matrices and vectors. To mitigate mismatch, we propose a new methodology for the first step in SNARK construction, that first designs a matching Vector Oracle protocol before compiling it into a Polynomial IOP. The native first-class citizens of the Vector Oracle protocol are vectors; and by virtue of matching with the language of the arithmetic constraint system, Vector Oracle protocols are more intuitive to design and analyze. The Vector-Oracle-to-PIOP compilation procedure is protocol-independent, allowing us to present and optimize it as a standalone component, leading to the discovery of a series of acceleration techniques. We apply our methodology to construct three zkSNARKs, each targeting a constraint system: the Rank-1 Constaint System (R1CS), the Hadamard Product Relation (HPR), and a modified PLONK circuit. All three zkSNARKs achieve shorter proofs and/or smaller verification costs compared to the state-of-the-art constructions targeting the same constraint systems. Specifically, VCProof/R1CS defeats Marlin in proof size, with a slightly higher verification cost; VCProof/HPR and VCProof/POV outperform Sonic and PLONK, respectively, in both proof sizes and verification costs. In particular, the proof of VCProof/POV has only two field elements and six group elements, thus becoming the shortest among all existing universal-setup zkSNARKs.

Hongrui Cui,Kaiyi Zhang,Yu Chen,Zhen Liu,Yu Yu

DOI: https://doi.org/10.1007/978-3-030-88428-4_17

2021-01-01

Abstract:With the rapid development of distributed computing, the traditional zero-knowledge proofs (ZKP) are becoming less adequate for privacy-preserving applications in the distributed setting. Take "double financing" as an example: multiple financial providers jointly prove that the sum of their committed values is no more than a given threshold, which generalizes the "range proof" to the multiple-prover setting. Therefore, traditional zero-knowledge proof does not seemingly lend itself to this problem on its own. We identify and fill this gap by formalizing the ZKP system in the multi-prover setting (MPZK) that proves arbitrary NP statements with distributed witnesses. Our MPZK system offers zero-knowledge as long as one prover is honest (while others can collude arbitrarily), and thus is applicable to "double financing" , "credit checking" , and various other multi-prover applications. We then propose a generic black-box construction from multiparty computation, referred to as "MPC-in-Multi-Heads" , and prove its security under the simulation-based paradigm. We also offer a proof-of-concept implementation and present its experimental results.