Skip to main content

Succinct Scriptable NIZK via Trusted Hardware

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)

Abstract

Non-interactive zero-knowledge proof or argument (NIZK) systems are widely used in many security sensitive applications to enhance computation integrity, privacy and scalability. In such systems, a prover wants to convince one or more verifiers that the result of a public function is correctly computed without revealing the (potential) private input, such as the witness. In this work, we introduce a new notion, called succinct scriptable NIZK, where the prover and verifier(s) can specify the function (or language instance) to be proven via a script. We formalize this notion is UC framework and provide a generic trusted hardware based solution. We then instantiate our solution in both SGX and Trustzone with Lua script engine. The system can be easily used by typical programmers without any cryptographic background. The benchmark result shows that our solution is better than all the known NIZK proof systems w.r.t. prover’s running time (1000 times faster), verifier’s running time, and the proof size. Finally, we show how the proposed scriptable succinct NIZK can be readily deployed to solve many well-known problems in the blockchain context, e.g. verifier’s dilemma, fast joining for new players, etc..

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_21
  • Chapter length: 22 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.

Notes

  1. 1.

    The enclave also has a GetQEInfo function to receive the target information of QE. It is omitted for simplicity.

  2. 2.

    In fact, there are 56 bits reserved area, whose default value is 0 in the attributes field. Hence, the size can be further reduced by 56 bits.

References

  1. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: Lightweight sublinear arguments without a trusted setup. In: ACM CCS 2017, pp. 2087–2104 (2017)

    Google Scholar 

  2. Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. (TOCS) 33(3), 8 (2015)

    CrossRef  Google Scholar 

  3. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018). https://eprint.iacr.org/2018/046

  4. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6

    CrossRef  MATH  Google Scholar 

  5. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von neumann architecture. In: USENIX Security 2014, pp. 781–796 (2014)

    Google Scholar 

  6. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, pp. 103–112 (2019)

    Google Scholar 

  7. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

    CrossRef  MATH  Google Scholar 

  8. Brickell, E., Li, J.:Enhanced privacy id from bilinear pairing for hardware authentication and attestation. In: 2010 IEEE Second International Conference on Social Computing, pp. 768–775 (2010)

    Google Scholar 

  9. Van Bulck, jJ., et al.: Foreshadow: extracting the keys to the intel sgx kingdom with transient out-of-order execution. In: USENIX Security Symposium (2018)

    Google Scholar 

  10. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334 (2018)

    Google Scholar 

  11. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_28

    CrossRef  Google Scholar 

  12. Dinh, T.T.A., Saxena, P., Chang, E.C., Ooi, B.C., Zhang, C.: M2R: enabling stronger privacy in MapReduce computation. In: USENIX Security 2015, pp. 447–462 (2015)

    Google Scholar 

  13. ECRYPT. ebacs: Ecrypt benchmarking of cryptographic systems (2018). https://bench.cr.yp.to/results-hash.html, Accessed 11 May 2019

  14. Fisch, B., Vinayagamurthy, D., Boneh, D., Gorbunov, S.: IRON: functional encryption using intel SGX. In: ACM CCS 2017, pp. 765–782 (2017)

    Google Scholar 

  15. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

    CrossRef  Google Scholar 

  16. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: 43rd ACM STOC, pp. 99–108 (2011)

    Google Scholar 

  17. Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: Faster zero-knowledge for boolean circuits. Cryptology ePrint Archive, Report 2016/163 (2016). http://eprint.iacr.org/2016/163

  18. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207

    MathSciNet  CrossRef  MATH  Google Scholar 

  19. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: 40th ACM STOC, pp. 113–122 (2015)

    Google Scholar 

  20. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_10

    CrossRef  Google Scholar 

  21. Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_23

    CrossRef  Google Scholar 

  22. Groth, J., Kohlweiss, M., Maller, M., Meiklejohn, S., Miers, I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 698–728. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_24

    CrossRef  Google Scholar 

  23. Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short pcps. In: Twenty-Second Annual IEEE Conference on Computational Complexity (CCC’07), pp. 278–291 (2007)

    Google Scholar 

  24. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: 39th ACM STOC, pp. 21–30 (2007)

    Google Scholar 

  25. Johnson, S.P., Scarlata, V.R., Rozas, C.V., Brickell, E., McKeen, F.; Intel sgx: epid provisioning and attestation services. Intel (2016)

    Google Scholar 

  26. SCIPR Lab. libsnark: a c++ library for zksnark proofs (2019)

    Google Scholar 

  27. Lipmaa, H., Mohassel, P., Sadeghian, S.: Valiant’s universal circuit: Improvements, implementation, and applications. Cryptology ePrint Archive, Report 2016/017 (2016). https://eprint.iacr.org/2016/017

  28. Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: USENIX Security 2016, pp. 549–564 (2016)

    Google Scholar 

  29. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge snarks from linear-size universal and updateable structured reference strings. IACR Cryptology ePrint Arch. 2019, 99 (2019)

    Google Scholar 

  30. McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. In: ACM SIGOPS Operating Systems Review, vol. 42, pp. 315–328. ACM (2008)

    Google Scholar 

  31. Ohrimenko, O., Costa, M., Fournet, C., Gkantsidis, C., Kohlweiss, M., Sharma, D.: Observing and preventing leakage in MapReduce. In: ACM CCS 2015, pp. 1570–1581 (2015)

    Google Scholar 

  32. Ohrimenko, O., et al.: Oblivious multi-party machine learning on trusted processors. In: USENIX Security 2016, pp. 619–636 (2016)

    Google Scholar 

  33. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252 (2013)

    Google Scholar 

  34. Pires, R., Gavril, D., Felber, P., Onica, E., Pasin, M.: A lightweight mapreduce framework for secure processing with sgx. In: Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGrid 2017, pp. 1100–1107 (2017)

    Google Scholar 

  35. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: 48th ACM STOC, pp. 49–62 (2019)

    Google Scholar 

  36. Schuster, F., et al.: VC3: trustworthy data analytics in the cloud using SGX. In: 2015 IEEE Symposium on Security and Privacy, pp. 38–54 (2015)

    Google Scholar 

  37. Suh, G.E., Clarke, D., Gassend, B., Van Dijk, M., Devadas, S.: Aegis: architecture for tamper-evident and tamper-resistant processing. In: ACM International Conference on Supercomputing 25th Anniversary Volume, pp. 357–368. ACM (2014)

    Google Scholar 

  38. Tramer, F., Zhang, F., Lin, H., Hubaux, J., Juels, A., Shi, E.: Sealed-glass proofs: using transparent enclaves to prove and sell knowledge. In: Euro S&P 2017, pp. 19–34 (2017)

    Google Scholar 

  39. Valiant, L.G.: Universal circuits (preliminary report). In: Proceedings of the Eighth Annual ACM Symposium on Theory of Computing, STOC 1976, pp. 196–203 (1976)

    Google Scholar 

  40. Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1

    CrossRef  MATH  Google Scholar 

  41. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943 (2018)

    Google Scholar 

  42. Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: 2017 IEEE Symposium on Security and Privacy, pp. 863–880 (2017)

    Google Scholar 

Download references

Acknowledgement

Bingsheng Zhang is supported by the Key (Keygrant) Project of Chinese Ministry of Education. (No. 2020KJ010201) and the National Natural Science Foundation of China (Grant No. 62072401). Hong-Sheng Zhou and Phuc Thai are supported by NSF grant CNS-1801470, a Google Faculty Research Award and a research gift from Ergo Platform. Yajin Zhou and Kui Ren are also supported by the Open Project Program of Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province. Yajin Zhou is the corresponding author.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Bingsheng Zhang .

Editor information

Editors and Affiliations

A SGX implementation

A SGX implementation

As we mentioned in Sect. 6, our SGX-based prototype is implemented in C++ using the Intel(R) SGX SDK v2.5 for Linux. Our implementation is built on top of [34], and we added OpenSSL lib functions for common cryptographic primitives, such as SHA256, ECDSA, etc. Since system call is not allowed in enclave, we also simulated a simple file system to support the Lua interpreter. The size of the compiled enclave binary is approximately 3.2 MB.

Up on execution, the prover first creates an instance of the Lua script engine enclave in the SGX and transfers the target information of QE into the Lua script engine enclave, which will be used later to generate the report for QE. The prover then produces his proof by calling specific function interface of the enclave, \(\mathsf {VerifySign}\), taking the script \(\mathcal C \) and the public input \(\mathsf {Input}_{\mathrm {pub}}\) as the arguments of the function. In our prototype, the script \(\mathcal C \) and statement \(\mathsf {Input}_{\mathrm {pub}}\) are pre-loaded into the simulated filesystem. After loading \(\mathsf {Input}_{\mathrm {priv}}\) from the prover and putting it into the simulated filesystem, the enclave invokes the Lua interpreter to process the script \(y\leftarrow \mathcal C (\mathsf {Input}_{\mathrm {pub}},\mathsf {Input}_{\mathrm {priv}})\), where the script can access the statement and witness through Lua file operations. Note that Lua heap size need to be predefined while compiling the Lua script engine enclave, such as 32 MB, which restrict the class of script it can support.

After the script execution, the enclave hashes \(h:=\mathsf {hash}(\mathcal C,\mathsf {Input}_{\mathrm {pub}},\mathsf {Input}_{\mathrm {priv}})\) and then put \((\mathsf {tag},h)\) in to the \(\mathsf {REPORTDATA}\) field of the report structure, and generate the report \(r(\mathsf {tag},h)\) for QE to sign. The prover will then fetch the report \(r(\mathsf {tag},h)\) and send it together with signature revocation list (which can be obtained from the Intel IAS and SPID (which is assigned by the Intel IAS when user registers to the Intel IAS) to the QE. The QE will verify the report using its report key and compute an non-revoked proof for the signature revocation list, generating a quote consisting of the \(\mathsf {ReportBody}\) field of the report, the non-revoke proof and some other necessary information. The prover then will send the quote to the Intel IAS server for attestation verification report.

Table 2. QuoteBody structure

Reducing Proof Size. Naively, the prover can send the entire signed attestation verification report as the NIZK proof. The proof size is 731 Bytes (IAS report size) \(+\) 256 Bytes (the signature size). To reduce proof size, we observe that Intel’s signature is signed on top of the hash of the attestation verification report, so the prover does not need to give the entire report as a part of the proof as far as the verifier can reproduce the hash of the report. However, the verifier is interested in some field of in the \(\mathsf {isvEnclaveQuoteBody}\), such as \(\mathsf {REPORTDATA}\). Notice that SHA256 uses Merkle-Damgård structure, i.e., the final hash digest is calculated by iteratively calling a compression function over trunks of the signing document. Therefore, the prover can give the partial hash digest of the first part of the signing report, including ID, timestamp, version, \(\mathsf {isvEnclaveQuoteStatus}\). The \(\mathsf {isvEnclaveQuoteBody}\) structure is shown in Table 2. The verifier is only interested in the five fields marked in grey background, and they can be reconstructed from the public input of the verifier. Moreover, currently, all the reserved fields must be 0. Moreover, the verifier also wants to check \(\mathsf {isvEnclaveQuoteStatus} = \mathsf {OK}\); nevertheless, we observe that the attestation verification report whose \(\mathsf {isvEnclaveQuoteStatus} = \mathsf {OK}\) has a fixed length n. Otherwise, the length of the attestation verification report is different from n. Based on that observation, we can regard the length n as another public input of the verifier. Then when the verifier receives a proof, he/she can check whether the \(\mathsf {isvEnclaveQuoteStatus}\) field of the associated attestation verification report is \(\mathsf {OK}\) by putting the length n into the end of the report as the total hashed length. then if the \(\mathsf {isvEnclaveQuoteStatus}\) field is not \(\mathsf {OK}\), the report hash is not aligned probably, resulting a wrong hash digest.

We let the prover give the partial hash digest until \(\mathsf {misc\_select}\) field. Denote the partial hash digest of the report as ph. The prover needs to provide the \(\mathsf {attributes}\) field, denoted as \(\mathsf {attr}\), which is 16 BytesFootnote 2. The proof is \((ph,\mathsf {attr}, \sigma )\). The verifier can use reconstruct the hash of the report and then check the validity of the signature. The proof size is now reduced to 41 Bytes \(+\) 256 Bytes ( the signature size), which is 297 Bytes.

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Zhang, B. et al. (2021). Succinct Scriptable NIZK via Trusted Hardware. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)