Skip to main content
SpringerLink
Log in

Simulation Extractability in Groth’s zk-SNARK

  • Conference paper
  • First Online:
Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2019, CBT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11737))

Abstract

A Simulation Extractable (SE) zk-SNARK enables a prover to prove that she knows a witness for an instance in a way that the proof: (1) is succinct and can be verified very efficiently; (2) does not leak information about the witness; (3) is simulation-extractable -an adversary cannot come out with a new valid proof unless it knows a witness, even if it has already seen arbitrary number of simulated proofs. Non-malleable succinct proofs and very efficient verification make SE zk-SNARKs an elegant tool in various privacy-preserving applications such as cryptocurrencies, smart contracts and etc. In Eurocrypt 2016, Groth proposed the most efficient pairing-based zk-SNARK in the CRS model, but its proof is vulnerable to the malleability attacks. In this paper, we show that one can efficiently achieve simulation extractability in Groth’s zk-SNARK by some changes in the underlying language using an OR construction. Analysis and implementations show that in practical cases overload has minimal effects on the efficiency of original scheme which currently is the most efficient zk-SNARK. In new construction, proof size is extended with one element from \({\mathbb {G}}_1\), one element from \({\mathbb {G}}_2\), plus a bit string that totally is less than 256 bytes for 128-bit security. Its verification is dominated with 4 pairings which is the most efficient verification among current SE zk-SNARKs .

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In non-black-box extraction, extractor \(\mathsf {ext}_{{\mathcal {A}}}\) needs to get full access to the source code and random coins of adversary \({\mathcal {A}}\) to be able to extract the witness. But in black-box extraction, one can extract the witnesses straightforwardly from the proof using CRS trapdoors [Bag19].

  2. 2.

    For instance, in the verification equations that have paring structure such as \({a}\bullet {b}= c\), where \({a}\) and \({b}\) are proof elements from \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\) with prime orders, one can see that such verification equation will be satisfied also for new proof elements such as \({a}'= {a}^r\) and \({b}'={b}^{1/r}\), for arbitrary \(r\leftarrow {\mathbb {Z}}_{p}\).

  3. 3.

    Their initial circuit had \(\approx 4 \times 10^6\) gates, but recently they optimized the system and reduced the number of gates to \(\approx 2 \times 10^6\), but still it is very larger than \(\approx 50\times 10^3\).

  4. 4.

    Intuitively, some part of their changes play the role of a one-time secure signature scheme, but add two pairings to the verification of original scheme.

  5. 5.

    The value \(\lambda = 99\) takes account recent cryptanalysis of the Barreto-Naehrig curves by Kim and Barbulescu [KB16, BD17]. One can use different settings for 128-bit security. Since we use the library libsnark [BCTV13] that currently offers the mentioned security level, we just refer the reader to [KB16, BD17] for more discussion.

  6. 6.

    It has 25.538 gates in the \(\mathtt {xjsnark}\) library, https://github.com/akosba/xjsnark.

  7. 7.

    As shown in [BB08], by taking hash of input message the signature scheme can be used to sign arbitrary messages in \(\{0,1\}^*\).To do so, a collision resistant hash function \(H: \{0,1\}^* \rightarrow \{0, \dots , 2^b\}\) such that \(2^b < p\) is sufficient [BB08]. By considering recent analysis on Barreto-Naehrig curves by Kim and Barbulescu [BD17], one can use different settings for various security levels which would need to use different hash functions for signing arbitrary messages in [BB08] signature scheme.

  8. 8.

    Available on https://github.com/scipr-lab/libsnark.

References

  1. Abdolmaleki, B., Baghery, K., Lipmaa, H., Siim, J., Zając, M.: UC-secure CRS generation for SNARKs. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 99–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_6

    Chapter  Google Scholar 

  2. Abdolmaleki, B., Baghery, K., Lipmaa, H., Zając, M.: A subversion-resistant SNARK. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_1

    Chapter  Google Scholar 

  3. Baghery, K.: On the efficiency of privacy-preserving smart contract systems. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 118–136. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_7

    Chapter  Google Scholar 

  4. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008)

    Article  MathSciNet  Google Scholar 

  5. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014

    Google Scholar 

  6. Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 505–514. ACM Press, May/June 2014

    Google Scholar 

  7. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive arguments for a von neumann architecture. Cryptology ePrint Archive, Report 2013/879 (2013). http://eprint.iacr.org/2013/879

  8. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334 (2017). http://eprint.iacr.org/2017/334

  9. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, pp. 103–112. ACM Press, May 1988

    Google Scholar 

  10. Bowe, S., Gabizon, A.: Making groth’s zk-snark simulation extractable in the random oracle model. IACR Cryptol. ePrint Arch. 2018, 187 (2018)

    Google Scholar 

  11. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. Cryptology ePrint Archive, Report 2005/133 (2005). http://eprint.iacr.org/2005/133

  12. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36

    Chapter  Google Scholar 

  13. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33

    Chapter  Google Scholar 

  14. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

    Chapter  Google Scholar 

  15. Groth, J., Maller, M.: Snarky signatures: minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 581–612. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_20

    Chapter  Google Scholar 

  16. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

    Chapter  Google Scholar 

  17. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

    Chapter  Google Scholar 

  18. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press, June 2011

    Google Scholar 

  19. Hess, F., Smart, N.P., Vercauteren, F.: The eta pairing revisited. Cryptology ePrint Archive, Report 2006/110 (2006). http://eprint.iacr.org/2006/110

  20. Juels, A., Kosba, A.E., Shi, E.: The ring of gyges: investigating the future of criminal smart contracts. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 283–295. ACM Press, October 2016

    Google Scholar 

  21. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20

    Chapter  Google Scholar 

  22. Kim, J., Lee, J., Oh, H.: QAP-based simulation-extractable SNARK with a single verification. Cryptology ePrint Archive, Report 2019/586 (2019). https://eprint.iacr.org/2019/586

  23. Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press, May 2016

    Google Scholar 

  24. Kosba, A.E., et al.: C\(\emptyset \)C\(\emptyset \): A Framework for Building Composable Zero-Knowledge Proofs. Technical report 2015/1093, 10 November 2015. http://eprint.iacr.org/2015/1093. Accessed 9 Apr 2017

  25. Lamport, L.: Constructing digital signatures from a one-way function. Technical report SRI-CSL-98, SRI International Computer Science Laboratory, October 1979

    Google Scholar 

  26. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

    Chapter  Google Scholar 

  27. Lipmaa, H.: Simulation-extractable SNARKs revisited. Cryptology ePrint Archive, Report 2019/612 (2019). http://eprint.iacr.org/2019/612

  28. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press, May 2013

    Google Scholar 

Download references

Acknowledgments

The authors were supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No 780477 (project PRIViLEDGE), and by the Estonian Research Council grant (PRG49).

Author information

Authors and Affiliations

  1. University of Tartu, Tartu, Estonia

    Shahla Atapoor & Karim Baghery

Authors
  1. Shahla Atapoor
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karim Baghery
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Karim Baghery .

Editor information

Editors and Affiliations

  1. Universitat Oberta de Catalunya, Barcelona, Spain

    Cristina Pérez-Solà

  2. Universitat Autonoma de Barcelona, Bellaterra, Spain

    Guillermo Navarro-Arribas

  3. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Alex Biryukov

  4. Institut Mines-Télécom, Evry, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Atapoor, S., Baghery, K. (2019). Simulation Extractability in Groth’s zk-SNARK. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2019 2019. Lecture Notes in Computer Science(), vol 11737. Springer, Cham. https://doi.org/10.1007/978-3-030-31500-9_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-31500-9_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31499-6

  • Online ISBN: 978-3-030-31500-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation