Cryptology ePrint Archive: Report 2017/587

Subversion-zero-knowledge SNARKs

Georg Fuchsbauer

Abstract: At Asiacrypt 2016 Bellare, Fuchsbauer and Scafuro introduced the notion of subversion zero knowledge for non-interactive proof systems, demanding that zero knowledge (ZK) is maintained even when the common reference string is chosen maliciously. Succinct non-interactive arguments of knowledge (SNARKs) are proof systems with short and efficiently verifiable proofs, which were introduced for verifiable computation. They are deployed in cryptocurrencies such as Zcash, which guarantees user anonymity assuming zero-knowledge SNARKs. We show that under a plausible hardness assumption, the most efficient SNARK schemes proposed in the literature, including the one underlying Zcash, satisfy subversion ZK or can be made to at very little cost. We argue that Zcash is thus anonymous even if its parameters were set up maliciously.

Category / Keywords: cryptographic protocols / SNARKs, subversion-resistance, zero knowledge, Zcash

Date: received 16 Jun 2017

Contact author: fuchsbau at di ens fr

Available format(s): PDF | BibTeX Citation

Version: 20170620:153555 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]