Cryptology ePrint Archive: Report 2017/587

Subversion-zero-knowledge SNARKs

Georg Fuchsbauer

Abstract: Subversion zero knowledge for non-interactive proof systems demands that zero knowledge (ZK) be maintained even when the common reference string (CRS) is chosen maliciously. SNARKs are proof systems with succinct proofs, which are at the core of the cryptocurrency Zcash, whose anonymity relies on ZK-SNARKs, and they are used for ZK contingent payments in Bitcoin.

We show that under a plausible hardness assumption, the most efficient SNARK schemes proposed in the literature, including the one underlying Zcash and contingent payments, satisfy subversion ZK or can be made to at very little cost. In particular, we prove subversion ZK of the original SNARKs by Gennaro et al. and the most efficient construction by Groth from last year; for the Pinocchio scheme implemented in libsnark we show that it suffices to add 4 group elements to the CRS. We also argue that Zcash is anonymous even if its parameters were set up maliciously.

Category / Keywords: cryptographic protocols / SNARKs, subversion-resistance, zero knowledge, Zcash

Date: received 16 Jun 2017, last revised 16 Oct 2017

Contact author: fuchsbau at di ens fr

Available format(s): PDF | BibTeX Citation

Note: discussion of concurrent work; improved presentation

Version: 20171016:115724 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]