Paper 2019/1162

Subversion-Resistant Simulation (Knowledge) Sound NIZKs

Karim Baghery


In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro studied the security of non-interactive zero-knowledge (NIZK) arguments in the face of parameter subversion. They showed that achieving subversion soundness (soundness without trusting the third party) and standard zero-knowledge at the same time is impossible. On the positive side, in the best case, they showed that one can achieve subversion zero-knowledge (zero-knowledge without trusting the third party) and soundness at the same time. In this paper, we show that one can amplify their best positive result and construct NIZK arguments that achieve subversion zero-knowledge and $\textit{simulation}$ (knowledge) soundness at the same time. Simulation (knowledge) soundness is a stronger notion than (knowledge) soundness, as it also guarantees non-malleability of proofs. Such a stronger security guarantee is a must in practical systems. To prove the result, we show that, given a NIZK argument that achieves Sub-ZK and (knowledge) soundness, one can use an OR-based construction to define a new language and build a NIZK argument that guarantees Sub-ZK and $\textit{simulation}$ (knowledge) soundness at the same time. We instantiate the construction with the state-of-the-art zk-SNARK proposed by Groth [Eurocrypt 2016] and obtain an efficient SNARK that guarantees Sub-ZK and simulation knowledge soundness.

Category: Cryptographic protocols
Publication info
Published elsewhere. Minor revision. 17th IMA International Conference on Cryptography and Coding - IMA CC 2019
Keywords: NIZK, subversion zero-knowledge, zk-SNARK, simulation extractability, CRS model
Contact author(s)
karim baghery @ ut ee
History: 2019-10-07: received
Creative Commons Attribution


BibTeX:

@misc{cryptoeprint:2019/1162,
      author = {Karim Baghery},
      title = {Subversion-Resistant Simulation (Knowledge) Sound {NIZKs}},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1162},
      year = {2019},
      note = {\url{}},
      url = {}
}