Paper 2020/1435

Publicly Verifiable Zero Knowledge from (Collapsing) Blockchains

Alessandra Scafuro and Luisa Siniscalchi and Ivan Visconti

Abstract

In TCC 2017 Goyal and Goyal proposed the first -- and currently only-- construction of a publicly verifiable zero-knowledge  (pvZK) proof system that leverages a blockchain as a setup assumption. Such construction can be instantiated only through proof-of-stake blockchains and  presents a few more limitations and assumptions:   (1)  the adversary can only perform static corruption of the stakeholders,   (2) keys of the stakeholders must also allow for encryption, and  (3) honest stakeholders must never leak their secret keys  (even when no stake is left with respect to those keys). In this work, we first show that, even if all the above limitations/assumptions hold,  a malicious verifier could still violate the zero-knowledge property by leveraging smart contracts. We show an  ``attack of the clones''  that allows a malicious verifier to clone some of the stakeholder capabilities via a smart contract that is designed after the proof is received from the prover. This leaves open the question of constructing publicly verifiable zero-knowledge proofs from blockchains. Moreover, it raises the issue of using blockchains as setup assumptions since they evolve over time and could even become unreliable in the future. Then, we provide a publicly verifiable zero-knowledge proof system,  based on any blockchain (i.e., not only proof-of-stake) that, very roughly, satisfies the following unpredictability property.  Sufficiently many future honest blocks added to the blockchain contain a high min-entropy string in a specific location (e.g., a new wallet for cashing the mining reward). Our proof system is secure against a verifier/prover that can corrupt blockchain players adaptively. In particular,  it remains zero knowledge even if the blockchain eventually collapses and all blockchain players are controlled by the zero-knowledge adversary.