## Cryptology ePrint Archive: Report 2020/364

Unbounded Simulation-Sound Subversion Resistant Quasi-Adaptive NIZK Proofs and Applications to Modular zk-SNARKs

Abstract: Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs are NIZK proofs where the common reference string (CRS) is allowed to depend on the language and they can be very efficient for specific languages. Thus, they are for instance used within the LegoSNARK toolbox (Campanelli et. al ACM CCS'19) as SNARKs for linear subspace languages. Recently, there has been an increasing interest to reduce trust in the generator of the CRS, as a fully trusted party is usually hard to find for real-world applications. One important line of work in this direction is subversion zero-knowledge (Bellare et al. ASIACRYPT'16), where the zero-knowledge property even holds when the CRS is generated maliciously.

In this paper, we investigate QA-NIZKs in the aforementioned setting. First, we analyze the security of the most efficient QA-NIZK constructions of Kiltz and Wee (EUROCRYPT'15) and the asymmetric QA-NIZKs by Gonzalez et al. (ASIACRYPT'15) when the CRS is subverted and propose subversion versions of them. Secondly, for the first time, we construct l-time simulation sound and unbounded simulation sound subversion QA-NIZK. Thirdly, we show how to integrate our subversion QA-NIZKs into the LegoSNARK toolbox, where subversion resistance is not yet considered. Our results together with recent subversion zk-SNARKS (Abdolmaleki et al. ASIACRYPT'17; Fuchsbauer PKC'18, Lipmaa EPRINT'19), are an important step towards a subversion variant of the LegoSNARK toolbox. Finally, we believe that our (SS) subversion QA-NIZKs will be of interest beyond the aforementioned application.

Category / Keywords: cryptographic protocols / Simulation soundness, QA-NIZK, subversion zero-knowledge, modular zk-SNARKs