Another Look at Extraction and Randomization of Groth's zk-SNARK

Karim Baghery, Markulf Kohlweiss, Janno Siim, and Mikhail Volkhov

Abstract

Due to the simplicity and performance of zk-SNARKs they are widely used in real-world cryptographic protocols, including blockchain and smart contract systems. Simulation Extractability (SE) is a necessary security property for a NIZK argument to achieve Universal Composability (UC), a common requirement for such protocols. Most of the works that investigated SE focus on its strong variant which implies proof non-malleability. In this work we investigate a relaxed weaker notion, that allows proof randomization, while guaranteeing statement non-malleability, which we argue to be a more natural security property. First, we show that it is already achievable by Groth16, arguably the most efficient and widely deployed SNARK nowadays. Second, we show that because of this, Groth16 can be efficiently transformed into a black-box weakly SE NIZK, which is sufficient for UC protocols. To support the second claim, we present and compare two practical constructions, both of which strike different performance trade-offs: * Int-Groth16 makes use of a known transformation that encrypts the witness inside the SNARK circuit. We instantiate this transformation with an efficient SNARK-friendly encryption scheme. * Ext-Groth16 is based on the SAVER encryption scheme (Lee et al.) that plugs the encrypted witness directly into the verification equation, externally to the circuit. We prove that Ext-Groth16 is black-box weakly SE and, contrary to Int-Groth16, that its proofs are fully randomizable.

Note: Updated from technical report to an extended version.

Available format(s)
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
zero knowledgeNIZKzk-SNARKsimulation extractabilityQAPalgebraic group model
Contact author(s)
mikhail volkhov @ ed ac uk
History
2020-10-06: last of 5 revisions
See all versions
Short URL
https://ia.cr/2020/811

CC BY

BibTeX

@misc{cryptoeprint:2020/811,
author = {Karim Baghery and Markulf Kohlweiss and Janno Siim and Mikhail Volkhov},
title = {Another Look at Extraction and Randomization of Groth's zk-SNARK},
howpublished = {Cryptology ePrint Archive, Paper 2020/811},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/811}},
url = {https://eprint.iacr.org/2020/811}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.