TY - GEN
T1 - Secure sampling of public parameters for succinct zero knowledge proofs
AU - Ben-Sasson, Eli
AU - Chiesa, Alessandro
AU - Green, Matthew
AU - Tromer, Eran
AU - Virza, Madars
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/7/17
Y1 - 2015/7/17
N2 - Non-interactive zero-knowledge proofs (NIZKs) are a powerful cryptographic tool, with numerous potential applications. However, succinct NIZKs (e.g., zk-SNARK schemes) necessitate a trusted party to generate and publish some public parameters, to be used by all provers and verifiers. This party is trusted to correctly run a probabilistic algorithm (specified by the proof system) that outputs the public parameters, and to publish them without leaking any other information (such as the internal randomness used by the algorithm); violating either requirement may allow malicious parties to produce convincing 'proofs' of false statements. This trust requirement poses a serious impediment to deploying NIZKs in many applications, because a party that is trusted by all users of the envisioned system may simply not exist. In this work, we show how public parameters for a class of NIZKs can be generated by a multi-party protocol, such that if at least one of the parties is honest, then the result is secure (in both aforementioned senses) and can be subsequently used for generating and verifying numerous proofs without any further trust. We design and implement such a protocol, tailored to efficiently support the state-of-the-art NIZK constructions with short and easy-to-verify proofs (Parno et al. IEEE S&P '13, Ben-Sasson et al. USENIX Sec '14, Danezis et al. ASIACRYPT '14). Applications of our system include generating public parameters for systems such as Zerocash (Ben-Sasson et al. IEEE S&P '13) and the scalable zero-knowledge proof system of (Ben-Sasson et al. CRYPTO '14).
KW - distributed key generation
KW - succinct non-interactive arguments
KW - zero knowledge
UR - http://www.scopus.com/inward/record.url?scp=84945197063&partnerID=8YFLogxK
U2 - 10.1109/SP.2015.25
DO - 10.1109/SP.2015.25
M3 - Conference contribution
AN - SCOPUS:84945197063
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 287
EP - 304
BT - Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 36th IEEE Symposium on Security and Privacy, SP 2015
Y2 - 18 May 2015 through 20 May 2015
ER -