Abstract / Description of output
By design, existing (pre-processing) zk-SNARKs embed a secret trapdoor in a relation-dependent common reference string (CRS). The trapdoor is exploited by a (hypothetical) simulator to prove the scheme is zero knowledge, and the secret-dependent structure facilitates a linear-size CRS and linear-time prover computation. If known by a real party, however, the trapdoor can be used to subvert the security of the system. The structured CRS that makes zk-SNARKs practical also makes deploying zk-SNARKs problematic, as it is difficult to argue why the trapdoor would not be available to the entity responsible for generating the CRS. Moreover, for pre-processing zk-SNARKs a new trusted CRS needs to be computed every time the relation is changed.
In this paper, we address both issues by proposing a model where a number of users can update a universal CRS. The updatable CRS model guarantees security if at least one of the users updating the CRS is honest. We provide both a negative result, by showing that zk-SNARKs with private secret-dependent polynomials in the CRS cannot be updatable, and a positive result by constructing a zk-SNARK based on a CRS consisting only of secret-dependent monomials. The CRS is of quadratic size, is updatable, and is universal in the sense that it can be specialized into one or more relation-dependent CRS of linear size with linear-time prover computation.
Field | Value |
---|---|
Original language | English |
Title of host publication | Advances in Cryptology – CRYPTO 2018 |
Subtitle of host publication | 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part III |
Editors | Hovav Shacham, Alexandra Boldyreva |
Place of Publication | Santa Barbara, CA, USA |
Publisher | Springer, Cham |
Pages | 698-728 |
Number of pages | 31 |
ISBN (Electronic) | 978-3-319-96878-0 |
ISBN (Print) | 978-3-319-96877-3 |
Publication status | Published - 24 Jul 2018 |
Event | 38th International Cryptology Conference, University of California, Santa Barbara (UCSB), Santa Barbara, United States; Duration: 19 Aug 2018 → 23 Aug 2018; https://crypto.iacr.org/2018/index.html |
Publication series
Field | Value |
---|---|
Name | Lecture Notes in Computer Science (LNCS) |
Publisher | Springer, Cham |
Volume | 10993 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Field | Value |
---|---|
Conference | 38th International Cryptology Conference |
Abbreviated title | CRYPTO 2018 |
Country/Territory | United States |
City | Santa Barbara |
Period | 19/08/18 → 23/08/18 |
Profiles
- Markulf Kohlweiss
  - School of Informatics - Senior Lecturer in Security and Privacy
  - Laboratory for Foundations of Computer Science
  - Foundations of Computation
  - Person: Academic: Research Active, Academic: Research Active (Teaching)