On the (In)security of SNARKs in the Presence of Oracles. Anca Nitulescu, Dario Fiore. École Normale Supérieure, CNRS and INRIA, Paris, France
Delegate NP computation: the input m is handed out, and a proof of correct computation is expected back (Proof?)
Arguments of knowledge
Succinct Non-Interactive Arguments of Knowledge: Efficiency, Succinctness, Non-Interactivity
SECURITY: PROOF OF KNOWLEDGE. The SNARK adversary and the extractor both run on the same crs, aux.
Non-Black-Box Extraction: the extractor is built from the adversary's code and is run on the same crs, aux as the adversary.
Overview
Starting Point
● Protocols with SNARKs
● Security proofs: settings where extraction is problematic
● Need of new security notion: O-SNARK
Study of O-SNARKs
● Impossibility result
● Some “restrictive” instantiations from classical SNARKs
● Applications where O-SNARK is useful
Case Study Application: Proving Knowledge of Signatures
A signer holding sk issues signed messages (m, σ); a holder of some (m, σ) from this set uses a SNARK to prove the statement ∃ (m, σ) : Vfy(m, σ) = 1 ∧ P(m) = 1, so the verifier learns that P(m) = 1 holds for a validly signed m without seeing (m, σ).
Security Proof?
Security Proof: unforgeability of Σ from the proof of knowledge of Π
Relation R: statement y, witness (m, σ), with ∃ (m, σ) : Vfy(vk, m, σ) = 1 ∧ P(m) = 1
Σ: KeyGen(λ) → (sk, vk); Sign(sk, m) → σ; Vfy(vk, m, σ) → 0 / 1
Π: Gen(λ) → crs; Prove(crs, y, (m, σ)) → π; Ver(vk, y, π) → 0 / 1
Security Proof: two types of cheating SNARK prover, classified by what the extracted (m*, σ*) satisfies
Type I: P(m*) = 0 or Vfy(m*, σ*) = 0 → the proof π breaks the proof of knowledge of Π
Type II: P(m*) = 1 and Vfy(m*, σ*) = 1 → (m*, σ*) is a forgery on Σ!
Security Proof: the Σ-forger runs the SNARK cheating prover and answers its signing queries through the Σ signing oracle
● the Σ challenger gives the forger vk; the forger samples crs ←$ Gen(λ) and runs the prover on crs, aux
● the prover queries a message m; the forger forwards m to the signing oracle, receives σ, and returns (m, σ) to the prover
● the prover outputs a proof for a statement with P(m*) = 1; the SNARK extractor yields (m*, σ*)
● (m*, σ*) with P(m*) = 1 and a valid signature is a forgery on Σ!
Extraction with Oracles?
Standard proof of knowledge: the adversary and the extractor both get crs, aux; the extractor outputs (m*, σ*) with P(m*) = 1.
Extraction? Here the SNARK adversary additionally has a signing oracle: can an extractor still output (m*, σ*)?
Non-Black-Box Extraction: the extractor runs the adversary's code on crs, aux, so it must also answer the adversary's signing queries m, which requires sk. The Σ-forger, who needs the extractor, does not have sk.
Our Contributions
PROTOCOLS: tool to prove knowledge -> SNARK; main problem -> security proofs with ORACLEs
SOLUTION: new security notion -> O-SNARK; proof of knowledge -> extraction with ORACLEs
STUDY: impossibility -> extraction is NOT feasible for all ORACLEs (counterexample signature scheme Σ_p)
Good news: O-SNARKs exist! -> constructions -> applications
O-SNARK Definition: the adversary has oracle access; adversary and extractor both get crs, aux, and the extractor additionally gets the transcript qt of the adversary's oracle queries and answers.
Impossibility Theorem
Setting: a SNARK Π for NP with relation R = {((h, x), w) : h(w) = x}, and a signature scheme Σ
Σ: KeyGen(λ) → (sk, vk); Sign(sk, m) → σ = Σ(m); Vfy(vk, m, σ) → 0 / 1
Π: Gen(λ) → crs; Prove(crs, (h, x), w) → π; Ver(vk, (h, x), π) → 0 / 1
Σ_p counterexample signature scheme: signing m → σ*
I. regular signing: σ ← Σ(m)
II. sample a hash h and a preimage w ← {0,1}*, and set x = h(w)
III. interpret m as a program P(·, ·)
IV. run P on (x, w) to obtain π, a proof of knowledge of the preimage w; keep π only if |π| < p(λ)
Output σ* = (σ, h, x, π)
Non-Existence of Extractors for O_{Σ_p}
O-SNARK adversary against Π: queries the signing oracle on the message m = Prove(crs, ·, ·), receives the answer σ* = (σ, h, x, π) with π = Prove(crs, (h, x), w), and outputs ((h, x), π).
Any extractor for this adversary must output w, a preimage of x under h, although w was sampled inside the oracle and never reached the adversary.
Target Collision Resistance adversary: runs the O-SNARK adversary, answering its query m with an answer built around its own target x, and applies the extractor to ((h, x), π) to obtain w: a target collision on h.
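To make the structure of the impossibility argument concrete, here is an added toy re-creation of the Σ_p signing oracle and of the O-SNARK adversary from the slides above. It is not code from the paper. Its "argument system" Π is a stand-in (an HMAC under a secret crs, i.e. a designated-verifier toy, not a SNARK), h is a fixed hash rather than one sampled per signature, the message-as-program interpreter recognises only one program shape, and the length bound p(λ) is an assumed constant; what it reproduces faithfully is the mechanism: the oracle samples w, runs the prover on (x, w), and hands back a short π, so the adversary ends up with an accepting proof while w appears nowhere in anything an extractor could be given.

```python
import hashlib
import hmac
import os

PROOF_LEN = 16   # length of pi from the stand-in argument (bytes)
P_LAMBDA = 32    # assumed bound p(lambda): pi is attached only if |pi| < P_LAMBDA


def h(w: bytes) -> bytes:
    """The hash h of the relation R = {((h, x), w) : h(w) = x}.
    Simplification: a fixed function instead of one sampled per signature."""
    return hashlib.sha256(w).digest()


def gen(seed: bytes) -> bytes:
    """crs <- Gen(lambda). In this toy the crs is a secret MAC key, so Pi is a
    designated-verifier argument, not a SNARK; only its interface matters here."""
    return hashlib.sha256(b"crs|" + seed).digest()


def prove(crs: bytes, x: bytes, w: bytes):
    """Prove(crs, (h, x), w): a short pi if h(w) = x, otherwise None."""
    if h(w) != x:
        return None
    return hmac.new(crs, b"R|" + x, hashlib.sha256).digest()[:PROOF_LEN]


def ver(crs: bytes, x: bytes, pi: bytes) -> bool:
    """Ver(crs, (h, x), pi)."""
    expected = hmac.new(crs, b"R|" + x, hashlib.sha256).digest()[:PROOF_LEN]
    return len(pi) == PROOF_LEN and hmac.compare_digest(expected, pi)


def interpret(m: bytes):
    """Step III of Sigma_p: read the message as a program P(., .).
    Toy interpreter (assumed): b"PROVE|" + crs is the program Prove(crs, ., .);
    every other message is a program that outputs nothing."""
    if m.startswith(b"PROVE|"):
        crs = m[len(b"PROVE|"):]
        return lambda x, w: prove(crs, x, w)
    return lambda x, w: None


class SigmaP:
    """The counterexample scheme Sigma_p; the base scheme Sigma is a toy HMAC."""

    def __init__(self, sk: bytes):
        self.sk = sk
        self.witnesses = []   # kept only so the demo can check that w never leaks

    def sign(self, m: bytes):
        sigma = hmac.new(self.sk, m, hashlib.sha256).digest()   # I: sigma <- Sigma(m)
        w = os.urandom(32)                                       # II: w <- {0,1}*
        x = h(w)                                                 #     x = h(w)
        self.witnesses.append(w)
        P = interpret(m)                                         # III: m as a program
        pi = P(x, w)                                             # IV: run P on (x, w)
        if pi is None or not len(pi) < P_LAMBDA:
            pi = b""                                             # no short proof: attach nothing
        return (sigma, x, pi)                                    # sigma* = (sigma, h, x, pi), h fixed

    def vfy(self, m: bytes, sig) -> bool:
        """Vfy(vk, m, sigma*): checks only the base-scheme component."""
        return hmac.compare_digest(hmac.new(self.sk, m, hashlib.sha256).digest(), sig[0])


def o_snark_adversary(crs: bytes, sign_oracle):
    """The adversary from the impossibility proof: it has the oracle sign the
    program Prove(crs, ., .) and forwards the proof that comes back.
    Returns its output ((h, x), pi) and the oracle transcript qt."""
    m = b"PROVE|" + crs
    sigma_star = sign_oracle(m)
    _sigma, x, pi = sigma_star
    return (x, pi), [(m, sigma_star)]


def run_experiment() -> dict:
    crs = gen(os.urandom(32))
    scheme = SigmaP(os.urandom(32))
    (x, pi), qt = o_snark_adversary(crs, scheme.sign)
    w = scheme.witnesses[-1]
    # Everything an O-SNARK extractor could be given: crs, the adversary's code
    # (it is deterministic, so there are no coins) and the transcript qt.
    extractor_view = crs + b"".join(m + s + xx + p for m, (s, xx, p) in qt)
    return {
        "accepted": ver(crs, x, pi),                  # Ver accepts the forwarded proof
        "w_in_view": w in extractor_view,             # but w never reached the adversary
        "base_sig_valid": scheme.vfy(b"PROVE|" + crs, qt[0][1]),
        "plain_msg_gets_proof": scheme.sign(b"hello")[2] != b"",
    }


if __name__ == "__main__":
    print(run_experiment())
```

Running it shows the accepting proof and the absence of w from the extractor's view; an extractor that nonetheless returned w would be inverting h on a fresh x, which is exactly the reduction to target collision resistance sketched on the slides.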
Existence of O-SNARK
● O-SNARKs do not exist for all Oracles
● Overcome the impossibility?
● “Break” the adaptive power of the adversary
Existence of O-SNARK
Random Oracle Model
● Micali’s CS proofs are O-SNARKs in ROM
● Hash & Sign Oracles allow O-SNARKs
Standard Model
● Signing oracles with polynomial message space
● Non-Adaptive O-SNARKs: queries declared in advance
Applications of O-SNARK
● Succinct Functional Signatures [BGI14]
● Homomorphic Signatures [BF11]
● SNARKs on Authenticated Data [BBFR15]
Open Questions
● Artificial counterexamples: find “more natural” ones?
● For what classes of signature oracles do O-SNARKs exist?
● Find other “benign” Oracles that allow O-SNARKs?
Summary
Starting Point
● Protocols with SNARKs
● Security proofs: settings where there is NO extraction → O-SNARK
● New security notion: O-SNARK
Study of O-SNARKs
● Impossibility result for Σ_p
● Some “restrictive” instantiations from SNARKs
● Applications where O-SNARK is useful
Thank you