<p>Zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is a kind of proof system that enables a prover to convince a verifier that an NP statement is true efficiently. In the last decade, various studies made a lot of progress in constructing more efficient and secure zk-SNARKs. This work advances the construction of designated-verifier zk-SNARKs, a class of proof systems where only the indicated verifier, possessing a secret verification state, can be convinced by the proof. While a common approach to building such systems, encrypting the publicly-verifiable proof with a public key and treating the secret key as the verification state, was proposed in prior work (Bitansky <i>et al</i>., TCC 2013), it has limitations such as a reliance on complex trusted setups and costly common reference strings. Furthermore, the designated-verifier property of such designs collapses if the secret verification state is exposed. To address these issues, we first introduce a strengthened security model for designated-verifier zk-SNARKs that accounts for potential leakage of the secret verification state. We then propose a novel construction for "strong" designated-verifier zk-SNARKs. Our technique, drawing inspiration from two-party ring signatures, does not require encryption and universally applicable to any public-verifiable zk-SNARK, transforming it into a designated-verifiable variant. Neverless, optional and independent encryption can still be applied to ensure proof secrecy. We formalize our scheme under the circuit satisfiability problem, provide an implementation in constraint-based circuit description language Circom, and present experimental results that validate its practical efficacy across different kinds of underlying zk-SNARK systems.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Designated-verifier zk-SNARKs made easy

  • Chen Li,
  • Fangguo Zhang

摘要

Zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) is a kind of proof system that enables a prover to convince a verifier that an NP statement is true efficiently. In the last decade, various studies made a lot of progress in constructing more efficient and secure zk-SNARKs. This work advances the construction of designated-verifier zk-SNARKs, a class of proof systems where only the indicated verifier, possessing a secret verification state, can be convinced by the proof. While a common approach to building such systems, encrypting the publicly-verifiable proof with a public key and treating the secret key as the verification state, was proposed in prior work (Bitansky et al., TCC 2013), it has limitations such as a reliance on complex trusted setups and costly common reference strings. Furthermore, the designated-verifier property of such designs collapses if the secret verification state is exposed. To address these issues, we first introduce a strengthened security model for designated-verifier zk-SNARKs that accounts for potential leakage of the secret verification state. We then propose a novel construction for "strong" designated-verifier zk-SNARKs. Our technique, drawing inspiration from two-party ring signatures, does not require encryption and universally applicable to any public-verifiable zk-SNARK, transforming it into a designated-verifiable variant. Neverless, optional and independent encryption can still be applied to ensure proof secrecy. We formalize our scheme under the circuit satisfiability problem, provide an implementation in constraint-based circuit description language Circom, and present experimental results that validate its practical efficacy across different kinds of underlying zk-SNARK systems.