A Multi-party Protocol for Constructing the Public Parameters of the Pinocchio zk-SNARK
1 Zcash, Boulder, USA ({info,ariel}@z.cash, [email protected]); 2 Johns Hopkins University, Baltimore, USA
Abstract. Recent efficient constructions of zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs) require a setup phase in which a common-reference string (CRS) with a certain structure is generated. This CRS is sometimes referred to as the public parameters of the system, and is used for constructing and verifying proofs. A drawback of these constructions is that whoever runs the setup phase subsequently possesses trapdoor information enabling them to produce fraudulent pseudoproofs. Building on a work of Ben-Sasson, Chiesa, Green, Tromer and Virza [BCG+15], we construct a multi-party protocol for generating the CRS of the Pinocchio zk-SNARK [PHGR16], such that as long as at least one participating party is not malicious, no party can later construct fraudulent proofs except with negligible probability. The protocol also provides a strong zero-knowledge guarantee even in the case that all participants are malicious. This method has been used in practice to generate the required CRS for the Zcash cryptocurrency blockchain.
1 Introduction
The recently deployed Zcash cryptocurrency supports shielded (private) transactions in which sender, receiver and amount are not revealed; and yet, an outside observer can still distinguish between a valid and a non-valid transaction. The "cryptographic engine" that enables these shielded transactions is a zero-knowledge Succinct Non-interactive Argument of Knowledge (zk-SNARK); currently, Zcash uses the Pinocchio zk-SNARK [PHGR16], or more precisely, the variant of it described in [BCTV14] as implemented in libsnark [lib]. A potential weakness of Zcash is that if anybody obtained the trapdoor information corresponding to the Common Reference String (CRS) used for constructing and verifying the SNARKs, they could forge unlimited amounts of the currency, potentially without anyone detecting that they are doing so. Motivated by this, Zcash generated the required CRS in an elaborate "ceremony" [Wil] to reduce the chance of this happening. The purpose of this technical report is to give a detailed description of the multi-party protocol that was used in the ceremony.

Our Results: Ben-Sasson, Chiesa, Green, Tromer and Virza [BCG+15] presented a generic method for computing CRSs of zk-SNARKs in a multi-party protocol, with the property that only if all players collude together can they reconstruct the trapdoor or, more generally, deduce any other useful information beyond the resultant CRS. Based on [BCG+15], we devise an arguably simpler method for generating the CRS of the Pinocchio zk-SNARK [PHGR16] with a similar security guarantee: namely, given that the CRS generated by the protocol is later used to verify proofs, a party

(c) International Financial Cryptography Association 2019. A. Zohar et al. (Eds.): FC 2018 Workshops, LNCS 10958, pp. 64–77, 2019. https://doi.org/10.1007/978-3-662-58820-8_5