Real-world Universal zkSNARKs are non-malleable

Publication information

Authors

  • Antonio Faonio
  • Dario Fiore
  • Luigi Russo

Notes

Simulation extractability is a strong security notion for zkSNARKs: it guarantees that any attacker who produces a valid proof must know the corresponding witness, even if the attacker has previously seen proofs generated by other users. Notably, simulation extractability implies that proofs are non-malleable, which is of fundamental importance for applications of zkSNARKs in distributed systems. In this work, we study sufficient and necessary conditions for constructing simulation-extractable universal zkSNARKs via the popular design approach of compiling polynomial interactive oracle proofs (PIOPs). Our main result is the first security proof that popular universal zkSNARKs, such as PLONK and Marlin, as deployed in the real world, are simulation-extractable. This fills a gap left by previous work (Faonio et al. TCC’23 and Kohlweiss et al. TCC’23), which could only prove simulation extractability for the “textbook” versions of these schemes and does not capture their optimized variants, with all the popular optimization tricks in place, that are actually implemented and deployed in software libraries.
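To make concrete what the abstract means by proofs being (non-)malleable, here is an added toy illustration; it is not code from the paper, and it has nothing to do with the PIOP-compiled schemes (PLONK, Marlin) the paper analyses. It uses a Schnorr proof of knowledge of a discrete logarithm made non-interactive with Fiat-Shamir. In the "weak" variant the challenge hashes only the prover's commitment, so an attacker who holds a valid proof for a statement h can re-target it to the related statement h·G^d without knowing either witness. The "strong" variant binds the statement into the hash and rejects that particular mauling. Everything here is an assumption of the example: the group Z_P^* for the Curve25519 field prime P = 2^255 − 19 with generator 2 (exponents reduced modulo P − 1, not a prime-order group as a real system would use), the function names `prove`/`verify`/`maul`/`run`, and the constructed inputs. Resisting this one attack is not a proof of simulation extractability; establishing that property for deployed schemes is exactly the hard part the paper addresses.

```python
"""Toy illustration of proof malleability: Schnorr proof of knowledge of a
discrete log, made non-interactive with Fiat-Shamir (FS).

Constructed example, not the paper's construction.  Assumed toy group:
Z_P^* for P = 2^255 - 19 with generator 2; exponents are reduced modulo
P - 1, which every element's order divides (Fermat).  A real system would
use a prime-order group; this keeps the code short."""

import hashlib
import secrets
from typing import Optional, Tuple

P = 2**255 - 19          # prime modulus (the Curve25519 field prime)
N = P - 1                # order of Z_P^*; exponent arithmetic is mod N
G = 2                    # base for statements of the form h = G^w mod P


def challenge(a: int, h: int, strong: bool) -> int:
    """Fiat-Shamir challenge.  'strong' binds the statement h into the hash;
    'weak' hashes only the commitment a, so the challenge does not depend
    on which statement the proof is presented for."""
    parts = [a, h] if strong else [a]
    data = b"|".join(x.to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def prove(w: int, strong: bool, r: Optional[int] = None) -> Tuple[int, Tuple[int, int]]:
    """Honest prover who knows w.  Returns the statement h and proof (a, z)."""
    h = pow(G, w, P)
    if r is None:
        r = secrets.randbelow(N)
    a = pow(G, r, P)
    c = challenge(a, h, strong)
    z = (r + c * w) % N
    return h, (a, z)


def verify(h: int, proof: Tuple[int, int], strong: bool) -> bool:
    """Verifier: recompute the challenge and check G^z == a * h^c."""
    a, z = proof
    c = challenge(a, h, strong)
    return pow(G, z, P) == (a * pow(h, c, P)) % P


def maul(h: int, proof: Tuple[int, int], d: int, strong: bool) -> Tuple[int, Tuple[int, int]]:
    """Attacker with NO witness for h or for h*G^d: shift the statement by G^d
    and fix up z with the challenge c of the ORIGINAL proof.
    Algebra: G^(z + c*d) = a * h^c * G^(c*d) = a * (h*G^d)^c, so the mauled
    proof verifies whenever the verifier recomputes that same c.  Under
    strong FS the verifier hashes the new statement, gets a different c,
    and the check fails."""
    a, z = proof
    c = challenge(a, h, strong)
    h2 = (h * pow(G, d, P)) % P
    z2 = (z + c * d) % N
    return h2, (a, z2)


def run(strong: bool, w: int, d: int, r: int) -> dict:
    """Honest proving followed by a mauling attempt; reports what verifies."""
    h, proof = prove(w, strong, r)
    h2, mauled = maul(h, proof, d, strong)
    return {
        "honest_verifies": verify(h, proof, strong),
        "mauled_verifies": verify(h2, mauled, strong),
        "mauled_statement_differs": h2 != h,
    }


if __name__ == "__main__":
    # Constructed random inputs; d != 0 so the mauled statement is a new one.
    w, d, r = secrets.randbelow(N), secrets.randbelow(N - 1) + 1, secrets.randbelow(N)
    print("weak FS  :", run(False, w, d, r))   # mauled proof is accepted
    print("strong FS:", run(True, w, d, r))    # mauled proof is rejected
```

The point of the weak case is that the attacker never learns w or w + d, yet presents an accepted proof for a statement nobody proved; an extractor cannot pull a witness out of such an attacker, which is what simulation extractability forbids. The strong case only shows that this specific re-targeting fails; it is not evidence that the scheme is simulation-extractable in general.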
