PROFET


SoK Paper at 3rd ZKProof (Online) Workshop

March 25, 2020 | 1 Minute Read

Our SoK (Systematization of Knowledge) paper on lifting transformations for simulation extractable subversion and updatable SNARKs (based upon this recent paper) will be presented at the 3rd ZKProof Workshop, which due to COVID-19 will be held as a sequence of online workshops.


Behzad Abdolmaleki, Sebastian Ramacher, Daniel Slamanig: SoK: Lifting Transformations for Simulation Extractable Subversion and Updatable SNARKs. 3rd ZKProof Online Workshop, April - May 2020, Globally.

Abstract: Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion of zk-SNARKs which informally ensures non-malleability of proofs, which is considered highly important in practical applications. Another problematic issue for the practical use of zk-SNARKs is the requirement of a fully trusted setup, as especially for large-scale decentralized applications finding a trusted party that runs the setup is practically impossible. Quite recently, the study of approaches to relax or even remove the trust in the setup procedure, and in particular subversion as well as updatable zk-SNARKs (with latter being the most promising approach), has been initiated and received considerable attention since then. Unfortunately, so far SE-SNARKs with aforementioned properties are only constructed in an ad-hoc manner and no generic techniques are available. In this SoK paper we present the state-of-the-art in generic techniques to obtain SE subversion and updatable SNARKs. In particular, we present a revisited version of the lifting technique due to Kosba et al. (called C0C0). This revisited version called OC0C0~explores the design space of many recently proposed SNARK- and STARK-friendly symmetric-key primitives. While C0C0 and OC0C0 are compatible with subversion SNARKs, they are not compatible with updatable SNARKs. Then, we present another lifting transformation called Lamassu, which is build upon key-homomorphic signatures as well as so called updatable signatures. Lamassu preserves the subversion and in particular updatable properties of the underlying zk-SNARK. Finally, we present an comprehensive comparison of these lifting transformations with ad-hoc techniques as well as a discussion of many aspects regarding the instantiation of the techniques.