Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs
2015 IEEE Symposium on Security and Privacy
Non-interactive zero-knowledge proofs (NIZKs) are a powerful cryptographic tool, with numerous potential applications. However, succinct NIZKs (e.g., zk-SNARK schemes) necessitate a trusted party to generate and publish some public parameters, to be used by all provers and verifiers. This party is trusted to correctly run a probabilistic algorithm (specified by the the proof system) that outputs the public parameters, and publish them, without leaking any other information (such as the internal
... randomness used by the algorithm); violating either requirement may allow malicious parties to produce convincing "proofs" of false statements. This trust requirement poses a serious impediment to deploying NIZKs in many applications, because a party that is trusted by all users of the envisioned system may simply not exist. In this work, we show how public parameters for a class of NIZKs can be generated by a multi-party protocol, such that if at least one of the parties is honest, then the result is secure (in both aforementioned senses) and can be subsequently used for generating and verifying numerous proofs without any further trust. We design and implement such a protocol, tailored to efficiently support the state-of-the-art NIZK constructions with short and easy-to-verify proofs (Parno et al. IEEE S&P '13; Danezis et al. ASIACRYPT '14). Applications of our system include generating public parameters for systems such as Zerocash and the scalable zero-knowledge proof system of (Ben-Sasson et al. CRYPTO '14). 1 Sometimes a property stronger than soundness is required: proof of knowledge ,  , which guarantees that, whenever the verifier is convinced, not only can he deduce that a witness exists, but also that the prover knows one such witness. IEEE Symposium on Security and Privacy © 2015, Eli Ben-Sasson. Under license to IEEE.