mining for privacy: how to bootstrap a snarky blockchain · 2021. 1. 29. · in their updates, and...

Mining for PrivacyHow to Bootstrap a Snarky Blockchain

Thomas Kerber Aggelos Kiayias and Markulf Kohlweiss

The University of Edinburgh and IOHKpaperstkerberorg akiayiasedacuk mkohlweiedacuk

Abstract Non-interactive zero-knowledge proofs and more specificallysuccinct non-interactive zero-knowledge arguments (zk-SNARKs) havebeen proven to be the ldquoSwiss army kniferdquo of the blockchain and dis-tributed ledger space with a variety of applications in privacy interop-erability and scalability Many commonly used SNARK systems rely ona structured reference string the secure generation of which turns outto be their Achilles heel If the randomness used for the generation isknown the soundness of the proof system can be broken with devastat-ing consequences for the underlying blockchain system that utilises themIn this work we describe and analyse for the first time a blockchainmechanism that produces a secure SRS with the characteristic that se-curity is shown under comparable conditions to the blockchain protocolitself Our mechanism makes use of the recent discovery of updateablestructured reference strings to perform this secure generation in a fullydistributed manner In this way the SRS emanates from the normal op-eration of the blockchain protocol itself without the need of additionalsecurity assumptions or off-chain computation andor verification Weprovide concrete guidelines for the parameterisation of this setup whichallows for the completion of a secure setup in a reasonable period of timeWe also provide an incentive scheme that when paired with the updatemechanism properly incentivises participants into contributing to securereference string generation

1 Introduction

In the domain of distributed ledgers non-interactive zero-knowledge proofs havemany interesting applications In particular they have been successfully usedto introduce privacy into these inherently public peer-to-peer systems Mostnotably Zerocash [4] demonstrates their usefulness in the creation of privatecurrencies Beyond this there are numerous suggestions [28 24 33] to apply thesame technology to smart contracts for increased privacy Beyond privacy otherapplications of zero knowledge include blockchain interoperability eg [20] andscalability eg [11]

For the practical efficiency of these designs two things are paramount Thesuccinctness of proofs and the speed of verifying these proofs The distributednature of the ledgers mandates that a large number of users store and verify eachproof made rendering many zero-knowledge proof systems not fit for purpose

Research into so-called zk-SNARKs [30 21 23 22 29] aims at optimisingexactly these features with proof sizes typically under a kilobyte and verifi-cation times in the milliseconds It is a well-known fact that non-interactivezero-knowledge requires some shared randomness or a common reference stringFor many succinct systems [30 21 23 22 29] a stronger property is necessaryNot only is a shared random value needed but it must adhere to a specificstructure Such structured reference strings (or SRS) typically consist of relatedgroup elements gxi for all i isin Zn for instance

The obvious way of sampling such a reference string from public randomnessreveals the exponents used ndash and knowledge of these values breaks the sound-ness of the proof system itself To make matters worse the security of thesesystems typically relies (among others) on knowledge of exponent assumptionswhich state that to create group elements related in such a way requires knowingthe underlying exponents and hence any SRS sampler will have to ldquoknowrdquo theexponents used and be trusted to erase them becoming effectively a single pointof failure for the underlying system While secure multi-party computation canbe and has been used to reduce the trust placed on such a setup process [35]the selection of the participants for the secure computation and the verificationof the generation of the SRS by the MPC protocol retain an element of central-isation Using an MPC setup remains a controversial element in the setup of adecentralised system that requires SNARKs

Recent work has found succinct zero-knowledge proof systems with updateablereference strings [22 29] In these systems given a reference string it is possibleto produce an updated reference string such that knowing the trapdoor of thenew string requires both knowing the trapdoor of the old string and knowingthe randomness used in the update [22] conjectured that a blockchain protocolmay be used to securely generate such a reference string Nevertheless the exactblockchain mechanism that produces the SRS and the description of the securityguarantees it can offer has so far remained elusive

11 Our Contributions

In this work we describe and analyse for the first time a blockchain mechanismthat produces a secure SRS with the characteristic that security is shown forsimilar conditions under which the blockchain protocol is proven to be secureNotably different we make implicit use of secure erasure and require honestmajority only during a specific initialisation period The SRS then emanatesfrom the normal operation of the blockchain protocol itself without the need ofadditional security assumptions or off-chain computation andor verification

We rely primarily on the chain quality property of ldquoNakamoto-stylerdquo ledgers[17] ndash distributed ledgers in which a randomised process selects which user mayappend a block to an already established chain Such ledgers rely on an honestmajority of hashing power (or some other resource) ndash and can be shown toguarantee a chain quality property which suggests that any sufficiently longchain segment will have some blocks created by an honest user cf [17 31 18]

2

Our construction described in Section 3 integrates reference string updatesinto the block creation process but we face additional difficulties due to up-date calculation being a computationally heavy operation (albeit contrary tobrute-force hashing useful) The issues arising from this are two fold Firstlyan adversarial party can take shortcuts by supplying a low amount of entropyin their updates and try to utilise this additional mining power to subvert thereference string which potentially has a large benefit for the adversary Secondlyeven non-colluding rational block creators may be incentivised to use bad ran-domness which would reduce or remove any security benefits of the updates Ourwork addresses both of these issues

We prove formally that our mechanism produces a secure reference string inAppendix F by providing an analysis in the universal composition framework[12] Furthermore in Section 4 we demonstrate via experimental analysis howto concretely parameterise a proof-of-work ledger to ensure that an adversarywhich takes shortcuts (while honest users do not) will still fail in subverting thereference string The concrete results provided in our experimental section canbe used to inform the selection of parameters in order to run our reference stringgeneration mechanism in live blockchain systems

We further introduce an incentive scheme in Section 5 which ensures thatrational participants in the protocol who intend to maximise their profits willavoid low-entropy attacks In short the incentive mechanism mandates that arandom fraction of update contributors in the final chain will be asked to revealtheir trapdoor which will be verified to be the output of a random oracle bythe underlying ledger rules Only if a user can demonstrate that their updateis indeed random do they receive a suitably determined reward for their effortCareful choice of the reward assignment enables us to demonstrate that rationalparticipants will utilise high entropy exponents thus contributing to the SRScomputation

12 Related Work

Beyond the obvious relation to the works introducing updateable reference stringsin [22 29] (most notably Sonic [29] which we follow closely in our instantiationin Appendix A) there have been attempts of practically answering the questionof how to securely generate reference strings These have been in a setting wherethe string is not updateable

Notably [7] describes the mechanism used by Sprout the first version ofZcash during the initial setup of the cryptocurrencyrsquos SRS It uses multi-partycomputation to generate a reference string with a root of trust on the ini-tial group of people participating Due to performance constraints on the MPCprotocol the set of parties participating is relatively small although only thehonesty of a single participating party is required

For the Sapling version of Zcash a different approach was used when their ref-erence string was replaced (due to an upgrade of the zero-knowledge statementand proof system used) Their second CRS generation mechanism describedin [8] uses a multiple-phase round-robin mechanism to generate a reference string

3

for Grothrsquos zk-SNARK [21] They utilise a random beacon to ensure the uniformdistribution of the result and a coordinator to perform deterministic auxiliarycomputations

A great deal of work has also gone into the design of non-interactive zero-knowledge which does not require structure in itrsquos references such as DARK [10]STARKs [3] and Bulletproofs [9] While these pose a promising alternative whichdoes not require the techniques used in this work leveraging updatability ofreference strings may permit greater efficiency without additional security as-sumptions and may be useful in instantiating generic constructions such as thepolynomial commitments-based Halo Infinite [5]

2 Updateable Structured Reference Strings

While updateable structured reference strings (uSRSs) are modelled in the workswe are building on [29 Section 32] we model their security in the setting ofuniversal composability (UC) [12] Here a uSRS is a reference string with anunderlying trapdoor τ which has had a structure function S imposed on itS(τ) is the reference string itself while τ is not revealed to the adversary InAppendix A we prove that Sonic [29] (with small modifications for extraction asdescribed in Subsection 22) satisfies all the properties we require in this sectionOur main proof is independent of the Sonic protocol however and applies to anyupdateable reference string scheme satisfying the properties laid out in the restof this section

21 Standard Requirements

A uSRS scheme S consists of a trapdoor domain T an initial trapdoor τ0 aset P of permissible (and invertible) permutations over T (ie bijective func-tions whose domain and codomain is T ) and a structure function S with thedomain T We require P to include the identity function id and to be closedunder function composition forallp1 p2 isin P p1 p2 isin P An efficient permuta-tion lifting dagger should exist such that for any permutation p isin P and τ isin T pdagger(S(τ)) = S(p(τ)) Finally there must exist algorithms ρlarr ProveUpd(S(τ) p)and b larr VerifyUpd(S(τ) ρ S(p(τ))) for creating and verifying update proofsrespectively The format of these update proofs is not specified however thefollowing constraints must be met

1 Correctness Applying an honestly generated update proof will verify forallp isinP τ isin T VerifyUpd(S(τ)ProveUpd(S(τ) p) S(p(τ)))

2 Structure preservation Applying any valid update is equivalent to ap-plying some permutation p isin P on the trapdoor forallρ τ srsprime VerifyUpd(S(τ)ρ srsprime) =rArr existp isin P srsprime = S(p(τ))

3 Update uniformity Applying a random permutation is equivalent to se-lecting a new random trapdoor Let D be the uniform distribution over T and for all τ isin T let Dτ be the uniform distribution over the multiset p(τ) | p isin P Then forallτ isin T D = Dτ

4

We define a corresponding UC functionality FuSRS which provides a referencestring S(p(τH)) which the adversary can influence by providing the permutationp isin P given only S(τH) as input for a randomly sampled τH isin T

Functionality FuSRS

The updateable structured reference string functionality FuSRS allows the adver-sary to update a reference string by applying a permutation from a set of permis-sible permutations P

The functionality is parameterised by a trapdoor domain T a structure func-tion S and a set of permissible permutations P over T

State variables and initialisation valuesVariable DescriptionτH = perp The honest part of the trapdoorτ = perp The trapdoor

When receiving a message honest-srs from Aif τH = perp then let τH

Rlarrminus Treturn S(τH)

When receiving a message srs from a party φquery A with (permute φ) and receive the reply pif τ = perp then

assert p isin P and τH 6= perplet τ larr p(τH)

return S(τ)

We believe this functionality to be of independent interest and it is notexplicitly tied to our implementation Notably while we use a distributed ledgeras a weak form of a broadcast channel other broadcasts can be consideredwithout modification to this functionality While as presented the functionalitydoes not dictate any specific usage we conjecture that when parameterised withan appropriate structure function and permutation set it can be used to securelyinstantiate updateable SRS-based SNARKs such as Sonic [29] Marlin [13] orPlonk [16] Due to the UC setting this would require additional lifting to enableUC knowledge extraction such as that of CemptyCempty [27]

22 Simulation Requirements

In addition to the basic properties of correctness structure preservation andupdate uniformity any simulator wishing to help realise FuSRS via updates willneed to have access to two additional properties

1 Update proof simulation From an initial SRS S(τ) for which the simula-tor knows the trapdoor it can produce a valid update to any (correctly struc-tured) SRS Formally existSρforallτ1 τ2 isin T VerifyUpd(S(τ1)Sρ(τ1 S(τ2)) S(τ2))where Sρ is a PPT algorithm

5

2 Permutation extraction The simulator must be capable of extracting thepermutation p underlying any valid adversarial update proof

The most natural method to achieve permutation extraction would be usingwhite-box extractors as the updates themselves typically rely on some formof knowledge assumption such as knowledge-of-exponent However white-boxextractors cannot be used in UC proofs Instead we will assume that the updateproof is proven to correspond to a specific trapdoor through a lower-level NIZKCrucially this lower-level NIZK should not require a structured reference stringand rely only on a common random string or a random oracle Fortunately itis not subject to stringent efficiency requirements as Section 4 demonstrates

Specifically we assume that the basic update proof ρ is a statement in aNIZK relation R where the witness is an encoding of the corresponding permu-tation p We require each update proof to have one and only one correspondingpermutation formally expressed by requiring R to be a bijection This resultsin a straightforward modification to the ProveUpd and VerifyUpd algorithmsthat permits the extraction of the underlying permutations even in the UC set-ting ProveUpd also creates a NIZK proof π of (ρ p) and returns (ρ π) WhileVerifyUpd returns true only if this newly embedded NIZK proof also verifies

The addition of this NIZK trivially preserves all security properties includingcorrectness due to the definition of R

Definition 1 A uSRS scheme is permutation extractable if the relation

R = (ProveUpd(S(τ) p) p) | τ isin T p isin P

is a bijection and in NP

We show in Appendix A that the relation required for the case of Sonic [29]can be efficiently constructed and leave the question of how to achieve extractionwithout the reliance on a further NIZK to future work

3 Building uSRS from Chain Quality

This section shows how to securely initialise a uSRS using a distributed ledgerby requiring block creators to perform updates on an evolving uSRS duringan initial setup period After waiting for agreement on the final uSRS it canbe safely used To formally model this approach we discuss the ideal and realworlds used in our simulation proof Both worlds have access to a ledger howeverthe ideal worldrsquos ledger is independent of the reference string (which is insteadprovided by the independent FuSRS functionality) while the real worldrsquos ledgeris programmed to generate it using updates

31 High-Level Overview

This basic premise of this paper relies on Nakamoto-style ledgersrsquo basic meansof operation Different users can extend a chain of blocks if they can satisfy some

6

condition with this condition being associated with a type of hardness whichensures attackers are limited in the number of extensions they can performGiven such a structure we associate a uSRS update with each block prior toa time δ1 This time is selected such that the security properties of the ledgerensure at least one of the blocks is honest in each competitive chain at this point

In our modelling we construct this from a ledger functionality with an addi-tional leadership state which is derived from information miners embed in theirblocks Specifically for our case these encode uSRS updates We leave this suffi-ciently general to allow other uses as well The basic idea is to show that a ledgerwhich performs uSRS updates in its leadership state is equivalent to one whichdoesnrsquot but is accompanied by the FuSRS functionality They make up our realand ideal worlds respectively After time δ1 users wait a further time period δ2until common prefix ensures that all parties agree on the reference string

While ledger functionalities are often treated as global our approach effec-tively constructs one ledger from another ndash the ledger is not a dependency ofour protocol but a component In this context globality is irrelevant as theenvironment already has direct access to the functionality We expect protocolsbuilding on the ledger to use it in a global fashion however The same is nottrue for the uSRS ndash most usages will likely rely on the simulator being able toextract its trapdoor

32 Our Ledger Abstraction

Our construction of the updateable structured reference string functionality re-lies heavily on the properties of common prefix chain quality and chain growthdefined in the ldquoBitcoin backbonerdquo analysis by Garay et al [17] for Nakamoto-style consensus algorithms Despite our use in the section title we make use ofall three properties not just that of chain quality We emphasise chain quality asit is the property central to ensuring an honest update has occurred We brieflyand informally restate the three properties

ndash Common prefix Given the current chains Π1 and Π2 of two parties andremoving k blocks from the first it is a prefix of the second Πdk1 ≺ Π2

ndash Chain quality For any partyrsquos current chain Π any consecutive l blocksin this chain will include micro blocks created by an honest party

ndash Chain growth If a partyrsquos chain is of length c then s time slots later itwill be at least of length c+ γ

These parameters determine the length of the two phases of our protocol In thefirst phase we construct the reference string itself from the liveness parameter(assuming micro ge 1) and in the second phase we wait until this reference stringhas propagated to all users The length of the first phase is at least δ1 ge dlγminus1esand that of the second at least δ2 ge dkγminus1es Combined they make up the totaluSRS generation delay δ ge (dlγminus1e+ dkγminus1e)s

We assume a ledger which guarantees the backbone properties formally de-scribed in Appendix B1 While we do not prove any specific existing proof-of-work ledger (or those based on a different leader-selection mechanism) formally

7

UC-realise this specific formalisation we argue all ledgers with ldquoNakamoto-stylerdquo(as opposed to BFT-style) consensus do so in Appendix B2 Our functionalityfurther depends on a global clock Gclock defined in Appendix E1 For the pur-poses of this paper it is sufficient that this is a beacon providing monotonicallyincreasing values representing the current time to any party requesting them

In addition to this we assume each block created can contain additional in-formation provided by its creator (the ldquominerrdquo) which can be aggregated toconstruct a ldquoleader staterdquo Each created block is associated with an update aand the ledger is parameterised by two procedures Gen and Apply which de-scribe the honest selection of updates and the semantics of updates respectivelyLooking forward these utilise ProveUpd and VerifyUpd internally although theformalism is sufficiently general to allow usage of the leader state for other par-allel purposes The exact parameters differ in our ideal and real world with theideal world ldquohidingrdquo the uSRS updates Additionally the real world adds time-sensitivity It does nothing to the SRS after the setup period Gen is randomisedtakes a leader state σ and the current time t as inputs and produces an updatea Apply takes a leader state σ an update a and an update time t and returnsa successor state σprime σprime = Apply(σ (a t)) For a chain the leader state may becomputed by sequentially applying all updates in the chain starting from aninitial state empty

The adversary controls when and which party creates a new block as well asthe transactions each new block contains (provided it does not violate the back-bone properties) For transactions created by a corrupted party the adversarycan further control the blockrsquos timestamp (within the reasonable limits of notbeing in the future and being after the previous block) and the desired updatea itself For honest parties updates Gen is used insteadThe UC interfaces our ledger provides are

ndash submit Submitting new transactions for the ledgerndash read Reading the confirmed sequence of transactionsndash projection Reading the current chainrsquos sequence of (potentially uncon-

firmed) transactionsndash leader-state Reading the confirmed leader statendash advance The adversary switches a party to a longer chainndash extend The adversary instructs a party to create a block

While this ledger abstraction is not the focus of this paper we believe it to be ofindependent interest in cases where finer control over minerrsquos actions or betteraccess to the competing chains is desired

33 The Ideal World

Our ideal world consists of two functionalities composed in parallel (by whichwe mean the environment may address either and they do not interact) Thefirst is a variant of FuSRS with the modification that it cannot be addressedby honest parties before δ time slots have passed Formally this modification ismade with a wrapper functionality Wdelay(F δ) described in Appendix E4

8

The second is the Nakamoto-style ledger functionality parameterised witharbitrary leader-state generation and application procedures which are also par-tially used in the hybrid world Gen = GenIdeal and Apply = ApplyIdeal and thefollowing ledger parameters

1 A common prefix parameter k2 Chain quality parameters micro and l3 Chain growth parameters γ and s

Formally then our ideal world consists of the pair (Wdelay(δFuSRS)F idealnakLedger)

as well as the global functionality Gclock

34 The Hybrid World

In our hybrid world we use a uSRS scheme S with algorithms ProveUpdVerifyUpd the structure function S permissible permutations P permutationlifting dagger initial trapdoor τ0 The hybrid world consists of a separate Nakamoto-style ledger F real

nakLedger a NIZK functionality FRNIZK and the global clock GclockThe ledger is then parameterised by the same chain parameters as those in theideal world and the following leader-state procedures

procedure Apply((srs σideal) ((srsprime ρ π aideal) t))if srs = empty then let srslarr S(τ0)if t le δ1 and VerifyUpd(srs ρ srsprime) then

send (verify ρ π) to FRNIZK and receive the reply bif b then

let srslarr srsprimereturn (srsApplyIdeal(σideal aideal t))

procedure Gen((srs σideal) t)if t gt δ1 then

return (ε ε εGenIdeal(σideal t))else

let p Rlarrminus P ρlarr ProveUpd(srs p)send (prove ρ p) to FRNIZK and receive the reply πreturn (pdagger(srs) ρ πGenIdeal(σideal t))

Note that these parameterising algorithms use FRNIZK and are therefore the rea-son the ledger depends on this hybrid functionality

Key here is that once a block is received after the initial chain quality periodany reference string update it may declare is no longer carried out ndash at this pointthe uSRS is not necessarily stable as the chain may still be reorganised butshould not change for this particular chain Further these procedures alwaysmimic the ideal-world behaviour extending it rather than replacing it Thisdemonstrates the composability of allowing block leaders to produce updatesOne system using updates for security does not impact other parallel uses of theleadership state

There is little additional work to be done to UC-emulate the ideal-worldbehaviour besides ensuring that queries are routed appropriately especially howthe reference string is queried in the hybrid world We describe this with a

9

small ldquoadaptorrdquo protocol in Appendix C ledger-adaptor This forwards mostqueries and treats uSRS queries as querying the appropriate part of the leaderstate after time δ and by ignoring them before Formally our real world consistsof the global clock Gclock and the system ledger-adaptor(δF real

nakLedger(FRNIZK))

35 Alternative Usage of Gclock

In both worlds Gclock is used to determine the cutoff point after which thereference string is deemed secure A simple alternative to this usage of the clockis to instead rely on the length of the chain for this purpose We did not makethis choice as it complicates the ideal world The delay wrapper would have tocommunicate with the ideal world ledger and query it for the length of partiesrsquochains We do not regard a clock as a significant additional assumption howeverlittle of the remainder of this paper differs if chain lengths are used instead Evenin this case a clock is present to guarantee liveness although it is used only toconstrain the adversary

36 UC Emulation

Our security is derived through UC-emulation stated in the following theorem

Theorem 1 For any updateable reference string scheme S satisfying cor-rectness structure preservation update uniformity update simulation with Sρand permutation extraction ledger-adaptor (in the (F real

nakLedgerFRNIZK)-hybridworld parameterised as in Subsection 34) UC-emulates the pair of functionali-ties (F ideal

nakLedgerWdelay(δFuSRS)) parameterised as in Subsection 33 in the pres-ence of the global clock functionality Gclock with the simulator Sledger-adaptor

A full security proof of Theorem 1 may be found in Appendix F and the simu-lator Sledger-adaptor may be found in Appendix D

4 Implementation and Parameter Selection

We have implemented [25] Sonicrsquos update mechanism (described in Appendix A)and using this provide performance estimates for SRS generation in a live block-chain network Further we simulate the optimal adversarial attack strategyand demonstrate how this may be used to select optimal parameters for thesecure generation of reference strings We demonstrate that for currently typicalapplications these parameters are practical for real-world usage

While we have not modified a full blockchain client to utilise this extendedconsensus we discuss the impact it would have on each of the following points

ndash block verificationndash block generationndash chain reorganisationndash network usage

10

ndash local storage

While the Bitcoin backbone paper [17] provides bounds on chain parameters ingiven situations these have three main drawbacks in the context of this paper

1 The bounds are not tight2 The criteria for security is stricter than required It asserts liveness and

persistence are never violated while this paper only requires them in a fewselect cases

3 The analysis is in the synchronous model ndash while the generation and verifi-cation of reference strings can take a significant amount of time

To obtain sensible parameters to generate reference strings we measure the timetaken for computing and verifying updates and factor this processing overheadinto a simulation of the optimal adversarial strategy to subvert the SRS gener-ation procedure

The implementation and numbers provided for execution time and storageuse the commonly used BLS12-381 curve pair Circuits which have been practi-cally deployed tend to require a depth of at most half a million so we will oftenassume a Sonic uSRS depth of 500000 All data shown is available at [25] andmay be reproduced with the provided source code

41 Execution Time of uSRS Operations

We tested our implementation of the uSRS generation mechanism on an AMDRyzen 7 2700X 8-core processor with hyper-threading enabled This processoris a standard consumer-grade CPU ndash in proof-of-work mining it is likely thatminers will have access to better hardware All operations have been paral-lelised and the verification operation has been additionally optimised to use lesspairing operations The workload especially for uSRS generation is also highlyparallelisable (consisting of primarily a large number of group exponentiations)suggesting further improvements by utilising GPUs and clusters of machines arepossible If such improvements are applied the total time delay required for thesecure generation procedure as well as the optimal intended block time could bereduced proportionally to the increase in parallelisation assuming paralellisationacross 10 machines could reduce both by an order of magnitude for instance

We measured the time taken for create and verify a uSRS update in relationto the uSRS depth in Figure 1 For our NIZK we use a UC-secure Fischlinproof described in Appendix A3 We measure the overhead of these proofs tobe 23956ms for proving and 1567ms for verifying (a Fiat-Shamir proof of thesame type was measured to 0921ms and 0870ms respectively) using SHA-3 inplace of a random oracle For larger dimensions of reference strings neither havemuch impact on the total runtime

Finally we implemented aggregate updates The bulk of Sonicrsquos update ver-ification procedure is concerned with verifying the structure of the referencestring while a few parts of it verify that it is an exponentiation of the previousstring By retaining only the latter parts a series of updates can be verified

11

almost as quickly as a single update The verification of aggregate proofs has anoverhead of 1634ms per update included in the aggregate The bulk of this costarises from the verification of the Fischlin proof This allows for even large chainreorganisations to be quickly verified

20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)

GenerationVerification

Fig 1 The time taken to produce and verify uSRS updates

42 Simulating the Optimal Attack Strategy

The mechanism we have presented in this paper operates in two phases In thefirst phase the adversary has the chance to subvert the reference string while inthe second phase it can carry out a denial of service attack potentially convincingusers that an incorrect (but not subverted) reference string is the canonical one

For the first phase the adversaryrsquos optimal strategy is to mine entirely in-dependently from any honest activity the adversary cannot adopt any honestblock ndash doing so would break the subversion of its reference string Further theadversary has no reason to share any of its own blocks except if it reached thethreshold of having a fully valid subverted reference string ndash it only gives thehonest network a chance to catch up in the case that the adversary is aheadThis allows for a straightforward simulation of the consensus protocol The prob-ability of either honest parties or the adversary creating an individual block isexponentially distributed In addition to this honest parties have a fixed pro-cessing overhead before they may start mining This may include a networkingdelay but more crucially it includes the time taken to verify a newly receivedblockrsquos uSRS update and to produce the subsequent update We assume that

12

the adversary can bypass large parts of this overhead by virtue of network dom-inance by skipping verification and by producing reference string updates withsmall (and therefore insecure) exponents

The overhead manifests as shifting the honest partyrsquos exponential distribu-tion for block generation by a fixed constant More precisely we parameteriseeach experiment by

ndash The intended time between blocks bndash The combined networking and update overhead dndash The fraction of adversarial mining power α

Of these three d can be seen as fixed depending on the depth of the uSRS beinggenerated and the corresponding speed of verification and update generationFor simplicity we assume a uSRS depth of 500000 which corresponds to d beingapproximately 250 seconds on our single-CPU setup

We draw the time of the next adversarial block from the exponential distribu-tion with λ = αb and the next honest block from the exponential distributionwith λ = (1minusα)b shifted to the right by d (ie the probability density is 0 forx lt d) The simulation is then advanced to the lesser of the two times whichis resampled from the same distribution The number of times the adversary orthe honest parties have extended their chain is counted and the honest partieswin at any point if and only if the honest chain is longer than the adversarialchain

We run one million experiments in parallel either up to a fixed end time oruntil a large enough fraction of the experiments end in honest victory We referto the probability of an adversarial success as the probability of subversion εFigure 2 demonstrates that for a fixed d a tradeoff exists between the targettime between blocks b and the time until any given subversion threshold ε ismet

A practical limit of this simulation approach is that it cannot by itself de-termine the length of time needed to wait until ε is negligible for most typicalsecurity parameters We can however observe that for fixed parameters ε de-creases approximately exponentially as time passes as seen in Figure 3 outsideof a brief initial window

While the second phase ndash that where the adversary attempts to create dis-agreement as to which reference string is the canonical one ndash may initially seemdifferent its optimal strategy is identical as it essentially wishes to create aslong as possible a fork starting one block prior to the end of the first phase (toselect a different reference string) As creating the longest fork forking at thispoint does not allow the adversary to accept honest blocks after it nor givesthe adversary a reason to share its blocks the adversarial strategy ndash and thisanalysis ndash is the same

43 Storage and Network Usage

A Sonic reference string consists of 4d+ 1 elements in G1 and 4d+ 2 elements inG2 For the commonly used BLS12-381 curve pair G1 elements have a storage

13

0 20 40 60 80 100

10minus1

100

101

102

Intended time between blocks b (min)

Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3

Fig 2 The time required to generate a secure uSRS as a function of the intendedtime between blocks This depends on the proportion of adversarial mining power αand the bound ε on the probablity of subversion Each data point represents the timeuntil at most a fraction of ε of one million parallel experiments ended in adversarialvictory Values are given assuming d = 250s and both axes scale linearly to d

0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20

Time (multiples of b)

Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1

Fig 3 The probability of the reference string being subverted ε as a function of thetime passed in multiples of the intended time between blocks b This depends on theproportion of adversarial mining power α and the compound overhead d b is selectedto be approximately at the minimum seen in Figure 2 with d = 15b d = 4b andd = 2b for the α = 45 33 and 1 respectively

14

requirement of 48 bytes each and G2 elements of 96 bytes each An updateproof includes an additional two G1 elements and a Fischlin proof which itselfconsists of twelve iterations each with 2 elements in Flowastq (each of which requires32 bytes to store) two elements of G1 and a 16-bit nonce Each part of anaggregate update has an additional two G2 elements

As it is not necessary to retain intermediate reference strings and aggregateupdates are sufficient for a chain of length l and with an uSRS depth of d thisis a storage requirement of 576d+ 288 bytes for the uSRS itself and l middot (2 middot 48 +2 middot 96 + 12 middot (2 middot 32 + 2 middot 48 + 2)) = 2 232l bytes for storing updates

For 500000 gates and chains of length 20000 this corresponds to a totalstorage requirement of 318MiB with the reference string itself being the largestpart at 275MiB Although this is quite manageable as a storage requirementit must be considered that the SRS itself (and a single update of around 2KiB)has to be re-transmitted with each block While at the common home-internetupload speed of 10Mbs a block would take slightly under 4 minutes to transmitit is reasonable to assume that miners would invest in high-grade connections tooffset the chance of their block being replaced with a competitors Speeds up to10Gbs are commercially available which would reduce the transmission timeto under a second

One remaining issue is that of denial-of-service The receipt and verificationof a reference string is costly and should therefore only be done after a blockrsquosproof-of-work has been received which should depend on a commitment to thesubsequently sent reference string ndash such as the update proof itself An attackercan still perform a limited denial of service attack with blocks they legitimatelymined ndash however this uses no more resources in verification than a legitimateblock would

44 Conclusion

Figure 2 provides insight into the space of tradeoffs which can be made for thesecure generation of reference strings While the secure generation of a referencestring is possible even for a small honest majority the time required to do sois much higher than for a more relaxed setting with δ1 being approximatelythree months for α = 45 in contrast to around two days for α = 33 The fullsetup is double this six months for α = 45 and four days for α = 33 Perhapssurprisingly the desired probability of subversion ε has a more muted effect onthe required setup time

The minima observed for δ1 suggest that simply deploying this system onexisting blockchain systems as they are currently parameterised is unwise Mostblockchains emphasise small values of b to enable transactions to settle quicklywith even notoriously slow chains such as Bitcoin having values on the lower endof our scale This is directly linked to the compound overhead of verification andupdate generation ndash when b is small the adversary can better use its advantageof bypassing large parts of the verification and update procedure As previouslynoted there is a lot of room for speedup by assuming miners use greater com-

15

putation power ndash if each miner used ten machines even the α = 45 case wouldbe reduced to under a month in total

5 Low-Entropy Update Mitigation

While our analysis indicates that in a Byzantine honest majority setting ourprotocol produces a trustworthy reference string it also asks participants todedicate computational resources to updates It follows that in a rational settingplayers need to be properly incentivised to follow the protocol We emphasisethat the rational setting is not the focus of this paper and optimistically in asetting where the majority of miners are rational and a small fraction honest thefew honest blocks are sufficient to eliminate the issue described in this section

For Sonic a protocol deviation exists that breaks the security of the referencestring By choosing the exponent in a specific low-entropy fashion (eg y = 2l)the computation of the update which primarily relies on repeated squaring canbe done significantly faster More generally some permutations in P may be moreefficiently computable In more detail instead of using a random permutation pa specific choice is made that eases the computation of srsprime ndash in the most extremecase for any uSRS scheme the update for p = id is trivial

51 Proposed Construction

In order to facilitate a mitigation for this class of attacks we will need to assumean additional property of the underlying ledger in particular it must provide aldquoresettablerdquo randomness beacon With each advance operation (where adver-sary must be restricted in how often it may do such advance queries) a randombeacon value is sampled in a variable bcn and is associated with the correspond-ing block Beacons of this kind are often easily available for instance by hashingthe proof-of-work [6] and are inherent in many proof-of-stake designs Priorwork [14] demonstrates that such beacon values allow for the adversary to biasthem only by ldquoresettingrdquo it at most a certain number of times say t beforethey are fixed by entering the ledgerrsquos confirmed state with the exact value of tdepending on the chain parameters

We can then amend Gen to derive its random values from the random oracleby sending the query (bcn nonce) to FRO where nonce is a randomly selectednonce and bcn is the previous blockrsquos beacon value The response is used toindex the set of trapdoor permutations P choosing the result p and the nonceis stored by miners locally and kept private We adapt the Phase 1 period δ1 sothat at least lprime = l(1minus θ)minus1 + c blocks will be produced where θ and c are newsecurity parameters (to be discussed below) Next after Phase 2 ends we canbe sure that the beacon value associated with the end of Phase 1 has been resetat most t times

We extract from bcn lprime biased coins each with probability θ For each blockif the corresponding coin is 1 it is required to reveal its randomness within aperiod of time at least as long as the liveness parameter Specifically a party

16

which created one of the selected blocks may reveal its nonce If its updatematches this nonce the party receives an additional reward of value R times thestandard block reward

While this requires a stricter chain quality property with the ledger func-tionality instead enforcing that one of these l non-opened updates are honestwe sketch why this property still holds in the next section

52 Security Intuition

Consider now a rational miner with hashing power α We know that at bestusing an underlying blockchain like Bitcoin the relative rewards such a minermay expect are at most α(1minus α) in expectation this assumes a selfish miningstrategy that wins all network races against the other rational participants Nowconsider a miner who uses low entropy exponents to save on computational poweron created blocks and as a result boosts their hashing power α to an increasedrelative hashing power of αprime gt α The attacker can further try to influence theblockchain by forking and selectively disclosing blocks which has the effect ofresetting the bcn value to a preferred one To see that the impact of this isminimal we prove the following lemma

Lemma 1 Consider a mapping ρ 7rarr 0 1lprime that generates lprime independent bi-ased coin flips each with probability θ when ρ is uniformly selected Considerany fixed n le lprime positions and suppose an adversary gets to choose any one outof t independent draws of the mappingrsquos random input with the intention to in-crease the number of successes in the n positions The probability of obtainingmore than n(1 + ε)θ successes is exp(minusΩ(ε2θn) + ln t)

Proof In case t = 1 result follows from a Chernoff bound on the event E definedas obtaining more than n(1 + ε)θ successes and has probability exp(minusΩ(ε2θn))Given that each reset is an independent draw of the same experiment by apply-ing a union bound we obtain the lemmarsquos statement ut

The optimal strategy of a miner utilising low-entropy attacks is to minimisethe number of blocks of other miners are chosen to increase its relative rewardLemma 1 demonstrates that at most a factor of (1+ ε)minus1 damage can be done inthis way Regardless of whether a miner utilises low-entropy attacks or not theiroptimal strategy beyond this is selfish mining in the low-entropy attack miningin expectation lprimeαprime(1 minus αprime) blocks [17] A rational miner utilising low-entropyattacks will not gain any additional rewards while a miner not doing so willgain at least lprimeα(1minusα)(1+ε)minus1θR rewards from revealing their randomness byLemma 1 It follows that for a rational miner this strategy can be advantageousto plain selfish mining only in case

αprime

1minus αprime gt (1 + θ(1 + ε)minus1R) α

1minus αIf we assume a miner can increase their effective hash rate by a factor of cusing low-entropy exponents then their advantage in the low entropy case is

17

αprime = αc(αc + β) where β = 1 minus α is the relative mining power of all otherminers If follows that the miner benefits if and only if

αcαc+β middot

αc+ββ gt (1 + θ(1 + ε)minus1R)αβ

lArrrArr c gt 1 + θ(1 + ε)minus1R

If we adopt a sufficiently large intended time interval between blocks it is possibleto bound the relative savings of a selfish miner using low-entropy exponentsfollowing the parameterisation of Subsection 42 if a selfish miner using suchexponents can improve their hashing power by at most a multiplicative factor cthen we can mitigate such attack by setting R to (cminus 1)(θ(1 + ε)minus1)

6 Discussion

While the clean generation of a new reference string from a ledger protocol isitself useful real-world situations are likely to be more complex In this sectionwe discuss practical adjustments that may be made

61 Upgrading Reference Strings

As distributed ledgers are typically long-lived and may well outlive any referencestring used within it ndash or have been running before a reference string was neededIndeed the Zcash protocol has seen upgrades in its reference string A referencestring being replaced with a new one is innocuous without further context how-ever it is important to consider how they are usually used in zero-knowledgeproofs If the proof they are used in is stateless upgrading from an insecure to asecure reference string behaves as one may naively expect It ensures that afterthe upgrade security properties hold

In the example of Zcash which runs a variant of the Zerocash [4] protocolthe situation is more muddy Zerocash makes stateful zero-knowledge proofsSuppose a user is sceptical of the security of the initial setup ndash and there is goodreason to be [34] ndash but is convinced the second reference string is secure Is sucha user able to use Zcash with confidence in its security

Had Zcash not had safeguards in place the answer would be no While theprotocol may operate as intended currently and the user can be convinced ofthat due to the stateful nature of the proofs the user cannot be convincedof the correctness of this state The Zcash cryptocurrency did employ similarsafeguards to those we outline below We stress the importance of such here asnot every project may have the same foresight

Specifically for a Zerocash-based system an original reference stringrsquos back-door could have been used to create mismatched transactions and to effectivelyldquomintrdquo large coins illicitly This process is undetectable at the time and theminted coins would persist across a reference string upgrade Our fictitious usermay therefore be rightfully suspicious as to the value of any coins he is sold ndashthey may be a part of an almost infinite pool

18

Such an attack once carried out (especially against a currency) is hard to re-cover from ndash it is impossible to identify ldquolegitimaterdquo owners of the currency evenif the private transaction history were deanonymised and the culprit identifiedThe culprit may have traded whatever he created already Simply invalidatingthe transaction would therefore harm those he traded with not himself In anextreme case if he traded one-to-one with legitimate owners of the currency hewould succeed in effectively stealing the honest users funds If such an attackis identified the community has two unfortunate options Annul the funds ofpotentially legitimate users or accept a potentially large amount of inflation

We may assume a less grim scenario however Suppose we are reasonablyconfident in the security of our old reference string but we are more confident ofthe new one Is it possible to convince users that we have genuinely upgraded oursecurity We suggest the usage of a type of firewalling property Such propertiesare common in the domain of cross-chain transfers [20] and are designed toprevent a catastrophic failure on one chain damaging another

For monetary transfers the firewall would guarantee an upper-bound of fundswas not exceeded Proving the firewall property is preserved is easy if a smallloss of privacy is accepted ndash each private coin being re-minted before it can beused after the upgrade during which time its value must be declared Assumingeverything operates fine and the firewall property is not violated users interact-ing with the post-firewall state can be confident as to the upper bound of fundsavailable Further attacks on the system can be identified If an attacker mintstoo many coins eventually the firewall property will be violated indicating thattoo many coins were in circulation ndash bringing the question of how to handle thissituation with it We believe that a firewall property does however give peace ofmind to users of the system and is a practical means to assuage concerns aboutthe security of a system which once had a questionable reference string

In Zcash a soft form of such firewalling is available in that funds are splitacross several ldquopoolsrdquo each of which uses a different proving mechanism Thetotal value of each pool can be observed and values under zero would be consid-ered a cause for alarm and rejected Zcash use the terminology ldquoturnstilesrdquo [36]and no attacks have been observed through them

A further consideration for live systems is that as Subsection 42 shows thetime required strongly depends on the frequency between blocks This may con-flict with other considerations for selecting the block time ndash a potential solutionfor this is to only perform updates on ldquosuperblocksrdquo blocks which meet a higherproof-of-work (or other selection mechanism) criteria than usual

62 The Root of Trust

An important question for all protocols in the distributed ledger setting iswhether a user entering the system at some point during its runtime can beconvinced to trust in its security Early proof-of-stake protocols such as [26]did poorly at this and were subject to ldquostake-bleedingrdquo attacks [19] for instancendash effectively meaning new users could not safely join the network

19

For reference strings if a newly joining user is prepared to accept that thehonest majority assumption holds they may trust the security of the referencestring as per Theorem 1 There is a curious difference to the security of theconsensus protocol however to trust the consensus ndash at least for proof-of-workbased protocols ndash it is most important to trust a current honest majority asthese protocols are assumed to be able to recover from dishonest majorities atsome point in their past The security of the reference string on the other handonly relies on assuming honest majority during the initial δ time units This maybecome an issue if a large period of time passes ndash why should someone trust theintentions of users during a different age

In practice it may make sense to ldquorefreshrdquo a reference string regularly torenew faith in it It is tempting to instead continuously perform updates howeveras noted in Subsection 61 this does not necessarily increase faith in a statefulsystem although is can remove the ldquohistoricalrdquo part from the honest majorityrequirement when used with stateless proofs

Most subversion attacks are detectable ndash they require lengthy forks whichare unlikely to occur during a legitimate execution In an optimistic case whereno attack is attempted this may provide an additional level of confirmation ifthere are no widespread claims of large forks during the initial setup then thereference string is likely secure (barring large-scale out-of-band censorship) Aflip side to this is that it may be a lot easier to sow doubt however as there isno way to prove this A malicious actor could create a fork long after the initialsetup and claim that it is evidence of an attack to undermine the credibility ofthe system

63 Applications to Non-Updateable SNARKs

Updateable SNARK schemes have two distinct advantages which our protocolmakes use of First they have an explicit update procedure which allows a partyφ to replace a reference string whose security depends on some assumption Awith one whose security depends on Aor (φ is honest) Second they can survivewith a partially biased reference string a fact which we donrsquot use directly in thispaper however the functionality FuSRS we provide permits rejection samplingencoding it into the ideal world

The lack of an update algorithm can be resolved for some zk-SNARKs suchas [21] by the existence of a weaker property In two phases the referencestring can be constructed with (potentially different) parties performing round-robin updates (also group exponentiations) in each phase This approach is alsodetailed in [8] and it implies a natural translation to our protocol in which thefirst phase is replaced with two phases of the same length performing the firstand second phase updates respectively

The security of partially biased references strings has not been sufficientlyanalysed for non-updateable SNARKs however this weakness can be mitigatedFollowing [8] it is possible to use a pure random beacon (as opposed to theresettable one used in Section 5) to create a ldquopurerdquo reference string from theldquoimpurerdquo one presented so far To sketch the design The random beacon would

20

be queried after time δ and the randomness used to select a trapdoor per-mutation over the reference string This would then be applied by each partyindependently arriving at the same ndash randomly distributed ndash reference string

As this is not required for updateable SRS schemes we did not perform thisanalysis in depth However the approach to the simulation would be to performthe SRS generation identically and then program the random beacon to invertall permutations applied to the honest reference string Since this includes theone honest permutation applied on every honest update this is indistinguishablefrom a random value to the adversary It is worth noting that the requirementof a random beacon is on the stronger side of requirements especially as itshould itself not allow adversarial influence to provide the desired advantageApproaches using block hashes for randomness introduce exactly the limitedinfluence which we are attempting to remove

7 Acknowledgements

The second and third author were partially supported by the EU Horizon 2020project PRIVILEDGE 780477 We thank Eduardo Morais for providing dataon the required depth of reference strings for Zcashrsquos Sapling protocol

Bibliography

[1] Christian Badertscher Peter Gazi Aggelos Kiayias Alexander Russell andVassilis Zikas Ouroboros genesis Composable proof-of-stake blockchainswith dynamic availability In David Lie Mohammad Mannan MichaelBackes and XiaoFeng Wang editors ACM CCS 2018 pages 913ndash930 ACMPress October 2018

[2] Christian Badertscher Ueli Maurer Daniel Tschudi and Vassilis Zikas Bit-coin as a transaction ledger A composable treatment In Jonathan Katz andHovav Shacham editors CRYPTO 2017 Part I volume 10401 of LNCSpages 324ndash356 Springer Heidelberg August 2017

[3] Eli Ben-Sasson Iddo Bentov Yinon Horesh and Michael Riabzev Scalabletransparent and post-quantum secure computational integrity CryptologyePrint Archive Report 2018046 2018 httpseprintiacrorg2018046

[4] Eli Ben-Sasson Alessandro Chiesa Christina Garman Matthew Green IanMiers Eran Tromer and Madars Virza Zerocash Decentralized anonymouspayments from bitcoin In 2014 IEEE Symposium on Security and Privacypages 459ndash474 IEEE Computer Society Press May 2014

[5] Dan Boneh Justin Drake Ben Fisch and Ariel Gabizon Halo infinite Re-cursive zk-snarks from any additive polynomial commitment scheme Cryp-tology ePrint Archive Report 20201536 2020 httpseprintiacrorg20201536

21

[6] Joseph Bonneau Jeremy Clark and Steven Goldfeder On bitcoin as apublic randomness source Cryptology ePrint Archive Report 201510152015 httpeprintiacrorg20151015

[7] Sean Bowe Ariel Gabizon and Matthew D Green A multi-party protocolfor constructing the public parameters of the pinocchio zk-SNARK In AvivZohar Ittay Eyal Vanessa Teague Jeremy Clark Andrea Bracciali Fed-erico Pintore and Massimiliano Sala editors FC 2018 Workshops volume10958 of LNCS pages 64ndash77 Springer Heidelberg March 2019

[8] Sean Bowe Ariel Gabizon and Ian Miers Scalable multi-party computationfor zk-SNARK parameters in the random beacon model Cryptology ePrintArchive Report 20171050 2017 httpeprintiacrorg20171050

[9] Benedikt Buumlnz Jonathan Bootle Dan Boneh Andrew Poelstra PieterWuille and Greg Maxwell Bulletproofs Short proofs for confidential trans-actions and more In 2018 IEEE Symposium on Security and Privacy pages315ndash334 IEEE Computer Society Press May 2018

[10] Benedikt Buumlnz Ben Fisch and Alan Szepieniec Transparent SNARKsfrom DARK compilers In Anne Canteaut and Yuval Ishai editors EU-ROCRYPT 2020 Part I volume 12105 of LNCS pages 677ndash706 SpringerHeidelberg May 2020

[11] Vitalik Buterin On-chain scaling to potentially 500 txsec throughmass tx validation httpsethresearchton-chain-scaling-to-potentially-500-tx-sec-through-mass-tx-validation3477

[12] Ran Canetti Universally composable security A new paradigm for crypto-graphic protocols In 42nd FOCS pages 136ndash145 IEEE Computer SocietyPress October 2001

[13] Alessandro Chiesa Yuncong Hu Mary Maller Pratyush Mishra NoahVesely and Nicholas P Ward Marlin Preprocessing zksnarks with uni-versal and updatable SRS In Anne Canteaut and Yuval Ishai editorsAdvances in Cryptology - EUROCRYPT 2020 - 39th Annual InternationalConference on the Theory and Applications of Cryptographic TechniquesZagreb Croatia May 10-14 2020 Proceedings Part I volume 12105 ofLecture Notes in Computer Science pages 738ndash768 Springer 2020

[14] Bernardo David Peter Gazi Aggelos Kiayias and Alexander RussellOuroboros praos An adaptively-secure semi-synchronous proof-of-stakeblockchain In Jesper Buus Nielsen and Vincent Rijmen editors EURO-CRYPT 2018 Part II volume 10821 of LNCS pages 66ndash98 Springer Hei-delberg April May 2018

[15] Marc Fischlin Communication-efficient non-interactive proofs of knowledgewith online extractors In Victor Shoup editor CRYPTO 2005 volume3621 of LNCS pages 152ndash168 Springer Heidelberg August 2005

[16] Ariel Gabizon Zachary J Williamson and Oana Ciobotaru Plonk Per-mutations over lagrange-bases for oecumenical noninteractive arguments ofknowledge Cryptology ePrint Archive Report 2019953 2019 httpseprintiacrorg2019953

[17] Juan A Garay Aggelos Kiayias and Nikos Leonardos The bitcoin back-bone protocol Analysis and applications In Elisabeth Oswald and Marc

22

Fischlin editors EUROCRYPT 2015 Part II volume 9057 of LNCS pages281ndash310 Springer Heidelberg April 2015

[18] Juan A Garay Aggelos Kiayias and Nikos Leonardos The bitcoin back-bone protocol with chains of variable difficulty In Jonathan Katz andHovav Shacham editors CRYPTO 2017 Part I volume 10401 of LNCSpages 291ndash323 Springer Heidelberg August 2017

[19] Peter Gaži Aggelos Kiayias and Alexander Russell Stake-bleeding attackson proof-of-stake blockchains Cryptology ePrint Archive Report 20182482018 httpseprintiacrorg2018248

[20] Peter Gazi Aggelos Kiayias and Dionysis Zindros Proof-of-stakesidechains In 2019 IEEE Symposium on Security and Privacy pages 139ndash156 IEEE Computer Society Press May 2019

[21] Jens Groth On the size of pairing-based non-interactive arguments In MarcFischlin and Jean-Seacutebastien Coron editors EUROCRYPT 2016 Part IIvolume 9666 of LNCS pages 305ndash326 Springer Heidelberg May 2016

[22] Jens Groth Markulf Kohlweiss Mary Maller Sarah Meiklejohn and IanMiers Updatable and universal common reference strings with applica-tions to zk-SNARKs In Hovav Shacham and Alexandra Boldyreva editorsCRYPTO 2018 Part III volume 10993 of LNCS pages 698ndash728 SpringerHeidelberg August 2018

[23] Jens Groth and Mary Maller Snarky signatures Minimal signatures ofknowledge from simulation-extractable SNARKs In Jonathan Katz andHovav Shacham editors CRYPTO 2017 Part II volume 10402 of LNCSpages 581ndash612 Springer Heidelberg August 2017

[24] Ari Juels Ahmed E Kosba and Elaine Shi The ring of Gyges Investi-gating the future of criminal smart contracts In Edgar R Weippl StefanKatzenbeisser Christopher Kruegel Andrew C Myers and Shai Halevieditors ACM CCS 2016 pages 283ndash295 ACM Press October 2016

[25] Thomas Kerber Implementations to accompany mining for privacyGitHub 2020 httpsgithubcomtkerberpistis-impl

[26] Aggelos Kiayias Alexander Russell Bernardo David and RomanOliynykov Ouroboros A provably secure proof-of-stake blockchain proto-col In Jonathan Katz and Hovav Shacham editors CRYPTO 2017 Part Ivolume 10401 of LNCS pages 357ndash388 Springer Heidelberg August 2017

[27] Ahmed Kosba Zhichao Zhao Andrew Miller Yi Qian Hubert Chan Char-alampos Papamanthou Rafael Pass abhi shelat and Elaine Shi CemptycemptyA framework for building composable zero-knowledge proofs Cryptol-ogy ePrint Archive Report 20151093 2015 httpseprintiacrorg20151093

[28] Ahmed E Kosba Andrew Miller Elaine Shi Zikai Wen and CharalamposPapamanthou Hawk The blockchain model of cryptography and privacy-preserving smart contracts In 2016 IEEE Symposium on Security andPrivacy pages 839ndash858 IEEE Computer Society Press May 2016

[29] Mary Maller Sean Bowe Markulf Kohlweiss and Sarah Meiklejohn SonicZero-knowledge SNARKs from linear-size universal and updatable struc-tured reference strings In Lorenzo Cavallaro Johannes Kinder XiaoFeng

23

Wang and Jonathan Katz editors ACM CCS 2019 pages 2111ndash2128 ACMPress November 2019

[30] Bryan Parno Jon Howell Craig Gentry and Mariana Raykova Pinoc-chio Nearly practical verifiable computation In 2013 IEEE Symposium onSecurity and Privacy pages 238ndash252 IEEE Computer Society Press May2013

[31] Rafael Pass Lior Seeman and abhi shelat Analysis of the blockchain pro-tocol in asynchronous networks In Jean-Seacutebastien Coron and Jesper BuusNielsen editors EUROCRYPT 2017 Part II volume 10211 of LNCS pages643ndash673 Springer Heidelberg April May 2017

[32] Claus-Peter Schnorr Efficient identification and signatures for smart cardsIn Gilles Brassard editor CRYPTOrsquo89 volume 435 of LNCS pages 239ndash252 Springer Heidelberg August 1990

[33] Samuel Steffen Benjamin Bichsel Mario Gersbach Noa Melchior PetarTsankov and Martin T Vechev zkay Specifying and enforcing data privacyin smart contracts In Lorenzo Cavallaro Johannes Kinder XiaoFengWangand Jonathan Katz editors ACM CCS 2019 pages 1759ndash1776 ACM PressNovember 2019

[34] Josh Swihart Benjamin Winston and Sean Bowe Zcash coun-terfeiting vulnerability successfully remediated ECC Blog Febru-ary 2019 httpselectriccoincoblogzcash-counterfeiting-vulnerability-successfully-remediated

[35] Zcash Parameter generation httpszcashtechnologyparamgen2018

[36] Zcash Address and value pools in Zcash httpszcashreadthedocsioenlatestrtd_pagesaddresseshtmlturnstiles 2019

A The Sonic uSRS

Sonicrsquos uSRS [29 Section 43] consists of a series of exponentiations of groupelements in pairing groups G1 and G2 of prime order q where a bilinear pairinge G1 times G2 rarr GT exists Specifically given generators g isin G1 h isin G2 and adepth parameter d isin Zq the SRS has a trapdoor of (α x) isin Flowast2q with τ0 = (1 1)

The corresponding structure function is defined as

S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)

A1 Specification of Sonic Updates

We omit the e(g hα) term presented in Sonic as this can be computed fromthe rest of the SRS and is therefore immaterial to the update procedure Thepermitted trapdoor permutations are field multiplications

P = (α x) 7rarr (αβ xy) | (β y) isin Flowast2q

24

Correspondingly dagger exponentiates group elements

p = (α x) 7rarr (αβ xy) =rArr

pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0

)Observe that field multiplications over α or x can efficiently be applied to thecorresponding structure through exponentiation g(αxi)βyi = (gαxi)βyi The fullupdate proof procedure is as follows

procedure ProveUpd(srs p)let (β y)larr p((1 1))return (gy gβy π)

The verification procedure ensures correct computation by checking the consis-tency of various pairing computations

procedure VerifyUpd(srs ρ srsprime)let (Gi Hi H

primeidi=minusd Gprimeidi=minusdi 6=0)larr srs

let (Ii Ji J primeidi=minusd I primeii=minusdi6=0)larr srsprimelet (AB π)larr ρif e(I prime1 h) 6= e(BH prime1) or e(g J prime1) 6= e(BH prime1) or e(I1 h) 6= e(AH1) or e(g J1) 6=e(AH1) or I0 6= g or J0 6= h thenreturn 0

for i = minusd to d doif not(i = d or e(Ii J1) = e(I1 Ji) = e(Ii+1 h) =e(g Ji+1)) or not(e(Ii J prime0) = e(g J primei)) or(i 6= 0 and note(Ii J prime0) = e(I primei h)) thenreturn 0

return 1

A2 Satisfaction of Security Properties

Theorem 2 Sonic as described in Appendix A1 is an updatable referencestring scheme satisfying correctness structure preservation update uniformityupdate extraction permutation extraction and permutation lifting

Proof We prove each property individually

Correctness Follows from all pairing checks being satisfied ut

Structure preservation Suppose a structured input S(τ) and an update proofρ and a new SRS srsprime where

S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25

If VerifySRS returns 1 we know all of the following hold due to the conditionschecked

ndash e(gl1 h) = e(g hn1) = e(gβy hαx)ndash e(gk1 h) = e(g hm1) = e(gy hx)ndash foralli isin [minusd d) e(gki hm1) = e(gk1 hmi) = e(gki+1 h) = e(g hmi+1)ndash foralli isin [minusd d] e(gki hn0) = e(g hni)ndash foralli isin [minusd d] 0 e(gki hn0) = e(gli h)

As e(g h) is a generator over GT and each of the above can be expressed as anequality of exponentiations of the form e(g h)a = e(g h)b we simplify these toequalities within Flowastq of their exponents

ndash l1 = n1 = αβxy

ndash k1 = m1 = xy

ndash foralli isin [minusd d) kim1 = k1mi = ki+1 = mi+1ndash foralli isin [minusd d] kin0 = nindash foralli isin [minusd d] 0 kin0 = li

It follows directly that n0 = αβ ki = mi = (xy)i and li = ni = αβ(xy)iAs a result srsprime matches exactly the structured reference string S((αβ xy)) =pdagger(S(τ)) ut

Update uniformity Let τ = (α x) p Rlarrminus P is defined by a multiplication with twouniformly sampled field elements in β y Rlarrminus Flowastq such that the trapdoor p(τ) =(αβ xy) Due to multiplication in prime fields with a fixed element (here α andx) being a bijective functions the result (αβ xy) is also distributed uniformly atrandom in Flowast2q therefore being indistinguishable from a new randomly sampledtrapdoor ut

Update proof simulation We present the following simulation algorithmprocedure Sρ((α x) srs)

(Gi Hi Hprimeidi=minusd Gprimeidi=minusdi6=0)larr srs

return(G

(xminus1)1 G

prime(xminus1)(αminus1)1

)This utilises only a small number of efficient group operations and is thereforePPT As the VerifyUpd pairing checks all succeed the returned update proof willverify ut

Permutation Extraction Observe that

R((AB) p) lArrrArr let (a b) = p((1 1)) in A = ga andB = gb

A straightforward encoding of p is the pair of field elements (a b) This relationis clearly in NP and is also a bijection due to the relation of G1 and Flowastq ut

26

A3 Instantiating FRNIZK

We can employ Fischlinrsquos transform [15] in combination with a simple sigmaprotocol to prove knowledge of pairs of exponents Specifically we propose theparallel composition of two Schnorr proofs of knowledge of exponent [32] Itis important to treat these as a single proof and not two separate proofs asthe latter would enable the adversary to create proofs which are only partiallyextractable We posit that these would still allow for simulation however thesimulator would be tasked with a more difficult and implementation specificbook-keeping

B The Nakamoto Ledger

The basic functionality of this ledger allows the submission of transactions andretrieving each of the followingndash A confirmed prefix of the ledger statendash A ldquoprojectionrdquo of the ledger state ndash ie what the local state will approach

if there is no chain reorganisationndash The confirmed ldquoleader staterdquo which models the mechanism used for the SRS

generation

When any of these values is queried the functionality ensures that liveness andchain quality properties still hold The adversary further has the power to in-struct the creation of a new block on behalf of any party and to instruct anyparty to adopt a different chain In both cases the functionality ensures thatthe common prefix property is preserved The adversary has full control over thecontents of both honest and adversarial blocks as well as their order

B1 Functionality Definition

Functionality FnakLedger

A ledger following a Nakamoto-style consensus with each party having a projectedchain a prefix of which is common to all parties Common prefix chain qualityand chain growth are guaranteed

State variables and initialisation valuesVariable Description

Π = φ 7rarr ε Mapping of parties to projected ledger statesT = empty Multiset of submitted transactions

hon = empty Mapping of block ids to 1 if they are honest or 0 if not

When receiving a message (submit tx) from a party φsend read to Gclock and receive the reply tlet T larr T cup (tx t)query A with (transaction tx t)

When receiving a message read from a party φ

27

assert liveness(φ) and chainQuality(φ)return map(proj1 txs(Π(φ)dk))

When receiving a message projection from a party φassert liveness(φ) and chainQuality(φ)return map(proj1 txs(Π(φ)))

When receiving a message leader-state from a party φassert liveness(φ) and chainQuality(φ)let ~alarr map(λ(middot a middot t) (a t) Π(φ)dk)return foldl(Applyempty~a)

When receiving a message (extend φ B t a) from Asend read to Gclock and receive the reply tprime

let id Rlarrminus 0 1κif φ isin H then

let ~alarr map(λ(middot a middot t) (a t) Π(φ))let σ larr foldl(Applyempty~a)let a Rlarrminus Gen(σ tprime)let tlarr tprime let hon(id)larr 1

elselet hon(id)larr 0if tprime lt t then let tlarr tprime

else if existtprimeprime (middot middot middot tprimeprime) = last(Π(φ)) and tprimeprime gt t then let tlarr tprimeprime

let Π(φ)larr Π(φ) (B a id t)assert forallφprime isin P Π(φ)dk ≺ Π(φprime)return (B a id t)

When receiving a message (advance φΣprime) from Aassert existφprime isin P Σprime ≺ Π(φprime)assert forallφprime isin P Σprimedk ≺ Π(φprime) andΠ(φprime)dk ≺ Σprimelet Π(φ)larr Σprime

Helper proceduresfunction txs(Πφ)

let ~B larr map(proj1 Πφ)return concat( ~B)

procedure liveness(φ)send read to Gclock and receive the reply tif existt0 lt t |[ tb | (middot middot middot tb) isin Π(φ) t0 minus s le tb lt t0 ]|lt γ and t0 minus s ge 0 thenreturn perp

return forall(tx tprime) isin T tprime + d(l + k)γminus1es gt t or (tx tprime) isin txs(Π(φ)dk)procedure chainQuality(φ)

let ~idlarr map(proj3 Π(φ)dk)return foralli isin Z|~a|minusl

(sumjisinZl

ids(~idi+j))ge microl

In order to judge chain growth this functionality needs access to a simple globalclock given in Appendix E1

28

B2 Relation to Existing Protocols

Existing UC treatments of Nakamoto-style ledgers such as [1 2] already providefunctionalities which provide persistence and liveness guarantees Moreover theprotocols used in their implementation have been independently shown to satisfythe properties of common prefix chain quality and chain growth

Given similar assumptions such as a limited random oracle and a syn-chronous or semi-synchronous network these protocols will also fit the FnakLedgerfunctionality presented above Notably the UC-proof of these ledgers relies onfirst proving these three chain properties then proving persistence and livenessand finally concluding that these satisfy their ledger functionalityFnakLedger exposes more of the internals of the protocol ndash the fact that there is

a chain selection process and that this is subject to the constraints of commonprefix chain quality and chain growth ndash but otherwise does not greatly changethe ideal world behaviour

Due to this strengthened functionality being designed to merely expose moreof the well-understood protocol properties we conjecture that UC implementa-tions which have a proof relying on the three Nakamoto chain properties can beused to realise FnakLedger with a large part of the proof applying directly

C The Adaptor Protocol

We provide a small protocol which adapts the honest interface of the Nakamotoledger to match that of the ideal world ndash specifically ensuring the leadershipstate seen matches the ideal worldrsquos and that the SRS is read only if sufficienttime has passed

Protocol ledger-adaptor

The protocol adaptor fits the interface of F realnakLedger to match those of FuSRS and

F idealnakLedger It operates in the (F real

nakLedgerGclock)-hybrid world

When receiving a message (submit tx) from a party φsend (submit tx) to F real

nakLedger

When receiving a message read from a party φsend read to F real

nakLedger and receive the reply txsreturn txs

When receiving a message projection from a party φsend projection to F real


When receiving a message leader-state from a party φsend leader-state to F real

nakLedger and receive the reply (middot σideal)return σideal

When receiving a message srs from a party φsend read to Gclock and receive the reply t

29

if t lt δ then return perpelse

send leader-state to F realnakLedger and

receive the reply (srs middot)return srs

Forward submit read and projection queries to F realnakLedger

D The Simulator

Simulator Sledger-adaptor

The simulator between the protocol adaptor over F realnakLedger and F ideal

nakLedger andFuSRS It operates in the Gclock-hybrid world

State variables and initialisation valuesVariable DescriptionF simul

nakLedger A simulation of the hybrid-world ledgerFRNIZK A simulation of the low-level NIZK functionality

A = empty Map from honest updates to the applied permutation

When receiving a message (transaction tx t) from F idealnakLedger

simulate sending (submit tx) to F simulnakLedger

When receiving a message (submit tx) from A for F realnakLedger

send (submit tx) to F idealnakLedger

When receiving a message (permute φ) from FuSRSsimulate sending leader-state to F simul

nakLedgerthrough φ andreceive the reply (srs middot)

let ~alarr map(proj2F simulnakLedgerΠ(φ))

return Xp(~a)When receiving a message (extend φ B t a) from A for F real

nakLedgersend read to Gclock and receive the reply tprime

if φ isin H and tprime le dlγminus1es thenlet ~alarr map(proj2F simul

nakLedgerΠ(φ))let (srs middot)larr foldl(Applyempty~a)let plarr Xp(~a)if pminus1dagger(srs) 6= S(τ0) then

We cannot extract a trapdoor the SRS is already securelet pprime Rlarrminus P ρlarr ProveUpd(srs pprime)let srsprime larr pprimedagger(srs)simulate sending (prove ρ pprime) to FRNIZK and

receive the reply πelse

30

We produce an update to match a random initial SRSlet τ larr p(τ0)let pprime Rlarrminus Psend honest-srs to FuSRS and

receive the reply srsHlet srsprime larr pprimedagger(srsH)let ρlarr Sρ(p(τ) srsprime)query A with (prove ρ) and receive the reply π

satisfying π 6= perpand(ρ π) isin FRNIZKΠand(middot π) isin FRNIZKΠ else samplingfrom 0 1κ

let FRNIZKΠ larr FRNIZKΠ cup (ρ π)let A(ρ)larr p

let aideal larr perpelse if φ isin H then

let srsprime ρ π larr εlet aideal larr perp

else let (srsprime ρ π aideal)larr a

send (extend φ B t aideal) to F idealnakLedger and

receive the reply (B aideal id t)if φ isin H then

let F simulnakLedgerhon(id)larr 1

elselet F simul

nakLedgerhon(id)larr 0let F simul

nakLedgerΠ(φ)larr F simulnakLedgerΠ(φ) (B (srsprime ρ π aideal) id t)

assert forallφprime isin P F simulnakLedgerΠ(φ)dk ≺ F simul

nakLedgerΠ(φprime)return (B (srsprime ρ π aideal) id t)

When receiving a message (advance φΣprime) from A for F realnakLedger

simulate sending (advance φΣprime) to F simulnakLedger

Remove SRS updates from Σprime

let Σprime larr map(λ(B (middot middot middot aideal) t) (B aideal t) Σ)send (advance φΣprime) to F ideal

nakLedger

Forward requests to FRNIZK and all other adversarial messages for F realnakLedger to

F simulnakLedger

Helper proceduresprocedure Xp(~a)

let plarr idlet srs = S(τ0)for (srsprime ρ π middot) in ~a do

Skip invalid updatesif notVerifyUpd(srs ρ srsprime) or (ρ π) isin FRNIZKΠ then continuelet srslarr srsprimeif (ρ π) isin FRNIZKW then

let plarr FRNIZKW ((ρ π)) pelse if ρ isin A then

31

The update is honest Start with its permutationlet plarr A(ρ)

else A witness-less adversarial update was encounteredabort

return p

E Minor UC Functionalities

E1 The Global Clock

Functionality Gclock

The global clock allows parties to agree on some discrete notion of time

State variables and initialisation valuesVariable Descriptiont = 0 Current timeT = empty TimekeepersA = empty Agreements to advance

When receiving a message register from a party φlet T larr T cup φ

When receiving a message deregister from a party φlet T larr T φ

When receiving a message update from a party φlet A(φ)larr gtif forallφ isin T A(φ) then

let tlarr t+ 1Alarr λφ perpquery A with tick-tock

When receiving a message read from a party φreturn t

E2 Non-Interactive Zero-Knowledge

Functionality FRNIZK

The (malleable) non-interactive zero-knowledge functionality FRNIZK allows provingof statements in an NP relation R

32

State variables and initialisation valuesVariable DescriptionW = empty Mapping of statementproof pairs to witnessesΠ = empty Set of statementproof pairsΠ = empty Set of known invalid statementproof pairs

When receiving a message (prove x w) from a party φif notxRw then

return perpquery A with (prove x) and receive the reply π

satisfying π 6= perp and (x π) isin Π and (middot π) isin Π else sampling from 0 1κlet Π larr Π cup (x π)W (x π)larr wreturn π

When receiving a message (maul x π πprime) from Aif (x π) isin Π then

let Π larr Π cup (x πprime)let W (x πprime)larrW (x π)

When receiving a message (verify x π) from a party φif (x π) isin Π cupΠ and π 6= perp then

query A with (verify x π) The adversary has been given a chance to prove the statement It didnrsquot take itif (x π) isin Π cupΠ then

let Π larr Π cup (x π)return (x π) isin Π

E3 Random Oracle

Functionality FRO

The random oracle functionality FRO returns a uniform random value in 0 1κfor each input

State variables and initialisation valuesVariable DescriptionH = empty A map from inputs to (fixed) outputs

When receiving a message (query x) from a party φ

if x isin H then let H(x) Rlarrminus 0 1κreturn H(x)

E4 Delay Wrapper

33

Functionality Wdelay(δF)

The wrapper functionality Wdelay(δF) of F accepts honest inputs only after δtime slots

When receiving a message M from a party φsend read to Gclock and receive the reply tif t lt δ and φ isin H then return perpelse

send M to F and receive the reply yreturn y

F Security Analysis

As for any UC proof we require a simulator which ensures the ideal worldbehaves indistinguishably from the real world Our simulator Sledger-adaptor isformally described in Appendix D Intuitively this simulator ensures that thereal and ideal worldrsquos ledgers are equivalent and that the real world uSRS isequal to the uSRS produced in the ideal world

In order to achieve this the simulator ensures that the initial honest referencestring provided by FuSRS is the basis of the uSRS of a simulated execution ofthe real-world protocol Doing so relies primarily on three things First thesimulatorrsquos ability to extract the permutation from any adversarial referencestring update Second the simulatorrsquos ability to given the adversarial trapdoorsthen produce a valid ldquohonestrdquo update which ensures the reference string is arandom permutation of the ideal-world honest string S(τH) And finally thesimulatorrsquos knowledge that the final reference string in its simulation will haveat least one honest update

The simulator observes each of the competing chains and when the firsthonest update occurs in each coerces the simulated update into a permutationof the ideal honest reference string For each subsequent honest update thesimulator performs the update normally remembering the randomness usedCombined with extracting from adversarial updates the simulator either knowsthe entire trapdoor of the reference string (if there was no honest update) orall except for the first honest update By the backbone properties enforced byFnakLedger the simulator knows that the first case will not apply and that onlyone prefix of valid updates will exist after δ time has passed As a result thesimulator knows exactly which permutation to apply to the honest ideal referencestring to match the real worldrsquos result

As FuSRS only provides a single honest SRS the simulator applies a randompermutation to this for each initial honest update ensuring that the updates ofdifferent chains remain unlinkable

We will prove UC-emulation and will therefore refer to the ideal and realworlds frequently throughout the proof Beyond this the simulator locally sim-ulates the NIZK functionality and the ledger functionality To be clear which

34

functionality we are talking about at any point we will use F idealnakLedger F simul

nakLedgerand F real

nakLedger to refer to the ideal simulated and real ledgers respectively Werefer to the real-world NIZK functionality as FRNIZK and the simulted NIZK asSledger-adaptorFRNIZK The notation Fx is used to mean ldquothe variable x withinthe functionality Frdquo ndash it is also used to refer to the ideal trapdoor FuSRSτH

Our simulator which we assume is provided with the update simulation algo-rithm Sρ and can extract permutations from adversarial updates via a simulatedNIZK is equipped with a helper function Xp Given a series of updates Xp com-putes the permutation applied to the reference stringrsquos trapdoor as far back aspossible It receives as inputs the sequence of updates ~a and has access to amapping W from NIZK statements and proofs to corresponding witnesses (asfar as the simulator knows them) and a mapping A from honest updates to thepermutation applied to the honest SRS It returns a permutation in P whichcan be applied either to the initial trapdoor τ0 or the initial honest trapdoorτH to create the same SRS as the sequence of updates We prove this in thefollowing auxiliary lemma that will be used in the proof of our main theorem

Lemma 2 In the ideal-world execution of Sledger-adaptor Xp(~a) outputs a per-mutation p isin P such that its inverse applied to the underlying trapdoor of theSRS generated from the given sequence of updates ~a is either the initial trapdoorτ0 or the honest trapdoor τH

Proof The output of Xp is either id a permutation in the mapping A a permu-tation recorded by the simulated NIZK or a series of function compositions ofthe above As only permutations in P are stored in A id isin P and as P is closedunder composition the returned permutation is in P The permutation appliedcorresponds directly to how the underlying trapdoor of the uSRS is updated bylongest suffix of updates in ~a for which the trapdoor is known ndash ie the trapdoorpermutation is recorded in FRNIZKW or a permutation of the honest trapdooris recorded in A When this isnrsquot the case the update is skipped and the trap-door reset ensuring that any trapdoors preceeding a non-extractable value areignored The case that the trapdoors are known for all of the updates is trivialas by definition inverting this permutation will result in the initial trapdoor τ0

If however at any point the trapdoor is not recorded in FRNIZKW (despiteVerifyUpd succeeding) at this point the trapdoor must be honestly generatedAs this update was not skipped the NIZK proofs associated with it must verifyThe only way for the proofs to verify and the NIZK functionality not to haverecorded the corresponding witnesses however is that the simulator added theproof manually to the NIZKrsquos set of valid proofs This only happens at one pointndash when creating simulated NIZK proofs to accompany simulated update proofswhich is used only for random permutations applied to the honest referencestring While (if the adversary is capable of inverting the structure function)multiple honest updates may exist in the same chain if at least one of themis a replayed update the last such effectively ldquoresetsrdquo the reference string to aknown permutation of the honest reference string

35

Finally we note that for this witness-less update the remaining trapdoordefines a permutation of FuSRSτH Algorithm Xp extracts the trapdoors from allsubsequent updates to compute the permutation applied to this honest trapdoorndash ensuring precisely that inverting this permutation results in FuSRSτH ut

Proof (of Theorem 1) If the environment can distinguish between these worldsthere must exist a minimal series of interactions the environment combinedwith its adversary can make to cause the other UC ITMs to behave sufficientlydifferently to allow distinguishing We will show that for any interaction theenvironment makes it will not learn enough information to distinguish the twoworlds and therefore that across all (polynomially many) interactions it alsocannot distinguish First we consider what actions the adversaryenvironmentpair can take The interactions fall into the following categories1 Honest or adversarial submit read leader-state or projection queries2 Interactions with FRNIZK or Gclock3 advance queries4 extend queries5 srs queriesWe will establish the following invariants throughout the execution of the UCsecurity gamendash Gclock has the same internal state in both the real and ideal worldsndash Sledger-adaptorFRNIZK has the same internal state as the real-world FRNIZK

except that it does not know the witnesses for honestly generated proofs ortheir mauled variants

ndash Sledger-adaptorF simulnakLedger has the same internal state as the real-world ledger

F realnakLedger and differs from the ideal-world ledger F ideal

nakLedger only in that allstate updates contain an addition SRS update term

Ledger reads and submissions Given these invariants it is clear that the envi-ronment cannot distinguish given the results of read and projection queries ndashthey must return the same value Further as the adaptor protocol strips the SRScomponent from the leader state and the ideal worldrsquos leader state is preciselydefined as being without this component it is clear that also leader-statequeries will be indistinguishable (even if made directly by the adversary sincethese are answered by F simul

nakLedger) For submit queries by either the environmentor the adversary both worlds will add the transaction with the current times-tamp to their ledgerrsquos submitted transactions and will notify the adversaryonce and return the transaction together with the timestamp This does notreveal any information to the environment which could be used to distinguish

Queries to other functionalities Likewise FRNIZK queries clearly will not permitthe environment to distinguish or invalidate the above mentioned invariants ndashthey do not go beyond the NIZK functionality and this does not read ndash onlyupdate ndash the witness map Similarly for Gclock as this exists in both worldsand is not manipulated by the simulator (or any other entity) beyond read-onlyoperations it will behave identically

36

advance queries The simulator first simulates advancing a specified partyrsquosledger state on F simul

nakLedger If this succeeds the simulator knows that the ad-vancement will succeed in the ideal world as well where the ledger state is lessconstrained It removes the SRS updates from the ledger state being switched toand issues a corresponding advance query to F ideal

nakLedger If the simulated advancedoes not succeed it will also have failed in the real world execution both of whichwill abort If the update succeeds the invariant between the various ledger statesis preserved ndash up to the lack of SRS updates in the ideal world they are thesame If the update fails both worlds terminate execution

(extend φB t a) queries Let us first detail the function of extend queriesCalled by the adversary if the party parameter φ represents an honest partythe query runs Gen to generate a new update a to apply to this partyrsquos view ofthe leadership state If the party is adversarial on the other hand an adversary-supplied update parameter a is used instead With the timestamp t (or theaccurate time for honestly created blocks) block content B state update a anda randomly sampled ID a new block is created and appended to φrsquos projectedchain Finally it is asserted that the common prefix property still holds

Once the simulator intercepts such a query it needs to ensure not only thatthe same extends are carried out in the simulated and ideal ledgers but alsothat honest SRS updates are (when necessary) sourced from the FuSRS function-ality In the case that the party extending the chain is adversarial this is simplendash split the adversarial real world update a into an SRS update and an ideal-worldupdate (it is worth noting that these need not be valid) and forward only theideal-world update in an extend query to F ideal

nakLedger This already results in thereal and ideal ledgers satisfying the invariant leaving the simulated ledger Forthis the simulator manually inserts the ID returned from the ideal-world ledgerinserts the new block and asserts the same common prefix condition as the realworld does ensuring these two ledgers are in the same state and ndash crucially ndashabort under the same conditions The returned value is identical to that returnedin the real world

For honest updates things are more complex If the current time is afterwhen honest SRS updates are performed the honest SRS update is set to εas in the real world Otherwise the SRS is reconstructed from the partyrsquos cur-rent projected ledger view and the simulator attempts to extract the trapdoorpermutation from this SRS If it succeeds in extracting the entire trapdoor thesimulator ensures it is updated such that it can no longer do so It updates theuSRS to a permutation of the honest uSRS FuSRSτH by first applying a freshpermutation to it recording this in the map A and creating the correspondingupdate proof using Sρ

By the update uniformity property this is indistinguishable from the resultof Gen which the environment expects In case the full trapdoor cannot be ex-tracted Gen is used to generate the ldquohonestrdquo SRS update ensuring the simulatorknows the trapdoor for this update as well (as it retains the NIZK witness used)Finally the ideal ledger is sent an extend query with aideal set to perp Execu-tion proceeds as in the adversarial case with the SRS part of the update being

37

distributed equally in the real and simulated ledgers and the ideal-world com-ponent being generated directly by the ideal world functionality (and thereforealso being distributed the same as in the real world which samples from thesame distribution)

srs queries Finally a user may query the SRS If this happens before time δboth worlds return perp ndash the delay wrapper does so in the ideal world and theadaptor protocol does so in the real world Otherwise the real world reconstructsthe leadership state and returns only the SRS component while the ideal worldqueries the simulator for a trapdoor permutation and if the SRS is not yetfinalised applies it to the honest SRS

Recall that after every extension FnakLedger ensures that the common prefixproperty holds Further once a partyrsquos projected ledger state has some commonprefix this is only ever extended ndash either by extending the whole projection (inextend) or by switching to a different one with the same prefix (in advance)After time δ if chain quality and liveness hold we can split each partyrsquos projectedchain into two parts Blocks with a timestamp at or before the time δ1 and thosewith a timestamp after it As extend enforces timestamps to be monotonicallyincreasing these concatenate to form the entire chain By the chain growthproperty and as it is at least time δ we know that the first part contains atleast l blocks and the second at least k blocks Chain quality ensures that thefirst part contains at least micro honest blocks while Apply ignores updates with atimestamps after δ1 Combined these facts imply that for any party the validSRS updates taken from their stable chain are identical

After the first SRS query both the ideal and real worlds will not change whatvalue they return the former because it has then recorded the final trapdoor andthe latter because the common prefix containing valid reference string updatescannot change The first query is therefore the most interesting

From Lemma 2 we know that the permutation p extracted by the simulatorwhen it is queried for the SRS permutation will inverted and applied to theSRSrsquo underlying trapdoor either result in τ0 or FuSRSτH From the above weknow that the SRS the simulator is extracting from matches that which honestparties generate ndash containing at least one honest update (by chain quality) Asthe first honest update in any chain is extracted from a FuSRS-provided referencestring (and by the correctness property it is valid) it cannot be τ0 Thereforethe simulator by providing p to FuSRS satisfies its requirements of a permissiblepermutation in P and ensures that once the permutation is applied the sameSRS is returned S(p(τH)) = S(p(pminus1(τ))) = S(τ)

In the above we have brushed aside the issue of aborts however these arealso simple to deal with FuSRS aborts if given an invalid permutation which thesimulator does not do In the real world if liveness or chain quality are violatedFnakLedger aborts In each query the simulator ensures that the same query isrun against the simulated ledger ensuring that both will abort under the sameconditions This is the primary purpose for which FuSRS asks for a permutationon each invocation despite only using it on the first as well as why it suppliesthe identity of the calling party ut

38

As it is possible to construct (non-succinct) non-interactive zero-knowledgefrom a random oracle we can remove the requirement on FRNIZK and insteadrely on a random oracle FRO (formally described in Appendix E3) As almostall constructions of Nakamoto-style ledgers are in the random oracle model ourusage of a low-level NIZK is not a major additional assumption

Corollary 1 For any updateable reference string scheme S it is possi-ble to realise the pair of functionalities (F ideal

nakLedgerWdelay(δFuSRS)) in the(F real

nakLedgerFRO)-hybrid world and in the presence of Gclock

39

Mining for Privacy How to Bootstrap a Snarky Blockchain

Research into so-called zk-SNARKs [30 21 23 22 29] aims at optimisingexactly these features with proof sizes typically under a kilobyte and verifi-cation times in the milliseconds It is a well-known fact that non-interactivezero-knowledge requires some shared randomness or a common reference stringFor many succinct systems [30 21 23 22 29] a stronger property is necessaryNot only is a shared random value needed but it must adhere to a specificstructure Such structured reference strings (or SRS) typically consist of relatedgroup elements gxi for all i isin Zn for instance

The obvious way of sampling such a reference string from public randomnessreveals the exponents used ndash and knowledge of these values breaks the sound-ness of the proof system itself To make matters worse the security of thesesystems typically relies (among others) on knowledge of exponent assumptionswhich state that to create group elements related in such a way requires knowingthe underlying exponents and hence any SRS sampler will have to ldquoknowrdquo theexponents used and be trusted to erase them becoming effectively a single pointof failure for the underlying system While secure multi-party computation canbe and has been used to reduce the trust placed on such a setup process [35]the selection of the participants for the secure computation and the verificationof the generation of the SRS by the MPC protocol retain an element of central-isation Using an MPC setup remains a controversial element in the setup of adecentralised system that requires SNARKs

Recent work has found succinct zero-knowledge proof systems with updateablereference strings [22 29] In these systems given a reference string it is possibleto produce an updated reference string such that knowing the trapdoor of thenew string requires both knowing the trapdoor of the old string and knowingthe randomness used in the update [22] conjectured that a blockchain protocolmay be used to securely generate such a reference string Nevertheless the exactblockchain mechanism that produces the SRS and the description of the securityguarantees it can offer has so far remained elusive

11 Our Contributions

In this work we describe and analyse for the first time a blockchain mechanismthat produces a secure SRS with the characteristic that security is shown forsimilar conditions under which the blockchain protocol is proven to be secureNotably different we make implicit use of secure erasure and require honestmajority only during a specific initialisation period The SRS then emanatesfrom the normal operation of the blockchain protocol itself without the need ofadditional security assumptions or off-chain computation andor verification

We rely primarily on the chain quality property of ldquoNakamoto-stylerdquo ledgers[17] ndash distributed ledgers in which a randomised process selects which user mayappend a block to an already established chain Such ledgers rely on an honestmajority of hashing power (or some other resource) ndash and can be shown toguarantee a chain quality property which suggests that any sufficiently longchain segment will have some blocks created by an honest user cf [17 31 18]

2




12 Related Work




3










4


Functionality FuSRS








return S(τ)





5













6











7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39





12 Related Work




3










4


Functionality FuSRS








return S(τ)





5













6











7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39











4


Functionality FuSRS








return S(τ)





5













6











7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39



Functionality FuSRS








return S(τ)





5













6











7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39














6











7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39












7







33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39








33 The Ideal World


8





34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39






34 The Hybrid World












9


nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39



nakLedger(FRNIZK))



36 UC Emulation










10

ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39


ndash local storage











11


20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39



20 24 28 212 216 220

10minus1

100

101

102

103

d

Executio

ntim

e(s)






12











13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39












13

0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39


0 20 40 60 80 100

10minus1

100

101

102


Pha

se1leng

thδ 1

(days)

α = 45 ε = 10minus5

α = 33 ε = 10minus4

α = 1 ε = 10minus3


0 100 200 300 400 500

2minus6

2minus5

2minus4

2minus3

2minus2

2minus1

20


Proba

bilityof

subv

ersion

ε

α = 45α = 33α = 1


14





44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39






44 Conclusion



15









16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39










16








αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39









αprime



17


αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39



αcαc+β middot




6 Discussion







18








19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39









19








20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39









20



7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39




7 Acknowledgements


Bibliography






21













22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39














22














23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39















23









A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39










A The Sonic uSRS



S((α x)) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)




24



pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39




pdagger =(Gi Hi H

primeidi=minusd G

primeidi=minusdi6=0

)7rarr(

Gyi

i Hyi

i Hprimeβyi

i

di=minusd

Gprimeβy

i

i

di=minusdi6=0








return 1






S(τ) =(

gxi

hxi

hαxidi=minusd

gαx

idi=minusdi6=0

)srsprime =

(gki hmi hni

di=minusd

glidi=minusdi6=0

)ρ = (gy gβy)

25





ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39






ndash k1 = m1 = xy






return(G

(xminus1)1 G






26






generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39







generation










27
















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39

















(sumjisinZl



28













nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39














nakLedger








29





D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39






D The Simulator




















30











elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39












elselet F simul









nakLedger


F simulnakLedger





31



return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39




return p


E1 The Global Clock












32










E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39











E3 Random Oracle

Functionality FRO





E4 Delay Wrapper

33





F Security Analysis






34


nakLedgerand F real






35










36









37







38





39






F Security Analysis






34


nakLedgerand F real






35










36









37







38





39



nakLedgerand F real






35










36









37







38





39











36









37







38





39










37







38





39








38





39






39


mining for privacy: how to bootstrap a snarky blockchain · 2021. 1. 29. · in their updates, and...

Documents