Malicious Security in Collaborative zkSNARKs: More than Meets the Eye
Bhaskar Roberts
Abstract:
Collaborative zkSNARKs (Ozdemir and Boneh, USENIX’22) are a multiparty variant of zkSNARKs where multiple provers, each holding a private input, jointly compute a zkSNARK to prove the correctness of some computation over their inputs. The key security requirement is that the inputs of the honest parties must remain hidden from the view of the corrupted parties.
A sequence of works has proposed efficient constructions of collaborative zkSNARKs for several widely-used zkSNARKs. All of these constructions follow a common design template, aimed at avoiding non-black-box use of cryptography. In this work, we revisit this design template.
First, we find that achieving malicious security for collaborative zkSNARKs requires care. Via concrete attacks, we highlight two delicate points in the general design template that can lead to a violation of input privacy if not addressed properly. We also propose best practices for mitigation.
Second, in the honest-majority setting, we show that for some of the most widely-used zkSNARKs, surprisingly, it suffices to use semi-honest MPC for proof computation given shares of a valid “extended” witness. In particular, we show that with some minor changes, existing semi-honest protocols are already secure against malicious adversaries.
Bio:
Bhaskar is a PhD student in computer science at Berkeley advised by Sanjam Garg and Umesh Vazirani. He designs cryptographic schemes for quantum computers that provide greater security than classical schemes could ever achieve. As an undergrad at Princeton, he studied electrical engineering with a minor in applied math, and mainly did research with Mark Zhandry.