NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion

Motivated by the subversion of “trusted” public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indistinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations. 1 Department of Computer Science & Engineering, University of California San Diego, USA. Email: mihir @eng.ucsd.edu. URL: cseweb.ucsd.edu/~mihir/. Supported in part by NSF grant CNS-1228890, NSF grant CNS1526801, ERC Project ERCC FP7/615074 and a gift from Microsoft corporation. This work was done in part while visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467. 2 Inria, Ecole Normale Supérieure, CNRS and PSL Research University, Paris, France. Email: georg.fuchsbauer @ens.fr. URL: http://www.di.ens.fr/~fuchsbau/. Computer Science Departments, Boston University and Northeastern University. Email: [email protected]. URL: http://cs-people.bu.edu/scafuro/. Supported in part by NSF grants CNS-1347350, CNS-1413964, CNS-1012798 and CNS-1414119. This work was done in part while visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.