Symbolic Malleable Zero-knowledge Proofs

Zero-knowledge (ZK) proofs have become a central building block for a variety of modern security protocols, e.g., as ZK-SNARKs in Pinocchio (IEEE S&P 2013) and ADSNARK (IEEE S&P 2015). One of the reasons is that modern ZK constructions, such as the Groth-Sahai proof system, offer novel types of cryptographic flexibility: a participant is able to re-randomize existing ZK proofs to achieve, for instance, message unlinkability in anonymity protocols; she can hide public parts of a ZK proof statement to meet her specific privacy requirements; and she can logically compose ZK proofs in order to construct new proof statements. ZK proof systems that permit these transformations are called malleable. However, since these transformations are accessible also to the adversary, analyzing the security of these protocols requires one to cope with a much more comprehensive attacker model – a challenge that automated protocol analysis thus far has not been capable of dealing with. In this work, we introduce the first symbolic abstraction of malleable ZK proofs. We further prove the computational soundness of our abstraction with respect to observational equivalence, which enables the computationally sound verification of privacy properties. Finally, we show that our symbolic abstraction is suitable for ProVerif, a state-of-the-art cryptographic protocol verifier, by verifying an improved version of the anonymous webs of trust protocol.