This article was first published on Zcash
The engineering and cryptography team at Zcash goes to great lengths to minimize risk. That is always worthwhile, but it is even more important when deploying very new cryptography, and independent auditing is one of the main tools for it. One of the auditors we hired is Mary Maller, a Ph.D. student of Sarah Meiklejohn and Jens Groth at University College London and currently one of the leading experts in the world on zk-SNARKs. In this post we announce an independent proof of security by Mary for a crucial component of the Sapling upgrade: the MPC protocol that was used to generate the zk-SNARK parameters.
The protocol was initially presented in a paper [BGM] by Sean Bowe, Ian Miers and me. Mary's work gives us an additional, independent data point that the MPC protocol and the zk-SNARK we are using are provably secure.
The zk-SNARK in Sapling was designed by Jens Groth [Groth16]. However, the structure of the [Groth16] parameters does not allow them to be computed in an MPC without the players exposing their secret randomness. For this reason [BGM] considers a version of [Groth16] in which auxiliary elements are added to the SNARK parameters to make them "MPC friendly"; these are exactly the elements that were computed in the Powers of Tau ceremony.
[Groth16] proves SNARK security in what is called the Generic Group Model. [BGM] proves that access to these auxiliary elements does not give such a generic-group adversary any additional power to create fraudulent proofs. Independently verifying that adding these elements to the parameters does not break the zk-SNARK's security was the original scope of Mary's work; this is the most crucial point, and one where we are very glad to have independent verification.
Her paper continues by showing, using methods different from those of [BGM], that a party controlling all but one of the participants in ...