Comment on page
Security Model

The robust security framework that underlies zkMe.
Notations
zk-SNARK
Let R=(c,x)R={(c,x)}R=(c,x)
 be a polynomial relation of statements ccc
 and witness xxx
. A zk-SNARK Π\PiΠ
 for RRR
 is composed of the following 3 polynomial time algorithms: Setup,Prove,Verify\mathsf{Setup,Prove,Verify} Setup,Prove,Verify
 and works as follows. It satisfies completeness, succinctness, computational zero knowledge and simulation extractability.
​Setup(1λ,C)→crs\mathsf{Setup}(1^\lambda, C)\rightarrow \mathsf{crs}Setup(1λ,C)→crs
 : It takes the security parameter λ\lambdaλ
 and a circuit CCC
 as input, and generates a common reference string crs\mathsf{crs}crs
 .
​Prove(crs,c,x)→π\mathsf{Prove}({\mathsf{crs},c,x)}\rightarrow \piProve(crs,c,x)→π
 : It takes a public input (statement) c and a private input (witness) x and generates and returns proof π\piπ
, where (c,x)∈RC(c,x) \in R_C(c,x)∈RC​
 and RCR_CRC​
 is a relation defined by CCC
.
​Verify(crs,c,π)→{0/1}\mathsf{Verify}({\mathsf{crs},c,\pi)} \rightarrow \lbrace 0/1 \rbraceVerify(crs,c,π)→{0/1}
 : This algorithm verifies proof π\piπ
 with regard to public input c. It returns 1 if the proof is verified successfully and 0 otherwise.
Completeness: An honest prover with a valid witness can always convince an honest Verifier for a given security parameter λ\lambdaλ
 and arithmetic circuit CCC
. i.e:
Pr⁡[Verify⁡(crs,π,c)=1crs←Setup(1λ,C)π←Prove(crs,c,x)]=1\operatorname{Pr}\left[\begin{array}{l|l} \operatorname{\mathsf{Verify}}(\mathsf{crs}, \pi, c)=1 & \begin{array}{l} \mathsf{crs} \leftarrow \mathsf{Setup}\left(1^{\lambda}, C\right) \\ \pi \leftarrow \mathsf{Prove}(\mathsf{crs}, c, x) \end{array} \end{array}\right]=1Pr[Verify(crs,π,c)=1​crs←Setup(1λ,C)π←Prove(crs,c,x)​​]=1
Succinctness: The size of a zk-SNARK proof π\piπ
 about CCC
 is short, unrelated to the complexity of CCC
. In addition, the Verify\mathsf{Verify}Verify
 algorithm is a deterministic polynomial time algorithm, also unrelated to the complexity of CCC
.
Computational Zero Knowledge: A valid proof π\piπ
 is computationally zero knowledge if it does not leak any information about the witness to PPT adversary A\mathcal{A}A
. More formally, for any PPT A\mathcal{A}A
, a simulated algorithm Setup^\widehat{\mathsf{Setup}}Setup​
 can produce a common reference string crs\mathsf{crs}crs
 and a trapdoor τ\tauτ
,which is used in Prove^\widehat{\mathsf{Prove}}Prove
 to produce a simulated proof π^\hat{\pi}π^
. This simulated proof π^\hat{\pi}π^
 is indistinguishable from a honestly generated proof. Computational Zero Knowledge means the honestly generated proof is zero-knowledge since the simulated proof does not contain any information about the witness. Pr⁡[A(crs,π,c)=1crs←Setup(1λ,C) π←Prove(crs,c,x)]≃Pr⁡[A(crs^,π^,c)=1(crs^,τ)←Setup^(1λ,C) π^←Prove^(crs^,τ,c)]\operatorname{Pr}\left[\begin{array}{l|l} \mathcal{A}(\mathsf{crs}, \pi, c)=1 & \begin{array}{l} \mathsf{crs} \leftarrow \mathsf{Setup}\left(1^{\lambda}, C\right) \ \pi \leftarrow \mathsf{Prove}(\mathsf{crs}, c, x) \end{array} \end{array}\right] \simeq \operatorname{Pr}\left[\begin{array}{l|l} \mathcal{A}(\widehat{\mathsf{crs}}, \hat{\pi}, c)=1 & \begin{array}{l} (\widehat{\mathsf{crs}}, \tau) \leftarrow \widehat{\mathsf{Setup}}\left(1^{\lambda}, C\right) \ \hat{\pi} \leftarrow \widehat{\mathsf{Prove}}(\widehat{\mathsf{crs}}, \tau, c) \end{array} \end{array}\right] Pr[A(crs,π,c)=1​crs←Setup(1λ,C) π←Prove(crs,c,x)​​]≃Pr[A(crs,π^,c)=1​(crs,τ)←Setup​(1λ,C) π^←Prove(crs,τ,c)​​]
​
Simulation Extractability: The simulator can extract a witness from a proof generated by PPT adversary A\mathcal{A}A
 even after A\mathcal{A}A
 is allowed to use the simulation oracle and has seen many simulated proofs, which imply knowledge soundness. This property ensures that the prover knows a valid witness if he can produce a valid proof. For every PPT adversary A\mathcal{A}A
, there exist simulator algorithms Setup^\widehat{\mathsf{Setup}}Setup​
 and Prove^\widehat{\mathsf{Prove}}Prove
 a probabilistic polynomial-time witness extractor X\mathcal{X}X
, such that the following probability is negligible:
Pr⁡[(c,x)∉RC(crs^,τ)←Setup^(1λ,C)(c,π)∉Q(c,π)←AProve^(crs^,τ,⋅)(crs^)Verify(crs^,π,c)=1x←X(transA)]\operatorname{Pr}\left[\begin{array}{l|l} (c, x) \notin \mathcal{R}_{C} & (\widehat{\mathsf{crs}}, \tau) \leftarrow \widehat{\mathsf{Setup}}\left(1^{\lambda}, C\right) \\ (c, \pi) \notin \mathcal{Q} & (c, \pi) \leftarrow \mathcal{A}^{\widehat{\mathsf{Prove}}}(\widehat{\mathsf{crs}}, \tau, \cdot)(\widehat{\mathsf{crs}}) \\ \mathsf{Verify}(\widehat{\mathsf{crs}}, \pi, c)=1 & x \leftarrow \mathcal{X}\left(\mathsf{trans}_{\mathcal{A}}\right) \end{array}\right]Pr⎣⎡​(c,x)∈/RC​(c,π)∈/QVerify(crs,π,c)=1​(crs,τ)←Setup​(1λ,C)(c,π)←AProve(crs,τ,⋅)(crs)x←X(transA​)​⎦⎤​
2-party ECDSA
The signing private key is split into key shares: one for the Issuer, one for the Holder, and one for the Regulator (where applicable). Only the three of them working together can sign the message. The signature on the 2-ECDSA cannot be forged by any PPT adversary A\mathcal{A}A
. The decryption private key is split into two key shares, one for the zk-SNARK and one for the Holder.
The ideal functionality F\mathcal{F}F
 for zkMe
We design the zkMe network by combining all the preliminaries (see sequence diagram above) and describe the ideal functionality as follows:
​F.setup(⋅)\mathcal{F}.setup(\cdot) F.setup(⋅)
​
      Initialize the public parameters pppppp
  
      Decide on kyc template T:=(Q,c,addkyc)\mathcal{T}:=(\mathcal{Q}, c, add_{kyc})T:=(Q,c,addkyc​)
  
      Publish (pp,T)(pp,\mathcal{T})(pp,T)
​
​F.registry(pp,sk1,sk2,tesk1,tesk2)→(pkE,pkSSI,AddSSI,pkTE)\mathcal{F}.registry(pp, sk_1, sk_2, tesk_1, tesk_2) \rightarrow (pk_{E},pk_{SSI},Add_{SSI},pk_{TE})F.registry(pp,sk1​,sk2​,tesk1​,tesk2​)→(pkE​,pkSSI​,AddSSI​,pkTE​)
​
      Generate key shares  
      User selects random sk1,tesk1sk_1, tesk_1sk1​,tesk1​
. Zkme selects random sk2,tesk2sk_2, tesk_2sk2​,tesk2​
.  
      Two parties runs ComputeGlobalPubKey(sk1,sk2)→pkSSI\mathsf{ComputeGlobalPubKey}(sk_1, sk_2) \rightarrow pk_{SSI}ComputeGlobalPubKey(sk1​,sk2​)→pkSSI​
  
      User runs ComputePubKey(sk1)→pkE\mathsf{ComputePubKey}(sk_1) \rightarrow pk_{E}ComputePubKey(sk1​)→pkE​
  
      Two parties runs ComputeGlobalPubKey(tesk1,tesk2)→pkTE\mathsf{ComputeGlobalPubKey}(tesk_1, tesk_2) \rightarrow pk_{TE}ComputeGlobalPubKey(tesk1​,tesk2​)→pkTE​
  
      Publish (pkSSI,pkE,pkTE)(pk_{SSI},pk_{E},pk_{TE})(pkSSI​,pkE​,pkTE​)
​
​F.mintSSISBT(⋅)\mathcal{F}.mintSSISBT(\cdot) F.mintSSISBT(⋅)
​
      Client scans the document into IDdata  
      queries the kyc question set C\mathcal{C}C
 and proving keys  
      runs
      ThresholdEncrypt(pkTE,IDdata)→encid \mathsf{ThresholdEncrypt}(pk_{TE},IDdata) \rightarrow enc_{id}ThresholdEncrypt(pkTE​,IDdata)→encid​
  
      Encrypt(pkE,tesk1)→enct1 \mathsf{Encrypt}(pk_{E},tesk_{1}) \rightarrow enc_{t1}Encrypt(pkE​,tesk1​)→enct1​
  
      ProveAll(IDdata,C,pk)→{πi}i∈[C]\mathsf{ProveAll}(IDdata,\mathcal{C},pk) \rightarrow \lbrace \pi_i \rbrace_{i \in [\mathcal{C}]}ProveAll(IDdata,C,pk)→{πi​}i∈[C]​
  
      Sends (C,{πi}i∈[C],encid,enct1)(\mathcal{C},\lbrace \pi_i \rbrace_{i \in [\mathcal{C}]},enc_{id},enc_{t1})(C,{πi​}i∈[C]​,encid​,enct1​)
 to server
​F.transferSBT(⋅)\mathcal{F}.transferSBT(\cdot) F.transferSBT(⋅)
​
      Client downloads enct1enc_{t1}enct1​
 from SBTssiSBT_{ssi}SBTssi​
, and runs
      Decrypt(sk1,enct1)→tesk1 \mathsf{Decrypt}(sk_{1},enc_{t1}) \rightarrow tesk_{1}Decrypt(sk1​,enct1​)→tesk1​
  
      ComputeCapsule(skassert,tesk1)→capsule \mathsf{ComputeCapsule}(sk_{assert},tesk_{1}) \rightarrow capsuleComputeCapsule(skassert​,tesk1​)→capsule
  
       Sends capsulecapsulecapsule
 to server  
       Server calls mint(encC,encπ,capsule)→SBTassert\mathsf{mint}(enc_{\mathcal{C}}, enc_{\pi},capsule)\rightarrow SBT_{assert}mint(encC​,encπ​,capsule)→SBTassert​
​
​F.showSBT(⋅)\mathcal{F}.showSBT(\cdot) F.showSBT(⋅)
​
      Client downloads capsulecapsulecapsule
 from SBTassetSBT_{asset}SBTasset​
, and runs  
      ComputeRK(skasset,pkproject)→rk \mathsf{ComputeRK}(sk_{asset},pk_{project}) \rightarrow rkComputeRK(skasset​,pkproject​)→rk
  
       Sends rkrkrk
 to server.  Server calls ReEncrypt(SBTasset,rk,targetProject)→rk \mathsf{ReEncrypt}(SBT_{asset},rk, targetProject) \rightarrow rkReEncrypt(SBTasset​,rk,targetProject)→rk
​
​F.verifyShow(⋅)\mathcal{F}.verifyShow(\cdot) F.verifyShow(⋅)
​
      DApp watches the event and gets rkrkrk
 , and runs
      PDecrypt(skproject,rk)→tesk1 \mathsf{PDecrypt}(sk_{project}, rk) \rightarrow tesk_1PDecrypt(skproject​,rk)→tesk1​
  
      ThresholdDecrypt(tesk1,encC,encπ)→({quesi}i∈[C],{πi}i∈[C]) \mathsf{ThresholdDecrypt}(tesk_1,enc_{\mathcal{C}}, enc_{\pi}) \rightarrow (\lbrace ques_i \rbrace_{i \in [\mathcal{C}]}, \lbrace \pi_i \rbrace_{i \in [\mathcal{C}]})ThresholdDecrypt(tesk1​,encC​,encπ​)→({quesi​}i∈[C]​,{πi​}i∈[C]​)
  
       If VerifyAll(C,{πi}i∈[C])==1\mathsf{VerifyAll}(\mathcal{C},\lbrace \pi_i \rbrace_{i \in [\mathcal{C}]}) == 1VerifyAll(C,{πi​}i∈[C]​)==1
, authorization checking
Security Proof
Theorem 1:                                                                                                                                           
If the zk-SNARK scheme Π\PiΠ
 satisfies Completeness and Computational Zero Knowledge, the 2-party threshold encryption scheme is secure against chosen-plaintext attacks, then the proposed zk-SNARK provides zk-SNARK.
Proof of Theorem 1:
We adopt the standard hybrid argument to prove Theorem 1 by showing that our zkMe network securely realizes the ideal functionality F.mintSSISBT(⋅)\mathcal{F}.mintSSISBT(\cdot) F.mintSSISBT(⋅)
. Let Real\mathcal{Real}Real
 be a random variable representing the joint view of zkme server and nodes in blockchain. If there exists a PPT simulator Sim\mathcal{Sim}Sim
 such that the output of Sim\mathcal{Sim}Sim
 is computationally indistinguishable from the output of Real\mathcal{Real}Real
.  
Hybrid_0: Hybrid_0 is a real view where PPT adversary A\mathcal{A}A
 tries to find the identity information of wid.                                                                                                             
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that the simulated wid runs              ThresholdEncrypt(pkTE,r)→P \mathsf{ThresholdEncrypt}(pk_{TE},r) \rightarrow \mathbb{P}ThresholdEncrypt(pkTE​,r)→P
 where r rr
 is uniformly random. Since only the content of encidenc_{id}encid​
 is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_1 is indistinguishable from Hybrid_0.                                                                   
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that the simulated wid runs ProveAll(IDdata′,B,pk)→{πi′}i∈[B]\mathsf{ProveAll}(IDdata',\mathcal{B},pk) \rightarrow \lbrace \pi_i' \rbrace_{i \in [\mathcal{B}]}ProveAll(IDdata′,B,pk)→{πi′​}i∈[B]​
 where B\mathcal{B}B
 has the same amount of questions as C\mathcal{C}C
 and the distribution of B\mathcal{B}B
 is uniformly random and every πi′\pi_i'πi′​
 is correctly generated against the question in B\mathcal{B}B
. Since only the content of C\mathcal{C}C
 and {πi}i∈[C]\lbrace \pi_i \rbrace_{i \in [\mathcal{C}]}{πi​}i∈[C]​
 is changed, the zk-SNARK satisfies Completeness and Computational Zero Knowledge, all {πi′}i∈[B]\lbrace \pi_i' \rbrace_{i \in [\mathcal{B}]}{πi′​}i∈[B]​
 are verified valid, Hybrid_2 is indistinguishable from Hybrid_1.                                                                   
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that the simulated zkme server runs ThresholdEncryptAll(pkTE,{quesi}i∈[B])→encB \mathsf{ThresholdEncryptAll}(pk_{TE},\lbrace ques_i \rbrace_{i \in [\mathcal{B}]}) \rightarrow enc_{\mathcal{B}}ThresholdEncryptAll(pkTE​,{quesi​}i∈[B]​)→encB​
. Since only the content of C\mathcal{C}C
 and encCenc_{\mathcal{C}}encC​
 is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_3 is indistinguishable from Hybrid_2.  
Hybrid_4: Hybrid_3 is identical to Hybrid_3, except that the simulated zkme server runs ThresholdEncryptAll(pkTE,{πi′}i∈[B])→encπ′ \mathsf{ThresholdEncryptAll}(pk_{TE}, \lbrace \pi_i' \rbrace_{i \in [\mathcal{B}]}) \rightarrow enc_{\pi}'ThresholdEncryptAll(pkTE​,{πi′​}i∈[B]​)→encπ′​
, where {πi′}i∈[B]\lbrace \pi_i' \rbrace_{i \in [\mathcal{B}]}{πi′​}i∈[B]​
 are independent with {πi}i∈[C]\lbrace \pi_i \rbrace_{i \in [\mathcal{C}]}{πi​}i∈[C]​
. Since only the content of encπenc_{\mathcal{\pi}}encπ​
 is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_4 is indistinguishable from Hybrid_3.  
The argument proves that there is a simulator Sim\mathcal{Sim}Sim
 sampled from the distribution described above so that its output is computationally indistinguishable from the output of Real\mathcal{Real}Real
. Hence, our scheme can provide anonymity.
Theorem 2: 
If the zkMe client provides a trusted execution environment, the public blockchain is immutable, the commitment scheme is binding, then the proposed zk-SNARK provides unforgeability.
Proof of Theorem 2:
We also adopt the standard hybrid argument to prove Theorem 2, where the probability that PPT adversary A\mathcal{A}A
 succeeds in breaking unforgeability becomes negligible.  
Hybrid_0: Hybrid_0 is a real view where PPT adversary A\mathcal{A}A
 tries to mint SBT with fake document and transfer others' SBT_ssi to his/her asset wallet.  
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that A\mathcal{A}A
 constructs the fake document and shows it to zkme client. Since the zkme client provides a trusted execution environment, any forged document can not pass validation. Hybrid_1 is indistinguishable from Hybrid_0.  
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that A\mathcal{A}A
 constructs the ciphertext and proof (encC′,encπ′)(enc_{\mathcal{C}'}, enc_{\pi'})(encC′​,encπ′​)
 based on fake question set and modifies the data in SSI blockchain. Since the public blockchain is immutable. A\mathcal{A}A
 cannot change the verified ciphertext data (encC,encπ)(enc_{\mathcal{C}}, enc_{\pi})(encC​,encπ​)
 of SBTssiSBT_{ssi}SBTssi​
 in SSI blockchain. Hybrid_2 is indistinguishable from Hybrid_1.  
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that colluder constructs the capsule′capsule'capsule′
 based on skAsk_{\mathcal{A}}skA​
 and tries to transfer his/her SBT to asset wallet A\mathcal{A}A
. Since the commitment scheme is binding. It can be detected by mint server if the private key of asset wallet is not bound to public key of SSI wallet. The asset wallet of A\mathcal{A}A
 can not receive the SBT from other ones. Hybrid_3 is indistinguishable from Hybrid_2.  Hence, under these assumptions of Theorem 2, the proposed system provides the unforgeability property.
Theorem 3: 
If the zkMe client provides a trusted execution environment, the (k, n)-threshold SSS is correct, the decentralized storage is immutable, then the designed zkMe network provides traceability.
Proof of Theorem 3
We also adopt the standard hybrid argument to prove Theorem 3, where the probability that PPT adversary A\mathcal{A}A
 succeeds in breaking traceability becomes negligible.  
Hybrid_0: Hybrid_0 is a real view where PPT adversary A\mathcal{A}A
 tries to stop the regulator committee to trace back the real IDdata.  
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that A\mathcal{A}A
 constructs the fake ciphertext encid′ enc_{id'}encid′​
 where plaintext is fake identity data IDdata′IDdata'IDdata′
. Since the zkme client provides a trusted execution environment, any forged document can not pass validation. Hybrid_1 is indistinguishable from Hybrid_0.  
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that A\mathcal{A}A
 generates the ciphertext encid′enc_{id'}encid′​
 and tries to replace the data encidenc_{id}encid​
 in IPFS. Since the decentralized storage is immutable. A\mathcal{A}A
 cannot change the data encidenc_{id}encid​
 in IPFS. Hybrid_2 is indistinguishable from Hybrid_1.  
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that A\mathcal{A}A
 tries to break the correctness property of the (k, n)-threshold SSS.. Since the (k, n)-threshold SSS is correct. Hybrid_3 is indistinguishable from Hybrid_2.  
Hence, under these assumptions of Theorem 3, the proposed system provides the traceability property.