Comment on page
Security Model
The robust security framework that underlies zkMe.
Let
be a polynomial relation of statements
and witness
. A zk-SNARK
for
is composed of the following 3 polynomial time algorithms:
and works as follows. It satisfies completeness, succinctness, computational zero knowledge and simulation extractability.
: It takes the security parameter
and a circuit
as input, and generates a common reference string
.
: It takes a public input (statement) c and a private input (witness) x and generates and returns proof
, where
and
is a relation defined by
.
: This algorithm verifies proof
with regard to public input c. It returns 1 if the proof is verified successfully and 0 otherwise.
- Completeness: An honest prover with a valid witness can always convince an honest Verifier for a given security parameterand arithmetic circuit. i.e:
- Succinctness: The size of a zk-SNARK proofaboutis short, unrelated to the complexity of. In addition, thealgorithm is a deterministic polynomial time algorithm, also unrelated to the complexity of.
- Computational Zero Knowledge: A valid proofis computationally zero knowledge if it does not leak any information about the witness to PPT adversary. More formally, for any PPT, a simulated algorithmcan produce a common reference stringand a trapdoor,which is used into produce a simulated proof. This simulated proofis indistinguishable from a honestly generated proof. Computational Zero Knowledge means the honestly generated proof is zero-knowledge since the simulated proof does not contain any information about the witness.
- Simulation Extractability: The simulator can extract a witness from a proof generated by PPT adversaryeven afteris allowed to use the simulation oracle and has seen many simulated proofs, which imply knowledge soundness. This property ensures that the prover knows a valid witness if he can produce a valid proof. For every PPT adversary, there exist simulator algorithmsanda probabilistic polynomial-time witness extractor, such that the following probability is negligible:
The signing private key is split into key shares: one for the Issuer, one for the Holder, and one for the Regulator (where applicable). Only the three of them working together can sign the message. The signature on the 2-ECDSA cannot be forged by any PPT adversary
. The decryption private key is split into two key shares, one for the zk-SNARK and one for the Holder.
We design the zkMe network by combining all the preliminaries (see sequence diagram above) and describe the ideal functionality as follows:
-
Initialize the public parameters
Decide on kyc template
Publish
-
Generate key shares
User selects random
. Zkme selects random
.
Two parties runs
User runs
Two parties runs
Publish
-
Client scans the document into IDdata
queries the kyc question set
and proving keys
runs
Sends
to server
-
Client downloads
from
, and runs
Sends
to server
Server calls
-
Client downloads
from
, and runs
Sends
to server. Server calls
-
DApp watches the event and gets
, and runs
If
, authorization checking
If the zk-SNARK scheme
satisfies Completeness and Computational Zero Knowledge, the 2-party threshold encryption scheme is secure against chosen-plaintext attacks, then the proposed zk-SNARK provides zk-SNARK.
We adopt the standard hybrid argument to prove Theorem 1 by showing that our zkMe network securely realizes the ideal functionality
. Let
be a random variable representing the joint view of zkme server and nodes in blockchain. If there exists a PPT simulator
such that the output of
is computationally indistinguishable from the output of
.
Hybrid_0: Hybrid_0 is a real view where PPT adversary
tries to find the identity information of wid.
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that the simulated wid runs
where
is uniformly random. Since only the content of
is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_1 is indistinguishable from Hybrid_0.
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that the simulated wid runs
where
has the same amount of questions as
and the distribution of
is uniformly random and every
is correctly generated against the question in
. Since only the content of
and
is changed, the zk-SNARK satisfies Completeness and Computational Zero Knowledge, all
are verified valid, Hybrid_2 is indistinguishable from Hybrid_1.
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that the simulated zkme server runs
. Since only the content of
and
is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_3 is indistinguishable from Hybrid_2.
Hybrid_4: Hybrid_3 is identical to Hybrid_3, except that the simulated zkme server runs
, where
are independent with
. Since only the content of
is changed, the ThresholdEncrypt function is secure against chose-plaintext attacks, Hybrid_4 is indistinguishable from Hybrid_3.
The argument proves that there is a simulator
sampled from the distribution described above so that its output is computationally indistinguishable from the output of
. Hence, our scheme can provide anonymity.
If the zkMe client provides a trusted execution environment, the public blockchain is immutable, the commitment scheme is binding, then the proposed zk-SNARK provides unforgeability.
We also adopt the standard hybrid argument to prove Theorem 2, where the probability that PPT adversary
succeeds in breaking unforgeability becomes negligible.
Hybrid_0: Hybrid_0 is a real view where PPT adversary
tries to mint SBT with fake document and transfer others' SBT_ssi to his/her asset wallet.
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that
constructs the fake document and shows it to zkme client. Since the zkme client provides a trusted execution environment, any forged document can not pass validation. Hybrid_1 is indistinguishable from Hybrid_0.
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that
constructs the ciphertext and proof
based on fake question set and modifies the data in SSI blockchain. Since the public blockchain is immutable.
cannot change the verified ciphertext data
of
in SSI blockchain. Hybrid_2 is indistinguishable from Hybrid_1.
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that colluder constructs the
based on
and tries to transfer his/her SBT to asset wallet
. Since the commitment scheme is binding. It can be detected by mint server if the private key of asset wallet is not bound to public key of SSI wallet. The asset wallet of
can not receive the SBT from other ones. Hybrid_3 is indistinguishable from Hybrid_2. Hence, under these assumptions of Theorem 2, the proposed system provides the unforgeability property.
If the zkMe client provides a trusted execution environment, the (k, n)-threshold SSS is correct, the decentralized storage is immutable, then the designed zkMe network provides traceability.
We also adopt the standard hybrid argument to prove Theorem 3, where the probability that PPT adversary
succeeds in breaking traceability becomes negligible.
Hybrid_0: Hybrid_0 is a real view where PPT adversary
tries to stop the regulator committee to trace back the real IDdata.
Hybrid_1: Hybrid_1 is identical to Hybrid_0, except that
constructs the fake ciphertext
where plaintext is fake identity data
. Since the zkme client provides a trusted execution environment, any forged document can not pass validation. Hybrid_1 is indistinguishable from Hybrid_0.
Hybrid_2: Hybrid_2 is identical to Hybrid_1, except that
generates the ciphertext
and tries to replace the data
in IPFS. Since the decentralized storage is immutable.
cannot change the data
in IPFS. Hybrid_2 is indistinguishable from Hybrid_1.
Hybrid_3: Hybrid_3 is identical to Hybrid_2, except that
tries to break the correctness property of the (k, n)-threshold SSS.. Since the (k, n)-threshold SSS is correct. Hybrid_3 is indistinguishable from Hybrid_2.
Hence, under these assumptions of Theorem 3, the proposed system provides the traceability property.
Last modified 2mo ago