While NIZK arguments in the CRS model are widely studied, the question of what happens when the CRS is subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro showed the first negative and positive results, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero knowledge at the same time. On the positive side, they constructed a sound and subversion-zero knowledge (Sub-ZK) non-succinct NIZK argument for NP. We consider the practically very relevant case of zk-SNARKs. We make Groth’s zk-SNARK for Circuit-SAT from EUROCRYPT 2016 computationally knowledge-sound and perfectly composable Sub-ZK with minimal changes. We only require the CRS trapdoor to be extractable and the CRS to be publicly verifiable. To achieve the latter, we add some new elements to the CRS and construct an efficient CRS verification algorithm. We also provide a definitional framework for knowledge-sound and Sub-ZK SNARKs.

尽管对CRS模型中的NIZK参数进行了广泛研究，但颠覆CRS时会发生什么的问题却很少受到关注。在ASIACRYPT 2016中，Bellare，Fuchsbauer和Scafuro展示了第一个负面和正面结果，也证明了不可能同时获得颠覆性和（甚至非颠覆性）零知识。从积极的方面来说，他们为NP构建了一个声音和零颠覆性零知识（Sub-ZK）非简洁的NIZK论据。我们考虑zk-SNARK的实际非常相关的情况。我们制作Groth的zk-SNARK for Circuit-SAT来自EUROCRYPT 2016，具有计算知识，可完美组合的Sub-ZK，且变化最小。我们只要求CRS活板门是可提取的，而CRS必须是可公开验证的。为了实现后者，我们在CRS中添加了一些新元素，并构造了有效的CRS验证算法。我们还提供了用于知识健全和Sub-ZK SNARK的定义框架。