Zero-knowledge proofs allow a prover to convince a verifier of the validity of a statement without revealing anything else. Non-interactive zero-knowledge (NIZK) proofs are a central concept in cryptography, which relies on parameters that must be set up in a trusted way. Motivated by the subversion of “trusted” public parameters in mass-surveillance activities, we study the security of NIZK proofs in the face of parameter subversion. We investigate which security properties of NIZK proofs can be salvaged when the parameters are set up maliciously.

We then turn to SNARKs, which are proof systems with short and efficiently verifiable proofs. Motivated by outsourcing of computation, they let an untrusted server attach a short proof that the result was computed correctly. Zero-knowledge SNARKs are today used e.g. in anonymous cryptocurrencies such as Zcash. We prove that many ZK-SNARK schemes proposed in the literature are in fact subversion-ZK or can be made at little cost and show that Zcash is anonymous even if the parameter setup was subverted.