Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

Transcription

1 Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

2 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq. Esp. to find Gröbner bases Enables proof verification by practitioners

3 Anonymity Correctness Data is public (Data, source) is private

4 π, r ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) d 3 =c π(3) e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not yet correct: what if a server cheats?

5 pk, π, r proof pk, ψ,s proof sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) d 3 =c π(3) e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3)) Prove that shuffling was correct, send proof to the next server Verify all previous proofs, shuffle, create your own proof Verify all proofs

6 Shuffle argument: efficient zero knowledge argument of correctness of shuffling Many shuffles in the random oracle model exist Several of them are quite efficient Existing CRS model arguments much less efficient

7 Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM L-Zhang (2012) Fauzi-L (2016) Fauzi-L-Zajac CRS length 7n + 6 8n n + 14 Communic. 12n n + 2 7n + 3 P comp. (units) V comp. (units) GBGM? PSDL, DLIN (comp.) KE, PKE (knowledge) TSDH, PCDH, PSP (comp.) 2x PKE (knowledge) Soundness Full Culpable Full Pure GBGM n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves

8 td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

9 Correctness Soundness Zero knowledge (privacy) td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

10 Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab

11 Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?

12 People disagree A few hundred (thousand?) known pairing-related hardness assumptions Each of them has to be cryptanalysed Easiest sanity check: does this assumption hold in the generic model?

13 Protocol Assumption 1 (known) Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency

14 Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency

15 Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is product of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates Note: we do not handle G T as a generic group

16 Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }

17 jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice = restricted to be as in the honest case

18 Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition: Compose CRS-s of individual subarguments together, getting one big CRS

19 Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate

20 Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through

21 Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero

22 Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0

23 In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

24 Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X j α X ρk ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations

25

26 Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS Obtain that A i (X) = a I P I (X) => Sound

27