Homomorphic Trapdoor Commitments to Group Elements

Transcription

1 Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc trapdoor commtment schemes only allow the messages to be exponents. Our commtment schemes are length-reducng, we can make a short commtment to many group elements at once, and they are perfectly hdng and computatonally bndng. The commtment schemes are based on groups wth a blnear map. We can commt to elements from a base group, whereas the commtments belong to the target group. We present two constructons based on smple computatonal ntractablty assumptons, whch we call respectvely the double parng assumpton and the smultaneous trple parng assumpton. Whle the assumptons are new, we demonstrate that they are mpled by well-known assumptons; respectvely the decson Dffe-Hellman assumpton and the decson lnear assumpton. Keywords: Homomorphc trapdoor commtment, blnear groups, double parng assumpton, smultaneous trple parng assumpton. 1 Introducton A non-nteractve commtment scheme makes t possble to create a commtment c to a secret message m. The commtment hdes the message, but we may later dsclose m and demonstrate that c was a commtment to m by revealng the randomness r used when creatng t. Revealng the message and the randomness s called openng the commtment. It s essental that once a commtment s made, t s bndng. Bndng means that t s nfeasble to fnd two openngs of the same commtment to two dfferent messages. In ths paper, we are nterested n publc-key commtments wth some useful features. Frst, we want the commtment scheme to have a trapdoor property. In normal operaton the commtment scheme s bndng, however, f we know a secret trapdoor tk assocated wth the publc commtment key ck, then t s possble to create commtments that can be opened to any message. We note that the trapdoor property mples that the commtment hdes the message. Second, we want the commtment scheme to be homomorphc. Homomorphc means that messages and commtments belong to abelan groups and f we multply two commtments, we get a new commtment that contans the product of the two messages. Thrd, we want to commtment scheme to be length reducng,.e. the commtment s shorter than the message. Related work. There are many examples of homomorphc commtments. Homomorphc cryptosystems such as ElGamal ElG85, Okamoto-Uchyama OU98, Paller Pa99, BGN BGN05 or Lnear Encrypton BBS04 can be seen as homomorphc commtment schemes that are perfectly bndng and computatonally hdng. Commtments based on homomorphc encrypton can be converted nto computatonally bndng and perfectly hdng homomorphc commtments, see for 1

2 nstance the mxed commtments of Damgård and Nelsen DN02 and the commtment schemes used by Groth, Ostrovsky and Saha GOS06, Boyen and Waters BW06, Groth Gro06 and Groth and Saha GS08. Even for the perfectly hdng varaton of these commtment schemes, the sze of a commtment s larger than the sze of a message though. Ths length-ncrease follows from the fact that the underlyng buldng block s a cryptosystem and a cphertext must be large enough to accommodate the message. There are also drect constructons of homomorphc trapdoor commtment schemes such as Gullou and Qusquater commtments GQ88 and Pedersen commtments Ped91. Pedersen commtments are one of the most used commtment schemes n the feld of cryptography. The publc key conssts of two group elements g, h belongng to a group of prme order q and we commt to a message m Z q by computng c = g m h t, where t Z q s a randomly chosen randomzer. Pedersen commtments are perfectly hdng wth a trapdoor and f the dscrete logarthm problem s hard they are computatonally bndng. There are many varants of the Pedersen commtment scheme. Fujsak and Okamoto FO97 and Damgård and Fujsak DF02 for nstance suggest a varant where the messages can be arbtrary ntegers. There s an mportant generalzaton of the Pedersen commtment scheme that makes t possble to commt to many messages at once. The publc key conssts of m+1 group elements γ 1,..., γ m, h and we compute a commtment to (m 1,..., m m ) as c = h t m γm. Ths commtment scheme s length-reducng snce we only use one group element to commt to m messages, a feature that has been found useful n contexts such as mx-nets/votng, dgtal credentals, blnd sgnatures and zero-knowledge proofs FS01, Nef01, Bra00, KZ06, Lp03. Common for all the homomorphc trapdoor commtment schemes 1 we mentoned above s that they are homomorphc wth respect to addton n a rng or a feld. However, n publc-key cryptography t s common to work over groups that are not rngs or felds and often t s useful to commt to group elements from such groups. Of course, f we know the dscrete logarthms of the group elements we want to commt to, we can use the Pedersen commtment scheme to commt to the dscrete logarthms. In general, we cannot expect to know the dscrete logarthms of the group elements that we want to commt to though, leavng us wth the open problem of constructng homomorphc trapdoor commtments to group elements. Our contrbuton. The contrbuton of ths paper s the constructon of homomorphc trapdoor commtment schemes for group elements. The commtment schemes are perfectly hdng, perfectly trapdoor and computatonally bndng. We stress that we can commt to arbtrary group elements and trapdoor-open to arbtrary group elements, even f we do not know the dscrete logarthms of these group elements. Moreover, the commtment schemes have the addtonal advantage of beng length-reducng, we can commt to multple group elements wth one short commtment. Our constructons are based on blnear groups. These are groups G 1, G 2, G T wth a blnear map e : G 1 G 2 G T. Messages and randomzers wll be elements from G 2, whereas the commtments wll consst of a few group elements n G T. An advantage of our commtment schemes s that the constructons are very smple. In one constructon, the publc key conssts of n + 1 group elements (g r, g 1,..., g n ) from G 1 and we commt to m 1,..., m n G 2 by choosng r G 2 at random and computng the commtment c = e(g r, r) e(g, m ). 1 Boyen and Waters BW06, Groth Gro06 and Groth and Saha GS08 use homomorphc commtments to group elements, but do they do not have a trapdoor property that makes t possble to open them to arbtrary group elements. Moreover, those commtments suffer from beng length-ncreasng. 2

3 In the other constructon, the publc key conssts of 2n + 4 group elements (g r, h r, g s, h s, g 1, h 1,..., g n, h n ) from G 1 and the commtment conssts of pckng r, s at random from G 2 and computng the commtment (c, d) as c = e(g r, r)e(g s, s) e(g, m ) and d = e(h r, r)e(h s, s) e(h, m ). The commtment schemes are computatonally bndng assumng the double parng assumpton respectvely the smultaneous trple parng assumpton hold. The double parng assumpton says that gven a random couple (g r, g t ) from G 1 t s computatonally nfeasble to fnd non-trval group elements r, t G 2 so e(g r, r)e(g t, t) = 1. The smultaneous trple parng assumpton says that gven two random trples (g r, g s, g t ) and (h r, h s, h t ) from G 1 t s computatonally nfeasble to fnd non-trval group elements r, s, t G 2 so e(g r, r)e(g s, s)e(g t, t) = 1 and e(h r, r)e(h s, s)e(h t, t) = 1. We wll show that the decson Dffe-Hellman assumpton n G 1 mples the double parng assumpton and perhaps surprsngly that the decson lnear assumpton BBS04 n G 1 mples the smultaneous trple parng assumpton. Applcatons. As an example of the usage of our commtment schemes, we consder n Secton 5 the case of commttng to Pedersen commtments. Pedersen commtments, allow the commtment to multple values m 1,..., m m Z p as h t m γm. A Pedersen commtment s tself just a group element, and we can therefore use our commtment schemes to commt to multple Pedersen commtments. Snce our commtment schemes are homomorphc and the Pedersen commtment scheme s homomorphc, ther combnaton s also homomorphc. We get a homomorphc trapdoor commtment scheme to mn elements from Z p. In contrast wth the Pedersen commtment scheme, however, the publc key of our scheme s only O(m + n) group elements and t turns out that there are honest verfer zero-knowledge arguments of knowledge of the commtted values wth complexty O(m + n) feld elements. Such an effcent homomorphc trapdoor commtment scheme may n turn be a useful component n constructng more advanced zero-knowledge arguments. One can for nstance reduce the communcaton complexty of Groth s Gro09 sub-lnear sze zero-knowledge argument for crcut satsfablty from C 1 2 group elements to C 1 3 group elements, although the detals of the constructon are beyond the scope of ths paper. 2 Defntons Notaton. Algorthms n our commtment schemes take a securty parameter k as nput wrtten n unary. For smplcty we wll sometmes omt wrtng the securty parameter explctly, assumng k can be deduced from the other nputs. All our algorthms wll be probablstc polynomal tme algorthms. We wrte y = A(x; r), when A on nput x and randomness r outputs y. We wrte y A(x), for the process of pckng randomness r at random and settng y = A(x; r). We also wrte y S for samplng y unformly at random from the set S. When defnng securty, we assume that there s an adversary attackng our schemes. The adversary s modeled as a nonunform polynomal tme stateful algorthm. By stateful, we mean that we do not need to gve t the same nput twce, t remembers from the last nvocaton what ts state was. Ths makes the notaton a lttle smpler, snce we do not need to explctly wrte out the transfer of state from one 3

4 nvocaton to the next. Gven two functons f, g : N 0; 1 we wrte f(k) g(k) when there s neglgble dfference,.e., f(k) g(k) = k ω(1). 2.1 Commtments A commtment scheme s a protocol between Alce and Bob that allows Alce to commt to a secret message m. Later Alce may open the commtment and reveal to Bob that she commtted to m. Commtment schemes must be bndng and hdng. Bndng means that Alce cannot change her mnd, a commtment can only be opened to one message m. Hdng means that Bob does not learn whch message Alce commtted to. In ths paper, we wll focus on non-nteractve commtment schemes. In a non-nteractve commtment scheme, Alce computes the commtment herself and sends t to Bob. The openng process s also non-nteractve, t smply conssts of Alce sendng the message and the randomness she used when creatng the commtment to Bob. Bob can now run the commtment protocol hmself to check that ndeed ths was the message Alce had commtted to. A non-nteractve commtment scheme conssts of three polynomal tme algorthms (G, K, com). G s a probablstc setup algorthm that takes as nput the securty parameter k and outputs some setup nformaton gk. The setup nformaton gk can for nstance descrbe a fnte group over whch we are workng, but t could also just be the securty parameter wrtten n unary so there s no loss of generalty n ncludng a setup algorthm. We nclude an explct algorthm for the setup because when desgnng cryptographc protocols we often need the commtment scheme to work wth an exstng fnte group. K s a probablstc algorthm that takes as nput the setup gk and generates a commtment key ck and a trapdoor key tk. The commtment key ck specfes a message space M ck, a randomzer space R ck and a commtment space C ck. We assume t s easy to verfy membershp of the message space, randomzer space and the commtment space and t s possble to sample randomzers unformly at random from R ck. The algorthm com takes as nput the commtment key ck, a message m from the message space, a randomzer r from the randomzer space and outputs a commtment c n the commtment space. We are nterested n constructng homomorphc trapdoor commtments. By homomorphc, we mean that M ck, R ck, C ck are groups wth the property that f we multply two commtments, then we get a commtment to the product of the messages. By trapdoor we mean that gven the secret trapdoor key generated by the key generator, t s possble to open a commtment to any message. For ths purpose, we have two addtonal probablstc polynomal tme algorthms Tcom and Topen. Tcom takes the trapdoor tk as nput and outputs an equvocal commtment c and an equvocaton key ek. Topen on nput ek, c and a message m M ck creates an openng r R ck of the commtment, so c = com ck (m; r). Defnton 1 (Homomorphc trapdoor commtment scheme) A homomorphc trapdoor commtment scheme conssts of a quntuple of algorthms (G, K, com, Tcom, Topen) as descrbed above, such that (G, K, com) s hdng and bndng and homomorphc and (G, K, com, Tcom, Topen) has a perfect trapdoor property as defned below. Defnton 2 (Perfect hdng) The trple (G, K, com) s perfectly hdng f for all stateful adversares A we have Pr gk G(1 k ); (ck, tk) K(gk); (m 0, m 1 ) A(gk, ck); c com ck (m 0 ) : A(c) = 1 = Pr gk G(1 k ); (ck, tk) K(gk); (m 0, m 1 ) A(gk, ck); c com ck (m 1 ) : A(c) = 1, where we requre that A outputs m 0, m 1 that belong to M ck. 4

5 Defnton 3 (Computatonal bndng) The trple (G, K, com) s computatonally bndng f for all non-unform polynomal tme stateful adversares A we have Pr gk G(1 k ); (ck, tk) K(gk); (m 0, m 1, r 0, r 1 ) A(gk, ck) : m 0 = m 1 com ck (m 0 ; r 0 ) = com ck (m 1 ; r 1 ) 0, where we requre that A outputs m 0, m 1 M ck and r 0, r 1 R ck. Defnton 4 (Perfect trapdoor) The quntuple (G, K, com, Tcom, Topen) s perfectly trapdoor f for all stateful adversares A we have Pr gk G(1 k ); (ck, tk) K(gk); m A(gk, ck); r R ck ; c = com ck (m; r) : A(c, r) = 1 = Pr gk G(1 k ); (ck, tk) K(gk); m A(gk, ck); (c, ek) Tcom ck (tk); r Topen ek (c, m) : A(c, r) = 1, where A outputs m M ck. We note that the perfect trapdoor property mples that the commtment scheme s perfectly hdng, snce a commtment s perfectly ndstngushable from an equvocal commtment that can be opened to any message. Defnton 5 (Homomorphc) The commtment scheme (G, K, com) s homomorphc f K always outputs ck descrbng groups M ck, R ck, C ck, whch we wll wrte multplcatvely, such that for all m, m M ck, r, r C ck we have 3 Foundaton com ck (m; r)com ck (m; r ) = com ck (mm ; rr ). Blnear groups. Let G be a probablstc polynomal tme algorthm that generates (p, G 1, G 2, G T, e) G(1 k ) such that p s a k-bt prme G 1, G 2, G T are cyclc groups of order p e : G 1 G 2 G T s a non-degenerate blnear map so e(γ 1, γ 2 ) generates G T f γ 1, γ 2 generate G 1 and G 2 γ 1 G 1, γ 2 G 2, a, b Z p we have e(γ a 1, γb 2 ) = e(γ 1, γ 2 ) ab Group operatons, evaluaton of the blnear map, samplng of generators and membershp of G 1, G 2, G T are all effcently computable. Double parng assumpton. The securty of our frst commtment scheme wll be based on the double parng assumpton. The double parng problem s gven random elements g r, g t G 1 to fnd a non-trval couple (r, t) G 2 2 such that e(g r, r)e(g t, t) = 1. 5

6 Defnton 6 We say the double parng assumpton holds for the blnear group generator G f for all non-unform polynomal tme adversares A we have Pr gk = (p, G 1, G 2, G T, e) G(1 k ); g r, g t G 1 ; (r, t) A(gk, g r, g t ) : (r, t) G 2 2 {(1, 1)} e(g r, r)e(g t, t) = 1 0. We remark that the double parng assumpton can only hold when there s no non-trval effcently computable homomorphsm ψ : G 1 G 2, snce otherwse choosng r = ψ(g t ) and t = ψ(g r ) would break the assumpton. Smultaneous trple parng assumpton. The securty of our second commtment scheme wll be based on the smultaneous trple parng assumpton. The smultaneous trple parng problem s gven random elements g r, h r, g s, h s, g t, h t G 1 to fnd a non-trval trple (r, s, t) G 3 2 such that e(g r, r)e(g s, s)e(g t, t) = 1 and e(h r, r)e(h s, s)e(h t, t) = 1. Defnton 7 (Smultaneous trple parng assumpton) We say the smultaneous trple parng assumpton holds for the blnear group generator G f for all non-unform polynomal tme adversares A we have Pr gk = (p, G 1, G 2, G T, e) G(1 k ); g r, h r, g s, h s, g t, h t G 1 ; (r, s, t) A(gk, g r, h r, g s, h s, g t, h t ) : (r, s, t) G 3 2 {(1, 1, 1)} e(g r, r)e(g s, s)e(g t, t) = 1 e(h r, r)e(h s, s)e(h t, t) = 1 0. Unlke the double parng assumpton, the smultaneous trple parng assumpton may hold even f there s an effcently computable homomorphsm ψ : G 1 G 2, and for that matter even f G 1 = G Securty Analyss of the Double Parng Assumpton The double parng assumpton s a new assumpton. To gan confdence n the double parng assumpton, we wll now show that t s mpled by the decson Dffe-Hellman assumpton n G 1. Defnton 8 (Decson Dffe-Hellman assumpton) The decson Dffe-Hellman assumpton holds n G 1 for G f for all non-unform polynomal tme adversares A we have Pr gk = (p, G 1, G 2, G T, e) G(1 k ) ; g r, g t G 1 ; ρ Z p : A(gk, g r, g s, gr ρ, g ρ t ) = 1 Pr gk = (p, G 1, G 2, G T, e) G(1 k ) ; g r, g t G 1 ; ρ, τ Z p : A(gk, g r, g t, gr ρ, gt τ ) = 1. Theorem 9 If the decson Dffe-Hellman holds n G 1 for G, then the double parng holds for G. Proof. We wll show that an adversary A that breaks the double parng assumpton wth probablty ε(k) can be used to buld a decson Dffe-Hellman adversary B that has advantage ε(k) 3/p n breakng the decson Dffe-Hellman problem. Gven a Dffe-Hellman challenge (gk, g r, g t, gr ρ, gt τ ), where τ may be random or may be equal to ρ, B gves the challenge (gk, g r, g t ) to A. A outputs a par (r, t) n response. B outputs 1 f (r, t) s a non-trval par so e(g r, r)e(g t, t) = 1 and e(gr ρ, r)e(gt τ, t) = 1, otherwse B outputs 0. Let us look at the frst dstrbuton (gk, g r, g t, gr ρ, g ρ t ). There s ε(k) chance for A outputtng a non-trval par so e(g r, r)e(g t, t) = 1, n whch case we wll also have e(gr ρ, r)e(g ρ t, t) = 1. So here B has probablty ε(k) of outputtng 1. Let us now look at the second dstrbuton (gk, g r, g t, gr ρ, gt τ ). There s less than 3/p chance of g r = 1, g t = 1 or ρ = τ. In case g r = 1, g t = 1 and ρ = τ, there s no non-trval couple r, t such that e(g r, r)e(g t, t) = 1 and e(gr ρ, r)e(gt τ, t) = 1. 6

7 3.2 Securty Analyss of the Smultaneous Trple Parng Assumpton To gan confdence n the smultaneous trple parng assumpton, we wll explore ts relatonshp wth other cryptographc assumptons. Frst, we wll show that the smultaneous trple parng assumpton follows from a computatonal hardness assumpton called the smultaneous parng assumpton ntroduced by Groth and Lu GL07. Groth and Lu proved that the smultaneous parng assumpton s secure n the generc group model and snce the securty reducton only uses generc group operatons ths mples that the smultaneous trple parng assumpton s secure n the generc group model. 2 Second, we wll show that the smultaneous trple parng assumpton follows from the decson lnear assumpton BBS04. Relaton to the smultaneous parng assumpton. The smultaneous parng problem s gven g, g 1 = g x 1, h 1 = g x2 1,..., gn = g xn, h n = g x2 n G1 for random x 1,..., x n Z p fnd a non-trval set of elements μ 1,..., μ n G 2 such that e(g, μ ) = 1 e(h, μ ) = 1. Defnton 10 (Smultaneous parng assumpton) The smultaneous parng assumpton holds for G f for all non-unform polynomal tme adversares A we have Pr gk = (p, G 1, G 2, G T, e) G(1 k ); x 1,..., x n Z p ; g G 1 {1}; g 1 = g x 1, h 1 = g x2 1,..., g1 = g xn, h n = g x2 n; (μ 1,..., μ n ) A(gk, g 1, h 1,..., g n, h n ) : e(g, μ ) = 1 e(h, μ ) = 1 : μ = 1 0. Theorem 11 If the smultaneous parng assumpton wth n = 3 holds for G, then the smultaneous trple parng assumpton holds for G. Proof. Suppose we have an adversary A that breaks the smultaneous trple parng assumpton wth probablty ε(k). We wll show how to construct an adversary B that breaks the smultaneous parng assumpton for n = 3 wth probablty hgher than ε(k) 6/p. Gven a random smultaneous parng problem nstance (gk, g 1, h 1, g 2, h 2, g 3, h 3 ) the adversary B pcks at random ρ, σ, τ Z p and computes g r = g ρ 1 h r = h ρ 1 g s = g σ 2 h s = h σ 2 g t = g τ 3 h t = h τ 3. If g 1 = 1, g 2 = 1 or g 3 = 1 t s trval to solve the smultaneous parng problem. Provded the dscrete logarthms of g 1, g 2, g 3 are non-trval,.e., x 1 = 1, x 2 = 1, x 3 = 1, we get a random dstrbuton of 6 group elements n G {1}, whch has statstcal dstance less than 6/p from a random sx-tuple of group elements n G 1. The adversary now runs A on (gk, g r, h r, g s, h s, g t, h t ) and gets an non-trval smultaneous trple parng soluton (r, s, t) wth probablty hgher than ε(k) 6/p. We have e(g r, r)e(g s, s)e(g t, t) = e(g 1, r ρ )e(g 2, s σ )e(g 3, t τ ) = 1 e(h r, r)e(h s, s)e(h t, t) = e(h 1, r ρ )e(h 2, s σ )e(h 3, t τ ) = 1, 2 Groth and Lu GL07 ntroduced the smultaneous parng assumpton n the settng, where G 1 = G 2. We adapt t n a straghtforward way to the more general case, where G 1 and G 2 may be two dfferent groups. The generc group securty n the settng G 1 = G 2 mples generc group securty n the settng where G 1 and G 2 may be dfferent. 7

8 so (r ρ, s σ, t τ ) s a non-trval soluton to the smultaneous parng problem. Relaton to the decson lnear assumpton. The decson lnear problem s to decde whether a tuple (g 1, g 2, g 3, g ρ 1, gσ 2, gτ 3 ) has τ = ρ + σ or τ s random. Defnton 12 (Decson lnear assumpton) The decson lnear assumpton holds n G 1 for G f for all non-unform polynomal tme adversares A we have: Pr gk = (p, G 1, G 2, G T, e) G(1 k ) ; g 1, g 2, g 3 G 1 ; ρ, σ Z p : A(gk, g 1, g 2, g 3, g ρ 1, gσ 2, g ρ+σ 3 ) = 1 Pr gk = (p, G 1, G 2, G T, e) G(1 k ) ; g 1, g 2, g 3 G 1 ; ρ, σ, τ Z p : A(gk, g 1, g 2, g 3, g ρ 1, gσ 2, g3) τ = 1. Theorem 13 The smultaneous trple parng assumpton holds for G, f the decson lnear assumpton holds n G 1 for G. Proof. We wll show how to convert an adversary A that breaks the smultaneous trple parng assumpton wth probablty ε(k) nto an adversary B that breaks the decson lnear assumpton wth more than ε(k) 9/p chance. On a decson lnear challenge (gk, g 1, g 2, g 3, h 1, h 2, h 3 ), B pcks α, β Z p at random, sets g r = g 1, h r = h 1, g s = g 2, h s = h 2, g t = g 2 3g α 1 g β 2, h t = h 3 h α 1 h β 2 and runs (r, s, t) A(gk, g r, h r, g s, h s, g t, h t ). B returns 1 f r, s, t s a non-trval soluton to e(g r, r)e(g s, s)e(g t, t) = 1 e(h r, r)e(h s, s)e(h t, t) e(g 1, rt α )e(g 3, t) = 1 e(g 2, rt β )e(g 3, t) = 1, and else t returns 0. Let us now analyze the success probablty of B. It s gven a challenge (gk, g 1, g 2, g 3, g ρ 1, gσ 2, gτ 3 ), where τ = ρ + σ or τ s random. If e(g r, r)e(g s, s)e(g t, t) = 1 e(h r, r)e(h s, s)e(h t, t) = 1 we get ( )( ) e(g 1, rt α )e(g 3, t) e(g 2, st β )e(g 3, t) = 1 ( ) ρ ( σ e(g 1, rt α )e(g 3, t) e(g 2, st β )e(g 3, t)) = e(g3, t ρ+σ τ ). In case τ = ρ+σ, there s more than ε(k) 4/p chance of outputtng 1. To see ths, observe that g 1 = 1, g 2 = 1, g 3 = 1, ρ = σ gves a random smultaneous trple challenge wth these restrctons. Snce the probablty of ths condton falng s less than 4/p on a random smultaneous trple challenge we get more than ε(k) 4/p chance of A outputtng a non-trval soluton r, s, t. Wth ρ = σ and τ = ρ+σ, the two equaltes above tell us that e(g 1, rt α )e(g 3, t) = 1 and e(g 2, st β )e(g 3, t) = 1. We conclude that when τ = ρ + σ we get a probablty of more than ε(k) 4/p of outputtng 1. Suppose now τ s pcked at random. If g 1 = 1, g 2 = 1, g 3 = 1, ρ = σ, τ = ρ + σ a soluton r, s, t wth e(g 1, rt α )e(g 3, t) = 1 and e(g 2, st β )e(g 3, t) = 1 would mply t = 1. Ths n turn mples r = 1 and s = 1, leadng us to conclude that r, s, t s trval. Snce the chance of g 1 = 1 g 2 = 1 g 3 = 1 ρ = σ τ = ρ + σ s less than 5/p, there s less than 5/p chance of outputtng 1, when τ s chosen at random. 8

9 4 Homomorphc Trapdoor Commtments to Group Elements We wll now present the homomorphc trapdoor commtment schemes. The setup algorthm generates a blnear group (p, G 1, G 2, G T, e). The commtment schemes permts commttng to n group elements from G Commtments based on the Double Parng Assumpton We have message space M ck = G n 2, randomzer space R ck = G 2 and commtment space C ck = G T, where each of them are nterpreted as a group usng entry-wse multplcaton. Setup: On nput 1 k return gk = (p, G 1, G 2, G T, e) G(1 k ). Key generator: On nput gk pck at random g r G 1 {1} and x 1,..., x n Z p and defne g 1 = g x 1 r,, g n = gr xn. The commtment key s ck = (gk, g r, g 1,..., g n ) and the trapdoor key s tk = (gk, x 1,..., x n ). Commtment: Usng commtment key ck on nput message (m 1,..., m n ) G n 2 r G 2. The commtment s gven by c = e(g r, r) e(g, m ). pck randomzer Trapdoor commtment: Usng commtment key ck and trapdoor key tk generate an equvocal commtment c G T by pckng r G 2 and computng c = e(g r, r) The correspondng equvocaton key s ek = (tk, r). Trapdoor openng: On an equvocal commtment c G T to a message (m 1,..., m n ) G n 2 usng the equvocaton key ek, compute and return the trapdoor openng r = r n m x. Theorem 14 (G, K, com, Tcom, Topen) descrbed above s a homomorphc trapdoor commtment scheme to n group elements. It s perfectly trapdoor and assumng the double parng assumpton holds for G the commtment scheme s computatonally bndng. Proof. Let us frst prove the commtment scheme s homomorphc. The message space s G n 2, the randomzer space s G 2 and the commtment space s G T, whch wth entry-wse multplcaton all are fnte abelan groups. Gven a commtment key ck = (gk, g r, g 1,..., g n ) t s straghtforward to check the homomorphc property. For all (m 1,..., m n ), (m 1,..., m n) G n 2 and all r, r G 2 we have e(g r, r) e(g, m ) e(g r, r ) e(g, m ) = e(g r, rr ) e(g, m m ). Next, we wll prove that the commtment scheme has the perfect trapdoor property. By constructon, g r = 1 so both real commtments and trapdoor commtments are dstrbuted unformly at random n G T, because of ther e(g r, r) factor where r s chosen randomly from G 2. The fact that g r = 1 also mples that for any commtment c and set of messages (m 1,..., m n ) G n 2 there s a unque randomzer r G 2 so c = e(g r, r) n e(g, m ). To conclude the proof for the perfect trapdoor property, we therefore just need to show that the trapdoor openng algorthm gves the correct openng r of the commtment. Ths follows from e(g r, r ) e(g, m ) = e(g r, r m x ) 9 e(g x r, m ) = e(g r, r) = c.

10 Fnally, we wll prove that the commtment scheme s computatonally bndng f the double parng assumpton holds for G. More precsely, we wll show that f A has probablty ε(k) of breakng the bndng property, then there s an algorthm B that breaks the double parng assumpton wth at least ε(k) 4/p chance. Let (gk, g r, g t ) be a random double parng challenge gven to B. If g r = 1, g t = 1 t selects ρ 1, τ 1,..., ρ n, τ n Z p and computes g 1 = g ρ 1 r g τ 1 t,..., g n = gr ρn gt τn. It runs A on (ck, g r, g 1,..., g n ) and wth more than ε(k) 1/p probablty t gets two dfferent openngs to the same commtment. If the openngs are m 1,..., m n, r and m 1,..., m n, r, we have by the homomorphc property of the commtment scheme that e(g r, r 1 r ) n e(g, m 1 m ) = 1. Defnng μ 1 = m 1 1 m 1,..., μ n = m 1 n m n ths means we have e(g r, r 1 r ) n e(g, μ ) where at least one μ = 1. Ths mples e(g r, r 1 r ) e(g ρ r g τ t, μ ) = e(g r, r 1 r μ ρ )e(g t, μ τ ) = 1. Ths breaks the double parng assumpton unless r 1 r n μρ = 1 and n μτ = 1 at the same tme. However, snce the ρ s are perfectly hdden by the τ s, we have no more than 1/p chance of the latter equalty holdng when there s some μ = 1. There s less than 2/p chance of g r = 1 or g t = 1. If g r = 1 and g t = 1 we have at least ε(k) 2/p chance of breakng the double parng assumpton. We conclude that B has more than ε(k) 4/p chance of breakng the double parng assumpton. 4.2 Commtments based on the Smultaneous Trple Parng Assumpton We have message space M ck = G n 2, randomzer space R ck = G 2 2 and commtment space C ck = G 2 T, where each of them are nterpreted as a group usng entry-wse multplcaton. Setup: On nput 1 k return gk = (p, G 1, G 2, G T, e) G(1 k ). Key generator: On nput gk pck at random g G 1 {1} and x r, y r, x s, y s, x 1, y 1,..., x n, y n Z p such that x r y s = x s y r and defne g r = g xr h r = g yr g s = g xs h s = g ys g 1 = g x 1 h 1 = g y 1 g n = g xn h n = g yn. The commtment key s ck = (gk, g r, h r, g s, h s, g 1, h 1,..., g n, h n ) and the trapdoor key s tk = (gk, g, x r, x s, y r, y s, x 1, y 1,..., x n, y n ). Commtment: Usng commtment key ck on nput message (m 1,..., m n ) G n 2 (r, s) G 2 2. The commtment s (c, d) G2 T gven by pck randomzer c = e(g r, r)e(g s, s) e(g, m ) d = e(h r, r)e(h s, s) e(h, m ). Trapdoor commtment: Usng commtment key ck and trapdoor key tk, generate an equvocal commtment (c, d) G 2 T by pckng (r, s) G2 2 and computng c = e(g r, r)e(g s, s) and d = e(h r, r)e(h s, s). The correspondng equvocaton key s ek = (tk, r, s). 10

11 Trapdoor openng: To trapdoor open an equvocal commtment (c, d) G 2 T (m 1,..., m n ) G n 2 usng the equvocaton key ek, compute a = r xr s xs n Snce x r y s = x s y r we can compute ( α β γ δ Compute m x and b = r yr s ys ) ( ) 1 xr x = s. y r y s r = a α b β and s = a γ b δ. Return the openng (r, s ) of (c, d) to message (m 1,..., m n ). m y. to a message Theorem 15 (G, K, com, Tcom, Topen) descrbed above s a homomorphc trapdoor commtment scheme to n group elements. It has the perfect trapdoor property and assumng the smultaneous trple parng assumpton holds for G the commtment scheme s computatonally bndng. Proof. Let us frst prove the commtment scheme s homomorphc. The message space s G n 2, the randomzer space s G 2 2 and the commtment space s G2 T, whch wth entry-wse multplcaton all are fnte abelan groups. Gven a commtment key ck = (gk, g r, h r, g s, h s, g 1, h 1,..., g n, h n ) t s straghtforward to check the homomorphc property. For all (m 1,..., m n ), (m 1,..., m n) G n 2 and all (r, s), (r, s ) G 2 2 we have e(g r, r)e(g s, s) e(g, m ) e(g r, r )e(g s, s ) e(g, m ) = e(g r, rr )e(g s, ss ) e(g, m m ) e(h r, r)e(h s, s) e(h, m ) e(h r, r )e(h s, s ) e(h, m ) = e(h r, rr )e(h s, ss ) e(h, m m ) Next, we wll prove that the commtment scheme has the perfect trapdoor property. By constructon, x r y s = x s y r so (x r, y r ) and (x s, y s ) are lnearly ndependent n Z 2 p. We can deduce from ths that both real commtments and trapdoor commtments are dstrbuted unformly at random n G 2 T, because of ther e(g r, r)e(g s, s) and e(h r, r)e(h s, s) factors where r, s are chosen randomly from G 2. The lnear ndependence of (x r, y r ) and (x s, y s ) also mples that for any par (c, d) G 2 T and a set of messages (m 1,..., m n ) G n 2 there s a unque randomzer (r, s) G2 2 so c = e(g r, r)e(g s, s) e(g, m ) d = e(h r, r)e(h s, s) e(h, m ). To conclude the proof for the perfect trapdoor property, we therefore just need to show that the trapdoor openng algorthm gves the correct openng (r, s ) of the commtment. Snce ( ) ( ) ( ) xr x s α β 1 0 =, γ δ 0 1 we have y r y s e(g r, r )e(g s, s ) = e(g xr, a α b β )e(g xs, a γ b δ ) = e(g, a xrα+xsγ )e(g, b xrβ+xsδ ) = e(g, a) e(h r, r )e(h s, s ) = e(g yr, a α b β )e(g ys, a γ b δ ) = e(g, a yrα+ysγ )e(g, b yrβ+ysδ ) = e(g, b). 11

12 By pluggng n a = r xr s xs n m x e(g r, r )e(g s, s ) and b = r yr s ys n m y e(g, m ) = e(g, r xr s xs ) we get e(g, m x x ) = e(g r, r)e(g s, s) = c e(h r, r )e(h s, s ) e(h, m ) = e(g, r yr s ys ) e(g, m y y ) = e(h r, r)e(h s, s) = d, as we wanted. Fnally, we wll prove that the commtment scheme s computatonally bndng f the smultaneous trple parng assumpton holds for G. More precsely, we wll show that f A has probablty ε(k) of breakng the bndng property, then there s an algorthm B that breaks the smultaneous trple parng assumpton wth at least ε(k) 3/p chance. Let (gk, g r, g s, g t, h r, h s, h t ) be a random smultaneous trple parng challenge for B. We pck at random ρ 1, σ 1, τ 1,..., ρ n, σ n, τ n Z p and defne g 1, h 1,..., g n, h n by g = g ρ r g σ s g τ t h = h ρ r h σ s h τ t. If (x r, y r ) and (x s, y s ) are lnearly ndependent n Z 2 p all these group elements are randomly dstrbuted n G 1. Ths means ck = (gk, g r, h r, g s, h s, g 1, h 1,..., g n, h n ) has the same dstrbuton as commtment keys generated by K. B gves ths ck to A and n case x r y s = x s y r t has ε(k) probablty of gettng two dfferent messages (m 1,..., m n ), (m 1,..., m n) and randomzers (r, s), (r, s ) so com ck (m 1,..., m n ; r, s) = com ck (m 1,..., m n; r, s ). Defne μ 1 = m 1 m 1 1,..., μ n = m nm 1 n and r = r r 1, s = s s 1. By the homomorphc property of the commtment scheme we have com ck (μ 1,..., μ n ; r, s ) = (1, 1). Ths gves us e(g r, r )e(g s, s ) e(h r, r )e(h s, s ) e(g, μ ) = e(g r, r e(h, μ ) = e(h r, r n n μ ρ )e(g s, s μ ρ )e(h s, s μ σ )e(g t, μ σ )e(h t, μ τ ) = 1 μ τ ) = 1. Snce (m 1,..., m n ) and (m 1,..., m n) are dfferent, there s at least one μ = 1. Recall g = g ρ r g σ s g τ t and h = h ρ r h σ s h τ t for random ρ, σ, τ Z p. Wth (x r, y r ) and (x s, y s ) lnearly ndependent n Z 2 p there s for any τ a unque par (ρ, σ ) Z2 p that would yeld g, h. Ths means from A s perspectve τ s a perfectly hdden random value n Z p. The probablty that n μτ = 1 s therefore at most 1/p. Condtoned on x r y s = x s y r the adversary B breaks the smultaneous trple parng problem wth probablty ε(k) 1/p. There s less than 2/p chance for the dscrete logarthms satsfyng x r y s = x s y r. We conclude that B has more than ε(k) 3/p chance of (r n μρ, s n μσ, n μτ ) beng a non-trval soluton to the smultaneous trple parng problem. 5 Commttng to Commtments Recall the Pedersen commtment to multple elements from Z p. The publc key conssts of γ 1,..., γ m, h and we commt to x 1,..., x m Z p by computng c = h t m γx for t Z p. The Pedersen commtment s a homomorphc perfectly hdng trapdoor commtment. It s computatonally bndng assumng the dscrete logarthm problem s hard. 12

13 Snce Pedersen commtments are group elements, we can use the commtment schemes from ths paper to commt to multple Pedersen commtments. More precsely, we can set up the Pedersen commtments n G 2 and now use our commtment scheme to commt to n Pedersen commtments at once. Snce each Pedersen commtment can hold m elements from Z p, ths means we have a commtment to mn elements from Z p usng ths technque. The publc key sze s O(m + n) group elements, so unlke the Pedersen commtment scheme by tself ths combned commtment scheme has a sub-lnear sze commtment key. Snce our commtment scheme s homomorphc wth respect to the Pedersen commtments n G 2 and the Pedersen commtments are homomorphc wth respect to the feld elements n Z p, the combned commtment scheme s homomorphc wth respect to the feld elements n Z p. Moreover, snce the Pedersen commtment scheme s a perfectly hdng trapdoor commtment scheme, our combned commtment scheme s also a perfectly hdng trapdoor commtment scheme. The bndng property reles on the dscrete logarthm assumpton n G 2 and ether the double parng assumpton or the smultaneous trple parng assumpton n G Honest Verfer Zero-Knowledge Argument of Knowledge for the Combned Commtment Scheme Whle reducng the key sze for homomorphc commtments s nterestng n ts own rght, another concern that comes up n practce s that the openng of the commtment s large. We wll now show that the combned commtment schemes have effcent 3-move honest verfer zero-knowledge arguments of knowledge, whch n some applcatons means that we do not have to reveal the entre openng. Ths stands n contrast to the standard Pedersen commtment to multple messages, where all known practcal zero-knowledge arguments of knowledge have a sze that grows lnearly n the number of feld elements we have commtted to. It s possble to gve smlar types of effcent arguments for statements such as all the commtted values beng 0 or the commtted values havng a partcular sum. We wll wrte ck for the commtment key for our commtment scheme, whch can be ether one of the two schemes we have proposed n the paper, and let γ 1,..., γ m, h be the commtment key for the Pedersen commtment. The statement s a commtment c C ck and the prover wants to gve an argument of knowledge of the contents of c. The prover s prvate nput conssts of r R ck and t 1,..., t n Z p and m 11,..., m mn Z p so c = com ck (c 1,..., c n ; r), where c j = h t j m γm j. The argument runs as follows. 1. The prover pcks t, d 1,..., d m Z p and computes c d = h t m γd. The prover also pcks t 1,..., t n and computes c j = j. ht Fnally, the prover pcks r R ck and computes c = com ck (c 1,..., c n; r ). The prover sends (c d, c ) to the verfer. 2. The verfer sends the prover random challenges e, e 1,..., e n Z p. 3. The prover answers wth r = r e r, c 1 = ce 1 c 1,..., c n = c e nc n and t = e n j=1 e jt j + n j=1 e jt j + t, m 1 = d 1 + e n j=1 e jm 1j,..., m m = d m + e n j=1 e jm mj. 4. The verfer accepts the argument f c e c = com ck (c 1,..., c n; r ) and c d n j=1 (c j )e j = h t m γm. The complexty of ths argument s roughly n or 2n parngs, m + n exponentatons and mn multplcatons for the prover, and n or 2n parngs and n + m exponentatons for the verfer. The communcaton s roughly 2n + m group and feld elements. In other words, t s n all aspects sgnfcantly shorter and faster than the process of commttng, openng, and verfyng the openng of the commtment. 13

14 Theorem 16 The protocol s a 3-move honest verfer zero-knowledge argument of knowledge of the contents of the commtment c. Proof. The protocol clearly has 3 moves and t can be verfed by nspecton that the argument gven above has perfect completeness. We wll now show that the protocol has perfect specal honest verfer zero-knowledge. By ths we mean that gven a challenge e, e 1,..., e n t s possble to perfectly smulate the entre argument. The smulaton works as follows, the smulator pcks random commtments c 1,..., c n and randomzer r and computes c = c e com ck (c 1,..., c n; r ). It also pcks m 1,..., m n and t at random and computes c d = h t m γm n j=1 (c j ) e j. The smulated argument s (c d, c, e, e 1,..., e n, r, c 1,..., c n, t, m 1,..., m m ). To see ths s a perfect smulaton when the challenge s e, e 1,..., e n, observe that both n a real argument and n a smulated argument the values r, c 1,..., c n and t, m 1,..., m m are unformly random. Condtoned on these values, both c and c d can be determned unquely. Real arguments and smulated arguments are therefore dentcally dstrbuted. Fnally, we wll show that the protocol s an argument of knowledge. Consder an adversary A that has probablty of ε(k) of makng an acceptable argument, we wll show that there s a black-box wtness-extended emulator B that has success-probablty ε(k) of answerng a random challenge e, e 1,..., e n and at the same tme outputtng an openng of the commtment. B runs A on the random challenges e, e 1,..., e n. If A fals to produce an acceptable argument, we are done. However, wth probablty ε(k) t does produce an acceptng argument on the challenge, and B needs to extract an openng of the commtment. B rewnds A to the pont where t has sent the ntal message and selects new random challenges e, e 1,..., e n (t s possble, although unlkely, that the same challenge wll repeat) untl t has 2n + 1 acceptable arguments wth the same ntal message c d, c. Snce A has probablty ε(k) chance of makng an acceptng argument n the frst place, and collectng 2n + 1 acceptable arguments wll take an average of 2n+1 ε(k) rewnds, we get that on average B uses 2n + 1 runs of A. Let us now look at acceptng challenges collected by B. Snce B runs an expected 2n + 1 runs of A, whch s expected polynomal tme, there s an overwhelmng probablty that two of the acceptng argument use dfferent e. Pckng two dfferent challenges e = ˆe we get two equatons c e c = com ck (c 1,..., c n; r ) and cˆe = com ck ( ˆc 1,..., cˆ n ; ˆr ). From ths we can compute an openng of c and then compute an openng of c. By the bndng property of the commtment scheme, these openngs wll be used by A n all the acceptng arguments when answerng the challenges. Consder now the second part of the verfcaton. We have all the acceptng arguments satsfy n c d (c j=1 j ) e j = c d (c e jc j) e j = c 1 d j=1 j=1 c ee j j (c j) e j = h t Wth overwhelmng probablty the 2n + 1 challenge vectors (1, ee 1,..., ee n, e 1,..., e n ) are lnearly ndependent. The 2n + 1 equatons gven by the acceptng arguments then make t possble to extract openngs of all the commtments c 1,..., c n. We conclude that the s neglgble probablty for A makng a vald argument, yet B not beng able to extract an openng of c. References j=1 m γ m. BBS04 Dan Boneh, Xaver Boyen, and Hovav Shacham. Short group sgnatures. In CRYPTO, volume 3152 of Lecture Notes n Computer Scence, pages 41 55,

15 BGN05 Dan Boneh, Eu-Jn Goh, and Kobb Nssm. Evaluatng 2-DNF formulas on cphertexts. In TCC, volume 3378 of Lecture Notes n Computer Scence, pages , Bra00 BW06 DF02 DN02 ElG85 FO97 FS01 GL07 Stefan Brands. Rethnkng Publc Key Infrastructures and Dgtal Certfcates; Buldng n Prvacy. MIT Press, Xaver Boyen and Brent Waters. Compact group sgnatures wthout random oracles. In EUROCRYPT, volume 4004 of Lecture Notes n Computer Scence, pages , Ivan Damgård and Echro Fujsak. A statstcally-hdng nteger commtment scheme based on groups wth hdden order. In ASIACRYPT, volume 2501 of Lecture Notes n Computer Scence, pages , Ivan Damgård and Jesper Buus Nelsen. Perfect hdng and perfect bndng unversally composable commtment schemes wth constant expanson factor. In CRYPTO, volume 2442 of Lecture Notes n Computer Scence, pages , Full paper avalable at Taher ElGamal. A publc key cryptosystem and a sgnature scheme based on dscrete logarthms. IEEE Transactons on Informaton Theory, 31(4): , Echro Fujsak and Tatsuak Okamoto. Statstcal zero knowledge protocols to prove modular polynomal relatons. In CRYPTO, volume 1294 of Lecture Notes n Computer Scence, pages 16 30, Jun Furukawa and Kazue Sako. An effcent scheme for provng a shuffle. In CRYPTO, volume 2139 of Lecture Notes n Computer Scence, pages , Jens Groth and Steve Lu. A non-nteractve shuffle wth parng based verfablty. In ASIACRYPT, volume 4833 of Lecture Notes n Computer Scence, pages 51 67, GOS06 Jens Groth, Rafal Ostrovsky, and Amt Saha. Non-nteractve zaps and new technques for NIZK. In CRYPTO, volume 4117 of Lecture Notes n Computer Scence, pages , GQ88 Lous C. Gullou and Jean-Jacques Qusquater. A practcal zero-knowledge protocol ftted to securty mcroprocessor mnmzng both trasmsson and memory. In EUROCRYPT, volume 330 of Lecture Notes n Computer Scence, pages , Gro06 Jens Groth. Smulaton-sound NIZK proofs for a practcal language and constant sze group sgnatures. In ASIACRYPT, volume 4248 of Lecture Notes n Computer Scence, pages , Full paper avalable at jg/nizkgroupsgnfull.pdf. Gro09 Jens Groth. Lnear algebra wth sub-lnear zero-knowledge arguments. In CRYPTO, volume 5677 of Lecture Notes n Computer Scence, pages , GS08 KZ06 Jens Groth and Amt Saha. Effcent non-nteractve proof systems for blnear groups. In EUROCRYPT, volume 4965 of Lecture Notes n Computer Scence, pages , Full paper avalable at Aggelos Kayas and Hong-Sheng Zhou. Concurrent blnd sgnatures wthout random oracles. In SCN, volume 4116 of Lecture Notes n Computer Scence, pages 49 62,

16 Lp03 Nef01 OU98 Helger Lpmaa. On dophantne complexty and statstcal zero-knowledge arguments. In ASIACRYPT, volume 2894 of Lecture Notes n Computer Scence, pages , C. Andrew Neff. A verfable secret shuffle and ts applcaton to e-votng. In ACM CCS, pages , Tatsuak Okamoto and Shgenor Uchyama. A new publc-key cryptosystem as secure as factorng. In EUROCRYPT, volume 1403 of Lecture Notes n Computer Scence, pages , Pa99 Pascal Paller. Publc-key cryptosystems based on composte resduosty classes. In EUROCRYPT, volume 1592 of Lecture Notes n Computer Scence, pages , Ped91 Torben P. Pedersen. Non-nteractve and nformaton-theoretc secure verfable secret sharng. In CRYPTO, volume 576 of Lecture Notes n Computer Scence, pages ,