Systèmes de preuve Groth-Sahai et applications

Transcription

1 Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 1 / 44

2 Pairings and Advances in Cryptology for E-cash French ANR Project (2007 Télécommunications) 4 years Partners Cryptolog International ENS Gemalto LIX ST-Ericsson Orange Labs R&D (coordinator) Université de Caen D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 2 / 44

3 The Concept of E-cash Bank Alice Shop D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 3 / 44

4 The Concept of E-cash Bank Alice Shop D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 3 / 44

5 The Concept of E-cash Bank Alice Shop D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 3 / 44

6 The Concept of E-cash Bank Alice Shop D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 3 / 44

7 Desirable Properties of E-cash Off-line: bank not present at the time of payment Traceability of double spenders: each time a user spends a coin more than once he will be detected Anonymity: if a user does not spend a coin twice, she remains anonymous Fairness: perfect anonymity enables perfect crimes an authority can trace coins that were acquired illegally. Transferability: received e-cash can be spend without involving the bank fundamental property of regular cash Chaum and Pederson (1992) impossible without increasing the coin size D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 4 / 44

8 Desirable Properties of E-cash Off-line: bank not present at the time of payment Traceability of double spenders: each time a user spends a coin more than once he will be detected Anonymity: if a user does not spend a coin twice, she remains anonymous Fairness: perfect anonymity enables perfect crimes an authority can trace coins that were acquired illegally. Transferability: received e-cash can be spend without involving the bank fundamental property of regular cash Chaum and Pederson (1992) impossible without increasing the coin size D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 4 / 44

9 Desirable Properties of E-cash Off-line: bank not present at the time of payment Traceability of double spenders: each time a user spends a coin more than once he will be detected Anonymity: if a user does not spend a coin twice, she remains anonymous Fairness: perfect anonymity enables perfect crimes an authority can trace coins that were acquired illegally. Transferability: received e-cash can be spend without involving the bank fundamental property of regular cash Chaum and Pederson (1992) impossible without increasing the coin size D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 4 / 44

10 The Concept of Transferable E-cash Bank Alice Bob Shop D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 5 / 44

11 Contents 1 Introduction 2 Groth-Sahai proof system Non-interactive Zero-Knowledge proofs Bilinear maps Groth-Ostrovsky-Sahai Groth-Sahai (2008) 3 Application: Transferable E-Cash Design principle Partially-Blind Certification Transferable Anonymous Constant-Size Fair E-Cash from Certificates 4 Conclusion D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 6 / 44

12 Zero-Knowledge Proof Systems Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 the paper was rejected a couple of times... then they won the Gödel award for it proofs that reveal nothing other than the validity of assertion being proven Central tool in study of cryptographic protocols Anonymous credentials Online voting... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 7 / 44

13 Zero-Knowledge Proof Systems Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 the paper was rejected a couple of times... then they won the Gödel award for it proofs that reveal nothing other than the validity of assertion being proven Central tool in study of cryptographic protocols Anonymous credentials Online voting... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 7 / 44

14 Zero-Knowledge Proof Systems Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 the paper was rejected a couple of times... then they won the Gödel award for it proofs that reveal nothing other than the validity of assertion being proven Central tool in study of cryptographic protocols Anonymous credentials Online voting... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 7 / 44

15 Zero-knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. (weaker version: Witness indistinguishability) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 8 / 44

16 Zero-knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. (weaker version: Witness indistinguishability) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 8 / 44

17 Non-interactive Zero-knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verifier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verifier that S is true 3 Zero-knowledge: S is true no cheating verifier learns anything other than this fact. (weaker version: Witness indistinguishability) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 9 / 44

18 History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, Damgard, Killian-Petrank, Feige-Lapidot-Shamir, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic transforms interactive ZK proof into NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, Groth-Sahai, D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 10 / 44

19 History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, Damgard, Killian-Petrank, Feige-Lapidot-Shamir, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic transforms interactive ZK proof into NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, Groth-Sahai, D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 10 / 44

20 History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, Damgard, Killian-Petrank, Feige-Lapidot-Shamir, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic transforms interactive ZK proof into NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, Groth-Sahai, D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 10 / 44

21 History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, Damgard, Killian-Petrank, Feige-Lapidot-Shamir, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic transforms interactive ZK proof into NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, Groth-Sahai, D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 10 / 44

22 Applications of NIZK Proofs Fancy signature schemes group signatures ring signatures... Efficient non-interactive proof of correctness of shuffle Non-interactive anonymous credentials CCA-2-secure encryption schemes Identification E-cash... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 11 / 44

23 Composite order bilinear structure: What? (e, G, G T, g, n) bilinear structure: G, G T multiplicative groups of order n = pq n = RSA integer g = G e : G G G T e(g, g) = G T e(g a, g b ) = e(g, g) ab, a, b Z deciding group membership, group operations, efficiently computable. bilinear map D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 12 / 44

24 Composite order bilinear structure: How? Groups are instantiated using supersingular elliptic curves E over finite fields F l, l mod 1(modn) prime. Groups are very large: N to prevent factoring attack. Pairings are slow: usual pairing-based crypto G E(F l ) 160 bits (prime-order MNT curve) G T F l 1024 bits 6 3 ms pairing composite-order groups G E(F l ) 1024 bits (supersingular curve) G T F l 2048 bits ms pairing Conclusion: composite-order elliptic curves negates many advantages of ECC D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 13 / 44

25 Composite order bilinear structure: Why? 1 Deciding Diffie-Hellman tuples: given (g, g a, g b, g c ) G 4 c = ab e(g a, g b ) = e(g, g c ) 2 If h q = 1: for all v G e(h, v) q = 1 e(g a h b, g) q = e(g, g) a Applications: Somewhat homomorphic encryption, Traitor tracing, Ring and group signatures, Attribute-based encryption, Fully secure HIBE,... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 14 / 44

26 Composite order bilinear structure: Why? 1 Deciding Diffie-Hellman tuples: given (g, g a, g b, g c ) G 4 c = ab e(g a, g b ) = e(g, g c ) 2 If h q = 1: for all v G e(h, v) q = 1 e(g a h b, g) q = e(g, g) a Applications: Somewhat homomorphic encryption, Traitor tracing, Ring and group signatures, Attribute-based encryption, Fully secure HIBE,... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 14 / 44

27 Composite order bilinear structure: Why? 1 Deciding Diffie-Hellman tuples: given (g, g a, g b, g c ) G 4 c = ab e(g a, g b ) = e(g, g c ) 2 If h q = 1: for all v G e(h, v) q = 1 e(g a h b, g) q = e(g, g) a Applications: Somewhat homomorphic encryption, Traitor tracing, Ring and group signatures, Attribute-based encryption, Fully secure HIBE,... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 14 / 44

28 Boneh-Goh-Nissim Encryption Scheme Public key: (e, G, G T, n) bilinear structure with n = pq g, h G with ord(h) = q. Secret key: p, q Encryption: c = g m h r (r R Z n ) Decryption: c q = (g m h r ) q = g mq h qr = (g q ) m (+ discrete log) IND-CPA-secure under the: Subgroup Membership Assumption Hard to distinguish h G of order q from random h of order n D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 15 / 44

29 Boneh-Goh-Nissim Commitment Scheme Public key: (e, G, G T, n) bilinear structure with n = pq g, h G with ord(h) = q. Commitment: c = g m h r (r R Z n ) Perfectly binding: unique m mod p Computationally hiding: indistinguishable from h of order n Addition: (g a h r ) (g b h s ) = g a+b h r+s Multiplication: e(g a h r, g b h s ) = e(g a, g b )e(h r, g b )e(g a, h s )e(h r, h s ) = e(g, g) ab e(h, g as+rb h rs ) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 16 / 44

30 Groth-Ostrovsky-Sahai: NIZK Proof for Circuit SAT Groth, Ostrovsky and Sahai (2006) Perfect completeness, perfect soundness, computational zero-knowledge for NP Common reference string: O(k) bits Proof: O( C k) bits Circuit-SAT is NP-complete w 1 w 4 w 2 w 3 1 Idea: Commit w i using BGN encryption Prove the validity using homomorphic properties D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 17 / 44

31 NIZK Proof for Circuit SAT g w1 h r1 = c 1 g w2 h r2 = c 2 c 4 = g w4 h r4 g w3 h r3 = c 3 g 1 Prove w i {0, 1} for i {1, 2, 3, 4} Prove w 4 = (w 1 w 2 ) Prove 1 = (w 3 w 4 ) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 18 / 44

32 Proof for c Containing 0 or 1 w mod p {0, 1} w(w 1) = 0 mod p For c = g w h r we have e(c, cg 1 ) = e(g w h r, g w 1 h r ) = e(g w, g w 1 )e(h r, g w 1 )e(g w, h r )e(h r, h r ) = e(g, g) w(w 1) e(h, (g 2w 1 h r ) r ) }{{} π π = g 2w 1 h r = proof that c contains 0 or 1 modp. (c detemines w uniquely modp since ord(h) = q) Randomizable proof! D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 19 / 44

33 Proof for c Containing 0 or 1 w mod p {0, 1} w(w 1) = 0 mod p For c = g w h r we have e(c, cg 1 ) = e(g w h r, g w 1 h r ) = e(g w, g w 1 )e(h r, g w 1 )e(g w, h r )e(h r, h r ) = e(g, g) w(w 1) e(h, (g 2w 1 h r ) r ) }{{} π π = g 2w 1 h r = proof that c contains 0 or 1 modp. (c detemines w uniquely modp since ord(h) = q) Randomizable proof! D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 19 / 44

34 A Simple Observation b 0 b 1 b 2 b 0 + b 1 + 2b b 2 = (b 0 b 1 ) b 0 + b 1 + 2b 2 2 {0, 1} D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 20 / 44

35 A Simple Observation b 0 b 1 b 2 b 0 + b 1 + 2b b 2 = (b 0 b 1 ) b 0 + b 1 + 2b 2 2 {0, 1} D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 20 / 44

36 Proof for NAND-gate g w1 h r1 = c 1 g w2 h r2 = c 2 c 4 = g w4 h r4 g w3 h r3 = c 3 g 1 Given c 1, c 2 and c 4 commitments for bits w 1, w 2, w 4 Wish to prove w 4 = (w 1 w 2 ). i.e. w 1 + w 2 + 2w 4 2 {0, 1} We have c 1 c 2 c 2 4 g 2 = (g w0 h r0 ) (g w1 h r1 ) (g w4 h r4 ) 2 g 2 = g w0+w1+2w4 2 h r0+r1+2r4 Prove that c 1 c 2 c 2 4 g 2 contains 0 or 1 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 21 / 44

37 NIZK Proof for Circuit SAT g w1 h r1 = c 1 g w2 h r2 = c 2 c 4 = g w4 h r4 g w3 h r3 = c 3 g 1 Prove w i {0, 1} for i {1, 2, 3, 4} 2k bits Prove w 4 = (w 1 w 2 ) k bits Prove 1 = (w 3 w 4 ) k bits CRS size: 3k bits Proof size: (2 W + C )k bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 22 / 44

38 Groth-Ostrowsky-Sahai is ZK Subgroup Membership Assumption Hard to distinguish h G of order q from random h of order n Simulation simulated CRS h of order n by choosing g = h τ the simulation trapdoor is τ perfectly hiding trapdoor commitments g 1 h r1 = c 1 g 1 h r2 = c 2 c 4 = g 1 h r4 g 1 h r3 = c 3 g 1 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 23 / 44

39 Groth-Ostrowsky-Sahai is ZK Subgroup Membership Assumption Hard to distinguish h G of order q from random h of order n Simulation simulated CRS h of order n by choosing g = h τ the simulation trapdoor is τ perfectly hiding trapdoor commitments g 1 h r1 = c 1 g 1 h r2 = c 2 c 4 = g 1 h r4 g 1 h r3 = c 3 g 1 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 23 / 44

40 Groth-Ostrowsky-Sahai is ZK Subgroup Membership Assumption Hard to distinguish h G of order q from random h of order n Simulation simulated CRS h of order n by choosing g = h τ the simulation trapdoor is τ perfectly hiding trapdoor commitments g 1 h r1 = c 1 g 1 h r2 = c 2 c 4 = g 1 h r4 g 1 h r3 = c 3 g 1 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 23 / 44

41 Groth-Ostrowsky-Sahai is ZK Witness-indistinguishable 0/1-proof c 1 = g 1 h r1 π 1 = (gh r 1 ) r 1 is the proof that c 1 contains 1 c 1 = g 1 h r1 = g 0 gh r1 = g 0 h τ+r1 π 0 = (g 1 h τ+r 1 ) τ+r 1 is the proof that c 1 contains 0 π 0 = (g 1 h τ+r1 ) τ+r1 = (g 1 h τ ) τ+r1 (h r ) r+τ = (h r+τ ) r = (g 1 h r ) r = π 1 Witness-indistinguishable NAND-proof We have c 1 c 2 c4 2 g 2 = (g 1 h r1 ) (g 1 h r2 ) (g 1 h r4 ) 2 g 2 = g 2 h r0+r1+2r4 = g 1 h τ+r1+r2+2r4 Computational ZK Subgroup membership assumption D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 24 / 44

42 Groth-Ostrovsky-Sahai: Summary Perfect completeness and soundness, computational zero-knowledge for NP Idea: Commit bits using BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

43 Groth-////////////// Ostrovsky-Sahai: Summary Perfect completeness and soundness, computational zero-knowledge for NP Idea: Commit bits using BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

44 Groth-////////////// Ostrovsky-Sahai: Summary witness-indistinguishability Perfect completeness and soundness,//////////////////// computational///////////////////////// zero-knowledge for NP Idea: Commit bits using BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

45 Groth-////////////// Ostrovsky-Sahai: Summary witness-indistinguishability Perfect completeness and soundness,//////////////////// computational///////////////////////// zero-knowledge for ///// NP algebraic languages Idea: Commit bits using BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

46 Groth-////////////// Ostrovsky-Sahai: Summary witness-indistinguishability Perfect completeness and soundness,//////////////////// computational///////////////////////// zero-knowledge for ///// NP algebraic languages Idea: group elements Commit ////// bits using BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

47 Groth-////////////// Ostrovsky-Sahai: Summary witness-indistinguishability Perfect completeness and soundness,//////////////////// computational///////////////////////// zero-knowledge for ///// NP algebraic languages Idea: group elements Commit ////// bits using /////// BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: O( C k) bits D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

48 Groth-////////////// Ostrovsky-Sahai: Summary witness-indistinguishability Perfect completeness and soundness,//////////////////// computational///////////////////////// zero-knowledge for ///// NP algebraic languages Idea: group elements Commit ////// bits using /////// BGN encryption Prove the validity using homomorphic properties Plug the commitments c in the equations and provide additionnal group element π to check the validity e(g w, g w g 1 ) = 1 e(c, cg 1 ) = e(h, π) Common reference string: O(k) bits Proof: /////////// O( C k) bits O( E k) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 25 / 44

49 Symmetric bilinear structure (e, G, G T, g, p) bilinear structure: G, G T multiplicative groups of order p p = prime integer g = G e : G G G T e(g, g) = G T e(g a, g b ) = e(g, g) ab, a, b Z deciding group membership, group operations, efficiently computable. bilinear map D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 26 / 44

50 Boneh-Boyen-Shacham Encryption Scheme Public key: (e, G, G T, p) g, u = g x, v = g y G Secret key: x, y Encryption: (c 1, c 2, c 3 ) = (u α, v β, mg α+β ) (α, β R Z p ) Decryption: c 3 /(c 1/x 1 c 1/y 2 ) = m IND-CPA-secure under the: Decision Linear Assumption given (u, v, g, u α, v β ), Hard to distinguish g α+β from random D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 27 / 44

51 Boneh-Boyen-Shacham Commitment Scheme Public key: (e, G, G T, p) g, u, v G Commitment: (c 1, c 2, c 3 ) = (u α, v β, mg α+β ) (α, β R Z p ) Perfectly binding: unique m G Computationally hiding: indistinguishable from random g Addition: (c 1, c 2, c 3 ) (c 1, c 2, c 3 ) = (uα+α, v β+β, mg α+α +β+β ) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 28 / 44

52 Groth-Sahai Proof System Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Assumption DLIN SD Variables G 3 1 PPE 9 1 (Linear) 3 1 Verification 12n + 27 P n + 1 P O. Blazy, G. Fuchsbauer, M. Izabachène, A. Jambert, H. Sibert, D. V. Batch Groth-Sahai. ACNS 2010 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 29 / 44

53 Groth-Sahai Proof System Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Assumption DLIN SD Variables G 3 1 PPE 9 1 (Linear) 3 1 Verification 12n + 27 P n + 1 P O. Blazy, G. Fuchsbauer, M. Izabachène, A. Jambert, H. Sibert, D. V. Batch Groth-Sahai. ACNS 2010 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 29 / 44

54 Groth-Sahai Proof System Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Assumption DLIN SD Variables G 3 1 PPE 9 1 (Linear) 3 1 Verification 3n + 6 P n + 1 P O. Blazy, G. Fuchsbauer, M. Izabachène, A. Jambert, H. Sibert, D. V. Batch Groth-Sahai. ACNS 2010 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 29 / 44

55 Groth-Sahai Proof System: NIWI Properties: n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j = t T i=1 i=1 j=1 Setup on input the bilinear group output a commitment key ck Com on input ck, X G, randomness ρ output commitment c X to X Prove on input ck, (X i, ρ i ) i=1,...,n and (E) output a proof φ Verify on input ck, c Xi, (E) and φ output 0 or 1 correctness honestly generated proofs are accepted by Verify soundness ExtSetup outputs (ck, ek) s.t. given c Xi and φ s.t. Verify(ck, c Xi, E, π) = 1 then Extract(ek, c Xi ) returns X that satisfies (E) witness-indistinguishability WISetup outputs ck indist. from ck s.t. Com produces statistically hiding commitments Given (X i, ρ i ), (X i, ρ i ) s.t. Com(ck, X i, ρ i ) = Com(ck, X i, ρ i ) and X i and X i satisfy E then Prove(ck, X i, ρ i ) Prove(ck, X i, ρ i ) i D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 30 / 44

56 Groth-Sahai Proof System: NIWI Properties: n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j = t T i=1 i=1 j=1 Setup on input the bilinear group output a commitment key ck Com on input ck, X G, randomness ρ output commitment c X to X Prove on input ck, (X i, ρ i ) i=1,...,n and (E) output a proof φ Verify on input ck, c Xi, (E) and φ output 0 or 1 correctness honestly generated proofs are accepted by Verify soundness ExtSetup outputs (ck, ek) s.t. given c Xi and φ s.t. Verify(ck, c Xi, E, π) = 1 then Extract(ek, c Xi ) returns X that satisfies (E) witness-indistinguishability WISetup outputs ck indist. from ck s.t. Com produces statistically hiding commitments Given (X i, ρ i ), (X i, ρ i ) s.t. Com(ck, X i, ρ i ) = Com(ck, X i, ρ i ) and X i and X i satisfy E then Prove(ck, X i, ρ i ) Prove(ck, X i, ρ i ) i D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 30 / 44

57 Groth-Sahai Proof System: NIWI Properties: n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j = t T i=1 i=1 j=1 Setup on input the bilinear group output a commitment key ck Com on input ck, X G, randomness ρ output commitment c X to X Prove on input ck, (X i, ρ i ) i=1,...,n and (E) output a proof φ Verify on input ck, c Xi, (E) and φ output 0 or 1 correctness honestly generated proofs are accepted by Verify soundness ExtSetup outputs (ck, ek) s.t. given c Xi and φ s.t. Verify(ck, c Xi, E, π) = 1 then Extract(ek, c Xi ) returns X that satisfies (E) witness-indistinguishability WISetup outputs ck indist. from ck s.t. Com produces statistically hiding commitments Given (X i, ρ i ), (X i, ρ i ) s.t. Com(ck, X i, ρ i ) = Com(ck, X i, ρ i ) and X i and X i satisfy E then Prove(ck, X i, ρ i ) Prove(ck, X i, ρ i ) i D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 30 / 44

58 Groth-Sahai Proof System: NIZK such equations are not known to always have NIZK proofs auxiliary variables and equations have to be introduced. If t T = n j=1 e(g j, h j ) for known g 1,..., g n, h 1,..., h n G, the simulator can prove that n e(a i, X i ) i=1 n n n e(x i, X j ) a ij = e(g j, Y j ) i=1 j=1 and that introduced variables Y 1,..., Y n satisfy the linear equations Y j = h j. j=1 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 31 / 44

59 Contents 1 Introduction 2 Groth-Sahai proof system Non-interactive Zero-Knowledge proofs Bilinear maps Groth-Ostrovsky-Sahai Groth-Sahai (2008) 3 Application: Transferable E-Cash Design principle Partially-Blind Certification Transferable Anonymous Constant-Size Fair E-Cash from Certificates 4 Conclusion D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 32 / 44

60 Transferable Fair E-cash: Cast of characters Users Alice Bob Users: withdraw, transfer or spend coins (registered to a system manager S) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 33 / 44

61 Transferable Fair E-cash: Cast of characters Users Alice Bob Shop Shop: to which coins are spent D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 33 / 44

62 Transferable Fair E-cash: Cast of characters Users Alice Bob Shop Bank Bank B: issue coins D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 33 / 44

63 Transferable Fair E-cash: Cast of characters Users Alice Bob Shop Bank Double-spending detector Double-spending detector D: check (on deposit) if a coin has already been spent (coins can be easily duplicated copies of cash should not be spendable.) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 33 / 44

64 Transferable Fair E-cash: Cast of characters Users Alice Bob Shop Bank Double-spending detector Tracer Tracer T : trace coins, revoke anonymity and identify double-spenders. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 33 / 44

65 Transferable E-cash: Our Construction in our scheme, coins are transferable while remaining constant in size we circumvent the impossibility with a new method to trace double spenders: users keep receipts when receiving coins (instead of storing all information about transfers inside the coin) anonymous w.r.t. an entity issuing coins and able to detect double spendings. the construction: our new primitive + the Groth-Sahai proof system G. Fuchsbauer, D. Pointcheval, D. V. Transferable Constant-Size Fair E-Cash. CANS 2009 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 34 / 44

66 Group Signatures introduced by Chaum and van Heyst (1991). allows members of a group to sign messages anonymity: no one can determine the identity of the signer. traceability: possible to open signature find out which group members produces it tracing authority holding some trapdoor information attractive for many specialized applications, such as e-cash, voting... D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 35 / 44

67 A New Primitive: Partially-Blind Certification = 4-tuple of (interactive) PPTs: Setup: k (pk, sk) Sign and User are interactive PPTs s.t.: User: pk (σ, τ) or Sign: sk completed or not-completed (certificate issuing protocol) Verif: (pk, (σ, τ)) accept or reject. 1 (σ, τ) = certificate for pk 2 τ = blind component of the certificate. 3 Properties: correctness partial blindness: τ is only known to the user and cannot be associated to a particular protocol execution by the issuer unforgeability: from m runs of the protocol, it is impossible to derive more than m valid certificates D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 36 / 44

68 A New Primitive: Partially-Blind Certification = 4-tuple of (interactive) PPTs: Setup: k (pk, sk) Sign and User are interactive PPTs s.t.: User: pk (σ, τ) or Sign: sk completed or not-completed (certificate issuing protocol) Verif: (pk, (σ, τ)) accept or reject. 1 (σ, τ) = certificate for pk 2 τ = blind component of the certificate. 3 Properties: correctness partial blindness: τ is only known to the user and cannot be associated to a particular protocol execution by the issuer unforgeability: from m runs of the protocol, it is impossible to derive more than m valid certificates D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 36 / 44

69 Computational assumptions Boneh and Boyen (2004) Strong Diffie-Hellman )(SDH) problem given (g, g γ, g γ2,..., g γq ) G q+1 output (x, g 1 γ+x Z p G. ) (I) [g, g γ γ+x G] + q 1 pairs (x i, g 1 i Z p G new pair. (II) [g, g γ, k G] + q 1 triples ( x i, y i, (kg y i ) 1 γ+x i ) Z 2 p G, new triple. Boyen Waters (2007) Hidden SDH problem (variant of (I)): x i (g x i, h x i ) and the goal is to output a new triple (g x, h x, g 1 γ+x ). New assumption Double Hidden SDH problem (variant of (II)): Definition (q-double Hidden Strong Diffie-Hellman (DHSDH)) The following problem is intractable: given (g, h, k, Γ = g γ ) G 4 and q 1 (g x i, h x i, g y i, h y i, (kg y i ) 1 γ+x i ) with x i, y i Z p, output a new tuple ) (g x, h x, g y, h y, (kg y ) 1 γ+x D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 37 / 44

70 Computational assumptions Boneh and Boyen (2004) Strong Diffie-Hellman )(SDH) problem given (g, g γ, g γ2,..., g γq ) G q+1 output (x, g 1 γ+x Z p G. ) (I) [g, g γ γ+x G] + q 1 pairs (x i, g 1 i Z p G new pair. (II) [g, g γ, k G] + q 1 triples ( x i, y i, (kg y i ) 1 γ+x i ) Z 2 p G, new triple. Boyen Waters (2007) Hidden SDH problem (variant of (I)): x i (g x i, h x i ) and the goal is to output a new triple (g x, h x, g 1 γ+x ). New assumption Double Hidden SDH problem (variant of (II)): Definition (q-double Hidden Strong Diffie-Hellman (DHSDH)) The following problem is intractable: given (g, h, k, Γ = g γ ) G 4 and q 1 (g x i, h x i, g y i, h y i, (kg y i ) 1 γ+x i ) with x i, y i Z p, output a new tuple ) (g x, h x, g y, h y, (kg y ) 1 γ+x D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 37 / 44

71 Computational assumptions Boneh and Boyen (2004) Strong Diffie-Hellman )(SDH) problem given (g, g γ, g γ2,..., g γq ) G q+1 output (x, g 1 γ+x Z p G. ) (I) [g, g γ γ+x G] + q 1 pairs (x i, g 1 i Z p G new pair. (II) [g, g γ, k G] + q 1 triples ( x i, y i, (kg y i ) 1 γ+x i ) Z 2 p G, new triple. Boyen Waters (2007) Hidden SDH problem (variant of (I)): x i (g x i, h x i ) and the goal is to output a new triple (g x, h x, g 1 γ+x ). New assumption Double Hidden SDH problem (variant of (II)): Definition (q-double Hidden Strong Diffie-Hellman (DHSDH)) The following problem is intractable: given (g, h, k, Γ = g γ ) G 4 and q 1 (g x i, h x i, g y i, h y i, (kg y i ) 1 γ+x i ) with x i, y i Z p, output a new tuple ) (g x, h x, g y, h y, (kg y ) 1 γ+x D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 37 / 44

72 Partially-Blind Certification: Instantiation public parameters: (p, G, G T, e, G) a bilinear group and g, h, k G signer s key pair: sk := ω Z p and pk = Ω := g ω. certificate: x, y Z p { Crt(ω ; x, y) := A = (kg y ) 1 ω+x X = g x Y = g y X = h x Y = h y with σ := (A, X, X, Y ) and the blind component τ := Y G. It satisfies: e(x, H) = e(g, X ) e(y, H) = e(g, Y ) e(a, Ω X ) = e(k Y, G) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 38 / 44

73 Partially-Blind Certification: Instantiation public parameters: (p, G, G T, e, G) a bilinear group and g, h, k G signer s key pair: sk := ω Z p and pk = Ω := g ω. certificate: x, y Z p { Crt(ω ; x, y) := A = (kg y ) 1 ω+x X = g x Y = g y X = h x Y = h y with σ := (A, X, X, Y ) and the blind component τ := Y G. It satisfies: e(x, H) = e(g, X ) e(y, H) = e(g, Y ) e(a, Ω X ) = e(k Y, G) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 38 / 44

74 Partially-Blind Certification: Instantiation (1) User Choose r, y 1 Z p, compute and send: R 1 := (kg y1 ) r, T := g r and ZKPK of r and y 1 satisfying the relations (2) Sign Choose x, y 2 Z p and compute R := R 1 T y2 (note that R = (Kg y ) r with y := y 1 + y 2.) Send ( S 1 := R 1 ω+x, S 2 := g x, S 3 := h x, S 4 := g y2, S 5 := H y2 ) (3) User Check whether (S 1, S 2, S 3, S 4, S 5 ) is correctly formed: e(s 2, H) = e(g, S 3 ) e(s 4, H) = e(g, S 5 ) e(s 1, Ω S 2 ) = e(r, G) If so, compute a certificate DHSDH assumption unforgeable. DLIN assumption partially blind. A := S 1 r 1, X := S 2, X := S 3 Y := g y 1 S 4 = g y, Y := h y 1 S 5 = h y D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 39 / 44

75 Partially-Blind Certification: Instantiation (1) User Choose r, y 1 Z p, compute and send: R 1 := (kg y1 ) r, T := g r and ZKPK of r and y 1 satisfying the relations (2) Sign Choose x, y 2 Z p and compute R := R 1 T y2 (note that R = (Kg y ) r with y := y 1 + y 2.) Send ( S 1 := R 1 ω+x, S 2 := g x, S 3 := h x, S 4 := g y2, S 5 := H y2 ) (3) User Check whether (S 1, S 2, S 3, S 4, S 5 ) is correctly formed: e(s 2, H) = e(g, S 3 ) e(s 4, H) = e(g, S 5 ) e(s 1, Ω S 2 ) = e(r, G) If so, compute a certificate DHSDH assumption unforgeable. DLIN assumption partially blind. A := S 1 r 1, X := S 2, X := S 3 Y := g y 1 S 4 = g y, Y := h y 1 S 5 = h y D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 39 / 44

76 Partially-Blind Certification: Instantiation (1) User Choose r, y 1 Z p, compute and send: R 1 := (kg y1 ) r, T := g r and ZKPK of r and y 1 satisfying the relations (2) Sign Choose x, y 2 Z p and compute R := R 1 T y2 (note that R = (Kg y ) r with y := y 1 + y 2.) Send ( S 1 := R 1 ω+x, S 2 := g x, S 3 := h x, S 4 := g y2, S 5 := H y2 ) (3) User Check whether (S 1, S 2, S 3, S 4, S 5 ) is correctly formed: e(s 2, H) = e(g, S 3 ) e(s 4, H) = e(g, S 5 ) e(s 1, Ω S 2 ) = e(r, G) If so, compute a certificate DHSDH assumption unforgeable. DLIN assumption partially blind. A := S 1 r 1, X := S 2, X := S 3 Y := g y 1 S 4 = g y, Y := h y 1 S 5 = h y D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 39 / 44

77 Partially-Blind Certification: Instantiation (1) User Choose r, y 1 Z p, compute and send: R 1 := (kg y1 ) r, T := g r and ZKPK of r and y 1 satisfying the relations (2) Sign Choose x, y 2 Z p and compute R := R 1 T y2 (note that R = (Kg y ) r with y := y 1 + y 2.) Send ( S 1 := R 1 ω+x, S 2 := g x, S 3 := h x, S 4 := g y2, S 5 := H y2 ) (3) User Check whether (S 1, S 2, S 3, S 4, S 5 ) is correctly formed: e(s 2, H) = e(g, S 3 ) e(s 4, H) = e(g, S 5 ) e(s 1, Ω S 2 ) = e(r, G) If so, compute a certificate DHSDH assumption unforgeable. DLIN assumption partially blind. A := S 1 r 1, X := S 2, X := S 3 Y := g y 1 S 4 = g y, Y := h y 1 S 5 = h y D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 39 / 44

78 Transferable Constant-Size Fair E-Cash the core of a coin in our system is a partially-blind certificate. Withdrawal: partially blind issuing the bank does not know C 5. Spend/Transfer: the user commit to the coin and prove validity. Transfer re-randomize the encryption unlinkable anonymity. Double-spending detection: the detector has the decryption key to compare encrypted certificates. does not guarantee user anonymity when bank and detector cooperate. C 5 is thus encrypted under a different key than the rest the detector gets only the key to decrypt C 5, which suffices to detect double spending. Traceability: the receipts, given when transferring coins, are group signatures on them Double-spender identification: the tracer follows backwards the paths the certificate took before reaching the spender, by opening the receipts. A user that spent or transferred a coin twice is then unable to show two receipts. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 40 / 44

79 Transferable Constant-Size Fair E-Cash the core of a coin in our system is a partially-blind certificate. Withdrawal: partially blind issuing the bank does not know C 5. Spend/Transfer: the user commit to the coin and prove validity. Transfer re-randomize the encryption unlinkable anonymity. Double-spending detection: the detector has the decryption key to compare encrypted certificates. does not guarantee user anonymity when bank and detector cooperate. C 5 is thus encrypted under a different key than the rest the detector gets only the key to decrypt C 5, which suffices to detect double spending. Traceability: the receipts, given when transferring coins, are group signatures on them Double-spender identification: the tracer follows backwards the paths the certificate took before reaching the spender, by opening the receipts. A user that spent or transferred a coin twice is then unable to show two receipts. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 40 / 44

80 Transferable Constant-Size Fair E-Cash the core of a coin in our system is a partially-blind certificate. Withdrawal: partially blind issuing the bank does not know C 5. Spend/Transfer: the user commit to the coin and prove validity. Transfer re-randomize the encryption unlinkable anonymity. Double-spending detection: the detector has the decryption key to compare encrypted certificates. does not guarantee user anonymity when bank and detector cooperate. C 5 is thus encrypted under a different key than the rest the detector gets only the key to decrypt C 5, which suffices to detect double spending. Traceability: the receipts, given when transferring coins, are group signatures on them Double-spender identification: the tracer follows backwards the paths the certificate took before reaching the spender, by opening the receipts. A user that spent or transferred a coin twice is then unable to show two receipts. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 40 / 44

81 Transferable Constant-Size Fair E-Cash the core of a coin in our system is a partially-blind certificate. Withdrawal: partially blind issuing the bank does not know C 5. Spend/Transfer: the user commit to the coin and prove validity. Transfer re-randomize the encryption unlinkable anonymity. Double-spending detection: the detector has the decryption key to compare encrypted certificates. does not guarantee user anonymity when bank and detector cooperate. C 5 is thus encrypted under a different key than the rest the detector gets only the key to decrypt C 5, which suffices to detect double spending. Traceability: the receipts, given when transferring coins, are group signatures on them Double-spender identification: the tracer follows backwards the paths the certificate took before reaching the spender, by opening the receipts. A user that spent or transferred a coin twice is then unable to show two receipts. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 40 / 44

82 Transferable Constant-Size Fair E-Cash the core of a coin in our system is a partially-blind certificate. Withdrawal: partially blind issuing the bank does not know C 5. Spend/Transfer: the user commit to the coin and prove validity. Transfer re-randomize the encryption unlinkable anonymity. Double-spending detection: the detector has the decryption key to compare encrypted certificates. does not guarantee user anonymity when bank and detector cooperate. C 5 is thus encrypted under a different key than the rest the detector gets only the key to decrypt C 5, which suffices to detect double spending. Traceability: the receipts, given when transferring coins, are group signatures on them Double-spender identification: the tracer follows backwards the paths the certificate took before reaching the spender, by opening the receipts. A user that spent or transferred a coin twice is then unable to show two receipts. D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 40 / 44

83 Contents 1 Introduction 2 Groth-Sahai proof system Non-interactive Zero-Knowledge proofs Bilinear maps Groth-Ostrovsky-Sahai Groth-Sahai (2008) 3 Application: Transferable E-Cash Design principle Partially-Blind Certification Transferable Anonymous Constant-Size Fair E-Cash from Certificates 4 Conclusion D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 41 / 44

84 Group Signatures with verifier-local revocation Boneh and Shacham (2004) concept of group signatures with verifier-local revocation (VLR) revocation messages are only sent to signature verifiers we present the first efficient VLR group signature with a security proof in the standard model it provides backward unlinkability previously issued signatures remain anonymous even after the signer s revocation B. Libert, D. V. Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model. CANS 2009 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 42 / 44

85 Fair Blind Signatures Chaum (1983) concept of blind signatures allow a user to obtain a signature on a message hidden to the signer a user cannot obtain more signatures than those issued by the signer Stadler, Piveteau and Camenisch (1995) Fair blind signatures allow an authority to revoke anonymity we present the first construction in the standard model G. Fuchsbauer, D. V. Fair Blind Signatures without Random Oracles. Africacrypt 2010 D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 43 / 44

86 Conclusion Groth-Sahai framework for NIWI/NIZK proofs Applications Non-frameable group signatures Efficient (offline) e-cash system Group signatures with VLR Fair blind signatures Ongoing work (Non-interactive) Receipt-Free E-voting (Round-optimal) Blind Signatures (under classical assumption) D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct. 22nd 2010, Paris 44 / 44