CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Similar documents
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument

Lattice-Based Non-Interactive Arugment Systems

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL

Non-interactive Zaps and New Techniques for NIZK

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

From Secure MPC to Efficient Zero-Knowledge

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Generalizing Efficient Multiparty Computation

Computing on Encrypted Data

Additive Combinatorics and Discrete Logarithm Based Range Protocols

AUTHORIZATION TO LEND AND REPRODUCE THE THESIS

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Sub-linear Blind Ring Signatures without Random Oracles

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2

Groth Sahai proofs revisited

Linear Multi-Prover Interactive Proofs

Practical Round-Optimal Blind Signatures in the Standard Model

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2

Lecture 15 - Zero Knowledge Proofs

Non-Interactive Zero-Knowledge Proofs of Non-Membership

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Disjunctions for Hash Proof Systems: New Constructions and Applications

Cryptography in the Multi-string Model

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

Lecture Notes 20: Zero-Knowledge Proofs

Systèmes de preuve Groth-Sahai et applications

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 16: Public Key Encryption:II

Efficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting

Policy-based Signature

Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures

Universally Composable Adaptive Oblivious Transfer

Evaluating 2-DNF Formulas on Ciphertexts

Commuting Signatures and Verifiable Encryption

Question 1. The Chinese University of Hong Kong, Spring 2018

Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

On the (Im)possibility of Projecting Property in Prime-Order Setting

Round-Efficient Multi-party Computation with a Dishonest Majority

Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

4-3 A Survey on Oblivious Transfer Protocols

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

Subversion-Resistant Zero Knowledge

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Secure Equality and Greater-Than Tests with Sublinear Online Complexity

Garbled Protocols and Two-Round MPC from Bilinear Maps

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

Advanced Topics in Cryptography

Introduction to Cryptography Lecture 13

Efficient Fully-Leakage Resilient One-More Signature Schemes

How many rounds can Random Selection handle?

Extractable Perfectly One-way Functions

Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations

Cryptographical Security in the Quantum Random Oracle Model

Introduction to Cryptography. Lecture 8

Provable security. Michel Abdalla

Lecture 28: Public-key Cryptography. Public-key Cryptography

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

Public-Key Encryption: ElGamal, RSA, Rabin

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Non-interactive zero-knowledge proofs in the quantum random oracle model

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lossy Trapdoor Functions and Their Applications

Graded Encoding Schemes from Obfuscation

Round Optimal Blind Signatures

1 Secure two-party computation

Katz, Lindell Introduction to Modern Cryptrography

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

1 Number Theory Basics

Introduction to Modern Cryptography Lecture 11

Essam Ghadafi CT-RSA 2016

Encryption Switching Protocols Revisited: Switching modulo p

Minimal Assumptions for Efficient Mercurial Commitments

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

The Exact Round Complexity of Secure Computation

Efficient Protocols for Set Membership and Range Proofs

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Additive Conditional Disclosure of Secrets

Smooth Projective Hash Function and Its Applications

Graded Encoding Schemes from Obfuscation

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Transcription:

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu

UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols Pairing-based cryptography

THIS TIME Pairing-based NIZK in the CRS model An example of Groth-Sahai proofs: efficient NIZK proofs for algebraic relations

BACKGROUND READING Jens Groth, Amit Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM Journal on Computing, 2012 Alex Escala, Jens Groth. Fine-Tuning Groth- Sahai Proofs. PKC 2015

REMINDER: PAIRINGS Pairing: function ê: G 1 G 2 G T that satisfies Bilinearity: ê (ag 1, bg 2 ) = ab ê (g 1, g 2 ) ê ([a] 1, [b] 2 ) = [ab] T Non-degenerative: ê ([a] 1, [b] 2 ) 0 if a, b 0, g i 0 Efficiently computable Setup (1 κ ) returns (p, G 1, G 2, G T, ê) Basic fact of pairings: ê ([a] 1, [b] 2 ) = ê ([c] 1, [d] 2 ) <=> ab = cd

REMINDER: NIZK td x Simulator π P(crs, td, x) crs Output Ver(crs, x, π) x, ω π P(crs, x, ω) x, π Output Ver(crs, x, π) Output Ver(crs, x, π)

GROTH-SAHAI PROOFS Let Com be a commitment scheme Goal (general): Given A i = Com (a i ), verify that various algebraic equations hold between a i a i can be either a group element (a i ) or integer Example goal: for A i = Com(a i ), B i = Com(b i ), it holds that C = Com(Σb i a i )

GROTH-SAHAI PROOFS Only hardness assumption: The commitment scheme is secure Several instantiations known (XDH, DLIN,...) Variant 0: Com is perfectly binding/comp. hiding Perfectly sound/computationally NIZK Variant 1: Com is comp. binding/perfectly hiding Computationally sound/perfectly NIZK

DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor The only difference is in the CRS. The rest of Com is the same in both cases

DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor Corollary. Com[crs 0 ] is computationally hiding Corollary. Com[crs 1 ] is computationally binding

COM[CRS0] IS COMP. BINDING (CHECK AT HOME) Lemma. If crs 0 and crs 1 are computationally indistinguishable, and Com[crs 0 ] is perfectly binding, then Com[crs 0 ] is computationally binding. Proof: Assume that Com[crs 0 ] is not comp. binding. Thus, there adv. A that can on input crs 0 produce (C, m, r, m*, r*), s.t. C = Com (m; r) = Com (m*; r*), m* m, with probability ε Α. Assume Com[crs 0 ] is perf. binding. We construct adv. B that distinguishes crs 0 and crs 1 with probability ε Β ε Α / 2 + 1 / 4. B is given as an input crs i for i {0, 1}. B sends crs i to A. If A succeeds, then B outputs i* 0, otherwise B outputs i* 0. ε B = Pr[i* = i] = Pr[i* = 0 i = 0] Pr[i = 0] + Pr[i* = 1 i = 1] Pr[i = 1] = (Pr[i* = 0 i = 0] + Pr[i* = 1 i = 1]) / 2 = (Pr[A succeeds i = 0] + (1 - Pr[A succeeds i = 1])) / 2 = ε Α / 2 + 1 / 2-1 / 4 = ε Α / 2 + 1 / 4

GS PROOFS: IDEA Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") crs 0 and crs 1 are indistinguishable crs 0 crs 1 GS proofs with Com[crs 0 ] are perfectly sound GS proofs with Com[crs 1 ] are perfectly zero-knowledge GS proofs with Com[crs 0 ] are computationally zero-knowledge GS proofs with Com[crs 1 ] are computationally sound

DMC: TECHNICALITIES We need two separate commitment schemes: DMC G, to commit to group elements and DMC E, to commit to exponents DMC G and DMC E have to play well together Due to this and DMC requirements, DMC G / DMC E are somewhat complicated

DIFFERENT INSTANTIATIONS Different instantiations of DMC E /DMC G are known based on say XDH, DLIN, SH assumptions We will describe DMC E /GS proof with XDH thus we need to use asymmetric pairings Will not have time to describe DMC G, DLIN/SH setting proofs,...

DDH: DIFFERENT VIEW Denote G = (g 1, h), E = (E 1, E 2 ) X = (g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 1. X=(g 1, h, E 1, E 2 ) is not a DDH tuple iff {G, E} is a basis of the vector space V = G 1 2 E G E G not DDH DDH

DDH: DIFFERENT VIEW X=(g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 2. B is a DDH tuple => each vector c <G> can be written nonuniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E B is not a DDH tuple => each vector c V can be written uniquely as c 1 G + c 2 E E unique (c 1,c 2 )C=c 1 G + c 2 E G (c 1,c 2 )C c 1 G + c 2 E G ( c 1 c 2 )C=c 1 G + c 2 E E not DDH DDH

DMCE: IDEA We need to create crs 0 and crs 1 that are computationally indistinguishable under XDH Idea: let crs χ = (gk, g 1, h, E 1, E 2 ), where each vector c V can be written uniquely as c 1 G + c 2 E (g 1, h, E 1, E 2 ) is not a DDH tuple if χ = 0 indistinguishable under XDH assumption (g 1, h, E 1, E 2 ) is a DDH tuple if χ = 1 each vector c <G> can be written non-uniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E

DMC FOR EXPONENTS 1. // χ = hiding mode? 1 : 0 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, (m, r) crs χ c = Com (m; r) me + rg χ = 0: (g 1, h, E 1, E 2 ) is not a DDH tuple. χ = 1: (g 1, h, E 1, E 2 ) is a DDH tuple. crs 0 crs 1 due to XDH assumption. crs χ crs χ c Store c Open: (m, r) Note: Com (1; 0) = E

PERFECT BINDING WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Com (m; r) = me + rg = [(my + r, m + (my + r)x)] 1 = Elgamal (m; my + r) // r is random Thus perfectly binding and computationally hiding

PERFECT HIDING WITH CRS 1 crs 0 = (gk, G = [(1, x)]₁, E yg Com (m; r) = me + rg = (my + r)g random element of <G> Perfectly hiding since r is random Since crs 0 crs 1, and DMCE[crs 0 ] is perfectly binding => this version is computationally binding under XDH

TRAPDOOR WITH CRS 1 crs 1 = ( gk, G = [(1, x)] 1, E yg) Com (m; r) = me + rg = (my + r)g Set td y Given td and m*, compute r* such that my + r = m*y + r* Com (m*; r*) = (m*y + r*)g = (my + r)g = Com (m; r) Clearly trapdoor

DMCE SECURITY: THEOREM Theorem. Assume XDH holds. DMC E is either perfectly binding and computationally hiding (if crs 0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs 1 is used). Proof. Given on previous pages.

FIRST GROTH-SAHAI PROOF Goal: Given Z i = Com (z i ; r i ) G 1 2 and A i, T G 2 Z i, A i, T are public Construct NIZK proof that z i A i = T Denote (A, B) C := (A C, B C) Bilinear operation! The first argument of is a commitment G 1 2

FIRST GROTH-SAHAI PROOF Goal: given Z i = Com(z i ; r i ), A i, T, prove that z i A i = 1 T (*) The basic idea is always similar Use commitments instead of messages, and additions/bilinear operations in different algebraic domain show that if randomness is zero then (Com (z i ; 0) A i ) = Com (1; 0) T Both and are bilinear operations For any randomness: to prove (*), derive π G 2 from (Com (z i ; r i ) A i ) = Com (1; 0) T + (, ) π order important: asymmetric pairings π compensates for added randomness

VERIFICATION WITHOUT PRIVACY First, consider the case without privacy Z i = Com(z i ; 0) = z i E + 0G (Com(z i ; 0) A i ) = (z i E A i ) Com (1; 0) = E = E ( z i A i ) = E T Thus (Com (z i ; 0) A i ) = Com (1; 0) T

GENERAL CASE WITH RANDOMNESS Recall: crs χ = (gk, G [(1, x)] 1, E yg + [(0, 1 - χ)] 1 Z i = Com(z i ; r i ) = z i E + r i G (Z i A i ) = ((z i E + r i G) Aᵢ) = E ( z i A i ) + G ( r i A i ) = T =: π

GS PROOF OF Z I A I = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ crs χ crs χ, ({A i, Z i }, T), ({z i, r i }) crs χ, ({A i, Z i }, T) π r i A i G 2 π Accept if (Z i A i ) = E T + G π

SOUNDNESS WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Assume Z i = Com (z i ; r i ) = z i E + r i G for some z i Component-wise verification: ((z i E 1 + r i g 1 ) A i ) = E 1 T + g 1 π (Z i A i ) = E T + G π ((z i E 2 + r i h ) A i ) = E 2 T + h π (( z i g 1 + 0) A i ) = g 1 T + 0 x Second - x first Thus g 1 z i A i = g 1 T Thus z i A i = T, as needed

ZERO KNOWLEDGE WITH CRS 1 crs 1 = (gk, G = [(1, x)]₁, E yg Trapdoor com.: Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com (z i *; r i *) for z i * = 0 and some r i * Basic idea: the simulator creates a GS proof that z i *A i - t*t = 0, where t* is an opening of comm. E Since prover has z i * = z i, t* = 1, the prover must be honest Simulator, knowing y, can take z i * = t* = 0

ZERO KNOWLEDGE crs 1 = (gk, G = [(1, x)]₁, E yg Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com(0; r i *) = r i *G Simulator creates π* r i *A i - yt // GS proof for 0A i - 0T = 0 Verification succeeds: G π* = G ( r i *A i - yt) = (r i *G A i ) - yg T = (Z i A i ) - E T

SIMULATING PROOF OF ZᵢAᵢ = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, td crs χ crs χ, td, ({A i, Z i }, T), {z i, r i } crs χ, ({A i, Z i }, T) π* r i *A i - yt G 2 π* Accept if (Z i A i ) = E T + G π*

FIRST GS PROOF DONE We saw how to do one concrete GS proof Details are somewhat scary but the proof is very efficient Prover: n exponentiations Verifier: 2n + 4 pairings We used additive notation, so ag isexponentiation CRS: 4 group elements Proof length: 1 group element

SOME OTHER POSSIBLE SETTINGS FOR GS Prove you have committed to X i, Y i, s.t. i (A i Y i ) + i j a ij (X i Y j ) = T or to X i, y i s.t. y i A i + b j X j + i j y i c ij X j = T where all other values are publicly known

COMPARISON WITH Σ-PROTOCOLS Good: non-interactive, arguably easier to understand (?) suits well other pairing-based protocols Bad: often less efficient requires specific algebraic structure pairings, while Σ-protocols work in many settings E.g., Groth-Sahai does not work with Paillier

WHY RELEVANT Pairing-based primitives are "algebraic" Example. Boneh-Boyen signature of m with sk A s [1 / (m + sk A )] 1 Verification: accept if s ([m] 2 + [sk A ] 2 ) = [1] T In some protocols, cannot reveal s before the end of the protocol, but need to prove you know s Need GS proof: S = Com (s; r) pk = [sk A ] 2 s ([m] 2 [sk A ] 2 ) = [1] T

GS PROOF FOR CIRCUITS Recall: to show that circuit is correctly computed, one needs a ZK proof that the committed value is Boolean ZK proof that c = Com (mg; r) and m {0, 1}: Include signatures of 0 and 1 (but nothing else) to the CRS Create a randomized commitment c sign of Sign (mg) Construct GS proof that c sign commits to a signature of mg Need structure-preserving signatures"

STUDY OUTCOMES Efficient NIZK from pairings Dual-mode commitment Groth-Sahai proofs Idea One example

THIS WAS THE LAST LECTURE This was the last lecture

STUDY OUTCOMES OF THE COURSE Goal of cryptographic protocols: security against malicious adversary security = correctness + privacy General design principles

STUDY OUTCOMES (CONT.) Most general principle: design passively secure protocol achieve active security by employing ZK proofs (In the case MPC, one uses different techniques)

STUDY OUTCOMES: PASSIVE SECURITY Employing homomorphic cryptography Elgamal, Paillier Recursion (BDD,...) Better comp. efficiency by allowing many rounds Glimpse to multi-party computation Glimpse to garbled circuits Pairing-based cryptography

STUDY OUTCOMES: ACTIVE SECURITY Σ-protocols Basic protocols, composition Getting full 4-round ZK from Σ-protocols Pairing-based NIZK protocols Groth-Sahai

FURTHER DIRECTIONS Different basic techniques for passive security: lattice-based cryptography, much more garbled circuits, much more multi-party computation, much more pairings... for active security: cut-and-choose, ZK based on other algebraic techniques Many insanely clever ideas to improve efficiency Other aspects: verification,... Concrete applications: e-voting, auctions, e-cash,...

THIS COURSE IN FIVE YEARS More emphasis on quantum-safe protocols Lattice-based crypto Fancy applications like fully homomorphic crypto More on information-theoretic crypto // also quantum-safe MPC Need many more hours :) No course in 2017, in 2018 will have 32 lectures

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback