CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu
UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols Pairing-based cryptography
THIS TIME Pairing-based NIZK in the CRS model An example of Groth-Sahai proofs: efficient NIZK proofs for algebraic relations
BACKGROUND READING Jens Groth, Amit Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM Journal on Computing, 2012 Alex Escala, Jens Groth. Fine-Tuning Groth- Sahai Proofs. PKC 2015
REMINDER: PAIRINGS Pairing: function ê: G 1 G 2 G T that satisfies Bilinearity: ê (ag 1, bg 2 ) = ab ê (g 1, g 2 ) ê ([a] 1, [b] 2 ) = [ab] T Non-degenerative: ê ([a] 1, [b] 2 ) 0 if a, b 0, g i 0 Efficiently computable Setup (1 κ ) returns (p, G 1, G 2, G T, ê) Basic fact of pairings: ê ([a] 1, [b] 2 ) = ê ([c] 1, [d] 2 ) <=> ab = cd
REMINDER: NIZK td x Simulator π P(crs, td, x) crs Output Ver(crs, x, π) x, ω π P(crs, x, ω) x, π Output Ver(crs, x, π) Output Ver(crs, x, π)
GROTH-SAHAI PROOFS Let Com be a commitment scheme Goal (general): Given A i = Com (a i ), verify that various algebraic equations hold between a i a i can be either a group element (a i ) or integer Example goal: for A i = Com(a i ), B i = Com(b i ), it holds that C = Com(Σb i a i )
GROTH-SAHAI PROOFS Only hardness assumption: The commitment scheme is secure Several instantiations known (XDH, DLIN,...) Variant 0: Com is perfectly binding/comp. hiding Perfectly sound/computationally NIZK Variant 1: Com is comp. binding/perfectly hiding Computationally sound/perfectly NIZK
DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor The only difference is in the CRS. The rest of Com is the same in both cases
DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor Corollary. Com[crs 0 ] is computationally hiding Corollary. Com[crs 1 ] is computationally binding
COM[CRS0] IS COMP. BINDING (CHECK AT HOME) Lemma. If crs 0 and crs 1 are computationally indistinguishable, and Com[crs 0 ] is perfectly binding, then Com[crs 0 ] is computationally binding. Proof: Assume that Com[crs 0 ] is not comp. binding. Thus, there adv. A that can on input crs 0 produce (C, m, r, m*, r*), s.t. C = Com (m; r) = Com (m*; r*), m* m, with probability ε Α. Assume Com[crs 0 ] is perf. binding. We construct adv. B that distinguishes crs 0 and crs 1 with probability ε Β ε Α / 2 + 1 / 4. B is given as an input crs i for i {0, 1}. B sends crs i to A. If A succeeds, then B outputs i* 0, otherwise B outputs i* 0. ε B = Pr[i* = i] = Pr[i* = 0 i = 0] Pr[i = 0] + Pr[i* = 1 i = 1] Pr[i = 1] = (Pr[i* = 0 i = 0] + Pr[i* = 1 i = 1]) / 2 = (Pr[A succeeds i = 0] + (1 - Pr[A succeeds i = 1])) / 2 = ε Α / 2 + 1 / 2-1 / 4 = ε Α / 2 + 1 / 4
GS PROOFS: IDEA Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") crs 0 and crs 1 are indistinguishable crs 0 crs 1 GS proofs with Com[crs 0 ] are perfectly sound GS proofs with Com[crs 1 ] are perfectly zero-knowledge GS proofs with Com[crs 0 ] are computationally zero-knowledge GS proofs with Com[crs 1 ] are computationally sound
DMC: TECHNICALITIES We need two separate commitment schemes: DMC G, to commit to group elements and DMC E, to commit to exponents DMC G and DMC E have to play well together Due to this and DMC requirements, DMC G / DMC E are somewhat complicated
DIFFERENT INSTANTIATIONS Different instantiations of DMC E /DMC G are known based on say XDH, DLIN, SH assumptions We will describe DMC E /GS proof with XDH thus we need to use asymmetric pairings Will not have time to describe DMC G, DLIN/SH setting proofs,...
DDH: DIFFERENT VIEW Denote G = (g 1, h), E = (E 1, E 2 ) X = (g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 1. X=(g 1, h, E 1, E 2 ) is not a DDH tuple iff {G, E} is a basis of the vector space V = G 1 2 E G E G not DDH DDH
DDH: DIFFERENT VIEW X=(g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 2. B is a DDH tuple => each vector c <G> can be written nonuniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E B is not a DDH tuple => each vector c V can be written uniquely as c 1 G + c 2 E E unique (c 1,c 2 )C=c 1 G + c 2 E G (c 1,c 2 )C c 1 G + c 2 E G ( c 1 c 2 )C=c 1 G + c 2 E E not DDH DDH
DMCE: IDEA We need to create crs 0 and crs 1 that are computationally indistinguishable under XDH Idea: let crs χ = (gk, g 1, h, E 1, E 2 ), where each vector c V can be written uniquely as c 1 G + c 2 E (g 1, h, E 1, E 2 ) is not a DDH tuple if χ = 0 indistinguishable under XDH assumption (g 1, h, E 1, E 2 ) is a DDH tuple if χ = 1 each vector c <G> can be written non-uniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E
DMC FOR EXPONENTS 1. // χ = hiding mode? 1 : 0 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, (m, r) crs χ c = Com (m; r) me + rg χ = 0: (g 1, h, E 1, E 2 ) is not a DDH tuple. χ = 1: (g 1, h, E 1, E 2 ) is a DDH tuple. crs 0 crs 1 due to XDH assumption. crs χ crs χ c Store c Open: (m, r) Note: Com (1; 0) = E
PERFECT BINDING WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Com (m; r) = me + rg = [(my + r, m + (my + r)x)] 1 = Elgamal (m; my + r) // r is random Thus perfectly binding and computationally hiding
PERFECT HIDING WITH CRS 1 crs 0 = (gk, G = [(1, x)]₁, E yg Com (m; r) = me + rg = (my + r)g random element of <G> Perfectly hiding since r is random Since crs 0 crs 1, and DMCE[crs 0 ] is perfectly binding => this version is computationally binding under XDH
TRAPDOOR WITH CRS 1 crs 1 = ( gk, G = [(1, x)] 1, E yg) Com (m; r) = me + rg = (my + r)g Set td y Given td and m*, compute r* such that my + r = m*y + r* Com (m*; r*) = (m*y + r*)g = (my + r)g = Com (m; r) Clearly trapdoor
DMCE SECURITY: THEOREM Theorem. Assume XDH holds. DMC E is either perfectly binding and computationally hiding (if crs 0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs 1 is used). Proof. Given on previous pages.
FIRST GROTH-SAHAI PROOF Goal: Given Z i = Com (z i ; r i ) G 1 2 and A i, T G 2 Z i, A i, T are public Construct NIZK proof that z i A i = T Denote (A, B) C := (A C, B C) Bilinear operation! The first argument of is a commitment G 1 2
FIRST GROTH-SAHAI PROOF Goal: given Z i = Com(z i ; r i ), A i, T, prove that z i A i = 1 T (*) The basic idea is always similar Use commitments instead of messages, and additions/bilinear operations in different algebraic domain show that if randomness is zero then (Com (z i ; 0) A i ) = Com (1; 0) T Both and are bilinear operations For any randomness: to prove (*), derive π G 2 from (Com (z i ; r i ) A i ) = Com (1; 0) T + (, ) π order important: asymmetric pairings π compensates for added randomness
VERIFICATION WITHOUT PRIVACY First, consider the case without privacy Z i = Com(z i ; 0) = z i E + 0G (Com(z i ; 0) A i ) = (z i E A i ) Com (1; 0) = E = E ( z i A i ) = E T Thus (Com (z i ; 0) A i ) = Com (1; 0) T
GENERAL CASE WITH RANDOMNESS Recall: crs χ = (gk, G [(1, x)] 1, E yg + [(0, 1 - χ)] 1 Z i = Com(z i ; r i ) = z i E + r i G (Z i A i ) = ((z i E + r i G) Aᵢ) = E ( z i A i ) + G ( r i A i ) = T =: π
GS PROOF OF Z I A I = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ crs χ crs χ, ({A i, Z i }, T), ({z i, r i }) crs χ, ({A i, Z i }, T) π r i A i G 2 π Accept if (Z i A i ) = E T + G π
SOUNDNESS WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Assume Z i = Com (z i ; r i ) = z i E + r i G for some z i Component-wise verification: ((z i E 1 + r i g 1 ) A i ) = E 1 T + g 1 π (Z i A i ) = E T + G π ((z i E 2 + r i h ) A i ) = E 2 T + h π (( z i g 1 + 0) A i ) = g 1 T + 0 x Second - x first Thus g 1 z i A i = g 1 T Thus z i A i = T, as needed
ZERO KNOWLEDGE WITH CRS 1 crs 1 = (gk, G = [(1, x)]₁, E yg Trapdoor com.: Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com (z i *; r i *) for z i * = 0 and some r i * Basic idea: the simulator creates a GS proof that z i *A i - t*t = 0, where t* is an opening of comm. E Since prover has z i * = z i, t* = 1, the prover must be honest Simulator, knowing y, can take z i * = t* = 0
ZERO KNOWLEDGE crs 1 = (gk, G = [(1, x)]₁, E yg Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com(0; r i *) = r i *G Simulator creates π* r i *A i - yt // GS proof for 0A i - 0T = 0 Verification succeeds: G π* = G ( r i *A i - yt) = (r i *G A i ) - yg T = (Z i A i ) - E T
SIMULATING PROOF OF ZᵢAᵢ = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, td crs χ crs χ, td, ({A i, Z i }, T), {z i, r i } crs χ, ({A i, Z i }, T) π* r i *A i - yt G 2 π* Accept if (Z i A i ) = E T + G π*
FIRST GS PROOF DONE We saw how to do one concrete GS proof Details are somewhat scary but the proof is very efficient Prover: n exponentiations Verifier: 2n + 4 pairings We used additive notation, so ag isexponentiation CRS: 4 group elements Proof length: 1 group element
SOME OTHER POSSIBLE SETTINGS FOR GS Prove you have committed to X i, Y i, s.t. i (A i Y i ) + i j a ij (X i Y j ) = T or to X i, y i s.t. y i A i + b j X j + i j y i c ij X j = T where all other values are publicly known
COMPARISON WITH Σ-PROTOCOLS Good: non-interactive, arguably easier to understand (?) suits well other pairing-based protocols Bad: often less efficient requires specific algebraic structure pairings, while Σ-protocols work in many settings E.g., Groth-Sahai does not work with Paillier
WHY RELEVANT Pairing-based primitives are "algebraic" Example. Boneh-Boyen signature of m with sk A s [1 / (m + sk A )] 1 Verification: accept if s ([m] 2 + [sk A ] 2 ) = [1] T In some protocols, cannot reveal s before the end of the protocol, but need to prove you know s Need GS proof: S = Com (s; r) pk = [sk A ] 2 s ([m] 2 [sk A ] 2 ) = [1] T
GS PROOF FOR CIRCUITS Recall: to show that circuit is correctly computed, one needs a ZK proof that the committed value is Boolean ZK proof that c = Com (mg; r) and m {0, 1}: Include signatures of 0 and 1 (but nothing else) to the CRS Create a randomized commitment c sign of Sign (mg) Construct GS proof that c sign commits to a signature of mg Need structure-preserving signatures"
STUDY OUTCOMES Efficient NIZK from pairings Dual-mode commitment Groth-Sahai proofs Idea One example
THIS WAS THE LAST LECTURE This was the last lecture
STUDY OUTCOMES OF THE COURSE Goal of cryptographic protocols: security against malicious adversary security = correctness + privacy General design principles
STUDY OUTCOMES (CONT.) Most general principle: design passively secure protocol achieve active security by employing ZK proofs (In the case MPC, one uses different techniques)
STUDY OUTCOMES: PASSIVE SECURITY Employing homomorphic cryptography Elgamal, Paillier Recursion (BDD,...) Better comp. efficiency by allowing many rounds Glimpse to multi-party computation Glimpse to garbled circuits Pairing-based cryptography
STUDY OUTCOMES: ACTIVE SECURITY Σ-protocols Basic protocols, composition Getting full 4-round ZK from Σ-protocols Pairing-based NIZK protocols Groth-Sahai
FURTHER DIRECTIONS Different basic techniques for passive security: lattice-based cryptography, much more garbled circuits, much more multi-party computation, much more pairings... for active security: cut-and-choose, ZK based on other algebraic techniques Many insanely clever ideas to improve efficiency Other aspects: verification,... Concrete applications: e-voting, auctions, e-cash,...
THIS COURSE IN FIVE YEARS More emphasis on quantum-safe protocols Lattice-based crypto Fancy applications like fully homomorphic crypto More on information-theoretic crypto // also quantum-safe MPC Need many more hours :) No course in 2017, in 2018 will have 32 lectures