CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 16
Groth-Sahai proofs
Helger Lipmaa, University of Tartu
UP TO NOW
Introduction to the field
Secure computation protocols
Interactive zero knowledge from Σ-protocols
Pairing-based cryptography
THIS TIME
Pairing-based ZK in the CRS model
Simple examples
An example of Groth-Sahai proofs:
efficient NIZK proofs for algebraic relations
ADDITIVE NOTATION
Additive notation for group op-s / pairings
We denote group elements in bold
Group operation: g + h (instead of gh)
Exponentiation: a · g (instead of ga)
We still denote the inverse of this by log: log_g (a · g) = a
Pairing: see the next slide
Makes it easier to read, since we have many things in exponents; plus it will make sense from the algebraic viewpoint, although it is probably confusing :(
REMINDER: PAIRINGS
Pairing: function ê: G1 × G2 → G' that satisfies
Bilinearity: ê (ag₁, bg₂) = ab · ê (g1, g2)
Non-degenerate: ê (ag1, bg2) ≠ 0 if a, b ≠ 0 and g1, g2 ≠ 0 (0 is the identity of G' in additive notation)
Efficiently computable
Setup (1κ) returns (p, G1, G2, G', ê)
all three groups have order p; the pairing is symmetric if G1 = G2 =: G, otherwise asymmetric
Basic fact of pairings: ê (ag1, bg2) = ê (cg1, dg2) <=> ab = cd (mod p), since ê (g1, g2) generates G' of prime order p
COMPONENT-WISE NOTATION
We also use a lot of component-wise notation
a(g, h) = (ag, ah)
(a, b)g = (ag, bg) // symmetric pairings
ê ((A, B), (C, D)) = (ê (A, C), ê (B, D))
GROTH-SAHAI PROOFS
Let Com be some well-defined commitment scheme
Goal (general): Given Ai = Com (ai), verify that various algebraic equations hold between ai
ai can be either group element (ai) or exponent
Example goal:
for Ai = Com(ai), Bi = Com(bi), it holds that C = Com (Σbiai)
GROTH-SAHAI PROOFS
Only hardness assumption:
The commitment scheme is secure
Several instantiations known (XDH, DLIN, ...)
Variant 0: Com is perfectly binding/comp. hiding
Perfectly sound/computationally NIZK
Variant 1: Com is comp. binding/perfectly hiding
Computationally sound/perfectly NIZK
DUAL-MODE COMMITMENTS
Use Com with CRS from one of two different distributions
crs0 ("binding") or crs1 ("hiding")
The only difference is in the CRS. The rest of Com is the same in both cases
Prove: crs0 and crs1 are indistinguishable
Prove: Com[crs0] is perfectly binding
Prove: Com[crs1] is perfectly hiding and trapdoor
Corollary. Com[crs0] is computationally hiding
Corollary. Com[crs1] is computationally binding
GS PROOFS: IDEA
Use Com with CRS from one of two different distributions
crs0 ("binding") or crs1 ("hiding")
crs0 and crs1 are indistinguishable
GS proofs with Com[crs0] are perfectly sound
GS proofs with Com[crs0] are computationally zero-knowledge
GS proofs with Com[crs1] are computationally sound
GS proofs with Com[crs1] are perfectly zero-knowledge
DMC: TECHNICALITIES
We need two separate commitment schemes:
DMCG, to commit to group elements and
DMCE, to commit to exponents
DMCG and DMCE have to play well together
Due to this and DMC requirements, DMCG/DMCE are somewhat complicated
DIFFERENT INSTANTIATIONS
Different instantiations of DMCE/DMCG are known
based on say XDH, DLIN, SH assumptions
We will describe DMCE/GS proof with XDH
thus we need to use asymmetric pairings
Will not have time to describe DMCG, DLIN/SH setting proofs, ...
DMCE: IDEA
We need to create crs0 and crs1 that are computationally indistinguishable under XDH
Idea: let crsχ = (gk, g1, h, E1, E2), where
(g1, h, E2, E1) is not a DDH tuple if χ = 0
(g1, h, E2, E1) is a DDH tuple if χ = 1
The two cases are indistinguishable under the XDH assumption (DDH is hard in G1)
Commit: (crsχ, (m, r)) ↦ c; open: reveal (m, r), the receiver recomputes c from crsχ
DUAL-MODE COMMITMENT FOR EXPONENTS
CRS generation:
1. // χ = hiding mode ? 1 : 0
2. gk ← Setup (1κ)
3. g1 ← G1, x, y ← ℤp
4. h ← xg1
5. E1 ← (1 - χ)g1 + yh, E2 ← yg1
6. crsχ ← (gk, g1, h, E1, E2)
Commit (crsχ, m; r): c ← m (E1, E2) + r (h, g1); the committer keeps (m, r), the receiver stores c
Open: reveal (m, r); the receiver recomputes c from crsχ and compares
χ = 0: (g1, h, E2, E1) is not a DDH tuple.
χ = 1: (g1, h, E2, E1) is a DDH tuple.
crs0 ≈ crs1 due to XDH assumption.
PERFECT BINDING WITH CRS0
crs0 = (gk, g1, h = xg1, E1 ← g1 + yh, E2 ← yg1)
Com (m; r) = m (E1, E2) + r (h, g1)
= (mg1 + (my + r)h, (my + r)g1)
= Elgamal (m; my + r) // lifted Elgamal under pk h; the randomness my + r is uniform since r is
Thus perfectly binding and computationally hiding (hiding under DDH in G1, i.e. XDH)
PERFECT HIDING WITH CRS1
crs1 = (gk, g1, h = xg1, E₁ ← 0g1 + yh, E2 ← yg1)
Com (m; r) = m (E₁, E2) + r(h, g1)
= (my + r)(h, g1): a uniformly random multiple of (h, g1), independent of m // (g1, h, (my + r)g1, (my + r)h) is a random DDH tuple
Perfectly hiding since r is random
Since crs0 ≈ crs1, and DMCE[crs0] is perfectly binding => this version is computationally binding under XDH
TRAPDOOR WITH CRS1
crs1 = (gk, g1, h = xg1, E₁ ← yh, E2 ← yg1)
Com (m; r) = m (E₁, E2) + r(h, g1) = (my + r)(h, g1)
Set td ← y
Given m*, compute r* ← r + (m - m*)y, so that my + r = m*y + r*
Com (m*; r*) = (m*y + r*) (h, g1)
= (my + r) (h, g1) = Com (m; r)
Clearly trapdoor: whoever knows y can open any commitment to any m*
DMCE SECURITY: THEOREM
Theorem. Assume XDH holds. DMCE is either perfectly binding and computationally hiding (if crs0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs1 is used).
Proof. Given on previous pages.
FIRST GROTH-SAHAI PROOF
Goal:
Given Zi = Com (zi; ri) ∈ G1² and Ai, T ∈ G2
Construct NIZK proof that ∑ ziAi = T
Denote (A, B) ● C := (ê (A, C), ê (B, C))
The first argument of ● is a commitment ∈ G1², the second an element of G2
FIRST GROTH-SAHAI PROOF
Goal: prove that ∑ zi · Ai = 1 · T, given Zi = Com(zi; ri), Ai, T
The basic idea is always similar
show that if randomness is zero then
∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T
For any randomness: to prove ∑ziAi = T, derive π ∈ G2 from
∑ (Com (zi; ri) ● Ai) = Com (1; 0) ● T + (…) ● π
π compensates for the added randomness
order important: asymmetric pairings (commitments live in G1², while Ai, T, π live in G2)
Both · and ● are bilinear operations
Use commitments instead of messages, and additions/bilinear operations in different algebraic domain
VERIFICATION WITHOUT PRIVACY
First, consider the case without privacy
Zi = Com(zi; 0) = zi (E1, E2) + 0 (h, g1)
∑ (Com(zi; 0) ● Ai) = ∑ (zi (E1, E2) ● Ai)
= (E1, E2) ● (∑ zi Ai) = (E1, E2) ● T
Com (1; 0) = (E1, E2)
Thus ∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T
ALGEBRAIC VIEWPOINT
(diagram) Message domain: zi · Ai with · : ℤp × G2 → G2 and + in G2; the statement is ∑ zi · Ai = 1 · T
(diagram) Commitment domain: Zi ● Ai with ● : G1² × G2 → G'² and + in G'²; the check is ∑ (Zi ● Ai) = Com (1; 0) ● T
With zero randomness, ∑ (Zi ● Ai) = (E1, E2) ● (∑ zi Ai) and Com (1; 0) ● T = (E1, E2) ● T, so the check passes if and only if ∑ zi Ai = T
Both · and ● are bilinear operations
GENERAL CASE WITH RANDOMNESS
∑ (Zi ● Ai) = ∑ ((zi (E1, E2) + ri (h, g1)) ● Aᵢ)
= (E1, E2) ● (∑ ziAi) + (h, g1) ● (∑ riAi)
= (E1, E2) ● T + (h, g1) ● π, where ∑ ziAi = T and π := ∑ riAi
Recall:
crsχ = (gk, g1, h ← xg1, E1 ← (1 - χ)g1 + yh, E2 ← yg1)
Zi = Com(zi; ri) = zi (E1, E2) + ri (h, g1)
Prover input: crsχ, statement ({Ai, Zi}, T), witness ({zi, ri}); sends π
Verifier input: crsχ, ({Ai, Zi}, T)
GS PROOF OF ∑ ZIAI = T
CRS generation (as before):
1. // χ = [hiding mode]
2. gk ← Setup (1κ)
3. g1 ← G1, x, y ← ℤp
4. h ← xg1
5. E1 ← (1 - χ)g1 + yh, E2 ← yg1
6. crsχ ← (gk, g1, h, E1, E2)
Prover: π ← ∑ riAi ∈ G2
Verifier: accept if ∑ (Zi ● Ai) = (E1, E2) ● T + (h, g1) ● π
SOUNDNESS WITH CRS0
crs0 = (gk, g1, h ← xg1, E1 ← g1 + yh, E2 ← yg1)
Since Com[crs0] is perfectly binding, each Zi = Com(zi; ri) = zi (E₁, E₂) + ri (h, g1) for a unique zi
Suppose the verifier accepts: ∑ (Zi ● Ai) = (E1, E2) ● T + (h, g1) ● π
Component-wise verification:
(first) ∑ ê (zi E1 + ri h, Ai) = ê (E1, T) + ê (h , π)
(second) ∑ ê (zi E2 + ri g1, Ai) = ê (E2, T) + ê (g1, π)
first - x · second, using E1 - xE2 = g1 and h - xg1 = 0:
∑ ê (zi g1 + 0, Ai) = ê (g1, T) + 0
Thus ê (g1, ∑zi Ai) = ê (g1, T), and by non-degeneracy ∑zi Ai = T, as needed
(x appears only in the argument; the verifier never needs it)
ZERO KNOWLEDGE WITH CRS1
Consider crs1 = (gk, g1, h ← xg1, E1 ← yh, E2 ← yg1)
Trapdoor com.: (E1, E2) = y (h, g1) = Com (0; y) = Com (1; 0)
Simulator writes Zi = Com (zi*; ri*) for zi* = 0 and some ri*
Basic idea: the simulator creates a GS proof that ∑zi*Ai - t*T = 0, where t* is an opening of (E1, E2)
The honest prover uses zi* = zi and t* = 1 (the opening (E1, E2) = Com (1; 0)), so it must know a real witness
The simulator, knowing y, can take zi* = t* = 0 (the openings Zi = Com (0; ri*) and (E1, E2) = Com (0; y))
ZERO KNOWLEDGE
Consider crs1 = (gk, g1, h ← xg1, E1 ← yh, E2 ← yg1)
(E1, E2) = y (h, g1) = Com (0; y) = Com (1; 0)
Simulator writes Zi = Com(0; ri*) = ri* (h, g1)
// given Zi = Com(zi; ri) = (zi y + ri)(h, g1) this means ri* = zi y + ri; a simulator that creates the Zi itself just picks ri* at random
Simulator creates π* ← ∑ri*Ai - yT // GS proof for ∑0·Ai - 0·T = 0
Verification succeeds:
(h, g1) ● π* = (h, g1) ● (∑ri*Ai - yT)
= ∑ (ri* (h, g1) ● Ai) - y (h, g1) ● T
= ∑ (Zi ● Ai) - (E1, E2) ● T
Simulator input: crsχ, td, ({Ai, Zi}, T), {zi, ri}; sends π*
Verifier input: crsχ, ({Ai, Zi}, T)
SIMULATING PROOF OF ∑ ZᵢAᵢ = T
CRS generation (as before):
1. // χ = [hiding mode]
2. gk ← Setup (1κ)
3. g1 ← G1, x, y ← ℤp
4. h ← xg1
5. E1 ← (1 - χ)g1 + yh, E2 ← yg1
6. crsχ ← (gk, g1, h, E1, E2)
Simulator (given td = y): π* ← ∑ ri*Ai - yT ∈ G2
Verifier: accept if ∑ (Zi ● Ai) = (E1, E2) ● T + (h, g1) ● π*
FIRST GS PROOF DONE
We saw how to do one concrete GS proof
Details are somewhat scary
but the proof is very efficient
Prover: n exponentiations
Verifier: 2n + 4 pairings ê
Proof length: 1 group element
We used additive notation, so ag is what was called exponentiation earlier
SOME OTHER POSSIBLE SETTINGS FOR GS
Prove you have committed to Xi, Yi, s.t.
∑ ê (Ai, Yi) + ∑i ∑j aij ê (Xi, Yj) = T
or to Xi, yi s.t.
∑ yi Ai + ∑ bj Xj + ∑i∑j yicijXj = T
where all other values are publicly known
COMPARISON WITH Σ-PROTOCOLS
Good:
non-interactive, arguably easier to understand (?)
suits well other pairing-based protocols
Bad:
often less efficient
requires specific algebraic structure (pairings), while Σ-protocols work in many settings
E.g., Groth-Sahai does not work with Paillier
WHY RELEVANT
Pairing-based primitives are "algebraic"
Example. Short signature of m with sk x: s = xm
In some protocols, cannot reveal signature before the end of the protocol, but you need to prove you know the signature
Need GS proof: S = Com (s) ∧ pk = xg1 ∧ s = xm
GS PROOF FOR CIRCUITS
Recall that to show that circuit is correctly computed, one only needs a ZK proof that the committed value is Boolean
ZK proof that c = Com (mg; r) and m ∈ {0, 1}:
Include signatures of 0 and 1 (but nothing else) in the CRS
Create a randomized commitment csign of Sign (mg)
Construct GS proof that csign commits to a signature of mg
SUBLINEAR NIZK
Recent works have made pairing-based NIZK very efficient
Drawback: use of very strong non-standard assumptions
Knowledge assumption (example): given (g1, h), it is impossible to compute (yg1, yh) without knowing y
Such assumptions are known to be "non-falsifiable"
and many researchers do not like them...
but random oracles do not exist either; compared to them, knowledge assumptions are arguably better
QAP-BASED SUBLINEAR NIZK
[Gennaro, Gentry, ..., 2013], and follow-up work:
computationally sound NIZK to verify correct computation of an arbitrary n-gate arithmetic circuit
prover computation: O (n log n) exponentiations
proof length: < 10 group elements // independent of n
verifier computation: O (|input length|)
STUDY OUTCOMES
Efficient NIZK from pairings
Basic ideas - product proofs
Groth-Sahai proofs
THIS WAS LAST LECTURE
This was the last lecture
STUDY OUTCOMES OF THE COURSE
Goal of cryptographic protocols:
security against malicious adversary
security = correctness + privacy
General design principles
STUDY OUTCOMES (CONT.)
Most general principle:
design passively secure protocol
achieve active security by employing ZK proofs
STUDY OUTCOMES: PASSIVE SECURITY
Employing homomorphic cryptography
Elgamal, Paillier
Recursion (BDD, ...)
Better comp. efficiency by allowing many rounds
Glimpse to multi-party computation
Glimpse to garbled circuits
STUDY OUTCOMES: ACTIVE SECURITY
Σ-protocols
Basic protocols, composition
Getting full 4-round ZK from Σ-protocols
Pairing-based NIZK protocols
Groth-Sahai + some other examples
FURTHER DIRECTIONS
Different basic techniques for passive security:
lattice-based cryptography, garbled circuits, multi-party computation
... for active security:
cut-and-choose, ZK based on other algebraic techniques
Many insanely clever ideas to improve efficiency
Other aspects: verification, ...
Concrete applications: e-voting, auctions, e-cash, ...
THIS COURSE IN FIVE YEARS
More emphasis on quantum-safe protocols
Lattice-based crypto
Fancy applications like fully homomorphic crypto
More on information-theoretic crypto // also quantum-safe
MPC
Need many more hours :)