
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth...

Date post: 28-Mar-2015
Upload: noah-sutherland
Page 1: Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures

Jens Groth, University of California Los Angeles

Presenter: Eike Kiltz, CWI

Page 2: Overview

Groups with bilinear map

NIZK proofs for Pairing Product Equations

RCCA-secure encryption

Digital signatures

Simulation-extractable NIZK for PPEs

Group signatures

Page 3: Bilinear groups

$G$, $G_T$ cyclic groups of prime order $p$

$g$ generator for $G$

Bilinear map $e: G \times G \to G_T$

$e(g^a, g^b) = e(g, g)^{ab}$

$e(g, g)$ generator for $G_T$

Page 4: ElGamal encryption fails

Public key: $g, h$

Encrypt message $m$:

$(u, v) = (g^r, h^r m)$

Not semantically secure; one can, for instance, tell whether ciphertext $(u, v)$ contains 1:

$e(u, h) = e(g^r, h) = e(g, h)^r = e(g, h^r)$

$e(g, v) = e(g, h^r m)$

so $e(u, h) = e(g, v)$ exactly when $m = 1$.

Page 5: BBS-encryption [BBS04]

Public key: $f, h, g$

Secret key: $x, y$ so $f = g^x$, $h = g^y$

Encrypt message $m$:

$(u, v, w) = (f^r, h^s, g^{r+s} m)$

Decrypt $(u, v, w)$:

$m = w\, u^{-1/x}\, v^{-1/y}$

Page 6: Security assumption

Decisional linear assumption [BBS04]:

$f, h, g, f^r, h^s, g^t$

Hard to distinguish tuples with $t = r+s$ from tuples with $t$ random

Generalization of DDH ($s = 0$)

Page 7: Example: verifiable encryption

Public key: $f, h, g$

Encryption of message $m$:

$(u, v, w) = (f^r, h^s, g^{r+s} m)$

Statement "$m$ is plaintext of $(u, v, w)$":

$e(u, h) = e(f, x)$

$e(w m^{-1}, h) = e(g, x v)$

Witness for satisfiability: $x = h^r$
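
The pairing test on the ElGamal slide and the two verifiable-encryption equations above can be checked numerically. This is an added example, not part of the original slides: it assumes a toy model in which each element $g^a$ is stored as its exponent $a$ (insecure, but the algebra is exact), and the names `G`, `e`, `rand_exp`, `elgamal_contains_one`, `bbs_keygen`, `bbs_encrypt`, `bbs_decrypt` and `is_plaintext` are hypothetical.

```python
# Toy model (assumption, insecure): g^a in G is stored as its exponent a mod P,
# so discrete logs are visible. It only checks the algebra on the slides.
import secrets

P = 2**61 - 1  # constructed prime group order

class G:
    def __init__(self, a): self.a = a % P
    def __mul__(self, o): return G(self.a + o.a)      # group operation
    def __pow__(self, k): return G(self.a * k)        # exponentiation, k may be negative
    def __eq__(self, o): return self.a == o.a

g = G(1)

def e(x, y):
    """Pairing e(g^a, g^b) = e(g, g)^(ab), returned as the exponent ab mod P."""
    return x.a * y.a % P

def rand_exp():
    return secrets.randbelow(P - 1) + 1               # uniform in [1, P-1]

def elgamal_contains_one(h, u, v):
    """Page 4 test: e(u, h) == e(g, v) holds exactly when m = 1."""
    return e(u, h) == e(g, v)

def bbs_keygen():
    x, y = rand_exp(), rand_exp()
    return (g**x, g**y), (x, y)                       # pk = (f, h), sk = (x, y)

def bbs_encrypt(pk, m, r, s):
    f, h = pk
    return f**r, h**s, g**(r + s) * m                 # (u, v, w)

def bbs_decrypt(sk, ct):
    (x, y), (u, v, w) = sk, ct
    return w * u**(-pow(x, -1, P)) * v**(-pow(y, -1, P))   # w u^(-1/x) v^(-1/y)

def is_plaintext(pk, ct, m, wit):
    """Page 7 statement: e(u,h) = e(f,x) and e(w m^-1, h) = e(g, x v), x = wit."""
    (f, h), (u, v, w) = pk, ct
    return e(u, h) == e(f, wit) and e(w * m**-1, h) == e(g, wit * v)

if __name__ == "__main__":
    pk, sk = bbs_keygen()
    r, s, m = rand_exp(), rand_exp(), g**42           # constructed message
    ct = bbs_encrypt(pk, m, r, s)
    print(bbs_decrypt(sk, ct) == m, is_plaintext(pk, ct, m, pk[1]**r))
```

With the witness $h^r$ the statement holds for the true plaintext and fails for any other message, while the ElGamal test accepts only ciphertexts of 1.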

Page 8: Pairing product equations

Equation over variables $x_1, \ldots, x_n$

$\prod_k e\left(a_k \prod_i x_i^{e_{ki}},\ b_k \prod_i x_i^{f_{ki}}\right) = 1$

for constants $a_k, b_k \in G$, $e_{ki}, f_{ki} \in \mathbb{Z}_p$

Length of pairing product equation: $\ell$, with $k = 1, \ldots, \ell$

Earlier example, equation over $x$: $e(u, h) = e(f, x) \leftrightarrow e(u x^0, h x^0)\, e(f x^0, x^{-1}) = 1$

Page 9: Satisfiability of pairing product equations

Given a set of pairing product equations

$S = \{eq_1, \ldots, eq_m\}$

over variables $x_1, \ldots, x_n$

Satisfiability of pairing product equations:

Does there exist a choice of $x_1, \ldots, x_n \in G$ so all $m$ equations are satisfied?

Page 10: Satisfiability of pairing product equations

• Relations between group elements

• Direct expression, no reduction to Circuit SAT!

• At the same time very general: From $S_1, \ldots, S_L$ can construct

$S_{AND}$: All $S_i$ simultaneously satisfiable

$S_{OR}$: Exists $S_i$ that is satisfiable

NP-complete

Page 11: NIZK Proofs

Common reference string: crs

Statement: $S$ satisfiable (NP-language)

[Diagram labels: Prover, Verifier, Witness $x_1, \ldots, x_n$]

Soundness: valid proof → $S$ satisfiable

Zero-knowledge: $S$ satisfiable, but I learned nothing else

Page 12: NIZK proof for satisfiability of pairing product equations

Perfect completeness, perfect soundness and computational zero-knowledge

Common reference string: 6 group elements

NIZK proof for set $S = \{eq_1, \ldots, eq_m\}$ with total length $L = \ell_1 + \cdots + \ell_m$ over variables $x_1, \ldots, x_n$: $4n + 228L - 3m$ group elements

In other words: $O(1)$ size crs, $O(n+L)$ size proofs

Page 13: Main technical contribution

NIZK proof for a practical language:

Satisfiability of pairing product equations

Consequences:

Efficient simulation-extractable NIZK proofs

Group signatures with constant number of group elements

Page 14: Overview

Groups with bilinear map

NIZK proofs for Pairing Product Equations

RCCA-secure encryption

Digital signatures

Simulation-extractable NIZK for PPEs

Group signatures

Page 15: Zero-knowledge

Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$

[Diagram labels: Simulator, Adversary; $S_1(1^k)$; sk; "Common reference string"; set of PPEs $S$; witness $x_1, \ldots, x_n$; $S_2(crs, sk, S)$; proof $\pi$; output 0/1]

Page 16: Simulation-soundness

Simulation-soundness: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ S \text{ unsatisfiable}] \approx 0$

[Diagram labels: Simulator, Adversary; $S_1(1^k)$; sk; "Common reference string"; set of PPEs $S$; $S_2(crs, sk, S)$; proof $\pi$; output $(S, \pi)$]

Page 17: Simulation-extractability

Simulation-extractability: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ E_2(xk, S, \pi) \neq w] \approx 0$

[Diagram labels: Simulator, Adversary; $SE_1(1^k)$; sk, xk; "Common reference string"; set of PPEs $S$; $S_2(crs, sk, S)$; proof $\pi$; output $(S, \pi)$]

Page 18: Simulation-extractable NIZK

Simulation-extractable NIZK proof for satisfiability of pairing product equations

CRS: $O(1)$ group elements

Proofs: $O(n+L)$ group elements

Comparison for Circuit SAT:

Our proof size: $O(|C|k)$ bits

Previous: $O(|C|k + \mathrm{poly}(k))$ bits

Page 19: Group signature

gpk

Group manager

Group members

Signature on m

Anonymous

Group manager can open/trace

Page 20: Group signature

Group public key: $vk_{cert}, pk_{cpa}, crs$

Group manager's join key: $sk_{cert}$

Group manager's open key: $dk_{cpa}$

Join user $i$:

User: $(vk_i, sk_i)$ ← CMA-secure signature keys

GM: $cert_i \leftarrow sign_{sk_{cert}}(vk_i)$

User $i$'s public key: $vk_i, cert_i$

User $i$'s signing key: $sk_i$

Page 21: Group signature

Group public key: $vk_{cert}, pk_{cpa}, crs$

Group signature by member $i$ on message $m$:

$(vk_{sots}, sk_{sots})$ ← strong one-time signature keys

$c \leftarrow E_{pk_{cpa}}(vk_i, cert_i, sign_{sk_i}(vk_{sots}))$

$\pi$ ← Simulation-extractable NIZK proof for "$c$ has certified $vk_i$ and signature on $vk_{sots}$"

$sig \leftarrow sign_{sk_{sots}}(m, vk_{sots}, c, \pi)$

$GroupSig(m) = (vk_{sots}, c, \pi, sig)$

Page 22: Group signature

Key sizes: $O(1)$ group elements

Group signature: $O(1)$ group elements (huge)

Strong security: [BMW03, BSZ05]

Dynamic group: join members

Full-anonymity: anonymous under adaptive opening attack

Full-traceability: GM can track user, no framing

Assumption: decisional linear assumption

Compare with

BSZ05: general construction, poly-size proofs

BW06: $O(\log n)$ group elements, static group, CPA-security

ACHdM05: $O(1)$ group elements, key exposure attack, strong assumptions

Page 23: Thanks

Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments

I do apologize for not being here myself today. Questions can be sent to [email protected]

Thanks a lot to Eike for presenting!

