Posted: 28-Mar-2015
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Jens Groth, University of California Los Angeles
Presenter: Eike Kiltz, CWI
Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures
Bilinear groups
$G, G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
ElGamal encryption fails
Public key: $g, h$
Encrypt message $m$:
$(u, v) = (g^r, h^r m)$
Not semantically secure: with only the public key one can, for instance, tell whether ciphertext $(u, v)$ contains $1$, because
$e(u, h) = e(g^r, h) = e(g, h)^r = e(g, h^r)$
$e(g, v) = e(g, h^r m)$
and the two pairings agree exactly when $m = 1$.
BBS encryption [BBS04]
Public key: $f, h, g$
Secret key: $x, y$ so that $f = g^x$, $h = g^y$
Encrypt message $m$:
$(u, v, w) = (f^r, h^s, g^{r+s} m)$
Decrypt $(u, v, w)$:
$m = w \cdot u^{-1/x} \cdot v^{-1/y}$
Security assumption
Decisional linear assumption [BBS04]:
$f, h, g, f^r, h^s, g^t$
Hard to distinguish tuples with $t = r + s$ from tuples with $t$ random
Generalization of DDH (the case $s = 0$)
Example: verifiable encryption
Public key: $f, h, g$
Encryption of message $m$:
$(u, v, w) = (f^r, h^s, g^{r+s} m)$
Statement "$m$ is the plaintext of $(u, v, w)$":
$e(u, h) = e(f, x)$
$e(w m^{-1}, h) = e(g, x v)$
Witness for satisfiability: $x = h^r$
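The three slides above (the ElGamal check, BBS encryption and the verifiable-encryption equations) worked through in code. This is an added example, not code from the talk or from Groth's paper: it models the symmetric bilinear group in a deliberately insecure "exponent representation", where every element of $G$ is stored as its discrete log base $g$ modulo a constructed small prime and every element of $G_T$ as its discrete log base $e(g, g)$, so the group operation is addition, $e$ is multiplication of exponents and the identity $1$ is exponent $0$. The discrete log is visible, so this is only a calculator for checking that the identities on the slides hold (BBS decryption, the public ElGamal check, and the two equations with witness $x = h^r$). All function names, the prime `P` and the sample messages are assumptions of this example.

```python
"""Toy symmetric bilinear group in 'exponent representation' (constructed example,
not code from the talk or paper).  An element of G is stored as its discrete log
base g modulo P and an element of G_T as its discrete log base e(g, g), so the
group operation is addition, exponentiation is multiplication, the identity 1
is exponent 0, and e(g^a, g^b) = e(g, g)^{ab} is a single multiplication.
The discrete log is visible, so this has no security at all; it is only a
calculator for checking the identities on the slides."""
import secrets

P = 1000003  # constructed small prime standing in for the group order p
G = 1        # the generator g, as exponent 1


def mul(a, b):
    """Group operation in G (multiply elements = add exponents)."""
    return (a + b) % P


def exp(a, k):
    """a^k in G; k may be negative."""
    return (a * k) % P


def inv(a):
    """a^{-1} in G."""
    return (-a) % P


def pair(a, b):
    """Bilinear map e(g^a, g^b) = e(g, g)^{ab}."""
    return (a * b) % P


def rand_exp():
    """Uniform nonzero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1


# --- ElGamal in a bilinear group: the slide's public check on (u, v) ---
def elgamal_keygen():
    y = rand_exp()
    return (G, exp(G, y)), y                        # pk = (g, h = g^y), sk = y


def elgamal_encrypt(pk, m):
    g, h = pk
    r = rand_exp()
    return exp(g, r), mul(exp(h, r), m)             # (u, v) = (g^r, h^r m)


def elgamal_encrypts_one(pk, ct):
    """e(u, h) = e(g, h)^r = e(g, h^r) equals e(g, v) = e(g, h^r m) exactly when
    m = 1, so the public key alone reveals whether the plaintext is 1."""
    g, h = pk
    u, v = ct
    return pair(u, h) == pair(g, v)


# --- BBS (linear) encryption [BBS04] ---
def bbs_keygen():
    x, y = rand_exp(), rand_exp()
    return (exp(G, x), exp(G, y), G), (x, y)        # pk = (f, h, g), sk = (x, y)


def bbs_encrypt(pk, m):
    """Returns the ciphertext and the randomness (r, s); the encryptor keeps
    r to build the verifiable-encryption witness x = h^r."""
    f, h, g = pk
    r, s = rand_exp(), rand_exp()
    return (exp(f, r), exp(h, s), mul(exp(g, r + s), m)), (r, s)


def bbs_decrypt(sk, ct):
    """m = w * u^{-1/x} * v^{-1/y}; 1/x is the inverse of x mod p since |G| = p."""
    x, y = sk
    u, v, w = ct
    return mul(w, mul(exp(u, -pow(x, -1, P)), exp(v, -pow(y, -1, P))))


# --- verifiable encryption: the two pairing product equations of the slide ---
def witness(pk, r):
    """Prover's witness x = h^r."""
    return exp(pk[1], r)


def verify_plaintext(pk, ct, m, x):
    """Checks e(u, h) = e(f, x) and e(w m^{-1}, h) = e(g, x v) using only public
    values and the claimed witness x; both hold for x = h^r iff m is the plaintext."""
    f, h, g = pk
    u, v, w = ct
    return pair(u, h) == pair(f, x) and pair(mul(w, inv(m)), h) == pair(g, mul(x, v))


if __name__ == "__main__":
    pk, sk = bbs_keygen()
    ct, (r, _) = bbs_encrypt(pk, 12345)             # message g^12345
    print("decrypts correctly:", bbs_decrypt(sk, ct) == 12345)
    print("plaintext proof checks:", verify_plaintext(pk, ct, 12345, witness(pk, r)))
```

Messages are group elements, so they are passed as exponents too: the message $1$ of the ElGamal slide is exponent `0`. The decryption exponent `-pow(x, -1, P)` is the $-1/x$ of the slide, which exists because the group order is prime.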
Pairing product equations
Equation over variables $x_1, \ldots, x_n$:
$\prod_{k=1}^{l} e\Big(a_k \prod_{i} x_i^{e_{ki}},\; b_k \prod_{i} x_i^{f_{ki}}\Big) = 1$
for constants $a_k, b_k \in G$ and $e_{ki}, f_{ki} \in \mathbb{Z}_p$
Length of the pairing product equation: $l$ (the number of pairings, $k = 1, \ldots, l$)
Earlier example, equation over $x$: $e(u, h) = e(f, x) \;\leftrightarrow\; e(u x^0, h x^0)\, e(f x^0, x^{-1}) = 1$
Satisfiability of pairing product equations
Given a set of pairing product equations
$S = \{eq_1, \ldots, eq_m\}$
over variables $x_1, \ldots, x_n$
Satisfiability of pairing product equations:
Does there exist a choice of $x_1, \ldots, x_n \in G$ so that all $m$ equations are satisfied?
Satisfiability of pairing product equations
• Relations between group elements
• Direct expression, no reduction to Circuit SAT!
• At the same time very general: from $S_1, \ldots, S_L$ one can construct
$S_{AND}$: all $S_i$ simultaneously satisfiable
$S_{OR}$: there exists an $S_i$ that is satisfiable
• NP-complete
NIZK Proofs
Common reference string: crs
Statement: $S$ satisfiable (an NP-language)
Witness: $x_1, \ldots, x_n$
Prover → Verifier: proof
Soundness: valid proof → $S$ satisfiable
Zero-knowledge: $S$ satisfiable, but I learned nothing else
NIZK proof for satisfiability of pairing product equations
Perfect completeness, perfect soundness and computational zero-knowledge
Common reference string: 6 group elements
NIZK proof for set $S = \{eq_1, \ldots, eq_m\}$ with total length $L = l_1 + \cdots + l_m$ over variables $x_1, \ldots, x_n$: $4n + 228L - 3m$ group elements
In other words: $O(1)$ size crs, $O(n + L)$ size proofs
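The general form of a pairing product equation, the $S_{AND}$ composition and the proof-size count from the slide above, as an added example that is not the paper's code. It uses the same toy exponent representation as before (an element of $G$ is its discrete log base $g$ modulo a constructed small prime, so $e$ is multiplication of exponents and the identity $1$ is exponent $0$): an equation is a list of $l$ terms $(a_k, b_k, e_k, f_k)$ with $e_k, f_k$ the exponent vectors over $x_1, \ldots, x_n$, and the verifiable-encryption statement from the earlier slide is rewritten into that normalized form and checked with constructed numbers. Function names, the prime `P` and all sample values are assumptions of this example.

```python
"""General pairing product equations (PPEs) in a toy exponent representation:
an element of G is its discrete log base g mod P, so e(g^a, g^b) is a*b mod P
and the identity 1 is exponent 0.  Constructed example, not the paper's code;
it has no security, it is only an equation checker."""

P = 1000003  # constructed small prime standing in for the group order p


def pair(a, b):
    """e(g^a, g^b) = e(g, g)^{ab}, written as an exponent of e(g, g)."""
    return (a * b) % P


def monomial(const, exps, assignment):
    """const * prod_i x_i^{exps[i]}  ->  exponent  const + sum_i exps[i] * x_i."""
    return (const + sum(e * x for e, x in zip(exps, assignment))) % P


def ppe_holds(equation, assignment):
    """An equation is a list of l terms (a_k, b_k, e_k, f_k) standing for
    prod_k e(a_k prod_i x_i^{e_ki}, b_k prod_i x_i^{f_ki}) = 1.
    In exponent form the product of pairings is 1_{G_T} iff the exponent sum is 0."""
    total = 0
    for a_k, b_k, e_k, f_k in equation:
        total += pair(monomial(a_k, e_k, assignment), monomial(b_k, f_k, assignment))
    return total % P == 0


def length(equation):
    """The slides' l: number of pairings in the equation."""
    return len(equation)


def set_satisfied(S, assignment):
    """S_AND: every equation in S holds under one common assignment of x_1..x_n."""
    return all(ppe_holds(eq, assignment) for eq in S)


def total_length(S):
    """L = l_1 + ... + l_m for S = {eq_1, ..., eq_m}."""
    return sum(length(eq) for eq in S)


def proof_size(n, L, m):
    """Group elements in the NIZK proof according to the slide: 4n + 228L - 3m."""
    return 4 * n + 228 * L - 3 * m


def verifiable_encryption_ppes(f, h, g, u, v, w, m):
    """The earlier statement 'm is the plaintext of (u, v, w)' as two PPEs over
    the single variable x (so n = 1), in the normalized form of the slides:
      e(u, h) = e(f, x)           <->  e(u x^0, h x^0) * e(f x^0, 1 x^{-1}) = 1
      e(w m^{-1}, h) = e(g, x v)  <->  e((w/m) x^0, h x^0) * e(g^{-1} x^0, v x^1) = 1
    In exponent form w/m is w - m, g^{-1} is -g and the identity 1 is 0."""
    eq1 = [(u, h, [0], [0]), (f, 0, [0], [-1])]
    eq2 = [((w - m) % P, h, [0], [0]), ((-g) % P, v, [0], [1])]
    return [eq1, eq2]


def demo():
    """Constructed instance: g = exponent 1, f = g^17, h = g^23, r = 5, s = 9,
    message m = g^100.  Ciphertext (u, v, w) = (f^r, h^s, g^{r+s} m), witness x = h^r.
    Returns (witness accepted, wrong witness rejected, proof size in group elements)."""
    g, f, h, r, s, m = 1, 17, 23, 5, 9, 100
    u, v, w = f * r, h * s, (r + s) + m          # 85, 207, 114 as exponents
    S = verifiable_encryption_ppes(f, h, g, u, v, w, m)
    good = set_satisfied(S, [h * r])             # x = h^r satisfies both equations
    bad = set_satisfied(S, [h * r + 1])          # any other x fails
    return good, bad, proof_size(1, total_length(S), len(S))


if __name__ == "__main__":
    print(demo())
```

For this instance $n = 1$, $m = 2$ and $L = 4$, so the slide's count gives $4 \cdot 1 + 228 \cdot 4 - 3 \cdot 2 = 910$ group elements for the proof; `demo()` returns that together with the two satisfiability checks.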
Main technical contribution
NIZK proof for a practical language:
Satisfiability of pairing product equations
Consequences:
Efficient simulation-extractable NIZK proofs
Group signatures with constant number of group elements
Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures
Zero-knowledge
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$
Figure (simulator on the left, adversary on the right): $S_1(1^k)$ outputs the "common reference string" crs and a simulation key $sk$; the adversary sends a set of PPEs $S$ together with a witness $x_1, \ldots, x_n$; $S_2(\text{crs}, sk, S)$ returns a proof $\pi$; the adversary outputs 0/1.
Simulation-soundness
Simulation-soundness: $\Pr[A \to (S, \pi) \text{ such that } \pi \text{ is a valid proof}, (S, \pi) \notin Q, S \text{ unsatisfiable}] \approx 0$, where $Q$ is the set of (statement, proof) pairs returned by the simulator
Figure (simulator on the left, adversary on the right): $S_1(1^k)$ outputs the "common reference string" crs and $sk$; the adversary sends a set of PPEs $S$; $S_2(\text{crs}, sk, S)$ returns a proof $\pi$; finally the adversary outputs $(S, \pi)$.
Simulation-extractability
Simulation-extractability: $\Pr[A \to (S, \pi) \text{ such that } \pi \text{ is a valid proof}, (S, \pi) \notin Q, E_2(xk, S, \pi) \text{ is not a witness } w \text{ for } S] \approx 0$
Figure (simulator on the left, adversary on the right): $SE_1(1^k)$ outputs the "common reference string" crs, a simulation key $sk$ and an extraction key $xk$; the adversary sends a set of PPEs $S$; $S_2(\text{crs}, sk, S)$ returns a proof $\pi$; finally the adversary outputs $(S, \pi)$.
Simulation-extractable NIZK
Simulation-extractable NIZK proof for satisfiability of pairing product equations
CRS: $O(1)$ group elements; proofs: $O(n + L)$ group elements
Comparison for Circuit SAT: our proof size $O(|C| k)$ bits; previous: $O(|C| k + \mathrm{poly}(k))$ bits
Group signature
Figure: a group manager and the group members share the group public key $gpk$; a member produces a signature on $m$.
Anonymous
Group manager can open/trace
Group signature
Group public key: $vk_{cert}, pk_{cpa}, \text{crs}$
Group manager's join key: $sk_{cert}$
Group manager's open key: $dk_{cpa}$
Join user $i$:
User: $(vk_i, sk_i) \leftarrow$ CMA-secure signature keys
GM: $cert_i \leftarrow \mathrm{sign}_{sk_{cert}}(vk_i)$
User $i$'s public key: $vk_i, cert_i$
User $i$'s signing key: $sk_i$
Group signature
Group public key: $vk_{cert}, pk_{cpa}, \text{crs}$
Group signature by member $i$ on message $m$:
$(vk_{sots}, sk_{sots}) \leftarrow$ strong one-time signature keys
$c \leftarrow E_{pk_{cpa}}(vk_i, cert_i, \mathrm{sign}_{sk_i}(vk_{sots}))$
$\pi \leftarrow$ simulation-extractable NIZK proof for "$c$ contains a certified $vk_i$ and a signature on $vk_{sots}$"
$sig \leftarrow \mathrm{sign}_{sk_{sots}}(m, vk_{sots}, c, \pi)$
$\mathrm{GroupSig}(m) = (vk_{sots}, c, \pi, sig)$
Group signature
Key sizes: $O(1)$ group elements
Group signature: $O(1)$ group elements (huge)
Strong security [BMW03, BSZ05]:
Dynamic group: join members
Full-anonymity: anonymous under adaptive opening attack
Full-traceability: GM can track user, no framing
Assumption: decisional linear assumption
Compare with:
BSZ05: general construction, poly-size proofs
BW06: $O(\log n)$ group elements, static group, CPA-security
ACHdM05: $O(1)$ group elements, key exposure attack, strong assumptions
Thanks
Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments
I do apologize for not being here myself today. Questions can be sent to [email protected]
Thanks a lot to Eike for presenting!