Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Jens Groth
University of California Los Angeles
Presenter: Eike Kiltz, CWI

Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures

Bilinear groups
$G$, $G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$

ElGamal encryption fails
Public key: $g$, $h$
Encrypt message $m$:
$(u, v) = (g^r, h^r m)$
Not semantically secure: one can, for instance, tell whether ciphertext $(u, v)$ contains 1:
$e(u, h) = e(g^r, h) = e(g, h)^r = e(g, h^r)$
$e(g, v) = e(g, h^r m)$
The two values are equal exactly when $m = 1$.

BBS-encryption [BBS04]
Public key: $f$, $h$, $g$
Secret key: $x$, $y$ so $f = g^x$, $h = g^y$
Encrypt message $m$:
$(u, v, w) = (f^r, h^s, g^{r+s} m)$
Decrypt $(u, v, w)$:
$m = w \, u^{-1/x} \, v^{-1/y}$

Security assumption
Decisional linear assumption [BBS04]:
$f, h, g, f^r, h^s, g^t$
Hard to distinguish tuples with $t = r+s$ from tuples with $t$ random
Generalization of DDH ($s = 0$)

Example: verifiable encryption
Public key: $f$, $h$, $g$
Encryption of message $m$:
$(u, v, w) = (f^r, h^s, g^{r+s} m)$
Statement "m is plaintext of (u, v, w)":
$e(u, h) = e(f, x)$
$e(w m^{-1}, h) = e(g, x v)$
Witness for satisfiability: $x = h^r$

Pairing product equations
Equation over variables $x_1, \ldots, x_n$:
$\prod_{k=1}^{l} e\left(a_k \prod_{i=1}^{n} x_i^{e_{ki}},\; b_k \prod_{i=1}^{n} x_i^{f_{ki}}\right) = 1$
for constants $a_k, b_k \in G$, $e_{ki}, f_{ki} \in Z_p$
Length of pairing product equation: $l$ (with $k = 1, \ldots, l$)
Earlier example, equation over $x$:
$e(u, h) = e(f, x) \leftrightarrow e(u x^0, h x^0) \, e(f x^0, x^{-1}) = 1$
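
The equations on the ElGamal, BBS-encryption, verifiable-encryption and pairing-product-equation slides above can be executed in a toy model. This is an added example, not code from the talk or the paper: it assumes group elements are stored as exponents modulo a constructed prime `P` (so nothing in it is secure), and the names `G`, `ppe_holds` and `plaintext_statement` are hypothetical.

```python
import secrets

# Toy symmetric bilinear group (assumption of this added example): g^a is
# stored as the exponent a mod P, so discrete logs are trivial and nothing
# here is secure. It only lets the slides' equations be executed.
P = 2**61 - 1  # prime group order (constructed value)

class G:
    def __init__(self, a): self.a = a % P
    def __mul__(self, o): return G(self.a + o.a)
    def __pow__(self, k): return G(self.a * k)      # negative k inverts
    def __eq__(self, o): return self.a == o.a

g, ONE = G(1), G(0)

def e(x, y):
    """e(g^a, g^b) = e(g, g)^(ab); a GT element is stored as its exponent."""
    return x.a * y.a % P

def rand():
    return secrets.randbelow(P - 1) + 1

def elgamal_contains_one(h, u, v):
    # e(u, h) = e(g, h)^r and e(g, v) = e(g, h^r m) agree exactly when m = 1
    return e(u, h) == e(g, v)

def bbs_encrypt(f, h, m, r, s):
    return f ** r, h ** s, g ** (r + s) * m

def bbs_decrypt(x, y, u, v, w):
    return w * u ** -pow(x, -1, P) * v ** -pow(y, -1, P)

def ppe_holds(terms, xs):
    """prod_k e(a_k prod_i x_i^e_ki, b_k prod_i x_i^f_ki) == 1 in GT."""
    total = 0
    for a, es, b, fs in terms:
        left, right = a, b
        for x, ek, fk in zip(xs, es, fs):
            left, right = left * x ** ek, right * x ** fk
        total += e(left, right)
    return total % P == 0

def plaintext_statement(f, h, u, v, w, m):
    """The two slide equations for 'm is plaintext of (u, v, w)' as PPEs
    over one variable x (witness h^r), each term (a_k, [e_k1], b_k, [f_k1])."""
    return [[(u, [0], h, [0]), (f, [0], ONE, [-1])],
            [(w * m ** -1, [0], h, [0]), (g ** -1, [0], v, [1])]]
```

The second equation is moved to one side as $e(w m^{-1}, h) \, e(g^{-1}, x v) = 1$, so both equations fit the general pairing product form.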

Satisfiability of pairing product equations
Given a set of pairing product equations
$S = \{eq_1, \ldots, eq_m\}$
over variables $x_1, \ldots, x_n$
Satisfiability of pairing product equations:
Does there exist a choice of $x_1, \ldots, x_n \in G$ so all $m$ equations are satisfied?

Satisfiability of pairing product equations
• Relations between group elements
• Direct expression, no reduction to Circuit SAT!
• At the same time very general: from $S_1, \ldots, S_L$ can construct
$S_{AND}$: all $S_i$ simultaneously satisfiable
$S_{OR}$: exists $S_i$ that is satisfiable
NP-complete

NIZK Proofs
Common reference string: crs
Statement: S satisfiable (NP-language)
Prover: witness $x_1, \ldots, x_n$
Verifier
Soundness: valid proof → S satisfiable
Zero-knowledge: "S satisfiable, but I learned nothing else"

NIZK proof for satisfiability of pairing product equations
Perfect completeness, perfect soundness and computational zero-knowledge
Common reference string: 6 group elements
NIZK proof for set $S = \{eq_1, \ldots, eq_m\}$ with total length $L = l_1 + \ldots + l_m$ over variables $x_1, \ldots, x_n$: $4n + 228L - 3m$ group elements
In other words: $O(1)$ size crs, $O(n+L)$ size proofs

Main technical contribution
NIZK proof for a practical language:
Satisfiability of pairing product equations
Consequences:
Efficient simulation-extractable NIZK proofs
Group signatures with constant number of group elements

Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures

Zero-knowledge
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$
[Diagram: Simulator and Adversary. The simulator runs $S_1(1^k)$, which gives the "common reference string" and sk. The adversary submits a set of PPEs S with witness $x_1, \ldots, x_n$, receives a proof π from $S_2(crs, sk, S)$, and outputs 0/1.]

Simulation-soundness
Simulation-soundness: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ S \text{ unsatisfiable}] \approx 0$
[Diagram: Simulator and Adversary. The simulator runs $S_1(1^k)$, which gives the "common reference string" and sk. The adversary submits sets of PPEs S, receives proofs π from $S_2(crs, sk, S)$, and outputs $(S, \pi)$.]

Simulation-extractability
Simulation-extractability: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ E_2(xk, S, \pi) \neq w] \approx 0$
[Diagram: Simulator and Adversary. The simulator runs $SE_1(1^k)$, which gives the "common reference string" and sk, xk. The adversary submits sets of PPEs S, receives proofs π from $S_2(crs, sk, S)$, and outputs $(S, \pi)$.]

Simulation-extractable NIZK
Simulation-extractable NIZK proof for satisfiability of pairing product equations
CRS: $O(1)$ group elements
Proofs: $O(n+L)$ group elements
Comparison for Circuit SAT:
Our proof size: $O(|C|k)$ bits
Previous: $O(|C|k + poly(k))$ bits

Group signature
gpk
Group manager
Group members
Signature on m
Anonymous
Group manager can open/trace

Group signature
Group public key: $vk_{cert}$, $pk_{cpa}$, crs
Group manager's join key: $sk_{cert}$
Group manager's open key: $dk_{cpa}$
Join user $i$:
User: $(vk_i, sk_i)$ ← CMA-secure signature keys
GM: $cert_i \leftarrow sign_{sk_{cert}}(vk_i)$
User $i$'s public key: $vk_i$, $cert_i$
User $i$'s signing key: $sk_i$

Group signature
Group public key: $vk_{cert}$, $pk_{cpa}$, crs
Group signature by member $i$ on message $m$:
$(vk_{sots}, sk_{sots})$ ← strong one-time signature keys
$c \leftarrow E_{pk_{cpa}}(vk_i, cert_i, sign_{sk_i}(vk_{sots}))$
$\pi$ ← simulation-extractable NIZK proof for "c has certified $vk_i$ and signature on $vk_{sots}$"
$sig \leftarrow sign_{sk_{sots}}(m, vk_{sots}, c, \pi)$
$GroupSig(m) = (vk_{sots}, c, \pi, sig)$

Group signature
Key sizes: $O(1)$ group elements
Group signature: $O(1)$ group elements (huge)
Strong security: [BMW03, BSZ05]
Dynamic group: join members
Full-anonymity: anonymous under adaptive opening attack
Full-traceability: GM can track user, no framing
Assumption: decisional linear assumption
Compare with
BSZ05: general construction, poly-size proofs
BW06: $O(\log n)$ group elements, static group, CPA-security
ACHdM05: $O(1)$ group elements, key exposure attack, strong assumptions

Thanks
Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments
I do apologize for not being here myself today. Questions can be sent to [email protected]
Thanks a lot to Eike for presenting!