
Published by Noah Sutherland. Modified over 4 years ago.

1
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Jens Groth, University of California Los Angeles
Presenter: Eike Kiltz, CWI

2
Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures

3
Bilinear groups
$G$, $G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$

4
ElGamal encryption fails
Public key: $g, h$
Encrypt message $m$: $(u, v) = (g^r, h^r m)$
Not semantically secure, can for instance tell whether ciphertext $(u, v)$ contains 1:
$e(u, h) = e(g^r, h) = e(g, h)^r = e(g, h^r)$
$e(g, v) = e(g, h^r m)$

5
BBS-encryption [BBS04]
Public key: $f, h, g$
Secret key: $x, y$ so $f = g^x$, $h = g^y$
Encrypt message $m$: $(u, v, w) = (f^r, h^s, g^{r+s} m)$
Decrypt $(u, v, w)$: $m = w\, u^{-1/x}\, v^{-1/y}$
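The pairing test from the ElGamal slide and the BBS encryption and decryption equations, as an added example that is not part of the presentation. It assumes a toy, insecure model in which the group element $g^a$ is stored as its exponent $a$, so only the algebra is exercised; all function names are made up here, and the test is generalised from plaintext 1 to any candidate plaintext.

```python
import secrets

# Toy symmetric bilinear group, NOT secure: the element g^a is stored as its
# exponent a mod P, so only the algebra of the slides is modelled.
P = 2**127 - 1            # prime group order (constructed parameter)
G = 1                     # the generator g = g^1
ONE = 0                   # the identity element 1 = g^0

def rand_exp():
    return secrets.randbelow(P - 1) + 1

def mul(a, b):            # g^a * g^b = g^(a+b)
    return (a + b) % P

def power(a, k):          # (g^a)^k = g^(a*k)
    return (a * k) % P

def pair(a, b):           # e(g^a, g^b) = e(g, g)^(ab); G_T stored as exponent too
    return (a * b) % P

def elgamal_encrypt(h, m):
    r = rand_exp()
    return power(G, r), mul(power(h, r), m)          # (u, v) = (g^r, h^r m)

def elgamal_is_encryption_of(h, ct, m):
    """e(u, h) == e(g, v m^-1) holds exactly when ct encrypts m (m = 1 on the slide)."""
    u, v = ct
    return pair(u, h) == pair(G, mul(v, power(m, -1)))

def bbs_keygen():
    x, y = rand_exp(), rand_exp()
    return (power(G, x), power(G, y)), (x, y)        # pk = (f, h), sk = (x, y)

def bbs_encrypt(pk, m):
    f, h = pk
    r, s = rand_exp(), rand_exp()
    return power(f, r), power(h, s), mul(power(G, r + s), m)

def bbs_decrypt(sk, ct):
    (x, y), (u, v, w) = sk, ct
    # m = w * u^(-1/x) * v^(-1/y)
    return mul(w, mul(power(u, -pow(x, -1, P)), power(v, -pow(y, -1, P))))
```
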

6
Security assumption
Decisional linear assumption [BBS04]: $f, h, g, f^r, h^s, g^t$
Hard to distinguish tuples with $t = r+s$ from tuples with $t$ random
Generalization of DDH ($s = 0$)

7
Example: verifiable encryption
Public key: $f, h, g$
Encryption of message $m$: $(u, v, w) = (f^r, h^s, g^{r+s} m)$
Statement: $m$ is plaintext of $(u, v, w)$:
$e(u, h) = e(f, x)$
$e(w m^{-1}, h) = e(g, xv)$
Witness for satisfiability: $x = h^r$

8
Pairing product equations
Equation over variables $x_1, \ldots, x_n$:
$\prod_{k=1}^{\ell} e\big(a_k \prod_i x_i^{e_{ki}},\; b_k \prod_i x_i^{f_{ki}}\big) = 1$
for constants $a_k, b_k \in G$, $e_{ki}, f_{ki} \in \mathbb{Z}_p$
Length of pairing product equation: $\ell$ ($k = 1, \ldots, \ell$)
Earlier example, equation over $x$:
$e(u, h) = e(f, x) \;\Leftrightarrow\; e(u x^0, h x^0)\, e(f x^0, x^{-1}) = 1$

9
Satisfiability of pairing product equations
Given a set of pairing product equations $S = \{eq_1, \ldots, eq_m\}$ over variables $x_1, \ldots, x_n$
Satisfiability of pairing product equations: Does there exist a choice of $x_1, \ldots, x_n \in G$ so all $m$ equations are satisfied?
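A witness checker for sets of pairing product equations in the general form above, applied to the verifiable-encryption statement; this is an added example, not part of the presentation. It assumes a toy, insecure model where $g^a$ is stored as its exponent $a$; the function names, the tuple layout `(a_k, e_k, b_k, f_k)` and the sample values are constructed here.

```python
# Toy symmetric bilinear group, NOT secure: g^a is stored as its exponent a mod P.
P = 2**127 - 1                      # prime group order (constructed parameter)

def mul(a, b):                      # g^a * g^b
    return (a + b) % P

def power(a, k):                    # (g^a)^k
    return (a * k) % P

def pair(a, b):                     # e(g^a, g^b), as an exponent of e(g, g)
    return (a * b) % P

def side(const, exps, xs):
    """One pairing argument: const * prod_i x_i^exps[i]."""
    for x, k in zip(xs, exps):
        const = mul(const, power(x, k))
    return const

def ppe_holds(eq, xs):
    """eq = [(a_k, e_k, b_k, f_k), ...]; true iff the pairing product is 1."""
    total = sum(pair(side(a, e_k, xs), side(b, f_k, xs)) for a, e_k, b, f_k in eq)
    return total % P == 0           # identity of G_T has exponent 0

def satisfies(S, xs):
    """Witness check: xs must satisfy every equation in the set S."""
    return all(ppe_holds(eq, xs) for eq in S)

def verifiable_encryption_statement(pk, ct, m):
    """'m is the plaintext of (u, v, w)' as two PPEs over one variable x."""
    (f, h), (u, v, w) = pk, ct
    g, one = 1, 0
    eq1 = [(u, [0], h, [0]), (f, [0], one, [-1])]   # e(u, h) e(f, x^-1) = 1
    eq2 = [(mul(w, power(m, -1)), [0], h, [0]),     # e(w m^-1, h) ...
           (power(g, -1), [0], v, [1])]             # ... e(g^-1, v x) = 1
    return [eq1, eq2]

# Constructed sample: secret key (3, 5), so f = g^3, h = g^5; r = 7, s = 11, m = g^42
PK, CT, M = (3, 5), (21, 55, 60), 42
WITNESS = [35]                      # h^r = g^35
```
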

10
Satisfiability of pairing product equations
Relations between group elements
Direct expression, no reduction to Circuit SAT!
At the same time very general: From $S_1, \ldots, S_L$ can construct
  $S_{AND}$: All $S_i$ simultaneously satisfiable
  $S_{OR}$: Exists $S_i$ that is satisfiable
NP-complete

11
NIZK Proofs
Common reference string: crs
Statement: $S$ satisfiable (NP-language)
Prover (witness $x_1, \ldots, x_n$) and Verifier
Soundness: valid proof $\Rightarrow$ $S$ satisfiable
Zero-knowledge: $S$ satisfiable, but I learned nothing else

12
NIZK proof for satisfiability of pairing product equations
Perfect completeness, perfect soundness and computational zero-knowledge
Common reference string: 6 group elements
NIZK proof for set $S = \{eq_1, \ldots, eq_m\}$ with total length $L = \ell_1 + \ldots + \ell_m$ over variables $x_1, \ldots, x_n$: $4n + 228L - 3m$ group elements
In other words: $O(1)$ size crs, $O(n+L)$ size proofs

13
Main technical contribution
NIZK proof for a practical language: Satisfiability of pairing product equations
Consequences:
  Efficient simulation-extractable NIZK proofs
  Group signatures with constant number of group elements

14
Overview
Groups with bilinear map
NIZK proofs for Pairing Product Equations
RCCA-secure encryption
Digital signatures
Simulation-extractable NIZK for PPEs
Group signatures

15
Zero-knowledge
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$
Diagram (Simulator and Adversary): $sk \leftarrow S_1(1^k)$; common reference string; set of PPEs $S$; witness $x_1, \ldots, x_n$; proof $\pi \leftarrow S_2(crs, sk, S)$; output 0/1

16
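Simulation-soundness
Simulation-soundness: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ S \text{ unsatisfiable}] \approx 0$
Diagram (Simulator and Adversary): $sk \leftarrow S_1(1^k)$; common reference string; set of PPEs $S$; proof $\pi \leftarrow S_2(crs, sk, S)$; output $(S, \pi)$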

17
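Simulation-extractability
Simulation-extractability: $\Pr[A \to (S, \pi) \text{ so valid proof},\ (S, \pi) \notin Q,\ E_2(xk, S, \pi) \text{ does not output a witness } w] \approx 0$
Diagram (Simulator and Adversary): $sk, xk \leftarrow SE_1(1^k)$; common reference string; set of PPEs $S$; proof $\pi \leftarrow S_2(crs, sk, S)$; output $(S, \pi)$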

18
Simulation-extractable NIZK
Simulation-extractable NIZK proof for satisfiability of pairing product equations
CRS: $O(1)$ group elements
Proofs: $O(n+L)$ group elements
Comparison for Circuit SAT:
  Our proof size: $O(|C|k)$ bits
  Previous: $O(|C|k + \mathrm{poly}(k))$ bits

19
Group signature
Diagram: group public key gpk; group manager; group members; signature on $m$
Anonymous
Group manager can open/trace

20
Group signature
Group public key: $vk_{cert}, pk_{cpa}, crs$
Group manager's join key: $sk_{cert}$
Group manager's open key: $dk_{cpa}$
Join user $i$:
  User: $(vk_i, sk_i)$ CMA-secure signature keys
  GM: $cert_i \leftarrow sign_{sk_{cert}}(vk_i)$
User $i$'s public key: $vk_i, cert_i$
User $i$'s signing key: $sk_i$

21
Group signature
Group public key: $vk_{cert}, pk_{cpa}, crs$
Group signature by member $i$ on message $m$:
  $(vk_{sots}, sk_{sots})$ strong one-time signature keys
  $c \leftarrow E_{pk_{cpa}}(vk_i, cert_i, sign_{sk_i}(vk_{sots}))$
  Simulation-extractable NIZK proof $\pi$ for: $c$ has certified $vk_i$ and signature on $vk_{sots}$
  $sig \leftarrow sign_{sk_{sots}}(m, vk_{sots}, c, \pi)$
GroupSig($m$) = $(vk_{sots}, c, \pi, sig)$

22
Group signature
Key sizes: $O(1)$ group elements
Group signature: $O(1)$ group elements (huge)
Strong security: [BMW03, BSZ05]
  Dynamic group: join members
  Full-anonymity: anonymous under adaptive opening attack
  Full-traceability: GM can track user, no framing
Assumption: decisional linear assumption
Compare with
  BSZ05: general construction, poly-size proofs
  BW06: $O(\log n)$ group elements, static group, CPA-security
  ACHdM05: $O(1)$ group elements, key exposure attack, strong assumptions

23
Thanks
Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments
I do apologize for not being here myself today.
Questions can be sent to jg@cs.ucla.edu
Thanks a lot to Eike for presenting!
