Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike Kiltz, CWI

Overview Groups with bilinear map NIZK proofs for Pairing Product Equations RCCA-secure encryption Digital signatures Simulation-extractable NIZK for PPEs Group signatures

Bilinear groups G, G T cyclic groups of prime order p g generator for G Bilinear map e: G G G T e(g a, g b ) = e(g, g) ab e(g, g) generator for G T

ElGamal encryption fails Public key: g, h Encrypt message m: (u, v) = (g r, h r m) Not semantically secure, can for instance tell whether ciphertext (u,v) contains 1: e(u, h) = e(g r, h) = e(g, h) r = e(g, h r ) e(g, v) = e(g, h r m)

BBS-encryption [BBS04] Public key: f, h, g Secret key: x, y so f = g x, h= g y Encrypt message m: (u, v, w) = (f r, h s, g r+s m) Decrypt (u,v,w): m = w u -1/x v -1/y

Security assumption Decisional linear assumption [BBS04]: f, h, g, f r, h s, g t Hard to distinguish tuples with t = r+s from tuples with t random Generalization of DDH (s = 0)

Example: verifiable encryption Public key: f, h, g Encryption of message m: (u, v, w) = (f r, h s, g r+s m) Statement m is plaintext of (u, v, w): e(u, h) = e(f, x) e(wm -1, h) = e(g, xv) Witness for satisfiability: x = h r

Pairing product equations Equation over variables x 1,..., x n k e(a k i x i e ki, b k i x i f ki ) = 1 for constants a k, b k G, e ki, f ki Z p Length of pairing product equation: k=1,...,l Earlier example, equation over x: e(u, h) = e(f, x) e(ux 0, hx 0 )e(fx 0,x -1 ) = 1

Satisfiability of pairing product equations Given a set of pairing product equations S = {eq 1,..., eq m } over variables x 1,..., x n Satisfiability of pairing product equations: Does there exist a choice of x 1,...,x n G so all m equations are satisfied?

Satisfiability of pairing product equations Relations between group elements Direct expression, no reduction to Circuit SAT ! At the same time very general: From S 1,..., S L can construct S AND : All S i simultaneously satisfiable S OR : Exists S i that is satisfiable NP-complete

Common reference string: crs Statement: S satisfiable NP-language Prover Verifier NIZK Proofs Witness x 1,...x n Soundness: valid proof S satisfiable Zero- knowledge: S satisfiable, but I learned nothing else

NIZK proof for satisfiability of pairing product equations Perfect completeness, perfect soundness and computational zero-knowledge Common reference string: 6 group elements NIZK proof for set S = {eq 1,..., eq m } with total length L = l l m over variables x 1,..., x n : 4n + 228L - 3m group elements In other words: O(1) size crs, O(n+L) size proofs

Main technical contribution NIZK proof for a practical language: Satisfiability of pairing product equations Consequences: Efficient simulation-extractable NIZK proofs Group signatures with constant number of group elements

Overview Groups with bilinear map NIZK proofs for Pairing Product Equations RCCA-secure encryption Digital signatures Simulation-extractable NIZK for PPEs Group signatures

Zero-knowledge Computational zero-knowledge: Pr[A 1|Simulated proofs (S 1,S 2 )] Pr[A 1|Real proofs (K,P)] Proof π sk S 1 (1 k ) Set of PPEs S Witness x 1,...,x n Common reference string 0/1 S 2 (crs, sk, S) Simulator Adversary

Simulation-soundness Simulation-soundness Pr[ A (S, ) so valid proof (S, ) Q, S unsatisfiable] 0 Proof π sk S 1 (1 k ) Set of PPEs S Common reference string (S, ) S 2 (crs, sk, S) Simulator Adversary

Simulation-extractability Simulation-extractability Pr[ A (S, ) so valid proof (S, ) Q, E 2 (xk, S, ) w] 0 Proof π sk, xk SE 1 (1 k ) Set of PPEs S Common reference string (S, ) S 2 (crs, sk, S) Simulator Adversary

Simulation-extractable NIZK Simulation-extractable NIZK proof for satisfiability of pairing product equations CRS:O(1) group elements Proofs: O(n+L) group elements Comparison for Circuit SAT: Our proof size: O(|C|k) bits Previous: O(|C|k + poly(k)) bits

Group signature gpk Group manager Group members Signature on m Anonymous Group manager can open/trace

Group signature Group public key: vk cert, pk cpa, crs Group managers join key: sk cert Group managers open key: dk cpa Join user i: User:(vk i, sk i ) CMA-secure signature keys GM:cert i sign sk cert (vk i ) User is public key: vk i, cert i User is signing key: sk i

Group signature Group public key: vk cert, pk cpa, crs Group signature by member i on message m: (vk sots, sk sots ) strong one-time signature keys c E pk cpa (vk i, cert i, sign sk i (vk sots )) Simulation-extractable NIZK proof for c has certified vk i and signature on vk sots sig sign sk sots (m, vk sots, c, ) GroupSig(m) = (vk sots, c,, sig)

Group signature Key sizes: O(1) group elements Group signature:O(1) group elements (huge) Strong security: [BMW03, BSZ05] Dynamic group:join members Full-anonymity:anonymous under adaptive opening attack Full-traceability:GM can track user, no framing Assumption:decisional linear assumption Compare with BSZ05: general construction, poly-size proofs BW06: O(log n) group elements, static group, CPA-security ACHdM05: O(1) group elements, key exposure attack, strong assumptions

Thanks Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments I do apologize for not being here myself today. Questions can be sent to Thanks a lot to Eike for presenting!