Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Published byNoah Sutherland Modified over 10 years ago

Similar presentations

Presentation on theme: "Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike."— Presentation transcript:

1 Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike Kiltz, CWI

2 Overview Groups with bilinear map NIZK proofs for Pairing Product Equations RCCA-secure encryption Digital signatures Simulation-extractable NIZK for PPEs Group signatures

3 Bilinear groups G, G T cyclic groups of prime order p g generator for G Bilinear map e: G G G T e(g a, g b ) = e(g, g) ab e(g, g) generator for G T

4 ElGamal encryption fails Public key: g, h Encrypt message m: (u, v) = (g r, h r m) Not semantically secure, can for instance tell whether ciphertext (u,v) contains 1: e(u, h) = e(g r, h) = e(g, h) r = e(g, h r ) e(g, v) = e(g, h r m)

5 BBS-encryption [BBS04] Public key: f, h, g Secret key: x, y so f = g x, h= g y Encrypt message m: (u, v, w) = (f r, h s, g r+s m) Decrypt (u,v,w): m = w u -1/x v -1/y

6 Security assumption Decisional linear assumption [BBS04]: f, h, g, f r, h s, g t Hard to distinguish tuples with t = r+s from tuples with t random Generalization of DDH (s = 0)

7 Example: verifiable encryption Public key: f, h, g Encryption of message m: (u, v, w) = (f r, h s, g r+s m) Statement m is plaintext of (u, v, w): e(u, h) = e(f, x) e(wm -1, h) = e(g, xv) Witness for satisfiability: x = h r

8 Pairing product equations Equation over variables x 1,..., x n k e(a k i x i e ki, b k i x i f ki ) = 1 for constants a k, b k G, e ki, f ki Z p Length of pairing product equation: k=1,...,l Earlier example, equation over x: e(u, h) = e(f, x) e(ux 0, hx 0 )e(fx 0,x -1 ) = 1

9 Satisfiability of pairing product equations Given a set of pairing product equations S = {eq 1,..., eq m } over variables x 1,..., x n Satisfiability of pairing product equations: Does there exist a choice of x 1,...,x n G so all m equations are satisfied?

10 Satisfiability of pairing product equations Relations between group elements Direct expression, no reduction to Circuit SAT ! At the same time very general: From S 1,..., S L can construct S AND : All S i simultaneously satisfiable S OR : Exists S i that is satisfiable NP-complete

11 Common reference string: crs Statement: S satisfiable NP-language Prover Verifier NIZK Proofs Witness x 1,...x n Soundness: valid proof S satisfiable Zero- knowledge: S satisfiable, but I learned nothing else

12 NIZK proof for satisfiability of pairing product equations Perfect completeness, perfect soundness and computational zero-knowledge Common reference string: 6 group elements NIZK proof for set S = {eq 1,..., eq m } with total length L = l 1 +...+l m over variables x 1,..., x n : 4n + 228L - 3m group elements In other words: O(1) size crs, O(n+L) size proofs

13 Main technical contribution NIZK proof for a practical language: Satisfiability of pairing product equations Consequences: Efficient simulation-extractable NIZK proofs Group signatures with constant number of group elements

14 Overview Groups with bilinear map NIZK proofs for Pairing Product Equations RCCA-secure encryption Digital signatures Simulation-extractable NIZK for PPEs Group signatures

15 Zero-knowledge Computational zero-knowledge: Pr[A 1|Simulated proofs (S 1,S 2 )] Pr[A 1|Real proofs (K,P)] Proof π sk S 1 (1 k ) Set of PPEs S Witness x 1,...,x n Common reference string 0/1 S 2 (crs, sk, S) Simulator Adversary

16 Simulation-soundness Simulation-soundness Pr[ A (S, ) so valid proof (S, ) Q, S unsatisfiable] 0 Proof π sk S 1 (1 k ) Set of PPEs S Common reference string (S, ) S 2 (crs, sk, S) Simulator Adversary

17 Simulation-extractability Simulation-extractability Pr[ A (S, ) so valid proof (S, ) Q, E 2 (xk, S, ) w] 0 Proof π sk, xk SE 1 (1 k ) Set of PPEs S Common reference string (S, ) S 2 (crs, sk, S) Simulator Adversary

18 Simulation-extractable NIZK Simulation-extractable NIZK proof for satisfiability of pairing product equations CRS:O(1) group elements Proofs: O(n+L) group elements Comparison for Circuit SAT: Our proof size: O(|C|k) bits Previous: O(|C|k + poly(k)) bits

19 Group signature gpk Group manager Group members Signature on m Anonymous Group manager can open/trace

20 Group signature Group public key: vk cert, pk cpa, crs Group managers join key: sk cert Group managers open key: dk cpa Join user i: User:(vk i, sk i ) CMA-secure signature keys GM:cert i sign sk cert (vk i ) User is public key: vk i, cert i User is signing key: sk i

21 Group signature Group public key: vk cert, pk cpa, crs Group signature by member i on message m: (vk sots, sk sots ) strong one-time signature keys c E pk cpa (vk i, cert i, sign sk i (vk sots )) Simulation-extractable NIZK proof for c has certified vk i and signature on vk sots sig sign sk sots (m, vk sots, c, ) GroupSig(m) = (vk sots, c,, sig)

22 Group signature Key sizes: O(1) group elements Group signature:O(1) group elements (huge) Strong security: [BMW03, BSZ05] Dynamic group:join members Full-anonymity:anonymous under adaptive opening attack Full-traceability:GM can track user, no framing Assumption:decisional linear assumption Compare with BSZ05: general construction, poly-size proofs BW06: O(log n) group elements, static group, CPA-security ACHdM05: O(1) group elements, key exposure attack, strong assumptions

23 Thanks Acknowledgment: Rafail Ostrovsky, Amit Sahai and Brent Waters for helpful discussions and comments I do apologize for not being here myself today. Questions can be sent to jg@cs.ucla.edu Thanks a lot to Eike for presenting!

Download ppt "Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Similar presentations

Ads by Google