Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces


Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit Jutla, IBM Watson and Arnab Roy, Fujitsu Labs of America

El-Gamal Encryption

(a∗g, x∗g, x·a∗g) ≈ (a∗g, x∗g, x′·a∗g)   (DDH)

(a∗g, x∗g, c∗g, c∗f + x·a∗g)   (El-Gamal encryption of c∗f)

Witnesses a, x, c: the tuple is (a, x∗g, c∗g, c∗f + x·a∗g), where the group element a = a∗g.

Witnesses x, c (a = a∗g is now a public constant): the tuple is (x∗g, c∗g, c∗f + x∗a).

Witnesses x, c, written as a linear subspace:

(x∗g, c∗g, c∗f + x∗a) = (x, c) · [ g  0  a ]
                                 [ 0  g  f ]

 

Novel Quasi-Adaptive NIZK

El-Gamal Encryption

Public Parameters: g, f, a ← D, and CRS ← CRS-gen(g, f, a)

Honest Party: choose x, c at random, generate the tuple (x∗g, c∗g, c∗f + x∗a) and the proof π; both go to Adv. (Need to hide x, c from Adv.)

1. Replace π with a simulated proof π′.

2. So x and c are no longer needed in proof generation.

3. (a∗g, x∗g, c∗g, c∗f + x·a∗g) ≈ (a∗g, x∗g, c∗g, c∗f + x′·a∗g)   (DDH)

   CRS-gen had better be a polynomial-time Turing machine, so that the DDH reduction can run it on the challenge's g and a.

4. c∗f is not needed in the simulation to Adv.
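The two slides above describe the same language twice: first as the El-Gamal tuple (x∗g, c∗g, c∗f + x∗a), then as the row space of the matrix [g 0 a; 0 g f], and the simulation argument turns on the fact that the trusted party who picks g, f, a may also build a CRS from them. The following is an added example, not code from the slides or from Jutla and Roy: it instantiates the language in a constructed toy Schnorr group (P = 2039, Q = 1019, generator 4; far too small for real use), builds candidates both from the witness and from the exponent matrix, and contrasts the prover's witness check with a membership check that needs only the trapdoor (the discrete logs phi and alpha of f and a) that the language's trusted party holds. That trapdoor check stands in for the paper's pairing-based CRS, which is not reproduced here; the names gen_language, check_with_trapdoor and the values phi = 7, alpha = 11, x = 5, c = 3 are this example's own.

```python
# Added example (not from the slides or the paper): the DDH-based linear-subspace
# language of the El-Gamal slide in a toy Schnorr group.
# Group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 (constructed toy parameters).
P = 2039
Q = 1019
G = 4  # generator of the order-Q subgroup (a quadratic residue different from 1)


def inv(v):
    """Modular inverse in Z_P^* (P is prime)."""
    return pow(v, P - 2, P)


def gen_language(phi, alpha):
    """Language constants (g, f, a) with f = phi*g and a = alpha*g in the slide's
    additive notation. The trusted party choosing them knows phi and alpha, which
    is the knowledge a CRS 'dependent on the language constants' can exploit."""
    return (G, pow(G, phi, P), pow(G, alpha, P))


def exponent_matrix(phi, alpha):
    """Exponent view of the slide's matrix [[g, 0, a], [0, g, f]] over Z_Q."""
    return [[1, 0, alpha], [0, 1, phi]]


def candidate_from_witness(params, x, c):
    """Prover's candidate (x*g, c*g, c*f + x*a) computed from the witness (x, c)."""
    g, f, a = params
    return (pow(g, x, P), pow(g, c, P), pow(f, c, P) * pow(a, x, P) % P)


def candidate_from_matrix(phi, alpha, x, c):
    """Same candidate via (x, c) . M in the exponent, then lifted to the group."""
    m = exponent_matrix(phi, alpha)
    exps = [(x * m[0][j] + c * m[1][j]) % Q for j in range(3)]
    return tuple(pow(G, e, P) for e in exps)


def check_with_witness(params, cand, x, c):
    """What the prover can check: recompute the tuple from the witness."""
    return candidate_from_witness(params, x, c) == cand


def check_with_trapdoor(phi, alpha, cand):
    """Membership check without any witness: the third element must equal
    phi*m + alpha*l, i.e. the candidate's exponents lie in the row space of M."""
    l, m, n = cand
    return n == pow(m, phi, P) * pow(l, alpha, P) % P


def elgamal_decrypt(alpha, cand):
    """View (l, n) as an El-Gamal ciphertext under public key a = alpha*g and
    recover the encrypted group element c*f."""
    l, _, n = cand
    return n * inv(pow(l, alpha, P)) % P


def demo():
    phi, alpha = 7, 11  # constructed trapdoor values held by the trusted party
    params = gen_language(phi, alpha)
    x, c = 5, 3         # constructed witness
    cand = candidate_from_witness(params, x, c)
    assert cand == candidate_from_matrix(phi, alpha, x, c)
    assert check_with_witness(params, cand, x, c)
    assert check_with_trapdoor(phi, alpha, cand)
    assert elgamal_decrypt(alpha, cand) == pow(params[1], c, P)
    # Replacing x*a by x'*a with x' != x (the DDH-random hybrid of step 3) leaves
    # l and m unchanged but takes the tuple out of the language.
    bad = (cand[0], cand[1], pow(params[1], c, P) * pow(params[2], x + 1, P) % P)
    assert not check_with_trapdoor(phi, alpha, bad)
    return cand


if __name__ == "__main__":
    print(demo())
```

The point to take from the trapdoor check is the one the slide makes about CRS-gen: whoever samples (g, f, a) can verify membership in the language without a witness, which is exactly why a CRS built from those constants is allowed to exist, but only if generating it is an efficient procedure over the whole distribution D rather than a fixed string.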

Proving Hard Linear Subspaces

Our Comp. Sound Proof System – DH example

Comparison with Groth-Sahai

• n : the number of equations
• t : the number of witnesses

XDH            Proof Size   CRS Size        #Pairings
Groth-Sahai    n + 2t       4               2n·(t+2)
Ours           n − t        2t·(n−t) + 2    (n−t)·(t+2)

DLIN           Proof Size   CRS Size        #Pairings
Groth-Sahai    2n + 3t      9               3n·(t+3)
Ours           2n − 2t      4t·(n−t) + 3    2(n−t)·(t+2)

Conceptual Comparison

Groth-Sahai

• CRS independent of language constants.
• Each witness is taken to a higher dimensional space: 2 for XDH, 3 for DLIN.
• Each of the n equations is checked by pairing with the commitments, along 2 dims for XDH, 3 for DLIN.
• With hiding CRS: Perfect ZK, Comp Sound. With binding CRS: Comp ZK, Perfect Sound. Since the properties are based on the indistinguishability of the two types of CRSes, the system is fundamentally based on a decision problem.

Ours

• CRS dependent on the language constants.
• No special treatment of witnesses. The first t elements of the candidate are themselves treated as witnesses.
• Only the remaining n − t ‘dependent’ elements are checked by pairing, along 1 dim for XDH, 2 for DLIN.
• There is no analogous hiding/binding CRS concept. Perfect ZK, Comp Sound.

Properties Comparison

Groth-Sahai: Verifier needs language description/parameters.
Ours: Split CRS -- verifier CRS does not depend on the language. Verifier does not even need the language.

Groth-Sahai: Extends to Quadratic Equations.
Ours: Extends to Quadratic but only using Groth-Sahai commitments.

Groth-Sahai: Linear Pairing Product Equations.
Ours: Better Linear Pairing Product Equations of a special kind. 2/3 improvement.

Groth-Sahai: Quadratic Pairing Product Equations.
Ours: No additional advantage.

Groth-Sahai: Randomized Proofs.
Ours: Unique Proofs.

Dual-System IBE with a hint from QA-NIZKs

• A fully-secure (perfectly complete, anonymous) IBE follows under SXDH.
  – Only 4 group elements.
  – (shortest under static standard assumptions)
  – Recently and independently CLLWW-12: 5 group elements and larger MPK.

• Dual-system IBE (Waters 08) has built-in QA-NIZK and obtains effective simulation soundness using smooth hash-proofs.

Thanks!

Quasi-Adaptive NIZK Definition

• (K0, K1, P, V) is a QA-NIZK for a distribution D on a collection of relations R_ρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3:

• (Completeness) Pr[ λ ← K0(1^m); ρ ← D; ψ ← K1(λ; ρ); (x; w) ← A1(λ; ψ; ρ); π ← P(ψ; x; w) : V(ψ; x; π) = 1 if R_ρ(x; w) ] = 1

• (Computational-Soundness) Pr[ λ ← K0(1^m); ρ ← D; ψ ← K1(λ; ρ); (x; π) ← A2(λ; ψ; ρ) : V(ψ; x; π) = 1 and not (∃ w : R_ρ(x; w)) ] is negligible

Novel Quasi-Adaptive NIZK

• Can the CRS depend on the defining matrix, i.e. g, f, a?

• Yes, g, f, a are defined by a trusted party, who can also set the CRS for the NIZK depending on g, f, a.

• Problem: g, f, a are not constant, but are chosen according to some distribution.
  – The hardness of DDH (hence encryption security) depends on this choice.


• The CRS can depend on the defining matrix, but CRS-gen must be a single efficient machine that works for the whole distribution of defining matrices.

• Most applications can use this notion.

Detour: Groth-Sahai NIZKs

Proving Hard Linear Subspaces

QA-NIZK for Hard Linear Subspaces Prover CRS Verifier CRS

Zero Knowledge Simulation

Soundness

Soundness (contd.)

Extensions

Signatures from QA-NIZK and CCA2 Encryption