Fine-Tuning Groth-Sahai Proofs
Transcript of Fine-Tuning Groth-Sahai Proofs
Alex Escala, Scytl Secure Electronic Voting
Jens Groth, University College London
Non-interactive zero-knowledge proofs
• Completeness: Prover can prove true statements
• Soundness: Prover cannot prove false statements
• Zero-knowledge: Proof does not reveal anything else
Statement
Common reference string
NIZK proofs
Circuit SAT
Practical pairing-based statements
Inefficient
Efficient
Statistical sampling techniques
Groth-Ostrovsky-Sahai 2012 (2006)
Groth 2006
Groth-Sahai 2012 (2008)
1 GB
1 KB
Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document.
Further reduction of size
More efficient computation
Prime order bilinear groups
• generates
• finite cyclic groups of prime order
• Pairing
• Deciding group membership, group operations, and bilinear pairing efficiently computable
SXDH bilinear groups
• Three types of groups
– Type I: Symmetric, i.e.,
– Type II: Efficiently computable isomorphism
– Type III: No efficiently computable isomorphisms in either direction between the source groups and
• SXDH assumption in Type III bilinear groups
– Decision Diffie-Hellman problem hard in both and
Groth and Sahai give NIZK proofs for simultaneous satisfiability of a set of equations over variables of the forms
– Pairing product equations
– Multi-exponentiation equations
– Quadratic equations
Linear algebra notation
Equations over variables
– Pairing product equations
Use additive notation for groups, multiplicative notation for pairings to get
Equations over variables
– Pairing product equations
Groth-Sahai proofs
Commitments
Proofs that committed values satisfy equations
Commit-and-prove system [Kil90,CLOS02,Fuc11]
[Diagram: a sequence of commitments com(·) interleaved with equation proofs π_eq1 and π_eq2]
Type-based commit-and-prove system
• We commit to values with a public part (type) and a (potentially) private part
• Gen generates a commitment key
• Com generates commitment to
• Prove generates proof for commitments containing witnesses certifying the veracity of the statement
• Verify verifies the proof and either accepts or rejects
Commitments to elements in
• Common reference string contains
– and ()
• Commitment to
– ()
– This is an ElGamal encryption of
• Zero-knowledge simulation uses CRS with
– and
– This makes the commitment perfectly hiding
ElGamal encryption of elements in
• Common reference string contains
– and ()
• ElGamal encryption of
– ()
– Using ElGamal encryption can save computation and reduce proof sizes
• Zero-knowledge simulation uses CRS with
– and
– ElGamal encryption is not perfectly hiding, so be careful
Public constants in
• Common reference string contains
– and ()
• Public can be trivially committed
– ()
– This is easily verifiable as commitment to
• Simplifies pairing product equations to
where some of the ’s and ’s may be public constants or ElGamal encrypted
Type-based commitments
• Generalize commitment scheme to allow many different types of commitments
– commit to public element
– commit by ElGamal encrypting element
– commit using Groth-Sahai commitment
– commit to (public) element
– Similar types for elements in and also types for committing to elements in
• Commitment format is where we view as a public part and as a (potentially private) part of the committed message
The base type
• Why not just use ?
• Because in general we do not know discrete logarithm of in but for we do, which helps in the zero-knowledge simulation
• In general Groth-Sahai proofs are not (directly) zero-knowledge if involves pairings of public elements, but as it turns out they are zero-knowledge if the discrete logarithms are known
Commitments
• All commitments to elements in are of the form
where for some types or
• Let be a matrix of the commitments, then we have
• Similarly, the matrix of commitments to elements in is
Proofs
• The equation to be proved is
• The proof is of the form
• Completeness
Soundness
• A standard CRS has vectors such that
• Define and
• The verification equation gives us
so for each equation
Zero-knowledge simulation for commitments
• In the simulation, the CRS contains and
• Since are linearly independent, commitments using a simulated CRS are perfectly hiding
• The simulator knows types, but not values. Simulates commitments as follows
– Commits to instead of making real commitments
– Can open base commitment as , i.e., it can interpret it as a commitment to
– Makes ElGamal type commitments as encryptions of
– Makes commitments as
Zero-knowledge simulation for proofs
• Given an equation the simulator needs to simulate proof such that
• Simulator can create proof if it knows openings or or more generally, if for each non-zero matrix entry it knows openings to or
– (Restrictions on use of ElGamal encryptions though in order for the security proof to work)
Prover-chosen common reference string
• Faster computation at the cost of sending a separate CRS and proving it is correct
– Good trade-off when many proofs to the same verifiers
Common reference string
I will use this CRS
pk, π_pk
Conclusion
• Working in the SXDH setting we have fine-tuned Groth-Sahai proofs as follows
– Simplified notation
– Generalized to type-based commit-and-prove schemes
– Enabled the use of ElGamal encryption
– Allowed pairings of base elements in equations
– Permitted the prover to choose her own CRS
• Weak Boneh-Boyen signatures
Commitment to may be reused many times, making a commit-and-prove scheme ideal
Save a couple of group elements in each proof by using ElGamal encryption
We can handle base elements directly
Prover can reduce computation by using own key
Size: Reduced from 16 to 6 group elements ~63%
Computation: Reduced ~40%