Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
description
Transcript of Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Charanjit Jutla, IBM Watson
and
Arnab Roy, Fujitsu Labs of America
a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , x ′ · a ∗ g (DDH)
a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g)
c ∗ g , f c ∗ g , f
(El-Gamal Encryption of c f∗ )
a, x, c :: a = a ∗ g , = x ∗ g , = c ∗ g , = c ∗ f + x · a ∗g
x, c :: = x ∗ g , = c ∗ g , = c ∗ f + x ∗ a
x, c :: (, , ) =
El-Gamal Encryption
a
fg0
a0gcx
Novel Quasi-Adaptive NIZK
El-Gamal Encryption
Public Parameters: g, a, f D and CRS CRS-gen(g, a, f )
Honest Party: Choose x, c at random, generate , , and proof π Adv (Need to hide x, c from Adv.)1. Replace π with simulated proof π‘2. So, x and c no more needed in proof gen.
3. a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g) ≈ a ∗ g , x ∗ g , x · a ∗ g c ∗ g , f c ∗ g , f
CRS-gen better be a polynomial time Turing Machine.4. c ∗ f not needed in simulation to Adv.
Proving Hard Linear Subspaces
Our Comp. Sound Proof System – DH example
Comparison with Groth-Sahai
Groth-Sahai Ours
XDH
Proof Size n + 2t n - t
CRS Size 4 2t·(n-t)+2
#Pairings 2n·(t+2) (n-t)·(t+2)
DLIN
Proof Size 2n + 3t 2n - 2t
CRS Size 9 4t·(n-t)+3
#Pairings 3n· (t+3) 2(n-t)·(t+2)
• n : the number of equations• t : the number of witnesses
Conceptual Comparison
• n : the number of equations• t : the number of witnesses
Properties Comparison Groth-Sahai Ours
Extends to Quadratic Equations Extends to Quadratic but only using Groth-Sahai commitments.
Linear Pairing Product Equations Better Linear Pairing Product Equations of special kind. 2/3 improvement.
Quadratic Pairing Product Equations
No additional Advantage
Randomized Proofs Unique Proofs
Verifier needs language description/parameters
Split CRS -- verifier CRS does not depend on the language. Verifier does not even need language.
Dual-System IBE with a hint from QA-NIZKs
• A fully-secure (perfectly complete, anonymous) IBE follows under SXDH.– Only 4 group elements. – (shortest under static standard assumptions)– Recently and independently CLLWW-12 :
5 group elements and larger MPK.• Dual-system IBE (Waters 08) has built-in
QA-NIZK and obtains effective simulation soundness using smooth hash-proofs.
Thanks!
Quasi-Adaptive NIZK Definition• (K0, K1, P, V) is a QA-NIZK for a distribution D on collection of
relations Rρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3:• (Completeness) Pr[ λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x;w) ← A1(λ; ψ ; ρ ); π ← P(ψ; x;w) : V(ψ; x; π ) = 1 if Rρ(x;w)] = 1• (Computational-Soundness) Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x; π) ← A2(λ; ψ ; ρ ) : V(ψ; x; π) = 1 and not (∃w : Rρ(x;w))] ≈ 0• QA ZK Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ): A3 P(ψ ; .;.) (λ; ψ ; ρ ) = 1] ≈ Pr[λ←K0(1m); ρ ← D; (ψ, τ) ← S1(λ; ρ ) :A3 S2(ψ ; τ; .; *) (λ; ψ ; ρ ) = 1]
Novel Quasi-Adaptive NIZK
• Can the CRS depend on defining matrix, i.e. g, f, a ?
• Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a
• Problem: g, f, a are not constant, but are chosen according to some distribution. – The hardness of DDH (hence encryption security)
depends on this choice.
Novel Quasi-Adaptive NIZK
• Can the CRS depend on defining matrix or g, f, a ?
• Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a
• Problem: g, f, a are not constant, but are chosen according to some distribution. – The hardness of DDH (hence encryption security)
depends on this choice.• CRS can depend on defining matrix, but CRS-
gen must be a single efficient machine for the distribution of defining matrix.
• Most applications can use this notion.
Detour: Groth-Sahai NIZKs
Proving Hard Linear Subspaces
QA-NIZK for Hard Linear Subspaces
Prover CRS
Verifier CRS
Zero Knowledge Simulation
Soundness
Soundness (contd.)
Extensions
Signatures from QA-NIZK and CCA2 Encryption