Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces

Charanjit Jutla, IBM Watson

and

Arnab Roy, Fujitsu Labs of America

a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , x ′ · a ∗ g (DDH)

a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g)

c ∗ g , f c ∗ g , f

(El-Gamal Encryption of c f∗ )

a, x, c :: a = a ∗ g , = x ∗ g , = c ∗ g , = c ∗ f + x · a ∗g

x, c :: = x ∗ g , = c ∗ g , = c ∗ f + x ∗ a

x, c :: (, , ) =

El-Gamal Encryption

a

fg0

a0gcx

Novel Quasi-Adaptive NIZK

El-Gamal Encryption

Public Parameters: g, a, f D and CRS CRS-gen(g, a, f )

Honest Party: Choose x, c at random, generate , , and proof π Adv (Need to hide x, c from Adv.)1. Replace π with simulated proof π‘2. So, x and c no more needed in proof gen.

3. a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g) ≈ a ∗ g , x ∗ g , x · a ∗ g c ∗ g , f c ∗ g , f

CRS-gen better be a polynomial time Turing Machine.4. c ∗ f not needed in simulation to Adv.

Proving Hard Linear Subspaces

Our Comp. Sound Proof System – DH example

Comparison with Groth-Sahai

Groth-Sahai Ours

XDH

Proof Size n + 2t n - t

CRS Size 4 2t·(n-t)+2

#Pairings 2n·(t+2) (n-t)·(t+2)

DLIN

Proof Size 2n + 3t 2n - 2t

CRS Size 9 4t·(n-t)+3

#Pairings 3n· (t+3) 2(n-t)·(t+2)

• n : the number of equations• t : the number of witnesses

Conceptual Comparison

• n : the number of equations• t : the number of witnesses

Properties Comparison Groth-Sahai Ours

Extends to Quadratic Equations Extends to Quadratic but only using Groth-Sahai commitments.

Linear Pairing Product Equations Better Linear Pairing Product Equations of special kind. 2/3 improvement.

Quadratic Pairing Product Equations

No additional Advantage

Randomized Proofs Unique Proofs

Verifier needs language description/parameters

Split CRS -- verifier CRS does not depend on the language. Verifier does not even need language.

Dual-System IBE with a hint from QA-NIZKs

• A fully-secure (perfectly complete, anonymous) IBE follows under SXDH.– Only 4 group elements. – (shortest under static standard assumptions)– Recently and independently CLLWW-12 :

5 group elements and larger MPK.• Dual-system IBE (Waters 08) has built-in

QA-NIZK and obtains effective simulation soundness using smooth hash-proofs.

Thanks!

Quasi-Adaptive NIZK Definition• (K0, K1, P, V) is a QA-NIZK for a distribution D on collection of

relations Rρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3:• (Completeness) Pr[ λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x;w) ← A1(λ; ψ ; ρ ); π ← P(ψ; x;w) : V(ψ; x; π ) = 1 if Rρ(x;w)] = 1• (Computational-Soundness) Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x; π) ← A2(λ; ψ ; ρ ) : V(ψ; x; π) = 1 and not (∃w : Rρ(x;w))] ≈ 0• QA ZK Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ): A3 P(ψ ; .;.) (λ; ψ ; ρ ) = 1] ≈ Pr[λ←K0(1m); ρ ← D; (ψ, τ) ← S1(λ; ρ ) :A3 S2(ψ ; τ; .; *) (λ; ψ ; ρ ) = 1]

Novel Quasi-Adaptive NIZK

• Can the CRS depend on defining matrix, i.e. g, f, a ?

• Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a

• Problem: g, f, a are not constant, but are chosen according to some distribution. – The hardness of DDH (hence encryption security)

depends on this choice.

Novel Quasi-Adaptive NIZK

• Can the CRS depend on defining matrix or g, f, a ?

• Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a

• Problem: g, f, a are not constant, but are chosen according to some distribution. – The hardness of DDH (hence encryption security)

depends on this choice.• CRS can depend on defining matrix, but CRS-

gen must be a single efficient machine for the distribution of defining matrix.

• Most applications can use this notion.

Detour: Groth-Sahai NIZKs

Proving Hard Linear Subspaces

QA-NIZK for Hard Linear Subspaces

Prover CRS

Verifier CRS

Zero Knowledge Simulation

Soundness

Soundness (contd.)

Extensions

Signatures from QA-NIZK and CCA2 Encryption