cryptographic protocols 2014, lecture 14 Groth-Sahai proofs helger lipmaa, university of tartu

Up to now Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols Pairing-based cryptography

this time Pairing-based ZK in the CRS model Simple examples An example of Groth-Sahai proofs: efficient NIZK proofs for algebraic relations

additive notation Additive notation for group op-s / pairings We denote group elements in bold Group operation: g + h (instead of gh) Exponentiation: a · g (instead of g^a) We still denote opposite of this by log: logg ag = a Pairing: see the next slide Makes it easier to read, since we have many things in exponents plus it will make sense from algebraic viewpoint although it is probably confusing :(

Basic fact of pairings: ê (ag₁, bg₂) = ê (cg₁, dg₂) <=> ab = cd reminder: pairings Pairing: function ê: G ₁ × G ₂ → G' that satisfies Bilinearity: ê (ag₁, bg₂) = ab · ê (g₁, g₂) Non-degenerative: ê (ag₁, bg₂) ≠ 0 if a, b ≠ 0, gᵢ ≠ 0 Efficiently computable Setup (1^κ) returns (p, G ₁, G ₂, G', ê) all three groups have order p, pairing is symmetric if G₁ = G₂ =: G, otherwise asymmetric Basic fact of pairings: ê (ag₁, bg₂) = ê (cg₁, dg₂) <=> ab = cd

component-wise notation We also use a lot of component-wise notation a(g, h) = (ag, ah) (a, b)g = (ag, bg) // symmetric pairings ê ((A, B), (C, D)) = (ê (A, C), ê (B, D))

pedersen in bilinear setting gk = (p, G, G, G', ê) ← Setup (κ) g ← G, x ← ℤ*p, h ← xg crs ← (gk, g, h), td ← x Recall: Pedersen is perfectly hiding and computationally binding (assuming DL). DL holds even together with symmetric pairings crs crs c ← mg + rh crs, (m, r) crs c Store c Open: (m, r)

product proof with pedersen We will now describe a very simple NIZK proof Uses Pedersen (a known commitment scheme) Explains basic concepts, and gets us going Inputs: Pedersen commitments of a, b and c Goal: construct NIZK proof that c = ab

Idea: product proof Inputs: Pedersen commitments of a, b and c Goal: construct NIZK proof that c = ab First consider the case without privacy, randoms = 0 Com (m, 0) = mg + 0h Clearly ê (Com (a, 0), Com (b, 0)) = ê (ag, bg) = ê (abg, g) = ê (cg, g) = ê (Com (c, 0), Com (1, 0)) Thus if randoms = 0, one can check c = ab efficiently ... only given Com(a), Com(b), Com(c)

algebraic viewpoint if and only if · : ℤp × ℤp → ℤp ê : G × G → G' = ? Equivalent equality test, but in a different algebraic domain on "garbled" versions of a, b, c

main idea: pairing-based NIZK Establish a simple pairing-based verification when randoms = 0 Modify the verification equation by adding to it some expressions of form ê (π, h) NIZK proof π: compute from ver. eq. Proving soundness / ZK: often succeeds magically Every step needs creativity, and might fail to work - works only for certain nice algebraic languages

Continuing: product proof Let A = ag + rh, B = bg + sh, C = cg + th Let π be such that ê (π, h) = ê (A, B) - ê (C, g) log π · x = log A · log B - log C · log g = (a + rx)(b + sx) - (ab + tx) = ((as + br - t) + rsx) · x Set π ← (as + br - t)g + rsh Creative part: to come up with "h" here The same verification equation, but we took DL --- with basis g'= ê (g, g) --- of both sides Idea: π compensates for additional randomness

Accept if ê(π, h) = ê(A, B) - ê(C, g) NIZK product proof gk ← Setup (κ) g ← G, x ← ℤ*p, h ← xg crs ← (gk, g, h), td ← x crs crs crs, (A, B, C), (a, b, r, s, t) crs, (A, B, C) π ← (as + br - t)g + rsh π Accept if ê(π, h) = ê(A, B) - ê(C, g)

Soundness Assume verification holds but c ≠ ab log π · x = log A · log B - log C · log g = (a + rx) (b + sx) - (c + tx) = ((ab - c) / x + (as + br - t) + rsx) · x Thus π = ((ab - c) / x)g + (as + br - t)g + rsh Or: (1 / x)g = (1 / (ab - c)) · (π - (as + br - t)g - rsh) If soundness broken: can compute (1 / x)g from (g, xg) Recall ab - c ≠ 0

Diffie-hellman inversion Game DHI(Setup,A) gk ← Setup(1^κ) g ← G x ← ℤ*p h ← xg crs ← (gk, g, h) f ← A (crs) Return f = (1/x)g ? 1 : 0 Use gk = (G, G', p, ê) ← Setup (1^κ) Adv[DHI] := | Pr[DHI = 1] - 1 / p | A ε-breaks DHI wrt Setup iff Adv[DHI] ≥ ε Setup is (τ,ε)-DHI secure iff no time ≤ τ adversary A ε-breaks DHI wrt Setup Setup is a DHI secure iff it is (poly(κ),negl(κ))- DHI secure Another weird pairing assumption, but a well-known one still probably stronger than DL (= Pedersen is binding)

simulation of product proof gk ← Setup (κ) g ← G, x ← ℤ*p, h ← xg crs ← (gk, g, h), td ← x We know π* is accepting (from 2 slides ago). It comes from a correct distribution since accepting π is unique crs, x crs crs, (A, B, C), (a, b, c, r, s, t), x crs, (A, B, C) π* ← ((ab - c) / x + as + br - t)g + rsh π* Accept if ê(π*, h) = ê(A, B) - ê(C, g)

nizk product proof: theorem Theorem. The previous NIZK product proof is perfectly complete and perfectly zero knowledge. It is computationally sound under the DHI assumption Proof. Given on previous pages.

not a proof of knowledge Recall π ← (as + br - t)g + rsh Not a proof of knowledge: π can be computed given say only ag, b and cg = b(ag) prover does not have to know both a and b similarly, prover does not need to know r, s, t

extension: arithmetic circuits A.c. consist of · and + gates Can be used to evaluate any function f NIZK to verify computation of a.c.: for every · gate: construct and publish product proof for every + gate: compute O = I₁ + I₂ Publish inputs to the circuit + O = Com (i₁ + i₂, r₁ + r₂) · + I₁ = Com (i₁, r₁) I₂ = Com (i₂, r₂) · · + x y z

groth-sahai proofs Goal (general): Given Aᵢ = Com (aᵢ, rᵢ), verify that various algebraic equations hold between aᵢ aᵢ can be either group element (aᵢ) or exponent Example goal: check that for Aᵢ = Com(aᵢ), Bᵢ = Com(bᵢ), it holds that C = Com (Σbᵢaᵢ)

groth-sahai proofs Only hardness assumption: Recall product proof used Pedersen (secure under DL), but its soundness is based on DHI assumption Only hardness assumption: Commitment scheme is secure Several instantiations known (XDH, DLIN, ...) Variant 0: Com is perfectly binding/comp. hiding Perfectly sound/computationally NIZK Variant 1: Com is comp. binding/perfectly hiding Computationally sound/perfectly NIZK

Dual-mode commitments Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") Prove: crs0 and crs1 are indistinguishable crs0 crs1 Prove: Com[crs1] is perfectly hiding and trapdoor Prove: Com[crs0] is perfectly binding The only difference is in the CRS. The rest of Com is the same in both cases

dual-mode commitments Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") Prove: crs0 and crs1 are indistinguishable crs0 crs1 Prove: Com[crs1] is perfectly hiding and trapdoor Prove: Com[crs0] is perfectly binding Corollary. Com[crs0] is computationally hiding Corollary. Com[crs1] is computationally binding

GS proofs: idea Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") crs0 and crs1 are indistinguishable crs0 crs1 GS proofs with Com[crs1] are perfectly zero-knowledge GS proofs with Com[crs0] are perfectly sound GS proofs with Com[crs0] are computationally zero-knowledge GS proofs with Com[crs1] are computationally sound

DMC: technicalities We need two separate commitment schemes: DMCG, to commit to group elements and DMCE, to commit to exponents DMCG and DMCE have to play well together Due to this and DMC requirements, DMCG/DMCE are somewhat complicated

Different instantiations Different instantiations of DMC are known based on say XDH, DLIN, SH assumptions We will describe DMCE/GS proof with XDH thus we need to use asymmetric pairings Will not have time to describe DMCG, DLIN/SH setting proofs, ...

elgamal as commitment (bilinear Setting) crs = crs0. Perfectly binding, computationally hiding. Needs some modification to get properties that we need, since it is unknown how to do it with this crs gk = (G₁, G₂, ...) ← Setup (κ) g₁ ← G₁, x ← ℤp, h ← xg₁ crs ← (gk, g₁, h), td ← x crs crs c ← (mg₁ + rh, rg₁) crs, (m, r) crs c Store c Open: (m, r) In GS proofs, XDH is used differently. Idea: create crs0 and crs1 so that they are indistinguishable under XDH assumption

indistinguishable under XDH assumption dmce: idea We need to create crs0 and crs1 that are computationally indistinguishable under XDH Idea: let crsβ = (gk, g₁, h, E₁, E₂), where (g₁, h, E₂, E₁) is not a DDH tuple if β = 0 (g₁, h, E₂, E₁) is a DDH tuple if β = 1 indistinguishable under XDH assumption

Dual-mode commitment for exponents // β = hiding mode ? 1 : 0 gk ← Setup (κ) g₁ ← G₁, x,y ← ℤp h ← xg₁ E₁ ← (1 - β)g₁ + yh, E₂←yg₁ crsβ ← (gk, g₁, h, E₁, E₂) td ← y β = 0: (g₁, h, E₂, E₁) is not a DDH tuple. β = 1: (g₁, h, E₂, E₁) is a DDH tuple. crs0 ≈ crs1 due to XDH assumption. crs crs c ← (mE₁ + rh, mE₂ + rg₁) crsβ, (m, r) crsβ c Store c Open: (m, r)

perfect binding with crs0 crs0 = (gk, g₁, h = xg₁, E₁ ← g₁ + yh, E₂ ← yg₁) Com (m, r) = (mE₁ + rh, mE₂ + rg₁) = (mg₁ + (my + r)h, (my + r)g₁) = Elgamal (m, my + r) // r is random Thus perfectly binding and computationally hiding

perfect hiding with crs1 crs1 = (gk, g₁, h = xg₁, E₁ ← yh, E₂ ← yg₁) Com (m; r) = (mE₁ + rh, mE₂ + rg₁) = (myh + rh, myg₁ + rg₁) = (my + r)(h, g₁) ≈ random DDH tuple Perfectly hiding since r is random Since crs0 ≈ crs1, and DMCE[crs0] is perfectly binding => this version is computationally binding under XDH

= (my + r) (h, g₁) = Com (m, r) trapdoor with crs1 crs1 = (gk, g₁, h = xg₁, E₁ ← yh, E₂ ← yg₁) td = y Com (m, r) = (my + r)(h, g₁) Given m*, compute r* such that my + r = m*y + r* Com (m*, r*) = (m*y + r*) (h, g₁) = (my + r) (h, g₁) = Com (m, r) Clearly trapdoor

DMCE security: theorem Theorem. Assume XDH holds. DMCE is either perfectly binding and computationally hiding (if crs0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs1 is used). Proof. Given on previous pages.

first groth-sahai proof Goal: Given Zᵢ = Com(zᵢ, rᵢ)∈G₁² and Aᵢ, T∈G₂ Construct NIZK proof that ∑zᵢAᵢ = T Denote Ê ((A, B), C) := (ê (A, C), ê (B, C)) The first argument is a commitment ∈ G₁²

first groth-sahai proof Goal: prove that ∑zᵢAᵢ = T, given Zᵢ = Com(zᵢ, rᵢ), Aᵢ, T Similar basic idea as with product proof: to prove ab = c for committed a, b, c ∈ ℤp, we derived π from ê (Com (a), Com (b)) = ê (Com (c), Com (1)) + ê (π, ...) to prove ∑zᵢAᵢ = T where Aᵢ, T∈G₂, we derive π∈G₂ from ∑ Ê (Com (zᵢ), Aᵢ) = Ê (Com (1), T) + Ê (..., π) order important: asymmetric pairings π compensates for added randomness

verification without privacy First, consider the case without privacy Zᵢ = Com(zᵢ, 0) = zᵢ(E₁, E₂) + 0(h, g₁) ∑ Ê (Com(zᵢ, 0), Aᵢ) = ∑ Ê (zᵢ(E₁, E₂), Aᵢ) = Ê ((E₁, E₂), ∑ zᵢAᵢ) = Ê ((E₁, E₂), T) Com (1, 0) = (E₁, E₂) Thus ∑ Ê (Com (zᵢ, 0), Aᵢ) = Ê (Com (1, 0), T)

algebraic viewpoint if and only if · and + Ê and + = ? = ? · : ℤp × G₁ → G₁ Ê

general case with randomness crsβ = (gk, g₁, h ← xg₁, E₁ ← (1 - β)g₁ + yh, E₂ ← yg₁) Zᵢ = Com(zᵢ, rᵢ) = zᵢ(E₁, E₂) + rᵢ(h, g₁) ∑ Ê (Zᵢ, Aᵢ) = ∑ Ê (zᵢ(E₁, E₂) + rᵢ(h, g₁), Aᵢ) = Ê ((E₁, E₂), ∑ zᵢAᵢ) + Ê ((h, g₁), ∑ rᵢAᵢ) = T =: π

gs proof of ∑ zᵢAᵢ = T crs crs // β = [hiding mode] gk ← Setup (κ) g₁ ← G₁, x,y ← ℤp h ← xg₁ E₁ ← (1 - β)g₁ + yh, E₂←yg₁ crsβ ← (gk, g₁, h, E₁, E₂) td ← y crs crs crsβ, ({Aᵢ, Zᵢ}, T), ({zᵢ, rᵢ}) crsβ, ({Aᵢ, Zᵢ}, T) π ← ∑ rᵢAᵢ ∈ G₂ π Accept if ∑ Ê(Zᵢ, Aᵢ) = Ê((E₁, E₂), T) + Ê((h, g₁), π)

soundness with crs0 crs0 = (gk, g₁, h ← xg₁, E₁ ← g₁ + yh, E₂ ← yg₁) Assume Zᵢ = Com(zᵢ, rᵢ) = zᵢ(E₁, E₂) + rᵢ(h, g₁) for some zᵢ Component-wise verification: ∑ ê (zᵢ E₁ + rᵢ h, Aᵢ) = ê (E₁, T) + ê (h , π) ∑ ê (zᵢ E₂ + rᵢ g₁, Aᵢ) = ê (E₂, T) + ê (g₁, π)

soundness with crs0 crs0 = (gk, g₁, h ← xg₁, E₁ ← g₁ + yh, E₂ ← yg₁) Assume Zᵢ = Com(zᵢ, rᵢ) = zᵢ(E₁, E₂) + rᵢ(h, g₁) for some zᵢ Component-wise verification: ∑ ê (zᵢ E₁ + rᵢ h, Aᵢ) = ê (E₁, T) + ê (h , π) ∑ ê (zᵢ E₂ + rᵢ g₁, Aᵢ) = ê (E₂, T) + ê (g₁, π) ∑ ê ( zᵢ g₁ + 0, Aᵢ) = ê (g₁, T) + 0 Thus ê (g₁, ∑zᵢAᵢ) = ê (g₁, T) · x First - x · second Thus ∑zᵢAᵢ = T, as needed

Zero knowledge with crs1 Consider crs1 = (gk, g₁, h ← xg₁, E₁ ← yh, E₂ ← yg₁) Trapdoor com.: (E₁, E₂) = y(h, g₁) = Com (0, y) = Com (1, 0) Simulator writes Zᵢ = Com (zᵢ*, r*ᵢ) for zᵢ* = 0 and some r*ᵢ Basic idea: the simulator creates a GS proof that ∑zᵢ*Aᵢ - t*T = 0, where t* is an opening of (E₁, E₂) Since prover has zᵢ* = zᵢ, t* = 1, the prover must be honest Simulator, knowing y, can take zᵢ* = t* = 0

Zero knowledge Consider crs1 = (gk, g₁, h ← xg₁, E₁ ← yh, E₂ ← yg₁) (E₁, E₂) = y(h, g₁) = Com (0, y) = Com (1, 0) Simulator writes Zᵢ = Com(0, r*ᵢ) = r*ᵢ(h, g₁) Simulator creates π* ← ∑r*ᵢAᵢ - yT // GS proof for ∑0Aᵢ - 0T = 0 Verification succeeds: Ê ((h, g₁), π*) = Ê ((h, g₁), ∑r*ᵢAᵢ - yT) = ∑ Ê (r*ᵢ(h, g₁), Aᵢ) - Ê (y(h, g₁), T) = ∑ Ê (Zᵢ, Aᵢ) - Ê ((E₁, E₂), T)

Simulating proof of ∑ zᵢAᵢ = T // β = [hiding mode] gk ← Setup (κ) g₁ ← G₁, x,y ← ℤp h ← xg₁ E₁ ← (1 - β)g₁ + yh, E₂←yg₁ crsβ ← (gk, g₁, h, E₁, E₂) td ← y crs crs, td crsβ, td, ({Aᵢ, Zᵢ}, T), {zᵢ, rᵢ} crsβ, ({Aᵢ, Zᵢ}, T) π* ← ∑ r*ᵢAᵢ - yT ∈ G₂ π* Accept if ∑ Ê(Zᵢ, Aᵢ) = Ê((E₁, E₂), T) + Ê((h, g₁), π*)

First proof done We saw how to do one concrete GS proof Details are somewhat scary but the proof is very efficient Prover: n exponentiations Verifier: 2n + 4 pairings ê Proof length: 1 group element We used additive notation, so ag is what was called exponentiation earlier

Some other possible settings for GS Prove you have committed to Xᵢ, Yᵢ, s.t. ∑ ê (Aᵢ, Yᵢ) + ∑ᵢ ∑j aij ê (Xᵢ, Yj) = T or to Xᵢ, yᵢ s.t. ∑ yᵢAᵢ + ∑ bjXj + ∑ᵢ∑j yᵢcijXj = T where all other values are publicly known

comparison with Σ-protocols Good: non-interactive, arguably easier to understand (?) suits well other pairing-based protocols Bad: often less efficient requires specific algebraic structure pairings, while Σ-protocols work in many settings E.g., Groth-Sahai does not work with Paillier

why relevant Pairing-based primitives are "algebraic" Example. Short signature of m with sk x: s = xm In some protocols, cannot reveal signature before the end of the protocol, but you need to prove you know the signature Need GS proof: S = Com (s) ∧pk = xg₁ ∧ s = xm

Study outcomes Efficient NIZK from pairings Basic ideas - product proofs Groth-Sahai proofs

this was Last Lecture This was the last lecture Since two lectures were cancelled, we did not manage to cover some topics, initially planned: garbled circuits lattice-based cryptography

Study outcomes of the course Goal of cryptographic protocols: security against malicious adversary security = correctness + privacy General design principles

study outcomes (cont.) Most general principle: design passively secure protocol achieve active security by employing ZK proofs

study outcomes: passive security Employing homomorphic cryptography Elgamal, Paillier Recursion (BDD, ...) Better comp. efficiency by allowing many rounds Glimpse to multi-party computation

study outcomes: active security Σ-protocols Basic protocols, composition Getting full 4-round ZK from Σ-protocols Pairing-based NIZK protocols Groth-Sahai + some other examples

Further directions Different basic techniques for passive security: lattice-based cryptography, garbled circuits, multi-party computation ... for active security: cut-and-choose, ZK based on other algebraic techniques Many insanely clever ideas to improve efficiency Other aspects: verification, ...

further directions We concentrated on secure computation Other goals: functional encryption attribute-based encryption ....