cryptographic protocols 2016, lecture 16 Groth-Sahai proofs helger lipmaa, university of tartu

Up to now Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols Pairing-based cryptography

this time Pairing-based NIZK in the CRS model An example of Groth-Sahai proofs: efficient NIZK proofs for algebraic relations

Background reading Jens Groth, Amit Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM Journal on Computing, 2012 Alex Escala, Jens Groth. Fine-Tuning Groth- Sahai Proofs. PKC 2015

Reminder: pairings Pairing: function ê: G1 × G2 → GT that satisfies Bilinearity: ê (ag1, bg2) = ab · ê (g1, g2) ê ([a]1, [b]2) = [ab]T Non-degenerative: ê ([a]1, [b]2) ≠ 0 if a, b ≠ 0, gi ≠ 0 Efficiently computable Setup (1κ) returns (p, G1, G2, GT, ê) Basic fact of pairings: ê ([a]1, [b]2) = ê ([c]1, [d]2) <=> ab = cd

Reminder: NIZK x td crs x, ω x, π Simulator π ← P(crs, td, x) Output Ver(crs, x, π) crs x, ω π ← P(crs, x, ω) Output Ver(crs, x, π) x, π Output Ver(crs, x, π)

groth-sahai proofs Let Com be a commitment scheme Goal (general): Given Ai = Com (ai), verify that various algebraic equations hold between ai ai can be either a group element (ai) or integer Example goal: for Ai = Com(ai), Bi = Com(bi), it holds that C = Com(Σbiai)

groth-sahai proofs Only hardness assumption: The commitment scheme is secure Several instantiations known (XDH, DLIN, ...) Variant 0: Com is perfectly binding/comp. hiding Perfectly sound/computationally NIZK Variant 1: Com is comp. binding/perfectly hiding Computationally sound/perfectly NIZK

Dual-mode commitments Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") Theorem: crs0 and crs1 are indistinguishable crs0 crs1 Theorem: Com[crs1] is perfectly hiding and trapdoor Theorem: Com[crs0] is perfectly binding The only difference is in the CRS. The rest of Com is the same in both cases

dual-mode commitments Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") Theorem: crs0 and crs1 are indistinguishable crs0 crs1 Theorem: Com[crs1] is perfectly hiding and trapdoor Theorem: Com[crs0] is perfectly binding Corollary. Com[crs0] is computationally hiding Corollary. Com[crs1] is computationally binding

Com[crs0] is comp. binding (Check at home) Lemma. If crs0 and crs1 are computationally indistinguishable, and Com[crs0] is perfectly binding, then Com[crs0] is computationally binding. Proof: Assume that Com[crs0] is not comp. binding. Thus, there ∃ adv. A that can on input crs0 produce (C, m, r, m*, r*), s.t. C = Com (m; r) = Com (m*; r*), m*≠ m, with probability εΑ. Assume Com[crs0] is perf. binding. We construct adv. B that distinguishes crs0 and crs1 with probability εΒ ≥ εΑ / 2 + 1 / 4. B is given as an input crsi for i ← {0, 1}. B sends crsi to A. If A succeeds, then B outputs i* ← 0, otherwise B outputs i* ← 0. εB = Pr[i* = i] = Pr[i* = 0 | i = 0] Pr[i = 0] + Pr[i* = 1 | i = 1] Pr[i = 1] = (Pr[i* = 0 | i = 0] + Pr[i* = 1 | i = 1]) / 2 = (Pr[A succeeds | i = 0] + (1 - Pr[A succeeds | i = 1])) / 2 = ≥ εΑ / 2 + 1 / 2 - 1 / 4 = εΑ / 2 + 1 / 4

GS proofs: idea Use Com with CRS from one of two different distributions crs0 ("binding") or crs1 ("hiding") crs0 and crs1 are indistinguishable crs0 crs1 GS proofs with Com[crs1] are perfectly zero-knowledge GS proofs with Com[crs0] are perfectly sound GS proofs with Com[crs0] are computationally zero-knowledge GS proofs with Com[crs1] are computationally sound

DMC: technicalities We need two separate commitment schemes: DMCG, to commit to group elements and DMCE, to commit to exponents DMCG and DMCE have to play well together Due to this and DMC requirements, DMCG/DMCE are somewhat complicated

Different instantiations Different instantiations of DMCE/DMCG are known based on say XDH, DLIN, SH assumptions We will describe DMCE/GS proof with XDH thus we need to use asymmetric pairings Will not have time to describe DMCG, DLIN/SH setting proofs, ...

DDH: different view Denote G = (g1, h), E = (E1, E2) X = (g1, h, E1, E2) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 1. X=(g1, h, E1, E2) is not a DDH tuple iff {G, E} is a basis of the vector space V = G12 G E not DDH DDH

DDH: different view not DDH DDH X=(g1, h, E1, E2) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 2. B is a DDH tuple => each vector c ∈ <G> can be written non- uniquely as c1G + c2E while c ∈ <G> cannot be written as c1G + c2E B is not a DDH tuple => each vector c ∈ V can be written uniquely as c1G + c2E G E not DDH DDH ∃unique(c1,c2)C=c1G + c2E ¬∃(c1,c2)C≠c1G + c2E (∀c1∃c2)C=c1G + c2E

indistinguishable under XDH assumption dmce: idea We need to create crs0 and crs1 that are computationally indistinguishable under XDH Idea: let crsχ = (gk, g1, h, E1, E2), where (g1, h, E1, E2) is not a DDH tuple if χ = 0 (g1, h, E1, E2) is a DDH tuple if χ = 1 each vector c ∈ V can be written uniquely as c1G + c2E each vector c ∈ <G> can be written non-uniquely as c1G + c2E while c ∈ <G> cannot be written as c1G + c2E indistinguishable under XDH assumption

DMC for exponents crsχ crsχ // χ = hiding mode ? 1 : 0 gk ← Setup (1κ) g1 ← G1, x,y ← ℤp G ← [(1, x)]1 E ← yG + [(0, 1 - χ)]1 crsχ ← (gk, G, E) td ← y χ = 0: (g1, h, E1, E2) is not a DDH tuple. χ = 1: (g1, h, E1, E2) is a DDH tuple. crs0 ≈ crs1 due to XDH assumption. crsχ crsχ c = Com (m; r) ← mE + rG crsχ crsχ, (m, r) c Store c Open: (m, r) Note: Com (1; 0) = E

perfect binding with crs0 crs0 = (gk, G = [(1, x)]₁, E ←yG + [(0, 1)]1 Com (m; r) = mE + rG = [(my + r, m + (my + r)x)]1 = Elgamal (m; my + r) // r is random Thus perfectly binding and computationally hiding

perfect hiding with crs1 crs0 = (gk, G = [(1, x)]₁, E ← yG Com (m; r) = mE + rG = (my + r)G ≈ random element of <G> Perfectly hiding since r is random Since crs0 ≈ crs1, and DMCE[crs0] is perfectly binding => this version is computationally binding under XDH

trapdoor with crs1 crs1 = ( gk, G = [(1, x)]1, E ← yG) Com (m; r) = mE + rG = (my + r)G Set td ← y Given td and m*, compute r* such that my + r = m*y + r* Com (m*; r*) = (m*y + r*)G = (my + r)G = Com (m; r) Clearly trapdoor

DMCE security: theorem Theorem. Assume XDH holds. DMCE is either perfectly binding and computationally hiding (if crs0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs1 is used). Proof. Given on previous pages.

first groth-sahai proof Goal: Given Zi = Com (zi; ri) ∈ G12 and Ai, T ∈ G2 Construct NIZK proof that ∑ zi Ai = T Denote (A, B) ● C := (A ● C, B ● C) Bilinear operation! Zi, Ai, T are public The first argument of ● is a commitment ∈ G12

first groth-sahai proof Goal: given Zi = Com(zi; ri), Ai, T, prove that ∑ zi · Ai = 1 · T (*) The basic idea is always similar show that if randomness is zero then ∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T For any randomness: to prove (*), derive π ∈ G2 from ∑ (Com (zi; ri) ● Ai) = Com (1; 0) ● T + (…, …) ● π Use commitments instead of messages, and additions/bilinear operations in different algebraic domain Both · and ● are bilinear operations order important: asymmetric pairings π compensates for added randomness

verification without privacy First, consider the case without privacy Zi = Com(zi; 0) = ziE + 0G ∑ (Com(zi; 0) ● Ai) = ∑ (ziE ● Ai) = E ● (∑ zi Ai) = E ● T Com (1; 0) = E Thus ∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T

general case with randomness Recall: crsχ = (gk, G ← [(1, x)]1, E ← yG + [(0, 1 - χ)]1 Zi = Com(zi; ri) = ziE + ri G ∑ (Zi ● Ai) = ∑ ((ziE + ri G) ● Aᵢ) = E ● (∑ ziAi) + G ● (∑ riAi) = T =: π

gs proof of ∑ ziAi = T crsχ crsχ // χ = [hiding mode] gk ← Setup (1κ) g1 ← G1, x,y ← ℤp G ← [(1, x)]1 E ←yG + [(0, 1 - χ)]1 crsχ ← (gk, G, E) td ← y crsχ crsχ crsχ, ({Ai, Zi}, T), ({zi, ri}) crsχ, ({Ai, Zi}, T) π ← ∑ ri Ai ∈ G2 π Accept if ∑ (Zi ● Ai) = E ● T + G ● π

soundness with crs0 · x crs0 = (gk, G = [(1, x)]₁, E ←yG + [(0, 1)]1 Assume Zi = Com (zi; ri) = ziE + ri G for some zi Component-wise verification: ∑ ((zi E1 + ri g1) ● Ai) = E1 ● T + g1 ● π ∑ ((zi E2 + ri h ) ● Ai) = E2 ● T + h ● π ∑ (( zi g1 + 0) ● Ai) = g1 ● T + 0 Thus g1 ● ∑zi Ai = g1 ● T ∑ (Zi ● Ai) = E ● T + G ● π · x Second - x · first Thus ∑zi Ai = T, as needed

Zero knowledge with crs1 crs1 = (gk, G = [(1, x)]₁, E ← yG Trapdoor com.: Com (1; 0) = E = yG = Com (0; y) Simulator writes Zi = Com (zi*; ri*) for zi* = 0 and some ri* Basic idea: the simulator creates a GS proof that ∑zi*Ai - t*T = 0, where t* is an opening of comm. E Since prover has zi* = zi, t* = 1, the prover must be honest Simulator, knowing y, can take zi* = t* = 0

Zero knowledge crs1 = (gk, G = [(1, x)]₁, E ← yG Com (1; 0) = E = yG = Com (0; y) Simulator writes Zi = Com(0; ri*) = ri*G Simulator creates π* ← ∑ri*Ai - yT // GS proof for ∑0Ai - 0T = 0 Verification succeeds: G ● π* = G ● (∑ri*Ai - yT) = ∑ (ri*G ● Ai) - yG ● T = ∑ (Zi ● Ai) - E ● T

Simulating proof of ∑ zᵢAᵢ = T // χ = [hiding mode] gk ← Setup (1κ) g1 ← G1, x,y ← ℤp G ← [(1, x)]1 E ← yG + [(0, 1 - χ)]1 crsχ ← (gk, G, E) td ← y crsχ crsχ, td crsχ, td, ({Ai, Zi}, T), {zi, ri} crsχ, ({Ai, Zi}, T) π* ← ∑ ri*Ai - yT ∈ G2 π* Accept if ∑ (Zi ● Ai) = E ● T + G ● π*

We used additive notation, so ag isexponentiation First gs proof done We saw how to do one concrete GS proof Details are somewhat scary but the proof is very efficient Prover: n exponentiations Verifier: 2n + 4 pairings CRS: 4 group elements Proof length: 1 group element We used additive notation, so ag isexponentiation

Some other possible settings for GS Prove you have committed to Xi, Yi, s.t. ∑i (Ai ●Yi) + ∑i ∑j aij (Xi●Yj) = T or to Xi, yi s.t. ∑ yi Ai + ∑ bj Xj + ∑i∑j yicijXj = T where all other values are publicly known

comparison with Σ-protocols Good: non-interactive, arguably easier to understand (?) suits well other pairing-based protocols Bad: often less efficient requires specific algebraic structure pairings, while Σ-protocols work in many settings E.g., Groth-Sahai does not work with Paillier

why relevant Pairing-based primitives are "algebraic" Example. Boneh-Boyen signature of m with skA s ←[1 / (m + skA)]1 Verification: accept if s ● ([m]2 + [skA]2) = [1]T In some protocols, cannot reveal s before the end of the protocol, but need to prove you know s Need GS proof: S = Com (s; r) ∧pk = [skA]2 ∧ s ● ([m]2 · [skA]2) = [1]T

Need “structure-preserving signatures" Gs PROOF FOR CIRCUITs Recall: to show that circuit is correctly computed, one needs a ZK proof that the committed value is Boolean ZK proof that c = Com (mg; r) and m ∈ {0, 1}: Include signatures of 0 and 1 (but nothing else) to the CRS Create a randomized commitment csign of Sign (mg) Construct GS proof that csign commits to a signature of mg Need “structure-preserving signatures"

Study outcomes Efficient NIZK from pairings Dual-mode commitment Groth-Sahai proofs Idea One example

this was the Last Lecture

Study outcomes of the course Goal of cryptographic protocols: security against malicious adversary security = correctness + privacy General design principles

study outcomes (cont.) Most general principle: design passively secure protocol achieve active security by employing ZK proofs (In the case MPC, one uses different techniques)

study outcomes: passive security Employing homomorphic cryptography Elgamal, Paillier Recursion (BDD, ...) Better comp. efficiency by allowing many rounds Glimpse to multi-party computation Glimpse to garbled circuits Pairing-based cryptography

study outcomes: active security Σ-protocols Basic protocols, composition Getting full 4-round ZK from Σ-protocols Pairing-based NIZK protocols Groth-Sahai

Further directions Different basic techniques for passive security: lattice-based cryptography, much more garbled circuits, much more multi-party computation, much more pairings ... for active security: cut-and-choose, ZK based on other algebraic techniques Many insanely clever ideas to improve efficiency Other aspects: verification, ... Concrete applications: e-voting, auctions, e-cash, ...

This course in five years More emphasis on quantum-safe protocols Lattice-based crypto Fancy applications like fully homomorphic crypto More on information-theoretic crypto // also quantum- safe MPC Need many more hours :) No course in 2017, in 2018 will have 32 lectures