Download presentation
Presentation is loading. Please wait.
Published byNorman Strickland Modified over 6 years ago
1
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Charanjit Jutla, IBM Watson and Arnab Roy, Fujitsu Labs of America
2
El-Gamal Encryption a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , x ′ · a ∗ g (DDH) a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g) c ∗ g , f c ∗ g , f (El-Gamal Encryption of c ∗ f) a, x, c :: a = a ∗ g , = x ∗ g , = c ∗ g , = c ∗ f + x · a ∗ g x, c :: = x ∗ g , = c ∗ g , = c ∗ f + x ∗ a x, c :: (, , ) = a
3
Novel Quasi-Adaptive NIZK
4
El-Gamal Encryption Public Parameters: g, a, f D and CRS CRS-gen(g, a, f ) Honest Party: Choose x, c at random, generate , , and proof π Adv (Need to hide x, c from Adv.) Replace π with simulated proof π‘ So, x and c no more needed in proof gen. a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g) ≈ a ∗ g , x ∗ g , x · a ∗ g c ∗ g , f c ∗ g , f CRS-gen better be a polynomial time Turing Machine. 4. c ∗ f not needed in simulation to Adv.
5
Proving Hard Linear Subspaces
6
Our Comp. Sound Proof System – DH example
7
Comparison with Groth-Sahai
n : the number of equations t : the number of witnesses Groth-Sahai Ours XDH Proof Size n + 2t n - t CRS Size 4 2t·(n-t)+2 #Pairings 2n·(t+2) (n-t)·(t+2) DLIN 2n + 3t 2n - 2t 9 4t·(n-t)+3 3n· (t+3) 2(n-t)·(t+2)
8
Conceptual Comparison
n : the number of equations t : the number of witnesses Conceptual Comparison Groth Sahai Ours CRS independent of language constants CRS dependent on the language constants Each witness is taken to a higher dimensional space: 2 for XDH, 3 for DLIN No special treatment of witnesses. The first t elements of the candidate are themselves treated as witnesses. Each of the n equations is checked by pairing with the commitments Along 2 dims for XDH, 3 for DLIN Only the remaining n-t ‘dependent’ elements are checked by pairing Along 1 dim for XDH, 2 for DLIN With hiding CRS: Perfect ZK, Comp Sound With binding CRS: Comp ZK, Perfect Sound There is no analogous hiding/binding CRS concept. Perfect ZK, Comp Sound Since the properties are based on the indistinguishability of the two types of CRSes, the system is fundamentally based on a decision problem.
9
Properties Comparison
Groth-Sahai Ours Extends to Quadratic Equations Extends to Quadratic but only using Groth-Sahai commitments. Linear Pairing Product Equations Better Linear Pairing Product Equations of special kind. 2/3 improvement. Quadratic Pairing Product Equations No additional Advantage Randomized Proofs Unique Proofs Verifier needs language description/parameters Split CRS -- verifier CRS does not depend on the language. Verifier does not even need language.
10
Dual-System IBE with a hint from QA-NIZKs
A fully-secure (perfectly complete, anonymous) IBE follows under SXDH. Only 4 group elements. (shortest under static standard assumptions) Recently and independently CLLWW-12 : group elements and larger MPK. Dual-system IBE (Waters 08) has built-in QA-NIZK and obtains effective simulation soundness using smooth hash-proofs.
11
Thanks!
12
Quasi-Adaptive NIZK Definition
(K0, K1, P, V) is a QA-NIZK for a distribution D on collection of relations Rρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3: (Completeness) Pr[ λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x;w) ← A1(λ; ψ ; ρ ); π ← P(ψ; x;w) : V(ψ; x; π ) = 1 if Rρ(x;w)] = 1 (Computational-Soundness) Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x; π) ← A2(λ; ψ ; ρ ) : V(ψ; x; π) = 1 and not (∃w : Rρ(x;w))] ≈ 0 QA ZK Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ): A3 P(ψ ; .;.) (λ; ψ ; ρ ) = 1] ≈ Pr[λ←K0(1m); ρ ← D; (ψ, τ) ← S1(λ; ρ ) :A3 S2(ψ ; τ; .; *) (λ; ψ ; ρ ) = 1]
13
Novel Quasi-Adaptive NIZK
Can the CRS depend on defining matrix, i.e. g, f, a ? Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a Problem: g, f, a are not constant, but are chosen according to some distribution. The hardness of DDH (hence encryption security) depends on this choice.
14
Novel Quasi-Adaptive NIZK
Can the CRS depend on defining matrix or g, f, a ? Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a Problem: g, f, a are not constant, but are chosen according to some distribution. The hardness of DDH (hence encryption security) depends on this choice. CRS can depend on defining matrix, but CRS-gen must be a single efficient machine for the distribution of defining matrix. Most applications can use this notion.
15
Detour: Groth-Sahai NIZKs
16
Proving Hard Linear Subspaces
17
QA-NIZK for Hard Linear Subspaces
Prover CRS Verifier CRS
18
Zero Knowledge Simulation
19
Soundness
20
Soundness (contd.)
21
Extensions
22
Signatures from QA-NIZK and CCA2 Encryption
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.