1. cryptographic protocols 2016, lecture 16 Groth-Sahai proofs
helger lipmaa, university of tartu

2. Up to now Introduction to the field Secure computation protocols
Interactive zero knowledge from Σ-protocols
Pairing-based cryptography

3. this time Pairing-based NIZK in the CRS model
An example of Groth-Sahai proofs:
efficient NIZK proofs for algebraic relations

4. Background reading
Jens Groth, Amit Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM Journal on Computing, 2012
Alex Escala, Jens Groth. Fine-Tuning Groth- Sahai Proofs. PKC 2015

5. Reminder: pairings Pairing: function ê: G1 × G2 → GT that satisfies
Bilinearity: ê (ag1, bg2) = ab · ê (g1, g2)
ê ([a]1, [b]2) = [ab]T
Non-degenerative: ê ([a]1, [b]2) ≠ 0 if a, b ≠ 0, gi ≠ 0
Efficiently computable
Setup (1κ) returns (p, G1, G2, GT, ê)
Basic fact of pairings: ê ([a]1, [b]2) = ê ([c]1, [d]2) <=> ab = cd

6. Reminder: NIZK x td crs x, ω x, π Simulator π ← P(crs, td, x)
Output Ver(crs, x, π)
crs
x, ω
π ← P(crs, x, ω)
Output Ver(crs, x, π)
x, π
Output Ver(crs, x, π)

7. groth-sahai proofs Let Com be a commitment scheme
Goal (general): Given Ai = Com (ai), verify that various algebraic equations hold between ai
ai can be either a group element (ai) or integer
Example goal:
for Ai = Com(ai), Bi = Com(bi), it holds that C = Com(Σbiai)

8. groth-sahai proofs Only hardness assumption:
The commitment scheme is secure
Several instantiations known (XDH, DLIN, ...)
Variant 0: Com is perfectly binding/comp. hiding
Perfectly sound/computationally NIZK
Variant 1: Com is comp. binding/perfectly hiding
Computationally sound/perfectly NIZK

9. Dual-mode commitments
Use Com with CRS from one of two different distributions
crs0 ("binding") or crs1 ("hiding")
Theorem: crs0 and crs1 are indistinguishable
crs0
crs1
Theorem: Com[crs1] is perfectly hiding and trapdoor
Theorem: Com[crs0] is perfectly binding
The only difference is in the CRS. The rest of Com is the same in both cases

10. dual-mode commitments
Use Com with CRS from one of two different distributions
crs0 ("binding") or crs1 ("hiding")
Theorem: crs0 and crs1 are indistinguishable
crs0
crs1
Theorem: Com[crs1] is perfectly hiding and trapdoor
Theorem: Com[crs0] is perfectly binding
Corollary. Com[crs0] is computationally hiding
Corollary. Com[crs1] is computationally binding

11. Com[crs0] is comp. binding (Check at home)
Lemma. If crs0 and crs1 are computationally indistinguishable, and Com[crs0] is perfectly binding, then Com[crs0] is computationally binding.
Proof: Assume that Com[crs0] is not comp. binding. Thus, there ∃ adv. A that can on input crs0 produce (C, m, r, m*, r*), s.t. C = Com (m; r) = Com (m*; r*), m*≠ m, with probability εΑ. Assume Com[crs0] is perf. binding. We construct adv. B that distinguishes crs0 and crs1 with probability εΒ ≥ εΑ / / 4.
B is given as an input crsi for i ← {0, 1}. B sends crsi to A. If A succeeds, then B outputs i* ← 0, otherwise B outputs i* ← 0.
εB = Pr[i* = i] = Pr[i* = 0 | i = 0] Pr[i = 0] + Pr[i* = 1 | i = 1] Pr[i = 1]
= (Pr[i* = 0 | i = 0] + Pr[i* = 1 | i = 1]) / 2
= (Pr[A succeeds | i = 0] + (1 - Pr[A succeeds | i = 1])) / 2 =
≥ εΑ / / / 4 = εΑ / / 4

12. GS proofs: idea
Use Com with CRS from one of two different distributions
crs0 ("binding") or crs1 ("hiding")
crs0 and crs1 are indistinguishable
crs0
crs1
GS proofs with Com[crs1] are perfectly zero-knowledge
GS proofs with Com[crs0] are perfectly sound
GS proofs with Com[crs0] are computationally zero-knowledge
GS proofs with Com[crs1] are computationally sound

13. DMC: technicalities We need two separate commitment schemes:
DMCG, to commit to group elements and
DMCE, to commit to exponents
DMCG and DMCE have to play well together
Due to this and DMC requirements, DMCG/DMCE are somewhat complicated

14. Different instantiations
Different instantiations of DMCE/DMCG are known
based on say XDH, DLIN, SH assumptions
We will describe DMCE/GS proof with XDH
thus we need to use asymmetric pairings
Will not have time to describe DMCG, DLIN/SH setting proofs, ...

15. DDH: different view Denote G = (g1, h), E = (E1, E2)
X = (g1, h, E1, E2) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent
Corollary 1. X=(g1, h, E1, E2) is not a DDH tuple iff {G, E} is a basis of the vector space V = G12 G E
not DDH
DDH

16. DDH: different view not DDH DDH
X=(g1, h, E1, E2) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent
Corollary 2.
B is a DDH tuple => each vector c ∈ <G> can be written non- uniquely as c1G + c2E while c ∈ <G> cannot be written as c1G + c2E
B is not a DDH tuple => each vector c ∈ V can be written uniquely as c1G + c2E G E
not DDH
DDH
∃unique(c1,c2)C=c1G + c2E
¬∃(c1,c2)C≠c1G + c2E
(∀c1∃c2)C=c1G + c2E

17. indistinguishable under XDH assumption
dmce: idea
We need to create crs0 and crs1 that are computationally indistinguishable under XDH
Idea: let crsχ = (gk, g1, h, E1, E2), where
(g1, h, E1, E2) is not a DDH tuple if χ = 0
(g1, h, E1, E2) is a DDH tuple if χ = 1
each vector c ∈ V can be written uniquely as c1G + c2E
each vector c ∈ <G> can be written non-uniquely as c1G + c2E while c ∈ <G> cannot be written as c1G + c2E
indistinguishable under XDH assumption

18. DMC for exponents crsχ crsχ // χ = hiding mode ? 1 : 0 gk ← Setup (1κ)
g1 ← G1, x,y ← ℤp
G ← [(1, x)]1
E ← yG + [(0, 1 - χ)]1
crsχ ← (gk, G, E)
td ← y
χ = 0: (g1, h, E1, E2) is not a DDH tuple.
χ = 1: (g1, h, E1, E2) is a DDH tuple.
crs0 ≈ crs1 due to XDH assumption.
crsχ
crsχ
c = Com (m; r)
← mE + rG
crsχ
crsχ, (m, r) c
Store c
Open: (m, r)
Note: Com (1; 0) = E

19. perfect binding with crs0
crs0 = (gk, G = [(1, x)]₁, E ←yG + [(0, 1)]1
Com (m; r) = mE + rG
= [(my + r, m + (my + r)x)]1
= Elgamal (m; my + r) // r is random
Thus perfectly binding and computationally hiding

20. perfect hiding with crs1
crs0 = (gk, G = [(1, x)]₁, E ← yG
Com (m; r) = mE + rG
= (my + r)G ≈ random element of <G>
Perfectly hiding since r is random
Since crs0 ≈ crs1, and DMCE[crs0] is perfectly binding => this version is computationally binding under XDH

21. trapdoor with crs1 crs1 = ( gk, G = [(1, x)]1, E ← yG)
Com (m; r) = mE + rG = (my + r)G
Set td ← y
Given td and m*, compute r* such that my + r = m*y + r*
Com (m*; r*) = (m*y + r*)G = (my + r)G = Com (m; r)
Clearly trapdoor

22. DMCE security: theorem
Theorem. Assume XDH holds. DMCE is either perfectly binding and computationally hiding (if crs0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs1 is used).
Proof. Given on previous pages.

23. first groth-sahai proof
Goal:
Given Zi = Com (zi; ri) ∈ G12 and Ai, T ∈ G2
Construct NIZK proof that ∑ zi Ai = T
Denote (A, B) ● C := (A ● C, B ● C)
Bilinear operation!
Zi, Ai, T are public
The first argument of ● is a commitment ∈ G12

24. first groth-sahai proof
Goal: given Zi = Com(zi; ri), Ai, T, prove that
∑ zi · Ai = 1 · T (*)
The basic idea is always similar
show that if randomness is zero then
∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T
For any randomness: to prove (*), derive π ∈ G2 from
∑ (Com (zi; ri) ● Ai) = Com (1; 0) ● T + (…, …) ● π
Use commitments instead of messages, and additions/bilinear operations in different algebraic domain
Both · and ● are bilinear operations
order important: asymmetric pairings
π compensates for added randomness

25. verification without privacy
First, consider the case without privacy
Zi = Com(zi; 0) = ziE + 0G
∑ (Com(zi; 0) ● Ai) = ∑ (ziE ● Ai)
= E ● (∑ zi Ai) = E ● T
Com (1; 0) = E
Thus ∑ (Com (zi; 0) ● Ai) = Com (1; 0) ● T

26. general case with randomness
Recall:
crsχ = (gk, G ← [(1, x)]1, E ← yG + [(0, 1 - χ)]1
Zi = Com(zi; ri) = ziE + ri G
∑ (Zi ● Ai) = ∑ ((ziE + ri G) ● Aᵢ) =
E ● (∑ ziAi) + G ● (∑ riAi)
= T
=: π

27. gs proof of ∑ ziAi = T crsχ crsχ // χ = [hiding mode] gk ← Setup (1κ)
g1 ← G1, x,y ← ℤp
G ← [(1, x)]1
E ←yG + [(0, 1 - χ)]1
crsχ ← (gk, G, E)
td ← y
crsχ
crsχ
crsχ, ({Ai, Zi}, T), ({zi, ri})
crsχ, ({Ai, Zi}, T)
π ← ∑ ri Ai ∈ G2 π
Accept if ∑ (Zi ● Ai) = E ● T + G ● π

28. soundness with crs0 · x crs0 = (gk, G = [(1, x)]₁, E ←yG + [(0, 1)]1
Assume Zi = Com (zi; ri) = ziE + ri G for some zi
Component-wise verification:
∑ ((zi E1 + ri g1) ● Ai) = E1 ● T + g1 ● π
∑ ((zi E2 + ri h ) ● Ai) = E2 ● T + h ● π
∑ (( zi g ) ● Ai) = g1 ● T + 0
Thus g1 ● ∑zi Ai = g1 ● T
∑ (Zi ● Ai) = E ● T + G ● π
· x
Second - x · first
Thus ∑zi Ai = T, as needed

29. Zero knowledge with crs1
crs1 = (gk, G = [(1, x)]₁, E ← yG
Trapdoor com.: Com (1; 0) = E = yG = Com (0; y)
Simulator writes Zi = Com (zi*; ri*) for zi* = 0 and some ri*
Basic idea: the simulator creates a GS proof that ∑zi*Ai - t*T = 0, where t* is an opening of comm. E
Since prover has zi* = zi, t* = 1, the prover must be honest
Simulator, knowing y, can take zi* = t* = 0

30. Zero knowledge crs1 = (gk, G = [(1, x)]₁, E ← yG
Com (1; 0) = E = yG = Com (0; y)
Simulator writes Zi = Com(0; ri*) = ri*G
Simulator creates π* ← ∑ri*Ai - yT // GS proof for ∑0Ai - 0T = 0
Verification succeeds:
G ● π* = G ● (∑ri*Ai - yT)
= ∑ (ri*G ● Ai) - yG ● T
= ∑ (Zi ● Ai) - E ● T

31. Simulating proof of ∑ zᵢAᵢ = T
// χ = [hiding mode]
gk ← Setup (1κ)
g1 ← G1, x,y ← ℤp
G ← [(1, x)]1
E ← yG + [(0, 1 - χ)]1
crsχ ← (gk, G, E)
td ← y
crsχ
crsχ, td
crsχ, td, ({Ai, Zi}, T), {zi, ri}
crsχ, ({Ai, Zi}, T)
π* ← ∑ ri*Ai - yT ∈ G2 π*
Accept if ∑ (Zi ● Ai) = E ● T + G ● π*

32. We used additive notation, so ag isexponentiation
First gs proof done
We saw how to do one concrete GS proof
Details are somewhat scary
but the proof is very efficient
Prover: n exponentiations
Verifier: 2n + 4 pairings
CRS: 4 group elements
Proof length: 1 group element
We used additive notation, so ag isexponentiation

33. Some other possible settings for GS
Prove you have committed to Xi, Yi, s.t.
∑i (Ai ●Yi) + ∑i ∑j aij (Xi●Yj) = T
or to Xi, yi s.t.
∑ yi Ai + ∑ bj Xj + ∑i∑j yicijXj = T
where all other values are publicly known

34. comparison with Σ-protocols
Good:
non-interactive, arguably easier to understand (?)
suits well other pairing-based protocols
Bad:
often less efficient
requires specific algebraic structure
pairings, while Σ-protocols work in many settings
E.g., Groth-Sahai does not work with Paillier

35. why relevant Pairing-based primitives are "algebraic"
Example. Boneh-Boyen signature of m with skA
s ←[1 / (m + skA)]1
Verification: accept if s ● ([m]2 + [skA]2) = [1]T
In some protocols, cannot reveal s before the end of the protocol, but need to prove you know s
Need GS proof:
S = Com (s; r) ∧pk = [skA]2 ∧ s ● ([m]2 · [skA]2) = [1]T

36. Need “structure-preserving signatures"
Gs PROOF FOR CIRCUITs
Recall: to show that circuit is correctly computed, one needs a ZK proof that the committed value is Boolean
ZK proof that c = Com (mg; r) and m ∈ {0, 1}:
Include signatures of 0 and 1 (but nothing else) to the CRS
Create a randomized commitment csign of Sign (mg)
Construct GS proof that csign commits to a signature of mg
Need “structure-preserving signatures"

37. Study outcomes Efficient NIZK from pairings Dual-mode commitment
Groth-Sahai proofs
Idea
One example

38. this was the Last Lecture

39. Study outcomes of the course
Goal of cryptographic protocols:
security against malicious adversary
security = correctness + privacy
General design principles

40. study outcomes (cont.) Most general principle:
design passively secure protocol
achieve active security by employing ZK proofs
(In the case MPC, one uses different techniques)

41. study outcomes: passive security
Employing homomorphic cryptography
Elgamal, Paillier
Recursion (BDD, ...)
Better comp. efficiency by allowing many rounds
Glimpse to multi-party computation
Glimpse to garbled circuits
Pairing-based cryptography

42. study outcomes: active security
Σ-protocols
Basic protocols, composition
Getting full 4-round ZK from Σ-protocols
Pairing-based NIZK protocols
Groth-Sahai

43. Further directions Different basic techniques for passive security:
lattice-based cryptography, much more garbled circuits, much more multi-party computation, much more pairings
... for active security:
cut-and-choose, ZK based on other algebraic techniques
Many insanely clever ideas to improve efficiency
Other aspects: verification, ...
Concrete applications: e-voting, auctions, e-cash, ...

44. This course in five years
More emphasis on quantum-safe protocols
Lattice-based crypto
Fancy applications like fully homomorphic crypto
More on information-theoretic crypto // also quantum- safe
MPC
Need many more hours :)
No course in 2017, in 2018 will have 32 lectures