Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Charanjit Jutla, IBM Watson and Arnab Roy, Fujitsu Labs of America
El-Gamal Encryption
• a ∗ g, x ∗ g, x · a ∗ g ≈ a ∗ g, x ∗ g, x′ · a ∗ g (DDH)
• a ∗ g, x ∗ g, x · a ∗ g ≈ a ∗ g, x ∗ g, (c ∗ f + x · a ∗ g)
• c ∗ g, f (El-Gamal Encryption of c ∗ f)
• a, x, c :: a = a ∗ g, = x ∗ g, = c ∗ g, = c ∗ f + x · a ∗ g
• x, c :: = x ∗ g, = c ∗ g, = c ∗ f + x ∗ a
• x, c :: (, , ) = a
El-Gamal Encryption
• Public Parameters: g, a, f ← D and CRS ← CRS-gen(g, a, f)
• Honest Party: choose x, c at random, generate , , and proof π for Adv.
• (Need to hide x, c from Adv.)
• Replace π with simulated proof π′.
• So x and c are no longer needed in proof generation.
• a ∗ g, x ∗ g, (c ∗ f + x · a ∗ g) ≈ a ∗ g, x ∗ g, x · a ∗ g
• c ∗ g, f
• CRS-gen had better be a polynomial-time Turing machine.
• 4. c ∗ f is not needed in the simulation to Adv.
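The El-Gamal view in the two slides above, written out as an added example that is not part of the talk: with public key A = a ∗ g, the tuple (x ∗ g, c ∗ g, c ∗ f + x · A) is the image of the witness (x, c) under a fixed 2×3 matrix of group elements, so El-Gamal ciphertexts of c ∗ f form a linear subspace language, which is what a QA-NIZK for linear subspaces proves membership of. The toy safe-prime group, the multiplicative notation, and every function name here are my own choices, not the authors'.

```python
# Added example, not from the slides. The talk writes the group additively
# (s*g, "+"); here it is multiplicative (g**s, "*"). Toy safe-prime group
# p = 1019 = 2*509 + 1, chosen only so the example runs instantly; a real
# deployment would use a cryptographic group of the same structure.
import secrets

P, Q = 1019, 509          # p = 2q + 1, both prime; we work in the subgroup of order q
G = 4                     # 2**2 is a quadratic residue, hence a generator of that subgroup

def sample_params():
    """Trusted party samples (g, f, A): the 'defining matrix' the CRS may depend on."""
    a = secrets.randbelow(Q - 1) + 1                 # secret key a in [1, q-1]
    f = pow(G, secrets.randbelow(Q - 1) + 1, P)     # second public generator f
    A = pow(G, a, P)                                 # public key A = a*g
    return G, f, A, a

def defining_matrix(g, f, A):
    """Rows correspond to the witness components x and c; 1 is the identity (additive 0)."""
    return [[g, 1, A],      # x contributes (x*g, 0,   x*A)
            [1, g, f]]      # c contributes (0,   c*g, c*f)

def apply_witness(M, w):
    """Linear map: statement_j = sum_i w_i * M[i][j] (multiplicatively, a product of powers)."""
    out = []
    for j in range(len(M[0])):
        v = 1
        for i, wi in enumerate(w):
            v = v * pow(M[i][j], wi, P) % P
        out.append(v)
    return tuple(out)

def encrypt(g, f, A, c):
    """El-Gamal encryption of the message c*f, carrying c*g alongside as in the talk."""
    x = secrets.randbelow(Q - 1) + 1
    ct = (pow(g, x, P), pow(g, c, P), pow(f, c, P) * pow(A, x, P) % P)
    return (x, c), ct                                # witness, statement

def decrypt(ct, a):
    """Recover c*f: third component divided by (first component)^a."""
    u, _, v = ct
    return v * pow(u, (Q - a) % Q, P) % P            # u has order q, so u^(q-a) = u^(-a)

def member_with_witness(M, stmt, w):
    """Completeness check a prover can run: the witness regenerates the statement."""
    return apply_witness(M, w) == stmt
```

Any tuple whose third slot uses a different exponent x′ on A (the DDH hybrid on the slide) has no witness under this matrix, which is exactly the gap a sound QA-NIZK refuses to bridge.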
Comparison with Groth-Sahai
• n : the number of equations
• t : the number of witnesses
Conceptual Comparison
• n : the number of equations
• t : the number of witnesses
Dual-System IBE with a hint from QA-NIZKs
• A fully-secure (perfectly complete, anonymous) IBE follows under SXDH.
• Only 4 group elements (shortest under static standard assumptions).
• Recently and independently, CLLWW-12: 5 group elements and a larger MPK.
• Dual-system IBE (Waters 08) has a built-in QA-NIZK and obtains effective simulation soundness using smooth hash proofs.
Quasi-Adaptive NIZK Definition
• (K0, K1, P, V) is a QA-NIZK for a distribution D on a collection of relations Rρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3:
• (Completeness) Pr[λ ← K0(1^m); ρ ← D; ψ ← K1(λ; ρ); (x; w) ← A1(λ; ψ; ρ); π ← P(ψ; x; w) : V(ψ; x; π) = 1 if Rρ(x; w)] = 1
• (Computational Soundness) Pr[λ ← K0(1^m); ρ ← D; ψ ← K1(λ; ρ); (x; π) ← A2(λ; ψ; ρ) : V(ψ; x; π) = 1 and not (∃w : Rρ(x; w))] ≈ 0
• (Quasi-Adaptive Zero Knowledge) Pr[λ ← K0(1^m); ρ ← D; ψ ← K1(λ; ρ) : A3^{P(ψ; ·; ·)}(λ; ψ; ρ) = 1] ≈ Pr[λ ← K0(1^m); ρ ← D; (ψ, τ) ← S1(λ; ρ) : A3^{S2(ψ; τ; ·; ∗)}(λ; ψ; ρ) = 1]
Novel Quasi-Adaptive NIZK
• Can the CRS depend on the defining matrix, i.e. on g, f, a?
• Yes: g, f, a are defined by a trusted party, who can also set the CRS for the NIZK depending on g, f, a.
• Problem: g, f, a are not constant, but are chosen according to some distribution.
• The hardness of DDH (hence encryption security) depends on this choice.
• The CRS can depend on the defining matrix, but CRS-gen must be a single efficient machine for the distribution of defining matrices.
• Most applications can use this notion.
QA-NIZK for Hard Linear Subspaces
(Diagram: Prover and Verifier, each with access to the CRS.)