
Fine-Tuning Groth-Sahai Proofs

Fine-Tuning Groth-Sahai Proofs. Alex Escala, Scytl Secure Electronic Voting; Jens Groth, University College London. Non-interactive zero-knowledge proofs. Common reference string. Statement. Completeness: Prover can prove true statements. Soundness: Prover cannot prove false statements.


Presentation Transcript


  1. Fine-Tuning Groth-Sahai Proofs
     Alex Escala, Scytl Secure Electronic Voting
     Jens Groth, University College London

  2. Non-interactive zero-knowledge proofs
     Common reference string
     Statement
     • Completeness: Prover can prove true statements
     • Soundness: Prover cannot prove false statements
     • Zero-knowledge: Proofs do not reveal anything else

  3. NIZK proofs
     Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document.
     1 GB
     Statistical sampling techniques
     Groth 2006
     1 KB
     Groth-Ostrovsky-Sahai 2012 (2006)
     Groth-Sahai 2012 (2008)
     Further reduction of size
     More efficient computation

  4. Prime order bilinear groups
     • generates
     • finite cyclic groups of prime order
     • Pairing
     • Deciding group membership, group operations, and bilinear pairing efficiently computable

  5. SXDH bilinear groups
     • Three types of groups
     • Type I: Symmetric, i.e.,
     • Type II: Efficiently computable isomorphism
     • Type III: No efficiently computable isomorphisms in either direction between the source groups and
     • SXDH assumption in Type III bilinear groups
     • Decision Diffie-Hellman problem hard in both and

  6. Groth and Sahai give NIZK proofs for simultaneous satisfiability of a set of equations over variables of the forms
     • Pairing product equations
     • Multi-exponentiation equations
     • Quadratic equations

  7. Linear algebra notation
     Equations over variables
     • Pairing product equations
     Use additive notation for groups, multiplicative notation for pairings to get
     Equations over variables
     • Pairing product equations

  8. Groth-Sahai proofs
     Commitments
     Proofs that committed values satisfy equations

  9. Commit-and-prove system [Kil90,CLOS02,Fuc11]

  10. Type-based commit-and-prove system
     • We commit to values with a public part (type) and a (potentially) private part
     • Gen generates a commitment key
     • Com generates commitment to
     • Prove generates proof for commitments containing witnesses certifying the veracity of the statement
     • Verify verifies the proof and either accepts or rejects

  11. Commitments to elements in
     • Common reference string contains
     • and ()
     • Commitment to
     • ()
     • This is an ElGamal encryption of
     • Zero-knowledge simulation uses CRS with
     • and
     • This makes the commitment perfectly hiding

  12. ElGamal encryption of elements in
     • Common reference string contains
     • and ()
     • ElGamal encryption of
     • ()
     • Using ElGamal encryption can save computation and reduce proof sizes
     • Zero-knowledge simulation uses CRS with
     • and
     • ElGamal encryption is not perfectly hiding, so be careful

  13. Public constants in
     • Common reference string contains
     • and ()
     • Public can be trivially committed
     • ()
     • This is easily verifiable as commitment to
     • Simplifies pairing product equations to where some of the ’s and ’s may be public constants or ElGamal encrypted

  14. Type-based commitments
     • Generalize commitment scheme to allow many different types of commitments
     • commit to public element
     • commit by ElGamal encrypting element
     • commit using Groth-Sahai commitment
     • commit to (public) element
     • Similar types for elements in and also types for committing to elements in
     • Commitment format is where we view as a public part and as a (potentially private) part of the committed message

  15. The base type
     • Why not just use ?
     • Because in general we do not know discrete logarithm of in but for we do, which helps in the zero-knowledge simulation
     • In general Groth-Sahai proofs are not (directly) zero-knowledge if involves pairings of public elements, but as it turns out they are zero-knowledge if the discrete logarithms are known

  16. Commitments
     • All commitments to elements in are of the form where for some types or
     • Let be a matrix of the commitments, then we have
     • Similarly, the matrix of commitments to elements in is

  17. Proofs
     • The equation to be proved is
     • The proof is of the form
     • Completeness

  18. Soundness
     • A standard CRS has vectors such that
     • Define and
     • The verification equation gives us so for each equation

  19. Zero-knowledge simulation for commitments
     • In the simulation, the CRS contains and
     • Since are linearly independent, commitments using a simulated CRS are perfectly hiding
     • The simulator knows types, but not values. Simulates commitments as follows
     • Commits to instead of making real commitments
     • Can open base commitment as , i.e., it can interpret it as a commitment to
     • Makes ElGamal type commitments as encryptions of
     • Makes commitments as

  20. Zero-knowledge simulation for proofs
     • Given an equation the simulator needs to simulate proof such that
     • Simulator can create proof if it knows openings or or more generally, if for each non-zero matrix entry it knows openings to or
     • (Restrictions on use of ElGamal encryptions though in order for the security proof to work)

  21. Prover-chosen common reference string
     Common reference string
     • Faster computation at the cost of sending a separate CRS and proving it is correct
     • Good trade-off when many proofs to the same verifiers
     I will use this CRS

  22. Conclusion
     Size: Reduced from 16 to 6 group elements, ~63%
     Computation: Reduced ~40%
     Commitment to may be reused many times, making a commit-and-prove scheme ideal
     • Working in the SXDH setting we have fine-tuned Groth-Sahai proofs as follows
     • Simplified notation
     • Generalized to type-based commit-and-prove schemes
     • Enabled the use of ElGamal encryption
     • Allowed pairings of base elements in equations
     • Permitted the prover to choose her own CRS
     • Weak Boneh-Boyen signatures
     Save a couple of group elements in each proof by using ElGamal encryption
     We can handle base elements directly
     Prover can reduce computation by using own key
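
The commitment behaviour described on slides 11, 15 and 19, shown as an added example that is not part of the presentation: on a real CRS the commitment is an ElGamal ciphertext and the value can be extracted, while on a simulated CRS a commitment to the identity can be reopened to any element whose discrete logarithm is known. The transcript lost its formulas, so the CRS layout (`v`, `w`, `xi`, `rho`) is the usual SXDH Groth-Sahai form and is an assumption here, as is the toy group standing in for one source group.

```python
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, P = 2Q + 1. Not a secure size,
# and only a stand-in for one source group of a pairing (no pairing is computed).
P, Q, G = 2039, 1019, 4

def exp(base, k):
    return pow(base, k % Q, P)

def keygen(hiding):
    """Assumed CRS layout: v = (g, g^xi); w = rho*v (real) or rho*v - (0, g) (simulated)."""
    xi, rho = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    v = (G, exp(G, xi))
    w = (exp(v[0], rho), exp(v[1], rho))
    if hiding:
        w = (w[0], w[1] * exp(G, -1) % P)
    return (v, w), (xi, rho)

def commit(ck, x, r, s):
    """c = (0, x) + r*v + s*w, written multiplicatively, component by component."""
    v, w = ck
    return (exp(v[0], r) * exp(w[0], s) % P,
            x * exp(v[1], r) * exp(w[1], s) % P)

def extract(c, xi):
    """Real CRS: c is an ElGamal ciphertext under g^xi, so xi decrypts it."""
    return c[1] * exp(c[0], -xi) % P

def equivocate(rho, r, s, m):
    """Simulated CRS: reopen a commitment to g^0 made with (r, s) as one to g^m."""
    return (r - rho * m) % Q, (s + m) % Q

def demo(m=7):
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    ck_b, (xi, rho_b) = keygen(hiding=False)
    ck_h, (_, rho_h) = keygen(hiding=True)
    x = exp(G, m)
    extracted = extract(commit(ck_b, x, r, s), xi)   # real CRS: value is recoverable
    c0 = commit(ck_h, 1, r, s)                       # simulator commits to the identity
    r2, s2 = equivocate(rho_h, r, s, m)
    reopened = commit(ck_h, x, r2, s2) == c0         # simulated CRS: same c opens to g^m
    rb, sb = equivocate(rho_b, r, s, m)
    cheat = commit(ck_b, x, rb, sb) == commit(ck_b, 1, r, s)  # same trick on a real CRS
    return extracted == x, reopened, cheat

if __name__ == "__main__":
    print(demo())
```

The reopening needs the exponent `m`, not just the group element, which is the point slide 15 makes about knowing discrete logarithms of base elements.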
