"A proof is whatever convinces me.", Shimon Even. G ROTH -S - PowerPoint PPT Presentation

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS R EVISITED E. Ghadafi N.P. Smart B. Warinschi Department of Computer Science, University of Bristol 13th International Conference on Practice and Theory in Public Key Cryptography 2010 G ROTH -S AHAI P ROOFS R EVISITED

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP O UTLINE N ON -I NTERACTIVE P ROOF S YSTEMS 1 G ROTH -S AHAI P ROOFS 2 C ORRECTED G ROTH -S AHAI NIWI P ROOFS 3 G ROTH -S AHAI P ROOFS IN T YPE -2 P AIRINGS 4 R ESULTS AND C OMPARISON 5 S UMMARY 6 G ROTH -S AHAI P ROOFS R EVISITED

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP N ON -I NTERACTIVE P ROOFS "A proof is whatever convinces me.", Shimon Even. G ROTH -S AHAI P ROOFS R EVISITED 1 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP P ROPERTIES OF NIZK P ROOFS ◮ Completeness: Verifier always accepts a valid proof. ◮ Soundness: Prover only has a negligible probability in making the verifier accept a proof for a false statement. ◮ (Composable) Zero-Knowledge: Verifier cannot tell a real proof from a simulated one. G ROTH -S AHAI P ROOFS R EVISITED 2 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP A PPLICATIONS OF Z ERO -K NOWLEDGE P ROOFS Example applications: Anonymous Credentials: Client proves he possesses the required credentials without revealing them. Online Voting: Voter proves to the server that he has voted correctly without revealing his actual vote. E-Cash, Signature Schemes, Oblivious Transfer , CCA-2 Encryption Schemes, ... G ROTH -S AHAI P ROOFS R EVISITED 3 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP H ISTORY OF NIZK P ROOFS Blum-Feldman-Micali, 1988. Damgard, 1992. Killian-Petrank, 1998. Feige-Lapidot-Shamir, 1999. De Santis-Di Crescenzo-Persiano, 2002. Groth-Sahai, 2008. G ROTH -S AHAI P ROOFS R EVISITED 4 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP O UR C ONTRIBUTION ◮ We present a correction to a minor problem in GS NIWI proofs under the DLIN and XSDH assumptions. ◮ We extend GS proofs to work under Type-2 pairings; the previous formulation only worked under Type-1 and Type-3 pairings. G ROTH -S AHAI P ROOFS R EVISITED 5 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP B ILINEAR G ROUPS G 1 , G 2 , G T are finite cyclic groups of order n ( prime or composite number), where G 1 = < P 1 > and G 2 = < P 2 > . Pairing ( e : G 1 × G 2 − → G T ) : The function e must have the following properties: ◮ Bilinearity: ∀ Q 1 ∈ G 1 , Q 2 ∈ G 2 x , y ∈ Z n , we have e ([ x ] Q 1 , [ y ] Q 2 ) = e ( Q 1 , Q 2 ) xy . ◮ Non-Degeneracy: The value e ( P 1 , P 2 ) � = 1 generates G T . ◮ The function e is efficiently computable. G ROTH -S AHAI P ROOFS R EVISITED 6 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP P AIRINGS ’ T YPES ◮ Type-1 : This is the symmetric pairing setting in which G 1 = G 2 = G and e : G × G − → G T . ◮ Type-2 : e : G 1 × G 2 − → G T , where G 1 � = G 2 and there is an efficiently computable isomorphism ψ : G 2 − → G 1 where ψ ( P 2 ) = P 1 . ◮ Type-3 : e : G 1 × G 2 − → G T , where G 1 � = G 2 , but there is no known efficiently computable isomorphism. G ROTH -S AHAI P ROOFS R EVISITED 7 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS f A 1 × A 2 → A T G ROTH -S AHAI P ROOFS R EVISITED 8 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS f A 1 × A 2 → A T ι 1 ↓↑ ρ 1 ι 2 ↓↑ ρ 2 ι T ↓↑ ρ T F B 1 × B 2 − → B T G ROTH -S AHAI P ROOFS R EVISITED 8 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS f A 1 × A 2 → A T ι 1 ↓↑ ρ 1 ι 2 ↓↑ ρ 2 ι T ↓↑ ρ T F B 1 × B 2 − → B T Properties: ∀ x ∈ A 1 , ∀ y ∈ A 2 : F ( ι 1 ( x ) , ι 2 ( y )) = ι T ( f ( x , y )) , ∀X ∈ B 1 , ∀Y ∈ B 2 : f ( p 1 ( X ) , p 2 ( Y )) = p T ( F ( X , Y )) . How does it work? Commit to the secrets(the witness), and just plug the commitments into the original equations you are proving! Binding Setting = ⇒ Perfect Soundness ( Allows witness extraction). Hiding Setting = ⇒ Perfect Witness Indistinguishability (Allows simulation). G ROTH -S AHAI P ROOFS R EVISITED 8 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS Key Idea: Adversary cannot distinguish which setting we are working in. From NIWI to NIZK proofs ? In many cases (apart from a few Pairing Product Equations cases), it is easy to transform a NIWI proof into a NIZK proof. Just transform the equation into an equation with a trivial right-hand side and using the trapdoor information open a commitment to 1 to 0. What statements can be proven ? A variety of statements related to bilinear groups. G ROTH -S AHAI P ROOFS R EVISITED 9 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP T YPES OF EQUATIONS ◮ Pairing Product Equation n 1 n 2 n 1 n 2 e ( X i , Y j ) r i , j = T � � � � e ( A i , Y i ) · e ( X i , B i ) · i = 1 i = 1 i = 1 j = 1 here T ∈ G T ◮ Multi-scalar multiplication in G 1 n 1 n 2 n 1 n 2 � � � � y i A i + b i X i + r i , j y j X i = T 1 i = 1 i = 1 i = 1 i = j here T 1 ∈ G 1 ◮ Multi-scalar multiplication in G 2 n 1 n 2 n 1 n 2 � � � � a i Y i + x i B i + r i , j x i Y j = T 2 i = 1 i = 1 i = 1 i = j here T 2 ∈ G 2 ◮ Quadratic-equation in Z p n 1 n 2 n 1 n 2 � � � � a i y i + x i b i + r i , j x i y j = t i = 1 i = 1 i = 1 i = j here t ∈ Z p G ROTH -S AHAI P ROOFS R EVISITED 10 / 18

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP H ARD P ROBLEMS D EFINITION Symmetric External Diffie-Hellman (SXDH) Assumption: e : G 1 × G 2 − → G T (Type-3 Pairings) Setting : Assumption: DDH problem is hard in both G 1 and G 2 . D EFINITION Decisional Linear Problem(DLIN) Assumption: e : G × G − → G T (Type-1 Pairings) Setting : Input: ([ a ] P , [ b ] P , [ ra ] P , [ sb ] P , [ t ] P ) where a , b , r , s , t ∈ F q It is hard to tell whether t = r + s or t is random. Assumption: G ROTH -S AHAI P ROOFS R EVISITED 11 / 18

"A proof is whatever convinces me.", Shimon Even. G ROTH -S - PowerPoint PPT Presentation

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS R EVISITED E. Ghadafi N.P. Smart B. Warinschi Department of Computer Science, University of

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Shimon An Intelligent Music-Playing Robot Capable of Improvising with Humans Vincent Rolfs

9.54 Class 16 Features for recognition supervised, unsupervised and innate Shimon Ullman +

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

9.54 class 8 Supervised learning Optimization, regularization, kernels Shimon Ullman + Tomaso

9.54 Review Levels +Biophysics+ Supervised learning Shimon Ullman + Tomaso Poggio Danny Harari +

9.54 Shimon Ullman + Tomaso Poggio Danny Harari + Daniel Zysman + Darren Seibert 9.54, fall

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010

9.54 Review Supervised learning + Invariant Learning Shimon Ullman + Tomaso Poggio Danny Harari

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

LipNet End-to-End Sentence-level Lipreading Yannis Assael, Brendan Shillingford, Shimon Whiteson,

9.54 Class 13 Unsupervised learning Clustering Shimon Ullman + Tomaso Poggio Danny Harari +

Predicting Risk from Financial Reports with Regression Shimon Kogan, University of Texas at

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Proofs of communication and its application e-mails Proof-of-work for fighting spam Proof-of-

Security and Privacy of Blockchain Protocols and Applications Sergei Tikhomirov

X RIPEMD-160 SHA-256 SHA-512 This is an input to a crypto- SHA-3 graphic hash function. The

Is Bitcoin a suitable research topic? Digital Conference Seminar Clermont-Ferrand, France

Advanced Network Security -. Bitcoin Jaap-Henk Hoepman Digital Security (DS) Radboud University

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

22:010:622 Internet Technology and E-Business Dr. Peter R. Gillett Associate Professor

Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy