A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia
ASIACRYPT 2016
OUR RESULTS
▪ A new efficient CRS-based NIZK shuffle argument
▪ Four+ times more efficient verification than in prior work
  ▪ Verification time is more critical
▪ Soundness proof in the Generic Bilinear Group Model
  ▪ Very complicated machine-assisted proof
  ▪ Use computer algebra to solve systems of polynomial equations
    ▪ Esp. to find Gröbner bases
Lesson from the past: It is not the voters who count, but who counts the votes
Anonymity: (data, source) is private
Correctness: data is public
Mix-net (figure):
Voters: c1 = Encpk(m1), c2 = Encpk(m2), c3 = Encpk(m3)
  Encryption protects against eavesdropping on the Internet
Mix-server 1 (pk, π, r): d1 = cπ(1), d2 = cπ(2), d3 = cπ(3)
Mix-server 2 (pk, ψ, s): e1 = dψ(1), e2 = dψ(2), e3 = dψ(3)
Decryption (sk): mψ(π(1)), mψ(π(2)), mψ(π(3))
Anonymity: private against each individual server
Not enough: what if a server cheats?
Correctness:
  Mix-server 1: prove that shuffling was correct, send proof to the next server
  Mix-server 2: verify all previous proofs, shuffle, create your own proof
  Decryption: verify all proofs
▪ Shuffle argument: efficient zero-knowledge argument of correctness
  Mix-server permutes ciphertexts, re-encrypts them and provides a proof that it has done so correctly.
▪ Existing CRS model arguments not very efficient

|                 | Lipmaa-Zhang (2012)                       | Fauzi-Lipmaa (2016)                         | This paper |
|-----------------|-------------------------------------------|---------------------------------------------|------------|
| CRS length      | 7n + 6                                    | 8n + 17                                     | 3n + 14    |
| Communication   | 12n + 11                                  | 9n + 2                                      | 7n + 3     |
| P comp. (units) | 36                                        | 19.8                                        | 24.3       |
| V comp. (units) | 196                                       | 126                                         | 36.3       |
| GBGM?           | PSDL, DLIN (comp.); KE, PKE (knowledge)   | TSDH, PCDH, PSP (comp.); 2x PKE (knowledge) | Pure GBGM  |
| Soundness       | Full                                      | Culpable                                    | Full       |

1 unit = n million machine cycles, according to speed records on BN curves; n = number of ciphertexts (say 100,000).
Legend for the assumptions row (the original slide marks specific assumptions): assumption proposed in that paper, with its proof in the GBGM.
CRS-based NIZK argument (figure):
Setup outputs the crs (and a trapdoor td); the prover gets (x, w), the verifier gets x
P(crs, x, w) = π: proof of "x ∈ L"
V(crs, x, π): accepts or rejects
Sim(crs, td, x) = π: proof of "x ∈ L" (simulated from the trapdoor, without w)
Properties: correctness, soundness, zero knowledge
▪ Three cyclic groups of the same order q: G1, G2, GT
▪ Generators g1 of G1, g2 of G2, gT of GT
▪ Bilinear map: e: G1 × G2 → GT
▪ Requirements:
  ▪ Efficiently computable
  ▪ Non-degeneracy: e(g1, g2) ≠ 1
  ▪ Bilinearity: e(g1^a, g2^b) = e(g1, g2)^(ab)
▪ Inverting pairings should be hard
  ▪ Given e(A, B), compute either A or B
  ▪ Analogous to DL: given g^a, compute a
▪ What else should be hard?
Two ways to argue security (figure):
(a) Protocol ⇐ Assumption 1 (known), …, Assumption m (known), Assumption m+1 (new), …, Assumption m+m' (new)
    Assumption m+1 (new), …, Assumption m+m' (new) ⇐ Generic Model
  Pro: nice if m' is not big, or most assumptions are well-known, or…
  Con: each arrow might mean a loss in efficiency
(b) Protocol ⇐ Generic Model
  Pro: only one arrow, thus smaller loss in efficiency
  Con: proof in GGM is only for restricted adversaries
▪ Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests
▪ Each computed element in Gi (i = 1, 2) is given by group operations
▪ Recursively, DL of each computed element is a known polynomial of some indeterminates
▪ Note: we do not handle GT as a generic group
GBGM proof setup (figure), with [X] = g^X:
Random variables (TTP): X1, …, Xs
CRS (TTP): {[f1i(X)]1}, {[f2i(X)]2}; polynomials in X (TTP knows X)
Outputs in argument (adversary): {[g1i(X) = Σi a1i f1i(X)]1}, {[g2i(X) = Σi a2i f2i(X)]2}; linear combinations (only group operation)
Verifications (verifier), with {hji} = {fji, gji}; quadratic tests (can use bilinear map):
  V1(X) = Σij b1ij h1i(X) h2j(X) = 0
  …
  Vu(X) = Σij buij h1i(X) h2j(X) = 0
▪ jth verification equation ascertains Vj(X) = 0
▪ Solve system of polynomial equations {Vj(X) = 0} in coefficients aji chosen by the adversary
▪ Show that solution's coefficients are "nice" (= restricted to be as in the honest case)
▪ Decomposing:
  ▪ Write down main building blocks you need to prove in argument
  ▪ Each "subargument" should be efficiently verifiable (by a single pairing)
  ▪ Ascertain each subargument is sound independently
▪ CRS composition:
  ▪ Compose CRS-s of individual subarguments together, getting one big CRS
▪ Soundness check:
  ▪ Is the composed protocol sound? Subarguments get extra inputs in CRS
  ▪ If not: introduce new random variables that guarantee CRS elements are used only in correct subarguments, reiterate
▪ "Permutation matrix argument": prover commits to permutation; proves this is done correctly
▪ "Consistency argument": prover proves she used the committed permutation to shuffle ciphertexts
▪ "Validity argument": prover proves each ciphertext has been formed "correctly"
  ▪ Correctly: so that the soundness proof goes through
▪ Lemma. A matrix is a permutation matrix iff
  1.
  2.
  At most one coefficient is non-zero
▪ Commitment:
  [Ai(X)]i = [Σi ai Pi(X) + r Xρ]i   // i = 1, 2
  Pi(X) are linearly independent, well-chosen polynomials
▪ Argument:   // "square span programs"
  [π(X)]1 = [((Σi ai Pi(X) + P0(X) + r Xρ)^2 − 1) / Xρ]1
▪ Verification equation:
  V(X) := (A1(X) + Xα + P0(X)) (A2(X) − Xα + P0(X)) − π(X) Xρ − (1 − Xα)^2 = 0
CRS: ({[Pi(X)]1}i, [Xρ]1, [Xα + P0(X)]1, [P0(X)]1, …), ({[Pi(X)]2}i, [Xρ]2, [−Xα + P0(X)]2, [1]2, …)
Honest prover: [Ai(X)]i = [Σi ai Pi(X) + r Xρ]i
▪ In GBGM we know constants a1i, A1ρ, …, s.t. for X = (X, Xρ, Xα, Xβ, Xγ, Xsk):
  A1(X) = Σ a1i Pi(X) + A1ρ Xρ + A1α (Xα + P0(X)) + A11 P0(X) + …
  A2(X) = Σ a2i Pi(X) + A2ρ Xρ + A2α (−Xα + P0(X)) + A21 + …
  π(X) = Σ πi Pi(X) + πρ Xρ + πα (Xα + P0(X)) + π1 P0(X) + …
▪ Verification equation states
  V(X) = (A1(X) + Xα + P0(X)) (A2(X) − Xα + P0(X)) − π(X) Xρ − (1 − Xα)^2 = 0
▪ Goal: find coefficients s.t. verification equation is satisfied
▪ Goal: find coefficients s.t. V(X) = 0
▪ Step 1: V(X) = 0 iff each coefficient [Xα^j Xρ^k …] of V(X) is 0
▪ This is a system of polynomial equations … and a nasty one, of more than 20 polynomial equations
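Step 1 carried out on the verification equation of the permutation matrix argument, as an added worked example (not code from the slides or the paper): A1, A2 and π are modelled as unknown linear combinations of the CRS elements listed above, V(X) is expanded in the indeterminates X, Xρ, Xα, and its terms are grouped by trapdoor monomial, giving one polynomial equation in the adversary's coefficients per monomial. Assumptions: the toy polynomials P1 = X, P2 = X², P0 = X + 1 stand in for the Pi(X), and the last term of V is taken as 1 − Xα², the value for which the honest prover's expansion (A + P0)² − Xα² − π Xρ cancels.

```python
# Toy GBGM "Step 1": expand V(X) and group its terms by trapdoor monomial.
from functools import reduce
from itertools import product
from math import prod

TRAPDOOR = ["X", "Xrho", "Xalpha"]               # TTP's random variables
ADV = ["a11", "a12", "A1rho", "A1alpha", "A11",  # adversary's unknown coefficients
       "a21", "a22", "A2rho", "A2alpha", "A21",
       "p1", "p2", "prho", "palpha", "p11"]
VARS = TRAPDOOR + ADV  # a polynomial is a dict {exponent tuple over VARS: int coefficient}
def var(name): return {tuple(int(v == name) for v in VARS): 1}
def const(c): return {(0,) * len(VARS): c} if c else {}
def neg(p): return {m: -c for m, c in p.items()}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}

def mul(p, q):
    r = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        m = tuple(x + y for x, y in zip(m1, m2))
        r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c}

def lin(terms):  # adversary's element: CRS polynomials with unknown coefficients
    return reduce(add, (mul(var(coeff), crs_elem) for coeff, crs_elem in terms), {})

def collect(v):  # group V by trapdoor monomial: V = 0 iff every group is zero
    k, system = len(TRAPDOOR), {}
    for m, c in v.items():
        system[m[:k]] = add(system.get(m[:k], {}), {(0,) * k + m[k:]: c})
    return system

def evaluate(p, values):  # evaluate p; variables not listed in values are 0
    return sum(c * prod(values.get(n, 0) ** e for n, e in zip(VARS, m) if e)
               for m, c in p.items())

def verification_system():
    X, Xrho, Xalpha = (var(n) for n in TRAPDOOR)
    P1, P2, P0 = X, mul(X, X), add(X, const(1))  # toy stand-ins for P_i(X), P_0(X) (assumption)
    A1 = lin([("a11", P1), ("a12", P2), ("A1rho", Xrho), ("A1alpha", add(Xalpha, P0)), ("A11", P0)])
    A2 = lin([("a21", P1), ("a22", P2), ("A2rho", Xrho),
              ("A2alpha", add(neg(Xalpha), P0)), ("A21", const(1))])  # G2-side CRS elements
    pi = lin([("p1", P1), ("p2", P2), ("prho", Xrho), ("palpha", add(Xalpha, P0)), ("p11", P0)])
    left = mul(add(add(A1, Xalpha), P0), add(add(A2, neg(Xalpha)), P0))
    V = add(add(left, neg(mul(pi, Xrho))), add(mul(Xalpha, Xalpha), const(-1)))  # ... - (1 - Xalpha^2)
    return collect(V)  # one polynomial equation (in ADV) per trapdoor monomial
```

The indeterminates Xβ, Xγ, Xsk and the remaining CRS elements are left out, so the toy yields 14 equations rather than the 20+ on the slides; the Xα² group, −A1α·A2α − A1α − A2α = 0, is satisfied by the honest choice A1α = A2α = 0.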
▪Used a mixture of computer algebra system and manual labor