On Instantiating the Algebraic Group Model from Falsifiable - - PowerPoint PPT Presentation

On Instantiating the Algebraic Group Model from Falsifiable Assumptions

Thomas Agrikola Dennis Hofheinz Julia Kastner

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 1

The Algebraic Group Model1

[y]G

$

← A([x1]G , . . . , [xn]G)

[y]G =

n

• j=1
• xj

zj

G

1FKL18. Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 2

The Algebraic Group Model1

[y]G

$

← A([x1]G , . . . , [xn]G)

[y]G =

n

• j=1
• xj

zj

G

How to obtain the representation z?

1FKL18. Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 2

Related work2

Extraction of representation through knowledge assumption [x]H = ([x]G , aux) [y]H ← A([x1]H , . . . , [xn]H ; rA) z ← ExtA([y]H , [x1]H , . . . [xn]H , rA) Requirements for G: pairing friendly, knowledge of exponent assumption

2[KP19] Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 3

Our Contributions

• algebraic wrapper around a group G
• extraction of constant sized representation
• transfer of AGM results

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 4

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , z)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , z) B = {[b1]G , . . . [bn]G} [x]G =

n

• i=1

[bi]zi

G

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , Enc(z)) B = {[b1]G , . . . [bn]G} [x]G =

n

• i=1

[bi]zi

G

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , Enc(z′)) B′ = {[b1]r1

G , . . . [bn]rn G}

[x]G =

n

• i=1

[bi]

z′

i ·ri

G

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , Enc(z′), π) B′ = {[b1]r1

G , . . . [bn]rn G}

[x]G =

n

• i=1

[bi]

z′

i ·ri

G

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Obtaining a representation without knowledge assumptions

[x]H = ([x]G , Enc(z′), π) B′ = {[b1]G , . . . [bn]G} [x]G =

n

• i=1

[bi]zi

G

∧Add ← piO(CAdd)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5

Switching

B0 = ([1]G , β) [x1]H ˆ =(x, 0) B1 = ([1]G , [x]G) [x1]H ˆ =(0, 1)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6

Switching

B0 = ([1]G , β) [x1]H ˆ =(x, 0) [x2]H ˆ = . . . B1 = ([1]G , [x]G) [x1]H ˆ =(0, 1) [x2]H ˆ = . . .

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6

Switching

B0 = ([1]G , β) [x1]H ˆ =(x, 0) [x2]H ˆ = . . . . . . [xk]H ˆ = . . . B1 = ([1]G , [x]G) [x1]H ˆ =(0, 1) [x2]H ˆ = . . . . . . [xk]H ˆ = . . .

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6

Switching

B0 = ([1]G , β) [x1]H ˆ =(x, 0) [x2]H ˆ = . . . . . . [xk]H ˆ = . . . B1 = ([1]G , [x]G) [x1]H ˆ =(0, 1) [x2]H ˆ = . . . . . . [xk]H ˆ = . . . k-switching

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6

Example:DLOGG ⇒ CDHH

B = ([1]G , β1, β2) [1]H ˆ =(1, 0, 0) [x]H ˆ =(x, 0, 0) [y]H ˆ =(y, 0, 0) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7

Example:DLOGG ⇒ CDHH

B = ([1]G , β1, β2) [1]H ˆ =(1, 0, 0) [x]H ˆ =(x, 0, 0) [y]H ˆ =(y, 0, 0) B = ([1]G , [x]G , [y]G) [1]H ˆ =(1, 0, 0) [x]H ˆ =(0, 1, 0) [y]H ˆ =(0, 0, 1) 2-switching Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7

Example:DLOGG ⇒ CDHH

B = ([1]G , β1, β2) [1]H ˆ =(1, 0, 0) [x]H ˆ =(x, 0, 0) [y]H ˆ =(y, 0, 0) B = ([1]G , [x]G , [y]G) [1]H ˆ =(1, 0, 0) [x]H ˆ =(0, 1, 0) [y]H ˆ =(0, 0, 1) B = ([1]G , Z, [y]G) [1]H ˆ =(1, 0, 0) [x]H ˆ =(0, 1, 0) [y]H ˆ =(0, 0, 1) B = ([1]G , [x]G , Z) [1]H ˆ =(1, 0, 0) [x]H ˆ =(0, 1, 0) [y]H ˆ =(0, 0, 1) 2-switching Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7

Rerandomization

• different options of how to generate a group element

– sampling from a representation – addition

• [x]H ,

[x]H

• RerandH([x]H) ≅ RerandH(

[x]H)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 8

Applications - Schnorr Signatures

KGen(ppH) x ← Zp pk := ([1]H , [x]H) sk := (pk, x) return (pk, sk) Sign(sk, m) r ← Zp

• R = [r]H

c := H( R, m) s := r + c · x mod p return σ := ( R, s) Ver(pk = ( 1, X), m, σ = ( R, s)) c := H( R, m) return [s]H == R · X c

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 9

Proof Overview

• want to

– extract and use representation submitted to hash oracle [FPS20] – simulate signatures

• key differences to [FPS20]:

– due information encoded in group elements – switching of base, pk and random element R via origin elements – re-randomization

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 10

Applications - Schnorr Signatures

• B = ([1]G , β)
• public key

– 1 =(1, 0) – X =(x, 0)

• signature randomness

– R =(r, 0)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 11

Origin Elements

How to achieve 1-switching instead of q-switching

• R1

2

(r1, 0)

• R2

2

(r2, 0)

. . .

• Rq

2

(rq, 0) B = ([1]G , β)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12

Origin Elements

How to achieve 1-switching instead of q-switching

• R1

2

(s1, −c1)

• R2

2

(s2, −c2)

. . .

• Rq

2

(sq, −cq) B = ([1]G , [x]G)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12

Origin Elements

How to achieve 1-switching instead of q-switching

ξ1

(1, 0)

ξ2

(x, 0)

• R1

2 ξ

s1 1 ·ξ−c1 2

• =(r1,0)
• R2

2 ξ

s2 1 ·ξ−c2 2

• =(r2,0)

. . .

• Rq

2 ξ

sq 1 ·ξ −cq 2

• =(rq,0)

B = ([1]G , β)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12

Origin Elements

How to achieve 1-switching instead of q-switching

ξ1

(1, 0)

ξ2

(0, 1)

• R1

2 ξ

s1 1 ·ξ−c1 2

• =(s1,−c1)
• R2

2 ξ

sq 1 ·ξ −cq 2

• =(s2,−c2)

. . .

• Rq

2 ξ

sq 1 ·ξ −cq 2

• =(sq,−cq)

B = ([1]G , [x]G)

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12

Applications - Schnorr Signatures

• B = ([1]G , β)
• origin elements

– ξ1 =(1, 0) – ξ2 =(x, 0)

• public key

– 1 = ξ1 – X = ξ2

• signature randomness

– R1 =(r, 0) – R2 ← ξs

1 · ξ−c 2

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 13

Applications - Schnorr Signatures

• B = ([1]G , [x]G)
• origin elements

– ξ1 =(1, 0) – ξ2 =(0, 1)

• public key

– 1 = ξ1 – X = ξ2

• signature randomness

– R1 =(r, 0) – R2 ← ξs

1 · ξ−c 2

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 14

Applications - Schnorr Signatures

• apply techniques of [FPS20]

– keep track of representations submitted to RO – abort in (unlikely case) of bad representation – choose c, s beforehand and program random oracle

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 15

Summary of Results

• wrapper group that allows for extraction of a constant-size representation
• non-interactive DH-type assumptions
• Schnorr signatures

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 16

Open Questions

• q-type/one-more assumptions
• transfer other results from AGM, e.g. BLS signatures

– information-theoretically, we reveal the scenario to the adversary

• non-wrapping groups

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 17

Full Version

https://eprint.iacr.org/2020/070

Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 18