On Instantiating the Algebraic Group Model from Falsifiable Assumptions Thomas Agrikola Dennis Hofheinz Julia Kastner Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 1
The Algebraic Group Model 1 $ ← A ([ x 1 ] G , . . . , [ x n ] G ) [ y ] G n � � � z j [ y ] G = x j G j =1 1 FKL18. Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 2
The Algebraic Group Model 1 $ ← A ([ x 1 ] G , . . . , [ x n ] G ) [ y ] G n � � � z j [ y ] G = x j G j =1 How to obtain the representation z ? 1 FKL18. Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 2
Related work 2 Extraction of representation through knowledge assumption [ x ] H = ([ x ] G , aux) [ y ] H ← A ([ x 1 ] H , . . . , [ x n ] H ; r A ) z ← Ext A ([ y ] H , [ x 1 ] H , . . . [ x n ] H , r A ) Requirements for G : pairing friendly, knowledge of exponent assumption 2 [ K P19] Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 3
Our Contributions • algebraic wrapper around a group G • extraction of constant sized representation • transfer of AGM results Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 4
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , z ) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , z ) B = { [ b 1 ] G , . . . [ b n ] G } n � [ b i ] z i [ x ] G = G i =1 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , Enc( z )) B = { [ b 1 ] G , . . . [ b n ] G } n � [ b i ] z i [ x ] G = G i =1 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , Enc( z ′ )) B ′ = { [ b 1 ] r 1 G , . . . [ b n ] r n G } n � z ′ i · r i [ x ] G = [ b i ] G i =1 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , Enc( z ′ ) , π ) B ′ = { [ b 1 ] r 1 G , . . . [ b n ] r n G } n � z ′ i · r i [ x ] G = [ b i ] G i =1 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Obtaining a representation without knowledge assumptions [ x ] H = ([ x ] G , Enc( z ′ ) , π ) B ′ = { [ b 1 ] G , . . . [ b n ] G } n � [ b i ] z i [ x ] G = G i =1 ∧ Add ← piO( C Add ) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 5
Switching B 0 = ([1] G , β ) B 1 = ([1] G , [ x ] G ) [ x 1 ] H ˆ =( x , 0) [ x 1 ] H ˆ =(0 , 1) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6
Switching B 0 = ([1] G , β ) B 1 = ([1] G , [ x ] G ) [ x 1 ] H ˆ =( x , 0) [ x 1 ] H ˆ =(0 , 1) [ x 2 ] H ˆ = . . . [ x 2 ] H ˆ = . . . Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6
Switching B 0 = ([1] G , β ) B 1 = ([1] G , [ x ] G ) [ x 1 ] H ˆ =( x , 0) [ x 1 ] H ˆ =(0 , 1) [ x 2 ] H ˆ = . . . [ x 2 ] H ˆ = . . . . . . . . . [ x k ] H ˆ = . . . [ x k ] H ˆ = . . . Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6
Switching B 0 = ([1] G , β ) B 1 = ([1] G , [ x ] G ) [ x 1 ] H ˆ =( x , 0) [ x 1 ] H ˆ =(0 , 1) [ x 2 ] H ˆ = . . . [ x 2 ] H ˆ = . . . . . . . . . [ x k ] H ˆ = . . . [ x k ] H ˆ = . . . k - switching Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 6
Example:DLOG G ⇒ CDH H B = ([1] G , β 1 , β 2 ) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =( x , 0 , 0) [ y ] H ˆ =( y , 0 , 0) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7
Example:DLOG G ⇒ CDH H B = ([1] G , β 1 , β 2 ) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =( x , 0 , 0) [ y ] H ˆ =( y , 0 , 0) 2- switching B = ([1] G , [ x ] G , [ y ] G ) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =(0 , 1 , 0) [ y ] H ˆ =(0 , 0 , 1) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7
Example:DLOG G ⇒ CDH H B = ([1] G , β 1 , β 2 ) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =( x , 0 , 0) [ y ] H ˆ =( y , 0 , 0) 2- switching B = ([1] G , [ x ] G , [ y ] G ) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =(0 , 1 , 0) [ y ] H ˆ =(0 , 0 , 1) B = ([1] G , Z , [ y ] G ) B = ([1] G , [ x ] G , Z ) [1] H ˆ =(1 , 0 , 0) [1] H ˆ =(1 , 0 , 0) [ x ] H ˆ =(0 , 1 , 0) [ x ] H ˆ =(0 , 1 , 0) [ y ] H ˆ =(0 , 0 , 1) [ y ] H ˆ =(0 , 0 , 1) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 7
Rerandomization • different options of how to generate a group element – sampling from a representation – addition • [ x ] H , � [ x ] H • Rerand H ([ x ] H ) ≅ Rerand H ( � [ x ] H ) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 8
Applications - Schnorr Signatures Ver( pk = ( � 1 , � X ) , m , σ = ( � KGen(pp H ) Sign( sk , m ) R , s )) c := H ( � x ← Z p r ← Z p R , m ) � return [ s ] H == � R · � pk := ([1] H , [ x ] H ) R = [ r ] H X c c := H ( � sk := ( pk , x ) R , m ) return ( pk , sk ) s := r + c · x mod p return σ := ( � R , s ) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 9
Proof Overview • want to – extract and use representation submitted to hash oracle [FPS20] – simulate signatures • key differences to [FPS20]: – due information encoded in group elements – switching of base, pk and random element � R via origin elements – re-randomization Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 10
Applications - Schnorr Signatures • B = ([1] G , β ) • public key – � 1 � =(1 , 0) – � X � =( x , 0) • signature randomness – � R � =( r , 0) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 11
Origin Elements How to achieve 1- switching instead of q - switching B = ([1] G , β ) � � � R q R 1 R 2 . . . 2 2 2 ( r 1 , 0) ( r 2 , 0) ( r q , 0) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12
Origin Elements How to achieve 1- switching instead of q - switching B = ([1] G , [ x ] G ) � � � R q R 1 R 2 . . . 2 2 2 ( s 1 , − c 1 ) ( s 2 , − c 2 ) ( s q , − c q ) Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12
Origin Elements How to achieve 1- switching instead of q - switching ξ 1 ξ 2 B = ([1] G , β ) (1 , 0) ( x , 0) � � � R q R 1 R 2 . . . 2 2 2 s 1 1 · ξ − c 1 s 2 1 · ξ − c 2 sq − cq � � � ξ =( r 1 , 0) ξ =( r 2 , 0) 1 · ξ =( r q , 0) ξ 2 2 2 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12
Origin Elements How to achieve 1- switching instead of q - switching ξ 1 ξ 2 B = ([1] G , [ x ] G ) (1 , 0) (0 , 1) � � � R q R 1 R 2 . . . 2 2 2 1 · ξ − c 1 s 1 sq − cq sq − cq � � � ξ =( s 1 , − c 1 ) ξ 1 · ξ =( s 2 , − c 2 ) 1 · ξ =( s q , − c q ) ξ 2 2 2 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 12
Applications - Schnorr Signatures • B = ([1] G , β ) • origin elements – ξ 1 � =(1 , 0) – ξ 2 � =( x , 0) • public key – � 1 = ξ 1 – � X = ξ 2 • signature randomness – � R 1 � =( r , 0) – � R 2 ← ξ s 1 · ξ − c 2 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 13
Applications - Schnorr Signatures • B = ([1] G , [ x ] G ) • origin elements – ξ 1 � =(1 , 0) – ξ 2 � =(0 , 1) • public key – � 1 = ξ 1 – � X = ξ 2 • signature randomness – � R 1 � =( r , 0) – � R 2 ← ξ s 1 · ξ − c 2 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 14
Applications - Schnorr Signatures • apply techniques of [FPS20] – keep track of representations submitted to RO – abort in (unlikely case) of bad representation – choose c , s beforehand and program random oracle Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 15
Summary of Results • wrapper group that allows for extraction of a constant-size representation • non-interactive DH-type assumptions • Schnorr signatures Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 16
Open Questions • q-type/one-more assumptions • transfer other results from AGM, e.g. BLS signatures – information-theoretically, we reveal the scenario to the adversary • non-wrapping groups Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 17
Full Version https://eprint.iacr.org/2020/070 Thomas Agrikola, Dennis Hofheinz, Julia Kastner April 30, 2020 18
Recommend
More recommend
