SLIDE 1

Tiramisu: Black-Box Simulation Extractable NIZKs in the Updatable CRS Model

Karim Baghery 1,2 and Mahdi Sedaghat 1

1 imec-COSIC, KU Leuven, Leuven, Belgium
2 University of Tartu, Tartu, Estonia.

karim.baghery@kuleuven.be ssedagha@esat.kuleuven.be ia.cr/2020/474

SLIDE 2

Overview on Tiramisu & (Sub./Upd.) NIZKs in the CRS Model:

COSIC (Computer Security and Industrial Cryptography group)

A NIZK argument in the CRS model for an NP relation $R_L$, where the prover holds a witness $w$ with $(x, w) \in R_L$:

$(\mathrm{CRS}, \mathrm{TD}) \leftarrow \mathrm{CRSGen}(1^{n}, R_L)$
$\mathrm{proof} \leftarrow \mathrm{Prove}(\mathrm{CRS}, \mathrm{stat}, \mathrm{witness})$
$\{1, 0\} \leftarrow \mathrm{Verify}(\mathrm{CRS}, \mathrm{stat}, \mathrm{proof})$

Sub: Subversion | U: Updatable | BB: Black-Box | nBB: non-Black-Box | ZK: Zero-knowledge | SND: Soundness | KS: Knowledge Sound | SE: Simulation Extractable

[Diagram: the security notions SND, ZK, Sub-ZK, U-ZK, BB-KS, nBB-KS, BB-SE, nBB-SE, U-BB-KS, U-nBB-KS, U-BB-SE and U-nBB-SE, with representative constructions placed by notion: [PHGR13], C∅C∅ [KZM+15], [BCG+15, ABL+19], [Gro16], [BFS16], [ABLZ17], [Fuc18], [GKM+18], [Bag19b], Lamassu [ARS20], Tiramisu [BS20], [GM17, AB19], [Bag19a]. Tiramisu targets U-ZK together with U-BB-SE.]

SLIDE 3

Tiramisu: Building U-ZK and U-BB-SE NIZKs (zk-SNARKs)

[Diagram: Sub/U-ZK and U-nBB-SE SNARK (e.g. [ARS20]) --> Tiramisu [BS20], building on [Bag19a], [Bag19b], [ARS20] --> U-ZK and U-BB-SE NIZK (SNARK)]

  • Given a language $L$ with the NP relation $R_L$, define $L'$ s.t. $((x, c, \mathrm{pk}_i), (w, r)) \in R_{L'}$ iff:

    $c = \mathrm{Enc}(\mathrm{pk}_i, w; r) \;\wedge\; (x, w) \in R_L$

  • $\Pi_{\mathrm{enc}} := (\mathrm{KG}, \mathrm{Enc}, \mathrm{Dec})$ is a CPA-secure public-key cryptosystem with updatable keys $(\mathrm{pk}_i, \mathrm{sk}_i)$.
  • Updatable public-key cryptosystems can be constructed from key-homomorphic encryption schemes [AHI11] (a variation of ElGamal [ElG84] instantiated in pairing-based groups).
  • Similar to updatable NIZK arguments [GKM+18] and updatable signatures [ARS20].
SLIDE 4

Tiramisu in Comparison with Current Constructions:

  • nBB knowledge-sound zk-SNARKs [e.g. Gro16]
  • nBB Sim. Ext. zk-SNARKs [GM17, BG18, AB19]
  • nBB Sim. Ext. & Sub-ZK SNARKs [Bag19b, Lip19]
  • Upd. nBB Sim. Ext. & Sub-ZK SNARK [Lamassu, ARS20]
  • Upd. BB Sim. Ext. & Upd-ZK NIZKs (SNARKs) [Tiramisu, BS20]
  • BB Sim. Ext. NIZKs (zk-SNARK) [KZM+15, Bag19a]

SLIDE 5

Thank You!

karim.baghery@kuleuven.be ssedagha@esat.kuleuven.be

SLIDE 6

C∅C∅ Framework: Building BB-SE NIZKs (zk-SNARKs)

[Diagram: (nBB Knowledge) Sound NIZK (zk-SNARK) --> C∅C∅ Framework [KZM+15] --> Black-Box Sim. Ext. NIZK (zk-SNARK); annotated "Black-Box Extraction" and "Simulation Sound or nBB Simulation Extractable"]

  • Given a language $L$ with the corresponding NP relation $R_L$, defines a new language $L'$ such that $((x, c, \mu, \mathrm{pk}_s, \mathrm{pk}_e, \rho), (w, r, r_0, s_0)) \in R_{L'}$ iff:

    $\big(c = \mathrm{Enc}(\mathrm{pk}_e, w; r) \;\wedge\; (x, w) \in R_L\big) \;\vee\; \big(\mu = f_{s_0}(\mathrm{pk}_s) \;\wedge\; \rho = \mathrm{Com}(s_0; r_0)\big)$

  • $\mathrm{Enc}(\cdot)$ is a semantically secure encryption scheme,
  • $f_{s_0}(\cdot): \{0,1\}^* \to \{0,1\}^{\lambda}$ is a PRF family,
  • $\mathrm{Com}(\cdot)$ is a perfectly binding commitment scheme.

  • Used in several UC-secure protocols [Gro06]: Hawk [KMS+16], Gyges [JKS16], Ouroboros Crypsinous [KKKZ19], …
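As an added worked example (not code from the slides, nor from the Tiramisu or C∅C∅ papers), the two language transformations in toy form: the Tiramisu $L'$ of slide 3, which conjoins the base relation with an encryption of the witness under an updatable key, and the C∅C∅ $L'$ on this slide with its PRF/commitment trapdoor branch. Assumptions: ElGamal over $\mathbb{Z}_p^*$ with the Mersenne prime $p = 2^{61}-1$ stands in for the pairing-based groups (correct algebra, not a secure parameter choice), HMAC-SHA256 plays $f_{s_0}$, a SHA-256 hash plays $\mathrm{Com}$, and the base relation $R_L$ is the constructed preimage relation $x = \mathrm{SHA256}(w)$. All function names and parameters are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group for the example: Z_p^* with p = 2^61 - 1 (a Mersenne prime) and
# base G = 3. Stand-in for the pairing-based groups of the slides; NOT a
# secure parameter choice (ElGamal in the full Z_p^* even leaks a residuosity bit).
P = (1 << 61) - 1
G = 3
ORDER = P - 1          # exponents live in Z_{p-1}


def keygen():
    """ElGamal key pair (pk, sk) with pk = G^sk."""
    sk = secrets.randbelow(ORDER - 1) + 1
    return pow(G, sk, P), sk


def update_key(pk):
    """Key-homomorphic update pk' = pk * G^delta (so sk' = sk + delta).
    The updater keeps delta; the full trapdoor is the sum of all shares."""
    delta = secrets.randbelow(ORDER - 1) + 1
    return pk * pow(G, delta, P) % P, delta


def enc(pk, m, r):
    """Enc(pk, m; r) with explicit coins r, so c = Enc(pk, w; r) is a
    deterministic relation that the relation check can recompute."""
    return pow(G, r, P), m * pow(pk, r, P) % P


def dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, ORDER - sk % ORDER, P) % P   # c2 * c1^{-sk}


def statement_of(w):
    """Statement for the constructed base relation R_L: x = SHA-256(w)."""
    return hashlib.sha256(w.to_bytes(8, "big")).digest()


def in_RL(x, w):
    return x == statement_of(w)


# --- Tiramisu-style L': ((x, c, pk_i), (w, r)) with c = Enc(pk_i, w; r) AND (x, w) in R_L
def in_RL_tiramisu(stmt, wit):
    x, c, pk_i = stmt
    w, r = wit
    return c == enc(pk_i, w, r) and in_RL(x, w)


def extract_bb(sk_i, stmt):
    """Black-box extractor: decrypts c with the trapdoor of the current key.
    It needs only the statement, never the prover's code."""
    _, c, _ = stmt
    return dec(sk_i, c)


# --- C0C0-style L': honest branch OR trapdoor branch (PRF + commitment)
def prf(s0, data):                      # f_{s0}(.) : {0,1}* -> {0,1}^256, HMAC as PRF
    return hmac.new(s0, data, hashlib.sha256).digest()


def commit(s0, r0):                     # Com(s0; r0), hash based (binding assumed)
    return hashlib.sha256(s0 + r0).digest()


def in_RL_coco(stmt, wit):
    x, c, mu, pk_s, pk_e, rho = stmt
    w, r, r0, s0 = wit
    honest = c == enc(pk_e, w, r) and in_RL(x, w)
    trapdoor = mu == prf(s0, pk_s) and rho == commit(s0, r0)
    return honest or trapdoor


def coco_simulate(s0, r0, x, pk_e, pk_s):
    """Simulator: holds the CRS trapdoor s0 (rho = Com(s0; r0) sits in the CRS),
    so it satisfies the PRF branch for any x without knowing a witness."""
    mu = prf(s0, pk_s)
    c = enc(pk_e, 1, 1)                 # dummy ciphertext, no witness inside
    return (x, c, mu, pk_s, pk_e, commit(s0, r0)), (0, 0, r0, s0)


def demo():
    """Honest Tiramisu prover under a twice-updated key, then extraction."""
    w = secrets.randbelow(P - 2) + 1
    x = statement_of(w)
    pk0, sk0 = keygen()
    pk1, d1 = update_key(pk0)           # two independent updaters
    pk2, d2 = update_key(pk1)
    r = secrets.randbelow(ORDER - 1) + 1
    stmt = (x, enc(pk2, w, r), pk2)
    sk2 = (sk0 + d1 + d2) % ORDER       # trapdoor of the twice-updated key
    return {
        "honest_ok": in_RL_tiramisu(stmt, (w, r)),
        "extracted_with_full_trapdoor": extract_bb(sk2, stmt) == w,
        "extracted_with_initial_key_only": extract_bb(sk0, stmt) == w,
    }
```

What the toy makes visible: whoever holds the full trapdoor of the updated key (the sum of every update share) recovers $w$ by decryption alone, which is the black-box part, while the initial secret key no longer does; and a party holding $s_0$ satisfies $R_{L'}$ for an arbitrary $x$ with a dummy ciphertext, which is why the commitment $\rho$ must be binding and $f$ pseudorandom, otherwise an adversary could take the same branch.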

SLIDE 7

[Bag19b, ARS20]: Building Sub-ZK & nBB-SE/U-nBB-SE zk-SNARKs

[Diagram: Sub-ZK and nBB knowledge-sound SNARK, e.g. [ABLZ17, Fuc18] --> [Bag19b], using [BG90, KZM+15] --> Sub-ZK & nBB-SE SNARK]

  • Given a language $L$ with the corresponding NP relation $R_L$, define a new language $L'$ such that $((x, c, \mu, \mathrm{pk}_s, \mathrm{pk}_e, \rho), (w, r, r_0, s_0)) \in R_{L'}$ iff:

    $\big(c = \mathrm{Enc}(\mathrm{pk}_e, w; r) \;\wedge\; (x, w) \in R_L\big) \;\vee\; \big(\mu = f_{s_0}(\mathrm{pk}_s) \;\wedge\; \rho = \mathrm{Com}(s_0; r_0)\big)$

[Diagram: Sub-ZK and updatable nBB knowledge-sound SNARK, e.g. [GKM+18] --> [ARS20, Lamassu], using [DS16, Bag19b] --> Sub-ZK & U-nBB-SE SNARK]

  • Given a language $L$ with the corresponding NP relation $R_L$, defines a new language $L'$ such that $((x, \mathrm{cpk}, \mathrm{pk}), (w, \mathrm{csk} - \mathrm{sk})) \in R_{L'}$ iff:

    $(x, w) \in R_L \;\vee\; \mathrm{cpk} = \mathrm{pk} \cdot \mu(\mathrm{csk} - \mathrm{sk})$

  • $(\mathrm{cpk}, \mathrm{csk})$ is a key pair of a key-homomorphic signature scheme
  • $(\mathrm{pk}, \mathrm{sk})$ is a key pair of a one-time secure signature scheme
  • $\mu: \mathrm{SK} \to \mathrm{PK}$ (e.g. $\mathrm{pk} = g^{\mathrm{sk}}$).
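Added example for the [ARS20] relation just above (my own code, not Lamassu's): the key-homomorphic OR-branch, with $\mu(s) = G^{s}$ in the toy group $\mathbb{Z}_p^*$, $p = 2^{61}-1$, $G = 3$ (an assumption; the paper works in pairing groups) and the constructed base relation $x = \mathrm{SHA256}(w)$. Function names are hypothetical.

```python
import hashlib
import secrets

# Toy group: Z_p^* for the Mersenne prime p = 2^61 - 1, base G = 3 (assumption,
# not a secure parameter choice).
P = (1 << 61) - 1
G = 3
ORDER = P - 1


def mu(s):
    """mu : SK -> PK of the key-homomorphic scheme, here pk = G^sk."""
    return pow(G, s % ORDER, P)


def statement_of(w):
    """Constructed base relation R_L: x = SHA-256(w)."""
    return hashlib.sha256(w.to_bytes(8, "big")).digest()


def in_RL(x, w):
    return x == statement_of(w)


def in_RL_lamassu(stmt, wit):
    """((x, cpk, pk), (w, delta)) in R_L' iff (x, w) in R_L OR cpk = pk * mu(delta).
    An honest prover takes the first branch with an arbitrary delta; it does
    not know csk, so the second branch is out of its reach."""
    x, cpk, pk = stmt
    w, delta = wit
    return in_RL(x, w) or cpk == pk * mu(delta) % P


def simulate(csk, x):
    """Simulator holding csk: samples a fresh one-time key (sk, pk) and uses
    delta = csk - sk to satisfy the second branch; no witness for x is needed.
    Returns the statement, the witness and the one-time sk used for signing."""
    sk = secrets.randbelow(ORDER - 1) + 1
    delta = (csk - sk) % ORDER
    return (x, mu(csk), mu(sk)), (0, delta), sk


def recover_csk(delta, sk):
    """delta together with the one-time sk reveals csk = delta + sk. A prover
    that takes the trapdoor branch and can still sign under pk must therefore
    know the CRS secret csk, which is what simulation extractability rules out."""
    return (delta + sk) % ORDER
```

The one-time signature binds each proof to a fresh $\mathrm{pk}$, so the value $\mathrm{csk} - \mathrm{sk}$ that the simulator puts in a simulated proof is useless for any other $\mathrm{pk}'$: reusing it would require $\mathrm{sk}'$ with $\mathrm{cpk} = \mathrm{pk}' \cdot \mu(\mathrm{csk} - \mathrm{sk}')$, i.e. knowledge of $\mathrm{csk}$ itself.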