Group to Group Commitments Do Not Shrink - PowerPoint Presentation

Slide1

Group to Group Commitments Do Not Shrink

Masayuki ABEKristiyan HaralambievMiyako Ohkubo

1

Slide2

Contents

Introduction for Structure-Preserving SchemesMotivationState of the ArtStructure-Preserving Commitments (SPC)Lower Boundssize(commitment) >= size(message)#(verification equations) >= 2 in

Type-I groupsUpper Boundsconstructions with optimal expansion factor

2

/32

Slide3

Combination of Building

BlocksEncryption, Signatures, Commitments, etc..Zero-knowledge Proof Systemex) Proving possession of a valid signature without showing it.Extra RequirementsNon-interactive, Proof of knowledge

Modular Protocol Design

Slide4

NIZK in Theory

Translate “Verify” function

into a circuit. Then prove the correctness of I/O at every gate by NIZK.

Very powerful tool. But not practical.

Slide5

Practical NIZK

Groth-Sahai Proof System [GS08]Currently the only practical Non-Interactive Proof system.Works on bilinear groups.A Witness Indistinguishable Proof System (NIWI) for quadratic relations among witnesses.

A Proof of Knowledge for relations represented by pairing product equations. (see next page)

Slide6

Pairing Product Equation

Bilinear Groups

Z=1 for ZK

witnesses must

be base group

elements for

PoK

Slide7

Structure-Preserving Schemes

Cryptographic schemes such as signatures, encryption, commitments, etc...constructed over bilinear groups, and public objects such as public-keys, messages, signatures, commitments, de-commitments, ciphertexts, and etc., are group elements, andrelevant verifications such as signature verification, correct decryption, correct decommitment, evaluate pairing product equations.

7

/32

Slide8

Structure-Preserving Schemes

Proof SystemNIWI: [GS08]GS with Extra Properties: [BCCKLS09,Fuc11,CKLM12]Signature SchemesConstructions: [Gro06, GH08, CLY09, AFGHO10, AHO10, AGHO11, CK11]Bounds: [AGHO11, AGH11]CCA2 Public-Key Encryption

[CKH11]Commitment SchemesConstructions: [Gro09, CLY09, AFGHO10, AHO10]

8

/32

Slide9

Structure-Preserving Commitments (SPC)

9/32

Slide10

Syntax

10/32

evaluates pairing product equations

from the base group (

Strict-SPC

)

vector of group elements

Slide11

SPC in the Literature

11/32

Question:

Can Strict-SPC be shrinking?

Slide12

Impossibility Result (1)

12/32

The theorem holds for type-III groups as well.

Slide13

Algebraic Algorithm

13/32

Slide14

Alg.Alg. is not KEA

Algebraic AlgorithmsClass of Reduction / ConstructionOften used for showing separationConsidered as “not overly restrictive”Positive consequence if avoidedKnowledge of Exponent Assumption

Assumption on adversariesOften used in security proofs for specific constructionsOften

criticized as too

strong since it is not falsifiable

Negative impact if not hold

14

/32

Slide15

Proof Intuition (1/3)

15/32

Slide16

Proof Intuition (2/3)

16/32

Slide17

Proof Intuition (3/3)

17/32

Slide18

Impossibility Result (2)

18/32

Slide19

Optimal Constructions

19/32

Slide20

Two New Strict-SPCs

20/32

All schemes are homomorphic

and trapdoor as well as previous schemes.

Slide21

Scheme 1 in Type-III Groups

21/32

Slide22

Security

22/32DBP is implied by SXDH.

Slide23

Summary

Upper and Lower Bounds for Strict-SPCStrict-SPC does not shrink!Bounds w.r.t. commitment size match each other except for small additive terms.Open IssuesGet rid of the additive terms, or show its impossibility.Do non-algebraic constructions help to get around the lower bound?

23/32

Slide24

Reduction

24/32

Slide25

Scheme 1 in Type-III Groups

25/32

Slide26

Scheme 1 (Cont’d)

26/32

Slide27

Bilinear Groups