Slide1
A shuffle argument secure in the generic model
Prastudy Fauzi, Helger Lipmaa, Michal Zajac, University of Tartu, Estonia
Estonian-Latvian Joint Theory Days, 14.10.2016
ASIACRYPT 2016
Slide2
Our results
- A new efficient CRS-based NIZK shuffle argument
  - Four+ times more efficient verification than in prior work
  - Verification time is the more critical cost
- Soundness proof in the Generic Bilinear Group Model
  - Very complicated machine-assisted proof
  - Use computer algebra to solve systems of polynomial equations, esp. to find Gröbner bases
  - Enables proof verification by practitioners
- Possible future work: synthesis?
Slide3
A bit of motivation: e-voting
Anonymity
Correctness
Data is public
(Data, source) is private
Slide4
Simple Mix-nets
Inputs, encrypted under the public key pk:
  c_1 = Enc_pk(m_1), c_2 = Enc_pk(m_2), c_3 = Enc_pk(m_3)
Server 1, holding a secret permutation π and re-randomization randomness r:
  d_1 = c_π(1), d_2 = c_π(2), d_3 = c_π(3)   (each d_i re-randomized with r)
Server 2, holding a secret permutation ψ and randomness s:
  e_1 = d_ψ(1), e_2 = d_ψ(2), e_3 = d_ψ(3)   (each e_i re-randomized with s)
Decryption with sk:
  m_π(ψ(1)), m_π(ψ(2)), m_π(ψ(3))   (since e_i = d_ψ(i) = c_π(ψ(i)))
Encryption protects against eavesdropping on the Internet
Private against each individual server: no single server learns which input position ends up at which output position
Not yet correct: what if a server cheats?
Slide5
Accountable Mix-nets
Inputs, encrypted under pk:
  c_1 = Enc_pk(m_1), c_2 = Enc_pk(m_2), c_3 = Enc_pk(m_3)
Server 1 (pk, π, r):
  d_1 = c_π(1), d_2 = c_π(2), d_3 = c_π(3)   (re-randomized with r)
  "Proves" that shuffling was correct, sends the proof to the next server
Server 2 (pk, ψ, s):
  Verifies all previous proofs, shuffles, creates its own proof
  e_1 = d_ψ(1), e_2 = d_ψ(2), e_3 = d_ψ(3)   (re-randomized with s)
Decryption with sk:
  Verifies all proofs, then decrypts to m_π(ψ(1)), m_π(ψ(2)), m_π(ψ(3))
Slide6
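The two-server pipeline above, as an added example that is not part of the original slides: a toy exponential ElGamal mix-net in Python over a constructed 1019-element group (a safe prime far too small for real use, chosen only so the code runs offline). Each server applies its secret permutation and re-randomizes, the decryptor recovers the permuted plaintexts, and the `cheat` flag lets server 2 substitute one output. The function `shuffle_is_correct` is the statement a shuffle argument has to establish; here it is checked directly with the server's secret witness (π, r), which is exactly what the argument must avoid revealing. All names and parameters are this example's own.

```python
import random

# Toy exponential ElGamal over the order-Q subgroup of Z_P^*, P = 2Q + 1 (safe prime).
# Constructed parameters for this example: far too small for real use.
P, Q, G = 1019, 509, 4          # 4 = 2^2 generates the subgroup of quadratic residues

DLOG = {pow(G, m, P): m for m in range(Q)}   # brute-force table for decoding g^m, fine for Q = 509


def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def encrypt(pk, m, r):
    """Enc_pk(m; r) = (g^r, pk^r * g^m) for a message m in [0, Q)."""
    return (pow(G, r, P), pow(pk, r, P) * pow(G, m, P) % P)


def reencrypt(pk, c, s):
    """Re-randomize without knowing m: multiply by an encryption of 0 with randomness s."""
    return (c[0] * pow(G, s, P) % P, c[1] * pow(pk, s, P) % P)


def decrypt(sk, c):
    # c1^(-sk) = c1^(P-1-sk) because c1^(P-1) = 1 in Z_P^*
    return DLOG[c[1] * pow(c[0], P - 1 - sk, P) % P]


def shuffle(pk, cts, perm, rands):
    """One mix server: output i is a re-encryption of input perm[i] (d_i = c_pi(i) on the slide)."""
    return [reencrypt(pk, cts[perm[i]], rands[i]) for i in range(len(cts))]


def shuffle_is_correct(pk, cts, outs, perm, rands):
    """The statement a shuffle argument proves: outs is a re-encrypted permutation of cts.
    This direct check needs the secret witness (perm, rands); the argument proves the
    same statement in zero knowledge, without handing the witness to the verifier."""
    return outs == shuffle(pk, cts, perm, rands)


def run_mixnet(messages, cheat=False, seed=1):
    """Two servers (pi, r) and (psi, s) followed by decryption with sk.
    Returns (decrypted outputs, expected honest outputs, witness check per server)."""
    rng = random.Random(seed)
    n = len(messages)
    sk, pk = keygen(rng)
    c = [encrypt(pk, m, rng.randrange(1, Q)) for m in messages]

    pi, r = list(range(n)), [rng.randrange(1, Q) for _ in range(n)]
    rng.shuffle(pi)
    d = shuffle(pk, c, pi, r)

    psi, s = list(range(n)), [rng.randrange(1, Q) for _ in range(n)]
    rng.shuffle(psi)
    e = shuffle(pk, d, psi, s)
    if cheat:
        # server 2 silently replaces one output with a fresh encryption of its own choice
        e[0] = encrypt(pk, 0, rng.randrange(1, Q))

    decrypted = [decrypt(sk, x) for x in e]
    expected = [messages[pi[psi[i]]] for i in range(n)]   # e_i = d_psi(i) = c_pi(psi(i))
    checks = (shuffle_is_correct(pk, c, d, pi, r), shuffle_is_correct(pk, d, e, psi, s))
    return decrypted, expected, checks


if __name__ == "__main__":
    print(run_mixnet([7, 42, 100]))
    print(run_mixnet([7, 42, 100], cheat=True))
```

In the cheating run the tally still decrypts cleanly, just to the wrong multiset; only the witness check on server 2's hop fails. An accountable mix-net replaces that check with a proof each server publishes, so that anyone can verify every hop without the servers' secrets.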
Shuffle argument
Shuffle argument: efficient zero-knowledge argument of correctness of shuffling
Many shuffle arguments in the "random oracle model" exist; several of them are quite efficient
Existing CRS-model arguments are much less efficient
Slide7
CRS-based shuffle arguments
                     L-Zhang (2012)            Fauzi-L (2016)               Fauzi-L-Zajac (this work)
CRS length           7n + 6                    8n + 17                      3n + 14
Communication        12n + 11                  9n + 2                       7n + 3
P comp. (units)      36                        19.8                         24.3
V comp. (units)      196                       126                          36.3
Assumptions (GBGM?)  PSDL, DLIN (comp.);       TSDH, PCDH, PSP (comp.);     Pure GBGM
                     KE, PKE (knowledge)       2x PKE (knowledge)
Soundness            Full                      Culpable                     Full

1 unit = n million machine cycles, according to speed records on BN curves; n is the number of ciphertexts (say 100,000)
Footnotes on the assumptions: some were proposed in that paper, with a proof in the GBGM; others were proposed 2010+, but not in that paper, and have a proof in the GBGM
Slide8
Zero knowledge: CRS model
A trusted third party generates the CRS crs together with a trapdoor td; both parties get crs, the trapdoor is used only by the simulator
Prover P holds (x, w); verifier V holds x
P(crs, x, w) = π: proof of "x ∈ L"
V(crs, x, π): accepts or rejects
Sim(crs, td, x) = π: proof of "x ∈ L", produced from the trapdoor td without the witness w
Slide9
Zero knowledge: desiderata
Same setting as before: P(crs, x, w) = π, V(crs, x, π) accepts or rejects, Sim(crs, td, x) = π
Correctness: an honest prover with a valid witness w always convinces V
Soundness: no (bounded) prover can make V accept a proof of "x ∈ L" for x ∉ L
Zero knowledge (privacy): the simulated proof Sim(crs, td, x) is indistinguishable from a real proof P(crs, x, w), so π reveals nothing about w
Slide10
Bilinear PAirings
Three cyclic groups of the same order q: G_1, G_2, G_T
Generators g_1 of G_1, g_2 of G_2, g_T of G_T
Bilinear map: e: G_1 × G_2 → G_T
Requirements:
- Efficiently computable
- Non-degeneracy: e(g_1, g_2) ≠ 1
- Bilinearity: e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}
Slide11
Assumptions & Pairings
Inverting pairings should be hard: given e(A, B), compute either A or B
Analogous to DL: given g^a, compute a
What else should be hard?
Slide12
What else should be difficult?
People disagree…
A few hundred (thousand?) known pairing-related hardness assumptions
Each of them has to be cryptanalysed
"Easiest" sanity check: does this assumption hold in the generic model?
Slide13
Non-generic approach
Protocol ← Assumption 1 (known), …, Assumption m (known), Assumption m+1 (new), …, Assumption m+m' (new) ← Generic Model
(the protocol is reduced to m known and m' new assumptions, each of which is in turn justified in the generic model)
Pro: nice if m' is not big, or most assumptions are well-known, or …
Con: each arrow (reduction) might mean a loss in efficiency
Slide14
generic approach
Protocol ← Generic Model
(the protocol is proven secure directly in the generic model)
Pro: only one arrow, thus smaller loss in efficiency
Slide15
(SEMI-)Generic bilinear group model
Meta-assumption: the adversary only has access to group operations, the bilinear map, and equality tests
Each computed element in G_i (i = 1, 2) is the product of two already known elements
Recursively, the DL of each computed element is a known polynomial in some indeterminates
Note: we do not handle G_T as a generic group
Slide16
Soundness in (semi-)GBGM
Random variables (TTP): X_1, …, X_s
CRS (TTP): {[f_{1i}(X)]_1}, {[f_{2i}(X)]_2}   // polynomials in X; the TTP knows X
Outputs (adversary): {[g_{1i}(X) = Σ_i a_{1i} f_{1i}(X)]_1}, {[g_{2i}(X) = Σ_i a_{2i} f_{2i}(X)]_2}   // linear combinations of the CRS (only the group operation)
Verifications (verifier), with {h_{ji}} = {f_{ji}, g_{ji}}:
  V_1(X) = Σ_{ij} b_{1ij} h_{1i}(X) h_{2j}(X) = 0
  …
  V_u(X) = Σ_{ij} b_{uij} h_{1i}(X) h_{2j}(X) = 0   // quadratic tests (can use the bilinear map)
Slide17
Soundness in (SEMI-)GBGM
The j-th verification equation ascertains V_j(X) = 0
Solve the system of polynomial equations {V_j(X) = 0} in the coefficients a_{ji} chosen by the adversary
Show that the solution coefficients are "nice": restricted to be as in the honest case
Slide18
Intuition: constructing argument
Decomposing:
- Write down the main building blocks you need to prove in the argument
- Each "subargument" should be efficiently verifiable (by a single pairing)
- Ascertain each subargument is sound independently
CRS composition:
- Compose the CRSs of the individual subarguments together, getting one big CRS
Slide19
Intuition: constructing argument
Soundness check:
- Is the composed protocol sound? Subarguments get extra inputs in the CRS
- If not: introduce new random variables that guarantee CRS elements are used only in the correct subarguments; reiterate
Slide20
Subarguments
"Permutation matrix argument": prover commits to a permutation; proves this is done correctly
"Consistency argument": prover proves she used the committed permutation to shuffle the ciphertexts
"Validity argument": prover proves each ciphertext has been formed "correctly"
Correctly: so that the soundness proof goes through
Slide21
Permutation matrix argument
Lemma. A matrix is a permutation matrix iff
- it is stochastic   // its rows sum to (1, …, 1)
- each row is 1-sparse   // at most one coefficient is non-zero
Slide22
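An added exhaustive check of the lemma (example code, not from the paper): for a small n and a small prime p it enumerates every n × n matrix over F_p and confirms that "stochastic and 1-sparse" coincides with "permutation matrix", which is what lets the permutation matrix argument be decomposed into those two efficiently checkable subarguments. Function names are this example's own.

```python
from itertools import product


def is_stochastic(M, p):
    """Rows sum to the all-ones vector, i.e. every column sums to 1 (mod p)."""
    n = len(M)
    return all(sum(M[i][j] for i in range(n)) % p == 1 for j in range(n))


def is_one_sparse(M):
    """Each row has at most one non-zero entry."""
    return all(sum(1 for x in row if x != 0) <= 1 for row in M)


def is_permutation_matrix(M):
    """Direct definition: 0/1 entries with exactly one 1 per row and per column."""
    n = len(M)
    return (all(x in (0, 1) for row in M for x in row)
            and all(sum(row) == 1 for row in M)
            and all(sum(M[i][j] for i in range(n)) == 1 for j in range(n)))


def lemma_holds(n, p):
    """Exhaustively compare both sides of the lemma over F_p for all n x n matrices.
    Returns (lemma holds, number of permutation matrices found); n=3, p=3 is 3^9 matrices."""
    count = 0
    for entries in product(range(p), repeat=n * n):
        M = [list(entries[i * n:(i + 1) * n]) for i in range(n)]
        lhs = is_stochastic(M, p) and is_one_sparse(M)
        rhs = is_permutation_matrix(M)
        if lhs != rhs:
            return False, count
        count += rhs
    return True, count


if __name__ == "__main__":
    print(lemma_holds(3, 3))   # expect (True, 6): the 3! permutation matrices
```

Neither property alone suffices: [[1, 1], [0, 0]] is stochastic but not 1-sparse, and [[2, 0], [0, 0]] is 1-sparse but not stochastic, which is why the argument has to prove both.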
1-sparsity Argument
Commitment: [A_i(X)]_i = [a_I P_I(X) + r X_ρ]_i   // i = 1, 2
Argument: // "square span programs"
  [π(X)]_1 = [((a_I P_I(X) + P_0(X) + r X_ρ)^2 - 1) / X_ρ]_1
Verification equation:
  V(X) := (A_1(X) + X_α + P_0(X)) (A_2(X) - X_α + P_0(X)) - π(X) X_ρ - (1 - X_α^2) = 0
Honest case: with A_1 = A_2 = A the product equals (A + P_0)^2 - X_α^2 and π X_ρ = (A + P_0)^2 - 1, so V(X) = 0
P_i(X) are linearly independent, well-chosen polynomials
Slide23
Soundness proof: idea
In GBGM we know constants a_{1i}, A_{1ρ}, … s.t. for X = (X, X_ρ, X_α, X_β, X_γ, X_sk):
  A_1(X) = Σ a_{1i} P_i(X) + A_{1ρ} X_ρ + A_{1α} (X_α + P_0(X)) + A_{11} P_0(X) + …
  A_2(X) = Σ a_{2i} P_i(X) + A_{2ρ} X_ρ + A_{2α} (-X_α + P_0(X)) + A_{21} + …
  π(X) = Σ π_i P_i(X) + π_ρ X_ρ + π_α (X_α + P_0(X)) + π_1 P_0(X) + …
(one unknown coefficient per CRS element, since a generic adversary can only form linear combinations of the CRS)
Verification equation states
  V(X) = (A_1(X) + X_α + P_0(X)) (A_2(X) - X_α + P_0(X)) - π(X) X_ρ - (1 - X_α^2) = 0
Goal: find all coefficients s.t. the verification equation is satisfied
CRS: ({[P_i(X)]_1}_i, [X_ρ]_1, [X_α + P_0(X)]_1, [P_0(X)]_1, …; {[P_i(X)]_2}_i, [X_ρ]_2, [-X_α + P_0(X)]_2, [1]_2, …)
Slide24
Solving system of pol. equations
Goal: find coefficients s.t. V(X) = 0
Step 1: V(X) = 0 iff each coefficient [X_α^j X_ρ^k …] V(X) = 0
This is a system of polynomial equations … and a nasty one, of more than 20 polynomial equations
Slide25
Slide26
Solving…
Too large a system for a simple human researcher…
Used a mixture of a computer algebra system and manual labor:
- Use linear independence of the P_i(X) to split some coefficients
- Construct a Gröbner basis of the system of polynomial equations   // needs(?) a CAS
- Solve the Gröbner basis   // can be done manually or by using a CAS
Obtain that A_i(X) = a_I P_I(X) ⇒ sound
Slide27
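The coefficient-extraction step of slides 16 to 18 and 24, carried out mechanically on a deliberately small argument, as an added example that is not the authors' code or CAS scripts. The argument it analyses is constructed for this example and is not the 1-sparsity argument: the CRS is [X^i]_1, [X_α X^i]_1 for i ≤ d and [1]_2, [X_α]_2, a generic adversary outputs [A]_1, [B]_1 as linear combinations of the G_1 CRS with unknown coefficients a_j, b_j, and the verifier checks e([B]_1, [1]_2) = e([A]_1, [X_α]_2), i.e. that V(X) = B(X) - X_α A(X) is the zero polynomial. The tiny polynomial class is plain Python with no CAS dependency; `coefficient_equations` is Step 1 (V = 0 iff every monomial coefficient vanishes), and `read_off_solution` shows the resulting "nice" solution: A has no X_α part and B = X_α A, so the adversary knows A's coefficients. This toy system is linear, which is why it can be solved by inspection; the 1-sparsity system on the slides is quadratic, which is where the Gröbner basis is needed.

```python
from collections import defaultdict


class Poly:
    """Sparse multivariate polynomial over Z.  A monomial is a tuple of (variable, exponent)
    pairs sorted by variable name; self.terms maps monomial -> non-zero integer coefficient."""

    def __init__(self, terms=None):
        self.terms = {m: c for m, c in (terms or {}).items() if c != 0}

    @staticmethod
    def const(c):
        return Poly({(): c})

    @staticmethod
    def var(name):
        return Poly({((name, 1),): 1})

    def __add__(self, o):
        t = dict(self.terms)
        for m, c in o.terms.items():
            t[m] = t.get(m, 0) + c
        return Poly(t)

    def __sub__(self, o):
        return self + Poly({m: -c for m, c in o.terms.items()})

    def __mul__(self, o):
        t = {}
        for m1, c1 in self.terms.items():
            for m2, c2 in o.terms.items():
                exps = dict(m1)
                for v, k in m2:
                    exps[v] = exps.get(v, 0) + k
                m = tuple(sorted(exps.items()))
                t[m] = t.get(m, 0) + c1 * c2
        return Poly(t)

    def __str__(self):
        out = []
        for mono, c in sorted(self.terms.items()):
            m = "*".join(v if k == 1 else f"{v}^{k}" for v, k in mono)
            out.append(str(c) if not m else {1: m, -1: "-" + m}.get(c, f"{c}*{m}"))
        return " + ".join(out) or "0"


def coefficient_equations(V, indeterminates):
    """Step 1 on the slides: V = 0 as a polynomial in the indeterminates iff the coefficient of
    every monomial in them vanishes.  Each coefficient is a polynomial in the adversary's
    unknowns, so the result is a system of equations keyed by the X-monomial it came from."""
    system = defaultdict(dict)
    for mono, c in V.terms.items():
        xpart = tuple((v, k) for v, k in mono if v in indeterminates)
        apart = tuple((v, k) for v, k in mono if v not in indeterminates)
        system[xpart][apart] = system[xpart].get(apart, 0) + c
    return {x: Poly(a) for x, a in system.items()}


def knowledge_system(d):
    """Toy 'knowledge' argument constructed for this example (not the 1-sparsity argument):
    CRS in G1: [X^i]_1 and [X_alpha X^i]_1 for i <= d; CRS in G2: [1]_2, [X_alpha]_2.
    A generic adversary outputs [A]_1, [B]_1 as linear combinations of the G1 CRS with unknown
    coefficients a_j, b_j, and the verifier checks e([B]_1, [1]_2) = e([A]_1, [X_alpha]_2),
    i.e. that V(X) = B(X) - X_alpha * A(X) is the zero polynomial."""
    X, Xa = Poly.var("X"), Poly.var("X_alpha")
    powers = [Poly.const(1)]
    for _ in range(d):
        powers.append(powers[-1] * X)
    crs1 = powers + [Xa * p for p in powers]
    A = sum((Poly.var(f"a{j}") * f for j, f in enumerate(crs1)), Poly.const(0))
    B = sum((Poly.var(f"b{j}") * f for j, f in enumerate(crs1)), Poly.const(0))
    return coefficient_equations(B - Xa * A, {"X", "X_alpha"})


def read_off_solution(system):
    """Every equation of this toy system is linear with one or two terms, so it is solved by
    inspection: a lone term forces that unknown to 0, a pair c*u - c*v forces u = v.  The
    1-sparsity system on the slides is quadratic, which is where the Groebner basis comes in.
    Returns (unknowns forced to 0, {unknown: the unknown it must equal})."""
    zero, equal = set(), {}
    for eq in system.values():
        terms = list(eq.terms.items())
        if len(terms) == 1:
            zero.add(terms[0][0][0][0])
        elif len(terms) == 2 and terms[0][1] + terms[1][1] == 0:
            u, v = sorted(m[0][0] for m, _ in terms)
            equal[v] = u
        else:
            raise ValueError(f"not a one- or two-term linear equation: {eq}")
    return zero, equal


if __name__ == "__main__":
    system = knowledge_system(2)
    for xmono, eq in sorted(system.items()):
        print("[" + " ".join(f"{v}^{k}" for v, k in xmono) + "] V:", eq, "= 0")
    print(read_off_solution(system))
```

For d = 2 the system has nine equations: the plain X^i coefficients force b_0 = b_1 = b_2 = 0, the X_α^2 X^i coefficients force the X_α part of A to vanish, and the X_α X^i coefficients force b_{3+i} = a_i. That is the "nice" shape the soundness proof needs: the adversary's [A]_1 is a combination of [X^i]_1 alone, with coefficients the generic model lets us read off.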
Thank you!