
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
Prastudy Fauzi, Helger Lipmaa, Michal Zajac
University of Tartu, Estonia
ASIACRYPT 2016

OUR RESULTS
▪ A new efficient CRS-based NIZK shuffle argument


  1. NON-GENERIC APPROACH
  (diagram) Assumption 1 (known), …, Assumption m (known) → Protocol; Generic Model → Assumption m+1 (new), …, Assumption m+m' (new) → Protocol
  ▪ Pro: nice if m' is not big, or most assumptions are well-known, or…
  ▪ Con: each arrow might mean a loss in efficiency

  3. GENERIC MODEL APPROACH
  (diagram) Generic Model → Protocol
  ▪ Con: a proof in the GGM is only for restricted adversaries
  ▪ Pro: only one arrow, thus a smaller loss in efficiency

  4. GENERIC BILINEAR GROUP MODEL
  ▪ Meta-assumption: the adversary only has access to
    ▪ group operations, the bilinear map, equality tests
  ▪ Each computed element in $G_i$ ($i = 1, 2$) is given by a group operation on two already known elements
  ▪ Recursively, the DL of each computed element is a known polynomial in some indeterminates
  ▪ Note: we do not handle $G_T$ as a generic group

  9. SOUNDNESS IN GBGM
  Notation: $[X] = g^X$
  ▪ Random variables (TTP): $X_1, \dots, X_s$
  ▪ Polynomials (TTP knows $X$): the CRS (TTP) consists of $\{[f_{1i}(X)]_1\}$ and $\{[f_{2i}(X)]_2\}$
  ▪ Linear combinations (only group operations): the outputs in the argument (adversary) are $\{[g_{1i}(X) = \sum_i a_{1i} f_{1i}(X)]_1\}$ and $\{[g_{2i}(X) = \sum_i a_{2i} f_{2i}(X)]_2\}$
  ▪ Quadratic tests (can use the bilinear map): the verifications (verifier) are $V_1(X) = \sum_{ij} b_{1ij} h_{1i}(X) h_{2j}(X) = 0$, …, $V_u(X) = \sum_{ij} b_{uij} h_{1i}(X) h_{2j}(X) = 0$, where $\{h_{ji}\} = \{f_{ji}, g_{ji}\}$

  14. SOUNDNESS IN GBGM
  ▪ The $j$-th verification equation ascertains $V_j(X) = 0$
  ▪ Solve the system of polynomial equations $\{V_j(X) = 0\}$ in the coefficients $a_{ji}$ chosen by the adversary
  ▪ Show that the solution's coefficients are "nice"
    ▪ = restricted to be as in the honest case

  18. INTUITION: CONSTRUCTING ARGUMENT
  ▪ Decomposing:
    ▪ Write down the main building blocks you need to prove in the argument
    ▪ Each "subargument" should be efficiently verifiable (by a single pairing)
    ▪ Ascertain that each subargument is sound independently
  ▪ CRS composition:
    ▪ Compose the CRS-s of the individual subarguments together, getting one big CRS

  24. INTUITION: CONSTRUCTING ARGUMENT
  ▪ Soundness check:
    ▪ Is the composed protocol sound?
    ▪ Subarguments get extra inputs in the CRS
    ▪ If not: introduce new random variables that guarantee CRS elements are used only in the correct subarguments; reiterate

  27. SUBARGUMENTS
  ▪ "Permutation matrix argument":
    ▪ Prover commits to a permutation; proves this is done correctly
  ▪ "Consistency argument":
    ▪ Prover proves she used the committed permutation to shuffle the ciphertexts
  ▪ "Validity argument":
    ▪ Prover proves each ciphertext has been formed "correctly"
    ▪ Correctly: so that the soundness proof goes through

  35. PERMUTATION MATRIX ARGUMENT
  ▪ Lemma. A matrix is a permutation matrix iff
    1. It is stochastic // rows sum to (1, …, 1)
    2. Each row is 1-sparse // at most one coefficient is non-zero
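The lemma on the PERMUTATION MATRIX ARGUMENT slide is what lets the shuffle argument prove "permutation matrix" by two separately verifiable subarguments. The following is an added example (not code from the slides or the paper) that checks the lemma by exhaustive search over small integer matrices; it reads "stochastic" as "the rows sum to the all-ones vector", i.e. every column sums to 1, and it also constructs two matrices showing that neither condition alone suffices.

```python
# Added example (not from the slides): the lemma behind the permutation-matrix
# argument, checked by brute force.  "Stochastic" is read as "the rows sum to
# the all-ones vector", i.e. every column sums to 1.
from itertools import product


def is_stochastic(M):
    """Rows sum to (1, ..., 1): each column of M sums to 1."""
    return all(sum(row[j] for row in M) == 1 for j in range(len(M[0])))


def is_one_sparse(row):
    """At most one coefficient of the row is non-zero."""
    return sum(1 for x in row if x != 0) <= 1


def passes_subarguments(M):
    """What the two subarguments together establish about the committed matrix."""
    return is_stochastic(M) and all(is_one_sparse(row) for row in M)


def is_permutation_matrix(M):
    """Direct definition: square 0/1 matrix with exactly one 1 per row and column."""
    n = len(M)
    if any(len(row) != n for row in M):
        return False
    if any(x not in (0, 1) for row in M for x in row):
        return False
    rows_ok = all(sum(row) == 1 for row in M)
    cols_ok = all(sum(M[i][j] for i in range(n)) == 1 for j in range(n))
    return rows_ok and cols_ok


def lemma_holds(n, values):
    """Exhaustively check that both predicates agree on every n x n matrix with
    entries drawn from `values` (a finite stand-in for the field)."""
    for flat in product(values, repeat=n * n):
        M = [list(flat[i * n:(i + 1) * n]) for i in range(n)]
        if passes_subarguments(M) != is_permutation_matrix(M):
            return False
    return True


# Constructed matrices showing that neither condition alone suffices.
STOCHASTIC_NOT_SPARSE = [[1, 1], [0, 0]]   # columns sum to 1, first row has two non-zeros
SPARSE_NOT_STOCHASTIC = [[2, 0], [0, 1]]   # every row 1-sparse, first column sums to 2

if __name__ == "__main__":
    print("lemma holds on 3x3 over {0,1,2}:", lemma_holds(3, (0, 1, 2)))
    print("lemma holds on 2x2 over {-2..2}:", lemma_holds(2, (-2, -1, 0, 1, 2)))
```

The counting argument the search confirms: 1-sparse rows give at most n non-zero entries, and a column summing to 1 needs at least one, so every column holds exactly one non-zero entry, which must then be 1.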

  37. 1-SPARSITY ARGUMENT
  ▪ Commitment: $P_i(X)$ are linearly independent, well-chosen polynomials
    $[A_i(X)]_i = [a_I P_I(X) + r X_\rho]_i$ // $i = 1, 2$
  ▪ Argument: // "square span programs"
    $[\pi(X)]_1 = [((a_I P_I(X) + P_0(X) + r X_\rho)^2 - 1) / X_\rho]_1$
  ▪ Verification equation:
    $V(X) := (A_1(X) + X_\alpha + P_0(X))(A_2(X) - X_\alpha + P_0(X)) - \pi(X) X_\rho - (1 - X_\alpha^2) = 0$

  44. SOUNDNESS PROOF: IDEA
  honest prover: $[A_i(X)]_i = [a_I P_I(X) + r X_\rho]_i$
  CRS: $(\{[P_i(X)]_1\}_i, [X_\rho]_1, [X_\alpha + P_0(X)]_1, [P_0(X)]_1, \dots, \{[P_i(X)]_2\}_i, [X_\rho]_2, [-X_\alpha + P_0(X)]_2, [1]_2, \dots)$
  ▪ In the GBGM we know constants $a_{1i}, A_{1\rho}, \dots$ s.t. for $X = (X, X_\rho, X_\alpha, X_\beta, X_\gamma, X_{sk})$
    $A_1(X) = \sum a_{1i} P_i(X) + A_{1\rho} X_\rho + A_{1\alpha}(X_\alpha + P_0(X)) + A_{11} P_0(X) + \dots$
    $A_2(X) = \sum a_{2i} P_i(X) + A_{2\rho} X_\rho + A_{2\alpha}(-X_\alpha + P_0(X)) + A_{21} + \dots$
    $\pi(X) = \sum \pi_i P_i(X) + \pi_\rho X_\rho + \pi_\alpha(X_\alpha + P_0(X)) + \pi_1 P_0(X) + \dots$
  ▪ The verification equation states
    $V(X) = (A_1(X) + X_\alpha + P_0(X))(A_2(X) - X_\alpha + P_0(X)) - \pi(X) X_\rho - (1 - X_\alpha^2) = 0$
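The SOUNDNESS IN GBGM slides and the SOUNDNESS PROOF: IDEA slide describe one mechanical step: write each adversarial element as a linear combination of CRS polynomials with unknown constants, expand the verification polynomial, and require every coefficient to vanish. The following is an added example (not code from the slides or the paper) that carries this through on the 1-sparsity verification equation with a small symbolic polynomial class. It assumes the last term of $V$ reads $(1 - X_\alpha^2)$ (the reading under which the honest case cancels), restricts the adversary's expansions to the CRS terms the slide displays with a single index $I$ in the sums (the elided "…" terms are dropped), and models $P_0(X)$ and $P_I(X)$ as free symbols, which is only valid for monomials in which they do not occur, so the equations it reads off are those for $X_\alpha^2$, $X_\rho^2$ and $X_\alpha X_\rho$.

```python
# Added example (not from the slides): the coefficient bookkeeping behind a GBGM
# soundness proof.  Every element the adversary outputs is a known linear
# combination of CRS elements, so its DL is a polynomial in the trapdoor
# indeterminates with adversary-chosen constants; V(X) = 0 must then hold as a
# polynomial identity, one equation per monomial in the indeterminates.
from collections import Counter, defaultdict

def _mul_mono(m1, m2):
    return tuple(sorted((Counter(dict(m1)) + Counter(dict(m2))).items()))

class Poly:
    """Integer-coefficient multivariate polynomial: {monomial: coeff}, where a
    monomial is a sorted tuple of (symbol, exponent) pairs."""

    def __init__(self, terms=None):
        self.terms = {m: c for m, c in (terms or {}).items() if c != 0}

    @staticmethod
    def sym(name):
        return Poly({((name, 1),): 1})

    @staticmethod
    def lift(x):
        return x if isinstance(x, Poly) else Poly({(): x})

    def __add__(self, other):
        out = defaultdict(int, self.terms)
        for m, c in Poly.lift(other).terms.items():
            out[m] += c
        return Poly(out)

    def __mul__(self, other):
        out = defaultdict(int)
        for m1, c1 in self.terms.items():
            for m2, c2 in Poly.lift(other).terms.items():
                out[_mul_mono(m1, m2)] += c1 * c2
        return Poly(out)

    __radd__, __rmul__ = __add__, __mul__

    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})

    def __sub__(self, other):
        return self + (-Poly.lift(other))

    def __rsub__(self, other):
        return Poly.lift(other) - self

    def __eq__(self, other):
        return self.terms == Poly.lift(other).terms

def mono_str(m):
    return "*".join(f"{s}^{e}" if e > 1 else s for s, e in m) or "1"

def collect(poly, indeterminates):
    """Group the terms of `poly` by their monomial in `indeterminates`; each
    group's value is a Poly in the remaining (adversary-chosen) symbols."""
    groups = defaultdict(dict)
    for m, c in poly.terms.items():
        key = tuple(t for t in m if t[0] in indeterminates)
        rest = tuple(t for t in m if t[0] not in indeterminates)
        groups[mono_str(key)][rest] = c
    return {k: Poly(v) for k, v in groups.items()}

# Indeterminates from the slides.  P_0, P_I stand in for the CRS polynomials
# P_0(X), P_I(X); treating them as free symbols is an assumption, safe only for
# monomials in which they do not occur.
X_rho, X_alpha, P0, PI = (Poly.sym(s) for s in ("X_rho", "X_alpha", "P_0", "P_I"))
INDETS = {"X_rho", "X_alpha", "P_0", "P_I"}

def verification_poly(A1, A2, pi):
    """V(X) of the 1-sparsity argument, last term read as (1 - X_alpha^2)."""
    return (A1 + X_alpha + P0) * (A2 - X_alpha + P0) - pi * X_rho - (1 - X_alpha * X_alpha)

def honest_residual():
    """Honest A_1 = A_2 = a_I*P_I + r*X_rho: the X_alpha terms cancel and V equals
    ((A + P_0)^2 - 1) - pi*X_rho, which the honest pi makes zero.  Returns both."""
    a_I, r, pi = Poly.sym("a_I"), Poly.sym("r"), Poly.sym("pi")
    A = a_I * PI + r * X_rho
    return verification_poly(A, A, pi), (A + P0) * (A + P0) - 1 - pi * X_rho

# Generic adversary restricted to the CRS terms displayed on the slides, with a
# single index I in the sums (assumption: the elided "..." terms are dropped).
A1a, A1r, A11, a1 = (Poly.sym(s) for s in ("A_1alpha", "A_1rho", "A_11", "a_1I"))
A2a, A2r, A21, a2 = (Poly.sym(s) for s in ("A_2alpha", "A_2rho", "A_21", "a_2I"))
pa, pr, p1, pI = (Poly.sym(s) for s in ("pi_alpha", "pi_rho", "pi_1", "pi_I"))

def adversary_equations():
    """Coefficient of each indeterminate monomial of V; all must vanish, e.g.
    'X_alpha^2' gives 1 - (A_1alpha + 1)(A_2alpha + 1) = 0."""
    A1 = a1 * PI + A1r * X_rho + A1a * (X_alpha + P0) + A11 * P0
    A2 = a2 * PI + A2r * X_rho + A2a * (-X_alpha + P0) + A21
    pi = pI * PI + pr * X_rho + pa * (X_alpha + P0) + p1 * P0
    return collect(verification_poly(A1, A2, pi), INDETS)

if __name__ == "__main__":
    V, residual = honest_residual()
    print("honest V == (A+P_0)^2 - 1 - pi*X_rho:", V == residual)
    for mono, eq in sorted(adversary_equations().items()):
        print(f"coefficient of {mono}: {eq.terms}")
```

Running it prints, among others, the equation for $X_\alpha^2$, namely $1 - (A_{1\alpha}+1)(A_{2\alpha}+1) = 0$, which the honest choice $A_{1\alpha} = A_{2\alpha} = 0$ satisfies; the proof on the slides continues by solving all such equations and showing the only solutions are the "nice" ones. A real proof must also handle the monomials involving $P_i(X)$, which requires the linear independence of the $P_i$ rather than the free-symbol model used here.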
