Malleable Proof Systems and Applications (PowerPoint presentation)
Melissa Chase (MSR Redmond), Markulf Kohlweiss (MSR Cambridge), Anna Lysyanskaya (Brown University), Sarah Meiklejohn (UC San Diego)

Non-malleable cryptography
Twenty years ago, saw a strong emphasis on


Slide 8: Controlled-malleable SSE zero-knowledge proofs
High-level idea: the extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one.
[Game diagram: setup outputs (σ, τ_s, τ_e); the adversary A, given (σ, τ_e), queries statements x_i and receives simulated proofs π_i, with the queried statements recorded in Q; A outputs (x, π); the extractor, using τ_e, outputs (w, x′, T).]
A wins if the proof verifies and x ∉ Q but
  (1) w ≠ ⊥ but is not a valid witness,
  (2) (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q, x ≠ T(x′), or T is not in the class 𝒯, or
  (3) (w, x′, T) = (⊥, ⊥, ⊥).
We call the proof CM-SSE (controlled-malleable simulation-sound extractable) if any PPT adversary A has at most negligible probability of winning this game.
If a proof is zero knowledge, CM-SSE, and strongly derivation private (like function privacy for encryption), then we call it a cm-NIZK.

Slide 9: Outline
  Cryptographic background
  Definitions
  cm-NIZK construction
    Generic construction
    Efficient instantiation
  Applications
  Conclusions

Slide 10: How to construct cm-NIZKs
We will combine malleable NIWIPoKs with unforgeable signatures:
  cm-NIZK(x, w) = NIWIPoK{ (x, (w, x′, T, σ)) s.t. either (x, w) ∈ R, or Verify(vk, x′, σ) = 1, x = T(x′), and T ∈ 𝒯 }
[Game diagram: the simulation trapdoor is τ_s = sk; for each queried statement x_i (recorded in Q) the simulator answers with a proof π_i that uses the witness (⊥, x_i, id, σ); A outputs (x, π); the extractor for the NIWIPoK pulls out (w, x′, T, σ).]
A wins if (1) w ≠ ⊥ but is not a valid witness, (2) (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q, x ≠ T(x′), or T ∉ 𝒯, or (3) (w, x′, T) = (⊥, ⊥, ⊥).
Ruling out each case:
  w ≠ ⊥ but not a valid witness: violates extractability
  x ≠ T(x′): violates extractability
  T ∉ 𝒯: violates extractability
  (w, x′, T) = (⊥, ⊥, ⊥): violates extractability
  (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q: violates unforgeability

Slide 11: Instantiating this (relatively) efficiently
  For the NIWIPoK, we use Groth-Sahai proofs [GS08].
  For the signature, we need a structure-preserving signature [AFGHO10, CK11] to integrate with GS proofs (verifying a signature = verifying a set of pairing product equations); this means we can instantiate based solely on Decision Linear.
  The efficiency of our scheme hinges on the efficiency of the signature and on the representation of the transformation (which depends on the transformation).
  The class of transformations needs to contain the identity (for simulation) and be closed under composition (for compactness): given a proof for x = T_1(x′), the size won't increase for T_2(x) = T_2 ∘ T_1(x′).
  In the paper, we examine the many ways in which GS proofs are malleable.

Slide 12: Outline
  Cryptographic background
  Definitions
  cm-NIZK construction
  Applications
    Boosting encryption security
    Compactly verifiable shuffles
  Conclusions

Slide 13: CM-CCA security
Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]).
[Game diagram: the adversary must guess which world it is in.]
  Key generation: KeyGen in the real world, SimKeyGen in the simulated world.
  E(pk, m): c = Enc(pk, m) in the real world, c = SimEnc(pk, τ) in the simulated world; add (m, c) to Q; return c.
  D(sk, c): the real world returns Dec(sk, c); the simulated world computes (c′, T) = SimExt(sk, c) and, if ∃ i s.t. c′ = c_i ∈ Q and T ∈ 𝒯, returns T(m_i), else returns Dec(sk, c).
Give a generic construction for achieving CM-CCA-secure encryption: just define Enc(pk, m) = (c, π), where c is IND-CPA-secure and π is a cm-NIZK.
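The two requirements on the transformation class from the instantiation slide (it contains the identity and is closed under composition, so a composed transformation keeps a fixed-size representation) and the controlled mauling of ciphertexts behind CM-CCA, worked through on a concrete malleable scheme. This is an added example, not code from the talk or paper; ElGamal as the scheme, the toy parameters and all function names are assumptions.

```python
# Added example (not from the talk or paper): a toy ElGamal scheme over a
# constructed prime-order subgroup and a transformation class T of
# "re-randomize and multiply" maps. It shows the two requirements the
# instantiation slide places on T, identity and closure under composition,
# and that a composed transformation keeps the same fixed-size representation.
P = 1019   # constructed safe prime, P = 2*Q + 1 (toy size, not secure)
Q = 509    # prime order of the subgroup of quadratic residues mod P
G = 4      # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup

def keygen(sk):
    """Secret key sk in [1, Q); public key pk = g^sk."""
    return sk, pow(G, sk, P)

def enc(pk, m, r):
    """ElGamal with explicit randomness r; the plaintext m must lie in the subgroup."""
    return (pow(G, r, P), pow(pk, r, P) * m % P)

def dec(sk, c):
    """m = c2 * c1^(-sk); c1^(Q - sk) equals c1^(-sk) because c1 has order Q."""
    c1, c2 = c
    return c2 * pow(c1, (Q - sk) % Q, P) % P

# A transformation T = (r2, a) maps (c1, c2) to (c1 * g^r2, c2 * pk^r2 * a):
# it re-randomizes the ciphertext and multiplies the plaintext by a.
IDENTITY = (0, 1)

def in_class(T):
    """Membership test 'T in class': r2 a valid exponent, a a subgroup element."""
    r2, a = T
    return 0 <= r2 < Q and pow(a, Q, P) == 1

def apply_T(pk, T, c):
    r2, a = T
    c1, c2 = c
    return (c1 * pow(G, r2, P) % P, c2 * pow(pk, r2, P) * a % P)

def compose(T2, T1):
    """T2 o T1: randomness adds mod Q, multipliers multiply; still one pair (r, a)."""
    return ((T1[0] + T2[0]) % Q, T1[1] * T2[1] % P)

def demo():
    """Check identity, closure, composition and controlled mauling on constructed values."""
    sk, pk = keygen(123)
    m = pow(G, 7, P)                        # plaintext chosen inside the subgroup
    c = enc(pk, m, 45)
    T1, T2 = (17, pow(G, 3, P)), (200, pow(G, 11, P))
    T12 = compose(T2, T1)
    return {
        "identity_fixes_c": apply_T(pk, IDENTITY, c) == c,
        "class_closed": in_class(T1) and in_class(T2) and in_class(T12),
        "compose_matches": apply_T(pk, T12, c) == apply_T(pk, T2, apply_T(pk, T1, c)),
        "decrypts_to_T_of_m": dec(sk, apply_T(pk, T12, c)) == m * T1[1] * T2[1] % P,
        "outside_class_rejected": not in_class((5, 2)),  # 2 is a non-residue mod 1019
    }
```

The simulated decryption oracle on the slide answers a mauled ciphertext with T(m_i) only when T passes the class check, which is exactly the role in_class plays here.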

Slide 14: A shuffle
[Diagram: ciphertexts c_1, c_2, c_3, c_4, c_5.]
Users encrypt their individual values to yield a public set of ciphertexts {c_i}.
