Controlled-malleable SSE zero-knowledge proofs

High-level idea: the extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one.

The game: a simulated CRS σ is generated together with a simulation trapdoor τ_s and an extraction trapdoor τ_e. The adversary A is given σ and τ_e and has access to a simulation oracle: on a statement x_i it receives a simulated proof π_i (produced with τ_s), and x_i is recorded in the set Q. Finally A outputs (x, π), and the extractor, using τ_e, outputs (w, x′, T).

A wins if the proof verifies and x ∉ Q but
(1) w ≠ ⊥ but isn't a valid witness,
(2) (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q, x ≠ T(x′), or T is not in the class 𝒯, or
(3) (w, x′, T) = (⊥, ⊥, ⊥).

We call the proof CM-SSE (controlled malleable simulation sound extractable) if any PPT adversary A has at most negligible probability of winning this game.

If a proof is zero knowledge, CM-SSE, and strongly derivation private (like function privacy for encryption), then we call it a cm-NIZK.
Outline
- Cryptographic background
- Definitions
- cm-NIZK construction (this section): generic construction; efficient instantiation
- Applications
- Conclusions
How to construct cm-NIZKs

We will combine malleable NIWIPoKs with unforgeable signatures:

cm-NIZK(x, w) = NIWIPoK{(x, (w, x′, T, σ)) s.t. either (x, w) ∈ R, or Verify(vk, x′, σ) = 1, x = T(x′), and T is in 𝒯}

Proof sketch for CM-SSE: the simulation trapdoor is τ_s = sk. To simulate a proof for a queried statement x_i, sign x_i with sk to get σ and use the witness (⊥, x_i, id, σ), where id is the identity transformation; x_i is added to Q. When A outputs (x, π), run the extractor for the NIWIPoK on π to obtain (w, x′, T, σ).

A wins if (1) w ≠ ⊥ but isn't a valid witness, (2) (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q, x ≠ T(x′), or T is not in 𝒯, or (3) (w, x′, T) = (⊥, ⊥, ⊥). Each way of winning contradicts one of the two ingredients:
- w ≠ ⊥ but isn't a valid witness: violates extractability
- (x′, T) ≠ (⊥, ⊥) but x′ ∉ Q: violates unforgeability (σ verifies on a statement that was never signed)
- x ≠ T(x′): violates extractability
- T is not in 𝒯: violates extractability
- (w, x′, T) = (⊥, ⊥, ⊥): violates extractability
Instantiating this (relatively) efficiently

- For the NIWIPoK, we use Groth-Sahai proofs [GS08].
- For the signature, we need a structure-preserving signature [AFGHO10, CK11] to integrate with GS proofs (verifying the signature = verifying a set of pairing product equations); this means we can instantiate based solely on Decision Linear.
- The efficiency of our scheme hinges on the efficiency of the signature and on the representation of the transformation (which depends on the transformation).
- For the class of transformations, we need it to contain the identity (for simulation) and to be closed under composition (for compactness): given a proof for x = T_1(x′), the size won't increase for T_2(x) = T_2 ∘ T_1(x′).
- In the paper, we examine the many ways in which GS proofs are malleable.
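As an added illustration (not code from the paper or the talk), the following Python model encodes the CM-SSE winning predicate defined above, the assumption each winning clause contradicts in the generic construction, and the identity/composition requirement on the transformation class. The relation (knowing a square root mod a prime) and the class (multiplication by a square) are constructed toy choices, not ones from the paper.

```python
# Added example (not code from the paper or talk): a toy judge for the CM-SSE game
# and for which ingredient of the generic cm-NIZK construction each winning clause
# contradicts. Relation and transformation class are constructed toy choices:
#   R = {(x, w) : w^2 = x (mod P)}               (knowing a square root of x)
#   T = {T_a : x -> a^2 * x (mod P), 0 < a < P}   (maps witness w to witness a*w)
# Bottom (⊥) is modelled as None.
P = 1_000_003  # constructed prime modulus for the toy relation


def in_relation(x, w):
    """(x, w) in R iff w is a square root of x mod P."""
    return isinstance(w, int) and pow(w, 2, P) == x % P


def in_class(a):
    """T_a is in the class iff a is a non-zero field element."""
    return isinstance(a, int) and 0 < a < P


def apply_T(a, x):
    """T_a(x) = a^2 * x mod P."""
    return (a * a * x) % P


def compose(b, a):
    """T_b o T_a = T_{a*b}: the class contains the identity (a = 1) and is closed
    under composition, and the representation of a transformation (one field
    element) does not grow, which is what keeps mauled proofs compact."""
    return (a * b) % P


def adversary_wins(verifies, x, Q, w, x_prime, a):
    """Judge for the CM-SSE game. `verifies` is the verifier's verdict on (x, pi),
    Q the set of statements the simulation oracle was queried on, and
    (w, x_prime, a) the extractor's output (w, x', T_a). Returns (wins, violated),
    where `violated` names what the reduction would break in the generic
    construction: extractability of the NIWIPoK or unforgeability of the signature."""
    if not verifies or x in Q:
        return False, None
    if w is not None and not in_relation(x, w):          # clause (1)
        return True, "extractability"
    if (x_prime, a) != (None, None):                      # clause (2)
        if x_prime not in Q:
            return True, "unforgeability"                 # sigma verifies on an unqueried x'
        if not in_class(a) or x != apply_T(a, x_prime):
            return True, "extractability"
    if (w, x_prime, a) == (None, None, None):             # clause (3)
        return True, "extractability"
    return False, None
```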
Outline
- Cryptographic background
- Definitions
- cm-NIZK construction
- Applications (this section): boosting encryption security; compactly verifiable shuffles
- Conclusions
CM-CCA security

Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]). The adversary interacts with one of two worlds and must decide which world it is in.

Real world:
- KeyGen
- Enc(pk, m)
- Dec(sk, c)

Simulated world:
- SimKeyGen
- E(pk, m): c = SimEnc(pk, τ); add (m, c) to Q; return c
- D(sk, c): (c′, T) = SimExt(sk, c); if ∃ i s.t. c′ = c_i ∈ Q and T ∈ 𝒯, return T(m_i); else return Dec(sk, c)

We give a generic construction for achieving CM-CCA-secure encryption: just define Enc(pk, m) = (c, π), where c is an IND-CPA-secure ciphertext and π is a cm-NIZK.
A shuffle

Users encrypt their individual values to yield a public set of ciphertexts {c_i} (pictured: c_1, c_2, c_3, c_4, c_5).