Tiramisu : Black-Box Simulation Extractable NIZKs in the Updatable - PowerPoint PPT Presentation

Tiramisu : Black-Box Simulation Extractable NIZKs in the Updatable CRS Model Karim Baghery 1,2 and Mahdi Sedaghat 1 1 imec-COSIC, KU Leuven, Leuven, Belgium 2 University of Tartu, Tartu, Estonia. karim.baghery@kuleuven.be ssedagha@esat.kuleuven.be ia.cr/2020/474 /4

Overview on Tiramisu & ( Sub. / Upd. ) NIZKs in the CRS Model: [PHGR13] Witness w [BCG+15, ABL+19] (x,w)  R L COCO [KZM+15 ] (CRS, TD) ← CRSGen ( 1 𝑜 , R L ) [Gro16] (stat, proof) [BFS16] proof ← Prove (CRS, stat, witness) { 1 , 0 } ← Verify (CRS, stat, proof) [ABLZ17] [Fuc18] U-nBB-SE U-BB-SE Sub-ZK U-ZK U-ZK [GM17, AB19] [GKM+18] U-BB-KS BB-SE nBB-SE U-nBB-KS [Bag19a] ZK [Bag19b] nBB-KS BB-KS Lamassu Sub : Subversion | U : Updatable [ARS20] SND BB : Black-Box | nBB : non-Black-Box Tiramisu ZK : Zero-knowledge | SND : Soundness | KS : Knowledge Sound | SE : Simulation Extractable [BS20] 2 /4 COSIC (Computer Security and Industrial Cryptography group)

Tiramisu: Building U-ZK and U-BB-SE NIZKs ( zk-SNARKs ) Tiramisu [BS20] Sub/U-ZK and U-nBB- U-ZK and U-BB-SE NIZK SE SNARK (e.g. [ARS20]) (SNARK) [Bag19a], [Bag19b], [ARS20]  Given a language 𝑴 with the NP relation 𝐒 𝑴 , define 𝑴′ s. t. ∈ 𝑺 𝑴 ′ iff: 𝑦, 𝑑, 𝑞𝑙 𝑗 , 𝑥, 𝑠 𝑑 = 𝐹𝑜𝑑(𝑞𝑙 𝑗 , 𝑥; 𝑠)) ሥ 𝑦, 𝑥 ∈ 𝑺 𝑴  Π enc ≔ KG, Enc, Dec is CPA secure public-key cryptosystem with updatable keys (pk i , sk i )  Updatable public-key cryptosystems: can be constructed from key-homomorphic encryption schemes [AHI11] (a variation of El-Gamal [ElG84] instantiated in the pairing-based groups)  Similar to updatable NIZK arguments [GKM+18] and updatable signatures [ARS20]  3 /4 COSIC (Computer Security and Industrial Cryptography group)

Tiramisu in Comparison with Current Constructions:  Upd. BB Sim. Ext. & Upd- ZK NIZKs (SNARKs) [Tiramisu, BS20]  Upd. nBB Sim. Ext. & Sub - ZK SNARK [Lamassu, ARS20]  nBB Sim. Ext. & Sub- ZK SNARK [Bag19b, Lip19] BB Sim. Ext. NIZKs (zk-SNARK) [KZM+15, Bag19a]  nBB Sim. Ext. zk-SNARK [GM17, BG18, AB19]  nBB Knowledge Sound zk-SNARKs [e.g. Gro16]  4 /4 COSIC (Computer Security and Industrial Cryptography group)

Thank You! karim.baghery@kuleuven.be ssedagha@esat.kuleuven.be /4

C ∅ C ∅ Framework : Building BB-SE NIZKs ( zk-SNARKs ) C ∅ C ∅ Framework (nBB Knowledge) Sound Black-Box Sim. Ext. NIZK (zk-SNARK) NIZK (zk-SNARK) [KZM+15]  Given a language 𝑴 with the corresponding NP relation 𝐒 𝑴 , defines a new language 𝑴′ such that ∈ 𝑺 𝑴 ′ iff: 𝑦, 𝑑, 𝜈, 𝑞𝑙 𝑡 , 𝑞𝑙 𝑓 , 𝜍 , 𝑥, 𝑠, 𝑠 0 , 𝑡 0 𝑑 = 𝐹𝑜𝑑(𝑞𝑙 𝑓 , 𝑥; 𝑠)) ሥ 𝑦, 𝑥 ∈ 𝑺 𝑴 ሧ 𝜈 = 𝑔 𝑡 0 𝑞𝑙 𝑡 ሥ 𝜍 = 𝐷𝑝𝑛(𝑡 0 , 𝑠 0 )  𝐹𝑜𝑑 (.) is a semantically secure encryption scheme, Simulation Sound or Black-Box 𝑡 0 . : 0,1 ∗ → 0,1 𝜇 is a PRF family,  𝑔 Extraction nBB Simulation Extractable  𝐷𝑝𝑛(. ) is a perfectly binding commitment scheme.  Used in several UC-secure protocols [Gro06]: Hawk [KMS+16], Gyges [JKS16], Ouroboros Crypsinous [KKKZ19], … 6 /4 COSIC (Computer Security and Industrial Cryptography group)

[ Bag 19b , ARS 20]: Building Sub-ZK & nBB-SE / U-nBB-SE zk-SNARKs [Bag19b] Sub-ZK & nBB-SE Sub-ZK and nBB Knowledge Sound SNARK e.g. [ABLZ17, Fuc18] SNARK [BG90, KZM+15]  Given a language 𝑴 with the corresponding NP relation 𝐒 𝑴 , define a new language 𝑴′ such that ∈ 𝑺 𝑴 ′ iff: 𝑦, 𝑑, 𝜈, 𝑞𝑙 𝑡 , 𝑞𝑙 𝑓 , 𝜍 , 𝑥, 𝑠, 𝑠 0 , 𝑡 0 𝑑 = 𝐹𝑜𝑑(𝑞𝑙 𝑓 , 𝑥; 𝑠)) ሥ 𝑦, 𝑥 ∈ 𝑺 𝑴 ሧ 𝜈 = 𝑔 𝑡 0 𝑞𝑙 𝑡 ሥ 𝜍 = 𝐷𝑝𝑛(𝑡 0 , 𝑠 0 ) [ARS20, Lamassu] Sub-ZK & U-nBB-SE Sub-ZK and Updatable nBB Knowledge Sound SNARK e.g. [GKM+18] SNARK [DS16, Bag19b]  Given a language 𝑴 with the corresponding NP relation 𝐒 𝑴 , defines a new language 𝑴′ such ∈ 𝑺 𝑴 ′ iff: that 𝑦, 𝑑𝑞𝑙, 𝑞𝑙 , 𝑥, 𝑑𝑡𝑙 − 𝑡𝑙 𝑦, 𝑥 ∈ 𝑺 𝑴 ሧ cpk = pk ⋅ 𝜈(csk − 𝑡𝑙)  (cpk, csk) of a key-homomorphic signature pk, sk of a one-time secure signature   𝜈: SK → 𝑄𝐿 (e.g. pk = 𝑕 sk ). 7 /4 COSIC (Computer Security and Industrial Cryptography group)