New Techniques for Structural Batch Verification in Bilinear Groups with Applications to Groth-Sahai Proofs

Herold, Gottfried; Hoffmann, Max; Klooß, Michael; Ràfols, Carla; Rupp, Andy

doi:10.1145/3133956.3134068

Cited by 8 publications

(4 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the most efficient instantiation, the proof size is (3d + 2)|G 1 | + (d + 2)|G 2 | and naive verification requires to compute 3d pairings for the quadratic relations and 2(n 0 + 3d + 4) for the linear part, n d exponentiations in G 1 for the output. Using the "bilinear batching" techniques of Herold et al [21] the number of pairings can be reduced to n 0 + 3d + 4 for the linear part. Since the input is known in Z p , n 0 pairings in this part can be replaced by n 0 exponentiations in G T .…”

Section: Efficiencymentioning

confidence: 99%

“…First, one can observe that in fact since the input is known in Z p , the n 0 pairings can be replaced by exponentiations in G T . Second, using the "bilinear batching" techniques of [21] this is reduced to 7d + 3d + 4. Finally, using traditional batching techniques [6], the cost of verifying all the to GS equations can be reduced to d + 6, resulting in a total cost of 4d + 10 pairings (and O(n 0 + d) exponentiations).…”

Section: Adding Zero-knowledgementioning

confidence: 99%

See 1 more Smart Citation

Shorter Pairing-Based Arguments Under Standard Assumptions

González

Ràfols

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper constructs efficient non-interactive arguments for correct evaluation of arithmetic and boolean circuits with proof size O(d) group elements, where d is the multiplicative depth of the circuit, under falsifiable assumptions. This is achieved by combining techniques from SNARKs and QA-NIZK arguments of membership in linear spaces. The first construction is very efficient (the proof size is ≈ 4d group elements and the verification cost is ≈ 4d pairings and O(n + n + d) exponentiations, where n is the size of the input and n of the output) but one type of attack can only be ruled out assuming the knowledge soundness of QA-NIZK arguments of membership in linear spaces. We give an alternative construction which replaces this assumption with a decisional assumption in bilinear groups at the cost of approximately doubling the proof size. The construction for boolean circuits can be made zero-knowledge with Groth-Sahai proofs, resulting in a NIZK argument for circuit satisfiability based on falsifiable assumptions in bilinear groups of proof size O(n + d).Our main technical tool is what we call an "argument of knowledge transfer". Given a commitment C1 and an opening x, such an argument allows to prove that some other commitment C2 opens to f (x), for some function f , even if C2 is not extractable. We construct very short, constant-size, pairing-based arguments of knowledge transfer with constant-time verification for any linear function and also for Hadamard products. These allow to transfer the knowledge of the input to lower levels of the circuit.

show abstract

Section: Efficiencymentioning

confidence: 99%

Section: Adding Zero-knowledgementioning

confidence: 99%

Shorter Pairing-Based Arguments Under Standard Assumptions

González

Ràfols

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…For decryption, we need to check the equations. Using the probabilistic verification of [Her+17], we can reduce the number of pairings needed to compute to rougly 22 for NYUE and 29 for NYUE. We ignore the additional overhead, which is one (small) exponentiation per commitment and several per proof.…”

Section: Compilation For Nyue We Have Following Typed Equationsmentioning

confidence: 99%

(R)CCA Secure Updatable Encryption with Integrity Protection

Klooß

Lehmann

Rupp

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

An updatable encryption scheme allows a data host to update ciphertexts of a client from an old to a new key, given so-called update tokens from the client. Rotation of the encryption key is a common requirement in practice in order to mitigate the impact of key compromises over time. There are two incarnations of updatable encryption: One is ciphertext-dependent, i.e. the data owner has to (partially) download all of his data and derive a dedicated token per ciphertext. Everspaugh et al. (CRYPTO'17) proposed CCA and CTXT secure schemes in this setting. The other, more convenient variant is ciphertext-independent, i.e., it allows a single token to update all ciphertexts. However, so far, the broader functionality of tokens in this setting comes at the price of considerably weaker security: the existing schemes by Boneh et al. (CRYPTO'13) and Lehmann and Tackmann (EUROCRYPT'18) only achieve CPA security and provide no integrity protection. Arguably, when targeting the scenario of outsourcing data to an untrusted host, plaintext integrity should be a minimal security requirement. Otherwise, the data host may alter or inject ciphertexts arbitrarily. Indeed, the schemes from BLMR13 and LT18 suffer from this weakness, and even EPRS17 only provides integrity against adversaries which cannot arbitrarily inject ciphertexts. In this work, we provide the first ciphertext-independent updatable encryption schemes with security beyond CPA, in particular providing strong integrity protection. Our constructions and security proofs of updatable encryption schemes are surprisingly modular. We give a generic transformation that allows key-rotation and confidentiality/integrity of the scheme to be treated almost separately, i.e., security of the updatable scheme is derived from simple properties of its static building blocks. An interesting side effect of our generic approach is that it immediately implies the unlinkability of ciphertext updates that was introduced as an essential additional property of updatable encryption by EPRS17 and LT18. Encrypt-and-MAC (E&M, Sec. 3) Naor-Yung (NYUAE, Sec. 4) Confidentiality CCA RCCA Integrity ciphertext integrity plaintext integrity ReEnc algorithm deterministic probabilistic ReEnc oracle honestly derived ciphertexts only arbitrary ciphertexts

show abstract

“…For the verification of NIZK proofs, we assume batch verification techniques from (Herold et al 2017) to significantly speed up the verification process. Also note, that the number of operations needed for verification was generously estimated.…”

Section: Efficiencymentioning

confidence: 99%

P6V2G: a privacy-preserving V2G scheme for two-way payments and reputation

et al. 2019

Self Cite

View full text Add to dashboard Cite

The number of electric vehicles (EVs) is steadily growing. This provides a promising opportunity for balancing the smart grid of the future, because vehicle-to-grid (V2G) systems can utilize the batteries of plugged-in EVs as much needed distributed energy storage: In times of high production and low demand the excess energy in the grid is stored in the EVs' batteries, while peaks in demand are mitigated by EVs feeding electricity back to the grid. But the data needed for managing individual V2G charging sessions as well as for billing and rewards is of a highly personal and therefore sensitive nature. This causes V2G systems to pose a significant threat to the privacy of their users. Existing cryptographic protocols for this scenario either do not offer adequate privacy protection or fail to provide key features necessary to obtain a practical system. Based on the recent cryptographic toll collection framework P4TC, this work introduces a privacy-preserving but efficient V2G payment and reward system called P6V2G. Our system facilitates two-way transactions in a semi online and post-payment setting. It provides double-spending detection, an integrated reputation system, contingency traceability and blacklisting features, and is portable between EVs. The aforementioned properties are holistically captured within an established cryptographic security framework. In contrast to existing protocols, this formal model of a V2G payment and reward system allows us to assert all properties through a comprehensive formal proof.

show abstract

New Techniques for Structural Batch Verification in Bilinear Groups with Applications to Groth-Sahai Proofs

Cited by 8 publications

References 44 publications

Shorter Pairing-Based Arguments Under Standard Assumptions

Shorter Pairing-Based Arguments Under Standard Assumptions

(R)CCA Secure Updatable Encryption with Integrity Protection

P6V2G: a privacy-preserving V2G scheme for two-way payments and reputation

Contact Info

Product

Resources

About