DOI: 10.1007/978-3-031-48624-1_14
Article

Algebraic Group Model with Oblivious Sampling

Published: 29 November 2023

Abstract

In the algebraic group model (AGM), an adversary has to return, with each group element it outputs, a linear representation of that element in terms of the input group elements. In many groups it is easy to sample group elements obliviously, i.e. without knowing such a linear representation (for example by hashing into an elliptic curve). Since the AGM does not model this, it can be used to prove the security of spurious knowledge assumptions. We show that several well-known zk-SNARKs use such assumptions. We propose AGM with oblivious sampling (AGMOS), an AGM variant in which the adversary can access an oracle that samples group elements obliviously from some distribution. We show that AGM and AGMOS are different by studying the family of "total knowledge-of-exponent" assumptions: they are all secure in the AGM, but most are not secure in the AGMOS if the discrete logarithm (DL) assumption holds. We show an important separation in the case of the KZG commitment scheme. We show that many known AGM reductions go through also in the AGMOS, assuming a novel falsifiable assumption, TOFR.
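The distinction the abstract draws can be made concrete in a few lines of code. The following is an added illustration, not code from the paper: it implements secp256k1 arithmetic by hand (a plain prime-order curve with cofactor 1, chosen because it fits in a short script; the paper's KZG setting is a pairing-friendly group, but the AGM/AGMOS distinction is the same), a try-and-increment hash-to-curve as the oblivious sampler (a simplification standing in for the admissible encodings the paper's references treat; it is not constant time), and two adversaries. The AGM adversary outputs an element together with coefficients over its inputs. The AGMOS adversary additionally queries the sampling oracle and gives coefficients over inputs and oracle outputs. The scalar `secret`, the message passed to the oracle, and the coefficient values are constructed for the demo; the distribution of the oracle and the TOFR assumption from the paper are not modelled here.

```python
import hashlib

# secp256k1 domain parameters (standard constants). Cofactor is 1, so every
# point on the curve lies in the prime-order group generated by G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def hash_to_curve(msg):
    """Oblivious sampler: try-and-increment hashing (constructed stand-in for an
    admissible encoding). The caller gets a valid group element but learns no
    scalar relating it to G or to any other known point."""
    for ctr in range(256):
        h = hashlib.sha256(msg + bytes([ctr])).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        if pow(rhs, (P - 1) // 2, P) == 1:        # Euler's criterion: rhs is a square
            return (x, pow(rhs, (P + 1) // 4, P))  # square root, valid as P = 3 mod 4
    raise ValueError("no curve point found (probability about 2^-256)")


def representation_holds(bases, elem, coeffs):
    """The algebraic check: elem must equal sum(coeffs[i] * bases[i])."""
    acc = INF
    for c, b in zip(coeffs, bases):
        acc = add(acc, mul(c, b))
    return acc == elem


def agm_adversary(bases):
    """AGM adversary: every output comes with coefficients over its inputs."""
    coeffs = [3, 5]  # constructed values
    elem = add(mul(3, bases[0]), mul(5, bases[1]))
    return elem, coeffs


def agmos_adversary(bases):
    """AGMOS adversary: may also use an oracle-sampled Q and gives coefficients
    over inputs AND oracle outputs; it knows no scalar for Q itself."""
    q = hash_to_curve(b"constructed oracle query")  # oracle query
    coeffs = [2, 0, 7]  # constructed values
    elem = add(mul(2, bases[0]), mul(7, q))
    return elem, coeffs, [q]


def demo():
    secret = 0x1234  # constructed trusted-setup scalar, hidden from the adversary
    bases = [G, mul(secret, G)]
    z1, c1 = agm_adversary(bases)
    z2, c2, oracle_out = agmos_adversary(bases)
    return {
        "agm_rep_ok": representation_holds(bases, z1, c1),
        "oblivious_point_in_group": on_curve(oracle_out[0]),
        # A pure-AGM verifier has no slot for Q: dropping it rejects a perfectly
        # valid group element, which is the gap the AGM leaves unmodelled.
        "agm_check_without_oracle": representation_holds(bases, z2, c2[:2]),
        "agmos_rep_ok": representation_holds(bases + oracle_out, z2, c2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the AGM representation verifying for the algebraic adversary, the hashed point lying in the group, the AGM check failing for the AGMOS adversary's output (there are no coefficients for Q), and the AGMOS check succeeding once oracle outputs are admitted as bases. The point `Q` does have a discrete logarithm with respect to `G`, since the group is cyclic; the sampler simply never learns it, which is why an AGM "extractor" that assumes it can read off coefficients for every element is unjustified in groups with efficient hashing.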

Cited By

  • Polymath: Groth16 Is Not the Limit. Advances in Cryptology – CRYPTO 2024, pp. 170-206. DOI: 10.1007/978-3-031-68403-6_6. Online publication date: 18 August 2024
  • Constant-Size zk-SNARKs in ROM from Falsifiable Assumptions. Advances in Cryptology – EUROCRYPT 2024, pp. 34-64. DOI: 10.1007/978-3-031-58751-1_2. Online publication date: 26 May 2024
  • Lookup Arguments: Improvements, Extensions and Applications to Zero-Knowledge Decision Trees. Public-Key Cryptography – PKC 2024, pp. 337-369. DOI: 10.1007/978-3-031-57722-2_11. Online publication date: 15 April 2024

Published In

Theory of Cryptography: 21st International Conference, TCC 2023, Taipei, Taiwan, November 29–December 2, 2023, Proceedings, Part IV
November 2023, 550 pages
ISBN: 978-3-031-48623-4
DOI: 10.1007/978-3-031-48624-1
Editors: Guy Rothblum, Hoeteck Wee

Publisher

Springer-Verlag, Berlin, Heidelberg
Author Tags

1. admissible encoding
2. algebraic group model
3. elliptic-curve hashing
4. FindRep
5. KZG extractability
6. oblivious sampling