Batch Groth-Sahai

In 2008, Groth and Sahai proposed a general methodology for constructing non-interactive zeroknowledge (and witness-indistinguishable) proofs in bilinear groups. While avoiding expensive NP-reductions, these proof systems are still inefficient due to a number of pairing computations required for verification. We apply recent techniques of batch verification to the Groth-Sahai proof systems and manage to improve significantly the complexity of proof verification. We give explicit batch verification formulas for generic Groth-Sahai equations (whose cost is less than a tenth of the original) and also for specific popular protocols relying on their methodology (namely Groth’s group signatures and Belenkiy-Chase-Kohlweiss-Lysyanskaya’s P-signatures).

[1]  Marc Fischlin,et al.  A Closer Look at PKI: Security and Efficiency , 2007, Public Key Cryptography.

[2]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[3]  Jens Groth,et al.  A Non-interactive Shuffle with Pairing Based Verifiability , 2007, ASIACRYPT.

[4]  Manuel Blum,et al.  Proving Security Against Chosen Cyphertext Attacks , 1988, CRYPTO.

[5]  Jan Camenisch,et al.  Batch Verification of Short Signatures , 2007, Journal of Cryptology.

[6]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[7]  Bogdan Warinschi,et al.  Groth-Sahai proofs revisited , 2010, IACR Cryptol. ePrint Arch..

[8]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[9]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[10]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[11]  Jennifer Seberry,et al.  Identi cation of Bad Signatures in , 2006 .

[12]  Georg Fuchsbauer,et al.  Transferable Constant-Size Fair E-Cash , 2009, IACR Cryptol. ePrint Arch..

[13]  Hovav Shacham,et al.  Randomizable Proofs and Delegatable Anonymous Credentials , 2009, CRYPTO.

[14]  Brent Waters,et al.  Full-Domain Subgroup Hiding and Constant-Size Group Signatures , 2007, Public Key Cryptography.

[15]  Nigel P. Smart,et al.  On Computing Products of Pairings , 2006, IACR Cryptol. ePrint Arch..

[16]  Dan Boneh,et al.  Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups , 2008, Journal of Cryptology.

[17]  Matthew Green,et al.  Practical Short Signature Batch Verification , 2009, CT-RSA.

[18]  David M'Raïhi,et al.  Can D.S.A. be Improved? Complexity Trade-Offs with the Digital Signature Standard , 1994, EUROCRYPT.

[19]  Brent Waters,et al.  Compact Group Signatures Without Random Oracles , 2006, EUROCRYPT.

[20]  Jan Camenisch,et al.  Practical Group Signatures without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[21]  Amit Sahai,et al.  Ring Signatures of Sub-linear Size Without Random Oracles , 2007, ICALP.

[22]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.

[23]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[24]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[25]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[26]  Markulf Kohlweiss,et al.  Compact E-Cash and Simulatable VRFs Revisited , 2009, Pairing.

[27]  Markulf Kohlweiss,et al.  P-signatures and Noninteractive Anonymous Credentials , 2008, TCC.

[28]  Brian J. Matt Identification of Multiple Invalid Signatures in Pairing-Based Batched Signatures , 2009, Public Key Cryptography.