Group to Group Commitments Do Not ShrinkMasayuki ABEKristiyan HaralambievMiyako Ohkubo1ContentsIntroduction as long as Structure-Preserving SchemesMotivationState of the ArtStructure-Preserving Commitments (SPC)Lower Boundssize(commitment) >= size(message) (verification equations) >= 2 in Type-I groupsUpper Boundsconstructions with optimal expansion factor2/32Combination of Building BlocksEncryption, Signatures, Commitments, etc Zero-knowledge Proof Systemex) Proving possession of a valid signature without showing it.Extra RequirementsNon-interactive, Proof of knowledgeModular Protocol Design

NIZK in TheoryTranslate “Verify” functioninto a circuit. Then prove the correctness of I/O at every gate by NIZK.Very powerful tool. But not practical.Practical NIZKGroth-Sahai Proof System [GS08]Currently the only practical Non-Interactive Proof system.Works on bilinear groups.A Witness Indistinguishable Proof System (NIWI) as long as quadratic relations among witnesses.A Proof of Knowledge as long as relations represented by pairing product equations. (see next page)Pairing Product EquationBilinear GroupsZ=1 as long as ZKwitnesses must be base group elements as long as PoK

Structure-Preserving SchemesCryptographic schemes such as signatures, encryption, commitments, etc constructed over bilinear groups, in addition to public objects such as public-keys, messages, signatures, commitments, de-commitments, ciphertexts, in addition to etc., are group elements, in addition to relevant verifications such as signature verification, correct decryption, correct decommitment, evaluate pairing product equations.7/32Structure-Preserving SchemesProof SystemNIWI: [GS08]GS with Extra Properties: [BCCKLS09,Fuc11,CKLM12]Signature SchemesConstructions: [Gro06, GH08, CLY09, AFGHO10, AHO10, AGHO11, CK11]Bounds: [AGHO11, AGH11]CCA2 Public-Key Encryption[CKH11]Commitment SchemesConstructions: [Gro09, CLY09, AFGHO10, AHO10]8/32Structure-Preserving Commitments (SPC)9/32

Syntax10/32from the base group (Strict-SPC)SPC in the Literature11/32Question: Can Strict-SPC be shrinkingImpossibility Result (1)12/32The theorem holds as long as type-III groups as well.

Algebraic Algorithm13/32Alg.Alg. is not KEA Algebraic AlgorithmsClass of Reduction / ConstructionOften used as long as showing separationConsidered as “not overly restrictive”Positive consequence if avoidedKnowledge of Exponent AssumptionAssumption on adversariesOften used in security proofs as long as specific constructionsOften criticized as too strong since it is not falsifiableNegative impact if not hold14/32Proof Intuition (1/3)15/32

Proof Intuition (2/3)16/32Proof Intuition (3/3)17/32Impossibility Result (2)18/32

Optimal Constructions19/32Two New Strict-SPCs20/32All schemes are homomorphic in addition to trapdoor as well as previous schemes.Scheme 1 in Type-III Groups21/32

Security22/32DBP is implied by SXDH.SummaryUpper in addition to Lower Bounds as long as Strict-SPCStrict-SPC does not shrink!Bounds w.r.t. commitment size match each other except as long as small additive terms.Open IssuesGet rid of the additive terms, or show its impossibility.Do non-algebraic constructions help to get around the lower bound23/32Reduction24/32

Scheme 1 in Type-III Groups25/32Scheme 1 (Cont’d)26/32Bilinear Groups

