 Hello everyone. My name is Julia Kastner and I'm going to talk to you about how to instantiate the algebraic group model from falsifiable assumptions. This was joint work with Thomas Acricola and Dennis Hofreins and it was conducted at KIT. First off, what is the algebraic group model? The algebraic group model is a computational model that was introduced by Fuchs-Bauer Kielsen-Loss and in the algebraic group model we assume that when an adversary gets group elements as input and he also outputs a group element, he must know how to compute the output group element from the input group elements. So he must give us a representation vector that explains how to compute these elements, namely the representation vector set is going to be a vector of exponents such that if we take the inputs and exponentiate them with the vector set, then we get the output group element and this representation vector can be used in security reductions to compute some additional information, for example discrete logarithms. So a question we asked ourselves was how can we obtain such a representation set? So if we have a group, how do we get a representation from an adversary? And one answer to this question was already given, we can use a knowledge assumption. So if we have a group that satisfies a certain knowledge of exponent assumption, then we can use this assumption and use the extractor that comes from this assumption to extract a representation vector set from an adversary. However, knowledge assumptions are non-fossifiable and therefore this is quite a strong assumption to make about the group and we wanted to try and find a way to construct the algebraic group model without using such a non-fossifiable assumption. So we asked ourselves what if we only use falsifiable assumptions? How far can we get? And how close to the algebraic group model can we get? So here's an overview. We have something that we call an algebraic wrapper around a base group G and this algebraic wrapper allows us to extract a constant size representation which in turn allows us to transfer results from the algebraic group model. So how does this work? Well, we take our group element and we want to have a representation with each group element. The new group element is going to be an old group element with a representation. So first question to ask is well, what basis does this representation have? Because we can't have an adversary dependent representation when this is going to be our group structure. So we need a group basis. So we have some group elements from the base group that constitute our basis to which we will represent all the other group elements. So now the question is if we have an adversary that gets this representation vector, he might learn something here, right? So there might be discrete logarithms in this representation vector. We don't want the adversary to have this kind of information. So we need to hide the representation from the adversary. So what we do is we encrypt the representation and now the adversary can't read it anymore. At this point we can still do an addition because we can just use the homomorphic encryption scheme for example that will allow us to add representations together homomorphically. Another thing is the basis might also reveal something to the adversary. Like for example whether he's being played in a reduction or actually interacting with a proper challenger. So we want to somehow hide the basis. So we scrambled the basis up with some random exponents so that the adversary can't tell anymore which game he's playing because it always looks kind of random. Now we have these group elements that come with the representation to the scrambled up basis and the question is how does one know whether a group element that comes with some ciphertext is actually a valid group element so that ciphertext actually contains a valid representation not some random string or a not valid representation. So we want to have a proof that shows we have a valid representation and this is going to be a kneesic proof. So now we have a group element with a representation and a proof of consistency but now the question is can we still add these together because before we could do through homomorphic encryption but now we have a kneesic proof and we might need a witness to compute new kneesic proofs and for the witness we need secret information that we don't want the adversary to have. So we want to have some way for the adversary to compute new proofs for new group elements and the adversary is going to need a way to do this without having the secret information. So what we use is probabilistic IO and we're going to give the adversary a obfuscated circuit so that the adversary can't read secret information but he can still do the addition operation on group elements. So now we have something that looks like a group but it comes with these nonunique encodings so for the same group element we might have an encoding that contains one or the other representation or maybe it's computed with different encryption randomness. So now what time we hide in these nonunique encodings and one thing we can hide is the representation. So we have this property we call switching and switching means if we have two bases of the same so we have two bases and we have the same group element represented in each basis maybe differently maybe the same representation but the interesting part is of course if the representation is different depending on the bases. And we have these two scenarios scenario 0 and scenario 1 and we might have more than just one group element. We might have more group elements that change representation over the switching procedure. So we have these two scenarios and we want that the adversary can't tell the difference and as this is based on the NCPA security of the underlying encryption scheme this is a computational difference here so the adversary and a computationally bounded adversary is not supposed to be able to tell the difference and therefore we call this property k time switching because it matters how many group elements switch representations throughout this game. So we have k time switching a property that allows us to switch between games whether how the basis looks and how the group element looks internally. So how do we use the switching? Why is this necessary? Well let's look at an example so say we want to prove that computational Diffie-Hellman is hard in our constructed group if we assume that the discrete logarithm is hard in the underlying base group so we start off with a game where we have a basis consisting of a generator and two random group elements and now we represent all our challenge elements in the first component. In this scenario we need to know the discrete logarithm of all the challenge elements so we can't embed any discrete logarithm challenge but we want to embed a discrete logarithm challenge somewhere so that the adversary can help us solve our problem. So what we do is we take our basis and we switch it for one that actually contains our challenge elements so it contains the x and the y and now the x and the y in our constructed group are represented to this basis so they're just all unit vectors and now the representation is independent of the discrete logarithm which allows a security reduction to actually embed a discrete logarithm challenge in either challenge element and so when the adversary outputs a solution the reduction can just like in the algebraic group model use a representation that comes with this solution to compute a discrete logarithm and this is why the switching is relevant. Another thing that can happen in our group is well we have different ways to compute group elements one way is we have a representation and we construct the group element from scratch so this means we take first the representation times the basis to construct the group element part so the part that is an element from the base group and then we can encrypt the representation to get the ciphertext part and also we can compute the NISIC proof of consistency because we know the representation and we know how we encrypt it so we know the encryption randomness and with all these informations we can then actually get a group element from our constructed group and we call this process sampling so sampling is constructing a group element from scratch from a representation and another process we can get group elements from is the addition so if we already have some group elements and maybe they were generated through sampling maybe through addition and sampling we can add group elements together we have a new group element and we want this to look the same so if we have two group elements that were maybe constructed differently we want to have a re-randomization property a statistical re-randomization property that allows us to apply this re-randomization to one of the group elements and then even an unbounded adversary is not supposed to know which one it was in the first place so obviously this only since it's against an unbounded adversary it can only work if our group elements contain the same representation so we will need to watch out for this in security reductions so re-randomization is applied to group elements that already have the same representation but were maybe computed by different algorithms so we will see how this works in a few minutes now security reductions we want to implement a proof from the algebraic group model in our wrapper model what do we do well we take a proof by Fuchs-Bauer, Plovier, and so on in the algebraic group model for schnoz signatures and we're going to apply it in our model so we're going to apply their techniques on our group and schnoz signatures work like this you have a secret key which is an exponent and you have a public key which is a group element corresponding to this exponent and when you sign a message you want to have a random exponent for a group element and you hash the group element together with a measure message to receive a challenge such that you can compute an S that is just R plus the challenge times the secret key so you can compute this easily when you have the secret key it's hard or assumed to be hard when you don't have the secret key and so what you when you want to verify a signature you just check the equation that this group element corresponding to S is equal to R times X to the C so one thing to watch out for here in our wrapper group we have non-unique encodings so we need to make sure that the hash function always returns the same when we apply it to the same group element and we simply do this by using a unique identifier in our case this is the group element from the base group so we assume the base group at least has unique identifiers but the hash oracle is given the entire group element it just only respects the first part for its hash function so now how do how do I work with this what do we what is the trick in the algebraic group model well in the algebraic group model you get a representation of output group elements and the elements that are submitted to the hash function for generating signatures by the adversary so the adversary needs to ask the hash function for his signature then there is a representation with this group element but also later on the adversary gives us a forged signature and basically signatures also a representation because a signature has two exponents so an exponent vector the exponent S and an exponent C and so each signature is a representation as well and it's likely to be a different representation than the representation that was originally submitted to the hash oracle because at the time when the representation was submitted to the hash oracle the adversary didn't know what the response was going to be from the hash oracle so the C that comes from the hash oracle and so you can have a linear equation system and compute from there the discrete logarithm of the public key so we want to apply this technique in our algebraic wrapper this means we want to extract a representation we can do this if we have a secret key to our encryption scheme and also we want to simulate signatures so we need to find a way to make to generate signatures and generate group elements without knowing the discrete logarithm of our public key however our group elements come with additional information that normal group elements would not have and therefore we first need to do some additional steps until we get to the point where we can actually apply the techniques of fox power in our group so we need to switch the base of the group so that we can embed a discrete logarithm challenge in there and we can also we also need to switch a public key and the random elements so that their representations contain this discrete logarithm challenge and in between we need to construct group elements from addition instead of sampling and therefore we also need to apply the re-randomization so here's some further explanation how this works we start off with a base game where we have a base that is a generator and a random group element and we represent everything in the first component like before we already had this for CDH we represent everything in the first component we need to know the discrete logarithms at this point so we want to forget the discrete logarithms we want to be able to forget them so that we can embed a challenge however here we don't only need to switch a constant amount of elements we need to switch more than just a constant amount we need to switch Q of them and we want them to look like they would look in the signature like as if we constructed the same representation as in the signature for these random elements that are contained in the signatures that we give to the adversary so how do we do this well if we just switch Q times then we lose the tightness of the security reduction we don't want that so what we're going to do is we're going to find a way to only use one time switching and we call this origin elements so we take elements a constant amount of them in this case two and we construct everything else from them so in this case we have this C1 and C2 and we construct all the random elements from them by multiplication and with using the exponents that we would get from the signature as well and then when we switch to representation of the second origin element the representations of all the random elements also switch at the same time so we get Q switchings from actually just one switching so the reduction is still tight because we only applied one time switching so now here's how the steps look in the scheme we first introduce these origin elements and compute other elements by addition this is justified by the re-randomization procedure so what we want to do in the signature is because we don't know we don't program the random oracle yet we want to take a random R and submit this to the random oracle and then afterwards when we want an R to give to the adversary after we've received our random oracle challenge and computed the S then we're going to we're going to construct the R2 which we're going to give to the adversary that is constructed by addition so the element that the adversary sees is an constructed by addition element and the element he doesn't see is sampled normally so justified by re-randomization we now have origin elements next we switch the origin elements so we switch the representation here we switch the basis and here we have this Q to the price of one switching operation and now the second randomness element is actually represented in two components just and it contains the same representation as the signature would and now we can apply the techniques of Fuchs-Bauer et al to prove that there's a tight reduction between discrete logarithm in the base group and the Schnorr signature scheme in our constructed group and we're going to just now we can just really fill in their techniques we can just plug them into our scheme we keep track of representations that were submitted to the random oracle as all our group elements have representations and we avoid in the unlikely case that the adversary submits a representation that contains the exact same C that we later give him through the random oracle and since we swapped out the representations of our random element R2 we can actually now program the random oracle so we construct only the element R2 from the C and the S and we program the random oracle such that it will return us this exact same C that we used to construct the group element so now we no longer need to know the discrete logarithm of the public key so the secret key in order to generate signatures as long as this exact same query wasn't made to the random oracle before and we can't program it any longer but this is the same technique as Fuchs-Bauer et al used and so we have a proof in the algebraic wrapper from techniques from the algebraic group model and now as a brief summary of the results we have a wrapper group and this wrapper group allows for extraction of a constant sized representation and we can use this wrapper group in any in cases where the algebraic group model also only uses a constant sized representation for example this would be non-interactive Diffie-Hellman type assumptions and Schnorr signatures however this constant sized representation comes with some limitations so for example if we want to use a not constant sized assumption in the base group like Q type assumption or one more assumption where there's an oracle where the adversary gets to ask many questions through the oracle and then we would need to put all the answers to those queries into our base and we can't do that because it's a constant sized base so there might be an adversary that might exceed this base and then we have a problem. Another thing is some proofs from the algebraic group model use a certain asymmetry between reductions and the adversary so the adversary in the algebraic group model always has to give you some representation of his group element however a reduction when it gives a group element to the adversary it does not give him anything but the group element there's no no representation attached to it but in our group information theoretically there is a representation because it's I mean it's encrypted but it is there and so we don't have this information theoretic indistinguishability of group elements that we give to the adversary as a reduction and therefore we can't implement proofs that rely on this information theoretical indistinguishability like for example the BLS signature scheme so this is some restriction of our model maybe there's a way to extend our model in such a way that we can solve this another thing is that we have a group that wraps around another group and it would be interesting to figure out whether there's a possibility to construct a group from scratch that wraps not around some other group so this was it for my part you can find the full version at this link thank you for your attention and I hope to see you all at the conference