Aspectos legales

We summarize the relevant definitions and theorems from [11]. Most of what follows is taken verbatim from [11]. LetT = (Tx, Tw)be a pair of efficiently computablen-ary

functions,Tx:{{0,1}∗}n → {0,1}∗,Tw:{{0,1}∗}n → {0,1}∗. We refer to such a

tupleTas an n-ary transformation.

Definition 10 (Definition 2.1 of [11]).An efficient relationRis closed under ann-ary transformationT = (Tx, Tw)if for anyn-tuple{(x1, w1), . . . ,(xn, wn)} ∈ Rn, the

pair(Tx(x1, . . . , xn), Tw(w1, . . . , wn))∈ R. IfRis closed underT, then we say that

T is admissible forR. LetT be some set of transformations; if for everyT ∈ T,T is admissible forR, thenT is an allowable set of transformations.

We define amalleable proof system; i.e., one in which, from proofs(π1, . . . , πn)that

(x1, . . . , xn)∈L, one can compute a proofπthatTx(x1, . . . , xn)∈L, for an admissible

transformationT = (Tx, Tw):

Definition 11 (Definition 2.3 of [11]).Let(I,P,V)be a non-interactive proof system for a relationR. LetT be an allowable set of transformations forR. Then this proof system ismalleable with respect toT if there exists an efficient algorithmZKEvalthat on input(ω, T,{xi, πi}), whereT ∈ T is ann-ary transformation, andV(ω, xi, πi) = 1

for alli,1≤i≤n, outputs a valid proofπfor the statementx=Tx({xi})(i.e., a proof

πsuch thatV(ω, x, π) = 1).

Definition 12 (Definition 2.4 of [11]).For a non-interactive proof system(I,P,V,ZKEval) for an efficient relationRmalleable with respect toT , an adversaryA, and a bitb, let pb

A(κ)be the probability of the event thatb0= 0in the following game: – Step 1.ω←I(1κ_).

– Step 2.(state, x1, w1, π1, . . . , xq, wq, πq, T)←A(ω)

– Step 3. IfV(ω, xi, πi) = 0for somei,(xi, wi)6∈ Rfor somei, orT 6∈ T , abort

and output⊥. Otherwise, form π←

P(ω, Tx(x1, . . . , xq), Tw(w1, . . . , wq)) ifb= 0

ZKEval(ω, T,{xi, πi}) ifb= 1 – Step 4.b←A(state, π).

We say that the proof system is derivation private if for all PPT algorithmsAthere exists a negligible functionν(·)such that|¯p0_A(κ)−p1_A(κ)|< ν(κ).

Definition 13 (Definition 3.1 of [11]). Let N IZK = (I,P,V)be a NIZK proof of knowledge system for an efficient relationR, with a simulator(S0,S1)and an extractor Ext. LetT be an allowable set of unary transformations for the relationRsuch that membership inT is efficiently testable. LetAbe given, and consider the following game:

– Step 1.(ω, τsim, τext)←S0(1κ).

– Step 2.(x, π)←A(ω, τsim)SIM∗(ω, τsim,). – Step 3.(w, x0, T)←Ext(ω, τext, x, π).

Where the simulation oracleSIM∗takes as input a tuple(L, x)and outputs a simulated argumentS1(τsim, L, x). We say thatN IZKsatisfies controlled-malleable simulation-

sound extractability (CM-SSE, for short) if for all PPT algorithmsAthere exists a negligible functionν()such that the probability (over the choices ofS0,A, andSIM) thatV(ω, x, π) = 1and(x, π)6∈ Q(whereQis the set of queried statements and their responses) but either (1)w6=⊥and(x, w)6∈ R; (2)(x0, T)6= (⊥,⊥)and eitherx06∈ Qx(the set of queried instances),x6=Tx(x0), orT 6∈ T ; or (3)(w, x0, T) = (⊥,⊥,⊥)

is at mostν(κ).

Given a relation and a transformations set(R,T)and a set of labelsL, consider the following the followingextendedrelationship:

R0:={(x, L), w: (x, w)∈ R, L∈ L}

Consider the followingextendedtransformation set:

T0:={Tφ = (Tx, Ty) :Tx((x, L)) = (x, φ(L)), Tw(w) =w, φ∈ T }

Notice thatT0_{is set of allowable transformation forR}0_{, since for any((x, L), w)in} R0_{and any transformationT}

φ∈ T0whereφ∈ T the element((x, φ(L)), w)is inR0.

Given a CM-NIZKN IZK0 = (I0,P0,V0,ZKEval)for the relationsR0 _{and the set of} transformationT0_{we construct a lM-NIZKN IZK= (I,P,V,LEval)for the relation} Rwith labels setLand trasformationT:

– I(1κ_{): Same asI}0₍₁κ_).

– PL_{(ω, x, w): Setx}0_{:= (x, L)and returnP}0_{(ω, x}0_{, w).}

– VL_{(ω, x, π): Setx}0 _{:= (x, L)and returnV}0_{(ω, x}0_{, π).}

– LEval(ω, φ,(x, L, π)): Setx0:= (x, L)and returnZKEval(ω, Tφ,(x0, π)). Theorem 6. For anyNP relationRand set of label transformationsT, ifN IZK0is a CM-NIZK for the relationR0_{with allowable set of transformationT}0_{, it is derivation} private and it satisfies controlled-malleable simulation extractability thenN IZKis a lM-NIZK for the relationRand it is labele-derivation private and it isT-malleable label simulation extractable.

Notice that the transformation from CM-NIZK to lM-NIZK is mostly syntatic. We simple add the label as part of the instance and, apart of this, we can see CM-NIZK as a generalization of lM-NIZK.

We consider the set of relations and tranformations for which we can use Groth-Sahai proofs to construct CM-NIZK:

Definition 14 (Definition C.1 of [11]).For a relationRand a set of transformationsT on the set of labelsL, we say(R,T)isCM-friendlyif the following six properties hold:

1. Representable statements:any instance and witness of Rcan be represented as a set of group elements; i.e., there are efficiently computable bijectionsFs :

LR → Gdsis for someds andis,Fw : WR → Gdwid for somedwandiw where

LR:={x|∃w: (x, w)∈ R}andLR:={w|∃x: (x, w)∈ R}.

2. Representable transformations:any transformation inT can be represented as a set of group elements; i.e., there is an efficiently computable bijectionFt:T →Gditt

for somedtand someit.

3. Provable statements:we can prove the statement(x, w) ∈ R(using the above representation forxandw) using pairing product equations; i.e., there is a pairing product statement that is satisfied byFs(x)andFw(w)iff(x, w)∈ R.

4. Provable transformations:we can prove the statement “Tx(x0) =x∧T ∈ T”

(using the above representations forx, x0andT) using a pairing product equation, i.e. there is a pairing product statement that is satisfied byFt(T), Fl(L), Fl(L0)iff

T ∈ T ∧ Tx(x0) =x.

5. Transformable statements:for anyT ∈ T , there is a valid transformations(T) that takes the statement “(x, w)∈ R” (phrased using pairing products as above) and produces the statement “(Tx(x), Tw(w))∈R”.

6. Transformable transformations:for anyT, T0∈ T there is a valid transformation t(T)that takes the statement “Tx(x0) = x∧ T ∈ T” (phrased using pairing

products as above) and produces the statement “(T0◦T)(x0) =T(x)∧ (T0◦T)∈ T”, and preserves the variables inx0.

Definition 15 (Definition B.2. of [11]).We say a valid transformation T preserves X1, . . . Xn if it can be expressed as a set of basic operations which does not include

RemoveVar(Xi)for anyi∈[n]

Theorem 7 (Theorem 4.6 of [11]).If DLIN holds, then we can construct a cm-NIZK that satisfies derivation privacy for any CM-friendly relation and transformation set (R,T).

We are ready to prove Theorem 3 of Section 5.

Proof (of Thm. 3). Given a LM-friendly relation and trasformation set(R,T)whereT is a set of label transformations for the set of labelsL, we show that the extended sets (R0_,T0_{)as defined above are CM-friendly. The theorem follows by Thm. 7. Notice that}

points 2,3,6 of Def. 14 match points 2,3,5 of Def. 8.

Representable statements: Let((x, L), w)be an instance forR0_{, by our hypothesis on} (R,T)there exist efficiently computable bijectionsFs:L →Gdsis,Fl:L →Gdlil

andil = is. So we can define an efficiently computable bijectionFs0(x, L) :=

(Fs(x), Fl(x)).

Transformable statements: Given a transformationT∈ T0_{there exists a label trans-} formationφ ∈ T such that Tx((x, L)) := (x, φ(L)) andTw(w) := w where

takes the statement “((x, L), w)∈ R0_{” (phrased using pairing products) and pro-} duces the statement “((x, φ(L)) ∈ R0_{. By definition ofR}0 _{the pairing products} for “((x, L), w)∈ R0_{” do not involves variablesF}

l(L), therefore lets(T)be the

identity function. Notice that the transformation does not remove any variables ofL.