Zero-knowledge proofs of knowledge for group homomorphisms

Maurer, Ueli

doi:10.1007/s10623-015-0103-5

Cited by 18 publications

(25 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Indeed, in Section 4.1 we show how a malicious prover, based on the second round played by the verifier, can craft a false statement that will make the verifier accept and the extractor of special soundness fail even when the statement is true. The attack applies to the most commonly used Σ-protocols, such as Schnorr's protocol for discrete logarithm, the protocol for Diffie-Hellman (DH) tuples and the protocol of [MP03] for proving knowledge of committed messages, and to all Σ-protocols in the well known class proposed by Cramer in [CD98] and Maurer in [Mau15].…”

Section: Our Resultsmentioning

confidence: 99%

Online/Offline OR Composition of Sigma Protocols

Ciampi

Persiano

Scafuro

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Proofs of partial knowledge allow a prover to prove knowledge of witnesses for k out of n instances of NP languages. Cramer, Schoenmakers and Damgård [CDS94] provided an efficient construction of a 3-round public-coin witness-indistinguishable (k, n)-proof of partial knowledge for any NP language, by cleverly combining n executions of Σ-protocols for that language. This transform assumes that all n instances are fully specified before the proof starts, and thus directly rules out the possibility of choosing some of the instances after the first round. Very recently, Ciampi et al. [CPS + 16a] provided an improved transform where one of the instances can be specified in the last round. They focus on (1, 2)-proofs of partial knowledge with the additional feature that one instance is defined in the last round, and could be adaptively chosen by the verifier. They left as an open question the existence of an efficient (1, 2)-proof of partial knowledge where no instance is known in the first round. More in general, they left open the question of constructing an efficient (k, n)-proof of partial knowledge where knowledge of all n instances can be postponed. Indeed, this property is achieved only by inefficient constructions requiring NP reductions [LS90]. In this paper we focus on the question of achieving adaptive-input proofs of partial knowledge. We provide through a transform the first efficient construction of a 3-round public-coin witnessindistinguishable (k, n)-proof of partial knowledge where all instances can be decided in the third round. Our construction enjoys adaptive-input witness indistinguishability. Additionally, the proof of knowledge property remains also if the adversarial prover selects instances adaptively at last round as long as our transform is applied to a proof of knowledge belonging to the widely used class of proofs of knowledge described in [Mau15, CD98]. Since knowledge of instances and witnesses is not needed before the last round, we have that the first round can be precomputed and in the online/offline setting our performance is similar to the one of [CDS94]. Our new transform relies on the DDH assumption (in contrast to the transforms of [CDS94, CPS + 16a] that are unconditional). We also show how to strengthen the transform of [CPS + 16a] so that it also achieves adaptive soundness, when the underlying combined protocols belong to the class of protocols described in [Mau15, CD98].

show abstract

Section: Our Resultsmentioning

confidence: 99%

Online/Offline OR Composition of Sigma Protocols

Ciampi

Persiano

Scafuro

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Beyond Schnorr's Protocol. The works of Cramer [16], Cramer and Damgård [17], and Maurer [34,35] showed that a protocol (referred to as the Pre-Image Protocol ) for proving knowledge of a pre-image of a group homomorphism unifies and generalizes a large number of protocols in the literature. Classic Σ-protocols, such as Schnorr's protocol [42] and the Guillou-Quisquater protocol [29], are particular cases of this abstraction.…”

Section: Discussionmentioning

confidence: 99%

Improved OR-Composition of Sigma-Protocols

Ciampi

Persiano

Scafuro

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In [18] Cramer, Damgård and Schoenmakers (CDS) devise an OR-composition technique for Σ-protocols that allows to construct highly-efficient proofs for compound statements. Since then, such technique has found countless applications as building block for designing efficient protocols. Unfortunately, the CDS OR-composition technique works only if both statements are fixed before the proof starts. This limitation restricts its usability in those protocols where the theorems to be proved are defined at different stages of the protocol, but, in order to save rounds of communication, the proof must start even if not all theorems are available. Many round-optimal protocols ([21, 30,41,44]) crucially need such property to achieve round-optimality, and, due to the inapplicability of CDS's technique, are currently implemented using proof systems that requires expensive NP reductions, but that allow the proof to start even if no statement is defined (a.k.a., LS proofs from Lapidot-Shamir [31]). In this paper we show an improved OR-composition technique for Σ-protocols, that requires only one statement to be fixed when the proof starts, while the other statement can be defined in the last round. This seemingly weaker property is sufficient for the applications, where typically one of the theorems is fixed before the proof starts. Concretely, we show how our new OR-composition technique can directly improve the round complexity of the efficient perfect quasi-polynomial time simulatable argument system of Pass [38] (from four to three rounds) and of efficient resettable WI arguments (from five to four rounds).

show abstract

“…To recall, it relies on Groth-Sahai (GS) zero-knowledge proofs [20] together with pairing-based cryptographic primitives. Since the protocol is interactive anyway, we can replace GS proofs with more efficient interactive proofs, namely Sigma protocols [29]. Now we are not bound by the constraints of GS proofs anymore, in particular, pairing-free instantiations become possible.…”

Section: From Bba+ To Bbwmentioning

confidence: 99%

“…As already mentioned, for efficiency reasons we make use of sigma protocols for our ZK proofs. We make use of the generalized definition of a sigma protocol by Maurer [29] which is perfect special honest verifier zero-knowledge. We extend it by replacing the challenge with a Blum coin-toss to achieve perfect composable zero-knowledge as proposed by Damgård [16].…”

Section: Instantiationmentioning

confidence: 99%

See 1 more Smart Citation

Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices

Hoffmann

Klooß

Raiber

et al. 2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Black-box accumulation (BBA) is a building block which enables a privacy-preserving implementation of point collection and redemption, a functionality required in a variety of user-centric applications including loyalty programs, incentive systems, and mobile payments. By definition, BBA+ schemes (Hartung et al. CCS ‘17) offer strong privacy and security guarantees, such as unlinkability of transactions and correctness of the balance flows of all (even malicious) users. Unfortunately, the instantiation of BBA+ presented at CCS ‘17 is, on modern smartphones, just fast enough for comfortable use. It is too slow for wearables, let alone smart-cards. Moreover, it lacks a crucial property: For the sake of efficiency, the user’s balance is presented in the clear when points are deducted. This may allow to track owners by just observing revealed balances, even though privacy is otherwise guaranteed. The authors intentionally forgo the use of costly range proofs, which would remedy this problem.We present an instantiation of BBA+ with some extensions following a different technical approach which significantly improves efficiency. To this end, we get rid of pairing groups, rely on different zero-knowledge and fast range proofs, along with a slightly modified version of Baldimtsi-Lysyanskaya blind signatures (CCS ‘13). Our prototype implementation with range proofs (for 16 bit balances) outperforms BBA+ without range proofs by a factor of 2.5. Moreover, we give estimates showing that smart-card implementations are within reach.

show abstract

Zero-knowledge proofs of knowledge for group homomorphisms

Cited by 18 publications

References 17 publications

Online/Offline OR Composition of Sigma Protocols

Online/Offline OR Composition of Sigma Protocols

Improved OR-Composition of Sigma-Protocols

Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices

Contact Info

Product

Resources

About