Complex Zero-Knowledge Proofs of Knowledge Are Easy to Use
Related papers
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting
Lecture Notes in Computer Science, 2014
Since their introduction in 1985 by Goldwasser, Micali and Rackoff, followed by Feige, Fiat and Shamir, zero-knowledge proofs have played a significant role in modern cryptography: they allow a party to convince another party of the validity of a statement (proof of membership) or of its knowledge of a secret (proof of knowledge). Cryptographers frequently use them as building blocks in complex protocols since they offer quite useful soundness features, which exclude cheating players. In most modern telecommunication services, the execution of these protocols involves a prover on a portable device with limited capacities, namely a distinct trusted part and a more powerful part. The former thus has to delegate some computations to the latter. However, since the latter is not fully trusted, it should not learn any secret information. This paper focuses on proofs of knowledge of discrete logarithm relation sets (DLRS), and the delegation of some of the prover's computations, without leaking any critical information to the delegatee. We will achieve various efficient improvements ensuring perfect zero-knowledge against the verifier and partial zero-knowledge, but still reasonable in many contexts, against the delegatee.
Linear zero-knowledge---a note on efficient zero-knowledge proofs and arguments
Proceedings of the twenty-ninth annual ACM symposium on Theory of computing - STOC '97, 1997
We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x ∈ L with error probability less than 2^{-k} using communication corresponding to O(|x|^c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also present a 4-move perfect zero-knowledge interactive argument for any NP language L. On input x ∈ L, the communication complexity is O(|x|^c) · max(k, l) bits, where l is the security parameter for the prover (see footnote 1). Again, the protocol can be based on any bit commitment scheme with a particular set of properties. We suggest efficient implementations based on discrete logarithms or factoring. We present an application of our techniques to multiparty computations, allowing for example t committed oblivious transfers with error probability 2^{-k} to be done simultaneously using O(t + k) commitments. Results for general computations follow from this. As a function of the security parameters, our protocols have the smallest known asymptotic communication complexity among general proofs or arguments for NP. Moreover, the constants involved are small enough for the protocols to be practical in a realistic situation: both protocols are based on a Boolean formula Φ containing and-, or- and not-operators which verifies an NP-witness of membership in L. Let n be the number of times this formula reads an input variable. Then the communication complexity of the protocols when using our concrete commitment schemes can be more precisely stated as at most 4n + k + 1 commitments for the interactive proof and at most 5nl + 5l bits for the argument (assuming k ≤ l). Thus, if we use k = n, the number of commitments required for the proof is linear in n. Both protocols are also proofs of knowledge of an NP-witness of membership in the language involved.
* Basic Research in Computer Science, Centre of the Danish National Research Foundation.
1 The meaning of l is that if the prover is unable to solve an instance of a hard problem of size l before the protocol is finished, he can cheat with probability at most 2^{-k}.
Efficient Zero-Knowledge Proofs of Knowledge without Intractability Assumptions
Public Key Cryptography, 2000
We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4 moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely on intractability assumptions.
Zero-Knowledge Proofs from Secure Multiparty Computation
SIAM Journal on Computing, 2009
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w), which makes only a black-box use of any secure protocol for a related multiparty functionality f. The latter protocol is required only to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming that one-way functions exist, we get the following types of zero-knowledge proof protocols: (1) Approaching the witness length. If C has constant depth over ∧, ∨, ⊕, ¬ gates of unbounded fan-in, we get a zero-knowledge proof protocol with communication complexity m · poly(k) · polylog(s), where k is a security parameter. (2) "Constant-rate" zero-knowledge. For an arbitrary circuit C of size s and a bounded fan-in, we get a zero-knowledge protocol with communication complexity O(s) + poly(k, log s). Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the O(ks) complexity of the best previous protocols.
Strengthening Zero-Knowledge Protocols Using Signatures
Journal of Cryptology, 2005
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper, we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any Σ-protocol (which is honest-verifier zero-knowledge) into an unbounded simulation sound concurrent zero-knowledge protocol. We also introduce Ω-protocols, a variant of Σ-protocols for which our technique further achieves the properties of non-malleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather inefficient. Indeed, our technique allows for very efficient instantiation based on the security of some efficient signature schemes and standard number-theoretic assumptions. For instance, one instantiation of our technique yields a universally composable zero-knowledge protocol under the Strong RSA assumption, incurring an overhead of a small constant number of exponentiations, plus the generation of two signatures.
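Several of the abstracts above (the DLRS proofs of knowledge in the delegation paper, the "three-move honest-verifier zero-knowledge proof of knowledge of discrete logarithms" in the intractability-free paper, and the Σ-protocols that the signature-based transformation takes as input) all refer to the same object. Schnorr's protocol is the canonical instance; the block below is an added example written for this page, not code from any of the listed papers, and it uses a constructed 10-bit group so the arithmetic is readable. It runs the three moves, then shows the two properties the abstracts rely on: an HVZK simulator that fabricates accepting transcripts without the secret, and a special-soundness extractor that recovers the secret from two transcripts on the same commitment. The hashed-challenge functions at the end apply the standard Fiat-Shamir transformation, which is my addition and not something the abstracts describe.

```python
"""Schnorr's three-move Sigma-protocol: proof of knowledge of a discrete log.

Added example, not code from any paper listed on this page. The prover
knows x with y = G^x mod P and convinces the verifier of that, and nothing
else. simulate() demonstrates honest-verifier zero-knowledge, extract()
demonstrates special soundness (hence "proof of knowledge").
"""
import hashlib
import secrets

# Toy group parameters (constructed for readability, NOT a secure size):
# P = 2Q + 1 is a safe prime and G = 4 generates the order-Q subgroup of Z_P^*.
# A deployment would use a 2048-bit-or-larger P or an elliptic-curve group.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1, "G must have prime order Q"


def keygen():
    """Secret x in [1, Q-1] and public y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- the three moves ---------------------------------------------------------
def prover_commit():
    """Move 1 (P -> V): fresh randomness r and commitment a = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2 (V -> P): uniformly random challenge e in Z_Q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, e):
    """Move 3 (P -> V): z = r + e*x mod Q. Reusing r across runs leaks x."""
    return (r + e * x) % Q


def verify(y, a, e, z):
    """Accept iff G^z == a * y^e (mod P)."""
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def interactive_proof(x, y):
    """One honest execution; returns the transcript and the verdict."""
    r, a = prover_commit()
    e = verifier_challenge()
    z = prover_respond(x, r, e)
    return (a, e, z), verify(y, a, e, z)


# --- why it is zero-knowledge and a proof of knowledge ----------------------
def simulate(y):
    """HVZK simulator: an accepting transcript built WITHOUT x.

    Pick e and z first, then solve for a = G^z * y^(-e). Real transcripts
    also have uniform e and uniform z with a determined by them, so both
    distributions coincide: the transcript carries no information about x.
    """
    e = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pow(y, e, P), -1, P)) % P
    return a, e, z


def extract(a, e1, z1, e2, z2):
    """Special soundness: two accepting transcripts that share commitment a
    but have e1 != e2 yield x = (z1 - z2) / (e1 - e2) mod Q. A prover who can
    answer two challenges on one commitment therefore knows x; guessing the
    single challenge in advance succeeds only with probability 1/Q."""
    assert e1 % Q != e2 % Q
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


# --- non-interactive variant (Fiat-Shamir transformation, my addition) ------
def fs_challenge(y, a):
    """Challenge derived by hashing the statement and the commitment."""
    data = b"%d|%d|%d|%d" % (P, G, y, a)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def fs_prove(x, y):
    r, a = prover_commit()
    e = fs_challenge(y, a)
    return a, prover_respond(x, r, e)


def fs_verify(y, a, z):
    return verify(y, a, fs_challenge(y, a), z)
```

The two "why" functions are the whole story of the abstracts: simulate() is what makes a transcript worthless to the verifier, and extract() is what turns "the verifier accepted" into "the prover knows x". Note the operational caveat in prover_respond(): the same r with two different challenges is exactly the input extract() needs, so a prover that reuses randomness hands out its key.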
Zero knowledge proofs of identity
1987
In this paper we extend the notion of zero knowledge proofs of membership (which reveal one bit of information) to zero knowledge proofs of knowledge (which reveal no information whatsoever). After formally defining this notion, we show its relevance to identification schemes, in which parties prove their identity by demonstrating their knowledge rather than by proving the validity of assertions. We describe a novel scheme which is provably secure if factoring is difficult and whose practical implementations are about two orders of magnitude faster than RSA-based identification schemes. In the last part of the paper we consider the question of sequential versus parallel executions of zero knowledge protocols, define a new notion of "transferable information", and prove that the parallel version of our identification scheme (which is not known to be zero knowledge) is secure since it reveals no transferable information.
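The factoring-based identification scheme the abstract refers to is usually presented with k secrets proved in parallel over t rounds. The block below is an added example, not the paper's own code: it implements the basic Fiat-Shamir form (public v_j = s_j^2 mod n, omitting the ±1 sign refinement of the Feige-Fiat-Shamir paper) over a constructed toy modulus, and it includes the guessing attack that bounds a cheating prover at 2^{-k} per round, so the 2^{-kt} figure can be checked empirically rather than taken on faith.

```python
"""Fiat-Shamir identification: k square-root secrets, t rounds, factoring-based.

Added example, not code from the paper above. Basic variant with public
v_j = s_j^2 mod N (the +/-1 sign refinement of Feige-Fiat-Shamir is
omitted). Recovering the s_j from the v_j alone is as hard as factoring N.
"""
import math
import secrets

# Toy modulus (constructed, NOT a secure size): N = product of two small primes.
P_FACTOR, Q_FACTOR = 1009, 1013
N = P_FACTOR * Q_FACTOR
K = 4  # secrets per identity = challenge bits per round
T = 5  # rounds; a guessing impersonator passes all with probability 2^-(K*T)


def keygen(k=K):
    """Secrets s_j coprime to N; public key v_j = s_j^2 mod N."""
    secret = []
    while len(secret) < k:
        s = secrets.randbelow(N - 2) + 2
        if math.gcd(s, N) == 1:
            secret.append(s)
    return secret, [pow(s, 2, N) for s in secret]


def prover_commit():
    """Move 1: random r, commitment x = r^2 mod N."""
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)


def verifier_challenge(k=K):
    """Move 2: k random bits, one per secret."""
    return [secrets.randbits(1) for _ in range(k)]


def prover_respond(secret, r, bits):
    """Move 3: y = r * prod(s_j for selected j) mod N."""
    y = r
    for s, b in zip(secret, bits):
        if b:
            y = (y * s) % N
    return y


def verify_round(public, x, bits, y):
    """Accept iff y^2 == x * prod(v_j for selected j) (mod N)."""
    rhs = x
    for v, b in zip(public, bits):
        if b:
            rhs = (rhs * v) % N
    return pow(y, 2, N) == rhs


def identify(secret, public, rounds=T):
    """Full honest run: T sequential rounds, all of which must pass."""
    for _ in range(rounds):
        r, x = prover_commit()
        bits = verifier_challenge(len(public))
        if not verify_round(public, x, bits, prover_respond(secret, r, bits)):
            return False
    return True


def impersonate_round(public, guessed_bits):
    """Cheat without secrets by guessing the challenge in advance:
    x = r^2 * prod(v_j^-1 for guessed j), y = r. The check then passes iff
    the real challenge equals the guess, i.e. with probability 2^-K."""
    r = secrets.randbelow(N - 2) + 2
    x = pow(r, 2, N)
    for v, b in zip(public, guessed_bits):
        if b:
            x = (x * pow(v, -1, N)) % N
    return x, r


def impersonation_success_rate(public, trials=2000):
    """Empirical per-round success of the guessing attack; expect about 2^-K."""
    wins = 0
    for _ in range(trials):
        guess = verifier_challenge(len(public))
        x, y = impersonate_round(public, guess)
        if verify_round(public, x, verifier_challenge(len(public)), y):
            wins += 1
    return wins / trials
```

The attack function is the reason the verifier's bits must be unpredictable and must arrive only after the commitment: a verifier that reuses challenge bits, or a prover that can see them before sending x, collapses the 2^{-kt} bound to certainty.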
Practical zero-knowledge proofs: Giving hints and using deficiencies
Journal of Cryptology, 1991
New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be super-polynomial in power. A probabilistic polynomial time prover with the appropriate trap-door knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one.
A Survey of Zero-Knowledge Proof for Authentication
Zero-knowledge proofs are cryptographic protocols which do not disclose the information or secret itself during the protocol. Zero-knowledge proofs play an important role in the design of cryptographic protocols. Zero-knowledge protocols can be applied to authentication, identification, key exchange and other basic cryptographic operations. Zero-knowledge proofs have been implemented without exposing any secret information during the conversation and with smaller computational requirements than comparable public key protocols. Most cryptographic problems can be solved with the help of zero-knowledge protocols, as well as with cryptography. Zero-knowledge protocols can be the best solution on many occasions. Zero-knowledge proof protocols are very lightweight, so they require less memory. Thus zero-knowledge protocols are widely used, especially in authentication. This paper presents an overview of zero-knowledge protocols used for authentication, identification and key exchange.
Zero-Knowledge Protocols Based on Public-Encryption
International Journal of Innovation and Applied Studies, 2015
The paper considers the design of two-step zero-knowledge protocols of two different types: 1) protocols based on public encryption, 2) protocols based on a public key agreement scheme. The novelty of the proposed design for the first type of protocol consists in using specified labels that are embedded in the encrypted message. Thanks to the labels, the proposed design avoids hash functions and provides higher performance and cheaper hardware implementation. The paper describes protocols implemented using the El-Gamal, Rabin, and RSA public-encryption algorithms. Details of the protocol design, which depend on the public-encryption algorithm used, are discussed. The novelty of the proposed design for the second type of protocol consists in using a public key agreement scheme.
On the communication complexity of zero-knowledge proofs
Journal of Cryptology, 1993
The fact that there are zero-knowledge proofs for all languages in NP (see , , and [5]) has, potentially, enormous implications for cryptography. For cryptographers, the issue is no longer "which languages in NP have zero-knowledge proofs" but rather "which languages in NP have practical zero-knowledge proofs." Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.