Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors

We show how to turn three-move proofs of knowledge into non-interactive ones in the random oracle model. Unlike the classical Fiat-Shamir transformation our solution supports an online extractor which outputs the witness from such a non-interactive proof instantaneously, without having to rewind or fork. Additionally, the communication complexity of our solution is significantly lower than for previous proofs with online extractors. We furthermore give a superlogarithmic lower bound on the number of hash function evaluations for such online extractable proofs, matching the number in our construction, and we also show how to enhance security of the group signature scheme suggested recently by Boneh, Boyen and Shacham with our construction.

[1]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[2]  Andrew Odlyzko,et al.  Advances in Cryptology — CRYPTO’ 86 , 2000, Lecture Notes in Computer Science.

[3]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[4]  Tatsuaki Okamoto,et al.  Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes , 1992, CRYPTO.

[5]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[6]  Carl Pomerance,et al.  Advances in Cryptology — CRYPTO ’87 , 2000, Lecture Notes in Computer Science.

[7]  Jean-Sébastien Coron,et al.  Optimal Security Proofs for PSS and Other Signature Schemes , 2002, EUROCRYPT.

[8]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[9]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[10]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, EUROCRYPT.

[11]  Giovanni Di Crescenzo,et al.  On monotone formula closure of SZK , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[12]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[13]  Mihir Bellare Advances in Cryptology — CRYPTO 2000 , 2000, Lecture Notes in Computer Science.

[14]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[15]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[16]  Stanislaw Jarecki,et al.  A Signature Scheme as Secure as the Diffie-Hellman Problem , 2003, EUROCRYPT.

[17]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[18]  Masayuki Abe,et al.  Combining Encryption and Proof of Knowledge in the Random Oracle Model , 2004, Comput. J..

[19]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[20]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[21]  Rafael Pass,et al.  On Deniability in the Common Reference String and Random Oracle Model , 2003, CRYPTO.

[22]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[23]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[24]  Mihir Bellare,et al.  An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[25]  Niklaus Wirth,et al.  Advances in Cryptology — EUROCRYPT ’88 , 2000, Lecture Notes in Computer Science.

[26]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[27]  Jonathan Katz,et al.  Efficiency improvements for signature schemes with tight security reductions , 2003, CCS '03.

[28]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[29]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[30]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[31]  Yvo Desmedt,et al.  Advances in Cryptology — CRYPTO ’94 , 2001, Lecture Notes in Computer Science.

[32]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[33]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[34]  Bart Preneel,et al.  On the Performance of Signature Schemes Based on Elliptic Curves , 1998, ANTS.

[35]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[36]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[37]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[38]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[39]  Jean-Sébastien Coron,et al.  On the Exact Security of Full Domain Hash , 2000, CRYPTO.

[40]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[41]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.