Slow Motion Zero Knowledge Identifying with Colliding Commitments

Discrete-logarithm authentication protocols are known to present two interesting features. The first is that the prover's commitment, $$x=g^r$$, claims most of the prover's computational effort. The second is that $$x$$ does not depend on the challenge and can hence be computed in advance. Provers exploit this feature by pre-loading or pre-computing ready-to-use commitment pairs $$r_i,x_i$$. The $$r_i$$ can be derived from a common seed, but storing each $$x_i$$ still requires 160 to 256 bits when implementing DSA or Schnorr. This paper proposes a new concept called slow motion zero-knowledge (SM-ZK). SM-ZK allows the prover to slash commitment size by a factor of 4 to 6 by combining classical zero-knowledge and a timing channel. We pay the conceptual price of requiring the ability to measure time but, in exchange, obtain communication-efficient protocols.
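The classical precomputation the abstract starts from, as an added example that is not code from the paper: a Schnorr-style identification in which each $$r_i$$ is re-derived from a seed and only the $$x_i$$ are stored. It does not implement SM-ZK itself; the toy group, the SHA-256 derivation, the `Prover` class and the convention $$v=g^s$$ are assumptions made for illustration.

```python
import hashlib

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def derive_r(seed: bytes, i: int) -> int:
    """r_i from the common seed. SHA-256 as the derivation is an assumption."""
    digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1  # r_i in [1, Q-1]

def precompute(seed: bytes, n: int) -> list:
    """Offline phase: the expensive exponentiations x_i = g^{r_i} mod p."""
    return [pow(G, derive_r(seed, i), P) for i in range(n)]

class Prover:
    """Hypothetical prover holding a seed, a secret s and n stored commitments."""
    def __init__(self, seed: bytes, secret: int, n: int):
        self.seed, self.secret = seed, secret
        self.coupons = precompute(seed, n)  # only the x_i occupy storage
        self.used = set()

    def commit(self, i: int) -> int:
        return self.coupons[i]  # sent before the challenge is known

    def respond(self, i: int, c: int) -> int:
        """Online phase: y = r_i + c*s mod q, with no exponentiation."""
        if i in self.used:
            # Answering two challenges with the same r_i would reveal s.
            raise ValueError("commitment pair already consumed")
        self.used.add(i)
        return (derive_r(self.seed, i) + c * self.secret) % Q

def verify(public: int, x: int, c: int, y: int) -> bool:
    """Verifier's check g^y == x * v^c mod p, where v = g^s is the public key."""
    return pow(G, y, P) == (x * pow(public, c, P)) % P

if __name__ == "__main__":
    s = 777                                 # constructed secret
    prover = Prover(b"constructed-seed", s, 3)
    v = pow(G, s, P)
    for i, c in enumerate([12, 345, 1000]):  # constructed challenges
        x = prover.commit(i)
        print(i, x, verify(v, x, c, prover.respond(i, c)))
```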
