Batch Proofs of Partial Knowledge

This paper examines "batch zero-knowledge" protocols for communication- and computation-efficient proofs of propositions composed of many simple predicates. We focus specifically on batch protocols that use Cramer, Damgard, and Schoenmakers' proofs of partial knowledge framework (Crypto 1994) to prove propositions that may be true even when some of their input predicates are false. Our main result is a novel system for batch zero-knowledge arguments of knowledge and equality of k-out-of-n discrete logarithms. Along the way, we propose the first general definition for batch zero-knowledge proofs and we revisit Peng and Bao's batch zero-knowledge proofs of knowledge and equality of one-out-of-n discrete logarithms (Inscrypt 2008). Our analysis of the latter protocol uncovers a critical flaw in the security proof, and we present a practical lattice-based attack to exploit it.

[1]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[2]  Rolf Haenni,et al.  A New Approach towards Coercion-Resistant Remote E-Voting in Linear Time , 2011, Financial Cryptography.

[3]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[4]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[5]  Darren Leigh,et al.  Batching Schnorr Identification Scheme with Applications to Privacy-Preserving Authorization and Low-Bandwidth Communication Devices , 2004, ASIACRYPT.

[6]  Man Ho Au,et al.  PEREA: Practical TTP-free revocation of repeatedly misbehaving anonymous users , 2011, TSEC.

[7]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[8]  Amit Sahai,et al.  Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge , 1998, STOC '98.

[9]  Andrew Odlyzko,et al.  Advances in Cryptology — CRYPTO’ 86 , 2000, Lecture Notes in Computer Science.

[10]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[11]  Bart De Decker,et al.  A Practical System for Globally Revoking the Unlinkable Pseudonyms of Unknown Users , 2007, ACISP.

[12]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[13]  Arnaldo V. Moura,et al.  LATIN'98: Theoretical Informatics , 1998, Lecture Notes in Computer Science.

[14]  Ed Dawson,et al.  Batch zero-knowledge proof and verification and its applications , 2007, TSEC.

[15]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[16]  Ian Goldberg,et al.  All-but-k Mercurial Commitments and their Applications † , 2012 .

[17]  Willy Susilo,et al.  BLACR: TTP-Free Blacklistable Anonymous Credentials with Reputation , 2012, NDSS.

[18]  Martin Fürer,et al.  Faster integer multiplication , 2007, STOC '07.

[19]  Johannes A. Buchmann,et al.  On Coercion-Resistant Electronic Elections with Linear Work , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[20]  Ian Goldberg,et al.  Practical PIR for electronic commerce , 2011, CCS '11.

[21]  Oded Goldreich,et al.  A Note on Computational Indistinguishability , 1990, Inf. Process. Lett..

[22]  Jacques Traoré,et al.  A practical and secure coercion-resistant scheme for remote elections , 2007, Frontiers of Electronic Voting.

[23]  Dan Boneh,et al.  Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups , 2008, Journal of Cryptology.

[24]  Dario Fiore,et al.  Zero-Knowledge Sets with Short Proofs , 2008, EUROCRYPT.

[25]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[26]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[27]  Christian Cachin,et al.  Efficient private bidding and auctions with an oblivious third party , 1999, CCS '99.

[28]  Anne Canteaut,et al.  Progress in Cryptology - INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings , 2004, INDOCRYPT.

[29]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[30]  Mihir Bellare,et al.  Batch Verification with Applications to Cryptography and Checking , 1998, LATIN.

[31]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[32]  Markus Jakobsson,et al.  Coercion-resistant electronic elections , 2005, WPES '05.

[33]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[34]  Moti Yung,et al.  Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs , 2010, TCC.

[35]  Markus Kasper,et al.  The World is Not Enough: Another Look on Second-Order DPA , 2010, IACR Cryptol. ePrint Arch..

[36]  Pil Joong Lee,et al.  Advances in Cryptology — ASIACRYPT 2001 , 2001, Lecture Notes in Computer Science.

[37]  Yi Mu,et al.  Compact E-Cash from Bounded Accumulator , 2007, CT-RSA.

[38]  Jean-Jacques Quisquater,et al.  Advances in Cryptology — EUROCRYPT ’95 , 2001, Lecture Notes in Computer Science.

[39]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[40]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[41]  Joseph K. Liu,et al.  Separable Linkable Threshold Ring Signatures , 2004, INDOCRYPT.

[42]  Kun Peng,et al.  Batch ZK Proof and Verification of OR Logic , 2009, Inscrypt.

[43]  Ian Goldberg,et al.  Improving the Robustness of Private Information Retrieval , 2007 .

[44]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[45]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[46]  Nigel P. Smart,et al.  Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings , 2008, EUROCRYPT.

[47]  Sean W. Smith,et al.  BLAC: Revoking Repeatedly Misbehaving Anonymous Users without Relying on TTPs , 2010, TSEC.

[48]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[49]  Jens Groth,et al.  A Verifiable Secret Shuffle of Homomorphic Encryptions , 2003, Journal of Cryptology.

[50]  Jeremy Clark,et al.  Selections: Internet Voting with Over-the-Shoulder Coercion-Resistance , 2011, Financial Cryptography.

[51]  Ian Goldberg,et al.  Polynomial Commitments , 2010 .

[52]  Kun Peng,et al.  Batch Range Proof for Practical Small Ranges , 2010, AFRICACRYPT.

[53]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[54]  Kazue Sako,et al.  Receipt-Free Mix-Type Voting Scheme - A Practical Solution to the Implementation of a Voting Booth , 1995, EUROCRYPT.

[55]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[56]  Tanja Lange,et al.  Progress in Cryptology - AFRICACRYPT 2010, Third International Conference on Cryptology in Africa, Stellenbosch, South Africa, May 3-6, 2010. Proceedings , 2010, AFRICACRYPT.

[57]  Yvo Desmedt,et al.  Advances in Cryptology — CRYPTO ’94 , 2001, Lecture Notes in Computer Science.