Efficient Zero-Knowledge Proofs and Applications

Zero-knowledge proofs provide a means for a prover to convince a verifier that some claim is true and nothing more. The ability to prove statements while conveying zero information beyond their veracity has profound implications for cryptography and, especially, for its applicability to privacy-enhancing technologies. Unfortunately, the most common zero-knowledge techniques in the literature suffer from poor scalability, which limits their usefulness in many otherwise promising applications. This dissertation addresses the problem of designing communication- and computation-efficient protocols for zero-knowledge proofs and arguments of propositions that comprise many “simple” predicates. In particular, we propose a new formal model in which to analyze batch zero-knowledge protocols and perform the first systematic study of systems for batch zero-knowledge proofs and arguments of knowledge. In the course of this study, we suggest a general construction for batch zero-knowledge proof systems and use it to realize several new protocols suitable for proving knowledge of and relationships among large batches of discrete logarithm (DL) representations in prime-order groups. Our new protocols improve on existing protocols in several ways; for example, among the new protocols is one with lower asymptotic computation cost than any other such system in the literature. We also tackle the problem of constructing batch proofs of partial knowledge, proposing new protocols to prove knowledge of a DL that is equal to at least k-out-of-n other DLs, at most k-out-of-n other DLs, or exactly k-out-of-n other DLs. These constructions are particularly interesting as they prove some propositions that appear difficult to prove using existing techniques, even when efficiency is not a primary consideration. We illustrate the applicability of our new techniques by using them to construct efficient protocols for anonymous blacklisting and reputation systems.
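As an added illustration of the kind of primitive the abstract is batching (example code written for this page, not the dissertation's own protocols or construction), the following Python implements a Schnorr proof of knowledge of a discrete logarithm in a prime-order subgroup of Z_p^*, made non-interactive with a Fiat-Shamir challenge, together with a batch verifier that checks many such proofs with a single random linear combination. The batching is the standard small-exponents test of Bellare, Garay and Rabin, not any protocol from this thesis. The toy group parameters, the witnesses, and the names make_group, prove, verify, batch_verify and demo are all constructed here.

```python
# Added example, not code from the dissertation: Schnorr proof of knowledge
# of a DL in a prime-order subgroup, Fiat-Shamir challenge, and a
# small-exponents batch verifier. Group parameters are constructed at load
# time and are far too small for real use.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (sufficient for constructing a toy group)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=128):
    """Constructed toy group: prime q, prime p = k*q + 1, generator g of order q."""
    q = (1 << qbits) + 1
    while not is_probable_prime(q):
        q += 2
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h, g = 2, pow(2, k, p)          # cofactor clearing lands h in the order-q subgroup
    while g == 1:
        h += 1
        g = pow(h, k, p)
    return p, q, g


def in_subgroup(p, q, e):
    """Membership check; needed so rogue elements cannot fool the batch test."""
    return 0 < e < p and pow(e, q, p) == 1


def challenge(p, q, g, y, t):
    """Fiat-Shamir challenge over the whole statement and the commitment."""
    data = f"{p}|{q}|{g}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def prove(p, q, g, x):
    """Prove knowledge of x with y = g^x mod p; returns (y, (t, s))."""
    y = pow(g, x, p)
    r = secrets.randbelow(q)
    t = pow(g, r, p)
    c = challenge(p, q, g, y, t)
    return y, (t, (r + c * x) % q)


def verify(p, q, g, y, proof):
    """Check one proof: g^s == t * y^c (mod p)."""
    t, s = proof
    if not (in_subgroup(p, q, t) and in_subgroup(p, q, y) and 0 <= s < q):
        return False
    c = challenge(p, q, g, y, t)
    return pow(g, s, p) == t * pow(y, c, p) % p


def batch_verify(p, q, g, statements, proofs, wbits=64):
    """Check n proofs at once: g^{sum w_i s_i} == prod (t_i * y_i^{c_i})^{w_i}.

    Random weights w_i make the combined equation fail, except with
    probability about 2^-wbits, whenever any single proof is invalid. The
    left side costs one full exponentiation instead of n, and the right
    side's outer exponents are only wbits long.
    """
    lhs_exp, rhs = 0, 1
    for y, (t, s) in zip(statements, proofs):
        if not (in_subgroup(p, q, t) and in_subgroup(p, q, y) and 0 <= s < q):
            return False
        c = challenge(p, q, g, y, t)
        w = 1 + secrets.randbelow(1 << wbits)
        lhs_exp = (lhs_exp + w * s) % q
        rhs = rhs * pow(t * pow(y, c, p) % p, w, p) % p
    return pow(g, lhs_exp, p) == rhs


def demo(n=8):
    """Run n honest proofs, then corrupt one; returns the four verdicts."""
    p, q, g = make_group()
    ys, proofs = zip(*(prove(p, q, g, secrets.randbelow(q)) for _ in range(n)))
    bad = list(proofs)
    t, s = bad[n // 2]
    bad[n // 2] = (t, (s + 1) % q)      # constructed forgery attempt
    return {
        "all_single_ok": all(verify(p, q, g, y, pr) for y, pr in zip(ys, proofs)),
        "batch_ok": batch_verify(p, q, g, ys, proofs),
        "bad_single_rejected": not verify(p, q, g, ys[n // 2], bad[n // 2]),
        "bad_batch_rejected": not batch_verify(p, q, g, ys, bad),
    }


if __name__ == "__main__":
    print(demo())
```

The subgroup membership checks are what keep the batch test sound: without them an element of small order outside the subgroup could cancel against an even weight, which is exactly the kind of flaw a batch verifier must guard against. Note that the savings here are in verification only; the proofs themselves are still n independent Schnorr proofs, which is the gap the abstract's batch proof systems address.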
Thesis examining committee:
• Ian Goldberg (PhD Advisor), Associate Professor, University of Waterloo
• Douglas R. Stinson, University Professor, University of Waterloo
• Alfred Menezes, Professor, University of Waterloo
• David Jao, Associate Professor, University of Waterloo
• Nicholas J. Hopper, Associate Professor, University of Minnesota
