Efficient Threshold Zero-Knowledge with Applications to User-Centric Protocols

In this paper, we investigate on threshold proofs, a framework for distributing the prover's side of interactive proofs of knowledge over multiple parties. Interactive proofs of knowledge (PoK) are widely used primitives of cryptographic protocols, including important user-centric protocols, such as identification schemes, electronic cash (e-cash), and anonymous credentials. We present a security model for threshold proofs of knowledge and develop threshold versions of well-known primitives such as range proofs, zero-knowledge proofs for preimages of homomorphisms (which generalizes PoKs of discrete logarithms, representations, p-th roots, etc.), as well as OR statements. These building blocks are proven secure in our model. Furthermore, we apply the developed primitives and techniques in the context of user-centric protocols. In particular, we construct distributed-user variants of Brands' e-cash system and the bilinear anonymous credential scheme by Camenisch and Lysyanskaya. Distributing the user party in such protocols has several practical advantages: First, the security of a user can be increased by sharing secrets and computations over multiple devices owned by the user. In this way, losing control of a single device does not result in a security breach. Second, this approach also allows groups of users to jointly control an application (e.g., a joint e-cash account), not giving a single user full control. The distributed versions of the protocols we propose in this paper are relatively efficient (when compared to a general MPC approach). In comparison to the original protocols only the prover's (or user's) side is modified while the other side stays untouched. In particular, it is oblivious to the other party whether it interacts with a distributed prover (or user) or one as defined in the original protocol.

[1]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[2]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[3]  Joan Feigenbaum Advances in Cryptology - CRYPTO '91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1991, Proceedings , 1992, CRYPTO.

[4]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[5]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[6]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[7]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[8]  Yiannis Tsiounis,et al.  Easy Come - Easy Go Divisible Cash , 1998, EUROCRYPT.

[9]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[10]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[11]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[12]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, Journal of Cryptology.

[13]  Tal Rabin,et al.  A Simplified Approach to Threshold and Proactive RSA , 1998, CRYPTO.

[14]  Ueli Maurer,et al.  Unifying Zero-Knowledge Proofs of Knowledge , 2009, AFRICACRYPT.

[15]  Yvo Desmedt,et al.  Shared Generation of Authenticators and Signatures (Extended Abstract) , 1991, CRYPTO.

[16]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[17]  Yvo Desmedt Treshold Cryptosystems (invited talk) , 1992, AUSCRYPT.

[18]  Hugo Krawczyk,et al.  Robust and Efficient Sharing of RSA Functions , 1996, Journal of Cryptology.

[19]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[20]  Ivan Damgård,et al.  Fast and Secure Immunization Against Adaptive Man-in-the-Middle Impersonation , 1997, EUROCRYPT.

[21]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[22]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[23]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .

[24]  Ivan Damgård,et al.  On the Theory and Practice of Personal Digital Signatures , 2009, IACR Cryptol. ePrint Arch..

[25]  Bart Preneel,et al.  Increased Resilience in Threshold Cryptography: Sharing a Secret with Devices That Cannot Store Shares , 2010, Pairing.

[26]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[27]  Giovanni Di Crescenzo,et al.  Multiplicative Non-abelian Sharing Schemes and their Application to Threshold Cryptography , 1994, ASIACRYPT.

[28]  Stefan A. Brands,et al.  Untraceable Off-line Cash in Wallet with Observers , 2002 .

[29]  Yuval Ishai,et al.  Efficient Multi-party Computation over Rings , 2003, EUROCRYPT.

[30]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[31]  Yuval Ishai,et al.  Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation , 2005, TCC.

[32]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[33]  Torben P. Pedersen Distributed Provers with Applications to Undeniable Signatures , 1991, EUROCRYPT.

[34]  Tatsuaki Okamoto,et al.  Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes , 1992, CRYPTO.

[35]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[36]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[37]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[38]  Ivan Damgård,et al.  Simplified Threshold RSA with Adaptive and Proactive Security , 2006, EUROCRYPT.

[39]  Anna Lysyanskaya,et al.  Signature schemes and applications to cryptographic protocol design , 2002 .

[40]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[41]  Yevgeniy Dodis,et al.  Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs , 2008, CRYPTO.

[42]  Claus-Peter Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1990, EUROCRYPT.

[43]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[44]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[45]  Ivan Damgård,et al.  Practical Threshold RSA Signatures without a Trusted Dealer , 2000, EUROCRYPT.

[46]  Helger Lipmaa,et al.  On Diophantine Complexity and Statistical Zero-Knowledge Arguments , 2003, ASIACRYPT.