Compressing Proofs of k-Out-Of-n Partial Knowledge

In a zero-knowledge (ZK) proof of partial knowledge, introduced by Cramer, Damgård and Schoenmakers (CRYPTO 1994), a prover claiming knowledge of witnesses for some k-subset of n given public statements can convince the verifier without revealing which k-subset. The accompanying dedicated solution based on secret sharing achieves linear communication complexity for general k, n and for many natural classes of statements. Especially the case k = 1 and n = 2 (“one-out-of-two”) has seen myriad applications during the last decades, e.g., in electronic voting, ring signatures, and confidential transaction systems in general. In this paper we focus on the discrete logarithm (DL) setting; the prover’s claim pertains to knowledge of discrete logarithms of k-out-of-n given elements from a group supporting DL-based cryptography. Groth and Kohlweiss (EUROCRYPT 2015) have shown how to solve the special case k = 1 and general n with logarithmic communication instead of linear. However, their method, which is original, takes explicit advantage of k = 1 and does not generalize to k > 1 without losing all advantage over prior work. Our contributions are as follows. We show a solution with logarithmic communication for general k, n instead of just k = 1 and general n from prior work. Applying the Fiat-Shamir transform renders a non-interactive logarithmic-size zero-knowledge proof. Our approach deploys a novel twist on a basic primitive from Compressed Σ-Protocol Theory (CRYPTO 2020) that we then utilize to compress a carefully chosen adaptation of the CRYPTO 1994 approach down to logarithmic size. Interestingly, even for k = 1 and general n our approach improves prior work as it reduces communication up to almost a factor 1/2. We also generalize this to proofs of partial knowledge about compact commitments of long vectors. Optionally, the prover may at the same time demonstrate his secret to satisfy some arbitrary given constraint. Finally, we also generalize from threshold to arbitrary access structures.
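The linear-size CRYPTO 1994 construction that the abstract takes as its baseline, instantiated for Schnorr statements y_i = g^{x_i}, as an added example that is not the paper's own code: the prover simulates the n-k statements it cannot answer by choosing their challenge shares first, and after receiving the challenge c it interpolates the degree-(n-k) polynomial those shares and f(0) = c determine, which fixes the k remaining challenges. The verifier checks every Schnorr transcript and that all n shares form one consistent (n-k+1)-threshold sharing of c. Group parameters, the interactive challenge and all sample values are constructed assumptions.

```python
import secrets

# Constructed toy group (not a secure size): order-q subgroup of Z_p^*, p = 2q+1 = 1019, q = 509, g = 4.
P, Q, G = 1019, 509, 4

def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial over GF(Q) through the given (x_m, y_m) points."""
    total = 0
    for m, (xm, ym) in enumerate(points):
        num, den = 1, 1
        for l, (xl, _) in enumerate(points):
            if l != m:
                num = num * (x - xl) % Q
                den = den * (xm - xl) % Q
        total = (total + ym * num * pow(den, -1, Q)) % Q
    return total

def prove_commit(ys, witnesses):
    """First prover message; witnesses maps the k known indices to their discrete logs x_i."""
    a, state = [], {}
    for i, y in enumerate(ys):
        if i in witnesses:                 # real Schnorr commitment g^r for a known x_i
            r = secrets.randbelow(Q)
            a.append(pow(G, r, P)); state[i] = ("real", r)
        else:                              # simulate: pick challenge share and response first
            ci, zi = secrets.randbelow(Q), secrets.randbelow(Q)
            a.append(pow(G, zi, P) * pow(y, Q - ci, P) % P); state[i] = ("sim", ci, zi)
    return a, state

def prove_respond(c, state, witnesses):
    """Second prover message for verifier challenge c: one (c_i, z_i) pair per statement."""
    # The n-k simulated shares plus f(0) = c fix a polynomial f of degree <= n-k; f at the known indices gives their challenges.
    fixed = [(0, c)] + [(i + 1, st[1]) for i, st in state.items() if st[0] == "sim"]
    cs, zs = [0] * len(state), [0] * len(state)
    for i, st in state.items():
        if st[0] == "sim":
            cs[i], zs[i] = st[1], st[2]
        else:
            cs[i] = lagrange_eval(fixed, i + 1)
            zs[i] = (st[1] + cs[i] * witnesses[i]) % Q
    return cs, zs

def verify(ys, k, a, c, cs, zs):
    """Accept iff each (a_i, c_i, z_i) verifies and the c_i form a consistent (n-k+1)-of-n sharing of c."""
    n = len(ys)
    if any(pow(G, zs[i], P) != a[i] * pow(ys[i], cs[i], P) % P for i in range(n)):
        return False
    # n-k+1 points determine f, so the prover could have chosen at most n-k shares freely.
    pts = [(0, c)] + [(i + 1, cs[i]) for i in range(n - k)]
    return all(lagrange_eval(pts, i + 1) == cs[i] for i in range(n - k, n))
```

The transcript is 3n group or field elements, which is the linear communication the paper sets out to compress; a Fiat-Shamir variant would derive c by hashing the statement and the a_i.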

[1] Dongxi Liu, et al. Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures, 2019, IACR Cryptol. ePrint Arch.

[2] Jens Groth, et al. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting, 2016, EUROCRYPT.

[3] Silvio Micali, et al. More on Proofs of Knowledge, 1998, IACR Cryptol. ePrint Arch.

[4] Matthew Green, et al. Zerocoin: Anonymous Distributed E-Cash from Bitcoin, 2013, 2013 IEEE Symposium on Security and Privacy.

[5] Aram Jivanyan, et al. Lelantus: Towards Confidentiality and Anonymity of Blockchain Transactions from Standard Assumptions, 2019, IACR Cryptol. ePrint Arch.

[6] Yael Tauman Kalai, et al. How to Leak a Secret: Theory and Applications of Ring Signatures, 2001, Essays in Memory of Shimon Even.

[7] Jens Groth, et al. Zero-Knowledge Argument for Polynomial Evaluation with Application to Blacklists, 2013, EUROCRYPT.

[8] Ivan Damgård, et al. Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free?, 1998, CRYPTO.

[9] Ronald Cramer, et al. Compressed Σ-Protocol Theory and Practical Application to Plug & Play Secure Algorithmics, 2020, IACR Cryptol. ePrint Arch.

[10] Yehuda Lindell, et al. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation, 2001, Journal of Cryptology.

[11] Silvio Micali, et al. The knowledge complexity of interactive proof-systems, 1985, STOC '85.

[12] Jan Camenisch, et al. Efficient and Generalized Group Signatures, 1997, EUROCRYPT.

[13] Markulf Kohlweiss, et al. One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin, 2015, EUROCRYPT.

[14] Dan Boneh, et al. Bulletproofs: Short Proofs for Confidential Transactions and More, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[15] Dominique Unruh, et al. Quantum Proofs of Knowledge, 2012, IACR Cryptol. ePrint Arch.

[16] Josh Benaloh, et al. One-Way Accumulators: A Decentralized Alternative to Digital Signatures (Extended Abstract), 1994, EUROCRYPT.

[17] David Chaum, et al. Group Signatures, 1991, EUROCRYPT.

[18] Adi Shamir, et al. How to share a secret, 1979, CACM.

[19] Moti Yung, et al. Blind, Auditable Membership Proofs, 2000, Financial Cryptography.

[20] Aram Jivanyan, et al. Hierarchical One-out-of-Many Proofs With Applications to Blockchain Privacy and Ring Signatures, 2020, 2020 15th Asia Joint Conference on Information Security (AsiaJCIS).

[21] Ivan Damgård, et al. Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge be for Free?, 1997.

[22] Dan Boneh, et al. Zether: Towards Privacy in a Smart Contract World, 2020, IACR Cryptol. ePrint Arch.

[23] Anna Gál, et al. Combinatorial methods in boolean function complexity, 1995.

[24] Jens Groth, et al. Short Accountable Ring Signatures Based on DDH, 2015, ESORICS.

[25] Benjamin E. Diamond, et al. "Many-out-of-Many" Proofs with Applications to Anonymous Zether, 2020, IACR Cryptol. ePrint Arch.

[26] Ronald Cramer, et al. Modular Design of Secure yet Practical Cryptographic Protocols, 1997.

[27] Ivan Damgård, et al. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, 1994, CRYPTO.

[28] Amos Fiat, et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[29] Ivan Damgård, et al. Secure Multiparty Computation and Secret Sharing, 2015.

[30] Ralph C. Merkle, et al. Protocols for Public Key Cryptosystems, 1980, 1980 IEEE Symposium on Security and Privacy.