A Certifying Compiler for Zero-Knowledge Proofs of Knowledge Based on Sigma-Protocols

Zero-knowledge proofs of knowledge (ZK-PoK) are important building blocks for numerous cryptographic applications. Although ZK-PoK have a high potential impact, their real-world deployment is typically hindered by their significant complexity compared to other (non-interactive) cryptographic primitives. Moreover, their design and implementation are time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a compiler for ZK-PoK protocols based on Σ-protocols. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order co-domain, needed for privacy-preserving applications such as Direct Anonymous Attestation (DAA). Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of the soundness of the compiled protocol for a large class of protocols using the Isabelle/HOL theorem prover.
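To make the abstract concrete, the following is an added example (not code from the paper or its compiler) of the simplest protocol in the class it targets: a Σ-protocol proving knowledge of a preimage under an exponentiation homomorphism φ(x) = g^x, i.e. Schnorr's proof of knowledge of a discrete logarithm. It also shows the property the paper's Isabelle/HOL certificate establishes, special soundness: a knowledge extractor that recovers the witness from two accepting transcripts sharing a commitment but with different challenges. The group parameters (p = 23, q = 11, g = 2) are constructed toy values chosen so the code runs offline; the known-order group is an assumption of this example, and it deliberately does not cover the hidden-order co-domain case the compiler additionally handles, where the response cannot be reduced modulo the group order.

```python
import secrets

# Constructed toy parameters (assumption for this example): p = 2q + 1 with
# q prime, and g generating the order-q subgroup of Z_p^*. Real deployments
# use parameters of cryptographic size.
P = 23
Q = 11
G = 2


def phi(x):
    """Exponentiation homomorphism phi(x) = g^x mod p from Z_q into the subgroup."""
    return pow(G, x % Q, P)


def prover_commit(randbelow=secrets.randbelow):
    """Round 1: the prover picks a random r and sends the commitment t = phi(r)."""
    r = randbelow(Q)
    return r, phi(r)


def verifier_challenge(randbelow=secrets.randbelow):
    """Round 2: the verifier sends a uniformly random challenge c in Z_q."""
    return randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: the prover answers with s = r + c*x mod q, using the witness x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """The verifier accepts iff phi(s) == t * y^c, which holds when s was
    formed from the true witness because phi is a homomorphism."""
    return phi(s) == (t * pow(y, c, P)) % P


def run_protocol(x, y, randbelow=secrets.randbelow):
    """Run one full interaction; returns the transcript and the verdict."""
    r, t = prover_commit(randbelow)
    c = verifier_challenge(randbelow)
    s = prover_respond(x, r, c)
    return (t, c, s), verify(y, t, c, s)


def extract_witness(y, t, c1, s1, c2, s2):
    """Knowledge extractor for special soundness: from two accepting transcripts
    (t, c1, s1) and (t, c2, s2) with c1 != c2, recover x = (s1 - s2)/(c1 - c2) mod q.
    This is the statement a certified soundness proof guarantees for the
    compiled protocol; here it is checked numerically."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    if not (verify(y, t, c1, s1) and verify(y, t, c2, s2)):
        raise ValueError("both transcripts must be accepting")
    inv = pow((c1 - c2) % Q, -1, Q)  # modular inverse, Python 3.8+
    x = ((s1 - s2) * inv) % Q
    if phi(x) != y:
        raise AssertionError("extracted value is not a preimage of y")
    return x


if __name__ == "__main__":
    x = 7                 # constructed witness
    y = phi(x)            # public statement: y = g^x
    transcript, ok = run_protocol(x, y)
    print("transcript", transcript, "accepted:", ok)
```

The extractor is what makes the protocol a proof of *knowledge* rather than merely sound: any prover that can answer two distinct challenges for the same commitment can be turned into an algorithm that outputs the witness, so a verifier's acceptance implies the prover "knows" x. A single accepting transcript, by contrast, can be simulated without the witness, which is what gives the protocol its zero-knowledge property.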
