Efficient Protocols for Set Membership and Range Proofs

We consider the following problem: given a commitment to a value σ, prove in zero-knowledge that σ belongs to some discrete set φ. The set φ can perhaps be a list of cities or clubs; often φ can be a numerical range such as $[1, 2^{20}]$. This problem arises in e-cash systems, anonymous credential systems, and various other practical uses of zero-knowledge protocols. When using commitment schemes relying on RSA-like assumptions, there are solutions to this problem which require only a constant number of RSA-group elements to be exchanged between the prover and verifier [5, 15, 16]. However, for many commitment schemes based on bilinear group assumptions, these techniques do not work, and the best known protocols require $O(k)$ group elements to be exchanged, where $k$ is a security parameter. In this paper, we present two new approaches to building set-membership proofs. The first is based on bilinear group assumptions. When applied to the case where φ is a range of integers, our protocols require $O(\frac{k}{\log k - \log\log k})$ group elements to be exchanged. Not only is this result asymptotically better, but the constants are small enough to provide significant improvements even for small ranges. Indeed, for a discrete logarithm based setting, our new protocol is an order of magnitude more efficient than previously known ones. We also discuss alternative implementations of our membership proof based on the strong RSA assumption. Depending on the application, e.g., when φ is a published set of values such as frequent flyer clubs, cities, or other ad hoc collections, these alternatives also outperform prior solutions.
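The following worked derivation of the stated bound is added here and is not part of the abstract. It rests on a cost model that the abstract does not spell out and that is therefore an assumption in this note: a committed $k$-bit value σ is written in base $u$ as $\ell = \lceil k / \log u \rceil$ digits, each digit is shown to lie in $[0, u)$ with a set-membership proof of constant size, and the verifier's one-time published material for the digit set $[0, u)$ has size $O(u)$, so the total communication is $O(u + \ell)$ group elements. Choosing $u$ to balance the two terms gives the bound from the abstract:

$$
\ell = \frac{k}{\log u}, \qquad u = \frac{k}{\log k - \log\log k}
\;\Rightarrow\;
\log u = \log k - \log(\log k - \log\log k) \;\ge\; \log k - \log\log k,
$$

$$
\ell = \frac{k}{\log u} \;\le\; \frac{k}{\log k - \log\log k} = u,
\qquad
u + \ell = O\!\left(\frac{k}{\log k - \log\log k}\right).
$$

The bit-by-bit approach is the special case $u = 2$, $\ell = k$, which is the $O(k)$ cost the abstract attributes to earlier protocols; a larger radix trades $u$ published elements for a factor of roughly $\log u$ fewer per-digit proofs, which is why the constants matter even for small ranges.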

[1] Aggelos Kiayias, et al. Public Key Cryptography - PKC 2006, 2006, Lecture Notes in Computer Science.

[2] Tatsuaki Okamoto, et al. Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations, 1997, CRYPTO.

[3] Helger Lipmaa, et al. On Diophantine Complexity and Statistical Zero-Knowledge Arguments, 2003, ASIACRYPT.

[4] Mihir Bellare, et al. On Defining Proofs of Knowledge, 1992, CRYPTO.

[5] Claus-Peter Schnorr, et al. Efficient signature generation by smart cards, 2004, Journal of Cryptology.

[6] Jan Camenisch, et al. Efficient Group Signature Schemes for Large Groups (Extended Abstract), 1997, CRYPTO.

[7] Jan Camenisch, et al. A Signature Scheme with Efficient Protocols, 2002, SCN.

[8] Ueli Maurer, et al. Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order, 2005, Public Key Cryptography.

[9] Moni Naor. Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings, 2007, EUROCRYPT.

[10] Silvio Micali, et al. Zero-knowledge sets, 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003, Proceedings.

[11] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.

[12] Fabrice Boudot, et al. Efficient Proofs that a Committed Number Lies in an Interval, 2000, EUROCRYPT.

[13] Arto Salomaa, et al. Public-Key Cryptography, 1991, EATCS Monographs on Theoretical Computer Science.

[14] Oded Goldreich, et al. Foundations of Cryptography: Basic Tools, 2000.

[15] Jan Camenisch, et al. Efficient group signature schemes for large groups, 1997.

[16] Kazue Sako, et al. k-Times Anonymous Authentication with a Constant Proving Cost, 2006, Public Key Cryptography.

[17] Helger Lipmaa. Statistical Zero-Knowledge Proofs from Diophantine Equations, 2001, IACR Cryptol. ePrint Arch.

[18] Serge Vaudenay. Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005, Proceedings, 2005, Public Key Cryptography.

[19] Ernest F. Brickell, et al. Advances in Cryptology - CRYPTO '92, 2001, Lecture Notes in Computer Science.

[20] Dan Boneh, et al. Short Signatures Without Random Oracles, 2004, EUROCRYPT.

[21] M. Rabin, et al. Randomized algorithms in number theory, 1985.

[22] Jan Camenisch, et al. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials, 2002, CRYPTO.

[23] Jens Groth, et al. Non-interactive Zero-Knowledge Arguments for Voting, 2005, ACNS.

[24] Ivan Damgård, et al. Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions, 2000, Public Key Cryptography.

[25] Yevgeniy Dodis, et al. A Verifiable Random Function with Short Proofs and Keys, 2005, Public Key Cryptography.

[26] Yiannis Tsiounis, et al. Easy Come - Easy Go Divisible Cash, 1998, EUROCRYPT.

[27] Abhi Shelat, et al. Simulatable Adaptive Oblivious Transfer, 2007, EUROCRYPT.

[28] Ivan Damgård, et al. Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs, 1995, CRYPTO.

[29] Kelly Black. Classroom Note: Putting Constraints in Optimization for First-Year Calculus Students, 1997, SIAM Rev.

[30] Moti Yung, et al. Advances in Cryptology - CRYPTO 2002, 2002, Lecture Notes in Computer Science.

[31] Serge Vaudenay, et al. Advances in Cryptology - EUROCRYPT 2006, 2006, Lecture Notes in Computer Science.

[32] Kenneth G. Paterson, et al. Pairings for Cryptographers, 2008, IACR Cryptol. ePrint Arch.

[33] Aggelos Kiayias, et al. Traceable Signatures, 2004, EUROCRYPT.

[34] Bart Preneel, et al. Advances in Cryptology - EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceedings, 2000.

[35] Ivan Damgård, et al. A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order, 2002, ASIACRYPT.

[36] Ronald Cramer, et al. Modular Design of Secure yet Practical Cryptographic Protocols, 1997.

[37] Jung Hee Cheon, et al. Security Analysis of the Strong Diffie-Hellman Problem, 2006, EUROCRYPT.

[38] Chi Sung Laih, et al. Advances in Cryptology - ASIACRYPT 2003, 2003.