Zero-Knowledge Sets with Short Proofs

Zero Knowledge Sets, introduced by Micali, Rabin and Kilian in [17], allow a prover to commit to a secret set S in a way such that it can later prove, non interactively, statements of the form x ∈ S (or x ∉ S), without revealing any further information (on top of what explicitly revealed by the inclusion/exclusion statements above) on S, not even its size. Later, Chase et al. [5] abstracted away the Micali, Rabin and Kilian's construction by introducing an elegant new variant of commitments that they called (trapdoor) mercurial commitments. Using this primitive, it was shown in [5,4] how to construct zero knowledge sets from a variety of assumptions (both general and number theoretic). In this paper we introduce the notion of trapdoor q-mercurial commitments (qTMCs), a notion of mercurial commitment that allows the sender to commit to an ordered sequence of exactly q messages, rather than to a single one. Following [17,5] we show how to construct ZKS from qTMCs and collision resistant hash functions. Then, we present an efficient realization of qTMCs that is secure under the so called Strong Diffie Hellman assumption, a number theoretic conjecture recently introduced by Boneh and Boyen in [3]. Using our scheme as basic building block, we obtain a construction of ZKS that allows for proofs that are much shorter with respect to the best previously known implementations. In particular, for an appropriate choice of the parameters, our proofs are up to 33% shorter for the case of proofs of membership, and up to 73% shorter for the case of proofs of non membership.

[1]  Silvio Micali,et al.  Independent Zero-Knowledge Sets , 2006, ICALP.

[2]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[3]  Jung Hee Cheon,et al.  Security Analysis of the Strong Diffie-Hellman Problem , 2006, EUROCRYPT.

[4]  Ivan Damgård,et al.  Collision Free Hash Functions and Public Key Signature Schemes , 1987, EUROCRYPT.

[5]  Silvio Micali,et al.  Verifiable random functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[6]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[7]  Rafail Ostrovsky,et al.  Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract) , 1992, CRYPTO.

[8]  Moni Naor,et al.  An Efficient Existentially Unforgeable Signature Scheme and Its Applications , 1994, Journal of Cryptology.

[9]  Ivan Visconti,et al.  Mercurial Commitments: Minimal Assumptions and Efficient Constructions , 2006, TCC.

[10]  Silvio Micali,et al.  Zero-knowledge sets , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[11]  Moses D. Liskov Updatable Zero-Knowledge Databases , 2005, ASIACRYPT.

[12]  R. Ostrovsky,et al.  Efficient Consistency Proofs on a Committed Database , 2003 .

[13]  Chae Hoon Lim,et al.  More Flexible Exponentiation with Precomputation , 1994, CRYPTO.

[14]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[15]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[16]  S. Micali,et al.  Noninteractive Zero-Knowledge , 1990, SIAM J. Comput..

[17]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[18]  Ivan Damgård,et al.  New Generation of Secure and Practical RSA-Based Signatures , 1996, CRYPTO.