An Extension of the Groth-Sahai Proof System

Non-interactive zero-knowledge proofs, particularly those constructed on top of bilinear groups, have been significantly studied in cryptography and used in a wide variety of applications in recent years. One very powerful suite of techniques for proofs over bilinear groups is the Groth-Sahai proof system, which provides efficient non-interactive witnessindistinguishable and zero-knowledge proofs without relying on any one assumption or language. The Groth-Sahai suite of proofs has already been used in a number of applications, including group signature schemes, anonymous voting, and anonymous credentials. In this paper, we describe a technique that allows us to prove that two GS commitments open to the same value. We then use this technique to create a non-interactive zero-knowledge protocol that satisfies a stronger version of zero-knowledge than the original GS protocol. Finally, we use both these techniques to provide a new extension of the proof system that makes it into a non-interactive zero-knowledge proof of knowledge of an exponent. We then outline new building blocks based on this technique that can be used in a variety of applications. The main application of our technique will involve using it to construct a fully unforgeable non-interactive anonymous credentials scheme.

[1]  Richard E. Overill,et al.  Foundations of Cryptography: Basic Tools , 2002, J. Log. Comput..

[2]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[3]  S. Micali,et al.  Noninteractive Zero-Knowledge , 1990, SIAM J. Comput..

[4]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[5]  M. F.,et al.  Bibliography , 1985, Experimental Gerontology.

[6]  Eric R. Verheul,et al.  Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems , 2004, Journal of Cryptology.

[7]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[8]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[9]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[10]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[11]  Joe Kilian,et al.  An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions , 1998, Journal of Cryptology.

[12]  Mike Scott,et al.  Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number , 2002, IACR Cryptol. ePrint Arch..

[13]  Ratna Dutta,et al.  Pairing-Based Cryptographic Protocols : A Survey , 2004, IACR Cryptol. ePrint Arch..

[14]  Jens Groth,et al.  A Non-interactive Shuffle with Pairing Based Verifiability , 2007, ASIACRYPT.

[15]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[16]  Markulf Kohlweiss,et al.  Non-Interactive Anonymous Credentials , 2007, IACR Cryptol. ePrint Arch..

[17]  Vitaly Shmatikov,et al.  Efficient Two-Party Secure Computation on Committed Inputs , 2007, EUROCRYPT.

[18]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[19]  Brent Waters,et al.  Full-Domain Subgroup Hiding and Constant-Size Group Signatures , 2007, Public Key Cryptography.

[20]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[21]  Ivan Damgård,et al.  Non-Interactive Circuit Based Proofs and Non-Interactive Perfect Zero-knowledge with Proprocessing , 1992, EUROCRYPT.

[22]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[23]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..