Non-interactive Distributed-Verifier Proofs and Proving Relations among Commitments

A commitment multiplication proof, CMP for short, allows a player who is committed to secrets s, s? and s? = s ? s?, to prove, without revealing s, s? or s?, that indeed s? = ss?. CMP is an important building block for secure general multi-party computation as well as threshold cryptography.In the standard cryptographic model, a CMP is typically done interactively using zero-knowledge protocols. In the random oracle model it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic. An alternative non-interactive solution in the distributed setting, where at most a certain fraction of the verifiers are malicious, was presented in [1] for Pedersen's discrete log based commitment scheme. This CMP essentially consists ofa few invocations ofP edersen's verifiable secret sharing scheme (VSS) and is secure in the standard model.In the first part ofthis paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen's VSS. Next we show how to construct non-interactive proofs of partial knowledge [8] in this distributed setting. This allows for instance to prove noninteractively the knowledge of l out of m given secrets, without revealing which ones. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting.In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen's VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [7], which cover wide range of currently used schemes, suffice.

[1]  R. Cramer,et al.  Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups , 2002 .

[2]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[3]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.

[4]  Ivan Damgård,et al.  Linear zero-knowledge—a note on efficient zero-knowledge proofs and arguments , 1997, STOC '97.

[5]  Ivan Damgård,et al.  Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free? , 1998, CRYPTO.

[6]  Masayuki Abe Robust distributed multiplication without interaction , 1999 .

[7]  Ivan Damgård,et al.  Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge be for Free? , 1997 .

[8]  Matthew K. Franklin,et al.  Multi-Autority Secret-Ballot Elections with Linear Work , 1996, EUROCRYPT.

[9]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[10]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[11]  Ueli Maurer,et al.  Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract) , 1997, PODC '97.

[12]  Masayuki Abe,et al.  Robust Distributed Multiplicaton with out Interaction , 1999, CRYPTO.

[13]  R. Cramer,et al.  Linear Zero-Knowledgde. A Note on Efficient Zero-Knowledge Proofs and Arguments , 1996 .

[14]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[15]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[16]  Avi Wigderson,et al.  On span programs , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[17]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[18]  Tal Rabin,et al.  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography , 1998, PODC '98.

[19]  Stuart A. Kurtz,et al.  A discrete logarithm implementation of zero-knowledge blobs , 1987 .

[20]  Adi Shamir,et al.  How to share a secret , 1979, CACM.