Proofs of Knowledge for Non-monotone Discrete-Log Formulae and Applications

Emmanuel Bresson and Jacques Stern
This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae. We consider general predicates built from modular exponentiations of secret values, combined by products and connected with the logical operators "AND", "OR", "NOT". We first show how to deal with non-linear combinations of secret exponents. Next, we extend the work by Brands [4] to a strictly larger class of predicates, allowing a more liberal use of the logical… 
Proofs of Knowledge with Several Challenge Values
This paper considers the problem of increasing the number of possible challenge values from 2 to s in various zero-knowledge cut-and-choose protocols and shows how increasing this number improves the efficiency of protocols for double discrete logarithms and e-th roots of discrete logarithms.
Zero-knowledge proofs for secure computation
A new type of zero-knowledge proof is introduced that stands between two existing notions, interactive zero-knowledge proofs and non-interactive zero-knowledge proofs, and can be built from essentially the same cryptographic assumptions as the former, which allows one to obtain improved efficiency and security guarantees.
Forking Lemmas in the Ring Signatures' Scenario
The generalized forking lemmas are used to prove that the proposed new ring signature scheme is existentially unforgeable under adaptive chosen-message attacks, in the random oracle model.
Practical Verifiable Encryption and Decryption of Discrete Logarithms
This paper presents a variant of the new public key encryption of Cramer and Shoup based on Paillier's decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms.
A Certifying Compiler for Zero-Knowledge Proofs of Knowledge Based on Sigma-Protocols
A comprehensive specification language and a compiler for ZK-PoK protocols based on Σ-protocols that automatically produces a formal proof of the soundness of the compiled protocol for a large class of protocols using the Isabelle/HOL theorem prover.
Removing the Strong RSA Assumption from Arguments over the Integers
Range proofs consist of proving that a committed integer lies in a public interval, which can be seen as a particular case of the more general Diophantine relations: for the committed vector of integers \(\mathbf{x}\), there exists a vector of integers \(w\) such that \(P(x, w)=0\) where P is a polynomial.
Universally Convertible Directed Signatures
A positive answer to the universal conversion of directed signatures, which has remained an open problem since their introduction in 1993, is provided by showing a very efficient design for universally convertible directed signatures (UCDS) both in terms of computational complexity and signature size.
An Efficient and Usable Multi-show Non-transferable Anonymous Credential System
This paper gives a construction for multi-show non-transferable credentials for which the owner can prove that the credentials satisfy access control policies expressed by means of linear boolean formulae.
Automatic Generation of Sigma-Protocols
A compiler with corresponding languages for the automatic generation of sound and efficient ZK-PoK based on Σ-protocols is presented, which automatically generates the protocol implementation in Java code and can output a description of the protocol in LATEX which can be used for documentation or verification.
Bringing Zero-Knowledge Proofs of Knowledge to Practice
S. Krenn, Security Protocols Workshop, 2009
Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty
On monotone formula closure of SZK
This work investigates structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model and shows that interactive SZK for random self reducible languages (RSR) and for co-RSR is closed under monotone Boolean operations.
Rapid Demonstration of Linear Relations Connected by Boolean Operators
S. Brands, 1997
This work describes how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself.
Zero-knowledge proofs of identity
This paper gives the definition of unrestricted-input zero-knowledge proofs of knowledge, in which the prover demonstrates possession of knowledge without revealing any computational information whatsoever (not even the one bit revealed in zero-knowledge proofs of assertions).
Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
This work shows how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S.
Demonstrating Possession of a Discrete Logarithm Without Revealing It
Techniques are presented that allow A to convince B that she knows a solution to the Discrete Log Problem without revealing anything about x to B, and these protocols are proved secure under a formal model which is of interest in its own right.
Random oracles are practical: a paradigm for designing efficient protocols
It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Proof systems for general statements about discrete logarithms
The basic underlying techniques are identified, the techniques are generalized to prove linear relations among discrete logarithms, and a notation for describing complex and general statements about knowledge of discrete logarithms, leading directly to a method for constructing efficient proof systems of knowledge, is proposed.
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
We present the first undeniable signature schemes where signers are unconditionally secure. In the efficient variants, the security for the recipients relies on a discrete logarithm assumption or on
An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations
It is proved that the sequential versions of these protocols do not reveal any "knowledge" about the discrete logarithm(s) in a well-defined sense, provided that A knows (a multiple of) the order of α.
Separability and Efficiency for Generic Group Signature Schemes
This paper provides a generic fully separable group signature scheme and presents an efficient instantiation thereof, which is comparable to the most efficient schemes that do not offer separability and is an order of magnitude more efficient than a previous scheme that provides partial separability.