Rapid Demonstration of Linear Relations Connected by Boolean Operators

  • Stefan Brands
  • Published in EUROCRYPT 11 May 1997
  • Computer Science, Mathematics
Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption. 
Proofs of Knowledge for Non-monotone Discrete-Log Formulae and Applications
This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae. We consider general predicates built from modular exponentiations
The Representation Problem Based on Factoring
It is shown that the representation problem based on factoring gives rise to alternative solutions to a lot of cryptographic protocols in the literature, and the solutions here work with the most general factoring assumption.
On the Portability of Generalized Schnorr Proofs
The notion of "protocol portability," a property that identifies input and verifier state distributions under which a protocol becomes a ZKP when called as a subroutine in a sequential execution of a larger application, is introduced.
Batching proofs of knowledge and its applications
  • K. Nguyen, V. Varadharajan, Y. Mu
  • Computer Science, Mathematics
    Proceedings. Tenth International Workshop on Database and Expert Systems Applications. DEXA 99
  • 1999
The use of the batching technique can significantly reduce the number of online computations required in the proofs and consequently helps to lower the costs associated with the corresponding transactions.
Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes
This work presents the first efficient statistical zero-knowledge protocols to prove statements such as - A committed number is a prime and any multivariate modular polynomial equation is satisfied, where only commitments to the variables of the polynomial and to the modulus need to be known.
How to Prove That a Committed Number Is Prime
This paper proposes a new protocol to prove a committed number to be prime that is O(t) times more efficient than Camenisch and Michels's protocol, where t is the security parameter.
A Framework for Practical Universally Composable Zero-Knowledge Protocols
A specification language akin to the CKY-language and a compiler such that the resulting protocols are UC-secure and efficient are introduced, and a special composition theorem is stated which allows one to use the weaker but more efficient and often sufficient notion of proofs of membership in the UC-framework.
A Certifying Compiler for Zero-Knowledge Proofs of Knowledge Based on Sigma-Protocols
A comprehensive specification language and a compiler for ZK-PoK protocols based on Σ-protocols that automatically produces a formal proof of the soundness of the compiled protocol for a large class of protocols using the Isabelle/HOL theorem prover.
Practical zero-knowledge protocols based on the discrete logarithm assumption
This work constructs zero-knowledge arguments with sublinear communication complexity, and achievable computational demands, and constructs new protocols which compare very favorably to the current state of the art.
On Diophantine Complexity and Statistical Zero-Knowledge Arguments
  • H. Lipmaa
  • Mathematics, Computer Science
  • 2003
The outsourcing model for cryptographic protocols is proposed and communication-efficient versions of the Damgard-Jurik multi-candidate voting scheme and of the Lipmaa-Asokan-Niemi (b+1)st-price auction scheme that work in this model are proposed.


Gradual and Verifiable Release of a Secret
This work presents protocols allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it.
Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
This work shows how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S.
Zero Knowledge Proofs of Knowledge in Two Rounds
These protocols rely on two novel ideas: One for constructing commitment schemes, the other for constructing subprotocols which are not known to be zero knowledge, yet can be proven not to reveal useful information.
Random self-reducibility and zero knowledge interactive proofs of possession of information
  • M. Tompa, H. Woll
  • Mathematics, Computer Science
    28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
  • 1987
It is shown that any "random self-reducible" problem has a zero knowledge interactive proof of this sort, and new zero knowledge interactive proofs are exhibited for "knowledge" of the factorization of an integer, nonmembership in cyclic subgroups of Zp*, and determining whether an element generates Zp*.
The Discrete Logarithm Modulo a Composite Hides O(n) Bits
On Defining Proofs of Knowledge
The purpose of this paper is to indicate the source of the problems of the commonly cited formalizations of the "proof of knowledge" notion and suggest a definition which resolves them.
On monotone formula closure of SZK
This work investigates structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model and shows that interactive SZK for random self reducible languages (RSR) and for co-RSR is closed under monotone Boolean operations.
On Defining Proofs of Knowledge
The purpose of this paper is to indicate the source of problems of the commonly cited formalizations of the notion of a proof of knowledge and suggest a definition which resolves them.
Random oracles are practical: a paradigm for designing efficient protocols
It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Advances in Cryptology — CRYPTO’ 88: Proceedings
  • S. Goldwasser
  • Computer Science, Mathematics
    Lecture Notes in Computer Science
  • 1990
We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard techniques. Since both sides of this