## Proofs of Knowledge for Non-Monotone Discrete-Log Formulae and Applications (2002)

Venue: | Information Security (ISC 2002), volume 2433 of LNCS |

Citations: | 14 - 0 self |

### BibTeX

@INPROCEEDINGS{Bresson02proofsof,

author = {Emmanuel Bresson and Jacques Stern},

title = {Proofs of Knowledge for Non-Monotone Discrete-Log Formulae and Applications},

booktitle = {Information Security (ISC 2002), volume 2433 of LNCS},

year = {2002},

pages = {272--288},

publisher = {Springer Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper addresses the problem of defining and providing proofs of knowledge for a general class of exponentiation-based formulae.

### Citations

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, P
- 1993
(Show Context)
Citation Context ...that e[i] = 1 3. P performs the following proof of knowledge: ZKPK h 0 ; : : : ; k ; 0 ; : : : ; k : v 0 = g 0 h 0 ^ k ^ i=1 v i = g i h i ^ ( i = e[i] 0 2 i 1 ) ^ y = g k i (2) Note that according to Theorem 1, a statement of the form i = e[i] 0 2 i 1 can be demonstrated by proving an additional representation of the form v i = v i 1 i 1 h t i in case e[i] = 0 and t... |

896 | How to prove yourself: Practical solutions to identification and signature problems, proceeding
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...otocol. The (interactive) protocols are thus proved zero-knowledge when they reveal no information apart from the validity of the statement. Almost at the same time, the concept of proof of knowledge =-=[21]-=- introduced the notion of extractor for a secret and became a building block in public-key cryptography. The property of zero-knowledge is useful as soon as one wants to perform some operations with s... |

537 |
Heyst. Group signatures
- Chaum, van
- 1991
(Show Context)
Citation Context ...for large groups originally proposed in 1997 by Camenish and Stadler [10]. 6.1 Group signatures The concept of group signature, although extremely useful, appeared relatively recently in cryptography =-=[16, 18]-=-. It allows a member of a group to sign documents anonymously on behalf of the group, in an unlinkable but publicly veri able way. As a feature, a group signature scheme considers a group leader, also... |

328 |
Zero-knowledge proofs of identity
- Fiege, Fiat, et al.
- 1988
(Show Context)
Citation Context ... cryptography. The property of zero-knowledge is useful as soon as one wants to perform some operations with secret values without revealing them. Classical examples are authentication, identication [=-=5, 20, 21]-=-, digital signatures [21] and group signatures [10, 18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduc... |

291 | Efficient group signature schemes for large groups
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ...s soon as one wants to perform some operations with secret values without revealing them. Classical examples are authentication, identification [5,20,21], digital signatures [21] and group signatures =-=[10,18]-=-. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has been first introduced by Chaum et al. [13,15,22]. Numerous schemes [14] ... |

287 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damg̊ard, et al.
- 1994
(Show Context)
Citation Context ...o prove more elaborated statements about discrete logarithms; the very first only covered the case of a single equations connected by “AND” statement. In 1994, De Santis et al. [25] and Cramer et =-=al. [19] ind-=-ependently discovered a general method to deal with the “OR” connective. Using their method, one can design proof systems for monotone formulae (i.e. statements without negations). An application ... |

258 | A practical and provably secure coalition-resistant group signature scheme
- Ateniese, Camenisch, et al.
(Show Context)
Citation Context ...(i.e. the judge, when revealing the signer's identity, cannot falsely accuse an honest member). The last property is coalition resistance, which have been proven for thesrst time in the recent scheme =-=[1]-=-. Coalition resistance means that a subset of dishonest members cannot generate a valid group signature which, in case of opening, would reveal an honest (non-colluding) member as the signer. 6.2 A Cl... |

238 | Untraceable off-line cash in wallet with observers
- Brands
(Show Context)
Citation Context ...s boolean statements built from modular exponentiations of secret values, combined by products and connected with the logical operators “AND”, “OR”, “NOT”. 2.1 Preliminaries We follow the =-=notation of [4,3]. -=-We denote a polynomial-time prover by P and a possibly unlimited verifier by V. The notation x ∈R S means that x is chosen in the set S randomly; we assume uniform distribution, unless otherwise spe... |

124 | Publicly verifiable secret sharing
- Stadler
- 1996
(Show Context)
Citation Context ...ge of a root of a discrete logarithm is much more difficult. Two ideas have been proposed so far, which remain quite inefficient or constrained to particular values. 4.1 A Generic Bit-by-bit Solution =-=[28] M-=-. Stadler proposed in [28] a bit-by-bit protocol which allows to prove knowledge of the e-th root of the discrete logarithm of an element y, relatively to a base element g. That is, given y, g ∈ G a... |

89 |
Knowledge complexity of interactive proofs
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ...an be useful to protect privacy or for collabrative use of group signatures, respectively. 1 Introduction 1.1 Proof of Knowledge Zero-knowledge has been introduced by Goldwasser, Micali and Racko in [=-=23]-=- to quantify the amount of information leaked in an interactive protocol. The (interactive) protocols are thus proved zero-knowledge when they reveal no information apart from the validity of the stat... |

87 |
A group signature scheme with improved e±ciency
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ...of opening, would reveal an honest (non-colluding) member as the signer. 6.2 A Class of Group signature schemes The class of group signatures that we dene contains the most recent and ecient schemes [=-=1, 8, 10]-=-. It is characterized by the following criteria: { Computations are made in a group G = hgi in which the discrete logarithm problem is hard. { The judge holds an ElGamal public key y = g w which is an... |

77 | Separability and efficiency for generic group signature schemes
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ...him. To provide separability, we can consider two different entities, a membership manager and a revocation manager. The latter should be needed only to open signatures. Separability is considered in =-=[9,24]-=-. However, in this paper, and to avoid confusion in the context of member exclusion, we call him the judge rather than the revocation manager. A group signature scheme consists of the following five p... |

76 | Identity Escrow
- Kilian, Petrank
(Show Context)
Citation Context ... him. To provide separability, we can consider two dierent entities, a membership manager and a revocation manager. The latter should be needed only to open signatures. Separability is considered in [=-=9, 24]-=-. However, in this paper, and to avoid confusion in the context of member exclusion, we call him the judge rather than the revocation manager. A group signature scheme consists of the followingsve pro... |

74 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
- Chaum, Heijst, et al.
- 1992
(Show Context)
Citation Context ...s if y = Q m i=1 g x i i . Without loss of generality, we assume that the generators appearing in such a product are dierent. The following lemma is a critical part of our construction. Lemma 1 (see [=-=17]-=-). Under the discrete logarithm assumption, it holds that no probabilistic polynomial-time algorithm, on input q and a randomly chosen, polynomial-sized tuple of generators (g 1 ; : : : ; g m ), can o... |

67 | Proof systems for general statements about discrete logarithms - Camenisch, Stadler - 1997 |

64 |
New group signature schemes
- Chen, Pedersen
- 1994
(Show Context)
Citation Context ... soon as one wants to perform some operations with secret values without revealing them. Classical examples are authentication, identication [5, 20, 21], digital signatures [21] and group signatures [=-=10, 18]-=-. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. [13, 15, 22]. Numerous schemes [14] ... |

61 | Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem - Camenisch - 1998 |

58 | Non-Transitive Transfer of Confidence: A Perfect Zero-knowledge Interactive Protocol for SAT and Beyond - Brassard, Crépeau - 1986 |

57 |
de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum, Evertse, et al.
- 1988
(Show Context)
Citation Context ..., 18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. [13, 15, 22]. Numerous schemes =-=[14] allo-=-w to combine several proofs to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" statement. In 1994, De Santi... |

49 |
E±cient group signatures schemes for large groups
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ... soon as one wants to perform some operations with secret values without revealing them. Classical examples are authentication, identication [5, 20, 21], digital signatures [21] and group signatures [=-=10, 18]-=-. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. [13, 15, 22]. Numerous schemes [14] ... |

43 | Practical forward-secure group signature schemes
- Song
- 2001
(Show Context)
Citation Context ...ve to be practical, the scheme proposed in [4] is not sucient. As a concrete application of this particular extension, we give two examples related to group signatures. Thesrst formalizes the work of =-=[6, 27]-=- to perform member revocation while the second introduces multi-signer features in that context. 2 A General Class of Exponentiation-Based Formulae We describe here a formal class of predicates, seen ... |

42 | Rapid demonstration of linear relations connected by boolean operators
- Brands
- 1997
(Show Context)
Citation Context ...et values, combined by products and connected with the logical operators \AND", \OR", \NOT". Wesrst show how to deal with non-linear combination of secret exponents. Next,we extend the =-=work by Brands [4] to a-=- strictly larger class of predicates, allowing a more liberal use of the logical operator \NOT". We sketch two applications by which we enhance group signatures schemes with revocation of identit... |

42 | On monotone formula closure of SZK
- Santis, Crescenzo, et al.
- 1994
(Show Context)
Citation Context ... combine several proofs to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" statement. In 1994, De Santis et=-= al. [25] and -=-Cramer et al. [19] independently discovered a general method to deal with the \OR" connective. Using their method, one can design proof systems for monotone formulae (i.e. statements without nega... |

34 |
Demonstrating Possession of a Discrete Logarithm Without Revealing It
- Chaum, Evertse, et al.
- 1987
(Show Context)
Citation Context ...s [21] and group signatures [10, 18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. =-=[13, 15, 22]. Num-=-erous schemes [14] allow to combine several proofs to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" state... |

33 | E±cient revocation in group signatures
- Bresson, Stern
- 2001
(Show Context)
Citation Context ...ve to be practical, the scheme proposed in [4] is not sucient. As a concrete application of this particular extension, we give two examples related to group signatures. Thesrst formalizes the work of =-=[6, 27]-=- to perform member revocation while the second introduces multi-signer features in that context. 2 A General Class of Exponentiation-Based Formulae We describe here a formal class of predicates, seen ... |

30 |
A private interactive test of a Boolean predicate and minimum-knowledge public-key cryptosystems
- Galil, Haber, et al.
- 1985
(Show Context)
Citation Context ...s [21] and group signatures [10, 18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. =-=[13, 15, 22]. Num-=-erous schemes [14] allow to combine several proofs to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" state... |

27 |
Untraceable O®-line Cash in Wallets with Observers
- Brands
- 1994
(Show Context)
Citation Context ...s boolean statements built from modular exponentiations of secret values, combined by products and connected with the logical operators \AND", \OR", \NOT". 2.1 Preliminaries We follow t=-=he notation of [4, 3-=-]. We denote a polynomial-time prover by P and a possibly unlimited verier by V . The notation x 2R S means that x is chosen in the set S randomly; we assume uniform distribution, unless otherwise spe... |

27 |
Demonstrating that a Public Predicate Can Be Satisfied without Revealing any Information about How
- Chaum
- 1987
(Show Context)
Citation Context ... [21] and group signatures [10,18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has been first introduced by Chaum et al. =-=[13,15,22]. Nu-=-merous schemes [14] allow to combine several proofs to prove more elaborated statements about discrete logarithms; the very first only covered the case of a single equations connected by “AND” sta... |

21 |
Proofs of partial knowledge and simplied design of witness hiding protocols
- Cramer, Damgard, et al.
- 1994
(Show Context)
Citation Context ... to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" statement. In 1994, De Santis et al. [25] and Cramer et=-= al. [19] inde-=-pendently discovered a general method to deal with the \OR" connective. Using their method, one can design proof systems for monotone formulae (i.e. statements without negations). An application ... |

18 |
Publicly veri secret sharing
- Stadler
(Show Context)
Citation Context ...nowledge of a root of a discrete logarithm is much more dicult. Two ideas have been proposed so far, which remain quite inecient or constrained to particular values. 4.1 A Generic Bit-by-bit Solution =-=[28]-=- M. Stadler proposed in [28] a bit-by-bit protocol which allows to prove knowledge of the e-th root of the discrete logarithm of an element y, relatively to a base element g. That is, given y; g 2 G a... |

12 |
Separability and e±ciency for generic group signature schemes
- Camenisch, Michels
- 1999
(Show Context)
Citation Context ... him. To provide separability, we can consider two dierent entities, a membership manager and a revocation manager. The latter should be needed only to open signatures. Separability is considered in [=-=9, 24]-=-. However, in this paper, and to avoid confusion in the context of member exclusion, we call him the judge rather than the revocation manager. A group signature scheme consists of the followingsve pro... |

4 |
Efficient Proofs of
- Schoenmakers
- 1993
(Show Context)
Citation Context ...formulae (i.e. statements without negations). An application to group signature was made in an earlier paper [18] that mentioned [19]. Both papers were based on a protocol proposed by Schoenmakers in =-=[26]. Later, C-=-amenisch and Stadler [11, 7] introduced a formal model for building and proving general linear relations about discrete logarithms, and combining them by the logical operators \OR" and \AND"... |

3 |
An Efficient Threshold PKC Secure Against Adaptive CCA
- Canetti, Goldwasser
(Show Context)
Citation Context ...ome well-chosen public parameters. This is also the underlying idea in [4]. But our protocol uses additional values, which allow \blinding" techniques. Some examples of this technique can be foun=-=d in [12, 6]-=-. A Basic Situation. We consider Alice holding public key YA = g xA . Bob's public key is YB , but the corresponding secret key XB = log h YB is, of course, not known. If Alice wants to prove that she... |

2 | Non-transitive transfer of con A perfect zero-knowledge interactive protocol for sat and beyond - Brassard, Crepeau - 1986 |

1 |
Demonstrating that a public predicate can be satis without revealing any information about how
- Chaum
- 1986
(Show Context)
Citation Context ...s [21] and group signatures [10, 18]. From a more general point of view, the idea of satisfying boolean statements (predicates) without leaking any information has beensrst introduced by Chaum et al. =-=[13, 15, 22]. Num-=-erous schemes [14] allow to combine several proofs to prove more elaborated statements about discrete logarithms; the verysrst only covered the case of a single equations connected by \AND" state... |