## Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract) (2008)

Citations: 8 (5 self)

### BibTeX

```bibtex
@MISC{Bangerter08automaticgeneration,
  author = {Endre Bangerter and Jan Camenisch and Stephan Krenn and Ahmad-Reza Sadeghi and Thomas Schneider},
  title  = {Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract)},
  year   = {2008}
}
```

### Abstract

Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. The first applications that critically rely on ZK-PoKs are currently being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision, whose goal is to bring ZK-PoK to practice by automatically generating sound ZK-PoK protocols and making them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementations of ZK-PoK protocols.

### Citations

3161 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Rivest, Shamir, et al. - 1978

1920 | How to share a secret - Shamir - 1979
Citation Context: ...ined with other Σ-protocols by boolean operators AND and OR with standard composition techniques. Arbitrary monotone access structures can be realized efficiently using secret sharing schemes such as [Sha79] as described in [CDS94]. Yet, these techniques can also be adopted for usage with the protocols given in [BCM05,CKY09]. The major advantage of the Σexp protocol is that it can easily be transformed i...

881 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1987
Citation Context: ...ee moves only. Hence they cannot be applied immediately to those six-move protocols. Examples are the highly efficient and widely used Fiat-Shamir transformation for non-interactive ZK (NIZK) in ROM [FS87], or constructions for concurrent zero-knowledge (CZK) [Dam00,MP03,Vis06]. The Σexp-protocol [BCK+08], which was introduced independently from, and earlier than [CKY09], fits excellently into this fra...

691 | Public-key cryptosystems based on composite degree residuosity classes - Paillier - 1999

618 | Efficient Signature Generation for Smart Cards - Schnorr
Citation Context: ...-PoK proof techniques play an important role in applied cryptography. In fact, many practically oriented applications use such proofs as basic building blocks. Examples include identification schemes [Sch91], interactive verifiable computation [CM99], group signatures [Cam98], secure watermark detection [ARS05], and efficient secure multiparty computation [LPS08] - just to name a few. ⋆ This work is supp...

428 | Safeguarding cryptographic keys - Blakley - 1979

408 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1992

389 | Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof Systems - Goldreich, Micali, et al. - 1991

285 | Efficient group signature schemes for large groups - Camenisch, Stadler - 1997
Citation Context: ...uage in which the semantic goal of a ZK-PoK together with its non-functional properties can be formulated in a user-friendly way. The language is inspired by the well-known Camenisch-Stadler notation [CS97], which is used to formulate the intended semantic goal. We enrich this with non-functional properties which allow one to specify optimization constraints (e.g., upper bounds for computation- or communicat...

282 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols - Cramer, Damgård, et al. - 1994
Citation Context: ...ptosystems such as Pedersen commitments/verifiable secret sharing [Ped92], Schnorr authentication/signatures [Sch91], electronic cash [Bra94,Oka95,CFT98], group signatures [CL04], and ring signatures [CDS94]. Efficiency of implementation process. In fact, this challenge is solved inherently by our compiler-based approach (i.e., by automating the implementation process). Our first prototype of the compile...

233 | Untraceable Off-line Cash in Wallets with Observers - Brands - 1993

226 | An efficient system for non-transferable anonymous credentials with optional anonymity revocation - Camenisch, Lysyanskaya - 2001

204 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and - Guillou, Quisquater - 1988

195 | Signature schemes and anonymous credentials from bilinear maps - Camenisch, Lysyanskaya - 2004
Citation Context: ...s which includes various cryptosystems such as Pedersen commitments/verifiable secret sharing [Ped92], Schnorr authentication/signatures [Sch91], electronic cash [Bra94,Oka95,CFT98], group signatures [CL04], and ring signatures [CDS94]. Efficiency of implementation process. In fact, this challenge is solved inherently by our compiler-based approach (i.e., by automating the implementation process). Our f...

169 | A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System - Damgård, Jurik - 2001

168 | A signature scheme with efficient protocols - Camenisch, Lysyanskaya

159 | Direct anonymous attestation - Brickell, Camenisch, et al. - 2004
Citation Context: ...ion level, a direction of applied research has produced first applications using ZK-PoKs that are deployed in the real world. The probably most prominent example is Direct Anonymous Attestation (DAA) [BCC04], which was adopted by the Trusted Computing Group (TCG), an industry consortium of many IT enterprises, as a privacy enhancing mechanism for remote authentication of computing platforms. Another exam...

158 | FairPlay – A Secure Two-Party Computation System - Malkhi, Nisan, et al.

150 | On defining proofs of knowledge - Bellare, Goldreich - 1992

148 | Practical verifiable encryption and decryption of discrete logarithms - Camenisch, Shoup - 2003

130 | Design and Implementation of the Idemix Anonymous Credential System - Camenisch, Herreweghen - 2002
Citation Context: ...G), an industry consortium of many IT enterprises, as a privacy enhancing mechanism for remote authentication of computing platforms. Another example is the identity mixer anonymous credential system [CH02], which was released by IBM into the Eclipse Higgins project, an open source effort dedicated to developing software for “user-centric” identity management. Up to now, design and implementation of ZK-...

130 | Proving in zero-knowledge that a number is the product of two safe primes - Camenisch, Michels - 1999
Citation Context: ... in applied cryptography. In fact, many practically oriented applications use such proofs as basic building blocks. Examples include identification schemes [Sch91], interactive verifiable computation [CM99], group signatures [Cam98], secure watermark detection [ARS05], and efficient secure multiparty computation [LPS08] - just to name a few. ⋆ This work is supported by the EU under FP7 project CACE (Com...

114 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model - Damgård

76 | An integer commitment scheme based on groups with hidden order - Damgård, Fujisaki - 2002

72 | Easy come - easy go divisible cash - Chan, Frankel, et al.

61 | Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem - Camenisch - 1998
Citation Context: ... In fact, many practically oriented applications use such proofs as basic building blocks. Examples include identification schemes [Sch91], interactive verifiable computation [CM99], group signatures [Cam98], secure watermark detection [ARS05], and efficient secure multiparty computation [LPS08] - just to name a few. ⋆ This work is supported by the EU under FP7 project CACE (Computer Aided Cryptography E...

61 | An efficient divisible electronic cash scheme - Okamoto - 1995

51 | Modular Design of Secure yet Practical Cryptographic Protocols - Cramer - 1997

48 | Concurrent zero knowledge with logarithmic round-complexity - Prabhakaran, Rosen, et al. - 2002

41 | Rapid demonstration of linear relations connected by boolean operators - Brands - 1997

39 | Implementing two-party computation efficiently with security against malicious adversaries - Lindell, Pinkas, et al. - 2008
Citation Context: .... Examples include identification schemes [Sch91], interactive verifiable computation [CM99], group signatures [Cam98], secure watermark detection [ARS05], and efficient secure multiparty computation [LPS08] - just to name a few. ⋆ This work is supported by the EU under FP7 project CACE (Computer Aided Cryptography Engineering). While many of these applications typically only exist on a specification lev...

31 | On diophantine complexity and statistical zero-knowledge arguments - Lipmaa - 2003
Citation Context: ...propriate proof techniques according to the user’s requirements on communicational and computational complexity. For example, interval proofs can be done either with techniques described in [Bou00] or [Lip03], which have different communication and computation complexity. To support low level optimization we’ll (additionally to C) also provide a compiler backend that outputs code in the CAO (“Cryptography ...

27 | Zero-knowledge watermark detection and proof of ownership - Adelsbach, Sadeghi - 2001
Citation Context: ...applications use such proofs as basic building blocks. Examples include identification schemes [Sch91], interactive verifiable computation [CM99], group signatures [Cam98], secure watermark detection [ARS05], and efficient secure multiparty computation [LPS08] - just to name a few. ⋆ This work is supported by the EU under FP7 project CACE (Computer Aided Cryptography Engineering). While many of these app...

15 | Zero-knowledge from secure multiparty computation - Ishai, Kushilevitz, et al. - 2007

14 | Proofs of knowledge for non-monotone discrete-log formulae and applications - Bresson, Stern - 2002

13 | Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order - Bangerter, Camenisch, et al. - 2005
Citation Context: ... protocols and give a generic protocol transformation from a given generalized Schnorr protocol (which is a Σ-protocol) into an unconditionally portable protocol. Both the existing transformation of [BCM05] in the random oracle model and its adoption for the standard model [CKY09] need six moves. However, most protocol transformations that need to be applied in order to use such honest-verifier ZK proto...

13 | First Steps Toward a Cryptography-Aware Language and Compiler. Cryptology ePrint Archive - Barbosa, Noad, et al. - 2004
Citation Context: ... computation complexity. To support low level optimization we’ll (additionally to C) also provide a compiler backend that outputs code in the CAO (“Cryptography Aware language and cOmpiler”) language [BNPS05]. This is a language and a compiler geared towards the generation of an efficient and secure low-level implementation of cryptographic primitives; CAO is also being developed in the CACE project. Resu...

12 | On the Automatic Construction of Indistinguishable Operations - Barbosa, Page - 2005

11 | Low communication 2-prover zero-knowledge proofs for NP - Dwork, Feige, et al. - 1992

10 | Verifiable encryption of digital signatures and applications - Ateniese
Citation Context: ...s of prover and verifier and the messages being exchanged). For instance, the well known Schnorr protocol [Sch91] realizes the first semantic goal mentioned above, and verifiable encryption protocols [Ate04] realize the latter. It is important to note that given a semantic goal, there can be many different protocols realizing that goal; also sometimes one does not know how to construct an efficient proto...

9 | Simulatable Commitments and Efficient Concurrent Zero-Knowledge - Micciancio, Petrank - 2003

8 | Sokrates - a compiler framework for zero-knowledge protocols - Camenisch, Rohe, et al. - 2005

7 | Compiler for zero-knowledge proof-of-knowledge protocols - Briner

7 | Efficient zero knowledge on the internet - Visconti

6 | Compiler assisted elliptic curve cryptography - Barbosa, Moss, et al.

3 | On Σ-protocols, 2004. Lecture on Cryptologic Protocol Theory - Damgård

2 | On the portability of generalized Schnorr proofs. Cryptology ePrint Archive, Report 2009/050 - Camenisch, Kiayias, et al. - 2009
Citation Context: ...+08,CKY09] and generation of C or CAO code. 4 The Σexp-protocol - An unconditionally portable Σ-protocol in the auxiliary string model. The newly introduced framework of Camenisch, Kiayias and Yung [CKY09] spotlights several known problems when proving preimages of exponentiation homomorphisms (i.e. homomorphisms of the form φ(x_1, ..., x_n) = g_1^{x_1} ··· g_n^{x_n}), especially when such proofs are perf...