## Rapid Demonstration of Linear Relations Connected by Boolean Operators (1997)

Venue: In EUROCRYPT ’97

Citations: 37 - 0 self

### BibTeX

@INPROCEEDINGS{Brands97rapiddemonstration,
  author = {Stefan Brands},
  title = {Rapid Demonstration of Linear Relations Connected by Boolean Operators},
  booktitle = {In EUROCRYPT ’97},
  year = {1997},
  pages = {318--333},
  publisher = {Springer Verlag}
}

### Abstract

Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption.

1 Introduction

Consider a polynomial-time prover that has committed to a vector of secrets and wants to demonstrate that the secrets satisfy some satisfiable formula from propositional logic, where the atomic propositions are relations that are linear in the secrets. An example formula is

$$\big((5x_1 - 3x_2 = 5) \text{ AND } (2x_2 + 3x_3 = 7)\big) \text{ OR } \big(\text{NOT}(x_1 + 4x_3 = 5)\big),$$

where $(x_1, \ldots, x_k)$ is the prover's vector of secrets. The prover does not want to reveal any more information about its secrets than what is co...

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...set is as in Subsection 4.1. This time, P has to demonstrate to V that its representation satisfies the formula $\text{NOT}\big(x_{(1)} = \alpha_1 + \alpha_2 x_{(2)} + \cdots + \alpha_k x_{(k)} \bmod q\big)$. (3) The coefficients $\alpha_i$, for $1 \le i \le k$, are elements of $\mathbb{Z}_q$. Clearly, the permutation $(\cdot)$ can always be defined to interchange at most two elements and leave the rest unchanged. Our technique for de...

268 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
- Cramer, Damgard, et al.
- 1994
Citation Context: ...ocols facilitate many other proof modes. De Santis, Di Crescenzo, Persiano and Yung [17] show how to prove any monotone formula over a random self-reducible language (Cramer, Damgard and Schoenmakers [15] independently discovered virtually the same technique). If a monotone formula has m logical connectives, then this technique requires the prover to perform m proofs of knowledge, one for each sub-for...

226 | Untraceable off-line cash in wallets with observers
- Brands
Citation Context: ...; we call $(g_1, \ldots, g_k)$ a generator-tuple. From now on, an integer in the Discrete Log setting is said to be "small" if it is polynomial in $|q|$, and "large" otherwise. Using the terminology of [6, 7], a representation of a number $h \in G_q$ with respect to $(g_1, \ldots, g_k)$ is a vector of numbers, $(x_1, \ldots, x_k)$, such that $h = \prod_{i=1}^{k} g_i^{x_i}$, where $x_1, \ldots, x_k$ are in $\mathbb{Z}_q$. Intractab...

190 | Noninteractive zero-knowledge
- Blum, Santis, et al.
- 1991
Citation Context: ...

$$\begin{pmatrix} \vdots & & \vdots & \vdots & \vdots & & \vdots \\ \alpha_{l1} & \cdots & \alpha_{l,k-l} & 0 & 0 & \cdots & 1 \end{pmatrix} \begin{pmatrix} x_{(1)} \\ x_{(2)} \\ \vdots \\ x_{(k)} \end{pmatrix} = \begin{pmatrix} b_1 - f_1 \epsilon \\ b_2 - f_2 \epsilon \\ \vdots \\ b_l - f_l \epsilon \end{pmatrix} \bmod q, \qquad (5)$$

where $f_1, \ldots, f_l$ are numbers in $\mathbb{Z}_q$. (Clearly, one of the $f_i$'s can always be 1.) Our technique for demonstrating the boolean formula that corresponds to the system (5) is based on the follo...

147 | Generalized Secret Sharing and Monotone Functions
- Benaloh, Leichter
- 1990
Citation Context: ...ular, the restrictions according to which P generates its self-chosen challenges from the supplied challenge can be dictated in accordance with the secret-sharing construction of Benaloh and Leichter [4] for the access structure defined by the dual of the formula F (see Cramer et al. [15] for details). In other words, expressing F in a more compact form than (6) may lead to a more efficient protocol....

140 | On Defining Proofs of Knowledge
- Bellare, Goldreich
- 1992
Citation Context: ...n any other manner that ensures that P cannot find collisions for the generated instance. Proving Knowledge. Our results in Section 4 can be based on any proof of knowledge (see Bellare and Goldreich [1]) of a representation. For practical purposes we are interested in highly efficient protocols that offer a wide range of proof modes. The following generic protocol enables P, for any $m$ with $1 \le m \le k$, to...

136 | An efficient off-line electronic cash system based on the representation problem
- Brands
- 1993
Citation Context: ...; we call $(g_1, \ldots, g_k)$ a generator-tuple. From now on, an integer in the Discrete Log setting is said to be "small" if it is polynomial in $|q|$, and "large" otherwise. Using the terminology of [6, 7], a representation of a number $h \in G_q$ with respect to $(g_1, \ldots, g_k)$ is a vector of numbers, $(x_1, \ldots, x_k)$, such that $h = \prod_{i=1}^{k} g_i^{x_i}$, where $x_1, \ldots, x_k$ are in $\mathbb{Z}_q$. Intractab...

105 | Zero-Knowledge Proofs of Knowledge in Two Rounds
- Feige, Shamir
- 1989
Citation Context: ...reducing the boolean formula that is to be demonstrated to an instance of the NP-complete language Directed Hamiltonian Cycle, and applying the zero-knowledge argument of knowledge of Feige and Shamir [18]. However, techniques such as this are not practical, because they amount to encoding the statement into a boolean circuit and using commitments for each gate. By restricting q in the Discrete Logarit...

74 | Incremental cryptography: The case of hashing and signing
- Bellare, Goldreich, et al.
- 1994
Citation Context: ...a randomly chosen generator-tuple $(g_1, \ldots, g_k)$, outputs with non-negligible probability of success a number $h \in G_q$ and two different representations of $h$. 1 Bellare, Goldreich and Goldwasser [2] noted that the reduction can be modified to achieve a success probability for the Discrete-Logarithm finder that is within a constant factor of that of the collision-finding oracle, instead of being ...

70 | Cryptographically strong undeniable signatures, unconditionally secure for the signer, Interner Bericht, Fakultät für Informatik
- Chaum, Heijst, et al.
- 1990

59 | Practical and Provably Secure Release of a Secret and Exchange of Signatures
- Damgård
- 1995
Citation Context: ...d the size of its public key, but independent of the parameters specifying the atomic proposition or anything else. The following approaches do not satisfy this criterion: -- The technique of Damgard [16] can be adapted in order to demonstrate atomic formulae of the form $x_1^{a_1} + \alpha_2 x_2^{a_2} + \cdots + \alpha_k x_k^{a_k} = \alpha_1 \bmod q$, but this requires P to perform $O(\sum_{i=1}^{k} a_i)$ separate bas...

41 | On Monotone Formula Closure of SZK
- Santis, Crescenzo, et al.
- 1994
Citation Context: ...en overlooked by Chaum et al. [14]), but the resulting protocols remain less efficient than ours. Moreover, our protocols facilitate many other proof modes. De Santis, Di Crescenzo, Persiano and Yung [17] show how to prove any monotone formula over a random self-reducible language (Cramer, Damgard and Schoenmakers [15] independently discovered virtually the same technique). If a monotone formula has m...

39 | An Interactive Identification Scheme Based on Discrete Logarithms and Factoring
- Brickell, McCurley
- 1991
Citation Context: ...rator that outputs $q$'s that have only large prime factors; finding collisions then requires one to break the Discrete Logarithm problem in $G_q$ or to factor $q$. In addition, as in Brickell and McCurley [12], one can let the $g_i$'s be generators of a non-trivial subgroup of $G_q$. To guarantee V's security one should generate the elements of the set-up in accordance with the probability distributions of t...

30 | de Graaf, Gradual and verifiable release of a secret, in
- Brickell, Chaum, et al.
- 1988
Citation Context: ...$\alpha_k x_k^{a_k} = \alpha_1 \bmod q$, but this requires P to perform $O(\sum_{i=1}^{k} a_i)$ separate basic proofs of knowledge and proofs of equality of discrete logarithms; -- Brickell, Chaum, Damgard and Van de Graaf [11] showed how to prove that an exponent is in an interval, but their protocol inherently requires binary challenges (and thus polynomially many iterations), and moreover the proof must be performed for ...

21 | Restrictive blinding of secret-key certificates
- Brands
- 1995

3 | Restrictive Blind Issuing of Secret-Key Certificates in Parallel Mode
- Brands
- 1995