## Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order (2005)

Venue: PKC 2005, LNCS 3386

Citations: 12 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bangerter05efficientproofs,
  author    = {Endre Bangerter and Jan Camenisch and Ueli Maurer},
  title     = {Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order},
  booktitle = {In PKC 2005, LNCS 3386},
  year      = {2005},
  pages     = {154--171},
  publisher = {Springer-Verlag}
}
```

### Abstract

For many one-way homomorphisms used in cryptography, there exist efficient zero-knowledge proofs of knowledge of a preimage. Examples of such homomorphisms are the ones underlying the Schnorr or the Guillou-Quisquater identification protocols. In this paper we present, for the first time, efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms $\psi(x_1) := h_1^{x_1}$ and multi-exponentiation homomorphisms $\psi(x_1, \ldots, x_l) := h_1^{x_1} \cdots h_l^{x_l}$ with $h_1, \ldots, h_l \in H$ (i.e., proofs of knowledge of discrete logarithms and representations) where $H$ is a group of hidden order, e.g., an RSA group.

### Citations

2914 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ... generator DP(H, |H|, l). ⊓⊔ Theorem 1 implies that the PP problem is hard for multi-exponentiations in groups for which the ROOT problem is hard. This is widely assumed to be the case for RSA groups [32] and class groups [8]. Moreover, Damgård and Koprowski [23] have shown that if a group has hidden order and if the order of that group contains a large prime factor, then the ROOT problem is hard f...

1336 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ... the Σ⁺-protocol is governed by the smallest prime in |image(ψM)|. The computational validity property of the Σ⁺-protocol holds under the Strong RSA assumption [4, 25] in the random oracle model [34]. The Σ⁺-protocol is a proof of knowledge regardless of whether the prover or the verifier knows the order of H. Technically, the construction of the Σ⁺-protocol takes up and extends ideas underly...

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context ... an order of magnitude more efficient. Examples of homomorphisms for which this is known to be possible are for instance those underlying the Schnorr and the Guillou-Quisquater identification schemes [33, 28]. In fact, Cramer [18] remarks that all the homomorphisms for which this is the case allow one to compute some information (e.g., the order of the group) from their description that enables the knowle...

374 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1992
Citation Context ...l. A similar statement was recently proved by Camenisch and Shoup [12, Theorem 3]. Let commit(·, ·) be a computationally binding and statistically hiding commitment scheme such as the one by Pedersen [29]. To commit to value γ, one computes C ← commit(γ, r), where r is a random value. To open the commitment C, one reveals γ and r to a verifier, who checks that C = commit(γ, r). 5.2 The Σ⁺-Protocol a...

300 | Wallet databases with observers
- Chaum, Pedersen
- 1992
Citation Context ....) These two Σ-protocols are run in parallel as one would do in a proof of equality in groups of known order to demonstrate that the preimage of y equals the first component of the preimage of y (cf. [17]). In fact, in all evaluations of ψM and ϑ (see steps 2 and 7) the argument of ψM and the first argument of ϑ are equal. This allows us to obtain a knowledge extractor for the Σ⁺-protocol as follows...

264 | Efficient group signature schemes for large groups
- Camenisch, Stadler
Citation Context ...of two discrete logarithms of two different group elements with respect to different bases and also that the discrete logarithms are equal. That is, using notation introduced by Camenisch and Stadler [14], one can realize a proof $PK\{(\alpha_1, \alpha_2) : y_1 = h_1^{\alpha_1} \wedge y_2 = h_2^{\alpha_2} \wedge \alpha_1 = \alpha_2\}$. The approach to obtain such an equality proof in the auxiliary setting is to choose the auxiliary pseudo-preimage (v, w) to...

238 | A practical and provably secure coalition-resistant group signature scheme
- Ateniese, Camenisch, et al.
- 2000
Citation Context ..., (△s, △s)) of y under ϑ. That is, we have $y^{\Delta c} = \psi_M(\Delta s) = h^{\Delta s}$ and $y^{\Delta c} = \vartheta(\Delta s, \Delta s) = g^{\Delta s} g_1^{\Delta s}$. (3) As we run the two Σ-protocols in parallel as described above, the same integers △c and △s occur in (2) and (3). Now, as ϑ was chosen according to Dϑ(2, k), Theorem 3 implies that in (3) we must have △c | △s and △c | △s. Thus, (if we, e.g., additionally assert that gcd(△c, |image(ψM)|) = 1) the knowle...

200 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory
- Guillou, Quisquater
- 1988
Citation Context ... an order of magnitude more efficient. Examples of homomorphisms for which this is known to be possible are for instance those underlying the Schnorr and the Guillou-Quisquater identification schemes [33, 28]. In fact, Cramer [18] remarks that all the homomorphisms for which this is the case allow one to compute some information (e.g., the order of the group) from their description that enables the knowle...

169 | Dynamic accumulators and application to efficient revocation of anonymous credentials - Camenisch, Lysyanskaya - 2002

163 | Collision-free accumulators and fail-stop signature schemes without trees
- Barić, Pfitzmann
- 1997
Citation Context ...idden order. The knowledge error of the Σ⁺-protocol is governed by the smallest prime in |image(ψM)|. The computational validity property of the Σ⁺-protocol holds under the Strong RSA assumption [4, 25] in the random oracle model [34]. The Σ⁺-protocol is a proof of knowledge regardless of whether the prover or the verifier knows the order of H. Technically, the construction of the Σ⁺-protocol ta...

159 | Concurrent Zero-Knowledge
- Dwork, Naor, et al.
- 1998
Citation Context ...he cardinality of C is polynomially bounded in k. In case one requires real zero-knowledge or the even stronger notion of concurrent zero-knowledge, one can apply one of numerous constructions, e.g., [20, 24, 16]. Most notably, the technique by Damgård [20] achieves concurrent zero-knowledge at almost no computational and communicational overhead. In Definition 3, the Σ-protocol is only defined for homomorph...

153 | Efficient Proofs That a Committed Number Lies in an Interval
- Boudot
Citation Context ...cally, this is the reason why the Σ⁺-protocol works in all cases where the DF scheme is known to work. In particular, the Σ⁺-protocol can also be used to obtain so called interval or range proofs [6]. Finally, the DF scheme is often considered under different conditions than formulated in Theorem 4, allowing one, e.g., only to prove that one knows b and z such that $y = b h^{z}$ with $b^2 = 1$. Given th...

140 | On Defining Proofs of Knowledge
- Bellare, Goldreich
- 1992
Citation Context ...mgård and Fujisaki scheme as the DF scheme. As pointed out and explained in detail by its authors [22], the DF scheme is not a (computational) proof of knowledge according to the standard definition [5]. Rather, it only works in a stronger definitional setting resulting in “weak proofs of knowledge”. Technically, the DF scheme demonstrates knowledge only over a suitable probability distribution of (...

137 | Practical verifiable encryption and decryption of discrete logarithms - Camenisch, Shoup - 2003

132 | Statistical Zero Knowledge Protocols to Prove Modular
- Fujisaki, Okamoto
- 1997
Citation Context ..., their protocol is not a proof of knowledge of a discrete logarithm in the RSA group. The most relevant work in the field is that by Damgård and Fujisaki [22] (based on work by Fujisaki and Okamoto [25]). They show that the Σ-protocol can be used in certain cases to demonstrate knowledge of a discrete logarithm (or representation) in hidden order groups provided that the prover is not given the grou...

108 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model
- Damgård
- 2000
Citation Context ...he cardinality of C is polynomially bounded in k. In case one requires real zero-knowledge or the even stronger notion of concurrent zero-knowledge, one can apply one of numerous constructions, e.g., [20, 24, 16]. Most notably, the technique by Damgård [20] achieves concurrent zero-knowledge at almost no computational and communicational overhead. In Definition 3, the Σ-protocol is only defined for homomorph...

85 | Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation - Camenisch, Lysyanskaya

84 | A group signature scheme with improved efficiency - Camenisch, Michels - 1998

74 | Resettable Zero-Knowledge
- Canetti, Goldreich, et al.
- 2000
Citation Context ...he cardinality of C is polynomially bounded in k. In case one requires real zero-knowledge or the even stronger notion of concurrent zero-knowledge, one can apply one of numerous constructions, e.g., [20, 24, 16]. Most notably, the technique by Damgård [20] achieves concurrent zero-knowledge at almost no computational and communicational overhead. In Definition 3, the Σ-protocol is only defined for homomorph...

71 | A Statistically-Hiding Integer Commitment Scheme Based on
- Damgård, Fujisaki
- 2002
Citation Context ... the security of their identification scheme, their protocol is not a proof of knowledge of a discrete logarithm in the RSA group. The most relevant work in the field is that by Damgård and Fujisaki [22] (based on work by Fujisaki and Okamoto [25]). They show that the Σ-protocol can be used in certain cases to demonstrate knowledge of a discrete logarithm (or representation) in hidden order groups pr...

58 | Efficient verifiable encryption (and fair exchange) of digital signatures
- Ateniese
- 1999
Citation Context ...llision extractability property. For a detailed analysis of this property we refer to Damgård [21]. Now, using $\Delta c := c' - c$ and $\Delta s := s - s'$, where wlog we assume △c > 0, one gets $y^{\Delta c} = \psi(\Delta s)$. (1) In the case where the challenge set is C = {0, 1} we have △c = 1 and thus y = ψ(△s). This proves part (a) of the theorem. To prove part (b) we may assume that ψ is special. Now, we invoke a pseudo...

58 | Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem
- Camenisch
- 1998
Citation Context ...practical interest of proofs of knowledge in the auxiliary setting is that one can use techniques from groups with known order for proving relations among preimages of different multi-exponentiations [7, 15]. As an example one can prove knowledge of two discrete logarithms of two different group elements with respect to different bases and also that the discrete logarithms are equal. That is, using notat...

51 | Zero-knowledge proof for finite field arithmetic, or: Can zero-knowledge be for free
- Cramer, Damgård
- 1998
Citation Context ... y given rewinding oracle access to such a prover. For all (computable) homomorphisms there exists a proof of knowledge: the well known commitment-challenge-response protocol, often called Σ-protocol [18, 19], with binary challenges. Due to the binary challenges, the protocol has a knowledge error of 1/2 and therefore it needs to be repeated sequentially sufficiently many times to achieve a reasonably sma...

49 | Modular Design of Secure, yet Practical Cryptographic Protocols
- Cramer
- 1996
Citation Context ... y given rewinding oracle access to such a prover. For all (computable) homomorphisms there exists a proof of knowledge: the well known commitment-challenge-response protocol, often called Σ-protocol [18, 19], with binary challenges. Due to the binary challenges, the protocol has a knowledge error of 1/2 and therefore it needs to be repeated sequentially sufficiently many times to achieve a reasonably sma...

37 | Rapid demonstration of linear relations connected by boolean operators
- Brands
- 1997
Citation Context ...practical interest of proofs of knowledge in the auxiliary setting is that one can use techniques from groups with known order for proving relations among preimages of different multi-exponentiations [7, 15]. As an example one can prove knowledge of two discrete logarithms of two different group elements with respect to different bases and also that the discrete logarithms are equal. That is, using notat...

36 | A key-exchange system based on imaginary quadratic fields
- Buchmann, Williams
- 1998
Citation Context ..., x_l) $:= h_1^{x_1} \cdots h_l^{x_l}$ with $h_1, \ldots, h_l \in H$ in hidden order groups H, e.g., where H is a class group [8, 23] or an RSA group. (⋆ A preliminary version of this paper appeared in the proceedings of PKC2005 [3].) Such homomorphisms are for instance the basis of recent group signature and identity escrow schemes, credential systems, and fair exchange protocols [2, 1, 9–11, 29, 6, 26, 12]. In f...

31 | A practical and provably secure scheme for publicly verifiable secret sharing and its applications - Fujisaki, Okamoto

28 | An identity-based identification scheme based on discrete logarithms modulo a composite number
- Girault
- 1991
Citation Context ...n fact in these schemes, the authors often employ the Σ-protocol with non-binary challenges, sometimes wrongly relying on them to be proofs of knowledge in this setting as well. Related Work. Girault [27] suggests an efficient proof of knowledge for discrete logarithms in the RSA group based on the Σ-protocol. His approach is to publish the order of the sub-group in which the images lies. This require...

28 | Security analysis of a practical “on the fly” authentication and signature generation
- Poupard, Stern
- 1998
Citation Context ... that giving away the order of the sub-group does not allow one to factor the RSA modulus. Also, one can no longer make use of the RSA-trapdoor for this subgroup with this approach. Poupard and Stern [31] describe an identification scheme based on the Σ-protocol, where the private key is a discrete logarithm of a generator of a subgroup of the RSA group. They show that from an adversary that breaks th...

27 | Two-party generation of DSA signatures - MacKenzie, Reiter - 2001

20 | An identity escrow scheme with appointed verifiers - Camenisch, Lysyanskaya - 2001

13 | Generic lower bounds for root extraction and signature schemes in general groups
- Damgård, Koprowski
- 2002
Citation Context ..., x_l) $:= h_1^{x_1} \cdots h_l^{x_l}$ with $h_1, \ldots, h_l \in H$ in hidden order groups H, e.g., where H is a class group [8, 23] or an RSA group. (⋆ A preliminary version of this paper appeared in the proceedings of PKC2005 [3].) Such homomorphisms are for instance the basis of recent group signature and identity escrow schemes, credential systems, and fair exchange protocols [2, 1, 9–11, 29, 6, 26, 12]. In f...

2 | On sigma-protocols
- Damgård
- 2002
Citation Context ...on of the Σ-protocol. 4.1 Preliminaries: The Σ-Protocol and its Properties In this section we review known properties of the Σ-protocol. For a detailed discussion we refer to Cramer [18] and Damgård [21]. Definition 3 (Σ-Protocol). Let Ψ be a collection of homomorphisms with a finite domain and let ((ψ, y), x) ∈ R[Ψ(k)]. Let (P, V) be a pair of interactive machines with common input (ψ, y), the priv...