Abstract
Discrete-logarithm authentication protocols are known to present two interesting features. The first is that the prover’s commitment, \(x=g^r\), accounts for most of the prover’s computational effort. The second is that x does not depend on the challenge and can hence be computed in advance. Provers exploit this feature by pre-loading (or pre-computing) ready-to-use commitment pairs \((r_i, x_i)\). The \(r_i\) can be derived from a common seed, but storing each \(x_i\) still requires 160 to 256 bits when implementing DSA or Schnorr.
This paper proposes a new concept called slow motion zero-knowledge (SM-ZK). SM-ZK allows the prover to slash commitment size (by a factor of 4 to 6) by combining classical zero-knowledge and a timing channel. We pay the conceptual price of requiring the ability to measure time but, in exchange, obtain communication-efficient protocols.
Notes
1. Note that special honest-verifier zero-knowledge implies honest-verifier zero-knowledge.
2. Or for \(\mathcal P\) by a trusted authority.
3. If y was received before \(\varDelta _\mathrm{max}\).
4. The probability of success at step 3 is essentially 1 / B, and the expected number of executions of the loop is B, so that the simulation of N rounds runs in O(NB): the machine runs in expected polynomial time.
References
Abadi, M., Burrows, M., Manasse, M.S., Wobber, T.: Moderately hard, memory-bound functions. ACM Trans. Internet Technol. 5(2), 299–327 (2005)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November, 1993, pp. 62–73. ACM (1993)
Bernstein, R.L.: Multiplication by integer constants. Softw. Pract. Exper. 16(7), 641–652 (1986)
Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 236. Springer, Heidelberg (2000)
Ciobotaru, O.: On the (Non-)Equivalence of UC security notions. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 104–124. Springer, Heidelberg (2012)
Damgård, I.: On \(\Sigma \) Protocols (2010). http://www.cs.au.dk/~ivan/Sigma.pdf
Dwork, C., Goldberg, A.V., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003)
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)
Dwork, C., Naor, M., Wee, H.M.: Pebbling and proofs of work. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Heidelberg (2005)
Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptology 1(2), 77–94 (1988)
Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991)
Girault, M., Poupard, G., Stern, J.: On the fly authentication and signature schemes based on groups of unknown order. J. Cryptology 19(4), 463–487 (2006)
Girault, M., Stern, J.: On the length of cryptographic hash-values used in identification schemes. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 202–215. Springer, Heidelberg (1994)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: Sedgewick, R. (ed.) Proceedings of the 17th Annual ACM Symposium on Theory of Computing, 6–8 May, 1985, Providence, Rhode Island, USA, pp. 291–304. ACM (1985)
Hazay, C., Lindell, Y.: Efficient secure two-party protocols: techniques and constructions. Springer Science and Business Media, Heidelberg (2010)
Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the random oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011)
Micali, S., Pass, R.: Local zero knowledge. In: Kleinberg, J.M. (ed.) Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 21–23 May, 2006, pp. 306–315. ACM (2006)
M’Raïhi, D., Naccache, D.: Couponing scheme reduces computational power requirements for DSS signatures. In: Proceedings of CardTech/SecurTech, pp. 99–104 (1994)
Poupard, G., Stern, J.: Security analysis of a practical “On the Fly” authentication and signature generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998)
Rivest, R., Shamir, A., Wagner, D.: Time-lock puzzles and timed-release crypto, technical report, MIT/LCS/TR-684 (1996)
de Rooij, P.: On Schnorr’s preprocessing for digital signature schemes. J. Cryptology 10(1), 1–16 (1997)
Appendices
A Proof of Lemma 2
Proof
The zero-knowledge property of the standard GPS protocol is proven by constructing a polynomial-time simulation of the communication between a prover and a verifier [12, Theorem 2]. We adapt this proof to the context of the proposed protocol. The function \(\delta \) is defined by \(\delta (\mathsf {true}) = 1\) and \(\delta (\mathsf {false}) = 0\), and \(\wedge \) denotes the logical operator “and”. For clarity, the function \(f_{\tau , \ell }\) is henceforth written f.
The scenario is that of a prover \(\mathcal P\) and a dishonest verifier \(\mathcal A\) who can use an adaptive strategy to bias the choice of the challenges to try to obtain information about s. In this case the challenges are no longer chosen at random, and this must be taken into account in the security proof. Assume the protocol is run N times and focus on the i-th round.
\(\mathcal A\) has already obtained a certain amount of information \(\eta \) from past interactions with \(\mathcal P\). \(\mathcal P\) sends a pre-computed commitment \(x_i\). Then \(\mathcal A\) chooses a challenge using all information available to her and a random tape \(\omega \): \(c_i\left( x_i, \eta , \omega \right) \).
The following is an algorithm (using its own random tape \(\omega _M\)) that simulates this round:
- Step 1. Choose \(\overline{c_i} \xleftarrow {\$}[0, B-1]\) and \(\overline{y_i} \xleftarrow {\$}[(B-1)(S-1), A-1]\) using \(\omega _M\).
- Step 2. Compute \(\overline{x_i} = f\left( g^{\overline{y_i}}v^{\overline{c_i}}\right) \).
- Step 3. If \(c_i\left( \overline{x_i}, \eta , \omega \right) = \overline{c_i}\) then return to step 1 and try again with another pair \((\overline{c_i}, \overline{y_i})\), else return \((\overline{x_i}, \overline{c_i}, \overline{y_i})\) (see Note 4).
The rest of the proof shows that, provided \(\varPhi = (B-1)(S-1)\) is much smaller than A, this simulation algorithm outputs triples that are indistinguishable from real ones, for any fixed random tape \(\omega \).
Formally, we want to prove that
is negligible, i.e., that the two distributions cannot be distinguished by accessing a polynomial number of triples (even with unbounded computational power). Let \((\alpha , \beta , \gamma )\) be a fixed triple; assuming an honest prover, we have the following probability:
where \(f = f_{\tau ,\ell }\).
We now consider the probability \(\overline{p} = \mathrm {Pr}_{\omega _M}\left[ (\overline{x},\overline{c},\overline{y}) = (\alpha ,\beta ,\gamma )\right] \) to obtain the triple \((\alpha ,\beta ,\gamma )\) during the simulation described above. This is a conditional probability given by
Using the definition of conditional probabilities, this equals
Let us introduce
then the denominator in \(\overline{p}\) is simply \(Q/B(A-\varPhi )\). Therefore:
We will now use the following combinatorial lemma:
Lemma 4
If \(h : \mathcal G \rightarrow [0, B-1]\) and \(v \in \{g^{-s}, s \in [0, S-1]\}\) then the total number M of solutions \((c,y) \in [0, B-1]\times [\varPhi , A-1]\) to the equation \(c = h(g^y v^{c})\) satisfies \(A - 2\varPhi \le M\le A\).
Proof
(Proof of Lemma 4) See [12, Appendix A]. Specialising Lemma 4 to the function that computes \(c(f(g^{\overline{y}}v^{\overline{c}}), \eta , \omega )\) from \((\overline{c}, \overline{y})\) gives \(A-2\varPhi \le Q \le A\). This enables us to bound \(\varSigma _1\):
Therefore \(\varSigma _1 \le 2 |Q-A|/A \le 4\varPhi /A < 4SB/A\), which proves that the real and simulated distributions are statistically indistinguishable if SB / A is negligible. \(\square \)
B GPS Commitment Pre-computation
Figure 4 describes one possible way in which pre-computed commitments are generated and used for GPS. In this figure, we delegate the computation to a trusted authority. That role can be played by \(\mathcal P\) alone, but we leverage the authority to alleviate \(\mathcal P\)’s computational burden.
To efficiently generate a sequence of commitments, the authority uses a shared secret seed J and a cryptographic hash function H. Here J is chosen by \(\mathcal P\), but it could be chosen by the authority instead.
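The following Python model, added here as an illustration and not code from the paper or its authors, ties together the two appendices: the seed-derived commitment table of Appendix B (r_i = H(J, i), x_i = f(g^{r_i})) and the rejection-sampling simulator of Appendix A, which guesses (c̄, ȳ), forms x̄ = f(g^{ȳ} v^{c̄}) and keeps the triple only when the verifier's challenge on x̄ equals the guessed c̄ (the "success" event of Note 4, expected after about B attempts). Everything numeric is a constructed toy: the group is a subgroup mod a 31-bit prime rather than a group of unknown order, A, B, S and ℓ are tiny, f is a hash truncated to ℓ bits with the slow/timing component of f_{τ,ℓ} deliberately not modelled, and r_i is reduced mod A. The adaptive verifier is modelled as a deterministic function of x.

```python
import hashlib
import secrets
from typing import Callable, List, Tuple

# --- constructed toy parameters (far too small for real use) ---
P = 2_147_483_647            # 2^31 - 1, a prime; toy modulus (assumption)
G = 7                        # group element used as the base g (assumption)
S = 2 ** 10                  # secret s lies in [0, S-1]
B = 2 ** 8                   # challenge c lies in [0, B-1]
A = 2 ** 40                  # commitment exponent r lies in [0, A-1], A >> S*B
PHI = (B - 1) * (S - 1)      # the paper's Phi
ELL = 24                     # bits kept by f; a full element needs P.bit_length() bits
_NB = (P.bit_length() + 7) // 8


def f(group_elem: int) -> int:
    """Hashed commitment: stands in for f_{tau,ell}, truncated to ELL bits.
    The slow-motion (timing) part of the paper's f is NOT modelled here."""
    digest = hashlib.sha256(group_elem.to_bytes(_NB, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - ELL)


def keygen() -> Tuple[int, int]:
    """Secret s and public v = g^{-s}."""
    s = secrets.randbelow(S)
    return s, pow(G, -s, P)


# --- Appendix B: commitments derived from a shared seed J and hash H ---
def derive_r(J: bytes, i: int) -> int:
    """r_i = H(J || i) reduced mod A (reduction is a toy simplification)."""
    h = hashlib.sha256(J + i.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % A


def precompute_commitments(J: bytes, n: int) -> List[int]:
    """The authority's table x_i = f(g^{r_i}); only ELL bits each need storing."""
    return [f(pow(G, derive_r(J, i), P)) for i in range(n)]


def prover_response(s: int, J: bytes, i: int, c: int) -> int:
    """GPS response y = r_i + s*c, with r_i re-derived from the seed."""
    return derive_r(J, i) + s * c


def verify(v: int, x: int, c: int, y: int) -> bool:
    """Verifier check: y in range and f(g^y v^c) equals the received commitment."""
    if not 0 <= y < A + PHI:
        return False
    return f(pow(G, y, P) * pow(v, c, P) % P) == x


def honest_round(s: int, v: int, J: bytes, i: int,
                 challenge: Callable[[int], int]) -> Tuple[int, int, int]:
    """A real interaction: commitment x_i, adaptive challenge c(x_i), response y."""
    x = precompute_commitments(J, i + 1)[i]
    c = challenge(x)
    return x, c, prover_response(s, J, i, c)


# --- Appendix A: the simulator, which never sees s ---
def simulate_round(v: int, challenge: Callable[[int], int]) -> Tuple[int, int, int, int]:
    """Rejection sampling: guess (c_bar, y_bar), build x_bar, keep it when the
    verifier's challenge on x_bar matches the guess. Returns (x, c, y, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        c_bar = secrets.randbelow(B)                 # Step 1
        y_bar = PHI + secrets.randbelow(A - PHI)     # y_bar in [Phi, A-1]
        x_bar = f(pow(G, y_bar, P) * pow(v, c_bar, P) % P)   # Step 2
        if challenge(x_bar) == c_bar:                # Step 3: success with prob ~1/B
            return x_bar, c_bar, y_bar, attempts


def adaptive_challenge(x: int) -> int:
    """A dishonest verifier whose challenge depends on the commitment (constructed)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest(), "big") % B


if __name__ == "__main__":
    s, v = keygen()
    J = secrets.token_bytes(16)
    x, c, y = honest_round(s, v, J, 3, adaptive_challenge)
    print("real   triple verifies:", verify(v, x, c, y))
    xs, cs, ys, n = simulate_round(v, adaptive_challenge)
    print("simulated triple verifies:", verify(v, xs, cs, ys), "after", n, "attempts")
    print("stored bits per commitment:", ELL, "instead of", P.bit_length())
```

Both triples pass the same verifier check, which is the point of the simulation: the transcript alone carries no information about s, and the only cost of the simulator is the expected B retries of Note 4. The toy A is small enough that SB/A is far from negligible, so the statistical bound 4Φ/A of Lemma 2 is loose here; a deployment picks A so that SB/A is negligible.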
© 2016 Springer International Publishing Switzerland
Cite this paper
Ferradi, H., Géraud, R., Naccache, D. (2016). Slow Motion Zero Knowledge Identifying with Colliding Commitments. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science(), vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_22
DOI: https://doi.org/10.1007/978-3-319-38898-4_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38897-7
Online ISBN: 978-3-319-38898-4