DOI: https://doi.org/10.1007/s12083-024-01715-w

IF: 3.488

2024-06-01

Peer-to-Peer Networking and Applications

Abstract:Blockchain technology is incredibly popular nowadays which is based on a distrusted ledger technology (DLT) and decentralized database that stores encrypted blocks of data in transparency to the public. In this paper, we proposed a Quantum Range Proof a new non-interactive zero-knowledge (NIZK) proof protocol containing logarithmically small proof that lacks a trusted system. A NIZK argument is provided for the satisfy ability of a quantum circuit containing quantum range proof complexities that logarithmically grow in the quantum circuit size. The witness complexities a referred to as probability distribution measurement and for a quantum circuit containing N -dimensional complex space , the soundness property of our argument convinces a verifier with the probability of quantum range proof. A novel argument system is an effective non-interactive zero knowledge of opening witness that lies between inner product spaces over the spin in N-dimension complex space. The inner product space requires logarithmic time complexity to find the witness in quantum range proof for both verifier and prover. In addition to this, a commitment schema is developed to attain a non-polynomial probability distribution and the witness at an arbitrary point in quantum state in a demonstrable manner is revealed. The efficiency of quantum range proof is particularly well suited for the non-polynomial probability distribution and trustless nature of blockchain.

computer science, information systems,telecommunications

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-45472-5_14

2014-01-01

Abstract:We propose a non-interactive zero knowledge pairwise multiset sum equality test (PMSET) argument of knowledge in the common reference string (CRS) model that allows a prover to show that the given committed multisets A(j) for j is an element of {1, 2, 3, 4} satisfy A(1) (sic) A(2) = A(3) (sic) A(4), i. e., every element is contained in A(1) and A(2) exactly as many times as in A3 and A(4). As a corollary to the PMSET argument, we present arguments that enable to efficiently verify the correctness of various (multi) set operations, for example, that one committed set is the intersection or union of two other committed sets. The new arguments have constant communication and verification complexity (in group elements and group operations, respectively), whereas the CRS length and the prover's computational complexity are both proportional to the cardinality of the (multi) sets. We show that one can shorten the CRS length at the cost of a small increase of the communication and the verifier's computation.

Yevgeniy Dodis,Aleksandr Yampolskiy

DOI: https://doi.org/10.1007/978-3-540-30580-4_28

2005-01-01

Abstract:We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14,15], it avoids using an inefficient Goldreich-Levin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear Diffie-Hellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF’s proofs and keys have constant size. By utilizing a collision-resistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive.

Pouriya Alikhani,Nicolas Brunner,Claude Crépeau,Sébastien Designolle,Raphaël Houlmann,Weixu Shi,Nan Yang,Hugo Zbinden

DOI: https://doi.org/10.1038/s41586-021-03998-y

2022-02-16

Abstract:Protecting secrets is a key challenge in our contemporary information-based era. In common situations, however, revealing secrets appears unavoidable, for instance, when identifying oneself in a bank to retrieve money. In turn, this may have highly undesirable consequences in the unlikely, yet not unrealistic, case where the bank's security gets compromised. This naturally raises the question of whether disclosing secrets is fundamentally necessary for identifying oneself, or more generally for proving a statement to be correct. Developments in computer science provide an elegant solution via the concept of zero-knowledge proofs: a prover can convince a verifier of the validity of a certain statement without facilitating the elaboration of a proof at all. In this work, we report the experimental realisation of such a zero-knowledge protocol involving two separated verifier-prover pairs. Security is enforced via the physical principle of special relativity, and no computational assumption (such as the existence of one-way functions) is required. Our implementation exclusively relies on off-the-shelf equipment and works at both short (60 m) and long distances ($\geqslant$400 m) in about one second. This demonstrates the practical potential of multi-prover zero-knowledge protocols, promising for identification tasks and blockchain applications such as cryptocurrencies or smart contracts.

Cryptography and Security,Quantum Physics

Shuangjun Zhang,Haibin Kan,Liguan Wang

DOI: https://doi.org/10.1016/j.tcs.2022.06.005

IF: 1.002

2022-01-01

Theoretical Computer Science

Abstract:We design a new preprocessing succinct non-interactive argument (SNARG) for rank-1 constraint satisfiability (R1CS) from holographic Interactive Oracle Proofs (IOPs). The protocol is secure in the random oracle model (ROM). We achieve polylogarithm time verifier and polylogarithm proof size. Our construction consists of two parts: (1) a holographic IOP for R1CS with linear size proof and logarithmic query complexity. (2) A cryptography complier converts holographic IOPs to SNARGs. In the first part, univariate sumcheck and low degree testing play an important role in the holographic IOP. In the second part, we use Merkle tree scheme and Fiat-Shamir heuristic to achieve succinctness and non-interactivity.

Shaofen Xie,Wang Yao,Faguo Wu,Zhiming Zheng

DOI: https://doi.org/10.1371/journal.pone.0256372

IF: 3.7

2021-08-20

PLoS ONE

Abstract:Lattice-based non-interactive zero-knowledge proof has been widely used in one-way communication and can be effectively applied to resist quantum attacks. However, lattice-based non-interactive zero-knowledge proof schemes have long faced and paid more attention to some efficiency issues, such as proof size and verification time. In this paper, we propose the non-interactive zero-knowledge proof schemes from RLWE-based key exchange by making use of the Hash function and public-key encryption. We then show how to apply the proposed schemes to achieve the fixed proof size and rapid public verification. Compared with previous approaches, our schemes can realize better effectiveness in proof size and verification time. In addition, the proposed schemes are secure from completeness, soundness, and zero-knowledge.

multidisciplinary sciences

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Sven Laur,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-319-13257-0_9

2014-01-01

Abstract:Crypto-computing is a set of well-known techniques for computing with encrypted data. The security of the corresponding protocols are usually proven in the semi-honest model. In this work, we propose a new class of zero-knowledge proofs, which are tailored for cryptocomputing protocols. First, these proofs directly employ properties of the underlying crypto systems and thus many facts have more concise proofs compared to generic solutions. Second, we show how to achieve universal composability in the trusted set-up model where all zero-knowledge proofs share the same system-wide parameters. Third, we derive a new protocol for multiplicative relations and show how to combine it with several crypto-computing frameworks.

Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-319-02937-5_6

2013-01-01

Abstract:We propose a non-interactive product argument, that is more efficient than the one by Groth and Lipmaa, and a novel shift argument. We then use them to design several novel non-interactive zero-knowledge (NIZK) arguments. We obtain the first range proof with constant communication and subquadratic prover's computation. We construct NIZK arguments for NP-complete languages, Set-Partition, Subset-Sum and Decision-Knapsack, with constant communication, subquadratic prover's computation and linear verifier's computation.

Jan Camenisch,Markus Michels

DOI: https://doi.org/10.7146/brics.v5i29.19435

1998-01-29

BRICS Report Series

Abstract:This paper presents the first efficient statistical zero-knowledge protocols to prove statements such as: A committed number is a pseudo-prime. A committed (or revealed) number is the product of two safe primes, i.e., primes p and q such that (p - 1)=2 and (q - 1)=2 are primes as well. A given value is of large order modulo a composite number that consists of two safe prime factors. So far, no methods other than inefficient circuit-based proofs are known for proving such properties. Proving the second property is for instance necessary in many recent cryptographic schemes that rely on both the hardness of computing discrete logarithms and of difficulty computing roots modulo a composite. The main building blocks of our protocols are statistical zero-knowledge proofs that are of independent interest. Mainly, we show how to prove the correct computation of a modular addition, a modular multiplication, or a modular exponentiation, where all values including the modulus are committed but not publicly known. Apart from the validity of the computation, no other information about the modulus (e.g., a generator which order equals the modulus) or any other operand is given. Our technique can be generalized to prove in zeroknowledge that any multivariate polynomial equation modulo a certain modulus is satisfied, where only commitments to the variables of the polynomial and a commitment to the modulus must be known. This improves previous results, where the modulus is publicly known. We show how a prover can use these building blocks to convince a verifier that a committed number is prime. This finally leads to efficient protocols for proving that a committed (or revealed) number is the product of two safe primes. As a consequence, it can be shown that a given value is of large order modulo a given number that is a product of two safe primes. Keywords. RSA-based protocols, zero-knowledge proofs of knowledge, primality tests.

English Else

Nir Bitansky

DOI: https://doi.org/10.1007/s00145-019-09331-1

2019-09-04

Journal of Cryptology

Abstract:<span><em class="EmphasisTypeItalic">Verifiable random functions</em> (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function's value <em class="EmphasisTypeItalic">y</em> at any point <em class="EmphasisTypeItalic">x</em>, can also generate a non-interactive proof <span class="InlineEquation">\(\pi \)</span> that <em class="EmphasisTypeItalic">y</em> is correct, without compromising pseudorandomness at other points. Being a natural primitive with a wide range of applications, considerable efforts have been directed toward the construction of such VRFs. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being <em class="EmphasisTypeItalic">non-interactive witness-indistinguishable proofs</em> (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (<em class="EmphasisTypeItalic">single-key</em>) <em class="EmphasisTypeItalic">constrained pseudorandom functions</em> for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations, under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from <em class="EmphasisTypeItalic">verifiable pseudorandom generators</em> (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS '00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of <em class="EmphasisTypeItalic">indistinguishability obfuscation</em>.</span>

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Susan Hohenberger,Brent Waters

DOI: https://doi.org/10.1007/978-3-642-13190-5_33

2010-01-01

Abstract:We present a family of verifiable random functions which are provably secure for exponentially-large input spaces under a noninteractive complexity assumption. Prior constructions required either an interactive complexity assumption or one that could tolerate a factor 2n security loss for n-bit inputs. Our construction is practical and inspired by the pseudorandom functions of Naor and Reingold and the verifiable random functions of Lysyanskaya. Set in a bilinear group, where the Decisional Diffie-Hellman problem is easy to solve, we require the l- Decisional Diffie-Hellman Exponent assumption in the standard model, without a common reference string. Our core idea is to apply a simulation technique where the large space of VRF inputs is collapsed into a small (polynomial-size) input in the view of the reduction algorithm. This view, however, is information-theoretically hidden from the attacker. Since the input space is exponentially large, we can first apply a collision-resistant hash function to handle arbitrarily-large inputs.

Frédéric Dupuis,Philippe Lamontagne,Louis Salvail

2024-02-21

Abstract:We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the Common Reference Quantum State (CRQS) model, in analogy to the well-known Common Reference String (CRS). The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a Weak One-Time Random Oracle (WOTRO), where we only ask of the $m$-bit output to have some randomness when conditioned on the $n$-bit input. We show that when $n-m\in\omega(\lg n)$, any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out the possibility of proving the computational security of a scheme by a fully black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQS model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where $m=n$, then hash the output. The impossibility of WOTRO has the following consequences. First, we show the fully-black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC 2013) to the CRQS model. Second, we show a fully-black-box impossibility result for a strenghtened version of quantum lightning (Zhandry, Eurocrypt 2019) where quantum bolts have an additional parameter that cannot be changed without generating new bolts. Our results also apply to $2$-message protocols in the plain model.

Quantum Physics,Cryptography and Security

Foteini Baldimtsi,Aggelos Kiayias,Thomas Zacharias,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-53890-6_30

2016-01-01

Abstract:We introduce a new class of protocols called Proofs of Work or Knowledge PoWorKs. In a PoWorK, a prover can convince a verifier that she has either performed work or that she possesses knowledge of a witness to a public statement without the verifier being able to distinguish which of the two has taken place. We formalize PoWorK in terms of three properties, completeness, f-soundness and indistinguishability where f is a function that determines the tightness of the proof of work aspect and present a construction that transforms 3-move HVZK protocols into 3-move public-coin PoWorKs. To formalize the work aspect in a PoWorK﾿protocol we define cryptographic puzzles that adhere to certain uniformity conditions, which may also be of independent interest. We instantiate our puzzles in the random oracle RO model as well as via constructing \"dense\" versions of suitably hard one-way functions. We then showcase PoWorK﾿protocols by presenting a number of applications. We first show how non-interactive PoWorKs can be used to reduce spam email by forcing users sending an e-mail to either prove to the mail server they are approved contacts of the recipient or to perform computational work. As opposed to previous approaches that applied proofs of work to this problem, our proposal of using PoWorKs is privacy-preserving as it hides the list of the receiver's approved contacts from the mail server. Our second application, shows how PoWorK can be used to compose cryptocurrencies that are based on proofs of work \"Bitcoin-like\" with cryptocurrencies that are based on knowledge relations these include cryptocurrencies that are based on \"proof of stake\", and others. The resulting PoWorK-based cryptocurrency inherits the robustness properties of the underlying two systems while PoWorK-indistinguishability ensures a uniform population of miners. Finally, we show that PoWorK﾿protocols imply straight-line quasi-polynomial simulatable arguments of knowledge and based on our construction we obtain an efficient straight-line concurrent 3-move statistically quasi-polynomial simulatable argument of knowledge.

Shafi Goldwasser,Silvio Micali,Charles Rackoff

DOI: https://doi.org/10.1137/0218012

1989-02-01

SIAM Journal on Computing

Abstract:Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the knowledge contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and &#x27;quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

computer science, theory & methods,mathematics, applied

Yang Yu,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-54365-8_17

2017-01-01

Abstract:Due to its remarkable performance and potential resistance to quantum attacks, NTRUEncrypt has drawn much attention recently; it also has been standardized by IEEE. However, classical NTRUEncrypt lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehle and Steinfeld first proposed a variant of NTRUEncrypt with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings Z[X]/(X-n + 1) with n a power of 2 and its private keys are sampled by rejection from certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for RLWE, over Z[X]/(X-n + 1) are simple and efficient, these rings are quite scarce and different from the classical NTRU setting. In this work, we consider a variant of NTRUEncrypt over prime cyclotomic rings, i.e. Z[X]/(Xn-1 + ... + X + 1) with n an odd prime, and obtain IND-CPA secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original NTRU, as Z[X]/(Xn-1 + ... + X + 1) is a large subring of the NTRU ring Z[X]/(X-n -1). Some tools for prime cyclotomic rings are also developed.

Gennaro Avitabile,Vincenzo Botta,Daniele Friolo,Daniele Venturi,Ivan Visconti

DOI: https://doi.org/10.1007/s00145-024-09532-3

2024-11-28

Journal of Cryptology

Abstract:At CRYPTO '94, Cramer, Damgård, and Schoenmakers introduced a general technique for constructing honest-verifier zero-knowledge proofs of partial knowledge (PPK), where a prover Alice wants to prove to a verifier Bob she knows witnesses for claims out of claims without revealing the indices of those claims. Their solution starts from a base honest-verifier zero-knowledge proof of knowledge and requires to run in parallel execution of the base protocol, giving a complexity of , where is the communication complexity of the base protocol. However, modern practical scenarios require communication-efficient zero-knowledge proofs tailored to handle partial knowledge in specific application-dependent formats. In this paper, we propose a technique to compose a large class of -protocols for atomic statements into -protocols for PPK over formulae in conjunctive normal form (CNF) that overlap, in the sense that there is a common subset of literals among all clauses of the formula. In such formulae, the statement is expressed as a conjunction of clauses, each of which consists of a disjunction of literals (i.e., each literal is an atomic statement) and literals are shared among clauses. The prover, for a threshold parameter , proves knowledge of at least witnesses for distinct literals in each clause. At the core of our protocol, there is a new technique to compose -protocols for regular CNF relations (i.e., when ) that exploits the overlap among clauses and that we then generalize to formulae where providing improvements over state-of-the-art constructions.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Kaiyan Shi,Kaushik Chakraborty,Wen Yu Kon,Omar Amer,Marco Pistoia,Charles Lim

2024-09-05

Abstract:We initiate the study of relativistic zero-knowledge quantum proof of knowledge systems with classical communication, formally defining a number of useful concepts and constructing appropriate knowledge extractors for all the existing protocols in the relativistic setting which satisfy a weaker variant of the special soundness property due to Unruh (EUROCRYPT 2012). We show that there exists quantum proofs of knowledge with knowledge error 1/2 + negl({\eta}) for all relations in NP via a construction of such a system for the Hamiltonian cycle relation using a general relativistic commitment scheme exhibiting the fairly-binding property due to Fehr and Fillinger (EUROCRYPT 2016). We further show that one can construct quantum proof of knowledge extractors for proof systems which do not exhibit special soundness, and therefore require an extractor to rewind multiple times. We develop a new multi-prover quantum rewinding technique by combining ideas from monogamy of entanglement and gentle measurement lemmas that can break the quantum rewinding barrier. Finally, we prove a new bound on the impact of consecutive measurements and use it to significantly improve the soundness bound of some existing relativistic zero knowledge proof systems, such as the one due to Chailloux and Leverrier (EUROCRYPT 2017).

Quantum Physics,Cryptography and Security