4.2 Interactive Proof Protocols
4.2.2 Interactive Proof for the co-GHID Problem
Let $G$, $H$, and $S = \{(g_1, e_1), \ldots, (g_s, e_s)\} \subseteq G \times H$ be parameters of a GHID problem, and let $d$ be the order of $H$ with smallest prime factor $p$. Let $T = \{(x_1, z_1), \ldots, (x_t, z_t)\} \subseteq G \times H$ be a set of $t$ points. We assume that we have a prover who wants to convince a verifier that for at least one $k$ the answer to the 1-S-GHID problem with input $(x_k, z_k)$ is negative. For this, the prover makes use of the knowledge of a group homomorphism $f$ uniquely interpolating $S$. Let $\ell \in \mathbb{N}$ be a security parameter. He performs the interaction depicted in Figure 4.3 with a verifier.
coGHIproof$_\ell(S, T)$
Parameters: $G$, $H$, $d$, $p$
Input: $\ell$, $S = \{(g_1, e_1), \ldots, (g_s, e_s)\}$, $T = \{(x_1, z_1), \ldots, (x_t, z_t)\}$
1: The verifier picks $r_{i,k} \in_U G$, $a_{i,j,k} \in_U \mathbb{Z}_d$, and $\lambda_i \in_U \mathbb{Z}_p$ uniformly at random for $i = 1, \ldots, \ell$, $j = 1, \ldots, s$, $k = 1, \ldots, t$. He computes $u_{i,k} := d r_{i,k} + \sum_{j=1}^{s} a_{i,j,k} g_j + \lambda_i x_k$ and $w_{i,k} := \sum_{j=1}^{s} a_{i,j,k} e_j + \lambda_i z_k$ for all $i$ and $k$. Set $u := (u_{1,1}, \ldots, u_{\ell,t})$ and $w := (w_{1,1}, \ldots, w_{\ell,t})$. He sends $u$ and $w$ to the prover.
2: The prover computes $y_k = f(x_k)$ for $k = 1, \ldots, t$ and verifies that $y_k \neq z_k$ for at least one $k$. Otherwise, he aborts the protocol. Then, he computes $v_{i,k} := f(u_{i,k})$ for $i = 1, \ldots, \ell$, $k = 1, \ldots, t$. From the equation $w_{i,k} - v_{i,k} = \lambda_i (z_k - y_k)$, he should be able to find each $\lambda_i$ if the verifier is honest, since $y_k \neq z_k$ for at least one $k$. Otherwise, he picks $\lambda_i \in_U \mathbb{Z}_p$ uniformly at random for $i = 1, \ldots, \ell$. He computes $(\mathrm{com}, \mathrm{dec}) \leftarrow \mathrm{Commit}(\lambda)$, where $\lambda := (\lambda_1, \ldots, \lambda_\ell)$. The prover sends the committed value com to the verifier.
3: The verifier sends all $r_{i,k}$'s and $a_{i,j,k}$'s to the prover.
4: The prover checks that $u$ and $w$ were correctly computed by verifying that $u_{i,k} := d r_{i,k} + \sum_{j=1}^{s} a_{i,j,k} g_j + \lambda_i x_k$ and $w_{i,k} := \sum_{j=1}^{s} a_{i,j,k} e_j + \lambda_i z_k$ for all $i$ and $k$. If not, he aborts the protocol. He then opens the commitment by sending $\lambda$ and dec.
5: The verifier checks that the prover has found the right $\lambda$ and that the commitment is correctly opened by checking $1 \leftarrow \mathrm{Open}(\lambda, \mathrm{com}, \mathrm{dec})$. If this is the case, the verifier accepts the proof. Otherwise, he rejects it.
Figure 4.3: Interactive proof for the co-GHID problem
Remark 4.2.5. Note that retrieving the values $\lambda_i$ in coGHIproof requires extracting discrete logarithms in $H$ which are restricted to the set $\mathbb{Z}_p$. So, the group $H$ should be selected to satisfy this property. Another way to get rid of this problem is to restrict the challenge $\lambda$ to a smaller interval of $\mathbb{Z}_p$.
4. MOVA Undeniable Signature
This protocol was inspired by the denial protocol of Gennaro et al. [66]. The latter can actually be seen as a special case of ours with the RSA encryption function as homomorphism.
We also notice that $\lambda$ was chosen such that it can be uniquely retrieved from every nonzero value of $H$ that can be taken by the elements $z_k - y_k$. Namely, this is shown by the following result.
Lemma 4.2.6. Let $H$ be an Abelian group of order $d$, and $a, b \in H$ such that $b \neq 0$. Let $\lambda$ be in $\mathbb{Z}_p$ where $p$ is the smallest prime dividing $d$. Then, if the equation $a = \lambda b$ has a solution in $\lambda$, this solution is unique.
Proof. Let us first consider the subgroup $\langle b \rangle$ generated by $b$. If there exists a solution to the above equation, we must have $a \in \langle b \rangle$. Moreover, the coefficient $\lambda$ is uniquely defined modulo $\mathrm{ord}(b)$. By definition of $p$, we have $\mathrm{ord}(b) \geq p$. Therefore, $\lambda$ is uniquely defined in $\mathbb{Z}_p$.
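The exchange of Figure 4.3, including the retrieval of λ discussed in Remark 4.2.5 and Lemma 4.2.6, as an added Python example (not code from the original text). The additive toy groups G = Z_45 and H = Z_15, the homomorphism f(x) = 7x mod 15, the one-point set S and all function names are assumptions chosen for illustration; the SHA-256 commitment is only a stand-in and is not perfectly hiding.

```python
import hashlib, secrets
# Constructed toy parameters (assumptions): additive groups G = Z_45, H = Z_15,
# so d = 15 and p = 3. The prover's secret homomorphism is f(x) = 7x mod 15.
N, d, p = 45, 15, 3
f = lambda x: (7 * x) % d
S = [(1, f(1))]          # g_1 = 1 H-generates G, so S interpolates only in f

def commit(lam):         # hash commitment: stand-in, NOT perfectly hiding
    dec = secrets.token_bytes(16)
    return hashlib.sha256(dec + bytes(lam)).digest(), dec

def open_commit(lam, com, dec):
    return hashlib.sha256(dec + bytes(lam)).digest() == com

def mask(T, lam, r, a):
    """u[i][k], w[i][k] as defined in step 1 (recomputed by the prover in step 4)."""
    u = [[(d * r[i][k] + sum(a[i][j][k] * g for j, (g, _) in enumerate(S))
           + lam[i] * x) % N for k, (x, _) in enumerate(T)] for i in range(len(lam))]
    w = [[(sum(a[i][j][k] * e for j, (_, e) in enumerate(S))
           + lam[i] * z) % d for k, (_, z) in enumerate(T)] for i in range(len(lam))]
    return u, w

def challenge(T, ell):
    """Step 1, verifier: fresh r, a, lambda and the masked tuples u, w."""
    lam = [secrets.randbelow(p) for _ in range(ell)]
    r = [[secrets.randbelow(N) for _ in T] for _ in range(ell)]
    a = [[[secrets.randbelow(d) for _ in T] for _ in S] for _ in range(ell)]
    return (lam, r, a) + mask(T, lam, r, a)

def recover(T, u, w):
    """Step 2, prover: solve w - f(u) = lam * (z - f(x)) for lam in Z_p."""
    b = [(z - f(x)) % d for x, z in T]
    if not any(b):
        return None      # every z_k equals f(x_k): nothing to deny, abort
    lam = []
    for ui, wi in zip(u, w):
        sols = [l for l in range(p) if all((wk - f(uk) - l * bk) % d == 0
                                           for uk, wk, bk in zip(ui, wi, b))]
        lam.append(sols[0] if len(sols) == 1 else secrets.randbelow(p))
    return lam

def run(T, ell=8):
    lam, r, a, u, w = challenge(T, ell)
    guess = recover(T, u, w)
    if guess is None:
        return False                                  # prover aborts
    com, dec = commit(guess)                          # step 2: com is sent
    honest = mask(T, guess, r, a) == (u, w)           # step 4: prover's check
    return honest and open_commit(guess, com, dec) and guess == lam   # step 5
```

The exhaustive search over Z_p in `recover` is only practical because p is tiny here. When every point of T satisfies z_k = f(x_k), each difference w − f(u) is zero and carries no information about λ.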
As for the GHIproof protocol, we can see that this interactive proof is the parallelization of $\ell$ instances of a simpler protocol with one challenge. We depict this simplified version in Figure 4.4.
Security results related to coGHIproof are given in the following theorem.
Theorem 4.2.7. Let $G$, $H$ be some Abelian groups and $\ell \in \mathbb{N}$. We denote by $d$ the order of $H$ and $p$ the smallest prime factor of $d$. Assume that we are given a set of points $S = \{(g_1, e_1), \ldots, (g_s, e_s)\} \subseteq G \times H$ such that the elements $g_1, \ldots, g_s$ $H$-generate the group $G$ and such that $S$ interpolates in exactly one homomorphism $f$ known by the prover. We consider the coGHIproof$_\ell(S, T)$ protocol, where $T = \{(x_1, z_1), \ldots, (x_t, z_t)\} \subseteq G \times H$.
1. The coGHIproof protocol is complete.
2. Assuming that Commit is perfectly hiding, the coGHIproof protocol is perfect black-box zero-knowledge against any verifier. Moreover, if Commit is a perfectly hiding trapdoor commitment scheme, the coGHIproof protocol is perfect black-box straight-line zero-knowledge against any verifier who has the secret key $K_s^V$ associated to Commit.
3. Assuming that Commit is a perfectly hiding trapdoor commitment scheme with associated secret key $K_s^V$ of the (honest) verifier, the coGHIproof protocol is perfect non-transferable.
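Verifier: $r_k \in G$, $a_{j,k} \in \mathbb{Z}_d$, $\lambda \in \mathbb{Z}_p$; $u_k = d r_k + \sum_{j=1}^{s} a_{j,k} g_j + \lambda x_k$, $w_k = \sum_{j=1}^{s} a_{j,k} e_j + \lambda z_k$
Verifier → Prover: $u_k$'s, $w_k$'s
Prover: $v_k = f(u_k)$, $y_k = f(x_k)$; retrieves $\lambda$ from $w_k - v_k = \lambda (z_k - y_k)$; $(\mathrm{com}, \mathrm{dec}) \leftarrow \mathrm{Commit}(\lambda)$
Prover → Verifier: com
Verifier → Prover: $r_k$'s, $a_{j,k}$'s
Prover: checks $u_k = d r_k + \sum_{j=1}^{s} a_{j,k} g_j + \lambda x_k$, $w_k = \sum_{j=1}^{s} a_{j,k} e_j + \lambda z_k$
Prover → Verifier: $\lambda$, dec
Verifier: checks that $\lambda$ is correct and $1 \leftarrow \mathrm{Open}(\lambda, \mathrm{com}, \mathrm{dec})$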
Figure 4.4: Simplified interactive proof for the co-GHID problem
4. The coGHIproof protocol is sound: from any cheating prover $P^*$ who passes the protocol on a set $T$ interpolating with $S$ in a group homomorphism (i.e., $f$) with a probability $\mathrm{Succ}^{\text{sd-coGHI}}_{P^*} = \varepsilon$ and an expert group knowledge of $G$, we can construct an algorithm $B$ which finds a collision on the commitment scheme Commit with a probability $\mathrm{Succ}^{\text{com-bnd}}_{B} \geq \varepsilon(\varepsilon - p^{-\ell})$ by rewinding $P^*$ once.
Proof.
1. The completeness follows directly from the uniqueness of the values $\lambda_i$ as shown in Lemma 4.2.6, when for at least one $k$ we have $y_k \neq z_k$. This is fulfilled by assumption.
2. The proof of zero-knowledge works in a very similar way as that of GHIproof. Namely, in the case of the trapdoor commitment scheme, the simulator $B$ first answers a committed value $\mathrm{com}'$ picked uniformly at random. After having received the values $r_{i,k}$'s and $a_{i,j,k}$'s, $B$ deduces $\lambda_i$ from the equation
$$u_{i,k} - \Big( d r_{i,k} + \sum_{j=1}^{s} a_{i,j,k} g_j \Big) = \lambda_i x_k$$
for $i = 1, \ldots, \ell$ and $k = 1, \ldots, t$ and checks that each $\lambda_i$ is identical for all $k$. He can then check that the $w_{i,k}$'s were correctly generated. Then, the simulator opens $\mathrm{com}'$ on the right $\lambda_i$'s using the secret key of Commit. As for GHIproof, the simulator outputs a transcript with identical distribution as the one produced between the same verifier and an honest prover, when Commit is perfectly hiding.
When Commit is not a trapdoor commitment, the simulator $B$ needs to stop after the verifier discloses $r_{i,k}$'s and $a_{i,j,k}$'s. After rewinding the verifier, $B$ is now able to commit to the right answer $\lambda_i$'s. Following the same methodology as for GHIproof, the simulator finally outputs a perfectly simulated transcript.
3. The simulator behaves exactly as for the straight-line zero-knowledge, except when the set $T$ interpolates with $S$ in $f$. In this case, the simulator aborts the protocol. So, the simulator behaves identically as an honest prover. Thus, this protocol is perfect non-transferable.
4. We first remark that $u_{i,k}$ is uniformly distributed for any fixed $\lambda_i$ for $i = 1, \ldots, \ell$ and $k = 1, \ldots, t$ by Lemma 4.1.9. Moreover, if the set of points $T$ interpolates in $f$, we have $f(x_k) = z_k$ for all $k = 1, \ldots, t$. By the homomorphic property of $f$, we have $f(u_{i,k}) = w_{i,k}$ for any $i$ and $k$. Putting all together implies that the distribution of the challenge $(u_{i,k}, w_{i,k})$ is completely independent of the value $\lambda_i$ for any $i$ and $k$. Thus, a prover cannot deduce the right $\lambda_i$'s with a probability greater than $p^{-\ell}$ from the challenges. Below, we show how we can break the binding property of Commit using a prover succeeding with a probability $\varepsilon > p^{-\ell}$. To do this, we follow the same methodology as in the proof of assertion 4 of Theorem 4.2.1 (soundness of GHIproof), which consists in running the protocol once with the prover, rewinding it, and running the protocol with carefully chosen coefficients.
The simulator $B$ first picks the values $a_{i,j,k}$'s, $r_{i,k}$'s, and $\lambda_i$'s uniformly at random and computes the tuples $u = (u_{1,1}, \ldots, u_{\ell,t})$ and $w = (w_{1,1}, \ldots, w_{\ell,t})$ according to the coGHIproof protocol. Then, $B$ sends $u$, $w$ to the prover $P^*$. This one answers com. The simulator releases the coefficients $a_{i,j,k}$'s, $r_{i,k}$'s, $\lambda_i$'s, and the prover succeeds if he opens com on $\lambda = (\lambda_1, \ldots, \lambda_\ell)$. In this case, $B$ picks $\lambda^* = (\lambda^*_1, \ldots, \lambda^*_\ell)$ uniformly at random. By using his expert group knowledge, he is able to find some uniformly random coefficients $a^*_{i,j,k}$'s, $r^*_{i,k}$'s satisfying
$$u_{i,k} - \lambda^*_i x_k = d r^*_{i,k} + \sum_{j=1}^{s} a^*_{i,j,k} g_j \quad \text{for } i = 1, \ldots, \ell \text{ and } k = 1, \ldots, t.$$
The simulator rewinds $P^*$ with the same random tape and the same challenges. He answers the same commitment com. This time, $B$ sends $a^*_{i,j,k}$'s, $r^*_{i,k}$'s. The prover wins if he is able to open com on the value $\lambda^*$. If $\lambda^* \neq \lambda$, the simulator breaks the computationally binding property of Commit.
Note that $B$ simulates an honest verifier perfectly in both protocol runs. We can compute the success probability that $B$ finds a collision for Commit in a very similar way as for GHIproof. Namely, we decompose the probability of success for the different random tapes $\varpi$ and challenges $u$. Let $\varepsilon_{\varpi,u}$ be the probability that the prover wins in one protocol run with the random tape $\varpi$ and the challenge $u$ (and thus $w = f(u)$). Since the probability that $\lambda = \lambda^*$ for any random tape $\varpi$ and challenge $u$ is equal to $p^{-\ell}$, we can show as for GHIproof that the success probability of $B$ satisfies
$$\mathrm{Succ}^{\text{com-bnd}}_{B} \geq \sum_{\varpi,u} q_{\varpi,u} \cdot \left( \varepsilon_{\varpi,u}^2 - \varepsilon_{\varpi,u} \cdot p^{-\ell} \right),$$
where $q_{\varpi,u}$ denotes the probability that the protocol runs with the random tape $\varpi$ and the challenge $u$. Again, applying Jensen's inequality leads to the desired bound $\varepsilon(\varepsilon - p^{-\ell})$.
Remark 4.2.8. The security properties of Theorem 4.2.7 can easily be proved when the $\lambda_i$'s are picked in a set $\{0, 1, \ldots, q\}$, for an integer $q < p - 1$. The soundness probability becomes $q^{-\ell}$ in this setting.
Remark 4.2.9. As for GHIproof, we will usually consider coGHIproof with Commit as a perfectly hiding and computationally binding trapdoor commitment scheme. However, in a context where non-transferability is not required, coGHIproof can be instantiated with a classical perfectly hiding and computationally binding commitment.