We now give an argument for proving the correctness of a product $a \cdot b = c \in \mathbb{Z}_q$ of committed values $a, b, c \in \mathbb{Z}_q$. The protocol is based on the techniques in [CP92], [CD98], and [NBMV99].
Statement: $\{\mathbb{G}, p, q\}$, $ck$, $c_a, c_b, c_c \in \mathbb{G}$
Prover's witness: $a, b, c, r, s, t \in \mathbb{Z}_q$ such that
$a \cdot b = c$, $c_a = \mathrm{com}_{ck}(a; r)$, $c_b = \mathrm{com}_{ck}(b; s)$, $c_c = \mathrm{com}_{ck}(c; t)$.
Initial message: Compute
1. $c_d = \mathrm{com}_{ck}(d; \rho)$ where $d, \rho \leftarrow \mathbb{Z}_q$
2. $c_e = \mathrm{com}_{ck}(e; \sigma)$ where $e, \sigma \leftarrow \mathbb{Z}_q$
3. $c_f = c_b^{\,d}\, \mathrm{com}_{ck}(0; \tau)$ where $\tau \leftarrow \mathbb{Z}_q$
Send: $c_d, c_e, c_f$
Challenge: $x \leftarrow \mathbb{Z}_q^*$
62 Chapter 5. Basic Protocols
Answer: Calculate
1. $\bar a = d + xa$, $\bar r = \rho + xr$
2. $\bar b = e + xb$, $\bar s = \sigma + xs$
3. $\bar t = \tau - x(sa - t)$
Send: $\bar a, \bar r, \bar b, \bar s, \bar t$
Verification: Accept the argument if and only if
1. $c_d, c_e, c_f \in \mathbb{G}$
2. $\bar a, \bar r, \bar b, \bar s, \bar t \in \mathbb{Z}_q$
3. $c_a^{x} c_d = \mathrm{com}_{ck}(\bar a; \bar r)$ and $c_b^{x} c_e = \mathrm{com}_{ck}(\bar b; \bar s)$
4. $c_c^{x} c_f = c_b^{\bar a}\, \mathrm{com}_{ck}(0; \bar t)$
Theorem 17. The protocol is a 3-round public-coin perfect $\Sigma$-protocol for committed values $a, b, c$ such that $a \cdot b = c$.
Proof. Perfect completeness can be seen by careful inspection of the verification equations. Given the challenge $x \leftarrow \mathbb{Z}_q^*$, the simulator picks $\bar a, \bar r, \bar b, \bar s, \bar t \leftarrow \mathbb{Z}_q$ and sets
$c_d = c_a^{-x}\, \mathrm{com}_{ck}(\bar a; \bar r)$, $c_e = c_b^{-x}\, \mathrm{com}_{ck}(\bar b; \bar s)$, $c_f = c_c^{-x}\, c_b^{\bar a}\, \mathrm{com}_{ck}(0; \bar t)$.
The answers $\bar a, \bar r, \bar b, \bar s, \bar t$ are uniformly random in the real argument and also in the simulated argument. The unconditionally hiding property of the commitment scheme gives us that $c_d, c_e, c_f$ follow the same distribution as in the real argument. Therefore, the protocol is SHVZK.
It remains to show that the protocol has perfect special soundness. Given two accepting transcripts
$(c_d, c_e, c_f, x_1, \bar a^{(1)}, \bar r^{(1)}, \bar b^{(1)}, \bar s^{(1)}, \bar t^{(1)})$ and $(c_d, c_e, c_f, x_2, \bar a^{(2)}, \bar r^{(2)}, \bar b^{(2)}, \bar s^{(2)}, \bar t^{(2)})$ with $x_1 \neq x_2$, the extractor obtains openings $a, b, c, r, s, t$ by taking linear combinations of the verification equations. More precisely, the two answers satisfy
$c_a^{x_1} c_d = \mathrm{com}_{ck}(\bar a^{(1)}; \bar r^{(1)})$ and $c_a^{x_2} c_d = \mathrm{com}_{ck}(\bar a^{(2)}; \bar r^{(2)})$.
Picking $\alpha_1, \alpha_2$ such that $\alpha_1 x_1 + \alpha_2 x_2 = 1$ and $\alpha_1 + \alpha_2 = 0$ gives us
$c_a = c_a^{\alpha_1 x_1 + \alpha_2 x_2}\, c_d^{\alpha_1 + \alpha_2} = \mathrm{com}_{ck}(\alpha_1 \bar a^{(1)} + \alpha_2 \bar a^{(2)};\ \alpha_1 \bar r^{(1)} + \alpha_2 \bar r^{(2)})$.
Similarly we get $c_b = \mathrm{com}_{ck}(\alpha_1 \bar b^{(1)} + \alpha_2 \bar b^{(2)};\ \alpha_1 \bar s^{(1)} + \alpha_2 \bar s^{(2)})$.
5.1. Simple Product Argument 63
To extract $c$ we take the same linear combination of the fourth verification equation; using the same $\alpha_1, \alpha_2$ as before we get
$c_c = c_c^{\alpha_1 x_1 + \alpha_2 x_2}\, c_f^{\alpha_1 + \alpha_2} = c_b^{\alpha_1 \bar a^{(1)} + \alpha_2 \bar a^{(2)}}\, \mathrm{com}_{ck}(0; \bar t^{(1)})^{\alpha_1}\, \mathrm{com}_{ck}(0; \bar t^{(2)})^{\alpha_2}$
$= \mathrm{com}_{ck}\big(\alpha_1^2 \bar a^{(1)} \bar b^{(1)} + \alpha_1 \alpha_2 (\bar a^{(1)} \bar b^{(2)} + \bar a^{(2)} \bar b^{(1)}) + \alpha_2^2 \bar a^{(2)} \bar b^{(2)};\ \alpha_1^2 \bar a^{(1)} \bar s^{(1)} + \alpha_1 \alpha_2 (\bar a^{(1)} \bar s^{(2)} + \bar a^{(2)} \bar s^{(1)}) + \alpha_2^2 \bar a^{(2)} \bar s^{(2)} + \alpha_1 \bar t^{(1)} + \alpha_2 \bar t^{(2)}\big)$.
Lastly, we have to argue that the extracted openings satisfy the statement. By the binding property of the commitment scheme, the commitment $c_f$ contains $bd + x(ab - c)$ for the random challenge $x$. Since $c_f$ is fixed before the prover sees the challenge $x$, this implies that $c = ab$, and $a, b, c$ are the same values as known by the prover. If this were not the case, the prover could use the extractor to find a second opening to their commitments, and the commitment scheme would be broken.
We can conclude that the argument is a $\Sigma$-protocol.
Efficiency: During the whole protocol 3 group elements and 5 field elements are transferred between the prover and the verifier.
The prover has to calculate 6 exponentiations and the verifier 9 exponentiations in $\mathbb{G}$. The total number of multiplications is 6 for the prover and 4 for the verifier.
Example: Let $\mathbb{G} = \langle G \rangle = \langle 149 \rangle \subset \mathbb{Z}_{179}^*$, which has prime order $q = 89$.
The statement consists of $\{\mathbb{G}, p, q\} = \{\langle 149 \rangle, 179, 89\}$, $ck = \{G, H\} = \{149, 129\}$, $c_a = 74$, $c_b = 155$, $c_c = 77 \in \mathbb{G}$, and the claim that $a \cdot b = c$.
The prover knows $a = 88$, $b = 47$, and $c = a \cdot b = 42 \in \mathbb{Z}_{89}$, and $r = 13$, $s = 25$, $t = 67 \in \mathbb{Z}_{89}$
such that
$c_a = \mathrm{com}_{ck}(a; r) = 149^{88} \cdot 129^{13} \bmod 179 = 74 \in \mathbb{G}$, $c_b = \mathrm{com}_{ck}(b; s) = 155 \in \mathbb{G}$, $c_c = \mathrm{com}_{ck}(c; t) = 77 \in \mathbb{G}$.
To prove knowledge of the witnesses $a, b$ the prover picks $d = 34$, $\rho = 36$, $e = 3$, $\sigma = 15$, $\tau = 36$, computes
$c_d = \mathrm{com}_{ck}(d; \rho) = 47$, $c_e = \mathrm{com}_{ck}(e; \sigma) = \mathrm{com}_{ck}(3; 15) = 177$, $c_f = c_b^{\,d} \cdot \mathrm{com}_{ck}(0; \tau) = 36$,
and sends
$c_d = 47$, $c_e = 177$, $c_f = 36$
to the verifier.
The verifier picks the challenge $x = 26 \in \mathbb{Z}_q^*$ and sends this value to the prover.
To answer the challenge the prover calculates
$\bar a = d + xa = 34 + 26 \cdot 88 = 8$, $\bar r = \rho + xr = 36 + 26 \cdot 13 = 18$, $\bar b = e + xb = 3 + 26 \cdot 47 = 68$, $\bar s = \sigma + xs = 15 + 26 \cdot 25 = 42$,
$\bar t = \tau - x(sa - t) = 36 - 26(25 \cdot 88 - 67) = 25$ (all in $\mathbb{Z}_{89}$), and sends these values to the verifier.
The verifier checks that $c_d, c_e, c_f \in \mathbb{G}$ and $\bar a, \bar r, \bar b, \bar s, \bar t \in \mathbb{Z}_q$, and finally
$c_a^{x} c_d = 173 = \mathrm{com}_{ck}(\bar a; \bar r)$ ✓
$c_b^{x} c_e = 161 = \mathrm{com}_{ck}(\bar b; \bar s)$ ✓
$c_c^{x} c_f = 60 = c_b^{\bar a}\, \mathrm{com}_{ck}(0; \bar t)$ ✓
Thus, the verifier is convinced that the prover knows $a, b, c$ such that $a \cdot b = c$.
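The following is an added example, written for this page and not code from the thesis: a toy implementation of the simple product argument that replays the worked example above (the same group, commitment key, witness, blinding values and challenge $x = 26$) and also exercises the extractor from the proof of Theorem 17 and the rejection of a prover whose $c_c$ does not commit to $ab$. It assumes that $\mathrm{com}_{ck}(m; r)$ is the Pedersen commitment $G^m H^r \bmod p$ with $ck = (G, H) = (149, 129)$, which is what the computation $149^{88} \cdot 129^{13}$ above indicates; the function names and the fixed challenge are choices made here.

```python
# Added example (not code from the thesis): a toy run of the simple product argument
# over the page's group G = <149> of prime order q = 89 inside Z*_179, with the
# Pedersen commitment com_ck(m; r) = G^m * H^r mod p and ck = (G, H) = (149, 129).
# Function names and the fixed challenge x = 26 are assumptions made here so that
# the page's numbers can be reproduced; a real verifier samples x from Z_q^*.
import secrets

P, Q = 179, 89      # modulus of Z*_p and prime order q of the subgroup (page values)
G, H = 149, 129     # commitment key ck = (G, H) (page values)

def com(m, r):
    """Pedersen commitment com_ck(m; r) = G^m H^r mod p, exponents reduced mod q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def in_group(y):
    """Verifier check 1: y lies in the order-q subgroup, i.e. y^q = 1 mod p."""
    return 0 < y < P and pow(y, Q, P) == 1

def prover_initial(b, s, d, e, rho, sigma, tau):
    """Initial message (c_d, c_e, c_f); c_f = c_b^d com(0; tau) blinds the product b*d."""
    return com(d, rho), com(e, sigma), pow(com(b, s), d, P) * com(0, tau) % P

def prover_answer(x, a, b, r, s, t, d, e, rho, sigma, tau):
    """Answer to challenge x: the five field elements sent to the verifier."""
    a_bar, r_bar = (d + x * a) % Q, (rho + x * r) % Q
    b_bar, s_bar = (e + x * b) % Q, (sigma + x * s) % Q
    t_bar = (tau - x * (s * a - t)) % Q   # cancels the x-dependent part of c_b^{a_bar}
    return a_bar, r_bar, b_bar, s_bar, t_bar

def verify(c_a, c_b, c_c, initial, x, answer):
    """The verifier's four checks; True only if all of them hold."""
    c_d, c_e, c_f = initial
    a_bar, r_bar, b_bar, s_bar, t_bar = answer
    if not all(in_group(y) for y in initial):       # check 1: group membership
        return False
    if not all(0 <= z < Q for z in answer):          # check 2: answers are in Z_q
        return False
    ok_a = pow(c_a, x, P) * c_d % P == com(a_bar, r_bar)            # check 3 (a)
    ok_b = pow(c_b, x, P) * c_e % P == com(b_bar, s_bar)            # check 3 (b)
    ok_c = pow(c_c, x, P) * c_f % P == pow(c_b, a_bar, P) * com(0, t_bar) % P  # check 4
    return ok_a and ok_b and ok_c

def extract(x1, ans1, x2, ans2):
    """Special-soundness extractor from two accepting transcripts sharing the initial
    message, using alpha1*x1 + alpha2*x2 = 1 and alpha1 + alpha2 = 0 as in the proof."""
    alpha1 = pow((x1 - x2) % Q, -1, Q)
    alpha2 = (-alpha1) % Q
    a1, r1, b1, s1, t1 = ans1
    a2, r2, b2, s2, t2 = ans2
    a, r = (alpha1 * a1 + alpha2 * a2) % Q, (alpha1 * r1 + alpha2 * r2) % Q
    b, s = (alpha1 * b1 + alpha2 * b2) % Q, (alpha1 * s1 + alpha2 * s2) % Q
    # opening of c_b^{alpha1 a1 + alpha2 a2} com(0; t1)^alpha1 com(0; t2)^alpha2
    c, t = a * b % Q, (a * s + alpha1 * t1 + alpha2 * t2) % Q
    return a, r, b, s, c, t

def run_page_example():
    """Replays the page's numbers with the fixed challenge x = 26."""
    a, b, c, r, s, t = 88, 47, 42, 13, 25, 67
    d, rho, e, sigma, tau = 34, 36, 3, 15, 36
    c_a, c_b, c_c = com(a, r), com(b, s), com(c, t)
    initial = prover_initial(b, s, d, e, rho, sigma, tau)
    answer = prover_answer(26, a, b, r, s, t, d, e, rho, sigma, tau)
    return (c_a, c_b, c_c), initial, answer, verify(c_a, c_b, c_c, initial, 26, answer)

def run_random_with_extraction():
    """Fresh random witness, two distinct challenges, then the extractor recovers it."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    c = a * b % Q
    r, s, t, d, e, rho, sigma, tau = [secrets.randbelow(Q) for _ in range(8)]
    c_a, c_b, c_c = com(a, r), com(b, s), com(c, t)
    initial = prover_initial(b, s, d, e, rho, sigma, tau)
    x1 = 1 + secrets.randbelow(Q - 1)
    x2 = 1 + (x1 + secrets.randbelow(Q - 2)) % (Q - 1)   # another element of Z_q^*
    ans1 = prover_answer(x1, a, b, r, s, t, d, e, rho, sigma, tau)
    ans2 = prover_answer(x2, a, b, r, s, t, d, e, rho, sigma, tau)
    accepted = (verify(c_a, c_b, c_c, initial, x1, ans1)
                and verify(c_a, c_b, c_c, initial, x2, ans2))
    return accepted and extract(x1, ans1, x2, ans2) == (a, r, b, s, c, t)

def cheating_prover_rejected():
    """Failure mode: c_c commits to ab + 1, so the honest answers cannot pass check 4."""
    a, b, r, s, t = 88, 47, 13, 25, 67
    d, rho, e, sigma, tau = 34, 36, 3, 15, 36
    c_a, c_b, c_c = com(a, r), com(b, s), com(a * b + 1, t)
    initial = prover_initial(b, s, d, e, rho, sigma, tau)
    answer = prover_answer(26, a, b, r, s, t, d, e, rho, sigma, tau)
    return not verify(c_a, c_b, c_c, initial, 26, answer)

if __name__ == "__main__":
    print(run_page_example())  # ((74, 155, 77), (47, 177, 36), (8, 18, 68, 42, 25), True)
    print(run_random_with_extraction(), cheating_prover_rejected())  # True True
```

Running the script reproduces every value of the worked example, and the cheating case shows why check 4 forces $c = ab$: with the honest answer procedure the two sides of that equation carry the same randomness but messages differing by $x(c - ab)$, which is non-zero in $\mathbb{Z}_q$ for every challenge in $\mathbb{Z}_q^*$ once $c \neq ab$.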