namely the number field sieve (NFS) algorithm and the similar function field sieve (FFS) [Sch08]. Both algorithms work in finite fields $\mathbb{F}_{p^n}$, where $p$ is prime, and hence in particular in $\mathbb{F}_p = \mathbb{Z}_p$. These algorithms have a better expected run-time than the variants of index calculus. The run-time of NFS is
$$L_n[1/3; (64/9)^{1/3}]$$
and FFS runs in
$$L_n[1/3; (32/9)^{1/3}].$$
We have to mention that recent work by Joux [Jou13] brought the complexity of calculating discrete logarithms in $\mathbb{F}_{p^n}$ down to $L_n[1/4; c]$ for small $p$. However, this result does not affect our work, as we will work over finite fields of large prime order.
We see that there are many ways to find discrete logarithms in groups; however, none of these algorithms runs in expected polynomial time. We also have to mention the work by Shor [Sho97]. He showed that it is possible to calculate the discrete logarithm of a general group element in polynomial time, provided that a quantum computer with a sufficient number of qubits exists. At the moment it seems that it will take a long time before such a computer can be built, and we believe that the discrete logarithm assumption holds in the near future.
All in all, we are justified in basing our protocols on cryptographic schemes which are secure as long as the discrete logarithm assumption holds, as we have seen that the assumption is believed to hold in various groups.
2.2 Zero-Knowledge
The concept of zero-knowledge, introduced by Goldwasser, Micali, and Rackoff [GMR85], is very powerful and is used to construct various cryptographic protocols. Informally, a zero-knowledge proof is an interactive protocol in which the prover wants to convince the verifier of the validity of an assertion without revealing anything beyond the correctness of the claim.
An interactive proof is a protocol between two parties, called prover and verifier. The goal of the prover is to convince the verifier of the validity of an assertion. The protocol consists of multiple rounds, and each round consists of a message from either the prover or the verifier. More precisely, such an interactive protocol should allow an honest prover to always convince the verifier of a true statement; that is, the protocol should be complete. On the other hand, the protocol should guarantee that no prover can find a strategy to convince the verifier of a false statement, except with small probability. This property is called the soundness of the interactive proof.
Lastly, the interactive protocol should be zero-knowledge. That means a malicious verifier should gain no new information from the interaction with the prover. In other words, zero-knowledge means that everything the verifier can compute after interacting with the prover could also have been computed from the assertion itself.
34 Chapter 2. Background
Proof vs. Argument: A zero-knowledge proof is a protocol as described above for which the requirements hold for a computationally unbounded prover and a probabilistic polynomial time verifier. Even an unbounded prover should not be able to cheat.
Brassard et al. [BC86, BCC88] relaxed the soundness condition such that no polynomial time prover can fool the verifier, while an unbounded prover might be able to cheat. This weaker definition suffices for most cryptographic protocols. Interactive proof systems which satisfy this definition are called arguments [BCY91].
Levels of zero-knowledge: The zero-knowledge property of an interactive proof or argument requires that the verifier learns nothing new from the communication with the prover other than what he can deduce from seeing the statement itself. Depending on how strong or weak the adversary is allowed to be, we have different levels of zero-knowledge.
In a perfect world nobody, not even an unbounded adversary, can learn anything from the transcript of the interaction. This is called perfect zero-knowledge. Protocols in which an unrestricted adversary cannot deduce any useful information from the transcript, except with negligible probability, are statistical zero-knowledge. Lastly, if a probabilistic polynomial time adversary gets no useful information from the transcript, but an unbounded adversary can deduce information, then the protocol is computational zero-knowledge. Formally, the three levels differ in how close the transcripts produced by a simulator, which does not know the witness, must be to real ones: identically distributed, statistically close, or computationally indistinguishable. Clearly, a perfect zero-knowledge protocol is also statistical zero-knowledge, and statistical zero-knowledge implies computational zero-knowledge.
Computational zero-knowledge is the most liberal of the three notions, but good enough for real-life protocols. However, it is not known whether more powerful devices, for example a quantum computer, will be developed in the future that allow an adversary to deduce information from the transcript. In this case the other two levels of zero-knowledge guarantee a higher level of security, and therefore it is preferable to construct interactive protocols which are perfect or statistical zero-knowledge.
Proof of knowledge: Zero-knowledge proofs as defined in [GMR85] are proofs of language membership, that is, the prover convinces the verifier that the common input x is in some fixed language L. In more detail, the prover wants to show that x has some property, for example that it is a quadratic residue or a 3-colorable graph. Sometimes, though, the prover wants to show knowledge of some object, and in this case the definition by Goldwasser et al. does not fit. The notion of a proof of knowledge was first suggested in [GMR89], but not formalized. Formal definitions were first given by Feige et al. [FFS88, FS89] and by Tompa and Woll [TW87], but they only considered provers which convince the verifier with non-negligible probability. This can lead to problems, as pointed out by Bellare and Goldreich [BG92]. In the same work they gave the now standard definition of a proof of knowledge and of an argument of knowledge.
Private coin vs. public coin: In the setting of interactive proof systems defined by Goldwasser et al. [GMR85], the verifier can pick some randomness in private, and there are no restrictions on the use of the outcome. The verifier can perform any polynomial time computation on it and send the result to the prover. Therefore, this setting is called private coin. In the setting of Babai [Bab85], on the contrary, the verifier is required to show the result of the coin toss to the prover. Thus, this is called a public coin protocol.
In some of the early examples of interactive proofs it was important that the verifier keeps its coin tosses secret. So it seems that the general private coin case is stronger and can prove more statements. However, Goldwasser and Sipser [GS86] showed that private coin interactive proofs can be transformed into public coin interactive proofs. This transformation increases the number of rounds only by an additive constant. However, the new prover needs super-polynomial time, and the transformation does not preserve zero-knowledge. Furthermore, the transformation cannot be applied to arguments.
Okamoto [Oka96] was able to show that private coin statistical zero-knowledge proofs can be transformed into public coin zero-knowledge proofs which need a super-polynomial time prover. Similar results were found by Vadhan [Vad06], who showed that computational private coin zero-knowledge equals computational public coin zero-knowledge. Furthermore, Pass et al. [PV10] state a transformation from private coin zero-knowledge into public coin zero-knowledge which can also be applied to arguments.
Existence of zero-knowledge proof systems: Goldwasser et al. [GMR85, GMR89] gave the first examples of zero-knowledge proofs in their seminal work. However, it was not clear how powerful the new notion is and how much can be proven using zero-knowledge protocols.
Goldreich, Micali, and Wigderson [GMW86, GMW91] showed that, assuming one-way functions exist, every language in NP has a computational zero-knowledge proof. Ben-Or et al. [BOGG+88] generalized this result and showed that every language that has an interactive proof has a computational zero-knowledge proof, given that a secure probabilistic encryption scheme exists. Goldreich and Kahan [GK96] explained how to construct constant-round computational zero-knowledge proofs for every language in NP.
Unfortunately, the same does not hold for statistical zero-knowledge proofs: Fortnow [For87] showed that if all languages in NP have a statistical zero-knowledge proof, then the polynomial time hierarchy collapses. However, for some problems in NP statistical zero-knowledge proofs do exist.
For arguments the situation is better: Brassard et al. [BCC88] proved that every language in NP has a statistical zero-knowledge argument based on specific algebraic assumptions. Naor et al. [NOVY92] showed that the existence of one-way permutations is enough for every language in NP to have a perfect zero-knowledge argument. Furthermore, Nguyen et al. [NOV06] showed that every language in NP has a statistical zero-knowledge argument under the assumption that one-way functions exist. Feige and Shamir [FS89] gave constructions of perfect zero-knowledge arguments of knowledge for all of NP.
Honest verifier zero-knowledge: The definition of zero-knowledge requires that no verifier, not even a cheating one, learns anything new from the conversation with the prover. A weaker definition, honest verifier zero-knowledge (HVZK), was given by Bellare et al. [BMO90]; it only considers the information which can be extracted by an honest verifier who follows the protocol.
This definition is not strong enough for cryptographic applications; however, Bellare et al. [BMO90] showed that there exists a statistical zero-knowledge proof for each problem which has a statistical HVZK proof, under the assumption that the discrete logarithm assumption or the factoring assumption holds. Ostrovsky et al. [OVY93] proved that the same result holds under the more general assumption that one-way permutations exist. Okamoto [Oka96] was able to show that if a language L has a statistical HVZK proof then L has a statistical zero-knowledge proof, given that one-way functions exist.
Damgård [Dam93] showed that each constant round public coin statistical HVZK proof or argument can be transformed into a constant round public coin statistical zero-knowledge proof system. This transformation does not rely on any computational assumption. Damgård et al. [DGOW95] proposed other transformations from constant round public coin HVZK to constant round public coin zero-knowledge with lower round complexity, but these transformations can only be applied to proofs. Goldreich et al. [GSV98] gave the first unconditional transformation of statistical HVZK into general statistical zero-knowledge, which holds for all interactive proof systems. Vadhan [Vad06] showed that the same is true for computational zero-knowledge.
All the transformations above are not practically viable; a more practical approach was given by Feige and Shamir [FS89], provided the discrete logarithm assumption holds. Also, Groth [Gro04], Jarecki and Lysyanskaya [JL00], Damgård [Dam00], and Garay et al. [GMY06] gave ways to transform HVZK proof systems into zero-knowledge proof systems at the cost of only a small number of additional elements, see Section 3.5.
Optimizations: None of the general constructions of zero-knowledge proofs and arguments is practical and efficient. Naturally, the question arose whether interactive proof protocols can be made more efficient. Various aspects of zero-knowledge proof systems can be optimized, namely the number of rounds, the communication complexity, and the computational complexity.
Brassard, Crépeau, and Yung [BCY91] constructed a 6-move perfect zero-knowledge argument for all languages in NP, whereas Feige and Shamir [FS89] showed that it is possible to construct computational zero-knowledge arguments of knowledge with 4 rounds given some algebraic assumptions, or with 5 rounds assuming that one-way functions exist. Similar results were stated by Bellare et al. [BJY97], who showed the existence of 4-round zero-knowledge arguments of knowledge given that one-way functions exist. As shown by Goldreich and Krawczyk [GK90], this is optimal for black-box zero-knowledge unless the language is in BPP.
In the case of proofs, Goldreich and Kahan [GK96] explain how to construct constant round zero-knowledge proofs with 5 rounds under widely believed number-theoretic assumptions. Results by Katz [Kat12] indicate that for computational zero-knowledge 5 rounds are optimal, and therefore the result by Goldreich and Kahan is optimal. Recently, Ong and Vadhan [OV08] showed that indeed all languages which have a statistical zero-knowledge proof have a constant round statistical zero-knowledge proof.
These results only hold for zero-knowledge proofs of language membership, and it was not clear whether constant round zero-knowledge proofs of knowledge exist. The gap was closed by Lindell [Lin10], who showed the existence of 5-round computational zero-knowledge proofs of knowledge for all languages in NP.
Round complexity is one aspect which can be optimized; another one is the amount of data sent between the two parties. In protocols with an unbounded number of rounds a basic protocol was repeated $k$ times to achieve a soundness error of $2^{-k}$; this approach has a cost of at least $\Omega(kn)$ bits, where $n$ is the statement size. Special techniques allowed Boyar et al. [BLP93, BBP91] to reduce this cost to subquadratic for any language L, and Kilian [Kil92] reduced this cost slightly for proofs using PCPs.
Cramer and Damgård [CD97] were able to construct a zero-knowledge proof for all of NP with linear communication cost and a constant number of rounds. Recently, Ishai et al. [IKOS07] improved this result further: their approach depends only linearly on the statement size, and they also gave a version depending quasilinearly on the witness size. Di Crescenzo and Fedyukovych [CF12] have taken a different approach and also showed that it is possible to prove all statements in NP with communication cost linear in the statement size. Their proof performs better than [IKOS07] for small circuits; however, for big circuits the technique of [IKOS07] gives better performance.
Cramer and Damgård's [CD97] technique for arguments turns out to have the same complexity as their technique for proofs. But for arguments the communication cost can be even lower. Kilian's [Kil92, Kil95] technique leads to arguments for each language in NP with a constant number of rounds and communication cost polylogarithmic in the statement size. The recent work by Ishai et al. [IKOS07] and Goldwasser et al. [GKR08] achieved arguments with communication depending only quasilinearly on the witness size.
The last important aspect which can be optimized is the computational complexity. Since Schnorr's [Sch91] construction for zero-knowledge identification, it has been known that zero-knowledge proofs and arguments with low computational complexity are possible. However, all general constructions for proving statements in NP require heavy reductions to special problems; thus, they are not efficient in this respect. Moreover, it is hard to give good lower bounds on the computational complexity, beyond the fact that every protocol has to read at least the statement. However, work has been undertaken to reduce the cost of zero-knowledge protocols for specific problems, for instance [BDD07, Pen11] for non-membership arguments or [CD98, Gro09, Gro11] for circuit satisfiability.
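As an added example, not code from the thesis, the following Python implementation of Schnorr's protocol [Sch91] for knowledge of a discrete logarithm shows several of the notions surveyed in this section in one place: the public coin verifier, whose challenge is exactly its random coins sent in the clear; a perfect honest-verifier zero-knowledge simulator that produces accepting transcripts without the witness; and the extractor that recovers the witness from two accepting transcripts with the same first message, which is what makes the protocol a proof of knowledge. The group parameters (p = 2039, q = 1019, g = 4) are a toy instance constructed for illustration, far below the sizes the discrete logarithm assumption requires, and the function names are this example's own.

```python
# Schnorr's protocol for knowledge of w with h = g^w, together with the HVZK
# simulator and the knowledge extractor. Added example; not code from the thesis.
# Toy group constructed for illustration: p = 2q+1 with p = 2039, q = 1019, and
# g = 4 = 2^2 generates the subgroup of order q. Real use needs ~256-bit q.
import secrets

P = 2039   # prime modulus (toy size)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, hence of order Q

def keygen():
    """Witness w in Z_q^* and statement h = g^w; the prover must know w."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

# --- prover's two messages ----------------------------------------------------
def prover_commit(r):
    """First message a = g^r for a fresh randomizer r in Z_q."""
    return pow(G, r, P)

def prover_respond(w, r, x):
    """Third message z = r + x*w mod q, answering the challenge x."""
    return (r + x * w) % Q

# --- verifier -----------------------------------------------------------------
def verifier_challenge():
    """Public coin: x in Z_q^* is the verifier's randomness, sent in the clear."""
    return secrets.randbelow(Q - 1) + 1

def verify(h, a, x, z):
    """Accept iff g^z = a * h^x. Completeness: g^{r+xw} = g^r * (g^w)^x."""
    return pow(G, z, P) == (a * pow(h, x, P)) % P

def run_protocol(w, h):
    """Honest three-move interaction; returns the transcript (a, x, z)."""
    r = secrets.randbelow(Q)
    a = prover_commit(r)
    x = verifier_challenge()
    z = prover_respond(w, r, x)
    return a, x, z

# --- honest-verifier zero-knowledge: forge a transcript without w -------------
def simulate(h):
    """Choose x and z first, then solve for a = g^z * h^{-x}.
    (a, x, z) has exactly the distribution of an honest transcript (a and x
    uniform, z the unique value passing the check), i.e. perfect HVZK.
    Only an honest verifier is covered: the simulator picks x itself."""
    x = verifier_challenge()
    z = secrets.randbelow(Q)
    h_inv_x = pow(h, (Q - x) % Q, P)       # h^{-x}, since h has order q
    a = (pow(G, z, P) * h_inv_x) % P
    return a, x, z

# --- proof of knowledge: extract w from two accepting transcripts --------------
def extract(a, x1, z1, x2, z2):
    """Same a, distinct challenges x1 != x2: g^{z1-z2} = h^{x1-x2}, so
    w = (z1 - z2) / (x1 - x2) mod q. This is special soundness: a prover
    able to answer two challenges for one a must know w."""
    if x1 == x2:
        raise ValueError("challenges must differ")
    return ((z1 - z2) * pow((x1 - x2) % Q, -1, Q)) % Q

def demo():
    """Honest run, simulated run, and rewinding-based extraction."""
    w, h = keygen()
    a, x, z = run_protocol(w, h)
    assert verify(h, a, x, z)
    assert verify(h, *simulate(h))          # passes without knowing w
    r = secrets.randbelow(Q)                 # rewind: reuse a, ask twice
    a = prover_commit(r)
    x1, x2 = 5, 17
    w_rec = extract(a, x1, prover_respond(w, r, x1), x2, prover_respond(w, r, x2))
    return w == w_rec

if __name__ == "__main__":
    print("extractor recovered the witness:", demo())
```

The simulator makes the honest-verifier caveat concrete: it chooses the challenge itself, which a cheating verifier in the real protocol does not permit, so the protocol is HVZK rather than full zero-knowledge, and the transformations cited above are what close that gap. Rewinding is likewise an analysis tool: the real verifier never sees two transcripts with the same first message, so the extractor does not weaken the protocol, it only shows that a convincing prover must know w.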
Chapter 3
Preliminaries
In this chapter we give definitions of the key concepts needed to construct our zero-knowledge arguments. When arguing that a protocol is correct we will use homomorphic commitment schemes extensively; different commitment schemes can be used. We will describe our work using the Pedersen commitment scheme [Ped91], as it is based on the discrete logarithm assumption. Our shuffle protocol works for different types of homomorphic encryption schemes, for example ElGamal encryption [ElG84] or Paillier encryption [Pai99]. We will focus on ElGamal encryption since it is based on the discrete logarithm assumption, and also for notational reasons. Finally, we give precise definitions of what we mean by honest verifier zero-knowledge arguments.
3.1 Notation
Definition 1 (Negligible, Overwhelming). We say a function $f : \mathbb{N} \to [0, 1]$ is negligible if $f(x) = O(x^{-c})$ for every constant $c > 0$. We say $1 - f$ is overwhelming if $f$ is negligible.
To define security in our protocols, we will use a security parameter $\lambda$. The security parameter is written in unary as $1^\lambda$ and is given as input to all parties in our protocols. Intuitively, the higher the security parameter, the more secure the protocol, see also Section 4.1.1. Formally, we define security in the following by saying a protocol has security level $\lambda$ if an adversarial algorithm requires at least $2^\lambda$ steps to succeed.
We write y = A(x; r) when the algorithm A, on input x and randomness r, outputs y. We write y ← A(x) for the process of picking randomness r uniformly at random and setting y = A(x; r). We also write y ← S for sampling y uniformly at random from a set S.
We will denote field elements from $\mathbb{Z}_q$ with lower case characters. For randomizers we will stick throughout the thesis to $r, s, t, \rho, \sigma, \tau \in \mathbb{Z}_q$, and to $x, y, z \in \mathbb{Z}_q^*$ for challenges, which are sent by the verifier. The encryption scheme and the commitment scheme may use different underlying groups, but we require that both groups have the same prime order $q$. We will write $G$ for the group used by the commitment scheme and $H$ for the ciphertext space.
We will use bold letters for vectors, for example $\mathbf{a} = (a_1, \ldots, a_n)$ or $\mathbf{M} = (M_1, \ldots, M_m)$, and use the standard notation of upper case letters for matrices. For vectors of group elements, we write $\mathbf{X} \circ \mathbf{Y} = (X_1 Y_1, \ldots, X_n Y_n)$ for the entry-wise product and correspondingly $\mathbf{X}^z = (X_1^z, \ldots, X_n^z)$. We write $\mathbf{x}_\pi$ if the entries of the vector $\mathbf{x}$ are permuted by the permutation $\pi$, i.e. $\mathbf{x}_\pi = (x_{\pi(1)}, \ldots, x_{\pi(n)})$. For vectors of field elements, we use the standard inner product $\mathbf{x} \cdot \mathbf{y} = \sum_{i=1}^n x_i y_i$.
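To make the notation of this section and the building blocks named in the chapter introduction concrete, the following Python code (an added example, not the thesis's own code) implements the entry-wise product, entry-wise power and permutation of vectors, a Pedersen commitment to a vector together with its homomorphic properties, and ElGamal encryption with the permute-and-re-randomize shuffle whose correctness a shuffle argument is meant to prove. The group (p = 2039, q = 1019, g = 4), the commitment generators and the plaintexts are toy values constructed for illustration; in particular the generators are derived from g with known exponents, which a real commitment key must never do.

```python
# Vector notation of Section 3.1, a Pedersen commitment to a vector, and ElGamal
# with a permute-and-re-randomize shuffle. Added example; not code from the thesis.
# Toy group constructed for illustration: p = 2q+1 with p = 2039, q = 1019, and
# g = 4 generating the subgroup of order q.
import secrets
from collections import Counter

P, Q, G = 2039, 1019, 4

def rand_zq():
    return secrets.randbelow(Q)

# --- vector notation ----------------------------------------------------------
def entrywise(X, Y):
    """X o Y = (X_1 Y_1, ..., X_n Y_n) for vectors of group elements."""
    return tuple(x * y % P for x, y in zip(X, Y))

def power(X, z):
    """X^z = (X_1^z, ..., X_n^z)."""
    return tuple(pow(x, z, P) for x in X)

def permute(x, pi):
    """x_pi = (x_{pi(1)}, ..., x_{pi(n)}); pi is given 0-indexed here."""
    return tuple(x[pi[i]] for i in range(len(x)))

def vec_add(a, b):
    return tuple((x + y) % Q for x, y in zip(a, b))

def vec_scale(z, a):
    return tuple(z * x % Q for x in a)

# --- Pedersen commitment to a vector a in Z_q^n --------------------------------
def pedersen_key(n):
    """Commitment key (h, g_1, ..., g_n). Deriving the generators from g with
    random exponents, as here, is only acceptable in an illustration: anyone
    who knows those exponents can open a commitment to two different vectors."""
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)
    gs = tuple(pow(G, secrets.randbelow(Q - 1) + 1, P) for _ in range(n))
    return h, gs

def commit(key, a, r):
    """com(a; r) = h^r * prod_i g_i^{a_i}, with randomizer r in Z_q."""
    h, gs = key
    c = pow(h, r, P)
    for g_i, a_i in zip(gs, a):
        c = c * pow(g_i, a_i % Q, P) % P
    return c

def homomorphic_checks(key, a, r, b, s, z):
    """com(a;r) * com(b;s) = com(a+b; r+s)  and  com(a;r)^z = com(z*a; z*r)."""
    ca, cb = commit(key, a, r), commit(key, b, s)
    add_ok = ca * cb % P == commit(key, vec_add(a, b), (r + s) % Q)
    mul_ok = pow(ca, z, P) == commit(key, vec_scale(z, a), z * r % Q)
    return add_ok and mul_ok

# --- ElGamal in the same group; a ciphertext is the pair (g^rho, m * pk^rho) ----
def elgamal_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, rho):
    return (pow(G, rho, P), m * pow(pk, rho, P) % P)

def decrypt(sk, c):
    c1, c2 = c
    return c2 * pow(c1, (Q - sk) % Q, P) % P     # c1^{-sk}, as c1 has order q

def ct_mul(c, e):
    """Entry-wise product of ciphertexts encrypts the product of the plaintexts."""
    return (c[0] * e[0] % P, c[1] * e[1] % P)

def shuffle(pk, C, pi, rhos):
    """C'_i = C_{pi(i)} o Enc(1; rho_i): permute, then re-randomize each entry.
    Without the rho_i anyone could link outputs to inputs by equality; with them
    the link is hidden under DDH, and a shuffle argument is what convinces a
    verifier that some pi and rho_i exist without revealing them."""
    return tuple(ct_mul(c, encrypt(pk, 1, rho))
                 for c, rho in zip(permute(C, pi), rhos))

def demo():
    # plaintexts must lie in the order-q subgroup; constructed for this example
    msgs = tuple(pow(G, k, P) for k in (11, 22, 33, 44))
    sk, pk = elgamal_keygen()
    C = tuple(encrypt(pk, m, rand_zq()) for m in msgs)
    pi = (2, 0, 3, 1)
    C_out = shuffle(pk, C, pi, tuple(rand_zq() for _ in msgs))
    decrypted = tuple(decrypt(sk, c) for c in C_out)
    shuffled_ok = decrypted == permute(msgs, pi) and Counter(decrypted) == Counter(msgs)
    key = pedersen_key(3)
    return shuffled_ok and homomorphic_checks(key, (1, 2, 3), rand_zq(), (4, 5, 6), rand_zq(), 7)

if __name__ == "__main__":
    print("shuffle and commitment homomorphisms check out:", demo())
```

The two homomorphisms in homomorphic_checks are the algebra a verifier relies on when it combines commitments sent by the prover with its own challenges $x, y, z \in \mathbb{Z}_q^*$, and the entry-wise operations on ciphertext vectors are what let the same verifier treat a whole shuffle as one homomorphic equation rather than $n$ separate ones.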