19
Advanced Topics

Zero-Knowledge Proofs

Authentication and deniability seem fundamentally opposed. Authentication means becoming convinced of someone's identity. Deniability, in the context of authentication, means having no proof of interacting with someone. How can you become convinced of someone's identity without also having proof of their identity?

Amazingly, it is possible to reconcile authentication with deniability, to authenticate without a trace. I can prove my identity to you in such a way that leaves you with no evidence you could use to convince someone else. This concept of leaving no trace is called zero knowledge, and it is not limited only to authentication. A zero-knowledge proof lets me convince you that something is true—like the fact that I know a private key corresponding to some public key—while leaving no useful information behind.

19.1. The Schnorr identification protocol

Cryptographic authentication happens with respect to a public key. Let's consider key pairs where an integer aa is the private key and A=gaA = g^a is the corresponding public key, where gg is the generator of a suitable cyclic group. “Authenticating the owner of public key AA means becoming convinced that you are talking to someone who knows the discrete logarithm aa of AA. The following interactive protocol, named after its creator Claus Schnorr, is a method for doing just that:

Construction 19.1.1 (Schnorr identification protocol)

Let G\G be a cyclic group with generator gg and prime order n\nmod. Suppose a verifier knows a group element A=gaGA = g^a \in \G. The following protocol, called the Schnorr identification protocol, allows a prover to convince the verifier that it knows the discrete logarithm aa of AA.

The modulus n\nmod must be prime because our analysis of this protocol requires multiplicative inverses mod n\nmod.

When the protocol is executed as shown above, the verifier will always accept, because

gr=gy+ca=gy(ga)c=YAc. g^r = g^{y+ca} = g^y \cdot (g^a)^c = Y \cdot A^c.

It's more interesting to consider what happens when one of the participants is adversarial.

Lying prover: The verifier wants to be sure that only someone who knows the private key aa can succeed in the protocol. The analysis of Schnorr's protocol uses a clever way to characterize whether a cheating prover “knows” a certain value.

Definition 19.1.2 (Protocol transcript)

The transcript of a Schnorr protocol execution consists of values (A,Y,c,r)(A,Y,c,r). It is an accepting transcript if gr=YAcg^r = Y \cdot A^c—in other words, if the verifier would accept.

Claim 19.1.3 (Soundness of Schnorr protocol)

There is an efficient algorithm that computes the discrete logarithm aa of AA, given any two accepting transcripts (A,Y,c,r)(A,Y,c,r) and (A,Y,c,r)(A,Y,c',r') with the same AA and YY but different ccc \ne c'.

Proof:

If (A,Y,c,r)(A,Y,c,r) and (A,Y,c,r)(A,Y,c',r') are accepting transcripts, they satisfy:

gr=YAc, andgr=YAc.\begin{aligned} g^{r} &= Y \cdot A^{c}, \text{ and} \\ g^{r'} &= Y \cdot A^{c'}.\end{aligned}

“Divide” the two equations by each other (i.e., multiply the first equation by the inverse of the second). The YY values cancel, resulting in:

(gr)(gr)1=(YAc)(YAc)1    grr=Acc.\begin{aligned} \left(g^{r}\right) \left( g^{r'} \right)^{-1} &= \left(Y \cdot A^{c}\right) \left( Y \cdot A^{c'} \right)^{-1} \\ \implies g^{r - r'} &= A^{c - c'}.\end{aligned}

Exponents in this cyclic group operate modulo n\nmod, which is a prime. Since cc0c - c' \ne 0, there exists an inverse (cc)1(c-c')^{-1} mod n\nmod. Raise both sides of the equation to this power to get:

g(rr)(cc)1=A. g^{(r - r')(c-c')^{-1}} = A.

Thus, (rr)(cc)1(r-r')(c-c')^{-1} is the discrete logarithm of AA, and we can compute it easily from the two transcripts.

What does this have to do with determining whether the prover knows aa, you might be asking? Consider the moment in Schnorr's protocol immediately after the prover has sent their first message YY. The verifier is about to sample cZnc \gets \Z_\nmod. For any possible cc, we can imagine whether the prover would be able to produce the correct response, causing the verifier to accept. There are two cases to consider:

  • The prover could respond correctly to two different values of cc. If the prover is able to do this, then from claim 19.1.3 the prover surely has enough information to compute aa. Thus, it is safe to say that the prover knows aa, and it is fine that the verifier accepts.

  • Otherwise, the prover can respond correctly to at most one value of cc. It doesn't matter what this value is, just that there is at most one such value. Since the verifier samples cc uniformly in Zn\Z_\nmod, the chance of choosing this special value is 1/n1/\nmod, which is negligible (n\nmod is exponentially large, as the order of a cryptographically strong cyclic group). Barring this negligibly likely bad event, the verifier must choose a cc for which the prover cannot produce the correct response, so the verifier will reject.

Nosy verifier: What does the verifier learn about the prover in this protocol? This answer is (arguably) best understood with a story:

King Richard decides to hold an archery competition to identify the best archer in the land. He constructs a long wooden wall, with many targets painted on it. During the competition, he is stunned as Robin Hood stands 100 meters away from the wall and fires one arrow into the center of each of the targets. Of course, Robin Hood is declared the winner.

Later that day, the Sheriff of Nottingham arrives at the King's castle. The King describes Robin Hood's exceptional performance, pointing to the arrows still in the targets. The Sheriff is not impressed. “Robin Hood is a fraud and a liar. Those arrows prove nothing,” he says. He takes his own bow and fires a series of arrows into blank parts of the wall. He finds a bucket of paint and paints a target around each of his arrows. “See,” he says again, “arrows in targets prove nothing!”

Why does the King think that an arrow in the middle of a target is convincing evidence of Robin Hood's skill, but the Sheriff does not? The Sheriff is correct that it requires no skill to produce an arrow in the center of a target. On the other hand, it requires great skill to produce an arrow in the center of a target if the target is painted before the arrow is fired! The King saw that the target was painted before Robin Hood fired his arrow, but the Sheriff did not.

In the world of zero-knowledge, the artifacts of the interaction are not convincing in themselves; what is convincing is the manner in which those artifacts were produced. We can say something similar about Schnorr's protocol:

Alice, whose public key is A=gaA=g^a, contacts Bob and uses Schnorr's protocol to prove that she knows the secret key aa. Bob is convinced that he is talking to Alice, and he writes down everything he sees: (A,Y,c,r)(A,Y,c,r).

Later that day, Charlie arrives at Bob's house. Bob mentions that he talked to Alice earlier in the day, and he shows Charlie the accepting transcript (A,Y,c,r)(A,Y,c,r). “That proves nothing,” says Charlie, and he proceeds to generate his own accepting transcript (A,Y,c,r)(A,Y',c',r'), even though he doesn't know aa.

In the Schnorr protocol, YY and cc are like the target, and rr is like the arrow. If YY is chosen first and cc second, then only someone who knows Alice's private key can produce the correct rr (except with negligibly small probability). Like King Richard at his archery competition, a verifier who participates in Schnorr's protocol becomes convinced that the prover knows aa. However, after the interaction is finished, its transcript is meaningless. Anyone can create an accepting transcript by choosing rr and cc first, and then solving for YY; this is like painting a target where the arrow struck. And since these “fake” transcripts can be generated without knowing the secret value aa, the “real” Schnorr transcripts, generated using aa, cannot leak any information about aa.

Let's see how to generate Schnorr protocol transcripts without knowing the private key:

Claim 19.1.4 (Zero-Knowledge of Schnorr protocol)

The following two libraries are indistinguishable:

Lschnorr-real\lib{schnorr-real}
schnorr.transcript(a)\schnorrtrans(a):
A:=gaA := g^a
// run the protocol to
// generate a transcript
yZny \gets \Z_\nmod
Y:=gyY := g^y
cZnc \gets \Z_\nmod
r:=(y+ca)%nr := (y+ca) \pct \nmod
return (A,Y,c,r)(A,Y,c,r)
\indist
Lschnorr-fake\lib{schnorr-fake}
schnorr.transcript(a)\schnorrtrans(a):
A:=gaA := g^a
// generate a “fake”
// transcript using only AA
cZnc \gets \Z_\nmod
rZnr \gets \Z_\nmod
Y:=gr(Ac)1Y := g^r \cdot (A^c)^{-1}
return (A,Y,c,r)(A,Y,c,r)

In other words, transcripts generated by running the protocol (where the prover uses its secret exponent aa) are indistinguishable from transcripts generated using only AA, which the verifier already knows.

Proof:

Hybrid Sequence:
The starting point is Lschnorr-real\lib{schnorr-real}.
We can rearrange things so that cc is chosen first.
Now rr is essentially a OTP encryption of plaintext caca under key yy, using a variant of OTP with addition mod n\nmod. We achieve the same distribution by choosing rr uniformly and solving for yy:
Now YY is computed as Y=gy=grca=gr(gac)1=gr(Ac)1Y = g^y = g^{r-ca} = g^r (g^{ac})^{-1} = g^r (A^c)^{-1}. By rewriting YY in this way, the private exponent aa is no longer needed. The result is Lschnorr-fake\lib{schnorr-fake}, completing the proof.
Lschnorr-real\lib{schnorr-real}
schnorr.transcript\schnorrtrans(aa):
A:=gaA := g^a
yZny \gets \Z_\nmod
Y:=gyY := g^y
cZnc \gets \Z_\nmod
rr
:=(y+ca)%n{}:= (y+ca) \pct \nmod
Zn{}\gets \Z_\nmod
return (A,Y,c,r)(A,Y,c,r)

An authentication session using Schnorr's protocol leaves behind no valuable information. Everything the verifier sees during the protocol, he could have generated himself using the process in Lschnorr-fake\lib{schnorr-fake}, even without knowing the private key aa.

Compare this aspect of Schnorr's protocol with signature-based authentication. Only someone who knows the signing key can generate a valid signature. If Alice authenticates by sending Bob a signature, she gives him something that he could not have computed himself. He could have obtained this signature only by interacting with Alice.

19.2. Sigma protocols

Schnorr's protocol is an example of a special kind of interactive proof called a sigma protocol.

Unfortunately, two very fundamental things in cryptography are named “sigma protocols”: the interactive proofs in this section, and the authenticated key exchange protocol from section 18.2.4. The key exchange protocol is usually written in all-caps.

An interactive proof is simply an interactive protocol in which the prover tries to convince the verifier that some condition is true.

In Schnorr's protocol, there is a public value AA, known to both the prover and verifier; the prover wants to convince the verifier that it knows a private value aa that satisfies ga=Ag^a = A. In a generic sigma protocol, there is a public value XX called an instance; the prover wants to convince the verifier that it knows a private witness WW such that XX and WW together satisfy some condition (or predicate).

Example 19.2.1 (Proofs and witnesses)
  • In the Schnorr protocol, (g,A)(g,A) is the instance; the private key aa is the witness; the condition is ga=Ag^a = A.

  • Alice may wish to convince Bob that a triple of group elements (A,B,C)(A,B,C) have the form (ga,gb,gab)(g^a, g^b, g^{ab}), as in the DDH problem, without revealing their discrete logarithms. In this case, (A,B,C)(A,B,C) are the instance; the exponents aa and bb are the witness; and the condition is (A,B,C)=(ga,gb,gab)(A,B,C) = (g^a, g^b, g^{ab}).

  • Alice may wish to convince Bob that (C1,C2)(C_1, C_2) is an El Gamal encryption under some public key AA, of either M=g0M = g^0 or M=g1M=g^1, without revealing which one. In this case, (C1,C2,A)(C_1, C_2, A) is the instance; MM and the encryption randomness rr are the witness; and the condition is [(C1,C2)=(gr,MAr)(C_1,C_2) = (g^r, M \cdot A^r) and M{g0,g1}M \in \{g^0, g^1\}].

  • Alice may wish to convince Bob that a string XX is the output of a PRG GG, without revealing the corresponding seed. In this case, XX is the instance; the seed S\seed is the witness; and the condition is G(S)=XG(\seed) = X.

Definition 19.2.2 (Sigma protocol)

A sigma protocol consists of the following parameters:

  • Commit\Commit: a randomized algorithm that takes an instance XX and witness WW as input, and outputs a protocol message YY and state σ\sigma. (The prover sends two messages in a sigma protocol, and σ\sigma represents the information that the prover must remember in the meantime.)

  • C\C: a set of verifier challenges.

  • Respond\Respond: a deterministic algorithm that takes state σ\sigma and challenge CCC \in \C as input, and outputs a response RR.

  • Check\Check: a deterministic algorithm that takes a transcript (X,Y,C,R)(X,Y,C,R) as input, and outputs a boolean.

These algorithms are intended to be executed in the following interactive protocol:

In the language of mathematical proofs, completeness means that every true thing should have a valid proof, and soundness means that only true things have valid proofs. Interactive proofs like sigma protocols must be both complete and sound in order to be useful:

Definition 19.2.3 (Completeness)

The sigma protocol is complete (with respect to a condition PP) if, for any (X,W)(X,W) satisfying P(X,W)P(X,W), the verifier always accepts when the protocol is run according to the definition above.

We define soundness for sigma protocols in the style of Schnorr's protocol. Namely, if there are two accepting transcripts that share a common prefix, then we must be able to extract a witness WW that satisfies P(X,W)P(X,W). This way of defining soundness is highly specialized to the strict structure of a sigma protocol, and is not meaningful for all flavors of interactive proofs that cryptographers study. Thus, it is traditionally called special soundness.

Definition 19.2.4 (Special soundness)

A sigma protocol has special soundness (with respect to a condition PP) if there is an efficient algorithm Extract\Extract with the following property: For any two accepting transcripts (X,Y,C,R)(X,Y,C,R) and (X,Y,C,R)(X,Y,C',R') with the same XX and YY but different CCC \ne C', Extract(X,Y,C,R,C,R)\Extract(X,Y,C,R,C',R') outputs a witness WW such that P(X,W)P(X,W) is true.

We call an interactive proof zero-knowledge if, informally, the interaction reveals nothing about the witness to the verifier. This property can be formalized by saying that there is a way to generate convincing protocol transcripts without using the witness at all. By definition, these “fake” transcripts contain no information about the witness. So if they are indistinguishable from real transcripts, then real transcripts must not leak information about the witness.

The zero-knowledge security definition for sigma protocols considers only transcripts that are generated with a verifier who follows the protocol. Thus, the definition can be interpreted as: Verifiers who follow the protocol learn nothing about the witness. Other forms of zero-knowledge proofs, which we do not study in this book, also consider the more challenging case where a verifier cheats in (deviates from) the protocol.

Definition 19.2.5 (Honest-verifier zero-knowledge)

A sigma protocol is honest-verifier zero-knowledge (HVZK) if there is an efficient algorithm SimTranscript\SimTrans, called a simulator, such that the following two libraries are indistinguishable:

Lhvzk-real\lib{hvzk-real}
hvzk.transcript(X,W)\hvzktrans(X,W):
// generate transcript as in
// normal protocol interaction
(Y,σ):=Commit(X,W)(Y,\sigma) := \Commit(X,W)
CCC \gets \C
R:=Respond(σ,C)R := \Respond(\sigma,C)
return (X,Y,C,R)(X,Y,C,R)
\indist
Lhvzk-fake\lib{hvzk-fake}
hvzk.transcript(X,W)\hvzktrans(X,W):
// generate “fake” transcript
// using only XX
(Y,C,R):=SimTranscript(X)(Y,C,R) := \SimTrans(X)
return (X,Y,C,R)(X,Y,C,R)

Importantly, Lhvzk-fake\lib{hvzk-fake} does not use WW at all.

19.3. More examples of sigma protocols

This section introduces several more sigma protocols for proving more complex conditions.

19.3.1. Proof of discrete log equality

Let (g1,g2,A1,A2)(g_1, g_2, A_1, A_2) be cyclic group elements, and suppose the prover would like to convince the verifier that it knows a value aa such that g1a=A1g_1^a = A_1 and g2a=A2g_2^a = A_2—in other words, that two discrete logarithms are equal.

Running Schnorr's identification protocol twice, first on (g1,A1)(g_1,A_1) and then on (g2,A2)(g_2,A_2), would establish that the prover knows both discrete logs, but it would do nothing to establish that those discrete logs are equal. The idea instead is to run these two instances of Schnorr's protocol, but restrict the prover to use the same challenge and response in both instances. It turns out that this idea is enough to ensure that the two discrete logs must be equal.

Construction 19.3.1 (Sigma protocol for equality of discrete logs)

Let G\G be a cyclic group with generator gg and prime order n\nmod. The following sigma protocol allows the prover to convince the verifier that it knows a witness aa such that g1a=A1g_1^a = A_1 and g2a=A2g_2^a = A_2, for a public instance (g1,g2,A1,A2)(g_1, g_2, A_1, A_2):

Commit((g1,g2,A1,A2),a)\Commit\Bigl( (g_1,g_2,A_1,A_2), a \Bigr):
yZny \gets \Z_\nmod
Y1:=g1y;Y2:=g2yY_1 := g_1^y; Y_2 := g_2^y
σ:=(a,y)\sigma := (a,y)
return ((Y1,Y2),σ)\bigl( (Y_1,Y_2), \sigma \bigr)
Respond(σ=(a,y),c)\Respond\bigl( \sigma = (a,y), c \bigr):
r:=(y+ca)%nr := (y + ca) \pct \nmod
return rr
\quad
C=Zn\C = \Z_\nmod
Check((g1,g2,A1,A2),(Y1,Y2),c,r)\Check\Bigl( (g_1,g_2,A_1,A_2), (Y_1,Y_2), c, r \Bigr):
if g1r==Y1A1cg_1^r == Y_1 \cdot A_1^c and g2r==Y2A2cg_2^r == Y_2 \cdot A_2^c:
return true\mytrue
else return false\myfalse

Shown visually, the protocol is as follows:

Claim 19.3.2 (Special soundness of discrete-log-equality protocol)

Construction 19.3.1 has special soundness.

Proof:

Suppose we are given two accepting transcripts for construction 19.3.1:

((g1,g2,A1,A2),(Y1,Y2),c,r),((g1,g2,A1,A2),(Y1,Y2),c,r),\begin{aligned} \bigl( (g_1,g_2,A_1,A_2), (Y_1,Y_2), c, r \bigr), \\ \bigl( (g_1,g_2,A_1,A_2), (Y_1,Y_2), c', r' \bigr),\end{aligned}

with ccc \ne c'. Since they are both accepting, we have:

g1r=Y1A1c,g2r=Y2A2c,g1r=Y1A1c,g2r=Y2A2c.\begin{aligned} g_1^{r} &= Y_1 \cdot A_1^{c}, & g_2^{r} &= Y_2 \cdot A_2^{c}, \\ g_1^{r'} &= Y_1 \cdot A_1^{c'}, & g_2^{r'} &= Y_2 \cdot A_2^{c'} .\end{aligned}

Divide matching equations to cancel Y1Y_1 and Y2Y_2, resulting in:

g1rr=A1cc,g2rr=A2cc.\begin{aligned} g_1^{r - r'} &= A_1^{c - c'}, & g_2^{r - r'} &= A_2^{c - c'} .\end{aligned}

Then since n\nmod is prime and cc0c-c' \ne 0, there is a multiplicative inverse (cc)1(c-c')^{-1} mod n\nmod. Exponentiate both sides of the equations to this power to get:

g1(rr)(cc)1=A1,g2(rr)(cc)1=A2.\begin{aligned} g_1^{(r - r')(c-c')^{-1}} &= A_1, & g_2^{(r - r')(c-c')^{-1}} &= A_2.\end{aligned}

Setting a=(rr)(cc)1a = (r-r')(c-c')^{-1}, we now have g1a=A1g_1^a = A_1 and g2a=A2g_2^a = A_2. In other words, we have computed a witness for the desired condition.

Claim 19.3.3 (Zero-knowledge of discrete-log-equality protocol)

Construction 19.3.1 has honest-verifier zero-knowledge.

Proof:

To simulate an accepting transcript for this sigma protocol, first sample cZnc \gets \Z_\nmod and rZnr \gets \Z_\nmod. Then compute Y1=g1r(A1c)1Y_1 = g_1^r (A_1^c)^{-1} and Y2=g2r(A2c)1Y_2 = g_2^r (A_2^c)^{-1}. The proof that these simulated transcripts are indistinguishable from real ones is almost identical to that of claim 19.1.4, and is omitted here.

19.3.2. Proving ANDs and ORs

In this section we show how to construct sigma protocols for more complicated conditions, involving ands and ors. For example:

  • Alice wants to prove that she knows the discrete log of either A1A_1 or A2A_2. Imagine that these are public keys of two people who are authorized to use a system, and Alice wants to authenticate without revealing who she is.

  • Given a public ciphertext C\ctxt, Alice wants to prove that Dec(SK,C){yes,no}\Dec(\sk,\ctxt) \in \{ \bit{yes}, \bit{no} \}. In other words, either the ciphertext decrypts to yes\bit{yes}, or it decrypts to no\bit{no}. The ciphertext may represent a vote in an election, and Alice wants to prove that she cast an unambiguous vote, without revealing it.

  • Alice wants to prove that (g1,g2,g3,A1,A2,A3)(g_1,g_2,g_3, A_1,A_2,A_3) satisfy (gi)a=Ai(g_i)^a = A_i. In other words, the discrete logs of A1A_1 and A2A_2 are equal, and the discrete logs of A2A_2 and A3A_3 are equal.

Proving an OR: We start with the case of an or of two conditions. Suppose we have a sigma protocol Σ0\Sigma_0 for condition P0P_0 and a sigma protocol Σ1\Sigma_1 for condition P1P_1. A prover wants to prove knowledge of WW such that [P0(X,W)P_0(X,W) or P1(X,W)P_1(X,W)], or in other words, prove knowledge of b{0,1}b \in \{0,1\} and WW such that Pb(X,W)P_b(X,W).

To understand the clever idea behind this sigma protocol, we return to the metaphor involving arrows and targets. Robin Hood has two bows and wants to convince the King that he can fire one of them accurately. The King could draw two targets and ask Robin to fire an arrow from each bow and hit the two targets. But Robin might not be able to hit both targets, because one of his bows might be erratic. Additionally, the final positions of the arrows might reveal to the King which bow is the good one.

Instead, the King should draw only one target, and ask Robin to fire an arrow from each bow, so that the target is precisely between the two arrows. As long as Robin can fire just one bow accurately, he can succeed. He should first fire the erratic bow; its arrow will land unpredictably, likely nowhere near the target. But then Robin knows exactly where he should fire the second arrow, now from the accurate bow, so that the target is precisely between the arrows.

Okay, this physical metaphor is convoluted and strained, but it captures the spirit of the sigma protocol, which works as follows:

  • The prover sends the first messages (Y0,Y1Y_0, Y_1) in parallel instances of Σ0\Sigma_0 and Σ1\Sigma_1.

  • The verifier uniformly samples CC and challenges the prover to complete two accepting transcripts (Y0,C0,R0)(Y_0, C_0, R_0) and (Y1,C1,R1)(Y_1, C_1, R_1), such that C0+C1=CC_0 + C_1 = C. Here, C0C_0 and C1C_1 are like the two arrows, which can be fired anywhere but whose average (or sum, in this case) must hit a particular target CC.

  • Suppose the prover knows a witness for Σ0\Sigma_0 but not Σ1\Sigma_1. Then it should have generated Y1Y_1 by simulating a transcript (Y1,C1,R1)(Y_1, C_1, R_1). Now the prover is bound to use this C1C_1 and has no control over C0=CC1C_0 = C - C_1, so it must use its witness to construct the correct response R0R_0 in the Σ0\Sigma_0 instance.

The formal details are given below. The verifier thinks of the two sigma protocol instances using subscripts 0 and 1, but the prover, who has a witness for PbP_b, thinks of them using subscripts bb and 1b1-b.

Construction 19.3.4 (Sigma protocol for disjunctions)

Let Σ0\Sigma_0 and Σ1\Sigma_1 be sigma protocols for conditions P0P_0 and P1P_1, respectively, with identical challenge sets Σ0.C=Σ1.C\Sigma_0.\C = \Sigma_1.\C, and where Σi.C\Sigma_i.\C has an addition operation. Define the new sigma protocol Σor\Sigma^{\text{or}} as follows:

Commit(X,(W,b))\Commit\Bigl( X, (W,b) \Bigr):
// prover does not have a witness for Σ1b\Sigma_{1-b}
(Y1b,C1b,R1b)(Y_{1-b}, C_{1-b}, R_{1-b})
:=Σ1b.SimTranscript(X){} := \Sigma_{1-b}.\SimTrans(X)
(Yb,σb):=Σb.Commit(X,W)(Y_b, \sigma_b) := \Sigma_b.\Commit(X,W)
return ((Y0,Y1),(b,C1b,R1b,σb))\bigl( (Y_0,Y_1), (b,C_{1-b}, R_{1-b}, \sigma_b) \bigr)
Respond(σ,C)\Respond( \sigma, C ):
(b,C1b,R1b,σb):=σ(b,C_{1-b}, R_{1-b}, \sigma_b) := \sigma
Cb:=CC1bC_b := C - C_{1-b}
Rb:=Σb.Respond(σb,Cb)R_b := \Sigma_b.\Respond(\sigma_b, C_b)
return (C0,C1,R0,R1)(C_0, C_1, R_0, R_1)
C=Σ0.C=Σ1.C\C = \Sigma_0.\C = \Sigma_1.\C
Check(X,(Y0,Y1),C,(C0,C1,R0,R1))\Check\Bigl( X, (Y_0,Y_1), C, (C_0,C_1,R_0,R_1) \Bigr):
if C0+C1==CC_0 + C_1 == C
and Σ0.Check(X,Y0,C0,R0)\Sigma_0.\Check(X,Y_0,C_0,R_0)
and Σ1.Check(X,Y1,C1,R1)\Sigma_1.\Check(X,Y_1,C_1,R_1):
return true\mytrue
else return false\myfalse

Shown pictorially:

Claim 19.3.5 (Special soundness of disjunction sigma protocol)

Construction 19.3.4 has special soundness (with respect to P0P1P_0 \lor P_1) if Σ0\Sigma_0 and Σ1\Sigma_1 do.

Proof:

A transcript has the form (X,(Y0,Y1),C,(C0,C1,R0,R1))\bigl( X, (Y_0,Y_1), C, (C_0,C_1,R_0,R_1) \bigr). The definition of special soundness considers the case where two accepting transcripts are known:

(X,(Y0,Y1),C,(C0,C1,R0,R1))  and(X,(Y0,Y1),C,(C0,C1,R0,R1)),\begin{aligned} & \bigl( X, (Y_0,Y_1), C, (C_0,C_1,R_0,R_1) \bigr) ~~ \text{and} \\& \bigl( X, (Y_0,Y_1), C', (C'_0,C'_1,R'_0,R'_1) \bigr) ,\end{aligned}

with CCC \ne C'. In this case a witness (W,b)(W,b) can be computed efficiently as follows:

Extract(X,(Y0,Y1),C,C,(C0,C1,R0,R1),(C0,C1,R0,R1))\Extract\bigl( X, (Y_0,Y_1), C, C', (C_0, C_1, R_0, R_1), (C'_0, C'_1, R'_0, R'_1) \bigr):
if C0C0C_0 \ne C'_0:
b:=0b := 0
else: // must have C1C1C_1 \ne C'_1 in this case
b:=1b:=1
W:=Σb.Extract(X,Yb,Cb,Cb,Rb,Rb)W := \Sigma_b.\Extract( X, Y_b, C_b, C'_b, R_b, R'_b )
return (W,b)(W,b)

The main idea is that since the two transcripts are accepting, they satisfy C=C0+C1C = C_0 + C_1 and C=C0+C1C' = C'_0 + C'_1. There must be some b{0,1}b\in\{0,1\} such that CbCbC_b \ne C'_b, because if this were not the case then it would imply C=CC = C', a contradiction. Focusing on this choice of bb, then (X,Yb,Cb,Rb)(X, Y_b, C_b, R_b) and (X,Yb,Cb,Rb)(X, Y_b, C'_b, R'_b) are two accepting transcripts for Σb\Sigma_b, with CbCbC_b \ne C'_b. Hence, we can use them to extract a witness WW for the condition PbP_b. Altogether, we can extract (W,b)(W,b) such that Pb(X,W)P_b(X,W), as desired.

Claim 19.3.6 (Zero-knowledge of disjunction sigma protocol)

Construction 19.3.4 is honest-verifier zero-knowledge if Σ0\Sigma_0 and Σ1\Sigma_1 are.

Proof:

The simulator for Σor\Sigma^{\text{or}} is simple: Generate simulated transcripts for Σ0\Sigma_0 and Σ1\Sigma_1, then solve for C=C0+C1C = C_0 + C_1:

SimTranscript(X)\SimTrans(X):
(Y0,C0,R0):=Σ0.SimTranscript(X)(Y_0, C_0, R_0) := \Sigma_0.\SimTrans(X)
(Y1,C1,R1):=Σ1.SimTranscript(X)(Y_1, C_1, R_1) := \Sigma_1.\SimTrans(X)
C:=C0+C1C := C_0 + C_1
return ((Y0,Y1),C,(C0,C1,R0,R1))\bigl( (Y_0, Y_1), C, (C_0,C_1,R_0,R_1) \bigr)

Exercise 19.9 asks you to prove that the resulting simulator produces indistinguishable transcripts.

Proving an AND: Now suppose we have sigma protocols Σ0\Sigma_0 and Σ1\Sigma_1, for conditions P0P_0 and P1P_1, respectively, and the prover would like to convince the verifier that it knows W0W_0 and W1W_1 such that P0(X,W0)P_0(X,W_0) and P1(X,W1)P_1(X,W_1). A natural idea is to simply run an instance of each of Σ0\Sigma_0 and Σ1\Sigma_1, in parallel. It is true that if the verifier accepts both proofs, then he can be convinced that the prover knows a witness to both conditions. However, the resulting protocol does not technically satisfy the formal security properties of a sigma protocol; exercise 19.12 explores this issue further.

To combine Σ0\Sigma_0 and Σ1\Sigma_1 into a single protocol that satisfies all of the usual sigma protocol security definitions, we must make one small modification:

Construction 19.3.7 (Sigma protocol for conjunction)

Let Σ0\Sigma_0 and Σ1\Sigma_1 be sigma protocols, for conditions P0P_0 and P1P_1, respectively, with Σ0.C=Σ1.C\Sigma_0.\C = \Sigma_1.\C, where Σi.C\Sigma_i.\C has an addition operation. Define the new sigma protocol Σand\Sigma^{\text{and}} as follows:

Commit(X,(W0,W1))\Commit\Bigl( X, (W_0,W_1) \Bigr):
(Y0,σ0):=Σ0.Commit(X,W0)(Y_0, \sigma_0) := \Sigma_0.\Commit(X,W_0)
(Y1,σ1):=Σ1.Commit(X,W1)(Y_1, \sigma_1) := \Sigma_1.\Commit(X,W_1)
ΔC\Delta \gets \C
return ((Y0,Y1,Δ),(σ0,σ1,Δ))\bigl( (Y_0,Y_1,\Delta), (\sigma_0,\sigma_1,\Delta) \bigr)
Respond(σ,C)\Respond( \sigma, C ):
(σ0,σ1,Δ):=σ(\sigma_0,\sigma_1,\Delta) := \sigma
R0:=Σ0.Respond(σ0,C)R_0 := \Sigma_0.\Respond(\sigma_0, C)
R1:=Σ1.Respond(σ1,C+Δ)R_1 := \Sigma_1.\Respond(\sigma_1, C + \Delta)
return (R0,R1)(R_0, R_1)
\quad
C=Σ0.C=Σ1.C\C = \Sigma_0.\C = \Sigma_1.\C
Check(X,(Y0,Y1,Δ),C,(R0,R1))\Check\Bigl( X, (Y_0,Y_1,\Delta), C, (R_0,R_1) \Bigr):
if Σ0.Check(X,Y0,C,R0)\Sigma_0.\Check(X,Y_0,C,R_0)
and Σ1.Check(X,Y1,C+Δ,R1)\Sigma_1.\Check(X,Y_1,C + \Delta,R_1):
return true\mytrue
else return false\myfalse

In short, the prover generates Y0Y_0 and Y1Y_1 as usual, but also samples a value Δ\Delta. The verifier samples a single challenge CC, and the prover responds to CC in Σ0\Sigma_0 but responds to C+ΔC+\Delta in Σ1\Sigma_1.

You are asked to prove the following in an exercise:

Claim 19.3.8 (Security of conjunction sigma protocol)

Suppose Σ0\Sigma_0 and Σ1\Sigma_1 have special soundness and are honest-verifier zero-knowledge. Then construction 19.3.7 has also has special soundness (with respect to P0P1P_0 \land P_1) and is honest-verifier zero-knowledge.

19.4. Noninteractive proofs and signatures

19.4.1. The Fiat-Shamir transformation

Interaction in a sigma protocol is crucial: It is how the protocol enforces that the verifier's challenge CC is chosen after the prover has committed to a value of YY. Without this strict order of operations, a sigma protocol proves nothing. Indeed, we have seen that it is easy to generate an accepting transcript in a different order; this is an important feature of a sigma protocol.

But interaction is not the only way to enforce that CC is chosen after YY. Suppose we compute C:=H(X,Y)C := \ro(X,Y), where H\ro is a random oracle. Then there is indeed no way to predict CC before calling H(X,Y)\ro(X,Y). Furthermore, CC will be distributed uniformly, just as in the sigma protocol.

The idea of replacing the verifier with a random oracle is called the Fiat-Shamir method. It converts an interactive sigma protocol into a noninteractive proof. The prover can generate the entire transcript locally:

Construction 19.4.1 (Fiat-Shamir transformation)

Let Σ\Sigma be a sigma protocol. The Fiat-Shamir transformation of Σ\Sigma is defined as follows:

Prove(X,W)\textsf{Prove}(X,W):
(Y,σ):=Σ.Commit(X,W)(Y,\sigma) := \Sigma.\Commit(X,W)
C:=H(X,Y)C := \ro( X, Y ) // “virtual” verifier
R:=Σ.Respond(σ,C)R := \Sigma.\Respond(\sigma,C)
return (Y,R)(Y,R)
Verify(X,Y,R)\textsf{Verify}(X,Y,R):
C:=H(X,Y)C := \ro(X,Y)
return Σ.Check(X,Y,C,R)\Sigma.\Check(X,Y,C,R)

The intuitive idea is that only someone who knows a valid witness WW can generate a proof that causes Verify\textsf{Verify} to output true\mytrue, and yet the proof (Y,R)(Y,R) reveals nothing about the witness WW. We will not formally define security properties of abstract noninteractive proof systems, but rather state some useful properties of the Fiat-Shamir construction. In particular, we reason about soundness in a similar way to sigma protocols. If a prover is able to produce valid proofs, then we can efficiently extract a valid witness from that prover.

Lemma 19.4.2 (Forking lemma)

Let Σ\Sigma be a sigma protocol, let XX be an instance for Σ\Sigma, and let H\ro be a hash function, modeled as a random oracle, whose output range is Σ.C\Sigma.\C:

Lro\lib{ro}
H(A)\ro(A):
if H[A]\rotable[A] undefined:
H[A]Σ.C\rotable[A] \gets \Sigma.\C
return H[A]\rotable[A]

Suppose there is a polynomial-time algorithm A\A that can produce valid Fiat-Shamir proofs for instance XX, with nonnegligible probability. In other words,

Pr[ALro(Y,R) such that Verify(X,Y,R)=true] \PR{ \A \link \lib{ro} \outputs (Y,R) \text{ such that } \textsf{Verify}(X,Y,R) = \mytrue }

is nonnegligible.

Then we can construct another polynomial-time algorithm A\A' that has nonnegligible probability of outputting a valid witness WW for XX.

Proof:

(Sketch) As a warm-up, imagine that A\A is a very simple algorithm that knows a witness WW and simply runs Prove\textsf{Prove} as instructed. In other words, A\A computes YY, then C:=H(X,Y)C := \ro(X,Y), then RR, then outputs (Y,R)(Y,R). Given such a program A\A, we might hope to find WW in its source code. But what if A\A were written in an obfuscated manner? Is there a way to extract the witness WW without needing to analyze A\A's source code?

One approach would be the following:

  • First, run A\A in a simulation, where we play the role of the random oracle Lro\lib{ro}. We know this particular A\A will call the random oracle as H(X,Y)\ro(X,Y). When this happens, we:

    • record A\A's entire internal state at this moment (think of A\A running in a virtual machine, and we take a snapshot of memory);

    • play the role of Lro\lib{ro}, uniformly choosing a response CC and giving it to A\A.

  • Continue running A\A, until it eventually outputs a valid proof (Y,R)(Y,R). Thus, (X,Y,C,R)(X,Y,C,R) is an accepting transcript in the sigma protocol.

  • Next, “rewind” A\A to its previously saved state. It has just called H(X,Y)\ro(X,Y) and is waiting for the response. This time, choose a different CCC' \ne C as the random oracle's response.

  • Continue running A\A, until it outputs a valid proof (Y,R)(Y,R'). Now we have two accepting sigma protocol transcripts: (X,Y,C,R)(X,Y,C,R) and (X,Y,C,R)(X,Y,C',R') with CCC \ne C'. The special soundness of the sigma protocol means we can now compute a witness WW.

This approach does not require understanding the source code of A\A, but it does assume that A\A “behaves nicely.” In the more general case, A\A could be a completely arbitrary program and the only thing we know about it is that it has a nonnegligible probability of outputting a valid proof. If we try to adapt the method above to this general case, we encounter several difficulties:

  • A\A may call the random oracle many times, and we don't know at the time of each call whether it will be the target of our “rewinding” strategy. So we must store A\A's internal state every time it calls the random oracle. Only after A\A finally outputs (Y,R)(\hl{Y},R) can we realize that we should rewind A\A to the specific call H(X,Y)\ro(X,\hl{Y}).

  • Suppose A\A outputs (Y,R)(Y,R), so we rewind A\A to the moment it calls H(Y,R)\ro(Y,R), give a different response this time, and continue running A\A. We have changed an input to A\A, so it might not even output a valid proof this time; even if it does, there is no guarantee that the new proof will have the same YY as before! But we can only use the sigma protocol extraction algorithm if the two proofs share the same YY.

In order to deal with completely arbitrary programs A\A, as in the statement of the lemma, we must address this tricky second challenge. The basic idea of the witness extraction algorithm A\A' is the following:

  • Run A\A as above, until it outputs a valid proof (Y,R)(Y,R).

  • Rewind A\A to the moment it called H(X,Y)\ro(X,Y) and restart the execution with fresh random choices.

  • If A\A outputs another valid proof using the same YY, use the sigma protocol extraction algorithm to compute a witness WW.

  • Otherwise, repeat this rewind/replay process a maximum of kk times (kk depends on A\A's success probability) before giving up.

The difficulty is now arguing that if A\A has nonnegligible probability of generating a valid proof, then A\A' successfully extracts a valid witness with nonnegligible probability. The analysis is technical and tedious, and omitted here. See the chapter notes for references to the details.

Lemma 19.4.2 is often called the forking lemma, because of how A\A' “forks” the execution of A\A into many different branches.

Deniability: Be careful! The Fiat-Shamir technique destroys a sigma protocol's deniability property! Plain (interactive) sigma protocol transcripts are deniable, because anyone can easily generate an accepting transcript. In the real protocol execution, YY is chosen first, then CC, and then RR; but anyone can generate an accepting transcript by choosing CC and RR first and then solving for YY.

In a Fiat-Shamir proof, we have C=H(X,Y)C = \ro(X,Y). Anyone with access to the random oracle—which is to say, anyone at all, since a random oracle is public—can conclude that YY must have been chosen before CC. And only someone who knows a valid witness can complete an accepting transcript when YY is chosen before CC.

19.4.2. Schnorr signatures

Imagine applying the Fiat-Shamir method to Schnorr's protocol, in which the prover convinces the verifier that it knows the discrete log aa for a public value A=gaA = g^a:

As we discussed above, such Fiat-Shamir proofs are not deniable. In some situations the lack of deniability is a bad thing, but on the other hand we have achieved almost exactly the goal of a digital signature: Only someone who knows the witness aa can generate a valid Fiat-Shamir proof, but anyone can verify it.

However, we have not yet constructed a digital signature scheme, because each signature needs to be associated with a particular message. We can incorporate a message M\ptxt by computing the sigma protocol's challenge, not as c:=H(A,Y)c := \ro(A,Y), but as c:=H(A,Y,M)c := \ro(A,Y, \hl{\ptxt}). The result of this change is the Schnorr signature scheme:

Construction 19.4.3 (Schnorr signature scheme)

Let G\G be a cyclic group of prime order n\nmod, with generator gg. The Schnorr signature scheme is defined as follows:

KeyGen()\KeyGen(\,):
SK:=aZn\sk := a \gets \Z_\nmod
PK:=A:=ga\pk := A := g^a
return (PK,SK)(\pk,\sk)
Sign(a,M)\Sign(a,\ptxt):
yZny \gets \Z_\nmod
Y:=gyY := g^y
c:=H(ga,Y,M)c := \ro(g^a, Y, \ptxt)
r:=(y+ca)%nr := (y + ca) \pct \nmod
return (Y,r)(Y,r)
Verify(A,M,(Y,r))\Verify(A,\ptxt,(Y,r)):
c:=H(A,Y,M)c := \ro(A,Y,\ptxt)
return gr==YAcg^r == Y \cdot A^c

You can interpret Schnorr signatures in the following way: A valid signature is essentially an accepting sigma protocol transcript (A,Y,c,r)(A,Y,c,r). The fact that c=H(A,Y,M)c = \ro(\hl{A,Y},\ptxt), implies that YY was chosen before cc, and thus only someone who knows the private key aa could have generated the transcript. Furthermore, since M\ptxt is included in H(A,Y,M)\ro(A,Y,\hl{\ptxt}), the person who knows aa clearly generated the transcript with M\ptxt specifically in mind! The sigma protocol transcript is bound to M\ptxt.

Claim 19.4.4 (Security of Schnorr signature scheme)

The Schnorr signature scheme (construction 19.4.3) is secure in the random oracle model, if the discrete logarithm problem is hard in G\G. More formally, it is secure if the following two libraries are indistinguishable:

Ldl-realG\lib{dl-real}^\G
aZna \gets \Z_\nmod
A:=gaA := g^a
dl.get()\subname{dl.get}(\,):
return AA
dl.guess(x)\subname{dl.guess}(x):
return gx==Ag^x == A
\indist
Ldl-fakeG\lib{dl-fake}^\G
aZna \gets \Z_\nmod
A:=gaA := g^a
dl.get()\subname{dl.get}(\,):
return AA
dl.guess(x)\subname{dl.guess}(x):
return false\myfalse

The proof of this claim is somewhat technical, and beyond the scope of this book, but uses several important ideas introduced above:

  • We introduce a hybrid library where sig.sign\sigsign generates signatures in a different way: It simulates an accepting transcript (Y,C,r)(Y,C,r), then programs the random oracle so that H(A,Y,M)=C\ro(A,Y,M) = C. Thus, (Y,r)(Y,r) is a valid signature of MM, but it was generated without knowledge of the signing key aa.

  • Next, we use the forking lemma (lemma 19.4.2) to argue that if an adversary can successfully produce signature forgeries, then there would be a way to efficiently extract the Schnorr witness aa. But such an algorithm would contradict the discrete logarithm assumption. So we must conclude that it is hard for an adversary to produce a forgery.

Schnorr signatures in the wild: Schnorr signatures are elegant and have a security analysis that is easy to understand in light of Schnorr's identification protocol. Schnorr signatures can be implemented using a cyclic group based on elliptic curves, leading to signatures that can be as short as 512 bits. In comparison, RSA signatures are generally 2048–4096 bits in practice, because that is the range of safe sizes for an RSA modulus.

Despite its unmistakable advantages, the Schnorr signature scheme is not used in practice as much as it deserves to be. The main reason is that for a long time the construction was subject to a patent. Governmental organizations that standardize cryptographic algorithms, like NIST, are reluctant to standardize algorithms that are encumbered by patents. As a result, the standardized options for elliptic-curve-based signatures are algorithms like ECDSA and EdDSA, two algorithms that were clearly inspired by Schnorr signatures, but that lack its simplicity and charm since an important design constraint was avoiding the reach of Schnorr's patent. Unfortunately, it is exactly these differences from Schnorr signatures that make ECDSA and EdDSA difficult for provable security. Neither has a proof that bases their security on such a simple problem as discrete logarithm. Although Schnorr's patent expired in 2010, by that time ECDSA and EdDSA had become entrenched as standards.

Exercises

  1. Definition 19.2.5 asks for a simulator that generates the entire transcript (Y,C,R)(Y,C,R) together. There are some situations where we require CC to be chosen first, and the rest of the transcript (Y,R)(Y,R) computed as a function of (X,C)(X,C). Let's say that a sigma protocol has special HVZK if there is a simulator SimTranscript\SimTrans such that the following libraries are indistinguishable:

    Lshvzk-real\lib{shvzk-real}
    hvzk.transcript(X,W)\hvzktrans(X,W):
    (Y,σ):=Commit(X,W)(Y,\sigma) := \Commit(X,W)
    CCC \gets \C
    R:=Respond(σ,C)R := \Respond(\sigma,C)
    return (X,Y,C,R)(X,Y,C,R)
    \indist
    Lshvzk-fake\lib{shvzk-fake}
    hvzk.transcript(X,W)\hvzktrans(X,W):
    CC\hl{C \gets \C}
    (Y,R):=SimTranscript(X,C)(Y,R) := \SimTrans(X, \hl{C})
    return (X,Y,C,R)(X,Y,C,R)

    In this exercise, you will show how to convert a standard sigma protocol into one with special HVZK.

    Suppose Σ\Sigma is a sigma protocol and Σ.C\Sigma.\C has an addition operation. Define the new protocol Σ\Sigma^* as follows:

    Σ.C=Σ.C\Sigma^*.\C = \Sigma.\C
    Σ.Commit(X,W)\Sigma^*.\Commit(X,W):
    (Y,σ):=Σ.Commit(X,W)(Y, \sigma) := \Sigma.\Commit(X,W)
    ΔΣ.C\Delta \gets \Sigma.\C
    return ((Y,Δ),(σ,Δ))\bigl( (Y,\Delta), (\sigma,\Delta) \bigr)
    Σ.Respond(σ,C)\Sigma^*.\Respond( \sigma^*, C ):
    (σ,Δ):=σ(\sigma,\Delta) := \sigma^*
    return Σ.Respond(σ,C+Δ)\Sigma.\Respond(\sigma, \hl{C+\Delta})
    Σ.Check(X,Y,C,R)\Sigma^*.\Check(X, Y^*, C, R):
    (Y,Δ):=Y(Y,\Delta) := Y^*
    return Σ.Check(X,Y,C+Δ,R)\Sigma.\Check(X,Y,\hl{C+\Delta},R)
    1. Prove that Σ\Sigma^* has special soundness, if Σ\Sigma does.

    2. Prove that Σ\Sigma^* has special HVZK, if Σ\Sigma has (plain) HVZK. Clearly describe the simulator for Σ\Sigma^*, in terms of the simulator for Σ\Sigma.

  2. Let (g1,g2,A1,A2)(g_1,g_2,A_1,A_2) be cyclic group elements. Describe a sigma protocol that lets a prover convince a verifier that it knows aa such that g1a=A1g_1^a = A_1 and g22a=A2\hl{g_2^{2a}} = A_2. Prove that your protocol satisfies honest-verifier zero-knowledge and special soundness.

  3. Suppose (U,V)(U,V) are two public values. Describe a sigma protocol that lets a prover convince a verifier that it knows aa such that (U,V)=(ga,ga2)(U,V) = (g^a, g^{a^2}). Prove that your protocol satisfies honest-verifier zero-knowledge and special soundness. Assume that the group generator gg is public.

  4. h Describe a sigma protocol for proving that a public instance (A,B,C)(A,B,C) has the form (ga,gb,gab)(g^a, g^b, g^{ab}), and prove that your protocol satisfies honest-verifier zero-knowledge and special soundness. Assume that gg is public, and that the prover knows aa and bb.

    Rename gg to g1g_1 and BB to g2g_2.

  5. h Let (C1,C2)(C_1,C_2) be an El Gamal ciphertext encrypted under key pair (SK,PK)(\sk,\pk), and let M\ptxt be a publicly known value. Propose a sigma protocol whereby a prover can convince a verifier that Dec(SK,(C1,C2))=M\Dec(\sk, (C_1,C_2)) = \ptxt.

    1. Describe such a protocol that is suitable for a prover who knows SK\sk, but not the randomness used to generate the ciphertext.

    2. Describe such a protocol that is suitable for a prover who knows the randomness used to generate the ciphertext, but does not know SK\sk.

    In both cases, prove that the protocol satisfies special soundness and honest-verifier zero knowledge.

    Manipulate the El Gamal decryption equation into an expression that can be proven with a single instance of the Schnorr proof. For part (b), prove knowledge of rr that satisfies (C1,C2)=(gr,MPKr)(C_1,C_2) = (g^r, \ptxt \cdot \pk^r).

  6. h Let (C1,C2)(C_1,C_2) and (C3,C4)(C_3,C_4) be El Gamal ciphertexts, encrypted under a common public key PK\pk. Describe a sigma protocol whereby a prover can convince a verifier that:

    Dec(SK,(C1,C2))=Dec(SK,(C3,C4)). \Dec\bigl(\sk, (C_1,C_2)\bigr) = \Dec\bigl(\sk, (C_3,C_4) \bigr).

    The protocol should be suitable for a prover who knows the randomness used to generate the ciphertexts but not SK\sk. Prove that the protocol satisfies special soundness and honest-verifier zero knowledge.

    if (C1,C2)=(gr1,MPKr1)and (C3,C4)=(gr2,MPKr2)then (C1(C3)1,C2(C4)1)=(gr1r2,PKr1r2)\begin{aligned} \text{if } (C_1,C_2) &= (g^{r_1}, M \cdot \pk^{r_1}) \\ \text{and } (C_3,C_4) &= (g^{r_2}, M \cdot \pk^{r_2}) \\ \text{then } ( C_1 (C_3)^{-1}, C_2 (C_4)^{-1} ) &= ( g^{r_1 - r_2}, \pk^{r_1 - r_2} )\end{aligned}
  7. Let X,g,hX, g, h be public group elements, in a cyclic group of prime order n\nmod. Describe a sigma protocol whereby a prover can convince a verifier that it knows exponents a,ba,b such that X=gahbX = g^a h^b. Prove that the protocol satisfies special soundness and honest-verifier zero knowledge.

  8. h\star Let (g1,g2,A1,A2)(g_1,g_2,A_1,A_2) be a public instance, and suppose Alice knows a value aa such that A1=g1aA_1 = g_1^a but A2g2aA_2 \hl{\ne} g_2^a. She would like to prove in zero knowledge that A1A_1 and A2A_2 have different discrete logs. In other words, nothing should be revealed about the relationship between those discrete logs besides the fact that they are different. Describe a sigma protocol for this problem and prove that it satisfies special soundness and honest-verifier zero knowledge.

    A1rg1ar=1A_1^r g_1^{-ar} = 1 and A2rg2ar1A_2^r g_2^{-ar} \ne 1, for any nonzero rr. Additionally, when rr is uniform, A2rg2arA_2^r g_2^{-ar} is distributed uniformly. Have the prover send X=A2rg2arX = A_2^r g_2^{-ar} to the verifier and then prove knowledge of exponents s,ts, t such that A1sg1t=1A_1 ^s g_1^t = 1 and A2sg2t=XA_2^s g_2^t = X. The verifier should also check that X1X \ne 1.

  9. Complete the proof of claim 19.3.6: Prove that the simulated transcripts are indistinguishable from real ones.

  10. Suppose the verifier forgets to check the condition C0+C1==CC_0 + C_1 == C in construction 19.3.4. Show how the prover can prove a false statement.

  11. The prover in construction 19.3.4 convinces the verifier that one of two conditions is true.

    1. Suppose there are three conditions. Describe a sigma protocol that allows the prover to prove that at least one of the conditions is true (without revealing which one). Prove that your protocol is secure.

    2. Describe a sigma protocol that allows the prover to prove that at least two of the three conditions are true (without revealing which ones). Prove that your protocol is secure.

    3. \star Generalize this construction to tt out of nn conditions and prove that your construction is secure.

  12. Let Σ0\Sigma_0 and Σ1\Sigma_1 be sigma protocols for conditions P0P_0 and P1P_1, respectively. Consider the naïve method of composing them in parallel to obtain a sigma protocol to prove P0(X,W0)P_0(X,W_0) and P1(X,W1)P_1(X,W_1):

    Version 1 of the protocol is as described above; version 2 is the same except both instances use the same challenge (i.e., C0=C1C_0 = C_1). One of these versions has special soundness but not necessarily HVZK; the other has HVZK but not necessarily special soundness. Which is which, and why?

  13. Prove claim 19.3.8: Construction 19.3.7 has special soundness and is HVZK.

  14. Describe a sigma protocol for the following problem, and prove that it satisfies the usual properties: Alice has generated an El Gamal encryption under a public key PK\pk; she wants to convince a verifier that the ciphertext decrypts to either g0g^0 or g1g^1. Assume that Alice knows the randomness used to encrypt the ciphertexts but not the El Gamal private key.

  15. h Suppose n\nmod is an RSA modulus, and ee is a prime exponent such that gcd(e,n)=1\gcd(e,\nmod)=1. Consider the following sigma protocol, in which the prover wants to convince the verifier that it knows an ee-th root of a public value XX.

    Note that neither the prover nor verifier need to know the factorization of n\nmod. Prove that the protocol satisfies special soundness and honest-verifier zero knowledge.

    Given two accepting transcripts (X,Y,c,R)(X,Y,c,R) and (X,Y,c,R)(X,Y,c',R') with ccc\ne c', use Bezout's theorem to compute integers ss and tt such that se+t(cc)=1s e + t (c-c') = 1, and take WnXs(R/R)tW \equiv_\nmod X^s (R/R')^t.

  16. In the Schnorr signature scheme, the signer samples a value yy uniformly. Show that if an adversary obtains signatures of two different messages signed using the same yy, they can compute the private signing key.

  17. Digital Signature Algorithm (DSA) is a standard signature scheme defined using modular arithmetic. In the following, p\pmod and q\qmod are distinct primes and gg is a fixed integer. All three values are publicly known parameters. HH is a hash function with output in Zq\Z_\qmod.

    KeyGen()\KeyGen(\,):
    SKZq\sk \gets \Z_\qmod
    PK:=gSK%p\pk := g^{\sk} \pct \pmod
    return (SK,PK)(\sk,\pk)
    Sign(SK,M)\Sign(\sk,\ptxt):
    kZqk \gets \Z_\qmod
    R:=(gk%p)%qR := (g^k \pct \pmod) \pct \qmod
    S:=(k1(H(M)+SKR))%qS := \bigl(k^{-1} ( H(\ptxt) + \sk \cdot R ) \bigr) \pct \qmod
    return (R,S)(R,S)

    The verification algorithm is not relevant for this exercise.

    1. Suppose an adversary observes a signature (R,S)(R,S) on message M\ptxt and another signature (R,S)(R',S') on message MM\ptxt' \ne \ptxt, where the same value kk was chosen for both signatures. Show how the adversary can efficiently calculate kk.

    2. Given the same circumstances as part (a), show how the adversary can efficiently calculate SK\sk.

  18. The Schnorr signing algorithm computes C:=H(A,Y,M)C := \ro(A,Y,M).

    1. Show that the scheme is no longer a secure signature scheme if CC is computed as H(A,M)\ro(A,M).

    2. Show that the scheme is no longer a secure signature scheme if CC is computed as H(A,Y)\ro(A,Y).

    3. Suppose we restrict the scheme to sign messages from the cyclic group G\G, and compute CC as H(AYM)\ro(A \cdot Y \cdot M). Multiplication here refers to the group operation in G\G. Show that the resulting scheme is not a secure signature scheme.

Chapter Notes

Schnorr's identification protocol and signature scheme were proposed by Claus Schnorr in 1989 [198]. The abstraction of sigma protocols is due to Cramer [74]; Damgård [80] provides an accessible overview. Maurer [156] shows a unified way to derive many sigma protocols from the literature. The security of Schnorr signatures in the random oracle model was analyzed by Pointcheval and Stern [183].

The transformation in exercise 19.1 was described by Barthe, Hedin, Zanella-Béguelin, Grégoire, and Heraud [10].

Construction 19.3.4 is due to Cramer, Damgård, and Schoenmakers [75]. The sigma protocol for equality of discrete logarithms is due to Chaum and Pederson [64]. Exercise 19.7 is due to Okamoto [174], while exercise 19.8 is due to Camenisch and Shoup [57]. The protocol to prove knowledge of ee-th roots under an RSA modulus in exercise 19.15 is due to Guillou and Quisquater [118].

The Fiat-Shamir construction of noninteractive proofs is from [101]. The forking lemma (lemma 19.4.2) is due to Feige, Fiat, and Shamir [99], with later and more detailed analyses by Pointcheval and Stern [183] and Bellare and Neven [25].

  1. Previous Chapter18. Authenticated Key Exchange
  2. Next Chapter20. Post-Quantum Cryptography