Bringing Zero-Knowledge Proofs of Knowledge to Practice

  • Endre Bangerter
  • Stefania Barzan
  • Stephan Krenn
  • Ahmad-Reza Sadeghi
  • Thomas Schneider
  • Joe-Kai Tsay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7028)


Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZK-PoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic Trusted Platform Module (TPM) chip.

Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills.

In this paper we report on our ongoing and future research vision with the goal to bring ZK-PoK to practice by making them accessible to crypto and security engineers. To this end we are developing compilers and related tools that support and partially automate the design, implementation, verification and secure implementation of ZK-PoK protocols.


Signature Scheme Trusted Platform Module Knowledge Property Cryptology ePrint Archive Secure Multiparty Computation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Goldreich, O.: On Defining Proofs of Knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)Google Scholar
  2. 2.
    Dwork, C., Feige, U., Kilian, J., Naor, M., Safra, M.: Low Communication 2-Prover Zero-Knowledge Proofs for NP. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 215–227. Springer, Heidelberg (1993)Google Scholar
  3. 3.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the ACM 38(1), 691–729 (1991); Preliminary version in 27th FOCS (1986) MathSciNetzbMATHGoogle Scholar
  4. 4.
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: ACM Symposium on Theory of Computing – STOC 2007, pp. 21–30. ACM Press, New York (2007)CrossRefGoogle Scholar
  5. 5.
    Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: IEEE Symposium on Foundations of Computer Science – FOCS 2002, pp. 366–375. IEEE Computer Society, Washington, DC (2002)Google Scholar
  6. 6.
    Schnorr, C.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)MathSciNetzbMATHCrossRefGoogle Scholar
  7. 7.
    Camenisch, J., Michels, M.: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)Google Scholar
  8. 8.
    Camenisch, J.: Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. PhD thesis, ETH Zurich, Konstanz (1998)Google Scholar
  9. 9.
    Adelsbach, A., Rohe, M., Sadeghi, A.R.: Complementing zero-knowledge watermark detection: Proving properties of embedded information without revealing it. Multimedia Systems 11(2), 143–158 (2005)CrossRefGoogle Scholar
  10. 10.
    Lindell, Y., Pinkas, B., Smart, N.P.: Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Atluri, V., Backes, M., Basin, D.A., Waidner, M. (eds.) ACM Conference on Computer and Communications Security – CCS 2004, pp. 132–145. ACM Press (2004)Google Scholar
  12. 12.
    Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security – CCS 2002, pp. 21–30. ACM Press (2002),
  13. 13.
    Bangerter, E.: Efficient Zero-Knowledge Proofs of Knowledge for Homomorphisms. PhD thesis, Ruhr-University Bochum (2005)Google Scholar
  14. 14.
    Bangerter, E., Camenisch, J., Maurer, U.: Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 154–171. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: ACM Symposium on Theory of Computing – STOC 1985, pp. 291–304. ACM Press, New York (1985)CrossRefGoogle Scholar
  16. 16.
    Guillou, L.C., Quisquater, J.-J.: A “Paradoxical” Identity-Based Signature Scheme Resulting from Zero-Knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)Google Scholar
  17. 17.
    Cramer, R., Damgård, I., Schoenmakers, B.: Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
  18. 18.
    Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical Report 260, Institute for Theoretical Computer Science, ETH Zürich (1997)Google Scholar
  19. 19.
    Brands, S.: Rapid Demonstration of Linear Relations Connected by Boolean Operators. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 318–333. Springer, Heidelberg (1997)Google Scholar
  20. 20.
    Bresson, E., Stern, J.: Proofs of Knowledge for Non-monotone Discrete-Log Formulae and Applications. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 272–288. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Cramer, R.: Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam (1997)Google Scholar
  22. 22.
    Fujisaki, E., Okamoto, T.: Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)Google Scholar
  23. 23.
    Damgård, I., Fujisaki, E.: A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  24. 24.
    Camenisch, J., Kiayias, A., Yung, M.: On the Portability of Generalized Schnorr Proofs. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 425–442. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Briner, T.: Compiler for zero-knowledge proof-of-knowledge protocols. Master’s thesis, ETH Zurich (2004)Google Scholar
  26. 26.
    Camenisch, J., Rohe, M., Sadeghi, A.R.: Sokrates - a compiler framework for zero-knowledge protocols. In: Western European Workshop on Research in Cryptology – WEWoRC 2005 (2005)Google Scholar
  27. 27.
    Bangerter, E., Camenisch, J., Krenn, S., Sadeghi, A.R., Schneider, T.: Automatic generation of sound zero-knowledge protocols. Cryptology ePrint Archive, Report 2008/471 (2008),, Poster Session of EUROCRYPT 2009
  28. 28.
    Camenisch, J.L., Stadler, M.A.: Efficient Group Signature Schemes for Large Groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)Google Scholar
  29. 29.
    Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979)MathSciNetzbMATHCrossRefGoogle Scholar
  30. 30.
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  31. 31.
    MacKenzie, P., Oprea, A., Reiter, M.K.: Automatic generation of two-party computations. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM Conference on Computer and Communications Security – CCS 2003, pp. 210–219. ACM Press (2003)Google Scholar
  32. 32.
    Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay – a secure two-party computation system. In: Proceedings of the 13th Conference on USENIX Security Symposium – SSYM 2004 (2004),
  33. 33.
    Barbosa, M., Page, D.: On the automatic construction of indistinguishable operations. Cryptology ePrint Archive, Report 2005/174 (2005),
  34. 34.
    Barbosa, M., Moss, A., Page, D.: Compiler Assisted Elliptic Curve Cryptography. In: Meersman, R. (ed.) OTM 2007, Part II. LNCS, vol. 4804, pp. 1785–1802. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  35. 35.
    Barbosa, M., Noad, R., Page, D., Smart, N.P.: First steps toward a cryptography-aware language and compiler. Cryptology ePrint Archive, Report 2005/160 (2005),
  36. 36.
    Ateniese, G.: Verifiable encryption of digital signatures and applications. ACM Transactions on Information and System Security 7(1), 1–20 (2004)CrossRefGoogle Scholar
  37. 37.
    Camenisch, J.L., Lysyanskaya, A.: An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  38. 38.
    Boudot, F.: Efficient Proofs that a Committed Number Lies in an Interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  39. 39.
    Lipmaa, H.: On Diophantine Complexity and Statistical Zero-Knowledge Arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  40. 40.
    Bangerter, E., Briner, T., Henecka, W., Krenn, S., Sadeghi, A.-R., Schneider, T.: Automatic Generation of Sigma-Protocols. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 67–82. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  41. 41.
    Pedersen, T.P.: Non-interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  42. 42.
    Brands, S.: Untraceable Off-Line Cash in Wallets with Observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994)Google Scholar
  43. 43.
    Chan, A., Frankel, Y., Tsiounis, Y.: Easy come - easy go divisible cash. Technical Report TR-0371-05-98-582, GTE (1998), Updated version with correctionsGoogle Scholar
  44. 44.
    Okamoto, T.: An Efficient Divisible Electronic Cash Scheme. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 438–451. Springer, Heidelberg (1995)Google Scholar
  45. 45.
    Camenisch, J., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)Google Scholar
  46. 46.
    Paulson, L.C.: Isabelle. LNCS, vol. 828. Springer, Heidelberg (1994)zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Endre Bangerter
    • 1
  • Stefania Barzan
    • 1
    • 2
  • Stephan Krenn
    • 1
    • 2
  • Ahmad-Reza Sadeghi
    • 3
  • Thomas Schneider
    • 3
  • Joe-Kai Tsay
    • 4
    • 5
    • 6
  1. 1.Security Engineering LabBern University of Applied SciencesSwitzerland
  2. 2.University of FribourgSwitzerland
  3. 3.Horst Görtz Institute for IT-SecurityRuhr-University BochumGermany
  4. 4.LSV, École Normale Supérieure de CachanFrance
  5. 5.CNRSFrance
  6. 6.INRIAFrance

Personalised recommendations