Zero-Knowledge Argument for Polynomial Evaluation with Application to Blacklists

  • Stephanie Bayer
  • Jens Groth
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)

Abstract

Verification of a polynomial’s evaluation in a secret committed value plays a role in cryptographic applications such as non-membership or membership proofs. We construct a novel special honest verifier zero-knowledge argument for correct polynomial evaluation. The argument has logarithmic communication cost in the degree of the polynomial, which is a significant improvement over the state of the art with cubic root complexity at best. The argument is relatively efficient to generate and very fast to verify compared to previous work. The argument has a simple public-coin 3-move structure and only relies on the discrete logarithm assumption.

The polynomial evaluation argument can be used as a building block to construct zero-knowledge membership and non-membership arguments with communication that is logarithmic in the size of the blacklist. Non-membership proofs can be used to design anonymous blacklisting schemes allowing online services to block misbehaving users without learning the identity of the user. They also allow the blocking of single users of anonymization networks without blocking the whole network.

Keywords

Zero-knowledge argument discrete logarithm polynomial evaluation anonymous blacklisting membership and non-membership proofs 

References

  1. 1.
    Ateniese, G., Song, D., Tsudik, G.: Quasi-efficient revocation in group signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 183–197. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Benaloh, J.C., de Mare, M.: One-way accumulators: A decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM Conference on Computer and Communications Security, pp. 168–177 (2004)Google Scholar
  4. 4.
    Brands, S., Demuynck, L., De Decker, B.: A practical system for globally revoking the unlinkable pseudonyms of unknown users. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 400–415. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Bresson, E., Stern, J.: Efficient revocation in group signatures. In: Kim, K.-C. (ed.) PKC 2001. LNCS, vol. 1992, pp. 190–206. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Camacho, P., Hevia, A., Kiwi, M., Opazo, R.: Strong accumulators from collision-resistant hashing. Int. J. Inf. Sec. 11(5), 349–363 (2012)CrossRefGoogle Scholar
  7. 7.
    Camenisch, J.L., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  11. 11.
    Cramer, R., Damgård, I.B.: Zero-knowledge proofs for finite field arithmetic or: Can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  12. 12.
    Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
  13. 13.
    Dingledine, R.: Tor and circumvention: Lessons learned. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 485–486. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
    Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  15. 15.
    Groth, J.: Linear algebra with sub-linear zero-knowledge arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 192–208. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Groth, J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 431–448. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Henry, R., Goldberg, I.: Extending nymble-like systems. In: IEEE Symposium on Security and Privacy, pp. 523–537 (2011)Google Scholar
  19. 19.
    Henry, R., Henry, K., Goldberg, I.: Making a nymbler nymble using verbs. In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 111–129. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  20. 20.
    Johnson, P., Kapadia, A., Tsang, P., Smith, S.: Nymble: Anonymous ip-address blocking. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 113–133. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC, pp. 723–732 (1992)Google Scholar
  22. 22.
    Li, J., Li, N., Xue, R.: Universal accumulators with efficient nonmembership proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Lim, C.: Efficient multi-exponentiation and application to batch verification of digital signatures (2000), http://dasan.sejong.ac.kr/~chlim/pub/multiexp.ps
  25. 25.
    Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptology 16(3), 143–184 (2003)MathSciNetMATHCrossRefGoogle Scholar
  26. 26.
    Lofgren, P., Hopper, N.: Bnymble: More anonymous blacklisting at almost no cost (a short paper). In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 268–275. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. 27.
    Nakanishi, T., Funabiki, N.: A short verifier-local revocation group signature scheme with backward unlinkability. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S.-i. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 17–32. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  28. 28.
    Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  29. 29.
    Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  30. 30.
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  31. 31.
    Peng, K.: A general, flexible and efficient proof of inclusion and exclusion. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 33–48. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  32. 32.
    Peng, K., Bao, F.: Improving applicability, efficiency and security of non-membership proof. In: International Symposium on Data, Privacy, and E-Commerce, pp. 39–44 (2010)Google Scholar
  33. 33.
    Schnorr, C.: Efficient signature generation by smart cards. J. Cryptology 4(3), 161–174 (1991)MathSciNetMATHCrossRefGoogle Scholar
  34. 34.
    Song, D.: Practical forward secure group signature schemes. In: ACM Conference on Computer and Communications Security, pp. 225–234 (2001)Google Scholar
  35. 35.
    Tor. The tor project Inc., https://www.torproject.org/
  36. 36.
    Tsang, P., Kapadia, A., Cornelius, C., Smith, S.: Nymble: Blocking misbehaving users in anonymizing networks. IEEE Trans. Dependable Sec. Comput. 8(2), 256–269 (2011)CrossRefGoogle Scholar
  37. 37.
    Tsudik, G., Xu, S.: Accumulating composites and improved group signing. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 269–286. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  38. 38.
    Wang, P., Wang, H., Pieprzyk, J.: A new dynamic accumulator for batch updates. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 98–112. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  39. 39.
    Yu, K.Y., Yuen, T.H., Chow, S.S.M., Yiu, S.M., Hui, L.C.K.: Pe(ar)2: Privacy-enhanced anonymous authentication with reputation and revocation. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 679–696. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Stephanie Bayer
    • 1
  • Jens Groth
    • 1
  1. 1.University College LondonUK

Personalised recommendations