Efficient ZeroKnowledge Proof of Algebraic and NonAlgebraic Statements with Applications to Privacy Preserving Credentials
 12 Citations
 2.2k Downloads
Abstract
Practical anonymous credential systems are generally built around sigmaprotocol ZK proofs. This requires that credentials be based on specially formed signatures. Here we ask whether we can instead use a standard (say, RSA, or (EC)DSA) signature that includes formatting and hashing messages, as a credential, and still provide privacy. Existing techniques do not provide efficient solutions for proving knowledge of such a signature: On the one hand, ZK proofs based on garbled circuits (Jawurek et al. 2013) give efficient proofs for checking formatting of messages and evaluating hash functions. On the other hand they are expensive for checking algebraic relations such as RSA or discretelog, which can be done efficiently with sigma protocols.
We design new constructions obtaining the best of both worlds: combining the efficiency of the garbled circuit approach for nonalgebraic statements and that of sigma protocols for algebraic ones. We then discuss how to use these as buildingblocks to construct privacypreserving credential systems based on standard RSA and (EC)DSA signatures.
Other applications of our techniques include anonymous credentials with more complex policies, the ability to efficiently switch between commitments (and signatures) in different groups, and secure twoparty computation on committed/signed inputs.
Keywords
Hash Function Discrete Logarithm Ideal Functionality Commitment Scheme Oblivious Transfer1 Introduction
Efficient Proofs. Zero knowledge proofs [GMR85] provide an extremely powerful tool, which allows a prover to convince a verifier that a statement is true without revealing any further information. Moreover, it has been shown that every NP language has a zero knowledge proof system [GMW87], opening up the possibility for a vast range of privacy preserving applications. However, while this is true in theory, designing proof systems that are efficient enough to be used is significantly more challenging. In reality, we only have a few techniques for efficient proofs, and those only apply to a restricted set of languages.
Almost exclusively, these proof systems focus on proving algebraic statements, i.e. statements about discrete logarithms, roots, or polynomial relationships between values [Sch90, GQ88, CS97b, GS08]. The most common and most efficient of these systems fall into a class known as sigma protocols. Of course we could express any NP relation as a combination of algebraic statements, for example by expressing the relation as a circuit, and expressing each gate as an algebraic relation between input and output wires. But if we were to take this approach to prove a statement using sigma protocols we would need several exponentiations per gate in the circuit. This becomes prohibitively expensive for large circuits (for example a circuit computing a cryptographic hash function or block cipher).^{1}
Recently, [JKO13] introduced a new approach for proving statements phrased as boolean circuits, based on garbled circuits. Their construction has the advantage that it only requires a few symmetric key operations per gate, making it dramatically more efficient than a sigmaprotocolbased solution for nonalgebraic statements. This means that it is finally practical to prove statements about complex operations such as hash functions or block ciphers. For instance, zero knowledge proofs for an AES circuit or a SHA256 circuit can be done in miliseconds on standard PCs using state of the art implementations for garbled circuits. On the other hand, expressing many public key operations as a circuit is still extremely expensive. (Consider for example a circuit computing modular exponentiation on a cryptographic group  the result would be much larger than the circuit computing a hash function, and computing a garbled circuit for such a computation would be too expensive to be practical.)
Now we have two very different techniques for achieving zero knowledge proofs for algebraic and nonalgebraic statements. But in some applications, one is interested in proving statements that combine the two. For example, what if we want an efficient protocol for proving knowledge of a DSA or RSA signature, whose verification requires computing both a hash function and several exponentiations?
The state of the art fails to take advantage of the best of both worlds and has to forgo the efficiency of one approach to obtain the other’s. One might consider directly combining both protocols, but a naive solution would allow a cheating prover to use a different witness for the algebraic and nonalgebraic components of the computation and produce a convincing proof for a statement for which there is no single valid witness. Thus, one of the basic challenges is to bind the values committed to in the sigma protocols to the prover’s inputs in the GCbased zero knowledge proof, without having to perform expensive group operations (e.g. exponentiation) inside the garbled circuit, and without proving largecircuit statements using sigma protocols.
Anonymous Credentials. Here, we primarily focus on the case of anonymous credentials, introduced by Chaum [Cha86], although we believe our results will be applicable to many other privacy protocols. A credential system allows a user to obtain credentials from an organization and at some later point prove to a verifier (either the same organization or some other party) that she has been given appropriate credentials. More specifically, the user’s credentials will contain a set of attributes, and the verifier will require that the user prove that the attributes in his credential satisfy some policy. We say the system is anonymous if this proof does not reveal anything beyond this fact.
There have been several proposals for constructions of anonymous credential systems [CL01, CL04, BCKL08, Bra99, BL13]. In general, they all follow a similar approach: the credential is a signature from the organization on the user’s attributes. To prove possession of valid credentials, the user will first commit to her attributes, then prove, in zero knowledge, knowledge of a signature on the committed attributes, and finally prove, again in zero knowledge, that the committed attributes satisfy the policy. To make these zero knowledge proofs efficient, most of the proposed credential systems are based on sigma protocols, which as described above give efficient proofs of knowledge for certain algebraic statements. This in turn means that the signatures used must be specially designed so that a sigma protocol can be used to prove knowledge of a signature on a committed message.^{2}
But what if we want to base our credentials on a standard signature such as FDHRSA or DSA which includes hashing the message? Or what if we want the user to be able to prove a statement about his attributes that is not easily expressible as an algebraic relation?
Our Results. We study the problem of combining proof systems for algebraic and nonalgebraic statements, and obtain the following results.

Given an algebraic commitment C, we propose two protocols for proving that C is a commitment to x such that \(f(x)=1\) where f is expressed as a boolean circuit. Both constructions have the desired property that the GCbased component is dominated by the cost of garbling f (i.e. not garbling expensive group operations), and the total number of publickey operations is independent of the size of f.
More specifically, our first solution has public key operations proportional to the maximum bit length of the input (x), and symmetrickey operations proportional to the number of gates in f. The second has publickey operations proportional to the statistical security parameter s and symmetrickey operations proportional to the number of gates in \(f + xs\).
Existing solutions either require publickey operations proportional to the size of f, or need to garble circuits for expensive group operations such as exponentiations in large groups.

Building directly on these protocols, we show how to implement a proof that one committed message is the hash of another, and a proof that two commitments in different groups commit to the same value.

Finally, we show how we can combine all of these protocols to obtain an efficient proof of knowledge of a signature on a committed message for RSAFDH^{3}, DSA, and ECDSA signatures.

Anonymous Credentials Based on RSA, DSA, ECDSA Signatures. The most direct application in the context of anonymous credentials would be to use RSA, DSA, or ECDSA signatures directly as credentials but still allow for privacy preserving presentation protocols. This would be slower than existing credential systems, but it would have the advantage that the issuer would not have to perform a complex protocol, but would only have to issue standardized signatures. It further enables interoperability with existing libraries and nonprivate credential applications. ^{4} Alternatively, we could construct a service which allows users to convert their nonprivate credentials (based on RSA/DSA/ECDSA signatures) into traditional anonymous credentials (e.g. Idemix [ide10] or UProve [PZ13] tokens, or keyedverification credentials [CMZ14]). Using our new protocol, the service could perform that conversion without knowing the user’s attributes: the user would commit to his attributes, prove using our protocol that they have been signed, and then obtain from the service an anonymous credential encoding the same attributes. (All of these anonymous credential systems allow for issuing credentials on committed attributes.)

Anonymous Credentials with more General Policies. Even if we consider a system based on traditional anonymous credentials, we might use the \(\varPi _{\mathsf {Com}, f}\) protocol (which we will describe in Sect. 3) to allow the user to prove that his attributes satisfy a more complicated policy. For example, he might want to release the hash of one of his attributes and prove that that has been done correctly, or prove that an attribute has been encrypted using a standard encryption scheme like RSAOAEP.
Our protocols could also be used to prove that a user’s attributes fall in a given range, or to prove statements about comparisons between attributes. If the range of values possible for each attribute is small, we already have reasonably efficient solutions  the user can just commit to each bit of the value, and do a straightforward proof. However this becomes expensive when the range gets larger, in which case the most efficient known approach is based on integer commitments [FO97] and requires several exponentiations with an RSA modulus where the exponent is larger than the group order (e.g. a roughly 2000 bit exponentiation with a 2000 bit modulus for reasonable security parameters). Alternatively we can use our second scheme, which only requires a number of publickey operations linear in the security parameter (e.g. 60), and allows those operations to use much more efficient elliptic curve groups.
We note that the independent and concurrent work of [KKL+16] provides an alternative solution to the problem of anonymous credentials for general policies, using different techniques.

Converting Between Different Commitment Schemes. There are many protocols based around commitments, and ideally we would be able to combine these protocols arbitrarily. For example, if we have an efficient protocol for proving that a committed tag matches one of the attributes in a user’s credential, and another protocol for proving that a committed tag is not on a list of revoked values, then we would be able to combine the two protocols to prove that the user’s credential has not been revoked. However, often the protocols will be based on different commitment schemes, or even worse, on schemes that operate in different sized groups. (For example UProve credentials can be instantiated in standardized elliptic curve groups like those used for ECDSA, while revocation systems like that in [Ngu05] require pairing groups; to combine the two we would need to find a pairing group whose group order matches one of the standardized curves. Finding a pairing group to match a specific group order often incurs a significant cost in efficiency.) With our protocol for converting between commitment schemes we could choose the most efficient groups for each, and then the user would merely prove that he has used the same attributes in each. Before our work, the only known approach to convert between groups of different sizes was to use integer commitments, which as described above can be quite expensive.

Other PrivacyPreserving Protocols. We note that while anonymous credentials make a good motivating application, these problems (converting between commitments schemes, comparing committed values, or proving other nonalgebraic statements) come up in many other privacy/anonymity scenarios.

2PC with Authenticated Input. As input to a secure computation protocol, sometimes it is desirable to use previously committed [JS07] or signed [CZ09] inputs. In our constructions, we show how to commit to an input x and prove knowledge of x (or prove knowledge of a signature on x) and a nonalgebraic statement \(f(x) = 1\) using garbled circuits. As we discuss in Sect. 3.4, it is relatively easy to extend our construction to also allow secure twoparty computation of g(x, y) where x is the prover’s input and y the verifier’s, hence obtaining secure twoparty computation on signed/committed inputs. The benefit of this approach is that checking the signature takes place outside the secure twoparty computation and can be significantly more efficient.
2 Preliminaries
2.1 SimulationBased Security
2.2 Commitment Scheme
A commitment protocol involves two parties: the committer and the receiver. At a high level, it consists of two stages, a commitment phase and a decommitment phase. In the commitment stage, the committer with a secret input m engages in a protocol with the receiver. At the end of this protocol, receiver does not know what m is (hiding property), and at the same time, the committer, can subsequently in the decommitment phase, open only one possible value of m (binding property). Throughout the paper, we use algebraic commitment schemes that allow proving linear relationships among committed values. An example of such a scheme with computational binding and unconditional hiding properties based on the discrete logarithm problem is the one due to Pedersen [Ped91]. It works in a group G of prime order q. Given two random generators g and h such that \(\log _g h\) is unknown, a value \(x \in \mathbb {Z}_q\) is committed to by choosing r randomly from \(\mathbb {Z}_q\), and computing \(C_x = g^x h^r\). Protocols are known in literature to prove knowledge of a committed value, equality of two committed values, and so on, and the protocols can be combined in natural ways. In particular, Pedersen commitments allows proving linear relationships among committed values: Given \(C_x\) and \(C_y\), prove that \(y=ax+b\) for some public values a and b.
2.3 Committing OT
2.4 Garbled Circuits
We assume some familiarity with standard constructions of garbled circuits. We employ the abstraction of garbling schemes [BHR12] introduced by Bellare et al., but similar to [JKO13] we add a verification algorithm that can check correctness of the garbled circuit given all input labels to the circuit.

\(\mathsf {Gb}\) is a randomized garbled circuit generation function that takes a security parameter, and the description of a boolean circuit f and outputs a garbled circuit GC and the encoding and decoding information e and d, respectively.

The \(\mathsf {En}\) algorithm takes the encoding information e output by \(\mathsf {Gb}\), and an input x to f, and outputs the garbled input corresponding to x.

The \(\mathsf {Eval}\) algorithm takes the garbled circuit GC and the garbled input, and outputs an encoded output.

The \(\mathsf {De}\) algorithm gets the encoded output and the decoding information d as input and returns a decoded output.

The \(\mathsf {Ve}\) algorithm gets as input a garbled circuit GC, the encoding information e, and a boolean function f, and outputs d or \(\bot \).
In our constructions, we assume that the encoding information e is a vector of pairs of input labels, where the pair \((K_i^0, K_i^1)\) denotes the input labels for 0 and 1 for input wire i in the circuit. Similarly, we assume that the decoding information d is a vector of pairs of output labels.
A garbling scheme may satisfy several properties such as correctness, authenticity and privacy. We review these notions next.
Definition 1
 for all boolean circuits f and all input x,$$\mathsf {De}(d, \mathsf {Eval}(GC,\mathsf {En}(e,x))) = f(x) \text { whenever } (GC,e,d) \leftarrow \mathsf {Gb}(f,1^{\kappa })$$
 for all boolean circuits f and all (possibly malicious) garbled circuits GC and encoding information e, decoding information d, and all input x,$$\text { if } d \leftarrow \mathsf {Ve}(GC, e,f) \text { and } d\ne \bot \text { then } \mathsf {De}(d, \mathsf {Eval}(GC,\mathsf {En}(e,x))) = f(x) $$
Definition 2
Definition 3

Real(f, x) : run \((GC,e,d) \leftarrow \mathsf {Gb}(f,1^{\kappa })\), and output \((GC, \mathsf {En}(e,x), d)\).

\(Ideal_{\mathcal {S}}(f, f(x))\): output \(\mathcal {S}(f,f(x))\)
2.5 ZeroKnowledge Proofs
A Zeroknowledge (ZK) proof allows a prover to convince a verifier of the validity of a statement, without revealing any other information. Let \(\mathcal {L}\) be the language associated with an NP relation R: \(\mathcal {L} = \lbrace x \mid \exists w : R(x,w) =1 \rbrace \). A zeroknowledge proof for \(\mathcal {L}\) lets the prover convince a verifier that \(x \in \mathcal {L}\) for a common input x. A proof of knowledge captures not only the truth of a statement \(x \in \mathcal {L}\), but also that the prover “possesses" a witness w to this fact. A proof of knowledge for a relation \(R(\cdot , \cdot )\) is an interactive protocol where a prover P convinces a verifier V that P knows a w such that \(R(x, y)=1\), where x is a common input to P and V. The prover can always successfully convince the verifier if indeed P knows such a w. Conversely, if P can convince the verifier with reasonably high probability, then it “knows"such a w, that is, such a w can be efficiently computed given x and the code of P. The formal definition follows. In the following, \(view_V\) is the “view" of the verifier in the interaction, consisting of its input x, its random coins, and the sequence of the prover’s messages.
Definition 4
(ZK Proof of Knowledge). An interactive protocol \(\left\langle P,V \right\rangle \) is a zeroknowledge proof of knowledge for an NP relation R if the following properties are satisfied.
 1.Completeness: \(\forall x,y\) such that \(R(x,y) = 1\),$$ \Pr [ \left\langle P(x,w),V (x) \right\rangle = 1] =1 $$
 2.Proof of Knowledge: For every polynomial time prover strategy \(P^{*}, \exists \) an oracle PPT machine K called the extractor such that \(K^{P^{*}}(x)\) outputs \(w'\) andis negligible in \(\kappa \).$$ \Pr [ \left\langle P^{*}(x,w),V(x) \right\rangle = 1 \wedge R(x,w')=0 ] $$
 3.Zeroknowledge: For every polynomial time verifier \(V^{*}\), there is a PPT algorithm \(\mathcal {S}\) called the simulator such that for every \(x \in \mathcal {L}\), the following two distributions are indistinguishable:

\(view_{V^{*}} ( \left\langle P(x,w),V^{*}(x) \right\rangle )\)

\(\mathcal {S}(x)\)

Honestverifier zeroknowledge: An interactive proof system (P, V ) for a language \(\mathcal {L}\) is said to be honestverifier zero knowledge if there exists a PPT algorithm \(\mathcal {S}\) called the simulator such that for all \(x \in \mathcal {L}\), \(view_{V} ( \left\langle P(x,w),V(x) \right\rangle )\) and \(\mathcal {S}(x)\) are indistinguishable. This definition says that the verifier gains no knowledge from the interaction, as long as it runs the prescribed algorithm V. If the verifier tries to gain some knowledge from its interaction with the prover by deviating from the prescribed protocol, we should consider an arbitrary (but efficient) cheating verifier \(V^{*}\) as in the property 3 of the above definition which is full zeroknowledge. Efficient zero knowledge proofs are known which are based on sigma protocols. Sigma protocols are three round publiccoin protocols and are honestverifier zeroknowledge proof systems. There exist sigma protocols for various tasks like proving knowledge of discrete logarithm of a value, that a tuple is of the DiffieHellman type etc., and it is also possible to efficiently combine sigma protocols to prove compound statements. It is possible to efficiently compile a sigma protocol (which is honestverifier ZK) into a zeroknowledge proof of knowledge. The FiatShamir transform [FS86] converts any publiccoin zeroknowledge proof into a zeroknowledge proof of knowledge and removes interaction, and is secure in the random oracle model [PS96]. Transformations in the common reference string model [Dam00, Lin15] are also known. The transformation of [Dam00] gives a 3round concurrent zeroknowledge protocol in the CRS model, whereas [Lin15] is noninteractive.
2.6 ZK Proof Based on Garbled Circuits
 1.
The verifier generates a garbled circuit computing \(R(x,\cdot )\). Using a committing oblivious transfer, the prover obtains the wire labels corresponding to his private input w. Then the verifier sends the garbled circuit to the prover.
 2.
The prover evaluates the garbled circuit, obtaining a single garbled output (wire label). He commits to this garbled output.
 3.
The verifier opens his inputs to the committing oblivious transfer, giving the prover all garbled inputs. From this, the prover can check whether the garbled circuit was generated correctly. If so, the prover opens his commitment to the garbled output; if not, the prover aborts.
 4.
The verifier accepts the proof if the prover’s commitment holds the output wire label corresponding to true.
Security against a cheating prover follows from the properties of the circuit garbling scheme. Namely, the prover commits to the output wire label before the circuit is opened, so the authenticity property of the garbling scheme ensures that he cannot predict the true output wire label unless he knows a w with \(R(x,w)=\textsc {true}\). Security against a cheating verifier follows from correctness of the garbling scheme. The garbled output of a correctly generated garbled circuit reveals only the output of the (plain) circuit, and this garbled output is not revealed until the garbled circuit was shown to be correctly generated.
Note that in this protocol, the prover evaluates the garbled circuit on an input which is completely known to him. This is the main reason that the garbled circuit used for evaluation can also be later opened and checked for correctness, unlike in the setting of cutandchoose for general 2PC. Along the same lines, it was further pointed out in [FNO15] that the circuit garbling scheme need not satisfy the privacy requirement of [BHR12], only the authenticity requirement. Removing the privacy requirement from the garbling scheme leads to a nontrivial reduction in garbled circuit size.
In one of our constructions (Sect. 3.2), the verifier does have a private input, but its input only needs to be kept private until the circuit is evaluated and the prover has committed to the output. In that scenario, we also invoke the privacy property of the garbling scheme as defined above.
Efficiency of Garbling Schemes. The state of the art garbling scheme uses the freeXOR technique [KS08] to garble XOR gates and the halfgate technique to garble AND gates [ZRE15]. For a circuit with g nonXOR gates, the total number of ciphertexts is 2g, and the number of hash invocations is 4g for the garbler and 2g for the evaluator.
For privacyfree garbling, the costs are reduced by factor of two (see [FNO15, ZRE15]). In particular, for a circuit with g nonXOR gates, the total number of ciphertexts is g, and the number of hash invocations is 2g for the garbler and g for the evaluator.
We need to garble a few common buildingblock circuits in our constructions. It is helpful to review the size of these circuits based on the concrete constructions given in [KSS09]. The circuit for comparing \(\ell \) bit integers requires \(4\ell \) nonXOR gates. The circuit for testing equality of \(\ell \) bit integers also requires \(4\ell \) nonXOR gates. The circuit for adding two \(\ell \) bit integers requires \(4\ell \) nonXOR gates, while the circuit for multiplying two \(\ell \) bit integers requires \(8\ell ^2  4\ell \) nonXOR gates.
3 Proving Nonalgebraic Statements on Algebraic Commitments
An important subprotocol used in our constructions, is to commit to an input x using an algebraic commitment \(\mathsf {Com}(x)\) (e.g. pedersen commitment), and perform a zeroknowledge proof of a nonalgebraic statement about x, i.e. that \(f(x) = 1\) for a boolean circuit f.
Such a protocol allows one to efficiently switch between proving algebraic statements on a committed input (e.g. proof of knowledge of a signature on a committed input) and nonalgebraic statement (e.g. hashing, comparison, equality testing and more).
The starting point for both instantiations is the ZKproof of nonalgebraic statements based on garbled circuits [JKO13] (see Sect. 2.6). As the naive solution we could garble a circuit that takes x and the opening of \(\mathsf {Com}(x)\) as prover’s input and outputs 1 if \(f(x) = 1\) and \(\mathsf {Com}(x)\) correctly opens to x. The main drawback of this solution is that checking correctness of opening for an algebraic commitment requires performing expensive group operations (e.g. exponentiation) inside the garbled circuit which would dominate the computation/communication cost. Our two instantiations show how to avoid these costs and perform all algebraic operations outside the garbled circuit.
3.1 First Instantiation
In our first construction, we have the prover commit to each bit of x, i.e. \(\mathsf {Com}(x_i)\) for all \(i \in [n]\), and prove that when combined they yield x.
Then, following the GCbased approach, the verifier constructs a garbled circuit that computes f(x), parties go through the steps of the GCbased ZK proof for the prover to prove knowledge of a value \(x'\) such that \(f(x') = 1\). The main issue is that a malicious prover may use a different input \(x' \ne x\) in the circuit than what he committed to.
But we observe that the input keys associated with \(x'\) in the GC (which are obtained through the COT), can function as onetime MACs on each bit of \(x'\) and can be used to enforce that \(x' = x\) using efficient algebraic ZK proofs that take place outside the garbled circuit. In particular, immediately after the COTs, the prover commits to its input keys i.e. \(K_i^{x'_i}\) for the ith bit of \(x'\). When the GC is opened and both input keys \(K_i^0,K_i^1\) are opened, the prover can provide ZK proofs that \(K_i^{x'_i} = x_i K_i^1 + (1x_i)K_i^0\) if the commitment scheme provides efficient proofs of linear relations.
Theorem 1
Let \(\mathcal {G}\) be a garbling scheme satisfying correctness and authenticity properties as defined in 2.4. Let \(\mathsf {Com}\) be a secure commitment scheme, and let the proofs PK be implemented with a zero knowledge proof of knowledge. Then, the protocol \(\varPi _{\mathsf {Com}, f}\) in Fig. 3 securely implements \(\mathcal {F}_{\mathsf {Com},f}\) in the presence of malicious adversaries in the \(\mathcal {F}_{COT}\)hybrid model.
Proof
Corrupt Prover.
The simulator works as follows: It uses the OT simulator to extract the prover’s input \(x'\) to the OT. It then plays the role of the honest verifier in the rest of the simulation  it constructs the garbled circuit honestly and uses its input keys as verifier’s inputs to the COT functionality. The simulator then extracts the value \(Z'\) committed to by the prover from the proofs of knowledge of opening in step 8. It also extracts prover’s committed input x and the values \(K'_i\) that prover committed to in the protocol, using the extractor for the ZK proof of knowledge in step 13. The simulator finally outputs x and the opening extracted from the ZK proofs, iff all the following hold: \(x=x'\), \(f(x)=1, Z\) is the onekey of the output wire, \(K'_i = K_i^{x_i}\) for all i, the commitment in step 8 is opened to Z, and the ZK proofs of step 13 verifies. Note that in the ideal model the functionality will always output accept when the simulator sends this witness.
We now prove that a corrupt prover’s view in the real protocol is indistinguishable from his view with the simulator via a series of intermediate games.

\(\mathsf {Game}\) Ideal: This is the interaction of the corrupt prover with the simulator and functionality as described above.

\(\mathsf {Game}\) \(\mathsf {G}_{0}\): This is the interaction of the corrupt prover with the simulator as described above, with the exception that instead of the simulator sending x and the opening to F, which outputs accept iff \(f(x)=1\), the game will output accept iff \(f(x')=1\) for the \(x'\) extracted from the OT (and all the other conditions listed hold). Since one of the conditions checks \(x=x'\), this is identical.

\(\mathsf {Game}\) \(\mathsf {G}_{1}\): This game, behaves exactly as in \(\mathsf {G}_{0}\) except for a slight change in the accept condition. It outputs accept if \(f(x')=1\) and \(K'_i = K_i^{x_i}\) for all i and Z is the onekey of the output wire and the commitment in step 8 is correctly opened to Z, and all the ZK proofs verify (i.e. no \(x = x'\) check).
Indistinguishability:
Define the event \(\mathsf {Bad}\) as the event that \(x \ne x', f(x') = 1, Z\) is the onekey of the output wire, \(K'_i = K_i^{x_i}\) for all i, and the opening to Z is correct and the ZK proofs of step 13 verify.
Observe that \(\mathsf {G}_0\) is identical to \(\mathsf {G}_1\) conditioned on \(\overline{\mathsf {Bad}}\). We now argue that \(\Pr [\mathsf {Bad}]\) is negligible, by observing that an adversary who makes us reject \(\mathsf {G}_0\) but accept in \(\mathsf {G}_1\), can only succeed with probability \(1/2^s\) where s is a statistical security parameter, given the COT hybrid model. Without loss of generality lets assume the ith bit of x is 0 and ith bit of \(x'\) is 1. Then, the probability of the adversary guessing \(K_i^0\) given only \(K_i^1\) is less than \(1/2^{K_i^0}\). Note that \(K_i^0\) is the computational security parameter, which is 128 bits for an AES key. But without loss of security we can used a truncated \(K_i^0\) (to its least significant s bits) in the ZK proofs of step 13.
Hence Games \(\mathsf {G}_0\) and \(\mathsf {G}_1\) are indistinguishable except with negligible probability in s.

\(\mathsf {Game}\) \(\mathsf {G}_{2}\): This game behaves as in \(\mathsf {G}_1\) except for another change in the accept condition. We accept if \(f(x')=1\) and ZK proofs of step 13 verifies and Z is the onekey of the output wire, and the commitment in step 8 is correctly opened to Z (i.e. no \(K'_i = K_i^{x_i}\) check).
If an adversary can distinguish between Games \(\mathsf {G}_1\) and \(\mathsf {G}_2\), we can break the soundness of the ZK proof of step 13. Therefore, \(\mathsf {G}_1\) and \(\mathsf {G}_2\) are indistinguishable.

\(\mathsf {Game}\) \(\mathsf {G}_{3}\): This game behaves as in \(\mathsf {G}_2\) except for a small change in accept condition. We accept if ZK proofs of step 13 verifies and Z is the onekey of the output wire, and the commitment in step 8 is correctly opened to Z (i.e. no \(f(x') = 1\) check).
Games \(\mathsf {G}_2\) and \(\mathsf {G}_3\) are identical, except when the following event occurs: \(f(x')\ne 1\) and ZK proof of step 13 passes, and Z is the onekey of the output wire. When this event occurs, we accept in \(\mathsf {G}_3\) and rejects in \(\mathsf {G}_2\). We now argue that the probability of this event is negligible. For the sake of contradiction, assume the prover’s input to OT is \(x'\) such that \(f(x') \ne 1\), but the value committed to is the correct onekey Z for the output wire. We can use such a prover to break the authenticity of the garbling scheme (See Definition 2).

\(\mathsf {Game}\) \(\mathsf {G}_{4}\): This game behaves as in \(\mathsf {G}_3\) except for the accept condition. We accept if the ZK proofs of step 13 verifies and the commitment in step 8 opens correctly (i.e. no check that it is the same as extracted Z).
An adversary who can distinguish between \(\mathsf {G}_3\) and \(\mathsf {G}_4\) can be used to violate the binding property of the commitment scheme. \(\mathsf {G}_4\) is identical to the real world game with an honest verifier.
It then runs \(\mathsf {Ve}(GC, (K_i^0,K_i^1), f)\) to either obtain \(\mathsf {reject}\), or the decoding information d. If the output is \(\mathsf {reject}\) it commits to a dummy value, else it commits to the onekey for the output wire, denoted by Z.
It then receives the “open" message from the verifier. If \(\mathsf {Ve}\) had not output \(\mathsf {reject}\) earlier, the simulator opens the commitment to Z and uses the simulator for the ZK proof to simulate the proofs of step 13. Otherwise, the simulator aborts.

\(\mathsf {Game}\) \(\mathsf {G}_{0}\): This is the interaction of the corrupt verifier with the simulator as described above.

\(\mathsf {Game}\) \(\mathsf {G}_{1}\): Is similar to game \(\mathsf {G}_0\) except that the real input x of prover is committed to.
The two games are indistinguishable due to the hiding property of the commitment scheme.

\(\mathsf {Game}\) \(\mathsf {G}_{2}\): Is similar to \(\mathsf {G}_1\) except that instead of computing Z by running \(\mathsf {Ve}\), we run \(\mathsf {Eval}(GC,K_i^{x_i})\) to compute and commit to Z.
The two games are indistinguishable due to the second condition in the correctness property of the garbling scheme. Note that we are also implicitly using the committing OT property (the protocol described in the COT hybrid model) as the keys extracted in the OTs and what the functionality sends to the honest prover are the same.

\(\mathsf {Game}\) \(\mathsf {G}_{3}\): Is similar to \(\mathsf {G}_2\) except that the honest input x of the prover is used in the OTs.
The two games are identical in the OT hybrid model.

\(\mathsf {Game}\) \(\mathsf {G}_{4}\): Is similar to \(\mathsf {G}_3\) except that the simulator commits to inputs keys associated with the real input x.
The two games are identical due to the hiding property of the commitment scheme.

\(\mathsf {Game}\) \(\mathsf {G}_{5}\): Is similar to \(\mathsf {G}_{4}\) except that in step 13, the simulator performs the proofs, honestly.
The two games are indistinguishable due to zeroknowledge property of the ZK proof.
Note that \(\mathsf {G}_5\) is the real game with the honest prover.
3.2 Second Instantiation
We now give an alternative construction that implements the functionality in Fig. 2. In particular, we avoid the bitwise commitments to each bit of \(x_i\), and the associated bitwise ZK proofs, and hence require fewer publickey operations (exponentiations) in the construction. On the other hand, the garbled circuit is augmented and hence a larger number of symmetrickey operations are needed.
The idea is as follows. In order to ensure that the prover uses the same input x in the GC, we have the circuit not only compute f(x) but also a onetime MAC of x, i.e. \(t=ax+b\) for random a and b of the verifier’s choice. a and b are initially unknown to the prover, but are opened along with the GC after the prover has committed to t. Given a and b, the prover then provides a ZK proof that \(\mathsf {Com}(t)\) is indeed the onetime MAC of x (using efficient proofs of linear relations). We note that the \(t= ax+b\) operation performed in the circuit is on integers.
We note that our construction deviates from the standard construction of GCbased ZK where the verifier has no input, and privacyfree garbling is sufficient. In particular, we do invoke the privacy property of the garbling scheme in our construction to ensure that the prover does not learn a and b, until the opening stage.
Theorem 2
Let \(\mathcal {G}\) be a garbling scheme satisfying correctness, authenticity, and privacy properties as defined in Sect. 2.4. Let \(\mathsf {Com}\) be a secure commitment scheme, and let the proofs PK be implemented with a zero knowledge proof of knowledge. Then, the protocol \(\varPi _{\mathsf {MAC},f}\) in Fig. 4 securely implements \(\mathcal {F}_{\mathsf {Com},f}\) in the presence of malicious adversaries in the \(\mathcal {F}_{COT}\)hybrid model.
Proof
Corrupt Prover.
The simulator works as follows: It uses the OT simulator to extract the prover’s input \(x'\) to the OT. It then plays the role of the honest verifier in the rest of the simulation  it chooses a, b randomly as the honest verifier would, constructs the garbled circuit honestly and uses its input keys as verifier’s inputs to the COT functionality. The simulator then extracts the value \(Z'\) committed to by the prover from the proofs of knowledge of opening in step 8. It also extracts prover’s committed input x and the tag \(t'\) that the prover committed to in the protocol, using the extractor for the ZK proof of knowledge in step 16. The simulator finally outputs x and the opening extracted from the ZK proofs, iff all the following hold: \(x=x'\), \(f(x)=1, Z\) is the onekey of the output wire, \(t'=ax+b\), the commitment in step 8 is opened to Z, and the ZK proof of step 16 verifies. Note that in the ideal model the functionality will always output accept when the simulator sends this witness.
We now prove that a corrupt prover’s view in the real protocol is indistinguishable from his view with the simulator by a series of intermediate games.

\(\mathsf {Game}\) Ideal: This is the interaction of the corrupt prover with the simulator and functionality as described above.

\(\mathsf {Game}\) \(\mathsf {G}_{0}\): This is the interaction of the corrupt prover with the simulator as described above, with the exception that instead of the simulator sending x and the opening to F, which outputs accept iff f(x)=1, the game will output accept iff \(f(x')=1\) for the \(x'\) extracted from the OT (and all the other conditions listed hold). Since one of the conditions checks \(x=x'\), this is identical.

\(\mathsf {Game}\) \(\mathsf {G}_{1}\): In this game, the simulator behaves exactly as in \(G_0\) except that it does not check the \(x = x'\) condition.
Define the event \(\mathsf {Bad}\) as the event that \(x \ne x'\) but \(t=ax+b\). Observe that \(\mathsf {G}_0\) is identical to \(\mathsf {G}_1\) conditioned on \(\overline{\mathsf {Bad}}\). We argue that \(\Pr [\mathsf {Bad}]\) is negligible due to the unforgeability property of the onetime MAC, the hiding property of the commitment scheme, and the privacy of the garbled circuit.
Consider a game where we run as in \(\mathsf {G}_{1}\) but stop after step 10, and look at the probability that in this gane \(t'=ax+b\) but \(x\ne x'\); if \(\Pr [\mathsf {Bad}]\) is nonnegligible, this will be nonnegligible as well. Now, by the privacy of the garbled circuit, this is indistinguishable from a game where the verifier computes a tag t on \(x'\), and then constructs (GC, e, d) using the privacy simulator: \(\mathcal {S}(F,(t,1))\). Similarly, by the hiding of the commitment scheme this is still indistinguishable from a game where the verifier commits to random values instead of a, b. But if in this final game we get \(t'=ax+b\) and \(x\ne x'\) with nonnegligible probability, then we can break the unforgeability of the MAC. The probability of forgery is bounded by \(1/2^{a}\), and hence exponentially small in the statistical security parameter \(s = a\).

\(\mathsf {Game}\) \(\mathsf {G}_{2}\): In this game, the simulator behaves as in \(\mathsf {G}_1\) except that it does not check the condition \(t = ax +b\).
If an adversary can distinguish between Games \(\mathsf {G}_2\) and \(\mathsf {G}_1\), we can break the soundness of the ZK proof of step 16.

\(\mathsf {Game}\) \(\mathsf {G}_{3}\): In this game, the simulator behaves as in \(\mathsf {G}_2\) except that we do not check the condition \(f(x') = 1\).
Games \(\mathsf {G}_2\) and \(\mathsf {G}_3\) are identical, except when the following event occurs: \(f(x')\ne 1\) and ZK proof of tag verifies and Z is the onekey of the output wire. We now argue that the probability of this event is negligible. For the sake of contradiction, assume the prover’s input to OT is \(x'\) such that \(f(x') \ne 1\), but the value committed to is the correct onekey Z for the output wire. We can use such a prover to break the authenticity of the garbling scheme (See definition 2).

\(\mathsf {Game}\) \(\mathsf {G}_{4}\): In this game, the simulator behaves as in \(\mathsf {G}_3\) except for the accept condition. The simulator accepts if the ZK proofs of step 16 verifies and the commitment in step 8 opens correctly (i.e. no check that it is the same as extracted Z).
An adversary who can distinguish between \(\mathsf {G}_4\) and \(\mathsf {G}_3\) can be used to violate the binding property of the commitment scheme. \(\mathsf {G}_4\) is identical to the real world game with an honest verifier.
It then runs \(\mathsf {Ve}(GC, (K_i^0,K_i^1), F)\) (and checks against the extracted a, b) to either obtain \(\mathsf {reject}\), or the decoding information d. If the output is \(\mathsf {reject}\) it commits to dummy values for Z and t, else it commits to the onekey for the output wire denoted by Z, and dummy t.
The simulator receives the openings of \(\mathsf {Com}(a)\) and \(\mathsf {Com}(b)\). If the openings are not what it extracted earlier, or if \(\mathsf {Ve}\) had output \(\mathsf {reject}\) earlier, it aborts. Else, the simulator opens the commitment to Z and uses the simulator for the ZK proof to simulate the proofs of step 16.

\(\mathsf {Game}\) \(\mathsf {G}_{0}\): This is the interaction of the corrupt verifier with the simulator as described above.

\(\mathsf {Game}\) \(\mathsf {G}_{1}\): Is similar to game \(\mathsf {G}_0\) except that \(t= ax+b\) for the real input x of prover is committed to.
The two games are indistinguishable due to the hiding property of the commitment scheme.

\(\mathsf {Game}\) \(\mathsf {G}_{2}\): Is similar to \(\mathsf {G}_1\) except that instead of computing Z and t by running \(\mathsf {Ve}\), we run \(\mathsf {Eval}(GC,K_i^{x_i})\) to compute and commit to Z and t.
The two games are indistinguishable due to the second condition in the correctness property of the garbling scheme, and binding property of commitments \(\mathsf {Com}(a)\) and \(\mathsf {Com}(b)\). Note that we are also implicitly using the committing OT property (the protocol described in the COT hybrid model) as the keys extracted in the OTs and what the functionality sends to the honest prover are the same.

\(\mathsf {Game}\) \(\mathsf {G}_{3}\): Is similar to \(\mathsf {G}_2\) except that the honest input x of the prover is used in the OTs.
The two games are identical in the OT hybrid model.

\(\mathsf {Game}\) \(\mathsf {G}_{4}\): Is similar to \(\mathsf {G}_{3}\) except that in step 13, the simulator performs the proofs honestly.
The two games are indistinguishable due to zeroknowledge property of the ZK proof.
Note that \(\mathsf {G}_4\) is the real game with the honest prover.
3.3 Efficiency Comparison and Optimizations
Efficiency Comparison. In our first instantiation, in addition to the cost associated with the GCbased ZK, i.e. the oblivious transfer for x and the cost of garbling f, O(n) exponentiations are necessary to commit to each bit of input x and to perform the bitwise ZK proofs associated with them in the last step.
In our second instantiation, the bitwise commitments/proofs are eliminated (i.e. only a constant number of exponentiations) but instead the circuit for \(ax+b\) needs to be garbled which requires \(O(ns + s^2)\) additional symmetrickey operations when using textbook multiplication (we discuss range of values for s shortly). Using Karatsuba’s multiplication algorithm [Knu69], this can potentially be further reduced.
The round complexity of both protocols is essentially the same as the GCbased ZK proof of [JKO13] (5 rounds), as the extra messages can be sent within the same rounds. (To simplify presentation, we used a separate step for each operation in our protocol description, but many of these can be combined.) A more roundefficient GCbased ZK proof would make our constructions more round efficient as well.
The first instantiation requires more exponentiations which are significantly costlier than their symmetrickey counterpart, but the total number of symmetrickey operations in the second instantiation is higher. Hence, when n is small, the first instantiation is likely more efficient, while when n is larger, the second instantiation will be the better option. Furthermore, if bitwise commitment to the input is already necessary as part of the bigger protocol (as is the case in some of our constructions), the first instantiation may be the better choice. In the case where a comparison circuit \(x < q\) is also computed, an additional O(n) symmetrickey operations suffices.
Optimizations. Next we review a few other optimizations that improve efficiency of our instantiations.
 Reducing exponentiations. We consider the following optimization for the protocol \(\varPi _{\mathsf {Com}, f}\) in Fig. 3 which reduces the number of exponentiations necessary for the ZK proofs significantly. In step 6, the prover commits to the sum of the keys received instead of individually to each wire key. The prover sends \(\mathsf {Com}(S) = \mathsf {Com}\left( \sum _{i=1}^{n}K'_i \right) \) in step 6. We assume that the bit commitment scheme \(\mathsf {Com}\) is homomorphic, and each wire key \(K_i\) is truncated to s bits and interpreted as a group element. Now, in the zero knowledge proofs of step 13, the prover proves the following statements which can be performed with fewer exponentiations:

\(\mathsf {PK}\lbrace (x_i,S,r,R): \mathsf {Com}(x_i) = g^{x_i}h^{r} \wedge \mathsf {Com}(S) = g^{S}h^{R} \wedge S =\sum _{i=1}^{n} \left( x_i K_i^1 + (1x_i) K_i^0 \right) \rbrace \)

\(\mathsf {PK}\lbrace (x, x_1,\cdots ,x_n,r,r_1, \cdots r_n):\mathsf {Com}(x) = g^{x}h^{r} \wedge \mathsf {Com}(x_i) = g^{x_i}h^{r_i} \wedge x = g^{\sum 2^i x_i} h^{r} \rbrace \)
We can show that if the sum extracted by the simulator from the commitment in step 6 is not equal to the sum of keys corresponding to the input \(x'\) extracted from COT, but the ZK proofs verify, then for some i, the prover must have correctly guessed \(K_i^{b}\) such that \(b \ne x'_i \). The probability of this is negligible by the security of the COT protocol.


Privacyfree garbling. As discussed earlier, in [FNO15] it is observed that privacyfree garbling is sufficient for GCbased ZK proofs of nonalgebraic statements. This improves the communication/computation cost of garbled circuits in our first instantiation by a factor of two. But as mentioned earlier, the same cannot be said about our second construction since the privacy property of garbling is required to hide a and b in the earlier stage of the construction.
But we can think of bigger circuit as consisting of two smaller circuits: one computing the function f and the other computing \(ax+b\). If we split the computation into two garbled circuits with shared OT, then we can use the privacy free garbling scheme of [FNO15, ZRE15] for the first circuit as the verifier has no input, and use a standard garbling scheme for the \(ax+b\) circuit.

Smaller multiplication circuit. For the onetime MAC in the second protocol, a small a is sufficient for security  if the security (unforgeability) desired is \(2^{s}\), it suffices for a to be s bits long. Hence, for a 512bit input, a 40–80bit a is sufficient to compute \(ax+b\) which reduces the size of the multiplication circuit significantly.
3.4 Secure Computation on Committed/Signed Inputs
In the protocols described above, we have shown how to commit to a value \(\mathsf {Com}(x)\) and then use a GCbased ZK proof to prove nonalgebraic statements about x.
It is not hard to show that one can extend this approach, to a fullfledged secure twoparty computation (2PC) of any function g(x, y) where x is the committed input of the prover. In particular, note that in the ZK proof, the prover feeds its input x into the COTs in order to obtain its inputs keys to the GC of the ZK proof. In order to extend this to a secure 2PC based on garbled circuits, we let the prover play the role of the evaluator in a cutandchoose 2PC based on garbled circuits, and use the same COT as above for the prover to obtain the garbled inputs for x in the 2PC. This would ensure that the same x that was used in the ZK proof is also used in the 2PC, and the ZK proof already ensures that this is the same input committed to in \(\mathsf {Com}(x)\).
A subtle point here is that we need to open the sender’s input to the COTs for the GC for the ZK but not for the GCs for the 2PC. This is supported by the committing OT of [S+11] (also see the discussion on COTs in [MR13]). It is interesting to explore the use of OT extension in such COTs where some sender inputs are opened while others are not.
We emphasize that the GCs for the 2PC only garble the desired function g, and hence the GC for the ZK proof is not part of any cutandchoose. However, we note that the above technique is currently limited to the evaluator’s input since the OTs for evaluator’s input enable an almostfree check of equality of inputs in the 2PC and the ZK. Extending the ideas to both party’s inputs is an interesting future direction.
This approach can be easily extended to prove other statements about x, such as proof of knowledge of a signature on x (hence signedinput 2PC) either using the techniques we give below in the case of RSA/DSA signatures, or using previous techniques to give a proof of knowledge of a CL signature [CL01].
4 Building Blocks for PrivacyPreserving Signature Verification
We introduce three important building blocks for our privacypreserving signature verification protocols. Two of them can be directly instantiated using our \(\mathcal {F}_{\mathsf {Com},f}\) functionality introduced in Sect. 3, while for the third one we provide a customized construction.
4.1 Proving that a Committed Value Is the Hash of Another Committed Value
Theorem 3
The protocol \(\varPi _{Hash}\) in Fig. 6 securely implements \(\mathcal {F}_{Hash}\), given the ideal functionality \(\mathcal {F}_{\mathsf {Com},f}\), in the presence of malicious adversaries.
4.2 Proof of Equality of Committed Values in Different Groups
4.3 Proof of Equality of Discrete Logarithm of a Committed Value and Another Committed Value
We will show that the protocol in Fig. 9 is correct, has a soundness error of \(1/2^k\), and is honest verifier zero knowledge.
Proof

Completeness: If the prover and the verifier behave honestly, it is easy to see that verification conditions hold.
If \(c_i = 0\):If \(c_i = 1\):$$\begin{aligned}G_1^{g^r_i} H_1^{s_i} = G_1^{g^{\alpha _i}} H_1^{\beta _i} = u_i \text { and } G_2^{r_i} H_2^{t_i} = G_2^{\alpha _i} H_2^{\gamma _i} = v_i \end{aligned}$$$$\begin{aligned} y_1^{g^{r_i}} H_1^{s_i} = (G_1^{g^{x}})^{g^{r_i}} (H_1^{R_1})^{g^{r_i}}H_1^{s_i} = G_1^{g^{\alpha _i}} H_1^{\beta _i} = u_i \text { and } \end{aligned}$$$$\begin{aligned} y_2 G_2^{r_i} H_2^{t_i} = G_2^{x} H_2^{R_2} G_2^{r_i} H_2^{t_i} = v_i \end{aligned}$$  Soundness: We show an extractor that computes \(x,R_1,R_2\) given two different accepting views with same commitments but different challenge strings. Say, we have two accepting views for challenges c and \(\hat{c} \ne c\). Without loss of generality, let us assume that they differ in the jth position, and \(c_j =0\). We have,$$\begin{aligned} u_j = G_1^{g^{r_j}} H_1^{s_j} = y_1^{g^{\hat{r_j}}} H_1^{\hat{s}_j} \end{aligned}$$$$\begin{aligned} G_1^{g^{r_j}} H_1^{s_j} = G_1^{g^x g^{\hat{r_j}}} H_1^{R g^{\hat{r_j}}+\hat{s_j}} \end{aligned}$$We can compute (in \(\mathbb {Z}_q\)),$$\begin{aligned} g^x = g^{r_j  \hat{r_j}} \end{aligned}$$We have,$$\begin{aligned} x = r_j  \hat{r_j} \end{aligned}$$and thus,$$\begin{aligned} s_j = R_1 g^{\hat{r_j}}+\hat{s_j} \end{aligned}$$We also have$$\begin{aligned} R_1 = \frac{s_j  \hat{s_j}}{g^{\hat{r_j}}} \end{aligned}$$$$\begin{aligned} v_j = G_2^{r_j} H_2^{t_j} = y_2 G_2^{\hat{r_j}} H_2^{\hat{t_j}} \end{aligned}$$and thus,$$\begin{aligned} G_2^{r_j} H_2^{t_j} = G_2^{x+\hat{r_j}} H_2^{\hat{t_j} + R_2} \end{aligned}$$$$\begin{aligned} R_2 = t_j  \hat{t_j} \end{aligned}$$

Honest Verifier Zero Knowledge: We show a simulator such that the output of the simulator is statistically indistinguishable from the transcript of the protocol with a prover. The simulator on input c, randomly chooses \(\alpha _{i} = r_i \in \mathbb {Z}_q, \beta _i = s_i \in \mathbb {Z}_p, \gamma _i = t_i \in \mathbb {Z}_q\) and computes for \(1 \le i \le k\):
If \(c_i =0\),if \(c_i =1\),$$u_{i} = G_1^{g^{r_i}} H_1^{s_i} \text { and } v_i = G_2^{r_i}H_2^{t_i}$$$$u_{i} = y_1^{g^{r_i}} H_1^{s_i} \text { and } v_i = y_2 G_2^{r_i} H_2^{t_i}$$
5 PrivacyPreserving FDHRSA Signature Verification
5.1 Proof of Knowledge of RSA Signatures
Given \(\mathsf {Com}_N(m)\), a commitment to m in a group of order N, the following protocol is a zero knowledge proof of knowledge of a valid RSA signature on m.
 1.
The prover has input \((m,\sigma )\) and the verifier is in possession of \(\mathsf {Com}_N(m) = C_1 = g^m h^{r_1}\)
 2.
The prover commits to \(M=\mathcal {H}(m)\), that is, \( M \in \mathbb {Z}_N\), compute \(\mathsf {Com}_N(M) = C_2 = g^{M} h^{r_2}\), for randomly chosen \(r_2 \in Z_N^{*}\). Send \(C_2\) to the verifier and prove knowledge of opening.
 3.
The prover and verifier engage in the protocol \(\varPi _{Hash}\) with inputs (m, M) and \((C_1, C_2)\) respectively.
 4.
The prover proves knowledge of eth root of a committed value [CS97a]. Given \(y=C_2=g^{M}h^r\), prover proves knowledge of \(\sigma \), such that, \(y=g^{\sigma ^e}h^r\).
 (a)The prover computes the following tuple:for randomly chosen \(r_i \in \mathbb {Z}_N\), for \(i=1\) to \(e1\).$$(y_1, \cdots , y_{e1} ) \text { where } y_i = g^{\sigma ^i} h^{r_i}$$
 (b)The prover and the verifier run the following proof of knowledge:$$\mathsf {PK}\lbrace ( \alpha , (\beta _1, \cdots ,\beta _{e})) : y_1 = g^{\alpha } h^{\beta _1} \wedge y_2 = y_1^{\alpha } h^{\beta _2} \wedge \cdots \wedge y = y_{e1}^{\alpha } h^{\beta _e} \rbrace $$
 (a)
 1.The prover computes the following tuple:for randomly chosen \(r_i \in \mathbb {Z}_N\), for \(i=1\) to k.$$(y_0, y_1, \cdots , y_{k} ) \text { where } y_i = g^{\sigma ^{2^i}} h^{r_i}$$
 2.The prover and the verifier run the following proof of knowledge:$$\begin{aligned}&\mathsf {PK}\lbrace ( \alpha , \alpha _1, \cdots , \alpha _k, \beta , \beta _0, \cdots ,\beta _{k}, R_0, \cdots , R_k) : \\&\qquad \quad \quad y_0 = g^{\alpha } h^{\beta } \wedge y_1 = y_0^{\alpha } h^{\beta _0} \wedge y_1 = g^{\alpha _1} h^{R_0} \wedge y_2 = y_1^{\alpha _1} h^{\beta _1} \\&\quad \wedge y_2 = g^{\alpha _2} h^{R_1} \cdots \wedge y_{k} = y_{k1}^{\alpha _{k1}} h^{\beta _{k1}} \wedge y_{k} = g^{\alpha _{k}} h^{R_{k1}} \wedge y = y_{k}^{\alpha } h^{\beta _k} \rbrace \end{aligned}$$
It might be possible to improve the efficiency for some e’s by using addition chains for the integer e. An addition chain for integer e is an ascending sequence \(1 = e_0< e_1 < \cdots e_r = e\) such that for \(1 \le i \le r\), we have \(e_i = e_j + e_k\). The prover, now, would have to provide only the \(y_i\)’s for which i is an element of the addition chain for e. The relations among the \(y_i\)’s will be sightly different, but can be proved in a similar way.
The above verification protocol can also be adapted to support variants of RSAbased signatures, like the probabilistic signature scheme (PSS) from [BR96]. PSS is a probabilistic generalization of FDH which uses two hash functions and more complicated padding. We can instantiate protocol \(\varPi _{\mathsf {Com}, f}\) with an f that verifies the additional checks of PSS to achieve privacy preserving verification of a PSS signature.
5.2 Proof of Security

Soundness: We show an extractor, that, given access to the prover, extracts \((m,\sigma )\) such that \(\mathsf {Verify}_{N,e}(m,\sigma )=1\). The extractor invokes the simulator for the corrupt prover of protocol \(\varPi _{Hash}\) to extract m and M. It then runs the extractor corresponding to the proof in step 4b to extract \(\alpha \). By the security of \(\varPi _{Hash}\) and the binding property of \(\mathsf {Com}\), it follows that \(\alpha ^e \mod N = M = \mathcal {H}(m)\).

Zeroknowledge: We sketch a simulator that simulates the verifier’s view in the protocol. The simulator commits to a random value on behalf of the prover in step 2 by computing \(C'_2 = \mathsf {Com}(M')\). It sends \(C'_2\) to the verifier, proves knowledge of opening and invokes the simulator for the corrupt verifier of protocol \(\varPi _{Hash}\). It then chooses \(y_1, \cdots , y_{e1} \in Z_N\) at random, and runs the simulator corresponding to the proof in step 4b. We can show that the view of the verifier in the protocol is indistinguishable from the view with the simulator.
6 PrivacyPreserving (EC)DSA Signature Verification
6.1 Proof of Knowledge of DSA Signatures
Let (r, s) be the DSA signature on m. Let \(\mathbb {G}_1 = \langle G_1 \rangle \) and \(\mathbb {G}_2 = \langle G_2 \rangle \) be two distinct groups of order p and q respectively where p and q are the parameters of the DSA signature algorithm. One technical difficulty is that we have to show r in \(G_1\) and \(G_2\) is equal modulo q. For that purpose, we use our protocol \(\varPi _{Eq}\) from Fig. 8 to prove equality across groups. We also employ our protocol from Fig. 9 to prove equality of discrete logarithm of a committed value and another committed value. We now describe the DSA verification protocol in detail. Given a commitment to m, the following protocol is a zeroknowledge proof of knowledge of a valid DSA signature on m.
 1.
The verifier is in possession of \(C_1 = \mathsf {Com}_q(m) \), and the prover has as input message \(\left( m, (r,s)\right) \) and the opening information of \(C_1\) to m.
 2.
The prover commits to \(M=\mathcal {H}(m)\), that is, \( M \in \mathbb {Z}_q\), compute \( C_2 = \mathsf {Com}_q(M) \) Send \(C_2\) to the verifier and prove knowledge of opening.
 3.
Now the prover and verifier engage in the protocol \(\varPi _{Hash}\) to prove that \(M=\mathcal {H}(m)\).
 4.
The prover commits to the signature (r, s) by sending \(\mathsf {Com}_{pq}(r) = (\mathsf {Com}_p(r), \mathsf {Com}_q(r))\) and \(\mathsf {Com}_{q}(s)\). The prover also commits to the following values: \(u_1 = \mathcal {H}(m) s^{1}, u_2 = r s^{1}, \alpha = g^{u_1}, \beta = y^{u_2}\), where g is the generator of a cyclic group of order q in \(\mathbb {Z}_p^{*}\) used in DSA signing, and y is the DSA public key. Prover sends \(\mathsf {Com}_{q}(u_1), \mathsf {Com}_{q}(u_2), \mathsf {Com}_{p}(\alpha ), \mathsf {Com}_{p}(\beta )\).
 5.The prover and the verifier carry out the following \(\Sigma \)protocol zeroknowledge proofs of knowledge:
 (a)
\(\mathsf {PK}\lbrace (u_1,R_1,R_2): \mathsf {Com}_{p}(\alpha ) = G_1^{g^{u_1}} H_1^{R_1}\wedge \mathsf {Com}_{q}(u_1) = G_2^{u_1}H_1^{R_2} \rbrace \)
 (b)
\(\mathsf {PK}\lbrace (u_2,R_1,R_2): \mathsf {Com}_{p}(\beta ) = G_1^{y^{u_2}} H_1^{R_1}\wedge \mathsf {Com}_{q}(u_2) = G_2^{u_2}H_1^{R_2} \rbrace \)
 (c)
\(\mathsf {PK}\lbrace (r,\alpha ,\beta ,R_1,R_2,R_3): \mathsf {Com}_{p}(\beta ) = G_1^{\beta } H_1^{R_1}\wedge \mathsf {Com}_{p}(\alpha ) = G_1^{\alpha } H_1^{R_2} \wedge \mathsf {Com}_{p}(r) = G_1^{r}H_1^{R_3}\wedge r=\alpha \beta \rbrace \)
 (d)
\(\mathsf {PK}\lbrace (M,u_1,s,R_1,R_2,R_3): \mathsf {Com}_{q}(M) = G_2^{M} H_2^{R_1}\wedge \mathsf {Com}_{q}(u_1) = G_2^{u_1} H_2^{R_2} \wedge \mathsf {Com}_{q}(s) = G_2^{s}H_2^{R_3}\wedge M=u_1 s \rbrace \)
 (e)
\(\mathsf {PK}\lbrace (r,u_2,s,R_1,R_2,R_3): \mathsf {Com}_{q}(r) = G_2^{r} H_2^{R_1}\wedge \mathsf {Com}_{q}(u_2) = G_2^{u_2} H_2^{R_2} \wedge \mathsf {Com}_{q}(s) = G_2^{s}H_2^{R_3}\wedge r=u_2 s \rbrace \)
 (a)
 6.
The prover and verifier engage in \(\varPi _{Eq}\) with input \(\mathsf {Com}_{pq}(r)\).
6.2 Proof of Security
We sketch a proof of the soundness and zeroknowledge properties of the above protocol. The completeness follows from security of \(\varPi _{Hash}\) and completeness of the proofs of knowledge in step 5.

Proof of Knowledge: We show an extractor, that, given access to the prover, extracts \(\left( m,(r,s)\right) \) such that \(\mathsf {Verify}(m,(r,s))=1\). The extractor invokes the simulator for the corrupt prover of protocol \(\varPi _{Hash}\) to extract m and M and the opening information for \(C_1\).
It then runs the extractor guaranteed by the proof of knowledge property of the proofs in step 5 to extract \(u_1,u_2, \alpha , \beta ,s,r \). Finally it returns \(\left( m, (r,s)\right) \) and the opening information. By security of \(\varPi _{Hash}\), \(\varPi _{Eq}\) and the binding property of the commitment scheme \(\mathsf {Com}\), it follows that \(r = g^{ M s^{1}} y^{ r s^{1}}\) and \(M= \mathcal {H}(m)\).

Zeroknowledge: We sketch a simulator that simulates the verifier’s view in the protocol. The simulator commits to a random value on behalf of the prover in step 2 by computing \(C'_2 = \mathsf {Com}(M')\). It sends \(C'_2\) to the verifier, proves knowledge of the opening and invokes the simulator for the corrupt verifier of protocol \(\varPi _{Hash}\). It then commits to random values in step 4, and runs the simulator corresponding to the proofs of knowledge in step 5. Finally in step 6, the simulator invokes the simulator for protocol \(\varPi _{Eq}\). We can show that the view of the verifier in the protocol is indistinguishable from the view with the simulator.
6.3 Proof of Knowledge of ECDSA Signatures
Let (r, s) be the ECDSA signature on m. Let \(\mathbb {G}_1 = \langle G_1 \rangle \) and \(\mathbb {G}_2 = \langle G_2 \rangle \) be two distinct groups of order p and n respectively where p is the order of the field of the curve and n is the order of point P. Addition of elliptic curve points which is the group operation requires arithmetic operations in the underlying finite field \(\mathbb {Z}_p\) of the curve E. We use a straight forward variant of the protocol in Fig. 9 to prove statements about multiples of an elliptic curve point (elliptic curve analogue of exponentiation) inside commitments.
 1.
The verifier is in possession of \(C_1 = \mathsf {Com}_p(m)\) and the prover has as input \((m,\sigma )\) and the opening of \(C_1\) to m.
 2.
The prover commits to \(M=\mathcal {H}(m)\), by computing \(C_2 = \mathsf {Com}_p(M)\). Send \(C_2\) to the verifier and prove knowledge of opening.
 3.
The prover and verifier engage in the protocol \(\varPi _{Hash}\) with inputs (m, M) and \((C_1, C_2)\) respectively.
 4.
The prover commits to the signature (r, s) and proves knowledge of an opening. The prover sends \(\mathsf {Com}_{pn}(r) =( \mathsf {Com}_{p}(r), \mathsf {Com}_{n}(r))\) and \(\mathsf {Com}_{n}(s)\). The prover also commits to the following values: \(u_1 = \mathcal {H}(m) s^{1}, u_2 = r s^{1}\), and the coordinates of the points \(u_1P = (\alpha _x, \alpha _y), u_2Q=(\beta _x,\beta _y)\), where P is the point of order n in \(E(\mathbb {Z}_p)\) used in ECDSA signing, and Q is the ECDSA public key. The prover sends \(\mathsf {Com}_{n}(u_1)\), \(\mathsf {Com}_{n}(u_2)\), \(\mathsf {Com}_{p}(\alpha _x)\),\(\mathsf {Com}_{p}(\alpha _y)\), \(\mathsf {Com}_{p}(\beta _x)\), \(\mathsf {Com}_{p}(\beta _y)\).
 5.The prover and the verifier carry out the following \(\Sigma \)protocol zeroknowledge proofs of knowledge:
 (a)
\(\mathsf {PK}\lbrace (u_1,\alpha _x,\alpha _y,R_1,R_2,R_3): \mathsf {Com}_{p}(\alpha _x)= G_1^{\alpha _x} H_1^{R_1} \wedge \mathsf {Com}_{p}(\alpha _y)= G_1^{\alpha _y} H_1^{R_2} \wedge \mathsf {Com}_{n}(u_1)= G_2^{u_1} H_1^{R_3} \wedge (\alpha _x, \alpha _y) = u_1P \rbrace \)
 (b)
\(\mathsf {PK}\lbrace (u_2,\beta _x, \beta _y,R_1,R_2,R_3): \mathsf {Com}_{p}(\beta _x)= G_1^{\beta _x} H_1^{R_1} \wedge \mathsf {Com}_{p}(\beta _y)= G_1^{\beta _y} H_1^{R_2} \wedge \mathsf {Com}_{n}(u_2)= G_2^{u_2} H_1^{R_3} \wedge (\beta _x, \beta _y) = u_2Q \rbrace \)
 (c)
\(\mathsf {PK}\lbrace (r,\alpha _x,\alpha _y,\beta _x,\beta _y,R_1,R_2,R_3,R_4,R_5): \mathsf {Com}_{p}(\beta _x) = G_1^{\beta _x} H_1^{R_1} \wedge \mathsf {Com}_{p}(\beta _y) = G_1^{\beta _y} H_1^{R_2}\wedge \mathsf {Com}_{p}(\alpha _x) = G_1^{\alpha _x} H_1^{R_3}\wedge \mathsf {Com}_{p}(\alpha _y) = G_1^{\alpha _y} H_1^{R_4} \wedge \mathsf {Com}_{p}(r) = G_1^{r}H_1^{R_5}\wedge r= \left( (\alpha _x,\alpha _y) +(\beta _x,\beta _y) \right) _x \rbrace \)
 (d)
\(\mathsf {PK}\lbrace (M,u_1,s,R_1,R_2,R_3): \mathsf {Com}_{n}(M) = G_2^{M} H_2^{R_1}\wedge \mathsf {Com}_{n}(u_1) = G_2^{u_1} H_2^{R_2} \wedge \mathsf {Com}_{n}(s) = G_2^{s}H_2^{R_3}\wedge M=u_1 s \rbrace \)
 (e)
\(\mathsf {PK}\lbrace (r,u_2,s,R_1,R_2,R_3): \mathsf {Com}_{n}(r) = G_2^{r} H_2^{R_1}\wedge \mathsf {Com}_{n}(u_2) = G_2^{u_2} H_2^{R_2} \wedge \mathsf {Com}_{n}(s) = G_2^{s}H_2^{R_3}\wedge r=u_2 s \rbrace \)
 (a)
 6
The prover and verifier engage in \(\varPi _{Eq}\) with input \(\mathsf {Com}_{pn}(r)\).
The above protocol can be proven to be a zero knowledge proof of knowledge of ECDSA signature. The proofs for correctness, soundness and zeroknowledge are similar to the proofs of the protocol for the DSA signature.
Footnotes
 1.
 2.
Technically, [Bra99, BL13] work slightly differently in that the user and organization jointly compute the proof of knowledge of a signature as part of the credential issuance. However they still use a customized issuing protocol which would not be compatible with standardized signatures, and they use sigma protocols exactly as described here to prove that the committed attributes satisfy the policy.
 3.
This easily extends to standardized variants of RSA like RSAPSS.
 4.
DelignatLavaud et al. [DLFKP16] achieve a similar result using SNARKs, but with very different tradeoffs: their approach results in much shorter, noninteractive proofs, but much more expensive proof generation. They also explore several applications in more detail; in some of these applications, those which allow for interactive proofs, our protocols could be used to achieve these different tradeoffs.
References
 [BCKL08]Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Psignatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 [BHR12]Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 784–796. ACM (2012)Google Scholar
 [BL13]Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 1087–1098. ACM Press, November 2013Google Scholar
 [BR93]Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)Google Scholar
 [BR96]Bellare, M., Rogaway, P.: The exact security of digital signatures  how to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
 [Bra99]Brands, S.: Rethinking public key infrastructure and digital certificates– building in privacy. Ph.D. thesis, Eindhoven Institute of Technology, Eindhoven, The Netherlands (1999)Google Scholar
 [Cha86]Chaum, D.: Showing credentials without identification. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 241–244. Springer, Heidelberg (1986)CrossRefGoogle Scholar
 [CL01]Camenisch, J.L., Lysyanskaya, A.: An efficient system for nontransferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 [CL04]Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 [CMZ14]Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs and keyedverification anonymous credentials. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1205–1216. ACM Press, November 2014Google Scholar
 [CS97a]Camenisch, J.L., Stadler, M.A.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 [CS97b]Camenisch, J.L., Stadler, M.A.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 [CZ09]Camenisch, J., Zaverucha, G.M.: Private intersection of certified sets. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 108–127. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 [Dam00]Damgård, I.B.: Efficient concurrent zeroknowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 [DF02]Damgård, I.B., Fujisaki, E.: A statisticallyhiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
 [DLFKP16]DelignatLavaud, A., Fournet, C., Kohlweiss, M., Parno, B.: Cinderella: turning shabby X.509 certificates into elegant anonymous credentials with the magic of verifiable computation. In: IEEE Symposium on Security & Privacy 2016 (Oakland 2016). IEEE (2016)Google Scholar
 [FNO15]Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacyfree garbled circuits with applications to efficient zeroknowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 191–219. Springer, Heidelberg (2015)Google Scholar
 [FO97]Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 [FS86]Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
 [GGPR13]Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [GMR85]Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proofsystems (extended abstract). In: Proceedings of the 17th Annual ACM Symposium on Theory of Computing, 6–8 May 1985, Providence, Rhode Island, USA, pp. 291–304 (1985)Google Scholar
 [GMW87]Goldreich, O., Micali, S., Wigderson, A.: How to prove all NPstatements in zeroknowledge and a methodology of cryptographic protocol design. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 171–185. Springer, Heidelberg (1987)Google Scholar
 [GQ88]Guillou, L.C., Quisquater, J.J.: A practical zeroknowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)Google Scholar
 [Gro10]Groth, J.: Short pairingbased noninteractive zeroknowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [GS08]Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 [ide10]Specification of the identity mixer cryptographic library (revised version 2.3.0). Technical report RZ 3730, IBM Research, April 2010Google Scholar
 [JKO13]Jawurek, M., Kerschbaum, F., Orlandi, C.: Zeroknowledge using garbled circuits: how to prove nonalgebraic statements efficiently. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 955–966. ACM Press, November 2013Google Scholar
 [JS07]Jarecki, S.: Efficient twoparty secure computation on committed inputs. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 97–114. Springer, Heidelberg (2007)CrossRefGoogle Scholar
 [KKL+16]Kolesnikov, V., Krawczyk, H., Lindell, Y., Malozemoff, A.J., Rabin, T.: Attributebased key exchange with general policies. Cryptology ePrint Archive, Report 2016/518 (2016). http://eprint.iacr.org/
 [Knu69]Knuth, D.E.: The Art of Computer Programming Vol. 2: Seminumerical Algorithms, pp. 229–279. Addison Wesley, Reading (1969)Google Scholar
 [KS06]Kiraz, M., Schoenmakers, B.: A protocol issue for the malicious case of yaos garbled circuit construction. In: 27th Symposium on Information Theory in the Benelux, pp. 283–290 (2006)Google Scholar
 [KS08]Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 [KSS09]Kolesnikov, V., Sadeghi, A.R., Schneider, T.: Improved garbled circuit building blocks and applications to auctions and computing minima. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 1–20. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 [Lin15]Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and nonprogrammable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015)Google Scholar
 [MGGR13]Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: Anonymous distributed ecash from bitcoin. In: IEEE Symposium on Security and Privacy (SP), pp. 397–411. IEEE (2013)Google Scholar
 [MR13]Mohassel, P., Riva, B.: Garbled circuits checking garbled circuits: more efficient and secure twoparty computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 36–53. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [Ngu05]Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) CTRSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 [Ped91]Pedersen, T.P.: Noninteractive and informationtheoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
 [PS96]Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)Google Scholar
 [PZ13]Paquin, C., Zaverucha, G.: Uprove cryptographic specification v1.1 (revision 2) (2013). www.microsoft.com/uprove
 [S+11]shelat, A., Shen, C.: Twooutput secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 [Sch90]Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
 [Sta96]Stadler, M.A.: Publicly verifiable secret sharing. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996)Google Scholar
 [ZRE15]Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015)Google Scholar