Zero-Knowledge Sets with Short Proofs

  • Dario Catalano
  • Dario Fiore
  • Mariagrazia Messina
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4965)


Zero Knowledge Sets, introduced by Micali, Rabin and Kilian in [17], allow a prover to commit to a secret set S in such a way that it can later prove, non-interactively, statements of the form x ∈ S (or x ∉ S) without revealing any further information about S (beyond what the inclusion/exclusion statements themselves reveal), not even its size. Later, Chase et al. [5] abstracted away the Micali, Rabin and Kilian construction by introducing an elegant new variant of commitments that they called (trapdoor) mercurial commitments. Using this primitive, it was shown in [5,4] how to construct zero knowledge sets from a variety of assumptions (both general and number theoretic).

In this paper we introduce the notion of trapdoor q-mercurial commitments (qTMCs), a variant of mercurial commitment that allows the sender to commit to an ordered sequence of exactly q messages rather than to a single one. Following [17,5], we show how to construct ZKS from qTMCs and collision resistant hash functions.

Then, we present an efficient realization of qTMCs that is secure under the so-called Strong Diffie-Hellman assumption, a number theoretic conjecture recently introduced by Boneh and Boyen in [3]. Using our scheme as the basic building block, we obtain a construction of ZKS whose proofs are much shorter than those of the best previously known implementations. In particular, for an appropriate choice of the parameters, our proofs are up to 33% shorter for proofs of membership, and up to 73% shorter for proofs of non-membership.




References

  1. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (1993)
  2. Blum, M., De Santis, A., Micali, S., Persiano, G.: Non-Interactive Zero Knowledge. SIAM Journal on Computing 20(6) (1991)
  3. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027. Springer, Heidelberg (2004)
  4. Catalano, D., Dodis, Y., Visconti, I.: Mercurial Commitments: Minimal Assumptions and Efficient Constructions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876. Springer, Heidelberg (2006)
  5. Chase, M., Healy, A., Lysyanskaya, A., Malkin, T., Reyzin, L.: Mercurial commitments with applications to zero-knowledge sets. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
  6. Cheon, J.H.: Security Analysis of the Strong Diffie-Hellman Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004. Springer, Heidelberg (2006)
  7. Cramer, R., Damgård, I.: New Generation of Secure and Practical RSA-based Signatures. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 173–185. Springer, Heidelberg (1996)
  8. Damgård, I.: Collision free hash functions and public key signature schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)
  9. Dwork, C., Naor, M.: An efficient existentially unforgeable signature scheme and its applications. Journal of Cryptology 11(3), 187–208 (1998)
  10. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for Cryptographers. Cryptology ePrint Archive, Report 2006/165 (2006)
  11. Gennaro, R., Micali, S.: Independent Zero-Knowledge Sets. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052. Springer, Heidelberg (2006)
  12. Goldwasser, S., Ostrovsky, R.: Invariant Signatures and Non-Interactive Zero Knowledge Proofs are Equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740. Springer, Heidelberg (1993)
  13. Lim, C.H.: Efficient Multi-Exponentiation and Application to Batch Verification of Digital Signatures. Unpublished manuscript (August 2000)
  14. Lim, C.H.: More Flexible Exponentiation with Precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839. Springer, Heidelberg (1994)
  15. Liskov, M.: Updatable zero-knowledge databases. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788. Springer, Heidelberg (2005)
  16. Merkle, R.: A Digital Signature Based on a Conventional Encryption Function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)
  17. Micali, S., Rabin, M., Kilian, J.: Zero-Knowledge Sets. In: Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science – FOCS 2003 (2003)
  18. Micali, S., Rabin, M., Vadhan, S.: Verifiable Random Functions. In: Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science – FOCS 1999 (1999)
  19. Ostrovsky, R., Rackoff, C., Smith, A.: Efficient consistency proofs for generalized queries on a committed database. In: Díaz, J., Karhumäki, J., Lepistö, A., Sannella, D. (eds.) ICALP 2004. LNCS, vol. 3142. Springer, Heidelberg (2004)
  20. Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)
  21. Prabhakaran, M., Xue, R.: Statistically Hiding Sets. Cryptology ePrint Archive, Report 2007/349 (2007)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Dario Catalano (1)
  • Dario Fiore (1)
  • Mariagrazia Messina (2)
  1. Dipartimento di Matematica ed Informatica, Università di Catania, Italy
  2. Microsoft Italia