Statistically Hiding Sets

Zero-knowledge set is a primitive introduced by Micali, Rabin, and Kilian (FOCS 2003)which enables a prover to commit a set to a verifier, without revealing even the size of the set.Later the prover can give zero-knowledge proofs to convince the verifier of membership/non-membership of elements in/not in the committed set.We present a new primitive called Statistically Hiding Sets (SHS), similar to zero-knowledgesets, but providing an information theoretic hiding guarantee, rather than one based on efficientsimulation. This is comparable to relaxing zero-knowledge proofs to witness independent proofs.More precisely, we continue to use the simulation paradigm for our definition, but do not requirethe simulator (nor the distinguisher) to be efficient.We present a new scheme for statistically hiding sets, which does not fit into the “Merkle-tree/mercurial-commitment” paradigm that has been used for all zero-knowledge set construc-tions so far. This not only provides efficiency gains compared to the best schemes in thatparadigm, but also lets us provide statistical hiding; previous approaches required the prover tomaintain growing amounts of state with each new proof for this.Our construction is based on an algebraic tool called trapdoor DDH groups (TDG), intro-duced recently by Dent and Galbraith (ANTS 2006). Ours is perhaps the first non-trivialapplication of this tool. However the specific hardness assumptions we associate with TDGare different, and of a strong nature — strong RSA and a knowledge-of-exponent assumption.Our new knowledge-of-exponent assumption may be of independent interest. We prove thisassumption in the generic group model.