Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order
نویسندگان
چکیده
For many one-way homomorphisms used in cryptography, there exist efficient zero-knowledge proofs of knowledge of a preimage. Examples of such homomorphisms are the ones underlying the Schnorr or the Guillou-Quisquater identification protocols. In this paper we present, for the first time, efficient zero-knowledge proofs of knowledge for exponentiation ψ(x1) . = h1 1 and multi-exponentiation homomorphisms ψ(x1, . . . , xl) . = h1 1 · . . . · hl l with h1, . . . , hl ∈ H (i.e., proofs of knowledge of discrete logarithms and representations) where H is a group of hidden order, e.g., an RSA group.
منابع مشابه
Efficiency Limitations for Σ-Protocols for Group Homomorphisms
Efficient zero-knowledge proofs of knowledge for group homomorphisms are essential for numerous systems in applied cryptography. Especially, Σ-protocols for proving knowledge of discrete logarithms in known and hidden order groups are of prime importance. Yet, while these proofs can be performed very efficiently within groups of known order, for hidden order groups the respective proofs are far...
متن کاملQuantum factoring, discrete logarithms, and the hidden subgroup problem
Amongst the most remarkable successes of quantum computation are Shor’s efficient quantum algorithms for the computational tasks of integer factorisation and the evaluation of discrete logarithms. In this article we review the essential ingredients of these algorithms and draw out the unifying generalization of the so-called abelian hidden subgroup problem. This involves an unexpectedly harmoni...
متن کاملQuantum computation of discrete logarithms in semigroups
We describe an efficient quantum algorithm for computing discrete logarithms in semigroups using Shor’s algorithms for period finding and discrete log as subroutines. Thus proposed cryptosystems based on the presumed hardness of discrete logarithms in semigroups are insecure against quantum attacks. In contrast, we show that some generalizations of the discrete log problem are hard in semigroup...
متن کاملBatch Proofs of Partial Knowledge
We present a practical attack on the soundness of Peng and Bao’s ‘batch zero-knowledge proof and verification’ protocol for proving knowledge and equality of one-out-of-n pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurial-esque binding property: the prover commits to just n− 1 values, but later opens the commitment to n values wi...
متن کاملPractical Verifiable Encryption and Decryption of Discrete Logarithms
This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations ...
متن کامل