We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin.
Our ring signatures are very small compared to other ring signature schemes and we only assume the users' secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we rely on a weak cryptographic assumption and do not require a trusted setup.
A third application of our Sigma protocol is an efficient proof of membership of a secret committed value belonging to a public list.
Category / Keywords: cryptographic protocols / Sigma-protocol, zero-knowledge, disjunctive proof, ring signature, zerocoin, membership proof Date: received 29 Sep 2014 Contact author: j groth at ucl ac uk Available format(s): PDF | BibTeX Citation Version: 20140930:123207 (All versions of this report) Short URL: ia.cr/2014/764 Discussion forum: Show discussion | Start new discussion