Cryptology ePrint Archive: Report 2021/457

Non-Interactive Composition of Sigma-Protocols via Share-then-Hash

Masayuki Abe and Miguel Ambrona and Andrej Bogdanov and Miyako Ohkubo and Alon Rosen

Abstract: Proofs of partial knowledge demonstrate the possession of certain subsets of witnesses for a given collection of statements $x_1,\dots,x_n$. Cramer, Damgård, and Schoenmakers (CDS), built proofs of partial knowledge, given ``atomic'' protocols for individual statements $x_i$, by having the prover randomly secret share the verifier's challenge and using the shares as challenges for the atomic protocols. This simple and highly-influential transformation has been used in numerous applications, ranging from anonymous credentials to ring signatures.

We consider what happens if, instead of using the shares directly as challenges, the prover first hashes them. We show that this elementary enhancement can result in significant benefits: \begin​{itemize} \item the proof contains a {\em single} atomic transcript per statement $x_i$, \item it suffices that the atomic protocols are $\kappa$-special sound for $\kappa \geq 2$, \item when compiled to a signature scheme using the Fiat-Shamir heuristic, its unforgeability can be proved in the {\em non-programmable} random oracle model. \end{itemize} None of the above features is satisfied by the CDS transformation.

Category / Keywords: foundations / sigma-protocols, random oracles, proof of partial knowledge

Original Publication (in the same form): IACR-ASIACRYPT-2020
DOI:
10.1007/978-3-030-64840-4\_25

Date: received 7 Apr 2021, last revised 7 Apr 2021

Contact author: masayuki abe cp at hco ntt co jp, miguel ambrona fu at hco ntt co jp, andrejb at cse cuhk edu hk, m ohkubo at nict go jp, alon rosen at idc ac il

Available format(s): PDF | BibTeX Citation

Version: 20210408:122629 (All versions of this report)

Short URL: ia.cr/2021/457


[ Cryptology ePrint archive ]