Scribd Logo
Upload

Welcome to Scribd!

  • 03 ZK

    Uploaded by

    Daudet Polycarpe Tiomela
    4 views2 pages
    This document discusses three cryptographic protocols: 1) Schnorr's DLOG proof, which allows a party P to prove knowledge of a secret value ω to another party V without revealing ω. 2) Using an AND-proof to prove that Alice and Bob established a shared key Kab in a Diffie-Hellman key exchange without revealing their private values. 3) A proposed Σ-protocol ring signature scheme that allows a signer to prove a message was signed by one party in a set of three parties, without revealing which party, using zero-knowledge proofs. The document asks questions about how this scheme could be implemented and optimized.

    Original Description:

    Original Title

    03_ZK

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses three cryptographic protocols: 1) Schnorr's DLOG proof, which allows a party P to prove knowledge of a secret value ω to another party V without revealing ω. 2) Using an AND-proof to prove that Alice and Bob established a shared key Kab in a Diffie-Hellman key exchange without revealing their private values. 3) A proposed Σ-protocol ring signature scheme that allows a signer to prove a message was signed by one party in a set of three parties, without revealing which party, using zero-knowledge proofs. The document asks questions about how this scheme could be implemented and optimized.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    4 views2 pages

    03 ZK

    Uploaded by

    Daudet Polycarpe Tiomela
    This document discusses three cryptographic protocols: 1) Schnorr's DLOG proof, which allows a party P to prove knowledge of a secret value ω to another party V without revealing ω. 2) Using an AND-proof to prove that Alice and Bob established a shared key Kab in a Diffie-Hellman key exchange without revealing their private values. 3) A proposed Σ-protocol ring signature scheme that allows a signer to prove a message was signed by one party in a set of three parties, without revealing which party, using zero-knowledge proofs. The document asks questions about how this scheme could be implemented and optimized.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 2

    Cryptographic Protocols

    Exercise 3 – Zero-Knowledge
    Prof. Dr.-Ing. Thomas Schneider
    M.Sc. Helen Möllering

    Summer 2021– v1.0

    1 Schnorr’s DLOG Proof

    In Schnorr’s DLOG proof, P proves to V that she knows ω without revealing it to V . Why can’t P just use ω to sign some
    challenge from V in order to prove that she knows ω?

    2 Diffie-Hellman Key-Exchange (DHKE) / Diffie-Hellman Tuples

    Alice and Bob have established a shared key Kab in a Diffie-Hellman Key Exchange, as shown in Figure 1.

    DHKE
    Alice Bob
    a ∈R Z∗q (G, q, g), g a

    gb b ∈R Z∗q

    Kab = (g b )a = g ab Kab = (g a )b = g ab

    Figure 1: DHKE between Alice and Bob.

    1. Use the AND-proof from the lecture to prove that Alice and Bob have established the key Kab by defining the
    AND-proof values g0 , g1 , h0 , h1 , and ω using the corresponding DHKE values.
    2. What is protected by using this AND-proof and why is it useful?

    3 Σ-Protocol Ring Signature

    Build a ring signature scheme that allows to prove that a message m was signed by (at least) one party out of a set
    of three parties. The signature scheme must be non-interactive and should be based on Σ-protocols. You can use the
    random oracle model (ROM). The three parties have three different private keys ωi , and corresponding public keys hi . 1
    1. Describe in Camenisch-Stadler notation and in your own words what you are proving.
    2. Show how a signer, knowing a single private key ω0 , can create a valid ring signature. Assume that the first of the
    three parties creates the signature.
    3. How can such a ring signature be verified?
    1 Hints: Schnorr’s DLOG protocol, OR-proofs, and the Fiat-Shamir heuristic might be useful in this exercise.

    1
    4. What is protected by using such a ring signature scheme?
    5. How can the concrete communication complexity of this scheme be improved?
    6. What is the size of this original ring signature above for today’s recommended security parameters (|p| =
    2048 bit, |q| = 256 bit, t = 256 bit) when the underlying group is instantiated as a subgroup of Z∗p of prime order
    q? By how much do the optimizations before improve over that?

    You might also like