Professional Documents
Culture Documents
03 ZK
03 ZK
Exercise 3 – Zero-Knowledge
Prof. Dr.-Ing. Thomas Schneider
M.Sc. Helen Möllering
In Schnorr’s DLOG proof, P proves to V that she knows ω without revealing it to V . Why can’t P just use ω to sign some
challenge from V in order to prove that she knows ω?
Alice and Bob have established a shared key Kab in a Diffie-Hellman Key Exchange, as shown in Figure 1.
DHKE
Alice Bob
a ∈R Z∗q (G, q, g), g a
gb b ∈R Z∗q
Kab = (g b )a = g ab Kab = (g a )b = g ab
1. Use the AND-proof from the lecture to prove that Alice and Bob have established the key Kab by defining the
AND-proof values g0 , g1 , h0 , h1 , and ω using the corresponding DHKE values.
2. What is protected by using this AND-proof and why is it useful?
Build a ring signature scheme that allows to prove that a message m was signed by (at least) one party out of a set
of three parties. The signature scheme must be non-interactive and should be based on Σ-protocols. You can use the
random oracle model (ROM). The three parties have three different private keys ωi , and corresponding public keys hi . 1
1. Describe in Camenisch-Stadler notation and in your own words what you are proving.
2. Show how a signer, knowing a single private key ω0 , can create a valid ring signature. Assume that the first of the
three parties creates the signature.
3. How can such a ring signature be verified?
1 Hints: Schnorr’s DLOG protocol, OR-proofs, and the Fiat-Shamir heuristic might be useful in this exercise.
1
4. What is protected by using such a ring signature scheme?
5. How can the concrete communication complexity of this scheme be improved?
6. What is the size of this original ring signature above for today’s recommended security parameters (|p| =
2048 bit, |q| = 256 bit, t = 256 bit) when the underlying group is instantiated as a subgroup of Z∗p of prime order
q? By how much do the optimizations before improve over that?