Non-interactive zero-knowledge proofs of non-membership

Olivier Blazy; Céline Chevalier; Damien Vergnaud

doi:10.1007/978-3-319-16715-2_8

Non-interactive zero-knowledge proofs of non-membership

Olivier Blazy
, Céline Chevalier
, Damien Vergnaud

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Often, in privacy-sensitive cryptographic protocols, a party commits to a secret message m and later needs to prove that m belongs to a language L or that m does not belong to L (but does not want to reveal any further information). We present a method to prove in a non-interactive way that a committed value does not belong to a given language L. Our construction is generic and relies on the corresponding proof of membership to L. We present an efficient realization of our proof system by combining smooth projective hash functions and Groth-Sahai proof system. In 2009, Kiayias and Zhou introduced zero-knowledge proofs with witness elimination which enable to prove that a committed message m belongs to a set L in such a way that the verifier accepts the interaction only if m does not belong to a set determined by a public relation Q and some private input m‘ of the verifier. We show that the protocol they proposed is flawed and that a dishonest prover can actually make a verifier accept a proof for any message m ∈ L even if (m,m ‘) ∈ Q. Using our non-interactive proof of non-membership of committed values, we are able to fix their protocol and improve its efficiency. Our approach finds also efficient applications in other settings, e.g. in anonymous credential systems and privacy-preserving authenticated identification and key exchange protocols.

Original language	English
Title of host publication	Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings
Editors	Kaisa Nyberg
Publisher	Springer Verlag
Pages	145-164
Number of pages	20
ISBN (Electronic)	9783319167145
DOIs	https://doi.org/10.1007/978-3-319-16715-2_8
Publication status	Published - 1 Jan 2015
Externally published	Yes
Event	2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015 - San Francisco, United States Duration: 21 Apr 2015 → 24 Apr 2015

Publication series

Name	Lecture Notes in Computer Science
Volume	9048
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015
Country/Territory	United States
City	San Francisco
Period	21/04/15 → 24/04/15

Keywords

Groth-Sahai proof system
Smooth projective hash function
Witness elimination
Zero knowledge

Access to Document

10.1007/978-3-319-16715-2_8

Cite this

@inproceedings{c12045ae1e774272ad0d5fb3a8ff1950,

title = "Non-interactive zero-knowledge proofs of non-membership",

abstract = "Often, in privacy-sensitive cryptographic protocols, a party commits to a secret message m and later needs to prove that m belongs to a language L or that m does not belong to L (but does not want to reveal any further information). We present a method to prove in a non-interactive way that a committed value does not belong to a given language L. Our construction is generic and relies on the corresponding proof of membership to L. We present an efficient realization of our proof system by combining smooth projective hash functions and Groth-Sahai proof system. In 2009, Kiayias and Zhou introduced zero-knowledge proofs with witness elimination which enable to prove that a committed message m belongs to a set L in such a way that the verifier accepts the interaction only if m does not belong to a set determined by a public relation Q and some private input m{\textquoteleft} of the verifier. We show that the protocol they proposed is flawed and that a dishonest prover can actually make a verifier accept a proof for any message m ∈ L even if (m,m {\textquoteleft}) ∈ Q. Using our non-interactive proof of non-membership of committed values, we are able to fix their protocol and improve its efficiency. Our approach finds also efficient applications in other settings, e.g. in anonymous credential systems and privacy-preserving authenticated identification and key exchange protocols.",

keywords = "Groth-Sahai proof system, Smooth projective hash function, Witness elimination, Zero knowledge",

author = "Olivier Blazy and C{\'e}line Chevalier and Damien Vergnaud",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015 ; Conference date: 21-04-2015 Through 24-04-2015",

year = "2015",

month = jan,

day = "1",

doi = "10.1007/978-3-319-16715-2\_8",

language = "English",

series = "Lecture Notes in Computer Science",

publisher = "Springer Verlag",

pages = "145--164",

editor = "Kaisa Nyberg",

booktitle = "Topics in Cryptology - CT-RSA 2015 - The Cryptographers{\textquoteright} Track at the RSA Conference 2015, Proceedings",

}

Blazy, O, Chevalier, C & Vergnaud, D 2015, Non-interactive zero-knowledge proofs of non-membership. in K Nyberg (ed.), Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings. Lecture Notes in Computer Science, vol. 9048, Springer Verlag, pp. 145-164, 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015, San Francisco, United States, 21/04/15. https://doi.org/10.1007/978-3-319-16715-2_8

Non-interactive zero-knowledge proofs of non-membership. / Blazy, Olivier; Chevalier, Céline; Vergnaud, Damien.
Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings. ed. / Kaisa Nyberg. Springer Verlag, 2015. p. 145-164 (Lecture Notes in Computer Science; Vol. 9048).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Non-interactive zero-knowledge proofs of non-membership

AU - Blazy, Olivier

AU - Chevalier, Céline

AU - Vergnaud, Damien

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2015.

PY - 2015/1/1

Y1 - 2015/1/1

N2 - Often, in privacy-sensitive cryptographic protocols, a party commits to a secret message m and later needs to prove that m belongs to a language L or that m does not belong to L (but does not want to reveal any further information). We present a method to prove in a non-interactive way that a committed value does not belong to a given language L. Our construction is generic and relies on the corresponding proof of membership to L. We present an efficient realization of our proof system by combining smooth projective hash functions and Groth-Sahai proof system. In 2009, Kiayias and Zhou introduced zero-knowledge proofs with witness elimination which enable to prove that a committed message m belongs to a set L in such a way that the verifier accepts the interaction only if m does not belong to a set determined by a public relation Q and some private input m‘ of the verifier. We show that the protocol they proposed is flawed and that a dishonest prover can actually make a verifier accept a proof for any message m ∈ L even if (m,m ‘) ∈ Q. Using our non-interactive proof of non-membership of committed values, we are able to fix their protocol and improve its efficiency. Our approach finds also efficient applications in other settings, e.g. in anonymous credential systems and privacy-preserving authenticated identification and key exchange protocols.

AB - Often, in privacy-sensitive cryptographic protocols, a party commits to a secret message m and later needs to prove that m belongs to a language L or that m does not belong to L (but does not want to reveal any further information). We present a method to prove in a non-interactive way that a committed value does not belong to a given language L. Our construction is generic and relies on the corresponding proof of membership to L. We present an efficient realization of our proof system by combining smooth projective hash functions and Groth-Sahai proof system. In 2009, Kiayias and Zhou introduced zero-knowledge proofs with witness elimination which enable to prove that a committed message m belongs to a set L in such a way that the verifier accepts the interaction only if m does not belong to a set determined by a public relation Q and some private input m‘ of the verifier. We show that the protocol they proposed is flawed and that a dishonest prover can actually make a verifier accept a proof for any message m ∈ L even if (m,m ‘) ∈ Q. Using our non-interactive proof of non-membership of committed values, we are able to fix their protocol and improve its efficiency. Our approach finds also efficient applications in other settings, e.g. in anonymous credential systems and privacy-preserving authenticated identification and key exchange protocols.

KW - Groth-Sahai proof system

KW - Smooth projective hash function

KW - Witness elimination

KW - Zero knowledge

U2 - 10.1007/978-3-319-16715-2_8

DO - 10.1007/978-3-319-16715-2_8

M3 - Conference contribution

AN - SCOPUS:84930431722

T3 - Lecture Notes in Computer Science

SP - 145

EP - 164

BT - Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings

A2 - Nyberg, Kaisa

PB - Springer Verlag

T2 - 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015

Y2 - 21 April 2015 through 24 April 2015

ER -

Non-interactive zero-knowledge proofs of non-membership

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this