离散对数
承诺方案
计算机科学
航程(航空)
群(周期表)
安全参数
煤气表校准仪
离散数学
集合(抽象数据类型)
数学证明
对数
二进制对数
零知识证明
理论计算机科学
算法
密码学
数学
加密
公钥密码术
计算机安全
几何学
复合材料
数学分析
有机化学
化学
材料科学
程序设计语言
作者
Jan Camenisch,Rafik Chaabouni,Abhi Shelat
标识
DOI:10.1007/978-3-540-89255-7_15
摘要
We consider the following problem: Given a commitment to a value σ, prove in zero-knowledge that σ belongs to some discrete set Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a numerical range such as [1,220]. This problem arises in e-cash systems, anonymous credential systems, and various other practical uses of zero-knowledge protocols. When using commitment schemes relying on RSA-like assumptions, there are solutions to this problem which require only a constant number of RSA-group elements to be exchanged between the prover and verifier [5, 15, 16]. However, for many commitment schemes based on bilinear group assumptions, these techniques do not work, and the best known protocols require O(k) group elements to be exchanged where k is a security parameter. In this paper, we present two new approaches to building set-membership proofs. The first is based on bilinear group assumptions. When applied to the case where Φ is a range of integers, our protocols require $O(\frac{k}{\log k - \log\log k})$ group elements to be exchanged. Not only is this result asymptotically better, but the constants are small enough to provide significant improvements even for small ranges. Indeed, for a discrete logarithm based setting, our new protocol is an order of magnitude more efficient than previously known ones. We also discuss alternative implementations of our membership proof based on the strong RSA assumption. Depending on the application, e.g., when Φ is a published set of values such a frequent flyer clubs, cities, or other ad hoc collections, these alternative also outperform prior solutions.
科研通智能强力驱动
Strongly Powered by AbleSci AI