[Resource Topic] 2016/399: Slow Motion Zero Knowledge Identifying With Colliding Commitments

Welcome to the resource topic for 2016/399

Slow Motion Zero Knowledge Identifying With Colliding Commitments

Authors: Houda Ferradi, Rémi Géraud, David Naccache


Discrete-logarithm authentication protocols are known to present two interesting features: The first is that the prover’s commitment, x=g^r, claims most of the prover’s computational effort. The second is that x does not depend on the challenge and can hence be computed in advance. Provers exploit this feature by pre-loading (or pre-computing) ready to use commitment pairs r_i,x_i. The r_i can be derived from a common seed but storing each x_i still requires 160 to 256 bits when implementing DSA or Schnorr. This paper proposes a new concept called slow motion zero-knowledge. SM-ZK allows the prover to slash commitment size (by a factor of 4 to 6) by combining classical zero-knowledge and a timing side-channel. We pay the conceptual price of requiring the ability to measure time but, in exchange, obtain communication-efficient protocols.

ePrint: https://eprint.iacr.org/2016/399

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.
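
The commitment precomputation the abstract describes, shown for classical Schnorr identification as an added example (not code from the paper or its authors, and not an implementation of SM-ZK itself). The toy group parameters, the HMAC-SHA256 derivation of the r_i from the seed, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group, constructed for this example only (far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4


def derive_r(seed: bytes, i: int) -> int:
    """Derive the i-th nonce r_i from the common seed (HMAC-SHA256 used as a PRF)."""
    mac = hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q


def precompute_coupons(seed: bytes, n: int) -> list:
    """Offline phase: the costly exponentiations x_i = g^{r_i} mod p."""
    return [pow(G, derive_r(seed, i), P) for i in range(n)]


class Prover:
    def __init__(self, secret: int, seed: bytes, n: int):
        self.secret, self.seed = secret, seed
        self.coupons = precompute_coupons(seed, n)  # only the x_i are stored
        self.next, self.pending = 0, None

    def commit(self) -> int:
        # Each (r_i, x_i) pair is single-use; answering two challenges with
        # the same r_i would expose the secret key.
        if self.next >= len(self.coupons):
            raise RuntimeError("commitment pairs exhausted")
        self.pending, self.next = self.next, self.next + 1
        return self.coupons[self.pending]

    def respond(self, challenge: int) -> int:
        if self.pending is None:
            raise RuntimeError("no open commitment")
        i, self.pending = self.pending, None
        # Online phase: one multiplication and one addition mod q.
        return (derive_r(self.seed, i) + challenge * self.secret) % Q


def verify(public: int, x: int, challenge: int, z: int) -> bool:
    """Verifier's check g^z == x * y^c (mod p), with y = g^secret."""
    return pow(G, z, P) == (x * pow(public, challenge, P)) % P


def run_session(prover: Prover, public: int) -> bool:
    x = prover.commit()                # independent of the challenge
    c = secrets.randbelow(Q)           # challenge chosen after x is received
    return verify(public, x, c, prover.respond(c))
```

The prover stores one group element per session, which is the per-commitment cost the abstract says SM-ZK reduces.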