[Resource Topic] 2021/457: Non-Interactive Composition of Sigma-Protocols via Share-then-Hash

Welcome to the resource topic for 2021/457

Non-Interactive Composition of Sigma-Protocols via Share-then-Hash

Authors: Masayuki Abe, Miguel Ambrona, Andrej Bogdanov, Miyako Ohkubo, Alon Rosen


Proofs of partial knowledge demonstrate the possession of certain subsets of witnesses for a given collection of statements $x_1,\dots,x_n$. Cramer, Damgård, and Schoenmakers (CDS), built proofs of partial knowledge, given "atomic" protocols for individual statements $x_i$, by having the prover randomly secret share the verifier's challenge and using the shares as challenges for the atomic protocols. This simple and highly-influential transformation has been used in numerous applications, ranging from anonymous credentials to ring signatures. We consider what happens if, instead of using the shares directly as challenges, the prover first hashes them. We show that this elementary enhancement can result in significant benefits:

- the proof contains a single atomic transcript per statement $x_i$,
- it suffices that the atomic protocols are $\kappa$-special sound for $\kappa \geq 2$,
- when compiled to a signature scheme using the Fiat-Shamir heuristic, its unforgeability can be proved in the non-programmable random oracle model.

None of the above features is satisfied by the CDS transformation.

ePrint: https://eprint.iacr.org/2021/457

Talk: https://www.youtube.com/watch?v=sn14aEt47ck

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.
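
The CDS baseline that the abstract contrasts against, as an added example that is not from the paper or its authors: a 1-of-2 OR-proof over two Schnorr statements, where the prover simulates the transcript it has no witness for and splits the verifier's challenge additively mod Q. The toy group parameters and all function names are assumptions made for illustration; the share-then-hash variant is not shown because the page does not give its details.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (witness w, statement x = G^w mod P)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def simulate(x, c):
    """Schnorr simulator: choose the response z first, then solve for the commitment."""
    z = secrets.randbelow(Q)
    return pow(G, z, P) * pow(x, -c, P) % P, z

def prove_commit(xs, known):
    """First message: honest commitment at index `known`, simulated transcript at the other."""
    other = 1 - known
    r, c_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    a_sim, z_sim = simulate(xs[other], c_sim)
    a = [0, 0]
    a[known], a[other] = pow(G, r, P), a_sim
    return a, (known, r, c_sim, z_sim)

def prove_respond(state, w, c):
    """Split the verifier's challenge c into two shares that add up to c mod Q."""
    known, r, c_sim, z_sim = state
    other = 1 - known
    cs, zs = [0, 0], [0, 0]
    cs[other], zs[other] = c_sim, z_sim
    cs[known] = (c - c_sim) % Q           # the only share the prover cannot choose freely
    zs[known] = (r + cs[known] * w) % Q   # needs the real witness
    return cs, zs

def verify(xs, a, c, cs, zs):
    """Check the shares recombine to c and both atomic Schnorr transcripts accept."""
    if len(cs) != 2 or len(zs) != 2 or any(not 0 <= v < Q for v in cs + zs):
        return False
    if sum(cs) % Q != c % Q:
        return False
    return all(pow(G, zs[i], P) == a[i] * pow(xs[i], cs[i], P) % P for i in range(2))
```

A prover with no witness can simulate both transcripts, but only for a challenge equal to the sum of the shares it fixed in advance, which is what the share-recombination check in `verify` enforces.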