Efficient Zero-Knowledge Proofs of Knowledge for Homomorphisms

Dissertation

Submitted to the Fakultät für Elektrotechnik und Informationstechnik at the Ruhr-Universität Bochum

for the Degree of Doktor-Ingenieur

by

Endre Bangerter

Bochum, Germany, July 2005

Abstract

Efficient zero-knowledge proofs of knowledge for homomorphisms are a building block in a vast number of constructions in applied cryptography. Examples are: identification-, signature-, group signature-, anonymous credential-, and identity escrow-schemes as well as voting systems, e-cash, multi-party computations, and trusted computing. This dissertation studies efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms. We prove that there are inherent efficiency limitations for existing proofs of knowledge for homomorphisms and describe novel proofs of knowledge that overcome these efficiency limitations.

All efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol. We refer to this protocol as the Σψ-protocol. While all efficient zero-knowledge proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true: the Σψ-protocol is not known to yield efficient proofs of knowledge for all practically relevant homomorphisms. It was not known whether these efficiency limitations are inherent to the Σψ-protocol or whether they are limitations that can be overcome, i.e., limitations which are due to the conditions under which the Σψ-protocol currently is known to be a proof of knowledge. We prove in different settings and for different homomorphisms that the efficiency limitations of the Σψ-protocol are inherent to the protocol, and hence cannot be overcome.

In particular, for the practically important class of exponentiation homomorphisms $\psi_E(x) \doteq h^x$ and $\psi_E(x_1, \ldots, x_l) \doteq h_1^{x_1} \cdots h_l^{x_l}$ in hidden order groups (e.g., RSA groups or class groups) no efficient zero-knowledge proofs of knowledge were known; neither using the Σψ-protocol, nor using any other protocol. We describe novel protocols that for the first time allow one to obtain efficient zero-knowledge proofs of knowledge for such homomorphisms.

Summary (Kurzzusammenfassung)

Efficient zero-knowledge proofs of knowledge for homomorphisms are basic building blocks of a large number of cryptographic applications. Examples are (anonymous) identification, (group) signature, and voting systems, as well as digital cash, distributed computations, and so-called trusted computing. Bounds on the efficiency of such proofs are therefore of great practical importance. This dissertation deals with efficient zero-knowledge proofs of knowledge for homomorphisms. On the one hand, we examine the efficiency limitations of existing proofs of knowledge for homomorphisms and show that such proofs are subject to inherent efficiency limitations, which therefore cannot be overcome in principle. On the other hand, we describe new protocols that are able to overcome these limitations.

All existing efficient zero-knowledge proofs of knowledge for homomorphisms are instances of a single protocol. We refer to this protocol as the Σψ-protocol. The converse, however, does not hold: the Σψ-protocol does not yield efficient proofs of knowledge for all practically relevant homomorphisms. It was an open question whether these efficiency limitations are inherent to the Σψ-protocol, or whether they can possibly be overcome. We contribute to settling this question by proving that, under various assumptions and for various homomorphisms, the efficiency limitations mentioned are indeed inherent to the protocol and hence cannot be overcome.

In particular, for the practically relevant class of exponentiation homomorphisms $\psi_E(x) \doteq h^x$ and $\psi_E(x_1, \ldots, x_l) \doteq h_1^{x_1} \cdots h_l^{x_l}$ in groups of unknown order (such as RSA groups or class groups), no zero-knowledge proofs of knowledge were previously known, neither by means of the Σψ-protocol nor by means of other protocols. We describe new protocols that for the first time yield efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms in groups of unknown order. Thus we have not only shown that insurmountable efficiency limitations exist for previous protocols, but are also able to overcome them by means of new protocols.

Acknowledgments

I am profoundly grateful to Jan Camenisch and Ahmad Sadeghi for supporting me and without whom creating this thesis would not have been possible. I am also indebted to Jörg Schwenk for being one of the referees of this thesis and for taking on the time-consuming work arising from this role, and to Ueli Maurer for proposing the topic of this thesis. Many thanks to Dieter Sommer and Markus Rohe who have proofread parts of this thesis and helped me to improve the text with their insightful comments. This thesis was elaborated at the IBM Zurich Research Lab between 2001 and 2004 and at the University of Bochum during winter 2005. I would like to take the opportunity to thank the following people from these institutions: Michael Waidner, Birgit Pfitzmann, Matthias Schunter, Michael Backes, Christopher Giblin, Thomas Gross, Günter Karjoth, Irmgard Kühn, Luke O’Connor, Christof Paar, Jonathan Poritz, Andy Rupp, Els Van Herreweghen, Christian Cachin, Andreas Wespi, Morton Swimmer.

Contents

1 Introduction  9
1.1 Results  11
1.1.1 Efficiency limitations of the Σψ-protocol  12
1.1.2 Efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups  13
1.2 Outline  14
2 Basic concepts  15
2.1 Some notation  15
2.2 Complexity theory  16
2.2.1 Algorithms and reducibility  16
2.2.2 Two-party protocols  21
2.3 Group theory  21
2.3.1 Notation and basic facts  22
2.3.2 Computational aspects  24
2.3.3 Concrete groups and homomorphisms used in  30
2.3.4 A note on the presentation  36
2.4 Zero-knowledge proofs  37
2.4.1 Definitions  38
2.4.2 Some fundamental results  43
3 Pseudo-preimages and related computational problems  45
3.1 Definition and basic facts  46
3.2 Pseudo-preimage problem  47
3.2.1 Solvable instances of the pseudo-preimage problem  47
3.2.2 Hardness of the pseudo-preimage problem  50
3.3 Pseudo-preimage generation problem  53
4 The Σψ-protocol  61
4.1 Protocol definitions and the zero-knowledge property  63
4.2 Proof of knowledge property  67
4.2.1 A note on pseudo-preimage extractors  72
4.3 Knowledge error and efficiency of the Σψ-protocol  73
4.3.1 Efficiency analysis  74
4.3.2 Efficiency limitations and the minimal standard knowledge error  76
4.4 Interactive proofs  77
4.5 The Damgaard-Fujisaki scheme  80
5 On the optimality of the standard knowledge extractor of the Σψ-protocol  85
5.1 Definition of lower bound on the knowledge error  87
5.2 Lower bounds in the generic model  89
5.2.1 Model  91
5.2.2 Pseudo-random functions  95
5.2.3 Results  96
5.3 Lower bounds in the plain model  99
5.3.1 Lower bounds for power homomorphisms  99
5.3.2 Lower bounds for exponentiation homomorphisms  102
5.4 Proof of Theorem 5.1  110
5.4.1 Preliminaries  111
5.4.2 Definition of cheating prover P* and D_K(k)  114
5.4.3 Non-triviality and uniformity  115
5.4.4 Hardness  115
5.4.5 Evaluation of bounds in the simulated world  120
6 Efficient proofs of knowledge for exponentiation homomorphisms  125
6.1 Auxiliary information in the common input  127
6.2 The Σψ-protocol in the auxiliary setting  128
6.2.1 Sketch of basic idea  128
6.2.2 Formalization of basic idea  129
6.2.3 Application to exponentiation homomorphisms in hidden order groups  132
6.3 The Σψ+- and the Σψ+-WS-protocol  138
6.3.1 Proofs of knowledge in the auxiliary string model  138
6.3.2 The Σψ+-protocol  140
6.3.3 The Σψ+-WS-protocol  149
6.4 Comparison  154
7 Concluding remarks  156
Bibliography  158

1 Introduction

Zero-knowledge proofs of knowledge are a key building block for a large number of results in theoretical and in applied cryptography. A zero-knowledge proof of knowledge allows a prover to demonstrate to a verifier that it knows a solution of a search problem, whereas the verifier learns nothing about the solution. More precisely, a proof of knowledge is a protocol between a prover and a verifier. The common protocol input is an instance of a search problem, and the prover’s input is a solution of the problem. At the end of the protocol execution the verifier either accepts or rejects. If a prover succeeds in getting the verifier to accept with a probability larger than some threshold probability (the knowledge error), then the verifier can be assured that the prover “knows a solution” of the problem instance at hand. “Knowing a solution” means that an algorithm (the knowledge extractor) exists that, given the prover as a black-box, computes the desired solution.

The notions of zero-knowledge and proof of knowledge originate in a seminal paper by Goldwasser, Micali, and Rackoff [GMR85]. The notion of zero-knowledge was formally introduced in the context of so-called interactive proofs (an interactive proof allows a prover to demonstrate the validity of an assertion to a verifier), while the idea of a proof of knowledge was coined, but not formalized. Subsequently, formal definitions of a proof of knowledge were given by Tompa and Woll [TW87] and Feige, Fiat, and Shamir [FFS88]. A more refined definition, which is the commonly used definition nowadays, was later proposed by Bellare and Goldreich [BG92]. Fundamental results of theoretical cryptography by Goldreich, Micali, and Wigderson [GMW86] and by Brassard, Chaum, and Crépeau [BCC88] describe generic techniques that yield zero-knowledge proofs of knowledge for all NP search problems. The class of NP search problems consists of search problems for which one can efficiently test whether one has found a solution.

Essentially all constructions in applied (public key) cryptography are based on (group) homomorphisms. These are mappings ψ : G → H, where the domain is the group (G, +) and the co-domain is the group (H, ·), such that $\psi(x + x') = \psi(x) \cdot \psi(x')$ for all x and x' from G. In a proof of knowledge for a homomorphism, a prover demonstrates knowledge of a preimage x of y under ψ (i.e., y = ψ(x)) to a verifier. A proof of knowledge for a homomorphism is zero-knowledge, if a verifier learns nothing about a preimage of y under ψ. (We note that the search problem underlying zero-knowledge proofs of knowledge for homomorphisms is, given y and ψ, to compute a preimage of y under ψ.)

Zero-knowledge proofs of knowledge for homomorphisms are a key building block in a vast number of practically oriented cryptographic applications. Examples are: identification-, signature-, group signature-, anonymous credential-, and identity escrow-schemes as well as voting systems, e-cash, and multi-party computations. Moreover, recently the first applications that use proofs of knowledge for homomorphisms as a building block have been deployed in the real world. An example is direct anonymous attestation [BCC04, Cam04], which was adopted by the Trusted Computing Group [Tru] industry consortium as the method for remote authentication of hardware modules (called Trusted Platform Modules). Accordingly, many cryptographers believe that zero-knowledge proofs of knowledge for homomorphisms will be building blocks of various real world applications in the very near future.

Since all practically relevant homomorphisms give rise to NP search problems, one can use the generic techniques mentioned above to obtain zero-knowledge proofs of knowledge for such homomorphisms. Yet, generic techniques are only efficient in a complexity theoretical sense, where efficiency refers to a polynomial computation or communication cost. For use in applied cryptography these generic techniques are considered to be much too inefficient.

Luckily there exist specific techniques that exploit the algebraic properties of homomorphisms and thus yield significantly more efficient proofs of knowledge than generic ones. Perhaps surprisingly, (to the best of our knowledge) all efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol. We refer to this protocol as the Σψ-protocol. Well known examples of proofs of knowledge based on the Σψ-protocol are those for power homomorphisms $\psi_P(x) \doteq x^e$ by Guillou-Quisquater [GQ88] and for exponentiation homomorphisms (in groups of known order) $\psi_E(x) \doteq h^x$ by Schnorr [Sch91]. It is hard to overestimate the importance of the Σψ-protocol as a building block of practically oriented cryptographic applications. In fact, virtually all of the cryptographic applications mentioned above use the Σψ-protocol as a building block (see e.g. [ACJT00, Bra93, CD00, CL01a, CL01b, CL02, CFSY96, FS87, HS00, KP98]).

An important point is that while all efficient proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true. That is, the Σψ-protocol is not known to yield efficient proofs of knowledge for all (concrete) homomorphisms. More precisely, the efficiency of proofs of knowledge obtained using the Σψ-protocol varies considerably for different homomorphisms: For some homomorphisms the Σψ-protocol yields very efficient proofs of knowledge (e.g., the ones used in the Schnorr and the Guillou-Quisquater scheme). For others, the resulting proofs of knowledge are too inefficient for use in most practical applications. Exponentiation homomorphisms $\psi_E(x) \doteq h^x$ and $\psi_E(x_1, \ldots, x_l) \doteq h_1^{x_1} \cdots h_l^{x_l}$ in hidden order† groups (e.g., RSA groups or class groups) fall into the latter class of homomorphisms. This is quite unfortunate, since ψE in hidden order groups plays an important role in applied cryptography, and thus it would be very desirable to have efficient zero-knowledge proofs of knowledge available for them.

1.1 Results

This dissertation studies efficient zero-knowledge proofs of knowledge for homomorphisms. In a nutshell, the two key results of this thesis are the following:

First, prior to our work, it was not known whether the efficiency limitations of the Σψ-protocol discussed above are inherent to the protocol or are limitations that can be overcome, that is, limitations which are due to the conditions under which the Σψ-protocol is currently known to be a proof of knowledge. Under different conditions and for different homomorphisms we provide ample evidence that the efficiency limitations of the Σψ-protocol are inherent to the protocol, and hence cannot be overcome.

Second, prior to our work, no efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups were known. We describe novel techniques that for the first time allow one to obtain efficient zero-knowledge proofs of knowledge for such homomorphisms. The results are based on Bangerter, Camenisch, and Maurer [BCM05].

Moreover, we give a unified and comprehensive description of proofs of knowledge using the Σψ-protocol and their algebraic foundations. To the best of our knowledge, this unified presentation is novel, and possibly of independent interest.

In the following we describe our key results in more detail.

† In a hidden order group it is hard to compute a non-zero multiple of a random group element.

1.1.1 Efficiency limitations of the Σψ-protocol

The efficiency of a proof of knowledge (using the Σψ-protocol) for a given homomorphism ψ is determined by the size of the knowledge error that can be achieved. That is, the smaller the knowledge error can be made for ψ, the more efficient proofs of knowledge can be obtained using the Σψ-protocol. Yet, for any given homomorphism ψ the knowledge error cannot be made arbitrarily small. Rather, for any ψ there is a minimal knowledge error that is known to be achievable. In the following we refer to this minimal knowledge error as the minimal standard (MS) knowledge error. We have mentioned earlier that the efficiency of proofs of knowledge using the Σψ-protocol varies for different homomorphisms ψ. The underlying reason is that the MS knowledge error varies for different ψ.

It is important to note that the MS knowledge error is the smallest knowledge error that is known to be achievable using currently available knowledge extractors. That is, there could be knowledge extractors for the Σψ-protocol that achieve a smaller knowledge error than the MS knowledge error, and hence would allow one to overcome the efficiency limitations of the Σψ-protocol. Given the importance and the abundant use of the Σψ-protocol it is quite surprising that little was known about the question whether these limitations on the knowledge error, and thus the efficiency of proofs of knowledge, are inherent to the Σψ-protocol or not. On the one hand, this is a theoretical question concerning the understanding of the proof of knowledge property of the Σψ-protocol. On the other hand, it is also of practical relevance, since for proofs of knowledge for exponentiation homomorphisms in hidden order groups it would be important to overcome the current efficiency limitations.

We provide ample evidence that the efficiency limitations of the Σψ-protocol are inherent to the protocol. The starting point of our analysis is the conjecture that there are no knowledge extractors that achieve a knowledge error smaller than the MS knowledge error, and, hence, one cannot increase the efficiency of the Σψ-protocol beyond what is known to be achievable. While we do not know how to prove this conjecture in general, we prove that under certain conditions and for certain homomorphisms the conjecture is true. More precisely, we introduce the notion of a lower bound β on the knowledge error of a homomorphism: β is a lower bound on the knowledge error if no knowledge extractor exists when the knowledge error is less than or equal to β. Then, we prove under different conditions and for different types of homomorphisms that there exist lower bounds on the knowledge error of the Σψ-protocol. In all cases, the lower bounds we derive are equal to the MS knowledge error and thus they confirm our conjecture. In particular, our results suggest that the Σψ-protocol cannot be used to obtain efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups.

1.1.2 Efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups

So far we have seen that it would be essential to have efficient proofs of knowledge for exponentiation homomorphisms ψE in hidden order groups available. Yet, our results on the limitations of the Σψ-protocol suggest that the Σψ-protocol cannot be used to obtain efficient proofs of knowledge for such homomorphisms. Hence, to nevertheless obtain efficient proofs of knowledge for ψE in hidden order groups, novel protocols have to be found. We show that this is indeed possible and describe three novel techniques that yield for the first time efficient zero-knowledge proofs of knowledge for ψE in hidden order groups. Two of the techniques have in common that, additionally to an exponentiation homomorphism ψE and an image element y, one makes available auxiliary information as part of the common input of a protocol. Our techniques are complementary in the sense that they work under different conditions (e.g., on the factorization of the order of the co-domain of ψE, the auxiliary information being given).

Our first technique applies to exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ in hidden order groups H, provided that the prover (but not the verifier) knows the order of H. The protocol underlying the technique is the Σψ-protocol in a novel setting where the common input additionally to ψE and y contains a pseudo-preimage (v, w) of y under ψE. A pseudo-preimage of y (where y ∈ H) under ψ : G → H is a pair (v, w) with v ∈ ℤ and w ∈ G, such that $y^v = \psi(w)$. In this setting we obtain proofs of knowledge for essentially any ψE in hidden order groups. The resulting proofs of knowledge are very efficient since they achieve an arbitrarily small knowledge error in a single execution of the Σψ-protocol.

Our second technique is based on a novel protocol that we call the Σψ+-protocol. It yields so-called proofs of knowledge in the auxiliary string model, which was introduced by Damgaard [Dam00]. The key idea underlying the auxiliary string model is that an auxiliary string with a prescribed probability distribution is available to the prover and the verifier. The auxiliary string model is a stronger definitional setting than the one underlying conventional proofs of knowledge. Yet, for many practical applications it is adequate. The Σψ+-protocol yields zero-knowledge proofs of knowledge in the auxiliary string model for any exponentiation homomorphism ψE and hence also for ψE in hidden order groups. The resulting proofs of knowledge are very efficient when |image(ψE)| contains only large prime factors. Thus, for instance, we obtain efficient proofs of knowledge for exponentiation homomorphisms in RSA groups whose modulus is a product of safe primes. The proofs are computationally valid under the strong RSA assumption [BP97, FO97]. In practice the use of the Σψ+-protocol often requires a setup protocol to be run initially. The setup protocol is rather inefficient. Hence, using the Σψ+-protocol together with the setup protocol is only efficient when the cost of the setup protocol does not matter, which is the case in a vast number of practical applications.

Finally, we introduce the Σψ+-WS-protocol, which is a variant of the Σψ+-protocol that removes the setup protocol and the associated costs. Moreover, this variant yields real proofs of knowledge instead of proofs of knowledge in the auxiliary string model. The Σψ+-WS-protocol is a zero-knowledge proof of knowledge in the so-called model (i.e., under the assumption that perfect hash functions exist).
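To make the Σψ-protocol and the pseudo-preimage notion of this section concrete, here is an added worked example of its best-known instance, the Schnorr protocol for ψE(x) = h^x, together with the knowledge extractor that rewinds a prover to two accepting transcripts. This is not code from the dissertation or from [BCM05]; it assumes the standard three-move shape of the Schnorr protocol (commitment t = h^r, challenge c, response s = r + c·x) rather than the general Σψ-protocol definition of Chapter 4, uses constructed toy group parameters that are far too small for real use, and relies on Python 3.8+ for pow(·, −1, m). The extractor first obtains a pseudo-preimage (v, w) with y^v = ψE(w) without using the group order and then, in the known-order case only, divides to recover x; the hidden-order variant stops at the pseudo-preimage, which is exactly where the efficiency gap discussed above arises.

```python
"""Schnorr-style three-move protocol for psi_E(x) = h^x and its
two-transcript knowledge extractor.  Added example, not code from the
dissertation; all group parameters are constructed toy values and far
too small for real use.  Requires Python 3.8+ (pow with exponent -1)."""
import secrets
from math import gcd

# Known-order case (Schnorr [Sch91]): P = 2*Q + 1 with Q prime, and
# H = 4 is a quadratic residue, hence a generator of the order-Q subgroup.
P, Q, H = 1019, 509, 4


def psi_E(x, h=H, mod=P):
    """The exponentiation homomorphism psi_E(x) = h^x in the group."""
    return pow(h, x, mod)


def prover_commit(h=H, mod=P, order=Q):
    """Move 1: prover picks r and sends t = h^r (r is kept as state)."""
    r = secrets.randbelow(order)
    return r, pow(h, r, mod)


def prover_respond(x, r, c, order=None):
    """Move 3: s = r + c*x, reduced modulo the group order if it is known."""
    s = r + c * x
    return s % order if order is not None else s


def verify(y, t, c, s, h=H, mod=P):
    """Verifier accepts iff h^s == t * y^c."""
    return pow(h, s, mod) == (t * pow(y, c, mod)) % mod


def run_protocol(x, challenge_bits=8):
    """One honest execution; returns (y, transcript, accepted)."""
    y = psi_E(x)
    r, t = prover_commit()
    c = secrets.randbelow(1 << challenge_bits)
    s = prover_respond(x, r, c, order=Q)
    return y, (t, c, s), verify(y, t, c, s)


def extract_pseudo_preimage(y, t, c1, s1, c2, s2, h=H, mod=P):
    """Two accepting transcripts sharing the commitment t give
    h^(s1 - s2) = y^(c1 - c2), i.e. (v, w) = (c1 - c2, s1 - s2) is a
    pseudo-preimage of y under psi_E (y^v = psi_E(w)) in the sense of
    Section 1.1.2.  No knowledge of the group order is needed here."""
    if c1 == c2:
        raise ValueError("transcripts must have distinct challenges")
    if not (verify(y, t, c1, s1, h, mod) and verify(y, t, c2, s2, h, mod)):
        raise ValueError("both transcripts must be accepting")
    v, w = c1 - c2, s1 - s2
    assert pow(y, v, mod) == pow(h, w, mod)  # negative exponents = inverses
    return v, w


def extract_preimage(v, w, order):
    """Known-order case: if gcd(v, order) = 1, divide to obtain the actual
    preimage x = w * v^{-1} mod order with psi_E(x) = y.  In a hidden order
    group this division is unavailable, which is the gap the text discusses."""
    if gcd(v, order) != 1:
        return None
    return (w * pow(v, -1, order)) % order


def demo_known_order(x, c1=3, c2=7):
    """Rewind the prover: reuse r with two constructed challenges, extract x."""
    y = psi_E(x)
    r, t = prover_commit()
    s1 = prover_respond(x, r, c1, order=Q)
    s2 = prover_respond(x, r, c2, order=Q)
    v, w = extract_pseudo_preimage(y, t, c1, s1, c2, s2)
    return extract_preimage(v, w, Q)


# Hidden-order illustration: constructed RSA-like modulus N = 61 * 53.
N, H_N = 3233, 2


def demo_hidden_order(x, r=1234, c1=3, c2=7):
    """Same extractor in Z_N^*: it yields a valid pseudo-preimage (v, w) of
    y, but without the order the division step cannot be carried out."""
    y = pow(H_N, x, N)
    t = pow(H_N, r, N)
    s1, s2 = r + c1 * x, r + c2 * x     # unreduced responses
    return extract_pseudo_preimage(y, t, c1, s1, c2, s2, h=H_N, mod=N)


if __name__ == "__main__":
    print(run_protocol(42)[2])          # True
    print(demo_known_order(42))         # 42
    print(demo_hidden_order(5))         # (-4, -20)
```

The point of keeping the extractor in two stages is that the first stage (the pseudo-preimage) is all that rewinding yields in general; turning it into a preimage requires inverting v modulo the group order, and in a hidden order group neither the extractor nor the verifier has that order. That is why, as the text explains, the standard extractor for ψE in hidden order groups only achieves a comparatively large knowledge error, and why the techniques of this chapter add a pseudo-preimage or an auxiliary string to the common input instead.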

1.2 Outline

This thesis has the following structure. In §2 we introduce the basic concepts and results as well as the notation used in the following. In §3 we lay the algebraic and computational foundations that underlie the results in the following chapters. Thereby we extend existing results and also prove novel hardness results about computational problems that underlie the construction of efficient proofs of knowledge for homomorphisms. In §4 we review the theory on existing proofs of knowledge using the Σψ-protocol. We provide definitions and results, which we use for the statement of our results in the following chapters. In §5 we prove our results on inherent efficiency limitations of the Σψ-protocol. In §6 we describe our novel techniques that yield efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups.

2 Basic concepts

This chapter introduces the basic concepts and results as well as the notation used throughout the following. The goal of this chapter is to make this thesis self-contained. By no means is it meant to be an introduction into the respective subject areas. For the reader who is interested in additional information each section contains references to further reading.

2.1 Some notation

If a and b are integers with a ≤ b, then {a, b} is the finite set of integers {a, a + 1, . . . , b}. By abs(·) we denote the absolute value of an integer, and max(·) stands for the largest value of a finite set of integers. The greatest common divisor of a pair of integers a and b is denoted by gcd(a, b). If a and b are real numbers with a ≤ b, then [a, b] is the set of real numbers {x : x ∈ ℝ and a ≤ x ≤ b}. By {0, 1}^k we denote the set of binary strings of length k and by {0, 1}* the set of all binary strings. We denote by log(x) the natural logarithm of x, and the logarithm of x to the base b is denoted by log_b(x).

If D is a random variable then δ ← D denotes that δ was chosen according to the distribution of D. If (D_1, . . . , D_l) are random variables and B is a boolean predicate, then

$\delta_1 \leftarrow D_1,\ \delta_2 \leftarrow D_2,\ \ldots,\ \delta_l \leftarrow D_l : B(\delta_1, \ldots, \delta_l)$

denotes the event that δ_i was chosen according to D_i for i = 1, . . . , l and that the predicate B(δ_1, . . . , δ_l) is fulfilled; more precisely, as a random variable D_i may depend on a random variable D_j if i > j, we assume that the choices δ_1 ← D_1, δ_2 ← D_2, . . . , δ_l ← D_l are made sequentially (starting with δ_1 ← D_1). If D is a random variable, then D = δ denotes the event δ' ← D : δ = δ'. If S is a finite set, then s ←_U S denotes that s is chosen uniformly at random from S. If E is an event, then Pr(E) denotes the probability that E occurs. Finally, poly() stands for an arbitrary but fixed positive polynomial.

2.2 Complexity theory

In this section we review some basic notions and results from the theory of computation. For further reading we refer to Goldreich’s book on the theoretical foundations of cryptography [Gol01], Goldreich and Wigderson’s lecture notes on computational complexity [Gol00, GW04], and the textbooks by Sipser [Sip96] and Hopcroft, Motwani, and Ullman [HMU01].

2.2.1 Algorithms and reducibility

Informally speaking, an algorithm is a computational procedure defined in terms of a finite set of well-defined instructions. Given an arbitrary input, an algorithm terminates its computation by producing an output. We follow the widely used approach to formalize the notion of an algorithm by identifying algorithms with Turing machines. In the following we simply use “machine” instead of “Turing machine”. We assume that all inputs and outputs of algorithms are (encoded by) binary strings (i.e., elements of the set {0, 1}*). A deterministic algorithm M on input y (denoted by M(y)) is identified with a machine on input y. If for all inputs y, M(y) halts after at most poly(‖y‖) computational steps, where ‖y‖ denotes the length of the string y, then M is called a (deterministic) polynomial-time algorithm.

A probabilistic algorithm M(y) is identified with a machine that additionally to the input y is given a second input ζ (the random input). The computation of a probabilistic algorithm M(y) is distributed over the uniform random choices of random inputs ζ of some finite length. Moreover, if for all inputs y, M(y) halts after at most poly(‖y‖) computational steps, then it is called a probabilistic polynomial-time algorithm. An expected polynomial-time algorithm is a probabilistic algorithm M(y) that performs an expected number of computational steps (over the choices of random inputs) that is upper bounded by poly(‖y‖). We note that expected polynomial-time algorithms are more powerful than probabilistic polynomial-time algorithms.

We follow the convention used in cryptography that is to associate efficient (or “feasible”) computations with probabilistic polynomial-time algorithms, and correspondingly we often refer to a probabilistic polynomial-time algorithm as an efficient algorithm. If M(y) is an algorithm with input y, then we let M(y) (a bit ambiguously) also denote the random variable describing the output of M(y). That is, γ ← M(y) denotes that γ was obtained by running M(y), whereas in the case where M is a probabilistic algorithm γ is distributed over the choices of M’s random inputs.

Let us state some standard definitions:

– We call any L ⊂ {0, 1}* a language.

– A (polynomial) binary relation is R ⊂ {0, 1}* × {0, 1}* with the property that there is a polynomial poly(), such that for all (y, x) ∈ R we have ‖x‖ ≤ poly(‖y‖). The language L_R associated with R is defined by $L_R \doteq \{y : (y, x) \in R\}$.

– The witness set W_R(y) of a language element y ∈ L_R is defined by $W_R(y) \doteq \{x : (y, x) \in R\}$.

An x ∈ W_R(y) is called a witness of y. Given a binary relation R one can naturally formulate the following computational problem: Given a language element y ∈ L_R, compute a witness x of y. We refer to such a problem as a search problem, and since a relation R uniquely defines a search problem we shall talk about the “search problem R”. Moreover, we call y ∈ L_R an instance of the search problem R. The class of NP search problems consists of search problems for which one can decide in deterministic polynomial-time if one has found a solution of the problem. A precise definition is as follows:

Definition 2.1 (Class of NP search problems) A search problem R is in NP, if there exists a deterministic polynomial-time algorithm M, such that M(y, x) = 1 if and only if (y, x) ∈ R.

Almost all computational problems that we encounter in the following fall into the class of NP search problems. Next we formalize what we mean by “solvable instances of a search problem” and by a “hard search problem”. To this end we introduce some terminology.

Definition 2.2 Let ν : ℕ → ℝ denote a function.

– ν is negligible, if for all polynomials poly() and for all sufficiently large k, we have ν(k) < 1/poly(k).

– ν is non-negligible, if ν() is not negligible.

– ν is noticeable, if there is a polynomial poly(), such that for all sufficiently large values of k we have ν(k) ≥ 1/poly(k).

– ν is super-polynomial, if 1/ν(k) is negligible.

It is not difficult to verify that ν is non-negligible if there exists a polynomial poly(), such that for all k_0 there exists a k ≥ k_0 with ν(k) ≥ 1/poly(k). Next we define the notion of solvable instances of a search problem.

Definition 2.3 (Solvable instances of a search problem) Let R be a search problem. We call the problem instances y ∈ S ⊆ L_R solvable, if there is a probabilistic polynomial-time algorithm M, such that for all y ∈ S we have

$\Pr(x \leftarrow M(y) : x \in W_R(y)) = 1 - \nu(\|y\|),$

where ν() is a negligible function.

To formalize the notion of a hard search problem we use notation as follows. Let a search problem R be given and let k denote an integer security parameter. If D_R(k) is a probabilistic polynomial-time algorithm, such that for all y ← D_R(k) we have y ∈ L_R with ‖y‖ = poly(k), then we call D_R(k) an (instance) generator for R. Throughout the following we shall adopt the following conventions: First, when an algorithm is given the security parameter k as input then we shall always assume that k is given in the unary representation, i.e., encoded by the string $1^k$. Second, we shall assume (without loss of generality for our purposes) that the length of the output of polynomial-time algorithms is a polynomial function of the length of the inputs.

Definition 2.4 (Hard search problem) A search problem R is hard if there is a generator D_R(k) for R, such that for all probabilistic polynomial-time algorithms M the probability

$\Pr(y \leftarrow D_R(k),\ x \leftarrow M(y) : x \in W_R(y))$

is negligible in k. We call D_R(k) a hard generator.

Hard NP search problems play a key role in cryptography and, of course, also in the following.

Next we look at so-called “oracles”. Let M denote a (possibly probabilistic) algorithm, and let O denote a possibly probabilistic algorithm. We say that the oracle algorithm M is given (oracle) access to the oracle O, if M is allowed to repeatedly and arbitrarily choose O’s input q (the oracle query) and to receive O’s output O(q) (the oracle reply). A bit more formally, the oracle algorithm M is a machine with an additional oracle communication port, to which it will write its queries; once it is finished with writing a query, the oracle O is invoked and its reply is written to the oracle communication port. We denote M on input y given oracle access to O by $M^O(y)$. We count M issuing an oracle query and receiving an oracle reply as one computational step of M. Using oracles we can relate two search problems as follows.

Definition 2.5 (Reducibility) Let R1 and R2 be search problems. Let M2 be an algorithm that for each y2 ∈ LR2 outputs a witness of y2.

(a) R1 is deterministic polynomial-time reducible to R2 (denoted by R2 ≥ R1), if there is a deterministic polynomial-time oracle machine M1^{M2}, such that for any y1 ∈ LR1, M1(y1) outputs a witness of y1 by issuing at most one oracle query to M2.

(b) R1 is probabilistic polynomial-time reducible to R2 (denoted by R2 ≥P R1), if there is a probabilistic polynomial-time oracle machine M1^{M2}, such that for any y1 ∈ LR1, M1(y1) outputs a witness of y1 with probability 1 − ν(‖y1‖), where M1 issues at most one oracle query to M2 and ν() is a negligible function.

In both cases we call the algorithm M1 a reduction algorithm.

Note that (in Definition 2.5) we allow a reduction algorithm M1 to issue only a single query to the oracle M2. That is, our notion of a reduction is that of a so-called (probabilistic) Karp reduction adapted to search problems. For our purposes in the following this notion of reducibility is sufficient. Yet, in many cryptographic proofs the more generic notion of a probabilistic Cook reduction, i.e., where M1 may query M2 arbitrarily often, is used. Assume that R2 ≥ R1 or R2 ≥P R1, and let M1 denote the corresponding reduction algorithm. Then we let Q(M1(y1)) be the random variable describing the queries y2 ∈ LR2 issued to the oracle M2 by M1 on input y1 ∈ LR1. Using this notation and the notion of reducibility we can relate the computational complexity of two search problems as follows.

Theorem 2.1 Let R1 and R2 be search problems. If either R2 ≥ R1 or R2 ≥P R1 holds and if R1 is hard, then R2 is hard.

Proof In either of the cases R2 ≥ R1 or R2 ≥P R1 let M1 denote a corresponding reduction algorithm. Now, by assumption there is a hard generator D1(k) for the problem R1. Then we define a generator D2(k) for the problem R2 as follows:

D2(k):
1: Choose y1 ← D1(k).
2: Choose y2 ← Q(M1(y1)).
3: Output y2.

By contradiction we assume that there is a probabilistic polynomial-time algorithm M2 that over the choices of D2(k) solves the problem R2 with non-negligible probability. Then, by construction of D2(k) and definition of M1, this implies that M1^{M2} solves the problem R1 with non-negligible probability over the choices of D1(k). This contradicts the hardness of D1(k). Hence the success probability of any probabilistic polynomial-time algorithm M2 for solving R2 over the choices of D2(k) must be negligible. This proves that D2(k) is a hard generator, and the claim follows.

The following corollary results from the proof of Theorem 2.1.

Corollary 2.1 Let R1 and R2 be search problems, such that R2 ≥ R1 or R2 ≥P R1 holds, and let M1 be a corresponding reduction algorithm. Given a generator D1(k) for R1, we define a generator D2(k) for R2 as follows:

D2(k):
1: Choose y1 ← D1(k).
2: Choose y2 ← Q(M1(y1)).
3: Output y2.

If D1 is a hard generator for the search problem R1, then D2 is a hard generator for the search problem R2.

We shall also encounter so-called decision problems. A decision problem for a language L is defined as follows: Given a y ∈ {0, 1}^*, output 1 if y ∈ L and output 0 otherwise. Next we define the class of NP decision problems:

Definition 2.6 (Complexity class NP) A decision problem L is in NP if there exists a binary relation R such that L = LR and if R is an NP search problem.

Let L1 and L2 be decision problems in NP, and let M2 be an algorithm that decides L2 (i.e., on input y ∈ {0, 1}^*, M2 outputs 1 when y ∈ L2 and 0 otherwise). Then L1 is polynomial-time reducible to L2 if there is a deterministic polynomial-time oracle machine M1 that given oracle access to M2 decides L1, where M1 issues at most one oracle query to M2.

Definition 2.7 (NP-completeness) A decision problem L is NP-complete if L is in NP and if every decision problem in NP is polynomial-time reducible to L.

An abundant number of NP-complete problems is known to exist. Well-known examples of such problems are the Traveling Salesman problem, the 3-Coloring problem, and the SAT (satisfiability of a boolean circuit) problem.

2.2.2 Two-party protocols

A two-party protocol consists of a pair of machines which are given the ability to exchange messages. Formally, the computational model underlying a two-party protocol is that of a (deterministic or probabilistic) interactive machine, that is, a (deterministic or probabilistic) machine with an input and an output port. Now, a two-party protocol consists of a pair (M1, M2) of interactive machines, where M1’s output port is connected to M2’s input port and M1’s input port is connected to M2’s output port. Each of the machines M1 and M2 is given a private input x1 and x2, respectively, and both machines are given a common input y. We denote such a protocol by (M1(x1), M2(x2))(y). We refer to the computation of a pair of interactive machines as the protocol execution or the joint computation. A (deterministic or probabilistic) interactive machine M1 is called polynomial-time if there is a polynomial poly() such that for all common inputs y, all interactive machines M2, and all private inputs x1 and x2 of M1 and M2, respectively, the machine M1 halts in the execution of the protocol (M1(x1), M2(x2))(y) after at most poly(‖y‖) steps.

2.3 Group theory

In this section we introduce the group theoretical foundations used throughout the following chapters. Presuming that the reader is familiar with basic group theory, we introduce in §2.3.1 our notation and recall some basic results of group theory. In §2.3.2 we focus on computational aspects of groups and homomorphisms. On the one hand, we describe on a generic level the basic computational tasks we assume to be feasible in any concrete group and for any concrete homomorphism used in our constructions. On the other hand, also on a generic level, we describe certain computational problems for groups and homomorphisms which are widely used in cryptography. The relevance of these computational problems is that they are assumed to be hard for certain concrete groups and homomorphisms. In §2.3.3 we give an overview of such concrete groups and homomorphisms, and discuss for which concrete groups and homomorphisms these computational problems are actually assumed to be hard. For further reading on (computational) algebra and group theory we refer to Shoup [Sho04], Bach and Shallit [BS96], and Menezes, van Oorschot, and Vanstone [MvOV96].

2.3.1 Notation and basic facts

We shall only be interested in abelian groups, and correspondingly whenever we write “group” we always mean “abelian group”. Throughout this thesis we use the following notation to denote groups and related notions from group theory:

– By G we denote an additive group with group operation “+” and identity element “0”. By (−g) we denote the inverse of a g ∈ G. If a is a non-negative integer and g ∈ G, then ag denotes repeated addition in the usual way, and (−a)g stands for −(ag).
– By H we denote a multiplicative group with group operation “·” and identity element “1”. By h^{−1} we denote the inverse of an h ∈ H. If a is a non-negative integer and h ∈ H, then h^a denotes repeated multiplication in the usual way and h^{−a} stands for (h^a)^{−1}.
– By S ≤ H we denote that S is a subgroup of H.
– By |H| we refer to the order of the group H, and |h| denotes the order of h ∈ H.
– By ⟨h⟩ we denote the cyclic subgroup of H generated by h ∈ H, and, more generally, ⟨h1, . . . , hl⟩ is the subgroup of H generated by the group elements h1, . . . , hl ∈ H.
– If H is a group, then H^l stands for the direct product H × ... × H consisting of l factors H.
– Let H be a group, and let S be a subgroup of H. Then the quotient group of H modulo S is denoted by H/S.

We shall make use of the following simple facts about the order of a group and the order of group elements.

Theorem 2.2 Let H be a finite group and let h ∈ H.
(a) If for some integer e we have h^e = 1, then |h| divides e.
(b) h^{|h|} = 1.
(c) |h| divides |H|.
(d) If S is a subgroup of H, then |S| divides |H|.

The notion of a homomorphism will play a key role in the following.

Definition 2.8 (Homomorphism) A mapping ψ : G → H is a homomorphism if ψ(g1 + g2) = ψ(g1) · ψ(g2) for all g1, g2 ∈ G.

We say that g ∈ G is a preimage of the image element h ∈ H under ψ : G → H if h = ψ(g), and we call G the domain of ψ and H the co-domain of ψ. The kernel and the image of a homomorphism are defined as follows:

– The image of a homomorphism ψ : G → H is the subset of the co-domain H defined by image(ψ) = {h : h ∈ H and there exists a g ∈ G such that h = ψ(g)}.

– The kernel of a homomorphism ψ : G → H is the subset of the domain G defined by ker(ψ) = {g : g ∈ G such that ψ(g) = 1}.

We will make use of the following properties of homomorphisms.

Theorem 2.3 If ψ : G → H is a homomorphism, then the following holds:
(a) ψ(0) = 1.
(b) If e is an integer and g ∈ G, then ψ(eg) = ψ(g)^e.
(c) ker(ψ) is a subgroup of the domain G.
(d) image(ψ) is a subgroup of the co-domain H.
(e) |G| = |image(ψ)| · |ker(ψ)|.

A homomorphism ψ : G → H that is bijective is called an isomorphism. Two groups G and H are called isomorphic if there exists an isomorphism ψ : G → H. Intuitively, two isomorphic groups are the same except that the group elements and the group operations in each group are named differently. The following theorem describes the structure of any finite abelian group.

Theorem 2.4 (Fundamental theorem of finite abelian groups) Every finite abelian group H is isomorphic to a direct product of cyclic additive modular groups of the form

Z_{p1^{e1}} × ... × Z_{pl^{el}},

where the pi are primes, which are not necessarily distinct. The direct product is unique up to the possible rearrangement of the factors.

The next theorem describes a structural relation between the domain, the kernel, and the image of a homomorphism.

Theorem 2.5 (First isomorphism theorem) If ψ : G → H is a homomorphism, then the quotient group G/ker(ψ) is isomorphic to image(ψ).

2.3.2 Computational aspects

The existence of efficiently computable tasks and of hard problems is key for cryptographic constructions: efficiently computable tasks underlie the viability of cryptographic constructions, whereas hard problems underlie their security properties. Almost all constructions and results in this thesis are based on the existence of a few basic efficiently computable tasks and hard problems related to groups and homomorphisms. In this section we describe these tasks and problems. We give the description on a generic level, i.e., in terms of groups and homomorphisms without referring to concrete groups and homomorphisms used in cryptography. The connection to concrete groups and homomorphisms is established in §2.3.3.

2.3.2.1 Efficiently computable tasks

Computational properties of groups (and thus cryptographic constructions based on groups) are, loosely speaking, always considered for sets of groups of the same type, for instance, for the set of multiplicative modular groups with a prime modulus. An important property of such “sets of groups of the same type” is that there exist efficient algorithms to perform the relevant algebraic operations and computational tasks (e.g., the evaluation of the group operation, choosing a random element) in these groups. Analogous remarks hold for homomorphisms, where one considers “sets of homomorphisms of the same type”. In this section we formalize what we mean by “sets of groups and homomorphisms of the same type” by introducing the notions of “computationally tractable collection of groups” and “computationally tractable collection of homomorphisms”, respectively. We shall follow the convention that when we say that, e.g., a homomorphism ψ, a group H, a group element h ∈ H etc., is given as input to, or output by, an algorithm M, then we implicitly mean that a description of these objects in terms of a binary string is input to M or output by M. Correspondingly, we let ‖ψ‖, ‖H‖ and ‖h‖ etc. denote the length of the respective binary strings describing these objects. A collection H of groups is a (finite or infinite) set of finite groups. We assume that if H ∈ H and h ∈ H, then ‖h‖ ≤ poly(‖H‖) for some arbitrary but fixed polynomial poly(). Sometimes we consider subsets H(k) of H consisting of groups whose descriptions have the same length, i.e.,

H(k) = {H : H ∈ H with ‖H‖ = poly(k)},

where poly() stands for some arbitrary but fixed polynomial. We call groups contained in a collection H computationally tractable if the following holds:

– Evaluation of the group operation: There is a deterministic polynomial-time algorithm that on input any H ∈ H and any h1, h2 ∈ H outputs h1 · h2.
– Computing the inverse: There is a deterministic polynomial-time algorithm that on input any H ∈ H and any h ∈ H outputs h^{−1}.
– Testing equality: There is a deterministic polynomial-time algorithm that on input any H ∈ H and any h1, h2 ∈ H outputs 1 if h1 = h2, and 0 otherwise.
– Testing group membership: There is a deterministic polynomial-time algorithm that on input any H ∈ H and any γ ∈ {0, 1}^* outputs 1 if γ is a valid description of an element h ∈ H, and outputs 0 otherwise.
– Choosing random group elements: There is a probabilistic polynomial-time algorithm that on input any H ∈ H randomly and uniformly chooses a group element of H.
– Computing an upper bound on the group order: There is a probabilistic polynomial-time algorithm that on input any H ∈ H outputs an integer λ+ such that |H| < λ+.

Note that all commonly used concrete groups in cryptography (see §2.3.2) are computationally tractable in the above sense. We shall see that the viability of (almost all of) our constructions follows from the properties of computationally tractable groups. Yet of course, in each concrete group there is a variety of efficiently computable algebraic operations which do not appear in the above list.

A collection of homomorphisms Ψ is a (finite or infinite) set of homomorphisms ψ : G → H. For all ψ ∈ Ψ we assume that the co-domain H is finite and that the domain G is of the form

G = G1 × ... × Gl,

where each Gi is either a finite group or the integers Z. We also consider subsets of Ψ defined by

Ψ(k) = {ψ : ψ ∈ Ψ with ‖ψ‖ = poly(k)},

where poly() is an arbitrary but fixed polynomial. We call homomorphisms contained in a collection Ψ computationally tractable if the following holds:

– Computational tractability of the co-domain: For all ψ ∈ Ψ, where ψ : G → H, ψ contains a description of its co-domain H such that the computational properties for collections of computationally tractable groups (as described above) hold for H.
– Computational tractability of the domain: For all ψ ∈ Ψ, where ψ : G = G1 × ... × Gl → H, ψ contains a description of the Gi such that the following holds:
  – If Gi is a finite group, then the computational properties for collections of computationally tractable groups (as described above) hold for Gi.
  – If Gi = Z we make no explicit requirements, since in this case Gi features the computational properties of the integers.
– Evaluation of the homomorphism: There is a deterministic polynomial-time algorithm that on input ψ ∈ Ψ and x ∈ G outputs y = ψ(x).

To simplify the terminology in the following, we shall often only talk about groups H and homomorphisms ψ and implicitly assume that H and ψ are elements of respective collections. Yet we shall talk about collections of groups and homomorphisms, when formally necessary. Moreover, when we talk about groups and homomorphisms in the context of computations, then we always assume that they are computationally tractable as described above.

2.3.2.2 Computational problems

The following computational problems in groups will be relevant for us.

Definition 2.9 (Computational problems in groups)
(a) Order problem (ORDER): Given a group H and h ∈ H, compute a non-zero multiple of |h|.
(b) Root problem (ROOT): Given a group H, a group element h ∈ H, and an integer e ≥ 2 with gcd(|H|, e) = 1, compute an r ∈ H such that r^e = h.
(c) Generalized root problem (GROOT): Given a group H and a group element h ∈ H, compute an r ∈ H and an integer e ≥ 2 such that r^e = h.
(d) Discrete logarithm problem (DLOG): Given a group H, a group element h ∈ H, and a group element y ∈ ⟨h⟩, compute an integer e such that y = h^e.
(e) Representation problem (REP): Given a group H, group elements h1, . . . , hl ∈ H such that ⟨h1, . . . , hl⟩ is a cyclic subgroup of H, and a group element y ∈ ⟨h1, . . . , hl⟩, compute integers (e1, . . . , el) such that y = h1^{e1} · ... · hl^{el}.

Using the fact that H is computationally tractable, it is easy to verify that the problems in Definition 2.9 fall into the class of NP search problems. These problems are cryptographically relevant as in certain concrete groups they are assumed to be hard. By “assumed to be hard” we mean the following. None of the above problems is known to be provably hard in any concrete group (and in fact a proof of the hardness of any of these problems in some concrete group would be a major breakthrough in theoretical computer science). Yet, for each of the above problems there are concrete groups such that all currently known algorithms in these groups fail to solve the respective problem. Motivated by this fact, the assumptions that the problems are hard in the respective groups are made. For instance, the assumption that the ORDER problem is hard for a group H is called the ORDER assumption for H, and analogously one talks about the ROOT and the DLOG assumption for H.
Precise statements of hardness assumptions consist of the description of a concrete generator D(k) for the problem for which the assumption is made, and the assumption then is that D(k) is a hard generator. In particular, for the above problems these assumptions are made for collections of groups and not for a single group. As an example, the ORDER assumption for a collection of groups H consists of a description of a generator DORD(k), i.e., (H, h) ← DORD(k) with H ∈ H and h ∈ H. Then the ORDER assumption for H is that DORD(k) is a hard generator. Finally, when we talk about, e.g., the ORDER assumption for the group H, then we actually mean that H is an element of a collection of groups H for which the ORDER assumption, as described above, is made. Next we consider relations among the problems introduced above.

Theorem 2.6
(a) ORDER ≥ ROOT
(b) ROOT ≥ GROOT
(c) DLOG ≥P ORDER
(d) REP ≥ DLOG

Proof Part (a). Given an instance (H, h, e) of the ROOT problem, we issue the query (H, h) to the oracle for the ORDER problem to obtain a non-zero multiple λ of |h|. Then we run the following algorithm:

1: Set λ̃ = λ and d = 1.
2: repeat
3:   Set λ̃ = λ̃/d.
4:   Set d = gcd(λ̃, e).
5: until d = 1.
6: Output λ̃.

By assumption we have gcd(|H|, e) = 1, and hence (by Theorem 2.2 (c)) gcd(|h|, e) = 1. Using this fact we can see that the λ̃ output by the above algorithm is a non-zero multiple of |h| with gcd(λ̃, e) = 1. We now compute 1/e (mod λ̃) and let r = h^{1/e}. Clearly, r is an e-th root of h and the claim follows.

Part (b). Given an instance (H, h) of the GROOT problem we choose an integer e ≥ 2. Then we issue the query (H, h, e) to the oracle for the ROOT problem to obtain an e-th root r of h. Since r is also a solution of the GROOT problem, the claim follows.

Part (c). Let an instance (H, h) of the ORDER problem be given. By our basic assumptions on computationally tractable groups, we can compute a λ+ > |H|. Then we choose an integer r ←_U {1, . . . , 2^k λ+}, where k is an integer security parameter, and set y = h^r. We issue the query (H, h, y) to the DLOG oracle to obtain an x such that y = h^x. Hence, we have h^{x−r} = 1, and unless

x = r, (2.1)

(by Theorem 2.2 (a)) we have found a non-zero multiple of |h| and we are done. It remains to verify that over the choices of r (2.1) only occurs with negligible probability. To this end we decompose r = a|h| + b with 0 ≤ b < |h| and rewrite (2.1) as

x = a|h| + b. (2.2)

Since r ←_U {1, . . . , 2^k λ+}, we can see that there are at least 2^k values of a that fulfill (2.2), and each of them is chosen with probability at most 1/2^k. Moreover, we note that y = h^r = h^{a|h|+b} = h^b, and hence the query (H, h, y) issued to the DLOG oracle contains no information on a. Thus, the probability that the oracle reply x fulfills (2.2) is at most 1/2^k and the claim follows.

Part (d). Given an instance (H, h, y) of the DLOG problem, we choose arbitrary integers (e1, . . . , el) and set h1 = h^{e1}, . . . , hl = h^{el}. Then we issue the query (H, h1, . . . , hl, y) to the REP oracle to obtain (x1, . . . , xl) such that y = h1^{x1} · ... · hl^{xl}. Hence, we have y = h^{e1x1 + e2x2 + ... + elxl}, and we have solved the DLOG problem.
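As an added illustration (not part of the thesis), the following Python code runs the reductions of parts (a) and (c) in Z_n^* with a constructed toy modulus. The ORDER oracle is simulated using the factorization of n and the DLOG oracle by exhaustive search in a tiny group; both simulations are assumptions of the example only, and the reduction functions use nothing but the oracle replies.

```python
# Added example (not from the thesis): the reductions ORDER >= ROOT and
# DLOG >=_P ORDER of Theorem 2.6 (a) and (c), run in Z_n^* with a small
# constructed modulus.  The oracles are simulated (ORDER via the
# factorization of n, DLOG by brute force in a tiny group); the reduction
# functions themselves only see the oracle replies.
from math import gcd
from random import randrange


def strip_common_factors(lam, e):
    """Loop from the proof of Theorem 2.6 (a): repeatedly divide the order
    multiple lam by gcd(lam, e) until the result is coprime to e.  Because
    gcd(|h|, e) = 1, only prime factors not belonging to |h| are removed,
    so the result is still a non-zero multiple of |h|."""
    d = 1
    while True:
        lam //= d
        d = gcd(lam, e)
        if d == 1:
            return lam


def root_via_order_oracle(n, h, e, order_oracle):
    """Reduction (a): an e-th root of h in Z_n^* from a single ORDER query."""
    lam = strip_common_factors(order_oracle(n, h), e)
    inv_e = pow(e, -1, lam)        # 1/e (mod lam); exists since gcd(lam, e) = 1
    return pow(h, inv_e, n)        # r = h^(1/e): r^e = h^(1 + k*lam) = h


def order_multiple_via_dlog_oracle(n, h, k, dlog_oracle):
    """Reduction (c): pick r uniformly from {1, ..., 2^k * lam_plus} with
    lam_plus > |H|, set y = h^r and ask the oracle for x with h^x = y.
    Then h^(x - r) = 1, so x - r is a non-zero multiple of |h| unless x = r,
    which happens with probability at most 2^-k since y = h^b hides a."""
    lam_plus = n                    # |Z_n^*| < n is an easily computed upper bound
    r = randrange(1, (1 << k) * lam_plus + 1)
    y = pow(h, r, n)
    x = dlog_oracle(n, h, y)
    return x - r


# --- simulated oracles for the constructed toy instances --------------------

def toy_order_oracle(p, q):
    """ORDER oracle for Z_n^*, n = p*q, cheating with the factorization:
    phi(n) = (p-1)(q-1) is a multiple of |h| for every h.  A deliberately
    non-reduced multiple is returned so that strip_common_factors has work."""
    def oracle(n, h):               # n, h unused: phi(n) works for every h
        return (p - 1) * (q - 1) * 125
    return oracle


def toy_dlog_oracle(n, h, y):
    """DLOG oracle by exhaustive search; feasible only because the toy group
    is tiny.  Returns the least x >= 0 with h^x = y (mod n)."""
    acc = 1
    for x in range(n):
        if acc == y:
            return x
        acc = acc * h % n
    raise ValueError("y is not in the subgroup generated by h")


if __name__ == "__main__":
    p, q = 1009, 1013               # constructed toy RSA primes
    n = p * q                        # 1022117
    h, e = 123456, 5                 # gcd(phi(n), 5) = 1 as ROOT requires
    r = root_via_order_oracle(n, h, e, toy_order_oracle(p, q))
    print("e-th root r =", r, "| r^e == h:", pow(r, e, n) == h)

    # ORDER from DLOG in the prime-modulus group Z_1009^* (brute-force oracle)
    m = order_multiple_via_dlog_oracle(1009, 2, 30, toy_dlog_oracle)
    print("multiple of |2| in Z_1009^*:", m, "| 2^|m| == 1:", pow(2, abs(m), 1009) == 1)
```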

Note that in some cases† one can also prove the direction DLOG ≥ REP. However, none of the reductions ROOT ≥ ORDER, GROOT ≥ ROOT, and ORDER ≥ DLOG is known to hold. Especially the latter is unlikely to hold, as the DLOG problem is assumed to be hard in groups in which the ORDER problem is solvable (for concrete examples of such groups we refer to the following section). For homomorphisms we are interested in the following computational problem.

Definition 2.10 (Homomorphism inversion problem) Inversion problem (INV): Given a homomorphism ψ and an image element y ∈ image(ψ), compute a preimage of y under ψ.

Assuming that ψ is computationally tractable, it is easy to verify that the INV problem is an NP search problem. We shall see in the following section that the INV problem is hard for many concrete homomorphisms used in cryptography. Finally, we introduce the following terminology:

– A group H has hidden order, if the ORDER problem for H is (assumed to be) hard.
– A group H has known order, if the ORDER problem for H is solvable.
– A homomorphism ψ is one-way, if the INV problem for ψ is (assumed to be) hard.

As hidden order groups will be important for us, we make the following fact (which immediately follows from Theorem 2.6 (a) and Theorem 2.1) explicit.

† As an example, when given an instance (H, h1, . . . , hl, y) of the REP problem, one can efficiently find a generator of ⟨h1, . . . , hl⟩.

Corollary 2.2 The ROOT assumption for a group H implies that H has hidden order.

2.3.3 Concrete groups and homomorphisms used in cryptography

This section starts with a brief and informal overview of some concrete groups used in cryptography. Our main goal is to describe which of the problems introduced in the previous section are assumed to be hard in these concrete groups. The second part of this section gives a comprehensive and formal description of the concrete homomorphisms that are commonly used in cryptography. We also discuss the computational properties of these concrete homomorphisms.

2.3.3.1 Concrete groups and assumptions

In the following we look at modular groups, elliptic curve groups, and class groups. While there are also other concrete groups used in cryptography, one can safely say that an overwhelming number of cryptographic systems is based on the two former types of groups. All these (types of) groups are known to be computationally tractable (as described in the previous section). In fact, they are not just efficiently tractable in a complexity theoretic sense (i.e., where efficient means probabilistic polynomial-time computable), but efficiently tractable in a practical sense. For instance, computations in modular groups and elliptic curve groups can be efficiently implemented even on quite restricted hardware, such as smart-cards.

Modular groups. The most widely used type of group in cryptography are modular groups. There are additive modular groups Z_n and multiplicative modular groups Z_n^*. Computational assumptions are only made for the latter. Which assumptions are made for a modular group Z_n^* depends on the choice of the modulus n. Loosely speaking, the most popular choices of the modulus fall into the following three classes:

– Prime moduli: The modulus is a prime p, and we refer to Z_p^* as a prime-modulus group. In prime-modulus groups the DLOG assumption is made. They have a known order, since |Z_p^*| = p − 1.
– Composite moduli: The modulus is a composite n = pq, where p and q are primes with ‖p‖ = ‖q‖. The modulus n is called an RSA modulus and the corresponding group is called an RSA group. In RSA groups the DLOG, ROOT, and GROOT assumptions are made. We note that in RSA groups the ROOT assumption is the famous RSA assumption put forth by Rivest, Shamir, and Adleman [RSA78a], and the GROOT assumption is the strong RSA assumption introduced by Baric and Pfitzmann, and Fujisaki and Okamoto [BP97, FO97]. By Corollary 2.2, RSA groups have a hidden order under the RSA assumption.
– Squares of composite moduli: The modulus is chosen to be the square of an RSA modulus. This choice of modulus was introduced by Paillier [Pai99] and the corresponding groups are often called Paillier groups. In Paillier groups the DLOG, ROOT, and GROOT assumptions are made. Hence by Corollary 2.2 these are hidden order groups.

For multiplicative modular groups the ORDER problem is reducible to computing the factorization of the modulus n. Let us be more precise:

Definition 2.11 (Factorization problem) The factorization problem FACTOR is: given an integer n, compute the complete prime factorization of n.

Now, the following reduction holds.

Theorem 2.7 The ORDER problem in a multiplicative modular group Z_n^* and the FACTOR problem for n are related by FACTOR ≥ ORDER.

Proof It is a well known fact that for any multiplicative modular group Z_n^* with n = p1^{e1} · ... · pl^{el} we have |Z_n^*| = (p1 − 1)p1^{e1−1} · ... · (pl − 1)pl^{el−1}. From this fact and Theorem 2.2 (c) the claim immediately follows.

For further reading we refer to an overview on computational problems in modular groups by Woll [Wol87]. McCurley [McC90] and Odlyzko [Odl00] discuss the DLOG problem, and Lenstra [Len00] the factorization problem. A concrete analysis of the actual hardness, i.e., in terms of computational cost on existing hardware, of some of the problems discussed above is found in Lenstra and Verheul [LV01].

Elliptic curve groups. The use of elliptic curve groups in cryptography was proposed independently by Koblitz [Kob87] and Miller [Mil85]. An elliptic curve group consists of points on an elliptic curve over a field. In elliptic curve groups the DLOG assumption is made, and the ORDER problem is solvable (i.e., elliptic curve groups are known order groups). There are various reasons for using elliptic curve groups in cryptography. One is that a given level of hardness of the DLOG problem (i.e., a given level of security of DLOG-based cryptographic systems) can be achieved by elliptic curve groups with an order that is smaller than the one of multiplicative modular groups. The reason is, loosely speaking, that the best algorithms for solving the DLOG problem in elliptic curve groups are less efficient than the ones in multiplicative modular groups. As a result, for a given level of security elliptic curve group arithmetic is more efficient than modular group arithmetic. Thus elliptic curve groups are especially suitable in environments where the computing power is limited, e.g., in smart-cards. Another reason for the growing popularity of elliptic curve groups is that a novel computational problem termed the “Gap Diffie-Hellman problem” [OP01, JN03] is assumed to be hard in elliptic curve groups. The assumption gives rise to a series of novel cryptographic constructions (e.g., [BB04, BBS04, CL04]), which are not known to be achievable in other groups. Finally we note that elliptic curve groups have a much richer algebraic structure than modular groups. Hence, there is potentially a wider spectrum of attacks on the DLOG problem. Correspondingly, there is a certain scepticism concerning the hardness of the DLOG problem in elliptic curve groups. For further reading on elliptic curves we refer to [KMV00, Sil86].

Class groups. Buchmann and Williams [BW91] introduced cryptographic systems based on class groups (of imaginary quadratic orders). In class groups the DLOG, the ORDER, ROOT, and GROOT assumptions are made [BH01, HM00, DK02], and hence (by Corollary 2.2) class groups are hidden order groups. An interesting property of class groups is that the ORDER and the DLOG problem are provably harder than the FACTOR problem. Hence, should factoring become feasible (which would make RSA groups essentially useless for cryptography), the security of cryptographic systems in class groups would remain unaffected. As class groups have received considerably less attention than modular groups or elliptic curve groups, hardness assumptions in class groups seem to stand on weaker grounds than hardness assumptions for elliptic curve and modular groups. Moreover, in analogy to elliptic curve groups, class groups have a much richer algebraic structure than modular groups. Hence, potentially there is a wider spectrum of attacks on the computational problems mentioned above.

Conclusions. For a summary of solvable and assumed to be hard problems in the groups discussed above we refer to Table 2.1 (where “s” stands for “solvable”, and “h” for “assumed to be hard”). Finally, we note that for each type of group there are precise formulations of the computational assumptions being made. We recall that a precise formulation consists of the description of an instance generator for which the problem at hand is assumed to be hard. Often for a given type of group and a given computational problem there are several variants of a hardness assumption (i.e., there are different generators for the same problem and the same type of group, for which the problem is believed to be hard). While these assumptions are made for the same problem, they are often not equivalent. This was pointed out by Sadeghi and Steiner [SS01] for the DLOG and related problems. Moreover, for each type of group described above there exists a variety of computational problems and respective computational assumptions, which we have left out in our discussion as they will not be relevant for us in the following.

                        GROOT  ROOT  ORDER  DLOG  REP
Prime-modulus group       s      s     s      h    h
RSA group                 h      h     h      h    h
Paillier group            h      h     h      h    h
Elliptic curve group      s      s     s      h    h
Class group               h      h     h      h    h

Table 2.1. Solvable and hard problems in cryptographic groups.

2.3.3.2 Concrete homomorphisms

Essentially all concrete homomorphisms used in cryptography fall into one of the three classes described next.

Definition 2.12 (Concrete homomorphisms) Let H be a group, and let Z either stand for a finite additive modular group Zn or the integers Z.

(a) An exponentiation homomorphism is a mapping ψE : Z1 × ...×Zl → H defined by

. x1 xl ψE(x1, . . . , xl) = h1 · ... · hl ,

where h1, . . . , hl ∈ H, and if Zi = Zni , then |hi| | |Zni |. l (b) A power homomorphism is a mapping ψP : H → H defined by

. e1 el ψP(x1, . . . , xl) = x1 · ... · xl ,

where (e1, . . . , el) are integers. (c) An exponentiation-power homomorphism is a mapping ψEP : 34 Basic concepts

l2 Z1 × ... × Zl1 ×H → H defined by

. xl el ψ (x , . . . , x , x , . . . , x ) = hx1 · ... · h 1 · xe1 · ... · x 2 , EP 1 l1 l1+1 l1+l2 1 l1 l1+1 11+l2

where $(e_1, \ldots, e_{l_2})$ are integers, $h_1, \ldots, h_{l_1} \in H$, and if $Z_i = \mathbb{Z}_{n_i}$, then $|h_i| \mid |\mathbb{Z}_{n_i}|$.

It is straightforward to verify that these mappings indeed are homomorphisms according to Definition 2.8. In cryptographic applications of the concrete homomorphisms in Definition 2.12 the group H is typically chosen to be one of the concrete groups discussed in the previous section.

Next we verify that these concrete homomorphisms are computationally tractable whenever the group H (which occurs in Definition 2.12) is computationally tractable. The properties required for the domain and the co-domain of a computationally tractable homomorphism can immediately be seen to hold. It remains to check that concrete homomorphisms can be efficiently evaluated. We see that if one can efficiently compute so called discrete exponentiations, i.e., if given $h \in H$ one can efficiently compute $h^e$, then our concrete homomorphisms can be efficiently evaluated. The brute force approach to compute $h^e$ is to perform $(e - 1)$ group operations. Yet, when $\|e\| = \mathrm{poly}(k)$ and hence e is super-polynomial, this brute force approach takes super-polynomial time, i.e., it is not efficient. Luckily, there are various efficient algorithms for computing discrete exponentiations. The most widely known algorithm is the so called square and multiply algorithm (see, e.g., Knuth [Knu97] or Shoup [Sho04]), which computes $h^e$ using at most $O(\log(e))$ group operations in H. One of the most efficient techniques currently known for computing discrete exponentiations is the so called windowing algorithm by Brauer [Bra39], which takes $O((1 + 1/\log(\log(e)))\log(e))$ group operations. Clearly, using either the square and multiply or the windowing algorithm, one can efficiently compute discrete multi-exponentiations $h_1^{e_1} \cdots h_l^{e_l}$ by evaluating each of the terms $h_i^{e_i}$ and by multiplying the respective results (assuming that $l \le \mathrm{poly}(k)$). Using Brauer's algorithm for exponentiation this approach requires $O(l(1 + 1/\log(\log(e)))\log(e))$ group operations. An even more efficient algorithm to compute discrete multi-exponentiations is the one by Straus [Str64], which requires $O((1 + l/\log(\log(e)))\log(e))$ group operations.

The following theorem describes conditions under which certain concrete homomorphisms are known to be one-way.
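As an added illustration of the two evaluation strategies just described (this is example code written for this page, not code from the dissertation), the following compares term-wise square-and-multiply with the basic, window-width-1 form of Straus's interleaved multi-exponentiation, counting group operations in the constructed group $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{61} - 1$; the bases and exponents are constructed sample values.

```python
"""Added example: square-and-multiply versus Straus's simultaneous
multi-exponentiation, instrumented to count group operations.
The group Z_p^* (p = 2^61 - 1) and all inputs are constructed here."""

P = (1 << 61) - 1   # constructed prime modulus, H = Z_P^*


def square_and_multiply(h, e, p):
    """Left-to-right binary exponentiation. Returns (h^e mod p, #group ops)."""
    acc, ops = 1, 0
    for bit in bin(e)[2:]:          # most significant bit first
        acc = acc * acc % p         # one squaring per exponent bit
        ops += 1
        if bit == "1":
            acc = acc * h % p       # one multiplication per set bit
            ops += 1
    return acc, ops


def multi_exp_termwise(bases, exps, p):
    """h_1^{e_1} ... h_l^{e_l} via l independent square-and-multiply runs,
    then l - 1 multiplications to combine the terms."""
    acc, ops = 1, 0
    for h, e in zip(bases, exps):
        t, n = square_and_multiply(h, e, p)
        acc, ops = acc * t % p, ops + n + 1
    return acc, ops - 1


def multi_exp_straus(bases, exps, p):
    """Straus's interleaved method (window width 1): precompute the product of
    every subset of the bases (table of size 2^l), then run ONE shared
    square-and-multiply pass, multiplying at each bit position by the table
    entry selected by the bits of all l exponents at that position."""
    l = len(bases)
    table, ops = [1] * (1 << l), 0
    for mask in range(1, 1 << l):
        low = mask & -mask                       # lowest set bit of mask
        table[mask] = table[mask ^ low] * bases[low.bit_length() - 1] % p
        ops += 1
    acc = 1
    for pos in range(max(e.bit_length() for e in exps) - 1, -1, -1):
        acc = acc * acc % p                      # squaring shared by all terms
        ops += 1
        mask = sum(((e >> pos) & 1) << i for i, e in enumerate(exps))
        if mask:
            acc = acc * table[mask] % p          # one multiply for all set bits
            ops += 1
    return acc, ops


def compare(bases, exps, p=P):
    """Run both methods against Python's pow(); returns
    (result, termwise_ops, straus_ops)."""
    expected = 1
    for h, e in zip(bases, exps):
        expected = expected * pow(h, e, p) % p
    r1, n1 = multi_exp_termwise(bases, exps, p)
    r2, n2 = multi_exp_straus(bases, exps, p)
    assert r1 == expected and r2 == expected
    return expected, n1, n2


if __name__ == "__main__":
    # Constructed bases and 64-bit exponents (l = 3).
    bases = [2, 3, 7]
    exps = [0x9E3779B97F4A7C15, 0xC2B2AE3D27D4EB4F, 0x165667B19E3779F9]
    res, n_termwise, n_straus = compare(bases, exps)
    print(f"result = {res}")
    print(f"term-wise: {n_termwise} ops, Straus: {n_straus} ops")
```

For l = 3 and 64-bit exponents the term-wise approach needs roughly three full square-and-multiply runs, whereas Straus shares the 64 squarings across all three terms, which is the saving behind the $l/\log\log e$ term in the bound above.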

2.3 Group theory 35

Theorem 2.8 (Concrete one-way homomorphisms)

(a) Exponentiation homomorphisms $\psi_E : Z_1 \times \cdots \times Z_l \to H$ with a cyclic $\mathrm{image}(\psi_E)$ are one-way under the DLOG assumption for H.
(b) Power homomorphisms $\psi_P : H \to H$ defined by $\psi_P(x) := x^e$ with $e \ge 2$ are one-way under the ROOT assumption for H.
(c) Exponentiation-power homomorphisms $\psi_{EP} : \mathbb{Z}^l \times H \to H$ defined by $\psi_{EP}(x_1, \ldots, x_l, x_{l+1}) := h_1^{x_1} \cdots h_l^{x_l}\, x_{l+1}^e$ with $e \ge 2$ and $\gcd(|H|, e) = 1$ are one-way under the ROOT assumption for H.

Proof Part (a) follows from Theorem 2.6 (d) and Theorem 2.1. Part (b) trivially holds. It remains to prove part (c). We show that INV ≥ ROOT, where INV is the inversion problem for the exponentiation-power homomorphisms we are looking at. Let an instance (H, h, e) of the ROOT problem be given. We choose arbitrary $r_1, \ldots, r_l \in H$ and set $h_1 := r_1^e, \ldots, h_l := r_l^e$. Using these choices we define $\psi_{EP}(x_1, \ldots, x_l, x_{l+1}) := h_1^{x_1} \cdots h_l^{x_l}\, x_{l+1}^e$. By definition of the ROOT problem we have $\gcd(|H|, e) = 1$ and thus $h \in \mathrm{image}(\psi_{EP})$. Now, we issue the query $(\psi_{EP}, h)$ to the INV oracle to obtain a preimage $(w_1, \ldots, w_l, w_{l+1})$ of h under $\psi_{EP}$. That is, we have

$$h = \psi_{EP}(w_1, \ldots, w_l, w_{l+1}) = h_1^{w_1} \cdots h_l^{w_l}\, w_{l+1}^e = r_1^{e w_1} \cdots r_l^{e w_l}\, w_{l+1}^e = \bigl(r_1^{w_1} \cdots r_l^{w_l}\, w_{l+1}\bigr)^e.$$

Thus we have found an e-th root of h, and hence the reduction INV ≥ ROOT holds. The claim of part (c) now follows from Theorem 2.1.

In the following it will often matter whether the co-domain of a (concrete) homomorphism has known or hidden order. In particular this is true for exponentiation homomorphisms. Therefore we shall use the following naming conventions:

– Exponentiation homomorphism in a hidden order group or with a hidden order co-domain refers to an exponentiation homomorphism $\psi_E : \mathbb{Z}^l \to H$, where H is a hidden order group.
– Exponentiation homomorphism in a known order group or with a known order co-domain refers to an exponentiation homomorphism $\psi_E : Z_1 \times \cdots \times Z_l \to H$, where H is a known order group.

Finally we note that one-way homomorphisms with known and hidden order co-domain appear abundantly in (practically oriented) cryptographic constructions. As an illustration we refer to a few examples given in Figure 2.1.

Example 2.1 Exponentiation homomorphisms $\psi_E : \mathbb{Z}_q \to \mathbb{Z}_p^*$ defined by $\psi_E(x) := h^x$, where $\mathbb{Z}_p^*$ is a prime-modulus group and $q \mid (p - 1)$, are used in Schnorr's proof of knowledge [Sch91]. Such homomorphisms are one-way under the DLOG assumption for $\mathbb{Z}_p^*$ and have a known order co-domain (since $|\mathbb{Z}_p^*| = p - 1$).

Example 2.2 Exponentiation homomorphisms $\psi_E : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_n^*$ defined by $\psi_E(x_1, x_2) := h_1^{x_1} h_2^{x_2}$, where $\mathbb{Z}_n^*$ is an RSA group, are used in a commitment scheme by Damgaard and Fujisaki [DF02]. Such homomorphisms are one-way under the DLOG assumption and have a hidden order co-domain.

Example 2.3 Power homomorphisms $\psi_P : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ defined by $\psi_P(x) := x^e$, where $\mathbb{Z}_n^*$ is an RSA group and $e \ge 2$, are used in the RSA scheme [RSA78b] or in the Guillou-Quisquater proof of knowledge [GQ88]. Such homomorphisms are one-way under the RSA assumption, and have a hidden order co-domain.

Example 2.4 Exponentiation-power homomorphisms $\psi_{EP} : \mathbb{Z}_{n^2} \times \mathbb{Z}_{n^2}^* \to \mathbb{Z}_{n^2}^*$ defined by $\psi_{EP}(x_1, x_2) := h^{x_1} x_2^{n}$, where $\mathbb{Z}_{n^2}^*$ is a Paillier group, are used in a variant of Paillier's scheme [Pai99]. Such homomorphisms are one-way under the ROOT assumption, and have a hidden order co-domain.

Fig. 2.1. Examples of concrete one-way homomorphisms used in cryptography.

2.3.4 A note on the presentation

It is our aim in the following to state the minimal conditions that underlie our constructions and results. It turns out that in most cases it is sufficient that a group H is computationally tractable and that certain computational hardness assumptions (e.g., the ORDER assumption) hold for H. That is, most of our constructions and results are described in terms of abstract collections of computationally tractable groups H and hardness assumptions made for H. In particular, we will not make use of concrete groups unless we explicitly exploit particular properties of a concrete group. A (trivial but) crucial point is that one can instantiate our constructions and results using any concrete group for which the respective assumptions are made.

2.4 Zero-knowledge proofs

Zero-knowledge interactive proofs were introduced in a fundamental paper by Goldwasser, Micali, and Rackoff [GMR85]. In the same paper, the idea of a proof of knowledge was coined, but not formalized. Subsequently, formal definitions of a proof of knowledge were given by Feige, Fiat, and Shamir [FFS88] and by Tompa and Woll [TW87].

Let us first informally introduce the concepts of interactive proofs, proofs of knowledge, and zero-knowledge. To this end we consider two-party protocols (P, V) between a prover P and a verifier V, where we assume that V terminates by either accepting (i.e., by outputting 1) or rejecting (i.e., by outputting 0) a protocol run. An interactive proof for a language L is a two-party protocol (P, V) that allows P to assert to V that a common input y to the protocol is an element of the language L. More precisely, an interactive proof has the property that on common input y, P can always convince V to accept the protocol when $y \in L$, and that no dishonest prover $P^*$ can convince V to accept the protocol when $y \notin L$.
A proof of knowledge for a binary relation R is a two-party protocol $(P(x), V)(y)$ with $(y, x) \in R$ that allows P to assert to V that it knows a witness for y. The notion of the "prover knowing a witness" is formalized as follows: An algorithm M is said to be given black-box access to an interactive machine $P^*$, if M can repeatedly reset $P^*$ to its initial state, choose $P^*$'s random input, and then may execute the protocol $(P^*, M)$. Now, let $P^*$ be a possibly dishonest prover given some arbitrary private input γ, which makes V accept in the protocol $(P^*(\gamma), V)(y)$ with a probability larger than some threshold value (the knowledge error). Then the protocol (P, V) is a proof of knowledge if there is a so called knowledge extractor algorithm that, given as input y and black-box access to $P^*(y, \gamma)$, computes a witness of y.

Consider a binary relation R and a two-party protocol $(P(x), V)(y)$ that is defined for all $(y, x) \in R$.† The protocol $(P(x), V)(y)$ is zero-knowledge if a possibly dishonest verifier $V^*$ does not learn any (computational) information in the execution of the protocol $(P(x), V^*)(y)$. The notion of "not learning any computational information" is formalized using the following simulation paradigm: $V^*$ does not learn additional information if there is a simulator algorithm whose input is only y and that can generate all the messages that $V^*$ receives during the execution of the protocol $(P(x), V^*)(y)$.

Finally we note that there is a trivial interactive proof and proof of knowledge for all languages in NP and relations in NP, respectively. In this trivial protocol the prover simply sends a witness of y to the verifier. However, this trivial protocol is not zero-knowledge. Hence, loosely speaking, the art is to design zero-knowledge interactive proofs and proofs of knowledge, i.e., protocols that prove language membership or knowledge of a witness without giving away computational information on a witness.

† As a special case this definitional setting includes protocols that are defined for common input $y \in L$ and where the prover is not given private input.

2.4.1 Definitions

Let us turn to the formal definitions of the above notions. In the following $\langle P(x_1), V(x_2)\rangle(y)$ denotes the random variable describing V's local output in the execution of the protocol $(P(x_1), V(x_2))(y)$.

Definition 2.13 (Interactive proof) A two-party protocol (P, V) is an interactive proof for a language L, if V is a probabilistic polynomial-time interactive machine and if the following conditions hold:
– Completeness: For every $y \in L$ we have $\Pr(\langle P, V\rangle(y) = 1) = 1$.
– Soundness: For every $y \notin L$ and every interactive machine $P^*$ we have $\Pr(\langle P^*, V\rangle(y) = 1) \le \omega(\|y\|)$, where $1 - \omega(\|y\|)$ is a noticeable function. We call ω the soundness error.

Note that by k-times sequentially repeating an interactive proof with soundness error ω one can obtain an interactive proof with soundness error $\omega^k$. Also, often a more liberal definition of an interactive proof is given, where one relaxes the completeness property to $\Pr(\langle P, V\rangle(y) = 1) \ge \mu(\|y\|)$ and requires that $\mu(\|y\|) - \omega(\|y\|)$ is a noticeable function.

An interactive argument is a variant of an interactive proof, where the prescribed prover P as well as cheating provers $P^*$ are restricted to be probabilistic polynomial-time interactive machines. Moreover, in an interactive argument provers are allowed to be given private input for each $y \in L$. We omit the definition of an interactive argument, as it will not be important for us in the following.

Let us consider proofs of knowledge next. To this end we need to define the notion of black-box access.

Definition 2.14 (Black-box access) We say that a machine M is given black-box access to an interactive machine $P^*$ on common input y and private input $\gamma \in \{0, 1\}^*$ of $P^*$, if M(y) may repeatedly reset $P^*$ to its initial state, choose $P^*$'s random input, and then perform the joint computation $(P^*(\gamma), M)(y)$. This is denoted by $M^{P^*(y, \gamma)}(y)$.

The original definitions of a proof of knowledge [FFS88, TW87] were refined by Bellare and Goldreich [BG92]. The latter definition is now considered to be the standard definition, and correspondingly it is the definition that we shall use throughout the following.

Definition 2.15 (Proof of knowledge [BG92]) Let R be a binary relation and let $\kappa : \mathbb{N} \to [0, 1]$ be a function. Let V be a probabilistic polynomial-time interactive machine and P be a probabilistic interactive machine. The protocol (P, V) is a proof of knowledge for the binary relation R with knowledge error κ if the following holds:
– Non-triviality: For all $(y, x) \in R$ we have $\Pr(\langle P(x), V\rangle(y) = 1) = 1$.
– Validity: A probabilistic machine M (the knowledge extractor) and a polynomial poly(·) exist, such that the following holds. For every probabilistic interactive machine $P^*$, every $y \in L_R$, and every $\gamma \in \{0, 1\}^*$ let $(y, \gamma, P^*) := \Pr(\langle P^*(\gamma), V\rangle(y) = 1)$. If $(y, \gamma, P^*) > \kappa(\|y\|)$, then M(y) with black-box access to $P^*(y, \gamma)$ outputs a witness $w \in W_R(y)$ in an expected number of steps bounded by
$$\frac{\mathrm{poly}(\|y\|)}{(y, \gamma, P^*) - \kappa(\|y\|)}.$$

A so called computational proof of knowledge is a variant of the above definition in which provers are required to be probabilistic polynomial-time interactive machines. More precisely, the validity condition in a computational proof of knowledge is reformulated as follows:

– Computational validity: A probabilistic machine M (the knowledge extractor) and a polynomial poly(·) exist, such that the following holds. For every probabilistic polynomial-time interactive machine $P^*$, every $y \in L_R$, and every $\gamma \in \{0, 1\}^*$ let $(y, \gamma, P^*) := \Pr(\langle P^*(\gamma), V\rangle(y) = 1)$. For all sufficiently large $\|y\|$ we require that if $(y, \gamma, P^*) > \kappa(\|y\|)$, then M(y) with black-box access to $P^*(y, \gamma)$ outputs a witness $w \in W_R(y)$ in an expected number of steps bounded by
$$\frac{\mathrm{poly}(\|y\|)}{(y, \gamma, P^*) - \kappa(\|y\|)}.$$

An important fact is that the knowledge error κ of a (computational) proof of knowledge protocol can be reduced to $\kappa^l$ by sequentially repeating the protocol l times. We see that the definition of a (computational) proof of knowledge requires the existence of a knowledge extractor for $y \in L$, and it does not make requirements when $y \notin L$. Hence, loosely speaking, a proof of knowledge is not automatically also an interactive proof for the language L, unless we additionally require that a (computational) proof of knowledge also fulfills the following soundness property:

– Soundness: For every $P^*$, $y \notin L$, and $\gamma \in \{0, 1\}^*$ we require that $(y, \gamma, P^*) \le \omega(\|y\|)$, where $1 - \omega(\|y\|)$ is a noticeable function. We call ω the soundness error.

We refer to proofs of knowledge that have this soundness property as proofs of knowledge with soundness. Let us conclude with a few remarks concerning Definition 2.15:

– We see that a knowledge extractor potentially may run in expected time that is super-polynomial. Given that we identify feasible computations with probabilistic polynomial-time algorithms this is conceptually not satisfactory. A conceptually satisfactory alternative to a proof of knowledge as given in Definition 2.15 is that of a so called strong proof of knowledge (see Goldreich [Gol01, §4.7.6]). In a strong proof of knowledge a knowledge extractor is required to run in strict polynomial-time. However, while many protocols can be shown to be a proof of knowledge according to Definition 2.15, none of these protocols is known to be a strong proof of knowledge. Moreover, a recent negative result by Barak and Lindell [BL02] shows that there can be no constant-round zero-knowledge strong proof of knowledge (i.e., one that achieves a negligible knowledge error with a constant number of message exchanges). This is a limitation which does not hold for conventional proofs of knowledge.
– We are not aware of any compelling reason for the choice of the bound on the expected running time of a knowledge extractor in Definition 2.15, except that this is a condition on the running time that can be met by knowledge extractors for existing protocols. In private communications Maurer and Shoup independently commented that for instance there seems to be no obvious reason why the knowledge extractor shouldn't be allowed to run in expected time bounded by, e.g., $\mathrm{poly}(\|y\|)/((y, \hat{x}, P^*) - \kappa(\|y\|))^2$ (i.e., where the denominator is a second instead of a first power of $((y, \hat{x}, P^*) - \kappa(\|y\|))$).
– Finally we note that in his book on the foundations of cryptography Goldreich introduces a variant of proof of knowledge [Gol01, Definition 4.7.2], which is strictly stronger than the one in Definition 2.15. In that definition, he requires that knowledge extractors work for every random input ρ for which a prover $P^*$ is successful with probability at least κ. Correspondingly, the knowledge extractor is given black-box access to $P^*$ for a fixed random input ρ, i.e., it may only reset and rerun $P^*$ at will, but not choose $P^*$'s random input.

The notion of zero-knowledge is based on the indistinguishability of two probability ensembles as described next.

Definition 2.16 (Indistinguishability) Let L denote a language. For $y \in L$ we consider two probability ensembles $D_1(y)$ and $D_2(y)$ (i.e., infinite sequences of random variables indexed by $y \in L$). The probability ensembles $D_1(y)$ and $D_2(y)$ are

– perfectly indistinguishable, if $\Pr(D_1(y) = \gamma) = \Pr(D_2(y) = \gamma)$ for all $\gamma \in \{0, 1\}^*$,
– statistically indistinguishable, if the statistical difference between the probability ensembles $D_1(y)$ and $D_2(y)$, defined by
$$\sum_{\gamma \in \{0, 1\}^*} \bigl|\Pr(D_1(y) = \gamma) - \Pr(D_2(y) = \gamma)\bigr|,$$
is a negligible function in $\|y\|$, and
– computationally indistinguishable, if for all probabilistic polynomial-time algorithms M it holds that
$$\bigl|\Pr(\gamma \leftarrow D_1(y) : M(y, \gamma) = 1) - \Pr(\gamma \leftarrow D_2(y) : M(y, \gamma) = 1)\bigr|$$
is a negligible function in $\|y\|$.

The view of a verifier $V^*$ in the protocol $(P(x_1), V^*(x_2))(y)$ is the random variable describing the inputs (i.e., random input, common input, and private input) of $V^*$ and the messages from P received by $V^*$ during the protocol execution. The view is denoted by $\mathrm{view}((P(x_1), V^*(x_2))(y))$.

Definition 2.17 (Perfect zero-knowledge) Let (P, V) be a two-party protocol that is defined for common inputs in a language L. We call (P, V) perfect zero-knowledge, if for every probabilistic polynomial-time interactive machine $V^*$ there is a probabilistic polynomial-time machine M (the simulator), such that for all $y \in L$ the following conditions hold:
– With probability at most 1/2, machine M(y) outputs a special symbol ⊥ (i.e., $\Pr(M(y) = \bot) \le 1/2$).
– Let m(y) be a random variable describing the output distribution of M(y) conditioned on $M(y) \ne \bot$ (i.e., $\Pr(m(y) = \gamma) = \Pr(M(y) = \gamma \mid M(y) \ne \bot)$ for all $\gamma \in \{0, 1\}^*$). Then the probability ensembles m(y) and $\mathrm{view}((P, V^*)(y))$ are perfectly indistinguishable.

We see that the simulator is allowed to fail with probability at most 1/2. Hence, by repeating the simulation polynomially many times one can obtain a simulator with a negligible failure probability. The following variants of zero-knowledge require that the simulated view and the verifier's view are statistically or computationally indistinguishable, respectively.

Definition 2.18 (Statistical and computational zero-knowledge) Let (P, V) be a two-party protocol that is defined for common inputs in a language L. We call (P, V) statistical / computational zero-knowledge if for every probabilistic polynomial-time interactive machine $V^*$ there is a probabilistic polynomial-time machine M such that for all $y \in L$ the probability ensembles M(y) and $\mathrm{view}((P, V^*)(y))$ are statistically / computationally indistinguishable.

Let us make two remarks. First, it is not difficult to verify that perfect zero-knowledge implies statistical zero-knowledge, and in turn that statistical zero-knowledge implies computational zero-knowledge. Second, we note that the original definition of zero-knowledge [GMR85] allows for simulators that may run in expected polynomial-time. Goldreich's definitions [Gol01], which are formulated for probabilistic polynomial-time simulators and which we use here, are conceptually preferable, as our convention is to identify feasible computations with probabilistic polynomial-time algorithms.

The above variants of zero-knowledge require the existence of a simulator for every (dishonest) verifier. In contrast to this, the notion of black-box zero-knowledge requires the existence of a single simulator for all verifiers.

Definition 2.19 (Statistical and computational black-box zero-knowledge) Let (P, V) be a two-party protocol that is defined for common inputs in a language L. We call (P, V) statistical / computational black-box zero-knowledge, if there is a probabilistic polynomial-time machine M, such that for every probabilistic polynomial-time interactive machine $V^*$ and for all $y \in L$, the probability ensembles $\mathrm{view}((P, V^*)(y))$ and $M^{V^*(y)}(y)$ are statistically / computationally indistinguishable.

Analogously, by introducing a black-box simulator into the definition of perfect zero-knowledge (Definition 2.17) one obtains the notion of perfect black-box zero-knowledge. The definition of black-box zero-knowledge is stronger than the one of (non black-box) zero-knowledge, i.e., the different variants of black-box zero-knowledge imply the respective variants of (non black-box) zero-knowledge. Yet, with the exception of a recent result by Barak [Bar01], which describes for the first time a non black-box simulator, all concrete protocols that are known to be zero-knowledge are actually shown to be black-box zero-knowledge.

The variants of zero-knowledge stated above are not quite adequate when the prover or the verifier are given private input (such as in a proof of knowledge or an interactive argument). In this case, one requires auxiliary input zero-knowledge, where the simulator is given the verifier's private input and is required to work for all private inputs of the honest prover for which the honest prover is defined. Yet another variant of zero-knowledge is honest-verifier zero-knowledge, where the simulator is only required to work for the honest verifier. While this variant is weaker than the above variants of zero-knowledge, it turns out to be sufficient for certain applications.

An important question for many cryptographic constructions is whether the composition of zero-knowledge protocols remains zero-knowledge.
While the sequential composition of zero-knowledge protocols is known to remain zero-knowledge, this is not true in general for parallel composition [GK96]. In the latter case one needs a stronger variant of zero-knowledge, which is called concurrent zero-knowledge. In a concurrent zero-knowledge protocol even collaborating dishonest verifiers, which concurrently run different instances of the protocol with the prover, do not learn any information about the prover's secret. For further reading on zero-knowledge interactive proofs and proofs of knowledge we refer to Goldreich's book [Gol01], a survey paper on zero-knowledge [Gol04] by the same author, and to Goldreich and Oren [GO94].

2.4.2 Some fundamental results

From a purely theoretical perspective the problem of constructing zero-knowledge interactive proofs and zero-knowledge proofs of knowledge can be considered to be resolved. A fundamental construction by Goldreich, Micali, and Wigderson [GMW86] yields computational zero-knowledge interactive proofs and proofs of knowledge for all NP decision and search problems, respectively. Another fundamental construction by Brassard, Chaum, and Crépeau [BCC88] allows for perfect zero-knowledge interactive arguments and computational proofs of knowledge for all NP decision and search problems, respectively.

Technically, these results are based on protocols that yield zero-knowledge interactive proofs and proofs of knowledge for the NP-complete problems 3-Coloring (graph three coloring, G3C) and SAT (satisfiability of a boolean circuit), respectively. To obtain a zero-knowledge interactive proof or proof of knowledge for an arbitrary NP problem, loosely speaking, one reduces the NP problem at hand to SAT or 3-Coloring, respectively, and then applies the corresponding one of the above protocols. As SAT and G3C are NP-complete, this technique works for any NP-relation.

3 Pseudo-preimages and related computational problems

In this section we introduce the notion of a pseudo-preimage of a homomorphism. A pseudo-preimage of a $y \in H$ under a homomorphism ψ : G → H is a pair (v, w) such that the equation $y^v = \psi(w)$ holds. We are interested in two computational problems related to pseudo-preimages. One is the pseudo-preimage problem, which is to compute a preimage x of y under ψ from a pseudo-preimage (v, w) (i.e., given $y^v = \psi(w)$). The pseudo-preimage problem is solvable for certain homomorphisms and hard for others. We describe under which algebraic conditions the problem is solvable or hard, respectively. The other problem is the pseudo-preimage generation problem. As an example, given an exponentiation homomorphism $\psi_E(x) := h^x$, the pseudo-preimage generation problem is to find a y and a pseudo-preimage (v, w), such that $y^v = \psi_E(w) = h^w$ subject to the condition that $v \nmid w$. We prove the pseudo-preimage generation problem to be hard under standard computational assumptions.

In the following chapters we concern ourselves with efficient zero-knowledge proofs of knowledge of a preimage under a homomorphism. We shall see that pseudo-preimages and the related computational problems mentioned above are pivotal for all existing as well as our new results on such zero-knowledge proofs of knowledge. In fact, we shall see that pseudo-preimages turn out to be the common abstraction underlying all efficient proof of knowledge techniques for homomorphisms. Therefore the understanding of the pseudo-preimage problem is fundamental for the understanding of the question under which conditions and for what homomorphisms different proof of knowledge techniques are applicable. Technically, pseudo-preimages and the pseudo-preimage problem are the key to the construction of knowledge extractors for these protocols.

Pseudo-preimages and the related computational problems mentioned above appear implicitly in a large number of cryptographic constructions that are based on the so called Σ-protocol (see Chapter 4). All these constructions rely on the existence of solvable instances of the pseudo-preimage problem. Yet, neither the notion of a pseudo-preimage nor the associated computational problems were discussed explicitly until recently. In fact, Bangerter, Camenisch, and Maurer [BCM05] have made these notions explicit and have shown that the pseudo-preimage problem is hard for exponentiation homomorphisms in hidden order groups.

3.1 Definition and basic facts Let us define the notion of a pseudo-preimage.

Definition 3.1 (Pseudo-preimage) Let ψ : G → H be a homomorphism, let $y \in H$ and $w \in G$, and let v be a non-zero integer. If $y^v = \psi(w)$, then (v, w) is a pseudo-preimage of y under ψ. The integer v is the pseudo-preimage exponent and w is the pseudo-preimage domain element.

Next we discuss the relation between a preimage and a pseudo-preimage. Informally speaking, the notion of a pseudo-preimage (v, w) of a y under ψ may be viewed as a generalization of the notion of a preimage x of y under ψ. In fact, in the case where the pseudo-preimage exponent v = 1, w simply is a preimage of y under ψ, and loosely speaking a pseudo-preimage and a preimage become the same thing.

In certain cases, pseudo-preimages and preimages are unrelated in the following sense. Given a non-surjective homomorphism ψ : G → H, there exist pseudo-preimages for $y \in H$ for which no preimage exists, i.e., there exist pseudo-preimages for $y \notin \mathrm{image}(\psi)$. As an example, we can easily verify that (|H|, 0) is a pseudo-preimage of any $y \in H$ under ψ. Indeed, using basic algebraic facts (i.e., Theorem 2.2 (b) and (c) and Theorem 2.3 (a)), we have $y^{|H|} = 1 = \psi(0)$ and the claim follows.

On the other hand, a pseudo-preimage (v, w) of y under ψ and a preimage x of y under ψ are related when $y \in \mathrm{image}(\psi)$: Using the First Isomorphism Theorem (see Theorem 2.5) we have $w = vx$ in the group $G/\ker\psi$. Thus, when $y \in \mathrm{image}(\psi)$, the preimage x is the v-th root of the pseudo-preimage domain element w in the quotient group $G/\ker\psi$. Moreover, for certain values of the pseudo-preimage exponent v one can assert that if (v, w) is a pseudo-preimage of y under ψ, then $y \in \mathrm{image}(\psi)$ (and hence a preimage of y under ψ exists). More precisely, the following holds:

Lemma 3.1 Let ψ : G → H be a homomorphism and let $y \in H$. If (v, w) is a pseudo-preimage of y under ψ with $\gcd(v, |y|) = 1$, then $y \in \mathrm{image}(\psi)$.

Proof By definition we have $y^v = \psi(w)$. As $\gcd(v, |y|) = 1$, there is a $v^{-1}$ such that $v v^{-1} \equiv 1 \pmod{|y|}$. Using Theorem 2.2 (b) we have $y^{v v^{-1}} = y$. Thus $y^{v v^{-1}} = y = \psi(w)^{v^{-1}} = \psi(v^{-1} w)$, where the last equality follows from Theorem 2.3 (b).

3.2 Pseudo-preimage problem

Pseudo-preimages naturally give rise to the following computational problem.

Definition 3.2 (Pseudo-preimage problem) The pseudo-preimage (PP) problem is, given a homomorphism ψ, a y ∈ image(ψ), and a pseudo- preimage (v, w) of y under ψ, compute a preimage x of y under ψ. It is easy to verify that the PP problem falls into the class of NP search problems. The number of solutions of the PP problem is easily seen to be | ker(ψ)|. Loosely speaking, the PP problem is to invert ψ (i.e., to solve the INV problem described in Definition 2.10), where additionally to ψ and y ∈ image(ψ) one is given a pseudo-preimage (v, w) (of y under ψ). Thus, we have INV ≥ PP, i.e., solving the PP problem is at most as hard as inverting the homomorphism at hand. Next we discuss the computational complexity of the PP problem.

3.2.1 Solvable instances of the pseudo-preimage problem

Let us investigate under what conditions the PP problem is solvable. The reducibility INV ≥ PP implies that the PP problem is solvable for homomorphisms that are efficiently invertible. However, this case is of no interest for us in the following. Rather, our objective in this section is to describe techniques to solve the PP problem without directly inverting the respective homomorphism, i.e., techniques that allow to solve the PP problem for one-way homomorphisms. We know of the following three cases where the PP problem is solvable for one-way homomorphisms.

Trivial pseudo-preimages. For instances ((v, w), y, ψ) of the PP problem where the pseudo-preimage exponent v = 1, the domain element w is a preimage of y under ψ and the PP problem is trivially solvable.

Example 3.1 (Schnorr-type homomorphisms [Sch91]) Consider an exponentiation homomorphism $\psi_E : \mathbb{Z}_q \to \mathbb{Z}_p^*$ defined by $\psi_E(x) := h^x$, where $\mathbb{Z}_p^*$ is a prime-modulus group and q is a prime such that $q \mid (p - 1)$, $h \in \mathbb{Z}_p^*$, and |h| = q. Now, there is a pseudo-preimage finder M that on input $(\psi_E, y)$ outputs a pair (q, 0). We see that (q, 0) is a pseudo-preimage of y under $\psi_E$, as $y^q = 1 = h^0 = \psi_E(0)$ for any $y \in \mathrm{image}(\psi_E)$.

Example 3.2 (Guillou-Quisquater-type homomorphisms [GQ88]) Consider a power homomorphism $\psi_P : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ given by $\psi_P(x) := x^e$, where $\mathbb{Z}_n^*$ is an RSA group and $e \ge 2$ is an integer. Now, there is a pseudo-preimage finder M that on input $(\psi_P, y)$ outputs a pair (e, y). In fact, we have $y^e = \psi_P(y)$ and hence (e, y) is a pseudo-preimage of y under $\psi_P$.

Example 3.3 (Paillier-type homomorphisms [Pai99, DJ01]) Consider an exponentiation-power homomorphism $\psi_{EP} : \mathbb{Z}_{n^2} \times \mathbb{Z}_{n^2}^* \to \mathbb{Z}_{n^2}^*$ defined by $\psi_{EP}(x_1, x_2) := h^{x_1} x_2^{n}$, where $\mathbb{Z}_{n^2}^*$ is a Paillier group and $h \in \mathbb{Z}_{n^2}^*$. Now, there is a pseudo-preimage finder M that on input $(\psi_{EP}, y)$ outputs a pair (n, (0, y)). In fact, we have $y^n = \psi_{EP}(0, y)$ and hence (n, (0, y)) is a pseudo-preimage of y under $\psi_{EP}$.

Fig. 3.1. Examples of concrete special homomorphisms.

Special homomorphisms. The PP problem can be shown to be solvable for so called special homomorphisms.

Definition 3.3 (Special homomorphism [Cra97]) Let Ψ be a collection of homomorphisms. If there is a deterministic polynomial-time algorithm M that on input any $\psi \in \Psi$ and any $y \in \mathrm{image}(\psi)$ outputs a pseudo-preimage (v, w) of y under ψ, then Ψ is a collection of special homomorphisms. The algorithm M is called a pseudo-preimage finder.

We note that the special property is a computational and not an algebraic one. All known (collections of) practically relevant special homomorphisms fall into one of the following classes.

– Homomorphisms with known order co-domain. For a homomorphism ψ : G → H with known order co-domain, given $y \in \mathrm{image}(\psi)$ one can efficiently compute a non-zero multiple λ of |y|. For such homomorphisms a pseudo-preimage finder M on input (ψ, y) simply outputs (λ, 0), which (using Theorem 2.2 (b) and Theorem 2.3 (a)) is easily seen to be a pseudo-preimage: $y^\lambda = 1 = \psi(0)$.

– Homomorphisms with a power. Consider homomorphisms $\psi(x_1, x_2) : G \times H \to H$ defined as follows. Let µ : G → H denote an arbitrary homomorphism and define $\psi(x_1, x_2) := \mu(x_1)\, x_2^e$ with $e \ge 2$. Now, there is a pseudo-preimage finder M that on input (ψ, y) outputs (e, (0, y)), which is easily seen to be a pseudo-preimage: $y^e = 1 \cdot y^e = \mu(0)\, y^e = \psi(0, y)$.

Many concrete homomorphisms used in cryptography are special. In fact, power and exponentiation-power homomorphisms (see Definition 2.12) fall into the latter of the above classes. A few examples of special (one-way) homomorphisms used in cryptographic applications are given in Figure 3.1.

A key property of pseudo-preimages is that, given two appropriate pseudo-preimages for the same y and ψ, one can efficiently compute a preimage of y under ψ.

Lemma 3.2 (Shamir's trick) Let $(v_1, w_1)$ and $(v_2, w_2)$ be pseudo-preimages of y under ψ such that $\gcd(v_1, v_2) = 1$. Using the extended Euclidean algorithm (see, e.g., Shoup [Sho04, §4.2]) compute integers a and b such that $a v_1 + b v_2 = 1$. Then $x := a w_1 + b w_2$ is a preimage of y under ψ.

Proof We have $y = y^1 = y^{a v_1} y^{b v_2}$. Using $y^{v_1} = \psi(w_1)$, $y^{v_2} = \psi(w_2)$ and the homomorphism property of $\psi$ we get $y = \psi(a w_1 + b w_2)$.

Using Shamir's trick we can describe solvable instances of the PP problem for special homomorphisms as follows.

Corollary 3.1 Let $\psi$ be a special homomorphism with a pseudo-preimage finder $M$. Then instances $((v, w), y, \psi)$ of the PP problem such that $(v_0, w_0) \leftarrow M(\psi, y)$ and $\gcd(v_0, v) = 1$ are solvable.

Divisible pseudo-preimages. In the following we focus on the PP problem for exponentiation homomorphisms. As earlier, we let $Z$ either stand for a finite additive modular group $\mathbb{Z}_n$ or the integers $\mathbb{Z}$. Then, using the fact that elements of the domain of an exponentiation homomorphism are integer tuples, we make the following definition.

Definition 3.4 ((Non-)Divisible pseudo-preimage) Let $\psi_E : Z_1 \times \cdots \times Z_l \to H$ be an exponentiation homomorphism, let $y \in H$, and let $(v, (w_1, \ldots, w_l))$ be a pseudo-preimage of $y$ under $\psi_E$. If $v \mid w_1, \ldots, v \mid w_l$, then $(v, (w_1, \ldots, w_l))$ is a divisible pseudo-preimage; otherwise the pseudo-preimage $(v, (w_1, \ldots, w_l))$ is called non-divisible.

For divisible pseudo-preimages the following holds.

Lemma 3.3 Let $\psi_E : Z_1 \times \cdots \times Z_l \to H$ be an exponentiation homomorphism, let $y \in H$, and let $(v, (w_1, \ldots, w_l))$ be a divisible pseudo-preimage of $y$ under $\psi_E$. If we set $b := \psi_E(w_1/v, \ldots, w_l/v)/y$ then the following holds.
(a) $|b| \mid \gcd(v, |H|)$.
(b) If $y \in \mathrm{image}(\psi_E)$, then $|b| \mid \gcd(v, |\mathrm{image}(\psi_E)|)$.
(c) If $y \in \mathrm{image}(\psi_E)$ and if $\gcd(v, |\mathrm{image}(\psi_E)|) = 1$, then $y = \psi_E(w_1/v, \ldots, w_l/v)$.

Proof By the definitions of a pseudo-preimage and of $b$ we have $b^v = \psi_E(w_1/v, \ldots, w_l/v)^v / y^v = 1$. Theorem 2.2 (a) and (c) imply $|b| \mid v$ and $|b| \mid |H|$, respectively. Hence, part (a) of the claim follows. For part (b) we may assume that $y \in \mathrm{image}(\psi_E)$. Hence, $|b| \mid |\mathrm{image}(\psi_E)|$ and the claim follows. For part (c) we may assume that $\gcd(v, |\mathrm{image}(\psi_E)|) = 1$, which using part (b) implies that $b = 1$. Now, the claim follows from the definition of $b$.

From Lemma 3.3 (c) we obtain the following description of solvable PP problem instances for exponentiation homomorphisms.

Corollary 3.2 Let $\psi_E : Z_1 \times \cdots \times Z_l \to H$ be an exponentiation homomorphism. Then instances $((v, (w_1, \ldots, w_l)), y, \psi_E)$ of the PP problem are solvable, if $(v, (w_1, \ldots, w_l))$ is a divisible pseudo-preimage and $\gcd(v, |\mathrm{image}(\psi_E)|) = 1$.
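The following Python block is an added example (not from the dissertation) that works Lemma 3.2, Corollary 3.1 and Corollary 3.2 through for $\psi(x) = h^x$ in a toy known-order group $\mathbb{Z}_{1019}^*$; the modulus, the base $h = 2$ and all helper names (psi, egcd, shamir_trick, ...) are constructed for illustration.

```python
# Added example (not from the dissertation): pseudo-preimages of
# psi(x) = h^x in a toy known-order group, Shamir's trick (Lemma 3.2),
# the pseudo-preimage finder of Corollary 3.1 and the divisible case of
# Corollary 3.2.  All parameters are constructed toy values.
from math import gcd

P = 1019            # prime (constructed); H = Z_P^* has known order 1018 = 2 * 509
ORDER_H = P - 1
h = 2               # 2 generates Z_1019^*, so |image(psi)| = 1018


def psi(x):
    """psi(x) = h^x mod P for any integer x (h^(P-1) = 1, so reduce x first)."""
    return pow(h, x % ORDER_H, P)


def is_pseudo_preimage(v, w, y):
    """(v, w) is a pseudo-preimage of y under psi iff v != 0 and y^v = psi(w)."""
    return v != 0 and pow(y, v, P) == psi(w)


def pseudo_preimage_finder(y):
    """Finder M for a known-order co-domain: output (lambda, 0) with lambda a
    non-zero multiple of |y| (here |H| itself), since y^lambda = 1 = psi(0)."""
    return (ORDER_H, 0)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def shamir_trick(v1, w1, v2, w2):
    """Lemma 3.2: from pseudo-preimages (v1, w1), (v2, w2) of the same y with
    gcd(v1, v2) = 1, return the preimage a*w1 + b*w2 where a*v1 + b*v2 = 1."""
    g, a, b = egcd(v1, v2)
    if g != 1:
        raise ValueError("pseudo-preimage exponents must be co-prime")
    return a * w1 + b * w2


def solve_pp_with_finder(v, w, y):
    """Corollary 3.1: combine the given pseudo-preimage (v, w) with the
    finder's (lambda, 0).  Solvable whenever gcd(lambda, v) = 1."""
    lam, w0 = pseudo_preimage_finder(y)
    return shamir_trick(lam, w0, v, w)


def divisible_preimage(v, w, y):
    """Corollary 3.2 (l = 1): if v | w and gcd(v, |image(psi)|) = 1 then w/v is
    already a preimage of y (Lemma 3.3 (c))."""
    if w % v != 0 or gcd(v, ORDER_H) != 1:
        raise ValueError("not a divisible pseudo-preimage with co-prime v")
    x = w // v
    assert psi(x) == y
    return x


if __name__ == "__main__":
    x = 123
    y = psi(x)
    v = 5                       # gcd(5, 1018) = 1
    w = v * x + 2 * ORDER_H     # y^v = h^(vx) = h^w, and 5 does not divide w
    print(is_pseudo_preimage(v, w, y))
    x1 = solve_pp_with_finder(v, w, y)      # non-divisible case: Shamir's trick
    print(x1 % ORDER_H, psi(x1) == y)       # 123 True
    print(divisible_preimage(v, v * x, y))  # divisible case: 123
```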

3.2.2 Hardness of the pseudo-preimage problem

In the following we show that the PP problem is hard for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ with a hidden order co-domain $H$. Let us describe the instances of the PP problem for which we prove the problem to be hard:

Definition 3.5 (PP problem for exponentiation homomorphisms) The PP-EHOM problem is the PP problem for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ whereas problem instances $((v, (w_1, \ldots, w_l)), y, \psi_E)$ fulfill the following requirements: $\mathrm{image}(\psi_E)$ is a cyclic group, there is a generator $h \in H$ of $\mathrm{image}(\psi_E)$, and there are integers $(e_1, \ldots, e_l)$ with $h_1 = h^{e_1}, \ldots, h_l = h^{e_l}$, such that $v \nmid (e_1 w_1 + \cdots + e_l w_l)$.

As a simple example for instances of the PP-EHOM problem, consider an exponentiation homomorphism $\psi_E(x) := h^x$. Then for any $y \in \mathrm{image}(\psi_E)$, pseudo-preimages $(v, w)$ such that $v \nmid w$ fulfill the requirements of Definition 3.5. Now, the PP-EHOM problem and the ORDER problem are related as follows.

Theorem 3.1 The PP-EHOM problem for $\psi_E : \mathbb{Z}^l \to H$ and the ORDER problem for the co-domain $H$ of $\psi_E$ are related by PP-EHOM $\geq$ ORDER.

Proof Let $H$ and $u \in H$ be an instance of the ORDER problem. Our goal is to compute a non-zero multiple of $|u|$. Given $H$ and $u$ we construct an instance of the PP-EHOM problem as follows. We choose an integer $v$ and integer tuples $(w_1, \ldots, w_l)$ and $(e_1, \ldots, e_l)$, such that
$$v \nmid (e_1 w_1 + \cdots + e_l w_l). \qquad (3.1)$$
Then we set
$$h := u^v \qquad (3.2)$$
and
$$h_1 := h^{e_1}, \ldots, h_l := h^{e_l}. \qquad (3.3)$$
We define an exponentiation homomorphism $\psi_E : \mathbb{Z}^l \to H$ by $\psi_E(x_1, \ldots, x_l) := h_1^{x_1} \cdots h_l^{x_l}$. Also, we set $y := u^{(e_1 w_1 + \cdots + e_l w_l)}$. It is easy to see that we have constructed an instance $((v, (w_1, \ldots, w_l)), y, \psi_E)$ of the PP-EHOM problem, i.e., it is
$$y^v = \psi_E(w_1, \ldots, w_l) = h_1^{w_1} \cdots h_l^{w_l}. \qquad (3.4)$$
Now, we invoke the oracle for the PP-EHOM problem on query $((v, (w_1, \ldots, w_l)), y, \psi_E)$ to obtain a preimage $(z_1, \ldots, z_l)$ of $y$ under $\psi_E$. Then using (3.3) we have
$$y^v = (h_1^{z_1} \cdots h_l^{z_l})^v = h^{(e_1 z_1 + \cdots + e_l z_l) v}. \qquad (3.5)$$
From (3.3) and (3.4) we get
$$y^v = h_1^{w_1} \cdots h_l^{w_l} = h^{(e_1 w_1 + \cdots + e_l w_l)}. \qquad (3.6)$$
Using $\lambda := (e_1 w_1 + \cdots + e_l w_l) - (e_1 z_1 + \cdots + e_l z_l) v$, the equations (3.5) and (3.6) yield
$$h^\lambda = 1. \qquad (3.7)$$
By (3.1) we have $\lambda \neq 0$ and hence (3.7) implies that $\lambda$ is a non-zero multiple of $|h|$. Finally, from (3.2) and (3.7) we have $u^{\lambda v} = 1$. Thus $\lambda v$ is a non-zero multiple of $|u|$, which concludes the proof.

From Theorem 2.1 and Theorem 3.1 we obtain the following corollary.

Corollary 3.3 The PP-EHOM problem is hard for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ with a hidden order co-domain $H$.

As a concrete example, Corollary 3.3 implies that the PP-EHOM problem is hard for exponentiation homomorphisms in RSA and class groups. We note that the PP-EHOM problem is a so-called trapdoor problem. Roughly, these are hard problems that become efficiently solvable when some auxiliary information (the trapdoor) is made available. As an example, the RSA problem is a trapdoor problem, where the trapdoor is the group order. Similarly, the order of $H$ is a trapdoor for the PP-EHOM problem (assuming that the pseudo-preimage exponent $v$ is co-prime to $|H|$) for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ in hidden order groups.

For constructions in following chapters we will need a hard generator for the PP-EHOM problem. We describe such a generator next, whereas we make use of the following algorithms:

– Let $D_{ORD}(k)$ denote a hard generator for the ORDER problem for a collection of groups $\mathcal{H}$. That is, $D_{ORD}(k)$ outputs tuples $(H, u)$ with $H \in \mathcal{H}$ and $u \in H$.

– Let $l$ denote an integer parameter and let $H \in \mathcal{H}$ be a group. Then $\tilde{D}(H, l)$ denotes an efficient algorithm that outputs $(v, (w_1, \ldots, w_l), (e_1, \ldots, e_l))$ such that $v$ is an integer and $(w_1, \ldots, w_l)$ and $(e_1, \ldots, e_l)$ are integer tuples with the property that $v \nmid (e_1 w_1 + \cdots + e_l w_l)$. Note that $\tilde{D}(H, l)$ is arbitrary as long as its outputs fulfill this relation.

The generator for the PP-EHOM problem uses $D_{ORD}(k)$ and $\tilde{D}(H, l)$ as subroutines, and it is defined as follows.

Definition 3.6 We define an instance generator for the PP-EHOM problem as follows:

$D_{PPE}(k, l) :=$
1: Choose $(H, u) \leftarrow D_{ORD}(k)$.
2: Choose $(v, (w_1, \ldots, w_l), (e_1, \ldots, e_l)) \leftarrow \tilde{D}(H, l)$.
3: Set $h := u^v$, $h_1 := h^{e_1}, \ldots, h_l := h^{e_l}$ and define the exponentiation homomorphism $\psi_E(x_1, \ldots, x_l) := h_1^{x_1} \cdots h_l^{x_l}$ (i.e., $\psi_E : \mathbb{Z}^l \to H$).
4: Set $y := u^{(e_1 w_1 + \cdots + e_l w_l)}$.
5: Output the PP-EHOM problem instance $((v, (w_1, \ldots, w_l)), y, \psi_E)$.

From the assumption that $D_{ORD}(k)$ is a hard generator for the ORDER problem and Corollary 2.1 applied to the reduction argument given in the proof of Theorem 3.1, we immediately get the following result.

Corollary 3.4 If $D_{ORD}(k)$ is a hard generator for the ORDER problem, then $D_{PPE}(k, l)$ is a hard generator for the PP-EHOM problem.

Finally, a property of the hard generator $D_{PPE}(k, l)$, which will be important in later applications, is that the pseudo-preimage exponent $v$ in the output of $D_{PPE}(k, l)$ can be arbitrarily chosen. In fact, given an arbitrary $v > 1$, we construct the "auxiliary generator" $\tilde{D}(H, l)$ (in the definition of $D_{PPE}(k, l)$), for example, as follows:

$\tilde{D}(H, l) :=$
1: Choose $(w_1, \ldots, w_l)$ and $(e_1, \ldots, e_l)$ such that the requirement $v \nmid (e_1 w_1 + \cdots + e_l w_l)$ is fulfilled (whereas it is easy to see that such a choice of $(w_1, \ldots, w_l)$ and $(e_1, \ldots, e_l)$ always exists).
2: Output $(v, (w_1, \ldots, w_l), (e_1, \ldots, e_l))$.
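An added example (not the dissertation's code) implementing $D_{PPE}$ of Definition 3.6, the auxiliary generator $\tilde{D}$, and the reduction of Theorem 3.1 in Python. The group $\mathbb{Z}_{1019}^*$ and the name cheating_oracle are constructed: the oracle uses the group order, which a real PP-EHOM oracle would not have, so that the reduction can be run end to end; the reduction itself never uses the order.

```python
# Added example (not from the dissertation): the PP-EHOM instance generator
# D_PPE (Definition 3.6) and the reduction of Theorem 3.1, in a toy group
# Z_P^* of small known order so that the oracle can be simulated.
P = 1019            # prime (constructed); H = Z_P^*, |H| = 1018 = 2 * 509
ORDER_H = P - 1     # used only by psi_E (exact, since h^1018 = 1) and the cheating oracle


def psi_E(hs, xs):
    """Exponentiation homomorphism psi_E(x_1..x_l) = h_1^x_1 ... h_l^x_l mod P."""
    y = 1
    for h_i, x_i in zip(hs, xs):
        y = y * pow(h_i, x_i % ORDER_H, P) % P
    return y


def D_tilde(v, ws, es):
    """Auxiliary generator D~(H, l): any output with v not dividing sum(e_i w_i).
    Here the caller supplies v (the text notes v may be chosen freely) and tuples."""
    if sum(e * w for e, w in zip(es, ws)) % v == 0:
        raise ValueError("need v not dividing e_1 w_1 + ... + e_l w_l, see (3.1)")
    return v, ws, es


def D_PPE(u, v, ws, es):
    """D_PPE: from an ORDER instance (H, u) build the PP-EHOM instance
    ((v, ws), y, psi_E) of Definition 3.6; psi_E is returned as its bases hs."""
    v, ws, es = D_tilde(v, ws, es)
    h = pow(u, v, P)                                     # (3.2)  h = u^v
    hs = [pow(h, e, P) for e in es]                      # (3.3)  h_i = h^{e_i}
    y = pow(u, sum(e * w for e, w in zip(es, ws)), P)    # y = u^{sum e_i w_i}
    assert pow(y, v, P) == psi_E(hs, ws)                 # (3.4) holds
    return (v, ws), y, hs


def cheating_oracle(hs, y, v, ws, es):
    """Stand-in for the PP-EHOM oracle.  It cheats with the secret order:
    z_1 = (sum e_i w_i) / (v e_1) mod |H| and z_i = 0 otherwise gives
    psi_E(z) = h^{e_1 z_1} = u^{v e_1 z_1} = y.  Needs gcd(v e_1, |H|) = 1."""
    target = sum(e * w for e, w in zip(es, ws))
    z1 = target * pow(v * es[0], -1, ORDER_H) % ORDER_H
    zs = [z1] + [0] * (len(hs) - 1)
    assert psi_E(hs, zs) == y
    return zs


def reduction_order(u, v, ws, es, oracle):
    """Theorem 3.1: with one oracle call, output a non-zero multiple of |u|."""
    (v, ws), y, hs = D_PPE(u, v, ws, es)
    zs = oracle(hs, y, v, ws, es)
    lam = sum(e * w for e, w in zip(es, ws)) - v * sum(e * z for e, z in zip(es, zs))
    assert lam != 0                       # guaranteed by (3.1); h^lam = 1 by (3.7)
    return lam * v                        # u^{lam v} = 1 by (3.2) and (3.7)


if __name__ == "__main__":
    u = 2
    mult = reduction_order(u, 7, [3, 5], [1, 4], cheating_oracle)
    print(mult, pow(u, mult % ORDER_H, P) == 1)   # -28504 True
```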

3.3 Pseudo-preimage generation problem

In this section we consider another computational problem related to pseudo-preimages. The problem is defined as follows.

Definition 3.7 (Pseudo-preimage generation problem) The pseudo-preimage generation problem (PPGEN) is: Given an exponentiation homomorphism $\psi_E : Z_1 \times \cdots \times Z_l \to H$, compute a $y \in H$ and a non-divisible pseudo-preimage $(v, (w_1, \ldots, w_l))$ of $y$ under $\psi_E$.

Note that we do not require that $y \in \mathrm{image}(\psi_E)$ for $(v, (w_1, \ldots, w_l))$ and $y$ to be a solution to the PPGEN problem.

Let us develop some intuition for the PPGEN problem. We see that if there wouldn't be the requirement that we need to find non-divisible pseudo-preimages, then the PPGEN problem would be easy to solve. In fact, given an exponentiation homomorphism $\psi_E : Z_1 \times \cdots \times Z_l \to H$, we would simply choose a pseudo-preimage exponent $v \neq 0$ and a preimage $(x_1, \ldots, x_l) \in Z_1 \times \cdots \times Z_l$, set $y := \psi_E(x_1, \ldots, x_l)$, and set $(w_1, \ldots, w_l) := (v x_1, \ldots, v x_l)$. It is easy to see that we have constructed a divisible pseudo-preimage $(v, (w_1, \ldots, w_l))$ of $y$ under $\psi_E$.

In the case where we are given the order of $H$, we can easily solve the PPGEN problem. To this end we choose a pseudo-preimage exponent $v$ such that $2|H| > v > |H|$ and an arbitrary preimage $(x_1, \ldots, x_l) \in Z_1 \times \cdots \times Z_l$ such that $(x_1, \ldots, x_l) \neq (0, \ldots, 0)$. Then we set $y := \psi_E(x_1, \ldots, x_l)$ and set $(w_1, \ldots, w_l) := (v x_1 \bmod |H|, \ldots, v x_l \bmod |H|)$. It is easy to see that by construction $(v, (w_1, \ldots, w_l))$ is a non-divisible pseudo-preimage of $y$ under $\psi_E$, and thus a solution of the PPGEN problem. However, in the case where one is not given $|H|$ (i.e., when $H$ is a hidden order group), one quickly gets the feeling that the PPGEN problem is hard. As a matter of fact we prove below that the PPGEN problem is hard for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to \mathbb{Z}_n^*$, where the co-domain is an RSA group with a so-called "special modulus". For a precise description of our results we need the two following definitions.

Definition 3.8 (Safe prime) A prime number $p$ is called safe if $p = 2p' + 1$, whereas $p'$ is also a prime number.

Definition 3.9 (Special RSA modulus) An RSA modulus $n = pq$ is special, if $p$ and $q$ are safe primes.
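An added Python example (not from the dissertation) of the known-order solution to PPGEN sketched above, run in the subgroup of squares $QR_n$ of a special RSA modulus built from the constructed safe primes 23 and 47 (so $|QR_n| = p'q' = 253$); all function names and parameter values are illustrative.

```python
# Added example (not from the dissertation): checking the safe-prime and
# special-modulus definitions, and solving PPGEN the easy way when the group
# order is known.  Toy primes are constructed: p' = 11, q' = 23, hence
# p = 23, q = 47 are safe primes, n = 1081 and |QR_n| = p'q' = 253.


def is_prime(m):
    """Trial division; fine for the toy sizes used here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """Definition 3.8: p is safe if p = 2p' + 1 with p' prime."""
    return is_prime(p) and p % 2 == 1 and is_prime((p - 1) // 2)


def special_rsa_modulus(p, q):
    """Definition 3.9: n = pq is special if both factors are safe primes.
    Returns (n, |QR_n|) with |QR_n| = p'q' (the structure QR_n ~ Z_{p'q'})."""
    if p == q or not (is_safe_prime(p) and is_safe_prime(q)):
        raise ValueError("p and q must be distinct safe primes")
    return p * q, ((p - 1) // 2) * ((q - 1) // 2)


def psi_E(hs, xs, n):
    """psi_E(x_1..x_l) = h_1^x_1 ... h_l^x_l mod n (negative exponents allowed)."""
    y = 1
    for h_i, x_i in zip(hs, xs):
        y = y * pow(h_i, x_i, n) % n
    return y


def is_non_divisible_pp(v, ws, y, hs, n):
    """A PPGEN solution: y^v = psi_E(w), v != 0, and some w_i not divisible by v."""
    return v != 0 and pow(y, v, n) == psi_E(hs, ws, n) and any(w % v for w in ws)


def solve_ppgen_known_order(hs, n, order, xs):
    """Known-order PPGEN solver from the text: pick order < v < 2*order,
    y = psi_E(x), w_i = v*x_i mod |H|.  Then y^v = psi_E(w), and every
    non-zero w_i is smaller than v, so (v, w) is non-divisible."""
    if all(x == 0 for x in xs):
        raise ValueError("x must be a non-zero preimage")
    v = order + 3                        # any v with order < v < 2*order works
    y = psi_E(hs, xs, n)
    ws = [v * x % order for x in xs]
    return v, ws, y


if __name__ == "__main__":
    n, order_qr = special_rsa_modulus(23, 47)
    g = pow(5, 2, n)                             # a square, hence in QR_n
    hs = [g, pow(g, 17, n), pow(g, 101, n)]      # three bases h_i in QR_n
    v, ws, y = solve_ppgen_known_order(hs, n, order_qr, [4, 9, 2])
    print(v, ws, is_non_divisible_pp(v, ws, y, hs, n))   # 256 [12, 27, 6] True
```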

RSA groups $\mathbb{Z}_n^*$ with a special modulus have the following structure
$$\mathbb{Z}_n^* \cong \mathbb{Z}_2 \times \mathbb{Z}_2 \times \mathbb{Z}_{p'q'}. \qquad (3.8)$$

The subgroup of squares (or, subgroup of quadratic residues) $QR_n$ of an RSA group $\mathbb{Z}_n^*$ is defined by
$$QR_n := \{x : x \in \mathbb{Z}_n^* \text{ and } x = r^2 \text{ for some } r \in \mathbb{Z}_n^*\}.$$
If $n$ is a special modulus, then we see from (3.8) that
$$QR_n \cong \mathbb{Z}_{p'q'}.$$
Now that we have introduced the algebraic setting, we can precisely describe the instances of the PPGEN problem for which we prove the problem to be hard.

Definition 3.10 Let $n$ be a special RSA modulus and $QR_n$ the subgroup of squares of $\mathbb{Z}_n^*$.
(a) The PPGEN-QRN problem is the PPGEN problem for exponentiation homomorphisms $\psi_E(x_1, \ldots, x_l) := h_1^{x_1} \cdots h_l^{x_l}$ with $h_1, \ldots, h_l \in QR_n$.
(b) The SRSA-QRN problem is the strong RSA problem in $QR_n$.† That is, given a special RSA modulus $n$ and $g \in QR_n \leq \mathbb{Z}_n^*$, compute an $r \in \mathbb{Z}_n^*$ and an integer $e \geq 2$, such that $r^e = g$.

These problems are related by the following reduction.

Theorem 3.2 PPGEN-QRN $\geq_P$ SRSA-QRN

Proof Let an instance $(n, g)$ of the SRSA-QRN problem be given. Thus, by definition we have $n = pq = (2p' + 1)(2q' + 1)$.

Our goal is to compute an $r \in \mathbb{Z}_n^*$ and an integer $e \geq 2$, such that $r^e = g$. Towards this goal let us construct an instance of the PPGEN-QRN problem as follows. For $i = 1, \ldots, (l-1)$ we choose $\rho_i \overset{U}{\leftarrow} \{0, n^2\}$ and set
$$g_i := g^{\rho_i}. \qquad (3.9)$$
Then we define the exponentiation homomorphism
$$\vartheta(x_1, \ldots, x_l) := g_1^{x_1} \cdots g_{l-1}^{x_{l-1}} \cdot g^{x_l}. \qquad (3.10)$$
By assumption we have $g \in QR_n$ and hence $\vartheta : \mathbb{Z}^l \to QR_n$ is an instance of the PPGEN-QRN problem as required. Thus, if we invoke the PPGEN-QRN oracle on $\vartheta$, we obtain a $y \in \mathbb{Z}_n^*$ and a non-divisible pseudo-preimage $(v, (w_1, \ldots, w_l))$ of $y$ under $\vartheta$, i.e., we have
$$y^v = \vartheta(w_1, \ldots, w_l) = g_1^{w_1} \cdots g_{l-1}^{w_{l-1}} \cdot g^{w_l}. \qquad (3.11)$$
It is important to note that possibly $y \in \mathbb{Z}_n^*$ and $y \notin QR_n$.

Claim 3.1 If $p' \mid v$ or $q' \mid v$, then we can solve the SRSA-QRN problem for $(n, g)$.

In the case where $(p'q') \mid v$, we have from (3.8) that $4v$ is a multiple of $|\mathbb{Z}_n^*|$. Then by Theorem 2.6 (a) and (b) we can solve the SRSA-QRN problem. It remains to consider the case where either $p' \mid v$ or $q' \mid v$. Let us assume that $p' \mid v$ and $q' \nmid v$. If we choose $h \overset{U}{\leftarrow} \mathbb{Z}_n^*$, then, since $n = pq$, we have $\gcd(h, p) = 1$. As $p = 2p' + 1$, Euler's Theorem (see, e.g., [Sho04]) implies $h^{2p'} \equiv 1 \pmod p$, and thus $h^{2v} \equiv 1 \pmod p$. Except with negligible probability we have $h \neq \pm 1$ and thus $\gcd(h^{2v} - 1, n) = p$. Given $p$ we can factor $n$ and by Theorem 2.7 compute a non-zero multiple of $|\mathbb{Z}_n^*|$. As we have seen above this allows to solve the SRSA-QRN problem. In the case where $p' \nmid v$ and $q' \mid v$ an analogous argument holds, and hence Claim 3.1 follows. For the remainder of this proof we assume that
$$p' \nmid v \text{ and } q' \nmid v. \qquad (3.12)$$

† We recall that the strong RSA problem is (what we call) the GROOT problem specialized to RSA groups.

Next we observe that in our construction of $\vartheta$ above, we have introduced a probability space consisting of choices of $\rho_1, \ldots, \rho_{l-1} \in \{0, n^2\}$. In the following we consider the probability space conditioned on choices of $\rho_1, \ldots, \rho_{l-1} \in \{0, n^2\}$ that yield the same exponentiation homomorphism $\vartheta$ as we have obtained in (3.10).  Moreover, we also fix the choices of $v$, $(w_1, \ldots, w_l)$, and $y$ made by the PPGEN-QRN oracle. Now, using (3.9) we get from (3.11)
$$y^v = g^{\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l}. \qquad (3.13)$$
In the following we distinguish between the cases whether or not the exponent $v$ on the left hand side of (3.13) divides the exponent on the right hand side of (3.13). To this end we define the events $E_1$ and $E_2$ in the conditional probability space introduced above by

$E_1$ occurs if $(\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l) \not\equiv 0 \pmod v$, and

$E_2$ occurs if $(\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l) \equiv 0 \pmod v$.

We note that $E_1$ and $E_2$ are exclusive events, i.e., $\Pr(E_1 \cap E_2) = 0$, and $\Pr(E_1) + \Pr(E_2) = 1$.

Claim 3.2 If $E_1$ occurs, then we can solve the SRSA-QRN problem for $(n, g)$.

Let
$$d := \gcd(v, \rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l), \qquad (3.14)$$
and using the extended Euclidean algorithm (see e.g., Shoup [Sho04, §4.2]) compute integers $a$ and $b$ such that
$$d = av + b(\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l).$$
Hence, $g^d = g^{av + b(\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l)}$ and using (3.13) we have
$$g^d = (g^a y^b)^v. \qquad (3.15)$$
If we set
$$r := (g^a y^b)^{v/d} / g, \qquad (3.16)$$
then (3.15) yields $r^d = 1$. From this last equation and Theorem 2.2 (a) we have $|r| \mid d$. By this last relation and by definition of $d$ in (3.14) we have $d \mid v$, and thus
$$|r| \mid v. \qquad (3.17)$$
From (3.8) we have
$$|r| \mid (2p'q'). \qquad (3.18)$$
Now, (3.12), (3.17), and (3.18) yield $|r| \mid 2$, and hence
$$r^2 = 1. \qquad (3.19)$$
By the definitions of $d$ and the event $E_1$ we have
$$v/d > 1. \qquad (3.20)$$
If $v/d$ is even and since $g \in QR_n$, (3.16) implies that $r \in QR_n$, and thus by (3.19) we have $r = 1$. Now, (3.16) yields $(g^a y^b)^{v/d} = g$. Using (3.20) we see that $(g^a y^b)$ and $v/d$ are a solution of the SRSA-QRN problem. If $v/d$ is odd, then (3.19) implies $r^{v/d} = r$, and (3.16) yields $g = (r g^a y^b)^{v/d}$. Using (3.20), we see that $(r g^a y^b)$ and $v/d$ are a solution of the SRSA-QRN problem. This concludes the proof of Claim 3.2.

Claim 3.3 $\Pr(E_2) \leq 1/2 \pm \nu(k)$, where $\nu(k)$ is negligible.

By assumption $(v, (w_1, \ldots, w_l))$ is a non-divisible pseudo-preimage and thus there is a $j \in \{1, l\}$, such that $w_j \not\equiv 0 \pmod v$. We argue next that there must be a $j' \in \{1, (l-1)\}$, such that $w_{j'} \not\equiv 0 \pmod v$. If $j \neq l$, then the existence of $j'$ trivially follows, i.e., $j' = j$. Hence, let us assume that $j = l$, i.e.,
$$w_l \not\equiv 0 \pmod v. \qquad (3.21)$$
Now, the existence of a $j' \in \{1, (l-1)\}$ follows by contradiction. In fact, if no such $j'$ exists, then we get from the definition of the event $E_2$ that $w_l \equiv 0 \pmod v$, which contradicts our assumption (3.21) as desired.

Then as $w_{j'} \not\equiv 0 \pmod v$, there exists a prime power $\bar{q}^f$ with $f \geq 1$, such that
$$\bar{q}^f \mid v \text{ and} \qquad (3.22)$$
$$\bar{q}^f \nmid w_{j'}. \qquad (3.23)$$
By definition of the event $E_2$ and using (3.22) we have
$$(\rho_1 w_1 + \cdots + \rho_{l-1} w_{l-1} + w_l) \equiv 0 \pmod{\bar{q}^f}. \qquad (3.24)$$
If we write $\rho_{j'} = a + b|g|$ (where $0 \leq \mathrm{abs}(a) < |g|$), then (3.24) yields
$$b|g|w_{j'} \equiv -a w_{j'} - w_l - \sum_{i = 1, \ldots, (l-1),\ i \neq j'} \rho_i w_i \pmod{\bar{q}^f}. \qquad (3.25)$$
By an elementary number theoretical result, equation (3.25) has
$$d = \gcd(|g| w_{j'}, \bar{q}^f) \qquad (3.26)$$
solutions for $b$ in $\mathbb{Z}_{\bar{q}^f}$. From $p' \nmid v$ and $q' \nmid v$ in (3.12), $\bar{q}^f \mid v$ in (3.22), and $|g| \mid p'q'$ it follows that $\gcd(|g|, \bar{q}^f) = 1$. From this last equation and from (3.23) and by (3.26) we get an upper bound on the number of solutions of (3.25) of
$$d \leq \bar{q}^{f-1}. \qquad (3.27)$$
Using this upper bound on $d$ we derive an upper bound on $\Pr(E_2)$. Since $\rho_j \overset{U}{\leftarrow} \{0, n^2\}$, and as $n^2$ is much larger than $\bar{q}^f$, it follows that the distribution of $b$ on $\{0, (\bar{q}^f - 1)\}$ is statistically indistinguishable from the uniform random distribution on $\{0, (\bar{q}^f - 1)\}$. Moreover, we note that the oracle for the PPGEN-QRN problem, which we have invoked on input $\vartheta$ at the onset of our proof, learns no information on the value of $b$ from $g_{j'}$, as $g_{j'} = g^{\rho_{j'}} = g^{a + b|g|} = g^a$. Hence, the oracle for the PPGEN-QRN problem can do no better than guess a $b$ such that (3.25) holds. The success probability of guessing such a $b$ is at most $d/\bar{q}^f \pm \nu(k)$, where $\nu(k)$ is a negligible function in $k$.† Finally, using (3.27) we get $d/\bar{q}^f \pm \nu(k) \leq \bar{q}^{f-1}/\bar{q}^f \pm \nu(k) = 1/\bar{q} \pm \nu(k) \leq 1/2 \pm \nu(k)$, and thus Claim 3.3 follows.

Finally, from Claim 3.1, Claim 3.2, and Claim 3.3 it follows that we can solve the SRSA-QRN problem with noticeable probability and hence the theorem follows.

† The negligible term $\nu(k)$ occurs, since the distribution of $b$ on $\{0, (\bar{q}^f - 1)\}$ is not uniform random, but only statistically indistinguishable from the uniform random distribution on $\{0, (\bar{q}^f - 1)\}$.

Next we show that the PPGEN-QRN problem is hard under the strong RSA assumption. For a precise statement of the strong RSA assumption we explicitly describe a generator for the strong RSA problem.

Definition 3.11 We define an instance generator for the strong RSA problem as follows:

$D_{SRSA}(k) :=$
1: Choose randomly and uniformly $k$-bit primes $q'$ and $p'$, such that $p := 2p' + 1$ and $q := 2q' + 1$ are primes and $p' \neq q'$. Set $n := pq$.
2: Choose $u \overset{U}{\leftarrow} \mathbb{Z}_n^*$.
3: Output the strong RSA problem instance $(n, u)$.

Using $D_{SRSA}(k)$, we formulate the strong RSA assumption as follows.

Definition 3.12 (Strong RSA assumption [BP97, FO97]) The strong RSA assumption is the assumption that $D_{SRSA}(k)$ is a hard generator for the strong RSA problem.

To be precise, we note that the strong RSA assumption is made for arbitrary RSA moduli $n$. What we have defined above is a widely used variant of the assumption for the case where $n$ is a special RSA modulus. Using (3.8) we see that for a strong RSA problem instance $(n, u)$ chosen with the generator $D_{SRSA}(k)$ we have with probability at least $1/4$ that $u \in QR_n$. Hence, under the strong RSA assumption the strong RSA problem is not only hard in the RSA group $\mathbb{Z}_n^*$ but also in the subgroup of squares $QR_n$, i.e., under the strong RSA assumption the SRSA-QRN problem is hard. From this observation, Theorem 3.2, and Theorem 2.1 we get the following corollary.

Corollary 3.5 The PPGEN-QRN problem is hard under the strong RSA assumption.

We note that Camenisch and Shoup [CS03] prove a result, which is similar to Corollary 3.5. However, their result is not sufficient for our applications in the following. The original proof ideas underlying Corollary 3.5 are implicit in work by Damgaard and Fujisaki [DF01, DF02], which in turn draws on ideas of Fujisaki and Okamoto [FO97]. Finally, for later use, we explicitly describe a hard generator $D_{PPG}(k, l)$ for the PPGEN-QRN problem.

Definition 3.13 We define an instance generator for the PPGEN-QRN problem as follows:

$D_{PPG}(k, l) :=$
1: Choose $(n, g') \leftarrow D_{SRSA}(k)$.
2: Let $g := g'^2$.
3: For $i = 1, \ldots, (l-1)$ choose $\rho_i \overset{U}{\leftarrow} \{0, n^2\}$ and set $g_i := g^{\rho_i}$.
4: Using these choices, define an exponentiation homomorphism $\vartheta_l : \mathbb{Z}^l \to QR_n$ by $\vartheta_l(x_1, \ldots, x_l) := g_1^{x_1} \cdots g_{l-1}^{x_{l-1}} \cdot g^{x_l}$.
5: Output $\vartheta_l$.

Note that by "output $\vartheta_l$" we mean that a description of $\vartheta_l$ consisting of $n$ and $g_1, \ldots, g_{l-1}, g$ is output. The hardness of $D_{PPG}(k, l)$ follows from Corollary 2.1 applied to the reduction argument given in the proof of Theorem 3.2 and Corollary 3.5.

Corollary 3.6 Under the strong RSA assumption $D_{PPG}(k, l)$ is a hard generator for the PPGEN-QRN problem.

4 Zero-knowledge proofs of knowledge for homomorphisms using the Σψ-protocol

Proofs of knowledge of a preimage under a homomorphism (for short: proofs of knowledge for homomorphisms) are a key building block in a vast number of constructions in applied cryptography. Examples of such applications are: identification-, signature-, group signature-, anonymous credential-, and identity escrow-schemes as well as voting systems, e-cash, and multi-party computations. In this chapter we review the theory of "practically efficient" proofs of knowledge for homomorphisms existing prior to our work. Roughly, practically efficient means that the computational cost of these protocols consists of a couple of homomorphism evaluations and exponentiations in the domain and co-domain of the homomorphism at hand; whereas, the communication cost consists of the exchange of a few group elements of the domain and the co-domain, respectively. We also provide definitions and results, which are key for the statement and the understanding of our results in later chapters.

We recall that proofs of knowledge are defined (see Definition 2.15) for binary relations. Hence, if we talk about proofs of knowledge for homomorphisms, then we actually mean proofs of knowledge for homomorphism relations defined as follows.

Definition 4.1 (Homomorphism relation) If $\Psi$ is a collection of homomorphisms, then the binary relation
$$R[\Psi] := \{((\psi, y), x) : \psi \in \Psi, \text{ where } \psi : G \to H,\ x \in G, \text{ and } y = \psi(x)\},$$
is called a homomorphism relation.

Homomorphism relations $R[\Psi]$ that are based on collections $\Psi$ of computationally tractable homomorphisms (see §2.3.2) are easily seen to be NP relations†. In particular, this is true for homomorphism relations obtained from concrete homomorphisms used in cryptography. Therefore, using generic techniques that work for all NP relations (see §2.4.2), there is a zero-knowledge proof of knowledge for any homomorphism (relation). Thus, from a theoretical point of view, the problem of proving knowledge of a preimage under a homomorphism is completely resolved. However, these generic techniques are efficient only in a complexity theoretical sense. That is, prover and verifier are probabilistic polynomial-time algorithms; and the communication cost, i.e., the length and the number of messages being exchanged, are polynomially bounded. For practically oriented applications, such as the ones mentioned above, these generic techniques are not considered to be usable.

Luckily, one can trade the universality of generic techniques for the efficiency of specific techniques designed to be used for homomorphisms. Specific techniques exploit the algebraic properties of homomorphisms and thus yield significantly more efficient proofs of knowledge than generic ones. Perhaps surprisingly (to the best of our knowledge) all efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol. We refer to this protocol as the Σψ-protocol. Well known examples of proofs of knowledge based on the Σψ-protocol are the proofs of knowledge for power homomorphisms by Guillou-Quisquater [GQ88] and for exponentiation homomorphisms by Schnorr [Sch91] – just to name a few. It is hard to overestimate the importance of the Σψ-protocol as a building block of practically oriented cryptographic applications. In fact, virtually all practical implementations of the cryptographic applications listed at the onset of this section use the Σψ-protocol as a sub-protocol (see e.g. [ACJT00, Bra93, CD00, CL01a, CL01b, CL02, CFSY96, FS87, HS00, KP98]).
An important point is that while all efficient proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true. That is, the Σψ-protocol is not known to yield efficient proofs of knowledge for all concrete homomorphisms. In particular, for the practically significant class of exponentiation homomorphisms in hidden order groups the resulting proofs of knowledge are too inefficient for many practical applications.

This chapter discusses the Σψ-protocol and various applications thereof. We shall see that pseudo-preimages and the related computational problems discussed in §3 play a key role for applications of the Σψ-protocol. In §4.1 we define the Σψ-protocol and discuss its zero-knowledge properties. In §4.2 we describe for which homomorphisms and under what conditions the Σψ-protocol is a proof of knowledge. In §4.3 we discuss the efficiency of proofs of knowledge using the Σψ-protocol. In §4.4 we briefly shift our focus away from proofs of knowledge, and discuss interactive proofs for homomorphisms using the Σψ-protocol. In §4.5 we discuss the Damgaard and Fujisaki scheme [DF02], which, although it does not yield proofs of knowledge, allows to "demonstrate knowledge" of a preimage under a homomorphism using the Σψ-protocol.

† The notion of a computationally tractable homomorphism requires more than is necessary for a homomorphism relation to be in NP. In fact, it is sufficient when the homomorphisms underlying a homomorphism relation can be efficiently evaluated, and if the equality of group elements in their co-domain can be efficiently tested.

P((ψ, y), x)                                          V(ψ, y)
Choose r ←U G. Set t := ψ(r).
                          --- t --->
                                                      c ←U C
                          <--- c ---
s := r + cx
                          --- s --->
                                                      if ψ(s) = t y^c, then output 1; else output 0

Fig. 4.1. Definition of the Σψ-protocol for homomorphisms with a finite domain.

4.1 Protocol definitions and the zero-knowledge property

Throughout the following $C := C(k)$ denotes a sequence of finite subsets of the integers indexed by the security parameter $k$. The role of $C$ will be the one of a so-called challenge set. We first define the Σψ-protocol for homomorphisms with a finite domain.

Definition 4.2 (Σψ-protocol for homomorphisms with a finite domain) Let $\Psi$ be a collection of homomorphisms with a finite domain and let $((\psi, y), x) \in R[\Psi(k)]$. A Σψ-protocol for homomorphisms with a finite domain is a pair of interactive machines $(P, V)$ performing the joint computation described in Figure 4.1.

Loosely speaking, the Σψ-protocol is the Schnorr or Guillou-Quisquater protocol defined for arbitrary homomorphisms $\psi : G \to H$, instead of the concrete homomorphisms used in the respective schemes.

The Σψ-protocol above is not defined for homomorphisms $\psi : G \to H$ with an infinite domain, such as exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$. The reason for this is that the first step of the prover's computation in the Σψ-protocol, i.e., the choice of a uniform random element from the domain $G$, is not defined in the case where $G$ is infinite (e.g., if $G = \mathbb{Z}^l$).

For exponentiation homomorphisms we can circumvent the problem caused by an infinite domain. The approach is to restrict the domain of $\psi_E : \mathbb{Z}^l \to H$ to a finite subset $G$ of the domain $\mathbb{Z}^l$. While the idea underlying this approach is straightforward, one needs to be careful in order for the resulting protocol to be (honest-verifier) zero-knowledge. In fact, to obtain a (honest-verifier) zero-knowledge protocol we have to introduce two finite subsets $G$ and $G'$ of the domain $\mathbb{Z}^l$ as described next. The role of these sets will become clear below. For $i = 1, \ldots, l$ we let $\Delta x_i := \Delta x_i(k)$ and $\bar{x}_i := \bar{x}_i(k)$ be positive integer parameters. Given a sequence of challenge sets $C(k)$ we define
$$\gamma := \max(\{\mathrm{abs}(c) : c \in C(k)\}).$$
Moreover, using an auxiliary security parameter $k_s := \mathrm{poly}(k)$ we define
$$G := \{-\Delta x_1 + \bar{x}_1, \bar{x}_1 + \Delta x_1\} \times \cdots \times \{-\Delta x_l + \bar{x}_l, \bar{x}_l + \Delta x_l\}, \text{ and}$$
$$G' := \{-2^{k_s} \gamma \Delta x_1, 2^{k_s} \gamma \Delta x_1\} \times \cdots \times \{-2^{k_s} \gamma \Delta x_l, 2^{k_s} \gamma \Delta x_l\}.$$
We also use some additional notation, and define $\bar{x} := (\bar{x}_1, \ldots, \bar{x}_l)$. Now, if $r := (r_1, \ldots, r_l)$ and $x := (x_1, \ldots, x_l)$ are elements of $\mathbb{Z}^l$ and if $c$ is an integer, then we write $s := r + c(x - \bar{x})$ to denote
$$(s_1, \ldots, s_l) := (r_1, \ldots, r_l) + c(x_1 - \bar{x}_1, \ldots, x_l - \bar{x}_l),$$
and correspondingly, $c\bar{x}$ stands for $c(\bar{x}_1, \ldots, \bar{x}_l)$. Using this notation, we are ready to define the Σψ-protocol for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$.

Definition 4.3 (Σψ-protocol for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$) Let $\Psi$ be a collection of exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ and let $((\psi_E, y), x) \in R[\Psi(k)]$ with $x \in G$. A Σψ-protocol for exponentiation homomorphisms is a pair of interactive machines $(P, V)$ performing the joint computation described in Figure 4.2.

P((ψE, y), x)                                         V(ψE, y)
Choose r ←U G'. Set t := ψE(r).
                          --- t --->
                                                      c ←U C
                          <--- c ---
s := r + c(x − x̄)
                          --- s --->
                                                      if ψE(s + c x̄) = t y^c, then output 1; else output 0

Fig. 4.2. Definition of the Σψ-protocol for exponentiation homomorphisms.

Now we see what role the sets $G$ and $G'$ (in Definition 4.3) play: $G$ is the set from which the preimages $x$ are taken, while $G'$ is the set from which the prover, in the first round of its computation, chooses a uniform random element $r$. The variants of the Σψ-protocol introduced above have the following zero-knowledge properties.

Theorem 4.1 (Zero-knowledge properties of Σψ-protocols)

(a) The Σψ-protocol for homomorphisms with a finite domain is honest-verifier zero-knowledge, and if for the challenge set $C(k)$ we have $|C(k)| \leq \mathrm{poly}(k)$, then it is zero-knowledge.

(b) The Σψ-protocol for exponentiation homomorphisms is statistical honest-verifier zero-knowledge, and if for the challenge set $C(k)$ we have $|C(k)| \leq \mathrm{poly}(k)$, then it is statistical zero-knowledge.

Proof Proof of part (a) of the theorem is standard, i.e., it is the same as, e.g., for the Schnorr or Guillou-Quisquater protocol, and hence omitted. Part (b) of the theorem is what informally is called a folklore theorem and we are not aware of a good reference for the proof. Hence, we sketch the key parts of the proof. To this end we consider the Σψ-protocol $(P(x), V)(\psi_E, y)$ with $y = \psi_E(x)$ and $x \in G$.

We show the honest-verifier zero-knowledge property first. The simulator of $V$'s view works as follows: It chooses $c' \overset{U}{\leftarrow} C$, $s' \overset{U}{\leftarrow} G'$, sets $t' := \psi_E(s' + c'\bar{x})\, y^{-c'}$, and outputs $(t', c', s')$.

Let us verify the claim that the probability distribution of the simulated view on tuples $(t', c', s')$ is statistically indistinguishable from the probability distribution of the verifier $V$'s real view (in the protocol with the prover $P((\psi_E, y), x)$) on tuples $(t, c, s)$. We note that given $(s, c)$ and $(s', c')$ the group elements $t$ and $t'$, respectively, are uniquely determined. Hence, it suffices to show that the probability distributions of $(s, c)$ and $(s', c')$ are statistically indistinguishable. By assumption that the verifier is honest, we clearly have $\Pr(c) = \Pr(c')$. Thus it remains to show that the statistical difference between the probability distributions $\Pr(s'|c', x)$ and $\Pr(s|c, x)$ is negligible. To this end we recall that $s$, $s'$, and the preimage $x$ of $y$ under $\psi_E$ are integer tuples, i.e., $s = (s_1, \ldots, s_l)$, $s' = (s'_1, \ldots, s'_l)$, and $x = (x_1, \ldots, x_l)$. That is, we have $\Pr(s|c, x) = \Pr(s_1, \ldots, s_l | c, x_1, \ldots, x_l)$ and $\Pr(s'|c', x) = \Pr(s'_1, \ldots, s'_l | c', x_1, \ldots, x_l)$. Let us consider $\Pr(s_i|c, x_i)$ and $\Pr(s'_i|c', x_i)$ for some $i \in \{1, l\}$. In the former case we can see that $s_i$ is uniform and random on
$$\{-2^{k_s} \gamma \Delta x_i + c(x_i - \bar{x}_i),\ c(x_i - \bar{x}_i) + 2^{k_s} \gamma \Delta x_i\}.$$
In the latter case $s'_i$ is uniform and random on
$$\{-2^{k_s} \gamma \Delta x_i,\ 2^{k_s} \gamma \Delta x_i\}.$$
The statistical difference between these probability distributions is $(2\,\mathrm{abs}(c(x_i - \bar{x}_i)))/(2^{k_s + 1} \gamma \Delta x_i)$. Using that $\mathrm{abs}(c(x_i - \bar{x}_i)) \leq \gamma \Delta x_i$, we see that the statistical difference between $\Pr(s_i|c, x_i)$ and $\Pr(s'_i|c', x_i)$ is at most $1/2^{k_s}$. We note that $\Pr(s_i|c, x_i)$ and $\Pr(s_j|c, x_j)$ with $i \neq j$ and $\Pr(s'_i|c', x_i)$ and $\Pr(s'_j|c', x_j)$ with $i \neq j$, respectively, are independent. This implies that $\Pr(s_1, \ldots, s_l|c, x_1, \ldots, x_l) = \Pr(s_1|c, x_1) \cdots \Pr(s_l|c, x_l)$ and $\Pr(s'_1, \ldots, s'_l|c', x_1, \ldots, x_l) = \Pr(s'_1|c', x_1) \cdots \Pr(s'_l|c', x_l)$. Hence, the statistical difference between $\Pr(s'|c', x)$ and $\Pr(s|c, x)$ is at most $l/2^{k_s}$. The fact that $l$ is polynomially bounded concludes the proof.

Let us sketch the statistical zero-knowledge property, when $|C(k)| \leq \mathrm{poly}(k)$. In this case the simulator uses the same algorithm as above to compute the tuple $(t', c', s')$. Then, it sends $t'$ to the (possibly) dishonest verifier $V^*$. Wlog we assume that $V^*$ responds with a challenge $c$. If $c = c'$, then the simulator outputs $(t', c', s')$; otherwise it fails and outputs $\bot$. It is not difficult to see that the simulator is successful with probability at least $1/|C(k)|$, which is noticeable by assumption. Conditioned on the event that the simulator is successful we see, by the same argument as given above, that the simulated view and the real view of $V^*$ are statistically indistinguishable. The claim now follows by the observation that by re-running the simulator polynomially often one can achieve a negligible failure probability.

We conclude with three remarks. First, we see from the proof of Theorem 4.1 (b) that the auxiliary security parameter $k_s$ (which is used in the definition of the set G') controls the tightness of the statistical (honest-verifier) zero-knowledge property of the Σψ-protocol for exponentiation homomorphisms. Second, we shall see that for proofs of knowledge, using either variant of the Σψ-protocol defined above, it is quite desirable to choose the challenge set C to be super-polynomially large. In that case, according to Theorem 4.1, the Σψ-protocol is only known to be (statistical) honest-verifier zero-knowledge, which is not sufficient in many applications. Fortunately, there exist various transformations [CGGM00, Dam00, DNS98] that turn the Σψ-protocol with an arbitrarily sized challenge set into zero-knowledge or even concurrent zero-knowledge protocols. In particular, the transformation by Damgaard [Dam00] comes with almost no computation and communication overhead. Third, one can define the Σψ-protocol also for the broader class of exponentiation homomorphisms $\psi_E : Z_1 \times \dots \times Z_l \to H$, i.e., where the domain is a product of infinite groups $\mathbb{Z}$ and finite modular groups $\mathbb{Z}_n$. To this end one introduces sets G and G' as follows:

– We set $G := G_1 \times \dots \times G_l$, where $G_i := \mathbb{Z}_{n_i}$ if $Z_i = \mathbb{Z}_{n_i}$ and $G_i := \{-\Delta x_i + \bar{x}_i,\; \bar{x}_i + \Delta x_i\}$ if $Z_i = \mathbb{Z}$.
– We set $G' := G'_1 \times \dots \times G'_l$, where $G'_i := \mathbb{Z}_{n_i}$ if $Z_i = \mathbb{Z}_{n_i}$ and $G'_i := \{-2^{k_s}\gamma\Delta x_i,\; 2^{k_s}\gamma\Delta x_i\}$ if $Z_i = \mathbb{Z}$.

Then by plugging G and G' into the Σψ-protocol in Definition 4.3, one gets a variant of the Σψ-protocol that is well defined for exponentiation homomorphisms $\psi_E : Z_1 \times \dots \times Z_l \to H$. It is not difficult to see that the resulting protocol is statistical (honest-verifier) zero-knowledge as described in Theorem 4.1 (b). Also, all the results in the following equally hold for this variant of the Σψ-protocol.
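The honest-verifier simulator from the proof of Theorem 4.1 (b) and the interval-shift argument behind its statistical bound, as an added Python example (not from the thesis) for the case l = 1 with constructed toy parameters: the modulus, the base h, the interval centre x̄ and half-width Δx, the constant γ, k_s and c+ below are all assumed values. It builds real and simulated transcripts, checks both against the verification equation, and computes the exact statistical difference between Pr(s | c, x) and Pr(s' | c', x), so that the bound 1/2^{k_s} and the effect of k_s on tightness can be checked numerically.

```python
import random
from fractions import Fraction

# Constructed toy instance (hypothetical parameters, not from the thesis) of the
# Sigma_psi-protocol for an exponentiation homomorphism psi_E(x) = h^x with l = 1.
# H is Z_p^* for a small prime p; the protocol never uses ord(h), so the same
# code applies unchanged to a hidden-order H such as an RSA group.
P_MOD = 1_000_003      # prime modulus of H (assumed)
H_BASE = 5             # base h (assumed)
X_BAR = 1000           # centre x_bar of the domain G = {x_bar - Delta x, ..., x_bar + Delta x}
DELTA_X = 500          # half-width Delta x of the domain G
GAMMA = 4              # constant gamma of Definition 4.3 (assumed value, chosen >= c+)
K_S = 10               # auxiliary security parameter k_s
C_PLUS = 3             # challenge set C = {0, ..., c+}


def psi_E(x):
    """The exponentiation homomorphism psi_E: Z -> H, x -> h^x mod p."""
    return pow(H_BASE, x, P_MOD)


def prover_bound():
    """Half-width B of G' = {-2^k_s * gamma * Delta x, ..., 2^k_s * gamma * Delta x}."""
    return (1 << K_S) * GAMMA * DELTA_X


def honest_transcript(x, c, rng=random):
    """Real view: r <- G' uniformly, t = psi_E(r), answer s = r + c*(x - x_bar)."""
    bound = prover_bound()
    r = rng.randint(-bound, bound)
    return psi_E(r), c, r + c * (x - X_BAR)


def simulated_transcript(y, rng=random):
    """Simulator of the proof of Theorem 4.1(b): choose c' <- C and s' <- G' first,
    then solve the verification equation for t' = psi_E(s' + c'*x_bar) * y^(-c')."""
    bound = prover_bound()
    c = rng.randint(0, C_PLUS)
    s = rng.randint(-bound, bound)
    t = (psi_E(s + c * X_BAR) * pow(y, -c, P_MOD)) % P_MOD
    return t, c, s


def verify(y, t, c, s):
    """Verifier's last step: accept iff psi_E(s + c*x_bar) == t * y^c in H."""
    return psi_E(s + c * X_BAR) == (t * pow(y, c, P_MOD)) % P_MOD


def statistical_distance(x, c):
    """Exact statistical difference between Pr(s | c, x) and Pr(s' | c', x) for c' = c.
    Both are uniform on 2B+1 consecutive integers; the real one is shifted by
    d = c*(x - x_bar), so the symmetric difference holds 2|d| points and the
    distance is |d|/(2B+1), slightly below the thesis expression 2|d|/(2^(k_s+1) gamma Delta x)."""
    bound = prover_bound()
    d = abs(c * (x - X_BAR))
    return Fraction(d, 2 * bound + 1)


def thesis_bound():
    """The bound 1/2^k_s from the proof of Theorem 4.1(b), for l = 1."""
    return Fraction(1, 1 << K_S)


def empirical_check(x, trials=2000, seed=1):
    """Sanity check: every real and every simulated transcript passes verification."""
    rng = random.Random(seed)
    y = psi_E(x)
    ok_real = all(verify(y, *honest_transcript(x, rng.randint(0, C_PLUS), rng))
                  for _ in range(trials))
    ok_sim = all(verify(y, *simulated_transcript(y, rng)) for _ in range(trials))
    return ok_real and ok_sim


if __name__ == "__main__":
    x = X_BAR + 250                     # a witness inside G
    print("transcripts verify:", empirical_check(x))
    print("exact distance:", float(statistical_distance(x, C_PLUS)),
          "<= bound:", float(thesis_bound()))
```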

4.2 Proof of knowledge property

In this section we discuss for which homomorphisms and under what conditions the Σψ-protocol is a proof of knowledge. As the results below hold for both variants of the Σψ-protocol (i.e., the one in Definition 4.2 and the one in Definition 4.3), we simply talk in the following about “the Σψ-protocol”.

Let us start with an informal description of a knowledge extractor for the Σψ-protocol. A key property of the Σψ-protocol is that, given black-box access to a sufficiently successful prover P*((ψ, y), γ), we can extract a pseudo-preimage (Δc, Δs) of y under ψ. We call this the pseudo-preimage extractability property (of the Σψ-protocol). Using this property, we can now easily describe a knowledge extractor for the Σψ-protocol (for an illustration we refer to Figure 4.3) that proceeds in two phases as follows:

1. Using the pseudo-preimage extractability property, compute a pseudo-preimage (Δc, Δs) of y under ψ.
2. Solve the resulting instance ((Δc, Δs), y, ψ) of the PP problem for a preimage x of y under ψ. Output x.

Assuming that the PP problem instances being extracted are solvable, the above algorithm is indeed a knowledge extractor for the Σψ-protocol. Yet, we have seen that the PP problem is only solvable for certain homomorphisms and for their respective pseudo-preimages. Moreover, for some homomorphisms it is even a hard problem. Thus we cannot expect the above knowledge extractor to be always successful in the second phase of its computation. In fact, we shall see below that it is the solvability of the PP problem that determines for which homomorphisms and under what conditions the Σψ-protocol is a proof of knowledge. Let us go over to a formal discussion of the knowledge extractor sketched above. To this end we introduce some naming:

Definition 4.4 (v-special homomorphisms) Let Ψ be a collection of special homomorphisms and M a corresponding pseudo-preimage finder. If for all ψ ∈ Ψ(k) and all y ∈ image(ψ) we have that for (v, w) ← M(ψ, y) the pseudo-preimage exponent has the same value v = v(k), then Ψ is a collection of v-special homomorphisms.

In contrast to the more liberal Definition 3.3 of a collection of special homomorphisms, Definition 4.4 requires that the pseudo-preimage exponent v is unique for a given value of the security parameter. The purpose of this convention is solely to simplify the statement of our results in the following and it is not essential. Moreover, the restriction is, loosely speaking, not “unnatural” since all known examples of concrete (collections of) special homomorphisms (see §3.2.1) are v-special. Given a set of integers S, we define the set $\Delta(S) := \{\mathrm{abs}(s - s') : s, s' \in S,\ s \ne s'\}$.

Fig. 4.3. Standard knowledge extractor for the Σψ-protocol.

Using this notation we can now formally describe the pseudo-preimage extractability property of the Σψ-protocol.

Theorem 4.2 (Pseudo-preimage extractability) Consider the Σψ-protocol (P, V) with challenge set C := C(k) for a homomorphism relation R[Ψ] (for which the Σψ-protocol is defined). Then there is a probabilistic machine M (the pseudo-preimage extractor) and a polynomial poly(·) such that the following holds. For every probabilistic interactive machine P*, every (ψ, y) ∈ LR[Ψ(k)], and every γ ∈ {0, 1}* let

$$\varepsilon((\psi, y), \gamma, P^*) := \Pr(\langle P^*(\gamma), V\rangle(\psi, y) = 1).$$

If ε((ψ, y), γ, P*) > 1/|C|, then M(ψ, y) with black-box access to P*((ψ, y), γ) outputs a pseudo-preimage (Δc, Δs) of y under ψ with Δc ∈ Δ(C). The pseudo-preimage extractor M runs in an expected number of steps bounded by

$$\frac{\mathrm{poly}(k)}{\varepsilon((\psi, y), \gamma, P^*) - 1/|C|}.$$

The proof of Theorem 4.2 is implicit in works by Damgaard and Fujisaki [Dam04, Dam00, DF02]. For more details on the pseudo-preimage extractability property we refer to §4.2.1 below. Note that the running time of the pseudo-preimage extractor fulfills the requirements imposed on the running time of a knowledge extractor (see Definition 2.15). Using the pseudo-preimage extractor and our results on the solvability of the PP problem (see §3.2.1) we can easily prove the following theorem.

Theorem 4.3 (Proofs of knowledge using the Σψ-protocol) Let c+ := c+(k) denote a positive integer parameter. The Σψ-protocol with challenge set C = {0, c+} is a proof of knowledge for R[Ψ]

(a) with knowledge error 1/2, if c+ = 1, and
(b) with knowledge error 1/(c+ + 1), if Ψ is a collection of v-special homomorphisms and c+ < p, where p is the smallest prime dividing the pseudo-preimage exponent v.

The proof of Theorem 4.3 describes an elaborated version of the knowledge extractor, which we have sketched at the onset of this section and illustrated in Figure 4.3.

Proof Let us verify the non-triviality and the validity property as required by Definition 2.15. Using our basic assumption that homomorphisms are computationally tractable (see §2.3.2), the non-triviality property of both variants (Definition 4.2 and Definition 4.3) of the Σψ-protocol is straightforward to verify and left to the reader. Let us demonstrate the validity property. Let P* be an arbitrary prover that is successful in the Σψ-protocol on common input (ψ, y) ∈ LR[Ψ(k)] and arbitrary private input γ ∈ {0, 1}* with probability > 1/(c+ + 1). We describe a knowledge extractor M that proceeds in two phases as follows.

1. M uses the pseudo-preimage extractor described in Theorem 4.2 to find a pseudo-preimage (Δc, Δs) of y under ψ, where Δc ∈ {1, c+}.
2. Given the pseudo-preimage (Δc, Δs) of y under ψ, M computes a preimage of y under ψ. In the case where the challenge set is C = {0, 1} we have Δc = 1 and thus y = ψ(Δs). This proves part (a) of the theorem. To prove part (b) we may assume that ψ is v-special. Hence, we may invoke a corresponding pseudo-preimage finder for ψ on input (ψ, y) to obtain a pseudo-preimage (v, w) of y under ψ. Using Δc ∈ {1, c+} and the assumption c+ < p, it follows that gcd(v, Δc) = 1, and by Corollary 3.1 we can efficiently compute the required preimage.

As noted above, the running time of the pseudo-preimage extractor used in the first phase of M is within the bounds allowed for a knowledge extractor. Phase two of M's computation runs in polynomial time. Using these observations it is easy to see that the total running time of M fulfills the requirements imposed on the running time of a knowledge extractor.

Throughout the remainder of this thesis we use the following terminology:

– The standard knowledge extractor (for the Σψ-protocol) is the knowledge extractor described in the proof of Theorem 4.3.
– A collection of non-special homomorphisms is a collection of homomorphisms that is not (known to be) special (i.e., homomorphisms for which no pseudo-preimage finder is known). A large class of concrete non-special homomorphisms are exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ in hidden order groups†.

Looking at the standard knowledge extractor we make the following observations:

– The first phase of its computation works for all choices of the challenge set C := {0, c+}, for all homomorphisms, and for all provers P* that are successful with probability ε > 1/(c+ + 1).
– The second phase only works when the extracted pseudo-preimages are solvable. More precisely, we have the following situation: When C = {0, 1}, then the extracted pseudo-preimages are solvable for all homomorphisms ψ. On the other hand, when C = {0, c+} with c+ > 1, then the extracted pseudo-preimages are only known to be solvable for special homomorphisms and for appropriate choices of c+. As a result, by the relation κ = 1/(c+ + 1), a knowledge error κ < 1/2 can only be achieved for special homomorphisms.

Finally, it is important to note that, informally speaking, the standard knowledge extractor is the only knowledge extractor that is known for the Σψ-protocol. More precisely, Cramer [Cra97] has pointed out that all currently known and apparently different knowledge extractors for the Σψ- protocol (e.g., [Sch91, GQ88, Bra97, DJ01]) are instances of the standard knowledge extractor.

† In fact, we claim here without proof that for many ψE in hidden order groups one can show that (under the ORDER assumption for H) given (ψE, y), it is hard to compute a pseudo-preimage (v, w) with v ≠ 0. Hence, there can be no pseudo-preimage finder for such homomorphisms, and they are provably non-special.

4.2.1 A note on pseudo-preimage extractors

In this section we detail the key ideas underlying the construction of a pseudo-preimage extractor as claimed by Theorem 4.2. We also introduce concepts and terminology for later use. The reader may wish to skip this section upon first reading and come back to it later. Let us first see how the pseudo-preimage extractor computes a pseudo-preimage. Let (t, c, s) denote a tuple consisting of the commitment t sent by the prover, the challenge c sent by the verifier, and the answer s sent by the prover in the Σψ-protocol on common input (ψ, y). We call such a tuple accepting, if it fulfills the verifier's verification equation in the last step of the Σψ-protocol, i.e., if $\psi(s) = t\,y^c$. Given black-box access to a sufficiently successful P*((ψ, y), γ), the pseudo-preimage extractor computes a pair of accepting tuples (t, c, s) and (t', c', s') such that c ≠ c' and t = t'. That is,

$$\psi(s) = t\,y^{c} \quad\text{and}\quad \psi(s') = t\,y^{c'}.$$

Then, using Δc := c' − c and Δs := s' − s, we get $y^{\Delta c} = \psi(\Delta s)$, and we see that, as desired, (Δc, Δs) is a pseudo-preimage of y under ψ. So it remains to see how one can compute a pair of accepting tuples (t, c, s) and (t', c', s'). To this end we adopt a line of reasoning attributed to Shamir. Let M be a matrix with one row for each possible random input (of a given length) of P*((ψ, y), γ), and columns indexed by the possible challenges in C. The matrix contains a 1 if the verifier accepts P*((ψ, y), γ) for that random input and challenge, and a 0 otherwise. In the following we refer to M as the acceptance matrix of the prover P*((ψ, y), γ). Note that if the success probability of P*((ψ, y), γ) in the Σψ-protocol is ε, then the fraction of 1's in its acceptance matrix is ε. Now, being given black-box access to the prover P*((ψ, y), γ) simply means that one can probe entries in the acceptance matrix M. Thus the problem of constructing a pseudo-preimage extractor is to construct an algorithm that finds two 1's in the same row. A crude search strategy for doing so works as follows:

1. Randomly probe entries in M until a 1 is found.
2. Randomly probe the row in which the 1 is located until a second 1 is found.

Unfortunately, this crude search strategy, loosely speaking, is not good enough. In fact, the fraction of 1's in a row of the acceptance matrix is ε on the average only. Hence, it may happen that the first 1 being found is located in a row that does not contain a second 1 at all or only very few 1's. As a result the search either fails or consumes more time than stated in Theorem 4.2. It turns out that constructing a search strategy that finds two 1's and also fulfills the requirements on the running time stated in Theorem 4.2 is not a completely trivial task.
In fact, the only detailed construction of such a strategy (and hence a pseudo-preimage extractor) we are aware of is found in work by Damgaard and Fujisaki [Dam04, DF02, Dam00]. Their key idea is to modify the crude search strategy above such that the second step only runs for a limited time. Then if the desired pair of 1's is not found within this allotted time, the search restarts with the first step. Finally, we note that the bound ε > 1/|C| on the success probability of a prover in Theorem 4.2 is optimal, i.e., in the case ε ≤ 1/|C| there can be no pseudo-preimage extractor along the lines sketched above. This follows from the observation that a cheating prover P* can always be successful with probability 1/|C| (i.e., for one challenge c ∈ C) using the simulation technique described in the proof of Theorem 4.1 (b). In the statement of our results in §5.3.2 we shall refer to pseudo-preimage extractors that work as sketched above. To this end we make the following definition.

Definition 4.5 (Acceptance matrix based pseudo-preimage extractor) We call a pseudo-preimage extractor for the Σψ-protocol that
– extracts a pair of accepting tuples (t, c, s) and (t', c', s') with t = t' and c ≠ c' by solely using the acceptance matrix of a prover P*, and then
– computes a pseudo-preimage (Δc, Δs) by letting Δc := c' − c and Δs := s' − s,
an acceptance matrix based pseudo-preimage extractor.

We note that all known pseudo-preimage extractors for the Σψ-protocol (including those that have slightly different runtime properties than described in Theorem 4.2) are acceptance matrix based.
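The standard knowledge extractor of Theorem 4.3 in both of its phases, as an added Python example (not from the thesis) for the power homomorphism ψP(x) = x^e in a toy RSA group: the modulus, the exponent, the challenge bound c+ and the constructed "partially successful" prover are all assumptions. Phase one is an acceptance matrix based pseudo-preimage extractor with the bounded row search and restart rule sketched in §4.2.1; phase two solves the extracted PP instance using the e-special pseudo-preimage (e, y) and an extended gcd, as in the proof of part (b).

```python
import math
import random

# Constructed toy parameters (hypothetical, not from the thesis). The RSA modulus
# n = p*q and exponent e define the power homomorphism psi_P(x) = x^e mod n on
# G = H = Z_n^*. Since y^e = psi_P(y), the pair (e, y) is a pseudo-preimage of
# every y, so psi_P is e-special with v = e. With c+ < 7 = e, Theorem 4.3(b)
# gives knowledge error 1/(c+ + 1) = 1/6.
P, Q = 1013, 1019          # 7 divides neither p-1 nor q-1, so psi_P is a bijection
N = P * Q
E = 7
C_PLUS = 5
CHALLENGES = range(C_PLUS + 1)   # challenge set C = {0, ..., c+}


def psi(x):
    """psi_P: Z_n^* -> Z_n^*, x -> x^e mod n."""
    return pow(x, E, N)


def accepting(y, t, c, s):
    """Verifier's final check of the Sigma_psi-protocol: psi(s) == t * y^c in H."""
    return psi(s) == (t * pow(y, c, N)) % N


class PartiallySuccessfulProver:
    """Black-box prover P*((psi, y), gamma), seen through its acceptance matrix.

    Row rho is the prover's random tape (it fixes the commitment t = psi(r)),
    column c is the challenge. This constructed prover knows x but answers
    correctly only when rho + c is even, so every row holds three 1's out of
    six entries and its success probability is 1/2 > 1/|C|.
    """
    def __init__(self, x, rows):
        self.x, self.rows = x, rows

    def run(self, rho, c):
        """One run on random tape rho and challenge c; returns (t, s)."""
        r = rho + 2                                # map the tape to a unit of Z_n^*
        honest = (r * pow(self.x, c, N)) % N       # s = r + c*x in G (G is multiplicative here)
        if (rho + c) % 2 == 0:
            return psi(r), honest
        return psi(r), (2 * honest) % N            # wrong answer: 2^e != 1 mod n, so rejected


def pseudo_preimage_extractor(prover, y, row_budget):
    """Acceptance matrix based extractor (Definition 4.5) with the restart rule of
    Damgaard and Fujisaki sketched in Sec. 4.2.1: find a 1, probe its row for a
    bounded number of steps, restart if no second 1 with c' != c shows up.
    Returns (Delta c, Delta s) with y^Delta c == psi(Delta s)."""
    while True:
        rho, c = random.randrange(prover.rows), random.choice(CHALLENGES)
        t, s = prover.run(rho, c)
        if not accepting(y, t, c, s):
            continue                                # step 1: keep probing for a 1
        for _ in range(row_budget):                 # step 2: same row, other columns
            c2 = random.choice(CHALLENGES)
            t2, s2 = prover.run(rho, c2)
            if c2 != c and t2 == t and accepting(y, t2, c2, s2):
                dc = c2 - c
                ds = (s2 * pow(s, -1, N)) % N       # Delta s = s' - s, i.e. s' * s^-1 in G
                return dc, ds


def ext_gcd(a, b):
    """Return (u, v) with u*a + v*b == gcd(a, b) > 0; b may be negative."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return (-old_u, -old_v) if old_r < 0 else (old_u, old_v)


def solve_pp(y, dc, ds):
    """Phase 2 of the standard knowledge extractor: combine the extracted
    pseudo-preimage (dc, ds) with the e-special pseudo-preimage (v, w) = (e, y).
    As gcd(v, dc) = 1 there are a, b with a*v + b*dc = 1, and x = w^a * ds^b
    satisfies psi(x) = y^(a*v) * y^(b*dc) = y (the Corollary 3.1 argument)."""
    v, w = E, y
    if math.gcd(v, dc) != 1:
        raise ValueError("pseudo-preimage not solvable: gcd(v, Delta c) != 1")
    a, b = ext_gcd(v, dc)
    return (pow(w, a, N) * pow(ds, b, N)) % N


def standard_knowledge_extractor(prover, y):
    """Both phases of the standard knowledge extractor from the proof of Theorem 4.3."""
    dc, ds = pseudo_preimage_extractor(prover, y, row_budget=4 * len(CHALLENGES))
    return solve_pp(y, dc, ds)


if __name__ == "__main__":
    secret = 123456
    y = psi(secret)
    x = standard_knowledge_extractor(PartiallySuccessfulProver(secret, rows=64), y)
    print("extracted preimage:", x, "valid:", psi(x) == y)
```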

4.3 Knowledge error and efficiency of the Σψ-protocol

In this section we discuss the relation between the knowledge error and the efficiency of proofs of knowledge using the Σψ-protocol. Roughly, we shall see that the smaller the knowledge error for a given homomorphism is, the more efficient proofs of knowledge we obtain using the Σψ-protocol. We shall also see that the efficiency of proofs of knowledge obtained using the Σψ-protocol considerably varies for different homomorphisms ψ; and that for certain ψ the resulting proofs of knowledge are too inefficient for the use in practice.

4.3.1 Efficiency analysis

In the following analysis our goal is to obtain a proof of knowledge with a negligible knowledge error of $2^{-k}$ for some homomorphism ψ using the Σψ-protocol. The motivation for this goal is that the knowledge error is the cheating probability of a dishonest prover, which in virtually all practical applications of proofs of knowledge has to be negligibly small. In our analysis we use the following result by Bellare and Goldreich [BG92].

Theorem 4.4 Let be given a proof of knowledge protocol Π for a binary relation R with knowledge error κ. Consider the protocol Π' that results from sequentially repeating the protocol Π k times and which is accepted by the verifier if all k executions of Π are accepting. Then the protocol Π' is a proof of knowledge for R with knowledge error $\kappa^k$.

Let us look at two ways to achieve our goal formulated above:

– Repeated KE-1/2 Σψ-protocol. The Σψ-protocol with the binary challenge set C = {0, 1} is a proof of knowledge for ψ with knowledge error 1/2 (see Theorem 4.3 (a)). Thus, by Theorem 4.4, k repetitions of this protocol yield a proof of knowledge with the desired knowledge error of $2^{-k}$. We call this the repeated KE (knowledge error)-1/2 Σψ-protocol.
– Repeated KE-κ Σψ-protocol. Let us assume that the Σψ-protocol is also a proof of knowledge for ψ with a knowledge error κ < 1/2 (i.e., with the non-binary challenge set C = {0, 1/κ − 1}). Thus, by Theorem 4.4, $k/\log_2(1/\kappa)$ repetitions of this protocol yield a proof of knowledge with the desired knowledge error of $2^{-k}$. We call this the repeated KE-κ Σψ-protocol.

In the following we compare the communication and computation cost of the repeated KE-1/2 Σψ-protocol and the repeated KE-κ Σψ-protocol. We see that the smaller κ is, the fewer repetitions are required in the repeated KE-κ Σψ-protocol. Hence, naively we expect that the smaller κ gets, the more efficient the repeated KE-κ Σψ-protocol becomes compared to the repeated KE-1/2 Σψ-protocol. The analysis in the following shows that under certain conditions our naive expectations indeed are true.

4.3.1.1 Computation cost

Let cost(G), cost(H), and cost(ψ) denote the computation cost of the group operation in G and H, and the computation cost of evaluating the homomorphism ψ : G → H, respectively. The total computation cost (i.e., of the prover and the verifier) of the repeated KE-1/2 Σψ-protocol is easily seen to be at most

$$k\,\bigl(\mathrm{cost}(G) + \mathrm{cost}(H) + 2\,\mathrm{cost}(\psi)\bigr),$$

and for the repeated KE-κ Σψ-protocol it is at most

$$\frac{k}{\log_2(1/\kappa)}\,\bigl(\log_2(1/\kappa - 1)\,(\mathrm{cost}(G) + \mathrm{cost}(H)) + 2\,\mathrm{cost}(\psi)\bigr).$$

In both expressions we have neglected the cost of choosing a random group element in the prover's first step of the Σψ-protocol and the cost of testing equality in the verifier's last step. For the latter expression, we have assumed that the square and multiply algorithm (see §2.3.3†) is used by the prover to evaluate the expression s := r + cx in G (i.e., the prover's second step in the Σψ-protocol) and by the verifier to evaluate $t\,y^c$ in H (i.e., the verifier's last step in the Σψ-protocol). Using these expressions and by making the approximation $\log_2(1/\kappa) \simeq \log_2(1/\kappa - 1)$ we obtain the following ratio of the computational cost of the repeated KE-κ Σψ-protocol to the one of the repeated KE-1/2 Σψ-protocol:

$$\frac{\mathrm{cost}(G) + \mathrm{cost}(H) + \frac{2}{\log_2(1/\kappa)}\,\mathrm{cost}(\psi)}{\mathrm{cost}(G) + \mathrm{cost}(H) + 2\,\mathrm{cost}(\psi)}. \qquad (4.1)$$

If our naive expectations formulated above held with respect to the computation cost, then the cost ratio (4.1) would have to become small when κ goes to zero. However, this is not the case in general. Whether there is an efficiency gain depends on how large cost(ψ) is compared to cost(G) + cost(H). Let us illustrate this by considering the following cases:

– In the case where cost(ψ) ≃ cost(G) + cost(H), the cost ratio (4.1) becomes O(1). That is, a small knowledge error κ does not yield considerable efficiency gains. A practical example where this condition holds are power homomorphisms $\psi_P(x) := x^2$.
– In the case where cost(ψ) ≫ cost(G) + cost(H) (i.e., when we may neglect cost(G) + cost(H) relative to cost(ψ)), the cost ratio (4.1) becomes $O(1/\log_2(1/\kappa))$. Practical examples for this case are exponentiation homomorphisms or power homomorphisms $\psi_P(x) := x^e$ with a large power e. We note that in the latter case, the resulting efficiency gain can be considerable. In the best case, where $\kappa = 2^{-k}$, the resulting speed-up is O(k).

† Indeed, in §2.3.3 we have reported that the square and multiply algorithm for evaluating $h^e$ uses O(log(e)) group operations. Here, we use a non-asymptotic upper bound on the number of operations of $2\log_2(e)$.

4.3.1.2 Communication cost

Next we consider the communication cost measured in terms of bits exchanged. By size(G) and size(H) we denote the binary length of the encoding of group elements of G and H, respectively. For the repeated KE-1/2 Σψ-protocol the communication cost is at most

$$k\,\bigl(\mathrm{size}(G) + \mathrm{size}(H) + 1\bigr),$$

whereas for the repeated KE-κ Σψ-protocol it is at most

$$\frac{k}{\log_2(1/\kappa)}\,\bigl(\mathrm{size}(G) + \mathrm{size}(H) + \log_2(1/\kappa - 1)\bigr).$$

Using these expressions, the ratio of the communication cost of the repeated KE-κ Σψ-protocol to the one of the repeated KE-1/2 Σψ-protocol is

$$\frac{\mathrm{size}(G) + \mathrm{size}(H) + \log_2(1/\kappa - 1)}{\log_2(1/\kappa)\,\bigl(\mathrm{size}(G) + \mathrm{size}(H) + 1\bigr)}. \qquad (4.2)$$

Using C = {0, 1/κ − 1}, we have $\log_2(1/\kappa - 1) = \log_2(|C|)$. In all practical applications we have $\log_2(|C|) \le \mathrm{size}(G)$ and $\log_2(|C|) \le \mathrm{size}(H)$ and hence $\log_2(1/\kappa - 1) \le \mathrm{size}(G) + \mathrm{size}(H)$. Using this relation, the cost ratio in (4.2) becomes $O(1/\log_2(1/\kappa))$. Thus, we see that a small knowledge error κ always results in efficiency gains with respect to the communication cost.

4.3.1.3 Summary

In summary, we see that a small knowledge error always yields efficiency gains with respect to the communication cost. With respect to the computation cost there is only a gain when cost(ψ) ≫ cost(G) + cost(H), which for instance is the case for exponentiation homomorphisms.

4.3.2 Efficiency limitations and the minimal standard knowledge error

We have just seen that the smaller the knowledge error can be made for a homomorphism ψ, the more efficient proofs of knowledge for ψ can be obtained using the Σψ-protocol. Yet, given a ψ, the knowledge error cannot be made arbitrarily small, i.e., for any ψ there is a minimal knowledge error that is known to be achievable using the Σψ-protocol. By the relation of the efficiency and the size of the knowledge error established above, the size of this minimal knowledge error determines the efficiency of proofs of knowledge that can be obtained using the Σψ-protocol for ψ. In the following we refer to this minimal knowledge error as the minimal standard knowledge error. More precisely, we make the following definition:

Definition 4.6 (Minimal standard knowledge error) The minimal standard (MS) knowledge error of a collection of homomorphisms Ψ is the smallest knowledge error that is achieved in a proof of knowledge for Ψ using the Σψ-protocol and the standard knowledge extractor. By Theorem 4.3, the minimal standard knowledge error is
– 1/p for collections of v-special homomorphisms, where p is the smallest prime dividing v, and
– 1/2 for collections of non-special homomorphisms.

We note that the MS-knowledge error is indeed the smallest knowledge error that is known to be achievable using the Σψ-protocol, since the standard knowledge extractor is the only knowledge extractor known for the Σψ-protocol. Let us make two important observations concerning the MS knowledge error:
– The MS knowledge error varies considerably for different concrete homomorphisms, and hence so does the efficiency of the corresponding proofs of knowledge using the Σψ-protocol. The examples in Figure 4.4 illustrate that for different concrete homomorphisms the MS knowledge error can vary from negligibly small to 1/2. The efficiency is worst for non-special homomorphisms, since their MS knowledge error is 1/2. To obtain a proof of knowledge with a negligible knowledge error for such homomorphisms, one has to use the repeated KE-1/2 Σψ-protocol described above. The resulting proofs of knowledge are considered to be too inefficient for most practical applications.
– The practically important exponentiation homomorphisms ψE in hidden order groups are non-special, and hence the Σψ-protocol only yields inefficient proofs of knowledge for ψE in hidden order groups.

Example 4.1 (MS knowledge error varies for special homomorphisms) Consider exponentiation homomorphisms $\psi_E : \mathbb{Z}_q \to \mathbb{Z}_p^*$ defined by $\psi_E(x) := h^x$, where $\mathbb{Z}_p^*$ is a prime-modulus group and h has prime order q. Thus the homomorphism ψE is q-special. Since q is prime, the MS knowledge error of ψE is 1/q. Now clearly, q can be any prime number, depending on the choice of the modulus p and of $h \in \mathbb{Z}_p^*$. Hence depending on the choice of these algebraic parameters we get exponentiation homomorphisms ψE with an MS knowledge error that varies from a constant 1/2 to negligibly small.

Example 4.2 (Large constant knowledge error for non-special homomorphisms) Exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ with a hidden order co-domain H are non-special and their MS knowledge error is 1/2.

Fig. 4.4. Examples illustrating the varying size of the MS knowledge error.

4.4 Interactive proofs

In this section we shift our focus from proofs of knowledge to zero-knowledge interactive proofs for homomorphisms using the Σψ-protocol. An interactive proof for a collection of homomorphisms Ψ is an interactive proof for the language LR[Ψ]. That is, given a homomorphism ψ (where ψ ∈ Ψ) and a y ∈ image(ψ), an interactive proof allows a prover to assert to a verifier that y ∈ image(ψ). For certain concrete (collections of) homomorphisms the decision problem associated with the language LR[Ψ] (i.e., to decide if y ∈ image(ψ)) is hard under standard hardness assumptions (see Example 4.3 in Figure 4.5). For such (collections of) homomorphisms the existence of zero-knowledge interactive proofs is non-trivial. Assuming that Ψ is a collection of computationally tractable homomorphisms, it is easy to see that the language LR[Ψ] is in NP. Thus, one can use generic zero-knowledge interactive proof techniques (see §2.4.2) that work for all of NP to obtain interactive proofs for homomorphisms. However, as for proofs of knowledge, these generic techniques are not practically efficient. For the use in applied cryptography, considerably more efficient interactive proofs are needed. The Σψ-protocol can not only be used to obtain efficient proofs of knowledge for homomorphisms, but it also yields efficient interactive proofs for homomorphisms. The following theorem describes conditions under which this is known to be the case. Let c+ := c+(k) denote a positive integer parameter.

Theorem 4.5 The Σψ-protocol with challenge set C = {0, c+} is an interactive proof for the language LR[Ψ] with

(a) soundness error 1/2, if c+ = 1, and
(b) soundness error 1/(c+ + 1), if for every ψ ∈ Ψ(k) and y ∈ image(ψ) there exists a pseudo-preimage (v, w), such that c+ < p, where p is the smallest prime dividing the pseudo-preimage exponent v.

Proof Assume that a prover P*((ψ, y), γ) with (ψ, y) ∈ LR[Ψ] and γ ∈ {0, 1}* is successful in the Σψ-protocol with probability > 1/(c+ + 1). Then there must exist two accepting tuples (t, c, s) and (t', c', s') (i.e., tuples that fulfill $\psi(s) = t\,y^c$ and $\psi(s') = t\,y^{c'}$) with t = t' and c ≠ c'. Hence, (Δc, Δs) with Δc := c' − c and Δs := s' − s is a pseudo-preimage of y under ψ, where Δc ∈ {1, c+}. If c+ = 1, then y = ψ(Δs) and part (a) of the claim follows. For the proof of part (b) we may assume that there exists a pseudo-preimage (v, w) of y under ψ such that c+ is smaller than the smallest prime factor of v. Thus gcd(Δc, v) = 1 and by Lemma 3.2 there exists a preimage of y under ψ, and the claim follows.

We note that whenever according to Theorem 4.3 the Σψ-protocol is a proof of knowledge with knowledge error κ for some homomorphism collection Ψ, then it is also an interactive proof for Ψ with soundness error κ according to Theorem 4.5. The converse is not true. In fact, while the conditions in Theorem 4.5 (a) and Theorem 4.3 (a) are the same, the ones in Theorem 4.5 (b) are weaker than the ones in Theorem 4.3 (b): In the former case only the existence of an appropriate pseudo-preimage (v, w) of y under ψ is required; in the latter a pseudo-preimage needs to be efficiently computable given y and ψ (i.e., ψ needs to be special). However, in most practical applications these conditions become, loosely speaking, the same. The reason is that a verifier in an interactive proof (using the Σψ-protocol) needs to check somehow that a pseudo-preimage fulfilling the conditions in Theorem 4.5 (b) exists. In practice, this is often only feasible for special homomorphisms, i.e., when the verifier can compute a pseudo-preimage itself, and then check that it fulfills the required conditions. It is well known that the soundness error of an interactive proof can be reduced by sequentially repeating a protocol. Thus, in analogy to the knowledge error, it is desirable to achieve a small soundness error in a single execution of the Σψ-protocol to obtain efficient interactive proofs with a negligible soundness error. However, by our above observation that in practice the soundness error is equal to the knowledge error, interactive proofs using the Σψ-protocol are plagued with the same efficiency problems as are proofs of knowledge. For instance, no efficient interactive proofs for exponentiation homomorphisms in hidden order groups are known. Yet, for many practical applications it would be highly desirable to have efficient interactive proofs for exponentiation homomorphisms in hidden order groups available, and finding such protocols is an open problem.

Example 4.3 Let be given an RSA group $\mathbb{Z}_n^*$ and its subgroup of squares $QR_n$. Then, given $y \in \mathbb{Z}_n^*$, it is assumed to be hard to decide if $y \in QR_n$. This is the so called quadratic residuosity assumption. Now, if we look at an exponentiation homomorphism $\psi_E(x) := h^x$ with $h \in QR_n$, then under the quadratic residuosity assumption it is hard to decide whether $y \in \mathrm{image}(\psi_E) = \langle h \rangle$. The same holds true for power homomorphisms $\psi_P : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ defined by $\psi_P(x) := x^2$.

Example 4.4 Consider the exponentiation homomorphism $\psi_E : \mathbb{Z}_q \to \mathbb{Z}_p^*$ defined by $\psi_E(x) := h^x$, where p and q are primes and $q \mid (p - 1)$. Since $\mathbb{Z}_p^*$ is a cyclic group, we have $y^q = 1$ exactly if $y \in \mathrm{image}(\psi_E)$. Thus, as q is a parameter that is efficiently computable from the description of ψE, one can efficiently test whether y ∈ image(ψE) and correspondingly no interactive proof is needed in this case.

Example 4.5 Consider the power homomorphism $\psi_P : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ defined by $\psi_P(x) := x^e$, where $\mathbb{Z}_n^*$ is an RSA group and e is chosen such that $\gcd(e, |\mathbb{Z}_n^*|) = 1$. This implies that ψP is bijective. Thus, to test whether y ∈ image(ψP) is to test whether y ∈ H, which (by our assumptions on computationally tractable groups) is trivial. Hence, no interactive proof is needed in this case.

Fig. 4.5. Examples of interactive proofs for different concrete homomorphisms.

Finally we note that for many concrete homomorphisms for which proofs of knowledge are an important tool in practice, interactive proofs are not important. In fact, Examples 4.4 and 4.5 in Figure 4.5 illustrate that for large classes of concrete homomorphisms the decision problem for the language LR[Ψ] is solvable, and hence no interactive proofs are needed.

4.5 The Damgaard-Fujisaki scheme

The Damgaard and Fujisaki (DF) scheme [DF01, DF02] is a commitment scheme with a protocol that allows to efficiently demonstrate knowledge of a commitment opening. The DF scheme is of great practical importance as it is used as a building block in numerous cryptographic applications (see, e.g., [BCC04, CKW, CL01b, CS03, CL01a, ACJT00, Bou00, Son01, KYT04]). The commitment function in the DF scheme is an exponentiation homomorphism $\vartheta : \mathbb{Z}^2 \to \mathbb{Z}_n^*$ defined by $\vartheta(x_1, x_2) = g_1^{x_1} g^{x_2}$. To commit to an integer value x, one sets $y = \vartheta(x, r)$ (where r is some appropriately chosen random value). The protocol to demonstrate knowledge of a commitment opening, i.e., of a preimage under ϑ, is the Σψ-protocol. Hence, in some sense, the DF scheme allows to efficiently demonstrate knowledge of a preimage under ϑ using the Σψ-protocol. In the following, we refer to this property as the demonstration of knowledge property of the DF scheme. Yet, as explained in detail in [DF02], the DF scheme is not a proof of knowledge for $\vartheta : \mathbb{Z}^2 \to \mathbb{Z}_n^*$ and, in particular, not a proof of knowledge using the Σψ-protocol. Nevertheless, it is often mistakenly used as such, resulting in constructions whose security proofs are either incorrect or incomplete at best.

In the following we review the DF scheme and its demonstration of knowledge property on a conceptual level. The reason for doing so is twofold. On the one hand, we want to point out why the DF scheme is not a proof of knowledge. On the other hand, we shall take up ideas underlying the DF scheme in later chapters to obtain novel efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups. For details on the DF scheme and a precise definition of what we informally call a demonstration of knowledge we refer to [DF01, DF02].

Description of the DF scheme. The DF scheme is a two-party protocol between a prover (i.e., committer) P and a verifier V . It consists of a setup, a commitment, and a demonstration of knowledge sub-protocol (see Figure 4.6 for an illustration). In the setup sub-protocol P and V jointly choose a commitment function ϑ as follows:

1. V chooses an exponentiation homomorphism $\vartheta \leftarrow D_{\mathrm{PPG}}(k, 2)$, where $D_{\mathrm{PPG}}$ is the hard generator for the PPGEN-QRN problem according to Corollary 3.6. That is, $\vartheta : \mathbb{Z}^2 \to \mathbb{Z}_n^*$ is defined by $\vartheta(x_1, x_2) = g_1^{x_1} g^{x_2}$, where $g_1, g \in QR_n \le \mathbb{Z}_n^*$ and n is a special RSA modulus with $n = (2p' + 1)(2q' + 1)$. Then V sends a description of ϑ to P.
2. V demonstrates to P in an interactive proof that $\vartheta(x_1, x_2) = g_1^{x_1} g^{x_2}$ is chosen such that $g_1 \in \langle g \rangle$. (To this end the Σψ-protocol with soundness error 1/2 is repeated sequentially k times, where typically k = 80.)

In the commitment sub-protocol, P commits to some secret integer value x. To this end it chooses a random integer r (from some appropriate integer interval), sets $y = \vartheta(x, r)$, and sends the commitment y to V.

In the demonstration of knowledge sub-protocol, P demonstrates to V that it knows a preimage of y under ϑ (i.e., that it knows an opening of the commitment y). To this end, P and V execute the Σψ-protocol with challenge set $C = \{0, c_+\}$, where $c_+ < p', q'$. The common input is (ϑ, y) and P's private input is a preimage (x, r) of y under ϑ.

Fig. 4.6. Overview of the sub-protocols of the DF scheme.

In practice, the DF scheme is used as follows: Initially, the setup sub-protocol is run “once and for all” to choose a commitment function ϑ. Then the commitment and the demonstration of knowledge sub-protocol can be run arbitrarily often to generate commitments using ϑ and to demonstrate knowledge of a commitment opening, respectively. Next we consider the demonstration of knowledge property of the DF scheme in some detail.

Demonstration of knowledge property. Assume that a prover $P^*((\vartheta, y), \gamma)$ is successful in the Σψ-protocol (i.e., the one in the demonstration of knowledge sub-protocol) with probability $> 1/(c_+ + 1)$, where ϑ is a commitment function chosen using the setup sub-protocol, y is a commitment, and $\gamma \in \{0, 1\}^*$. Then there is a black-box algorithm M (in the following we refer to M as the commitment extractor) that, given access to $P^*$, extracts a preimage of y under ϑ as follows:

1. M uses the pseudo-preimage extractability property of the Σψ-protocol (see Theorem 4.2) to extract a pseudo-preimage $(\Delta c, (\Delta s_1, \Delta s_2))$ of y under ϑ from $P^*$, where $\Delta c \in \{1, c_+\}$.
2. Since ϑ is chosen using $D_{\mathrm{PPG}}(k, 2)$, by Corollary 3.6 (under the strong RSA assumption) $(\Delta c, (\Delta s_1, \Delta s_2))$ is a divisible (see Definition 3.4) pseudo-preimage. Then, as $c_+ < p', q'$ and $|\mathrm{image}(\vartheta)| = p'q'$ we have $\gcd(\Delta c, |\mathrm{image}(\vartheta)|) = 1$ and by Corollary 3.2, M can compute a preimage of y under ϑ.

We see that the commitment extractor works whenever $P^*$ is successful in the Σψ-protocol with probability $> 1/(c_+ + 1)$ and if $c_+ < p', q'$. Hence, loosely speaking, the Σψ-protocol is a demonstration of knowledge with knowledge error $1/(c_+ + 1)$.† Thus, if $p'$ and $q'$ are super-polynomially large, then, by the relation $c_+ < p', q'$, the knowledge error $1/(c_+ + 1)$ can be made very small in a single execution of the Σψ-protocol. Hence, the resulting demonstrations of knowledge are quite efficient.
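The following is an added example and not code from the dissertation: it runs the Σψ-protocol for a two-generator exponentiation homomorphism $\psi(x_1, x_2) = g_1^{x_1} g_2^{x_2}$ and then performs the two extraction steps described above (obtain a pseudo-preimage $(\Delta c, (\Delta s_1, \Delta s_2))$ from two accepting transcripts with the same first message; turn it into a preimage using $\gcd(\Delta c, |\mathrm{image}|) = 1$). To keep the last step checkable it works in the setting of Example 4.4, a prime-order subgroup of $\mathbb{Z}_p^*$ whose order q is public, so that Example 4.4's membership test $y^q = 1$ is available and the final step is a modular inverse; the hidden-order DF setting, where Corollary 3.6 and the strong RSA assumption replace that step, is not reproduced. The parameters P, Q, G1, G2, the reading of the challenge set as the integers 0 to C_PLUS, and all function and class names are assumptions of this example.

```python
"""Added example (not from the dissertation): the Σψ-protocol for
psi(x1, x2) = g1^x1 * g2^x2 in a prime-order subgroup of Z_p^* with public
order q (Example 4.4's setting), plus the standard extraction of a
pseudo-preimage from two accepting transcripts. Toy parameters only."""
import secrets
from math import gcd

# Constructed toy parameters: P = 2Q + 1 with P, Q prime; G1 and G2 are squares
# modulo P and therefore lie in (and generate) the subgroup of order Q.
P, Q = 1019, 509
G1, G2 = 4, 9
# Assumption: challenges are the integers 0, 1, ..., C_PLUS; C_PLUS < Q ensures
# gcd(delta_c, Q) = 1 for every nonzero difference of two challenges.
C_PLUS = Q - 1


def psi(x1, x2):
    """psi : Z_q^2 -> Z_p^*, psi(x1, x2) = g1^x1 * g2^x2 (mod p)."""
    return (pow(G1, x1 % Q, P) * pow(G2, x2 % Q, P)) % P


def in_image(y):
    """Example 4.4's membership test: y is in the order-q subgroup iff y^q = 1."""
    return pow(y, Q, P) == 1


class Prover:
    """Honest prover with a fixed random tape. Keeping the tape lets an extractor
    'reset' the prover and get answers to two challenges for one first message."""

    def __init__(self, x1, x2, tape=None):
        self.x = (x1 % Q, x2 % Q)
        self.tape = tape if tape is not None else (secrets.randbelow(Q), secrets.randbelow(Q))

    def first_message(self):
        return psi(*self.tape)                       # t = psi(r1, r2)

    def respond(self, c):
        r1, r2 = self.tape                           # s = r + c * x in Z_q^2
        return ((r1 + c * self.x[0]) % Q, (r2 + c * self.x[1]) % Q)


def verify(y, t, c, s):
    """Verifier's acceptance test: c in the challenge set and psi(s) = t * y^c."""
    return 0 <= c <= C_PLUS and psi(*s) == (t * pow(y, c, P)) % P


def run_protocol(prover, y):
    """One execution with a uniformly random challenge; returns V's verdict."""
    t = prover.first_message()
    c = secrets.randbelow(C_PLUS + 1)
    return verify(y, t, c, prover.respond(c))


def extract(prover, y, c, c_prime):
    """Standard extractor. Two accepting transcripts (t, c, s) and (t, c', s')
    with c != c' give a pseudo-preimage (dc, ds): psi(ds) = y^dc, dc = c - c'.
    Since q is public and gcd(dc, q) = 1, multiplying ds by dc^-1 mod q turns the
    pseudo-preimage into a preimage (the step that needs the strong RSA argument
    when the order is hidden, as in the DF scheme)."""
    t = prover.first_message()
    s, s_prime = prover.respond(c), prover.respond(c_prime)
    if not (verify(y, t, c, s) and verify(y, t, c_prime, s_prime)):
        raise ValueError("both transcripts must be accepting")
    dc = c - c_prime
    ds = ((s[0] - s_prime[0]) % Q, (s[1] - s_prime[1]) % Q)
    assert psi(*ds) == pow(y, dc % Q, P)             # pseudo-preimage relation
    assert gcd(dc, Q) == 1
    inv = pow(dc % Q, -1, Q)                         # modular inverse (Python 3.8+)
    x = ((ds[0] * inv) % Q, (ds[1] * inv) % Q)
    assert psi(*x) == y                              # a genuine preimage of y
    return (dc, ds), x


if __name__ == "__main__":
    x = (123, 456)
    y = psi(*x)
    print("y in image(psi):", in_image(y))
    print("honest run accepted:", run_protocol(Prover(*x), y))
    print("extracted preimage correct:", extract(Prover(*x), y, 7, 3)[1] == x)
```

The extractor never inspects the prover's state; it only replays the same first message against two challenges, which is exactly the rewinding that Theorem 4.2's pseudo-preimage extractability formalizes. With the order hidden, the division by $\Delta c$ in the last step is not available, which is where the divisibility argument of the DF scheme comes in.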

Discussion. First, let us see why the DF scheme is not a proof of knowledge. In a proof of knowledge it is sufficient that a homomorphism ψ, y, and x (with y = ψ(x)) are given. Then the prover can show to the verifier that it knows a preimage of y under ψ. In contrast, in the DF scheme, demonstrations of knowledge for an exponentiation homomorphism ϑ, y, and (x, r) (with y = ϑ(x, r)) only work when ϑ is chosen with the probability distribution induced by the setup sub-protocol. In fact, it is easy to see that the line of reasoning in the construction of the commitment extractor fails as soon as ϑ does not have the correct distribution. Thus, the definitional setting underlying demonstrations of knowledge using the DF scheme is quite different from (and in fact much stronger than) that of a proof of knowledge (see Definition 2.15).

Concerning the efficiency of the DF scheme, we note that the setup sub-protocol of the DF scheme is quite inefficient. The reason is that it contains an interactive proof using the sequentially repeated Σψ-protocol with challenge set $C = \{0, 1\}$. Hence, the DF scheme is only efficient in application scenarios where the setup cost does not matter.

We note that the DF scheme can be easily shown to work for commitment functions $\vartheta : \mathbb{Z}^l \to \mathbb{Z}_n^*$ with l > 2 (i.e., for what is sometimes called a multi-value commitment scheme). Moreover, it can be generalized to exponentiation homomorphisms $\vartheta : \mathbb{Z}^l \to H$ if H fulfills various computational assumptions, such that, loosely speaking, from a computational point of view H is like an RSA group (for details see [DF01, DF02]).

Last but not least, we would like to emphasize that the hardness of the PPGEN-QRN problem plays a key role for the construction of the commitment extractor and hence for the DF scheme. In fact (as mentioned earlier), what we call the PPGEN-QRN problem and the respective hardness proof first appeared implicitly in work by Damgaard and Fujisaki [DF01, DF02] and Fujisaki and Okamoto [FO97].

† In fact, informally speaking, the knowledge error “is governed by” $1/(c_+ + 1)$, but it can be a bit larger than $1/(c_+ + 1)$ (see [DF01, DF02] for details).

5 Efficiency limitations of the Σψ-protocol and the optimality of the standard knowledge extractor

We have seen in the foregoing chapter that the efficiency of proofs of knowledge using the Σψ-protocol is determined by the MS knowledge error. That is, the smaller the MS knowledge error of a homomorphism ψ is, the more efficient are the proofs of knowledge that the Σψ-protocol yields for ψ. Yet, the MS knowledge error varies considerably for different homomorphisms, and so does the efficiency of the respective proofs of knowledge. In particular, for the practically important class of exponentiation homomorphisms in hidden order groups the MS knowledge error is large (i.e., 1/2), and the resulting proofs of knowledge are inefficient.

It is important to recall that the MS knowledge error is only the smallest knowledge error that is known to be achievable using the standard knowledge extractor; and that the standard knowledge extractor is the only knowledge extractor that is currently known for the Σψ-protocol. However, there could be better knowledge extractors for the Σψ-protocol, which achieve a knowledge error that is smaller than the MS knowledge error. Consequently, by the relation of the size of the knowledge error and the efficiency of proofs of knowledge, one could obtain more efficient proofs of knowledge using the Σψ-protocol and overcome the existing limitations. The ultimate goal would be to achieve a negligible knowledge error, and hence efficient proofs of knowledge, for all (concrete) homomorphisms.

However, if one tries to find such better knowledge extractors for the Σψ-protocol, one realizes that this is not an easy task. Given the importance and the abundant use of the Σψ-protocol, it is quite surprising that prior to our work little was known about whether the above limitations are inherent to the Σψ-protocol or just happen to be shortcomings of the standard knowledge extractor, which can be overcome. On the one hand, this is a theoretical question concerning the understanding of the proof of knowledge property of the Σψ-protocol. On the other hand, by the relation of the efficiency of proofs of knowledge and the size of the knowledge error, it is also practically relevant, since it would be important for many practical applications to overcome the current efficiency limitations. In this chapter we prove results that provide substantial evidence that the above limitations are inherent to the Σψ-protocol. To start with, we make the following conjecture:

Conjecture 5.1 (Optimality conjecture) There can be no knowledge extractor for the Σψ-protocol that for a given collection of one-way homomorphisms Ψ achieves a smaller knowledge error than the MS knowledge error of Ψ.

While we do not know how to prove the optimality conjecture in general, we give ample evidence for the conjecture. That is, we prove that under certain conditions and for certain homomorphisms the optimality conjecture is true. To this end, we introduce in §5.1 the notion of a lower bound on the knowledge error of a protocol: β is a lower bound on the knowledge error of a homomorphism ψ, if no knowledge extractor exists (for the protocol at hand) that is successful in extracting a preimage of ψ with a knowledge error less than or equal to β. We then prove under different conditions, and for different types of homomorphisms, the existence of lower bounds on the knowledge error of the Σψ-protocol. These lower bounds turn out to be equal to the MS knowledge error, and thus they confirm our conjecture.

Let us discuss our results in more detail. First, we derive lower bounds on the knowledge error using generic group techniques (§5.2). For that purpose, we introduce the notion of a generic homomorphism algorithm. This is an algorithm that can only perform a restricted set of operations on a homomorphism ψ : G → H (i.e., loosely speaking, perform typical operations in the groups G and H and evaluate ψ). Then, we derive lower bounds on the knowledge error that can be achieved by knowledge extractors that are generic homomorphism algorithms. As a result we obtain a comprehensive description of lower bounds on the knowledge error of the Σψ-protocol for different types of homomorphisms (e.g., non-special homomorphisms, and special homomorphisms with known and hidden order co-domain). All these lower bounds turn out to be equal to the MS knowledge error. In the generic homomorphism setting we can thus prove the optimality conjecture to be true.

As these lower bounds only hold with respect to knowledge extractors that are generic homomorphism algorithms, they could be under-run by plain model (i.e., conventional non-generic) knowledge extractors. That is, the optimality conjecture could turn out to be false in the plain model. Hence, we further investigate our optimality conjecture in the plain model (§5.3). To this end we consider exponentiation homomorphisms $\psi_E(x) = h^x$ and power homomorphisms $\psi_P(x) = x^e$ in hidden order groups, for which we can prove the existence of lower bounds on the knowledge error (in the plain model). The resulting lower bounds are equal to the MS knowledge error, and hence further confirm our optimality conjecture. In particular, our results indicate that for exponentiation homomorphisms in hidden order groups one cannot achieve a smaller knowledge error than 1/2. This in turn suggests that the Σψ-protocol cannot be used to obtain efficient proofs of knowledge for such homomorphisms.

5.1 Definition of lower bound on the knowledge error

Let us define what we mean by a lower bound on the knowledge error of a proof of knowledge. To this end we recall that by Definition 2.15, a protocol (P, V) is a proof of knowledge with knowledge error κ for a binary relation R, if there exists an algorithm (the knowledge extractor) for the following computational problem: Given a $y \in L_R$ and black-box access to a prover $P^*(y, \gamma)$ (where $\gamma \in \{0, 1\}^*$) that is successful in the protocol with probability

$$\varepsilon(y, \gamma, P^*) = \Pr\big(\langle P^*(\gamma), V \rangle(y) = 1\big) > \kappa(\|y\|),$$

compute a witness for y; the knowledge extractor is required to be successful with probability 1 for all such $(P^*, y, \gamma)$ and may run in expected time bounded by

$$t_+(\kappa, y, P^*, \gamma) = \frac{\mathrm{poly}(\|y\|)}{\varepsilon(y, \gamma, P^*) - \kappa(\|y\|)}.$$

Intuitively, β is a lower bound on the knowledge error of a protocol (P, V) for a relation R, if there is no knowledge extractor that achieves a knowledge error κ ≤ β. This means that the computational problem to be solved by a knowledge extractor is hard as soon as κ ≤ β. Thus, we can essentially use the standard definitional approach used to formalize the notion of a hard problem to define a lower bound on the knowledge error. Using this approach, β is a lower bound on the knowledge error if the following holds: There is a generator $D_K(k)$ taking on values on tuples $(P^*, y, \gamma)$ (i.e., “instances of the problem to be solved by a knowledge extractor”) with $\varepsilon(y, \gamma, P^*) > \beta$, such that, over the choices of $D_K(k)$, all knowledge extractors that are given black-box access to $P^*(y, \gamma)$ trying to achieve a knowledge error κ ≤ β have only a “small success probability” in finding a witness. A proper formalization of a lower bound on the knowledge error along these lines is as follows.

Definition 5.1 (Lower bound on the knowledge error) Let (P, V) be a pair of interactive probabilistic polynomial-time machines, let R be a binary relation, and let $\beta : \mathbb{N} \to [0, 1]$ be a function. We say that β is a lower bound on the knowledge error of the protocol (P, V) for R if there exists an interactive probabilistic polynomial-time machine $P^*$ and a generator $D_K(k)$ taking on values on tuples (y, γ) with $y \in L_R$, $\|y\| = \mathrm{poly}_1(k)$, and $\gamma \in \{0, 1\}^{\mathrm{poly}_2(k)}$, such that the following holds.

– Non-triviality: For all (y, x) ∈ R it is $\Pr(\langle P(x), V \rangle(y) = 1) = 1$.
– Uniformity: There is a polynomial poly(·) such that for all sufficiently large values of k and for all $(y, \gamma) \leftarrow D_K(k)$ we have $\varepsilon(y, \gamma, P^*) \ge \beta(k) + 1/\mathrm{poly}(k)$.
– Hardness: For all expected polynomial-time machines M the probability $\Pr\big((y, \gamma) \leftarrow D_K(k),\ w \leftarrow M^{P^*(y, \gamma)}(y) : w \in W(y)\big)$ is negligible in k.

Let us comment on Definition 5.1. It is not difficult to verify that, if the requirements of Definition 5.1 can be shown to hold for a protocol (P, V) and a relation R, then (P, V) is not a computational proof of knowledge for R with knowledge error κ ≤ β (according to Definition 2.15). We note that Definition 5.1 is not the “most generic possible definition” of a lower bound on the knowledge error. Rather, it describes the actual conditions that we demonstrate in the proofs of our results. In fact, Definition 5.1 is stronger than saying “β is a lower bound on the knowledge error κ of the protocol (P, V) for the relation R, if (P, V) is not a computational proof of knowledge for R with knowledge error κ ≤ β”.

Let us consider the uniformity condition. We note that the running time $t_+$ of a knowledge extractor is “unconventional” in two ways:

– First, $t_+$ can be super-polynomially large, when the difference $\varepsilon(y, \gamma, P^*) - \kappa(\|y\|)$ becomes very small.
– Second, $t_+$ is a function of κ, y, $P^*$, and γ and not a function of $\|y\|$, which is usually considered to be the security parameter determining the running time of algorithms.

Now, the uniformity condition $\varepsilon(y, \gamma, P^*) \ge \beta(k) + 1/\mathrm{poly}(k)$ on the success probability ε of a prover $P^*$ asserts that the expected running time $t_+$ of a knowledge extractor trying to achieve a knowledge error κ ≤ β becomes polynomial in k. Loosely speaking, this condition brings us back from the world of unconventional algorithms of the above type, into the (almost) conventional world of expected polynomial-time algorithms. Given this observation, the hardness condition states in a straightforward manner that there is no knowledge extractor achieving a knowledge error κ ≤ β. It is important to note that the hardness condition is required to hold for expected polynomial-time algorithms. As a consequence all the lower bounds we prove in the following hold under hardness assumptions with respect to expected polynomial-time algorithms (e.g., the assumption that the ROOT problem in a group is hard with respect to expected polynomial-time algorithms). Finally, the non-triviality condition is the same as in the definition of a proof of knowledge (Definition 2.15), and we impose it as it makes no sense to talk about lower bounds on the knowledge error of protocols that are not proofs of knowledge because they do not fulfill this condition.

5.2 Lower bounds in the generic model

In this section we derive lower bounds on the knowledge error that can be achieved by knowledge extractors that are generic (homomorphism) algorithms. Let us first informally introduce the notions of generic groups and generic algorithms. In the generic group model one considers algorithms (so called generic group algorithms) that can only perform a restricted set of operations on group elements of a given group. Typically, these are the following operations:

– Evaluation of the group operation.
– Inversion of a group element.
– Test of equality of two group elements.
– Choice of a uniform random group element.

The generic group model is considered to be relevant for two reasons. First, within this model one can prove computational problems in groups to be hard without making use of unproven computational assumptions. In fact, various cryptographic problems were proved to be hard in the generic group model (e.g., the DLOG problem by Nechaev [Nec94] and Shoup [Sho97], the GROOT and the ROOT problem by Damgaard and Koprowski [DK02]). Second, the hardness of a computational problem in the generic model is a necessary (but not sufficient) condition for the problem to be hard in the plain model (i.e., in concrete groups such as RSA groups). This follows from the observation that plain model algorithms, i.e., conventional algorithms that are given the description of concrete groups and group elements etc., can perform all of the operations listed above, plus, of course, other group specific operations. Thus whatever problem can be solved by a generic algorithm can also be solved by a plain model algorithm. Now, since there is no rigorous evidence for the validity of the various hardness assumptions being made in cryptography, it is often considered to be a good practice to prove such problems to be hard in the generic model (i.e., to check at least that known necessary conditions for a problem’s hardness hold).

Technically, a generic group algorithm M is not given an explicit description of a group G and elements of G but only handles to group elements. Using these handles, M can only perform operations on group elements by issuing respective queries to a group oracle O, which performs the requested operation and returns a handle to the resulting group element.

In the following we are looking at generic homomorphism algorithms. The notion of a generic homomorphism algorithm M is a straightforward extension of a generic group algorithm to homomorphisms. That is, M is an algorithm that is restricted to perform only the following operations related to a homomorphism ψ : G → H:

– In the domain G and the co-domain H, respectively, M may perform the generic group operations (listed above).
– M may evaluate the homomorphism ψ on elements of the domain G.
– Optionally, if ψ is a special homomorphism, then for any element y of the co-domain H, M may obtain a pseudo-preimage (v, w) of y under ψ.

Looking at the Σψ-protocol, it is straightforward to see that the verifier and the prover in the Σψ-protocol are generic homomorphism algorithms. Hence, one can naturally consider knowledge extractors for the Σψ-protocol that are generic homomorphism algorithms. We say that a generic (homomorphism) black-box algorithm M is an algorithm that is given black-box access to a prover $P^*((\psi, y), \gamma)$ (where $\gamma \in \{0, 1\}^*$) as in the plain model, i.e., M may repeatedly reset $P^*$, choose $P^*$’s random input, and run the Σψ-protocol with $P^*$; however, in contrast to the plain model, M is given all the group elements it sees in the Σψ-protocol (i.e., the common input y and the group elements sent by $P^*$) through handles and it can perform operations on group elements only by means of a homomorphism oracle for ψ. It is not difficult to verify that the standard knowledge extractor of the Σψ-protocol is a generic black-box algorithm and hence that the MS knowledge error can be achieved in the generic homomorphism model.

In the following we show that there are lower bounds on the knowledge error that is achievable by generic black-box algorithms. These lower bounds are equal to the MS knowledge error. Thus, in the generic homomorphism model we can prove our optimality conjecture (i.e., Conjecture 5.1) to be true.

This section is structured as follows. In §5.2.1 we formalize the notions of a generic black-box algorithm and of a generic knowledge extractor for the Σψ-protocol. Then in §5.2.2 we recall the definition of a pseudo-random function, which we use in §5.2.3 to derive our main result on lower bounds on the knowledge error achievable by generic black-box algorithms.

5.2.1 Model

In this section we formalize the notion of a generic black-box algorithm. For the formal definition of such algorithms we use the oracle O described next.

Definition 5.2 (Homomorphism oracle) The homomorphism oracle O has two ports Q1 and Q2. It maintains a pair of lists G and H, which initially are empty. By $g_i$ and $h_i$ we denote the i-th element in the list G and H, respectively. The computation of O consists of an initialization phase which is run once, followed by a query-handling phase in which O replies to at most m = m(k) queries.

1. Initialization. The oracle O takes ((ψ, y), x) as input, where ψ : G → H is a homomorphism and y = ψ(x). It appends y to the list H, chooses $r_1 \leftarrow_U G, \ldots, r_m \leftarrow_U G$ and $s_1 \leftarrow_U H, \ldots, s_m \leftarrow_U H$, and initializes the integer counters $i_1 = i_2 = 1$.
2. Query-handling. A query is replied to by performing the corresponding computation in (a) followed by the computation in (b).

(a) send() queries received on port Q1 are processed as follows:
– send(G, g̃): Set $g' = \tilde{g}$ (where we assume $\tilde{g} \in G$).
– send(H, h̃): Set $h' = \tilde{h}$ (where we assume $\tilde{h} \in H$).
group-op(), random(), hom(), and pp-find() queries received on port Q2 are processed as follows:
– group-op(G, i ± j): set $g' = g_i \pm g_j$.
– group-op(H, i ± j): set $h' = h_i \pm h_j$.
– random(G): set $g' = r_{i_1}$ and $i_1 = i_1 + 1$.
– random(H): set $h' = s_{i_2}$ and $i_2 = i_2 + 1$.
– hom(i): set $h' = \psi(g_i)$.
– pp-find() (this query is only available if ψ is a v-special homomorphism): Invoke the pseudo-preimage finder M for ψ to obtain $(v, g') \leftarrow M(\psi, y)$ and output v on port Q2.†
(b) If a query results in a group element $g' \in G$, then append $g'$ to the list G and output the equality set $\{i : g_i \in G \text{ and } g' = g_i\}$ and the string “G” on port Q2. If a query results in a group element $h' \in H$, then append $h'$ to the list H and output the equality set $\{i : h_i \in H \text{ and } h' = h_i\}$ and the string “H” on port Q2.

Using the homomorphism oracle O we can now formally introduce generic (homomorphism) black-box algorithms.

Definition 5.3 (Generic black-box access and generic black-box algorithm) Let be given a probabilistic interactive machine $P^*$ and the homomorphism oracle O. Let ψ : G → H be a homomorphism, let x ∈ G, and let y ∈ H, such that y = ψ(x). We say that a machine M is given generic (homomorphism) black-box access to $P^*((\psi, y), \gamma)$, where $\gamma \in \{0, 1\}^*$, if the following holds:

– O is initialized with ((ψ, y), x).
– $P^*$ is connected to O’s port Q1.
– M is connected to O’s port Q2.
– $P^*$’s read-only port is connected to M’s write-only port.
– M may repeatedly reset $P^*$ to its initial state, choose $P^*$’s random input, and then engage in a joint computation with $P^*$. When $P^*$ is reset, then the oracle O is not reset.

We denote M given generic (homomorphism) black-box access to $P^*$ by $M^{P^*((\psi, y), \gamma),\, O((\psi, y), x)}$, and call M a generic (homomorphism) black-box algorithm. For the running time of M a query issued to O and resetting $P^*$ together with setting a random input count as one computational step.

For an illustration of Definition 5.3 we refer to Figure 5.1. Next, we make the following observations concerning generic black-box algorithms:

– A generic black-box algorithm M can only perform operations on G, H, and ψ that are made available through the homomorphism oracle O’s queries (on oracle port Q2). In particular, all group elements of G and H that are sent (using the send() queries) by the prover $P^*$ are, loosely speaking, “routed through the oracle O”, which translates these group elements from the plain into the generic model.
– For special homomorphisms the functionality of a pseudo-preimage finder is made available through the homomorphism oracle’s query pp-find(). This allows us to consider special homomorphisms also in the generic model. Technically, this approach† is necessary since the special property of a homomorphism is encoding dependent and as in the generic model encoding dependent properties of a homomorphism are hidden (i.e., loosely speaking, a special homomorphism in the plain model is not automatically a special homomorphism in the generic model).
– The prover $P^*$ is given its inputs ((ψ, y), γ) in the plain model and hence it is a plain model algorithm.

† Actually for our results to hold it is required that there is an x ∈ G and a k ∈ ker(ψ) such that for all $y \in \mathrm{image}(\psi)$ and $(v, g') \leftarrow M(\psi, y)$ it is $g' = vx + k$ in G. For all practically used special homomorphisms this requirement is fulfilled.

Fig. 5.1. Generic black-box algorithm M given access to $P^*$: the oracle O receives send() queries from $P^*$ on port Q1 and group-op(), hom(), random(), and pp-find() queries from M on port Q2; $P^*$’s read-only port is connected to M’s write-only port.

† We note that it is a standard approach to make information, which is implicitly available in the plain setting, explicitly available in the generic setting. For instance, Shoup [Sho97] in his analysis of the discrete logarithm problem in generic groups, makes explicitly available the group order.

5.2.1.1 Generic knowledge extractors for the Σψ-protocol

Consider the Σψ-protocol $(P^*(\gamma), V)(\psi, y)$, where $P^*$ is a possibly cheating prover. Let M be a generic black-box algorithm given access to $P^*((\psi, y), \gamma)$ (i.e., $M^{P^*((\psi, y), \gamma),\, O((\psi, y), x)}$). Now, it remains to define what it means that M finds a preimage of y under ψ (i.e., a witness of y). To this end assume that M terminates its computation by outputting an integer index i into the list G of the homomorphism oracle O. We say M has found a preimage of y under ψ if the list element $g_i$ is a preimage of y under ψ. Using this terminology it is easy to see that the notions of a proof of knowledge and of a lower bound on the knowledge error carry over to generic black-box algorithms. Correspondingly, a generic knowledge extractor is a knowledge extractor that is a generic black-box algorithm.

Finally, we make the important observation that the standard knowledge extractor for the Σψ-protocol is a generic knowledge extractor. Thus the results on proofs of knowledge using the Σψ-protocol in §4.2 equally apply in our generic model. In particular,

– the results in Theorem 4.3 also hold with respect to generic black-box algorithms, and
– the MS knowledge error (see Definition 4.6) is achievable using the standard knowledge extractor in the generic model.

5.2.1.2 A note on the representation of generic group elements The reader may wish to skip this section upon first reading and come back to it later. Loosely speaking, group elements in the generic model are re- presented towards a generic algorithm by “handles” chosen by the group oracle. There are various methods for choosing these handles. The most wi- dely used method is based on random encoding functions and was introduced by Shoup [Sho97]. In the definition of our homomorphism oracle O we use a different less widely used method, which was proposed by Maurer [Mau00]. In the following we briefly describe and compare these two methods. Applied to our homomorphism oracle O, Shoup’s method roughly works as follows. Let SG and SH be two sufficiently large finite subsets of the binary strings. Upon initialization of O with a homomorphism ψ : G → H one chooses randomly and uniformly injective mappings σG : G → SG and σH : H → SH (the random encoding functions). Then (in part 2 (b) of the homomorphism oracle’s computation), a handle to the group element g0 0 . 0 is chosen to be σG = σG(g ) and output on port Q2. Likewise for the group 0 0 . 0 0 element h one sets σH = σH (h ). Let σG,i denote the handle to the i-th group 0 element gi in the oracle’s list G, and σH,i the handle to hi ∈ H. Since the random encoding functions are injective, we have

0 0 0 0 σG,i = σG,j ⇔ gi = gj and σH,i = σH,j ⇔ hi = hj. That is, handles to elements in the group G and the group H, respectively, are unique, and thus given two handles a generic algorithm can tell if the referenced group elements are equal or not. We note that by introducing 5.2 Lower bounds in the generic model 95 random encoding functions the probability space underlying computations in the generic model is enlarged compared to the plain model. That is, Shoup’s random encodings introduce an artifact into the generic model. For our homomorphism oracle O we use a method for giving out handles proposed by Maurer [Mau00]. When using this method, generic algorithms are defined on the same probability space as plain model algorithms. In Maurer’s method (see part 2 (b) of our homomorphism oracle O) the handle to the i-th group element gi ∈ G is simply its index i, and analogously for hi ∈ H the handle is the index i. It is easy to see that using this method handles are not unique, i.e.,

$$i = j \not\Leftrightarrow g_i = g_j \quad\text{and}\quad i = j \not\Leftrightarrow h_i = h_j.$$ Thus, a generic algorithm given two handles $i$ and $j$ cannot tell whether the referenced group elements $g_i$ and $g_j$ are equal (and the same applies to elements $h_i$ and $h_j$). Yet, this problem can be easily overcome. To this end in Maurer’s model, for each query that results in a new list element, the oracle returns the set of indices of group elements contained in $\mathcal{G}$ that are equal to the new group element. (In the definition of our oracle $O$ we have called this set of indices the equality set.)

So we see that in both models a generic algorithm is able to test the equality of group elements. In fact, it is not difficult to see that, using a simulator, it is possible to transform any generic algorithm running in Shoup’s variant of the generic model into an algorithm in Maurer’s variant of the model, and vice versa. Correspondingly, our results given below also hold in Shoup’s variant of the model.

5.2.2 Pseudo-random functions

Our results in the next section rely on the existence of pseudo-random functions. Here we introduce pseudo-random functions by following the definitional approach of Goldreich [Gol01].

Definition 5.4 ((Uniform) $l(k)$-bit function ensemble) Let a function $l(k): \mathbb{N} \to \mathbb{N}$ be given.

– An $l(k)$-bit function ensemble is a probability ensemble $D_F(k)$ on functions mapping $l(k)$-bit strings to $l(k)$-bit strings (i.e., any $f \leftarrow D_F(k)$ is a mapping $f: \{0,1\}^{l(k)} \to \{0,1\}^{l(k)}$).
– The uniform $l(k)$-bit function ensemble is the $l(k)$-bit function ensemble $D_{UF}(k)$ that is uniformly distributed on the mappings of $l(k)$-bit strings to $l(k)$-bit strings.

We call an $l(k)$-bit function ensemble $D_F(k)$ efficiently computable if it has the two following properties.

1. There is a generator $M_F(k)$ (i.e., an expected polynomial-time algorithm) such that the output distribution of $M_F(k)$ is equal to the probability distribution of $D_F(k)$.
2. There is a deterministic polynomial-time algorithm that can be used to evaluate the functions chosen by the generator $M_F$.

Moreover, we use the following notation: if $D_F(k)$ is an $l(k)$-bit function ensemble, then $M^{D_F(k)}$ denotes that the function $f$ is chosen according to $D_F(k)$ and then the oracle machine $M$ is given oracle access to $f$.

Definition 5.5 (Expected polynomial-time pseudo-random function ensemble) Let $D_{UF}(k)$ denote the uniform $l(k)$-bit function ensemble. An efficiently computable $l(k)$-bit function ensemble $D_{PRF}(k)$ is an expected polynomial-time pseudo-random function (PRF) ensemble if for all expected polynomial-time oracle machines $M$ the probability

$$\left|\Pr(M^{D_{PRF}(k)} = 1) - \Pr(M^{D_{UF}(k)} = 1)\right|$$ is negligible in $k$. Note that our definitions of efficiently computable and of a PRF ensemble deviate from the standard definition (see e.g., Goldreich [Gol01]) in that they are stated with respect to expected polynomial-time rather than probabilistic polynomial-time algorithms.

5.2.3 Results

In this section we describe lower bounds on the knowledge error of the Σψ-protocol that can be achieved by generic black-box algorithms. Let us first introduce a few definitions, which we use in the statement of our results. For the remainder of this section we assume that homomorphisms $\psi: G \to H$ have a finite domain and co-domain. Then, we define $$\text{max-div}(\psi) \doteq \max(\{p : p \mid |\operatorname{image}(\psi)|\}),$$ i.e., $\text{max-div}(\psi)$ is the largest prime factor in the order of $\operatorname{image}(\psi)$.

Definition 5.6 (Large order image) Let $\Psi = \{\psi_k\}$ be an infinite sequence of homomorphisms indexed by the security parameter $k$. We call $\Psi$ a collection of homomorphisms with a large order image, if $\text{max-div}(\psi_k)$ is a super-polynomial function in $k$.

An example of homomorphisms with a large order image are Schnorr-type (see also Figure 3.1) exponentiation homomorphisms $\psi_E(x) \doteq h^x$, where $|h|$ is prime and super-polynomial. We let $D_\psi$ denote a random variable taking on values on a finite number of homomorphisms and make the following definitions:

– By $\pi_{\max}(D_\psi)$ we denote the random variable on prime numbers that is obtained from $D_\psi$ by choosing a homomorphism $\psi \leftarrow D_\psi$ and then selecting the largest prime factor of $|\operatorname{image}(\psi)|$.
– By $\alpha(\pi_{\max})$ we denote the maximal probability in the distribution $\pi_{\max} \doteq \pi_{\max}(D_\psi)$, i.e., we define $$\alpha(\pi_{\max}) \doteq \max(\{\Pr(p) : p \leftarrow \pi_{\max}\}).$$

Intuitively, $\alpha(\pi_{\max})$ measures how hard it is to guess the largest prime in the order of $\operatorname{image}(\psi)$, when $\psi$ is chosen according to $D_\psi$.

Definition 5.7 (Hard to guess image order) Let a collection of homomorphisms $\Psi$ and a generator $D_\Psi(k)$ taking on values on $\Psi$ be given, and let $\pi_{\max}(k) \doteq \pi_{\max}(D_\Psi(k))$. We call $\Psi$ a collection of homomorphisms with hard to guess image order, if $\alpha(\pi_{\max}(k))$ is a negligible function in $k$.

We note that Definition 5.7 (and the related formalism) is a straightforward adaption of similar definitions introduced by Damgaard and Koprowski [DK02] for the analysis of the ROOT problem in generic groups with hidden order. Damgaard and Koprowski [DK02] point out that it is standard practice to choose RSA moduli $n$ such that the order of the RSA group $\mathbb{Z}_n^*$ contains a large random prime. Hence, Guillou-Quisquater-type (see also Figure 3.1) power homomorphisms $\psi: \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ defined by $\psi(x) \doteq x^e$ are an example of homomorphisms with a hard to guess image order. Another example are exponentiation homomorphisms in RSA groups, i.e., $\psi_E(x) \doteq h^x$ with $h \in \mathbb{Z}_n^*$ (assuming that $|h|$ contains the respective prime factor).

Now we are ready to state our main result on lower bounds of the knowledge error of the Σψ-protocol that are achievable by generic black-box algorithms. As earlier, $C(k)$ denotes a sequence of arbitrary finite subsets of the integers indexed by the security parameter $k$.

Theorem 5.1 Consider the Σψ-protocol with challenge set $C(k)$ for a homomorphism relation $R[\Psi]$. If there exist expected polynomial-time PRFs, then the following lower bounds on the knowledge error hold for generic black-box algorithms:

(a) If $\Psi = \{\psi_k\}_k$ is a collection of $v(k)$-special homomorphisms with a large order image and $|\operatorname{image}(\psi_k)| \mid v(k)$, then $1/p(k) - 1/\operatorname{poly}(k)$ is a lower bound on the knowledge error, where $p(k)$ is the smallest prime factor of $v(k)$.
(b) If $\Psi$ is a collection of $v(k)$-special homomorphisms with hard to guess image order, then $1/p(k) - 1/\operatorname{poly}(k)$ is a lower bound on the knowledge error, where $p(k)$ is the smallest prime factor of $v(k)$.
(c) If $\Psi$ is a collection of homomorphisms with hard to guess image order, then $1/2 - 1/\operatorname{poly}(k)$ is a lower bound on the knowledge error.

The proof of Theorem 5.1 is given in §5.4. The remainder of this section is dedicated to the discussion of Theorem 5.1. While the theorem is a bit technical, each of the parts (a) - (c) has the following intuitive interpretation:

(a) If $\psi$ is a one-way homomorphism for which a non-zero multiple $v$ of $|\operatorname{image}(\psi)|$ is known and if $p$ is the smallest prime factor of $v$, then the lower bound is $1/p - 1/\operatorname{poly}(k)$.
(b) If $\psi$ is a $v$-special one-way homomorphism with a hidden order co-domain $H$† and $p$ is the smallest prime factor of $v$, then the lower bound is $1/p - 1/\operatorname{poly}(k)$.
(c) If $\psi$ is a non-special one-way homomorphism, then the lower bound is $1/2 - 1/\operatorname{poly}(k)$.

In fact, these interpretations can be formally justified by proving the respective properties in the generic (homomorphism) model, e.g., that the (collection of) homomorphisms in (b) has a hidden order co-domain and that those in (c) are non-special. We note that the lower bounds hold for arbitrary choices of the challenge set. Thus, informally speaking, there are no smart choices of the challenge set $C$ that can be exploited to obtain a smaller knowledge error than by using the commonly used challenge set $C \doteq \{0, \ldots, c^+\}$. We also observe that the lower bounds for special homomorphisms with known order co-domain in part (a) and those for special homomorphisms with hidden order co-domain in part (b) of the theorem are equal.

The key observation is that the lower bounds in Theorem 5.1 (up to an additive term of $1/\operatorname{poly}(k)$) are equal to the MS knowledge error (see §4.2). That is:

– The lower bounds for special homomorphisms in Theorem 5.1 (a) and (b) correspond to the MS knowledge error of $v$-special homomorphisms.
– The lower bound for non-special homomorphisms in Theorem 5.1 (c) corresponds to the MS knowledge error for non-special homomorphisms.

† Less intuitively but more precisely, we should say that $\psi$ is a $v$-special one-way homomorphism such that $\operatorname{image}(\psi)$ is a hidden order group.

So, the above results completely confirm our optimality conjecture and show that the standard knowledge extractor of the Σψ-protocol is optimal in the generic (homomorphism) model.

Finally, let us turn to the relevance of our results. As mentioned earlier, a result in the generic model is always necessary but not sufficient for the corresponding result to hold in the plain model. Hence, on the one hand, our results are evidence that lower bounds on the knowledge error of the Σψ-protocol also exist in the plain model. On the other hand, they do not exclude the existence of knowledge extractors in the plain model that under-run the lower bounds described above. A different interpretation of this fact is as follows. Recall that for proofs of knowledge using the Σψ-protocol to be more efficient it would be desirable to under-run the MS knowledge error for certain homomorphisms. Our results imply that to achieve this goal, one has to come up with novel knowledge extractors that are not generic (homomorphism) algorithms and that exploit encoding dependent properties of concrete homomorphisms.

5.3 Lower bounds in the plain model

Given that the lower bounds on the knowledge error derived in the foregoing section only hold for generic black-box algorithms, it is natural to ask whether there also exist lower bounds in the plain model. In this section we show that this is the case for power homomorphisms $\psi_P(x) \doteq x^e$ (with $x \in H$) and exponentiation homomorphisms $\psi_E(x) \doteq h^x$ (with $h \in H$). The bounds hold under the ROOT and ORDER assumption for $H$, respectively. In particular, it turns out that these lower bounds (in many cases) coincide with the MS knowledge error. Thus, the results in this section are evidence that our optimality conjecture also holds in the plain model.

5.3.1 Lower bounds for power homomorphisms

Our results in the following hold under what we call the expected polynomial-time ROOT assumption. That is the assumption that the ROOT problem in some group $H$ is hard with respect to expected polynomial-time algorithms. Note that this assumption is stronger than the conventional ROOT assumption (e.g., the RSA assumption), which is put forth with respect to probabilistic polynomial-time algorithms.

If $S$ is a set of integers and $d$ is an integer, then we define a subset of $S$ by $$\operatorname{Div}(S, d) \doteq \{s : s \in S \text{ and } d \mid s\}.$$ Once more, we let $C \doteq C(k)$ denote a sequence of arbitrary finite subsets of the integers indexed by the security parameter $k$. Using this notation, the following theorem describes lower bounds on the knowledge error of the Σψ-protocol for power homomorphisms.

Theorem 5.2 Let $\Psi$ be a collection of power homomorphisms $\psi_P: H \to H$ defined by $\psi_P(x) \doteq x^e$ with $\gcd(e, |H|) = 1$ and $e \ge 2$, and consider the Σψ-protocol with challenge set $C$ for $R[\Psi]$. Under the expected polynomial-time ROOT assumption for $H$, the knowledge error is lower bounded by $$\max\left(\left\{\frac{|\operatorname{Div}(C, d)|}{|C|} : d \mid e \text{ and } 2 \le d \le e\right\}\right) - 1/\operatorname{poly}(k).$$

Proof (sketch) In the following we describe a cheating prover $P^*$ and its inputs and then show that $P^*$ with these inputs fulfills the requirements of Definition 5.1 (i.e., the non-triviality, uniformity, and hardness condition) for the lower bound claimed in Theorem 5.2. Non-triviality is a property of the Σψ-protocol that is known to hold, and hence we do not need to check it.

Let a power homomorphism $\psi_P: H \to H$ defined by $\psi_P(x) \doteq x^e$ be given. Then, we define $\bar d$ to be an integer with $2 \le \bar d \le e$ such that $$\frac{|\operatorname{Div}(C, \bar d)|}{|C|} = \max\left(\left\{\frac{|\operatorname{Div}(C, d)|}{|C|} : d \mid e \text{ and } 2 \le d \le e\right\}\right).$$ Given an arbitrary element $u \in H$, we set $$y \doteq u^{(e/\bar d)}. \tag{5.1}$$

Next we define a cheating prover $P^*$ for the Σψ-protocol that on common input $(\psi_P, y)$ and private input $u$ performs the following steps:

1. Choose $r \xleftarrow{U} H$, set $t \doteq \psi_P(r) = r^e$, and send $t$ to the verifier.
2. Let $c$ denote the challenge $P^*$ receives from the verifier. Now, if $c \in \operatorname{Div}(C, \bar d)$, then set $s \doteq r u^{c/\bar d}$ and send $s$ to the verifier; otherwise halt.

Let us verify the uniformity condition. By construction, $P^*$ upon its initial message $t = r^e$ answers a challenge $c \in \operatorname{Div}(C, \bar d)$ with $s = r u^{c/\bar d}$. Such a tuple $(t, c, s)$ fulfills

$$\psi_P(s) = \psi_P(r u^{c/\bar d}) = t u^{ce/\bar d} = t y^c,$$ where we have used (5.1) to obtain the last equality. Hence $(t, c, s)$ is accepted by the verifier in the last step of the Σψ-protocol. By definition of $\bar d$ and since $P^*$ answers all challenges in $\operatorname{Div}(C, \bar d)$, $P^*$ is successful in the Σψ-protocol with probability $$\max\left(\left\{\frac{|\operatorname{Div}(C, d)|}{|C|} : d \mid e \text{ and } 2 \le d \le e\right\}\right),$$ and the uniformity condition follows.

Let us turn to the hardness condition. By contradiction, assume that there is an expected polynomial-time algorithm $M$ that, given black-box access to $P^*((\psi_P, y), u)$, with non-negligible probability computes an $x \in H$ such that $$y = \psi_P(x) = x^e.$$

Then, this last equation and (5.1) yield $$u^{e/\bar d} = x^e,$$ and as $\gcd(|H|, e) = 1$ by assumption, we get $$u = x^{\bar d}.$$

That is, given an arbitrary $u \in H$ we can compute a $\bar d$-th root $x$ of $u$. This contradicts the expected polynomial-time ROOT assumption, and thus any expected polynomial-time algorithm $M$ can only compute a preimage of $y$ under $\psi_P$ with negligible probability. The hardness condition now follows.
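The cheating prover of the proof sketch above, run against an honest verifier, as an added example that is not code from the dissertation. The toy modulus $n = 61 \cdot 53$, the exponent $e = 7^2$ (so that $\gcd(e, |H|) = 1$) and the interval challenge set are constructed values; the example shows that the fraction of challenges $P^*$ answers is exactly $|\operatorname{Div}(C, \bar d)|/|C|$, which for an interval $C$ is the $1/p$ bound for the smallest prime factor $p = 7$ of $e$.

```python
"""Added example, not code from the dissertation: the cheating prover P* from the
proof sketch of Theorem 5.2, run against an honest verifier of the Σψ-protocol for
the power homomorphism ψ_P(x) = x^e on H = Z_n^*.  The modulus, exponent and
challenge set are constructed toy values chosen so that gcd(e, |H|) = 1 holds."""
from fractions import Fraction
from math import gcd
import random

# Constructed toy group: n = 61 * 53, |Z_n^*| = phi(n) = 60 * 52 = 3120 = 2^4 * 3 * 5 * 13.
N = 61 * 53
PHI_N = 60 * 52
# e = 7^2: gcd(e, |H|) = 1 as Theorem 5.2 requires; its smallest prime factor is 7.
E = 49
assert gcd(E, PHI_N) == 1


def div_set(challenges, d):
    """Div(C, d) = {c in C : d | c} as defined in §5.3.1."""
    return {c for c in challenges if c % d == 0}


def best_divisor(challenges, e):
    """Return (d_bar, |Div(C, d_bar)| / |C|): the divisor of e that maximises the
    fraction of challenges P* can answer.  The ratio is the lower bound of
    Theorem 5.2 up to the additive 1/poly(k) term."""
    challenges = list(challenges)
    best_d, best_ratio = None, Fraction(-1)
    for d in range(2, e + 1):
        if e % d:
            continue
        ratio = Fraction(len(div_set(challenges, d)), len(challenges))
        if ratio > best_ratio:
            best_d, best_ratio = d, ratio
    return best_d, best_ratio


def verifier_accepts(t, c, s, y, n=N, e=E):
    """Last step of the Σψ-protocol: accept iff ψ_P(s) = t * y^c."""
    return pow(s, e, n) == (t * pow(y, c, n)) % n


def random_unit(rng, n):
    """Uniform element of Z_n^* (toy: rejection sampling)."""
    while True:
        v = rng.randrange(1, n)
        if gcd(v, n) == 1:
            return v


def cheating_prover_run(u, challenges, d_bar, seed, n=N, e=E):
    """One run of P* for every challenge in C.  Common input is y = u^(e/d_bar)
    (eq. 5.1); private input is u, for which P* knows no e-th root.
    Returns (y, set of challenges on which the verifier accepts)."""
    rng = random.Random(seed)
    y = pow(u, e // d_bar, n)
    r = random_unit(rng, n)                  # step 1: r <- H
    t = pow(r, e, n)                         #         t = ψ_P(r) = r^e
    accepted = set()
    for c in challenges:                     # step 2
        if c % d_bar != 0:
            continue                         # P* halts outside Div(C, d_bar)
        s = (r * pow(u, c // d_bar, n)) % n  # s = r * u^(c / d_bar)
        if verifier_accepts(t, c, s, y, n, e):
            accepted.add(c)
    return y, accepted


def cheating_success_rate(challenges, seed, n=N, e=E):
    """Fraction of challenges P* answers; matches best_divisor(challenges, e)[1]."""
    challenges = list(challenges)
    d_bar, _ = best_divisor(challenges, e)
    u = random_unit(random.Random(seed), n)
    _, accepted = cheating_prover_run(u, challenges, d_bar, seed + 1, n, e)
    return Fraction(len(accepted), len(challenges))


if __name__ == "__main__":
    C = range(0, 21)                         # "standard" interval C = {0, ..., c+}, c+ = 20
    print(best_divisor(C, E))                # (7, Fraction(1, 7)): the 1/p bound for p = 7
    print(cheating_success_rate(C, seed=1))  # 1/7
    print(best_divisor([1, 2, 4, 8, 16], E)) # challenges co-prime to e: bound 0
```

The last call illustrates the second bullet of the discussion that follows: a challenge set co-prime to $e$ drives the bound to $0$, which is why the theorem's bound, unlike the generic-model bounds, depends on the choice of $C$.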

In contrast to our results in the generic model, the lower bound in Theorem 5.2 depends on the choice of the challenge set $C$. Let us consider this dependency in more detail.

We first look at the case where $C$ is some integer interval, such as the “standard choice” $C \doteq \{0, \ldots, c^+\}$. Then, it is not difficult to verify that Theorem 5.2 implies a lower bound on the knowledge error for $\psi_P(x) \doteq x^e$ that is at least $1/p - 1/\operatorname{poly}(k)$, where $p$ is the smallest prime factor of the exponent $e$. Recalling that $\psi_P(x) \doteq x^e$ is an $e$-special homomorphism (see Figure 3.1), we see that this lower bound is (up to an additive term $1/\operatorname{poly}(k)$) larger than or equal to the MS knowledge error of $\psi_P(x) \doteq x^e$. Thus, when $C$ is an integer interval, our optimality conjecture is true.

In the case where $C$ is not restricted to be an interval (i.e., when $C$ can be an arbitrary finite subset of the integers), depending on the choice of $C$, the lower bound can take on any value between $0$ and $1 - 1/\operatorname{poly}(k)$. Let us illustrate this claim with examples for the maximal and the minimal lower bound, respectively:

– When $C$ consists of integers $c$ such that for some $d \ge 2$ we have $d \mid c$ and $d \mid e$, where $\psi_P(x) \doteq x^e$, then the lower bound becomes $1 - 1/\operatorname{poly}(k)$.
– When the challenge set $C$ consists of integers that are co-prime to the exponent $e$ of $\psi_P(x) \doteq x^e$, then the lower bound becomes $0 - 1/\operatorname{poly}(k)$, that is, $0$.

Hence, the implications of Theorem 5.2 with respect to our optimality conjecture are mixed in the case where $C$ can be arbitrary. On the one hand, for choices of $C$ where the lower bound $\beta$ is greater than or equal to the MS knowledge error (i.e., $\beta \ge 1/p - 1/\operatorname{poly}(k)$, where $p$ is the smallest prime factor of the exponent $e$), the optimality conjecture is confirmed.
On the other hand, for choices of $C$ where $\beta$ falls below the MS knowledge error, there might exist knowledge extractors† that under-run the MS knowledge error and hence contradict our conjecture. However, this by no means implies that such knowledge extractors exist and that the optimality conjecture is wrong. Finally, we note that Theorem 5.2 is a generalization of an observation made by Shoup [Sho96] that, using our terminology, the knowledge error of the Σψ-protocol for $\psi_P(x) = x^{2^t}$ is lower bounded by $1/2 - 1/\operatorname{poly}(k)$.

5.3.2 Lower bounds for exponentiation homomorphisms

In the following we prove a lower bound on the knowledge error of the Σψ-protocol for exponentiation homomorphisms $\psi_E(x) \doteq h^x$ (with $h \in H$) in hidden order groups $H$. The result in this section is weaker than those in the previous ones in the sense that the lower bound derived below does not hold for arbitrary black-box algorithms, but only for the class of pseudo-preimage based black-box algorithms. A pseudo-preimage based black-box algorithm $M$ (for the Σψ-protocol) is defined in terms of two algorithms $M_1$ and $M_2$ that are sequentially executed as follows:

1. $M_1$ is an acceptance matrix based pseudo-preimage extractor (see Definition 4.5), which, given black-box access to a prover $P^*((\psi_E, y), \gamma)$, extracts a pseudo-preimage $(\Delta c, \Delta s)$ of $y$ under $\psi_E(x)$.
2. $M_2$ is an arbitrary algorithm that is given $(\psi_E, y)$ and the pseudo-preimage $(\Delta c, \Delta s)$ extracted by $M_1$ as inputs. Its task is to compute a preimage of $y$ under $\psi_E$, i.e., to solve the resulting PP-EHOM problem instance $((\Delta c, \Delta s), y, \psi_E)$. Thereby, $M_2$ is not given black-box access to $P^*((\psi_E, y), \gamma)$.

† By our results in the generic model, such a knowledge extractor would have to be a non-generic algorithm, which is able to exploit encoding dependent properties of a power homomorphism $\psi_P$.

We note that the standard knowledge extractor and all presently existing knowledge extractors for the Σψ-protocol fall into the class of pseudo-preimage based black-box algorithms. Our results in this section are based on the hardness of the PP-EHOM problem (i.e., the PP problem for exponentiation homomorphisms in hidden order groups, see Theorem 3.1 and Corollary 3.3). More precisely, we have seen that PP-EHOM problem instances $((\Delta c, \Delta s), y, \psi_E)$ are hard to solve when $\Delta c \nmid \Delta s$. Below we show that there is a cheating prover $P^*$ that is successful in the Σψ-protocol with probability $1/2$, such that the PP-EHOM problem instances extracted by $M_1$ are such hard instances. Hence, any pseudo-preimage based black-box algorithm fails in the second phase of its computation $M_2$. Using this line of argument we establish a lower bound of $1/2 - 1/\operatorname{poly}(k)$ on the knowledge error that can be achieved by pseudo-preimage based black-box algorithms.

5.3.2.1 Results

So far, when we were talking about the ORDER assumption, it did not matter with respect to which probability distribution of problem instances $(H, u)$ the ORDER problem is assumed to be hard. In this section we need to be a bit more specific about the distribution of group elements $u \in H$: When we talk about the ORDER assumption, then we mean that the ORDER problem is hard over uniform random choices of group elements, i.e., $u \leftarrow H$. (Of course there also has to be some appropriate probability distribution on groups $H \in \mathcal{H}$, where $\mathcal{H}$ is some collection of groups. Yet, the concrete distribution of $H$ is not important for our results and hence may be arbitrary.) According to our earlier convention, we shall in the following simply talk about the ORDER assumption for $H$. We note that this variant of the ORDER assumption is standard and made, e.g., for RSA groups†. Finally, the expected polynomial-time ORDER assumption is the ORDER assumption as above, except that hardness is assumed to hold with respect to expected polynomial-time algorithms.

For the statement of our result we need the following notation:

– By $H' \trianglelefteq H$ we denote that $H'$ is a subgroup of $H$ and that $|H'|/|H|$ is noticeable. Informally speaking, $H' \trianglelefteq H$ means that $H'$ is a large subgroup of $H$. Formally, it means that if we choose $u \xleftarrow{U} H$, then with noticeable probability $u \in H'$. Using this observation, it is not difficult to see that if $H' \trianglelefteq H$, then under the ORDER assumption for $H$, the ORDER problem is hard in $H'$ over the choices of $u \xleftarrow{U} H'$.
– If $S$ is a set of integers, then we define $$\Delta(S) \doteq \{|s - s'| : s, s' \in S, \text{ where } s \neq s'\}.$$
– We say that an integer $s$ is co-prime to a finite set of integers $S$, if all pairs $(s, s')$ with $s' \in S$ are co-prime.
– As earlier, $C \doteq C(k)$ is a sequence of finite subsets of the integers indexed by $k$.

† To be precise, we note that the ORDER assumption is not (usually) made as an independent assumption for RSA groups $\mathbb{Z}_n^*$. However, by the RSA assumption it is hard to compute roots for elements $u \xleftarrow{U} \mathbb{Z}_n^*$. Then, by the reduction ORDER ≥ ROOT (see Theorem 2.6 (a)) and Corollary 2.1 it follows that the ORDER problem is hard over the choices $u \xleftarrow{U} \mathbb{Z}_n^*$. That is, the RSA assumption implies the ORDER assumption as formulated above.

Theorem 5.3 Let $\Psi$ be a collection of exponentiation homomorphisms $\psi_E: \mathbb{Z} \to H' \trianglelefteq H$ defined by $\psi_E(x) \doteq h^x$ with $h \in H' \trianglelefteq H$, and consider the Σψ-protocol with challenge set $C$ for $R[\Psi]$. Then, under the expected polynomial-time ORDER assumption for $H$ the following holds. If for $\psi_E \in \Psi(k)$, $|H'|$ and $\Delta(C)$ are co-prime, then the knowledge error is lower bounded by $1/2 - 1/\operatorname{poly}(k)$; the lower bound holds for pseudo-preimage based black-box algorithms.

By “...the lower bound holds for pseudo-preimage based black-box algorithms” we mean that the conditions of Definition 5.1 hold except that the hardness condition only holds for $M$ that are pseudo-preimage based black-box algorithms. The proof of Theorem 5.3 is given in §5.3.2.2. While Theorem 5.3 might seem a bit technical, it is easy to come up with concrete examples of homomorphisms for which the result applies. One such example is as follows.

Example 5.1 Consider exponentiation homomorphisms $\psi_E(x) \doteq h^x$ with $h \in QR_n \le \mathbb{Z}_n^*$, where $\mathbb{Z}_n^*$ is an RSA group with a special modulus $n = (2p' + 1)(2q' + 1)$, and $QR_n$ is the subgroup of squares. Then by (3.8) we have $|QR_n|/|\mathbb{Z}_n^*| = 1/4$ and thus $QR_n \trianglelefteq \mathbb{Z}_n^*$. Moreover, consider the Σψ-protocol with challenge set $C = \{0, \ldots, c^+\}$, such that $c^+ < p', q'$. Then, we have $\Delta(C) = \{1, \ldots, c^+\}$. Hence, the condition required in Theorem 5.3 that $|QR_n| = p'q'$ is co-prime to $\Delta(C)$ is easily seen to be fulfilled, and the lower bound of $1/2 - 1/\operatorname{poly}(k)$ follows.

Although Theorem 5.3 “only” holds for pseudo-preimage based black-box algorithms, it is still relevant for the following reasons. First, as noted earlier, all known knowledge extractors for the Σψ-protocol are pseudo-preimage based black-box algorithms. Second, the lower bound in the theorem is equal to the MS knowledge error (for non-special homomorphisms), and hence again we have a piece of evidence supporting our optimality conjecture. Third, we recall from our discussion in §4.3 that since the MS knowledge error for exponentiation homomorphisms $\psi_E(x) \doteq h^x$ in hidden order groups is $1/2$, there are only inefficient proofs of knowledge for $\psi_E$ using the Σψ-protocol. Given the practical importance of such homomorphisms it is quite desirable to overcome this limitation. One possibility is to find a novel knowledge extractor for the Σψ-protocol and $\psi_E$ in hidden order groups that under-runs the MS knowledge error of $1/2$. Now, our results do not exclude the existence of such a knowledge extractor. However, our results (in this section and our results in the generic model) imply that such a knowledge extractor can be neither a pseudo-preimage based black-box algorithm nor a generic homomorphism algorithm. Thus, it seems that substantially new insights are required to find such a knowledge extractor, if it is possible at all. We seriously doubt that such a knowledge extractor exists, and hence that one can obtain efficient proofs of knowledge for $\psi_E$ in hidden order groups using the Σψ-protocol. Finally, we note that it is straightforward to extend the results of this section to multi-exponentiations $\psi_E(x_1, \ldots, x_l) \doteq h_1^{x_1} \cdots h_l^{x_l}$ in hidden order groups.

5.3.2.2 Proof of Theorem 5.3

The proof strategy is straightforward: we define a cheating prover $P^*$ for the Σψ-protocol and a generator $D_K$ for $P^*$’s inputs and check that they fulfill the conditions required by Definition 5.1, i.e., the correctness, uniformity, and hardness property. We recall that the hardness property only needs to be shown with respect to pseudo-preimage based black-box algorithms. Moreover, correctness is a property of the Σψ-protocol, which we have seen to hold earlier, and hence we only prove the uniformity and the hardness property.

We first prove the theorem for the case $|C| \ge 3$, where $C$ is the challenge set of the Σψ-protocol. By assumption, we are dealing with exponentiation homomorphisms $\psi_E: \mathbb{Z} \to H' \trianglelefteq H$ defined by $\psi_E(z) \doteq h^z$ with $h \in H' \trianglelefteq H$, which have an infinite domain. Thus we need to consider in the following the variant of the Σψ-protocol described in Definition 4.3. Correspondingly, we need to define the set $G$ that is used in Definition 4.3. To this end, we choose $\Delta x \doteq \Delta x(k)$ such that $|H'|/\Delta x$ is negligible, and define $G \doteq \{-\Delta x, \ldots, +\Delta x\}$. Then, we define $D_K$ as follows:

1: Choose $h \xleftarrow{U} H'$ and define the mapping $\psi_E(z) \doteq h^z$.
2: Choose $x \xleftarrow{U} G$.
3: Set $y \doteq \psi_E(x) = h^x$.
4: Output $((\psi_E, y), (x, |h|))$.

Next, we define a cheating prover $P^*$. If $S$ is a set of integers and $a$ and $b$ are integers, then we define a subset of $S$ by $$\operatorname{coset}(S, a, b) \doteq \{s : s \in S \text{ and } s \equiv a \pmod{b}\}.$$

There exists an integer $\bar r \in \{0, 1\}$ such that $$\frac{|\operatorname{coset}(C, \bar r, 2)|}{|C|} \ge 1/2. \tag{5.2}$$ On input $((\psi_E, y), (x, |h|)) \leftarrow D_K$ our cheating prover $P^*$ works as follows:

1. Choose $r \xleftarrow{U} G'$ (where $G'$ is obtained from $G$ as described prior to Definition 4.3 in §4.1), set $t \doteq \psi_E(r) = h^r$, and send $t$ to the verifier.
2. Answer the verifier’s challenge $c \in C$ as follows: If $c \in \operatorname{coset}(C, \bar r, 2)$, then set $$s \doteq r + cx + \left(\frac{c + \bar r}{2}\right)|h|$$ and send $s$ to the verifier; otherwise, if $c \notin \operatorname{coset}(C, \bar r, 2)$, then halt.

Let us prove the uniformity property. Therefore we need to show that for all of its inputs $((\psi_E, y), (x, |h|))$, chosen using $D_K$, $P^*$ is successful with probability $\ge 1/2$. By construction, we see that the success probability of $P^*$ is independent of its inputs. Let $(t, c, s)$ with $c \in \operatorname{coset}(C, \bar r, 2)$ denote the messages resulting from a protocol execution $(P^*, V)$, where $V$ is the verifier of the Σψ-protocol. Then, by definition of $P^*$, $t = \psi_E(r) = h^r$, $s = r + cx + \left(\frac{c + \bar r}{2}\right)|h|$, and $$\psi_E(s) = \psi_E(r)\,\psi_E(cx)\,\psi_E\!\left(\frac{c + \bar r}{2}|h|\right) = t y^c,$$ where we have used that $(c + \bar r)$ is even, which follows from the definition of $\operatorname{coset}(C, \bar r, 2)$, and thus $\psi_E(((c + \bar r)/2)|h|) = 1$. This shows that $(t, c, s)$ is a tuple which is accepted by $V$. Now, from (5.2) we immediately have that $P^*$ is successful with probability $\ge 1/2$, and the uniformity property follows.

Next we prove the hardness property. To this end we need to demonstrate that, over the choices $((\psi_E, y), (x, |h|)) \leftarrow D_K$, any (expected polynomial-time) pseudo-preimage based black-box algorithm $M$, given black-box access to $P^*((\psi_E, y), (x, |h|))$, is successful only with negligible probability in finding a preimage of $y$ under $\psi_E$. By definition, $M$ consists of an acceptance matrix based pseudo-preimage extractor $M_1$ and an arbitrary algorithm $M_2$. By $D_{out}$ we denote the random variable describing $M_1$’s output obtained as follows:

1: Choose $((\psi_E, y), (x, |h|)) \leftarrow D_K$.
2: Choose $((\Delta c, \Delta s), y, \psi_E) \leftarrow M_1^{P^*((\psi_E, y), (x, |h|))}(\psi_E, y)$.
3: Output $((\Delta c, \Delta s), y, \psi_E)$.

We observe that for all of its inputs, $P^*$ answers exactly the same challenges, i.e., the ones in $\operatorname{coset}(C, \bar r, 2)$. Hence, for all of its inputs the acceptance matrix of $P^*$ (see §4.2.1) is the same. In fact, it is uniquely determined by $\operatorname{coset}(C, \bar r, 2)$ as follows: every row contains a $1$ in the columns that correspond to challenges in $\operatorname{coset}(C, \bar r, 2)$, and a $0$ otherwise. Using this observation and the fact that $M_1$ is an acceptance matrix based pseudo-preimage extractor it is not difficult to verify that the following holds:

Claim 5.1

(a) The probability distribution of $\Delta c$ in $D_{out}$ is independent of the probability distribution of $(\psi_E, y)$ in $D_{out}$.
(b) The probability distribution of $(\psi_E, y)$ in $D_{out}$ is the same as the probability distribution of $(\psi_E, y)$ in $D_K$.
(c) There is an expected polynomial-time algorithm $M_S$ that on input $\operatorname{coset}(C, \bar r, 2)$ outputs integers $\Delta c'$ with the same probability distribution as $\Delta c$ in $D_{out}$.

Using $M_S$ as in Claim 5.1 (c), we define a generator $D_{PPE}$ for the PP-EHOM problem (i.e., the PP problem for exponentiation homomorphisms, see Definition 3.5) as follows:

1: Choose $u \xleftarrow{U} H'$.
2: Choose $\Delta c' \leftarrow M_S(\operatorname{coset}(C, \bar r, 2))$.
3: Choose $x' \xleftarrow{U} G$ and set $\Delta s' \doteq \Delta c'(x' + 1/2)$.
4: Set $h' \doteq u^{\Delta c'}$ and define the exponentiation homomorphism $\psi'_E(z) \doteq h'^z$.
5: Set $y' \doteq u^{\Delta s'}$.
6: Output the PP-EHOM problem instance $((\Delta s', \Delta c'), y', \psi'_E)$.

By construction, we have for $((\Delta s', \Delta c'), y', \psi'_E) \leftarrow D_{PPE}$ that $\Delta c' \nmid \Delta s'$. Using this observation, it is not difficult to see that $D_{PPE}$ is a generator to which Corollary 3.4 applies. Hence, the following holds:

Claim 5.2 Under the expected polynomial-time ORDER assumption for $H$, the instance generator $D_{PPE}$ is a hard generator (with respect to expected polynomial-time algorithms) for the PP-EHOM problem.

Moreover, we make the following claim.

Claim 5.3 The probability ensembles $D_{PPE}$ and $D_{out}$ are statistically indistinguishable.

From Claim 5.2 and Claim 5.3 it immediately follows that, under the expected polynomial-time ORDER assumption, any (expected polynomial-time) algorithm $M_2$ of a pseudo-preimage based black-box algorithm has only a negligible success probability for finding a preimage. Thus the hardness property and Theorem 5.3 follow for the case $|C| \ge 3$.

It remains to verify Claim 5.3. To this end let $\Pr(\Delta s, \Delta c, y, \psi_E)$ denote the probability distribution of $D_{out}$ and $\Pr(\Delta s', \Delta c', y', \psi'_E)$ the probability distribution of $D_{PPE}$. We write

$$\Pr(\Delta s, \Delta c, y, \psi_E) = \Pr(y \mid \Delta s, \Delta c, \psi_E)\,\Pr(\Delta s \mid \Delta c, \psi_E)\,\Pr(\psi_E \mid \Delta c)\,\Pr(\Delta c) \tag{5.3}$$

and

$$\Pr(\Delta s', \Delta c', y', \psi'_E) = \Pr(y' \mid \Delta s', \Delta c', \psi'_E)\,\Pr(\Delta s' \mid \Delta c', \psi'_E)\,\Pr(\psi'_E \mid \Delta c')\,\Pr(\Delta c'). \tag{5.4}$$

Our goal is to show that the statistical difference between $\Pr(\Delta s, \Delta c, y, \psi_E)$ and $\Pr(\Delta s', \Delta c', y', \psi'_E)$ is negligible. To this end we prove that the statistical difference between $\Pr(\Delta c)$ and $\Pr(\Delta c')$, $\Pr(\psi_E \mid \Delta c)$ and $\Pr(\psi'_E \mid \Delta c')$, $\Pr(\Delta s \mid \Delta c, \psi_E)$ and $\Pr(\Delta s' \mid \Delta c', \psi'_E)$, and $\Pr(y \mid \Delta s, \Delta c, \psi_E)$ and $\Pr(y' \mid \Delta s', \Delta c', \psi'_E)$ is negligible.

The equality $\Pr(\Delta c) = \Pr(\Delta c')$ holds by definition of $D_{PPE}$.

Let us consider $\Pr(\psi_E \mid \Delta c)$ and $\Pr(\psi'_E \mid \Delta c')$. By Claim 5.1 (a), $\Delta c$ and $\psi_E$ are independently distributed, i.e., $\Pr(\psi_E \mid \Delta c) = \Pr(\psi_E)$. Concerning $\Pr(\psi_E)$, we have from Claim 5.1 (b) and by definition of $D_K$ that $\psi_E(z) \doteq h^z$,

where $h$ is a uniform random element of $H'$. Next we look at $\Pr(\psi'_E \mid \Delta c')$. By construction of $D_{PPE}$, $\psi'_E$ is defined by $\psi'_E(z) \doteq h'^z$, with $$h' \doteq u^{\Delta c'}, \tag{5.5}$$ where $u$ is a uniform random element of $H'$. By assumption $|H'|$ is co-prime to $\Delta(C)$ and as $\Delta c' \in \Delta(C)$ we have $\gcd(\Delta c', |u|) = 1$. Using (5.5), this implies that, over the choices of $u$, $h'$ is independently distributed from $\Delta c'$, i.e., $\Pr(\psi'_E \mid \Delta c') = \Pr(\psi'_E)$. It also follows that $h'$ is random and uniform on $H'$, and thus $\Pr(\psi'_E) = \Pr(\psi_E)$. In summary, we have shown $\Pr(\psi_E \mid \Delta c) = \Pr(\psi'_E \mid \Delta c')$.

Next, we consider $\Pr(\Delta s \mid \Delta c, \psi_E)$ and $\Pr(\Delta s' \mid \Delta c', \psi'_E)$. By definition of a pseudo-preimage based black-box algorithm and of $P^*$ we have $\Delta c \doteq c_1 - c_2$ with $c_1 \neq c_2$, and using $s_1 = r + c_1 x + \left(\frac{c_1 + \bar r}{2}\right)|h|$ and $s_2 = r + c_2 x + \left(\frac{c_2 + \bar r}{2}\right)|h|$, $$\Delta s \doteq s_1 - s_2 = \Delta c\,(x + |h|/2). \tag{5.6}$$

On the other hand, by construction of $D_{\mathrm{PPE}}$ we have

$$\Delta s' := \Delta c'\,(x' + 1/2). \quad (5.7)$$

Let $\tilde{x} := (x + |h|/2)$ and $\tilde{x}' := (x' + 1/2)$. From (5.6) and (5.7) we see that, if $\Pr(\tilde{x})$ and $\Pr(\tilde{x}')$ are statistically indistinguishable, then so are $\Pr(\Delta s \mid \Delta c, \psi_E)$ and $\Pr(\Delta s' \mid \Delta c', \psi'_E)$, where the probabilities are over the choices of $x$ and $x'$, respectively. By assumption, $|H'|$ and $\Delta(C)$ are co-prime. This implies that $|H'|$ is odd, since when $|C| \ge 3$, at least one element of $\Delta(C)$ is even. Then $h \in H'$ implies that $|h|$ must be odd too. Thus, both $\tilde{x}$ and $\tilde{x}'$ take on values in the set $\{i + 1/2 : i \in \mathbb{Z}\}$. Using this observation, one can easily verify that the statistical difference between $\Pr(\tilde{x})$ and $\Pr(\tilde{x}')$ is at most $|h|/\Delta x \le |H'|/\Delta x$, which is negligible by definition of $\Delta x$. Thus, the statistical difference between $\Pr(\Delta s \mid \Delta c, \psi_E)$ and $\Pr(\Delta s' \mid \Delta c', \psi'_E)$ is negligible.

Finally, we consider $\Pr(y \mid \Delta s, \Delta c, \psi_E)$ and $\Pr(y' \mid \Delta s', \Delta c', \psi'_E)$. We claim that given $(\Delta c, \Delta s)$ and $\psi_E(z) := h^z$, the element $y$ is uniquely determined. In fact, by assumption, $|H'|$ and $\Delta(C)$ are co-prime and hence $\gcd(\Delta c, |H'|) = 1$. In turn, $h \in H'$ implies $\gcd(\Delta c, |h|) = 1$. Hence, a unique multiplicative inverse $1/\Delta c$ of $\Delta c$ exists modulo $|h|$. Since $(\Delta c, \Delta s)$ is a pseudo-preimage of $y$ under $\psi_E$, we have $y = \psi_E(\Delta s)^{1/\Delta c}$. By the same argument $(\Delta c', \Delta s')$ and $\psi'_E(z) := h'^{\,z}$ uniquely determine $y'$. Thus $\Pr(y \mid \Delta s, \Delta c, \psi_E) = \Pr(y' \mid \Delta s', \Delta c', \psi'_E)$. This concludes the proof of Claim 5.3 and hence of the theorem for the case $|C| \ge 3$.

It remains to sketch the proof for the case $1 \le |C| \le 2$. Let $\psi_E(z) := h^z$ with $h \in H'$ and $y \in \mathrm{image}(\psi_E)$. By the proof of the statistical honest-verifier zero-knowledge property of the Σψ-protocol (see the proof of Theorem 4.1 (b)), there is a prover $P^*(\psi_E, y)$ that can answer at least one challenge in $C$.
Thus the success probability of $P^*(\psi_E, y)$ is at least $1/2$, and the uniformity property follows. It remains to verify the hardness property. Assume that there is an expected polynomial-time knowledge extractor $M$ that, given black-box access to $P^*(\psi_E, y)$, computes a preimage of $y$ under $\psi_E$. To compute a preimage of $y$ under $\psi_E$ is to compute a discrete logarithm of $y$ to the basis $h$. However, under the expected polynomial-time ORDER assumption and by Theorem 2.6 (c) the DLOG problem is hard in $H$. Thus $M$ has only a negligible success probability and the hardness property follows. This concludes the proof of the theorem.

5.4 Proof of Theorem 5.1

The proof of Theorem 5.1 (b) is rather technical and long. Hence, let us sketch an outline of the proof structure:

– First, we define a cheating prover $P^*$ and a generator $D_K(k)$ for the inputs of $P^*$. Then, we show that $P^*$ and $D_K(k)$ fulfill the non-triviality, uniformity, and hardness condition required by Definition 5.1 for the lower bound claimed in Theorem 5.1 (b). We roughly prove these conditions as follows:
– The proofs of the non-triviality and uniformity conditions are straightforward. The former condition is simply the non-triviality property of the Σψ-protocol, which is known to hold. To verify the latter, we show that $P^*$ is successful with probability at least $1/p(k)$ for all of its inputs chosen using $D_K(k)$.
– Showing the hardness condition is the main part of the proof. It is to show that over the choices of $D_K(k)$ any (expected polynomial-time) generic black-box algorithm $M$ given (black-box) access to $P^*$ finds a preimage only with negligible probability. Technically, this argument consists of the following parts:
  – Definition of simulated world: We describe an oracle $O'$ and a prover $P^{*\prime}$ that, informally speaking, simulate the computation of $O$ and $P^*$, respectively.
  – Relation of simulated and real world: Let $\bar{M}$ denote an arbitrary deterministic polynomial-time algorithm. In the "real world", let $\Pr(S)$ be the probability that $\bar{M}$ given black-box access to $P^*$ using oracle $O$ finds a preimage. In the "simulated world", let $\Pr(S')$ be the probability that $\bar{M}$ given black-box access to $P^{*\prime}$ using the oracle $O'$ finds a preimage. Let $\Pr(\neg K)$ denote the probability that $\bar{M}$ can distinguish the simulated from the real world. Then, the key result of this part of the proof is that these probabilities are related by $\Pr(S) \le \Pr(S') + \Pr(\neg K)$.
  – Evaluation of bounds in the simulated world: In the simulated world we can rather easily compute upper bounds on $\Pr(S')$ and $\Pr(\neg K)$, respectively, and thus obtain an upper bound on $\Pr(S)$. Moreover, we prove that the resulting upper bound is negligible. Using this result, it is then easy to show that the success probability of probabilistic polynomial-time algorithms is also negligible. Hence the hardness property follows.

For simplicity, we do not denote in the following the dependency on the security parameter k except where necessary. However, the reader should keep in mind that unless stated otherwise all quantities depend on k. In the following section §5.4.1 we derive some auxiliary results, which we use later in our proof. The actual proof along the lines sketched above starts in §5.4.2.

5.4.1 Preliminaries

The reader may wish to skip this section upon first reading and come back to it later, when the results of this section are actually referred to. The following results are based on results by Damgaard and Koprowski [DK02] used in the analysis of the ROOT problem in hidden order groups. Let $D_p$ denote a random variable taking on values on a finite set of prime numbers, and let $\alpha(D_p)$ denote the maximal probability occurring in the probability distribution $\Pr(D_p)$, i.e.,

$$\alpha(D_p) := \max(\{\Pr(D_p = p) : p \text{ is a prime number}\}).$$

Then the following holds.

Lemma 5.1 Let $D_p$ denote a random variable on prime numbers.
(a) If $A$ is a positive integer, then

$$\Pr(p \leftarrow D_p : p \le A) \le A\,\alpha(D_p).$$

(b) If $A$ is a non-zero integer, then

$$\Pr(p \leftarrow D_p : A \equiv 0 \pmod p) \le \log_2(\mathrm{abs}(A))\,\alpha(D_p).$$

Proof. Proof of claim (a): There are at most $A$ primes less than or equal to $A$. Each such prime can be chosen with probability at most $\alpha(D_p)$, and hence the claim follows.

Proof of claim (b): Since $A$ has at most $\log_2(\mathrm{abs}(A))$ prime divisors, and each prime divisor is chosen with probability at most $\alpha(D_p)$, the claim follows.

We introduce notation as follows:

Definition 5.8 Let $D_F$ denote a random variable on finite additive groups. Then $\Pi(D_F)$ is a set of random variables $\pi$ on prime numbers that are constructed as follows. For every deterministic algorithm $M$ that on input $F \leftarrow D_F$ outputs a prime factor of $|F|$ we define
$\pi :=$
  1: Choose $F \leftarrow D_F$.
  2: Using $M$ choose a prime $p \mid |F|$.
  3: Output $p$.

Loosely speaking, for each different method $M$ to pick a prime in the order of $F$ we get a different random variable $\pi$, and the set $\Pi(D_F)$ consists of all these different random variables $\pi$. If $\mathbb{Z}[X_1, \ldots, X_l]$ is the ring of polynomials in the variables $X_1, \ldots, X_l$, then $\langle X_1, \ldots, X_l \rangle$ denotes the additive sub-group of the ring generated by $X_1, \ldots, X_l$. An arbitrary element $\tilde{E} \in \langle X_1, \ldots, X_l \rangle$ is of the form

$$\tilde{E} = a_1 X_1 + \ldots + a_l X_l,$$

where the $a_i$ are integer coefficients.

Definition 5.9 (Evaluation homomorphism) Let $F$ denote an arbitrary additive group and let $f := (f_1, \ldots, f_l) \in F^l$. Then (using the above notation) for any $\tilde{E} \in \langle X_1, \ldots, X_l \rangle$ we define

$$\varphi^f(\tilde{E}) := a_1 f_1 + \ldots + a_l f_l.$$

The mapping $\varphi^f : \langle X_1, \ldots, X_l \rangle \to F$ is called an evaluation homomorphism.

We note that it is straightforward to verify that evaluation homomorphisms indeed are homomorphisms according to Definition 2.8.

Lemma 5.2 Let $D_F$ denote a random variable on finite additive groups and let $\pi \in \Pi(D_F)$. Let $\tilde{E} \in \langle X_1, \ldots, X_l \rangle$ with $\tilde{E} \ne 0$, and let $z$ denote an integer such that for $\tilde{E} = a_1 X_1 + \ldots + a_l X_l$ we have $z \ge \mathrm{abs}(a_i)$. If $A$ is a positive integer, then

$$\Pr(F \leftarrow D_F,\ f \leftarrow_U F^l : \varphi^f(\tilde{E}) = 0) \le 1/A + (\log_2(z) + A)\,\alpha(\pi).$$

Proof. Let us consider the event $\varphi^f(\tilde{E}) = a_1 f_1 + \ldots + a_l f_l = 0$ in $F$, and assume without loss of generality that $a_1 \ne 0$. Then we write

$$a_1 f_1 = -a_2 f_2 - \ldots - a_l f_l \text{ in } F. \quad (5.8)$$

Let $p$ denote the prime dividing $|F|$ that is chosen according to $\pi$. Then by Theorem 2.4 for some integer $t \ge 1$ we have $F \simeq F' \times \mathbb{Z}_{p^t}$. Correspondingly the $f_i \in F$ for $i = 1, \ldots, l$ decompose into $(f'_i, x_i)$ with $f'_i \in F'$ and $x_i \in \mathbb{Z}_{p^t}$. Thus, if (5.8) is fulfilled, then it must hold

$$a_1 x_1 \equiv -a_2 x_2 - \ldots - a_l x_l \pmod{p^t}. \quad (5.9)$$

We observe that the probability (over the choices of $F$ and $f$) that (5.9) holds is an upper bound on the probability that (5.8) holds. Now, by Lemma 5.1 (b) the probability that $a_1 \equiv 0 \pmod p$ occurs is at most $\log_2(z)\,\alpha(\pi)$. Let us assume in the following that $a_1 \not\equiv 0 \pmod p$. Thus (5.9) yields

$$x_1 \equiv \frac{1}{a_1}(-a_2 x_2 - \ldots - a_l x_l) \pmod{p^t}, \quad (5.10)$$

where $1/a_1$ is the multiplicative inverse of $a_1$ modulo $p^t$. By Lemma 5.1 (a) the probability that $p \le A$, for some positive integer $A$, is at most $A\,\alpha(\pi)$. In the following we assume that $p > A$. Since the $f_i$ are random uniform in $F$, the $x_i$ are random uniform elements in $\mathbb{Z}_{p^t}$. Thus the probability that (5.10) holds is at most $1/p \le 1/A$. In summary, the probability (over the choices of $F$ and $f$) that (5.8) is fulfilled is at most $\log_2(z)\,\alpha(\pi) + A\,\alpha(\pi) + 1/A$ and the claim follows.

For later use we make the following definition.

Definition 5.10 If $D_\Psi$ is a random variable on homomorphisms, then we introduce the following random variables.
(a) $\mathrm{Dom}(D_\Psi) :=$
  1: Choose $\psi \leftarrow D_\Psi$ with $\psi : G \to H$.
  2: Output the domain $G$ of $\psi$.
(b) $\mathrm{Codom}(D_\Psi) :=$
  1: Choose $\psi \leftarrow D_\Psi$ with $\psi : G \to H$.
  2: Output the co-domain $H$ of $\psi$.

If we assume that the homomorphisms $\psi \leftarrow D_\Psi$ are surjective, then using Theorem 2.3 (e) we easily see that

$$\Pi(\mathrm{Codom}(D_\Psi)) \subseteq \Pi(\mathrm{Dom}(D_\Psi)). \quad (5.11)$$

5.4.2 Definition of cheating prover $P^*$ and $D_K(k)$

In this section we define a cheating prover $P^*$ for the Σψ-protocol and a generator $D_K(k)$ for the inputs of $P^*$. Later we show that $P^*$ and $D_K(k)$ fulfill the conditions required by Definition 5.1 for the lower bound claimed in Theorem 5.1 (b).

Cheating prover $P^*$. If $S$ is a set of integers and $a$ and $b$ are integers, then we define a subset of $S$ by

$$\mathrm{coset}(S, a, b) := \{s : s \in S \text{ and } s \equiv a \pmod b\}.$$

In the following $\Psi$ always stands for a collection of $v$-special homomorphisms as described in Theorem 5.1 (b). Moreover, by $p$ we denote the smallest prime dividing $v$. Let $C$ be the challenge set of the Σψ-protocol. It is easy to see that there is an $\bar{r}$ (where $0 \le \bar{r} \le p - 1$) such that

$$\frac{|\mathrm{coset}(C, \bar{r}, p)|}{|C|} \ge \frac{1}{p}. \quad (5.12)$$

In the first step of the Σψ-protocol (see Definition 4.2), the prover chooses a uniform random element $r$ of the domain $G$ of $\psi$, which is denoted by $r \leftarrow_U G$. Actually the notation $r \leftarrow_U G$ means that there is a probabilistic polynomial-time algorithm that performs this computation (see also our basic assumptions on computationally tractable groups in §2.3.2). Let us refer to such an algorithm by random-choice($\cdot$, $\cdot$). That is, given the group $G$ and a sufficiently long random bit-string $\zeta$ as input, random-choice($G$, $\zeta$) outputs an $r \in G$, such that, over the choices of $\zeta$, the output distribution of $r \leftarrow$ random-choice($G$, $\zeta$) is (statistically indistinguishable from) the uniform distribution on $G$. (In the description of $P^*$ below we refer to the algorithm random-choice($\cdot$, $\cdot$) to make the dependency of $P^*$'s computation on its random inputs explicit.) Let us describe the inputs of $P^*$:
– $\zeta \in \{0,1\}^\lambda$ is the random input of $P^*$, where $\lambda := \mathrm{poly}(k)$.
– $\rho$ is a mapping $\rho : \{0,1\}^\lambda \to \{0,1\}^\lambda$.
– $((\psi, y), x) \in R[\Psi]$.

The cheating prover $P^*((\psi, y), (x, \rho), \zeta)$ works as follows:

1. Set $\zeta' := \rho(\zeta)$, let $r \leftarrow$ random-choice($G$, $\zeta'$), let $t := \psi(r)$, and issue the oracle query send($H$, $t$) (i.e., send $t$ to the verifier $V$).
2. Answer the verifier's challenge $c \in C$ as follows. If $c \in \mathrm{coset}(C, \bar{r}, p)$, then set $s := r + cx$ and issue the oracle query send($G$, $s$) (i.e., send $s$ to the verifier $V$); otherwise, if $c \notin \mathrm{coset}(C, \bar{r}, p)$, halt.

Generator $D_K(k)$. Let $D_{\mathrm{PRF}}(k)$ denote an expected polynomial-time ($\lambda$-bit) PRF ensemble (see Definition 5.5). By assumption $\Psi$ is a collection of homomorphisms with a hard to guess order, and $D_\Psi(k)$ denotes the corresponding generator taking on values on $\Psi$ (see Definition 5.7). Using these generators as a subroutine we make the following definition.
$D_K(k) :=$
  1: Choose $\psi \leftarrow D_\Psi(k)$.
  2: Choose $x \leftarrow_U G$.
  3: Set $y := \psi(x)$.
  4: Choose $\rho \leftarrow D_{\mathrm{PRF}}(k)$.
  5: Output $((\psi, y), (x, \rho))$.

5.4.3 Non-triviality and uniformity

Let us verify that $P^*$ and $D_K(k)$ fulfill the non-triviality and uniformity conditions required by Definition 5.1 for the lower bound $1/p - 1/\mathrm{poly}(k)$. In fact, as remarked earlier, non-triviality is a property of the Σψ-protocol which is known to hold. Regarding the uniformity condition, it is straightforward to verify that $P^*$ correctly answers all challenges in $\mathrm{coset}(C, \bar{r}, p)$. Hence, by definition of $\bar{r}$ in (5.12), its success probability is at least $1/p$ and thus the uniformity condition holds.
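The cheating prover $P^*$ above, the coset bound (5.12), and the pseudo-preimage step of §5.3 (recovering $y$ from $(\Delta c, \Delta s)$ when $\gcd(\Delta c, |h|) = 1$) in executable form. This is an added example, not code from the thesis; the modulus $N = 101 \cdot 103$, the base $h = 2$, the challenge set $C = \{0, \ldots, 63\}$ and $p = 3$ are constructed toy values, and the group order is computed only to check the outcome, which a hidden-order group denies the extractor.

```python
"""Toy Sigma_psi-protocol for psi_E(x) = h^x in Z_N^* with the coset-restricted
cheating prover P* of Section 5.4.2 and the pseudo-preimage step of Section 5.3.
Added example, not the thesis's own code. The group order is computed here
only to check the outcome; in a hidden-order group the extractor does not
have it, which is exactly what the lower bound exploits."""
import random
from math import gcd

# Constructed toy parameters (far too small for real use).
P_FAC, Q_FAC = 101, 103
N = P_FAC * Q_FAC                 # RSA-style modulus; Z_N^* is a hidden-order group
H_BASE = 2                        # h in H = Z_N^*
C_SET = list(range(64))           # challenge set C
DELTA_X = 2 ** 40                 # interval for the prover's randomness r


def psi(x):
    """psi_E(x) = h^x mod N."""
    return pow(H_BASE, x, N)


def element_order(h):
    """Multiplicative order |h| in Z_N^*; needs phi(N), so demo only."""
    phi = (P_FAC - 1) * (Q_FAC - 1)
    return min(d for d in range(1, phi + 1) if phi % d == 0 and pow(h, d, N) == 1)


def coset(S, a, b):
    """coset(S, a, b) = {s in S : s = a (mod b)}."""
    return [s for s in S if s % b == a]


def best_residue(C, p):
    """An r_bar in [0, p) with |coset(C, r_bar, p)| / |C| >= 1/p, as in (5.12)."""
    return max(range(p), key=lambda r: len(coset(C, r, p)))


def verify(y, t, c, s):
    """Verifier check of the Sigma_psi-protocol: psi(s) == t * y^c."""
    return psi(s) == (t * pow(y, c, N)) % N


class HonestProver:
    def __init__(self, x):
        self.x, self.y = x, psi(x)

    def commit(self):
        self.r = random.randrange(DELTA_X)
        return psi(self.r)

    def respond(self, c):
        return self.r + c * self.x


class CheatingProver(HonestProver):
    """P* of Section 5.4.2: answers only challenges in coset(C, r_bar, p) and
    halts (None) on all others, so every Delta c it yields is 0 mod p."""

    def __init__(self, x, p, r_bar):
        super().__init__(x)
        self.p, self.r_bar = p, r_bar

    def respond(self, c):
        if c % self.p != self.r_bar:
            return None
        return self.r + c * self.x


def success_fraction(prover, C):
    """Fraction of challenges in C that the prover answers acceptably."""
    t = prover.commit()
    good = 0
    for c in C:
        s = prover.respond(c)
        if s is not None and verify(prover.y, t, c, s):
            good += 1
    return good / len(C)


def rewind_extract(prover, C):
    """Standard knowledge extractor: rewind to one commitment t, take the two
    smallest accepted challenges c1 < c2 and return the pseudo-preimage
    (Delta c, Delta s) = (c2 - c1, s2 - s1), which satisfies y^Delta c = psi(Delta s)."""
    t = prover.commit()
    acc = [(c, s) for c in C for s in [prover.respond(c)] if s is not None]
    (c1, s1), (c2, s2) = acc[0], acc[1]
    assert verify(prover.y, t, c1, s1) and verify(prover.y, t, c2, s2)
    return c2 - c1, s2 - s1


def preimage_from_pseudo_preimage(y, dc, ds, order_h):
    """Section 5.3's step: if gcd(Delta c, |h|) = 1 then y = psi(Delta s)^{1/Delta c},
    so x' = Delta s / Delta c mod |h| is a preimage. If p | Delta c and p | |h|,
    no inverse exists and the pseudo-preimage does not yield a preimage."""
    if gcd(dc, order_h) != 1:
        return None
    x_prime = (ds * pow(dc, -1, order_h)) % order_h
    return x_prime if psi(x_prime) == y else None
```

With these parameters $3$ divides $|h|$, so the pseudo-preimage extracted from $P^*$ never converts into a preimage, while the honest prover's transcripts with $\Delta c = 1$ do.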

5.4.4 Hardness

It remains to demonstrate the hardness condition, i.e., that for any (probabilistic expected polynomial-time) generic black-box algorithm $M$ the probability

$$\Pr\bigl(((\psi, y), (x, \rho)) \leftarrow D_K(k),\ i \leftarrow \bar{M}^{P^*((\psi,y),(x,\rho)),\,O((\psi,y),x)} : i \text{ is the index of a preimage of } y \text{ under } \psi\bigr) \quad (5.13)$$

is negligible.

5.4.4.1 Definition of simulated world

Let us describe an oracle $O'$ and a dishonest prover $P^{*\prime}$ that "simulate" the computation of the oracle $O$ and the dishonest prover $P^*$, respectively. The computations of $O'$ and $P^{*\prime}$ take place in the groups $G'$ and $H'$ defined next. If $\mathbb{Z}[X, R_1, \ldots, R_m, R^*_1, \ldots, R^*_m, S_1, \ldots, S_m]$ is a polynomial ring, then

$$G' := \langle X, R_1, \ldots, R_m, R^*_1, \ldots, R^*_m \rangle \quad (5.14)$$

is the sub-group of the additive group of the ring generated by the group elements $X, R_1, \ldots, R_m, R^*_1, \ldots, R^*_m$. Correspondingly we define

$$H' := \langle X, R_1, \ldots, R_m, R^*_1, \ldots, R^*_m, S_1, \ldots, S_m \rangle. \quad (5.15)$$

Definition 5.11 The oracle $O'$ has two ports $Q_1$ and $Q_2$. It maintains a pair of lists $\mathcal{E}$ and $\mathcal{F}$, which initially are empty. By $E_i$ and $F_i$ we denote the $i$-th element in the list $\mathcal{E}$ and $\mathcal{F}$, respectively. The computation of $O'$ consists of an initialization phase which is run once, followed by a query-handling phase in which $O'$ replies to at most $m := m(k)$ queries.
1. Initialization. The oracle $O'$ takes $((\psi, y), x)$ as input, where $\psi : G \to H$ and $y = \psi(x)$. It chooses $r_1 \leftarrow_U G, \ldots, r_m \leftarrow_U G$ and $s_1 \leftarrow_U H, \ldots, s_m \leftarrow_U H$, and initializes the integer counters $i_1 := i_2 := 1$. It appends $X \in H'$ to the list $\mathcal{F}$.
2. Query-handling. A query is replied to by performing the corresponding computation in (a) followed by the computation in (b).
(a) send() queries received on port $Q_1$ are processed as follows:
  – send($G$, $\tilde{E}$): set $E' := \tilde{E}$ (where we assume that $\tilde{E} \in G'$). send($H$, $\tilde{F}$): set $F' := \tilde{F}$ (where we assume that $\tilde{F} \in H'$).
group-op(), random(), hom(), and pp-find() queries received on port $Q_2$ are processed as follows:
  – group-op($G$, $i \pm j$): set $E' := E_i \pm E_j$. group-op($H$, $i \pm j$): set $F' := F_i \pm F_j$.
  – random($G$): set $E' := R_{i_1}$, where $R_{i_1} \in G'$, and $i_1 := i_1 + 1$. random($H$): set $F' := S_{i_2}$, where $S_{i_2} \in H'$, and $i_2 := i_2 + 1$.
  – hom($i$): set $F' := E_i$.
  – pp-find() (this query is only available if $\psi$ is a $v$-special homomorphism): set $E' := vX$ and output $v$ on port $Q_2$.
(b) If a query results in a group element $E' \in G'$, then append $E'$ to the list $\mathcal{E}$ and output the equality set $\{i : E_i \in \mathcal{E} \text{ and } E' = E_i\}$ and the string "G" on port $Q_2$. If a query results in a new group element $F' \in H'$, then append $F'$ to the list $\mathcal{F}$ and output the equality set $\{i : F_i \in \mathcal{F} \text{ and } F' = F_i\}$ and the string "H" on port $Q_2$.

Next we define a cheating prover algorithm $P^{*\prime}$, which is designed to work with the oracle $O'$. Initially, $P^{*\prime}$ sets $l := 1$ and initializes the empty list $\mathcal{R}$. During the computation of $P^{*\prime}$, $\mathcal{R}$ will contain pairs $(\zeta_i, R^*_i)$, where $\zeta_i$ is a bit-string and $R^*_i$ is an element of $G'$. On inputs as described for $P^*$ above, the computation of $P^{*\prime}((\psi, y), (x, \rho), \zeta)$ is as follows:
1. If there is a pair $(\zeta_i, R^*_i)$ with $\zeta_i = \zeta$ in the list $\mathcal{R}$, then let $R := R^*_i$; otherwise let $R := R^*_l$ (where $R^*_l \in G'$), append $(\zeta, R^*_l)$ to $\mathcal{R}$, set $l := l + 1$, and issue the query send($H$, $R$) to the oracle $O'$.
2. Answer the challenge $c \in C$ as follows. If $c \in \mathrm{coset}(C, \bar{r}, p)$, then let $S := R + cX$ (where $X \in G'$) and issue the query send($G$, $S$) to the oracle $O'$; otherwise, if $c \notin \mathrm{coset}(C, \bar{r}, p)$, then halt.

Clearly, in analogy to the generic black-box algorithm $M$ given access to $P^*$ using the homomorphism oracle $O$, denoted by $M^{P^*((\psi,y),\gamma),\,O((\psi,y),x)}$ (see Definition 5.3), one can consider $M$ given generic black-box access to the simulated prover $P^{*\prime}$ using the simulated oracle $O'$, denoted by $M^{P^{*\prime}((\psi,y),\gamma),\,O'((\psi,y),x)}$.

5.4.4.2 Relation of real and simulated world

Let $\bar{M}$ be an arbitrary generic black-box algorithm $M$ with an arbitrary but fixed value of its random input. We observe that the computations

$$\bar{M}^{P^*((\psi,y),(x,\rho)),\,O((\psi,y),x)} \quad (5.16)$$

and

$$\bar{M}^{P^{*\prime}((\psi,y),(x,\rho)),\,O'((\psi,y),x)} \quad (5.17)$$

are both defined on the same probability space taken over the following choices:
– The random choices $\vec{s} := (s_1, \ldots, s_m)$ and $\vec{r} := (r_1, \ldots, r_m)$ made by $O$ and $O'$, respectively, upon initialization.
– The choices of $D_K(k)$, i.e., $((\psi, y), (x, \rho)) \leftarrow D_K(k)$.

Let us explicitly denote this probability space by

$$\mathcal{P} := \{\iota : \iota = ((\psi, y), (x, \rho), (\vec{s}, \vec{r}))\}.$$

Given a $\iota \in \mathcal{P}$ we abbreviate (5.16) and (5.17) by $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$, respectively. We note that for fixed $\iota$ the computations $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$ are deterministic.

We count a query issued by $\bar{M}$ or $P^*$ to $O$ in the computation $\bar{M}^{(P^*, O)}(\iota)$ as one oracle computation step; an oracle computation step is defined in complete analogy for $\bar{M}^{(P^{*\prime}, O')}(\iota)$. We note that in the computation $\bar{M}^{(P^*, O)}(\iota)$ (respectively $\bar{M}^{(P^{*\prime}, O')}(\iota)$), $P^*$ (respectively $P^{*\prime}$) will only issue a query to $O$ (respectively $O'$) when it is reset by $\bar{M}$, or when it answers a challenge from $\bar{M}$. Hence, the number of oracle computation steps in the computations $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$ is determined by $\bar{M}$ and it is upper-bounded by the maximal number of computational steps made by $\bar{M}$. Next we introduce some terminology associated with the computations $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$, respectively.

Definition 5.12 (State, consistent state, and view)
(a) The state of the oracle $O$ (denoted by $\mathrm{state}(\iota, O)$) is the pair $(\mathcal{G}, \mathcal{H})$ of lists maintained by $O$ after the computation $\bar{M}^{(P^*, O)}(\iota)$ has halted. In the same way we define $\mathrm{state}(\iota, O')$ to be the pair of lists $(\mathcal{E}, \mathcal{F})$ maintained by the oracle $O'$.
(b) We call $\mathrm{state}(\iota, O) = (\mathcal{G}, \mathcal{H})$ and $\mathrm{state}(\iota, O') = (\mathcal{E}, \mathcal{F})$ consistent, if
  – $|\mathcal{G}| = |\mathcal{E}|$ and $|\mathcal{H}| = |\mathcal{F}|$ (where $|\cdot|$ denotes the length of a list), and
  – for all $i_1, i_2 \in \{1, \ldots, |\mathcal{G}|\}$ and $j_1, j_2 \in \{1, \ldots, |\mathcal{H}|\}$ it holds that

$$(g_{i_1} = g_{i_2} \Leftrightarrow E_{i_1} = E_{i_2}) \quad \text{and} \quad (h_{j_1} = h_{j_2} \Leftrightarrow F_{j_1} = F_{j_2}).$$

(c) The view of $\bar{M}$ after the computation $\bar{M}^{(P^*, O)}(\iota)$ has halted (denoted by $\mathrm{view}(\bar{M}^{(P^*, O)}(\iota))$) consists of $\bar{M}$'s inputs, the sequence of messages $\bar{M}$ has sent and received on its oracle port, and the sequence of messages sent on its communication port. In complete analogy we define $\mathrm{view}(\bar{M}^{(P^{*\prime}, O')}(\iota))$.

Let $G'$ and $H'$ be the groups defined in (5.14) and (5.15), respectively. Then an arbitrary $\tilde{E} \in G'$ is of the form

$$\tilde{E} = aX + a_{11}R_1 + \ldots + a_{1m}R_m + a_{21}R^*_1 + \ldots + a_{2m}R^*_m, \quad (5.18)$$

and an arbitrary $\tilde{F} \in H'$ is of the form

$$\tilde{F} = bX + b_{11}R_1 + \ldots + b_{1m}R_m + b_{21}R^*_1 + \ldots + b_{2m}R^*_m + b_{31}S_1 + \ldots + b_{3m}S_m, \quad (5.19)$$

where $a$, $b$, $a_{ij}$, and $b_{ij}$ are integer coefficients.

Definition 5.13 Let $\iota \in \mathcal{P}$ and recall that $\iota = ((\psi, y), (x, \rho), (\vec{r}, \vec{s}))$ with $\psi : G \to H$, $\vec{r} = (r_1, \ldots, r_m)$, and $\vec{s} = (s_1, \ldots, s_m)$. Let $\mathcal{R} = [(\zeta_1, R^*_1), \ldots, (\zeta_j, R^*_j)]$ (with $j \le m$) be the list maintained by $P^{*\prime}$ after the computation $\bar{M}^{(P^{*\prime}, O')}(\iota)$ has halted.
– For any $\tilde{E} \in G'$ the mapping $\varphi^\iota_{G'} : G' \to G$ is defined by

$$\varphi^\iota_{G'}(\tilde{E}) := ax + a_{11}r_1 + \ldots + a_{1m}r_m + a_{21}\rho(\zeta_1) + \ldots + a_{2j}\rho(\zeta_j).$$

– For any $\tilde{F} \in H'$ the mapping $\varphi^\iota_{H'} : H' \to H$ is defined by

$$\varphi^\iota_{H'}(\tilde{F}) := b\psi(x) + b_{11}\psi(r_1) + \ldots + b_{1m}\psi(r_m) + b_{21}\psi(\rho(\zeta_1)) + \ldots + b_{2j}\psi(\rho(\zeta_j)) + b_{31}s_1 + \ldots + b_{3m}s_m.$$

We note that the mappings $\varphi^\iota_{G'}$ and $\varphi^\iota_{H'}$ introduced in Definition 5.13 are evaluation homomorphisms (see Definition 5.9). Using the observation that $G' \le H'$, we can easily see that for any $\tilde{E} \in G'$ we have

$$\varphi^\iota_{H'}(\tilde{E}) = \psi(\varphi^\iota_{G'}(\tilde{E})). \quad (5.20)$$

The evaluation homomorphisms $\varphi^\iota_{G'}$ and $\varphi^\iota_{H'}$ allow us to relate the computations $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$ as follows.

Claim 5.4 For $\iota \in \mathcal{P}$ consider the pair of states $\mathrm{state}(\iota, O) = (\mathcal{G}, \mathcal{H})$ and $\mathrm{state}(\iota, O') = (\mathcal{E}, \mathcal{F})$. If these states are consistent, then the following holds:
(a) $\mathrm{view}(\bar{M}^{(P^*, O)}(\iota)) = \mathrm{view}(\bar{M}^{(P^{*\prime}, O')}(\iota))$.
(b) For $i \in \{1, \ldots, |\mathcal{G}|\}$ and $j \in \{1, \ldots, |\mathcal{H}|\}$ we have $g_i = \varphi^\iota_{G'}(E_i)$ and $h_j = \varphi^\iota_{H'}(F_j)$.†

The proof of Claim 5.4, which is a straightforward induction argument over the number of oracle computation steps of $M$, is left to the reader.

If $\iota := ((\psi, y), (x, \rho), (\vec{r}, \vec{s}))$, $(\mathcal{G}, \mathcal{H}) := \mathrm{state}(\iota, O)$, and $(\mathcal{E}, \mathcal{F}) := \mathrm{state}(\iota, O')$, then we say that:
– $\bar{M}^{(P^*, O)}(\iota)$ finds a preimage (of $y$ under $\psi$), if for $i \leftarrow \bar{M}^{(P^*, O)}(\iota)$ we have $\psi(g_i) = y$, where $g_i \in \mathcal{G}$. (We note that this terminology is consistent with the one introduced earlier in §5.2.1.)

† Since the states are consistent, we have $|\mathcal{G}| = |\mathcal{E}|$ and $|\mathcal{H}| = |\mathcal{F}|$.

– $\bar{M}^{(P^{*\prime}, O')}(\iota)$ finds a preimage (of $y$ under $\psi$), if for $i \leftarrow \bar{M}^{(P^{*\prime}, O')}(\iota)$ we have $\psi(\varphi^\iota_{G'}(E_i)) = y$, where $E_i \in \mathcal{E}$.

We now define events in the probability space $\mathcal{P}$ as follows:

$$S := \{\iota : \iota \in \mathcal{P} \text{ and } \bar{M}^{(P^*, O)}(\iota) \text{ finds a preimage}\}$$
$$S' := \{\iota : \iota \in \mathcal{P} \text{ and } \bar{M}^{(P^{*\prime}, O')}(\iota) \text{ finds a preimage}\}$$
$$K := \{\iota : \mathrm{state}(\iota, O) \text{ and } \mathrm{state}(\iota, O') \text{ are consistent}\}$$

Claim 5.5 We have $S \cap K = S' \cap K$.

Proof. First, we check that $S' \cap K \subseteq S \cap K$. Let $\iota \in S' \cap K$ be given and let $i \leftarrow \bar{M}^{(P^{*\prime}, O')}(\iota)$. As $\iota \in K$, it follows by Claim 5.4 (a) that $i \leftarrow \bar{M}^{(P^*, O)}(\iota)$. As $\iota \in S'$ we have $\psi(\varphi^\iota_{G'}(E_i)) = y$ and by Claim 5.4 (b) we have $\psi(g_i) = y$, and hence $\iota \in S$. Analogously, we can establish $S' \cap K \supseteq S \cap K$ and the claim follows.

We will make use of the following lemma by Shoup [Sho01].

Lemma 5.3 If $E_1$, $E_2$, and $E_3$ are events defined on a probability space such that $\Pr(E_1 \cap E_3) = \Pr(E_2 \cap E_3)$, then $|\Pr(E_1) - \Pr(E_2)| \le \Pr(\neg E_3)$.

Now, from Claim 5.5 and Lemma 5.3 the following result immediately follows.

Claim 5.6 If $\neg K$ denotes the complement of $K$ in $\mathcal{P}$, then

$$\Pr(S) \le \Pr(S') + \Pr(\neg K).$$

Claim 5.6 is the key result of this section.

5.4.5 Evaluation of bounds in the simulated world

Using Claim 5.6 we derive in the following an upper bound on the probability $\Pr(S)$ (i.e., the probability that the generic black-box algorithm $\bar{M}$ finds a preimage). To this end we compute upper bounds on $\Pr(\neg K)$ and $\Pr(S')$, respectively.

Upper bound on $\Pr(\neg K)$. The following claim is straightforward to verify.

Claim 5.7 For $\iota \in \mathcal{P}$ consider the pair of states $\mathrm{state}(\iota, O) = (\mathcal{G}, \mathcal{H})$ and $\mathrm{state}(\iota, O') = (\mathcal{E}, \mathcal{F})$. If the states are not consistent, then there exist indices $i_1, i_2 \in \{1, \ldots, |\mathcal{E}|\}$ such that

$$E_{i_1} - E_{i_2} \ne 0 \quad \text{and} \quad \varphi^\iota_{G'}(E_{i_1} - E_{i_2}) = 0,$$

or a pair of indices $j_1, j_2 \in \{1, \ldots, |\mathcal{F}|\}$ such that

$$F_{j_1} - F_{j_2} \ne 0 \quad \text{and} \quad \varphi^\iota_{H'}(F_{j_1} - F_{j_2}) = 0.$$

A key observation is that while we have formally defined the computation $\bar{M}^{(P^{*\prime}, O')}(\iota)$ on the probability space $\mathcal{P}$, it does not depend on the choices of $\iota \in \mathcal{P}$. This implies that for all $\iota \in \mathcal{P}$

– the state $\mathrm{state}(\iota, O') = (\mathcal{E}, \mathcal{F})$ is the same, and
– the index $i$ output by $\bar{M}$, i.e., $i \leftarrow \bar{M}^{(P^{*\prime}, O')}(\iota)$, is the same.

Using this observation, Claim 5.7, the union bound argument, and that by definition for $\iota \in \neg K$ the states $\mathrm{state}(\iota, O)$ and $\mathrm{state}(\iota, O')$ are not consistent, we have

$$\Pr(\neg K) \le \sum_{i} \Pr(\varphi^\iota_{G'}(E_i - E_j) = 0)$$

– $\rho$ is a "real" random function (instead of a pseudo-random function), and
– the homomorphism $\psi$ is surjective.

We shall come back to the former assumption. The latter is to simplify the following reasoning; it is not difficult to check that it is not essential. Using these assumptions, we see that the evaluation homomorphisms $\varphi^\iota_{G'}$ and $\varphi^\iota_{H'}$ (in Definition 5.13) fulfill the preconditions of Lemma 5.2 (over the choices of $(x, \rho)$ and $(\vec{s}, \vec{r})$). Thus using this lemma and the notation introduced in §5.4.1, for any $F_i \ne F_j$ we have

$$\Pr(\varphi^\iota_{H'}(F_i - F_j) = 0) \le 1/A + (m + \log_2(K) + A)\,\alpha(\pi), \quad (5.22)$$

where $A$ is an arbitrary positive integer and $\pi \in \Pi(\mathrm{Codom}(D_\Psi(k)))$. By the same argument, for any $E_i \ne E_j$ we have

$$\Pr(\varphi^\iota_{G'}(E_i - E_j) = 0) \le 1/A + (m + \log_2(K) + A)\,\alpha(\pi), \quad (5.23)$$

where we choose $A$ and $\pi$ to be the same as in (5.22) (this is possible since $A$ is arbitrary and by virtue of relation (5.11)). Finally, since there are at most $(m + 1)^2$ terms in each of the sums in (5.21), using (5.22) and (5.23) we have

$$\Pr(\neg K) \le 2(m + 1)^2\bigl(1/A + (m + \log_2(K) + A)\,\alpha(\pi)\bigr). \quad (5.24)$$

Upper bound on $\Pr(S')$. Next we compute an upper bound on $\Pr(S')$. By definition of $S'$ and our earlier remark that $i \leftarrow \bar{M}^{(P^{*\prime}, O')}(\iota)$ is the same for all $\iota \in \mathcal{P}$, we have

$$\Pr(S') = \Pr(\psi(\varphi^\iota_{G'}(E_i)) = y), \quad (5.25)$$

where the probabilities are taken over the choices of $\iota \in \mathcal{P}$. Using the observation that for any $\iota \in \mathcal{P}$ we have $y = \varphi^\iota_{H'}(X)$ and using (5.20), equation (5.25) yields

$$\Pr(S') = \Pr(\varphi^\iota_{H'}(X - E_i) = 0). \quad (5.26)$$

Claim 5.8 For all $i \in \{1, \ldots, |\mathcal{E}|\}$ we have $X - E_i \ne 0$.

Proof. Let $c_1, \ldots, c_k \in \mathrm{coset}(C, \bar{r}, p)$ be the challenge values that are answered by $P^{*\prime}$ in the computation $\bar{M}^{(P^{*\prime}, O')}(\iota)$. Then, by inspection of $P^{*\prime}$ and $O'$, one can see that any $E_i \in \mathcal{E}$ is of the form

$$\begin{aligned}
E_i = {} & avX + a_{11}(R^*_1 + c_1X) + \ldots + a_{1k}(R^*_1 + c_kX) \\
& + a_{21}(R^*_2 + c_1X) + \ldots + a_{2k}(R^*_2 + c_kX) + \ldots \\
& + a_{j1}(R^*_j + c_1X) + \ldots + a_{jk}(R^*_j + c_kX) \\
& + b_1R_1 + \ldots + b_mR_m,
\end{aligned} \quad (5.27)$$

for some $j \le m$ and some integers $a$, $a_{ii'}$, and $b_i$. Now, by contradiction assume that for some $i \in \{1, \ldots, |\mathcal{E}|\}$ we have $X - E_i = 0$. Using (5.27), the equality $X - E_i = 0$ only holds when

$$\begin{aligned}
& avX + a_{11}(R^*_1 + c_1X) + \ldots + a_{1k}(R^*_1 + c_kX) \\
& + a_{21}(R^*_2 + c_1X) + \ldots + a_{2k}(R^*_2 + c_kX) + \ldots \\
& + a_{j1}(R^*_j + c_1X) + \ldots + a_{jk}(R^*_j + c_kX) = X.
\end{aligned} \quad (5.28)$$

In turn, it is not difficult to verify that (5.28) only holds when the coefficients fulfill

$$av + (a_{12} + \ldots + a_{j2})(c_2 - c_1) + (a_{13} + \ldots + a_{j3})(c_3 - c_1) + \ldots + (a_{1k} + \ldots + a_{jk})(c_k - c_1) = 1. \quad (5.29)$$

By the definition of $\mathrm{coset}(C, \bar{r}, p)$, we have $v \equiv (c_2 - c_1) \equiv \ldots \equiv (c_k - c_1) \equiv 0 \pmod p$ with $p \ge 2$, and hence (5.29) cannot be fulfilled. Thus we get the desired contradiction, and the claim follows.

Using Claim 5.8, by essentially the same argument that we have used to derive (5.22), we get from (5.26) the bound

$$\Pr(S') \le 1/A + (m + \log_2(K) + A)\,\alpha(\pi). \quad (5.30)$$

Demonstration of the hardness condition. From Claim 5.6, (5.24), and (5.30) we have

$$\Pr(S) \le (2(m + 1)^2 + 1)\bigl(1/A + (m + \log_2(K) + A)\,\alpha(\pi)\bigr). \quad (5.31)$$

Equation (5.31) is a bound on the success probability of $\bar{M}$, i.e., an arbitrary expected polynomial-time algorithm $M$ with a fixed random input. Using this bound we derive next a bound on the success probability of $M$. To this end, let $\langle \cdot \rangle_M$ denote the expectation value of a random variable taken over the choices of random inputs of $M$. Then from (5.31) we have

$$\langle \Pr(S) \rangle_M \le \bigl\langle (2(m + 1)^2 + 1)\bigl(1/A + (m + \log_2(K) + A)\,\alpha(\pi)\bigr) \bigr\rangle_M. \quad (5.32)$$

We immediately see that $\langle \Pr(S) \rangle_M$ is the probability (5.13). Hence to conclude our proof, it remains for us to show the claim that $\langle \Pr(S) \rangle_M$ is a negligible function in $k$. This claim follows from the following observations:

– Since $\Psi$ is a collection of exponentiation homomorphisms with hard to guess image order (see Definition 5.7), there is by definition a $\pi_{\max} \in \Pi(\mathrm{Codom}(D_\Psi(k)))$ such that $\alpha(\pi_{\max})$ is negligible in $k$. Since the random variable $\pi$ that occurs in (5.32) is an arbitrary $\pi \in \Pi(\mathrm{Codom}(D_\Psi(k)))$, we may set $\pi := \pi_{\max}$ in (5.32).
– We set the so far arbitrary integer parameter $A$ to be $A := 1/\alpha(\pi_{\max})^{1/2}$ (see also [DK02]). Then the terms $1/A$ and $A\,\alpha(\pi_{\max})$ are negligible.
– The term $\log_2(K)$ is a polynomial quantity, and $\alpha(\pi_{\max})$ and $\log_2(K)$ are independent of $M$'s random inputs.
– So far, $m$ has denoted the maximal number of queries replied to by the oracles $O$ and $O'$, respectively. Wlog, we may set $m := m(k)$ to be the maximal number of queries issued to the oracles $O$ and $O'$ in the computations $\bar{M}^{(P^*, O)}(\iota)$ and $\bar{M}^{(P^{*\prime}, O')}(\iota)$, respectively. Then, since $M$ is an expected polynomial-time algorithm, $\langle m(k) \rangle_M$ is bounded by a polynomial in $k$, and hence so are $\langle m(k)^2 \rangle_M$ and $\langle m(k)^3 \rangle_M$.

To conclude the proof, we note that under the assumption that there exist pseudo-random functions secure against expected probabilistic polynomial-time algorithms, the probability $\langle \Pr(S) \rangle_M$ remains negligible if the functions $\rho$ that occur in $\iota = ((\psi, y), (x, \rho), (\vec{s}, \vec{r})) \in \mathcal{P}$ are pseudo-random functions instead of the real random functions we have assumed in the derivation of (5.32).

Proofs of part (c) and (a) of Theorem 5.1. The proof of part (c) of the theorem is almost identical to the one given above. Roughly, it results from the proof given above by setting the pseudo-preimage exponent $v := 0$. The proof of part (a) is essentially a simplified version of the proof of part (b), as one does not consider probability ensembles on homomorphisms but only sequences of homomorphisms. This results in a slightly "smaller" probability space, and to compute upper bounds on the probabilities on the right hand side of the inequality in Claim 5.6, one has to use a lemma by Shoup [Sho97, Lemma 1] instead of Lemma 5.2.

6 Efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups

In this chapter we describe novel zero-knowledge proofs of knowledge, which overcome the efficiency limitations of existing proofs of knowledge for exponentiation homomorphisms $\psi_E$ in hidden order groups. Let us briefly recapitulate what we have learned so far on efficient proofs of knowledge and related techniques for $\psi_E$ in hidden order groups. On the one hand, we have seen that the Σψ-protocol yields proofs of knowledge for $\psi_E$ in hidden order groups. However, the resulting proofs of knowledge are too inefficient for many practical applications, since the MS knowledge error of such $\psi_E$ is $1/2$. On the other hand, in the DF scheme one can efficiently demonstrate knowledge of a commitment opening, which in fact is to demonstrate knowledge of a preimage under an exponentiation homomorphism in an RSA group (which is a hidden order group). However, these demonstrations of knowledge only work in the context of the DF commitment scheme and, in particular, are not proofs of knowledge. Besides these methods, prior to our work, no efficient zero-knowledge proofs of knowledge or related techniques were known for $\psi_E$ in hidden order groups. Moreover, our results in the previous chapter are strong evidence that using the Σψ-protocol it is impossible to obtain efficient proofs of knowledge for $\psi_E$ in hidden order groups. More precisely, we have proved that the MS knowledge error of $1/2$ of such $\psi_E$ cannot be under-run by generic homomorphism or pseudo-preimage based black-box algorithms. Thus, if we want to overcome the limitations of existing techniques and find efficient proofs of knowledge for $\psi_E$ in hidden order groups, then there are two ways to go:

1. We construct a novel knowledge extractor for the Σψ-protocol (which is neither a generic homomorphism nor a pseudo-preimage based black-box algorithm) that achieves a negligibly small knowledge er- ror, and thus allows to obtain efficient proofs of knowledge.

2. We construct novel protocols that yield efficient proofs of knowledge.

In the following we go the latter way and describe three novel techniques that for the first time yield efficient proofs of knowledge for ψE in hidden order groups. The techniques are complementary in the sense that they work under different conditions and assumptions. Two of them have in common that, additionally to an exponentiation homomorphism ψE and an image element y, one makes available auxiliary information as part of the common input. Our first technique is based on the Σψ-protocol where the common input consisting of ψE and y is extended with an “auxiliary pseudo-preimage” of y under ψE. This allows us to obtain proofs of knowledge for essentially any ψE in hidden order groups. The resulting proofs of knowledge are very efficient since they achieve an arbitrary small knowledge error in a single execution of the Σψ-protocol. The technique works provided that the prover l is explicitly given a non-zero multiple of | image(ψE)| (e.g., |H| for ψE : Z → H), while it asserts that the verifier learns no additional information on |H| (i.e., |H| remains hidden from the verifier). + The second technique is based on a novel protocol that we call the Σψ - protocol. It yields a so called proof of knowledge in the auxiliary string model, which was introduced by Damgaard [Dam00]. The key idea underly- ing the auxiliary string model is that an auxiliary string with a prescribed probability distribution is available to the prover and the verifier. The auxi- liary string model is a stronger definitional setting than the one underlying conventional proofs of knowledge. Yet, for many practical applications it is + adequate. Using the Σψ -protocol, one can obtain zero-knowledge proofs of knowledge in the auxiliary string model for any exponentiation homomor- phism ψE; in particular, also for ψE in hidden order groups. The resulting proofs of knowledge are very efficient when | image(ψE)| contains only lar- ge prime factors. 
The proofs are computationally valid under the strong RSA assumption (see Definition 3.12). Technically, the construction of the Σψ^+-protocol takes up and extends ideas underlying the DF scheme. In fact, similarly to the DF scheme, the knowledge extractor of the Σψ^+-protocol is also based on the hardness of the PPGEN-QRN problem (see §3.3). Moreover, in most applications of the Σψ^+-protocol one has to use the same setup protocol as the DF scheme. Hence, like the DF scheme, the Σψ^+-protocol is only efficient when the cost of the setup protocol does not matter. Luckily, this is the case in many practical applications.

Finally, we introduce the Σψ^+-WS-protocol, which underlies our third technique. The Σψ^+-WS-protocol is an extension of the Σψ^+-protocol designed to get rid of the setup protocol (and of the associated costs) of the Σψ^+-protocol. Moreover, unlike the Σψ^+-protocol, the Σψ^+-WS-protocol yields standard proofs of knowledge. In fact, the Σψ^+-WS-protocol yields zero-knowledge computational proofs of knowledge in the so called random oracle model and works under the strong RSA assumption; it works for exactly the same class of exponentiation homomorphisms as the Σψ^+-protocol.

This chapter is structured as follows. In §6.1 we describe the rationale behind the idea of making available auxiliary information as part of the common input. In §6.2 we describe the first of our techniques, which is based on the Σψ-protocol. In §6.3 we describe the Σψ^+-protocol and the Σψ^+-WS-protocol. The results of this section extend work by Bangerter, Camenisch, and Maurer [BCM06], which revises and supersedes [BCM05]†.

6.1 Auxiliary information in the common input

The basic idea underlying two of our new proof of knowledge techniques is to enhance the common input (of the prover and the verifier) with some auxiliary information. That is, the common input consists of an exponentiation homomorphism ψE, an image element y, and, additionally, a piece of auxiliary information α. The motivation for adding auxiliary information is that the common input is available to knowledge extractors for a protocol. Thus, loosely speaking, by appropriately choosing α one can provide advice to a knowledge extractor. In fact, as we shall see below, by providing appropriate advice (i.e., an appropriate α) we can construct two new techniques that yield efficient proofs of knowledge for ψE in hidden order groups. The nature of the requirements we need to impose on the auxiliary information is quite different for our two techniques:

– For our first technique (i.e., the Σψ-protocol in the auxiliary setting described in §6.2) to be a proof of knowledge, it is sufficient that the common input consisting of (ψE, y) and the auxiliary information α is correctly chosen. That is, there is a predicate M, such that whenever M(α, (ψE, y)) = 1, then the protocol on common input (α, (ψE, y)) is a proof of knowledge. We shall see that making available auxiliary information fulfilling requirements of this type is within the definitional setting of a proof of knowledge. That is, the resulting technique yields proofs of knowledge according to Definition 2.15.

– For our second technique (i.e., the Σψ^+-protocol described in §6.3) to be a proof of knowledge it is not sufficient that (ψE, y) and α fulfill some predicate M(α, (ψE, y)). Rather, it is additionally required that α is a random variable with some prescribed probability distribution. This type of requirement on the auxiliary information is outside of the definitional setting of a proof of knowledge. Hence, our second technique does not yield conventional proofs of knowledge, but so called proofs of knowledge in the auxiliary string model.

Finally, we note that when proofs of knowledge with auxiliary information are used as sub-protocols in cryptographic applications, then the presence of auxiliary information has to be taken into account in the security analysis of the application at hand. Also, one needs to assert that the auxiliary information, which is chosen in the context of the application, meets the requirements for the sub-protocol to be a proof of knowledge. Such an analysis depends on the auxiliary information and the properties of the application within which a proof of knowledge is used. Hence, this analysis cannot be given in general, and must be carried out for each application separately.

† To avoid possible confusion, we note that the protocol that is called Σψ^+-protocol in [BCM05, BCM06] is called Σψ^+-WS-protocol in this thesis. The protocol that is called Σψ^+-protocol in this thesis is novel and has not yet been published at the time of this writing.

6.2 The Σψ-protocol in the auxiliary setting

In this section we consider the Σψ-protocol in the setting where the common input (ψ, y) contains as auxiliary information a pseudo-preimage (v, w) of y under ψ. Applied to exponentiation homomorphisms ψE : Z^l → H in hidden order groups this technique yields very efficient zero-knowledge proofs of knowledge for almost any such ψE. It requires that the prover is explicitly given a non-zero multiple of |image(ψE)| and asserts that the verifier gets no additional information on |H|, i.e., that |H| remains hidden from the verifier.

6.2.1 Sketch of basic idea

Let us see why choosing the auxiliary information to be a pseudo-preimage is a good choice. Consider the Σψ-protocol with challenge set C := {0, c+} for some homomorphism ψ. Then, the common input is (ψ, y) plus an auxiliary pseudo-preimage (v, w) of y under ψ. The prover’s private input remains a preimage of y under ψ. Let us assume that v is chosen to be a prime number, such that v > c+. In the following we refer to this setting as the Σψ-protocol in the auxiliary setting.

We can easily construct a knowledge extractor M for the Σψ-protocol in the auxiliary setting as follows:

1. Given black-box access to a convincing prover P*, M uses the pseudo-preimage extractor (see Theorem 4.2) to extract a pseudo-preimage (Δc, Δs) of y under ψ with Δc ∈ {1, c+}.
2. Now there are two pseudo-preimages of y under ψ available to M: the extracted pseudo-preimage (Δc, Δs) and the auxiliary pseudo-preimage (v, w). Since v is prime, Δc ∈ {1, c+}, and c+ < v, we have gcd(v, Δc) = 1, and using Shamir’s trick (see Lemma 3.2) M can compute a preimage of y under ψ.

We note that the knowledge extractor M is the standard knowledge extractor of the Σψ-protocol (see §4.2) being given advice in the form of an auxiliary pseudo-preimage (v, w). The knowledge error of this knowledge extractor is κ = 1/(c+ + 1). Thus, by choosing v to be a super-polynomially large prime and letting C := {0, (v − 1)} (i.e., c+ = v − 1), we can achieve a negligibly small κ for any ψ (using the Σψ-protocol in the auxiliary setting). This concludes the description of our basic idea.

The remainder of this section is structured as follows. In §6.2.2 we formalize the idea sketched above. Also we shall see that the use of auxiliary pseudo-preimages potentially raises problems. In fact, for certain homomorphisms proofs of knowledge using the Σψ-protocol in the auxiliary setting are not viable. In §6.2.3 we focus on the application of the Σψ-protocol in the auxiliary setting to exponentiation homomorphisms in hidden order groups. We show that for such homomorphisms we obtain viable proofs of knowledge.

6.2.2 Formalization of basic idea

Let us formalize the idea sketched in the previous section.

Definition 6.1 (Σψ-protocol in the auxiliary setting) Let R[Ψ] denote a homomorphism relation for which the Σψ-protocol is defined. The Σψ-protocol in the auxiliary setting for R[Ψ] is the Σψ-protocol where for each ((ψ, y), x) ∈ R[Ψ] the common input additionally to (ψ, y) contains a pseudo-preimage (v, w) of y under ψ, and where the prover’s private input is x. We call (v, w) an auxiliary pseudo-preimage.

The fact that the common input is augmented by an auxiliary pseudo-preimage does not affect the zero-knowledge property of the Σψ-protocol.

Corollary 6.1 (Zero-knowledge properties of the Σψ-protocol in the auxiliary setting) The Σψ-protocol in the auxiliary setting has the same zero-knowledge properties as the Σψ-protocol in the conventional setting described in Theorem 4.1.

Moreover, one can use Damgaard’s [Dam00] approach to turn the Σψ- protocol in the auxiliary setting into a concurrent zero-knowledge protocol. Let us assume for the moment that the pseudo-preimage exponent v of an auxiliary pseudo-preimage (v, w) can be chosen arbitrarily. (We shall see later that this assumption is fulfilled, when we look at exponentiation homomorphisms in hidden order groups.) Using this assumption, we get the following result.

Theorem 6.1 Let poly() be an arbitrary polynomial. The Σψ-protocol in the auxiliary setting with challenge set C = {0, 2^poly(k) − 1} is a proof of knowledge for R[Ψ] with (negligible) knowledge error κ(k) = 1/2^poly(k).

Proof (sketch) By assumption, the exponent v of an auxiliary pseudo-preimage (v, w) of a (ψ, y) ∈ R[Ψ] can be chosen arbitrarily. Hence, we choose v to be a prime with v > 2^poly(k). The claim now immediately follows using the knowledge extractor described in §6.2.1.

We see from Theorem 6.1 that using the Σψ-protocol in the auxiliary setting we can achieve an arbitrarily small knowledge error for any homomorphism. This is a quite desirable property, as (by the relation between the size of the knowledge error and the efficiency of the Σψ-protocol discussed in §4.3) it allows us to obtain very efficient proofs of knowledge for any homomorphism relation R[Ψ]. Note that this is in contrast to proofs of knowledge for homomorphisms using the Σψ-protocol in the conventional setting, where the knowledge error is determined by properties of the homomorphism at hand and cannot be made arbitrarily small.

So far we have focused on obtaining proofs of knowledge using the Σψ-protocol in the auxiliary setting. However, we did not consider further implications of making available an auxiliary pseudo-preimage as part of the common input. Here and in the following, “being given computational information” means being given a binary string that one cannot efficiently generate by oneself. A crucial point is that, in general, the Σψ-protocol in the auxiliary setting is not equivalent to the Σψ-protocol in the conventional setting. That is, an auxiliary pseudo-preimage makes available computational information to the prover and the verifier that is not available in the conventional setting. In fact, if this were not the case, then an auxiliary pseudo-preimage would not provide any useful advice to the knowledge extractor, either. Now, the potential problem is that an auxiliary pseudo-preimage may “leak unwanted computational information” to the prover and the verifier, respectively. That is, given an auxiliary pseudo-preimage, the prover and the verifier, respectively, may be able to perform computational tasks that they wouldn’t be able to do otherwise.
As an example, the common input ((v, w), ψ, y) of the Σψ-protocol in the auxiliary setting could allow a verifier to compute a preimage x (i.e., “leak a preimage”) of y under ψ, even when ψ is one-way†. In this case, using the Σψ-protocol in the auxiliary setting would be futile, as one could just as well give the preimage x to the verifier right away. Thus, to establish the Σψ-protocol in the auxiliary setting as a viable proof of knowledge technique for a given homomorphism, one needs to show that, loosely speaking, no “unwanted computational information” is leaked by an auxiliary pseudo-preimage. In the following section we shall see that this is the case for exponentiation homomorphisms in hidden order groups.

† Indeed, it is easy to see that this can happen when ψ is a special homomorphism.

We conclude this section with two technical remarks. First, one might object that adding an auxiliary pseudo-preimage to the common input is outside of the definitional scope of a proof of knowledge. This objection is not justified. Rather, the formally correct interpretation is that a proof of knowledge for a homomorphism relation R[Ψ] using the Σψ-protocol in the auxiliary setting is a proof of knowledge for the binary relation

$$\tilde{R}[\Psi] := \{(((v, w), y, \psi), x) : \psi \in \Psi \text{ with } \psi : G \to H,\ x \in G,\ y = \psi(x), \text{ and } (v, w) \text{ is a pseudo-preimage of } y \text{ under } \psi\} \quad (6.1)$$

using the Σψ-protocol. Second, the Σψ-protocol in the auxiliary setting can achieve not only a very small, but actually a zero knowledge error. Goldreich [Gol01] has shown that if the knowledge error of a proof of knowledge for an NP relation drops below a certain value, then one can achieve a knowledge error of zero.

Theorem 6.2 (Goldreich [Gol01]) Let R be an NP relation, and let poly() be a polynomial such that (y, x) ∈ R implies ‖x‖ ≤ poly(‖y‖). Suppose that (P, V) is a proof of knowledge for the relation R, with knowledge error κ(k) = 1/2^poly(k). Then, (P, V) is a proof of knowledge for R with zero knowledge error.

We recall that, by our basic assumption that homomorphisms are computationally tractable (see §2.3.2), homomorphism relations are NP relations. Thus, from Goldreich’s theorem and Theorem 6.1 we immediately obtain the following corollary.

Corollary 6.2 The Σψ-protocol in the auxiliary setting is a proof of knowledge for R[Ψ] with zero knowledge error.

6.2.3 Application to exponentiation homomorphisms in hidden order groups

In this section we apply the Σψ-protocol in the auxiliary setting to exponentiation homomorphisms ψE : Z^l → H in hidden order groups. The results in the previous section (Theorem 6.1) trivially imply that the Σψ-protocol in the auxiliary setting yields efficient proofs of knowledge for such ψE. In the following we address the issue raised in the preceding section and analyze the computational information (not) being leaked by an auxiliary pseudo-preimage. In a nutshell, the analysis shows that the Σψ-protocol in the auxiliary setting yields viable and efficient proofs of knowledge for ψE in hidden order groups with the following properties:

– The prover needs to be given as part of its private input (a non-zero multiple of) the order of image(ψE). In practice this often means that the prover is given the order of the (hidden order) co-domain H.
– The order of H remains hidden to the verifier, i.e., the verifier provably learns no computational information on |H|.

6.2.3.1 How to choose an auxiliary pseudo-preimage

So far we have assumed that the inputs to the Σψ-protocol in the auxiliary setting are given, and that the exponent v of an auxiliary pseudo-preimage can be chosen arbitrarily. Yet, in practice it is important that one can actually generate the protocol inputs. Let us see how this can be done for exponentiation homomorphisms ψE : Z^l → H in hidden order groups. We shall see below that it is important to choose the common input consisting of (ψE, y) and the auxiliary pseudo-preimage (v, (w1, . . . , wl)) to be a hard instance of the PP-EHOM problem (i.e., the PP problem for exponentiation homomorphisms in hidden order groups, see §3.2.2). Hence, a good way to choose the common input is using the hard generator DPPE(k, l) (see §3.2.2 and Corollary 3.4) for the PP-EHOM problem. We have seen in §3.2.2 that using DPPE(k, l), one can choose the pseudo-preimage exponent v arbitrarily. Hence, the respective assumption underlying Theorem 6.1 is fulfilled.

Given the common input chosen using DPPE(k, l), i.e.,

$$((v, (w_1, \ldots, w_l)), y, \psi_E) \leftarrow D_{PPE}(k, l), \quad (6.2)$$

it remains to see how we can choose the prover’s private input, i.e., a preimage (x1, . . . , xl) of y under ψE. To this end let us assume that the party that generates the inputs to the Σψ-protocol in the auxiliary setting is explicitly given |image(ψE)|. Moreover, let us assume that gcd(v, |image(ψE)|) = 1 holds in (6.2). This can always be asserted, e.g., by choosing v to be a prime larger than |H|†. Then, we can easily find a preimage by computing the multiplicative inverse 1/v of v modulo |image(ψE)|, and by setting (x1, . . . , xl) := (w1/v, . . . , wl/v). Note that one does not necessarily need to be given |image(ψE)|. Any non-zero multiple of |image(ψE)| (e.g., the order of the co-domain H of ψE) will do, provided that it is co-prime to v. Finally, it is crucial to note that we do not know how to compute the common input and the prover’s private input without being given (a non-zero multiple of) |image(ψE)|.
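To make the input generation of this section and the knowledge extractor sketched in §6.2.1 concrete, here is an added worked example in Python; it is not code from the thesis. It uses a constructed toy RSA modulus N = 1019·1021, a hypothetical stand-in for the generator DPPE(k, l) with l = 1 (it sets h = g^v and y = g^w for a prime v > N, so that y^v = h^w without anyone knowing |H|), and φ(N) as the non-zero multiple of |image(ψE)| given to the prover.

```python
"""Added example (not thesis code): the Sigma_psi-protocol in the auxiliary
setting for psi_E(x) = h^x in a toy RSA group, with the extractor of
Section 6.2.1 (pseudo-preimage extraction plus Shamir's trick).  All
parameters are constructed and far too small for real use."""
import math
import random

# Constructed toy RSA group H = Z_N^*.  Real parameters use ~1024-bit primes.
P, Q = 1019, 1021
N = P * Q                 # public; |H| stays hidden from the verifier
PHI = (P - 1) * (Q - 1)   # a non-zero multiple of |image(psi_E)|, prover only
KS = 40                   # statistical parameter for the prover's randomness


def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def ext_gcd(a, b):
    """Extended Euclid for a, b >= 0: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def generate_common_input(seed):
    """Hypothetical stand-in for the hard generator D_PPE(k, 1) of Section 3.2.2
    (its definition is not on this page).  It needs only the group itself:
    pick g in Z_N^*, a prime v > N (N is a public upper bound on |H|, so
    gcd(v, |H|) = 1), a random w with 0 < w < v (so v does not divide w), and
    set h = g^v, y = g^w.  Then y^v = g^(v*w) = h^w: (v, w) is a pseudo-preimage
    of y under psi_E(x) = h^x, and nobody has learned |H|."""
    rng = random.Random(seed)
    v = next_prime(N + 1)
    g = rng.randrange(2, N)
    while math.gcd(g, N) != 1:
        g = rng.randrange(2, N)
    w = rng.randrange(1, v)
    return {"h": pow(g, v, N), "y": pow(g, w, N), "v": v, "w": w}


def prover_private_input(ci):
    """Section 6.2.3.1: given PHI (a multiple of |image(psi_E)| coprime to v),
    the prover sets x = w * (1/v mod PHI) mod PHI, which satisfies h^x = y."""
    return ci["w"] * pow(ci["v"], -1, PHI) % PHI


def run_sigma_protocol(ci, x, challenges, seed):
    """Commitment t = h^r, then s = r + c*x for every challenge c.  Reusing r
    across challenges models the extractor rewinding the prover to the same
    first message.  C = {0, ..., v-1}, i.e. c+ = v - 1 as in Section 6.2.1."""
    rng = random.Random(seed)
    c_plus = ci["v"] - 1
    r = rng.randrange(0, (1 << KS) * c_plus * N)  # wide enough to hide c*x
    t = pow(ci["h"], r, N)
    return [(t, c, r + c * x) for c in challenges]


def verify(ci, t, c, s):
    """Verifier's check: c in C and h^s == t * y^c in Z_N^*."""
    return 0 <= c < ci["v"] and pow(ci["h"], s, N) == t * pow(ci["y"], c, N) % N


def extract_preimage(ci, tr1, tr2):
    """Knowledge extractor of Section 6.2.1.  Two accepting transcripts with the
    same t give y^dc = h^ds (step 1).  Shamir's trick (step 2): v is prime and
    0 < dc < v, so a*v + b*dc = 1 for integers a, b, and then
    y = (y^v)^a * (y^dc)^b = h^(a*w + b*ds); a*w + b*ds is a preimage."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    if t1 != t2 or c1 == c2 or not (verify(ci, *tr1) and verify(ci, *tr2)):
        raise ValueError("need two accepting transcripts with equal t, distinct c")
    if c1 < c2:
        (c1, s1), (c2, s2) = (c2, s2), (c1, s1)
    dc, ds = c1 - c2, s1 - s2
    g, a, b = ext_gcd(ci["v"], dc)
    if g != 1:
        raise ValueError("gcd(v, dc) != 1; Shamir's trick does not apply")
    return a * ci["w"] + b * ds   # integer exponent, possibly negative or large


def demo(seed=7):
    """Generate inputs, derive the prover's x, answer two challenges on one
    commitment, and extract a preimage from the two transcripts."""
    ci = generate_common_input(seed)
    x = prover_private_input(ci)
    transcripts = run_sigma_protocol(ci, x, [12345, 678], seed)
    x_prime = extract_preimage(ci, transcripts[0], transcripts[1])
    return ci, x, transcripts, x_prime
```

The extracted exponent is checked only as h^{x'} = y; reducing it modulo |image(ψE)| is exactly what the extractor, unlike the prover, cannot do.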

6.2.3.2 Computational information that is (not) leaked

For the following discussion we still consider the Σψ-protocol in the auxiliary setting for ψE in hidden order groups, and assume that the inputs to the Σψ-protocol (in the auxiliary setting) are chosen as described in the previous section. Now, let us look at the computational information that is (not) leaked by an auxiliary pseudo-preimage to the prover and the verifier, respectively. It is impossible to consider all the possible computational information (not) being leaked by an auxiliary pseudo-preimage. Rather, we focus on computational information about the (hidden) order of the co-domain of ψE : Z^l → H and on preimages of the image element y. The motivation for these choices is that the co-domain H having hidden order and the one-way property of ψE are key properties underlying many cryptographic applications.

† In fact, by our basic assumptions on computationally tractable groups, one can always compute an upper bound λ+ on the order of a group H. Given such a λ+, we can choose v to be a prime v ≥ λ+ and fulfill the above requirement.

Computational information leaked to the prover. Since by definition the prover is given a preimage of y under ψE as its private input, computational information leaked on a preimage is of no concern. So let us look at computational information being leaked on the order of the hidden order co-domain H. If we look at simple exponentiation homomorphisms, i.e., mappings ψE : Z → H defined by ψE(x) := h^x with h ∈ H, then from a pseudo-preimage and a preimage, i.e.,

$$y^v = \psi_E(w) = h^w \quad \text{and} \quad y = \psi_E(x) = h^x,$$

the prover can easily compute h^{w−vx} = 1. Hence, using that v ∤ w, which holds by definition of the generator DPPE(k, l), we see that (w − xv) is a non-zero multiple of |h| = |image(ψE)|. Thus, an auxiliary pseudo-preimage leaks |image(ψE)| to the prover, which it would not be able to compute without being given an auxiliary pseudo-preimage†.

For multi-exponentiation homomorphisms, i.e., mappings ψE(x) := h1^{x1} · ... · hl^{xl} with h1, . . . , hl ∈ H and l ≥ 2, we are not able to show that the prover learns |image(ψE)| (unless we additionally assume that the prover knows the discrete logarithms h2 = h1^{e2}, . . . , hl = h1^{el}). But more importantly, neither do we know how to show that an auxiliary pseudo-preimage does not leak computational information on |H|. Moreover, recall our earlier observation that we do not know how to generate the protocol inputs unless we are given a non-zero multiple of |image(ψE)|. Hence, if it is the (honest) prover who generates the inputs to the protocol, which is the case in many practical applications of proofs of knowledge, then it needs to be given a non-zero multiple of |image(ψE)|.

In summary, we can certainly not assume that an auxiliary pseudo-preimage does not leak computational information on |H| to the prover, and in fact in many cases the prover will learn or will explicitly be given (a non-zero multiple of) |image(ψE)|. So, loosely speaking, the Σψ-protocol in the auxiliary setting fits best into application scenarios where the prover is given |H|.

Computational information leaked to the verifier. Let us turn to the computational information being leaked to a possibly dishonest verifier. As the Σψ-protocol in the auxiliary setting is zero-knowledge, even a potentially dishonest verifier does not gain any computational information from a protocol execution. Hence, it is sufficient to consider what a verifier learns from its protocol inputs alone (i.e., the common input). Now, from our results (in §3.2.2) on the hardness of the PP-EHOM problem it follows that:

† In fact, the argument also shows that we not only do not know how to compute the protocol inputs for simple exponentiations ψE without being given |image(ψE)|, but that it is infeasible to do so without being given |image(ψE)|.

– It is hard for a verifier to compute a preimage of y under ψE from the common input. In fact, computing a preimage is to solve the PP-EHOM problem, and since the common input is chosen using the hard generator DPPE(k, l) the claim follows.
– The verifier does not learn any computational information on the order of H from the common input. In fact, if we look at the definition of DPPE(k, l), then we see that DPPE(k, l) only requires to be given H (and no additional information related to |H|). Thus, the verifier could as well itself generate the common input using DPPE(k, l), and the claim follows.

Conclusions. In summary, we see that the Σψ-protocol in the auxiliary setting yields viable proofs of knowledge for exponentiation homomorphisms in hidden order groups with the properties we have claimed at the onset of this section.

Let us close with two remarks. First, the fact that one has to consider the computational information leaked by the protocol inputs is not peculiar to the Σψ-protocol in the auxiliary setting. In the same way one has to do this analysis for the Σψ-protocol in the conventional setting (in fact for any proof of knowledge protocol). Yet, the analysis and its outcome are different in the two cases. Second, if one uses the Σψ-protocol in the auxiliary setting to obtain a proof of knowledge as a sub-protocol in a higher level system, one needs to consider the computational information leaked by an auxiliary pseudo-preimage in the context of the whole system. Such an analysis, however, must be given for the system at hand and is outside the scope of our discussion. Again, we note that an analogous analysis has to be performed for any proof of knowledge protocol when it is used as a sub-protocol.

6.2.3.3 The dual role of the hardness of the PP-EHOM problem

It is interesting to note that the hardness of the PP-EHOM problem plays a dual role in efficient proofs of knowledge for exponentiation homomorphisms ψE in hidden order groups:

– On the one hand, we have used the hardness to prove lower bounds on the knowledge error of the Σψ-protocol in Theorem 5.3. As discussed, this result indicates that using the Σψ-protocol it is impossible to obtain efficient proofs of knowledge for ψE in hidden order groups.
– On the other hand, we have just seen that the very same hardness result underlies the viability of our novel efficient proofs of knowledge using the Σψ-protocol in the auxiliary setting.

Thus, in the first case the hardness of the PP-EHOM problem was used to derive a negative result, while in the latter case it underlies a positive result.

6.2.3.4 Applications

Let us describe some examples of applications of proofs of knowledge using the Σψ-protocol in the auxiliary setting.

Identification schemes. An identification (ID) scheme enables a prover holding a secret key to identify itself to a verifier holding the corresponding public key [FFS88]. Typically, the public key is tied to the prover’s “real identity”. Roughly, an ID scheme is secure if, given only a public key, it is impossible for a dishonest prover to identify itself to the verifier. In practical applications of ID schemes small key sizes and low communication and computation costs are desirable for efficiency reasons. Since the prover is often implemented using devices with little computational power (e.g., smart cards), it is especially desirable to keep the prover’s computation and communication cost low.

All practical implementations of ID schemes are based on homomorphisms that fall into one of the classes of concrete homomorphisms described in Definition 2.12. The public key and the secret key in these schemes are an image and a preimage, respectively, under the homomorphism being considered. Moreover, all practical schemes use the Σψ-protocol, or, loosely speaking, a slightly modified version of the Σψ-protocol, as the identification protocol. One large class of ID schemes [Oka93, GQ88, Sho96, FFS88] is based on power or exponentiation-power homomorphisms in RSA groups. These schemes are secure under the RSA assumption or under the FACTORING assumption, respectively. Another class is based on simple-exponentiation homomorphisms ψE(x) := h^x or multi-exponentiation homomorphisms ψE(x1, x2) := h1^{x1} h2^{x2} in prime-modulus groups [Sch91, Oka93] or RSA groups [PS98]. Their security properties hold under the DLOG assumption for the respective groups.

Exponentiation homomorphism based ID schemes using the Σψ-protocol are more efficient than power (or exponentiation-power) homomorphism based ones. In fact, the former are known to achieve a low computation and low communication cost, whereas the latter achieve either a low computation and a relatively high communication cost (e.g., for ψP(x) := x^2) or a relatively high computation and a low communication cost (e.g., for ψP(x) := x^e where e = 80).

Following a standard construction of ID schemes from proofs of knowledge using the Σψ-protocol, we can construct a novel, efficient ID scheme based on exponentiation homomorphisms ψE(x) := h^x in RSA groups using the Σψ-protocol in the auxiliary setting. In fact, since we are using the Σψ-protocol in the auxiliary setting, the public key not only consists of ψE and an image element y, but also of an auxiliary pseudo-preimage (v, w) of y under ψE; the secret key still is a preimage x of y under ψE. Using a standard argument, this scheme can be shown to be secure† provided that it is hard to compute a secret key from the public key, that is, if it is hard to solve the PP-EHOM problem for the public key ((v, w), y, ψE). By Corollary 3.3 and Corollary 2.2 this is indeed the case under the RSA assumption, and hence our ID scheme is secure.

The resulting ID scheme is quite similar to the one by Poupard and Stern [PS98], which is also based on exponentiation homomorphisms in RSA groups and the Σψ-protocol. The Poupard and Stern scheme is secure under the DLOG assumption. Yet, due to the fact that the Σψ-protocol in the auxiliary setting is a proof of knowledge, our ID scheme has a tighter security reduction than the one by Poupard and Stern. In fact, to prove our scheme secure one only needs to invoke the pseudo-preimage extractor (see Theorem 4.2 and §4.2.1) for the Σψ-protocol once, whereas for the latter scheme it has to be run at least twice. Moreover, our scheme works under weaker algebraic requirements. For instance, we do not need to make the assumption that the public key y has maximal order in Z_n^*.
Finally, we note that, using the so called Fiat-Shamir heuristic [FS87, PS00, BR93], we can transform our ID scheme into an efficient signature scheme, which is secure in the so called “random oracle model” under the RSA assumption.

† The security against so called passive attacks essentially follows from the proof of knowledge property of the Σψ-protocol in the auxiliary setting. To prove the scheme to be secure against so called active attacks, one needs to restrict the challenge set of the Σψ-protocol to be |C| ≤ poly(k). Correspondingly, the protocol needs to be sequentially repeated a few times, when performing the identification.

Equality proofs. A property of practical interest of proofs of knowledge in the auxiliary setting is that one can use techniques from groups with known order for proving relations among preimages of different exponentiation homomorphisms [Bra97, Cam98, CP93] in hidden order groups. As an example, one can prove knowledge of two discrete logarithms α1 and α2 of two different group elements y1 and y2 with respect to different bases h1 and h2 and also that the discrete logarithms are equal, i.e., α1 = α2. That is, using the notation introduced by Camenisch and Stadler [CS97], one can realize a proof

$$PK(\{\alpha_1, \alpha_2\} : y_1 = h_1^{\alpha_1} \wedge y_2 = h_2^{\alpha_2} \wedge \alpha_1 = \alpha_2),$$

where y1, h1, y2, h2 ∈ H and H is a hidden order group. The approach to obtain such an equality proof in the auxiliary setting is to choose a single auxiliary pseudo-preimage (v, w) such that

$$y_1^v = h_1^w \quad \text{and} \quad y_2^v = h_2^w. \quad (6.3)$$

Thus, using gcd(v, |H|) = 1 (which we can assert as discussed above), we have y1 = h1^x and y2 = h2^x with x := w/v, where 1/v is the multiplicative inverse of v modulo |H|. Then we run the Σψ-protocol in the auxiliary setting in parallel for y1 = h1^x and y2 = h2^x as described by Chaum and Pedersen [CP93]. That is, the prover in the first step of its computation chooses a random value r and sets t1 := h1^r and t2 := h2^r; in the second step it answers the verifier’s challenge c with s := r + cx. Finally, the verifier in the last step of the Σψ-protocol checks the equalities h1^s = t1 y1^c and h2^s = t2 y2^c. The knowledge extractor for this variant of the Σψ-protocol can extract a pseudo-preimage (Δc, Δs), such that

$$y_1^{\Delta c} = h_1^{\Delta s} \quad \text{and} \quad y_2^{\Delta c} = h_2^{\Delta s}.$$

Then, from this last equation and (6.3), using Shamir’s trick in Lemma 3.2, the knowledge extractor can compute an x' such that y1 = h1^{x'} and y2 = h2^{x'}.

6.3 The Σψ^+- and the Σψ^+-WS-protocol

In this section we introduce the Σψ^+-protocol and a modified variant thereof, which we call the Σψ^+-WS-protocol. Both protocols yield efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms ψE in general and for ψE in hidden order groups in particular. More precisely, the former yields so called proofs of knowledge in the auxiliary string model, whereas the latter yields standard computational proofs of knowledge in the random oracle model (i.e., an ideal hash function model). This section is structured as follows. In §6.3.1 we define the notion of a proof of knowledge in the auxiliary string model. In §6.3.2 we describe the Σψ^+-protocol and in §6.3.3 the Σψ^+-WS-protocol.

6.3.1 Proofs of knowledge in the auxiliary string model

The notion of a proof of knowledge in the auxiliary string model was introduced by Damgaard [Dam00]. The key idea underlying the auxiliary string model is that an auxiliary string α with a prescribed probability distribution is available to the prover P and the verifier V.

More precisely, a proof of knowledge in the auxiliary string model for a binary relation R consists of a pair of probabilistic polynomial-time interactive machines (P, V) and a generator D(k). The common input of P and V is (y, α) and P’s private input is x, where (y, x) ∈ R and the auxiliary string is chosen as α ← D(k). At the end of a protocol run V halts and either accepts or rejects. Then (P, V) is a proof of knowledge in the auxiliary string model, if (in analogy to a proof of knowledge) there is a knowledge extractor that computes a witness for y. Yet, the probability space underlying a protocol in this model is taken over the random inputs of P, V, and additionally of D(k) (i.e., over the choices α ← D(k)). Correspondingly, a knowledge extractor given black-box access to a prover P* may choose P*’s random input and also the auxiliary string α. Moreover, we note that even when we consider cheating provers, we still assume that α is correctly generated using D(k).

Let us formally introduce proofs of knowledge in the auxiliary string model. Given a binary relation R, we use the following notation: R(k) := {(y, x) : (y, x) ∈ R and ‖y‖ = poly(k) for some fixed poly()}.

Definition 6.2 (Proof of knowledge in the auxiliary string model [Dam00]) Let R be a binary relation and let κ : ℕ → [0, 1] be a function. Let P and V be probabilistic polynomial-time interactive machines, and let D(k) denote a generator. Then (P, V) and D(k) are a proof of knowledge in the auxiliary string model for the binary relation R with knowledge error κ if over the choices of α ← D(k) the following holds:

– Non-triviality: For all (y, x) ∈ R(k) it is $\Pr(\langle P(x), V\rangle(\alpha, y) = 1) = 1$.

– Computational validity: A probabilistic machine M (the knowledge extractor) and a polynomial poly(·) exist such that the following holds. For every probabilistic polynomial-time interactive machine P*, every $y \in L_R$, and every $\gamma \in \{0,1\}^*$ let
$$\epsilon(y, \gamma, P^*) := \Pr(\langle P^*(\gamma), V\rangle(\alpha, y) = 1).$$
If $\epsilon(y, \gamma, P^*) > \kappa(k)$, then for all sufficiently large values of k, M(y) with black-box access to $P^*(y, \gamma)$ outputs a witness $w \in W_R(y)$ in an expected number of steps bounded by
$$\frac{\mathrm{poly}(k)}{\epsilon(y, \gamma, P^*) - \kappa(k)}.$$

Following Damgaard [Dam00], we have defined here for simplicity the case where an auxiliary string is used to prove only a single statement. This restriction is not essential, and it can be ignored in practical applications. Finally, we note that Definition 6.2 is stronger than the conventional definition of a (computational) proof of knowledge (see Definition 2.15). That is, any (computational) proof of knowledge is also a proof of knowledge in the auxiliary string model. Yet, for many practical applications the notion of a proof of knowledge in the auxiliary string model is adequate.

6.3.2 The Σψ⁺-protocol

Here we define the Σψ⁺-protocol and describe under what conditions it is zero-knowledge and a proof of knowledge in the auxiliary string model, respectively. We define the Σψ⁺-protocol for exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$.† As such $\psi_E$ have an infinite domain, we run into the same problem as when defining the Σψ-protocol for $\psi_E$ (see Definition 4.3). Luckily, we can use the same approach to circumvent the problem by introducing appropriate finite subsets G and G' of $\mathbb{Z}^l$ as described next.

Let $c^+ = c^+(k)$ and $k_s = k_s(k)$ be integer parameters. Also, for i = 1, ..., l, we let $\Delta x_i = \Delta x_i(k)$ and $\bar{x}_i = \bar{x}_i(k)$ denote integer parameters. Then we define
$$G := \{-\Delta x_1 + \bar{x}_1,\ \bar{x}_1 + \Delta x_1\} \times \dots \times \{-\Delta x_l + \bar{x}_l,\ \bar{x}_l + \Delta x_l\},$$
and, using the auxiliary security parameter $k_s = \mathrm{poly}(k)$,

$$G' := \{-2^{k_s} c^+ \Delta x_1,\ 2^{k_s} c^+ \Delta x_1\} \times \dots \times \{-2^{k_s} c^+ \Delta x_l,\ 2^{k_s} c^+ \Delta x_l\}.$$

Definition 6.3 ((Hiding) $\vartheta_m$-function) By a $\vartheta_m$-function we refer in the following to a mapping defined by
$$\vartheta_m(z_1, \dots, z_m) := g_1^{z_1} \cdot \dots \cdot g_{m-1}^{z_{m-1}} \cdot g^{z_m},$$
where $g_1, \dots, g_{m-1}, g \in \mathbb{Z}_n^*$. If additionally we have $g_1, \dots, g_{m-1} \in \langle g \rangle$, then we call a $\vartheta_m$-function hiding.

Moreover, we use the following notation for arithmetic in $\mathbb{Z}^l$ in the description of the Σψ⁺-protocol:

† In fact, it is not difficult to define the Σψ⁺-protocol for the broader class of exponentiation homomorphisms $\psi_E : \mathbb{Z}_1 \times \dots \times \mathbb{Z}_l \to H$. All our results also hold for such mappings. Yet, such a definition requires a somewhat cumbersome notation. Moreover, our main concern here are exponentiation homomorphisms in hidden order groups H. In all practical examples, such homomorphisms are of the form $\psi_E : \mathbb{Z}^l \to H$, and hence we only consider the Σψ⁺-protocol for this latter type of mappings.

– If $\bar{x} := (\bar{x}_1, \dots, \bar{x}_l)$, $r := (r_1, \dots, r_l)$, $x := (x_1, \dots, x_l) \in \mathbb{Z}^l$ and if c is an integer, then we write $s := r + c(x - \bar{x})$ to denote
$$(s_1, \dots, s_l) := (r_1, \dots, r_l) + c(x_1 - \bar{x}_1, \dots, x_l - \bar{x}_l).$$

  Correspondingly, $c\bar{x}$ stands for $c(\bar{x}_1, \dots, \bar{x}_l)$.

– Given a $\vartheta_{l+1}$-function, a scalar $\tilde{x} \in \mathbb{Z}$, and $x = (x_1, \dots, x_l) \in \mathbb{Z}^l$, $\vartheta_{l+1}(x, \tilde{x})$ stands for $\vartheta_{l+1}(x_1, \dots, x_l, \tilde{x})$.

Using this notation we now define the Σψ⁺-protocol.

Definition 6.4 (Σψ⁺-protocol) Let Ψ be a collection of exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$. Let $((\psi_E, y), x) \in R[\Psi(k)]$ with $x \in G$, and let a $\vartheta_{l+1}$-function be given. A Σψ⁺-protocol with challenge set $C := \{0, c^+\}$ consists of (P, V) performing the joint computation described in Figure 6.1.

$P((\psi_E, y, \vartheta_{l+1}), x)$ and $V(\psi_E, y, \vartheta_{l+1})$ perform the following steps:

1. P: $\tilde{x} \leftarrow_U \{0, 2^{k_s} n\}$; $\tilde{y} := \vartheta_{l+1}(x, \tilde{x})$; $r \leftarrow_U G'$; $\tilde{r} \leftarrow_U \{-2^{2k_s} c^+ n,\ 2^{2k_s} c^+ n\}$; $t := \psi_E(r)$; $\tilde{t} := \vartheta_{l+1}(r, \tilde{r})$.
   P → V: $(\tilde{y}, t, \tilde{t})$
2. V: $c \leftarrow_U C := \{0, c^+\}$.
   V → P: $c$
3. P: $s := r + c(x - \bar{x})$; $\tilde{s} := \tilde{r} + c\tilde{x}$.
   P → V: $(s, \tilde{s})$
4. V: if $\psi_E(s + c\bar{x}) = t\,y^c$ and $\vartheta_{l+1}(s + c\bar{x}, \tilde{s}) = \tilde{t}\,\tilde{y}^c$, then output 1; else output 0.

Fig. 6.1. Description of the Σψ⁺-protocol.

We see that the Σψ⁺-protocol takes as an auxiliary string in the common input a $\vartheta_{l+1}$-function. In the following we refer to such a function as an auxiliary $\vartheta_{l+1}$-function.

The Σψ⁺-protocol has the following zero-knowledge properties.

Theorem 6.3 (Zero-knowledge properties of the Σψ⁺-protocol) If the auxiliary $\vartheta_{l+1}$-function is hiding, then the Σψ⁺-protocol with challenge set $C := \{0, c^+\}$ has the following properties:

(a) It is statistical honest-verifier zero-knowledge.
(b) If $|C(k)| \le \mathrm{poly}(k)$, where poly(·) is an arbitrary polynomial, then it is statistical zero-knowledge.

Proof. Let us show part (a) of the theorem. To this end we consider the Σψ⁺-protocol $(P(x), V)(\psi_E, y)$ with $y = \psi_E(x)$ and $x \in G$. The auxiliary input to the protocol is a hiding $\vartheta_{l+1}$-function defined by $\vartheta_{l+1}(z_1, \dots, z_{l+1}) := g_1^{z_1} \cdot \dots \cdot g_l^{z_l} \cdot g^{z_{l+1}}$. The simulator of V's view works as follows: Choose $\tilde{x}' \leftarrow_U \{0, 2^{k_s} n\}$ and set $\tilde{y}' := g^{\tilde{x}'}$. Choose $c' \leftarrow_U C$, $s' \leftarrow_U G'$, and $\tilde{s}' \leftarrow_U \{-2^{2k_s} c^+ n,\ 2^{2k_s} c^+ n\}$. Set $t' := \psi_E(s' + c'\bar{x})\, y^{-c'}$ and $\tilde{t}' := \vartheta_{l+1}(s' + c'\bar{x}, \tilde{s}')\, \tilde{y}'^{-c'}$. Output $(\tilde{y}', t', \tilde{t}', c', s', \tilde{s}')$.

Let us verify that the probability distribution of the simulated view on tuples $(\tilde{y}', t', \tilde{t}', c', s', \tilde{s}')$ is statistically indistinguishable from the probability distribution of the verifier V's real view on tuples $(\tilde{y}, t, \tilde{t}, c, s, \tilde{s})$. We note that given $(\tilde{y}', c', s', \tilde{s}')$ and $(\tilde{y}, c, s, \tilde{s})$ the group elements $(t', \tilde{t}')$ and $(t, \tilde{t})$, respectively, are uniquely determined by the equations in the last step of the verifier's computation in the Σψ⁺-protocol. Hence, it suffices to show the claim that the probability distributions $\Pr(\tilde{y}', c', s', \tilde{s}')$ and $\Pr(\tilde{y}, c, s, \tilde{s})$ are statistically indistinguishable. To this end we write
$$\Pr(\tilde{y}', c', s', \tilde{s}') = \Pr(s', \tilde{s}' \mid \tilde{y}', c')\, \Pr(\tilde{y}' \mid c')\, \Pr(c')$$
and
$$\Pr(\tilde{y}, c, s, \tilde{s}) = \Pr(s, \tilde{s} \mid \tilde{y}, c)\, \Pr(\tilde{y} \mid c)\, \Pr(c).$$
To prove the claim, we show in the following that the respective probability distributions occurring on the right hand side of these expressions are statistically indistinguishable.

By the assumption that the verifier is honest we have $\Pr(c) = \Pr(c')$. Next we argue that $\Pr(\tilde{y}' \mid c')$ and $\Pr(\tilde{y} \mid c)$ are statistically indistinguishable. First we note that $\tilde{y}$ and c are independently distributed, and so are $\tilde{y}'$ and c'. Thus it suffices to show that $\Pr(\tilde{y}')$ and $\Pr(\tilde{y})$ are statistically indistinguishable. As the $\vartheta_{l+1}$-function is hiding by assumption (i.e., $g_1, \dots, g_l \in \langle g \rangle$) and since $\tilde{x} \leftarrow_U \{0, 2^{k_s} n\}$, which is an interval that is much larger than $|g|$, we have that the probability distribution of $\tilde{y} = \vartheta_{l+1}(x, \tilde{x}) = g_1^{x_1} \cdot \dots \cdot g_l^{x_l} \cdot g^{\tilde{x}}$ is statistically close to uniform on $\langle g \rangle$. On the other hand, it is straightforward to see that the distribution of $\tilde{y}'$ is statistically close to uniform on $\langle g \rangle$. Thus, $\Pr(\tilde{y}')$ and $\Pr(\tilde{y})$ are statistically indistinguishable and our claim follows.

It remains to show that $\Pr(s', \tilde{s}' \mid \tilde{y}', c')$ and $\Pr(s, \tilde{s} \mid \tilde{y}, c)$ are statistically indistinguishable. The proof of this claim is a straightforward adaptation of a line of argument that we have given in the proof of Theorem 4.1, and hence omitted. Part (b) follows from part (a) using an argument that is analogous to the one given in the proof of Theorem 4.1.

We claim without proof that, using a transformation by Damgaard [Dam00], the Σψ⁺-protocol can be turned into a zero-knowledge or even concurrent zero-knowledge protocol also in the case when |C| is superpolynomial.

For proofs of knowledge in the auxiliary string model using the Σψ⁺-protocol we need (by Definition 6.2) to specify a generator to select auxiliary $\vartheta_{l+1}$-functions. To this end, we use in the following the generator $D_{PPG}(k, l+1)$ for the PPGEN-QRN problem described in §3.3 and proved to be hard in Corollary 3.6. Note that, using the terminology introduced above, $D_{PPG}(k, l+1)$ outputs hiding $\vartheta_{l+1}$-functions. Hence, if we use the generator $D_{PPG}(k, l+1)$ to select the auxiliary $\vartheta_{l+1}$-function, then the zero-knowledge properties of the Σψ⁺-protocol hold as described above.

The Σψ⁺-protocol is a proof of knowledge in the auxiliary string model under the following conditions.

Theorem 6.4 (Proof of knowledge property of the Σψ⁺-protocol) Let Ψ denote a collection of exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$, and consider the Σψ⁺-protocol with challenge set $C := \{0, c^+\}$. Then the Σψ⁺-protocol with the generator $D_{PPG}(k, l+1)$ is a proof of knowledge in the auxiliary string model for R[Ψ], if for $\psi_E \in \Psi(k)$, $c^+$ is smaller than the smallest prime factor of $|\mathrm{image}(\psi_E)|$. The knowledge error is $1/(c^+ + 1) + 1/\mathrm{poly}(k)$, where poly(·) is an arbitrary polynomial, and the computational validity property holds under the strong RSA assumption.

In the proof of Theorem 6.4 we make use of a result by Cramer [Cra97]. Let M be a 0/1-matrix (i.e., the entries of M are 0's and 1's) with a rows and b columns. Consider the following collision game: Select a uniformly random entry in M. If it is a 1-entry, select a different uniformly random entry from the same row. If this is a 1-entry as well, output "success".

Lemma 6.1 (Cramer [Cra97]) Let M be a 0/1-matrix with a rows and b columns, and let ε denote the fraction of 1-entries in M. Suppose ε > 1/b. Then the probability of success in the collision game is greater than or equal to $\epsilon(\epsilon - 1/b)$.

Now we are ready to prove Theorem 6.4.

Proof. Let $P^*((\psi_E, y), \gamma)$ denote a prover that is successful in the Σψ⁺-protocol with probability at least $1/(c^+ + 1) + 1/\mathrm{poly}(k)$. Then M is an algorithm given black-box access to $P^*((\psi_E, y), \gamma)$ that proceeds as follows:

1. Choose uniformly at random a sufficiently long random input ζ for $P^*((\psi_E, y), \gamma)$, choose an auxiliary function $\vartheta_{l+1} \leftarrow D_{PPG}(k, l+1)$, and $c \leftarrow_U C$. Then run the Σψ⁺-protocol with $P^*((\psi_E, y), \gamma)$ using ζ and $\vartheta_{l+1}$ as P*'s respective inputs and with c being the verifier's challenge. W.l.o.g. we let the tuple $((\tilde{y}, t, \tilde{t}), c, (s, \tilde{s}))$ denote the corresponding messages exchanged in the protocol. We call such a tuple accepting if it fulfills the verifier's equations in the last step of the Σψ⁺-protocol. Now, if the above tuple is accepting, then M proceeds to phase 2 of its computation; otherwise it halts.

2. Choose $c' \leftarrow_U C \setminus \{c\}$ and then run the Σψ⁺-protocol as above using $((\zeta, \vartheta_{l+1}), c')$. W.l.o.g. we let the tuple $((\tilde{y}', t', \tilde{t}'), c', (s', \tilde{s}'))$ denote the corresponding messages exchanged in the protocol. Since here and in phase 1 $(\zeta, \vartheta_{l+1})$ are the same, we have $\tilde{y}' = \tilde{y}$, $t' = t$, and $\tilde{t}' = \tilde{t}$. Clearly we have $c' \ne c$. If the above tuple is accepting, then M proceeds; otherwise it halts. Then it sets $\Delta c := c' - c$, $\Delta s := s' - s$, and $\Delta\tilde{s} := \tilde{s}' - \tilde{s}$ (i.e., $\Delta s = (\Delta s_1, \dots, \Delta s_l) = (s_1' - s_1, \dots, s_l' - s_l)$). Using that $((\tilde{y}, t, \tilde{t}), c, (s, \tilde{s}))$ and $((\tilde{y}', t', \tilde{t}'), c', (s', \tilde{s}'))$ are accepting, it is easy to see that $(\Delta c, \Delta s + \Delta c\,\bar{x})$ is a pseudo-preimage of y under $\psi_E$ and that $(\Delta c, (\Delta s + \Delta c\,\bar{x}, \Delta\tilde{s}))$ is a pseudo-preimage of $\tilde{y}$ under $\vartheta_{l+1}$.

3. If we assume that $(\Delta c, (\Delta s + \Delta c\,\bar{x}, \Delta\tilde{s}))$ is a divisible pseudo-preimage of $\tilde{y}$ under $\vartheta_{l+1}$, then $(\Delta c, \Delta s + \Delta c\,\bar{x})$ is a divisible pseudo-preimage of y under $\psi_E$. Since $\Delta c \in \{1, c^+\}$ and as by assumption $c^+$ is smaller than the smallest prime factor of $|\mathrm{image}(\psi_E)|$, we have $\gcd(\Delta c, |\mathrm{image}(\psi_E)|) = 1$. Thus, by Corollary 3.2, M can compute a preimage of y under $\psi_E$.

Let us analyze the success probability of M. To this end we note that the probability space underlying the Σψ⁺-protocol consists of pairs $((\zeta, \vartheta_{l+1}), c)$. In analogy to §4.2.1, where we have considered the Σψ-protocol, we associate an acceptance matrix M with the prover $P^*((\psi_E, y), \gamma)$. It has one row for each possible $(\zeta, \vartheta_{l+1})$ and columns indexed by the possible challenges c in C. The matrix contains a 1 if the verifier accepts $P^*((\psi_E, y), \gamma)$ with input $(\zeta, \vartheta_{l+1})$ and for the challenge c, and a 0 otherwise. We now see that the algorithm M described above plays the collision game on the acceptance matrix M. That is, M is successful in phase 1 and phase 2 of its computation if it is successful in the collision game on the acceptance matrix M. Thus, using Cramer's Lemma 6.1 and that $P^*((\psi_E, y), \gamma)$ is successful with probability at least $1/(c^+ + 1) + 1/\mathrm{poly}(k)$, M is successful in finding pseudo-preimages with probability at least $(1/(c^+ + 1) + 1/\mathrm{poly}(k)) \cdot 1/\mathrm{poly}(k)$. We note that this is a noticeable probability and that M runs in probabilistic polynomial time.

It remains to consider phase 3 of M's computation. By contradiction we assume that M fails with non-negligible probability in phase 3. That is, with non-negligible probability the pseudo-preimage $(\Delta c, (\Delta s + \Delta c\,\bar{x}, \Delta\tilde{s}))$ found by M is a non-divisible pseudo-preimage of $\tilde{y}$ under $\vartheta_{l+1}$. This implies that M is a probabilistic polynomial-time algorithm that solves the PPGEN-QRN problem. Since the instances $\vartheta_{l+1}$ of the PPGEN-QRN problem are chosen using the hard generator $D_{PPG}(k, l+1)$, we get by Corollary 3.6 a contradiction to the strong RSA assumption. Hence $(\Delta c, (\Delta s + \Delta c\,\bar{x}, \Delta\tilde{s}))$ is a divisible pseudo-preimage. This analysis shows that under the strong RSA assumption M finds a required preimage of y under $\psi_E$ with noticeable probability and in polynomial time.

Thus, by repeating M sufficiently many times we get a knowledge extractor for the Σψ⁺-protocol as required by Definition 6.2.
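As an added illustration (not code from the thesis), the following Python toy run implements Figure 6.1 for $\psi_E(x_1, x_2) = h_1^{x_1} h_2^{x_2}$ over a small constructed RSA modulus and then performs phases 2 and 3 of the extractor above: two accepting transcripts with the same prover randomness and different challenges are combined into the pseudo-preimages $(\Delta c, \Delta s + \Delta c\,\bar{x})$ and $(\Delta c, (\Delta s + \Delta c\,\bar{x}, \Delta\tilde{s}))$, and a divisible pseudo-preimage is divided out to recover x. The modulus, generators, $c^+$, $k_s$, $\bar{x}$ and $\Delta x$ are constructed demo values with no security, and the stand-in for $D_{PPG}$ simply picks $g_i = g^{\rho_i}$ for a random square g (Python 3.8+ is assumed for modular inverses via pow).

```python
import secrets
from math import gcd

# Constructed demo parameters (no security): n = 1019 * 1187 with safe primes, so the
# squares mod n form a hidden-order group of order 509 * 593 and c+ < 509, its smallest
# prime factor, as Theorem 6.4 requires.
N = 1019 * 1187
L = 2                      # number of exponents l
C_PLUS = 100               # challenge set C = {0, ..., c+}
K_S = 16                   # auxiliary security parameter k_s
X_BAR = [50, 50]           # centre x̄ of G
DX = [50, 50]              # half-widths Δx_i of G, i.e. G_i = {x̄_i - Δx_i, x̄_i + Δx_i}

def rand_range(lo, hi):
    """Uniform integer in the closed interval {lo, hi} (thesis notation)."""
    return lo + secrets.randbelow(hi - lo + 1)

def rand_unit():
    """Random element of Z_n^*, used as a base for generators."""
    a = rand_range(2, N - 2)
    return a if gcd(a, N) == 1 else rand_unit()

def psi_E(h, xs):
    """ψ_E(x_1,...,x_l) = h_1^x_1 · ... · h_l^x_l mod n (negative exponents via inverses)."""
    acc = 1
    for hi, xi in zip(h, xs):
        acc = acc * pow(hi, xi, N) % N
    return acc

def theta(th, zs, z_t):
    """ϑ_{l+1}(z_1,...,z_l, z̃) = g_1^z_1 · ... · g_l^z_l · g^z̃ mod n, with th = ([g_1..g_l], g)."""
    g_list, g = th
    return psi_E(g_list, zs) * pow(g, z_t, N) % N

def hiding_theta(l):
    """Stand-in for D_PPG(k, l+1): g a random square and g_i = g^ρ_i, so g_i ∈ <g>."""
    g = pow(rand_unit(), 2, N)
    return ([pow(g, rand_range(1, N), N) for _ in range(l)], g)

def prover_step1(h, th, x):
    """Step 1: pick x̃, r, r̃ and send (ỹ, t, t̃); keep the randomness for step 3."""
    x_t = rand_range(0, 2**K_S * N)
    y_t = theta(th, x, x_t)
    r = [rand_range(-2**K_S * C_PLUS * d, 2**K_S * C_PLUS * d) for d in DX]   # r ← G'
    r_t = rand_range(-2**(2 * K_S) * C_PLUS * N, 2**(2 * K_S) * C_PLUS * N)
    return (y_t, psi_E(h, r), theta(th, r, r_t)), (x_t, r, r_t)

def prover_step3(state, x, c):
    """Step 3: s = r + c(x - x̄) and s̃ = r̃ + c x̃."""
    x_t, r, r_t = state
    return [ri + c * (xi - xb) for ri, xi, xb in zip(r, x, X_BAR)], r_t + c * x_t

def verify(h, th, y, msg1, c, resp):
    """Step 4: ψ_E(s + c x̄) = t y^c and ϑ_{l+1}(s + c x̄, s̃) = t̃ ỹ^c."""
    y_t, t, t_t = msg1
    s, s_t = resp
    shifted = [si + c * xb for si, xb in zip(s, X_BAR)]
    return (psi_E(h, shifted) == t * pow(y, c, N) % N
            and theta(th, shifted, s_t) == t_t * pow(y_t, c, N) % N)

def extract(h, th, y, msg1, c1, resp1, c2, resp2):
    """Extractor phases 2-3: two accepting transcripts with the same first message
    give the pseudo-preimages (Δc, Δs + Δc x̄) of y and (Δc, (Δs + Δc x̄, Δs̃)) of ỹ.
    If they are divisible, dividing by Δc yields a preimage of y under ψ_E."""
    y_t = msg1[0]
    dc = c2 - c1
    shifted = [(a - b) + dc * xb for a, b, xb in zip(resp2[0], resp1[0], X_BAR)]
    ds_t = resp2[1] - resp1[1]
    if psi_E(h, shifted) != pow(y, dc, N) or theta(th, shifted, ds_t) != pow(y_t, dc, N):
        raise ValueError("the two transcripts are not both accepting")
    if ds_t % dc or any(d % dc for d in shifted):
        return None   # non-divisible pseudo-preimage: would solve PPGEN-QRN (strong RSA)
    return [d // dc for d in shifted]

def demo():
    """Honest run, then a rewind with the same prover randomness and a challenge c' ≠ c."""
    h = [pow(rand_unit(), 2, N) for _ in range(L)]
    th = hiding_theta(L)
    x = [rand_range(xb - d, xb + d) for xb, d in zip(X_BAR, DX)]    # witness x ∈ G
    y = psi_E(h, x)
    msg1, state = prover_step1(h, th, x)
    c = rand_range(0, C_PLUS)
    accepted = verify(h, th, y, msg1, c, prover_step3(state, x, c))
    c2 = (c + rand_range(1, C_PLUS)) % (C_PLUS + 1)                 # c' ∈ C \ {c}
    x_star = extract(h, th, y, msg1, c, prover_step3(state, x, c), c2, prover_step3(state, x, c2))
    return accepted, x_star == x and psi_E(h, x_star) == y
```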

We note that the condition required in Theorem 6.4 for the Σψ⁺-protocol to be a proof of knowledge in the auxiliary string model (i.e., that the upper bound $c^+$ of the challenge set $C := \{0, c^+\}$ is less than the smallest prime factor of $|\mathrm{image}(\psi_E)|$) is independent of whether the prover or the verifier know $|\mathrm{image}(\psi_E)|$ or any other information on the order of the co-domain H of $\psi_E$. Thus, the Σψ⁺-protocol is also a proof of knowledge for exponentiation homomorphisms in hidden order groups.

6.3.2.1 How to choose the auxiliary $\vartheta_m$-function in practice

In applications of the Σψ⁺-protocol as a building block of higher level systems, the question arises how we can assert that the auxiliary $\vartheta_{l+1}$-functions are chosen with the correct distribution. The answer to this question depends on the application scenario in which the Σψ⁺-protocol is used, and hence it cannot be answered in general. Yet, loosely speaking, the following typical application scenarios occur:

– A trusted third party chooses $\vartheta_{l+1}$ with the correct distribution (i.e., using the generator $D_{PPG}(k, l+1)$), and makes $\vartheta_{l+1}$ available to the prover and the verifier in the Σψ⁺-protocol.

– The prover and the verifier jointly choose $\vartheta_{l+1}$ in a setup protocol prior to running the Σψ⁺-protocol.

In the following we consider the latter case and describe a corresponding setup protocol. To this end we introduce the following notation:

– First we need a handy notation to refer to interactive proofs. Let a group H and $h_1, \dots, h_l, h \in H$ be given such that $h_1, \dots, h_l \in \langle h \rangle$. Then

  SZK-IP($h_1 \in \langle h \rangle \wedge \dots \wedge h_l \in \langle h \rangle$)    (6.4)

  denotes a statistical zero-knowledge interactive proof demonstrating that $h_1, \dots, h_l$ are elements of the cyclic group $\langle h \rangle$. (Formally, this is an interactive proof for the language consisting of the elements of $\langle h \rangle$.) By Theorem 4.1 and Theorem 4.5, the Σψ-protocol with challenge set $C := \{0, 1\}$ can be used to implement the interactive proof (6.4) with soundness error 1/2. Hence, by sequentially repeating the protocol sufficiently many times one can realize the interactive proof (6.4) with a negligible soundness error. We note that to carry out the proof (6.4), the prover needs to be given the discrete logarithms $e_1, \dots, e_l$ such that $h_1 = h^{e_1}, \dots, h_l = h^{e_l}$.

– Let $D_{PPG}(k, l+1)$ be the hard generator (see Corollary 3.6) for the PPGEN-QRN problem defined in §3.3. Then $\tilde{D}_{PPG}(k, l+1)$ is a generator that is defined exactly the same as $D_{PPG}(k, l+1)$, except that additionally to a description of $\vartheta_{l+1}$ (i.e., a modulus n and $g_1, \dots, g_l, g \in \mathbb{Z}_n^*$ such that $\vartheta_{l+1}(z_1, \dots, z_{l+1}) := g_1^{z_1} \cdot \dots \cdot g_l^{z_l} \cdot g^{z_{l+1}}$) it outputs the discrete logarithms $\rho_1, \dots, \rho_l$ that occur in the computation of $D_{PPG}(k, l+1)$ and fulfill $g_1 = g^{\rho_1}, \dots, g_l = g^{\rho_l}$.

Using this notation we define a setup protocol that allows the prover and the verifier to jointly choose an auxiliary $\vartheta_{l+1}$-function.

Definition 6.5 (Damgaard-Fujisaki (DF) setup protocol) If l ≥ 1 is an integer parameter, then a DF setup protocol consists of (P,V ) performing the joint computation described in Figure 6.2.

P(l) and V(l) perform the following steps:

1. V: $(\vartheta_{l+1}, (\rho_1, \dots, \rho_l)) \leftarrow \tilde{D}_{PPG}(k, l+1)$.
   V → P: $\vartheta_{l+1}$
2. P, in the role of the verifier, and V, in the role of the prover, compute SZK-IP($g_1 \in \langle g \rangle \wedge \dots \wedge g_l \in \langle g \rangle$).
3. P: if the SZK-IP(·) protocol in step 2 is accepting, then output $\vartheta_{l+1}$.
   V: output $\vartheta_{l+1}$.

Fig. 6.2. Description of the DF setup sub-protocol.

The protocol is a slightly enhanced version of the setup protocol used in the DF scheme (see §4.5), and therefore we call it the DF setup protocol. Let us assume that the prover and the verifier choose $\vartheta_{l+1}$ using the DF setup protocol and then execute the Σψ⁺-protocol with the auxiliary $\vartheta_{l+1}$-function. Formally, the use of a setup protocol to choose an auxiliary $\vartheta_{l+1}$-function is outside of the definitional scope under which Theorem 6.3 and Theorem 6.4 are derived. Hence, we need to convince ourselves that Theorem 6.3 and Theorem 6.4 still hold when we choose $\vartheta_{l+1}$ using the DF setup protocol. To this end we make the following observations:

– For the proof of knowledge property, we may assume that V is honest, while $P^*((\psi_E, y), \gamma)$ possibly is dishonest. In this case $\vartheta_{l+1}$ is chosen with the correct distribution by V. Moreover, since step 2 in the DF setup protocol is statistical zero-knowledge, $P^*((\psi_E, y), \gamma)$ does not learn anything but $\vartheta_{l+1}$. Hence, loosely speaking, from $P^*((\psi_E, y), \gamma)$'s point of view choosing $\vartheta_{l+1}$ using the DF setup protocol is equivalent to choosing $\vartheta_{l+1}$ using the prescribed generator $D_{PPG}(k, l+1)$. Thus, the preconditions of Theorem 6.4 hold and the proof of knowledge property in the auxiliary string model follows.

– For the zero-knowledge property we may assume that P is honest, while V* possibly is dishonest. It is easy to see that the DF setup protocol itself is zero-knowledge. However, when V* is dishonest then the $\vartheta_{l+1}$ chosen by V* in the DF setup protocol possibly is not a hiding $\vartheta_{l+1}$-function (i.e., possibly we have $\vartheta_{l+1}(z_1, \dots, z_{l+1}) = g_1^{z_1} \cdot \dots \cdot g_l^{z_l} g^{z_{l+1}}$ with some $g_i \notin \langle g \rangle$). Hence, the preconditions of Theorem 6.3 do not hold and the Σψ⁺-protocol with auxiliary $\vartheta_{l+1}$ is no longer zero-knowledge. However, this bad case only occurs with negligible probability, i.e., the soundness error of the interactive proof carried out in step 2 of the DF setup protocol. Moreover, if we consider the DF setup protocol together with the Σψ⁺-protocol as a single protocol, then it is not difficult to see that the aggregate protocol is (honest verifier) statistical zero-knowledge (under the same conditions as formulated in Theorem 6.3).

6.3.2.2 Discussion

In the following we discuss various aspects of proofs of knowledge in the auxiliary string model using the Σψ⁺-protocol.

Use in practice. So far we have assumed that an auxiliary $\vartheta_{l+1}$-function is only used for a single proof of knowledge using the Σψ⁺-protocol. Yet, in most practical applications of proofs of knowledge based on the Σψ⁺-protocol it is sufficient to choose a single auxiliary $\vartheta_{l+1}$-function "once and for all". Then the Σψ⁺-protocol with the auxiliary $\vartheta_{l+1}$ can be used arbitrarily often to get a proof of knowledge for an exponentiation homomorphism $\psi_E : \mathbb{Z}^l \to H$. Moreover, it is straightforward to modify the Σψ⁺-protocol such that, given an auxiliary $\vartheta_m$-function, the Σψ⁺-protocol works for all exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$ with l ≤ m − 1. In summary, choosing a single $\vartheta_m$-function is sufficient to get arbitrarily many proofs of knowledge (in the auxiliary string model) for any exponentiation homomorphism $\psi_E : \mathbb{Z}^l \to H$ with l ≤ m − 1.

Efficiency. The computation and communication cost of the Σψ⁺-protocol is easily seen to be roughly twice the respective cost of the Σψ-protocol. For exponentiation homomorphisms in hidden order groups the Σψ⁺-protocol yields considerably more efficient proofs of knowledge than the Σψ-protocol. The reason is that (in a single execution) the Σψ⁺-protocol can achieve a small knowledge error for such homomorphisms, while the MS knowledge error of the Σψ-protocol is 1/2.

In the case where the auxiliary $\vartheta_{l+1}$-function of the Σψ⁺-protocol is chosen using the DF setup protocol, the cost of the latter also needs to be taken into account. Unfortunately, the DF setup protocol is rather inefficient, since step 2 of the protocol consists of an interactive proof using the sequentially repeated Σψ-protocol with soundness error 1/2. Hence, if the DF setup protocol is used, then proofs of knowledge using the Σψ⁺-protocol are only efficient in application scenarios where the cost of the DF setup protocol does not matter. Note that basically the same restriction also applies to the DF scheme. The existence of a large number of applications based on the DF scheme suggests that this restriction can be met in a large number of practical applications.

Relation to the DF scheme. Technically, the construction of the Σψ⁺-protocol takes up and extends ideas underlying the DF scheme. That is, similarly to the DF scheme, the knowledge extractor of the Σψ⁺-protocol is also based on the hardness of the PPGEN-QRN problem. Additionally, if we assume that the auxiliary $\vartheta_{l+1}$-function is chosen using the DF setup protocol, then the DF scheme and the Σψ⁺-protocol both consist of the same setup protocol, which is followed by a "proof protocol"; in the former case it is the Σψ-protocol, in the latter it is the Σψ⁺-protocol.

Yet, while both schemes, loosely speaking, look similar, they are quite different from a definitional point of view, and most of all, they solve quite different problems. On the one hand, the Σψ⁺-protocol is an efficient proof of knowledge in the auxiliary string model that works for any exponentiation homomorphism. On the other hand, the DF scheme is a commitment scheme which allows one to demonstrate knowledge of a commitment opening (where the commitment function being used is an exponentiation homomorphism in RSA groups). It only works for the specific commitment function underlying the DF scheme, assuming that it is chosen with a certain probability distribution. In particular, it does not yield proofs of knowledge (in the auxiliary string model).

6.3.3 The Σψ⁺-WS-protocol

We have seen in the preceding section that proofs of knowledge using the Σψ⁺-protocol are only efficient in application scenarios where the cost of the DF setup protocol does not matter. In this section we describe the Σψ⁺-WS-protocol (the Σψ⁺-Without-Setup-protocol), which is a variant of the Σψ⁺-protocol that works without the DF setup protocol and thus gets rid of the associated efficiency limitations. Moreover, unlike the Σψ⁺-protocol, the Σψ⁺-WS-protocol yields standard proofs of knowledge. Loosely speaking, the price we have to pay for these advantages is that the Σψ⁺-WS-protocol is a zero-knowledge proof of knowledge only in the so-called random oracle model (i.e., an ideal hash function model).

The construction of the Σψ⁺-WS-protocol makes use of hash functions. A hash function is a mapping $\chi : \{0,1\}^{l_d} \to \{0,1\}^{l_c}$, where $l_d := l_d(k)$, $l_c := l_c(k)$, and $l_d > l_c$. The typical security properties of hash functions are:

– χ is one-way if, given a $y \in \{0,1\}^{l_c}$, it is hard to compute an $x \in \{0,1\}^{l_d}$ such that $y = \chi(x)$.
– χ is collision resistant if it is hard to compute $x, x' \in \{0,1\}^*$ such that $x \ne x'$ and $\chi(x) = \chi(x')$.

Various very efficient implementations of hash functions with these properties are known. For further reading we refer to an overview of hash functions by Preneel [Pre97, Pre99].

The random oracle model, introduced by Bellare and Rogaway [BR93], models ideal hash functions. Algorithms in this model are given access to the random oracle, which implements an ideal hash function as follows: Let $x \in \{0,1\}^{l_d}$ denote a hash query issued to the random oracle. If the query x has been issued to the random oracle earlier, then it replies with the same $y \in \{0,1\}^{l_c}$ as before. If the query x has not been issued before, then it replies with $y \leftarrow_U \{0,1\}^{l_c}$.

The random oracle model is known to be an overly strong model in the sense that no real hash function can implement the model. Yet, it is the widely used standard model for the security analysis of cryptographic constructions that make use of hash functions.

In the following definition of the Σψ⁺-WS-protocol we reuse the notation we have introduced in the section on the Σψ⁺-protocol. Moreover, we make use of the following notation:

– By "⊕" we denote the string concatenation operation.
– If H is a group, then $\mathrm{EncLen}^+(H)$ is an upper bound on the length of the binary encoding of elements of H.

Definition 6.6 (Σψ⁺-WS-protocol) Let Ψ be a collection of exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$. Let $((\psi_E, y), x) \in R[\Psi(k)]$ with $x \in G$. Let a hash function $\chi : \{0,1\}^{l_d} \to \{0,1\}^{l_c}$ be given such that $l_d > \mathrm{EncLen}^+(H)$. A Σψ⁺-WS-protocol with challenge set $C := \{0, c^+\}$ consists of (P, V) performing the joint computation described in Figure 6.3.

The Σψ⁺-WS-protocol has the following zero-knowledge properties.

Theorem 6.5 (Zero-knowledge properties of the Σψ⁺-WS-protocol) In the random oracle model, the Σψ⁺-WS-protocol with challenge set $C := \{0, c^+\}$ has the following properties:

(a) It is statistical honest-verifier zero-knowledge.
(b) If $|C(k)| \le \mathrm{poly}(k)$, where poly(·) is an arbitrary polynomial, then it is statistical zero-knowledge.

The proof of this theorem is left to the reader, since it largely consists of a repetition of the arguments given in the proof of Theorem 6.3. Yet, there are two important observations that one will use in the proof:

$P((\psi_E, y), x)$ and $V(\psi_E, y)$ perform the following steps:

1. V: $(\vartheta_{l+1}, (\rho_1, \dots, \rho_l)) \leftarrow \tilde{D}_{PPG}(k, l+1)$ with $\vartheta_{l+1}(z_1, \dots, z_{l+1}) := g_1^{z_1} \cdot \dots \cdot g_l^{z_l} g^{z_{l+1}}$ and $g_1, \dots, g_l, g \in \mathbb{Z}_n^*$.
   V → P: $\vartheta_{l+1}$
2. P: $\tilde{x} \leftarrow_U \{0, 2^{k_s} n\}$; $\tilde{y} := \vartheta_{l+1}(x, \tilde{x})$; $r \leftarrow_U G'$; $\tilde{r} \leftarrow_U \{-2^{2k_s} c^+ n,\ 2^{2k_s} c^+ n\}$; $t := \psi_E(r)$; $\tilde{t} := \vartheta_{l+1}(r, \tilde{r})$; choose $r_H \leftarrow_U \{0,1\}^{l_d}$; $K := \chi(\tilde{t} \oplus \tilde{y} \oplus r_H)$.
   P → V: $(K, t)$
3. V: $c \leftarrow_U C := \{0, c^+\}$.
   V → P: $c$
4. P: $s := r + c(x - \bar{x})$; $\tilde{s} := \tilde{r} + c\tilde{x}$.
   P → V: $(s, \tilde{s})$
5. V → P: $(\rho_1, \dots, \rho_l)$
6. P: if there is an $i \in \{1, l\}$ such that $g_i \ne g^{\rho_i}$, then halt; else continue.
   P → V: $(\tilde{t}, \tilde{y}, r_H)$
7. V: if $K = \chi(\tilde{t} \oplus \tilde{y} \oplus r_H)$, $\psi_E(s + c\bar{x}) = t\,y^c$, and $\vartheta_{l+1}(s + c\bar{x}, \tilde{s}) = \tilde{t}\,\tilde{y}^c$, then output 1; else output 0.

Fig. 6.3. Description of the Σψ⁺-WS-protocol.

– The string $r_H$ in step 2 of the Σψ⁺-WS-protocol is uniformly and randomly chosen from the domain of the hash function χ. In the random oracle model this implies that, over the choices of $r_H$, $K := \chi(\tilde{t} \oplus \tilde{y} \oplus r_H)$ is distributed independently of the values of $\tilde{t}$ and $\tilde{y}$.

– The checks in step 6 of the Σψ⁺-WS-protocol assert that the $\vartheta_{l+1}$-function sent by a possibly dishonest verifier in step 1 is hiding. The prover only sends the quantities $\tilde{t}$ and $\tilde{y}$ computed using $\vartheta_{l+1}$ to the verifier after it has asserted that the $\vartheta_{l+1}$-function is hiding.

We also claim without proof that, using the construction by Damgaard [Dam00], the Σψ⁺-WS-protocol can be turned into a concurrent zero-knowledge protocol. Next we describe the proof of knowledge property of the Σψ⁺-WS-protocol.

Theorem 6.6 (Proof of knowledge property of the Σψ⁺-WS-protocol) Let Ψ denote a collection of exponentiation homomorphisms $\psi_E : \mathbb{Z}^l \to H$, and consider the Σψ⁺-WS-protocol with challenge set $C := \{0, c^+\}$. In the random oracle model the Σψ⁺-WS-protocol is a computational proof of knowledge for R[Ψ] if for $\psi_E \in \Psi(k)$, $c^+$ is smaller than the smallest prime factor of $|\mathrm{image}(\psi_E)|$. The knowledge error is $1/(c^+ + 1) + 1/\mathrm{poly}(k)$, where poly(·) is an arbitrary polynomial, and the computational validity property holds under the strong RSA assumption.

Proof (sketch). Let $P^*((\psi_E, y), \gamma)$ denote a prover that is successful in the Σψ⁺-WS-protocol with probability at least $1/(c^+ + 1) + 1/\mathrm{poly}(k)$. In the following we construct a knowledge extractor M for the Σψ⁺-WS-protocol that works in the random oracle model. That is, evaluations of the hash function χ are performed by a random oracle which is controlled by M. Now, M is an algorithm given black-box access to $P^*((\psi_E, y), \gamma)$ that proceeds as follows:

Choose uniformly at random a sufficiently long random input ζ for $P^*((\psi_E, y), \gamma)$, choose an auxiliary function $\vartheta_{l+1} \leftarrow D_{PPG}(k, l+1)$, and $c \leftarrow_U C$. Then run the Σψ⁺-WS-protocol with $P^*((\psi_E, y), \gamma)$ using ζ as P*'s random input and with $\vartheta_{l+1}$ and c being the messages sent by the verifier in steps 1 and 3 of the Σψ⁺-WS-protocol. Instead of running the protocol to the end (i.e., step 7), M halts after step 4 of the Σψ⁺-WS-protocol. Since we are in the random oracle model, M gets to see the argument to the hash function χ, i.e., $\tilde{t}$ and $\tilde{y}$. Hence, w.l.o.g. we let the tuple $((\tilde{y}, t, \tilde{t}), c, (s, \tilde{s}))$ denote the messages M gets to see until step 4. If $\psi_E(s + c\bar{x}) = t\,y^c$ and $\vartheta_{l+1}(s + c\bar{x}, \tilde{s}) = \tilde{t}\,\tilde{y}^c$, then M proceeds to the next phase; otherwise it halts. If a tuple fulfills these equations, then we call it accepting.

Next, M chooses $c' \leftarrow_U C \setminus \{c\}$ and then runs the Σψ⁺-WS-protocol as above until step 4 using $(\zeta, (\vartheta_{l+1}, c'))$. W.l.o.g. we let $((\tilde{y}', t', \tilde{t}'), c', (s', \tilde{s}'))$ denote the corresponding tuple M gets to see. If the tuple is accepting, then M proceeds; otherwise it halts. Since here and above $(\zeta, \vartheta_{l+1})$ are the same, we have $\tilde{y}' = \tilde{y}$, $t' = t$, and $\tilde{t}' = \tilde{t}$. By construction of M, we have $c' \ne c$. We can now easily see that M gets exactly the same information as in the proof of Theorem 6.4. Thus M can proceed by performing the same steps as the knowledge extractor described there to obtain a preimage of y under $\psi_E$.

It remains to check the success probability of M. An important observation is that the probability that M can find an accepting tuple $((\tilde{y}, t, \tilde{t}), c, (s, \tilde{s}))$ is at least $1/(c^+ + 1) + 1/\mathrm{poly}(k)$. In fact, this immediately follows since these accepting tuples fulfill the second and the third of the verification equations in step 7 of the Σψ⁺-WS-protocol, and as by assumption P* is successful with probability at least $1/(c^+ + 1) + 1/\mathrm{poly}(k)$. Using this observation, the analysis of the success probability of M is essentially identical to the one of the knowledge extractor in Theorem 6.4. Following that analysis it is straightforward to establish that M is a knowledge extractor of the Σψ⁺-WS-protocol, and that the claim of the theorem follows.
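As an added illustration (not code from the thesis), the following Python toy run implements Figure 6.3 with χ modelled as a programmable random oracle that keeps a query log, which makes the two observations following Theorem 6.5 and the extractor's view in the proof sketch above visible in code: the prover's step-6 check refuses to open $(\tilde{t}, \tilde{y}, r_H)$ when a dishonest verifier sends a non-hiding $\vartheta_{l+1}$, and an extractor reads $(\tilde{t}, \tilde{y})$ off the oracle log after step 4 without the protocol ever reaching step 6. The modulus, generators, parameter sizes and the $\tilde{D}_{PPG}$ stand-in are constructed demo values with no security.

```python
import secrets
from math import gcd

# Constructed demo parameters (no security): n = p*q with safe primes p = 1019, q = 1187
# (both ≡ 3 mod 4, so -1 is a non-square and <g> ⊆ QR_n for any square g).
N = 1019 * 1187
L = 2                          # number of exponents l
C_PLUS = 100                   # challenge set C = {0, ..., c+}, c+ < 509
K_S = 16                       # auxiliary security parameter k_s
X_BAR, DX = [50, 50], [50, 50] # centre and half-widths of G
L_D, L_C = 64, 128             # bit lengths of r_H (oracle input) and of the oracle output

class RandomOracle:
    """Ideal hash χ: fresh uniform l_c-bit value per new query, replayed on repeats."""
    def __init__(self):
        self.table, self.log = {}, []   # the log is what an extractor 'gets to see'
    def query(self, *parts):
        key = b"\x1f".join(str(p).encode() for p in parts)   # "⊕": concatenation
        self.log.append(parts)
        if key not in self.table:
            self.table[key] = secrets.randbits(L_C)
        return self.table[key]

def rand_range(lo, hi):
    return lo + secrets.randbelow(hi - lo + 1)

def rand_unit():
    a = rand_range(2, N - 2)
    return a if gcd(a, N) == 1 else rand_unit()

def psi_E(h, xs):
    """ψ_E(x_1,...,x_l) = h_1^x_1 · ... · h_l^x_l mod n."""
    acc = 1
    for hi, xi in zip(h, xs):
        acc = acc * pow(hi, xi, N) % N
    return acc

def theta(th, zs, z_t):
    """ϑ_{l+1}(z_1,...,z_l, z̃) = g_1^z_1 · ... · g_l^z_l · g^z̃ mod n, th = ([g_1..g_l], g)."""
    g_list, g = th
    return psi_E(g_list, zs) * pow(g, z_t, N) % N

def verifier_step1(l, honest=True):
    """Step 1, stand-in for D̃_PPG: g a square, g_i = g^ρ_i, and the ρ_i kept for step 5.
    A dishonest verifier replaces g_1 by -g_1, a non-square, so g_1 ∉ <g> (not hiding)."""
    g = pow(rand_unit(), 2, N)
    rhos = [rand_range(1, N) for _ in range(l)]
    g_list = [pow(g, r, N) for r in rhos]
    if not honest:
        g_list[0] = N - g_list[0]
    return (g_list, g), rhos

def prover_step2(oracle, h, th, x):
    """Step 2: commit to (t̃, ỹ) via K = χ(t̃ ⊕ ỹ ⊕ r_H) and send only (K, t)."""
    x_t = rand_range(0, 2**K_S * N)
    y_t = theta(th, x, x_t)
    r = [rand_range(-2**K_S * C_PLUS * d, 2**K_S * C_PLUS * d) for d in DX]   # r ← G'
    r_t = rand_range(-2**(2 * K_S) * C_PLUS * N, 2**(2 * K_S) * C_PLUS * N)
    t, t_t = psi_E(h, r), theta(th, r, r_t)
    r_h = secrets.randbits(L_D)
    K = oracle.query(t_t, y_t, r_h)
    return (K, t), dict(x_t=x_t, r=r, r_t=r_t, t_t=t_t, y_t=y_t, r_h=r_h)

def prover_step4(st, x, c):
    """Step 4: s = r + c(x - x̄), s̃ = r̃ + c x̃."""
    s = [ri + c * (xi - xb) for ri, xi, xb in zip(st["r"], x, X_BAR)]
    return s, st["r_t"] + c * st["x_t"]

def prover_step6(st, th, rhos):
    """Step 6: open (t̃, ỹ, r_H) only if every g_i = g^ρ_i, i.e. ϑ_{l+1} is hiding."""
    g_list, g = th
    if any(gi != pow(g, ri, N) for gi, ri in zip(g_list, rhos)):
        return None            # halt: nothing computed with ϑ_{l+1} leaves the prover
    return st["t_t"], st["y_t"], st["r_h"]

def verifier_step7(oracle, h, th, y, K, t, c, resp, opening):
    """Step 7: the commitment check plus the two Σψ⁺ verification equations."""
    t_t, y_t, r_h = opening
    s, s_t = resp
    shifted = [si + c * xb for si, xb in zip(s, X_BAR)]
    return (K == oracle.query(t_t, y_t, r_h)
            and psi_E(h, shifted) == t * pow(y, c, N) % N
            and theta(th, shifted, s_t) == t_t * pow(y_t, c, N) % N)

def run(honest_verifier=True):
    """One execution; returns (accepted, prover_opened, (t̃, ỹ) as read off the oracle log)."""
    oracle = RandomOracle()
    h = [pow(rand_unit(), 2, N) for _ in range(L)]
    x = [rand_range(xb - d, xb + d) for xb, d in zip(X_BAR, DX)]
    y = psi_E(h, x)
    th, rhos = verifier_step1(L, honest_verifier)                 # step 1
    (K, t), st = prover_step2(oracle, h, th, x)                   # step 2
    c = rand_range(0, C_PLUS)                                      # step 3
    resp = prover_step4(st, x, c)                                  # step 4
    view = oracle.log[-1][:2]        # extractor M of Theorem 6.6 halts here, knowing (t̃, ỹ)
    opening = prover_step6(st, th, rhos)                           # steps 5-6
    if opening is None:
        return False, False, view
    return verifier_step7(oracle, h, th, y, K, t, c, resp, opening), True, view
```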

We see that the Σψ⁺-WS-protocol is a proof of knowledge and not only a proof of knowledge in the auxiliary string model as the Σψ⁺-protocol. The reason is that in the Σψ⁺-WS-protocol the auxiliary ϑ_{l+1}-function is chosen within the protocol and hence no auxiliary input, as in the Σψ⁺-protocol, is required. Otherwise, the Σψ⁺-WS-protocol is a proof of knowledge for the same exponentiation homomorphisms and under exactly the same conditions as the Σψ⁺-protocol is a proof of knowledge in the auxiliary string model. Hence, the Σψ⁺-WS-protocol enjoys the same wide applicability to a large number of exponentiation homomorphisms as the Σψ⁺-protocol.

Let us compare the efficiency of the Σψ⁺-protocol with the efficiency of the Σψ⁺-WS-protocol when applied to the same exponentiation homomorphism ψE. To this end, we first compare the total cost of one execution of the DF setup protocol together with one execution of the Σψ⁺-protocol against the cost of one execution of the Σψ⁺-WS-protocol. Let us look at the computation cost first: Neglecting the cost of hash function evaluation, we see that the computation costs of steps 1, 2, 3, 4, and 7 in the Σψ⁺-WS-protocol equally occur in step 1 of the DF setup protocol and the steps 1, 2, 3, and 4 in the Σψ⁺-protocol. Hence, the difference in computational cost between the two protocols is determined by the difference of the cost of step 6 in the Σψ⁺-WS-protocol and the one of step 2 in the DF setup protocol. The cost of the former is l exponentiations, whereas the cost of the latter is the one of the sequentially repeated Σψ-protocol. In practice, the number of sequential repetitions of the Σψ-protocol typically is 80 (to achieve a soundness error of 1/2^80), and hence we can neglect the former cost compared to the latter. In summary, we see that (roughly) the Σψ⁺-WS-protocol manages to get rid of the computation cost of the sequentially repeated Σψ-protocol in step 2 of the DF setup protocol. The resulting efficiency gain of the Σψ⁺-WS-protocol is substantial for practical applications. Concerning the communication cost it is not difficult to verify that we get an analogous efficiency gain for the Σψ⁺-WS-protocol. That is, roughly the Σψ⁺-WS-protocol gets rid of the communication cost of step 2 in the DF setup protocol. Again, the resulting efficiency gain is substantial in practice.

The above analysis is based on the scenario where we compare one execution of the DF setup and the Σψ⁺-protocol with one execution of the Σψ⁺-WS-protocol. Yet, there are different scenarios, where the comparison yields different results. For instance, in scenarios where the cost of the DF setup protocol does not matter, the Σψ⁺-protocol is more efficient than the Σψ⁺-WS-protocol. On the other hand, one can optimize the Σψ⁺-WS-protocol in many practical applications. To this end the verifier pre-computes its first step, which involves the costly choice of a special RSA modulus. Using this optimization the efficiency of the Σψ⁺-WS-protocol becomes, up to some constant factor, the same as the one of the Σψ⁺-protocol, even when the cost of the DF setup protocol does not matter.
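To make the cost comparison above and the applicability conditions summarized in Table 6.2 concrete, the following Python model is an added illustration and not code from the dissertation. It runs the Σψ-protocol for ψ(x) = h^x in a constructed toy group (Z_31^* with h = 9, whose image has order 15 = 3 · 5; the order is assumed known only so that the example can check its extractor, whereas in a hidden order group nobody knows it), applies the rewinding extractor to two accepting transcripts with the same commitment to obtain a pseudo-preimage (Δc, Δs) with ψ(Δs) = y^Δc, and shows that a preimage follows from it only when Δc is invertible modulo |image(ψ)|, which is guaranteed exactly when the challenge bound c⁺ is smaller than the smallest prime dividing |image(ψ)|. It also counts how many sequential runs with binary challenges are needed for a knowledge error of 1/2^80 against a single run with an 80-bit challenge set. The function names and the per-run error model 1/(c⁺ + 1) are assumptions of this example.

```python
"""Toy model of the Σψ-protocol for ψ(x) = h^x and of its rewinding extractor.
Added illustration, not code from the dissertation. The group Z_31^* with
h = 9 (order 15 = 3 * 5) is constructed; ORDER_OF_H is known here only to
check the extractor, whereas in a hidden order group nobody knows it."""
from math import ceil, gcd, log2

MODULUS = 31      # constructed toy group Z_31^*
H = 9             # constructed base; 9 has order 15 in Z_31^*
ORDER_OF_H = 15   # |image(ψ)|; hidden in the real setting


def psi(x, h=H, modulus=MODULUS):
    """Exponentiation homomorphism ψ(x) = h^x in the toy group."""
    return pow(h, x, modulus)


def prover_commit(r, h=H, modulus=MODULUS):
    """Prover's first message t = ψ(r) for randomness r."""
    return pow(h, r, modulus)


def prover_respond(x, r, c):
    """Response s = r + c*x over the integers (no reduction: the order is hidden)."""
    return r + c * x


def verify(y, t, c, s, c_plus, h=H, modulus=MODULUS):
    """Accept iff c lies in the challenge set {0..c_plus} and ψ(s) = t * y^c."""
    return 0 <= c <= c_plus and pow(h, s, modulus) == (t * pow(y, c, modulus)) % modulus


def extract_pseudo_preimage(y, t, c1, s1, c2, s2, h=H, modulus=MODULUS):
    """Two accepting transcripts (t, c1, s1), (t, c2, s2) with c1 != c2 give
    (Δc, Δs) with ψ(Δs) = y^Δc, i.e. a pseudo-preimage of y under ψ."""
    if c1 < c2:
        c1, s1, c2, s2 = c2, s2, c1, s1
    dc, ds = c1 - c2, s1 - s2
    if dc == 0 or pow(h, ds, modulus) != pow(y, dc, modulus):
        raise ValueError("transcripts do not yield a pseudo-preimage")
    return dc, ds


def preimage_from_pseudo_preimage(dc, ds, order):
    """A preimage x = Δs * Δc^-1 mod order exists only if gcd(Δc, order) = 1;
    otherwise the extractor is stuck with the pseudo-preimage."""
    if gcd(dc, order) != 1:
        return None
    return (ds * pow(dc, -1, order)) % order


def smallest_prime_factor(n):
    """Trial division, adequate for the toy orders used here."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


def max_challenge_bound(order):
    """Largest c_plus such that every Δc in 1..c_plus is coprime to the order:
    c_plus must stay below the smallest prime dividing |image(ψ)|."""
    return smallest_prime_factor(order) - 1


def sequential_repetitions(target_bits, c_plus):
    """Sequential runs with challenge set {0..c_plus} needed for knowledge
    error 2^-target_bits, assuming error 1/(c_plus + 1) per run."""
    return ceil(target_bits / log2(c_plus + 1))


def demo():
    """One extraction that reaches a preimage, one that only reaches a
    pseudo-preimage, and the repetition counts from the efficiency comparison."""
    x, r = 7, 4                               # constructed secret and randomness
    y, t = psi(x), prover_commit(r)           # y = 10, t = 20
    c_plus = max_challenge_bound(ORDER_OF_H)  # 2: the smallest prime factor of 15 is 3
    s1, s2 = prover_respond(x, r, 2), prover_respond(x, r, 0)
    assert verify(y, t, 2, s1, c_plus) and verify(y, t, 0, s2, c_plus)
    dc, ds = extract_pseudo_preimage(y, t, 2, s1, 0, s2)
    good = preimage_from_pseudo_preimage(dc, ds, ORDER_OF_H)    # 7 == x
    # With challenge set {0..3} the difference Δc = 3 divides 15, so rewinding
    # still gives ψ(Δs) = y^Δc but no preimage can be computed from it.
    dc3, ds3 = extract_pseudo_preimage(y, t, 3, prover_respond(x, r, 3), 0, s2)
    bad = preimage_from_pseudo_preimage(dc3, ds3, ORDER_OF_H)   # None
    return {
        "preimage_with_c_plus_2": good,
        "preimage_with_c_plus_3": bad,
        "binary_challenge_runs_for_2^-80": sequential_repetitions(80, 1),
        "single_run_with_80_bit_challenge_set": sequential_repetitions(80, 2**80 - 1),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two faces of the same rewinding argument: with c⁺ = 2 the extracted (Δc, Δs) converts into the preimage 7, with c⁺ = 3 it does not, and the repetition counter reproduces the 80 sequential runs mentioned in the text for a binary challenge set versus a single run once a large challenge set is admissible.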

6.4 Comparison

Proofs of knowledge based on the Σψ-protocol in the auxiliary setting, based on the Σψ⁺-protocol in the auxiliary string model, and based on the Σψ⁺-WS-protocol all work under different conditions and assumptions. For instance, the Σψ-protocol in the auxiliary setting works for certain exponentiation homomorphisms for which the Σψ⁺-protocol is not known to work and vice versa. In Table 6.2, we give a comparison of the most important of these conditions and assumptions. The description assumes that all three techniques are applied to an exponentiation homomorphism ψE : Z^l → H.

Table 6.2. Comparison of the Σψ-protocol in the auxiliary setting, the Σψ⁺-protocol, and the Σψ⁺-WS-protocol.

Definitional setting
– Σψ-protocol in the auxiliary setting: Proof of knowledge. The common input contains (ψE, y) and additionally an auxiliary pseudo-preimage of y.
– Σψ⁺-protocol: Proof of knowledge in the auxiliary string model. The common input contains an auxiliary ϑ_{l+1}-function with a prescribed distribution.
– Σψ⁺-WS-protocol: Computational proof of knowledge in the random oracle model.

Conditions for applicability
– Σψ-protocol in the auxiliary setting: Works for any ψE in hidden order groups (i.e., H is a hidden order group). The order of H remains hidden to a verifier, while the prover learns a non-zero multiple of |image(ψE)|.
– Σψ⁺-protocol: Works for any ψE when the upper bound c⁺ of the challenge set C = {0, ..., c⁺} is smaller than the smallest prime dividing |image(ψE)|.
– Σψ⁺-WS-protocol: Same as for the Σψ⁺-protocol.

Knowledge error
– Σψ-protocol in the auxiliary setting: Can be made arbitrarily small.
– Σψ⁺-protocol: Smallest knowledge error is 1/p + 1/poly(k), where p is the smallest prime dividing |image(ψE)|.
– Σψ⁺-WS-protocol: Same as for the Σψ⁺-protocol.

Computational assumptions
– Σψ-protocol in the auxiliary setting: ORDER assumption for H. The assumption is required so that the verifier cannot compute a preimage from the auxiliary pseudo-preimage.
– Σψ⁺-protocol: Strong RSA assumption is required for the computational validity property of the resulting proofs of knowledge.
– Σψ⁺-WS-protocol: Same as for the Σψ⁺-protocol.

7 Concluding remarks

This thesis studies the foundations of efficient zero-knowledge proofs of knowledge for homomorphisms. Prior to our work, the Σψ-protocol was the only protocol that allowed one to obtain such proofs of knowledge. Yet, the Σψ-protocol is only known to yield efficient proofs of knowledge for some homomorphisms, while for other homomorphisms the resulting proofs of knowledge are too inefficient for most practical applications. In particular, for the practically important class of exponentiation homomorphisms in hidden order groups the Σψ-protocol only yields inefficient proofs of knowledge. It was not known whether the existing efficiency limitations of the Σψ-protocol were protocol inherent or if they could be overcome by means of novel knowledge extractors for the Σψ-protocol. On the one hand, we have proved strong evidence suggesting that the existing efficiency limitations are indeed inherent to the Σψ-protocol. On the other hand, we have described novel techniques that for the first time yield efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms in hidden order groups. We believe that there is opportunity for novel research drawing on this thesis:

– Our efficient proof of knowledge techniques for exponentiation homomorphisms in hidden order groups open up the possibility to construct either novel cryptographic applications or to find novel and more efficient implementations of existing applications, such as: identification-, signature-, group signature-, and anonymous credential-schemes.
– In many practical applications of proofs of knowledge for homomorphisms one not only proves knowledge of a preimage under a homomorphism. Rather, one proves knowledge of multiple preimages under possibly different homomorphisms as well as relations between these preimages. As an example, these relations can be that two preimages are equal or that they fulfill some polynomial relation. Also, one can prove that an integer preimage lies in some specific integer interval. These techniques are not well understood in the sense that they lack a unified theory. We believe that the common abstraction and hence the understanding of all or most of these techniques is based on the study of the solvability of systems of pseudo-preimage problem instances for possibly different homomorphisms. These systems have the property that pseudo-preimage problem instances have the same pseudo-preimage exponent and that some of the pseudo-preimage domain elements are related by algebraic equations over groups.

Bibliography

[ACJT00] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Mihir Bellare, editor, Advances in Cryptology — CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 255–270. Springer Verlag, 2000.
[Bar01] Boaz Barak. How to go beyond the black-box simulation barrier. In Proc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pages 106–115, 2001.
[BB04] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology — EUROCRYPT 2004, volume 3027 of LNCS, pages 54–73. Springer, 2004.
[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures using Strong Diffie-Hellman. In Advances in Cryptology — CRYPTO 2004, LNCS. Springer Verlag, 2004.
[BCC88] Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 37(2):156–189, October 1988.
[BCC04] Ernie Brickell, Jan Camenisch, and Liqun Chen. Direct anonymous attestation. Technical Report Research Report RZ 3450, IBM Research Division, March 2004.
[BCM05] Endre Bangerter, Jan Camenisch, and Ueli Maurer. Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order. In Serge Vaudenay, editor, PKC 2005, Lecture Notes in Computer Science. Springer Verlag, 2005.
[BCM06] Endre Bangerter, Jan Camenisch, and Ueli Maurer. Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order. Available at www.zurich.ibm.com/~jca, 2006.
[BG92] Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. In Ernest F. Brickell, editor, Advances in Cryptology — CRYPTO '92, volume 740 of Lecture Notes in Computer Science, pages 390–420. Springer-Verlag, 1992.
[BH01] Johannes Buchmann and Safuat Hamdy. A survey on IQ cryptography. Technical Report TI-4/01, TU Darmstadt, 2001.
[BL02] Boaz Barak and Yehuda Lindell. Strict polynomial-time in simulation and extraction. In STOC '02: Proceedings of the thirty-fourth annual ACM symposium on Theory of computing, pages 484–493. ACM Press, 2002.
[Bou00] Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 431–444. Springer Verlag, 2000.
[BP97] Niko Barić and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Walter Fumy, editor, Advances in Cryptology — EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 480–494. Springer Verlag, 1997.
[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In First ACM Conference on Computer and Communication Security, pages 62–73. Association for Computing Machinery, 1993.
[Bra39] Alfred Brauer. On addition chains. Bulletin of the American Mathematical Society, 45:736–739, 1939.
[Bra93] Stefan Brands. Electronic cash systems based on the representation problem in groups of prime order. In Preproceedings of Advances in Cryptology — CRYPTO '93, pages 26.1–26.15, 1993.
[Bra97] Stefan Brands. Rapid demonstration of linear relations connected by boolean operators. In Walter Fumy, editor, Advances in Cryptology — EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 318–333. Springer Verlag, 1997.
[BS96] E. Bach and J. Shalit. Algorithmic Number Theory, Volume 1: Efficient Algorithms. MIT Press, 1996.
[BW91] Johannes A. Buchmann and Hugh C. Williams. Some remarks concerning the complexity of computing class groups of quadratic fields. Journal of Complexity, 7(3):311–315, 1991.
[Cam98] Jan Leonhard Camenisch. Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. PhD thesis, ETH Zürich, 1998. Diss. ETH No. 12520, Hartung Gorre Verlag, Konstanz.
[Cam04] Jan Camenisch. Better privacy for trusted computing platforms. In Peter Ryan and Pierangela Samarati, editors, European Symposium on Research in Computer Security — ESORICS 2004, LNCS. Springer Verlag, 2004.
[CD00] Jan Camenisch and Ivan Damgård. Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes. In Tatsuaki Okamoto, editor, Advances in Cryptology — ASIACRYPT 2000, volume 1976 of LNCS, pages 331–345. Springer Verlag, 2000.
[CFSY96] Ronald Cramer, Matthew Franklin, Berry Schoenmakers, and Moti Yung. Multi-authority secret-ballot elections with linear work. In Ueli Maurer, editor, Advances in Cryptology — EUROCRYPT '96, volume 1070 of LNCS, pages 72–83. Springer Verlag, 1996.
[CGGM00] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable zero-knowledge. Pages 235–244. ACM Press, 2000.
[CKW] Jan Camenisch, Maciej Koprowski, and Bogdan Warinschi. Efficient blind signatures without random oracles. In submission.
[CL01a] Jan Camenisch and Anna Lysyanskaya. Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of LNCS, pages 93–118. Springer Verlag, 2001.
[CL01b] Jan Camenisch and Anna Lysyanskaya. An identity escrow scheme with appointed verifiers. In Joe Kilian, editor, Advances in Cryptology — CRYPTO 2001, volume 2139 of LNCS, pages 388–407. Springer Verlag, 2001.
[CL02] Jan Camenisch and Anna Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Moti Yung, editor, Advances in Cryptology — CRYPTO 2002, volume 2442 of LNCS, pages 61–76. Springer Verlag, 2002.
[CL04] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Advances in Cryptology — CRYPTO 2004, LNCS. Springer Verlag, 2004.
[CP93] David Chaum and Torben Pryds Pedersen. Wallet databases with observers. In Ernest F. Brickell, editor, Advances in Cryptology — CRYPTO '92, volume 740 of Lecture Notes in Computer Science, pages 89–105. Springer-Verlag, 1993.
[Cra97] Ronald Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.
[CS97] Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups. In Burt Kaliski, editor, Advances in Cryptology — CRYPTO '97, volume 1296 of Lecture Notes in Computer Science, pages 410–424. Springer Verlag, 1997.
[CS03] Jan Camenisch and Victor Shoup. Practical verifiable encryption and decryption of discrete logarithms. In Dan Boneh, editor, Advances in Cryptology — CRYPTO 2003, volume 2729 of LNCS, pages 126–144, 2003.
[Dam00] Ivan Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 431–444. Springer Verlag, 2000.
[Dam04] Ivan Damgård. On sigma-protocols. Available at www.daimi.au.dk/~ivan/Sigma.ps, 2004.
[DF01] Ivan Damgård and E. Fujisaki. An integer commitment scheme based on groups with hidden order, 2001.
[DF02] Ivan Damgård and Eiichiro Fujisaki. An integer commitment scheme based on groups with hidden order. In Advances in Cryptology — ASIACRYPT 2002, volume 2501 of LNCS. Springer, 2002.
[DJ01] Ivan Damgård and Mads Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In Proceedings of Public Key Cryptography 2001, 2001.
[DK02] Ivan Damgård and Maciej Koprowski. Generic lower bounds for root extraction and signature schemes in general groups. In XY, editor, Advances in Cryptology — EUROCRYPT '02, volume 2332 of Lecture Notes in Computer Science, pages 256–?? Springer Verlag, 2002.
[DNS98] Cynthia Dwork, Moni Naor, and Amit Sahai. Concurrent zero knowledge. In Proc. 30th Annual ACM Symposium on Theory of Computing (STOC), 1998.
[FFS88] Uriel Feige, Amos Fiat, and Adi Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1:77–94, 1988.
[FO97] Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Burt Kaliski, editor, Advances in Cryptology — CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 16–30. Springer Verlag, 1997.
[FS87] Amos Fiat and Adi Shamir. How to prove yourself: Practical solution to identification and signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer Verlag, 1987.
[GK96] Oded Goldreich and Hugo Krawczyk. On the composition of zero-knowledge proof systems. SIAM Journal on Computing, 25(1):169–192, 1996.
[GMR85] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. In Proc. 27th Annual Symposium on Foundations of Computer Science, pages 291–304, 1985.
[GMW86] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity and a method of design. In Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), pages 174–187. IEEE Computer Society Press, 1986.
[GO94] Oded Goldreich and Yair Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1–32, 1994.
[Gol00] Oded Goldreich. Computational complexity. Available at www.wisdom.weizmann.ac.il/~oded/PS/cc.ps, 2000.
[Gol01] Oded Goldreich. Foundations of Cryptography. Cambridge University Press, 2001.
[Gol04] Oded Goldreich. Zero-knowledge twenty years after its invention. Available at www.wisdom.weizmann.ac.il/~oded/PS/zk-tut02v4.ps, 2004.
[GQ88] Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In Christoph G. Günther, editor, Advances in Cryptology — EUROCRYPT '88, volume 330 of Lecture Notes in Computer Science, pages 123–128. Springer Verlag, 1988.
[GW04] Oded Goldreich and Avi Wigderson. Complexity theory - a survey. Available at www.wisdom.weizmann.ac.il/~oded/cc-sur2.html, 2004.
[HM00] Safuat Hamdy and Bodo Möller. Security of cryptosystems based on class groups of imaginary quadratic orders. In Tatsuaki Okamoto, editor, Advances in Cryptology — ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 234–247, 2000.
[HMU01] J. E. Hopcroft, R. Motwani, and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 2001.
[HS00] Martin Hirt and Kazue Sako. Efficient receipt-free voting based on homomorphic encryption. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of LNCS, pages 539–556. Springer Verlag, 2000.
[JN03] Antoine Joux and Kim Nguyen. Separating Decision Diffie-Hellman from Computational Diffie-Hellman in cryptographic groups. J. Cryptology, 16(4):239–247, 2003.
[KMV00] Neal Koblitz, Alfred Menezes, and Scott Vanstone. The state of elliptic curve cryptography. Des. Codes Cryptography, 19(2-3):173–193, 2000.
[Knu97] Donald E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Programming. Addison-Wesley, Reading, Massachusetts, third edition, 1997.
[Kob87] Neal Koblitz. Elliptic curve cryptosystems. In Mathematics of Computation, volume 48, pages 203–209, 1987.
[KP98] Joe Kilian and Erez Petrank. Identity escrow. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO '98, volume 1642 of LNCS, pages 169–185, Berlin, 1998. Springer Verlag.
[KYT04] Aggelos Kiayias, Moti Yung, and Yiannis Tsiounis. Traceable signatures. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology — EUROCRYPT 2004, volume 3027 of LNCS, pages 571–589. Springer, 2004.
[Len00] Arjen K. Lenstra. Integer factoring. Des. Codes Cryptography, 19(2/3):101–128, 2000.
[LV01] Arjen K. Lenstra and Eric R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.
[Mau00] Ueli Maurer. Index search, discrete logarithms, and Diffie-Hellman. MSRI Number-theoretic cryptography workshop, Mathematical Sciences Research Institute (MSRI), Berkeley, 16–20 October 2000.
[McC90] Kevin McCurley. The discrete logarithm problem. In Carl Pomerance, editor, Cryptology and computational number theory, volume 42 of Proceedings of Symposia in Applied Mathematics, pages 49–74. American Mathematical Society, 1990.
[Mil85] Victor S. Miller. Use of elliptic curves in cryptography. In CRYPTO, pages 417–426, 1985.
[MvOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[Nec94] V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.
[Odl00] Andrew M. Odlyzko. Discrete logarithms: The past and the future. Des. Codes Cryptography, 19(2/3):129–145, 2000.
[Oka93] Tatsuaki Okamoto. Provable secure and practical identification schemes and corresponding signature schemes. In Ernest F. Brickell, editor, Advances in Cryptology — CRYPTO '92, volume 740 of Lecture Notes in Computer Science, pages 31–53. Springer-Verlag, 1993.
[OP01] Tatsuaki Okamoto and David Pointcheval. The gap-problems: A new class of problems for the security of cryptographic schemes. In Public Key Cryptography, pages 104–118, 2001.
[Pai99] Pascal Paillier. Public-key cryptosystems based on composite residuosity classes. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT '99, volume 1592 of LNCS, pages 223–239. Springer Verlag, 1999.
[Pre97] Bart Preneel. Cryptographic primitives for information authentication - state of the art. In Bart Preneel and Vincent Rijmen, editors, State of the Art in Applied Cryptography, volume 1528 of Lecture Notes in Computer Science, pages 49–104. Springer, 1997.
[Pre99] Bart Preneel. The state of cryptographic hash functions. In Ivan Damgaard, editor, Lectures on Data Security, Lecture Notes in Computer Science, volume 1561, pages 158–182, January 1999.
[PS98] Guillaume Poupard and Jacques Stern. Security analysis of a practical "on the fly" authentication and signature generation. In Kaisa Nyberg, editor, Advances in Cryptology — EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 422–436. Springer Verlag, 1998.
[PS00] David Pointcheval and Jacques Stern. Security arguments for signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.
[RSA78a] Ron L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. CACM, 21(2):120–126, February 1978.
[RSA78b] Ronald Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
[Sch91] Claus P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239–252, 1991.
[Sho96] Victor Shoup. On fast and provably secure message authentication based on universal hashing. In Neal Koblitz, editor, Advances in Cryptology — CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 313–328. Springer-Verlag, 18–22 August 1996.
[Sho97] Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor, Advances in Cryptology — EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 256–266. Springer Verlag, 1997.
[Sho01] Victor Shoup. OAEP reconsidered. In J. Kilian, editor, Advances in Cryptology — CRYPTO '01, volume 2139 of Lecture Notes in Computer Science, page 239. Springer Verlag, 2001.
[Sho04] Victor Shoup. A computational introduction to number theory and algebra. Available at shoup.net/ntb, 2004.
[Sil86] Joseph Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag, 1986.
[Sip96] Michael Sipser. Introduction to the Theory of Computation. PWS, Boston, MA, 1996.
[Son01] Dawn Xiaodong Song. Practical forward secure group signature schemes. In Proc. 8th ACM Conference on Computer and Communications Security, pages 225–234. ACM Press, November 2001.
[SS01] Ahmad-Reza Sadeghi and Michael Steiner. Assumptions related to discrete logarithms: Why subtleties make a real difference. In EUROCRYPT, pages 244–261, 2001.
[Str64] Ernst G. Straus. Addition chains of vectors (problem 5125). American Mathematical Monthly, 70:806–808, 1964.
[Tru] Trusted Computing Group website. www.trustedcomputinggroup.org.
[TW87] Martin Tompa and Heather Woll. Random self-reducibility and zero knowledge interactive proofs of possession of information. In 28th Annual Symposium on Foundations of Computer Science, pages 472–482, Los Angeles, California, 12–14 October 1987. IEEE.
[Wol87] Heather Woll. Reductions among number theoretic problems. Information and Computation, 72:167–179, March 1987.