Non-interactive distributed-verifier proofs and proving relations among commitments


Abstract

A commitment multiplication proof, CMP for short, allows a player who is committed to secrets s, s' and s'' = s · s', to prove, without revealing s, s' or s'', that indeed s'' = ss'. CMP is an important building block for secure general multi-party computation as well as threshold cryptography. In the standard cryptographic model, a CMP is typically done interactively using zero-knowledge protocols. In the random oracle model it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic. An alternative non-interactive solution in the distributed setting, where at most a certain fraction of the verifiers are malicious, was presented in [1] for Pedersen's discrete log based commitment scheme. This CMP essentially consists of a few invocations of Pedersen's verifiable secret sharing scheme (VSS) and is secure in the standard model. In the first part of this paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen's VSS. Next we show how to construct non-interactive proofs of partial knowledge [8] in this distributed setting. This allows for instance to prove non-interactively the knowledge of _ out of m given secrets, without revealing which ones. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting. In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen's VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [7], which cover a wide range of currently used schemes, suffice.

Citation
Abe, M., Cramer, R., & Fehr, S. (2002). Non-interactive distributed-verifier proofs and proving relations among commitments. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2501, pp. 206–224). Springer Verlag. https://doi.org/10.1007/3-540-36178-2_13
