CDLS: Proving Knowledge of Committed Discrete Logarithms with Soundness

  • Conference paper
  • Progress in Cryptology - AFRICACRYPT 2024 (AFRICACRYPT 2024)

Abstract

The works of CRYPTO ’18 [1] and SAC ’21 [15] give \(\varSigma \)-protocols for proving knowledge that a committed scalar is the discrete logarithm of a committed elliptic curve point. While the former, original work [1] is not specified in enough detail for a careful analysis to be performed, we show that the latter follow-up work, the \(\varSigma \)-protocol of ZKAttest [15], suffers from soundness issues that invalidate its security proof. We also give a practical attack on ZKAttest’s public implementation and point out other flaws in it where it deviates from the paper’s specification. Lastly, we introduce two new protocols, \(\textsf{CDLSS}\) and \(\textsf{CDLSD}\), which are sound, provably secure, have concrete security bounds, and compare favourably with the prior works once the soundness issue is taken into account.

Notes

  1. This is likely also the case in [1]; however, the specification of that protocol is not sufficiently detailed.

  2. Using the common compressed representation for elliptic curve points, namely the x-coordinate along with a parity bit, one does not need to evaluate the curve equation each time.

  3. See https://charts.woobull.com/bitcoin-hash-price/, which places the value of \(10^{12}\) SHA-256 hashes at approximately \(10^{-6}\) USD, assuming modern ASICs can be set up to handle arbitrary fixed-length input.

  4. For the calculations of these estimates, see the attached Sage script at https://github.com/brave-experiments/CDLS.

  5. https://github.com/brave-experiments/CDLS.
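The statement from the abstract, reduced to its simplest form, as an added worked example (this is not code from the paper or from the brave-experiments/CDLS repository): a \(\varSigma \)-protocol proving that a Pedersen-committed scalar x is the discrete logarithm of a public point P = xG, with the Fiat-Shamir transform, the special-soundness extractor that recovers (x, r) from two accepting transcripts sharing a first message, and the compressed point encoding of note 2 (x-coordinate plus parity bit). The choice of secp256k1, the try-and-increment derivation of the second generator H, and the simplification that P is public rather than committed are assumptions of this example; ZKAttest and CDLS prove the harder statement in which P itself is committed, which needs a second curve and is not attempted here.

```python
# Added example (not code from the CDLS paper or its repository). Statement proved:
# Pedersen commitment C = x*G + r*H opens to the discrete log x of the PUBLIC point
# P = x*G. The curve, the generator H and this simplified statement are assumptions.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                        # secp256k1 field prime, P % 4 == 3
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
A, B = 0, 7                                     # y^2 = x^3 + A*x + B
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None      # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None                                  # double-and-add; not constant-time (demo only)
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def compress(pt):
    """Note 2 encoding: 0x02/0x03 parity prefix followed by the x-coordinate."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def decompress(b):
    x = int.from_bytes(b[1:], "big")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)               # square root, valid since P % 4 == 3
    if y * y % P != rhs: raise ValueError("x-coordinate is not on the curve")
    return (x, y if (y & 1) == (b[0] & 1) else P - y)

def hash_to_point(label):
    """Try-and-increment generator (assumed construction); nobody may know log_G(H)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big")
        try:
            if x < P: return decompress(b"\x02" + x.to_bytes(32, "big"))
        except ValueError:
            pass
        ctr += 1

H = hash_to_point(b"CDLS example: Pedersen generator H")   # assumed label

def commit(x, r):
    return ec_add(ec_mul(x, G), ec_mul(r, H))   # Pedersen: C = x*G + r*H

def fiat_shamir(*points):
    h = hashlib.sha256()                        # challenge = H(statement || first message)
    for pt in points: h.update(compress(pt))
    return int.from_bytes(h.digest(), "big") % N

def prover_commit():
    k, s = 1 + secrets.randbelow(N - 1), 1 + secrets.randbelow(N - 1)
    A1 = ec_mul(k, G)                           # first move: A1 = k*G, A2 = k*G + s*H
    return (k, s), (A1, ec_add(A1, ec_mul(s, H)))

def prover_respond(state, c, x, r):
    k, s = state
    return ((k + c * x) % N, (s + c * r) % N)    # z1 = k + c*x, z2 = s + c*r

def verify_transcript(P_pub, C, A1, A2, c, z1, z2):
    """Accept iff z1*G == A1 + c*P and z1*G + z2*H == A2 + c*C."""
    z1G = ec_mul(z1, G)
    return (z1G == ec_add(A1, ec_mul(c, P_pub)) and
            ec_add(z1G, ec_mul(z2, H)) == ec_add(A2, ec_mul(c, C)))

def prove_fs(x, r):
    P_pub, C = ec_mul(x, G), commit(x, r)       # non-interactive via Fiat-Shamir
    state, (A1, A2) = prover_commit()
    return (A1, A2) + prover_respond(state, fiat_shamir(P_pub, C, A1, A2), x, r)

def verify_fs(P_pub, C, proof):
    A1, A2, z1, z2 = proof
    return verify_transcript(P_pub, C, A1, A2, fiat_shamir(P_pub, C, A1, A2), z1, z2)

def extract(c1, t1, c2, t2):
    """Special soundness: two responses to one first message, c1 != c2, yield (x, r)."""
    inv = pow((c1 - c2) % N, -1, N)
    return ((t1[0] - t2[0]) * inv % N, (t1[1] - t2[1]) * inv % N)

def rewind_and_extract(x, r):
    P_pub, C = ec_mul(x, G), commit(x, r)       # run the prover, rewind to its first move
    state, (A1, A2) = prover_commit()
    c1, c2 = 0x1234, 0xABCD                     # any two distinct challenges
    t1, t2 = prover_respond(state, c1, x, r), prover_respond(state, c2, x, r)
    ok = verify_transcript(P_pub, C, A1, A2, c1, *t1) and verify_transcript(P_pub, C, A1, A2, c2, *t2)
    return extract(c1, t1, c2, t2) if ok else None
```

`rewind_and_extract` is the concrete content of the word "soundness" in the abstract: a prover that answers two different challenges for the same first message gives up its witness, so any protocol for which this extraction fails, or succeeds only with a probability bound other than the one claimed, has no knowledge-soundness proof. Verification binds the Fiat-Shamir challenge to the statement (P, C) as well as to the first message, so a proof produced for one public point does not verify against another.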

References

  1. Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_22

  2. Attema, T., Fehr, S., Klooß, M.: Fiat-Shamir transformation of multi-round interactive proofs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part I. LNCS, vol. 13747, pp. 113–142. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22318-1_5

  3. Babai, L.: Trading group theory for randomness. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, STOC 1985, pp. 421–429. Association for Computing Machinery, New York (1985). https://doi.org/10.1145/22145.22192

  4. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 103–112. Association for Computing Machinery, New York (1988). https://doi.org/10.1145/62212.62222

  5. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31

  6. Broker, R.: Constructing elliptic curves of prescribed order. Ph.D. thesis (2006)

  7. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018). https://doi.org/10.1109/SP.2018.00020

  8. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15

  9. Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_8

  10. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252

  11. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

  12. Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis (1997)

  13. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  14. Damgård, I.: On sigma-protocols (2010). https://www.cs.au.dk/~ivan/Sigma.pdf

  15. Faz-Hernández, A., Ladd, W., Maram, D.: ZKAttest: ring and group signatures for existing ECDSA keys. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 68–83. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_4

  16. Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988). https://doi.org/10.1007/BF02351717

  17. Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: 22nd ACM STOC, pp. 416–426. ACM Press (1990). https://doi.org/10.1145/100216.100272

  18. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  19. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225

  20. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. In: Paterson, M.S. (ed.) ICALP 1990. LNCS, vol. 443, pp. 268–282. Springer, Heidelberg (1990). https://doi.org/10.1007/BFb0032038

  21. Hazay, C., Lindell, Y.: Sigma protocols and efficient zero-knowledge. In: Hazay, C., Lindell, Y. (eds.) Efficient Secure Two-Party Protocols. ISC, pp. 147–175. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14303-8_6

  22. Krenn, S., Orrù, M.: Proposal: \(\sigma \)-protocols (2021). https://docs.zkproof.org/pages/standards/accepted-workshop4/proposal-sigma.pdf

  23. Nguyen, K.Q., Bao, F., Mu, Y., Varadharajan, V.: Zero-knowledge proofs of possession of digital signatures and its applications. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 103–118. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_9

  24. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  25. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725

  26. Silverman, J.H.: The geometry of elliptic curves. In: Silverman, J.H. (ed.) The Arithmetic of Elliptic Curves. GTM, vol. 106, pp. 41–114. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6_3

  27. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943. IEEE Computer Society Press (2018). https://doi.org/10.1109/SP.2018.00060

Author information

Corresponding author: Sofia Celi.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Celi, S., Levin, S., Rowell, J. (2024). CDLS: Proving Knowledge of Committed Discrete Logarithms with Soundness. In: Vaudenay, S., Petit, C. (eds) Progress in Cryptology - AFRICACRYPT 2024. AFRICACRYPT 2024. Lecture Notes in Computer Science, vol 14861. Springer, Cham. https://doi.org/10.1007/978-3-031-64381-1_4

  • DOI: https://doi.org/10.1007/978-3-031-64381-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-64380-4

  • Online ISBN: 978-3-031-64381-1