International Association for Cryptologic Research


Non-Interactive Composition of Sigma-Protocols via Share-then-Hash

Masayuki Abe
Miguel Ambrona
Andrej Bogdanov
Miyako Ohkubo
Alon Rosen
DOI: 10.1007/978-3-030-64840-4_25
Abstract: Proofs of partial knowledge demonstrate the possession of certain subsets of witnesses for a given collection of statements $x_1,\dots,x_n$. Cramer, Damgård, and Schoenmakers (CDS) built proofs of partial knowledge, given "atomic" protocols for individual statements $x_i$, by having the prover randomly secret share the verifier's challenge and using the shares as challenges for the atomic protocols. This simple and highly influential transformation has been used in numerous applications, ranging from anonymous credentials to ring signatures. We consider what happens if, instead of using the shares directly as challenges, the prover first hashes them. We show that this elementary enhancement can result in significant benefits:
- the proof contains a single atomic transcript per statement $x_i$,
- it suffices that the atomic protocols are $k$-special sound for $k \geq 2$,
- when compiled using the Fiat-Shamir heuristic, the protocol retains its soundness in the non-programmable random oracle model.
None of the above features is satisfied by the CDS transformation.
Video from ASIACRYPT 2020
  title={Non-Interactive Composition of Sigma-Protocols via Share-then-Hash},
  booktitle={Advances in Cryptology - ASIACRYPT 2020},
  author={Masayuki Abe and Miguel Ambrona and Andrej Bogdanov and Miyako Ohkubo and Alon Rosen},