ADDITIVE PROOFS OF KNOWLEDGE

A New Notion for Non-Interactive Proofs

Amitabh Saxena

∗

Department of Information and Communication Technology

University of Trento, TN, Italy

Keywords:

Non-interactive zero-knowledge proofs of knowledge, proofs of decision power, additive proofs, identiﬁcation.

Abstract:

This paper has two contributions. Firstly, we describe an efﬁcient Non-Interactive Zero-Knowledge (NIZK)

Proof of Knowledge (PoK) protocol using bilinear pairings. The protocol assumes the hardness of the Com-

putational Difﬁe-Hellman (CDH) problem. The prover does not perform any pairing computations while the

veriﬁer performs 3 pairing computations. The protocol can be used for identiﬁcation (eg. in smart-cards).

Secondly, we extend the idea to multiple proofs and propose the notion of efﬁcient Additive Non-Interactive

Witness-Indistinguishable (A-NIWI) proofs. Intuitively an A-NIWI proof can be considered as a PoK of

another A-NIWI proof. Our ideas are based on the aggregate signature scheme of Boneh et al. (proposed in

Eurocrypt 2003).

1 INTRODUCTION

We study the aggregate signatures of (Boneh et al.,

2003) in more detail. Many schemes derived from

aggregate signatures such as Veriﬁably Encrypted sig-

natures (VES) (Boneh et al., 2003) and Chain Sig-

natures (CS) (Saxena and Soh, 2005) require that al-

though some given aggregate signature can be veri-

ﬁed, no useful information about the individual sig-

natures is leaked. However, the very fact that the

aggregate signature can be veriﬁed leaks certain in-

formation - that the individual signatures are indeed

well-formed. Apart from this, is there any other in-

formation leaked? We show that there is absolutely

no other information leaked about the individual sig-

natures when the aggregation contains only two sig-

natures.

Another observation is that the aggregate signa-

tures are extensible. This leads to an interesting con-

struction of Non-Interactive Witness Indistinguish-

able (NIWI) proofs - a given NIWI proof π

of state-

ment m

can be combined with another NIWI proof

of m

to yield a new NIWI proof π

(1,2)

of m

∧ m

such that given π

(1,2)

, it is no longer possi-

ble to obtain π

(or π

). This process can be con-

tinued using another proof π

of m

. We term this

∗

The author is funded by the European Commission

(contract No. 021186-2 for the RE-TRUST project).

property additiveness and formally give a construc-

tion of a NIWI proof that satisﬁes this property. We

call any NIWI proof system satisfying this property

an Additive NIWI (A-NIWI) proof system. Although

this property can be achieved using conventional con-

structions of NIZK proofs (using an NP reduction),

such constructions are extremely inefﬁcient and there-

fore useless in practice.

The rest of this paper is organized as follows.

In Section 2, we give some background on zero-

knowledge. In Section 3, we give an informal de-

scription of our idea by showing that aggregate signa-

tures (of two users) are zero-knowledge. We then give

a formal construction of our zero-knowledge proofs

of knowledge in Section 4. Finally, in Section 5, we

present our example of additive NIWI proofs.

2 PRELIMINARIES

Zero-Knowledge (ZK). Zero Knowledge proofs are

proofs which convince a veriﬁer that a given state-

ment (eg. x ∈ L for some L ∈ NP) is indeed

true without giving any information as to why it

is true (Goldwasser et al., 1989). This concept

can be intuitively captured by saying that what-

ever the veriﬁer knows after seeing the proof was

already known to the veriﬁer before seeing the

239

Saxena A. (2007).

ADDITIVE PROOFS OF KNOWLEDGE - A New Notion for Non-Interactive Proofs.

In Proceedings of the Second International Conference on Security and Cryptography, pages 239-244

DOI: 10.5220/0002117102390244

 SciTePress

proof. More formally, we require that there ex-

ist a PPT simulator outputting a transcript that is

indistinguishable to the transcript produced by the

real prover.

Witness Indistinguishability (WI). Another in-

tuitive way to restrict knowledge leakage is

using witness indistinguishable proofs (Feige

and Shamir, 1990; Dwork and Naor, 2000).

However, unlike ZK proofs, a WI proof cannot be

simulated. Informally, a WI proof can be deﬁned

as follows. Let x ∈ L for some L ∈ NP such that x

has two or more witness for L. A proof is WI if it

convinces a veriﬁer that indeed x ∈ L but does not

reveal which witness was used to construct the

proof (even if the veriﬁer knows all witnesses).

Proofs of Knowledge (PoKs). Till now we re-

stricted ourselves to proofs of statements of the

type x ∈ L for some L ∈ NP. These are called

proofs of membership (PoMs). However, a more

useful notion is of proofs of statements of the

type I know the witness of x ∈ L. That is, the

prover not only proves that x ∈ L but also proves

knowledge of a witness to the fact. Such proofs

are called proofs of knowledge (PoKs) and are

formally deﬁned in (Bellare and Goldreich,

1993). Informally, a PoK requires that there be

a knowledge extractor that uses the prover in a

black-box manner and extracts the witness for the

statement to be proved (Bellare and Goldreich,

1993).

Proofs of Decision Power (PoDPs). Let L ∈ NP ∩

co-NP. A ZK (or WI) proof of decision power

(PoDP) is a PoK for some x ∈ L ∪ co-L that con-

vinces a veriﬁer about the knowledge of a witness

for x but does not reveal whether x ∈ L or x ∈ co-

L. See (Crescenzo et al., 1997; Crescenzo et al.,

2000) for a discussion on this concept. All our

proofs presented in this paper (whether WI or ZK)

will be PoDPs.

Non-Interactive (NI) ZK and WI Proofs. ZK (and

WI) proofs come in two ﬂavors: interactive and

non-interactive (NI). In the interactive variants,

there are many exchanges of messages (called

rounds) before the proof is completed. On the

other hand, in the non-interactive variants, the

veriﬁer’s role is played by a hash function or

some other random source of information (such

as a random oracle) (Blum et al., 1988; Rackoff

and Simon, 1992; Goldreich, 2001; Groth et al.,

2006). Depending on whether the proof is ZK of

WI, we call it a NIZK or NIWI proof. Similar to

interactive proofs, NI proofs can also be classiﬁed

as PoMs or PoKs.

3 ZERO KNOWLEDGE IN

AGGREGATE SIGNATURES

We give the motivation behind our The aggregate sig-

natures of (Boneh et al., 2003) can be brieﬂy de-

scribed (with some simpliﬁcations) as follows. The

construction requires a bilinear map between prime

order groups, which we describe ﬁrst.

3.1 Bilinear Maps

Let G

and G

be two cyclic multiplicative groups

both of prime order q such that computing discrete

logarithms in G

and G

is intractable. A bilinear

pairing is a map ˆe : G

× G

7→ G

that satisﬁes the

following properties (Boneh et al., 2004; Boneh et al.,

2003).

1. Bilinearity: ˆe(a

) = ˆe(a,b)

∀a,b ∈ G

and

x,y ∈ Z

2. Non-degeneracy: If g is a generator of G

then

ˆe(g,g) is a generator of G

3. Computability: The map ˆe is efﬁciently com-

putable.

For the rest of this paper we will assume that g ∈

is some ﬁxed generator.

Security of aggregate signatures is based on the

hardness of the following problem.

Deﬁnition 3.1. Computational Difﬁe-Hellman

(CDH) problem: Given (X,Y) ∈ G

, compute

Z ∈ G

satisfying ˆe(X,Y) = ˆe(Z,g).

3.2 Aggregate Signatures

In the aggregate signature scheme of (Boneh et al.,

2003), the private keys of two users are x

∈ Z

while the public keys are X

= g

respec-

tively. The scheme also requires a cryptographic hash

function

H : {0,1} 7→ G

. Let the hashes of the mes-

sages to be signed be Y

= g

and Y

= g

respec-

tively (for unknown y

). Then the the aggregate

signature under public keys X

corresponds to the

value Z

= g

(to verify the signature we check

if the equality ˆe(X

) · ˆe(X

)

= ˆe(Z

,g) holds).

Additionally, the corresponding individual signature

under the public key X

= g

turns out to be g

the extraction of which will correspond to the solu-

tion of the CDH instance (X

) = (g

). Call

this the signature extraction problem for the tuple

). Without the extra inputs X

this reduces to the ordinary CDH problem for (X

We show next that these extra inputs leak no informa-

tion about the solution of the CDH instance (X

SECRYPT 2007 - International Conference on Security and Cryptography

240

Observe that given just the CDH instance

) = (g

), we can straightaway transform

it into an instance of the signature extraction prob-

lem without knowing either x

or y

as follows. Gen-

erate two random integers r,u. Then compute X

· g

= g

r+x

, Y

= g

u−y

, Z

= X

·Y

u+ru−ry

. The tuple (X

) forms a valid

instance of the signature extraction problem.

In other

words, the aggregate signature leaks absolutely no

knowledge about the individual signature!

This mo-

tivates the following application.

3.3 An Identiﬁcation Protocol

Assume that Alice has public key X

in the example

of Section 3.2 and is authorized to issue credentials

that can be used for identiﬁcation. Bob would like

to identify using his credential and at the same time

ensure that the veriﬁer cannot impersonate him later.

1. Alice uses the signature scheme of Section 3.2 to

sign the message m

=“The holder of this card is

Bob” such that the resulting hash of m

is Y

. She

gives the resulting signature Z

to Bob.

2. Suppose Bob wants to identify to Carol using

Alice’s card. Both Bob and Carol agree on a

common random string (CRS) Y

∈ G

Then

Bob generates random x

← Z

∗

and computes

) = (g

·Y

) ∈ G

. He gives (Z

)

to Carol.

We show in Section 4.1 that Z

proves (to Carol) the

knowledge of the credential Z

without leaking any

information. We do this by proving that the non-

interactive variant of the above protocol (where the

CRS is decided beforehand) is a NIZK-PoK of Z

4 NIZK PROOFS OF

KNOWLEDGE

We now give a formal discussion of the above zero-

knowledge property. We use the common-random-

This was proved in (Coron and Naccache, 2003).

There is a subtility here. The resulting value Y

needs

to be the output of the hash function H . However, if we

consider H to be a random oracle then we can ignore this

subtility in our context.

The CRS could be decided before Z

is computed.

However, it is necessary for both Bob and Carol to ensure

that the CRS is indeed random. For the purpose of this pa-

per, we will assume that there is a trusted authority that is

responsible for generating the CRS. Also note that a CRS

can be used only once. Hence both parties must ensure that

the CRS is fresh.

string model (Blum et al., 1988) - both prover (P) and

veriﬁer (V) share a common random string (CRS).

Our notion of NIZK-PoKs is similar to that of (Santis

and Persiano, 1992). Let L ∈ NP ∩ co-NP be some

language. For any x ∈ L ∪ co-L, let

be the set of

witnesses for either x ∈ L or x /∈ L. For simplicity, we

will assume that all strings in {0,1}

∗

correspond to ei-

ther “yes” or “no” instances of L. Let k be a security

parameter. Deﬁne the following protocol.

Protocol (P, V)

1. Common Random String: P and V agree on a

common random string (crs) r

← {0,1}

2. Common Input: Some string x

← {0,1}

(possi-

bly chosen by P) is common input to P and V.

3. Prover’s Auxiliary Input: P is given as auxiliary

input w

←

4. Proof Generation: P uses (r,w, x) to compute

and output a proof π.

5. Proof Veriﬁcation: V uses a deterministic proce-

dure on input (x,r, π) and outputs either 0 or 1.

Deﬁnition 4.1. (P,V) is a NIZK-PoK (and a PoDP)

for L ∈ NP ∩ co-NP if the following hold.

1. Completeness: For all x ∈ Σ

∗

and honest provers



V(x,r, π) = 1

r, x

← {0, 1}

← W

π ← P(x,w,r)



= 1

2. Zero-Knowledge: There is a universal PPT simu-

lator M that on input some random string x (the

problem instance) outputs a tuple (r

,π

) such

that V(x,r

,π

) = 1 and the distributions {x,r,π}

and {x,r

,π

} below are indistinguishable.

{x,r, π}

def







r,x

← {0,1}

V(x, r,π) = 1 w

← W

π ← P(x, w, r)







{x,r

,π

}

def



V(x,r

,π

) = 1

← {0, 1}

,π

) ← M



3. Proof-of-Knowledge: There is a universal PPT ex-

tractor E that functions as follows. E gives a “ran-

dom looking” string r

to the prover P

∗

, who out-

puts a pair (x,π). If V(x, r

,π) = 1 then E takes

in as input (x,r

,π) and outputs a string w

. We

require that for all P

∗

, the strings r

are indistin-

guishable from truly random strings, and





← E(x),(x, π) ← P

∗

∈ W

V(x,r

,π) = 1,

← E(x,r

,π)





≈ 1

Note that our NIZK-PoKs are adaptive - the prover

can choose the statement x after seeing the CRS r.

ADDITIVE PROOFS OF KNOWLEDGE - A New Notion for Non-Interactive Proofs

241

4.1 NIZK-PoK for a CDH Solution

Let ˆe : G

× G

7→ G

be a bilinear map as deﬁned

in Section 3.1 such that |G

| = |G

| = q (prime). Let

g be some ﬁxed generator of G

, which we will use

as the base for our problem instances. Assume that

the computational Difﬁe-Hellman (CDH) problem is

hard in G

. Therefore, due to the Goldreich-Levin

Theorem (Goldreich and Levin, 1989), there must ex-

ist a hard-core predicate (say δ()) for the solution of

the CDH instance.

Consider the language consisting

of pairs of the form (g

) ∈ G

L = {(g

)|hard-core predicate δ(g

) = 1}

Clearly, L ∈ NP ∩ co-NP and the element g

, the

solution to the CDH instance (g

) forms the wit-

ness to both the “yes” and “no” instances. We de-

scribe a NIZK-PoK for the knowledge of this witness.

First we deﬁne the following problem.

Deﬁnition 4.2. Decision Class-Difﬁe-Hellman

(DCDH) problem. Given X,Y ∈ G

, output 1 if

(X,Y) ∈ L, otherwise output 0.

Deﬁne the following protocol between P and V.

Protocol (P,V).

1. Common random string (CRS): An element

← G

. Let Y

= g

for unknown y

2. Common input: A DCDH instance (X

) =

) ∈ G

3. Provers auxiliary input: WitnessW = g

∈ G

for the DCDH instance (X

4. Proof generation: P generates x

← Z

∗

and com-

putes (X

) = (g

,W · Y

) ∈ G

. It outputs

) as its proof.

5. Proof veriﬁcation: V accepts the above proof if

the following holds:

ˆe(X

) · ˆe(X

)

= ˆe(Z

,g) (1)

Theorem 4.3. The above non-interactive protocol

(P,V) is a NIZK proof of knowledge of the witness

to the DCDH decision problem instance (X

Proof. Completeness is trivial:

LHS = ˆe(X

) · ˆe(X

) = ˆe(g

) · ˆe(g

)

= ˆe(g

,g) = RHS

To apply the Goldreich-Levin result, we must exhibit

a one-way function that takes as input any CDH solution

(say H ∈ G

) and outputs a corresponding CDH instance

) ∈ G

. To do this, generate α

← Z

∗

and compute

) = (H

1/α

) ∈ G

. Then H is the solution (to

base g) of the CDH instance (H

Zero Knowledge: The input is some DCDH in-

stance (X

). Simulator M generates two random

elements r, u

← Z

∗

. It then computes X

= X

·g

and Z

= X

·Y

. It outputs X

as part of

the simulated transcript. The tuple (X

)

is indistinguishable from a real transcript.

Proof of Knowledge: We construct an extractor

E as follows. E generates a random element y

← Z

∗

and sets Y

= g

. It gives Y

as the random string

to the prover P, who outputs (X

) such

that (X

,g) satisﬁes Equation 1. Then

E computes and outputs W = Z

/(X

)

, the witness

to the DCDH instance (X

5 ADDITIVE NON-INTERACTIVE

PROOFS OF KNOWLEDGE

Observe that in the protocol of Section 4.1, given

the transcript (X

,g), we can generate

a new DCDH instance (X

) = (g

) and form

the tuple (X

,g), such that Z

· g

behaves like a PoK of Z

. We call this prop-

erty “additiveness” - whenever a non-interactive PoK

can be converted into a new non-interactive PoK

i+1

of Z

. First we deﬁne the following problem.

5.1 The Composite-CDH Problem

Let S

= {(X

),(X

),...,(X

)} be a set con-

taining i DCDH instances. Deﬁne Z

∈ G

to be the

value such that

∏

)∈S

ˆe(X

) = ˆe(Z

,g)

Deﬁnition 5.1. Composite Computational Difﬁe

Hellman (CCDH) problem. Given S

, compute Z

We say that Z

is the CCDH solution of the set S

The CCDH problem is as hard as the CDH problem.

Lemma 5.1. The CCDH problem is hard if and only

if the CDH problem is hard.

Proof. The “only if” part is trivial to prove. For the

“if” part, consider an adversary

A who can always

output the CCDH solution of any set S

. We can use

to solve any CDH instance (X,Y) as follows. Gener-

ate random x

′

← Z

∗

and compute X

′

= g

′

= g

′

The set S

= {(X,Y), (X

′

)} is given to

A , who out-

puts the CCDH solution Z

of S

. In this case Z

′

is the solution of our CDH instance.

SECRYPT 2007 - International Conference on Security and Cryptography

242

5.2 Additive NIWI Proofs

We now present a construction of an Additive

Non-Interactive Witness-Indistinguishable Proof of

Knowledge (A-NIWI-PoK). An A-NIWI-PoK can be

instantly transferred into another another A-NIWI-

PoK such that the new proof behaves like a PoK of

the older PoK. Deﬁne the following protocol between

P and V.

Protocol (P,V)

1. Common Random String: A random element

n+1

← G

2. Common Input: The common input is a set

= {(X

),(X

),...,(X

)} containing n

DCDH instances w.r.t. a common generator g.

3. Prover’s Auxiliary Input: Z

, the CCDH solu-

tion of S

. P will prove knowledge of Z

4. Proof Generation: P generates x

n+1

← Z

∗

and

sets (X

n+1

) ← (g

n+1

· Y

n+1

) ∈ G

. It

outputs (X

n+1

). Observe that Z

n+1

is the

CCDH solution of S

n+1

= S

∪ {(X

n+1

)}.

5. Proof Veriﬁcation: V veriﬁes that Z

n+1

is indeed

the CCDH solution of S

n+1

Theorem 5.2. The pair (Z

n+1

) is a NIWI-PoK

of the CCDH solution Z

of S

for all n ≥ 1.

Proof. Similar to ZK proofs, a WI proof has com-

pleteness, witness-indistinguishability and knowl-

edge extractor requirements (Feige and Shamir, 1990;

Dwork and Naor, 2000). Completeness is trivial.

Witness-Indistinguishability: The claim is true

for n = 1 (because ZK implies WI). For any n > 1,

given the set S

and random string Y

n+1

, we can

construct a pair (X

n+1

) such that Z

n+1

is the

CCDH solution of S

n+1

= S

∪ {(X

n+1

)}. This

can be done in at least two different ways: (1) Using

the CCDH solution Z

of S

and the witness for the

DCDH instance (X

n+1

). (2) Using the CCDH

solution of S

n+1

\{(X

)} and the witness for the

DCDH instance (X

). Clearly, it is infeasible to

distinguish which strategy was used.

Proof of Knowledge: We must exhibit an extrac-

tor E

n+1

that works as follows. First E

n+1

outputs a

random string Y

n+1

, which is given to the prover. The

prover then outputs a tuple (S

n+1

) such that

is a set containing n DCDH instances and Z

n+1

the CCDH solution of S

∪ {(X

n+1

)}. Finally,

n+1

takes as input (S

n+1

) and outputs Z

the CCDH solution of S

n+1

generates y

n+1

← Z

∗

and computes Y

n+1

∈ G

. E

n+1

gives Y

n+1

to some prover P who

outputs a tuple (S

n+1

) such that S

contains

n DCDH instances and Z

n+1

is the CCDH solution of

n+1

= S

∪{(X

n+1

)}. From this E

n+1

computes

= Z

n+1

· X

−y

n+1

and outputs Z

as the CCDH solu-

tion of S

5.2.1 Additiveness

Observe that any given Niwi-PoK (Z

) can be in-

stantly transferred into a new Niwi-PoK (Z

n+1

)

of (Z

) (in other words, (Z

n+1

) proves

knowledge of (Z

)). We call this property addi-

tiveness and any Niwi-PoK exhibiting this property

an Additive Niwi-PoK (A-Niwi-PoK).

5.2.2 Is it Zero-knowledge?

The witness indistinguishability property of above

NIWI-PoK ensures that Z

n+1

does not leak any “use-

ful” information about the secret Z

. However, we

have been unable to construct a simulator and it

is quite likely that the above protocol is not zero-

knowledge.

To see why it may not be zero-knowledge (and

still be witness hiding), observe that given the pair

) with |S

| = 3, an adversary may be able to ob-

tain some information about all the CCDH solutions

∗

for the 3 sets S

∗

( S

with |S

∗

| = 2 without getting

any information about the witnesses of the individual

DCDH instances of S

6 SUMMARY

In this paper we presented an efﬁcient Non-Interactive

Zero-Knowledge (NIZK) protocol that is a Proof of

Knowledge (PoK) for the solution of some given

Difﬁe-Hellman problem instance in bilinear groups.

Our protocol is based on the aggregate signatures

of (Boneh et al., 2003) and its interactive variant

(where the CRS is generated “on-the-ﬂy”) can be used

for efﬁcient identiﬁcation (eg. in smart-cards).

We also proposed the notion of Additive

Non-Interactive Witness Indistinguishable Proofs of

Knowledge (A-NIWI-PoKs). An A-NIWI proof can

be considered as a PoK of another A-NIWI proof.

However, we have unable to construct a simulator to

achieve zero-knowledge. We can use the simulator of

the proof of Theorem 4.3 and achieve additive NIZK

property at the cost of increasing the size of the proof

to 2

at n levels. As an open question, we would like

to ask if constant-size additive NIZK PoKs exist.

In summary, we feel that the proposed paradigm

of A-NIWI-PoKs can be used in a vast majority of e-

commerce applications, more speciﬁcally in the core

ADDITIVE PROOFS OF KNOWLEDGE - A New Notion for Non-Interactive Proofs

243

of protocols for smart cards and secure web purchases

but even more so in the context of auctions (due to the

inherent non-interactive nature of the scheme).

ACKNOWLEDGEMENTS

We would like to thank Ioannis Atsonios and the

anonymous referees for valuable comments.

REFERENCES

Bellare, M. and Goldreich, O. (1993). On deﬁning proofs

of knowledge. Lecture Notes in Computer Science,

740:390–420.

Blum, M., Feldman, P., and Micali, S. (1988). Non-

interactive zero-knowledge and its applications. In

STOC ’88: Proceedings of the twentieth annual ACM

symposium on Theory of computing, pages 103–112.

ACM Press.

Boneh, D., Gentry, C., Lynn, B., and Shacham, H. (2003).

Aggregate and veriﬁably encrypted signatures from

bilinear maps. In Biham, E., editor, EUROCRYPT,

volume 2656 of Lecture Notes in Computer Science,

pages 416–432. Springer.

Boneh, D., Lynn, B., and Shacham, H. (2004). Short signa-

tures from the weil pairing. J. Cryptology, 17(4):297–

319.

Coron, J.-S. and Naccache, D. (2003). Boneh et al.’s k-

element aggregate extraction assumption is equivalent

to the Difﬁe-Hellman assumption. In Laih, C.-S., ed-

itor, ASIACRYPT, volume 2894 of Lecture Notes in

Computer Science, pages 392–397. Springer.

Crescenzo, G. D., Sakurai, K., and Yung, M. (1997). Zero-

knowledge proofs of decision power: new protocols

and optimal round-complexity. In ICICS ’97: Pro-

ceedings of the First International Conference on In-

formation and Communication Security, pages 17–27,

London, UK. Springer-Verlag.

Crescenzo, G. D., Sakurai, K., and Yung, M. (2000). On

zero-knowledge proofs (extended abstract): “from

membership to decision”. In STOC ’00: Proceed-

ings of the thirty-second annual ACM symposium on

Theory of computing, pages 255–264, New York, NY,

USA. ACM Press.

Dwork, C. and Naor, M. (2000). Zaps and their applica-

tions. In FOCS ’00: Proceedings of the 41st Annual

IEEE Symposium on Foundations of Computer Sci-

ence, pages 283–293, Washington, DC, USA. IEEE

Computer Society.

Feige, U. and Shamir, A. (1990). Witness indistinguishable

and witness hiding protocols. In STOC ’90: Proceed-

ings of the twenty-second annual ACM symposium on

Theory of computing, pages 416–426, New York, NY,

USA. ACM Press.

Goldreich, O. (2001). Foundations of Cryptography I, vol-

ume Basic Tools. Cambridge University Press.

Goldreich, O. and Levin, L. A. (1989). A hard-core pred-

icate for all one-way functions. In STOC ’89: Pro-

ceedings of the twenty-ﬁrst annual ACM symposium

on Theory of computing, pages 25–32, New York, NY,

USA. ACM Press.

Goldwasser, S., Micali, S., and Rackoff, C. (1989). The

knowledge complexity of interactive proof systems.

SIAM J. Comput., 18(1):186–208.

Groth, J., Ostrovsky, R., and Sahai, A. (2006). Perfect non-

interactive zero knowledge for np. In Vaudenay, S.,

editor, EUROCRYPT, volume 4004 of Lecture Notes

in Computer Science, pages 339–358. Springer.

Rackoff, C. and Simon, D. R. (1992). Non-interactive zero-

knowledge proof of knowledge and chosen ciphertext

attack. In CRYPTO ’91: Proceedings of the 11th

Annual International Cryptology Conference on Ad-

vances in Cryptology, pages 433–444, London, UK.

Springer-Verlag.

Santis, A. D. and Persiano, G. (1992). Zero-knowledge

proofs of knowledge without interaction. In Proceed-

ings of the 33rd Annual Symposium on Foundations of

Computer Science, pages 427–436.

Saxena, A. and Soh, B. (2005). One-way signature chain-

ing: A new paradigm for group cryptosystems. Cryp-

tology ePrint Archive, Report 2005/335.

SECRYPT 2007 - International Conference on Security and Cryptography

244