Efficient Zero-Knowledge Proofs and Applications

Abstract

Zero-knowledge proofs provide a means for a prover to convince a verifier that some claim is true and nothing more. The ability to prove statements while conveying zero information beyond their veracity has profound implications for cryptography and, especially, for its applicability to privacy-enhancing technologies. Unfortunately, the most common zero-knowledge techniques in the literature suffer from poor scalability, which limits their usefulness in many otherwise promising applications. This dissertation addresses the problem of designing communication- and computation-efficient protocols for zero-knowledge proofs and arguments of propositions that comprise many "simple" predicates. In particular, we propose a new formal model in which to analyze batch zero-knowledge protocols and perform the first systematic study of systems for batch zero-knowledge proofs and arguments of knowledge. In the course of this study, we suggest a general construction for batch zero-knowledge proof systems and use it to realize several new protocols suitable for proving knowledge of and relationships among large batches of discrete logarithm (DL) representations in prime-order groups. Our new protocols improve on existing protocols in several ways; for example, among the new protocols is one with lower asymptotic computation cost than any other such system in the literature. We also tackle the problem of constructing batch proofs of partial knowledge, proposing new protocols to prove knowledge of a DL that is equal to at least k-out-of-n other DLs, at most k-out-of-n other DLs, or exactly k-out-of-n other DLs. These constructions are particularly interesting as they prove some propositions that appear difficult to prove using existing techniques, even when efficiency is not a primary consideration. We illustrate the applicability of our new techniques by using them to construct efficient protocols for anonymous blacklisting and reputation systems.