One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin Jens Groth University College London Markulf Kohlweiss Microsoft Research




Page 1

One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

Jens Groth

University College London

Markulf Kohlweiss

Microsoft Research

Page 2

One-out-of-many statement

One of them holds gold!

But I will not tell you which one!

Prover Verifier

Page 3

One-out-of-many proof

Prover Verifier

Argument

Zero-knowledge: Remains secret which one of them holds gold

Soundness: Only accept if one of them holds gold

Page 4

Ring signature

Ring signature: One of them signed, but secret who it was

Construction: Non-interactive one-of-many argument of knowledge of a secret key corresponding to one of their public keys

Page 5

Zerocoin

Coin spending: Serial number 1001101

Anonymity: Each coin has a unique secret serial number known only to its owner. Use a one-of-many proof to demonstrate that one of the coins has this serial number.

Page 6

Membership proof


One-out-of-many proof that secret committed value belongs to a list

Page 7

One-out-of-many proof for commitment to 0

Statement: Claim that one of them is a commitment to 0

Prover Verifier

Witness

Soundness: Statement is true, there is a commitment to 0

Zero-knowledge: Remains secret which commitment contains 0

Page 8

Pedersen commitments

• Setup with commitment key that specifies group of prime order and two random generators

• Commitment to using randomness computed as

• Additively homomorphic

• Perfectly hiding

• Computationally binding

– Assuming hard to compute discrete logarithms

$\mathrm{com}(a) \cdot \mathrm{com}(b) = \mathrm{com}(a+b)$

Page 9

Sigma-protocols

• -special soundness
  – Compute witness from answers to different challenges

• Special honest verifier zero-knowledge
  – Given challenge simulate transcript

Sigma-protocol (figure): Statement, Witness s.t. …; Prover → Verifier: $a$; Verifier → Prover: $x \leftarrow \mathbb{Z}_p$; Prover → Verifier: $z$.

Page 10

Main result: one-out-of-many proof

Sigma-protocol for one out of many commitments being a commitment to

– Perfect completeness
– Computational -soundness
– Perfect special honest verifier ZK

Can use Fiat-Shamir heuristic to make it non-interactive for ring signatures and zerocoin

Rounds Prover Verifier Communication

3 expo. expo. group + field

For 256-bit elliptic curve groups bytes

Page 11

Binary tree

• Want to show is commitment to 0
• Equivalently write and
• Want to show is commitment to 0

(Figure: binary tree over the commitments $c_0, c_1, c_2, c_3$ with $N = 2^n$ leaves and edges labelled 0 and 1; the leaf $c_\ell = \mathrm{com}(0; r)$; indicator values $\delta_{00} = 1$, $\delta_{11} = 1$, $\delta_{01} = 0$, $\delta_{10} = 0$.)

Want SHVZK: Cannot reveal

Page 12

Commit to path

• Prover commits to

• Standard Sigma-protocol for knowledge of opening of commitment to
  – Run arguments for in parallel

(Figure: the same binary tree over $c_0, c_1, c_2, c_3$ with $N = 2^n$ leaves, edges labelled 0 and 1, and leaf $c_\ell = \mathrm{com}(0; r)$.)

Page 13

Build polynomials of degree in challenge

$f_j = x\,\ell_j + a_j$

• We have and
• Define and and

(Figure: Prover holds $\ell_j$ and $a_j$ and sends $c_{\ell_j} = \dots$; Verifier sends $x \leftarrow \mathbb{Z}_p$; Prover answers $f_j$; Verifier checks … and …. Polynomials defined by …. Communication ….)

Page 14

• Use committed path to construct polynomials in a verifiable manner

• Both prover and verifier can compute

• Prover sends before challenge

If then is a commitment to 0. Otherwise negligible chance of commitment to 0.

Page 15

One-out-of-many proofs

Sigma-protocol for one out of many commitments being a commitment to

Can save computation if prover knows openings of all commitments instead of just one of them

Rounds Prover Verifier Communication

3 expo. expo. group + field

Rounds Prover Verifier Communication

3 mult. expo. group + field

Page 16

Membership proof

• Have commitment and want to give argument of knowledge of opening to value in the list

• Give one-out-of-many proof for statement

• Save computation since both prover and verifier know a lot about commitments

Rounds Prover Verifier Communication

3 mult. mult. group + field

Page 17

Fiat-Shamir heuristic

• Sigma-protocol has quasi-unique challenges
  – Hard to compute many different answers to a challenge
  – Implies non-interactive argument is simulation-extractable in the random oracle model

Non-interactive argument (figure): Statement, Witness s.t. …; Prover → Verifier: $a$; challenge $x \leftarrow \mathrm{Hash}(u, a, \mathrm{aux})$; Prover → Verifier: $z$; proof $\pi = (a, z)$.

Page 18

Ring signatures

• Ring contains public keys of the form

• Interpret them as commitments to , i.e., $c_0 = h^{r_0}$, $c_1 = h^{r_1}$, $c_2 = h^{r_2}$

• Use Fiat-Shamir heuristic with challenge to prove knowledge of some

• Signature is the non-interactive argument
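The building blocks used on the last few slides, Pedersen commitments with their additive homomorphism, the Sigma-protocol for knowledge of an opening, and the Fiat-Shamir challenge $x \leftarrow \mathrm{Hash}(u, a, \mathrm{aux})$ with $\pi = (a, z)$, as an added Python example that is not code from the paper or the slides. It covers a single public key $c = h^r$ read as a commitment to 0 (the ring case needs the paper's one-out-of-many argument on top); the group parameters are constructed toy values and the function names are this example's own.

```python
"""Pedersen commitments and a Fiat-Shamir argument of knowledge of an opening to 0.

Added example, not code from the paper. Group parameters are constructed toy
values (p = 2039 = 2*1019 + 1, subgroup of prime order q = 1019) and give no
security; they only keep the arithmetic small enough to follow.
"""
import hashlib
import secrets

P, Q = 2039, 1019   # modulus and prime order of the subgroup of squares mod P
G, H = 4, 9         # two generators of that subgroup (toy: log_G(H) is not
                    # hidden here, so binding does not hold for these values)


def commit(m, r):
    """Pedersen commitment com(m; r) = g^m h^r."""
    return (pow(G, m % Q, P) * pow(H, r % Q, P)) % P


def homomorphic(a, r, b, s):
    """Additive homomorphism: com(a; r) * com(b; s) == com(a + b; r + s)."""
    return (commit(a, r) * commit(b, s)) % P == commit(a + b, r + s)


def challenge(u, a, aux):
    """Fiat-Shamir challenge x <- Hash(u, a, aux), reduced into Z_q."""
    digest = hashlib.sha256(f"{u}|{a}|{aux!r}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_zero(c, r, aux=b""):
    """Argument that c = com(0; r) = h^r: first message a = h^s, answer
    z = s + x*r mod q. The proof is pi = (a, z); aux binds it to a message."""
    s = secrets.randbelow(Q)
    a = pow(H, s, P)
    x = challenge(c, a, aux)
    return (a, (s + x * r) % Q)


def verify_zero(c, pi, aux=b""):
    """Recompute x and accept iff h^z == a * c^x (the Sigma-protocol check)."""
    a, z = pi
    x = challenge(c, a, aux)
    return pow(H, z, P) == (a * pow(c, x, P)) % P


if __name__ == "__main__":
    key = secrets.randbelow(Q)                  # secret r; public key c = h^r
    pk = commit(0, key)
    sig = prove_zero(pk, key, b"message")       # signature = the argument
    print(verify_zero(pk, sig, b"message"))     # True
```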

Page 19

Zerocoin

• Bulletin board with coins

• Each coin commitment to a serial number

• Spend a coin from a set anonymously by posting serial number and proving one of the coins in has this serial number
  – Prove that one of is commitment to 0 using Fiat-Shamir challenge
  – Serial number prevents double spending
  – Zero-knowledge guarantees anonymity

Page 20

Summary

Sigma-protocol for one out of many commitments being a commitment to

– Perfect completeness
– Computational -soundness
– Perfect special honest verifier ZK

Membership proof Ring signature Zerocoin

Rounds Prover Verifier Communication

3 expo. expo. group + field