]> Sigma Protocols CNRS
m@orru.net
zero-knowledge This document describes Sigma protocols, a secure, general-purpose non-interactive zero-knowledge proof of knowledge. Concretely, the scheme allows proving knowledge of a witness, without revealing any information about the undisclosed messages or the signature itself, while at the same time, guarantying soundness of the overall protocols. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .
Introduction A Sigma Protocol is a simple zero-knowledge proof of knowledge. Any sigma protocols must define three objects:
  • A commitment, sometimes also called nonce. This message is computed by the prover.
  • A challenge, computed using the Fiat-Shamir transformation using a hash function.
  • A response, computed by the prover, which depends on the commitment and the challenge.
A sigma protocol allows to convince a verifier of the knowledge of a secret witness satisfying a statement.
Generic interface A sigma protocol is an interface exposing the following functions: Internally, each sigma protocol implements the following methods. SigmaProtocol def prover_commit(self, witness: Witness) -> (commitment, prover_state) def prover_response(self, prover_state, challenge) -> response def verifier(self, commitment, challenge, response) -> bool # optional def simulate_response() -> response # optional def simulate_commitment(response, challenge) -> commitment ]]> Where:
  • new(il: [u8], cs: ConstraintSystem) -> SigmaProtocol, denoting the initialization function. This function takes as input a label identifying local context information (such as: session identifiers, to avoid replay attacks; protocol metadata, to avoid hijacking; optionally, a timestamp and some pre-shared randomness, to guarantee freshness of the proof) and an instance generated via the ConstraintSystem, the public information shared between prover and verifier. This function should pre-compute parts of the statement, or initialize the state of the hash function.
  • prover_commit(self, witness: Witness) -> (commitment, prover_state), denoting the commitment phase, that is, the computation of the first message sent by the prover in a Sigma protocol. This method outputs a new commitment together with its associated prover state, depending on the witness known to the prover and the statement to be proven. This step generally requires access to a high-quality entropy source. Leakage of even just of a few bits of the nonce could allow for the complete recovery of the witness. The commitment meant to be shared, while prover_state must be kept secret.
  • prover_response(self, prover_state, challenge) -> response, denoting the response phase, that is, the computation of the second message sent by the prover, depending on the witness, the statement, the challenge received from the verifier, and the internal state prover_state. The returned value response is meant to be shared.
  • verifier(self, commitment, challenge, response) -> bool, denoting the verifier algorithm. This method checks that the protocol transcript is valid for the given statement. The verifier algorithm outputs nothing if verification succeeds, or an error if verification fails.
The final two algorithms describe the zero-knowledge simulator and are optional. The simulator is primarily an efficient algorithm for proving zero-knowledge in a theoretical construction, but it is also needed for verifying short proofs and for or-composition, where a witness is not known and thus has to be simulated. We have:
  • simulate_response() -> response, denoting the first stage of the simulator. It is an algorithm drawing a random response that follows the same output distribution of the algorithm prover_response
  • simulate_commitment(response, challenge) -> commitment, returning a simulated commitment -- the second phase of the zero-knowledge simulator.
The abstraction SigmaProtocol allows implementing different types of statements and combiners of those, such as OR statements, validity of t-out-of-n statements, and more.
Σ-protocols over prime-order groups The following sub-section present concrete instantiations of Σ-protocols over prime-order groups such as elliptic curves. Traditionally, Σ-protocols are defined in Camenish-Stadtler notation as (for example): This section describes how to build and prove statements of this form programmatically.
Group abstraction Because of their dominance, the presentation in the following focuses on proof goals over elliptic curves, therefore leveraging additive notation. For prime-order subgroups of residue classes, all notation needs to be changed to multiplicative, and references to elliptic curves (e.g., curve) need to be replaced by their respective counterparts over residue classes. We therefore assume two objects are available to the programmer: + Sub + Mul + From + Eq + Serialize + Deserialize Scalar: Zero + One + Div + Add + Sub + From + Eq + Serialize + Deserialize ]]> We detail the functions that can be invoked on these objects. Example choices can be found in .
Group
  • order(): Outputs the order of the group p.
  • random(): outputs a random element
  • serialize([Group; N]): serializes a list of group elements and returns a canonical byte array buf of fixed length Ng * N.
  • deserialize(buf): Attempts to map a byte array buf of size Ng * N into [Group; N], and fails if the input is not the valid canonical byte representation of an element of the group. This function can raise a DeserializeError if deserialization fails.
Scalar
  • random(): outputs a random element
  • serialize([Scalar; N]): serializes a list of scalars and returns their canonical representation of fixed length Ns * N.
Witness representation A witness is simply a list of num_scalars elements.
Constraint representation Internally, the constraint can be represented as: ; num_statements] // An list of references to group elements representing the left-hand side part of the equations image: [&Group; num_statements] // the number of secret scalars num_scalars: usize // the number of equations to be proven num_statements: usize } ]]> The object LinearCombination encodes pairs of indices of the witness vector with group elements. The initial example of the VRF can therefore be expressed with the following constraints: In the above, Equations.new() creates a new Equations with label "VRF".
Instantiation of the constraints
Scalar witness allocation
Public group element allocation
Group element assignment
Enforcing an equation This function adds an equation statement constraint to the instance, expressed as a left-hand side (the target group element), and a list of pairs encoding a linear combination of scalars and group elements. A witness can be mapped to a group element via:
Core protocol
Verifier procedure
Prover We describe below the prover's wrapping function.
Verifier
Nonce and challenge derivation Two types of randomness are needed for a sigma protocol:
  1. A nonce seeding the randomness used to produce the commitment of the first round of the protocol
  2. A challenge representing the verifier's public random coin.
The challenge of a Schnorr proof is derived with This can be generated with: The iv, which must properly separate the application and the statement being proved, is described below.
Statement generation Let H be a hash object. The statement is encoded in a stateful hash object as follows. In simpler terms, without stateful hash objects, this should correspond to the following: and the nonce is produced as: Where: - pad is a (padding) zero string of length 168 - len(random). - scalar_bytes is the number of bytes required to produce a uniformly random group element - random is a random seed obtained from the operating system memory
Ciphersuites
P-384 This ciphersuite uses P-384 for the Group.
Elliptic curve group of P-384 (secp384r1)
  • order(): Return 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973.
  • serialize([A]): Implemented using the compressed Elliptic-Curve-Point-to-Octet-String method according to ; Ng = 49.
  • deserialize(buf): Implemented by attempting to read buf into chunks of 49-byte arrays and convert them using the compressed Octet-String-to-Elliptic-Curve-Point method according to , and then performs partial public-key validation as defined in section 5.6.2.3.4 of . This includes checking that the coordinates of the resulting point are in the correct range, that the point is on the curve, and that the point is not the point at infinity.
Scalar Field of P-384 (secp384r1)
  • serialize(s): Relies on the Field-Element-to-Octet-String conversion according to ; Ns = 48.
  • deserialize(buf): Reads the byte array buf in chunks of 48 bytes using Octet-String-to-Field-Element from . This function can fail if the input does not represent a Scalar in the range [0, G.Order() - 1].
Acknowledgments Jan Bobolz, Stephan Krenn, Mary Maller, Ivan Visconti, Yuwen Zhang.
References Normative References Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography National Institute of Standards and Technology Informative References Digital signature standard (DSS) National Institute of Standards and Technology (U.S.) SEC 1: Elliptic Curve Cryptography