F. Boudot. Efficient proofs that a committed number lies in an interval. In Eurocrypt '00, pages 431--444, 2000.
.... that log g y that lies in the integer interval [a, b] is denoted by PK (#) y = g [a, b] Under the strong RSA assumption and if it is assured that the prover is not provided the factorization of the modulus (i.e. is not provided the order of the group) this proof can be done efficiently [Bou00] (it compares to about six ordinary PK (#) y = g . Proofs of knowledge or equality in different groups. The previous protocol can also be used to prove that the discrete logarithms of two group elements y 1 G 1 , y 2 G 1 to the bases g 1 G 1 and g 2 G 2 in different groups G 1 ....
Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Bart Preneel, editor, Advances in Cryptology --- EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 431--444. Springer Verlag, 2000.
....a protocol with common inputs (1) a commitment key (n, g, h) as described in Section 5.1; 2) a value C QR n ; 3) integers a and b, where the prover proves knowledge of the integers # and # such that C = g mod n and b. An efficient protocol that implements such proofs is due to Boudot [4]. However, if the integer # the prover knows in fact satisfies the more restrictive bound, then there are more efficient protocols (these protocols are very similar to a simple proof of knowledge of a discrete log; see, e.g. 9] More precisely, these protocols are applicable if the prover s ....
F. Boudot. Efficient proofs that a committed number lies in an interval. In B. Preneel, editor, Advances in Cryptology --- EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 431--444. Springer Verlag, 2000.
....therefore give in Section 3.3 an alternative (more efficient) solution. Jumping ahead, the vendor in the revised protocol will not try to verify that p is in the right range but will rather make sure that any such violation on the part of the buyer will cripple all future interactions. We note that [3] gives an efficient zero knowledge proof to a related problem, of proving that a committed number lies in an interval. However, the problem we solve (and hence our machinery for solving it) is easier. Sending an Item. We now assume that 0 b and that the balance was updated by the vendor. All ....
F. Boudot. Efficient proofs that a committed number lies in an interval. EUROCRYPT 2000.
....therefore give in Section 3.3 an alternative (more efficient) solution. Jumping ahead, the vendor in the revised protocol will not try to verify that p is in the right range but will rather make sure that any such violation on the part of the buyer will cripple all future interactions. We note that [3] gives an efficient zero knowledge proof to a related problem, of proving that a committed number lies in an interval. However, the problem we solve (and hence our machinery for solving it) is easier. Sending an Item. We now assume that 0 b and that the balance was updated by the vendor. All ....
F. Boudot. Efficient proofs that a committed number lies in an interval. EUROCRYPT 2000, pp. 431-444. Springer-Verlag, 2000.
....Proving Relations for Committed Numbers To ensure the correctness of the committed values used in our protocols, we need to prove that certain relations hold for committed numbers, i.e. a committed number lies in an interval or a committed number is the product of two other committed numbers. In [5] efficient protocols are described for proving in zero knowledge that a committed number lies in an exact interval. In [6] efficient and secure techniques for proving relations in modular arithmetic (addition, multiplication, exponentiation) between committed numbers in zero knowledge are proposed: ....
....to this sub protocol as ZKP(com(A ) see [6] Being convinced that com(A ) really contains the correctly computed value A , compute the commitment com(C) mod n on the value C. Finally in zero knowledge, that the value contained in com(C) is 0 using protocols from [5]. We refer to this sub protocol as 0) If accepts this proof then ZK DETECT ( ends with true, otherwise with false. Note that the modulus n is contained in the public commitment parameters par com . The latter is necessary for the used detection criteria to be equivalent to the original ....
[Article contains additional citation context not shown here]
Fabrice Boudot: Efficient Proofs that a Committed Number Lies in an Interval; Eurocrypt '00, LNCS 1807, Springer-Verlag, Berlin 2000, pp. 431-444
....secure zero knowledge proof systems for proving relations in modular arithmetic (addition, multiplication, exponentiation) between committed numbers are proposed: Given commitments to the values a, b, c, m M one can prove that a b c mod m, a#b c mod m or a b c mod m. Furthermore, [2] described efficient zero knowledge proof systems for proving that a committed number lies in an exact interval. 3 Solutions based on Interactive Proof Systems Two protocols for proving watermark presence with minimum knowledge (that work with a potentially large class of watermarking schemes) were ....
.... fulfil this strong security property: they hide all to be secret values in commitments from [8] and compute a commitment on the detection statistic of the underlying watermarking scheme, using the homomorphic property and zero knowledge proofs from [3] see Section 2) Finally, using protocols from [2] the prover proves to the verifier in zero knowledge, that the committed value of the detection statistic lies above the detection threshold. The idea underlying this approach is general and easily adaptable to any watermarking scheme that detects watermarks by computing a detection statistic, ....
[Article contains additional citation context not shown here]
F. Boudot: Efficient Proofs that a Committed Number Lies in an Interval; Eurocrypt '00, LNCS 1807, Springer, 2000, pp. 431--444.
....the following three commitments c v = comK (v; r v ) c b = comK (M v; r b ) c c = comK (M ; 0) satisfy a multiplicative relationship. This implies that the absolute value of the content in c v , v , is a divisor in M . Subsequently using a range proof, see [18] or Boudot's article [2], we can then prove that v 0. Combining these two pieces of information we see that v is of the desired form. This idea can be improved upon. Proving that a committed integer is positive is not that simple. In [18] the fact that all positive integers can be written as a sum of four squares, ....
....way a random shadow for erc . We can speak of computational, statistical and perfect shadowing depending on how the shadow hides the underlying element. In the protocols we know of the most common case is statistically hiding shadows and random shadows. 10 According to [18] the range proofs in [2] are 20 more efficient but still in the same ball park. As an alternative, we propose letting M be the square of a prime. Any legal vote is now a square, and we simply have to prove it a square in order to show that it is non negative. So let M = p with p prime and provide a commitment c v to ....
Boudot: Efficient Proof that a Committed Number Lies in an Interval, Proc. of EuroCrypt 2000, Springer Verlag LNCS series 1807.
....encrypted in A. For simple reduction functions ( in our construction, is simply the identity) this can be achieved by combining the technique of verifiable ElGamal encryption of a logarithm (Stadler, 25] and the proof of equality of discrete logarithms in different groups, due to Boudot[6]. We have described the whole procedure as if composed of several steps. However, the various proofs of knowledge described can be made non interactive through the Fiat Shamir heuristic and combined together in a single step. We describe this in detail in Section 5. 4 Proofs of knowledge In this ....
....PK[x; r 2 ; r 3 : F = E = F ] PK[x; r 1 : E = E(x ; r 1 ) The next two proofs of knowledge assert that a committed value lies in an interval. The first one was introduced in [12] and corrected in [13] The second one, which uses the first as building block, was introduced in [6], and is used in our scheme. Definition 10 (Proof that a committed number lies in a larger interval) A prover U can convince a verifier V that a number x 2 [0; b] which is committed in E = E(x; r) g n 1] lies in the much larger interval [ 2 b] by sending V the triple (C; D 1 ; D ....
[Article contains additional citation context not shown here]
Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Advances in Cryptology EUROCRYPT'00, vol. 1807 of Lecture Notes in Computer Science, Springer Verlag, 2000
.... # # [a, b] m) denote a signature of knowledge of a discrete logarithm of y # G with respect to g # G such that log g y lies in the integer interval [a, b] This protocol can be efficiently done under the strong RSA assumption and if the prover is not provided the factorization of the modulus [8]. 4. FORWARD SECURE GROUP SIGNATURE I 4.1 The Scheme SETUP Procedure. The group manager (GM) chooses two (#n 2) bit primes p = 2p # 1 and q = 2q # 1 where p # and q # are also primes. Set n : pq. GM also randomly chooses elements a, d, g, g1 #R QRn , a secret element x #R Z # p # q # , ....
F. Boudot. Efficient proofs that a committed number lies in an interval. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 2000, pages 431--444, Berlin, 2000. Springer-Verlag. Lecture Notes in Computer Science Volume 1807.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Eurocrypt '00, pages 431--444, 2000.
No context found.
F. Boudot. Efficient Proofs that a Committed Number Lies in an Interval. In Preneel [35], pages 431--444.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Advances in Cryptology Eurocrypt 2000, volume 1807 of Lecture Notes in Computer Science, pages 431--444. Springer Verlag, 2000.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Eurocrypt'00, pages 431--444, 2000.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Eurocrypt'00, pages 431--444, 2000.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Bart Preneel, editor, Advances in Cryptology - EuroCrypt '00, pages 431--444, Berlin, 2000. Springer-Verlag. Lecture Notes in Computer Science Volume 1807.
No context found.
Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Bart Preneel, editor, Advances in Cryptology --- EUROCRYPT '00, volume 1807 of LNCS, pages 431--444. Springer Verlag, 2000.
No context found.
F. Boudot. Efficient Proofs that A Committed Number lies in an Interval. Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science 1807, pages 431 -- 444, 2000.
No context found.
F. Boudot, Efficient proofs that a committed number lies in an interval, Advances in Cryptology-Eurocrypt 2000, LNCS 1807, pp.431-444, Springer-Verlag, 2000.
No context found.
Fabrice Boudot: Efficient Proof that a Committed Number Lies in an Interval, pp.431-444 in Proc. of EuroCrypt 2000, Springer Verlag LNCS #1807.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In Advances in Cryptology -- EUROCRYPT 2000.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In B. Preneel, editor, Advances in Cryptology --- EUROCRYPT 2000.
No context found.
F. Boudot. Efficient proofs that a committed number lies in an interval. In B. Preneel, editor, Advances in Cryptology --- EUROCRYPT 2000.
No context found.
F. Boudot: Efficient Proofs that a Committed Number Lies in an Interval, Advances in Cryptology - EUROCRYPT 2000.
No context found.
Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Proceedings of EUROCRYPT'00, pages 431--444, 2000.
No context found.
F. Boudot. Efficient Proofs that a Committed Number Lies in an Interval. In EUROCRYPT 2000.
No context found.
F. Boudot, Efficient Proofs that a Committed Number Lies in an Interval. Advances in Cryptology-EUROCRYPT'00, pp 431-444, Berlin:
No context found.
F. Boudot, Efficient proofs that a committed number lies in an interval, Advances in Cryptology --- EUROCRYPT