One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin.

We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. ... A third application of our Sigma protocol is an efficient proof of membership of a secret committed value u belonging to a public list L = {λ1, . . . , λN }. ... [AOS04] use disjunctive proofs to demonstrate possession of one out of N secret keys to construct ring signatures. ...

doi:10.1007/978-3-662-46803-6_9 fatcat:m5yqe775obfp7i5xdip62sq2gu

To prove our protocol secure against adaptive attacks, which are particularly critical in the PoS setting, we introduce a new coin evolution technique that relies on a SNARKs mechanism and key-private ... To model its security we give a thorough treatment of private ledgers in the universal composition (UC) setting that might be of independent interest. ... To spend a coin at time τ , parties will need to prove knowledge of the secret key residing as the τ th leaf of the Merkle tree. ...

doi:10.1109/sp.2019.00063 dblp:conf/sp/KerberKKZ19 fatcat:abtqsxa3e5asbdh75nswaepybm

The credentials issued on one of a user's pseudonyms can be transferred to other pseudonyms by the user without revealing the links between pseudonyms. ... In an anonymous credential system, one user may have many pseudonyms. ... A class of group signature schemes based on proofs of knowledge of one out of many witnesses are presented. ...

doi:10.7146/dpb.v13i477.6950 fatcat:opvsf422kvhn3kkphqibux7o7y

In this paper, we propose any-out-of-many proofs, a logarithmic zero-knowledge scheme for proving knowledge of an arbitrary number of secrets out of a public list. ... Unlike existing k-out-of-N proofs [S&P'21, CRYPTO'21], our approach also hides the exact amount of secrets k, which can be used to achieve a higher anonymity level. ... is higher than many-out-of-many proofs [?] as the indexes of all secrets can be predicted when the permutation method and any one of indexes is leaked. ...

dblp:journals/iacr/ZhengGXS21 fatcat:3etbmy22ebchpgnsz2xcrdjgie

These proofs allow a prover to demonstrate knowledge of a witness w corresponding to a secret element x of a public set, such that they jointly satisfy a given NP relation, i.e. ... ℛ(w, x) = 1 and x is a member of a public set {x 1, . . . , x𝓁}. This allows the identity of the prover to remain hidden, eg. ring signatures and confidential transactions in cryptocurrencies. ... Acknowledgments The first and second authors are supported in part by NSF ...

doi:10.2478/popets-2022-0047 fatcat:kjnmuvna7nh2jc2pxlgihgvekm

DOAJ

This paper presents a detailed proposal of a proof-of-accuracy protocol. ... Since it represents a possible vulnerability, the community has made efforts to solve this and other blockchain problems, which has resulted in the birth of alternative consensus protocols, e.g., the proof ... Conflicts of Interest: The authors declare no conflict of interest. ...

doi:10.3390/math10142504 fatcat:uq33d7mbrjcfvgrl3u6nafug3y

DOAJ Szczepanski

Extending decentralization to the human identity concept, we can think of using blockchain for creating a list of verified human identities with a one-person-one-ID property. ... One part of this identity is simply the user's claim on one of his unique, permanent, and measurable characteristics -biometrics. ... One can formalize that as "How many people should collude, and how much money they need, in order to do X in the system?" ...

arXiv:1806.07583v1 fatcat:7p2xeqmkwrcgxbgpxbq43nss7u

One of the Bitcoin's innovations is the Proof of Work puzzle (aka scratch-off puzzle) as a consensus protocol for anonymous networks without pre-established PKI. ... Bitcoins based on the Proof of Work puzzle have been harshly blamed today for problems such as energy wasted and not easily scalable. ... The Bitcoin based on the proof of work faces the problem of resource waste and security. The Peercoin based on the proof of stake faces centralization of the coin. ...

dblp:journals/iacr/LiAWW17 fatcat:wtba5wyamre2xj27chomx74jze

This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. ... Our Contributions We present Bulletproofs, a new zero-knowledge argument of knowledge 1 system, to prove that a secret committed 1. ... We thank Peter Dettmann for pointing out the batch inversion trick. We thank Sean Bowe for various optimizations applicable to arithmetic circuits for Pedersen hash functions. ...

doi:10.1109/sp.2018.00020 dblp:conf/sp/BunzBBPWM18 fatcat:eqo5xk6trzgxjb7xumtcstdfw4

Omniring is the first RingCT scheme which 1) does not require a trusted setup or pairing-friendly elliptic curves, 2) has a proof size logarithmic in the size of the ring, and 3) allows to share the same ... Our zero-knowledge proofs rely on novel enhancements to the Bulletproofs framework (S&P 2018), which we believe are of independent interest. ... Potential Issues of Leaking One-Time Secret Keys For completeness, we point out a potential issue which seems costly to avoid. We observe that in Noether et al. ...

dblp:journals/iacr/LaiRRSTW19 fatcat:boqezbrfnzd25et7qy4xo5jfiy

Specifically, for commitments C = Commit1(y), D = Commit 2 (x), of value y and a tuple x = (x 1 , . . . , x L ), respectively, our argument system allows one to demonstrate the knowledge of (x, y) such ... Specifically, for commitments C = Commit1(y), D = Commit2(x), of value y and a tuple x = (x1, . . . , xL), respectively, our argument system allows one to demonstrate the knowledge of (x, y) such that ... Conclusion We constructed a new zero-knowledge argument system and illustrated its significance with applications to blind signatures, traceable signatures and compact e-cash systems. ...

doi:10.1007/978-3-642-14081-5_22 fatcat:7k754v74c5ef5jgsobcjbierou

cryptocurrencies that are based on "proof of stake", and others). ... We introduce a new class of protocols called Proofs of Work or Knowledge (PoWorKs). ... The requirement there is that the puzzle solver should spend a minimum of computational resources to find a solution to the puzzle (and may or may not choose to parallelize). Applications. ...

doi:10.1007/978-3-662-53890-6_30 fatcat:wy6nncpc3rabjjseoa45uftr44

Different from existing approaches that adopt a one-out-of-many proof [CCS'19, Crypto'19], we show that a linear sum proof suffices in ring signatures which could avoid the costly binary proof part. ... Finally, we show how to adopt these techniques in RingCT protocols and implement a prototype to compare the performance with existing approaches. ... We would also like to thank to the reviewers of Oakland'20 and Oakland'21 for their valuable comments. ...

dblp:journals/iacr/GaoZGX21 fatcat:tuothoh3evgw5lefp2btnks234

As the name suggests, a PoH is a proof that a human invested a moderate amount of effort to solve some challenge. A PoH puzzle should be moderately hard for a human to solve. ... We introduce the novel notion of a Proof of Human-work (PoH) and present the first distributed consensus protocol from hard Artificial Intelligence problems. ... The authors also thank Andrew Miller, and the PC of ITCS 2016 and TCC 2016B for their helpful comments. ...

doi:10.1007/978-3-662-53644-5_20 fatcat:m4wa3kkx6naglmtriqqbzjypk4

In this work, we show how public parameters for a class of NIZKs can be generated by a multi-party protocol, such that if at least one of the parties is honest, then the result is secure (in both aforementioned ... This party is trusted to correctly run a probabilistic algorithm (specified by the the proof system) that outputs the public parameters, and publish them, without leaking any other information (such as ... A common random string can, e.g., be implemented via a public randomness source with high entropy (or even coin-tossing protocols). of a random evaluation of C PGHR corresponds to public parameters for ...

doi:10.1109/sp.2015.25 dblp:conf/sp/Ben-SassonC0TV15 fatcat:lh2mmdyenjhexcmt3cytfwncfa

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin [chapter]

Preserved Fulltext

Ouroboros Crypsinous: Privacy-Preserving Proof-of-Stake

Preserved Fulltext

Witness Hiding Proofs and Applications

Preserved Fulltext

Leaking Arbitrarily Many Secrets: Any-out-of-Many Proofs and Applications to RingCT Protocols [article]

Preserved Fulltext

Efficient Set Membership Proofs using MPC-in-the-Head

Preserved Fulltext

On Proof-of-Accuracy Consensus Protocols

Preserved Fulltext

UniqueID: Decentralized Proof-of-Unique-Human [article]

Preserved Fulltext

Designing Proof of Transaction Puzzles for Cryptocurrency [article]

Preserved Fulltext

Bulletproofs: Short Proofs for Confidential Transactions and More

Preserved Fulltext

Omniring: Scaling Up Private Payments Without Trusted Setup - Formal Foundations and Constructions of Ring Confidential Transactions with Log-size Proofs [article]

Preserved Fulltext

Proof-of-Knowledge of Representation of Committed Value and Its Applications [chapter]

Preserved Fulltext

Indistinguishable Proofs of Work or Knowledge [chapter]

Preserved Fulltext

Efficient and Post-Quantum Zero-Knowledge Proofs for Blockchain Confidential Transaction Protocols [article]

Preserved Fulltext

Designing Proof of Human-Work Puzzles for Cryptocurrency and Beyond [chapter]

Preserved Fulltext

Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs

Preserved Fulltext