Rafik Chaabouni

Efficient Protocols for Set Membership and Range Proofs

We consider the following problem: Given a commitment to a valueσ , prove in zero-knowledge that σ belongs to some discrete set φ . The set φ can perhaps be a list of cities or clubs; often φ canbe a numerical range such as [1,220]. This problemarises in e-cash systems, anonymous credential systems, and variousother practical uses of zero-knowledge protocols. When using commitment schemes relying on RSA-like assumptions,there are solutions to this problem which require only a constantnumber of RSA-group elements to be exchanged between the prover andverifier [5, 15, 16]. However, for many commitment schemes based onbilinear group assumptions, these techniques do not work, and thebest known protocols require O (k ) group elementsto be exchanged where k is a security parameter. In this paper, we present two new approaches to buildingset-membership proofs. The first is based on bilinear groupassumptions. When applied to the case where φ is arange of integers, our protocols require

A Non-interactive Range Proof with Constant Communication

O(\frac{k}{\log k -\log\log k})

Additive combinatorics and discrete logarithm based range protocols

group elements to be exchanged. Not only is thisresult asymptotically better, but the constants are small enough toprovide significant improvements even for small ranges. Indeed, fora discrete logarithm based setting, our new protocol is an order ofmagnitude more efficient than previously known ones. We also discuss alternative implementations of our membershipproof based on the strong RSA assumption. Depending on theapplication, e.g., when φ is a published set of valuessuch a frequent flyer clubs, cities, or other ad hoc collections,these alternative also outperform prior solutions.

Break WEP Faster with Statistical Analysis

In a range proof, the prover convinces the verifier in zero-knowledge that he has encrypted or committed to a value a ∈ [0, H] where H is a public constant. Most of the previous non-interactive range proofs have been proven secure in the random oracle model. We show that one of the few previous non-interactive range proofs in the common reference string (CRS) model, proposed by Yuen et al. in COCOON 2009, is insecure. We then construct a secure non-interactive range proof that works in the CRS model. The new range proof can have (by different instantiations of the parameters) either very short communication (14 080 bits) and verifier’s computation (81 pairings), short combined CRS length and communication (log1 / 2 + o (1) H group elements), or very efficient prover’s computation (Θ(logH) exponentiations).

The Extended Access Control for Machine Readable Travel Documents

We show how to express an arbitrary integer interval I = [0,H] as a sumset I =Σi=1l Gi * [0, u - 1] + [0, H′] of smaller integer intervals for some small values l, u, and H′ < u - 1, where b*A = {ba: a ∈ A} and A+B = {a+b: a ∈ A ∧ b ∈ B}. We show how to derive such expression of I as a sumset for any value of 1 < u < H, and in particular, how the coefficients Gi can be found by using a nontrivial but efficient algorithm. This result may be interesting by itself in the context of additive combinatorics. Given the sumset-representation of I, we show how to decrease both the communication complexity and the computational complexity of the recent pairing-based range proof of Camenisch, Chaabouni and shelat from ASIACRYPT 2008 by a factor of 2. Our results are important in applications like e-voting where a voting server has to verify thousands of proofs of e-vote correctness per hour. Therefore, our new result in additive combinatorics has direct relevance in practice.