Efficient zero-knowledge proofs of knowledge for homomorphisms

Efficient zero-knowledge proofs of knowledge for homomorphisms are a key building block in a vast number of constructions in applied cryptography. Examples are: identification-, signature-, group signature-, anonymous credential-, and identity escrow-schemes as well as voting systems, e-cash, multi-party computations, and trusted computing. This dissertation studies efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms. We prove that there are inherent efficiency limitations for existing proofs of knowledge for homomorphisms and describe novel proofs of knowledge that overcome these efficiency limitations. All efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol. We refer to this protocol as the Σψ-protocol. While all efficient zero-knowledge proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true: the Σψ-protocol is not known to yield efficient proofs of knowledge for all practically relevant homomorphisms. It was not known whether these efficiency limitations are inherent to the Σψ-protocol or whether they are limitations that can be overcome, i.e., limitations which are due to the conditions under which the Σψ-protocol currently is known to be a proof of knowledge. We prove in different settings and for different homomorphisms that the efficiency limitations of the Σψ-protocol are inherent to the protocol, and hence cannot be overcome. In particular, for the practically important class of exponentiation homomorphisms ψE(x) . =hx and ψE(x1, . . . , xl) . =h1 1 · . . . · h xl l in hidden order groups (e.g., RSA groups or class groups) no efficient zero-knowledge proofs of knowledge were known; neither using the Σψ-protocol, nor using any other protocol. We describe novel protocols that for the first time allow to obtain efficient zero-knowledge proofs of knowledge for such homomorphisms.