Batch Proofs of Partial Knowledge

We present a practical attack on the soundness of Peng and Bao’s ‘batch zero-knowledge proof and verification’ protocol for proving knowledge and equality of one-out-of-n pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurial-esque binding property: the prover commits to just n− 1 values, but later opens the commitment to n values without revealing which one out of the n values was not part of the original commitment. With this requirement as a motivator, we propose and formally define all-but-k commitment schemes, and give a concrete construction based on polynomial commitments. We use the special case of “all-but-one” commitments to fix the above zero-knowledge protocol and then we describe a variant of the protocol that uses the more general all-but-k commitments to implement a batch zero-knowledge proof of knowledge and equality of k-out-of-n pairs of discrete logarithms, for arbitrary (public) k ∈ [1,n]. This latter protocol is asymptotically efficient, and it naturally yields batch “OR” proofs (one-out-of-n) and batch “AND” proofs (n-out-of-n) as two special cases; for all intermediate 1 < k < n, it is entirely novel.