Zero-knowledge proofs in theory and practice

Zero-knowledge proof schemes are one of the main building blocks of modern cryptography. Using the Helios voting protocol as a practical example, we show mistakes in the previous understanding of these proof schemes and the resulting security problems. We proceed to deVne a hierarchy of security notions that solidiVes our understanding of proof schemes: weak proof schemes, strong proof schemes and multi-proofs. We argue that the problems in Helios result from its use of weak proofs and show how these proofs can be made strong. We provide the Vrst proof of ballot privacy for full Helios ballots with strong proofs. In Helios, a proof scheme commonly known as Fiat-Shamir-Schnorr is used to strengthen encryption, a construction also known as Signed ElGamal or more generally, Encrypt+PoK. We show that in the Encrypt+PoK construction, our hierarchy of proof scheme notions corresponds naturally to a well-known hierarchy of security notions for public-key encryption: weak proofs yield chosen-plaintext secure encryption, strong proofs yield non-malleable encryption and multi-proofs yield chosen-ciphertext secure encryption. Next, we ask whether Signed ElGamal is chosen-ciphertext secure, a question closely related but not identical to whether Fiat-Shamir-Schnorr proofs are multi-proofs. We answer both these questions negatively: under a reasonable assumption, the failure of which would cast doubt on the security of Schnorr-like proofs, we prove that Signed ElGamal cannot be shown to be chosenciphertext secure by a reduction to the security of plain ElGamal. This answers an open question, to our knowledge Vrst asked by Shoup and Gennaro in a paper published in 1998.