Sigma protocols are a special form of zero-knowledge proof. They can be turned into non-interactive proofs using the Fiat-Shamir heuristic.
Questions tagged [sigma-protocol]
37 questions
8
votes
1 answer
Sigma protocol when order is unknown
In the following paper (page 5) they have a proof that a triple $\left(g,b_{i-1},b_{i}\right)$ is of the form: $\left(g,g^{x},g^{x^{2}}\right)$ for some x.
The relevant text from the paper is as follows:
They say the protocol is based on a classic…
yacovm
- 209
- 1
- 11
8
votes
2 answers
What is an example of a secure sigma proof?
I want to implement Threshold Elgamal as described in section 6.3.1 and in the decryption phase each party must broadcast a sigma proof to show that it actually has a valid secret share of the secret key.
I read about Schnorr protocol as a solution…
guglielmo london
- 699
- 3
- 11
6
votes
2 answers
Is this Sigma Protocol zero knowledge or is it just a proof of knowledge?
Suppose I have the witness $x$ and need to prove that I correctly computed $(g^x)^x$ to a verifier. $g$ and $g^x$ are public. The verifier asks me for $(g^x)^x$, but wants proof that I've given them the right answer.
Here's my attempt at a…
fraiser
- 448
- 3
- 8
4
votes
2 answers
Sigma proofs for Pedersen commitments arithmetic under different bases
I was wondering if it's possible to prove an equality of openings between $3$ Pedersen commitments $P\cdot Q$ and $R$ when $P, Q, R$ have different commitment keys.
Suppose that commitment $R$ commits to $a+b$ and $P$ and $Q$ commit to $a$ and $b$…
pintor
- 558
- 3
- 14
4
votes
1 answer
Zk-SNARK against Sigma Protocols and for Secure Function Evaluation
I have a couple of questions on ZK-SNARK:
Based on what I understand, a ZK-SNARK is an "Argument of knowledge". That means that it should be equivalent to Sigma Protocols like Fiat-Shamir and Pederson committments, RSA Accumulators, and even…
jimmytann
- 177
- 5
4
votes
1 answer
Are multi move proof protocols still "sigma protocols"?
Conventionally, sigma protocols are defined as being a three-move protocol (1. commit, 2. challenge, 3. response). Reading papers like "Bulletproofs" (Bunz, Bootle, Boneh et al., 2018), it feels like the authors avoid to call their protocols "sigma…
Ruben De Smet
- 2,530
- 15
- 27
4
votes
1 answer
Fiat-Shamir transform to Sigma protocols to turn into NIZK
I'm reading about the Schnorr's zero-knowledge proof for DLOG and the Sigma protocol for DH tuple proof, and I want to know how one applies Fiat-Shamir transform to both of them, to turn them into NIZK proofs.
I know that Prover would need to hash…
user4936
4
votes
3 answers
Sigma protocol for AND-composition involving the same secret
Say we have two public cyclic groups $G_1$, $G_2$ of corresponding prime orders $p_1$, $p_2$, and known generators $g_1$, $g_2$.
Say $g_3$ is also a generator of $G_2$.
For publicly known $C_1$ and $C_2$, and secret $r$ and $m$, I want to prove:…
oleiba
- 377
- 2
- 10
4
votes
1 answer
Security impact of weakened collision resistance for 128-bit Fiat-Shamir challenges
As I understand, to achieve a security level of $\lambda$, a hash function's output should be at least $2\lambda$ in length, since the search space is halved for collision resistance.
However, I am also under the impression that for many…
Taka
- 43
- 6
3
votes
1 answer
Intuition Behind Commitment-Challenge-Response a.k.a. Sigma Protocols
In How To Prove Yourself: Practical Solutions to Identification and Signature Problems, Fiat and Shamir introduce a zero-knowledge identification scheme where
The prover sends a commitment to the verifier
The verifier sends a challenge to the…
cadaniluk
- 229
- 1
- 4
3
votes
1 answer
Sigma-protocol for 3SAT problem
I have some questions from previous years exams, I hope you could help me with them. :)
Let $g,h$ denote generators of a group $G$ of large prime order $n$ such that $\log_g h$ is unknown to anyone. Consider an instance of the 3SAT problem for…
Peter De Vries
- 61
- 1
3
votes
0 answers
Transforming simplest protocol into a Sigma-protocol
I have some questions from previous years exams, I hope you could help me with them. :)
Suppose that a protocol satisfies the properties of a $\Sigma$-protocol, except that it is only (plain) honest-verifier zero-knowledge. Show how to transform…
Peter De Vries
- 61
- 1
3
votes
1 answer
Sigma protocol: witness hiding
I am working on an assignment and I am stuck with the last part of proving witness hiding for the protocol.
I have previously proved it is witness indistinguishable, and it has q (primer number chosen as in Schnorr's protocol) different values for…
Nohr
- 31
- 1
3
votes
0 answers
Sigma Protocol for commitment to m ∈ {0,1}
I am confused about the sigma protocol presented in this paper: One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin (enter link description here). I wonder how to understand each step of this protocol.
In my understanding, $(a,s)$ is a…
Yini Lin
- 31
- 1
2
votes
1 answer
Extending the OR-proof to more than two statements
I have been reading about the sigma protocols, specially the OR-Proof.
Many examples just take into account two statements and provide a way to say that one of the statements is valid, but not which one. For example this question zero-knowledge…
wattlab
- 21
- 2