Questions tagged [sigma-protocol]
Sigma protocols are a special form of zero-knowledge proof. They can be turned into non-interactive proofs using the Fiat-Shamir heuristic.
37 questions
1 vote, 1 answer, 57 views
Proving that one discrete logarithm is the square or inverse of another one
In Proof systems for general statements about discrete logarithms, at the very end, under "open problems", the authors have this sentence:
An interesting open problem is the design of ...
1 vote, 1 answer, 91 views
What is the difference between Sigma protocol and zero-knowledge protocol? What about non-interactive Sigma and ZK?
I have read many articles in Wikipedia and some research papers, but since I'm a 1st grade student, I have not much knowledge on the topic, and it only makes me confused reading all articles, as each ...
3 votes, 0 answers, 68 views
Sigma Protocol for commitment to m ∈ {0,1}
I am confused about the sigma protocol presented in this paper: One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin. I wonder how to understand each step of ...
0 votes, 0 answers, 48 views
Can ring signatures be considered as non interactive set membership proofs?
Can ring signatures be considered as non interactive set membership proofs?
For example, if the message msg is set to null, can the ring signature scheme proposed by Rivest et al. be regarded as a non ...
1 vote, 1 answer, 102 views
Showing special soundness for Dilithium's underlying $\Sigma$-protocol
I'm trying to prove the security of Dilithium's underlying $\Sigma$-protocol using the following theorem.
Let $\Sigma=\left(\mathcal{P},\mathcal{V}\right)$ be a $\Sigma$-protocol on an effective ...
4 votes, 1 answer, 155 views
Security impact of weakened collision resistance for 128-bit Fiat-Shamir challenges
As I understand, to achieve a security level of $\lambda$, a hash function's output should be at least $2\lambda$ in length, since the search space is halved for collision resistance.
However, I am ...
1 vote, 1 answer, 359 views
Special Soundness $\Sigma$-Protocols
About the characterizations of Special Soundness, from Staking Sigmas we have that:
''A $\Sigma$-protocol $\Pi=(A,Z,\phi)$ is said to have ${\it special\ soundness}$ if there exists a PPT extractor $\...
0 votes, 0 answers, 56 views
Verifying a random subset of a parallel repetition of sigma protocols
Suppose a prover computes a non-interactive proof which is composed of $k$ parallel repetitions of a sigma protocol with binary challenges (and knowledge error $\frac{1}{2}$), composed in parallel and ...
2 votes, 1 answer, 162 views
Fiat-Shamir with interactions
Suppose we have a standard $\Sigma$-protocol for proving the knowledge of a witness $x$ for the statement $y$. It has an honest-verifier ZK and special soundness. Now we do an unusual modification to ...
2 votes, 2 answers, 567 views
How to calculate soundness error of a sigma protocol?
How do I calculate the soundness error of a sigma protocol, such as Schnorr's interactive protocol for knowledge of a discrete logarithm?
0 votes, 0 answers, 296 views
Difference between sigma protocol, Schnorr protocol, Pedersen commitment
Could you explain the difference between sigma protocol, Schnorr protocol with examples. What is the advantage of using commit-and-prove zero knowledge proof over general zero knowledge proof?
1 vote, 1 answer, 108 views
Input Delayed Sigma-Protocol
In a Sigma-protocol, the steps are (1) commitment, (2) challenge, and (3) response. In general, the prover has a statement and witness that they can use to compute the commitment step. But in some ...
2 votes, 1 answer, 413 views
Extending the OR-proof to more than two statements
I have been reading about the sigma protocols, especially the OR-Proof.
Many examples just take into account two statements and provide a way to say that one of the statements is valid, but not which ...
3 votes, 1 answer, 386 views
Intuition Behind Commitment-Challenge-Response a.k.a. Sigma Protocols
In How To Prove Yourself: Practical Solutions to Identification and Signature Problems, Fiat and Shamir introduce a zero-knowledge identification scheme where
The prover sends a commitment to the ...
0 votes, 3 answers, 345 views
The challenge c in Sigma protocol (using Fiat Shamir)
As is known to all, the following picture depicts a sigma protocol, and to eliminate the interactivity, Prover can generate c by hashing (t, y) using Fiat Shamir transform. My question is:
1). Can c ...