
    On Sigma-Protocols and (packed) Black-Box Secret Sharing Schemes

    $\Sigma$-protocols are a widely utilized, relatively simple and well understood type of zero-knowledge proof. However, the well known Schnorr $\Sigma$-protocol for proving knowledge of a discrete logarithm in a cyclic group of known prime order, and similar protocols working over this type of group, are hard to generalize to other groups, in particular to hidden-order groups, because the knowledge extractor cannot invert elements modulo the (unknown) group order. In this paper, we introduce a universal construction of $\Sigma$-protocols designed to prove knowledge of preimages of group homomorphisms for any finite abelian group. In order to do this, we first establish a general construction of a $\Sigma$-protocol for $\mathfrak{R}$-module homomorphisms given only a linear secret sharing scheme over the ring $\mathfrak{R}$, where zero knowledge and special soundness can be related to the privacy and reconstruction properties of the secret sharing scheme. Then, we introduce a new construction of a 2-out-of-$n$ packed black-box secret sharing scheme capable of sharing $k$ elements of an arbitrary (abelian, finite) group, where each share consists of $k+\log n-3$ group elements. From these two building blocks we obtain a generic ``batch'' $\Sigma$-protocol for proving knowledge of $k$ preimages of elements under the same group homomorphism, which communicates $k+\lambda-3$ elements of the group to achieve $2^{-\lambda}$ knowledge error. For the case of class groups, we show that our $\Sigma$-protocol improves in several aspects on existing proofs of knowledge of discrete logarithm and other related statements that have been used in a number of works. Finally, we extend our constructions from group homomorphisms to the case of ZK-ready functions, introduced by Cramer and Damgård at Crypto 09, which in particular include proofs of knowledge of plaintext (and randomness) for some linearly homomorphic encryption schemes such as Joye-Libert encryption. However, in the case of Joye-Libert, we show an even better alternative, using Shamir secret sharing over Galois rings, which achieves $2^{-k}$ knowledge soundness by communicating $k$ ciphertexts to prove $k$ statements.

    Zero-Knowledge Arguments for Subverted RSA Groups

    This work investigates zero-knowledge protocols in subverted RSA groups where the prover can choose the modulus and where the verifier does not know the group order. We introduce a novel technique for extracting the witness from a general homomorphism over a group of unknown order that does not require parallel repetitions. We present a NIZK range proof for general homomorphisms such as Paillier encryptions in the designated verifier model that works under a subverted setup. The key ingredient of our proof is a constant-sized NIZK proof of knowledge for a plaintext. Security is proven in the ROM assuming an IND-CPA additively homomorphic encryption scheme. The verifier's public key is reusable, can be maliciously generated and is linear in the number of proofs to be verified.

    The equivariant topology of stable Kneser graphs

    The stable Kneser graph $SG_{n,k}$, $n\ge1$, $k\ge0$, introduced by Schrijver [schrijver], is a vertex critical graph with chromatic number $k+2$; its vertices are certain subsets of a set of cardinality $m=2n+k$. Björner and de Longueville [anders-mark] have shown that its box complex is homotopy equivalent to a sphere, $\mathrm{Hom}(K_2,SG_{n,k})\simeq S^k$. The dihedral group $D_{2m}$ acts canonically on $SG_{n,k}$, and the group $C_2$ with 2 elements acts on $K_2$. We almost determine the $(C_2\times D_{2m})$-homotopy type of $\mathrm{Hom}(K_2,SG_{n,k})$ and use this to prove the following results. The graphs $SG_{2s,4}$ are homotopy test graphs, i.e. for every graph $H$ and $r\ge0$ such that $\mathrm{Hom}(SG_{2s,4},H)$ is $(r-1)$-connected, the chromatic number $\chi(H)$ is at least $r+6$. If $k\notin\{0,1,2,4,8\}$ and $n\ge N(k)$ then $SG_{n,k}$ is not a homotopy test graph, i.e. there are a graph $G$ and an $r\ge1$ such that $\mathrm{Hom}(SG_{n,k}, G)$ is $(r-1)$-connected and $\chi(G)<r+k+2$.
    Comment: 34 pp

    Tame Class Field Theory for Global Function Fields

    We give a function field specific, algebraic proof of the main results of class field theory for abelian extensions of degree coprime to the characteristic. By adapting some methods known for number fields and combining them in a new way, we obtain a different and much simplified proof, which builds directly on a standard basic knowledge of the theory of function fields. Our methods are explicit and constructive and thus relevant for algorithmic applications. We use generalized forms of the Tate-Lichtenbaum and Ate pairings, which are well known in cryptography, as an important tool.
    Comment: 25 pages, to appear in Journal of Number Theor

    Equivariant Kirchberg-Phillips-type absorption for amenable group actions

    We show an equivariant Kirchberg-Phillips-type absorption theorem for pointwise outer actions of discrete amenable groups on Kirchberg algebras with respect to natural model actions on the Cuntz algebras $\mathcal{O}_\infty$ and $\mathcal{O}_2$. This generalizes results known for finite groups and poly-$\mathbb{Z}$ groups. The model actions are shown to be determined, up to strong cocycle conjugacy, by natural abstract properties, which are verified for some examples of actions arising from tensorial shifts. We also show the following homotopy rigidity result, which may be understood as a precursor to a general Kirchberg-Phillips-type classification theory: if two outer actions of an amenable group on a unital Kirchberg algebra are equivariantly homotopy equivalent, then they are conjugate. This marks the first C*-dynamical classification result up to cocycle conjugacy that is applicable to actions of all amenable groups.
    Comment: v3 42 pages; this version has been accepted for publication in Communications in Mathematical Physic