Schnorr Non-interactive Zero-Knowledge Proof
RFC 8235
| Document | Type |
RFC - Informational
(September 2017; Errata)
Was draft-hao-schnorr (individual)
|
|
|---|---|---|---|
| Author | Feng Hao | ||
| Last updated | 2020-12-11 | ||
| Stream | Independent Submission | ||
| Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
| IETF conflict review | conflict-review-hao-schnorr | ||
| Stream | ISE state | Published RFC | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | Adrian Farrel | ||
| Shepherd write-up | Show (last changed 2017-05-10) | ||
| IESG | IESG state | RFC 8235 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | Nevil Brownlee <rfc-ise@rfc-editor.org> | ||
| IANA | IANA review state | IANA OK - No Actions Needed | |
| IANA action state | No IANA Actions | ||
Independent Submission F. Hao, Ed.
Request for Comments: 8235 Newcastle University (UK)
Category: Informational September 2017
ISSN: 2070-1721
Schnorr Non-interactive Zero-Knowledge Proof
Abstract
This document describes the Schnorr non-interactive zero-knowledge
(NIZK) proof, a non-interactive variant of the three-pass Schnorr
identification scheme. The Schnorr NIZK proof allows one to prove
the knowledge of a discrete logarithm without leaking any information
about its value. It can serve as a useful building block for many
cryptographic protocols to ensure that participants follow the
protocol specification honestly. This document specifies the Schnorr
NIZK proof in both the finite field and the elliptic curve settings.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8235.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Hao Informational [Page 1]
RFC 8235 Schnorr NIZK Proof September 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Schnorr NIZK Proof over Finite Field . . . . . . . . . . . . 4
2.1. Group Parameters . . . . . . . . . . . . . . . . . . . . 4
2.2. Schnorr Identification Scheme . . . . . . . . . . . . . . 4
2.3. Non-interactive Zero-Knowledge Proof . . . . . . . . . . 5
2.4. Computation Cost . . . . . . . . . . . . . . . . . . . . 6
3. Schnorr NIZK Proof over Elliptic Curve . . . . . . . . . . . 6
3.1. Group Parameters . . . . . . . . . . . . . . . . . . . . 6
3.2. Schnorr Identification Scheme . . . . . . . . . . . . . . 7
3.3. Non-interactive Zero-Knowledge Proof . . . . . . . . . . 8
3.4. Computation Cost . . . . . . . . . . . . . . . . . . . . 8
4. Variants of Schnorr NIZK proof . . . . . . . . . . . . . . . 9
5. Applications of Schnorr NIZK proof . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 12
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
A well-known principle for designing robust public key protocols is
as follows: "Do not assume that a message you receive has a
particular form (such as g^r for known r) unless you can check this"
[AN95]. This is the sixth of the eight principles defined by Ross
Anderson and Roger Needham at Crypto '95. Hence, it is also known as
the "sixth principle". In the past thirty years, many public key
protocols failed to prevent attacks, which can be explained by the
violation of this principle [Hao10].
While there may be several ways to satisfy the sixth principle, this
document describes one technique that allows one to prove the
knowledge of a discrete logarithm (e.g., r for g^r) without revealing
its value. This technique is called the Schnorr NIZK proof, which is
a non-interactive variant of the three-pass Schnorr identification
scheme [Stinson06]. The original Schnorr identification scheme is
made non-interactive through a Fiat-Shamir transformation [FS86],
assuming that there exists a secure cryptographic hash function
(i.e., the so-called random oracle model).
Hao Informational [Page 2]
Show full document text