Formalising Sigma-Protocols and Commitment Schemes using CryptHOL


Machine-checked proofs of security are important to increase the rigour of provable security. In this work we present a formalised theory of two fundamental two party cryptographic primitives: Σ-protocols and Com- mitment Schemes. Σ-protocols allow a prover to convince a verifier that they possess some knowledge without leaking information about the knowledge. Commitment schemes allow a committer to commit to a message and keep it secret until revealing it at a later time.

We use CryptHOL to formalise both primitives and prove secure multi- ple examples namely; the Schnorr, Chaum-Pedersen and Okamoto Σ-protocols as well as a construction that allows for compound (AND and OR) Σ-protocols and the Pedersen and Rivest commitment schemes.

A highlight of the work is a formalisation of the construction of commit- ment schemes from Σ-protocols. We formalise this proof at an abstract level using the modularity available in Isabelle/HOL and CryptHOL. This way, the proofs of the instantiations come for free.

Citation information

David Butler, Andreas Lochbihler, David Aspinall, Adria Gascon, 

Formalising Sigma-Protocols and Commitment Schemes using CryptHOL, Cryptography ePrint Archive, Report 2019/1185,


Turing affiliated authors