1 Introduction

In a zero-knowledge protocol, a prover tries to convince a skeptical verifier that a certain statement is true. Except with a small error probability, the verifier should be convinced if and only if the statement is indeed true, but should learn nothing beyond the validity of the assertion. The statement can take the form of claiming that the input string x is in a given language L (interactive proofs) or claiming that the prover knows a “witness” w such that (x,w) is in some given relation \(\mathcal {R}\) (interactive proofs of knowledge).

Zero-knowledge was introduced in [8] and has been the subject of intense research ever since. Zero-knowledge protocols are interesting as theoretical objects in their own right but are also very useful as building blocks in larger protocols.

The efficiency of zero-knowledge proofs has been studied in many works, and in some cases, extremely efficient zero-knowledge proofs have been found. For NP-complete problems such as Boolean circuit satisfiability, Ishai et al. [10] show protocols where the proof size (communication complexity) is \(O(|x| +\operatorname {poly}(k))\), where k is a security parameter, and |x| is the size of the input x. In prime-order groups, Schnorr’s protocol [11] proves knowledge of a discrete logarithm using an (honest-verifier) zero-knowledge proof of size O(|x|+n) for an error probability of \(2^{-n}\). In a practical application, one must expect to have to communicate x to make the claim in the first place as well as an n-bit challenge, so this is essentially optimal.

However, for several interesting problems, such methods for improved zero-knowledge protocols do not work. This includes, for instance, the very first problem for which a zero-knowledge protocol was suggested, namely quadratic residuosity, where one proves on input (x,N) that x is a square modulo N (and that the prover knows a square root). The well-known classical protocol [4] for this has error probability 1/2, and one must repeat it n times for an error probability of \(2^{-n}\), so that the proof will be of size O(|x|n). No more efficient solution with unconditional soundness and zero-knowledge was previously known.

The state of affairs is similar for the discrete log problem in groups of unknown order. Say we are given \(g,h\in\mathbb{Z}_{N}^{*}\) for an RSA modulus N, and the prover claims that h is in the group generated by g and that he knows the discrete logarithm of h base g. The best solution we know for this has error probability 1/2, and again we must repeat the entire protocol to reduce the error. Schnorr’s protocol cannot be used here since its proof of soundness requires that the group order is known, and finding the order of \(\mathbb{Z}_{N}^{*}\) is equivalent to factoring N. Even if we were happy with only a proof of membership in the group generated by g, the error probability for known solutions would be 1 divided by the smallest prime factor in the total group order, which is 1/2 for the case of \(\mathbb{Z}_{N}^{*}\). It should be noted that Fujisaki and Okamoto [7] have shown how to get around these difficulties, but only if we are guaranteed to be working in a subgroup of \(\mathbb{Z}_{N}^{*}\) with only large prime factors in the order, and then only under the strong RSA assumption.

Other examples of a similar nature come from various proposals for homomorphic encryption where one uses subgroups of \(\mathbb{Z}_{N}^{*}\), often with small prime factors in their order, to make the decryption algorithm efficient [5, 9]. Many applications require a zero-knowledge proof that one knows the plaintext for a given ciphertext, and we then have all the same problems as described above.

In this paper, we show a general method that applies to all the problems mentioned above and allows us to reduce the proof size in the amortized sense: we can give a proof for n instances of the problem simultaneously such that the communication complexity per instance proved is O(|x|+n) for an error probability of \(2^{-n}\); thus we are as efficient as the best known unconditional protocols for any problem. The technique uses no computational assumptions. In all cases, the computational complexity is also reduced compared to naive repetition of the basic protocol. Here, the most favorable case is discrete log, where computation is reduced by a factor n; for quadratic residuosity we gain a factor \(\log n\).

We emphasize that for the case of proofs for quadratic residues, what we achieve is different from what can be done using Fiat–Shamir-type protocols [6], although they may seem superficially similar to ours: the Fiat–Shamir protocol is also efficient, it takes n quadratic residues as input, and has an error probability of \(2^{-n}\). The difference lies in the type of witness that the prover proves knowledge of. For Fiat–Shamir, the prover only has to know a product of some of the square roots of the input numbers. In fact, the prover could know nothing about the first input number and still survive with probability 1/2. In contrast, our protocol guarantees that the prover knows all the square roots.

It also makes sense to compare our work to the “MPC-in-the-head” technique from [10], where the idea is to construct a zero-knowledge protocol from a multiparty computation protocol. The technique requires a commitment scheme, and it is well known that such schemes cannot offer unconditional security for both parties. This means that for any protocol constructed using MPC-in-the-head, either soundness or zero-knowledge will be computational, unlike our results that require no computational assumptions. Nevertheless, it should be noted that one can adapt the construction from [10] to give a protocol for quadratic residuosity modulo some number N with complexity similar to ours. This is because one can start the construction of [10] from a multiparty protocol that is particularly efficient because it is based on a special-purpose secret sharing scheme that works modulo N. For other cases, such as discrete log in a group of unknown order, no such secret-sharing scheme is available, one has to resort to generic MPC protocols, and the complexity then becomes much larger than ours.

We give an abstract framework characterizing the type of problem that our method applies to and derive all the examples above as special cases. Basically, we need a function with certain homomorphic properties on some Abelian groups and a ring A that acts on the groups in a sufficiently nice way. The latter holds if all groups are A-modules (although this is not a necessary condition). It follows that ℤ can always be used as A since all Abelian groups are ℤ-modules.

Applications of our result include multiparty computation based on homomorphic encryption, where players would supply inputs by sending them in encrypted form. To make the overall protocol secure, players must prove that they know the inputs they supply, and our method can be used to give such proofs efficiently for a large number of ciphertexts; see [3] for a concrete example of such an application. Note that some computations, such as certain auctions, do in fact require players to submit large amounts of data as input. Another application involves proofs of negative statements such as proving that a number x is not a square modulo N. The classical protocol for this from [8] uses the proof for quadratic residuosity as a subroutine and has complexity \(O(|x|n^2)\). Our method reduces this to O(|x|n) without making any computational assumptions. The same idea can be used to prove for some homomorphic encryption schemes that a ciphertext contains a nonzero plaintext. Note that these applications are for a single-instance proof and so are not of an amortized nature.

The Σ-protocols presented in Sect. 3.4 are only honest-verifier zero-knowledge (HVZK), as is the case for Schnorr’s protocol. In Sect. 5, we present an extended version of our basic protocol (called Protocol 1 in the following), which is a zero-knowledge proof of knowledge. We use a technique by Bellare et al. [2] to construct it but extend their result by showing soundness as a proof of knowledge, which was not done in [2]. As is common for zero-knowledge proofs, the verifier has to commit to his challenge at the beginning of the protocol. Here, the commitment scheme is constructed from the basic Σ-protocol for a new instance generated by the prover. The extended protocol has only constant-factor overhead over the basic one.

1.1 An Intuitive Explanation of Our Technique

Our basic idea is closely connected to secret sharing (a concept that we assume the reader is familiar with). To understand this, it is instructive to have a look at the well-known zero-knowledge protocol for discrete logarithms, where the prover claims to know w such that \(h=g^w\) in some finite group. The prover sends \(a=g^r\), the verifier chooses a challenge e=0 or 1, and the prover returns \(z=r+ew \bmod t\), where t is the order of g. The verifier checks that \(g^z=ah^e\).

One can interpret this protocol as being based on a very simple 2-out-of-2 secret sharing scheme, where the secret is w, r is the randomness used for the sharing, and the shares are r and r+w. In this language, the protocol is that the prover commits to the randomness for the secret sharing by sending \(a=g^r\) and must then reveal the share of the verifier’s choice. The verifier’s check ensures that the correct share is indeed revealed. On one hand, since two shares are enough to reconstruct, we can extract the secret from any prover who can answer two different challenges. On the other hand, since one share reveals no information on the secret, we can simulate the protocol without knowing the secret.

If the group order t is public and is a prime, we can instead use the obvious linear 2-out-of-t secret sharing scheme, where there are t shares, and the eth share is \(r+ew \bmod t\). If we again build a protocol by asking the prover to commit to the randomness by sending \(g^r\) and then reveal the share of the verifier’s choice, we get exactly Schnorr’s protocol. From this point of view, the efficiency of this protocol can be explained from the fact that it is based on a 2-out-of-t secret sharing scheme for a very large t.

The protocols from this paper can be understood in a similar way: the prover’s secret is a vector of witnesses \(w_1,\dots,w_n\), and, loosely speaking, the idea is to construct a suitable 2-out-of-\(2^n\) secret sharing scheme and otherwise do “the same” as in Schnorr’s protocol. We show a concrete example of this in the following section.

2 An Example of Our Basic Idea

The first zero-knowledge proof ever presented was the well-known protocol to prove quadratic residuosity. We show here a variant related to the Goldwasser–Micali probabilistic cryptosystem, which we will use as a running example in the following. In this cryptosystem, the public key is an RSA modulus N, and we assume for simplicity that it is chosen such that −1 is not a square modulo N. To encrypt a bit w with randomness s, we compute \(E_N(w,s)=(-1)^w s^2 \bmod N\). The encryption function is homomorphic, that is, it has two properties: first, \(E_N(w,s)E_N(w',s') \bmod N = E_N(w\oplus w', ss' \bmod N)\), and moreover, we can multiply a known plaintext b “into a ciphertext,” i.e., we have \(E_N(w,s)^b = E_N(wb, s^b)\).

Now consider a scenario where the common input to prover P and verifier V is a pair of numbers N and ciphertext x. P claims to know a bit w and \(s\in\mathbb{Z}_{N}^{*}\) such that \(x=E_N(w,s)\). The protocol goes as follows:

1. P chooses r∈{0,1} and \(u\in\mathbb{Z}_{N}^{*}\) at random and sends \(a=E_N(r,u)\) to V.
2. V chooses a bit b at random and sends it to P.
3. P sends \(z=r\oplus bw\) and \(v=us^b \bmod N\) to V, who accepts if and only if \(E_N(z,v)=ax^b \bmod N\) and u,v are in \(\mathbb{Z}_{N}^{*}\).

It is well known that this protocol is perfect zero-knowledge and has error probability 1/2. The reader can easily verify that completeness, soundness, and zero-knowledge of the protocol can be based only on the above homomorphic properties of \(E_N\). While the error probability 1/2 is not sufficient in practice, repeating the protocol n times reduces the error probability to \(2^{-n}\). However, the size of the entire proof will be roughly n times the size of the problem instance.
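As an added illustration (this code is not from the paper), the single-instance protocol above in Python: a three-move run, the witness extractor that turns two accepting answers for b=0 and b=1 into (w,s), and the honest-verifier simulator. Both follow from the two homomorphic properties of \(E_N\) alone. The modulus is a constructed toy value (two primes congruent to 3 mod 4, so that −1 is a non-square modulo N); the helper names are mine.

```python
# Added example (not from the paper): the 1/2-error Sigma-protocol of this section
# for E_N(w, s) = (-1)^w * s^2 mod N, with the extractor and honest-verifier
# simulator that the homomorphic properties alone provide.  All values are
# constructed toy parameters; helper names are my own.
from math import gcd
import random

# Constructed toy modulus: both primes are 3 mod 4, so -1 is a non-square mod N.
P, Q = 1019, 1031
N = P * Q


def enc(w: int, s: int) -> int:
    """E_N(w, s) = (-1)^w * s^2 mod N."""
    return (pow(-1, w, N) * pow(s, 2, N)) % N


def rand_unit(rng: random.Random) -> int:
    """Uniformly random element of Z_N^* (rejection sampling on gcd)."""
    while True:
        s = rng.randrange(1, N)
        if gcd(s, N) == 1:
            return s


def prover_commit(rng):
    """Step 1: random r in {0,1}, u in Z_N^*; send a = E_N(r, u)."""
    r, u = rng.randrange(2), rand_unit(rng)
    return (r, u), enc(r, u)


def prover_respond(state, w, s, b):
    """Step 3: z = r xor b*w, v = u * s^b mod N."""
    r, u = state
    return r ^ (b & w), (u * pow(s, b, N)) % N


def verify(x, a, b, z, v):
    """Accept iff v is a unit and E_N(z, v) == a * x^b mod N."""
    return gcd(v, N) == 1 and enc(z, v) == (a * pow(x, b, N)) % N


def extract(x, a, z0, v0, z1, v1):
    """Special soundness: two accepting answers to the same a, for b = 0 and b = 1,
    give (w, s) with E_N(w, s) = x, because E_N(z1, v1) / E_N(z0, v0) = x."""
    assert verify(x, a, 0, z0, v0) and verify(x, a, 1, z1, v1)
    w = z0 ^ z1
    s = (v1 * pow(v0, -1, N)) % N
    assert enc(w, s) == x
    return w, s


def simulate(x, rng):
    """Honest-verifier simulator: choose (b, z, v) first, then a = E_N(z, v) / x^b."""
    b, z, v = rng.randrange(2), rng.randrange(2), rand_unit(rng)
    a = (enc(z, v) * pow(pow(x, b, N), -1, N)) % N
    return a, b, z, v


def run_demo(seed=1):
    """One honest commitment answered for both challenges (rewinding), then
    extraction and a simulated transcript; returns four booleans."""
    rng = random.Random(seed)
    w, s = rng.randrange(2), rand_unit(rng)
    x = enc(w, s)
    state, a = prover_commit(rng)
    z0, v0 = prover_respond(state, w, s, 0)
    z1, v1 = prover_respond(state, w, s, 1)
    both_accept = verify(x, a, 0, z0, v0) and verify(x, a, 1, z1, v1)
    w2, s2 = extract(x, a, z0, v0, z1, v1)
    sim_accepts = verify(x, *simulate(x, rng))
    return both_accept, w2 == w, enc(w2, s2) == x, sim_accepts
```

The simulated transcript has exactly the distribution of a real one (b, z, v are uniform in both, and a is then determined), which is the perfect zero-knowledge claim; the extractor needs the verifier to accept both answers, which is why the verifier's gcd check on v matters.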

In this paper we will be concerned with doing it more efficiently if we are to give a proof for n instances of a problem simultaneously. So say we are given a vector \(\mathbf{x}=(x_1,\dots,x_n)\) of ciphertexts. If we expand the encryption function in a natural way to vectors by applying it to every entry, we can say that the prover’s claim now is that he knows vectors \(\mathbf{w},\mathbf{s}\) such that \(E_N(\mathbf{w},\mathbf{s})=\mathbf{x}\).

Now, the key idea is to consider w not just as a bit string, but as an element in the extension field \(GF(2^n)\). Since addition in \(GF(2^n)\) is coordinate-wise xor, the (expanded) encryption function is still homomorphic. We have

$$E_N(\mathbf{w},\mathbf{s}) E_N\bigl( \mathbf{w}',\mathbf{s}'\bigr) =E_N\bigl( \mathbf{w}+\mathbf{w}',\mathbf{ss}'\bigr), $$

where \(\mathbf{w}+\mathbf{w}'\) is addition in \(GF(2^n)\), and \(\mathbf{ss}'\) is multiplication in the direct product \((\mathbb{Z}_{N}^{*})^{n}\). We are also able to multiply an element \(e\in GF(2^n)\) “into a ciphertext.” We can do this by noticing that if we consider \(GF(2^n)\) as a vector space over GF(2), multiplication by e is a linear mapping. Taking E to be the matrix of this mapping, applying E to an n-bit vector implements multiplication by e. Using this, we can define \(\mathbf{x}^{e}\in (\mathbb{Z}_{N}^{*})^{n}\), where \(\mathbf{x} \in(\mathbb{Z}_{N}^{*})^{n}\), namely the ith entry in \(\mathbf{x}^e\) is

$$\bigl(\mathbf{x}^e\bigr)_i = \prod _{j=1}^n x_j^{E(i,j)}\bmod N, $$

where E(i,j) is interpreted as a 0/1 integer. The reader can easily verify that this gives us

$$E_N(\mathbf{w},\mathbf{s})^e =E_N\bigl(e \mathbf{w},\mathbf{s}^e\bigr). $$

The upshot of this is that since \(E_N\) satisfies the same homomorphic properties as before, when seen as a function for encrypting elements in \(GF(2^n)\), we can do a proof of knowledge for plaintexts in \(GF(2^n)\) by mimicking the protocol above:

1. P chooses \(\mathbf{r}\in\{0,1\}^n\) and \(\mathbf{u}\in (\mathbb{Z}_{N}^{*})^{n}\) at random and sends \(\mathbf{a}=E_N(\mathbf{r},\mathbf{u})\) to V.
2. V chooses \(e\in GF(2^n)\) at random and sends it to P.
3. P sends \(\mathbf{z}=\mathbf{r}+e\mathbf{w}\) and \(\mathbf{v}=\mathbf{u}\mathbf{s}^e\) to V, who accepts if and only if \(E_N(\mathbf{z},\mathbf{v})=\mathbf{a}\mathbf{x}^e\) and all entries in u,v are in \(\mathbb{Z}_{N}^{*}\).

Note that V now chooses between \(2^n\) challenges. In fact, one can show that if the prover could answer correctly two different challenges e,e′, then from the answers we could efficiently compute valid w,s. The key reason why this is possible is that \(e-e'\) is invertible because \(GF(2^n)\) is a field (a detailed proof follows as a special case of the general framework we present below).

Hence, this protocol has error probability \(2^{-n}\). Note, however, that we only send a constant number of “compound” ciphertexts to do the protocol. Hence, compared to iterating the basic protocol n times for all n instances, which would be the naive solution, we have saved a factor n in the size of the proof.

This construction can also be described in the “secret-sharing language” from the introduction: the prover’s secret is a pair of vectors \(\mathbf{w},\mathbf{s}\), there is a share for each element \(e\in GF(2^n)\), and with randomness \(\mathbf{r},\mathbf{u}\) the eth share is computed as \((\mathbf{r}+e\mathbf{w},\ \mathbf{u}\mathbf{s}^e)\).
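The amortized protocol of this section, as an added worked example in Python (not code from the paper): n=8 instances, challenges taken from \(GF(2^8)\) with the reduction polynomial \(x^8+x^4+x^3+x+1\), the matrix E of “multiplication by e” built column by column, and an extractor that recovers all n plaintext bits and randomizers from two accepting transcripts with \(e\neq e'\) by inverting \(e+e'\) in the field. The modulus is a constructed toy value and the helper names are mine. The extractor keeps track of the even exponents that appear when GF(2)-matrix arithmetic is lifted to integer exponents on \(\mathbb{Z}_N^*\); those are exactly the correction terms the general framework later calls Δ and Γ.

```python
# Added example (not from the paper): the amortized protocol above over GF(2^n)
# with n = 8, the constructed toy modulus N below, and my own helper names.  It
# builds the GF(2)-matrix E of "multiplication by e", runs the three moves, and
# extracts every w_i, s_i from two accepting transcripts with e != e'.
from math import gcd
from functools import reduce
import random

NBITS = 8
POLY = 0x11B               # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
P, Q = 1019, 1031          # constructed primes, both 3 mod 4: -1 is a non-square mod N
N = P * Q


def gf_mul(a, b):
    """Product in GF(2^NBITS); bit i of an int is the coefficient of x^i."""
    res = 0
    for _ in range(NBITS):
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> NBITS:
            a ^= POLY
    return res


def gf_inv(a):  # a^(2^n - 2) = a^(-1) for a != 0, by square-and-multiply
    res, base, exp = 1, a, (1 << NBITS) - 2
    while exp:
        if exp & 1:
            res = gf_mul(res, base)
        base, exp = gf_mul(base, base), exp >> 1
    return res


def mult_matrix(e):
    """E[i][j] = coefficient of x^i in e*x^j, so E*w over GF(2) is the bit vector of e*w."""
    return [[(gf_mul(e, 1 << j) >> i) & 1 for j in range(NBITS)] for i in range(NBITS)]


def mat_vec(M, w):  # matrix-vector product over GF(2) on bit lists
    return [sum(M[i][j] & w[j] for j in range(len(w))) & 1 for i in range(len(M))]


def vec_enc(w, s):
    """E_N applied entrywise: (-1)^w_i * s_i^2 mod N."""
    return [(pow(-1, wi, N) * pow(si, 2, N)) % N for wi, si in zip(w, s)]


def vec_pow(x, M):
    """(x^M)_i = prod_j x_j^{M[i][j]} mod N; negative exponents use modular inverses."""
    return [reduce(lambda acc, t: acc * pow(t[0], t[1], N) % N, zip(x, row), 1) for row in M]


def rand_unit(rng):
    v = rng.randrange(1, N)
    return v if gcd(v, N) == 1 else rand_unit(rng)


def prover_commit(rng):
    r = [rng.randrange(2) for _ in range(NBITS)]
    u = [rand_unit(rng) for _ in range(NBITS)]
    return (r, u), vec_enc(r, u)


def prover_respond(state, w, s, e):
    """z = r + e*w in GF(2^n), v = u * s^e componentwise."""
    r, u = state
    E = mult_matrix(e)
    z = [zi ^ ri for zi, ri in zip(mat_vec(E, w), r)]
    v = [(ui * si) % N for ui, si in zip(u, vec_pow(s, E))]
    return z, v


def verify(x, a, e, z, v):
    """Accept iff every v_i is a unit and E_N(z, v) == a * x^e componentwise."""
    rhs = [(ai * xi) % N for ai, xi in zip(a, vec_pow(x, mult_matrix(e)))]
    return all(gcd(vi, N) == 1 for vi in v) and vec_enc(z, v) == rhs


def extract(x, a, e, z, v, e2, z2, v2):
    """Two accepting transcripts sharing a, with e != e2, yield (w, s) for all n instances."""
    assert e != e2 and verify(x, a, e, z, v) and verify(x, a, e2, z2, v2)
    E, E2 = mult_matrix(e), mult_matrix(e2)
    # Dividing the two checks: E_N(c, d) = x^(E - E2) with integer exponents in {-1, 0, 1}.
    c = [zi ^ zj for zi, zj in zip(z, z2)]
    d = [(vi * pow(vj, -1, N)) % N for vi, vj in zip(v, v2)]
    # E - E2 = M - 2*Pm, M = E xor E2 (matrix of e + e2); fold x^(-2Pm) into d: E_N(c, d') = x^M.
    M = [[p ^ q for p, q in zip(r1, r2)] for r1, r2 in zip(E, E2)]
    Pm = [[int(p == 0 and q == 1) for p, q in zip(r1, r2)] for r1, r2 in zip(E, E2)]
    d_adj = [(di * pi) % N for di, pi in zip(d, vec_pow(x, Pm))]
    # Apply the matrix Nm of (e + e2)^(-1).  Over Z, Nm*M = I + 2*T, so (x^M)^Nm = x * (x^T)^2.
    Nm = mult_matrix(gf_inv(e ^ e2))
    T = [[(sum(Nm[i][k] * M[k][j] for k in range(NBITS)) - (i == j)) // 2
          for j in range(NBITS)] for i in range(NBITS)]
    w = mat_vec(Nm, c)
    s = [(gi * pow(ti, -1, N)) % N for gi, ti in zip(vec_pow(d_adj, Nm), vec_pow(x, T))]
    assert vec_enc(w, s) == x
    return w, s


def run_demo(seed=7):
    rng = random.Random(seed)
    w, s = [rng.randrange(2) for _ in range(NBITS)], [rand_unit(rng) for _ in range(NBITS)]
    x = vec_enc(w, s)                               # n ciphertexts, one per instance
    state, a = prover_commit(rng)
    e, e2 = 0x53, 0xCA                              # two distinct challenges (rewinding)
    z, v = prover_respond(state, w, s, e)
    z2, v2 = prover_respond(state, w, s, e2)
    accepted = verify(x, a, e, z, v) and verify(x, a, e2, z2, v2)
    w2, s2 = extract(x, a, e, z, v, e2, z2, v2)
    return accepted, w2 == w, vec_enc(w2, s2) == x
```

One run sends three vectors of length n instead of 3n separate protocol runs, and the verifier's challenge space has \(2^8\) elements, matching the \(1/|\Omega_n|\) error bound. Because −1 is a non-square, each \(w_i\) is determined by \(x_i\), so the extracted bits coincide with the prover's.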

3 A Framework

In this section we show that the idea we just outlined is not tied to encryption functions over finite fields. All we really need is a function with certain homomorphic properties on Abelian groups (the encryption function in our example), and a ring that acts in a “nice” way on the involved groups (GF(2) in our example). To help understand the framework, we use the protocol from the previous section as a running example.

3.1 Setup and Assumptions

Consider a function \(f:R\times S\to X\), where R,S,X are finite Abelian groups. To make the framework fit with the example instantiations to follow, we will write R additively and S,X multiplicatively. We require that f is “almost” homomorphic and that X is “almost” an A-module with A being a commutative ring with 1. The following definition explains what we mean by this algebraically.

Definition 1

Let R,S,X be Abelian groups written as above, A a commutative ring with 1, and \(f:R\times S\to X\) a function. We say that f is ZK-ready with respect to A if all of the following holds.

There exist \(g:R\to X\) and a group homomorphism \(h:S\to X\) such that

(1)
(2)

for all r,r′∈R, s∈S, where \(\pi: X \to X/\operatorname {Im}(h)\) denotes the canonical projection. In other words, \(\pi\circ g\) is a group homomorphism.

Every a∈A acts as an endomorphism of X, i.e., given x∈X, there exists \(x^a\in X\) such that

$$ x^a y^a = (xy)^a $$
(3)

for all x,y∈X. In particular, 0∈A acts as the trivial endomorphism, and 1∈A acts as the identity, i.e.,

$$ x^0 = 1,\quad x^1 = x $$
(4)

for every x∈X.

R and \(\operatorname {Im}(\pi)\) are A-modules, \(\operatorname {Im}(\pi\circ g)\) is an A-submodule of the latter, \(\pi\circ g\) is an A-module homomorphism, and

$$ \pi\bigl(x^a\bigr) = \pi(x)^a $$
(5)

for all a∈A, x∈X.

To connect the framework to the example in the previous section, one may think of \(R=\mathbb{Z}_2\), \(S= X= \mathbb{Z}_{N}^{*}\), and \(f(r,s)=(-1)^r s^2 \bmod N\), where N is such that −1 is a nonsquare modulo N. Here, of course, we have that \(g(r):=(-1)^r\) is a group homomorphism because \((-1)^2=1\). Therefore, \(\pi\circ g\) is a group homomorphism as well. Furthermore, we set A=GF(2), so an element a∈A is 0 or 1. \(x^{a}\in\mathbb{Z}_{N}^{*}\) is then defined by (4), \(\operatorname {Im}(\pi) \cong \operatorname {Im}(\pi\circ g) \cong\mathbb{Z}_{2}\) clearly is a GF(2)-module, and (5) is trivially achieved.

Jumping ahead, we mention that if we set A=ℤ, the above conditions on A are always satisfied, and in fact we show in Theorem 1 below that all conditions in our framework can be satisfied for A=ℤ and any f satisfying (1) and (2).

For a practical usage of our framework, we need the following two lemmas. They establish several functions that quantify the deviation of f and X from being a homomorphic function and an A-module, respectively. We will use the equalities stated in the lemmas to prove the properties of our proposed Σ-protocols, just as one would use the homomorphic property of discrete exponentiation and the fact that any cyclic group is a ℤ-module to prove that Schnorr’s protocol is a Σ-protocol.

Lemma 1

Let f be ZK-ready with respect to A, and let all symbols be as above. Then, there exist \(\delta:R\times R\to S\), \(\Delta:X\times A\times A\to S\), \(\Gamma:X\times A\times A\to S\), \(\gamma:A\times R\times S\to S\) such that

(6)
(7)
(8)

for all r,r′∈R, s,s′∈S, x∈X, a,b∈A.

In our example, δ(r,r′)=1 for all r,r′∈R because f is homomorphic. For (7), one has to remember that the addition in the exponent is in GF(2) and so is actually an xor. Therefore, Δ(x,a,b)=x when a=b=1 and Δ(x,a,b)=1 otherwise. On the other hand, Γ(x,a,b)=1 always, and \(\gamma(a,r,s)=s^a\).

It can be shown that (1) is in fact equivalent to (6). Given (5), one can also show that \(\operatorname {Im}(\pi)\) being an A-module is equivalent to (7) and \(\operatorname {Im}(\pi\circ g)\) being an A-module is equivalent to (8).

Proof

(1) implies that

and thus, the following is well defined for all r,r′∈R:

$$ \delta\bigl(r,r'\bigr) := h^{-1} \bigl(g\bigl(r + r'\bigr)^{-1} \cdot g(r) \cdot g \bigl(r'\bigr) \bigr), $$
(9)

where \(h^{-1}: \operatorname {Im}(h) \to S\) can be any inverse of h. It directly follows that f satisfies the following:

for all r,r′∈R, s,s′∈S.

From (5) and the fact that \(\operatorname {Im}(\pi)\) is an A-module, it follows that

for all x∈X, a,b∈A. Similarly to above, one can therefore define

(10)

and (7) follows.

Finally,

$$\pi\bigl(f(r,s)^a\bigr) = \pi\bigl(g(r)\bigr)^a \pi \bigl(h(s)\bigr)^a = \pi\bigl(g(a \cdot r)\bigr) $$

for all r∈R, s∈S. Therefore, one can define

$$ \gamma(a,r,s) := h^{-1}\bigl(f(r,s)^a \cdot g(a \cdot r)^{-1}\bigr), $$
(11)

which achieves (8). □

Lemma 2

Let f be ZK-ready with respect to A, and δ as in the previous lemma. Then,

(12)
(13)
(14)

for all r∈R, s∈S.

This lemma also constitutes the raison d’être of (2), namely to simplify the computations. The framework would also work without it; nevertheless, all known examples achieve the condition.

Proof

The following follows from (1), (2), and (6):

for all r∈R, s,s′∈S, and thus,

$$ f(r,s)^{-1} = f\bigl(-r, s^{-1} \cdot\delta(r, -r)^{-1}\bigr). $$

 □

In the following, we will consider the direct products \(A^n,R^n,S^n,X^n\) for a natural number n. Our final assumption is that there exist a special subset \(\Omega_n\subseteq A^n\) and an efficiently computable mapping ω that for every \(e\in\Omega_n\) outputs a matrix ω(e) with m rows and n columns and entries in A, where m is some polynomial function of n, and furthermore for every pair \(e,e'\in\Omega_n\) where \(e\neq e'\), the matrix ω(e)−ω(e′) is invertible, i.e., there exists an n by m matrix N such that

$$N\bigl(\omega(e)-\omega\bigl(e'\bigr)\bigr) = I_n. $$

Values \(e\in\Omega_n\) will be used as challenges in our protocols to follow, and since the error probability will be \(1/|\Omega_n|\), we will be looking for constructions that give us a large \(\Omega_n\), preferably of size exponential in n. In the following, we will use E as shorthand for ω(e).

In our example, we can set \(\Omega_n\) to be all of \(A^n=GF(2)^n\) and m=n. Then for \(e\in\Omega_n\), we let E=ω(e) be the matrix that implements multiplication by e in the field \(GF(2^n)\), as in the previous section.

The following definition combines all requirements for our framework, algebraical and computational.

Definition 2

Let f be ZK-ready with respect to A. We say that f is ZK-friendly with respect to A and ω if there exists ω as described above for every natural number n and there is a representation of the groups R,S,X and the ring A such that all of the following is efficiently computable:

  • uniformly random elements of all groups (sampling)

  • membership check for all groups

  • group operations and inversions in all groups

  • addition, additive inverse, and multiplication in A

  • the action of A on X

  • δ, Δ, Γ, and γ as defined in Lemma 1

  • ω and N inverting (ω(e)−ω(e′)) for every distinct pair \(e,e'\in\Omega_n\)

3.2 A Generic Challenge Space

Suppose we are given any function f satisfying (1) and (2). Note that if we choose A=ℤ, most of the other conditions of Definition 1 are automatically satisfied, because any Abelian group is a ℤ-module. In more concrete terms, it always makes sense to multiply a group element by an integer if the group is written additively (or raise it to an integral power if it is written multiplicatively). In fact, (3), (4), and (5) follow trivially if we set A=ℤ, so the only missing condition is the existence of the special subset \(\Omega_n\) in \(\mathbb{Z}^n\) and the mapping ω.

Recall that \(\Omega_n\) must be a subset of \(A^n=\mathbb{Z}^n\). We choose \(\Omega_n\) to be the set of vectors with entries that are 0 or 1, and thus \(\Omega_n\) has size \(2^n\). We then need to build, from \(e\in\Omega_n\), a matrix ω(e) with n columns and m rows, where we choose m=2n−1, and where \(e\neq e'\) implies that ω(e)−ω(e′) is invertible. We do this as follows: thinking of e as a column vector, the jth column of ω(e) starts with j−1 zeros, followed by e, followed by n−j zeros:

It is straightforward to show that for any two different e,e′, indeed ω(e)−ω(e′) has an inverse N such that N(ω(e)−ω(e′)) is the identity matrix. One just observes that the matrix ω(e)−ω(e′) must always be upper triangular with only 1s or −1s on the diagonal. Therefore we have the following:

Theorem 1

Any \(f:R\times S\to X\) satisfying (1) and (2) is ZK-friendly with respect to ℤ and ω constructed as above if R, S, and X fulfill the first three conditions of Definition 2 and if δ as defined in Lemma 1 is efficiently computable.

Proof

By (10), Δ and Γ are constantly 1, and

by (11) and (9). Furthermore, arithmetic in ℤ is efficient, and the action of ℤ on X is efficiently computable if group operations in X are. It follows that all requirements in Definition 2 are achieved. □

It is worth noting that this construction of ω is closely connected to secret sharing, in exactly the way we explained in the introduction: if we consider our protocols from the previous section and combine them with the idea of using A=ℤ, we can rephrase the construction as follows: our protocols work with secrets that are vectors of elements in some Abelian group. What we construct is a 2-out-of-\(2^n\) secret sharing scheme where the eth share is computed by acting on the secret vector by the matrix ω(e).
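The generic challenge space of this section, as an added worked example (not code from the paper): ω(e) is built as the (2n−1)×n integer matrix whose jth column is e shifted down by j−1 rows, a left inverse N of ω(e)−ω(e′) over ℤ is obtained by solving the triangular n×n block that the first differing coordinate of e and e′ produces, and the 2-out-of-\(2^n\) sharing of the last paragraph is reconstructed from two shares with that inverse. The secret and randomness are taken from R=ℤ purely to show the arithmetic; the function names are mine.

```python
# Added example (not from the paper): omega(e) for A = Z, its left inverse over Z,
# and the 2-out-of-2^n sharing built from it.  Helper names are my own.


def omega(e):
    """(2n-1) x n matrix over Z: column j holds j-1 zeros, then e, then n-j zeros."""
    n = len(e)
    M = [[0] * n for _ in range(2 * n - 1)]
    for j in range(n):
        for i in range(n):
            M[i + j][j] = e[i]
    return M


def mat_sub(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def left_inverse(D):
    """n x m integer matrix Nmat with Nmat * D = I_n, for D = omega(e) - omega(e').

    omega is linear, so D = omega(e - e').  Let k be the first index with
    (e - e')_k != 0; that entry is +1 or -1.  Rows k..k+n-1 of D form an n x n
    lower-triangular block with +-1 on the diagonal, which is invertible over Z by
    forward substitution.  Nmat applies that inverse to those rows and ignores the rest.
    """
    m, n = len(D), len(D[0])
    k = next(i for i in range(n) if D[i][0] != 0)
    B = [D[k + i][:] for i in range(n)]
    inv = [[0] * n for _ in range(n)]
    for col in range(n):                      # solve B * inv[:, col] = unit vector col
        for row in range(n):
            acc = (1 if row == col else 0) - sum(B[row][t] * inv[t][col] for t in range(row))
            inv[row][col] = acc // B[row][row]  # diagonal is +-1, so this is exact
    Nmat = [[0] * m for _ in range(n)]
    for i in range(n):
        for j in range(n):
            Nmat[i][k + j] = inv[i][j]
    return Nmat


def share(e, secret, randomness):
    """e-th share of the 2-out-of-2^n scheme: omega(e) * secret + randomness, over Z."""
    return [sum(row[j] * secret[j] for j in range(len(secret))) + rnd
            for row, rnd in zip(omega(e), randomness)]


def reconstruct(e1, share1, e2, share2):
    """Two shares for distinct challenges: the randomness cancels, then apply Nmat."""
    Nmat = left_inverse(mat_sub(omega(e1), omega(e2)))
    diff = [a - b for a, b in zip(share1, share2)]
    return [sum(Nmat[i][j] * diff[j] for j in range(len(diff))) for i in range(len(Nmat))]


def check_all_pairs(n):
    """Exhaustively confirm Nmat * (omega(e) - omega(e')) = I_n for all distinct n-bit e, e'."""
    ident = [[int(i == j) for j in range(n)] for i in range(n)]
    for a in range(1 << n):
        for b in range(1 << n):
            if a == b:
                continue
            e = [(a >> i) & 1 for i in range(n)]
            e2 = [(b >> i) & 1 for i in range(n)]
            D = mat_sub(omega(e), omega(e2))
            if mat_mul(left_inverse(D), D) != ident:
                return False
    return True


def run_demo():
    """Constructed values: a 3-entry secret, 2n-1 = 5 randomness entries, two challenges."""
    secret, rnd = [3, -7, 12], [5, -2, 9, 0, 4]
    e, e2 = [1, 0, 1], [0, 1, 1]
    return reconstruct(e, share(e, secret, rnd), e2, share(e2, secret, rnd)) == secret
```

The triangular block is the reason the construction works over ℤ, where a matrix inverse generally does not exist: its diagonal entries are units of ℤ. Note that a single share over ℤ does not by itself hide the secret; the protocols that use this ω have to choose the randomness from a range large enough to mask it.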

3.3 Notation

We will use r,s to denote column vectors of elements in R, respectively S, and f(r,s) to denote the result of applying f to each coordinate:

$$\mathbf{r} = \left ( \begin{array}{c} r_1 \\ r_2 \\ \vdots\\ r_n \end{array} \right ),\qquad \mathbf{s} = \left ( \begin{array}{c} s_1 \\ s_2 \\ \vdots\\ s_n \end{array} \right ),\qquad f(\mathbf{r}, \mathbf{s}) = \left ( \begin{array}{c} f(r_1,s_1) \\ f(r_2,s_2) \\ \vdots\\ f(r_n,s_n) \end{array} \right ) $$

Let x be a vector of elements in X, and M be a matrix with entries in A and m rows and n columns. Then we define:

$$\mathbf{x}^M = \left ( \begin{array}{c} \prod_{i=1}^n x_i^{M[1,i]} \\[3pt] \prod_{i=1}^n x_i^{M[2,i]} \\ \vdots\\ \prod_{i=1}^n x_i^{M[m,i]} \end{array} \right ) $$

It is straightforward to verify that our assumptions on the action of A on X imply that

$$\mathbf{x}^B\mathbf{x}^{C} = \mathbf{x}^{B+C} f \bigl(0^n, \boldsymbol{\varDelta } (\mathbf{x}, B, C)\bigr),\qquad \bigl( \mathbf{x}^M\bigr)^N = \mathbf{x}^{NM} f \bigl(0^n, \boldsymbol{\varGamma}(\mathbf{x}, M, N)\bigr), $$
$$f(\mathbf{r}, \mathbf{s})f\bigl(\mathbf{r}', \mathbf{s}'\bigr) = f\bigl(\mathbf{r}+\mathbf{r}', \mathbf{s} \mathbf{s}' \delta \bigl(\mathbf{r},\mathbf{r}'\bigr) \bigr),\qquad f(\mathbf{r}, \mathbf{s})^M = f\bigl(M\mathbf{r}, \gamma(M,\mathbf{r}, \mathbf{s}) \bigr) $$

for matrices B,C,M,N, where the vectors Δ(x,B,C), Γ(x,M,N), δ(r,r′), and γ(M,r,s) can be efficiently computed as follows:

for all j. Note that \(0^n\) denotes the column vector with n zero entries.

To compute what γ(M,r,s) should be, one starts from the fact that \((f(\mathbf{r}, \mathbf{s})^{M})_{j} = \prod_{i=1}^{n} f(\mathbf {r}, \mathbf{s})_{i}^{M[j,i]}\) and then use (3), (6), and (7). If f is not 1–1, it may be possible to get different values for γ(M,r,s) depending on the order in which we compute the product. But this is not a problem since, in the following, we only need that we can compute some element in γ(M,r,s)∈S n that makes f(r,s)M=f(M r,γ(M,r,s)) be true.

3.4 Some Σ-Protocols

In this section, we assume throughout that we are given a function f that is ZK-friendly w.r.t. some A,ω and then show that we can build a number of zero-knowledge protocols; more specifically, they will be so-called Σ-protocols. A Σ-protocol for a relation \(\mathcal {R}= \{ (x,w)\}\) is a 3-move protocol for prover P and verifier V. x is the common input, and P gets w as private input. Conversations in the protocol have form (a,e,z) where e is a random challenge sent by V. The standard properties of a Σ-protocol are that it is perfectly complete, honest-verifier zero-knowledge, and sound in the particular sense that from x and conversations (a,e,z),(a,e′,z′) where \(e\neq e'\), one can efficiently compute w such that \((x,w)\in \mathcal {R}\). This implies that the protocol is a proof of knowledge for \(\mathcal {R}\) according to the standard definition, with knowledge error 1 divided by the number of possible challenges.

The homomorphic property of f described above already implies that there is a Σ-protocol with error probability 1/2 for the relation \(\mathcal {R}= \{ (x,(w,s)) \mid f(w,s) = x\}\). Namely, P sends a=f(r,u) for random r,u, and V asks P to send a preimage of either a or xa. This will be called Protocol 0 in the following.

We now give a Σ-protocol for a set of n instances, where the public input is \(\mathbf{x}\in X^n\), and the prover demonstrates knowledge of \(\mathbf{w},\mathbf{s}\) such that \(f(\mathbf{w},\mathbf{s})=\mathbf{x}\). In other words, a Σ-protocol for the relation \(\mathcal {R}_{f}= \{ (\mathbf{x}, (\mathbf{w},\mathbf{s}) ) \mid f(\mathbf{w},\mathbf{s}) = \mathbf {x} \}\). The protocol works as follows.

Protocol 1

1. P chooses vectors \(\mathbf{r},\mathbf{u}\) of length m at random and sends \(\mathbf{a}=f(\mathbf{r},\mathbf{u})\) to V.
2. V selects a random element \(e\in\Omega_n\) and sends it to P.
3. P sends \(\mathbf{z}=E\mathbf{w}+\mathbf{r}\) and \(\mathbf{v}=\gamma(E,\mathbf{w},\mathbf{s})\cdot\mathbf{u}\cdot\delta(E\mathbf{w},\mathbf{r})\) to V.
4. V accepts if and only if \(f(\mathbf{z},\mathbf{v})=\mathbf{x}^E\mathbf{a}\).

In this protocol, as well as in all the following, the verifier should also check that every communicated group element is in the group it should be in. For the example from the introduction, this translates to checking that numbers communicated are relatively prime to the modulus N.

Lemma 3

Protocol 1 is a Σ-protocol for \(\mathcal {R}_{f}\), with error probability \(1/|\Omega_n|\). The protocol is also an interactive proof that each entry in x is in \(\operatorname {Im}(f)\).

Proof

Completeness is trivial by the homomorphic property of f. For special soundness, we can assume that we have conversations

$$(\mathbf{a}, e, \mathbf{z},\mathbf{v}),\bigl(\mathbf{a}, e', \mathbf{z}',\mathbf{v}'\bigr)\quad \mbox{such that}\quad f(\mathbf{z},\mathbf{v}) = \mathbf{x}^{E} \cdot\mathbf{a},\ f\bigl(\mathbf{z}',\mathbf {v}'\bigr) = \mathbf{x}^{E'} \cdot\mathbf{a}, $$

and we must compute a valid witness for x. Dividing one equation by the other and applying (13) as well as the definition of Δ gives

$$f(\mathbf {z}, \mathbf {v}) \cdot f\bigl(-\mathbf {z}', \mathbf {v}'^{-1} \cdot\delta\bigl(\mathbf {z}', -\mathbf {z}'\bigr)^{-1} \bigr) = \mathbf {x}^{E-E'} \cdot f\bigl(0^n, \boldsymbol {\varDelta }\bigl(\mathbf {x}, E, -E'\bigr)\bigr), $$

which is by (6), (12), and (14) equivalent to

$$f\bigl(\mathbf {z}- \mathbf {z}', \mathbf {v}\cdot \mathbf {v}'^{-1} \cdot \delta\bigl(\mathbf {z}', -\mathbf {z}'\bigr)^{-1} \cdot \delta\bigl(\mathbf {z}, \mathbf {z}'\bigr) \cdot \boldsymbol {\varDelta }\bigl(\mathbf {x}, E, -E'\bigr)^{-1}\bigr) = \mathbf {x}^{E-E'}. $$

Defining c,d as the arguments of f on the right-hand side and M:=EE′ gives

$$f(\mathbf{c},\mathbf{d}) = \mathbf{x}^M. $$

We then apply the inverse N of M, which exists by Definition 2, on both sides and get

$$f\bigl(N\cdot\mathbf{c} , \gamma(N, \mathbf{c},\mathbf{d} )\bigr ) = \bigl( \mathbf{x}^M\bigr)^{N} = \mathbf{x} \cdot f \bigl(0^n, \boldsymbol {\varGamma }(\mathbf {x}, M, N)\bigr). $$

Applying (12) and (14) once more, we conclude

$$f\bigl(N \mathbf {c}, \gamma(N,\mathbf {c},\mathbf {d}) \cdot \boldsymbol {\varGamma }(\mathbf {x}, M, N)^{-1}\bigr) = \mathbf {x}, $$

and so we have the required witness. Since we always obtain something in the preimage of x under f, soundness as a proof of membership follows as well.

Finally, we have to provide an honest-verifier simulator. For this, we simply choose e,z,v uniformly in their respective domains and let \(\mathbf{a}=f(\mathbf{z},\mathbf{v})\cdot(\mathbf{x}^E)^{-1}\). This clearly simulates the real conversations perfectly, since z,v are indeed uniform in real conversations, and a is fixed when given z,v. □

A straightforward specialization of Protocol 1 can be used to show that \(\mathbf{x}=f(0^n,\mathbf{s})\):

Protocol 1.5

1. P chooses a vector \(\mathbf{u}\) of length m at random and sends \(\mathbf{a}=f(0^n,\mathbf{u})\) to V.
2. V selects a random element \(e\in\Omega_n\) and sends it to P.
3. P sends \(\mathbf{v}=\gamma(E,0^n,\mathbf{s})\cdot\mathbf{u}\) to V.
4. V accepts if and only if \(f(0^n,\mathbf{v})=\mathbf{x}^E\mathbf{a}\).

Lemma 4

Protocol 1.5 is a Σ-protocol for the relation \(\{(\mathbf{x},\mathbf{s})\mid f(0^n,\mathbf{s})=\mathbf{x}\}\).

One immediate generalization of Protocol 1 assumes that we have two functions f,g that both satisfy our assumptions for the same A,R,S. We can then build a Σ-protocol for the relation \(\mathcal {R}_{f,g}= \{ (\mathbf{x},\mathbf{x}', (\mathbf{w},\mathbf {s},\mathbf{s}') ) \mid f(\mathbf{w},\mathbf{s}) = \mathbf{x}, g(\mathbf{w},\mathbf{s}')= \mathbf{x}' \}\), i.e., the demand is that the same w appears in both preimages. The protocol works as follows.

Protocol 2

1. Start two instances of Protocol 1, using as input x respectively x′. The prover sends a,a′, computed using the same value of r in both instances.
2. The verifier sends one challenge e that the prover uses in both instances to compute the answer.
3. The prover sends z,v,z′,v′, and the verifier accepts if and only if z=z′ and \(f(\mathbf{z},\mathbf{v})=\mathbf{x}^E\mathbf{a}\), \(g(\mathbf{z}',\mathbf{v}')=\mathbf{x}'^E\mathbf{a}'\).

By following through the proof for Protocol 1, one trivially obtains the following lemma.

Lemma 5

Protocol 2 is a Σ-protocol for \(\mathcal {R}_{f,g}\), with error probability 1/|Ω_n|. The protocol is also an interactive proof that each entry in x is in \(\operatorname {Im}(f)\) and each entry in x′ is in \(\operatorname {Im}(g)\).

Protocols Assuming R is a Ring

We now show that our framework can also be used to show multiplicative relations among preimages under f. To do this, we need to assume that the (additive) group R is actually a ring and furthermore that we can define an action of R on X such that (3), (4), and (5) are satisfied for A = R. We also need that the multiplication operation of R agrees with the action of R on \(\operatorname {Im}(\pi\circ g)\), i.e.,

$$\pi\bigl(g\bigl(r'\bigr)\bigr)^r = \pi\bigl(g\bigl(rr'\bigr )\bigr) $$

for all r,r′∈R, where π and g are induced by f as in Definition 1.

Then, we define for \(x\in \operatorname {Im}(f)\) a function

$$f_x(r,s) := g_x(r) \cdot h(s) := x^r\cdot f(0,s) $$

for h induced by f as in Definition 1. If π(x^r) = π(g(r)) for all r ∈ R, then π∘g_x = π∘g clearly achieves (1).

Now, suppose we are given x, y, z ∈ X where a prover knows a, b, c, s_a, s_b, s_c such that x = f(a, s_a), y = f(b, s_b), z = f(c, s_c), and where furthermore c = ab. Following several previous works, we can express the relation a bit differently so that it becomes something we can prove using essentially just the protocol we have already.

Notice that if we set s′ = s_c·γ(b, a, s_a)^{-1}·δ(ab, 0)^{-1}, then we have

$$f(c,s_c) = f(ab,s_c) = f_x \bigl(b,s'\bigr). $$

We now consider n instances of such a case, but for a single x, and we want a Σ-protocol for the relation \(\mathcal {R}_{mult}\), defined as:

$$\bigl\{ \bigl( (x, \mathbf{y},\mathbf{z}) , (a,\mathbf{b},\mathbf {c} ,s_a, \mathbf{s}_{\mathbf{b}},\mathbf{s}_{\mathbf{c}}) \bigr) \mid x=f(a,s_a), \mathbf{y}=f(\mathbf{b},\mathbf{s}_{\mathbf{b}}),\mathbf {z}=f(\mathbf{c},\mathbf{s}_{\mathbf{c}}), a \cdot\mathbf{b}=\mathbf{c} \bigr\}. $$

Then the protocol and lemma below follow immediately.

Protocol 3

  1. Run Protocol 0 iterated log|Ω_n| times on input x (we can afford to do this on a single input, as it will have the same complexity as the next step).

  2. Exploiting the fact that ab = c, the prover computes s′ as above such that z = f_x(b, s′).

  3. Do Protocol 2 on input y, z using f, f_x as the functions f, g.

Lemma 6

Protocol 3 is a Σ-protocol for \(\mathcal {R}_{mult}\) with error probability 1/|Ω_n|.

As a final example, we show that the framework can be used to show a more negative kind of statement. We need to assume that r is uniquely determined from f(r,s) and second that R is a field. Then we can build an interactive proof system for the language L = {x ∣ x = f(r,s), r ≠ 0}.

Protocol 4

  1. V chooses n-vectors r ∈ R^n and s ∈ S^n at random and computes g = f_x(r,s). He sends g to P.

  2. V uses Protocol 1 to show that he knows r, s such that g = f_x(r,s).

  3. If P accepts the proof in the previous step, he computes r and sends it to V, who accepts if and only if P sent the correct r.

Note that P can do the computation in step 3: since x = f(w,s) for w ≠ 0, we have \(g_{i} = x^{r_{i}}f(0,s_{i}) = f(wr_{i},u_{i})\) for some u_i. By assumption wr_i is determined from f(wr_i, u_i), and P can divide out w to get r_i. In general, P may need large computing power to find wr_i, but in some cases, P can have a trapdoor allowing him to do it efficiently.

On the other hand, if w = 0, then g contains no information on r. Neither does the proof given by V, since it is honest verifier zero-knowledge and hence witness indistinguishable. Therefore, the prover can do no better than a random guess, so the error probability is |R|^{-n}. Finally, the protocol is easily seen to be zero-knowledge by a standard argument: the simulator uses rewinding of V to extract r and can then send exactly what the prover would have sent. If |R| is a small constant such as 2, then Protocol 4 gives a way to improve the complexity over the naive solution where V in step 2 uses Protocol 0 to prove he knows r: we only need to send O(n) group elements, rather than n^2.

The following corollary applies Theorem 1 to the Σ-protocols presented in this section.

Corollary 1

For A = ℤ, Ω_n = {0,1}^n, and ω as in Sect. 3.2, the Σ-Protocols 1, 1.5, 2, 3, and 4 have error probability 2^{-n} and communication complexity linear in n.

Proof

The error probability follows immediately from |Ω_n| = 2^n. The communication of Protocol 1 consists of four vectors of length m = 2n−1 and n bits. The Protocols 1.5, 2, and 4 consist of up to four instances of Protocol 1. Protocol 3 in addition runs Protocol 0 n times, which has constant communication complexity. □

4 Examples

4.1 Quadratic Residuosity

Let N be a composite number, and let y be a nonsquare mod N. Then we can set \(R= \mathit{GF}(2), S=X= \mathbb{Z}_{N}^{*}, f(r,s)= y^{r} s^{2} \bmod N, A= \mathit{GF}(2)\).

Now, we can let vectors in A^n = GF(2)^n correspond in the standard way to elements in the extension field GF(2^n). Multiplication by an element e ∈ GF(2^n) is a linear mapping, so we set m = n and let E be the matrix of this mapping. Finally we can set Ω_n to be all of GF(2)^n since any nonzero element in GF(2^n) is invertible. It is straightforward to check that this satisfies all our assumptions in the framework. Protocol 1 above now becomes a proof that the prover knows how to decrypt n ciphertexts in the Goldwasser–Micali cryptosystem.

The computational cost of the protocols is clearly dominated by the cost of computing the action of E on the vector x. Doing this is equivalent to computing n products of various subsets of n given elements in \(\mathbb{Z}_{N}^{*}\). Using a straightforward variant of the so-called 4-Russians algorithm, this can be done using O(n^2/log n) multiplications modulo N. We therefore have the following:

Corollary 2

Protocol 1 instantiated for the quadratic residuosity case is a proof that the prover knows how to decrypt n ciphertexts in the Goldwasser–Micali cryptosystem. It has communication complexity 2n elements in \(\mathbb{Z}_{N}^{*}\) plus 2n bits, error probability 2^{-n}, and the computational complexity is O(n^2/log n) multiplications modulo N.

Note that if we wanted to obtain the same error probability using simple repetition of the standard cut-and-choose protocol, the cost for all n instances would be 2n^2 group elements plus 2n bits and the computational cost O(n^2) multiplications modulo N. Protocol 1.5 instantiated for this case is easily seen to be a proof that n input numbers are all squares modulo N. It may seem that to use this protocol, we need that a nonsquare y is given, to define the function f, but this is not the case, since we only need to evaluate f on inputs where the first component is 0, and we always have f(0,s) = s^2 mod N no matter which y we would use.
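As an added example (not code from the paper), the following Python carries out Protocol 1.5 for the quadratic residuosity instantiation above, with E the matrix of multiplication by e in GF(2^n), and then runs the special-soundness extraction of Lemma 3 on two transcripts that share the same a. The modulus N = 61·53, n = 8, the reduction polynomial and the seeded randomness are constructed toy values; `demo` returns whether the honest run verifies and whether the extracted values are square roots of x.

```python
import math
import random

# ---- GF(2^n) arithmetic, elements as ints with bit j = coefficient of X^j ----

def gf2n_mul(a, b, n, modpoly):
    """Multiply a*b in GF(2^n), reduced by the irreducible polynomial modpoly (degree n)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= modpoly
    return r

def gf2n_inv(a, n, modpoly):
    """Inverse of a nonzero element: a^(2^n - 2) by square-and-multiply."""
    result, base, exp = 1, a, (1 << n) - 2
    while exp:
        if exp & 1:
            result = gf2n_mul(result, base, n, modpoly)
        base = gf2n_mul(base, base, n, modpoly)
        exp >>= 1
    return result

def mult_matrix(e, n, modpoly):
    """E: the n x n matrix over GF(2) of the map y -> e*y (column j is e * X^j); here m = n."""
    cols = [gf2n_mul(e, 1 << j, n, modpoly) for j in range(n)]
    return [[(cols[j] >> i) & 1 for j in range(n)] for i in range(n)]

def act(x, E, N):
    """x^E: entry i is the product of those x_j with E[i][j] = 1, modulo N."""
    return [math.prod((x[j] for j in range(len(x)) if E[i][j]), start=1) % N for i in range(len(E))]

def rand_unit(N, rng):
    while True:
        u = rng.randrange(2, N)
        if math.gcd(u, N) == 1:
            return u

# ---- Protocol 1.5 for f(0, s) = s^2 mod N (the nonsquare y is never needed) ----

def prover_commit(N, n, rng):
    u = [rand_unit(N, rng) for _ in range(n)]          # step 1: random u in S^m
    return u, [pow(ui, 2, N) for ui in u]               # a = f(0^n, u)

def prover_respond(s, u, e, N, n, modpoly):
    E = mult_matrix(e, n, modpoly)
    gamma = act(s, E, N)                                # gamma(E, 0^n, s): (s^2)^E = (s^E)^2
    return [(g * ui) % N for g, ui in zip(gamma, u)]    # step 3: v = gamma * u

def verifier_check(x, a, e, v, N, n, modpoly):
    xE = act(x, mult_matrix(e, n, modpoly), N)
    return all(pow(vi, 2, N) == (xi * ai) % N for vi, xi, ai in zip(v, xE, a))  # step 4

def extract_roots(x, e1, v1, e2, v2, N, n, modpoly):
    """Special soundness (Lemma 3, QR case): two accepting transcripts with the same a
    and e1 != e2 yield a square root of every x_k."""
    assert e1 != e2
    E1, E2 = mult_matrix(e1, n, modpoly), mult_matrix(e2, n, modpoly)
    # Dividing the two verification equations: (v1_i / v2_i)^2 = prod_j x_j^(E1_ij - E2_ij).
    D = [[E1[i][j] - E2[i][j] for j in range(n)] for i in range(n)]   # integer entries in {-1,0,1}
    # M = E1 xor E2 is multiplication by d = e1 xor e2, and Ninv (multiplication by d^-1)
    # satisfies Ninv*M = I over GF(2); so C = Ninv*D over the integers has C_kj = delta_kj + 2 t_kj.
    Ninv = mult_matrix(gf2n_inv(e1 ^ e2, n, modpoly), n, modpoly)
    y = [(v1[i] * pow(v2[i], -1, N)) % N for i in range(n)]
    roots = []
    for k in range(n):
        C = [sum(Ninv[k][i] * D[i][j] for i in range(n)) for j in range(n)]
        t = [(C[j] - (1 if j == k else 0)) // 2 for j in range(n)]   # exact: C_kj - delta_kj is even
        # prod_i y_i^Ninv_ki squares to x_k * (prod_j x_j^t_kj)^2; divide out the known square root.
        w = math.prod((pow(y[i], Ninv[k][i], N) for i in range(n)), start=1)
        w = (w * math.prod((pow(x[j], -t[j], N) for j in range(n)), start=1)) % N
        roots.append(w)
    return roots

def demo(seed=1):
    N, n, modpoly = 3233, 8, 0x11B         # constructed toy values: N = 61*53, X^8+X^4+X^3+X+1
    rng = random.Random(seed)              # seeded only for reproducibility; use a CSPRNG in practice
    s = [rand_unit(N, rng) for _ in range(n)]
    x = [pow(si, 2, N) for si in s]        # public input: n squares modulo N
    u, a = prover_commit(N, n, rng)
    e = rng.randrange(1 << n)              # step 2: e in Omega_n = GF(2)^n
    v = prover_respond(s, u, e, N, n, modpoly)
    accepted = verifier_check(x, a, e, v, N, n, modpoly)
    # Rewind: a second challenge for the same a, then extract as in the soundness proof.
    e2 = e ^ 0x5A
    roots = extract_roots(x, e, v, e2, prover_respond(s, u, e2, N, n, modpoly), N, n, modpoly)
    return accepted, all(pow(w, 2, N) == xk for w, xk in zip(roots, x))
```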

Protocol 4 instantiated for this case is a proof that a given number is a nonsquare modulo N, and this improves the complexity of the classical protocol for this problem from [8] by a factor of n. Again, one can verify that we do not need a nonsquare y given a priori.

Finally, Protocol 3 in this case becomes a protocol proving that encrypted bit a and encrypted bitstrings b,c satisfy ab=c, where ab is the string obtained by taking the and of a and each bit in b.

4.2 Homomorphic Encryption

We already mentioned earlier how our technique can be used for the Goldwasser–Micali probabilistic public-key scheme. This generalizes in a very natural way to encryption schemes based on higher-degree residuosity, say degree q for a prime q larger than 2, provided that q divides ϕ(N). The plaintext space for the encryption would be R = ℤ_q, and one would then define the encryption of plaintext r as f(r,s) = y^r s^q mod N, where y is not a q-th power modulo N. The basic Protocol 0 with A = ℤ_q and \(\varOmega_{n}= \mathbb {Z}_{q}^{n}\) gives a proof of knowledge of the plaintext for a given ciphertext with error probability 1/q. Using Protocol 1, this can be amplified to a proof for n plaintexts with error probability q^{-n}, at cost n times the cost of Protocol 0.

In [9], a different type of encryption function is proposed, also based on a composite modulus N and two elements \(g,h\in \mathbb{Z}_{N}^{*}\). The encryption function is f(m,s) = g^m h^s mod N. Here m is the message chosen in ℤ_M for a public M, and s is chosen at random in some interval [0,T]. We do not need to go into the details of the scheme and its security here; it is enough to say that the order of h has to be secret and one needs to assume for security that a random element in the group generated by h cannot be efficiently distinguished from a random element in \(\mathbb{Z}_{N}^{*}\).

Standard methods for proving in zero-knowledge that you know m, s for a given ciphertext have error probability 1/2, namely one does the obvious Σ-protocol with a binary challenge. One cannot do better using Schnorr-like techniques because one would need to know the order of h to do the knowledge extraction required for soundness. However, the scheme fits in our framework, by setting R = ℤ_M, S = ℤ, \(X= \mathbb{Z}_{N}^{*}\), and A = ℤ. Now, using Theorem 1, Protocol 1 shows that we can prove knowledge of n plaintexts with error probability 2^{-n} at cost about 2n times the standard protocol for a single instance.

Finally, we note that if g has order M, R can act on S and X as required for Protocols 3 and 4. Protocol 3 can be used to show multiplicative relations among plaintexts, and in case the plaintext space is a field (i.e., if M is a prime), Protocol 4 can be used to show that a ciphertext contains a nonzero plaintext.

4.3 Discrete Log in a Group of Unknown Order

In Sect. 6, we will show how to prove knowledge of a discrete log in \(\mathbb{Z}_{N}^{*}\) with a modified version of our framework.

5 Zero-Knowledge Proof of Knowledge

To have small soundness error probability in our protocols, it is desirable that the challenge space Ω_n is exponentially big. Then, however, Protocol 1 cannot be proven to be zero-knowledge because a deviating verifier could make its challenge depend on the first message a by P, and then the standard simulation by rewinding fails. A standard solution to this problem is to let V commit to his challenge in advance. Our protocol uses the following problem-dependent commitment scheme: From a Σ-protocol for \(\mathcal {R}= \{(x,w)\}\) one can construct a commitment scheme with public key x as follows: Let e be a possible challenge and (a,e,z) a transcript generated by the HVZK simulator. Then, a is a commitment to e with opening information z. To verify, one has to validate (a,e,z). The commitment is perfectly hiding because (a,e,z) is distributed as the transcript of an execution where a is chosen independent of e. The computationally binding property follows from the fact that for two different openings (e,z), (e′,z′) with e ≠ e′, one can compute w such that \((x, w) \in \mathcal {R}\), and hence, breaking the commitment scheme is at least as hard as breaking the underlying relation.

Figure 1 shows a 5-round protocol, which combines Protocol 1 with the technique by Bellare et al. [2]. \(\stackrel {?}{=}\) denotes that a party checks equality and aborts if the check fails. Furthermore, it is assumed implicitly that both parties check incoming messages for membership of the respective sets and that they abort in case of failure.

Fig. 1. Zero-knowledge proof of knowledge of a vector of preimages of f.

P starts by generating a new random instance x P of the problem and sending it to V (1), who commits to the challenge e using x P (2). P then sends the first message of Protocol 1 (3), whereupon V opens the commitment to his challenge (4). P checks the opening, answers the challenge as in Protocol 1, and also sends the witness of the instance generated in the first step (5). Finally, V checks the answer and either accepts or rejects.

Informally, zero-knowledge is achieved by V committing to the challenge e with c. In the zero-knowledge simulator, we sometimes set x_P := x·f(w_P, s_P). From a preimage of x_P, (w,s) with f(w,s) = x can then be computed in polynomial time, which trivially allows us to simulate the conversation.

In the following, we will formally prove that the protocol is indeed a zero-knowledge proof of knowledge as defined by the following definitions.

Definition 3

(Proof of knowledge)

Let \(\mathcal {R}\) be a relation, and x common input to P and V. A proof of knowledge has the following properties:

  • Completeness: If \((x, w) \in \mathcal {R}\) and w is input to P, V always accepts.

  • Knowledge soundness: Let P* be any prover, and ϵ(x) the probability that V accepts with common input x. Then there exists a knowledge extractor M which efficiently computes w from x such that \((x, w) \in \mathcal {R}\) with at most \(\frac{|x|^{c}}{\epsilon(x) - \kappa(x)}\) rewindable black-box accesses to P*. κ is called the knowledge error.

Definition 4

(Zero-knowledge)

A proof is zero-knowledge if for any verifier V*, there exists an expected polynomial-time simulator M_{V*} that takes input x and generates a transcript distributed the same way as a transcript of P and V*, having rewindable black-box access to V*.

5.1 Zero-Knowledge

Zero-knowledge proofs require the construction of a simulator M_{V*} that generates a protocol run using rewindable black-box access to a possibly cheating verifier V*. The resulting transcript must be indistinguishable from a normal protocol execution in some way. Our protocol is perfect zero-knowledge. The proof is inspired by Bellare et al. [2].

Test Algorithm

The basic building block of the simulator is a so-called test algorithm. Its idea consists in running the last three steps (the actual Σ-protocol) first with some random a, as an honest prover would, and then with an a prepared for the challenge we got from V*. If V* sends the same challenge again, we can generate an accepting transcript. If that is not true, i.e., V* is able to open his commitment in two different ways, we are able to extract a witness of x_P. The test algorithm works as follows:

  1. Take x_P as input and send it to V*.

  2. Wait for c from V*.

  3. Generate a′ as an honest prover would and send it to V*.

  4. Wait for \(E', \mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}'\) from V*, and check whether \((\mathbf {x}_{\mathbf {P}})^{E'} \cdot f(\mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}') = \mathbf {c}\). If false, return fail.

  5. Rewind V* to the state before step 3, sample (z,v) ∈_R R^m × S^m, compute a := f(z,v)·(x^E)^{-1}, and send it to V*.

  6. Wait for E, d_R, d_S from V*. If (x_P)^E·f(d_R, d_S) ≠ c, repeat from step 5.

  7. Return \(\mathbf {c}, E', \mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}', E, \mathbf {d}_{\mathbf {R}}, \mathbf {d}_{\mathbf {S}} , \mathbf {z}, \mathbf {v}\).

It is straightforward to see that the algorithm terminates in expected polynomial time: Let g be the number of messages a that are answered correctly by V*. Since \(\mathbf {a}\in \operatorname {Im}(f)^{m}\), \(\frac{g}{|\operatorname {Im}(f)|^{m}}\) is the probability that the algorithm enters the loop, and \(\frac{g-1}{|\operatorname {Im}(f)|^{m}}\) the one that the loop is left. If g > 1, the expected running time is \(\frac{g}{|\operatorname {Im}(f)|^{m}} \cdot\frac{|\operatorname {Im}(f)|^{m}}{g-1} \in O(1)\). To handle the case of g = 1, we try to find the witness w for x in parallel to the loop. Because the probability of guessing a witness is \((\frac{1}{|\operatorname {Im}(f)|} )^{n}\), and n ≤ m, the algorithm then terminates in expected time O(1) for any g.

Witness Extraction

A further algorithm used by the simulator is an algorithm extracting a witness of x_P if V* can open his commitments in two different ways. We use this to extract a witness of x because we can generate x_P as a rerandomization of x.

Witness extraction is based on the special soundness property of the Σ-protocol. Given E, d_R, d_S and \(E', \mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}'\) with \((\mathbf {x}_{\mathbf {P}})^{E} \cdot f(\mathbf {d}_{\mathbf {R}}, \mathbf {d}_{\mathbf {S}}) = \mathbf {c}= (\mathbf {x}_{\mathbf {P}})^{E'} \cdot f(\mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}')\), we can find \((\tilde {\mathbf {w}}, \tilde {\mathbf {s}})\) with \(f(\tilde {\mathbf {w}}, \tilde {\mathbf {s}}) = \mathbf {x}_{\mathbf {P}}\) similarly to the proof of Lemma 3. Thus, we can compute a witness for x_P.

The Simulator

Now we put the algorithms together. The simulator \(M_{V^{*}}\) works as follows:

  1. Fix the randomness of V*.

  2. Call the test algorithm with \(\mathbf {x}_{\mathbf {P}}= \mathbf {x}\cdot f(\tilde {\mathbf {w}}_{\mathbf {P}}, \tilde {\mathbf {s}}_{\mathbf {P}})\) for \((\tilde {\mathbf {w}}_{\mathbf {P}}, \tilde {\mathbf {s}}_{\mathbf {P}}) \in_{R} R^{n} \times S^{n}\).

     • If it returns fail, return fail as well.

     • If it returns two different challenges E ≠ E′, a preimage of x can be computed with the witness extraction algorithm because \((\mathbf {x}_{\mathbf {P}})^{E} \cdot f(\mathbf {d}_{\mathbf {R}}, \mathbf {d}_{\mathbf {S}}) = (\mathbf {x}_{\mathbf {P}})^{E'} \cdot f(\mathbf {d}_{\mathbf {R}}', \mathbf {d}_{\mathbf {S}}')\) and \(\mathbf {x}_{\mathbf {P}}= \mathbf {x}\cdot f(\tilde {\mathbf {w}}_{P}, \tilde {\mathbf {s}}_{P})\). After computing (w,s) with x = f(w,s), repeat the following:

       (a) Generate x_P = f(w_P, s_P) with (w_P, s_P) ∈_R R^n × S^n.

       (b) Rewind V* to the beginning.

       (c) Call the test algorithm with x_P. If it returns two different challenges, output x_P, c, a, (E, d_R, d_S), (z, v, w_P, s_P) and return. (z,v) can be computed using (w,s). Otherwise, continue with the loop.

     • If it returns the same challenge twice, E = E′, repeat the following:

       (a) Generate x_P = f(w_P, s_P) with (w_P, s_P) ∈_R R^n × S^n.

       (b) Rewind V* to the beginning.

       (c) Call the test algorithm with x_P. If it returns two equal challenges, output x_P, c, a, (E, d_R, d_S), (z, v, w_P, s_P) and return. Otherwise, continue with the loop.

\(M_{V^{*}}\) terminates in expected polynomial time because it only calls algorithms with expected polynomial running time and because the loops stop with the same probability as they were entered.

The proof that the distribution of the output of the simulator complies with the one of a normal execution is, mutatis mutandis, the same as the proof given by Bellare et al. [2]. A central element is that one loop runs until V* returns two different challenges, and the other loop runs until V* returns twice the same challenge. In the second case, this is needed to generate a correct answer. In the first case, however, the simulator knows a witness for x and could answer every challenge correctly. The reason to wait for two different challenges is that some challenges are less likely to be generated by the second loop than by a normal execution. For example, a cheating verifier could open the commitments to some challenge E only for one choice of a. Such a challenge would never be output by the second loop because it requires two times the same challenge for two different a. This is compensated by the first loop, which outputs such challenges with higher probability than in a normal execution.

5.2 Knowledge Extraction

In this section, we show how to extract a witness for x from any P* that has success probability bigger than 2/|Ω_n|. Bellare and Goldreich [1] proved that deterministic provers in proofs of knowledge are as strong as probabilistic provers; therefore, it suffices to present a knowledge extractor for a deterministic prover. Our algorithm is based on the knowledge extraction with a plain Σ-protocol, which uses the special soundness property of Σ-protocols. The goal is to get the answer (z,v) for two different challenges e but the same previous message a. The extractor consists of three phases: generating an accepting transcript to learn a preimage of x_P, generating a transcript with equivocable commitments, and generating a transcript with the same a as previously, but a different challenge.

The standard proof that a Σ-protocol is a proof of knowledge does not translate directly to the extended protocol. This is because openings of the commitments in phases 2 and 3 have to be independent of (w_P, s_P) sent by P* in the last message of phase 1. Otherwise, P* could behave differently when receiving the opening (d_R, d_S), which breaks the proof because it relies on the fact that P*’s success probability does not change. Our framework for self-reducible problems does not guarantee the required independence. Therefore, even though we can open the generated commitment in both ways after learning (w_P, s_P), we need to generate a new random commitment after that, which necessitates a three-phase knowledge extractor.

Equivocable Commitments

An essential part of the proof is the notion of equivocable commitments, i.e., commitments that can be opened to any e ∈ Ω_n. Such commitments can be generated as follows: We choose (u_R, u_S) ∈_R R^m × S^m and compute c := f(u_R, u_S). To open, let

$$ \begin{aligned}[c] &\mathbf {d}_{\mathbf {R}}:= \mathbf {u}_{\mathbf {R}}- E \mathbf {w}_{\mathbf {P}},\\ &\mathbf {d}_{\mathbf {S}}:= \mathbf {u}_{\mathbf {R}}\cdot\gamma(E, \mathbf {w}_{\mathbf {P}}, \mathbf{s}_{\mathbf {P}})^{-1} \cdot\delta(E \mathbf {w}_{\mathbf {P}}, \mathbf {u}_{\mathbf {R}}- E \mathbf {w}_{\mathbf {P}})^{-1}. \end{aligned} $$
(15)

Then, it is easy to see that

We now give a description of the three phases of the knowledge extractor. First, we need to learn a witness (w_P, s_P) for x_P in order to be able to generate equivocable commitments. We just execute the protocol as a regular verifier and restart whenever P* fails to send a correct message. If the execution is successful, the extractor learns (w_P, s_P) at the end. Overall, this takes time inverse to the success probability of P*, which complies with the definition of a proof of knowledge.

In the second phase, we try to generate a new transcript with equivocable commitments. To do so, we rewind P* to the state after step 1 (see the protocol in Fig. 1), choose new randomness for V, and run the protocol while generating an equivocable commitment c using (w_P, s_P) learned in the previous step. Then, we send them to P*, wait for a, and open our commitments to a randomly chosen challenge.

To generate a transcript with a different challenge, we rewind P* to the state after step 3, choose a new challenge e′ uniformly at random, and open the commitment to it as described above. We then send the new challenge and the opening information to P*, and wait for an answer. It is crucial that the opening in the second and third phases is independent of (w_P, s_P) sent by P* in the first phase because (w_P, s_P) could depend on the opening there. We achieve independence by generating new commitments.

Another component that we use in the extractor is a random experiment returning 0 or 1, where the probability of returning 1 is the same as the success probability of P*. This is straightforward: we just try to generate an accepting transcript with an independent instance of P* using fresh randomness. If we are successful, we return 1, and 0 otherwise.

Putting the pieces together, the extractor works as follows:

  1. Loop:

     • Try to generate an accepting transcript following V’s algorithm to learn (w_P, s_P). If successful, go to phase 2.

  2. Loop:

     • Rewind P* to the state after step 1 and try to generate a transcript with equivocable commitments. If successful, go to phase 3.

  3. Loop:

     • Rewind P* to the state after step 3 and try to generate a transcript with a fresh random challenge. If successful, extract the witness (w,s) and stop.

     • Do the random experiment once and go to phase 2 if it has been successful 8 times.

Theorem 2

The above algorithm is a valid knowledge extractor for deterministic provers with knowledge error 2/|Ω_n|.

Proof

An essential part of the proof is the notion of randomness of V, which is not learned by P*. This is some of the randomness used to generate equivocable commitments, namely the choice of (d_R, d_S) in \(f^{-1}(\mathbf {c}\cdot(\mathbf {x}_{\mathbf {P}}^{\omega (e)})^{-1})\). In other words, this is the choice among all possible openings of c to e. Note that x_P is fixed for a deterministic prover.

Let \(C := \operatorname {Im}(f)\) be the set of all commitments, and \(D_{\mathbf {c},e} := f^{-1}(\mathbf {c}\cdot(\mathbf {x}_{\mathbf {P}}^{\omega(e)})^{-1})\) the set of all possible openings (d_R, d_S) for c ∈ C and e ∈ Ω_n. Note that D_{c,e} ≠ ∅ for all (c,e) ∈ C×Ω_n because \(C = \operatorname {Im}(f)\) is a group by (1) and (2), and thus it is possible to open a commitment to any e. The random choice (u_R, u_S) of the extractor generating the commitment in phase 2 determines a d ∈ D_{c,e} for every c ∈ C, e ∈ Ω_n. We denote this determination by \(q: C \times\varOmega_{n} \to\bigcup_{c \in C, e \in \varOmega_{n}} D_{c,e}\), and we denote by Q the set of all q induced by all (u_R, u_S) ∈ R^m × S^m. By definition, q(c,e) ∈ D_{c,e} for all q ∈ Q, c ∈ C, e ∈ Ω_n. From (15) it easily follows that every (u_R, u_S) ∈ R^m × S^m induces a different q ∈ Q and that for a uniformly at random chosen (u_R, u_S) ∈ R^m × S^m, q(c,e) is uniformly distributed in D_{c,e} for all c ∈ C, e ∈ Ω_n. Therefore, q(c,e) is uniformly distributed in D_{c,e} for a uniformly chosen q ∈ Q for all c ∈ C, e ∈ Ω_n. Finally, we denote by K all successful communications, i.e., K := {(c,e,d) ∣ c ∈ C, e ∈ Ω_n, d ∈ D_{c,e}}.

There exists a subset G ⊆ K of all successful protocol executions with V. In the second loop, we search for an entry (c,e,q(c,e)) ∈ G for a uniformly chosen q ∈ Q. Recall that we cannot use the commitment from the first loop because we cannot open that commitment to an arbitrary challenge. Finally, we fix c and try to find an entry (c,e′,q(c,e′)) ∈ G with e′ ≠ e, which allows us to compute the witness. Since a uniformly distributed q ∈ Q implies that q(c,e) and q(c,e′) are uniformly distributed and independent, we can assume for simplicity that the extractor uniformly chooses (c,e,d) in the second phase and (c,e′,d′) in the third phase instead.

Now, we prove that the extractor is able to extract a witness in expected time \(O(\frac{1}{\epsilon- 2/|\varOmega_{n}|})\), where ϵ denotes the success probability of P .

We call (q,c) ∈ Q×C heavy if {(c,e,q(c,e)) ∣ e ∈ Ω_n} contains a fraction of at least ϵ/2 entries in G, i.e., at least 2 entries because ϵ > 2/|Ω_n|. Half of the entries in K have a heavy (q,c). Otherwise, let H be the set of all nonheavy (q,c) ∈ Q×C, and K′ := {(c,e,q(c,e)) ∣ (q,c) ∈ H, e ∈ Ω_n} ⊂ K. Then,

which is a contradiction. It follows from the definition of G, the contradiction assumption (♡), and the definition of K′ ().

The expected running time of the first and second loops is T_1 = T_2 = 1/ϵ because ϵ is the success probability of P*. By the random experiment, the expected maximal running time of the third loop is T_3 = 8/ϵ. And by the union bound, the probability that the random experiment fails at least T_3/2 times is 1/2.

Since half of the entries in G have a heavy (q,c), the probability of fixing such a (q,c) in the first loop is 1/2. In this case, the expected time to find a successful entry (c,e,d) ∈ G is 2/ϵ because their share is at least ϵ/2. By Markov’s inequality, the probability of finding a successful entry in less than T_3/2 tries is at least \(1 - \frac{2/\epsilon}{T_{3}/2} = 1 - \frac{4\epsilon}{8\epsilon} = \frac{1}{2}\). Therefore, with probability 1/2·1/2 = 1/4, we are successful in the third loop.

We conclude that with at least constant probability 1/2·1/4 = 1/8, we can extract a witness in time T_1 + T_2 + T_3 = 10/ϵ. Thus, the extractor requires expected time \(\frac{8 \cdot10}{\epsilon} \in O (\frac{1}{\epsilon- 2/|\varOmega_{n}|} )\). □

6 Discrete Log in a Group of Unknown Order

Let N be an arbitrary k-bit number, and \(g\in\mathbb{Z}_{N}^{*}\). Then we will set R = ℤ, S to be the trivial group with one element, \(X= \mathbb{Z}_{N}^{*}\), and f(r,1) = g^r mod N. We also set A = ℤ. This does not quite satisfy our framework since R is not finite, but we will fix this shortly. Throughout this section, we will ignore the second input to f since it is constantly 1.

The construction behind Theorem 1 implies that we can satisfy the conditions in our framework by constructing the set Ω_n as the subset of ℤ^n consisting of binary strings. Recall that the construction defines m := 2n−1 and ω: ℤ^n → ℤ^{m×n} as follows: Let the ith column of ω(e) consist of i−1 zeros, followed by e and n−i zeros.

In this case, Protocol 1 has to be tweaked slightly: instead of choosing r uniformly in R^n, which does not make sense for R = ℤ, we choose the entries as uniform (2 log n + 2k)-bit numbers. This choice ensures both that f(r) will be statistically close to uniform in \(\operatorname {Im}(f)^{m}\) with respect to k and that the entries in z will be statistically close to uniform (2 log n + 2k)-bit numbers. This follows from the fact that the entries in E w will be at most n times bigger than the ones of w because E is an m×n matrix with all entries in {0,1}. Thus, the entries of E w are at most n·2^k if the entries of w are smaller than N.

The protocol now becomes an interactive proof that the input numbers x_1, …, x_n are all in the group generated by g, and it is a proof that the prover knows the discrete logarithms. The protocol will be honest-verifier statistical zero-knowledge.
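As an added example (not the paper's code), the following Python implements the instantiation just described: ω(e) as defined above, the prover's (2 log n + 2k)-bit masking of r, the verifier's check g^z = x^{ω(e)}·a, and the honest-verifier simulator of Lemma 10. N = 3233, g = 2, n = 4 and the seeded randomness are constructed toy values; the order of g is never used, which is the point of the construction.

```python
import math
import random

def omega(e_bits, n):
    """omega(e): an m x n matrix over {0,1} with m = 2n-1; its ith column (1-based)
    is i-1 zeros, then the n bits of e, then n-i zeros."""
    m = 2 * n - 1
    E = [[0] * n for _ in range(m)]
    for i in range(n):
        for k, bit in enumerate(e_bits):
            E[i + k][i] = bit
    return E

def mat_vec(E, w):
    """Integer product E w (no reduction: R = Z)."""
    return [sum(E[i][j] * w[j] for j in range(len(w))) for i in range(len(E))]

def act(x, E, N):
    """x^E: entry i is the product of those x_j with E[i][j] = 1, modulo N."""
    return [math.prod((x[j] for j in range(len(x)) if E[i][j]), start=1) % N for i in range(len(E))]

def mask_bits(n, k):
    """Bit length 2 log n + 2k of the prover's randomness, with log n = ceil(log2 n)."""
    return 2 * (n - 1).bit_length() + 2 * k

def prover_commit(g, N, n, k, rng):
    l = mask_bits(n, k)
    r = [rng.randrange(1 << l) for _ in range(2 * n - 1)]   # uniform l-bit numbers (Lemma 7)
    return r, [pow(g, ri, N) for ri in r]                    # a = f(r) = g^r

def prover_respond(w, r, e_bits, n):
    return [ri + ei for ri, ei in zip(r, mat_vec(omega(e_bits, n), w))]   # z = r + omega(e) w over Z

def verifier_check(g, x, a, e_bits, z, N, n):
    xE = act(x, omega(e_bits, n), N)
    return all(pow(g, zi, N) == (xi * ai) % N for zi, xi, ai in zip(z, xE, a))

def simulate(g, x, e_bits, N, n, k, rng):
    """HVZK simulator of Lemma 10: z uniform l-bit numbers, a := f(z) * (x^omega(e))^-1."""
    l = mask_bits(n, k)
    z = [rng.randrange(1 << l) for _ in range(2 * n - 1)]
    xE = act(x, omega(e_bits, n), N)
    a = [(pow(g, zi, N) * pow(xi, -1, N)) % N for zi, xi in zip(z, xE)]
    return a, z

def demo(seed=3):
    N, g, n = 3233, 2, 4                    # constructed toy values; the order of g is never used
    k = N.bit_length()
    rng = random.Random(seed)               # seeded only for reproducibility
    w = [rng.randrange(N) for _ in range(n)]            # witnesses, all smaller than N
    x = [pow(g, wj, N) for wj in w]                     # public input in the group generated by g
    e_bits = [rng.randrange(2) for _ in range(n)]       # challenge e in Omega_n = {0,1}^n
    r, a = prover_commit(g, N, n, k, rng)
    z = prover_respond(w, r, e_bits, n)
    real_ok = verifier_check(g, x, a, e_bits, z, N, n)
    # Entries of omega(e) w are at most n*2^k, so z stays within the bound used in Lemma 9.
    bounded = all(zi < (1 << mask_bits(n, k)) + n * (1 << k) for zi in z)
    a_sim, z_sim = simulate(g, x, e_bits, N, n, k, rng)
    return real_ok, bounded, verifier_check(g, x, a_sim, e_bits, z_sim, N, n)
```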

To prove the properties of the protocol more formally, we need the following three lemmas. For readability, we will write log n instead of ⌈log n⌉; recall that n ≤ 2^{⌈log n⌉}.

Lemma 7

Let n, l, N ∈ ℕ, l ≥ 2k + log n, and N ≤ 2^k. If r is a vector of m = 2n−1 uniformly and independently chosen l-bit numbers, then f(r) is distributed statistically close to the uniform distribution in \((\mathbb{Z}_{N}^{*})^{m}\), with respect to k.

Proof

First, we determine the statistical distance for one entry. Let φ denote Euler’s totient function, that is, \(\varphi(N) = |\mathbb{Z}_{N}^{*}|\). Since

$$f(r) = g^r = g^{r \bmod\varphi(N)} = f\bigl(r \bmod\varphi(N)\bigr), $$

it is easy to see that the probability to sample x is

$$\Pr\bigl[f(r) = x\bigr] \in\biggl\{ \biggl\lceil\frac {2^l}{\varphi(N)} \biggr\rceil \cdot\frac{1}{2^l}, \biggl\lfloor\frac{2^l}{\varphi(N)} \biggr \rfloor\cdot \frac{1}{2^l} \biggr\} $$

for all \(x \in\mathbb{Z}_{N}^{*}\) because r is chosen uniformly at random in [0, 2^l − 1]. It follows that

$$\Pr\bigl[f(r) = x\bigr] \le\biggl( \frac{2^l}{\varphi(N)} + 1 \biggr) \cdot \frac{1}{2^l} = \frac{1}{\varphi(N)} + \frac{1}{2^l} $$

for all \(x \in\mathbb{Z}_{N}^{*}\), and, similarly,

$$\Pr\bigl[f(r) = x\bigr] \ge\frac{1}{\varphi(N)} - \frac{1}{2^l} $$

for all \(x \in\mathbb{Z}_{N}^{*}\). It follows that the statistical distance of one entry is

The latter two inequalities follow from φ(N) ≤ N ≤ 2^k. Finally, the statistical distance between f(r) and a uniformly chosen vector is less than

$$m \cdot2^{-k - \log n } \le2n \cdot2^{-k - \log n } \le2^{-k + 1}, $$

which is negligible in k. □

Lemma 8

Let \(\mathbf {y}\in(\mathbb{Z}_{N}^{*})^{n}\) be chosen according to a distribution statistically close to the uniform distribution, and x an arbitrary element of \((\mathbb{Z}_{N}^{*})^{n}\). Then, x·y is also distributed statistically close to the uniform distribution.

Proof

That the statistical distance of x·y to the uniform distribution is

because multiplication with a fixed element is bijective on a group. The lemma follows directly. □

Lemma 9

Let n, m, k, l, l′ ∈ ℕ be such that l′ ≥ k + l + 2 log n and m = 2n−1, a be chosen arbitrarily in [−2^l n, 2^l n]^m, and b be chosen uniformly in [0, 2^{l′} − 1]^m. Then, a + b is distributed statistically close to the uniform distribution on [0, 2^{l′} − 1]^m, with respect to k.

Proof

Let

$$d(c) := \begin{cases} 2^{-l'}, & c \in[0, 2^{l'} - 1], \\ 0 & \text{otherwise} \end{cases} $$

be the density function of the uniform distribution on l′-bit numbers. For one entry a+b in the vector a+b, the statistical distance is

$$\sum_{c \in[-2^ln, 2^{l'} + 2^ln - 1]} \bigl \vert \Pr[a + b = c] - d(c) \bigr \vert . $$

For any c,

$$\Pr[a + b = c] = \sum_{i = -2^ln}^{2^ln} \Pr[a = i] \Pr[b = c + i]. $$

It follows that for \(c \in [2^l n, 2^{l'} - 2^l n - 1]\),

$$\bigl \vert \Pr[a + b = c] - d(c) \bigr \vert = \Biggl \vert \sum _{i = -2^ln}^{2^ln} \Pr[a = i] \cdot2^{-l'} - 2^{-l'} \Biggr \vert = 0, $$

and for \(c < 2^l n\),

$$\bigl \vert \Pr[a + b = c] - d(c) \bigr \vert = \Biggl \vert \sum _{i = -c}^{2^ln} \Pr[a = i] \cdot2^{-l'} - d(c) \Biggr \vert \le2^{-l'}, $$

since \(d(c) \in \{0, 2^{-l'}\}\). The same holds by symmetry for \(c > 2^{l'} - 2^l n - 1\). Summing up, the statistical distance is less than

$$\sum_{c \in[-2^ln, 2^ln - 1] \cup[2^{l'} - 2^ln, 2^{l'} + 2^ln - 1]} 2^{-l'} = 4 \cdot2^ln \cdot2^{-l'} \le2^{2 - k - \log n }. $$

Therefore, the statistical distance of the whole vector is less than

$$m \cdot2^{2 - k - \log n } \le2n \cdot2^{2 - k - \log n } \le2^{3 - k}, $$

which is negligible in k. □
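To make the two estimates concrete, here is an added Python example (not from the paper) that computes the exact statistical distances behind Lemmas 7 and 9 for constructed toy parameters and puts them next to the bounds the proofs derive. Everything in it is an assumption of the example: the modulus N = 23 with base g = 5, the small bit lengths, and the fact that the Lemma 7 check measures distance to the uniform distribution on the subgroup ⟨g⟩, which is all of \(\mathbb{Z}_{N}^{*}\) exactly when g is a generator, the case the lemma's use of φ(N) presumes.

```python
"""Exact statistical-distance checks behind Lemmas 7 and 9 on constructed
toy parameters. Added example, not the paper's code."""
from fractions import Fraction


def stat_distance(p, q):
    """Statistical distance (1/2) * sum_x |p(x) - q(x)| of two finite
    distributions given as dicts outcome -> Fraction."""
    return sum(abs(p.get(c, 0) - q.get(c, 0)) for c in set(p) | set(q)) / 2


def mult_order(g, N):
    """Order of g in Z_N^* by brute force (toy N only; gcd(g, N) = 1 assumed)."""
    t, y = 1, g % N
    while y != 1:
        y, t = y * g % N, t + 1
    return t


def dist_g_pow_r(g, N, l):
    """Distribution of f(r) = g^r mod N for r uniform in [0, 2^l - 1]. As in the
    proof of Lemma 7 only r mod ord(g) matters: the residues below 2^l mod ord(g)
    are hit ceil(2^l / ord(g)) times, the others floor(2^l / ord(g)) times."""
    ord_g = mult_order(g, N)
    q, rem = divmod(2 ** l, ord_g)
    return {pow(g, t, N): Fraction(q + 1 if t < rem else q, 2 ** l)
            for t in range(ord_g)}


def lemma7_gap(g, N, l):
    """Return (exact distance of f(r) from uniform on <g>, the bound
    (1/2) * |<g>| * 2^-l that follows from |Pr[f(r) = x] - 1/|<g>|| <= 2^-l).
    <g> equals Z_N^* when g is a generator, the case phi(N) stands for."""
    ord_g = mult_order(g, N)
    uniform = {pow(g, t, N): Fraction(1, ord_g) for t in range(ord_g)}
    return stat_distance(dist_g_pow_r(g, N, l), uniform), Fraction(ord_g, 2 ** (l + 1))


def dist_shifted_uniform(a_dist, lp):
    """Distribution of a + b for a ~ a_dist (dict int -> weight, arbitrary,
    weights summing to 1) and b uniform on [0, 2^lp - 1], independent of a."""
    M = 2 ** lp
    out = {}
    for ai, pa in a_dist.items():
        for b in range(M):
            out[ai + b] = out.get(ai + b, 0) + Fraction(pa) / M
    return out


def lemma9_gap(a_dist, l, n, lp):
    """Return (exact distance of a + b from uniform on [0, 2^lp - 1], the paper's
    bound 4 * 2^l * n * 2^-lp): when a ranges in [-2^l n, 2^l n], at most
    4 * 2^l * n positions c differ from the uniform density, each by <= 2^-lp."""
    M = 2 ** lp
    uniform = {c: Fraction(1, M) for c in range(M)}
    return stat_distance(dist_shifted_uniform(a_dist, lp), uniform), Fraction(4 * 2 ** l * n, M)


if __name__ == "__main__":
    # Lemma 7: g = 5 generates Z_23^* (phi = 22); N has k = 5 bits, n = 1, so l = 2k + log n = 10.
    print(lemma7_gap(5, 23, 10))
    # Lemma 9: a is a point mass at 3 (inside [-2^l n, 2^l n] for l = 1, n = 2), b uniform 8-bit.
    print(lemma9_gap({3: 1}, 1, 2, 8))
```

The exact distances come out well below the bounds, as expected: the proofs only need the per-element estimate, and the toy parameters make the slack visible.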

Lemma 10

Protocol 1, instantiated for the case of discrete logarithms in \(\mathbb{Z}_{N}^{*}\), is an honest-verifier statistical zero-knowledge Σ-protocol proving that the input numbers \(x_1, \ldots, x_n\) are all in the group generated by g and that the prover knows the discrete logarithms. Let k be the bit length of N. Then the communication complexity is \(O(nk + n\log n)\) bits, the error probability \(2^{-n}\), and the computational complexity is \(O(n^2)\) multiplications modulo N.

Proof

Completeness is trivial by construction, and soundness follows exactly as in the proof of Lemma 3. The honest-verifier zero-knowledge simulator works similarly as well: Choose \(e \in_R \Omega_n\), the entries of z as uniform (2log n+2k)-bit numbers, and let \(\mathbf{a} := f(\mathbf{z}) \cdot (\mathbf{x}^{\omega(e)})^{-1}\). Then a is distributed statistically close to uniform in \(\operatorname {Im}(f)^{m}\) by Lemma 8 because f(z) is so by Lemma 7. In a real execution, a is also statistically close to uniform in \(\operatorname {Im}(f)^{m}\) by Lemma 7, e has the same distribution, and the entries of z are statistically close to uniform (2log n+2k)-bit numbers by Lemma 9 with l=k. It follows that the protocol is honest-verifier statistical zero-knowledge.

The communication complexity is dominated by z, which is a vector of n numbers with bit length O(log n+k). Furthermore, the verifier has to compute \(\mathbf{x}^{E}\mathbf{a}\), which consists of \(O(n^2)\) multiplications modulo N. □

If we wanted to obtain error probability \(2^{-n}\) using simple repetition of the standard cut-and-choose protocol, the cost for n instances would be \(O(n^2 k)\) bits of communication and also \(O(n^2 k)\) multiplications modulo N. Therefore, if we choose, e.g., n=k, our solution saves a factor k in both the communication and the computational complexity.

6.1 Zero-Knowledge Proof of Knowledge

The protocol in Fig. 1 can be adapted to R=ℤ similarly. Let the entries of \(\mathbf{w}_{\mathbf{P}}\) and \(\mathbf{d}_{\mathbf{R}}\) be chosen as uniform (log n+2k)-bit and (3log n+3k)-bit numbers, respectively. Then, both \(f(\mathbf{w}_{\mathbf{P}})\) and \(f(\mathbf{d}_{\mathbf{R}})\) are statistically close to uniform in \(\operatorname {Im}(f)^{n}\) and \(\operatorname {Im}(f)^{m}\), respectively, by Lemma 7. Furthermore, the prover chooses the entries of r as uniform (2log n+2k)-bit numbers as above.

The zero-knowledge simulator in Sect. 5.1 can be modified as follows: The test algorithm samples a′ like an honest prover and the entries of z as uniform (2log n+2k)-bit numbers. As in the proof of Lemma 10, \(\mathbf{a} = f(\mathbf{z}) \cdot (\mathbf{x}^{\omega(e)})^{-1}\) is then statistically close to the uniform distribution, and z is statistically close to a vector of uniform (2log n+2k)-bit numbers. In the simulator algorithm, the entries of both \(\tilde {\mathbf {w}}_{\mathbf {P}}\) and \(\mathbf{w}_{\mathbf{P}}\) can be chosen as uniform (log n+2k)-bit numbers. If so, \(\mathbf {x}\cdot f(\tilde {\mathbf {w}}_{\mathbf {P}} )\) and \(f(\mathbf{w}_{\mathbf{P}})\) are statistically close to uniform by Lemmas 7 and 8. It follows that all inputs to V are statistically close to a real execution, and hence, statistical zero-knowledge of the modified protocol can be proven in the same way as perfect zero-knowledge of the unmodified one.

For knowledge extraction, we generate equivocable commitments by choosing the entries of \(\mathbf{u}_{\mathbf{R}}\) as uniform (3log n+3k)-bit numbers. Thus, \(\mathbf{d}_{\mathbf{R}} := \mathbf{u}_{\mathbf{R}} \; E\mathbf{w}_{\mathbf{P}}\) is statistically close to a vector of uniform (3log n+3k)-bit numbers by Lemma 9 with l=log n+2k because the entries of \(E\mathbf{w}_{\mathbf{P}}\) are at most (2log n+2k)-bit numbers, similarly as for Ew above. By construction of the knowledge extractor in Sect. 5.2, the statistical distance of any message sent to P is at most a negligible μ(k) compared to a real execution. Therefore, the knowledge extractor finishes in time

$$O \biggl(\frac{1}{\epsilon- \mu(k)} \biggr) \subset O \biggl (\frac{1}{\epsilon- \kappa} \biggr) $$

if \(\kappa \ge \mu(k)\). We conclude that the adapted protocol is a proof of knowledge with knowledge error \(\kappa := \max(2/|\Omega_n|, \mu(k))\).

6.2 Interval Proof

The protocol in this section does not require that the prover knows the group order of \(X = \mathbb{Z}_{N}^{*}\). If we assume that the group order is indeed unknown, a similar protocol additionally proves a bound on w. Let \(\mathbf{w} \in [0,u]^n\) for some u∈ℕ, \(l := \log n + k + \log u\), and let P choose the entries of r as uniformly random l-bit numbers. Then, \(\mathbf{z} = \mathbf{r} + E\mathbf{w}\) is distributed statistically close to the uniform distribution on \([0, 2^l]^m\) because the entries of Ew are at most nu, similarly to above. On the other hand, the following lemma establishes that if the prover can answer two different challenges within \([0, 2^l]^m\), then \(\mathbf{w} \in [-2^{l+n}, 2^{l+n}]^m \approx [-un2^{k+n}, un2^{k+n}]^m\).

Lemma 11

Let \(\mathbf {x}\in\mathbb{Z}_{N}^{*}\), \(e \ne e' \in \{0,1\}^n\), and \(\mathbf{z}, \mathbf{z}' \in [0, 2^l]^m\) such that z and z′ are accepted as replies to the challenges e and e′, respectively, with the same first message from P. Then, there exists \(\mathbf{w} \in [-2^{l+n}, 2^{l+n}]^m\) such that \(g^{\mathbf{w}} = \mathbf{x}\).

Proof

Let the m×n matrices E:=ω(e) and E′:=ω(e′) be constructed from e and e′ as described in Sect. 3. The ith column of E and E′ consists of i−1 zeros, followed by e and \(e' \in \{0,1\}^n\), respectively, and n−i zeros. (E−E′) has the same structure for \(e - e' \in \{0, \pm 1\}^n\). It is easy to see that the columns of (E−E′) are linearly independent if e≠e′. Thus, (E−E′) has rank n and is left-invertible. We call the left inverse \((E - E')^{-1}\) and define \(\mathbf{w} := (E - E')^{-1}(\mathbf{z} - \mathbf{z}')\). z, z′ are accepted replies only if \(g^{\mathbf{z}} = \mathbf{x}^{E}\mathbf{a}\) and \(g^{\mathbf{z}'} = \mathbf{x}^{E'}\mathbf{a}\). It follows that \(g^{\mathbf{z} - \mathbf{z}'} = \mathbf{x}^{E - E'}\). Applying \((E - E')^{-1}\) on both sides gives

$$g^{\mathbf {w}}= g^{(E - E')^{-1}(\mathbf {z}- \mathbf {z}')} = \mathbf {x}^{(E - E')^{-1}(E - E')} = \mathbf {x}. $$

We now prove that \(\mathbf{w} \in [-2^{l+n}, 2^{l+n}]^m\). Let \(\mathbf{y} := \mathbf{z} - \mathbf{z}'\). If \(\mathbf{z}, \mathbf{z}' \in [0, 2^l]^m\), then \(\mathbf{y} \in [-2^l, 2^l]^m\). w is the solution of \((E - E')\mathbf{w} = \mathbf{z} - \mathbf{z}'\). Let j be the first position where e and e′ differ. Without loss of generality, we can assume that d:=e−e′ has a 1 in that position. (E−E′) then has the following structure, starting with j−1 empty rows:

Therefore, the jth equation of the system \((E - E')\mathbf{w} = \mathbf{z} - \mathbf{z}'\) is \(w_1 = y_j\), where \(w_i\) denotes the ith entry of w. Thus, \(|w_1| \le 2^l\). For the induction, assume that \(|w_h| \le 2^{l+h-1}\) for h<i. The equation induced by the ith row of E−E′ is

$$\sum_{h=1}^{i-1} d_{j+i-h} w_{h} + w_{i} = y_i. $$

It follows that

The first inequality follows from the triangle inequality and the fact that \(|d_i| \le 1\) because \(d_i \in \{0, \pm 1\}\). The second inequality follows from the induction assumption. By induction, we have established that \(|w_i| \le 2^{l+n}\) for all i≤n, and thus, \(\mathbf{w} \in [-2^{l+n}, 2^{l+n}]^m\). □
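The following added Python example (not the paper's code) runs a toy instance of the protocol behind Lemmas 10 and 11 and Sect. 6.2: the prover commits to a = g^r, answers a challenge e with z = r + ω(e)w over the integers, the verifier checks \(g^{\mathbf{z}} = \mathbf{x}^{E}\mathbf{a}\) componentwise, and the extractor of Lemma 11 recovers w from two accepting transcripts by forward substitution along the triangular structure of E−E′, then checks the interval bound \(|w_i| \le 2^{l+n}\). The modulus N = 35, the base g = 2, the witnesses, and the use of all of \(\{0,1\}^n\) as challenge space (the paper's Ω_n is a subset of it whose definition is not in this excerpt) are assumptions of the example.

```python
"""Toy run of the batched discrete-log Sigma-protocol and the knowledge
extractor of Lemma 11. Added example, not the paper's code; N, g, the
witnesses and the challenge space below are constructed assumptions."""
import random


def omega(e):
    """m x n matrix E = omega(e), m = 2n - 1: column i (0-based) holds i
    leading zeros, the n entries of e, then n - 1 - i trailing zeros."""
    n = len(e)
    return [[e[r - i] if 0 <= r - i < n else 0 for i in range(n)]
            for r in range(2 * n - 1)]


def matvec(E, v):
    """Integer matrix-vector product E v."""
    return [sum(E[r][i] * v[i] for i in range(len(v))) for r in range(len(E))]


def prover_commit(g, N, r):
    """First message a = f(r) = g^r mod N, componentwise."""
    return [pow(g, ri, N) for ri in r]


def prover_respond(r, e, w):
    """Reply z = r + E w over the integers (R = Z; the group order is unknown)."""
    return [ri + s for ri, s in zip(r, matvec(omega(e), w))]


def verify(g, N, x, a, e, z):
    """Accept iff g^z = x^E a componentwise: g^{z_i} = a_i * prod_j x_j^{E_ij} mod N."""
    E = omega(e)
    for i, zi in enumerate(z):
        rhs = a[i]
        for j, xj in enumerate(x):
            rhs = rhs * pow(xj, E[i][j], N) % N
        if pow(g, zi, N) != rhs:
            return False
    return True


def extract(e, z, e2, z2):
    """Solve (E - E') w = z - z' as in the proof of Lemma 11: from the first
    index j where e and e' differ, E - E' is lower triangular with a +-1 pivot,
    so w follows by forward substitution (no inverses, no group order needed)."""
    if e == e2:
        raise ValueError("challenges must differ")
    d = [u - v for u, v in zip(e, e2)]          # entries in {0, +1, -1}
    y = [u - v for u, v in zip(z, z2)]
    j = next(i for i, di in enumerate(d) if di != 0)
    if d[j] == -1:                               # w.l.o.g. make the pivot +1
        d, y = [-v for v in d], [-v for v in y]
    D = omega(d)                                 # omega is linear: D = +-(E - E')
    w = []
    for i in range(len(e)):
        row = j + i                              # D[row][i] == 1, D[row][h] == 0 for h > i
        w.append(y[row] - sum(D[row][h] * w[h] for h in range(i)))
    if matvec(D, w) != y:                        # the remaining rows must agree as well
        raise ValueError("transcripts are inconsistent")
    return w


def demo(seed=1):
    """Honest run with two challenges; returns (both accepted, extracted w,
    extracted w within [-2^(l+n), 2^(l+n)], g^w == x componentwise)."""
    N, g = 35, 2                                 # constructed toy group Z_35^*
    w, u = [3, 7, 11], 11                        # witnesses in [0, u]
    n = len(w)
    k = N.bit_length()
    l = (n - 1).bit_length() + k + u.bit_length()   # l = log n + k + log u, rounded up
    x = [pow(g, wi, N) for wi in w]
    rng = random.Random(seed)
    r = [rng.randrange(2 ** l) for _ in range(2 * n - 1)]   # uniform l-bit entries
    a = prover_commit(g, N, r)
    e, e2 = [1, 0, 1], [0, 1, 1]                 # two distinct challenges
    z, z2 = prover_respond(r, e, w), prover_respond(r, e2, w)
    accepted = verify(g, N, x, a, e, z) and verify(g, N, x, a, e2, z2)
    w_ext = extract(e, z, e2, z2)
    bounded = all(abs(v) <= 2 ** (l + n) for v in w_ext)
    return accepted, w_ext, bounded, [pow(g, v, N) for v in w_ext] == x


if __name__ == "__main__":
    print(demo())
```

Because both transcripts share the same r, the extractor recovers the integer witness exactly, not just a representative modulo the (unknown) group order; with a dishonest prover only the bound of Lemma 11 is guaranteed, which is what the interval proof of Sect. 6.2 relies on.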