On the communication complexity of zero-knowledge proofs
The fact that there are zero-knowledge proofs for all languages in NP (see , , and ) has, potentially, enormous implications for cryptography. For cryptographers, the issue is no longer “which languages in NP have zero-knowledge proofs” but rather “which languages in NP have practical zero-knowledge proofs.” Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.
In this paper we study the concrete complexity of the known general methods for constructing zero-knowledge proofs. We establish that circuit-based methods, which can be applied in either the GMR or the BCC model, have the potential of producing proofs which can be used in practice. Then we introduce several techniques which greatly reduce the concrete complexity of circuit-based proofs, and we show that these techniques lead to zero-knowledge proofs of knowledge.
Finally, we show how to combine the techniques of Kilian, Micali, and Ostrovsky, for designing zero-knowledge proofs with only two envelopes, with some of our techniques for reducing the number of bits which the prover must commit to.
Key words: Zero-knowledge, Proofs of knowledge, Efficiency, Cryptographic protocols, Communication complexity
- L. Babai. Trading group theory for randomness. In Proceedings of the 17th Annual ACM Symposium on the Theory of Computing, pp. 421–429, 1985.
- J. Boyar, G. Brassard, and R. Peralta. Subquadratic zero-knowledge. In Proceedings of the 32nd IEEE Symposium on the Foundations of Computer Science, pp. 69–78, 1991.
- G. Brassard and C. Crépeau. Nontransitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond. In Proceedings of the 27th IEEE Symposium on the Foundations of Computer Science, pp. 188–195, 1986.
- D. Chaum, I. Damgård, and J. van de Graaf. Multiparty computations ensuring privacy of each party’s input and correctness of the result. In Advances in Cryptology—Proceedings of CRYPTO 87, pp. 87–119. Lecture Notes in Computer Science, vol. 293, Springer-Verlag, Berlin, 1988.
- S. A. Cook. The complexity of theorem-proving procedures. In Proceedings of the 3rd Annual ACM Symposium on the Theory of Computing, pp. 151–158, 1971.
- B. den Boer. An efficiency improvement to prove satisfiability with zero knowledge with public key. In Advances in Cryptology—Proceedings of EUROCRYPT 89, pp. 208–217. Lecture Notes in Computer Science, vol. 434, Springer-Verlag, Berlin, 1989.
- R. Impagliazzo and M. Yung. Direct minimum-knowledge computations. In Advances in Cryptology—Proceedings of CRYPTO 87, pp. 40–51. Lecture Notes in Computer Science, vol. 293, Springer-Verlag, Berlin, 1988.
- J. Kilian. A note on efficient zero-knowledge proofs and arguments. In Proceedings of the 24th Annual ACM Symposium on the Theory of Computing, pp. 723–732, 1992.
- J. Kilian, S. Micali, and R. Ostrovsky. Minimum resource zero-knowledge proofs. In Proceedings of the 30th IEEE Symposium on the Foundations of Computer Science, pp. 474–479, 1990.