# Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

## Abstract

A non-interactive zero-knowledge (NIZK) proof can be used to demonstrate the truth of a statement without revealing anything else. It has been shown under standard cryptographic assumptions that NIZK proofs of membership exist for all languages in NP. While there is evidence that such proofs cannot be much shorter than the corresponding membership witnesses, all known NIZK proofs for NP languages are considerably longer than the witnesses. Soon after Gentry’s construction of fully homomorphic encryption, several groups independently contemplated the use of hybrid encryption to optimize the size of NIZK proofs and discussed this idea within the cryptographic community. This article formally explores this idea of using fully homomorphic hybrid encryption to optimize NIZK proofs and other related cryptographic primitives. We investigate the question of minimizing the communication overhead of NIZK proofs for NP and show that if fully homomorphic encryption exists then it is possible to get proofs that are roughly of the same size as the witnesses. Our technique consists in constructing a fully homomorphic hybrid encryption scheme with ciphertext size \(|m|+{\mathrm {poly}}(k)\), where \(m\) is the plaintext and \(k\) is the security parameter. Encrypting the witness for an NP-statement allows us to evaluate the NP-relation in a communication-efficient manner. We apply this technique to both standard non-interactive zero-knowledge proofs and to universally composable non-interactive zero-knowledge proofs. The technique can also be applied outside the realm of non-interactive zero-knowledge proofs, for instance to get witness-size interactive zero-knowledge proofs in the plain model without any setup or to minimize the communication in secure computation protocols.

## Keywords

Non-interactive zero-knowledge proofs Fully homomorphic encryption Hybrid encryption Secure function evaluation Minimizing communication## Notes

### Acknowledgments

Jens Groth was supported by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013) / ERC Grant Agreement No. 307937 and the Engineering and Physical Sciences Research Council Grant EP/G013829/1. Yuval Ishai was supported by the European Union’s Tenth Framework Programme (FP10/2010-2016) under Grant Agreement No. 259426 ERC-CaC, by ISF Grant 1361/10, and by BSF Grant 2012378. Chris Peikert was supported by the National Science Foundation under CAREER Award CCF-1054495, by the Alfred P. Sloan Foundation, and by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under Contract No. FA8750-11-C-0098. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the National Science Foundation, the Sloan Foundation, DARPA or the U.S. Government. Amit Sahai was supported in part from a DARPA/ONR PROCEED award, NSFgrants 1228984, 1136174, 1118096, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11- 1-0389. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. Adam Smith was supported by US National Science Foundation awards #0941553 and #0747294.

## References

- 1.B. Barak, R. Canetti, J.-B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in
*FOCS*, (ACM, New York, 2004), pp. 186–195Google Scholar - 2.M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications, in
*STOC*, (ACM, New York, 1988) pp. 103–112Google Scholar - 3.Z. Brakerski, Fully homomorphic encryption without modulus switching from classical gapsvp, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 7417 (Springer, Berlin, 2012), pp. 868–886Google Scholar - 4.Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in
*FOCS*(ACM, New York, 2011)Google Scholar - 5.Z. Brakerski, C. Gentry, S. Halevi, Packed ciphertexts in lwe-based homomorphic encryption, in
*Public Key Cryptography*. Lecture Notes in Computer Science, vol. 7778 (Springer, Berlin, 2013), pp. 1–13Google Scholar - 6.Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in
*ITCS*(ACM, New York, 2012), pp. 309–325Google Scholar - 7.X. Boyen, B. Waters, Compact group signatures without random oracles, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 427–444Google Scholar - 8.R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in
*FOCS*(ACM, New York, 2001), pp. 136–145Google Scholar - 9.N. Chandran, J. Groth, A. Sahai, Ring signatures of sub-linear size without random oracles, in
*ICALP*. Lecture Notes in Computer Science, vol. 4596 (Springer, Berlin, 2007), pp. 423–434Google Scholar - 10.I. Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 658 (Springer, Berline, 1992), pp. 341–355Google Scholar - 11.A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai, Robust non-interactive zero knowledge, in
*CRYPTO*. Lecture Notes in Computer Science, vol 2139 (Springer, Berline, 2002), pp. 566–598Google Scholar - 12.A. De Santis, G. Di Crescenzo, G. Persiano. Randomness-optimal characterization of two NP proof systems, in
*RANDOM*. Lecture Notes in Computer Science, vol. 2483 (Springer, Berline, 2002), pp. 179–193Google Scholar - 13.D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography.
*SIAM J. Comput.***30**(2), 391–437 (2000)Google Scholar - 14.U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions.
*SIAM J. Comput.***29**(1), 1–28 (1999)Google Scholar - 15.C. Gentry,
*A fully homomorphic encryption scheme*. PhD thesis, Stanford University (2009)Google Scholar - 16.C. Gentry. Fully homomorphic encryption using ideal lattices, in
*STOC*(ACN, New York, 2009), pp. 169–178Google Scholar - 17.C. Gentry, S. Halevi, V. Vaikuntanathan,
*i*-hop homomorphic encryption and rerandomizable Yao circuits, in*CRYPTO*. Lecture Notes in Computer Science, vol. 6223 (Springer, Berline, 2010), pp. 155–172Google Scholar - 18.O. Goldreich, J. Håstad, On the complexity of interactive proofs with bounded communication.
*Inf. Process. Lett.***67**(4), 205–214 (1998)Google Scholar - 19.O. Goldreich, H. Krawczyk, On the composition of zero-knowledge proof systems.
*SIAM J. Comput.***25**(1), 169–192 (1996)Google Scholar - 20.O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems.
*J. Cryptol.***7**(1), 1–32 (1994)Google Scholar - 21.O. Goldreich, S.P. Vadhan, A. Wigderson, On interactive proofs with a laconic prover.
*Comput. Complex.***11**(1–2), 1–53 (2002)Google Scholar - 22.S. Goldwasser, Y.T. Kalai, G.N. Rothblum, Delegating computation: interactive proofs for muggles, in
*STOC*(ACN, New York, 2008), pp. 113–122Google Scholar - 23.J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 4248 (Springer, Berline, 2006), pp. 444–459Google Scholar - 24.J. Groth, Short non-interactive zero-knowledge proofs, in
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 6477 (Springer, Berline, 2010), pp. 341–358Google Scholar - 25.J. Groth, R. Ostrovsky, Cryptography in the multi-string model, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 4622 (Springer, Berline, 2007), pp. 323–341Google Scholar - 26.J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 4965 (Springer, Berline, 2008), pp. 415–432Google Scholar - 27.J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge.
*J. ACM***59**(3), 11 (2012)Google Scholar - 28.J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function.
*SIAM J. Comput.***28**(4), 1364–1396 (1999)Google Scholar - 29.Y. Ishai, Efficiency vs. assumptions in secure computation, in
*Presentation at Impagliazzo’s Worlds Workshop*(2009)Google Scholar - 30.Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation.
*SIAM J. Comput.***39**(3), 1121–1152 (2009)Google Scholar - 31.Y.T. Kalai, R. Raz, Interactive PCP, in
*ICALP*. Lecture Notes in Computer Science, vol. 5126 (Springer, Berline, 2008), pp. 536–547Google Scholar - 32.J. Kilian, Erez Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions.
*J. Cryptol.***11**(1), 1–27 (1998)Google Scholar - 33.H. Lipmaa, Efficient multi-query CPIR from ring-LWE, in
*Cryptology ePrint Archive, Report 2011/595*(2011)Google Scholar - 34.M. Naor, K. Nissim, Communication preserving protocols for secure function evaluation, in
*STOC*(ACN, New York, 2001), pp. 590–599Google Scholar - 35.M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in
*STOC*(ACN, New York, 1990), pp. 427–437Google Scholar - 36.Y. Oren, On the cunning power of cheating verifiers: some observations about zero knowledge proofs, in
*FOCS*(ACN, New York, 1987), pp. 462–471Google Scholar - 37.C. Peikert, A. Smith, Concise, uninformative proofs, in
*Rump Session Presentation at Asiacrypt*(2009)Google Scholar - 38.J. Rompel, One-way functions are necessary and sufficient for secure signatures, in
*STOC*(ACN, New York, 1990), pp. 387–394Google Scholar - 39.A. Sahai, Non-malleable non-interactive zero-knowledge and adaptive chosen-ciphertext security, in
*FOCS*(ACN, New York, 2001), pp. 543–553Google Scholar - 40.D. Stehlé, R. Steinfeld, Faster fully homomorphic encryption, in
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 6477 (Springer, Berline, 2010), pp. 377–394Google Scholar - 41.N.P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in
*Public Key Cryptography*. Lecture Notes in Computer Science, vol. 6056 (Springer, Berline, 2010), pp. 420–443Google Scholar - 42.M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 6110 (Springer, Berline, 2010), pp. 24–43Google Scholar - 43.A.C.-C. Yao, Protocols for secure computations (extended abstract), in
*FOCS*(ACN, New York, 1982), pp. 160–164Google Scholar