Journal of Cryptology

, Volume 28, Issue 4, pp 820–843 | Cite as

Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

  • Craig Gentry
  • Jens GrothEmail author
  • Yuval Ishai
  • Chris Peikert
  • Amit Sahai
  • Adam Smith


A non-interactive zero-knowledge (NIZK) proof can be used to demonstrate the truth of a statement without revealing anything else. It has been shown under standard cryptographic assumptions that NIZK proofs of membership exist for all languages in NP. While there is evidence that such proofs cannot be much shorter than the corresponding membership witnesses, all known NIZK proofs for NP languages are considerably longer than the witnesses. Soon after Gentry’s construction of fully homomorphic encryption, several groups independently contemplated the use of hybrid encryption to optimize the size of NIZK proofs and discussed this idea within the cryptographic community. This article formally explores this idea of using fully homomorphic hybrid encryption to optimize NIZK proofs and other related cryptographic primitives. We investigate the question of minimizing the communication overhead of NIZK proofs for NP and show that if fully homomorphic encryption exists then it is possible to get proofs that are roughly of the same size as the witnesses. Our technique consists in constructing a fully homomorphic hybrid encryption scheme with ciphertext size \(|m|+{\mathrm {poly}}(k)\), where \(m\) is the plaintext and \(k\) is the security parameter. Encrypting the witness for an NP-statement allows us to evaluate the NP-relation in a communication-efficient manner. We apply this technique to both standard non-interactive zero-knowledge proofs and to universally composable non-interactive zero-knowledge proofs. The technique can also be applied outside the realm of non-interactive zero-knowledge proofs, for instance to get witness-size interactive zero-knowledge proofs in the plain model without any setup or to minimize the communication in secure computation protocols.


Non-interactive zero-knowledge proofs Fully homomorphic encryption Hybrid encryption Secure function evaluation Minimizing communication 



Jens Groth was supported by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013) / ERC Grant Agreement No. 307937 and the Engineering and Physical Sciences Research Council Grant EP/G013829/1. Yuval Ishai was supported by the European Union’s Tenth Framework Programme (FP10/2010-2016) under Grant Agreement No. 259426 ERC-CaC, by ISF Grant 1361/10, and by BSF Grant 2012378. Chris Peikert was supported by the National Science Foundation under CAREER Award CCF-1054495, by the Alfred P. Sloan Foundation, and by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under Contract No. FA8750-11-C-0098. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the National Science Foundation, the Sloan Foundation, DARPA or the U.S. Government. Amit Sahai was supported in part from a DARPA/ONR PROCEED award, NSFgrants 1228984, 1136174, 1118096, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11- 1-0389. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. Adam Smith was supported by US National Science Foundation awards #0941553 and #0747294.


  1. 1.
    B. Barak, R. Canetti, J.-B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in FOCS, (ACM, New York, 2004), pp. 186–195Google Scholar
  2. 2.
    M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications, in STOC, (ACM, New York, 1988) pp. 103–112Google Scholar
  3. 3.
    Z. Brakerski, Fully homomorphic encryption without modulus switching from classical gapsvp, in CRYPTO. Lecture Notes in Computer Science, vol. 7417 (Springer, Berlin, 2012), pp. 868–886Google Scholar
  4. 4.
    Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in FOCS (ACM, New York, 2011)Google Scholar
  5. 5.
    Z. Brakerski, C. Gentry, S. Halevi, Packed ciphertexts in lwe-based homomorphic encryption, in Public Key Cryptography. Lecture Notes in Computer Science, vol. 7778 (Springer, Berlin, 2013), pp. 1–13Google Scholar
  6. 6.
    Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in ITCS (ACM, New York, 2012), pp. 309–325Google Scholar
  7. 7.
    X. Boyen, B. Waters, Compact group signatures without random oracles, in EUROCRYPT. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 427–444Google Scholar
  8. 8.
    R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in FOCS (ACM, New York, 2001), pp. 136–145Google Scholar
  9. 9.
    N. Chandran, J. Groth, A. Sahai, Ring signatures of sub-linear size without random oracles, in ICALP. Lecture Notes in Computer Science, vol. 4596 (Springer, Berlin, 2007), pp. 423–434Google Scholar
  10. 10.
    I. Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing, in EUROCRYPT. Lecture Notes in Computer Science, vol. 658 (Springer, Berline, 1992), pp. 341–355Google Scholar
  11. 11.
    A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai, Robust non-interactive zero knowledge, in CRYPTO. Lecture Notes in Computer Science, vol 2139 (Springer, Berline, 2002), pp. 566–598Google Scholar
  12. 12.
    A. De Santis, G. Di Crescenzo, G. Persiano. Randomness-optimal characterization of two NP proof systems, in RANDOM. Lecture Notes in Computer Science, vol. 2483 (Springer, Berline, 2002), pp. 179–193Google Scholar
  13. 13.
    D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)Google Scholar
  14. 14.
    U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)Google Scholar
  15. 15.
    C. Gentry, A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009)Google Scholar
  16. 16.
    C. Gentry. Fully homomorphic encryption using ideal lattices, in STOC (ACN, New York, 2009), pp. 169–178Google Scholar
  17. 17.
    C. Gentry, S. Halevi, V. Vaikuntanathan, i-hop homomorphic encryption and rerandomizable Yao circuits, in CRYPTO. Lecture Notes in Computer Science, vol. 6223 (Springer, Berline, 2010), pp. 155–172Google Scholar
  18. 18.
    O. Goldreich, J. Håstad, On the complexity of interactive proofs with bounded communication. Inf. Process. Lett. 67(4), 205–214 (1998)Google Scholar
  19. 19.
    O. Goldreich, H. Krawczyk, On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)Google Scholar
  20. 20.
    O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)Google Scholar
  21. 21.
    O. Goldreich, S.P. Vadhan, A. Wigderson, On interactive proofs with a laconic prover. Comput. Complex. 11(1–2), 1–53 (2002)Google Scholar
  22. 22.
    S. Goldwasser, Y.T. Kalai, G.N. Rothblum, Delegating computation: interactive proofs for muggles, in STOC (ACN, New York, 2008), pp. 113–122Google Scholar
  23. 23.
    J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in ASIACRYPT. Lecture Notes in Computer Science, vol. 4248 (Springer, Berline, 2006), pp. 444–459Google Scholar
  24. 24.
    J. Groth, Short non-interactive zero-knowledge proofs, in ASIACRYPT. Lecture Notes in Computer Science, vol. 6477 (Springer, Berline, 2010), pp. 341–358Google Scholar
  25. 25.
    J. Groth, R. Ostrovsky, Cryptography in the multi-string model, in CRYPTO. Lecture Notes in Computer Science, vol. 4622 (Springer, Berline, 2007), pp. 323–341Google Scholar
  26. 26.
    J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in EUROCRYPT. Lecture Notes in Computer Science, vol. 4965 (Springer, Berline, 2008), pp. 415–432Google Scholar
  27. 27.
    J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11 (2012)Google Scholar
  28. 28.
    J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)Google Scholar
  29. 29.
    Y. Ishai, Efficiency vs. assumptions in secure computation, in Presentation at Impagliazzo’s Worlds Workshop (2009)Google Scholar
  30. 30.
    Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)Google Scholar
  31. 31.
    Y.T. Kalai, R. Raz, Interactive PCP, in ICALP. Lecture Notes in Computer Science, vol. 5126 (Springer, Berline, 2008), pp. 536–547Google Scholar
  32. 32.
    J. Kilian, Erez Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions. J. Cryptol. 11(1), 1–27 (1998)Google Scholar
  33. 33.
    H. Lipmaa, Efficient multi-query CPIR from ring-LWE, in Cryptology ePrint Archive, Report 2011/595 (2011)Google Scholar
  34. 34.
    M. Naor, K. Nissim, Communication preserving protocols for secure function evaluation, in STOC (ACN, New York, 2001), pp. 590–599Google Scholar
  35. 35.
    M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in STOC (ACN, New York, 1990), pp. 427–437Google Scholar
  36. 36.
    Y. Oren, On the cunning power of cheating verifiers: some observations about zero knowledge proofs, in FOCS (ACN, New York, 1987), pp. 462–471Google Scholar
  37. 37.
    C. Peikert, A. Smith, Concise, uninformative proofs, in Rump Session Presentation at Asiacrypt (2009)Google Scholar
  38. 38.
    J. Rompel, One-way functions are necessary and sufficient for secure signatures, in STOC (ACN, New York, 1990), pp. 387–394Google Scholar
  39. 39.
    A. Sahai, Non-malleable non-interactive zero-knowledge and adaptive chosen-ciphertext security, in FOCS (ACN, New York, 2001), pp. 543–553Google Scholar
  40. 40.
    D. Stehlé, R. Steinfeld, Faster fully homomorphic encryption, in ASIACRYPT. Lecture Notes in Computer Science, vol. 6477 (Springer, Berline, 2010), pp. 377–394Google Scholar
  41. 41.
    N.P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in Public Key Cryptography. Lecture Notes in Computer Science, vol. 6056 (Springer, Berline, 2010), pp. 420–443Google Scholar
  42. 42.
    M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in EUROCRYPT. Lecture Notes in Computer Science, vol. 6110 (Springer, Berline, 2010), pp. 24–43Google Scholar
  43. 43.
    A.C.-C. Yao, Protocols for secure computations (extended abstract), in FOCS (ACN, New York, 1982), pp. 160–164Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Craig Gentry
    • 1
  • Jens Groth
    • 2
    Email author
  • Yuval Ishai
    • 3
  • Chris Peikert
    • 4
  • Amit Sahai
    • 5
  • Adam Smith
    • 6
  1. 1.IBM T.J. Watson Research CenterOssiningUSA
  2. 2.University College LondonLondonUK
  3. 3.TechnionHaifaIsrael
  4. 4.Georgia Institute of TechnologyAtlantaUSA
  5. 5.University of California Los AngelesLos AngelesUSA
  6. 6.Pennsylvania State UniversityState CollegeUSA

Personalised recommendations