Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack

  • Ronald CramerEmail author
  • Ivan Damgård
  • Chaoping Xing
  • Chen Yuan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10210)


We propose a new zero-knowledge protocol for proving knowledge of short preimages under additively homomorphic functions that map integer vectors to an Abelian group. The protocol achieves amortized efficiency in that it only needs to send O(n) function values to prove knowledge of n preimages. Furthermore we significantly improve previous bounds on how short a secret we can extract from a dishonest prover, namely our bound is a factor O(k) larger than the size of secret used by the honest prover, where k is the statistical security parameter. In the best previous result, the factor was \(O(k^{\log k} n)\).

Our protocol can be applied to give proofs of knowledge for plaintexts in (Ring-)LWE-based cryptosystems, knowledge of preimages of homomorphic hash functions as well as knowledge of committed values in some integer commitment schemes.


Bipartite Graph Hash Function Random Oracle Commitment Scheme Random Oracle Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We are grateful for feedback and suggestions we received after we circulated a preprint of this work on July 6, 2016. Omer Reingold [Rei16] suggested the approach from Theorem 5 as an improvement to our “strong unique neighbor” Theorem 6, which was also stated in this preprint. This suggestion not only gave a deterministic construction instead of our Monte Carlo one but it also improved the left-vertex-set parameter from cubic to quadratic. We thank him for allowing us to incorporate his suggestion. Independently from Omer Reingold, Gilles Zémor [Z16] suggested an alternative improvement to our “strong unique neighbor” Theorem 6 which removed the probabilism as well but left the parameters essentially unchanged. His suggestion was based on combining our excellent expansion approach with an argument involving the girth of certain graphs and an application of Turán’s Theorem. Furthermore, we thank Gilles Zémor for several helpful discussions and pointers to the literature (also at an earlier stage). Finally, thanks to Amin Shokrollahi and Salil Vadhan for answering questions about the literature.


  1. [Bas81]
    Bassalygo, L.: Asymptotically optimal switching circuits. Probl. Inf. Transm. 17(3), 81–88 (1981)MathSciNetzbMATHGoogle Scholar
  2. [BDLN16]
    Baum, C., Damgård, I., Larsen, K.G., Nielsen, M.: How to prove knowledge of small secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 478–498. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53015-3_17. Cryptology ePrint Archive, Report 2016/538 (2016)CrossRefGoogle Scholar
  3. [BDOZ11]
    Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_11 CrossRefGoogle Scholar
  4. [BG93]
    Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_28 CrossRefGoogle Scholar
  5. [BGV12]
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS 2012, pp. 309–325. ACM, New York (2012)Google Scholar
  6. [BV14]
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput. 43(2), 831–871 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  7. [CD09]
    Cramer, R., Damgård, I.: On the amortized complexity of zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 177–191. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_11 CrossRefGoogle Scholar
  8. [CDK14]
    Cramer, R., Damgård, I., Keller, M.: On the amortized complexity of zero-knowledge protocols. J. Cryptol. 27(2), 284–316 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  9. [CRVW02]
    Capalbo, M., Reingold, O., Vadhan, S., Wigderson, A.: Randomness conductors and constant-degree lossless expanders. In: STOC, pp. 659–668 (2002)Google Scholar
  10. [DF02]
    Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). doi: 10.1007/3-540-36178-2_8 CrossRefGoogle Scholar
  11. [DKL+13]
    Damgård, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.P.: Practical covertly secure MPC for dishonest majority – or: breaking the SPDZ limits. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 1–18. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40203-6_1 CrossRefGoogle Scholar
  12. [DPSZ12]
    Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_38 CrossRefGoogle Scholar
  13. [GGH96]
    Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 3, pp. 236–241 (1996)Google Scholar
  14. [GSW13]
    Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_5 CrossRefGoogle Scholar
  15. [KL14]
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography. CRC Press, Boca Raton (2014)zbMATHGoogle Scholar
  16. [LMPR08]
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-71039-4_4 CrossRefGoogle Scholar
  17. [Lyu08]
    Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78440-1_10 CrossRefGoogle Scholar
  18. [Lyu09]
    Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_35 CrossRefGoogle Scholar
  19. [Rei16]
    Reingold, O.: Private communication to the authors, July 2016Google Scholar
  20. [Vad12]
    Vadhan, S.: Pseudorandomness. Now publishers (2012)Google Scholar
  21. [Z16]
    Zémor, G.: Private communication to the authors, July 2016Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Ronald Cramer
    • 1
    • 2
    Email author
  • Ivan Damgård
    • 3
  • Chaoping Xing
    • 4
  • Chen Yuan
    • 4
  1. 1.CWIAmsterdamNetherlands
  2. 2.Mathematical InstituteLeiden UniversityLeidenNetherlands
  3. 3.Department of Computer ScienceAarhus UniversityAarhusDenmark
  4. 4.School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore

Personalised recommendations