Efficient Zero-Knowledge Proofs of Knowledge without Intractability Assumptions

  • Ronald Cramer
  • Ivan Damgård
  • Philip MacKenzie
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1751)


We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4-moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely on intractability assumptions.


Secret Sharing Scheme Special Soundness Commitment Relation Knowledge Error Soundness Error 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)Google Scholar
  2. Babai, L., Gál, A., Kollár, J., Rónyai, L., Szabó, T., Wigderson, A.: Extremal bipartite graphs and superpolynomial lower bounds for monotone span programs. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, May 22-24, pp. 603–611 (1996)Google Scholar
  3. Bellare, M., Jakobsson, M., Yung, M.: Round-optimal zero-knowledge arguments based on any one-way function. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 280–305. Springer, Heidelberg (1997)Google Scholar
  4. Bellare, M., Micali, S., Ostrovsky, R.: Perfect zero-knowledge in constant rounds. In: Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, May 14-16, pp. 482–493 (1990)Google Scholar
  5. Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998)Google Scholar
  6. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
  7. Cramer, R.: Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI & Univ. of Amsterdam (November 1996)Google Scholar
  8. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  9. Stinson, D.R. (ed.): CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994)zbMATHGoogle Scholar
  10. Damgård, I.B.: On the existence of bit commitment schemes and zero-knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 17–27. Springer, Heidelberg (1990)Google Scholar
  11. Damgård, I.B.: Interactive hashing can simplify zero-knowledge protocol design without computational assumptions (extended abstract). In: CRYPTO 1993 [CRY 1993], pp. 100–109 (1993)Google Scholar
  12. Damgård, I., Pfitzmann, B.: Sequential iteration of interactive arguments. Journal version of ICALP 1998 paper (1998)Google Scholar
  13. Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed rsa-key generation. In: STOC 1998 [STO 1998], pp. 663–672 (1998)Google Scholar
  14. Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990)Google Scholar
  15. Goldreich, O., Kahan, A.: How to construct constant-round zeroknowledge proof systems for np. Journal of Cryptology 9(3), 167–189 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  16. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM Journal on Computing 25(1), 169–192 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  17. Goldreich, O.: Foundations of cryptography (fragments of a book) (February 1995)Google Scholar
  18. Guillou, L.C., Quisquater, J.-J.: A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)Google Scholar
  19. Genarro, R., Rabin, M.O., Rabin, T.: Simplified vss and fast-track multiparty computations with applications to threshold cryptography. In: Proceedings of the Seventeenth Annual ACM Symposium on Principles of Distributed Computing (1998)Google Scholar
  20. Goldreich, O., Sahai, A., Vadhan, S.: Honest-verifier statistical zeroknowledge equals general statistical zero-knowledge. In: STOC 1998 [STO 1998], pp. 399–408 (1998)Google Scholar
  21. Karchmer, M., Wigderson, A.: Characterizing non-deterministic circuit size. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on the Theory of Computing, San Diego, California, May 16-18, pp. 532–540 (1993)Google Scholar
  22. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  23. De Santis, A., Di Crescenzo, G., Persiano, G.: Secret sharing and perfect zero knowledge. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 73–84. Springer, Heidelberg (1994)Google Scholar
  24. Santis, A.D., Crescenzo, G.D., Persiano, G., Yung, M.: On monotone formula closure of SZK. In: 35th Annual Symposium on Foundations of Computer Science, pp. 454–465. IEEE, Los Alamitos (1994)CrossRefGoogle Scholar
  25. Saito, T., Kurosawa, K., Sakurai, K.: 4 Move perfect ZKIP of knowledge with no assumption. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 321–330. Springer, Heidelberg (1993)Google Scholar
  26. Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, Dallas, Texas (May 23-26, 1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Ronald Cramer
    • 1
  • Ivan Damgård
    • 2
  • Philip MacKenzie
    • 3
  1. 1.Institute for Theoretical Computer Science ETH ZurichZurich
  2. 2.Aarhus University, BRICS 
  3. 3.Bell LaboratoriesInformation Sciences Research CenterMurray HillUSA

Personalised recommendations