Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?
We present a general method for constructing commitment schemes based on the existence of q-one-way group homomorphisms, in which elements of a finite prime field GF(q) can be committed to. A receiver of commitments can non-interactively check whether committed values satisfy linear equations. Multiplicative relations can be verified interactively with exponentially small error, while communicating only a constant number of commitments. Particular assumptions sufficient for our commitment schemes include: the RSA assumption, hardness of the discrete logarithm in a prime-order group, and polynomial security of Diffie-Hellman encryption.
Based on these commitments, we give efficient zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields: given such a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an m-bit prime, a circuit of size O(m), and error probability 2^{-m}, our protocols require communication of O(m^2) bits. We then look at the Boolean Circuit Satisfiability problem and give non-interactive zero-knowledge proofs and arguments with preprocessing. In the proof stage, the prover can prove any circuit of size n he wants by sending only one message of size O(n) bits. As a final application, we show that Shamir's (Shen's) interactive proof system for the (IP-complete) QBF problem can be transformed into a zero-knowledge proof system with the same asymptotic communication complexity and number of rounds.
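As an added illustration (not code from the paper), the following shows the discrete-log instantiation the abstract names: a Pedersen-style commitment to GF(q) elements in a prime-order subgroup, and the receiver's non-interactive check that committed values satisfy a linear equation, using one extra message (a randomness offset) from the committer. The parameters p = 23, q = 11, g = 2, h = 3 are constructed toy values; in a real deployment the subgroup is large and log_g(h) must be unknown to the committer.

```python
import secrets

# Constructed toy parameters: GF(Q) is the committed field, P = 2*Q + 1 is prime,
# and G, H both generate the order-Q subgroup of Z_P^*. The group homomorphism
# (x, r) -> g^x h^r is what makes linear relations checkable without opening.
P, Q = 23, 11
G, H = 2, 3   # assumption: log_G(H) is unknown to the committer (binding)


def commit(x, r=None):
    """Commit to x in GF(Q): C = g^x * h^r mod p, with fresh randomness r (hiding)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(H, r, P) % P, r


def open_commitment(c, x, r):
    """Receiver re-computes the commitment from the revealed (x, r)."""
    return c == pow(G, x % Q, P) * pow(H, r, P) % P


def linear_witness(coeffs, rands, r_out):
    """Committer's single message for the claim sum(a_i * x_i) = x_out:
    the randomness offset s = sum(a_i * r_i) - r_out mod q. It reveals nothing
    about the x_i because every r_i is uniform in GF(q)."""
    return (sum(a * r for a, r in zip(coeffs, rands)) - r_out) % Q


def check_linear(coeffs, commits, c_out, s):
    """Receiver's non-interactive check: prod C_i^{a_i} == C_out * h^s.
    Both sides equal g^{sum a_i x_i} h^{sum a_i r_i} iff the claimed linear
    equation holds in GF(q) (otherwise it would yield an opening of log_g(h))."""
    lhs = 1
    for a, c in zip(coeffs, commits):
        lhs = lhs * pow(c, a % Q, P) % P
    return lhs == c_out * pow(H, s, P) % P


def demo(x1=4, x2=7, a=3, b=5):
    """Honest claim x3 = a*x1 + b*x2 passes; a commitment to the wrong value fails."""
    x3 = (a * x1 + b * x2) % Q
    c1, r1 = commit(x1)
    c2, r2 = commit(x2)
    c3, r3 = commit(x3)
    honest = check_linear([a, b], [c1, c2], c3, linear_witness([a, b], [r1, r2], r3))
    c_bad, r_bad = commit((x3 + 1) % Q)   # wrong output value, same relation claimed
    cheat = check_linear([a, b], [c1, c2], c_bad, linear_witness([a, b], [r1, r2], r_bad))
    return honest, cheat
```

Multiplicative relations such as x3 = x1 * x2 are not visible to this check, which is why the paper handles them with an interactive protocol.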