Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?

  • Ronald Cramer
  • Ivan Damgård
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


We present a general method for constructing commitment schemes based on the existence of q-one-way group homomorphisms, in which elements of a finite prime field GF(q) can be committed to. A receiver of commitments can non-interactively check whether committed values satisfy linear equations. Multiplicative relations can be verified interactively with exponentially small error, while communicating only a constant number of commitments. Particular assumptions sufficient for our commitment schemes include: the RSA assumption, hardness of discrete log in a prime-order group, and polynomial security of Diffie-Hellman encryption.

Based on these commitments, we give efficient zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields: given such a circuit, the prover shows in zero-knowledge that inputs can be selected that lead to a given output. For a field GF(q), where q is an m-bit prime, a circuit of size O(m), and error probability 2^-m, our protocols require communication of O(m^2) bits. We then look at the Boolean Circuit Satisfiability problem and give non-interactive zero-knowledge proofs and arguments with preprocessing. In the proof stage, the prover can prove any circuit of size n he wants by sending only one message of size O(n) bits. As a final application, we show that Shamir's (Shen's) interactive proof system for the (IP-complete) QBF problem can be transformed into a zero-knowledge proof system with the same asymptotic communication complexity and number of rounds.
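The commitment machinery the abstract describes, instantiated for the discrete-log case as an added worked example (this is not code from the paper; the paper's q-one-way-homomorphism framework is more general and its protocols differ in detail): Pedersen-style commitments com(x; r) = g^x h^r in a group of prime order q, a non-interactive check that committed values satisfy a public linear equation (the verifier multiplies commitments, the prover reveals only the combined randomness), and a three-move interactive proof that a committed c equals a*b, which sends two extra commitments and three field elements. The group parameters (p = 1019, q = 509), the generators, and the concrete multiplication protocol are assumptions of this example; the prime is toy-sized, and the soundness error per round is 1/q, so a real deployment uses a 256-bit or larger prime-order group.

```python
"""Pedersen-style commitments in a prime-order group, a non-interactive check of
a linear relation between committed values, and a three-move proof that a
committed value is the product of two others.  Constructed illustration of the
discrete-log instantiation; parameters are toy-sized."""
import secrets

# Constructed toy parameters (assumption of this example): p = 2q + 1 with
# p = 1019 and q = 509 both prime, so the quadratic residues mod p form a group
# of prime order q.  A real deployment uses a >= 256-bit prime-order group; the
# protocol is unchanged and its soundness error per round is 1/q.
P, Q = 1019, 509
G = pow(3, 2, P)  # 9: a quadratic residue, hence of order q
H = pow(2, 2, P)  # 4: second residue; binding assumes log_G(H) is unknown


def commit(x, r):
    """com(x; r) = G^x * H^r mod P with x, r reduced into Z_q."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P


def rand_scalar():
    return secrets.randbelow(Q)


def commit_rand(x):
    """Commit to x with fresh randomness; returns (commitment, randomness)."""
    r = rand_scalar()
    return commit(x, r), r


# --- linear relations: non-interactive --------------------------------------
def open_linear(rands, coeffs):
    """Prover: randomness of the combination sum(a_i * x_i); reveals no x_i."""
    return sum(a * r for a, r in zip(coeffs, rands)) % Q


def verify_linear(commitments, coeffs, total, r_total):
    """Verifier: prod C_i^{a_i} == com(total; r_total) holds iff
    sum(a_i * x_i) == total (mod q), by the homomorphism of com."""
    acc = 1
    for c, a in zip(commitments, coeffs):
        acc = acc * pow(c, a % Q, P) % P
    return acc == commit(total, r_total)


# --- multiplicative relation c = a*b: three moves -----------------------------
def mult_prove_round1(b):
    """Prover move 1: commit to a fresh random d and to d*b."""
    d, r_d, r_db = rand_scalar(), rand_scalar(), rand_scalar()
    state = {"d": d, "r_d": r_d, "r_db": r_db}
    return (commit(d, r_d), commit(d * b, r_db)), state


def mult_prove_round3(state, e, a, r_a, r_b, r_c):
    """Prover move 3 on challenge e: f = e*a + d is opened, and the
    randomness z2 shows f*b - e*c - d*b = e*(a*b - c) commits to zero."""
    f = (e * a + state["d"]) % Q
    z1 = (e * r_a + state["r_d"]) % Q
    z2 = (f * r_b - e * r_c - state["r_db"]) % Q
    return f, z1, z2


def mult_verify(Ca, Cb, Cc, msg1, e, msg3):
    """Verifier: C_a^e * C_d opens to f, and C_b^f == C_c^e * C_db * H^z2.
    The second equality holds iff e*(a*b - c) == 0 mod q."""
    Cd, Cdb = msg1
    f, z1, z2 = msg3
    ok_open = pow(Ca, e, P) * Cd % P == commit(f, z1)
    lhs = pow(Cb, f, P)
    rhs = pow(Cc, e, P) * Cdb % P * pow(H, z2, P) % P
    return ok_open and lhs == rhs


def run_mult_protocol(a, b, c, e=None):
    """Whole exchange for freshly committed a, b, c; returns the verdict.
    e fixes the verifier's challenge (used by the tests); default is random."""
    Ca, r_a = commit_rand(a)
    Cb, r_b = commit_rand(b)
    Cc, r_c = commit_rand(c)
    msg1, state = mult_prove_round1(b)
    if e is None:
        e = rand_scalar()
    msg3 = mult_prove_round3(state, e, a, r_a, r_b, r_c)
    return mult_verify(Ca, Cb, Cc, msg1, e, msg3)


if __name__ == "__main__":
    C = [commit_rand(x) for x in (10, 20, 3)]
    coeffs = [1, 2, -1]  # claim: x1 + 2*x2 - x3 == 47
    r_lin = open_linear([r for _, r in C], coeffs)
    print("linear  :", verify_linear([c for c, _ in C], coeffs, 47, r_lin))
    print("honest  :", run_mult_protocol(17, 23, 17 * 23))
    print("cheating:", run_mult_protocol(17, 23, 17 * 23 + 1, e=7))
```

A circuit proof is assembled gate by gate from these two pieces: a linear gate costs only an opening of the combined randomness, and each multiplication gate costs one run of the three-move proof, with the proofs for all gates run in parallel under a single challenge. When the challenge is e = 0 the multiplication check passes for any c, which is exactly the 1/q soundness error; with an m-bit q that is the 2^-m error figure quoted in the abstract.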


Keywords: Proof system, Commitment scheme, Arithmetic circuit, Interactive proof, Interactive proof system


References

1. D. Beaver: Efficient Multiparty Protocols Using Circuit Randomization, Proceedings of CRYPTO '91, Springer-Verlag LNCS, 1992, pp. 420–432.
2. L. Babai, L. Fortnow, L. Levin and M. Szegedy: Checking Computations in Polylogarithmic Time, Proceedings of STOC '91.
3. M. Bellare and O. Goldreich: On Defining Proofs of Knowledge, Proceedings of CRYPTO '92, Springer-Verlag LNCS, vol. 740, pp. 390–420.
4. J. Boyar, G. Brassard and R. Peralta: Subquadratic Zero-Knowledge, Journal of the ACM, November 1995.
5. G. Brassard, D. Chaum and C. Crépeau: Minimum Disclosure Proofs of Knowledge, JCSS, vol. 37, pp. 156–189, 1988.
6. M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali and P. Rogaway: Everything Provable is Provable in Zero-Knowledge, Proceedings of CRYPTO '88, Springer-Verlag LNCS series, pp. 37–56.
7. J. Benaloh: Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret, Proceedings of CRYPTO '86, Springer-Verlag LNCS series, pp. 251–260.
8. R. Cramer and I. Damgård: Linear Zero-Knowledge, Proceedings of STOC '97.
9. R. Cramer, I. Damgård and U. Maurer: Span Programs and General Secure Multiparty Computations, BRICS Report Series RS-97-27.
10. R. Cramer, I. Damgård and B. Schoenmakers: Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Proceedings of CRYPTO '94, Springer-Verlag LNCS, vol. 839, pp. 174–187.
11. W. Diffie and M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22 (6): 644–654, 1976.
12. De Santis, Di Crescenzo, Persiano and Yung, Proceedings of FOCS 1994.
13. I. Damgård and B. Pfitzmann: Sequential Iteration of Interactive Arguments, Proceedings of ICALP '98, Springer-Verlag LNCS series.
14. T. ElGamal: A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory, IT-31 (4): 469–472, 1985.
15. L. Fortnow: The Complexity of Perfect Zero-Knowledge, Advances in Computing Research, vol. 5, 1989, pp. 327–344.
16. E. Fujisaki and T. Okamoto: Statistical Zero-Knowledge Protocols to Prove Modular Polynomial Relations, Proceedings of CRYPTO '97, Springer-Verlag LNCS series.
17. O. Goldreich and A. Kahan: How to Construct Constant-Round Zero-Knowledge Proof Systems for NP, Journal of Cryptology, 9 (1996), pp. 167–189.
18. S. Goldwasser and S. Micali: Probabilistic Encryption, JCSS, vol. 28, 1984.
19. O. Goldreich, S. Micali and A. Wigderson: Proofs that Yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design, Proceedings of FOCS '86, pp. 174–187.
20. S. Goldwasser, S. Micali and C. Rackoff: The Knowledge Complexity of Interactive Proof Systems, SIAM J. Computing, vol. 18, pp. 186–208, 1989.
21. R. Gennaro, T. Rabin and M. Rabin: Simplified VSS and Fast-Track Multiparty Computations, Proceedings of PODC '98.
22. J. Kilian: A Note on Efficient Proofs and Arguments, Proceedings of STOC '92.
23. J. Kilian: Efficient Interactive Arguments, Proceedings of CRYPTO '95, Springer-Verlag LNCS, vol. 963, pp. 311–324.
24. T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, Proceedings of CRYPTO '91, Springer-Verlag LNCS, vol. 576, pp. 129–140.
25. C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryptology, 4 (3): 161–174, 1991.
26. A. Shamir: IP=PSPACE, Journal of the ACM, vol. 39 (1992), pp. 869–877.
27. A. Shen: IP=PSPACE: Simplified Proof, Journal of the ACM, vol. 39 (1992), pp. 878–880.
28. A. De Santis, S. Micali and G. Persiano: Non-Interactive Zero-Knowledge with Preprocessing, Advances in Cryptology: Proceedings of CRYPTO '88 (1989), Springer-Verlag LNCS, pp. 269–282.

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Ronald Cramer, ETH Zürich, Switzerland
  • Ivan Damgård, BRICS (Basic Research in Computer Science, centre of the Danish National Research Foundation), Aarhus University, Denmark
