Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?

  • Ronald Cramer
  • Ivan Damgård
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


We present a general method for constructing commitment schemes based on existence of q-one way group homomorphisms, in which elements in a finite prime field GF(q) can be committed to. A receiver of commitments can non-interactively check whether committed values satisfy linear equations. Multiplicative relations can be verified interactively with exponentially small error, while communicating only a constant number of commitments. Particular assumptions sufficient for our commitment schemes include: the RSA assumption, hardness of discrete log in a prime order group, and polynomial security of Diffie-Hellman encryption.

Based on these commitments, we give efficient zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given such a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an m-bit prime, a circuit of size O(m), and error probability 2 −m , our protocols require communication of O(m 2 ) bits. We then look at the Boolean Circuit Satisfiability problem and give non-interactive zero-knowledge proofs and arguments with preprocessing. In the proof stage, the prover can prove any circuit of size n he wants by sending only one message of size O(n) bits. As a final application, we show that Shamirs (Shens) interactive proof system for the (IP-complete) QBF problem can be transformed to a zero-knowledge proof system with the same asymptotic communication complexity and number of rounds.


  1. 1.
    D. Beaver: Efficient Multiparty Protocols Using Circuit Randomization, Proceedings of Crypto 91, Springer-Verlag LNCS, 1992, pp. 420–432.Google Scholar
  2. 2.
    L. Babai, L. Fortnow, L. Levin and M. Szegedi: Checking Computations in Polylogarithmic Time, Proceedings of STOC '91.Google Scholar
  3. 3.
    M. Bellare and and O. Goldreich: On Defining Proofs of Knowledge, Proceedings of Crypto '92, Springer Verlag LNCS, vol. 740, pp. 390–420.Google Scholar
  4. 4.
    J. Boyar, G. Brassard and R. Peralta: Subquadratic Zero-Knowledge, Journal of the ACM, November 1995.Google Scholar
  5. 5.
    G. Brassard, D. Chaum and C. Crépeau: Minimum Disclosure Proofs of Knowledge, JCSS, vol.37, pp. 156–189, 1988.MATHGoogle Scholar
  6. 6.
    M.Ben-Or, O.Goldreich, S.Goldwasser, J.Håstad, J.Kilian, S.Micali and P.Rogaway: Everything Provable is Provable in Zero-Knowledge, Proceedings of Crypto 88, Springer Verlag LNCS series, 37–56.Google Scholar
  7. 7.
    J. Benaloh: Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret, Proc. of Crypto 86, Springer Verlag LNCS series, 251–260.Google Scholar
  8. 8.
    R. Cramer and I. Damgård: Linear Zero-Knowledge, Proc. of STOC 97.Google Scholar
  9. 9.
    R. Cramer, I. Damgård and U. Maurer: Span Programs and General Secure Multiparty Computations, BRICS Report series RS-97-27, available from Scholar
  10. 10.
    R. Cramer, I. Damgård and B. Schoenmakers: Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Proceedings of Crypto '94, Springer verlag LNCS, vol. 839, pp. 174–187.Google Scholar
  11. 11.
    W. Diffie and M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory IT-22 (6): 644–654, 1976.MathSciNetCrossRefGoogle Scholar
  12. 12.
    De Santis, Di Crecenzo, Persiano and Yung, Proceedings of FOCS 1994.Google Scholar
  13. 13.
    I. Damgaård and B. Pfitzmann: Sequential Iteration of Interactive Arguments, Proc. of ICALP 98, Springer Verlag LNCS series.Google Scholar
  14. 14.
    T. ElGamal, A Public-Key Cryptosystem and a Signature Scheme based on Discrete Logarithms, IEEE Transactions on Information Theory, IT-31 (4): 469–472, 1985.MathSciNetCrossRefGoogle Scholar
  15. 15.
    L. Fortnow: The complexity of Perfect Zero-Knowledge, Adv. in Computing Research, vol.5, 1989, 327–344.Google Scholar
  16. 16.
    E. Fujisaki and T. Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, Proceedings of Crypto 97, Springer Verlag LNCS series.Google Scholar
  17. 17.
    O. Goldreich and A. Kahan: How to Construct Constant-Round Zero-Knowledge Proof Systems for NP, Journal of Cryptology, (1996) 9: 167–189.MATHMathSciNetCrossRefGoogle Scholar
  18. 18.
    S. Goldwasser and S. Micali: Probabilistic Encryption, JCSS, vol.28, 1984.Google Scholar
  19. 19.
    O. Goldreich, S. Micali and A. Wigderson: Proofs that yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design, Proceedings of FOCS '86, pp. 174–187.Google Scholar
  20. 20.
    S. Goldwasser, S. Micali and C. Rackoff: The Knowledge Complexity of Interactive Proof Systems, SIAM J.Computing, Vol. 18, pp. 186–208, 1989.MATHMathSciNetCrossRefGoogle Scholar
  21. 21.
    R.Gennaro, T.Rabin and M.Rabin: Simplified VSS and Fast-Track Multiparty Computations, Proceedings of PODC '98.Google Scholar
  22. 22.
    J. Kilian: A note on Efficient Proofs and Arguments, Proceedings of STOC '92.Google Scholar
  23. 23.
    J. Kilian: Efficient Interactive Arguments, Proceedings of Crypto '95, Springer Verlag LNCS, vol. 963, pp. 311–324.Google Scholar
  24. 24.
    T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, proc. of Crypto 91, Springer Verlag LNCS, vol. 576, pp. 129–140.Google Scholar
  25. 25.
    C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryptology, 4 (3): 161–174, 1991.MATHMathSciNetCrossRefGoogle Scholar
  26. 26.
    A. Shamir: IP=PSPACE, Journal of the ACM, vol.39 (1992), 869–877.MATHMathSciNetCrossRefGoogle Scholar
  27. 27.
    A. Shen: IP=PSPACE, Simplified Proof, Journal of the ACM, vol.39 (1992),pp.878–880.MATHCrossRefGoogle Scholar
  28. 28.
    A. De Santis, S. Micali, G. Persiano: Non-interactive zero-knowledge with preprocessing, Advances in Cryptology — Proceedings of CRYPTO 88 (1989) Lecture Notes in Computer Science, Springer-Verlag pp. 269–282.Google Scholar

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Ronald Cramer
    • 1
  • Ivan Damgård
    • 2
  1. 1.ETH ZürichSwitzerland
  2. 2.BRICS (Basic Research in Computer Science, center of the Danish National Research Foundation)Aarhus UniversityDenmarck

Personalised recommendations