# On the concrete complexity of zero-knowledge proofs

## Abstract

The fact that there are zero-knowledge proofs for all languages in NP has, potentially, enormous implications for cryptography. For cryptographers, the issue is no longer “which languages in NP have zero-knowledge proofs” but rather “which languages in NP have practical zero-knowledge proofs”. Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.

In this paper, we study the concrete complexity of the known general methods for constructing zero-knowledge proofs. We establish that circuit-based methods have the potential of producing proofs which can be used in practice. Then we introduce several techniques which greatly reduce the concrete complexity of circuit-based proofs. In order to show that our protocols yield proofs of knowledge, we show how to extend the Feige-Fiat-Shamir definition for proofs of knowledge to the model of Brassard-Chaum-Crépeau. Finally, we present techniques for improving the efficiency of protocols which involve arithmetic computations, such as modular addition, subtraction, and multiplication, and greatest common divisor.

## References

- [1] J. C. Benaloh. Cryptographic capsules: A disjunctive primitive for interactive protocols. In *Advances in Cryptology - Proceedings of CRYPTO 86*, Lecture Notes in Computer Science, pages 213–222. Springer-Verlag, 1987.
- [2] M. Blum and S. Kannan. Designing programs that check their work. *Proceedings of the 21st Annual ACM Symposium on the Theory of Computing*, pages 86–97, 1989.
- [3] J. Boyar, M. Krentel, and S. Kurtz. A discrete logarithm implementation of zero-knowledge blobs. Technical Report 87-002, University of Chicago, 1987. To appear in Journal of Cryptology.
- [4] G. Brassard, D. Chaum, and C. Crépeau. Minimum disclosure proofs of knowledge. *Journal of Computer and System Sciences*, 37:156–189, 1988.
- [5] G. Brassard and C. Crépeau. Nontransitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond. In *Proceedings of the 27th IEEE Symposium on the Foundations of Computer Science*, pages 188–195, 1986.
- [6] G. Brassard and C. Crépeau. Zero-knowledge simulation of boolean circuits. In *Advances in Cryptology - Proceedings of CRYPTO 86*, Lecture Notes in Computer Science, pages 223–233. Springer-Verlag, 1987.
- [7] D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In *Advances in Cryptology - Proceedings of CRYPTO 86*, Lecture Notes in Computer Science, pages 195–199. Springer-Verlag, 1987.
- [8] D. Chaum, I. Damgård, and J. van de Graaf. Multiparty computations ensuring privacy of each party’s input and correctness of the result. In *Advances in Cryptology - Proceedings of CRYPTO 87*, Lecture Notes in Computer Science, pages 87–119. Springer-Verlag, 1988.
- [9] P. L. Chebyshev. Mémoire sur les nombres premiers. *J. Math. Pures et Appl*, (I)(17):366–390, 1852.
- [10] S. A. Cook. The complexity of theorem-proving procedures. In *Proceedings of the 3rd Annual ACM Symposium on the Theory of Computing*, pages 151–158, 1971.
- [11] B. den Boer. An efficiency improvement to prove satisfiability with zero knowledge with public key. In *Advances in Cryptology - Proceedings of EUROCRYPT 89*, Lecture Notes in Computer Science, 1989. To appear.
- [12] U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. *Journal of Cryptology*, 1(2):77–94, 1988.
- [13] M. R. Garey, D. S. Johnson, and L. Stockmeyer. Some simplified NP-complete graph problems. *Theoretical Computer Science*, 1:237–267, 1976.
- [14] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In *27th IEEE Symposium on Foundations of Computer Science*, pages 174–187, 1986.
- [15] S. Goldwasser and S. Micali. Probabilistic encryption. *Journal of Computer and System Sciences*, 28:270–299, 1984.
- [16] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. *SIAM Journal of Computation*, 18(1):186–208, 1989.
- [17] R. Impagliazzo and M. Yung. Direct minimum-knowledge computations. In *Advances in Cryptology - Proceedings of CRYPTO 87*, Lecture Notes in Computer Science, pages 40–51. Springer-Verlag, 1988.
- [18] J. Kilian, S. Micali, and R. Ostrovsky. Efficient zero-knowledge proofs with bounded interaction. In *Advances in Cryptology - Proceedings of CRYPTO 89*, Lecture Notes in Computer Science. Springer-Verlag, 1990. To appear.
- [19] W. LeVeque. *Fundamentals of Number Theory*. Addison-Wesley, 1977.
- [20] N. Pippenger and M. Fischer. Relations among complexity measures. *Journal of the Association for Computing Machinery*, 23:361–381, 1979.
- [21] J. Rosser and L. Schoenfeld. Approximate formulas for some functions of prime numbers. *Illinois Journal of Mathematics*, 6:64–94, 1962.