Linear Zero-Knowledge. A Note on Efficient Zero-Knowledge Proofs and Arguments
Ivan Damgård, Ronald Cramer
TL;DR: Two protocols for any NP language L, a zero-knowledge proof and a 4-move perfect zero-knowledge argument, both built from a Boolean formula Phi (with and-, or- and not-operators) that verifies an NP-witness of membership in L; as a function of the security parameters they have the smallest known asymptotic communication complexity among general proofs or arguments for NP.
Abstract: We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x in L with error probability less than 2^−k using communication corresponding to O(|x|^c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also present a 4-move perfect zero-knowledge interactive argument for any NP language L. On input x in L, the communication complexity is O(|x|^c) · max(k, l) bits, where l is the security parameter for the prover. Again, the protocol can be based on any bit commitment scheme with a particular set of properties. We suggest efficient implementations based on discrete logarithms or factoring. We present an application of our techniques to multiparty computations, allowing for example t committed oblivious transfers with error probability 2^−k to be done simultaneously using O(t + k) commitments. Results for general computations follow from this. As a function of the security parameters, our protocols have the smallest known asymptotic communication complexity among general proofs or arguments for NP. Moreover, the constants involved are small enough for the protocols to be practical in a realistic situation: both protocols are based on a Boolean formula Phi containing and-, or- and not-operators which verifies an NP-witness of membership in L. Let n be the number of times this formula reads an input variable. Then the communication complexity of the protocols when using our concrete commitment schemes can be more precisely stated as at most 4n + k + 1 commitments for the interactive proof and at most 5nl + 5l bits for the argument (assuming k ≤ l, so that max(k, l) = l). Thus, with k chosen proportional to n (for example k = n), the number of commitments required for the proof is linear in n. Both protocols are also proofs of knowledge of an NP-witness of membership in the language involved.
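As an added illustration (not code from the paper): a small Python script that parses a Boolean verification formula Phi over witness variables, counts n, the number of times Phi reads an input variable, evaluates Phi on a candidate witness, and computes the two bounds stated above (4n + k + 1 commitments for the proof, 5nl + 5l bits for the argument under k ≤ l). The formula syntax (and/or/not, parentheses, identifiers such as w1) and the sample CNF formula are assumptions of this example; the paper gives only the bounds, and the script does not implement the protocols themselves.

```python
# Added example, not from the paper: derive n from a verification formula Phi
# and evaluate the communication bounds quoted in the abstract.
# Assumed formula syntax: 'and', 'or', 'not', parentheses, identifiers.
import re
from typing import Dict, List, Tuple

KEYWORDS = {"and", "or", "not"}
TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z_]\w*)")


def tokenize(formula: str) -> List[str]:
    """Split a formula into parentheses, keywords and variable names."""
    text, pos, tokens = formula.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; precedence: not > and > or."""

    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> str:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ""

    def parse(self) -> Tuple:
        node = self.parse_or()
        if self.pos != len(self.tokens):
            raise ValueError(f"trailing tokens: {self.tokens[self.pos:]}")
        return node

    def parse_or(self) -> Tuple:
        node = self.parse_and()
        while self.peek() == "or":
            self.pos += 1
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self) -> Tuple:
        node = self.parse_not()
        while self.peek() == "and":
            self.pos += 1
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self) -> Tuple:
        tok = self.peek()
        self.pos += 1
        if tok == "not":
            return ("not", self.parse_not())
        if tok == "(":
            node = self.parse_or()
            if self.peek() != ")":
                raise ValueError("expected ')'")
            self.pos += 1
            return node
        if tok in KEYWORDS or tok in ("", ")"):
            raise ValueError(f"expected a variable, got {tok!r}")
        return ("var", tok)  # every leaf is one read of an input variable


def parse(formula: str) -> Tuple:
    return Parser(tokenize(formula)).parse()


def count_reads(node: Tuple) -> int:
    """n: number of times Phi reads an input variable (leaves of the AST)."""
    if node[0] == "var":
        return 1
    return sum(count_reads(child) for child in node[1:])


def evaluate(node: Tuple, witness: Dict[str, bool]) -> bool:
    """Run the verification formula on a candidate NP-witness."""
    op = node[0]
    if op == "var":
        return bool(witness[node[1]])
    if op == "not":
        return not evaluate(node[1], witness)
    if op == "and":
        return evaluate(node[1], witness) and evaluate(node[2], witness)
    return evaluate(node[1], witness) or evaluate(node[2], witness)


def proof_commitments(n: int, k: int) -> int:
    """Abstract's bound for the interactive proof: 4n + k + 1 commitments,
    soundness error below 2^-k."""
    return 4 * n + k + 1


def argument_bits(n: int, k: int, l: int) -> int:
    """Abstract's bound for the argument: 5nl + 5l bits, stated under the
    assumption k <= l (so that max(k, l) = l)."""
    if k > l:
        raise ValueError("bound 5nl + 5l assumes k <= l")
    return 5 * n * l + 5 * l


# Constructed sample: a CNF verification formula over witness bits w1..w3.
PHI = "(w1 or w2 or not w3) and (not w1 or w3) and (w2 or w3)"

if __name__ == "__main__":
    ast = parse(PHI)
    n = count_reads(ast)
    print("n (variable reads) =", n)
    print("accepts w=(1,0,1):", evaluate(ast, {"w1": True, "w2": False, "w3": True}))
    print("proof, k=n:", proof_commitments(n, n), "commitments")
    print("argument, k=n, l=80:", argument_bits(n, n, 80), "bits")
```

For the sample formula n = 7, so with k = n the proof costs 36 commitments and, with l = 80, the argument costs 3200 bits; both numbers are the abstract's upper bounds for the paper's concrete commitment schemes, not a measurement of any implementation.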
Citations
On the Size of Pairing-Based Non-interactive Arguments
Jens Groth
- 08 May 2016
TL;DR: It is shown that linear interactive proofs cannot have a linear decision procedure, and it follows that SNARGs where the prover and verifier use generic asymmetric bilinear group operations cannot consist of a single group element.
• Posted Content
The Random Oracle Methodology, Revisited
TL;DR: In this paper, the authors take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the schemes that result from implementing the random oracle by so called "cryptographic hash functions".
The random oracle methodology, revisited (preliminary version)
Ran Canetti, Oded Goldreich, Shai Halevi
- 23 May 1998
TL;DR: There exist signature and encryption schemes which are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.
• Posted Content
Pinocchio: Nearly Practical Verifiable Computation
TL;DR: Pinocchio is a built system for efficiently verifying general computations while relying only on cryptographic assumptions: the client creates a public evaluation key to describe her computation, and this setup cost is proportional to evaluating the computation once.
• Proceedings Article
Succinct non-interactive zero knowledge for a von Neumann architecture
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza
- 20 Aug 2014
TL;DR: A system that provides succinct noninteractive zero-knowledge proofs (zk-SNARKs) for program executions on a von Neumann RISC architecture and is the first to be universal: it does not need to know the program, but only a bound on its running time.
References
The knowledge complexity of interactive proof systems
TL;DR: A computational complexity theory of the "knowledge" contained in a proof is developed, and examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity.
How to generate and exchange secrets
Andrew Chi-Chih Yao
- 27 Oct 1986
TL;DR: A new tool for controlling the knowledge transfer process in cryptographic protocol design is introduced and it is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature.
How to play ANY mental game
Oded Goldreich, Silvio Micali, Avi Wigderson
- 01 Jan 1987
TL;DR: This work presents a polynomial-time algorithm that, given as input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided the majority of the players is honest.
Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
Ronald Cramer, Ivan Damgård, Berry Schoenmakers
- 21 Aug 1994
TL;DR: In this paper, the authors show how to transform a proof of knowledge P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by a secret sharing scheme S on n participants.
Minimum disclosure proofs of knowledge
Gilles Brassard, David Chaum, Claude Crépeau
- 01 Oct 1988
TL;DR: In this article, the authors present protocols for allowing a "prover" to convince a "verifier" that the prover knows some verifiable secret information, without allowing the verifier to learn anything about the secret.