Efficient zero-knowledge arguments from two-tiered homomorphic commitments
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
On the amortized complexity of zero knowledge protocols for multiplicative relations
ICITS'12 Proceedings of the 6th international conference on Information Theoretic Security
Zero-Knowledge proofs via polynomial representations
MFCS'12 Proceedings of the 37th international conference on Mathematical Foundations of Computer Science
| Hi-index | 0.00 |
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows $n$ mutually suspicious players to jointly compute a function of their local inputs without revealing to any $t$ corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation $R(x,w)$, which makes only a black-box use of any secure protocol for a related multiparty functionality $f$. The latter protocol is required only to be secure against a small number of “honest but curious” players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying $R$ on a witness of length $m$ can be done by a circuit $C$ of size $s$, and assuming that one-way functions exist, we get the following types of zero-knowledge proof protocols: (1) Approaching the witness length. If $C$ has constant depth over $\wedge,\vee,\oplus,\neg$ gates of unbounded fan-in, we get a zero-knowledge proof protocol with communication complexity $m\cdot{poly}(k)\cdot{polylog}(s)$, where $k$ is a security parameter. (2) “Constant-rate” zero-knowledge. For an arbitrary circuit $C$ of size $s$ and a bounded fan-in, we get a zero-knowledge protocol with communication complexity $O(s)+{poly}(k,\log s)$. Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the $O(ks)$ complexity of the best previous protocols.