Let $\Lambda: \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ be a Boolean formula of size $d$, or more generally, an arithmetic circuit of degree $d$, known to both Alice and Bob, and let $y \in \{0,1\}^m$ be an input known only to Alice. Assume that Alice and Bob interacted in the past in a preamble phase (that is, applied a preamble protocol that depends only on the parameters, and not on $\Lambda$, $y$). We show that Alice can (non-interactively) commit to $y$, by a message of size $\mathrm{poly}(m, \log d)$, and later on prove to Bob any $N$ statements of the form $\Lambda(x_1, y) = z_1, \ldots, \Lambda(x_N, y) = z_N$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(d, \log N)$. (Note the logarithmic dependence on $N$.)

We give many applications and motivations for this result. In particular, assuming that Alice and Bob applied in the past the (poly-logarithmic size) preamble protocol:

1. Given a CNF formula $\Psi(w_1, \ldots, w_m)$ of size $N$, Alice can prove the satisfiability of $\Psi$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(m)$. That is, the size of the proof depends only on the size of the witness and not on the size of the formula.
2. Given a language $L$ in the class LOGSNP and an input $x \in \{0,1\}^n$, Alice can prove the membership $x \in L$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{polylog}\, n$.
3. Alice can commit to a Boolean formula $y$ of size $m$, by a message of size $\mathrm{poly}(m)$, and later on prove to Bob any $N$ statements of the form $y(x_1) = z_1, \ldots, y(x_N) = z_N$ by a (computationally sound) non-interactive zero-knowledge proof of size $\mathrm{poly}(m, \log N)$.

Our cryptographic assumptions include the existence of a poly-logarithmic Symmetric-Private-Information-Retrieval (SPIR) scheme, as defined in [4], and the existence of commitment schemes, secure against circuits of size exponential in the security parameter.