On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations

  • Ronald Cramer
  • Ivan Damgård
  • Valerio Pastro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7412)


We present a protocol that allows to prove in zero-knowledge that committed values x i , y i , z i , i = 1,…,l satisfy x i y i  = z i , where the values are taken from a finite field. For error probability 2− u the size of the proof is linear in u and only logarithmic in l. Therefore, for any fixed error probability, the amortized complexity vanishes as we increase l. In particular, when the committed values are from a field of small constant size, we improve complexity of previous solutions by a factor of l. Assuming preprocessing, we can make the commitments (and hence the protocol itself) be information theoretically secure. Using this type of commitments we obtain, in the preprocessing model, a perfect zero-knowledge interactive proof for circuit satisfiability of circuit C where the proof has size O(|C|). We then generalize our basic scheme to a protocol that verifies l instances of an algebraic circuit D over K with v inputs, in the following sense: given committed values x i,j and z i , with i = 1,…,l and j = 1,…,v, the prover shows that D(x i,1,…,x i,v ) = z i for i = 1,…,l. The interesting property is that the amortized complexity of verifying one circuit only depends on the multiplicative depth of the circuit and not the size. So for circuits with small multiplicative depth, the amortized cost can be asymptotically smaller than the number of multiplications in D. Finally we look at commitments to integers, and we show how to implement information theoretically secure homomorphic commitments to integer values, based on preprocessing. After preprocessing, they require only a constant number of multiplications per commitment. We also show a variant of our basic protocol, which can verify l integer multiplications with low amortized complexity. This protocol also works for standard computationally secure commitments and in this case we improve on security: whereas previous solutions with similar efficiency require the strong RSA assumption, we only need the assumption required by the commitment scheme itself, namely factoring.


Secret Sharing Scheme Commitment Scheme Homomorphic Encryption Multiplication Gate Homomorphic Property 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BDOZ11]
    Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-Homomorphic Encryption and Multiparty Computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. [Bou00]
    Boudot, F.: Efficient Proofs that a Committed Number Lies in an Interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. [BSFO11]
    Ben-Sasson, E., Fehr, S., Ostrovsky, R.: Near-linear unconditionally-secure multiparty computation with a dishonest minority. Cryptology ePrint Archive, Report 2011/629 (2011),
  4. [CC06]
    Chen, H., Cramer, R.: Algebraic Geometric Secret Sharing Schemes and Secure Multi-Party Computations over Small Fields. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 521–536. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. [CCG+07]
    Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure Computation from Random Error Correcting Codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. [CD98]
    Cramer, R., Damgård, I.: Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge Be for Free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998)Google Scholar
  7. [CD09]
    Cramer, R., Damgård, I.: On the Amortized Complexity of Zero-Knowledge Protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 177–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. [CDD+99]
    Cramer, R., Damgård, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient Multiparty Computations Secure Against an Adaptive Adversary. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 311–326. Springer, Heidelberg (1999)Google Scholar
  9. [CDM00]
    Cramer, R., Damgård, I., Maurer, U.M.: General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. [CDN01]
    Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty Computation from Threshold Homomorphic Encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. [DF02]
    Damgård, I., Fujisaki, E.: A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. [DIK10]
    Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. [DPSZ12]
    Damgård, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty Computation from Somewhat Homomorphic Encryption. In: Safavi-Naini, R. (ed.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012)Google Scholar
  14. [FO97]
    Fujisaki, E., Okamoto, T.: Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)Google Scholar
  15. [FY92]
    Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: STOC, pp. 699–710. ACM (1992)Google Scholar
  16. [GM84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetzbMATHCrossRefGoogle Scholar
  17. [IKOS09]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  18. [KW93]
    Karchmer, M., Wigderson, A.: On Span Programs. In: Structure in Complexity Theory Conference, pp. 102–111 (1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Ronald Cramer
    • 1
  • Ivan Damgård
    • 1
  • Valerio Pastro
    • 1
  1. 1.CWI Amsterdam and Dept. of Computer ScienceAarhus UniversityDanmark

Personalised recommendations