### On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations [chapter]

Ronald Cramer, Ivan Damgård, Valerio Pastro
2012 Lecture Notes in Computer Science
We present a protocol that allows to prove in zero-knowledge that committed values xi, yi, zi, i = 1, . . . , l satisfy xiyi = zi, where the values are taken from a finite field K, or are integers. The amortized communication complexity per instance proven is O(κ + l) for an error probability of 2 −l , where κ is the size of a commitment. When the committed values are from a field of small constant size, this improves complexity of previous solutions by a factor of l. When the values are
more » ... s, we improve on security: whereas previous solutions with similar efficiency require the strong RSA assumption, we only need the assumption required by the commitment scheme itself, namely factoring. We generalize this to a protocol that verifies l instances of an algebraic circuit D over K with v inputs, in the following sense: given committed values xi,j and zi, with i = 1, . . . , l and j = 1, . . . , v, the prover shows that D(xi,1, . . . , xi,v) = zi for i = 1, . . . , l. For circuits with small multiplicative depth, this approach is better than using our first protocol: in fact, the amortized cost may be asymptotically smaller than the number of multiplications in D. In typical applications of these commitment schemes, the prover needs to convince the verifier that the values he commits satisfy a certain algebraic relation. A general way to state this is that the prover commits to x 1 , . . . , x l , and the verifier wants to know that D(x 1 , . . . , x t ) = 0 for an algebraic circuit D defined over K or over the integers. If D uses only linear operations, the verifier can himself compute a commitment to D(x 1 , . . . , x t ) (using the homomorphic properties of the commitment scheme) and the prover opens this to reveal 0. However, if D uses multiplication, we need a zero-knowledge protocol where the prover convinces the verifier that three committed values x, y, z satisfy xy = z. In  , such a multiplication protocol was proposed for homomorphic commitments over any finite field K. The soundness error for this protocol is 1/|K|. For fields of small size (constant or logarithmic in the security parameter), this probability is of course too large, and the only known way to have a smaller error is to repeat the protocol. This solution leads to a protocol with communication complexity Θ(κl) for soundness error 2 −l and where commitments have size κ bits. Likewise, a multiplication protocol for integer commitments was proposed in [12, 10] . This protocol has essentially optimal communication complexity Θ(κ + l + k), where k is size in bits of the prover's secret integers, but it requires an extra assumption, namely the strong RSA assumption. If we only want to assume what the commitment scheme requires (factoring), the best known complexity is Θ((κ + k)l). An approach to improving this state of affairs was proposed in , where it was suggested to take advantage of the fact that many applications require the prover to make many ZK proofs of similar statements. The idea is then to combine all the proofs into one protocol and try to make the amortized complexity per proof be small. In our case, this would mean that the prover commits to x i , y i , z i for i = 1, . . . , l and wants to convince the verifier that x i y i = z i for all i. The technique from  yields a protocol with amortized complexity Θ(κ + l) but, unfortunately, this will only work if all x i 's are equal (or all y i 's are equal), and in most applications, this will not be satisfied . In this paper, we suggest a new protocol that achieves amortized complexity O(κ+l) for arbitrary x i , y i , z i , and works for any homomorphic commitment scheme over a finite field K. Therefore, when the committed values are from a field of small constant size, we improve the complexity of previous solutions by a factor of l. When values are integers, we obtain complexity O(κ + k + l log(l)) and we improve security of previous solutions that needed the strong RSA assumption, while we need no additional assumption. Our basic protocols are only honest-verifier zero-knowledge, but this can be improved to generalverifier zero-knowledge using standard tools. Our technique is related to the "multiparty computation in the head" technique from  , but with an important difference: both strategies make use of "virtual players", that is, the prover in his head imagines n players that receive shares of his secret values and he must later reveal information to the verifier relating to these shares. The protocol from  has complexity linear in n, because the prover must commit to the view of each virtual player. We use a different approach, exploiting the homomorphic property of the commitment scheme to get a simpler and more efficient protocol with complexity logarithmic in n. On the other hand, we show that a combination of "multiparty computation in the head" and our protocol for verifying algebraic circuits (see below) can actually improve the communication complexity for some parameter values. One application area where this result can improve state of the art is the following: as shown in  , general multiparty computation can be based on homomorphic encryption schemes, such as the Goldwasser-Micali (GM)-scheme  , where the plaintext space is F 2 . Supplying inputs to