J. Cryptology (1993) 6:65-85 Journol of

CRYPTOLOGY © 1993 International Association for Cryptologic Research

On the Communication Complexity of Zero-Knowledge Proofs

Joan Boyar* and Carsten Lund University of Chicago, Chicago, Illinois, U.S.A.

Ren6 Peralta** University of Wisconsin, Milwaukee, Wisconsin, U.S.A.

Communicated by Ernest F. Brickell and Gilles Brassard

Received 22 June 1989 and revised 11 May 1992

Abstract. The fact that there are zero-knowledge proofs for all languages in NP (see [15], [6], and [5]) has, potentially, enormous implications to cryptography. For cryptographers, the issue is no longer "which languages in NP have zero- knowledge proofs" but rather "which languages in NP have practical zero- knowledge proofs." Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.

In this paper we study the concrete complexity of the known general methods for constructing zero-knowledge proofs. We establish that circuit-based methods, which can be applied in either the GMR or the BCC model, have the potential of producing proofs which can be used in practice. Then we introduce several tech- niques which greatly reduce the concrete complexity of circuit-based proofs, and we show that these techniques lead to zero-knowledge proofs of knowledge.

Finally, we show how to combine the techniques of Kilian, Micali, and Ostrov- sky, for designing zero-knowledge proofs with only two envelopes, with some of our techniques for reducing the number of bits which the prover must commit to.

Key words. Zero-knowledge, Proofs of knowledge, Efficiency, Cryptographic protocols, Communication complexity.

1. Introduction

F r o m a p r a c t i c a l p o i n t o f v iew, an i m p o r t a n t b o t t l e n e c k in z e r o - k n o w l e d g e in t e r -

a c t i ve p r o o f sy s t ems a n d in " c o m p u t a t i o n a l l y c o n v i n c i n g p r o t o c o l s " t w h i c h a re

* Supported in part by NSA Grant No. MDA90488-H-2006. ** Supported in part by NSF Grant No. CCR-8909657. 1 Protocols in the model of Brassard-Chaum-Cr6pcau [5] are not technically interactive proof

systems. They have been called both computationally convincing protocols and interactive arguments in the literature.

65

66 J. Boyar, C. Lund, and R. Peralta

produced by the techniques of [15], [8], [6], and [2] is the amount of communica- tion necessary. In this paper we provide powerful tools for reducing the number of bits communicated. We call the number of bits communicated the "communicat ion cost" of the protocol.

2. The Communication Cost of Zero-Knowledge Protocols

Let L be a language which has an interactive proof system or a computationally convincing protocol. Fix such a protocol for L. Let CCk(n ) be the number of bits communicated in this protocol to achieve probability of error no more than (1/2) k, for a security parameter k, when the input size is n.

The technique of G M W for producing a zero-knowledge interactive proof system for an arbitrary NP language proceeds by reduction of the language to the graph 3-colorability problem. A simple, zero-knowledge protocol is used to prove that the resulting graph is 3-colorable. Thus we are interested in the communication cost of GMW's protocol for graph 3-colorability. Let n be the number of vertices of the graph and let e be the number of edges. The G M W proof involves the en- cryptions of the colors of vertices. In this paper we consider as constant the cost of encrypting one bit. 2 Thus, in the graph 3-colorability problem, encrypting a color also has constant cost. With this parametrization, the complexity turns out to be CC~C°L(n) ~ O(k. e. n).

If L is a language in NP, then a zero-knowledge proof system for L would be constructed as follows:

I. Transform the instance x from L to a SAT instance S via Cook's theorem [10]. 2. Transform S to a 3-SAT instance 3S via [10]. 3. Transform 3S to a graph 3-colorability instance G via [14]. 4. Prove, via GMW, that G is 3-colorable.

The size of the SAT instances S depends on the time complexity of the non- deterministic Turing machine (NDTM) for L. Let us assume this time complexity to be linear in the size n of the problem instance. Then, using Cook's improvement on his own theorem [11], the transformation at step 1 will produce a SAT instance of size ~(n log n). If we assume no further significant blowup at steps 2 and 3, the final graph will have fl(n log n) vertices and edges. This yields a complexity of the interactive proof CCk(n) ~ ~ ( k . n 2 log 2 n). If the time complexity of the N D T M for L is Y~(n2), as it would be for many number theoretic languages, the complexity of the interactive proof would be CCk(n) ~ ~ ( k . n 4 log 2 n). Thus we see that the tech- nique of reduction to graph 3-colorability, elegant as it is, cannot reasonably be used in practice for arbitrary languages in NP.

An alternative technique for producing zero-knowledge proofs [8], [7], [6], [5], [2], [18] proceeds by reduction to a verifying boolean circuit? From now on we

2 In fact, this cost should be some value fl which depends on the type of encryption used and the security required, but we make this simplifying assumption to avoid multiplying all communication costs mentioned in this paper by the same factor, ft.

3 lmpagliazzo and Yung [18] also present a technique for giving direct proofs for the computation of a verifying Turing machine.

On the Communication Complexity of Zero-Knowledge Proofs 67

refer to this technique as "circuit-based proofs." In circuit-based proofs the commu- nication cost is CCk(S) ~ O(k'S), where S is the circuit size. The circuit size has been related to the time necessary for membership verification by a Turing machine. If this time is p(n) for a problem of size n, then, again by [11-1, there exists a verification circuit of size O(p(n) log p(n)). If the time complexity is linear, then the complexity of this protocol is CCk(n) ~ O(k" n log n). If the time complexity is quadratic, then the complexity of this protocol is CCk(n) ~ O(k" n 2 log n). From now on, we measure the communication complexity of protocols as a function of the underlying circuit's size.

The above analysis indicates that circuit-based methods have the potential of producing proofs which can be used in practice. However, if the known techniques are used, the hidden constants in the expressions for the asymptotic costs are quite large. In this paper we introduce several techniques which greatly reduce the con- crete complexity of circuit-based proofs.

In designing certificate checking circuits for problems in NP and in Babai's class MA 1,1], MAJORITY, AND, OR, and PARITY gates with large fan-in would often be useful. It is, of course, relatively easy to replace these gates with AND, OR, and NOT gates with bounded fan-in so that the protocols in I-8], [6], or 1,5] could be directly applied. The number of extra gates introduced in this process is linear in the total number of inputs to the original gates, but for MAJORITY and PARITY gates, the multiplicative constant for this linear term is greater than one. Our techniques for handling these gates decrease the amount of communication necessary by a fairly large constant factor. We also consider the possibility of using noninteractive processing for NOT and PARITY gates. This idea was originally proposed in 1,6], and it can obviously lead to very significant decreases in the communication complexity of computationally convincing protocols. We give the first proofs that this noninteractive processing actually works correctly in these zero-knowledge protocols. The proof that these do, in fact, give proofs of knowledge is much less straightforward than most previous proofs showing that other proto- cols are proofs of knowledge.

Building on the ideas in this paper, Boyar et al. [3] have since discovered significantly better techniques which greatly reduce the communication cost of such protocols. Those newer results are based on the techniques described below in Sections 5.3 and 5.5. Very recently, Kilian 1,19] has also made significant progress in improving the communication cost of zero-knowledge proofs and computa- tionally convincing arguments.

3. Blobs

A blob encryption scheme, when used in two-party protocols, allows one player, Peggy, 4 to encrypt a bit b as a string t so that the other player, Vic, cannot tell

4 In this paper it will at times be convenient to think of the verifier as being named Vic, and the prover being named Peggy. This has the advantage that personal pronouns such as "he" and "she" can be used unambiguously to identify one of the parties.

68 J. Boyar, C. Lund, and R. Peralta

whether t is the encryption of a zero or a one. This commits Peggy to the bit b in the sense that later she can show Vic that t is the encryption of b, but she cannot falsely show that t is the encryption of the complement of b. Several implementations of blobs are described in [ 5 ] and [4].

Formally, an instance of a blob encryption scheme is a function b: 10, 1) x D + Cn for suitably large n and set D. Given y E C" a blob decryption is a string x E D such that either &(O, x) = y (y is a zero blob) or d(1, x) = y (y is a one blob).

The following properties of this bit encryption technique are relevant to this paper:

a Security-if x is chosen from the uniform distribution on D, the blobs that encrypt zero have the same distribution as the blobs that encrypt one, so Peggy's blobs contain no information, in the information-theoretic sense. Authenticity and Independence-after creating several blobs, Peggy can reveal the bit encrypted to produce one of those blobs, she can convince Vic that this was in fact the bit she encrypted to produce that blob, and she can do this without revealing any information about any of the other blobs.

a Equality-if Peggy produced two blobs from the same bit b, then she can convince Vic of this fact without revealing b or any other information. Similarly, she can convince Vic that two blobs are encryptions of different bits if that is the case.

a Forgeability-Vic, using secret knowledge generated in the construction of 6 can produce a distribution of pairs (do, d l ) such that d(0, do) = d(1, dl), and both do and dl are uniformly distributed on D. Vic gives Peggy a zero- knowledge proof that he has this secret knowledge. The forgeability property is not actually necessary for our purposes, but it makes some proofs easier. Note that the forgeability property implies the security property. Blobs which have the forgeability property are called "chameleon blobs" in [5] .

Consider, for example, the following blob encryption scheme:

Definition 1 (Brassard-Crepeau). Let N be a fixed composite number and let a be a fixed quadratic residue modulo N. We define "SR-blobs" by b(0, x) = x2 (mod N) and E(1, x) = ax2 (mod N) for x E Z,*. ("SR" for "square root.")

Thus, SR-blobs encrypt a zero by the square of a random number in Z,* and a one by a times the square of a random number in Z,*, so all SR-blobs are random quadratic residues. We note that protocols using SR-blobs begin with the verifier randomly choosing an N and an a from some distribution D*, which is such that the verifier believes that N will be hard to factor. Both N and a are then fixed for the remainder of the protocol. The verifier convinces the prover that a is in fact a quadratic residue modulo N and that he knows a square root, using a zero- knowledge subprotocol. This assures the prover that the blobs have both the security and forgeability properties. The fact that there is an exponentially small probability that the verifier can cheat during this subprotocol, however, means that SR-blobs can only yield almost perfect (or statistical) zero-knowledge proofs.

On the Communication Complexity of Zero-Knowledge Proofs 69

More generally, whatever blob encryption scheme is being used, the verifier first chooses parameters for a particular instance b(. , .) from some distribution D*, which is expected to produce hard instances, and then uses a zero-knowledge sub- protocol to convince the prover that the instance chosen has the required proper- ties. The authenticity property (see [4]) holds under the following assumption:

Assumption 1. For any polynomial-sized family of circuits S,, and any polynomial q(n), the probability that S,,, given as input a random instance b ( . , .) of size n from the probability distribution D,*, outputs x , , x , E D such that b(0, x , ) = d(1, x,), is less than l/q(n), for all but a finite number of values of n.

Since the prover is only probabilistic polynomial time, this assumption implies that she will be unable to producex,, x , E D such that b(0, x , ) = &(I, x,). SR-blobs rely on the assumption that it is impossible to compute a square root of a modulo N using polynomial-sized circuit^.^ If the prover was to somehow produce x,, x , such that b(0, x , ) = b(1, x,), then we have x i = ax: which implies & = (x , /x , ) (mod N).

Definition 2. We call the evidence that Peggy gives when convincing Vic that a blob is the encryption of a particular bit the "decryption" of the blob. We call the evidence Peggy gives to show that she produced two blobs from the same bit or from different bits the "XOR-certificate" of the two blobs. We assume that both blob decryptions and XOR-certificates are strings of bits (i.e., noninteractive proofs).

Given SR-blobs u, v the prover convinces the verifier that u, v encrypt the same bit by displaying a square root of uv modulo N. The prover convinces the verifier that u, v encrypt different bits by displaying a square root of auv modulo N. These square roots are the XOR-certificates of SR-blobs.

Let t , = &(b,, x , ) , t , = b(b2, x,), and t , = d(b,, x,). That is, ti is an SR-blob encryption of bi. The reader can easily verify that given XOR-certificates C,,, between t , and t , and C2., between t , and t,, an XOR-certificate for t , and t , is given by C,, , = (C, , , C,, ,/(t,a)) (mod N ) if b, # b, and b, # b, or by C,, , = (C,,,C,,,/t,) (mod N ) otherwise. Thus, given a set of SR-blobs { t i ) and XOR- certificates {C,, j ) for some pairs of blobs, if the relationship between blobs t , and t, can be inferrred from {Ciq j ) , then the XOR-certificate C,,, is computable in polyno- mial time.

Definition 3. When an XOR-certificate for blobs t , , t , is computable in polyno- mial time from the XOR-certificates for blobs t , , t , and t,, t,, we say that XOR- certificates are "transitive."

We note that in SR-blobs, obtaining contradictory XOR-certificates constitutes breaking the system: if C,,, certifies that t , and t , encrypt the same value and C;,, certifies that t , and t , encrypt different values, then & = (C,,,C;,,)/(t, t,) (mod N). This motivates the following definitions.

As is well known, this assumption is equivalent to the assumption that factoring is hard.

70 J. Boyar, C. Lund, and R. Peralta

Definition 4. We say that the prover "breaks" the blob encryption scheme ~ if it can compute x~, x 2 such that ~(0, xl) -- o~(1, x2).

Definition 5. An implementation of blobs has the "strong equality property" if and only if

(1) the XOR-certificates are transitive and (2) obtaining contradictory XOR-certificates constitutes breaking the system.

Finally, we note that several implementations of blobs in the literature, including SR-blobs and those based on the discrete logarithm problem (see [4] and [9]), are "normal" in the sense of the following definition.

Definition 6. A blob encryption scheme g is "normal" if there is a probabilistic polynomial-time machine T, such that from any pair of blobs tl and t2 created by 6, any decryption xl of tl, and any XOR-certificate C~,2 for tl , t2, T can compute a valid decryption x2 of t2.

Normality will turn out to be an important property in proving that our protocols are proofs of knowledge.

4. The Brassard-Cr6peau Proof System

Let us recall the Brassard-Cr+peau zero-knowledge computationally convincing protocols. The prover and verifier, Peggy and Vic, have agreed upon a circuit which has S gates, all of which have bounded (or at most O(log S)) fan-in; they have agreed upon a security parameter k; Peggy knows a satisfying assignment for the circuit; and she wishes to convince Vic that she knows such an assignment. In order to do this, Peggy, who is assumed to have only probabilistic polynomial-time power, uses a blob encryption scheme. First the verifier chooses the parameters for the blob scheme and gives a zero-knowledge proof that the parameters were chosen correctly. After this is completed, the remainder of the protocol is as follows:

Peggy and Vic repeat the following steps k times:

1. For each gate in the circuit, Peggy produces a truth table for the boolean function computed by that gate. For each of the truth tables, she then, ran- domly and independently, chooses a permutation of the rows. For every wire in the circuit, she determines which value that wire would be carrying if the input wires carried the values corresponding to her satisfying assignment. Then Peggy encrypts all of the bits on the wires and all of the bits in her permuted truth tables and sends the resulting blobs over to Vic.

2. Vic then flips a coin to get a random bit b and sends that bit over to Peggy. 3. If b = 0, Peggy shows Vic that all of the truth tables were formed correctly by

decrypting them. She will also show that the blob for the output of the circuit is an encryption of a one. If b = 1, Peggy shows that the inputs and output of each gate correspond to some row in the truth table for that gate. She does this using the blob equality property, showing that the blobs, on the wires

On the Communication Complexity of Zero-Knowledge Proofs 71

which are the inputs and output of the gate, are encryptions of the same bits as the blobs in some row of the truth table.

4. Vic checks everything that Peggy has sent him and rejects if Peggy failed to answer the challenge correctly.

Finally, Vic accepts the "proof" unless he has already rejected it.

5. Eliminating Truth Tables

In this section we present techniques which can be useful in improving the efficiency of perfect and almost perfect zero-knowledge proofs which use the techniques of the original Brassard-Cr6peau [6] computationally convincing protocols. 6

In designing circuits for NP-problems, MAJORITY gates as well as AND or OR gates with large fan-in are often useful. It is, of course, relatively easy to replace these gates with AND, OR, and N O T gates with bounded fan-in so that the Brassard-Cr6peau [6] computationally convincing protocols could be applied directly. It is more efficient, however, to skip this replacement and to use the techniques in the following sections to handle these gates with large fan-in. These techniques can also be used to improve the efficiency of the protocols for circuits which only have gates with bounded fan-in. Instead of producing a truth table for every gate, as in the protocols of Brassard-Cr6peau [6], the prover need only produce a few 'additional" blobs for each gate, so there are fewer blobs she needs to send to the verifier and the communicat ion complexity is reduced.

Some blob encryption schemes allow us to reduce the communication complexity further. A blob scheme allows noninteractive processing of a particular type of gate if the verifier, given blobs for the input(s) to a gate of that type, can create a valid blob for the output of that gate, without requiring any help from the prover. Moreover, it must be the case that the prover can also compute the very same blob without interaction with the verifier. Obviously no additional blobs are necessary for these gates; the blobs on the output wires for these gates need not even be sent to the verifier.

5.1. NOT Gates

The implementation of N O T gates is straightforward. When Vic sends Peggy b = 0, Peggy will show that the N O T gates are working correctly by using the equality property to show that the blobs on the inputs and outputs of the N O T gates are encryptions of different bits. Peggy can ignore the N O T gates when b = 1.

5.2. M A J O R I T Y Gates

Consider MAJORITY gates with fan-in n, where n = 2nt + 1. The output should be one if at least m + 1 of the inputs are one, and zero if at least m + 1 of the inputs are zero. Thus, we need only show that there are m + 1 inputs which are equal to

6 Unfortunately the techniques presented here are not compatible with any complementation of the bits on the wires, so they cannot be used with the Brassard-Chaum-Cr6peau system [5].

72 J. Boyar, C. Lund, and R. Peralta

the output. In order to hide which of the inputs are the same as the output, we will have Peggy produce n more blobs corresponding to the original input blobs for this gate. These additional n blobs will be encryptions of the same bits as the input blobs, but Peggy will send them to Vic in random order, so Vic will be unable to determine the correspondence. Then if the bit b Vic sends to Peggy is a zero, Peggy will show the correspondence between the input blobs and the n additional blobs, using the equality property. If the bit b is a one, Peggy will show that m + 1 of the additional blobs are encryptions of the same bit as the output bit, again using the equality property. If the number of inputs equal to the output is greater than m + 1, Peggy will randomly choose m + 1 additional blobs which have the same value as the output.

5.3. Simulation of AND and OR gates using M A J O R I T Y Gates

M A J O R I T Y gates can be used to simulate A N D and OR gates. Consider first an A N D gate with n inputs. This can be simulated by a M A J O R I T Y gate with 2n - 1 inputs, n of which are the same inputs as to the A N D gate and n - 1 of which carry the value zero. The output of this majori ty gate will be one if and only if all of the inputs to the A N D gate were one, so the simulation is correct. OR gates with n inputs can be simulated similarly, but in this case the extra n - 1 inputs must all be ones. Thus, in order to simulate an A N D or OR gate with n inputs, Peggy will create 2n - 1 additional blobs, with n corresponding to the inputs to the A N D or OR gate and n - ! being encryptions of zeros for an A N D gate or ones for an OR gate. Then, if the bit b Vic sends to Peggy is a zero, Peggy will show the correspon- dence between the inputs to the A N D or OR gate and n of the additional blobs, and she will decode the remaining n - 1 blobs to show that they are all zeros or all ones, depending on whether the gate was an A N D or OR gate. If the bit b is a one, Peggy will show that n of the additional blobs are encryptions of the same bit as the output bit.

Notice that the simulation of A N D and OR gates with large fan-in never requires that the fan-in be greater than two. If the original gates had only two inputs, Peggy would only need to create three additional blobs per gate, rather than the 12 needed to represent a truth table. 7 If the number of inputs is N and the number of gates is S, the total number of blobs on the circuit wires is N + S. If T of the S gates are N O T gates, then the original protocols which use truth tables use N + 13(S - T) + 5T blobs per round, while the protocols described here use N + 4(S - T) + T blobs per round. Thus, the communicat ion complexity is at most one-third of that in the original Brassard-Cr~peau system, if S > 2N. Of course, the gain in efficiency is much greater when the circuit contains M A J O R I T Y gates with large fan-in.

5.4. P A R I T Y Gates

Peggy can show that PARITY gates with n inputs are working correctly using n + 1 additional blobs. These blobs will correspond to the n inputs plus the output. When

Independently of this work, den Boer 1-12] has also decreased the number of blobs necessary for validating the computation of binary boolean functions.

On the Communication Complexity of Zero-Knowledge Proofs 73

b = 0, Peggy will show the correspondence between the additional blobs and the inputs. When b = 1, Peggy can show that a PARITY gate is working correctly by exhibiting a pairing of the additional blobs for the gate (including the blob for the output bit), and using the equality property to show that the blobs within a pair are encryptions of the same bit. If n is even, there will be an unpaired additional blob, and Peggy must show that it was the encryption of a zero.

5.5. Noninteractive Processing of NOT and P A R I T Y Gates

If SR-blobs are used, then the verifier can directly produce blobs which encrypt the value of the output of a NOT gate or of a PARITY gate. a To produce an output blob for a NOT gate, the verifier multiplies the input blob of the gate by ~. An output blob for a PARITY gate can be produced by simply multiplying together all the input blobs. Since the prover need not produce any additional blobs or even the blobs for the outputs of these PARITY gates, this can greatly reduce the communication cost of our protocols, particularly in circuits with many PARITY gates (e.g., circuits for integer multiplication). It is, however, by no means obvious that the resulting protocol is a proof of knowledge. A proof of this fact is given below in Theorem 6.

6. Our Protocols Yield Zero-Knowledge Proofs

We refer to computationally convincing protocols which use the techniques de- scribed in Sections 5.1-5.4 as protocols with interactive processing of NOT and P A R I T Y gates, and we refer to computationally convincing protocols which use the techniques of Sections 5.2, 5.3, and 5.5 as protocols with noninteractive processing o fNOTand P A R I T Y gates. In the following, MAJORITY, AND, and OR gates are allowed in all circuits, and they are handled using the techniques of Sections 5.2 and 5.3.

For simplicity we assume, throughout this section, that no two NOT gates have the same input, that the output of one NOT gate is never the input to another NOT gate, and that the output of every gate (except for one) is an input to some other gate. We impose no further restrictions on fan-out.

We begin by showing that our proof systems are perfect or almost-perfect zero- knowledge proof systems, depending on which implementation of blobs is used. Note that our proof systems are obviously zero-knowledge if the blob implementa- tion used has the forgeability property (see the proof of Theorem 3). The following theorem shows that the forgeability property is not necessary.

Theorem 1. Our protocols with interactive processing of NOT and P A R I T Y gates are perfect zero-knowledge if Peggy and Vic use any implementation of blobs, such as that in [43 and [9], which leads to perfect zero-knowledge proofs in the original Brassard-Cr~peau computationally convincing protocols.

8 This was first observed by Brassard and Crrpeau in I-6].

74 J. Boyar, C. Lund, and R. Peralta

Proof. We construct a simulator for these computationally convincing protocols. Initially, as the verifier is choosing the parameters for the blob encryption scheme and giving a zero-knowledge proof that it was chosen correctly, the simulator behaves exactly as the prover would. Then the simulator sets the bits on the wires so that the output of the circuit is equal to one and so that the input of every N O T gate is different from the output of the same gate. To do this, the simulator assigns values to the wires, level by level, starting with the inputs. First the input wires are all assigned the value one. The first level of gates is the set of gates which have as their inputs the inputs to the circuit. The kth level of gates is the set of gates which are not on any of the first k - 1 levels and which have as their inputs only the inputs to the circuit and the outputs of gates at lower levels. As the simulator is assigning values to the wires corresponding to the outputs of the gates at level k, it will negate the value on the output wire for all N O T gates, and it will assign the value one otherwise. The simulator has completed its first step unless the final gate in the final level, level t, of the circuit is a N O T gate and its input is a one. If this is the case, the input to this final gate came from a unique gate on level t - 1. The simulator will change the output of that gate from a one to a zero. Since we have assumed that this gate on level t - 1 cannot be a N O T gate, the simulator has finished its first step.

Then the simulator flips a coin in an attempt to guess which bit Vic will send. If the coin flip leads to a guess of b -- 0, the simulator will set up the additional blobs for each gate so that they correctly correspond to the appropriate values on the input and output wires and so that those blobs which are supposed to have fixed values (for the AND and OR gates) have those values. The simulator then randomly permutes the additional blobs for each gate and sends everything over to Vic. If Vic sends b = 0, the simulator will have no problem responding correctly. Otherwise, it will back up the tape for the transcript it is creating and will try again.

If the simulator's coin flip leads to a guess of b -- 1, the simulator will set up the additional blobs for each gate so that it can respond correctly if b = I. For a MAJORITY gate with n -- 2m + I inputs, it will set up all of the additional blobs with the same value as the output blob. For an n-input AND gate, it will set n - 1 of the additional blobs to zero, and will make the remaining n blobs encryptions of the same bit which has been assigned to the output wire. An n-input OR would be similar except that the first n - 1 additional blobs would be encryptions of one, rather than of zero. For a PARITY gate, all of the additional blobs can be encryp- tions of zero. Then, ifVic sends b = l, the simulator will have no problem respond- ing correctly. Otherwise, it will back up the tape for the transcript it is creating and will try again. With each coin flip, the simulator has a 50-50 chance of guessing the correct value of b, so the simulation will take expected polynomial time.

The simulator will produce transcripts which have exactly the same distribution as those which would be produced with the true prover because of the blob properties mentioned above. The key to this is that zero blobs and one blobs are drawn from exactly the same distributions. [ ]

Theorem 2. I f a blob implementation is used which leads to almost perfect zero- knowledge proofs in the original Brassard-CrOpeau computationally convincing proto- cols, then our protocols with interactive processing of NOT and P A R I T Y gates are almost perfect zero-knowledge.

On the Communication Complexity of Zero-Knowledge Proofs 75

Proof. Analogous to the proof of the previous theorem. []

Theorem 3. I f SR-blobs are used in the protocols with noninteractive processing of NOT and PARITY gates, then those protocols are almost perfect zero-knowledge.

Proof. This follows from the fact that SR-blobs have the forgeability property. The simulator has control over the verifier, so it can use the zero-knowledge subprotocol, which the verifier uses to show that it knows a square root of ct, to actually find that square root. Then the simulator can create blobs which it can open as either zeros or ones. Using these blobs, the simulator can answer any challenge the verifier gives. Since the blobs the simulator creates come from the same distribu- tion as the blobs the prover creates, there is no difference between what the simulator does and what the prover would do, except that it is unnecessary for the simulator to know a satisfying assignment. In fact, it is unnecessary to use the forgeability property in order to prove this (see the proof of Theorem 7). []

7. Our Protocols Yield Proofs of Knowledge

Now we show that our protocols are proofs of knowledge. We use the formalism developed in [13], which we call the "FFS model." In the FFS model the prover and verifier are probabilistic polynomial time in power and each have an input tape, a random tape, and a "knowledge" tape. The prover is trying to convince the verifier that it "knows" a value W which satisfies a predicate P(1, W). If, for example, the prover is claiming that she knows a satisfying assignment to a boolean circuit 1, the predicate P(I, W) would be true if and only if, when W is input to the circuit I, the output is one. Paraphrasing FFS, such a proof system is a proof of knowledge for the predicate P(I, W) if

There exists a probabilistic polynomial-time Turing machine M such that for any prover A (honest or dishonest), for any initial contents of A's knowledge tape K and random tape R, and any sufficiently large input 1, if the execution of the protocol on input I (assuming an honest verifier B) succeeds with nonnegligible probability, then the output produced by M at the end of the execution of M(A, R, K) on input ! satisfies the predicate P with overwhelming probability.

For a formal definition see [13]. Note that our computationally convincing proto- cols are "restricted input," not "unrestricted input," zero-knowledge proofs of knowledge.

Given that our protocols rely on the security of blob encryption mechanisms, the possibility arises that the prover can convince the verifier that the circuit is satisfiable simply because it "knows" how to break the blob encryption scheme. However, since the verifier randomly chooses the instance of the blob encryption system to be used, it is not sufficient that the prover has the "knowledge" of how to break one instance on its knowledge tape. In order to prove that our protocols are proofs of knowledge, we actually show that if the prover can convince the verifier a

76 J. Boyar, C. Lund, and R. Peralta

nonnegligible portion of the time, then she either knows a satisfying assignment, or she can break whichever instance of the blob encryption scheme is being used. Since Assumption 1 implies that the prover is unable to break a random instance of the blob encryption scheme with any significant probability, this implies that the prover "knows" a satisfying assignment to the circuit.

Theorem 4. Suppose the circuit contains AND, OR, NOT, and M A J O R I T Y gates. After a successful execution of our protocol using a normal blob encryption scheme ~, which satisfies Assumption 1 (and either interactive or noninteractive processing of NO T gates), the verifier is convinced that the prover knows a satisfying assignment to the circuit. This remains so even if gates have unbounded fan-in.

Proof. From the proof in [13] that every problem in NP has an interactive proof system of knowledge which is zero-knowledge, ~,e see that to prove our ptotocol is a proof of knowledge, we need only show that if a probabilistic polynomial-time extractor, M, is able to see Peggy respond to receiving b = 0 and b = 1 for the same set of blobs, that extractor can learn a satisfying assignment for the circuit. If the extractor sees any prover respond correctly to both possible challenges for a given set of blobs, the extractor can learn one of these satisfying assignments by perform- ing a breadth-first search of the circuit, starting with the output, determining the values on the wires it encounters. When processing a gate G in this breadth-first search, the extractor already knows the value of the output. If G is a NOT gate, the input is the complement of the output. If G is an AND, OR, or MAJORITY gate, the answer to the challenge b = 0 will tell the extractor the correspondence between the additional blobs and the blobs on the inputs to G. The answer to the challenge b = 1 will show that some of the values encrypted by the additional blobs are equal to the value encrypted by the output blob. From the correspondence between the additional blobs and input blobs, the extractor will be able to determine the values of enough of the inputs to the gate to force that output value. After completing the breadth-first search, the extractor will know values for enough of the circuit's inputs to force an output value of one. The other inputs can be assigned arbitrary values. This process can fail if, in processing a gate, the extractor gets a contradictory assignment to an input wire. That is, a wire which has already been assigned a boolean value c is now assigned ~.

In this case, using the fact that the encryption scheme is normal, we see that the prover can decrypt a blob both to a one and to a zero, and therefore can break the blob encryption scheme. Note that the extractor chooses the instance of the blob scheme as the verifier would choose it and that Peggy is assumed to be a polynomial- time machine. Thus Peggy can only break the blob scheme with negligible probabil- ity for large enough n. Otherwise, from Peggy, her random tape and her knowledge tape, we could construct a polynomial-sized family of circuits that breaks the blob scheme with nonnegligible probability, for an infinite number of values of n. The existence of such circuits is ruled out by Assumption 1. Thus, with overwhelming probability, the extractor is able to find a satisfying assignment to the circuit. []

Now let us suppose the circuits also have PARITY gates which are processed interactively. We prove that if an implementation of blobs is used which has the

On the Communication Complexity of Zero-Knowledge Proofs 77

strong equality property (see Section 3, Definition 5), then our protocols are still proofs of knowledge. Unfortunately, the blob implementation described in I-4] and [9], which leads to perfect zero-knowledge proofs does not have the strong equality property. In this implementation, Vic sends to Peggy a prime p, a generator g for Z*, and a random element ct of Z*. To encode a one, Peggy sends ag" mod p, where r is a random number. A zero is encoded by g" mod p. To decode the blob, r is revealed. To "prove" two blobs tl and t 2 encode the same bit, the discrete log of tx/t2 is revealed. To "prove" t~ and t2 encode different bits, the discrete log oft1 t2/~ is revealed. The problem with this implementation is that it is possible for Peggy to create two blobs tl and t2 which she is unable to decrypt as either a zero or a one but which she can "prove" are both encryptions of the same bit and encryptions of different bits. She can do this by setting t~ = gr 'x/~ (mod p) and t 2 = gr2x//~ (mod p).

Suppose we attempt the breadth-first search technique used in the proof of the previous theorem on a circuit which contains PARITY gates. When the extractor encounters a PARITY gate, he may not learn enough of the gate's input values to force the correct output. If the PARITY gate has an even number of inputs, the extractor will learn that the value on some wire is a zero and it will learn which wire, though that wire might be the gate's output. If the output of the PARITY gate is paired with one of the inputs, the extractor will learn that that particular input wire carries the same value as the output. For the other wires, the extractor will only learn that some wires carry the same value as some other wires. We show, however, that this is enough information for the extractor to compute a satisfying assignment.

Theorem 5. Suppose that the blob implementation used has the strong equality property and satisfies Assumption 1. Then, after a successful execution of our protocol with interactive processing of NOT and P A R I T Y gates, the verifier is convinced that the prover knows a satisfying assignment to the circuit. This remains so even if gates have unbounded fan-in.

Proof. As in the proof of the previous theorem, we assume that the extractor has seen the prover respond to both a b = 0 challenge and a b = 1 challenge from the verifier and we perform a breadth-first search of the circuit.

Before beginning the breadth-first search, the extractor should assign distinct symbolic variables, X1, X2 . . . . . X s, to the wires, wl, w2, . . . , ws, of the circuit. The symbolic variable on a wire which is the output of a NOT gate can be pushed through the gate by assigning the complement of that symbolic variable to the input. Thus the wires may be assigned a symbolic variable X, the complement X of a symbolic variable, or a Boolean value b. In the breadth-first search, whenever the extractor learns that two wires, wi and w i, carry the same value, either because of a PARITY gate or because one is the input wire to an AND, OR, or MAJORITY gate and one is the output wire, both wires should be assigned the same value, according to the following rules:

• If both wires have a Boolean value, they should have the same value, so no updat ing is necessary. If they have different values, the prover has cheated; we show below that in this case the prover is able to break the blob encryption system, contrary to Assumption 1.

78 J. Boyar, C. Lund, and R. Peralta

• If one wire has a Boolean value b and the other has a symbolic variable X, all wires in the circuit labeled with X should be assigned the value b and all wires labeled with .~ should be assigned the value b.

• Similarly, if one wire is labeled with a Boolean value b and the other has the label X, all wires in the circuit labeled with X or X should be relabeled with or b, respectively.

• If w i is labeled with X and w~ is labeled with Y, or if wi is labeled with X and wj is labeled with Y, then all wires currently labeled with Y or Y should be relabeled X or X, respectively.

• If one wire is labeled with X and the other with Y, those wires labeled with Y or Y should be relabeled with X or X, respectively.

After the breadth-first search has been completed, some input wires will have been assigned Boolean values, but some may still be labeled with symbolic variables or the complements of symbolic variables. The extractor can then assign arbitrary Boolean values to the symbolic variables and let these assignments determine values for those input wires which have not yet been assigned Boolean values. The resulting assignment will force the output of the entire circuit to be a one.

To see this, consider numbering the gates according to the order in which they are processed during the breadth-first search, with the output gate being assigned the number one. Look at the subcircuit Ck defined by the first k - 1 gates. The inputs to this subcircuit are all encountered before we begin processing the kth gate. We claim that if these inputs to Ck are assigned any Boolean values consistent with the labels on the corresponding wires immediately before the processing of gate k, then the output of the circuit will be a one. This can be proved by induction on k. The base case, k = l, is easy because before the first gate is processed, the output is assigned the value one. Suppose this is true for k and let us look at the kth gate. The processing described above ensures that the inputs to this gate will get appropri- ate values to force the output value. This processing may affect the labeling of previously encountered wires, but only to be more restrictive in the values allowed. If the labeling becomes so restrictive that no Boolean values are consistent with the labeling, then the prover must have cheated either in decrypting some blobs or in showing that two blobs are equal or not equal to each other. In this case the prover can break the encryption scheme as described below. Thus, if the output for the subcircuit Ck is one for any consistent (according to the labeling immediately before gate k is processed) set of Boolean values assigned to the inputs, the output for the subcircuit Ck+l will be one if the inputs to Ck+l are assigned any Boolean values consistent with the labels on the corresponding wires after the processing of gate k. Since Cs is the entire circuit, the method described above will enable the extractor to find a satisfying assignment, unless he found a contradiction.

If such a contradiction occurs, the prover is able to break the blob encryption scheme. Any contradiction which arises results from two strings of blob equalities and blob inequalities, with both strings starting and ending at the same blobs. Since each blob equality or inequality is proven with an XOR-certificate, and since these certificates are transitive, the prover can compute a certificate showing that the first blob on these strings is the encryption of the same bit as the last blob and also a

On the Communication Complexity of Zero-Knowledge Proofs 79

certificate showing that they are encryptions of different bits. Since the blob imple- mentation has the strong equality property, the extractor can use these contradic- tory certificates to break the blob encryption scheme. This will only happen with negligible probability because the scheme is assumed to satisfy Assumption 1. Thus, with overwhelming probability, the extractor is able to find a satisfying assignment to the circuit. []

Finally, we prove that if SR-blobs are used, then PARITY and NOT gates can be proven noninteractively while preserving the proof-of-knowledge property. The proof that these do, in fact, give proofs of knowledge is much more difficult than might be expected. Some wires in the circuit, possibly including some of the original inputs to the circuit, might only be used as inputs to these NOT and PARITY gates, in which case the prover never shows any further relation between these bits and any other bits. We must be able to show how the extractor can still find the satisfy- ing assignment, except in those cases where the prover is able to break the blob encryption system. The ideas in the previous proof can be extended to do this. Again, when the extractor has seen responses to both possible challenges, it will use the information it has about the values on some of the wires, along with information about the relationships between the values on different wires, to produce a satisfying assignment which is consistent with this knowledge. This knowledge can be expressed as a system of linear congruences, and the extractor simply solves this system.

Theorem 6. Suppose that SR-blobs are used with noninteractive processing of NO T and P A R I T Y gates. Suppose that SR-blobs satisfy Assumption 1. Then, after a successful execution of our protocol, the verifier is convinced that the prover knows a satisfying assignment to the circuit. This remains so even if gates have unbounded fan-in.

Proof. As in the two previous proofs, we assume that the extractor has seen Peggy respond to both a b = 0 challenge and a b = 1 challenge from Vic. This will give rise to two kinds of information:

• The output blob is revealed to be 1. • At the AND, OR, and MAJORITY gates, we get a set of XOR-certificates.

First observe that, since SR-blobs are transitive, the additional blobs at AND, OR, and MAJORITY gates can be used to determine the relationships between the inputs and outputs of these gates, and then they can be ignored. We call the output blobs from NOT and PARITY gates "forced" blobs since these are functionally dependent on the input blobs to the gate. The other blobs, the input blobs to the circuit and the output blobs from AND, OR, and MAJORITY gates, we call "free" blobs. The blob corresponding to a wire will be the product of powers of free blobs and a power of a. This is clear since we only multiply blobs (at PARITY gates) and multiply blobs by ct (at NOT gates). If we look at the information given to the extractor, we see it gives rise to linear congruences of the logical values of the free blobs; there is one congruence for each blob equality which is shown and one for each wire which is shown to have a specific Boolean value. We show below that if

80 J. Boyar, C. Lund, and R. Peralta

we write the logical values on the wires as a vector, b, we get a system of linear congruences, {Akb = dk}. A solution b to this linear system will give us a satisfying assignment for the circuit. If no solution exists, the prover can break the blob encryption scheme. Let us introduce some notation:

n: the number of inputs. m: the number of free blobs. tF the ith free blob. We assume that the input blobs to the circuit are

t~ . . . . . t,. Because of the blob encryption scheme it follows that t~ is a quadratic residue in Z*.

tj: the blob on wirej. As seen above

tj = ~J f i t~ 'j . (1) i=1

b i, b~:

Co:

c~:

Aob = do:

Akb = dk:

Note that the integers c~ and a 0 are all constants depending only on the circuit. Also note that if the j th wire is an output wire from a gate with output blob q, then t~ = ti. the logical values of the corresponding blobs t~ and t~. These values are unknown to the extractor. We look at the b[s as variables. Note that bj = cj + ~ = 1 alibi (mod 2). the decryption of the output blob. Assume the output wire is wire s. Since the output blob is a one, we have (Co) 2 = tjct -~. the certificate for the kth blob equality to have been shown. Let i(k) be the index of the output blob in the kth equality, and let j(k) be the index of the input blob in the kth equality. Hence (Ck) 2 = titk)tj~k). the congruence corresponding to the fact that the blob associated with the circuit output is equal to one. We have 1 - c~ + ~7'=~ a~b~ (mod 2) and therefore {Ao} ~ = --ai~ and d o = c~ - I. the congruence corresponding to the kth blob equality to have been shown. Since it shows that ti(k) and tjtkl encode the same bit and because of (1), we get

bitk) -- ~ aijtk~bi -- c~k~ ( m o d 2) i=1

and therefore the following identities hold:

{Ak} i = --aO(k), i ~ i(k),

{Ak}~tk) = 1 -- a,k~jtk), i = i(k),

dk = q~kr

(2)

(3)

(4)

C~: the inverse of the certificate for the output blob. Hence (C~) 2 = ct/t'~. C~,: the certificate for the kth equality divided by the input blob. Hence

(C~) 2 = (C~)2/(tj~k)) 2 = t . J t j ~ k p

On the Communication Complexity of Zero-Knowledge Proofs 81

Note that if we can find bz, b2 . . . . . b m ~ {0, 1} such that, for all k, Akb -= dk (mod 2), we can u s e b t , b2, . . . , b, as the inputs to the circuit. Since all the congruences are satisfied we know that the circuit will ou tpu t one. If we are unable to find such his, we will show how the p rover can find a x /~ and hence break the b lob encrypt ion scheme. Since {Akb = dk} are l inear congruences, we can de termine if a solut ion exists using Gauss ian el imination. If noneexis t s , we can find an I such that the first I congruences have a solution, but the first l + 1 do not. Then it is easy to find 20, /~1, "" ", 21-1 ~ {0, 1} such that El--lo~,kAk =-- A, (mod 2), but Etk--lO,~.kdk ~ d, (mod 2).

1--1 Define A such that 2A = At - (~,2~o 2 k A k ) a n d d such that 2d + 1 = (~k=o 2kdk) -- dr. F o r # = (/~z, #2 . . . . . /~k) where the /~[s are integers and for z = (z~, z2 . . . . , Zk)

where zi e Z* , define ztU]= 1-Ik=~ z/". No te that ztU']z tu''l = z tu'+u''] and therefore (zt~l) x = z t~z] for integer 2.

We will need the following equa t ion for 0 < k < l:

ttA~]~ -d~ = G 2. (5)

This can be p roven as follows for 1 < k < l:

ttA~,] = f i ti {Ak}~ i=1

= t~k) a''~'s'~' f i t~ -a''~ (by (2) and (3)) i=l;i~i(k)

ti(k) HT'=, t~'J~

- - titk) o:J'k' (by (1)) tjtk)

= (C~)2ct d~ (by (4)).

The case of k = 0 is similar and therefore we get (5). N o w let C' = (C~, C'1 . . . . . C-1) . Then

1-1 X"H 2 d ~.~=o kk = H ( ~dk)2k

k=O

l-I

= H (ttA~J(CD-2) ~ k=O

=(t~_Jkk=O t[~'~"tk]) (C'[-2; '])

= t[~_~--~o2~Ak](C'[-2;q)

= t[Az-2A](ct[-22] )

= t[A,](ttA]c'tZ]) -2

(by (5))

= ctd'(G)2(ttA]c'tZ]) -2 (by (5))

82

and therefore

J. Boyar, C. Lund, and R. Peralta

Hence the prover knows a square root of a. Since the extractor will behave as the verifier is supposed to and randomly choose the parameters N and a from the same distribution, and since the scheme is assumed to satisfy Assumption 1, this only happens with negligible probability. Thus, with overwhelming probability, the extractor is able to find a satisfying assignment to the circuit. 0

8. Proofs in the GMR Model

The techniques of Section 5 for reducing the communication cost of zero-knowledge proofs have been described in terms of the model in which the prover is assumed to be restricted in power. In the original model, defined by Goldwasser et a/. in [I 71, the prover has unlimited power, so if she was using SR-blobs, she would be able to cheat. Using the probabilistic encryption techniques from [16], rather than SR-blobs, circuit-based proofs can be given for everything in N P 171, [IS]. If these proofs are used, the prover will be unable to cheat, except with a superpoly- nomially small probability, even if she is all-powerful. There is a tradeoff, though: although these proofs are zero-knowledge, they are neither perfect nor statistical zero-knowledge, and if the cryptographic assumptions fail, the verifier will learn a great deal. (In the other model, where the prover is restricted in power, if the cryptographic assumptions fail, the verifier learns nothing, but the prover can cheat.)

Since the circuit-based proofs in [7] are very similar to those in [6], except for the type of bit encryption used, the techniques described in Section 5 for reducing the communication cost can also be used to reduce the communication cost in proof systems which fit into the GMR model. The difference between probabilistic encryp- tion as used in [7] and SR-blobs is that the fixed number a used is a quadratic nonresidue rather than a quadratic residue. Let N be a fixed number which is the product of two large primes and let a be a fixed quadratic nonresidue modulo N with Jacobi symbol + 1. We define "probabilistic encryption with the quadratic residuosity assumption" by b(0, x) = x2 (mod N) and b(1, x) = ax2 (mod N) for x E Z; (see [16]). The encryptions of zeros are quadratic residues and the encryp- tions of ones are quadratic nonresidues, but, under the quadratic residuosity as- sumption, it is assumed that a BPP machine cannot distinguish between them. This allows the prover to give proofs which are computational zero-knowledge, even though they are not statistical zero-knowledge. The only other difference in the protocols is that in the [7] protocols, it is the prover who chooses the composite number N and the nonresidue u and proves to the verifier that a is in fact a nonresidue (or they may use a published composite and nonresidue). Now this probabilistic encryption with the quadratic residuosity assumption can be used in place of the blobs, using the techniques of Section 5.

On the Communication Complexity of Zero-Knowledge Proofs 83

Theorem 7. I f probabilistic encryption with the quadratic residuosity assumption is used in protocols with noninteractive processing of NOT and P A R I T Y gates, then these interactive proof systems are zero-knowledge.

Proof. The simulator can handle MAJORITY, AND, and OR gates as in the proof of Theorem 1. With NOT and PARITY gates, however, the outputs of gates must always be the correct function of the inputs. In order to accomplish this, the simulator simply labels all of the wires of the circuit with symbolic variables. The NOT gates lead to congruences of the form X = Y + 1 (mod 2) and the PARITY gates lead to congruences of the form X = YI + Y2 + "'" + Yk (mod 2), where the X's are outputs from gates and the Y's are inputs to gates. If the circuit has a satisfying assignment, the system of linear congruences it gives rise to has a solution. The simulator can find such a solution and assign values to the wires accordingly. Then it can do the necessary encryption and proceed as in Theorem 1. Although the distributions created using the true prover will be significantly different than those created using the simulator, under the quadratic residuosity assumption, no BPP distinguisher will be able to tell the difference. Thus the proofs are computa- tional zero-knowledge. []

Theorem 8. Suppose that probabilistic encryption with the quadratic residuosity assumption is used in protocols with noninteractive processing of NOT and P A R I T Y gates. Then, after a successful execution of one of these protocols, the verifier is convinced that the prover knows a satisfying assignment to the circuit. This remains so even if gates have unbounded fan-in.

Proof. The proof is similar to the proof of Theorem 6. The difference is that, rather than showing how to break the system if the system of congruences fails to have a solution, it shows, by contradiction, that the system of congruences must have a solution: the assumption that it does not leads to the extractor finding a square root of the nonresidue ~, an obvious contradiction. []

Note that although both of the previous two theorems were stated for protocols with noninteractive processing of NOT and PARITY gates, they also hold for protocols with interactive processing of NOT and PARITY gates.

9. Blobs Containing more than One Bit

The previous sections have presented techniques for improving the communication complexity of zero-knowledge proofs. At first glance, however, it appears that these techniques cannot be used in conjunction with the techniques of Kilian et al. [20], which show how to design zero-knowledge proofs which only use two "envelopes" (multibit blobs). Their techniques work with subset revealing protocols, but the techniques described in this paper rely heavily on the ability to show that two blobs are encryptions of the same bit or of different bits. In fact, however, the techniques

84 J. Boyar, C. Lund, and R. Peralta

of Kilian, Micali, and Ostrovsky can be extended to more general types of protocols, though unfortunately we have been unable to combine them with the noninteractive processing of N O T and PARITY gates.

In order to apply the Ki l ian-Mica l i -Ost rovsky techniques, one must originally have a subset revealing zero-knowledge proof. These protocols consist entirely of repetitions of the following:

1. The prover commits to a set of bits X = (xl, x2 . . . . , Xk), and sends these bit commitments to the verifier (possibly after some permutation).

2. The verifier issues a challenge c. 3. The challenge c identifies some subset l c c X, and the prover reveals the values

of all the bits in It.

In this case only two envelopes are necessary. The first contains a vector R which consists of k random bits rl, r2 . . . . , rk, and the second contains the vector Y = (xl • r~, x2 • r2 . . . . , Xk ~) rk), where O is the exclusive-or operator. To reveal the bits in l c c X, the prover sends the verifier r; and xi 0) ri for each bit x~ E I~. The verifier sends the 0-challenge or a 1-challenge at this point. Depending on the value of this challenge, the prover opens either the R envelope or the Y envelope.

If it is also wished to prove the equality or inequality of certain bits, no extra envelopes are necessary. When the verifier's challenge in step 2 above identifies the subset S = (X, X) for which the prover should prove equalities and/or inequalities, the prover reveals x; • xj and q G r~ for each pair (x~, xj) ~ S. The verifier sends a challenge of either zero or one, and depending on which challenge is received, the prover opens either the R envelope or the Y envelope. Revealing R will show that the (q 0) rj)'s were all correct, and revealing Y allows the verifier to check xi 0) xj because

xi • x~ = (x, 0 ri) @ (ri O) rj) O) (xa G rj).

It is easy to see that the protocols will still be zero-knowledge because, in the case in which the simulator has decided to be prepared to answer these equality and/or inequality questions, it has arranged that the values x~ • x i are correct. The simula- tor can choose R randomly and form Y as the prover would. The simulator then puts R and Y in envelopes. If the verifier does ask to see these equalities and inequalities proven, the simulator can simply continue as the prover would.

Thus, the techniques we have presented in previous sections, which decrease the numbers of bits the provers needs to commit to, can be used to decrease the number of bits which need to go in the envelopes in each round, and the techniques of this section can decrease the total number of envelopes quite significantly.

Acknowledgments

We would particularly like to thank Gilles Brassard for his observation that the techniques described in Section 5 can be used to produce proof systems which are proofs in the sense of [17], using the quadratic residuosity assumption and prob- abilistic encryption. We would also like to thank Steve Rudich for reminding us of the paper by Impagliazzo and Yung. Comments by anonymous referees helped us greatly improve the presentation of these results.

On the Communication Complexity of Zero-Knowledge Proofs 85

References

[I] L. Babai. Trading group theory for randomness. In Proceedings of the 17th Annual ACM Sympo- sium on the Theory of Computin 9, pp. 421-429, 1985.

[2] J.C. Benaloh. Cryptographic capsules: a disjunctive primitive for interactive protocols. In Advances in Cryptoloyy--Proceedinys of CR YPTO 86, pp. 213-222. Lecture Notes in Computer Science, vol. 263, Springer-Verlag, Berlin, 1987.

[3] J. Boyar, G. Brassard, and R. Peralta. Subquadratic zero-knowledge. In Proceedings of the 32nd IEEE Symposium on the Foundations of Computer Science, pp. 69-78, 1991.

[4] J. Boyar, M. Krentel, and S. Kurtz. A discrete logarithm implementation of zero-knowledge blobs. Journal of Cryptology, 2(2): 63-76, 1990.

[5] G. Brassard, D. Chaum, and C. Crrpeau. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 37: 156-189, 1988.

[6] G. Brassard and C. Crrpeau. Nontransitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond. In Proceedinos of the 27th IEEE Symposium on the Foundations of Computer Science, pp. 188-195, 1986.

[7] G. Brassard and C. Crrpeau. Zero-knowledge simulation of boolean circuits. In Advances in Cryptology--Proceedinos of CRYPTO 86, pp. 223-233. Lecture Notes in Computer Science, vol. 263, Springer-Verlag, Berlin, 1987.

[8] D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any informa- tion about how. In Advances in Cryptology--Proceedings of CR YPTO 86, pp. 195-199. Lecture Notes in Computer Science, vol. 263, Springer-Verlag, Berlin, 1987.

[9] D. Chaum, I. Damg~rd, and J. van de Graaf. Multiparty computations ensuring privacy of each party's input and correctness of the result. In Advances in Cryptology--Proceedings of CR YPTO 87, pp. 87-119. Lecture Notes in Computer Science, vol. 293, Springer-Verlag, Berlin, 1988.

[10] S. A. Cook. The complexity of theorem-proving procedures. In Proceedings of the 3rd Annual ACM Symposium on the Theory of Computing, pp. 151-158, 1971.

[11] S. A. Cook. Short propositional formulas represent nondeterministic computation. Information Processing Letters, 26: 269-270, 1988.

[12] B. den Boer. An efficiency improvement to prove satisfiability with zero knowledge with public key. In Advances in Cryptology--Proceedings of EUROCR YPT 89, pp. 208-217. Lecture Notes in Computer Science, vol. 434, Springer-Verlag, Berlin, 1989.

[13] U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptolooy, 1(2): 77-94, 1988.

[14] M. R. Garey, D. S. Johnson, and L. Stockmeyer. Some simplified NP-complete graph problems. Theoretical Computer Science, 1:237-267, 1976.

[15] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the Association for Computin 9 Machinery, 38:691-729, 1991.

[16] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28: 270-299, 1984.

[17] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. SIAM Journal of Computation, 18(1): 186-208, 1989.

[18] R. Impagliazzo and M. Yung. Direct minimum-knowledge computations. In Advances in Cryptology--Proceedings of CR YPTO 87, pp. 40-51. Lecture Notes in Computer Science, vol. 293, Springer-Verlag, Berlin, 1988.

E19] J. Kilian. A note on efficient zero-knowledge proofs and arguments. In Proceedings of the 24th Annual ACM Symposium on the Theory of Computing, pp. 723-732; 1992.

[20] J. Kilian, S. Micali, and R. Ostrovsky. Minimum resource zero-knowledge proofs. In Proceedings of the 30th IEEE Symposium on the Foundations of Computer Science, pp. 474-479, 1990.