On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations
We present a protocol that allows one to prove in zero-knowledge that committed values , satisfy , where the values are taken from a finite field , or are integers. The amortized communication complexity per instance proven is for an error probability of , where is the size of a commitment. When the committed values are from a field of small constant size, this improves the complexity of previous solutions by a factor of . When the values are integers, we improve on security: whereas previous solutions with similar efficiency require the strong RSA assumption, we only need the assumption required by the commitment scheme itself, namely factoring.
We generalize this to a protocol that verifies instances of an algebraic circuit over with inputs, in the following sense: given committed values and , with and , the prover shows that for . For circuits with small multiplicative depth, this approach is better than using our first protocol: in fact, the amortized cost may be asymptotically smaller than the number of multiplications in