### Abstract

A non-interactive zero-knowledge (NIZK) proof can be used to demonstrate the truth of a statement without revealing anything else. It has been shown under standard cryptographic assumptions that NIZK proofs of membership exist for all languages in NP. While there is evidence that such proofs cannot be much shorter than the corresponding membership witnesses, all known NIZK proofs for NP languages are considerably longer than the witnesses. Soon after Gentry’s construction of fully homomorphic encryption, several groups independently contemplated the use of hybrid encryption to optimize the size of NIZK proofs and discussed this idea within the cryptographic community. This article formally explores this idea of using fully homomorphic hybrid encryption to optimize NIZK proofs and other related cryptographic primitives. We investigate the question of minimizing the communication overhead of NIZK proofs for NP and show that if fully homomorphic encryption exists then it is possible to get proofs that are roughly of the same size as the witnesses. Our technique consists in constructing a fully homomorphic hybrid encryption scheme with ciphertext size $|m|+\mathrm{poly}(k)$, where $m$ is the plaintext and $k$ is the security parameter. Encrypting the witness for an NP-statement allows us to evaluate the NP-relation in a communication-efficient manner. We apply this technique to both standard non-interactive zero-knowledge proofs and to universally composable non-interactive zero-knowledge proofs. The technique can also be applied outside the realm of non-interactive zero-knowledge proofs, for instance to get witness-size interactive zero-knowledge proofs in the plain model without any setup or to minimize the communication in secure computation protocols.

| Original language | English (US) |
|---|---|
| Pages (from-to) | 820-843 |
| Number of pages | 24 |
| Journal | Journal of Cryptology |
| Volume | 28 |
| Issue number | 4 |
| DOIs | https://doi.org/10.1007/s00145-014-9184-y |
| State | Published - Oct 30 2015 |

### All Science Journal Classification (ASJC) codes

- Software
- Computer Science Applications
- Applied Mathematics

### Cite this

**Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs.** / Gentry, Craig; Groth, Jens; Ishai, Yuval; Peikert, Chris; Sahai, Amit; Smith, Adam. *Journal of Cryptology*, vol. 28, no. 4, pp. 820-843. https://doi.org/10.1007/s00145-014-9184-y

Research output: Contribution to journal › Article

TY - JOUR

T1 - Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

AU - Gentry, Craig

AU - Groth, Jens

AU - Ishai, Yuval

AU - Peikert, Chris

AU - Sahai, Amit

AU - Smith, Adam

PY - 2015/10/30

Y1 - 2015/10/30

UR - http://www.scopus.com/inward/record.url?scp=84942552707&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84942552707&partnerID=8YFLogxK

U2 - 10.1007/s00145-014-9184-y

DO - 10.1007/s00145-014-9184-y

M3 - Article

AN - SCOPUS:84942552707

VL - 28

SP - 820

EP - 843

JO - Journal of Cryptology

JF - Journal of Cryptology

SN - 0933-2790

IS - 4

ER -