Paper 2022/082

Feta: Efficient Threshold Designated-Verifier Zero-Knowledge Proofs

Carsten Baum, Robin Jadoul, Emmanuela Orsini, Peter Scholl, and Nigel P. Smart


Zero-Knowledge protocols have increasingly become both popular and practical in recent years due to their applicability in many areas such as blockchain systems. Unfortunately, public verifiability and small proof sizes of zero-knowledge protocols currently come at the price of strong assumptions, large prover time, or both, when considering statements with millions of gates. In this regime, the most prover-efficient protocols are in the designated verifier setting, where proofs are only valid to a single party that must keep a secret state. In this work, we bridge this gap between designated-verifier proofs and public verifiability by {\em distributing the verifier}. Here, a set of verifiers can then verify a proof and, if a given threshold $t$ of the $n$ verifiers is honest and trusted, can act as guarantors for the validity of a statement. We achieve this while keeping the concrete efficiency of current designated-verifier proofs, and present constructions that have small concrete computation and communication cost. We present practical protocols in the setting of threshold verifiers with $t<n/4$ and $t<n/3$, for which we give performance figures, showcasing the efficiency of our approach.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
zero-knowledge proofsdistributed verifier
Contact author(s)
cbaum @ cs au dk
peter scholl @ cs au dk
robin jadoul @ esat kuleuven be
emmanuela orsini @ kuleuven be
nigel smart @ kuleuven be
2022-01-24: revised
2022-01-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Carsten Baum and Robin Jadoul and Emmanuela Orsini and Peter Scholl and Nigel P.  Smart},
      title = {Feta: Efficient Threshold Designated-Verifier Zero-Knowledge Proofs},
      howpublished = {Cryptology ePrint Archive, Paper 2022/082},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.