Zero-knowledge from secure multiparty computation

We present a general construction of a zero-knowledge proof for an NP relation R(x,w) which only makes black-box use of a secure protocol for a related multi-party functionality f. The latter protocol is only required to be secure against a small number of "honest but curious" players. As an application, we can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof protocols.

Approaching the witness length. If C has constant depth over ∧, ∨, ⊕, ¬ gates of unbounded fan-in, we get a zero-knowledge protocol with communication complexity m·poly(k)·polylog(s), where k is a security parameter. Such a protocol can be implemented either in the standard interactive model or, following a trusted setup, in a non-interactive model.

"Constant-rate" zero-knowledge. For an arbitrary circuit C of size s and bounded fan-in, we get a zero-knowledge protocol with communication complexity O(s)+poly(k). Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the O(ks) complexity of the best previous protocols.
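The "MPC in the head" idea behind the abstract, as an added toy illustration (not the paper's construction and not code from the authors): the prover additively secret-shares the witness w among three virtual honest-but-curious players, runs a trivial MPC for the linear relation R(x,w): A·w = x over GF(2) entirely in its own head, commits to each player's view, and the verifier opens two of the three views and checks them for consistency and an accepting output. The linear relation, the 3-player/2-private setting and the salted SHA-256 commitment are assumptions chosen for the illustration.

```python
import hashlib
import secrets

def gf2_matvec(a_rows, w):
    """y = A*w over GF(2): a_rows[k] is the bitmask of row k of A, w a bitmask."""
    y = 0
    for k, row in enumerate(a_rows):
        y |= (bin(row & w).count("1") & 1) << k
    return y

def commit(view):
    """Salted hash commitment to one player's view (assumption: SHA-256 stands in for the commitment)."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + repr(view).encode()).hexdigest(), salt

def prove(a_rows, w, nbits):
    """Prover: 3-of-3 additive sharing of w, MPC run 'in the head', one commitment per view."""
    shares = [secrets.randbits(nbits) for _ in range(2)]
    shares.append(w ^ shares[0] ^ shares[1])            # any 2 shares are uniform: 2-private
    broadcasts = tuple(gf2_matvec(a_rows, s) for s in shares)  # the only message each player sends
    views = [(s, broadcasts) for s in shares]           # view = own share + every message seen
    return views, [commit(v) for v in views]

def verify(a_rows, x, digests, opened):
    """Verifier: openings match the commitments, the two views agree, the MPC output is 'accept'."""
    for i, (view, salt) in opened.items():
        share, bcast = view
        if hashlib.sha256(salt + repr(view).encode()).hexdigest() != digests[i]:
            return False
        if gf2_matvec(a_rows, share) != bcast[i]:       # player i's message matches its share
            return False
    (vi, _), (vj, _) = opened.values()
    if vi[1] != vj[1]:                                  # both players saw the same broadcasts
        return False
    y = 0
    for m in vi[1]:
        y ^= m                                          # XOR of the shares' outputs = A*w by linearity
    return y == x

def run_round(a_rows, x, w, nbits):
    """One round: commit, challenge a random pair of views, open and check them.
    A cheating prover must leave some pair inconsistent, so it is caught with
    probability at least 2/3 here; k independent rounds give error at most (1/3)^k."""
    views, commits = prove(a_rows, w, nbits)
    i = secrets.randbelow(3)
    j = (i + 1 + secrets.randbelow(2)) % 3             # verifier's challenge: a random pair
    opened = {p: (views[p], commits[p][1]) for p in (i, j)}
    return verify(a_rows, x, [c[0] for c in commits], opened)
```

Zero-knowledge follows because the two opened shares are uniformly random and the unopened player's broadcast is determined by x and the opened ones, so a simulator can produce the same transcript without w.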
