How to Prove a Secret: Zero-Knowledge Proofs on Distributed Data via Fully Linear PCPs

We introduce and study the notion of fully linear probabilistically checkable proof systems. In such a proof system, the verifier can make a small number of linear queries that apply jointly to the input and a proof vector. Our new type of proof system is motivated by applications in which the input statement is not fully available to any single verifier, but can still be efficiently accessed via linear queries. This situation arises in scenarios where the input is partitioned or secret-shared between two or more parties, or alternatively is encoded using an additively homomorphic encryption or commitment scheme. This setting appears in the context of secure messaging platforms, verifiable outsourced computation, PIR writing, private computation of aggregate statistics, and secure multiparty computation (MPC). In all these applications, there is a need for fully linear proof systems with short proofs. While several efficient constructions of fully linear proof systems are implicit in the interactive proofs literature, many questions about their complexity are open. We present several new constructions of fully linear zero-knowledge proof systems with sublinear proof size for “simple” or “structured” languages. For example, in the non-interactive setting of fully linear PCPs, we show how to prove that an input vector x ∈ F^n satisfies a single degree-2 equation with a proof of size O(√n) and O(√n) linear queries, which we show to be optimal. More generally, for languages that can be recognized by systems of constant-degree equations, we can reduce the proof size to O(log n) at the cost of O(log n) rounds of interaction. We use our new proof systems to construct new short zero-knowledge proofs on distributed and secret-shared data. These proofs can be used to improve the performance of the example systems mentioned above.
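As an added illustration (not code from the paper), here is a toy fully linear PCP for the degree-2 statement ⟨x, y⟩ = c in the spirit of the O(√n) result the abstract describes: the prover lays x and y out as √n × √n matrices, interpolates each column over the row indices, and sends the product polynomial h at 2√n − 1 points, while the verifier makes only linear queries over x‖y‖π, queries that parties holding additive shares can answer locally. The matrix layout, the prime field and the sample inputs are my assumptions, and the paper's zero-knowledge masking is omitted, so this shows the linear-query model and soundness only.

```python
import random

P = 2**61 - 1  # prime field: a constructed choice, not a parameter taken from the paper
def lagrange(points, r):
    # lam[j] such that f(r) = sum_j lam[j] * f(points[j]) for any poly f of degree < len(points)
    lam = []
    for j, xj in enumerate(points):
        num = den = 1
        for m, xm in enumerate(points):
            if m != j:
                num, den = num * (r - xm) % P, den * (xj - xm) % P
        lam.append(num * pow(den, P - 2, P) % P)
    return lam
def prove(x, y, L):
    # Prover sees x, y (length n = L*L) as L x L matrices; f_k, g_k interpolate column k over rows
    # 1..L, so h = sum_k f_k*g_k has degree <= 2L-2, sum_{j<=L} h(j) = <x,y>; proof = h at 1..2L-1.
    rows, proof = list(range(1, L + 1)), []
    for t in range(1, 2 * L):
        lam, fg = lagrange(rows, t), 0
        for k in range(L):
            fk = sum(lam[j] * x[j * L + k] for j in range(L)) % P
            gk = sum(lam[j] * y[j * L + k] for j in range(L)) % P
            fg = (fg + fk * gk) % P
        proof.append(fg)
    return proof
def verify(oracle, L, c, r):
    # Verifier never sees x, y or pi: it only gets answers to linear queries over x||y||pi.
    # Check 1: sum_{j<=L} h(j) == c.  Check 2: h(r) == sum_k f_k(r) g_k(r) at the random point r.
    n, m = L * L, 2 * L - 1
    zx, zpi = [0] * n, [0] * m
    if oracle(zx + zx + [1] * L + [0] * (L - 1)) != c:
        return False
    lam, rhs = lagrange(list(range(1, L + 1)), r), 0
    hr = oracle(zx + zx + lagrange(list(range(1, m + 1)), r))  # h(r) from the 2L-1 proof points
    for k in range(L):
        col = [lam[i // L] if i % L == k else 0 for i in range(n)]  # query vector for f_k(r), g_k(r)
        rhs = (rhs + oracle(col + zx + zpi) * oracle(zx + col + zpi)) % P
    return hr == rhs
def shared_oracle(vec, rng, parties=2):
    # Additively secret-share vec; each party answers a query on its own share and the verifier
    # sums the answers. This is why linear queries suffice when the input is distributed.
    shares = [[rng.randrange(P) for _ in vec] for _ in range(parties - 1)]
    shares.append([(v - sum(s[i] for s in shares)) % P for i, v in enumerate(vec)])
    return lambda q: sum(sum(a * b for a, b in zip(s, q)) for s in shares) % P
def demo(L=4, seed=7):
    rng = random.Random(seed)  # constructed sample inputs
    x, y = ([rng.randrange(P) for _ in range(L * L)] for _ in range(2))
    c, pi, r = sum(a * b for a, b in zip(x, y)) % P, prove(x, y, L), rng.randrange(P)
    bad = [(pi[0] + 1) % P, (pi[1] - 1) % P] + pi[2:]  # forged proof that still passes check 1
    return verify(shared_oracle(x + y + pi, rng), L, c, r), verify(shared_oracle(x + y + bad, rng), L, c, r)
```

`demo()` returns `(True, False)`: the honest shared proof verifies and the forged one fails check 2 except with probability about 2L/|F|.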
Finally, we observe that zero-knowledge proofs on distributed data provide a general-purpose tool for protecting MPC protocols against malicious parties. Applying our short fully linear PCPs to “natural” MPC protocols in the honest-majority setting, we can achieve unconditional protection against malicious parties with sublinear additive communication cost. We use this to improve the communication complexity of recent honest-majority MPC protocols. For instance, using any pseudorandom generator, we obtain a 3-party protocol for Boolean circuits in which the amortized communication cost is only one bit per AND gate per party (compared to 10 bits in the best previous protocol), matching the best known protocols for semi-honest parties.

∗ Stanford University. Email: dabo@cs.stanford.edu
† IDC Herzliya, Israel. Email: eboyle@alum.mit.edu
‡ Stanford University. Email: henrycg@cs.stanford.edu
§ Ben-Gurion University, Israel. Email: gilboan@bgu.ac.il
¶ Technion, Israel. Email: yuvali@cs.technion.ac.il