Journal of Cryptology

, Volume 27, Issue 3, pp 506–543 | Cite as

Cryptography in the Multi-string Model

  • Jens Groth
  • Rafail Ostrovsky


The common random string model introduced by Blum, Feldman, and Micali permits the construction of cryptographic protocols that are provably impossible to realize in the standard model. We can think of this model as a trusted party generating a random string and giving it to all parties in the protocol. However, the introduction of such a third party should set alarm bells going off: Who is this trusted party? Why should we trust that the string is random? Even if the string is uniformly random, how do we know it does not leak private information to the trusted party? The very point of doing cryptography in the first place is to prevent us from trusting the wrong people with our secrets.

In this paper, we propose the more realistic multi-string model. Instead of having one trusted authority, we have several authorities that generate random strings. We do not trust any single authority; we only assume a majority of them generate random strings honestly. Our results also hold even if different subsets of these strings are used in different instances, as long as a majority of the strings used at any particular invocation is honestly generated. This security model is reasonable and at the same time very easy to implement. We could for instance imagine random strings being provided on the Internet, and any set of parties that want to execute a protocol just need to agree on which authorities’ strings they want to use.

We demonstrate the use of the multi-string model in several fundamental cryptographic tasks. We define multi-string non-interactive zero-knowledge proofs and prove that they exist under general cryptographic assumptions. Our multi-string NIZK proofs have very strong security properties such as simulation-extractability and extraction zero-knowledge, which makes it possible to compose them with arbitrary other protocols and to reuse the random strings. We also build efficient simulation-sound multi-string NIZK proofs for circuit satisfiability based on groups with a bilinear map. The sizes of these proofs match the best constructions in the single common random string model.

We also suggest a universally composable commitment scheme in the multi-string model. It has been proven that UC commitment does not exist in the plain model without setup assumptions. Prior to this work, constructions were only known in the common reference string model and the registered public key model. The UC commitment scheme can be used in a simple coin-flipping protocol to create a uniform random string, which in turn enables the secure realization of any multi-party computation protocol.

Key words

Common random string model Multi-string model Non-interactive zero-knowledge Universally composable commitment Multi-party computation 



We thank Silvio Micali and Eyal Kushilevitz for an inspiring discussion in February 2004 that motivated us to explore this setting.


  1. [1]
    B. Barak, R. Pass, On the possibility of one-message weak zero-knowledge, in TCC. Lecture Notes in Computer Science, vol. 2951 (2004), pp. 121–132 Google Scholar
  2. [2]
    B. Barak, R. Canetti, J.B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in FOCS (2004), pp. 186–195 Google Scholar
  3. [3]
    B. Barak, S.J. Ong, S.P. Vadhan, Derandomization in cryptography. SIAM J. Comput. 37(2), 380–400 (2007) CrossRefzbMATHMathSciNetGoogle Scholar
  4. [4]
    D. Beaver, Commodity-based cryptography (extended abstract), in STOC (1997), pp. 446–455 CrossRefGoogle Scholar
  5. [5]
    D. Beaver, Server-assisted cryptography, in Workshop on New Security Paradigms (1998), pp. 92–106 Google Scholar
  6. [6]
    M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in STOC (1988), pp. 1–10 Google Scholar
  7. [7]
    M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications, in STOC (1988), pp. 103–112 Google Scholar
  8. [8]
    M. Blum, A. De Santis, S. Micali, G. Persiano, Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991) CrossRefzbMATHMathSciNetGoogle Scholar
  9. [9]
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003) CrossRefzbMATHMathSciNetGoogle Scholar
  10. [10]
    D. Boneh, X. Boyen, H. Shacham, Short group signatures, in CRYPTO. Lecture Notes in Computer Science, vol. 3152 (2004), pp. 41–55 Google Scholar
  11. [11]
    R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in FOCS (2001), pp. 136–145 Google Scholar
  12. [12]
    R. Canetti, M. Fischlin, Universally composable commitments, in CRYPTO. Lecture Notes in Computer Science, vol. 2139 (2001), pp. 19–40 Google Scholar
  13. [13]
    R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, in STOC (1996), pp. 639–648 Google Scholar
  14. [14]
    R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in STOC (2002), pp. 494–503 Google Scholar
  15. [15]
    R. Canetti, Y. Dodis, R. Pass, S. Walfish, Universally composable security with pre-existing setup, in TCC. Lecture Notes in Computer Science, vol. 4392 (2007), pp. 61–85 Google Scholar
  16. [16]
    D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in STOC (1988), pp. 11–19 Google Scholar
  17. [17]
    R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, in CRYPTO. Lecture Notes in Computer Science, vol. 1462 (1998), pp. 13–25 Google Scholar
  18. [18]
    I. Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing, in EUROCRYPT. Lecture Notes in Computer Science, vol. 658 (1992), pp. 341–355 Google Scholar
  19. [19]
    I. Damgård, J.B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in CRYPTO. Lecture Notes in Computer Science, vol. 1880 (2000), pp. 432–450 Google Scholar
  20. [20]
    I. Damgård, J.B. Nielsen, Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor, in CRYPTO. Lecture Notes in Computer Science, vol. 2442 (2002), pp. 581–596 Google Scholar
  21. [21]
    A. De Santis, G. Persiano, Zero-knowledge proofs of knowledge without interaction, in FOCS (1992), pp. 427–436 Google Scholar
  22. [22]
    A. De Santis, G. Di Crescenzo, G. Persiano, Non-interactive zero-knowledge: a low-randomness characterization of NP, in ICALP. Lecture Notes in Computer Science, vol. 1644 (1999), pp. 271–280 Google Scholar
  23. [23]
    A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai, Robust non-interactive zero knowledge, in CRYPTO. Lecture Notes in Computer Science, vol. 2139 (2002), pp. 566–598 Google Scholar
  24. [24]
    A. De Santis, G. Di Crescenzo, G. Persiano, Randomness-optimal characterization of two NP proof systems, in RANDOM. Lecture Notes in Computer Science, vol. 2483 (2002), pp. 179–193 Google Scholar
  25. [25]
    G. Di Crescenzo, Y. Ishai, R. Ostrovsky, Non-interactive and non-malleable commitment, in STOC (1998), pp. 141–150 Google Scholar
  26. [26]
    U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999) CrossRefzbMATHMathSciNetGoogle Scholar
  27. [27]
    J.A. Garay, P.D. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures. J. Cryptol. 19(2), 169–209 (2006) CrossRefzbMATHMathSciNetGoogle Scholar
  28. [28]
    S. Garg, V. Goyal, A. Jain, A. Sahai, Bringing people of different beliefs together to do UC, in TCC. Lecture Notes in Computer Science, vol. 6597 (2011), pp. 311–328 Google Scholar
  29. [29]
    O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions, in STOC (1989), pp. 25–32 Google Scholar
  30. [30]
    O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994) zbMATHMathSciNetGoogle Scholar
  31. [31]
    O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986) CrossRefMathSciNetGoogle Scholar
  32. [32]
    O. Goldreich, S. Micali, A. Wigderson, How to play ANY mental game, or A completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229 Google Scholar
  33. [33]
    S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement. J. Cryptol. 18(3), 247–287 (2005) CrossRefzbMATHMathSciNetGoogle Scholar
  34. [34]
    S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proofs. SIAM J. Comput. 18(1), 186–208 (1989) CrossRefzbMATHMathSciNetGoogle Scholar
  35. [35]
    V. Goyal, J. Katz, Universally composable multi-party computation with an unreliable common reference string, in TCC. Lecture Notes in Computer Science, vol. 4948 (2008), pp. 142–154 Google Scholar
  36. [36]
    A. Granville, C. Pomerance, On the least prime in certain arithmetic progressions. J. Lond. Math. Soc. s2–41(2), 193–200 (1990) CrossRefMathSciNetGoogle Scholar
  37. [37]
    J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in ASIACRYPT. Lecture Notes in Computer Science, vol. 4248 (2006), pp. 444–459 Google Scholar
  38. [38]
    J. Groth, R. Ostrovsky, Cryptography in the multi-string model, in CRYPTO. Lecture Notes in Computer Science, vol. 4622 (2007), pp. 323–341 Google Scholar
  39. [39]
    J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012) CrossRefMathSciNetGoogle Scholar
  40. [40]
    J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999) CrossRefzbMATHMathSciNetGoogle Scholar
  41. [41]
    J. Kilian, E. Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions. J. Cryptol. 11(1), 1–27 (1998) CrossRefzbMATHMathSciNetGoogle Scholar
  42. [42]
    P.D. MacKenzie, K. Yang, On simulation-sound trapdoor commitments, in EUROCRYPT. Lecture Notes in Computer Science, vol. 3027 (2004), pp. 382–400 Google Scholar
  43. [43]
    M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991) zbMATHGoogle Scholar
  44. [44]
    M. Naor, O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58(2), 336–375 (1999) CrossRefzbMATHMathSciNetGoogle Scholar
  45. [45]
    R. Ostrovsky, One-way functions, hard on average problems, and statistical zero-knowledge proofs, in Structure in Complexity Theory Conference (1991), pp. 133–138 Google Scholar
  46. [46]
    R. Ostrovsky, A. Wigderson, One-way functions are essential for non-trivial zero-knowledge, in ISTCS (1993), pp. 3–17 Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. 1.Computer Science DepartmentUniversity College LondonLondonUK
  2. 2.Department of Computer Science and Department of MathematicsUniversity of CaliforniaLos AngelesUSA

Personalised recommendations