# Cryptography in the Multi-string Model

## Abstract

The common random string model introduced by Blum, Feldman, and Micali permits the construction of cryptographic protocols that are provably impossible to realize in the standard model. We can think of this model as a trusted party generating a random string and giving it to all parties in the protocol. However, the introduction of such a third party should set alarm bells going off: Who is this trusted party? Why should we trust that the string is random? Even if the string is uniformly random, how do we know it does not leak private information to the trusted party? The very point of doing cryptography in the first place is to prevent us from trusting the wrong people with our secrets.

In this paper, we propose the more realistic multi-string model. Instead of having one trusted authority, we have several authorities that generate random strings. We do not trust any single authority; we only assume a majority of them generate random strings honestly. Our results also hold even if different subsets of these strings are used in different instances, as long as a majority of the strings used at any particular invocation is honestly generated. This security model is reasonable and at the same time very easy to implement. We could for instance imagine random strings being provided on the Internet, and any set of parties that want to execute a protocol just need to agree on which authorities’ strings they want to use.

We demonstrate the use of the multi-string model in several fundamental cryptographic tasks. We define multi-string non-interactive zero-knowledge proofs and prove that they exist under general cryptographic assumptions. Our multi-string NIZK proofs have very strong security properties such as simulation-extractability and extraction zero-knowledge, which makes it possible to compose them with arbitrary other protocols and to reuse the random strings. We also build efficient simulation-sound multi-string NIZK proofs for circuit satisfiability based on groups with a bilinear map. The sizes of these proofs match the best constructions in the single common random string model.

We also suggest a universally composable commitment scheme in the multi-string model. It has been proven that UC commitment does not exist in the plain model without setup assumptions. Prior to this work, constructions were only known in the common reference string model and the registered public key model. The UC commitment scheme can be used in a simple coin-flipping protocol to create a uniform random string, which in turn enables the secure realization of any multi-party computation protocol.

### Key words

Common random string model Multi-string model Non-interactive zero-knowledge Universally composable commitment Multi-party computation### References

- [1]B. Barak, R. Pass, On the possibility of one-message weak zero-knowledge, in
*TCC*. Lecture Notes in Computer Science, vol. 2951 (2004), pp. 121–132 Google Scholar - [2]B. Barak, R. Canetti, J.B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in
*FOCS*(2004), pp. 186–195 Google Scholar - [3]B. Barak, S.J. Ong, S.P. Vadhan, Derandomization in cryptography.
*SIAM J. Comput.***37**(2), 380–400 (2007) CrossRefMATHMathSciNetGoogle Scholar - [4]D. Beaver, Commodity-based cryptography (extended abstract), in
*STOC*(1997), pp. 446–455 CrossRefGoogle Scholar - [5]D. Beaver, Server-assisted cryptography, in
*Workshop on New Security Paradigms*(1998), pp. 92–106 Google Scholar - [6]M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in
*STOC*(1988), pp. 1–10 Google Scholar - [7]M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications, in
*STOC*(1988), pp. 103–112 Google Scholar - [8]M. Blum, A. De Santis, S. Micali, G. Persiano, Noninteractive zero-knowledge.
*SIAM J. Comput.***20**(6), 1084–1118 (1991) CrossRefMATHMathSciNetGoogle Scholar - [9]D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing.
*SIAM J. Comput.***32**(3), 586–615 (2003) CrossRefMATHMathSciNetGoogle Scholar - [10]D. Boneh, X. Boyen, H. Shacham, Short group signatures, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 3152 (2004), pp. 41–55 Google Scholar - [11]R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in
*FOCS*(2001), pp. 136–145 Google Scholar - [12]R. Canetti, M. Fischlin, Universally composable commitments, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 2139 (2001), pp. 19–40 Google Scholar - [13]R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, in
*STOC*(1996), pp. 639–648 Google Scholar - [14]R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in
*STOC*(2002), pp. 494–503 Google Scholar - [15]R. Canetti, Y. Dodis, R. Pass, S. Walfish, Universally composable security with pre-existing setup, in
*TCC*. Lecture Notes in Computer Science, vol. 4392 (2007), pp. 61–85 Google Scholar - [16]D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in
*STOC*(1988), pp. 11–19 Google Scholar - [17]R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 1462 (1998), pp. 13–25 Google Scholar - [18]I. Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 658 (1992), pp. 341–355 Google Scholar - [19]I. Damgård, J.B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 1880 (2000), pp. 432–450 Google Scholar - [20]I. Damgård, J.B. Nielsen, Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 2442 (2002), pp. 581–596 Google Scholar - [21]A. De Santis, G. Persiano, Zero-knowledge proofs of knowledge without interaction, in
*FOCS*(1992), pp. 427–436 Google Scholar - [22]A. De Santis, G. Di Crescenzo, G. Persiano, Non-interactive zero-knowledge: a low-randomness characterization of NP, in
*ICALP*. Lecture Notes in Computer Science, vol. 1644 (1999), pp. 271–280 Google Scholar - [23]A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, A. Sahai, Robust non-interactive zero knowledge, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 2139 (2002), pp. 566–598 Google Scholar - [24]A. De Santis, G. Di Crescenzo, G. Persiano, Randomness-optimal characterization of two NP proof systems, in
*RANDOM*. Lecture Notes in Computer Science, vol. 2483 (2002), pp. 179–193 Google Scholar - [25]G. Di Crescenzo, Y. Ishai, R. Ostrovsky, Non-interactive and non-malleable commitment, in
*STOC*(1998), pp. 141–150 Google Scholar - [26]U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions.
*SIAM J. Comput.***29**(1), 1–28 (1999) CrossRefMATHMathSciNetGoogle Scholar - [27]J.A. Garay, P.D. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures.
*J. Cryptol.***19**(2), 169–209 (2006) CrossRefMATHMathSciNetGoogle Scholar - [28]S. Garg, V. Goyal, A. Jain, A. Sahai, Bringing people of different beliefs together to do UC, in
*TCC*. Lecture Notes in Computer Science, vol. 6597 (2011), pp. 311–328 Google Scholar - [29]O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions, in
*STOC*(1989), pp. 25–32 Google Scholar - [30]O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems.
*J. Cryptol.***7**(1), 1–32 (1994) MATHMathSciNetGoogle Scholar - [31]O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions.
*J. ACM***33**(4), 792–807 (1986) CrossRefMathSciNetGoogle Scholar - [32]O. Goldreich, S. Micali, A. Wigderson, How to play ANY mental game, or A completeness theorem for protocols with honest majority, in
*STOC*(1987), pp. 218–229 Google Scholar - [33]S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement.
*J. Cryptol.***18**(3), 247–287 (2005) CrossRefMATHMathSciNetGoogle Scholar - [34]S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proofs.
*SIAM J. Comput.***18**(1), 186–208 (1989) CrossRefMATHMathSciNetGoogle Scholar - [35]V. Goyal, J. Katz, Universally composable multi-party computation with an unreliable common reference string, in
*TCC*. Lecture Notes in Computer Science, vol. 4948 (2008), pp. 142–154 Google Scholar - [36]A. Granville, C. Pomerance, On the least prime in certain arithmetic progressions.
*J. Lond. Math. Soc.***s2–41**(2), 193–200 (1990) CrossRefMathSciNetGoogle Scholar - [37]J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 4248 (2006), pp. 444–459 Google Scholar - [38]J. Groth, R. Ostrovsky, Cryptography in the multi-string model, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 4622 (2007), pp. 323–341 Google Scholar - [39]J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge.
*J. ACM***59**(3), 11:1–11:35 (2012) CrossRefMathSciNetGoogle Scholar - [40]J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function.
*SIAM J. Comput.***28**(4), 1364–1396 (1999) CrossRefMATHMathSciNetGoogle Scholar - [41]J. Kilian, E. Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions.
*J. Cryptol.***11**(1), 1–27 (1998) CrossRefMATHMathSciNetGoogle Scholar - [42]P.D. MacKenzie, K. Yang, On simulation-sound trapdoor commitments, in
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 3027 (2004), pp. 382–400 Google Scholar - [43]
- [44]M. Naor, O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions.
*J. Comput. Syst. Sci.***58**(2), 336–375 (1999) CrossRefMATHMathSciNetGoogle Scholar - [45]R. Ostrovsky, One-way functions, hard on average problems, and statistical zero-knowledge proofs, in
*Structure in Complexity Theory Conference*(1991), pp. 133–138 Google Scholar - [46]R. Ostrovsky, A. Wigderson, One-way functions are essential for non-trivial zero-knowledge, in
*ISTCS*(1993), pp. 3–17 Google Scholar