## Abstract

Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007; SIAM J Comput 39(3):1121–1152, 2009) introduced the powerful “MPC-in-the-head” technique, which provides a general transformation of information-theoretic MPC protocols secure against passive adversaries into a ZK proof in a “black-box” way. In this work, we extend this technique and provide a generic transformation of any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so-called *oblivious-transfer* hybrid model to an *adaptive* ZK proof for any \(\textsf {NP}\) language, in a “black-box” way assuming only one-way functions. Our basic construction, based on Goldreich–Micali–Wigderson’s 2PC protocol, yields an adaptive ZK proof with communication complexity quadratic in the size of the circuit implementing the \(\textsf {NP}\) relation. Previously such proofs relied on an expensive Karp reduction of the \(\textsf {NP}\) language to Graph Hamiltonicity [Lindell and Zarosim (TCC 2009; J Cryptol 24(4):761–799, 2011)]. As an application of our techniques, we show how to obtain a ZK proof with an “input-delayed” property for any \(\textsf {NP}\) language, without relying on expensive Karp reductions, that is black box in the underlying one-way function. Namely, the input-delayed property allows the honest prover’s algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a “commit-and-prove” protocol with the same property, where the prover commits to a witness *w* in the second message and proves a statement *x* regarding the witness *w* in zero-knowledge, with the statement determined only in the last round. This improves a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way.
Additionally, we provide a general transformation to construct a randomized encoding of a function *f* from any 2PC protocol that securely computes a related functionality (in a black-box way) from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (which are satisfied by both Yao’s and GMW’s protocols), then the resulting randomized encoding can be decomposed into an offline/online encoding.
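To make the “MPC-in-the-head” idea concrete, the following is an added toy example (not code from the paper or its authors) of the classic IKOS-style transformation applied to the two-party GMW protocol in the OT-hybrid model, the starting point the abstract builds on. The prover runs both GMW parties and the ideal OT oracle in its head on XOR shares of the witness, commits to each party's view and to every OT message separately, and the verifier asks to open one party: it re-executes that party's local computation, checks the OT messages it sent against their commitments, and checks the single OT message it received against the committed sender message for its choice bit. The commitment is used purely as a black box on strings. Everything here is constructed for illustration: the circuit `EXAMPLE_CIRCUIT`, the SHA-256 commitment standing in for the one-way-function-based one, and all function names. It gives soundness error 1/2 per repetition and is honest-verifier zero-knowledge only; it has none of the adaptive, input-delayed or commit-and-prove properties the paper obtains.

```python
import hashlib
import secrets

# Constructed toy circuit: wires 0..n-1 hold the witness bits, each ("XOR"|"AND", a, b)
# gate appends a wire, the last wire is the output; the claim is "C is satisfiable".
EXAMPLE_CIRCUIT = (3, [("XOR", 0, 1), ("AND", 3, 2)])   # C(w) = (w0 ^ w1) & w2

def commit(data):   # hash commitment standing in for the OWF-based one (assumption)
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + data).digest(), r

def check_open(com, data, r):
    return hashlib.sha256(r + data).digest() == com

def run_gmw_in_head(circuit, w):
    """Prover plays both GMW parties and the ideal OT; a view is (input share, AND
    randomness, received OT outputs). Returns view1, view2, OT log, output shares."""
    n, gates = circuit
    s1 = [secrets.randbits(1) for _ in range(n)]
    s2 = [wi ^ si for wi, si in zip(w, s1)]
    rand1, rand2, recv1, recv2, ots = [], [], [], [], []
    for op, a, b in gates:
        if op == "XOR":
            s1.append(s1[a] ^ s1[b]); s2.append(s2[a] ^ s2[b]); continue
        r1, r2 = secrets.randbits(1), secrets.randbits(1)
        rand1.append(r1); rand2.append(r2)
        m, c = (r1, r1 ^ s1[a]), s2[b]       # OT 2k: P1 sends, P2 learns r1 ^ a1*b2
        recv2.append(m[c]); ots.append((1, m, c))
        m, c = (r2, r2 ^ s2[a]), s1[b]       # OT 2k+1: P2 sends, P1 learns r2 ^ a2*b1
        recv1.append(m[c]); ots.append((2, m, c))
        s1.append((s1[a] & s1[b]) ^ r1 ^ recv1[-1])   # the two new shares XOR to a*b
        s2.append((s2[a] & s2[b]) ^ r2 ^ recv2[-1])
    return (s1[:n], rand1, recv1), (s2[:n], rand2, recv2), ots, (s1[-1], s2[-1])

def replay_party(circuit, view):
    """Redo one party's local work from its view: output share, OT pairs sent, choice bits."""
    n, gates = circuit
    s, rands, recvs = list(view[0]), view[1], view[2]
    sent, choices, k = [], [], 0
    for op, a, b in gates:
        if op == "XOR":
            s.append(s[a] ^ s[b]); continue
        r, got = rands[k], recvs[k]; k += 1
        sent.append((r, r ^ s[a])); choices.append(s[b])
        s.append((s[a] & s[b]) ^ r ^ got)
    return s[-1], sent, choices

def prover_commit(circuit, w):
    view1, view2, ots, outs = run_gmw_in_head(circuit, w)
    coms, opens = {}, {}
    for name, obj in (("view1", view1), ("view2", view2)):
        coms[name], opens[name] = commit(repr(obj).encode())
    for j, (_, m, _) in enumerate(ots):        # every OT message committed on its own
        for bit in (0, 1):
            coms[(j, bit)], opens[(j, bit)] = commit(bytes([m[bit]]))
    return (coms, outs), {"views": (view1, view2), "ots": ots, "opens": opens}

def prover_open(state, e):
    # Open P_e's view, both messages of OTs P_e sent, and only m_c of OTs P_e received.
    opening = {"view": (state["views"][e - 1], state["opens"][f"view{e}"])}
    for j, (sender, m, c) in enumerate(state["ots"]):
        for bit in ((0, 1) if sender == e else (c,)):
            opening[(j, bit)] = (m[bit], state["opens"][(j, bit)])
    return opening

def verify(circuit, commitment, e, opening):
    coms, outs = commitment
    try:
        if outs[0] ^ outs[1] != 1: return False          # published shares must give 1
        view, r = opening["view"]
        if not check_open(coms[f"view{e}"], repr(view).encode(), r): return False
        out, sent, choices = replay_party(circuit, view)
        if out != outs[e - 1]: return False             # P_e really computed that share
        for k in range(len(sent)):
            js, jr = (2 * k, 2 * k + 1) if e == 1 else (2 * k + 1, 2 * k)
            for bit in (0, 1):                          # sent pair matches its commitments
                m, rr = opening[(js, bit)]
                if m != sent[k][bit] or not check_open(coms[(js, bit)], bytes([m]), rr): return False
            m, rr = opening[(jr, choices[k])]           # received bit is the committed m_c
            if m != view[2][k] or not check_open(coms[(jr, choices[k])], bytes([m]), rr): return False
    except (KeyError, IndexError, TypeError, ValueError):
        return False
    return True

def run_protocol(circuit, w, rounds=40):   # repetition: a cheat survives each round w.p. 1/2
    for _ in range(rounds):
        commitment, state = prover_commit(circuit, w)
        e = secrets.choice((1, 2))
        if not verify(circuit, commitment, e, prover_open(state, e)): return False
    return True

def cheating_commitment(circuit, w):
    """Constructed cheat for C(w) = 0: flip P2's published output share so the shares
    XOR to 1; opening P2 then shows its view does not produce that share."""
    (coms, outs), state = prover_commit(circuit, w)
    return (coms, (outs[0], outs[1] ^ 1)), state
```

`run_protocol(EXAMPLE_CIRCUIT, [1, 0, 1])` accepts, while a non-satisfying witness such as `[1, 1, 1]` is rejected outright because the honest output shares XOR to 0. The reason each OT message is committed on its own is soundness: with only one view opened, an inconsistency between what the sender fed the OT and what the receiver claims to have got would otherwise span two views and never be checked; `cheating_commitment` shows the flip side, a tampered output share that is caught exactly when P2 is the opened party.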

## Keywords

- Adaptive zero-knowledge proofs
- Secure two-party computation
- Randomized encoding
- Instance-dependent commitments

## References

- 1. S. Ames, C. Hazay, Y. Ishai, M. Venkitasubramaniam, Ligero: lightweight sublinear arguments without a trusted setup, in *CCS* (2017), pp. 2087–2104
- 2. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\), in *FOCS* (2004), pp. 166–175
- 3. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\). *SIAM J. Comput.* **36**(4), 845–888 (2006)
- 4. B. Applebaum, Y. Ishai, E. Kushilevitz, From secrecy to soundness: efficient verification via secure computation, in *ICALP* (2010), pp. 152–163
- 5. S. Agrawal, Y. Ishai, D. Khurana, A. Paskin-Cherniavsky, Statistical randomized encodings: a complexity theoretic view, in *ICALP* (2015), pp. 1–13
- 6. B. Applebaum, Y. Ishai, E. Kushilevitz, B. Waters, Encoding functions with constant online rate or how to compress garbled circuits keys, in *CRYPTO* (2013), pp. 166–184
- 7. B. Applebaum, Key-dependent message security: generic amplification and completeness. *J. Cryptol.* **27**(3), 429–451 (2014)
- 8. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. *J. Comput. Syst. Sci.* **37**(2), 156–189 (1988)
- 9. D. Beaver, Correlated pseudorandomness and the complexity of private computations, in *STOC* (1996), pp. 479–488
- 10. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in *STOC* (1988), pp. 1–10
- 11. B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in *EUROCRYPT* (2010), pp. 423–444
- 12. M. Bellare, V. T. Hoang, P. Rogaway, Foundations of garbled circuits, in *CCS* (2012), pp. 784–796
- 13. M. Bellare, S. Micali, R. Ostrovsky, in *STOC* (1990), pp. 482–493
- 14. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in *STOC* (1990), pp. 503–513
- 15. R. Canetti, Security and composition of multiparty cryptographic protocols. *J. Cryptol.* **13**(1), 143–202 (2000)
- 16. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (abstract), in *CRYPTO* (1987), p. 462
- 17. R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, Adaptive versus non-adaptive security of multi-party protocols. *J. Cryptol.* **17**(3), 153–207 (2004)
- 18. I. Cascudo, I. Damgård, B. M. David, I. Giacomelli, J. B. Nielsen, R. Trifiletti, Additively homomorphic UC commitments with optimal amortized overhead, in *PKC* (2015), pp. 495–515
- 19. M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, G. Zaverucha, Post-quantum zero-knowledge and signatures from symmetric-key primitives, in *CCS* (2017), pp. 1825–1842
- 20. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in *STOC* (2002), pp. 494–503
- 21. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Improved OR-composition of sigma-protocols, in *TCC* (2016), pp. 112–141
- 22. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Online/offline OR composition of sigma protocols, in *EUROCRYPT* (2016), pp. 63–92
- 23. R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Equivocating Yao: constant-round adaptively secure multiparty computation in the plain model, in *STOC* (2017), pp. 497–509
- 24. C. Crépeau, J. van de Graaf, A. Tapp, Committed oblivious transfer and private multi-party computation, in *CRYPTO* (1995), pp. 110–123
- 25. I. Damgård, On \(\Sigma\)-protocols. http://www.cs.au.dk/~ivan/Sigma.pdf (2010)
- 26. I. Damgård, Y. Ishai, Scalable secure multiparty computation, in *CRYPTO* (2006), pp. 501–520
- 27. I. Damgård, J. B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in *CRYPTO* (2000), pp. 432–450
- 28. I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures, in *CRYPTO* (1993), pp. 250–265
- 29. U. Feige, J. Kilian, M. Naor, A minimal model for secure computation (extended abstract), in *STOC* (1994), pp. 554–563
- 30. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. *SIAM J. Comput.* **29**(1), 1–28 (1999)
- 31. U. Feige, A. Shamir, Zero knowledge proofs of knowledge in two rounds, in *CRYPTO* (1989), pp. 526–544
- 32. R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: outsourcing computation to untrusted workers, in *CRYPTO* (2010), pp. 465–482
- 33. V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in *TCC* (2010), pp. 308–326
- 34. O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. *J. Cryptol.* **9**(3), 167–190 (1996)
- 35. C. Ganesh, Y. Kondi, A. Patra, P. Sarkar, Efficient adaptively secure zero-knowledge from garbled circuits, in *PKC* (2018), pp. 499–529
- 36. S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in *CRYPTO* (2008), pp. 39–56
- 37. V. Goyal, C.-K. Lee, R. Ostrovsky, I. Visconti, Constructing non-malleable commitments: a black-box approach, in *FOCS* (2012), pp. 51–60
- 38. I. Giacomelli, J. Madsen, C. Orlandi, ZKBoo: faster zero-knowledge for Boolean circuits, in *USENIX* (2016), pp. 1069–1083
- 39. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. *SIAM J. Comput.* **18**(1), 186–208 (1989)
- 40. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in *STOC* (1987), pp. 218–229
- 41. O. Goldreich, *Foundations of Cryptography: Basic Tools* (Cambridge University Press, Cambridge, 2001)
- 42. V. Goyal, R. Ostrovsky, A. Scafuro, I. Visconti, Black-box non-black-box zero knowledge, in *STOC* (2014), pp. 515–524
- 43. J. A. Garay, D. Wichs, H.-S. Zhou, Somewhat non-committing encryption and efficient adaptively secure oblivious transfer, in *CRYPTO* (2009), pp. 505–523
- 44. D. Harnik, Y. Ishai, E. Kushilevitz, J. B. Nielsen, OT-combiners via secure computation, in *TCC* (2008), pp. 393–411
- 45. B. Hemenway, Z. Jafargholi, R. Ostrovsky, A. Scafuro, D. Wichs, Adaptively secure garbled circuits from one-way functions, in *CRYPTO* (2016), pp. 149–178
- 46. S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in *CRYPTO* (1996), pp. 201–215
- 47. I. Haitner, O. Reingold, A new interactive hashing theorem, in *CCC* (2007), pp. 319–332
- 48. Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in *FOCS* (2000), pp. 294–304
- 49. Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in *ICALP* (2002), pp. 244–256
- 50. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in *STOC* (2007), pp. 21–30
- 51. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. *SIAM J. Comput.* **39**(3), 1121–1152 (2009)
- 52. Y. Ishai, E. Kushilevitz, M. Prabhakaran, A. Sahai, C.-H. Yu, Secure protocol transformations, in *CRYPTO* (2016), pp. 430–458
- 53. T. Itoh, Y. Ohta, H. Shizuya, A language-dependent cryptographic primitive. *J. Cryptol.* **10**(1), 37–50 (1997)
- 54. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in *CRYPTO* (2008), pp. 572–591
- 55. Y. Ishai, M. Prabhakaran, A. Sahai, Secure arithmetic computation with no honest majority, in *TCC* (2009), pp. 294–314
- 56. Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in *TCC* (2014), pp. 121–145
- 57. Z. Jafargholi, A. Scafuro, D. Wichs, Adaptively indistinguishable garbled circuits, in *TCC* (2017), pp. 40–71
- 58. Z. Jafargholi, D. Wichs, Adaptive security of Yao’s garbled circuits, in *TCC* (2016), pp. 433–458
- 59. J. Kilian, Founding cryptography on oblivious transfer, in *STOC* (1988), pp. 20–31
- 60. J. Katz, R. Ostrovsky, Round-optimal secure two-party computation, in *CRYPTO* (2004), pp. 335–354
- 61. Y. Lindell, B. Pinkas, A proof of security of Yao’s protocol for two-party computation. *J. Cryptol.* **22**(2), 161–188 (2009)
- 62. D. Lapidot, A. Shamir, Publicly verifiable non-interactive zero-knowledge proofs, in *CRYPTO* (1990), pp. 353–365
- 63. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. *J. Cryptol.* **24**(4), 761–799 (2011)
- 64. M. Naor, Bit commitment using pseudorandomness. *J. Cryptol.* **4**(2), 151–158 (1991)
- 65. R. Ostrovsky, A. Scafuro, M. Venkitasubramaniam, Resettably sound zero-knowledge arguments from OWFs: the (semi) black-box way, in *TCC* (2015), pp. 345–374
- 66. S. J. Ong, S. P. Vadhan, An equivalence between zero knowledge and commitments, in *TCC* (2008), pp. 482–500
- 67. B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in *ASIACRYPT* (2009), pp. 250–267
- 68. R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in *TCC* (2009), pp. 403–418
- 69. A. C.-C. Yao, How to generate and exchange secrets (extended abstract), in *FOCS* (1986), pp. 162–167
- 70. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in *TCC* (2009), pp. 183–201