## Abstract

Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007; SIAM J Comput 39(3):1121–1152, 2009) introduced the powerful “MPC-in-the-head” technique that provided a general transformation of information-theoretic MPC protocols secure against passive adversaries to a ZK proof in a “black-box” way. In this work, we extend this technique and provide a generic transformation of any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so-called *oblivious-transfer* hybrid model to an *adaptive* ZK proof for any \(\textsf {NP}\) language, in a “black-box” way assuming only one-way functions. Our basic construction based on Goldreich–Micali–Wigderson’s 2PC protocol yields an adaptive ZK proof with communication complexity quadratic in the size of the circuit implementing the \(\textsf {NP}\) relation. Previously such proofs relied on an expensive Karp reduction of the \(\textsf {NP}\) language to Graph Hamiltonicity [Lindell and Zarosim (TCC 2009; J Cryptol 24(4):761–799, 2011)]. As an application of our techniques, we show how to obtain a ZK proof with an “input-delayed” property for any \(\textsf {NP}\) language without relying on expensive Karp reductions and in a way that is black-box in the underlying one-way function. Namely, the input-delayed property allows the honest prover’s algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a “commit-and-prove” protocol with the same property where the prover commits to a witness *w* in the second message and proves a statement *x* regarding the witness *w* in zero-knowledge where the statement is determined only in the last round. This improves a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way.
Additionally, we provide a general transformation to construct a randomized encoding of a function *f* from any 2PC protocol that securely computes a related functionality (in a black-box way) from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (which are satisfied by both Yao’s and GMW’s protocols), then the resulting randomized encoding can be decomposed to an offline/online encoding.

## Notes

1. Namely, against computationally unbounded adversaries.
2.
3. The functionality *f* can be efficiently defined by making only black-box (oracle) access to the \(\textsf {NP}\) relation \(\mathcal{R}\). This notion is formalized as an “oracle call” to a protocol in [52].
4. Where all parties have access to an idealized primitive that implements the OT functionality, namely, the functionality that, upon receiving input \((s_0,s_1)\) from the sender and a bit *b* from the receiver, returns \(s_b\) to the receiver and nothing to the sender.
5. To obtain a proof, we will be able to instantiate our commitment schemes using a statistically binding commitment scheme [64] for commitments made by the prover in the ZK protocol, and by a statistically hiding commitment scheme for commitments made by the verifier. Both these schemes can be instantiated from one-way functions [47, 64].

6. By “black-box” use of a protocol, we mean that the next-message function of the resulting protocol uses the next-message function of the underlying protocol as an oracle. However, it could be the case that the underlying protocol might depend on the implemented functionality in a non-black-box manner. This notion is formalized and explored in [52].
7. The security notion in which one party is statically corrupted, whereas the second party is adaptively corrupted, is known as semi-adaptive security [43].
8. Note that in Naor’s statistically binding commitment scheme [64] the decommitment information is the inverse under a pseudorandom generator that is uniformly sampled, and hence can be placed in the random tape.
9. We note that the online complexity can be improved by relying on the work of [6].
10. This notion has been considered in the past in the context of oblivious public-key encryption schemes requiring the ability to sample a public-key without knowing the secret key or sampling a ciphertext without the knowledge of the plaintext [27], and to switch from a real to an oblivious object.
11. Note that the notion of decomposability is similar to the notion of projective garbled schemes specified in [12].
12. More formally, let \(\mathrm {F}:\{0,1\}^\kappa \times \{0,1\}^\kappa \mapsto \{0,1\}^\kappa \) denote a PRF function. Then encrypting a message \(m\in \{0,1\}^\kappa \) is carried out by sampling a random \(r\leftarrow \{0,1\}^\kappa \) and returning \((\mathrm {F}_k(r)\oplus m, r)\). Furthermore, obliviously sampling a ciphertext is achieved by sampling two \(\kappa \)-bit strings. By the pseudorandomness of \(\mathrm {F}\), an obliviously generated ciphertext is indistinguishable from a real one.
13. However, with our modification, indirectly the encrypted values of the sender’s real inputs are in the transcript.

14. *M* will be chosen to be proportional to the width of the circuit implementing the function *f*.
15. We have not optimized the parameters as our focus is to demonstrate theoretical feasibility of such protocols.
16. More explicitly, we assume that the common statement *x* is embedded inside the circuit and only \(\omega \) is given as its input.
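
Note 12's encryption scheme and its oblivious ciphertext sampler, as an added example that is not code from the paper. HMAC-SHA256 standing in for \(\mathrm {F}\), \(\kappa = 256\) bits, and all function names are assumptions of this example; `explain_as_oblivious` illustrates one reading of note 10's switch from a real to an oblivious object.

```python
import hashlib
import hmac
import secrets

KAPPA = 32  # kappa in bytes (assumed: 256-bit keys, messages and nonces)


def keygen() -> bytes:
    return secrets.token_bytes(KAPPA)


def prf(key: bytes, r: bytes) -> bytes:
    # F_k(r); HMAC-SHA256 stands in for the PRF F (an assumption of this example).
    return hmac.new(key, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes):
    # Real ciphertext: sample r and return (F_k(r) xor m, r).
    if len(key) != KAPPA or len(m) != KAPPA:
        raise ValueError("key and message must each be KAPPA bytes")
    r = secrets.token_bytes(KAPPA)
    return xor(prf(key, r), m), r


def decrypt(key: bytes, ct) -> bytes:
    c, r = ct
    if len(c) != KAPPA or len(r) != KAPPA:
        raise ValueError("malformed ciphertext")
    return xor(prf(key, r), c)


def oblivious_sample(coins: bytes = None):
    # Oblivious ciphertext: the sampler's 2*kappa random bits, split in two.
    # Neither a key nor a plaintext is involved.
    if coins is None:
        coins = secrets.token_bytes(2 * KAPPA)
    if len(coins) != 2 * KAPPA:
        raise ValueError("need exactly 2*KAPPA bytes of coins")
    return coins[:KAPPA], coins[KAPPA:]


def explain_as_oblivious(ct) -> bytes:
    # Coins under which oblivious_sample() outputs this (real) ciphertext.
    c, r = ct
    return c + r
```

Because the sampler's output is its own random tape, any real ciphertext can be presented as an oblivious one by handing over `c + r` as the coins.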

## References

1. S. Ames, C. Hazay, Y. Ishai, M. Venkitasubramaniam, Ligero: lightweight sublinear arguments without a trusted setup, in *CCS* (2017), pp. 2087–2104
2. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\), in *FOCS* (2004), pp. 166–175
3. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\). *SIAM J. Comput.* **36**(4), 845–888 (2006)
4. B. Applebaum, Y. Ishai, E. Kushilevitz, From secrecy to soundness: efficient verification via secure computation, in *ICALP* (2010), pp. 152–163
5. S. Agrawal, Y. Ishai, D. Khurana, A. Paskin-Cherniavsky, Statistical randomized encodings: a complexity theoretic view, in *ICALP* (2015), pp. 1–13
6. B. Applebaum, Y. Ishai, E. Kushilevitz, B. Waters, Encoding functions with constant online rate or how to compress garbled circuits keys, in *CRYPTO* (2013), pp. 166–184
7. B. Applebaum, Key-dependent message security: generic amplification and completeness. *J. Cryptol.* **27**(3), 429–451 (2014)
8. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. *J. Comput. Syst. Sci.* **37**(2), 156–189 (1988)
9. D. Beaver, Correlated pseudorandomness and the complexity of private computations, in *STOC* (1996), pp. 479–488
10. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in *STOC* (1988), pp. 1–10
11. B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in *EUROCRYPT* (2010), pp. 423–444
12. M. Bellare, V. T. Hoang, P. Rogaway, Foundations of garbled circuits, in *CCS* (2012), pp. 784–796
13. M. Bellare, S. Micali, R. Ostrovsky, Stoc., 482–493 (1990)

14. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in *STOC* (1990), pp. 503–513
15. R. Canetti, Security and composition of multiparty cryptographic protocols. *J. Cryptol.* **13**(1), 143–202 (2000)
16. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (abstract), in *CRYPTO* (1987), p. 462
17. R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, Adaptive versus non-adaptive security of multi-party protocols. *J. Cryptol.* **17**(3), 153–207 (2004)
18. I. Cascudo, I. Damgård, B. M. David, I. Giacomelli, J. B. Nielsen, R. Trifiletti, Additively homomorphic UC commitments with optimal amortized overhead, in *PKC* (2015), pp. 495–515
19. M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, G. Zaverucha, Post-quantum zero-knowledge and signatures from symmetric-key primitives, in *CCS* (2017), pp. 1825–1842
20. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in *STOC* (2002), pp. 494–503
21. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Improved or-composition of sigma-protocols, in *TCC* (2016), pp. 112–141
22. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Online/offline OR composition of sigma protocols, in *EUROCRYPT* (2016), pp. 63–92
23. R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Equivocating yao: constant-round adaptively secure multiparty computation in the plain model, in *STOC* (2017), pp. 497–509
24. C. Crépeau, J. van de Graaf, A. Tapp, Committed oblivious transfer and private multi-party computation, in *CRYPTO* (1995), pp. 110–123
25. I. Damgård, On \(\Sigma \)-protocols. http://www.cs.au.dk/~ivan/Sigma.pdf (2010)

26. I. Damgård, Y. Ishai, Scalable secure multiparty computation, in *CRYPTO* (2006), pp. 501–520
27. I. Damgård, J. B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in *CRYPTO* (2000), pp. 432–450
28. I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures, in *CRYPTO* (1993), pp. 250–265
29. U. Feige, J. Kilian, M. Naor, A minimal model for secure computation (extended abstract), in *STOC* (1994), pp. 554–563
30. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. *SIAM J. Comput.* **29**(1), 1–28 (1999)
31. U. Feige, A. Shamir, Zero knowledge proofs of knowledge in two rounds, in *CRYPTO* (1989), pp. 526–544
32. R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in *CRYPTO* (2010), pp. 465–482
33. V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in *TCC* (2010), pp. 308–326
34. O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. *J. Cryptol.* **9**(3), 167–190 (1996)
35. C. Ganesh, Y. Kondi, A. Patra, P. Sarkar, Efficient adaptively secure zero-knowledge from garbled circuits, in *PKC* (2018), pp. 499–529
36. S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in *CRYPTO* (2008), pp. 39–56
37. V. Goyal, C.-K. Lee, R. Ostrovsky, I. Visconti, Constructing non-malleable commitments: a black-box approach, in *FOCS* (2012), pp. 51–60
38. I. Giacomelli, J. Madsen, C. Orlandi, Zkboo: faster zero-knowledge for boolean circuits, in *USENIX* (2016), pp. 1069–1083
39. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. *SIAM J. Comput.* **18**(1), 186–208 (1989)
40. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in *STOC* (1987), pp. 218–229
41. O. Goldreich, *Foundations of Cryptography: Basic Tools* (Cambridge University Press, Cambridge, 2001)
42. V. Goyal, R. Ostrovsky, A. Scafuro, I. Visconti, Black-box non-black-box zero knowledge, in *STOC* (2014), pp. 515–524
43. J. A. Garay, D. Wichs, H.-S. Zhou, Somewhat non-committing encryption and efficient adaptively secure oblivious transfer, in *CRYPTO* (2009), pp. 505–523
44. D. Harnik, Y. Ishai, E. Kushilevitz, J. B. Nielsen, Ot-combiners via secure computation, in *TCC* (2008), pp. 393–411
45. B. Hemenway, Z. Jafargholi, R. Ostrovsky, A. Scafuro, D. Wichs, Adaptively secure garbled circuits from one-way functions, in *CRYPTO* (2016), pp. 149–178
46. S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in *CRYPTO* (1996), pp. 201–215
47. I. Haitner, O. Reingold, A new interactive hashing theorem, in *CCC* (2007), pp. 319–332
48. Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in *FOCS* (2000), pp. 294–304
49. Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in *ICALP* (2002), pp. 244–256
50. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in *STOC* (2007), pp. 21–30
51. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. *SIAM J. Comput.* **39**(3), 1121–1152 (2009)
52. Y. Ishai, E. Kushilevitz, M. Prabhakaran, A. Sahai, C.-H. Yu, Secure protocol transformations, in *CRYPTO* (2016), pp. 430–458
53. T. Itoh, Y. Ohta, H. Shizuya, A language-dependent cryptographic primitive. *J. Cryptol.* **10**(1), 37–50 (1997)
54. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in *CRYPTO* (2008), pp. 572–591
55. Y. Ishai, M. Prabhakaran, A. Sahai, Secure arithmetic computation with no honest majority, in *TCC* (2009), pp. 294–314
56. Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in *TCC* (2014), pp. 121–145
57. Z. Jafargholi, A. Scafuro, D. Wichs, Adaptively indistinguishable garbled circuits, in *TCC* (2017), pp. 40–71
58. Z. Jafargholi, D. Wichs, Adaptive security of yao’s garbled circuits, in *TCC* (2016), pp. 433–458
59. J. Kilian, Founding cryptography on oblivious transfer, in *STOC* (1988), pp. 20–31
60. J. Katz, R. Ostrovsky, Round-optimal secure two-party computation, in *CRYPTO* (2004), pp. 335–354
61. Y. Lindell, B. Pinkas, A proof of security of Yao’s protocol for two-party computation. *J. Cryptol.* **22**(2), 161–188 (2009)
62. D. Lapidot, A. Shamir, Publicly verifiable non-interactive zero-knowledge proofs, in *CRYPTO* (1990), pp. 353–365
63. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. *J. Cryptol.* **24**(4), 761–799 (2011)
64. M. Naor, Bit commitment using pseudorandomness. *J. Cryptol.* **4**(2), 151–158 (1991)
65. R. Ostrovsky, A. Scafuro, M. Venkitasubramaniam, Resettably sound zero-knowledge arguments from OWFs: the (semi) black-box way, in *TCC* (2015), pp. 345–374
66. S. J. Ong, S. P. Vadhan, An equivalence between zero knowledge and commitments, in *TCC* (2008), pp. 482–500
67. B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in *ASIACRYPT* (2009), pp. 250–267
68. R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in *TCC* (2009), pp. 403–418
69. A. C.-C. Yao, How to generate and exchange secrets (extended abstract), in *FOCS* (1986), pp. 162–167
70. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in *TCC* (2009), pp. 183–201

## Additional information

Carmit Hazay: Research was partially supported by the European Research Council under the ERC consolidators Grant Agreement No. 615172 (HIPS), and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. Research partially supported by a grant from the Israel Ministry of Science and Technology (Grant No. 3-10883). Muthuramakrishnan Venkitasubramaniam: Research supported by Google Faculty Research Grant and NSF Award CNS-1526377.

Communicated by Nigel Smart.

## About this article

### Cite this article

Hazay, C., Venkitasubramaniam, M. On the Power of Secure Two-Party Computation. *J Cryptol* **33**, 271–318 (2020). https://doi.org/10.1007/s00145-019-09314-2

### Keywords

- Adaptive zero-knowledge proofs
- Secure two-party computation
- Randomized encoding
- Instance-dependent commitments