On the Power of Secure Two-Party Computation


Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007; SIAM J Comput 39(3):1121–1152, 2009) introduced the powerful “MPC-in-the-head” technique that provided a general transformation of information-theoretic MPC protocols secure against passive adversaries to a ZK proof in a “black-box” way. In this work, we extend this technique and provide a generic transformation of any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so-called oblivious-transfer hybrid model to an adaptive ZK proof for any \(\textsf {NP}\) language, in a “black-box” way assuming only one-way functions. Our basic construction based on Goldreich–Micali–Wigderson’s 2PC protocol yields an adaptive ZK proof with communication complexity proportional to quadratic in the size of the circuit implementing the \(\textsf {NP}\) relation. Previously such proofs relied on an expensive Karp reduction of the \(\textsf {NP}\) language to Graph Hamiltonicity [Lindell and Zarosim (TCC 2009; J Cryptol 24(4):761–799, 2011)]. As an application of our techniques, we show how to obtain a ZK proof with an “input-delayed” property for any \(\textsf {NP}\) language without relying on expensive Karp reductions that is black box in the underlying one-way function. Namely, the input-delayed property allows the honest prover’s algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a “commit-and-prove” protocol with the same property where the prover commits to a witness w in the second message and proves a statement x regarding the witness w in zero-knowledge where the statement is determined only in the last round. This improves a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way. Additionally, we provide a general transformation to construct a randomized encoding of a function f from any 2PC protocol that securely computes a related functionality (in a black-box way) from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (which are satisfied by both the Yao’s and GMW’s protocol), then the resulting randomized encoding can be decomposed to an offline/online encoding.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5


  1. 1.

    Namely, against computationally unbounded adversaries.

  2. 2.

    If one is willing to provide ideal access to an oblivious-transfer functionality, then one can achieve information-theoretic security even in the honest minority setting [24, 40, 54].

  3. 3.

    The functionality f can be efficiently defined by making only a black-box (oracle) access to the \(\textsf {NP}\) relation \(\mathcal{R}\). This notion is formalized as an “oracle call” to a protocol in [52].

  4. 4.

    Where all parties have access to an idealized primitive that implements the OT functionality, namely, the functionality upon receiving input \((s_0,s_1)\) from the sender and a bit b from the receiver, returns \(s_b\) to the receiver and nothing the sender.

  5. 5.

    To obtain a proof, we will be able to instantiate our commitment schemes using a statistically binding commitment scheme [64] for commitments made by the prover in the ZK protocol, and by a statistically hiding commitment scheme for commitments made by the verifier. Both these schemes can be instantiated from one-way functions [47, 64].

  6. 6.

    By “black-box” use of a protocol, we mean that the next-message function of the resulting protocol uses the next-message function of the underlying protocol as an oracle. However, it could be the case that the underlying protocol might depend on the implemented functionality in a non-black-box manner. This notion is formalized and explored in [52].

  7. 7.

    The security notion in which one party is statically corrupted, whereas the second party is adaptively corrupted is known by semi-adaptive security [43].

  8. 8.

    Note that in Naor’s statistically binding commitment scheme [64] the decommitment information is the inverse under a pseudorandom generator that is uniformly sampled, and hence can be placed in the random tape.

  9. 9.

    We note that the online complexity can be improved by relying on the work of [6].

  10. 10.

    This notion has been considered in the past in the context of oblivious public-key encryption schemes requiring the ability to sample a public-key without knowing the secret key or sampling a ciphertext without the knowledge of the plaintext [27], and to switch from a real to an oblivious object.

  11. 11.

    Note that the notion of decomposability is similar to the notion of projective garbled schemes specified in [12].

  12. 12.

    More formally, let \(\mathrm {F}:\{0,1\}^\kappa \times \{0,1\}^\kappa \mapsto \{0,1\}^\kappa \) denote a PRF function. Then encrypting a message \(m\in \{0,1\}^\kappa \) is carried out by sampling a random \(r\leftarrow \{0,1\}^\kappa \) and returning \((\mathrm {F}_k(r)\oplus m, r)\). Furthermore, obliviously sampling a ciphertext is achieved by sampling two \(\kappa \)-bits strings. By the pseudorandomness of \(\mathrm {F}\), an obliviously generated ciphertext is indistinguishable from a real one.

  13. 13.

    However, with our modification, indirectly the encrypted values of the sender’s real inputs are in the transcript.

  14. 14.

    M will be chosen to be proportional to the width of the circuit implementing the function f.

  15. 15.

    We have not optimized the parameters as our focus is to demonstrate theoretical feasibility of such protocols.

  16. 16.

    More explicitly, we assume that the common statement x is embedded inside the circuit and only \(\omega \) is given as its input.


  1. 1.

    S. Ames, C. Hazay, Y. Ishai, M. Venkitasubramaniam, Ligero: lightweight sublinear arguments without a trusted setup, in CCS (2017), pp. 2087–2104

  2. 2.

    B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\), in FOCS (2004), pp. 166–175

  3. 3.

    B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in nc\({}^{\text{0 }}\). SIAM J. Comput. 36(4), 845–888 (2006)

    MathSciNet  Article  Google Scholar 

  4. 4.

    B. Applebaum, Y. Ishai, E. Kushilevitz, From secrecy to soundness: efficient verification via secure computation, in ICALP (2010), pp. 152–163

  5. 5.

    S. Agrawal, Y. Ishai, D. Khurana, A. Paskin-Cherniavsky, Statistical randomized encodings: a complexity theoretic view, in ICALP (2015), pp. 1–13

  6. 6.

    B. Applebaum, Y. Ishai, E. Kushilevitz, B. Waters, Encoding functions with constant online rate or how to compress garbled circuits keys, in CRYPTO (2013), pp. 166–184

  7. 7.

    B. Applebaum, Key-dependent message security: generic amplification and completeness. J. Cryptol. 27(3), 429–451 (2014)

    MathSciNet  Article  Google Scholar 

  8. 8.

    G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)

    MathSciNet  Article  Google Scholar 

  9. 9.

    D. Beaver, Correlated pseudorandomness and the complexity of private computations, in STOC (1996), pp. 479–488

  10. 10.

    M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in STOC (1988), pp. 1–10

  11. 11.

    B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in EUROCRYPT (2010), pp. 423–444

  12. 12.

    M. Bellare, V. T. Hoang, P. Rogaway, Foundations of garbled circuits, in CCS (2012), pp. 784–796

  13. 13.

    M. Bellare, S. Micali, R. Ostrovsky, Stoc., 482–493 (1990)

  14. 14.

    D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in STOC (1990), pp. 503–513

  15. 15.

    R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol.13(1), 143–202 (2000)

    MathSciNet  Article  Google Scholar 

  16. 16.

    D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (abstract), in CRYPTO (1987), p. 462

  17. 17.

    R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, Adaptive versus non-adaptive security of multi-party protocols. J. Cryptol.17(3), 153–207 (2004)

    MathSciNet  Article  Google Scholar 

  18. 18.

    I. Cascudo, I. Damgård, B. M. David, I. Giacomelli, J. B. Nielsen, R. Trifiletti, Additively homomorphic UC commitments with optimal amortized overhead, in PKC (2015), pp. 495–515

  19. 19.

    M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, G. Zaverucha, Post-quantum zero-knowledge and signatures from symmetric-key primitives, in CCS (2017), pp. 1825–1842

  20. 20.

    R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in STOC (2002), pp. 494–503

  21. 21.

    M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Improved or-composition of sigma-protocols, in TCC (2016), pp. 112–141

  22. 22.

    M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Online/offline OR composition of sigma protocols, in EUROCRYPT (2016), pp. 63–92

  23. 23.

    R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Equivocating yao: constant-round adaptively secure multiparty computation in the plain model, in STOC (2017), pp. 497–509

  24. 24.

    C. Crépeau, J. van de Graaf, A. Tapp, Committed oblivious transfer and private multi-party computation, in CRYPTO (1995), pp. 110–123

  25. 25.

    I. Damgård, On \(\Sigma \)-protocols. http://www.cs.au.dk/~ivan/Sigma.pdf (2010)

  26. 26.

    I. Damgård, Y. Ishai, Scalable secure multiparty computation, in CRYPTO (2006), pp. 501–520

  27. 27.

    I. Damgård, J. B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in CRYPTO (2000), pp. 432–450

  28. 28.

    I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures, in CRYPTO (1993), pp. 250–265

  29. 29.

    U. Feige, J. Kilian, M. Naor, A minimal model for secure computation (extended abstract), in STOC (1994), pp. 554–563

  30. 30.

    U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

    MathSciNet  Article  Google Scholar 

  31. 31.

    U. Feige, A. Shamir, Zero knowledge proofs of knowledge in two rounds, in CRYPTO (1989), pp. 526–544

  32. 32.

    R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in CRYPTO (2010), pp. 465–482

  33. 33.

    V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in TCC (2010), pp. 308–326

  34. 34.

    O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol.9(3), 167–190 (1996)

    MathSciNet  Article  Google Scholar 

  35. 35.

    C. Ganesh, Y. Kondi, A. Patra, P. Sarkar, Efficient adaptively secure zero-knowledge from garbled circuits, in PKC (2018), pp. 499–529

  36. 36.

    S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in CRYPTO (2008), pp. 39–56

  37. 37.

    V. Goyal, C.-K. Lee, R. Ostrovsky, I. Visconti, Constructing non-malleable commitments: a black-box approach, in FOCS (2012), pp. 51–60

  38. 38.

    I. Giacomelli, J. Madsen, C. Orlandi, Zkboo: faster zero-knowledge for boolean circuits, in USENIX (2016), pp. 1069–1083

  39. 39.

    S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

    MathSciNet  Article  Google Scholar 

  40. 40.

    O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229

  41. 41.

    O. Goldreich, Foundations of Cryptography: Basic Tools (Cambridge University Press, Cambridge, 2001)

    Google Scholar 

  42. 42.

    V. Goyal, R. Ostrovsky, A. Scafuro, I. Visconti, Black-box non-black-box zero knowledge, in STOC (2014), pp. 515–524

  43. 43.

    J. A. Garay, D. Wichs, H.-S. Zhou, Somewhat non-committing encryption and efficient adaptively secure oblivious transfer, in CRYPTO (2009), pp. 505–523

  44. 44.

    D. Harnik, Y. Ishai, E. Kushilevitz, J. B. Nielsen, Ot-combiners via secure computation, in TCC (2008), pp. 393–411

  45. 45.

    B. Hemenway, Z. Jafargholi, R. Ostrovsky, A. Scafuro, D. Wichs, Adaptively secure garbled circuits from one-way functions, in CRYPTO (2016), pp. 149–178

  46. 46.

    S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in CRYPTO (1996), pp. 201–215

  47. 47.

    I. Haitner, O. Reingold, A new interactive hashing theorem, in CCC (2007), pp. 319–332

  48. 48.

    Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in FOCS (2000), pp. 294–304

  49. 49.

    Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in ICALP (2002), pp. 244–256

  50. 50.

    Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in STOC (2007), pp. 21–30

  51. 51.

    Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)

    MathSciNet  Article  Google Scholar 

  52. 52.

    Y. Ishai, E. Kushilevitz, M. Prabhakaran, A. Sahai, C.-H. Yu, Secure protocol transformations, in CRYPTO (2016), pp. 430–458

  53. 53.

    T. Itoh, Y. Ohta, H. Shizuya, A language-dependent cryptographic primitive. J. Cryptol.10(1), 37–50 (1997)

    MathSciNet  Article  Google Scholar 

  54. 54.

    Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in CRYPTO (2008), pp. 572–591

  55. 55.

    Y. Ishai, M. Prabhakaran, A. Sahai, Secure arithmetic computation with no honest majority, in TCC (2009), pp. 294–314

  56. 56.

    Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in TCC (2014), pp. 121–145

  57. 57.

    Z. Jafargholi, A. Scafuro, D. Wichs, Adaptively indistinguishable garbled circuits, in TCC (2017), pp. 40–71

  58. 58.

    Z. Jafargholi, D. Wichs, Adaptive security of yao’s garbled circuits, in TCC (2016), pp. 433–458

  59. 59.

    J. Kilian, Founding cryptography on oblivious transfer, in STOC (1988), pp. 20–31

  60. 60.

    J. Katz, R. Ostrovsky, Round-optimal secure two-party computation, in CRYPTO (2004), pp. 335–354

  61. 61.

    Y. Lindell, B. Pinkas, A proof of security of Yao’s protocol for two-party computation. J. Cryptol.22(2), 161–188 (2009)

    MathSciNet  Article  Google Scholar 

  62. 62.

    D. Lapidot, A. Shamir, Publicly verifiable non-interactive zero-knowledge proofs, in CRYPTO (1990), pp. 353–365

  63. 63.

    Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptol.24(4), 761–799 (2011)

    MathSciNet  Article  Google Scholar 

  64. 64.

    M. Naor, Bit commitment using pseudorandomness. J. Cryptol.4(2), 151–158 (1991)

    Article  Google Scholar 

  65. 65.

    R. Ostrovsky, A. Scafuro, M. Venkitasubramaniam, Resettably sound zero-knowledge arguments from OWFs: the (semi) black-box way, in TCC (2015), pp. 345–374

  66. 66.

    S. J. Ong, S. P. Vadhan, An equivalence between zero knowledge and commitments, in TCC (2008), pp. 482–500

  67. 67.

    B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in ASIACRYPT (2009), pp. 250–267

  68. 68.

    R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in TCC (2009), pp. 403–418

  69. 69.

    A. C.-C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986), pp. 162–167

  70. 70.

    Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in TCC (2009), pp. 183–201

Download references

Author information



Corresponding author

Correspondence to Carmit Hazay.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Carmit Hazay: Research was partially supported by the European Research Council under the ERC consolidators Grant Agreement No. 615172 (HIPS), and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. Research partially supported by a grant from the Israel Ministry of Science and Technology (Grant No. 3-10883). Muthuramakrishnan Venkitasubramaniam: Research supported by Google Faculty Research Grant and NSF Award CNS-1526377.

Communicated by Nigel Smart.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Hazay, C., Venkitasubramaniam, M. On the Power of Secure Two-Party Computation. J Cryptol 33, 271–318 (2020). https://doi.org/10.1007/s00145-019-09314-2

Download citation


  • Adaptive zero-knowledge proofs
  • Secure two-party computation
  • Randomized encoding
  • Instance-dependent commitments