Cryptography in the Multi-string Model

  • Jens Groth
  • Rafail Ostrovsky
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


The common random string model introduced by Blum, Feldman and Micali permits the construction of cryptographic protocols that are provably impossible to realize in the standard model. We can think of this model as a trusted party generating a random string and giving it to all parties in the protocol. However, the introduction of such a third party should set alarm bells going off: Who is this trusted party? Why should we trust that the string is random? Even if the string is uniformly random, how do we know it does not leak private information to the trusted party? The very point of doing cryptography in the first place is to prevent us from trusting the wrong people with our secrets.

In this paper, we propose the more realistic multi-string model. Instead of having one trusted authority, we have several authorities that generate random strings. We do not trust any single authority; we only assume a majority of them generate the random string honestly. This security model is reasonable, yet at the same time it is very easy to implement. We could for instance imagine random strings being provided on the Internet, and any set of parties that want to execute a protocol just need to agree on which authorities’ strings they want to use.

We demonstrate the use of the multi-string model in several fundamental cryptographic tasks. We define multi-string non-interactive zero-knowledge proofs and prove that they exist under general cryptographic assumptions. Our multi-string NIZK proofs have very strong security properties such as simulation- extractability and extraction zero-knowledge, which makes it possible to compose them with arbitrary other protocols and to reuse the random strings. We also build efficient simulation-sound multi-string NIZK proofs for circuit satisfiability based on groups with a bilinear map. The sizes of these proofs match the best constructions in the single common random string model.

We suggest a universally composable commitment scheme in the multi-string model. It has been proven that UC commitment does not exist in the plain model without setup assumptions. Prior to this work, constructions were only known in the common reference string model and the registered public key model. One of the applications of the UC commitment scheme is a coin-flipping protocol in the multi-string model. Armed with the coin-flipping protocol, we can securely realize any multi-party computation protocol.


Common random string model multi-string model non-interactive zero-knowledge universally composable commitment multi-party computation 


  1. [Adl78]
    Adleman, L.M.: Two theorems on random polynomial time. In: Proceedings of FOCS 1978, pp. 75–83 (1978)Google Scholar
  2. [BBS04]
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)Google Scholar
  3. [BCNP04]
    Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: Proceedings of FOCS 2004, pp. 186–195 (2004)Google Scholar
  4. [BDMP91]
    Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM Jornal of Computation 20(6), 1084–1118 (1991)zbMATHCrossRefGoogle Scholar
  5. [BF03]
    Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. SIAM Journal of Computing 32(3), 586–615 (2003)zbMATHCrossRefGoogle Scholar
  6. [BFM88]
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of STOC 1988, pp. 103–112 (1988)Google Scholar
  7. [Can01]
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of FOCS 2001, pp. 136–145 (2001) Full paper available at
  8. [CF01]
    Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001), Google Scholar
  9. [CLOS02]
    Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Proceedings of STOC 2002, pp. 494–503 (2002), Full paper available at
  10. [Dam92]
    Damgård, I.: Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with proprocessing. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 341–355. Springer, Heidelberg (1993)Google Scholar
  11. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001)Google Scholar
  12. [DDP99]
    De Santis, A., Di Crescenzo, G., Persiano, G.: Non-interactive zero-knowledge: A low-randomness characterization of np. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 271–280. Springer, Heidelberg (1999)Google Scholar
  13. [DDP02]
    De Santis, A., Di Crescenzo, G., Persiano, G.: Randomness-optimal characterization of two np proof systems. In: Rolim, J.D.P., Vadhan, S.P. (eds.) RANDOM 2002. LNCS, vol. 2483, pp. 179–193. Springer, Heidelberg (2002)Google Scholar
  14. [DN02]
    Damgård, I., Nielsen, J.B.: Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002)Google Scholar
  15. [DP92]
    De Santis, A., Persiano, G.: Zero-knowledge proofs of knowledge without interaction. In: Proceedings of FOCS ’92, pp. 427–436 (1992)Google Scholar
  16. [FLS99]
    Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM Journal of Computing 29(1), 1–28 (1999)zbMATHCrossRefGoogle Scholar
  17. [GMR89]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proofs (First published at STOC 1985). SIAM Journal of Computing 18(1), 186–208 (1989)zbMATHCrossRefGoogle Scholar
  18. [GMW87]
    Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game, or A completeness theorem for protocols with honest majority. In: Proceedings of STOC ’87, pp. 218–229 (1987)Google Scholar
  19. [GO94]
    Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. Journal of Cryptology 7(1), 1–32 (1994)zbMATHCrossRefGoogle Scholar
  20. [GO07]
    Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Proceedings of CRYPTO 2007. LNCS (2007), Full paper available at
  21. [GOS06a]
    Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for nizk. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. [GOS06b]
    Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero-knowledge for np. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. [GP90]
    Granville, A., Pomerance, C.: On the Least Prime in Certain Arithmetic Progressions. Journal of the London Mathematical Society s2-41(2), 193–200 (1990)CrossRefGoogle Scholar
  24. [Gro06]
    Groth, J.: Simulation-sound nizk proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, Springer, Heidelberg (2006), CrossRefGoogle Scholar
  25. [KP98]
    Kilian, J., Petrank, E.: An efficient noninteractive zero-knowledge proof system for np with general assumptions. Journal of Cryptology 11(1), 1–27 (1998)zbMATHCrossRefGoogle Scholar
  26. [PPS06]
    Padney, O., Prabhakaran, M., Sahai, A.: personal communication (November 2006)Google Scholar
  27. [RCW07]
    Canetti, R.P.R., Dodis, Y., Walfish, S.: Universally composable security with pre-existing setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007), CrossRefGoogle Scholar
  28. [Sah01]
    Sahai, A.: Non-malleable non-interactive zero-knowledge and adaptive chosen-ciphertext security. In: Proceedings of FOCS 2001, pp. 543–553 (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Jens Groth
    • 1
  • Rafail Ostrovsky
    • 1
  1. 1.University of California, Los Angeles, CA 90095 

Personalised recommendations