
MPC-in-Multi-Heads: A Multi-Prover Zero-Knowledge Proof System

(or: How to Jointly Prove Any NP Statements in ZK)

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12973)

Abstract

With the rapid development of distributed computing, traditional zero-knowledge proofs (ZKP) are becoming less adequate for privacy-preserving applications in the distributed setting. Take “double financing” as an example: multiple financial providers jointly prove that the sum of their committed values is no more than a given threshold, which generalizes the “range proof” to the multi-prover setting. Traditional zero-knowledge proofs do not seem to lend themselves to this problem on their own.

We identify and fill this gap by formalizing the ZKP system in the multi-prover setting (MPZK), which proves arbitrary NP statements with distributed witnesses. Our MPZK system offers zero-knowledge as long as one prover is honest (while the others may collude arbitrarily), and is thus applicable to “double financing”, “credit checking”, and various other multi-prover applications. We then propose a generic black-box construction from multiparty computation, referred to as “MPC-in-Multi-Heads”, and prove its security under the simulation-based paradigm. We also offer a proof-of-concept implementation and present its experimental results.


Notes

  1. This notion is already present in other contexts. For example, it refers to functions with low (multiplicative) circuit size and depth, which can be efficiently computed using MPC protocols.


Acknowledgements

We would like to thank the reviewers for their helpful suggestions. Yu Chen is supported by National Natural Science Foundation of China (Grant No. 61772522, No. 61932019). Zhen Liu is supported by the National Natural Science Foundation of China (Grant No. 62072305) and the National Cryptography Development Fund (Grant No. MMJJ20170111). Yu Yu was supported by the National Key Research and Development Program of China (Grant Nos. 2020YFA0309705 and 2018YFA0704701) and the National Natural Science Foundation of China (Grant Nos. 62125204, 61872236, and 61971192).


Correspondence to Yu Yu.


A Missing Proofs

In this section, we present the missing proofs in the body.

Proof (of Thm. 1)

The \((m - 1) \cdot (t + 1)\)-threshold security of \(\pi \) implies the existence of a simulator \({S}^{\pi }_{\mathcal {A}^\prime }\) such that, for any \(\mathrm {PPT}\) adversary \(\mathcal {A}^\prime \) corrupting at most \((m - 1) \cdot (t + 1)\) parties, the concatenated outputs of all parties in the real world are indistinguishable from those in the ideal world, where the simulator \({S}^{\pi }_{\mathcal {A}^\prime }\) interacts with the ideal functionality \(\mathcal {F}^{\mathsf {ext}}_{R^m,t}\) and \(\mathcal {A}\).

We then explain, for each of the following corruption cases, how adversarial actions translate into efficient simulation in the ideal world.

Case 1a. In this case, the adversary may actively control any strict subset \(\mathcal {I}\) of the provers and passively control the verifier. The simulator \({S}^{\mathsf {zk}}\) in this case runs as follows:

  1. It first simulates the preparation phase of \(\varPi ^{\pi }_{R^m}\). In particular, let \(w_{\mathcal {I}}^{1},\ldots ,w_{\mathcal {I}}^{t+1}\) be the witnesses of the virtual parties simulated by \(\mathcal {A}\), as extracted and returned by \({S}^{\pi }\); the outer simulator \({S}^{\mathsf {zk}}\) computes \(w_{\mathcal {I}} = \sum _j w_{\mathcal {I}}^j\), sends it to the ideal functionality \(\mathcal {F}^{\mathsf {zk}}_{R^m}\), and forwards the result \(y\in \{0,1\}\) to \(\mathcal {A}\) via \({S}^{\pi }\). In addition, \({S}^{\mathsf {zk}}\) relays any abort command of \(\mathcal {A}\) to \(\mathcal {F}^{\mathsf {zk}}_{R^m}\).

  2. Then, through the simulation of the ideal commitment oracle \(\mathcal {F}^{\mathsf {com}}\), \({S}^{\mathsf {zk}}\) observes the committed views \(V_{\mathcal {I}}\) of \(\mathcal {A}\). From these views and the previous simulation of \(\pi \), \({S}^{\mathsf {zk}}\) defines a consistency graph G: one node for each virtual party, with two nodes connected iff their views are inconsistent.

  3. Then \({S}^{\mathsf {zk}}\) simulates an honest verifier and sends (\(\mathsf sid\), \(\mathsf abort\)) to \(\mathcal {F}^{\mathsf {zk}}_{R^m}\) if an inconsistency is detected.

  4. Otherwise, \({S}^{\mathsf {zk}}\) sends (\(\mathsf sid\), \(\mathsf continue\)) and concludes the simulation.

Next, we argue the effectiveness of the above simulation. Consider the following three cases.

First, if \(|G.E| = 0\) (i.e. no inconsistency), then the correctness of \(\pi \) ensures that the above simulation is correct.

The second case is \(0 < |G.E| \le t\). First, we claim that the verifier aborts with the same probability in both worlds. This holds because the simulation of the verifier is perfect (it requires no trapdoor or correlation). Conditioned on the verifier not aborting, we then claim that the verifier outputs the same y in both worlds except with negligible probability.

The effectiveness of \({S}^{\pi }\) implies that in the real world the honest provers (who together control at least \(t+1\) virtual parties) output y as in the ideal world except with negligible probability. Thus the probability that a real verifier is convinced of the false output \(\bar{y}\) is at most the probability that the random challenge opens only \(\mathcal {A}\)-controlled views (the event \(\mathsf{Miss}\)), which is negligible. In particular, with \(n = m(t+1)\) virtual parties in total, of which \(\mathcal {A}\) controls at most \((m-1)(t+1)\), we have

$$\begin{aligned} \Pr [\bar{y} \leftarrow {V}] \le \Pr [\mathsf{Miss}] = \frac{\left( {\begin{array}{c}(m-1)(t+1)\\ t\end{array}}\right) }{\left( {\begin{array}{c}m(t+1)\\ t\end{array}}\right) } = \prod _{i=0}^{t-1} \frac{(m-1)(t+1)-i}{m(t+1)-i} \le \left( 1 - \frac{1}{m}\right) ^{t} = \mathsf {negl}(\lambda ), \end{aligned}$$

where the last inequality bounds each factor by \((m-1)/m\).

Finally, if \(|G.E| > t\), then G must have a minimal matching of size larger than t/2, and thus the verifier (whether real or simulated) aborts except with probability \((t/n)^t = 2^{-\varOmega (\lambda )}\), which means the two worlds behave the same except with negligible probability.

Case 1b. In this case, the adversary \(\mathcal {A}\) only passively controls the verifier. Notice that

  • the verifier only observes t views in its transcript;

  • the active-\((t+1)\cdot (m-1)\) security of \(\pi \) implies a passive simulator that generates any t views given output y.

Together, this implies that the passive simulation of \(\mathcal {A}\)’s view is efficient in this case.

Case 2. In this case the adversary actively controls all provers. The simulator \({S}^{\mathsf {zk}}\) runs the following steps (since all provers are corrupted, the preparation phase does not need to be simulated):

  1. From the inputs to \(\mathcal {F}^{\mathsf {com}}\), \({S}^{\mathsf {zk}}\) efficiently computes the consistency graph G.

  2. Let \(\mathsf VC\) be a minimum vertex cover of G. If \(|\mathsf{VC}| \ge t\), it sends (\(\mathsf sid\), \(\mathsf abort\)) to \(\mathcal {F}^{\mathsf {zk}}_{R^m}\).

  3. Otherwise, it uses \({S}^{\pi }\) to extract the inputs \(w_\mathsf{VC}\) of the virtual parties in \(\mathsf VC\). It then sends \(w_\mathsf{VC}\) and \(w_\mathsf{\overline{VC}}\) (the inputs of the parties outside \(\mathsf VC\)) to \(\mathcal {F}^{\mathsf {zk}}_{R^m}\) and obtains the output \(y \in \{0,1\}\).

  4. It then simulates an honest verifier and sends (\(\mathsf sid\), \(\mathsf abort\)) if an inconsistency is detected and (\(\mathsf sid\), \(\mathsf continue\)) otherwise.

Next, we argue the effectiveness of the simulation. By the arguments in Case 1a, when the consistency graph has a minimum vertex cover of size \(>t\), the verifier aborts in the real world. Together with the fact that the simulation of the verifier is perfect, we conclude that the verifier aborts with the same probability (up to a negligible difference) in both worlds.

Conditioned on no abort occurring, we claim that the honest parties output the same value in both worlds, which suffices to prove the effectiveness of the above simulation. This holds because the effectiveness of \({S}^{\pi }\) implies that \(y=C(w_\mathsf{VC}, w_\mathsf{\overline{VC}})\), as returned by \(\mathcal {F}^{\mathsf {zk}}_{R^m}\), is indistinguishable from the output of the real execution of \(\pi \) (as reported to \(\mathcal {F}^{\mathsf {com}}\)). Thus the opened views correspond to output y, and the probability that the honest verifier outputs anything other than y is at most \(1/\left( {\begin{array}{c}n\\ t\end{array}}\right) \), which is negligible.
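The following Python script is an added illustration, not code from the paper or its proof-of-concept implementation, of the cut-and-choose check that Case 1a and Case 2 reason about: \(n = m(t+1)\) virtual parties commit their views, the honest verifier opens t of them uniformly at random and aborts on any inconsistent pair, and the simulator reads the same views out of \(\mathcal {F}^{\mathsf {com}}\), builds the consistency graph G and a minimum vertex cover \(\mathsf VC\). It also evaluates \(\Pr[\mathsf{Miss}]\) exactly from the binomial ratio and checks it against \((1 - 1/m)^t\), the bound obtained by bounding each factor \(((m-1)(t+1)-i)/(m(t+1)-i)\) by \((m-1)/m\). The view encoding (each party records the message strings it sent to and received from every other party), the tampered messages and the toy parameters m = 2, t = 3 are constructed for this example; a real instantiation would commit full MPC views and compare the messages they contain.

```python
"""Added example (not from the paper): verifier cut-and-choose over the
consistency graph of n = m*(t+1) virtual parties, exact Pr[Miss], and the
minimum vertex cover used by the Case 2 simulator. All views are toys."""
from fractions import Fraction
from itertools import combinations
from math import comb


def pr_miss(m: int, t: int) -> Fraction:
    """Pr[Miss]: all t opened views lie among the (m-1)(t+1) virtual parties
    that an adversary corrupting m-1 of the m provers controls."""
    return Fraction(comb((m - 1) * (t + 1), t), comb(m * (t + 1), t))


def pr_miss_bound(m: int, t: int) -> Fraction:
    """(1 - 1/m)^t: each factor ((m-1)(t+1)-i)/(m(t+1)-i), 0 <= i < t,
    of Pr[Miss] is at most (m-1)/m."""
    return Fraction(m - 1, m) ** t


def honest_views(n: int) -> list:
    """Constructed transcript: party i sends the string "i->j" to every j and
    records the matching string as received, so every pair is consistent."""
    return [{"sent": {j: f"{i}->{j}" for j in range(n) if j != i},
             "recv": {j: f"{j}->{i}" for j in range(n) if j != i}}
            for i in range(n)]


def consistency_graph(views: list) -> set:
    """Edges (i, j) between virtual parties whose committed views disagree on
    a message exchanged between them (the graph G of the proof)."""
    edges = set()
    for i, j in combinations(range(len(views)), 2):
        if (views[i]["sent"][j] != views[j]["recv"][i]
                or views[j]["sent"][i] != views[i]["recv"][j]):
            edges.add((i, j))
    return edges


def verifier_accepts(edges: set, opened) -> bool:
    """Honest verifier: accept iff no inconsistent pair lies inside the
    t opened views."""
    return not any((min(i, j), max(i, j)) in edges
                   for i, j in combinations(opened, 2))


def detection_probability(n: int, t: int, edges: set) -> Fraction:
    """Exact probability, over a uniformly random t-subset of the n views,
    that the verifier sees at least one inconsistent pair and aborts."""
    subsets = list(combinations(range(n), t))
    caught = sum(1 for s in subsets if not verifier_accepts(edges, s))
    return Fraction(caught, len(subsets))


def min_vertex_cover(n: int, edges: set) -> set:
    """Brute-force minimum vertex cover VC of G (fine for example-sized n).
    The Case 2 simulator aborts when |VC| >= t and otherwise extracts the
    inputs of the parties in VC through the inner simulator."""
    for k in range(n + 1):
        for cover in combinations(range(n), k):
            s = set(cover)
            if all(i in s or j in s for i, j in edges):
                return s
    return set(range(n))


def demo(m: int = 2, t: int = 3) -> dict:
    """Toy run: m = 2 provers, t = 3, so n = 8 virtual parties. Prover 1
    runs parties 0..3, a corrupt prover 2 runs 4..7 and commits two
    inconsistent messages: one between its own parties (4, 5) and one
    towards honest party 0 (edge (0, 7))."""
    n = m * (t + 1)
    views = honest_views(n)
    views[5]["recv"][4] = "4->5 (tampered)"
    views[7]["sent"][0] = "7->0 (tampered)"
    edges = consistency_graph(views)
    vc = min_vertex_cover(n, edges)
    return {
        "edges": edges,
        "pr_miss": pr_miss(m, t),
        "pr_miss_bound": pr_miss_bound(m, t),
        "detect": detection_probability(n, t, edges),
        "vertex_cover_size": len(vc),
        "simulator_aborts": len(vc) >= t,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the toy parameters the script reports the two inconsistent edges, \(\Pr[\mathsf{Miss}] = 1/14\) against the bound \(1/8\), an exact detection probability of 3/14 for this particular graph, and a vertex cover of size 2 < t, so the simulator extracts rather than aborts. Cheating with only a couple of inconsistent pairs is caught with constant probability here; the negligible bounds in the proof come from the choice of t relative to \(\lambda \).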

Proof (of Theorem 2). The optimal threshold security of \(\pi \) implies that simulation against passive corruption is efficient, so we only have to focus on the case of active corruption of all provers. In this case the simulator \({S}^{\mathsf {zk}}\) performs the following steps:

  1. From the inputs to \(\mathcal {F}^{\mathsf {com}}\) in each of the \(\ell \) rounds, \({S}^{\mathsf {zk}}\) simulates the honest verifier’s check and sends (\(\mathsf sid\), \(\mathsf abort\)) if an inconsistency is detected.

  2. If the previous step does not abort, \({S}^{\mathsf {zk}}\) inspects the inputs to \(\mathcal {F}^{\mathsf {com}}\) of each of the \(\ell \) rounds and sends (\(\mathsf sid\), \(\mathsf abort\)) if no w with \(y = C(w,x)\) is found, where y is the verifier’s output.

  3. \({S}^{\mathsf {zk}}\) sends w to \(\mathcal {F}^{\mathsf {zk}}_{R^m}\) and concludes the simulation.

As argued in the previous proof, the simulation of the honest verifier is perfect, and thus the verifier aborts with the same probability in both worlds. Conditioned on no abort occurring, we claim that the honest verifier returns the output y returned by \(\mathcal {F}^{\mathsf {zk}}_{R^m}\) except with negligible probability.

The only difference is the case in which the simulated verifier does not abort and outputs a y for which \({S}^{\mathsf {zk}}\) cannot extract a corresponding w. This means that the inputs w of every one of the \(\ell \) rounds yield \(\bar{y}\); in other words, an inconsistency exists in every round. By the parameter setting, this occurs with probability at most \((t/(t+1))^\ell < 2^{-\lambda }\).


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Cui, H., Zhang, K., Chen, Y., Liu, Z., Yu, Y. (2021). MPC-in-Multi-Heads: A Multi-Prover Zero-Knowledge Proof System. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_17


  • DOI: https://doi.org/10.1007/978-3-030-88428-4_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4
