Abstract
Distributed Zero-Knowledge (dZK) proofs, recently introduced by Boneh et al. (CRYPTO’19), allow a prover \(\mathcal{P}\) to prove NP statements on an input x which is distributed between k verifiers \(\mathcal{V}_1,\ldots ,\mathcal{V}_k\), where each \(\mathcal{V}_i\) holds only a piece of x. As in standard ZK proofs, dZK proofs guarantee Completeness when all parties are honest; Soundness against a malicious prover colluding with t verifiers; and Zero Knowledge against a subset of t malicious verifiers, in the sense that they learn nothing about the NP witness and the input pieces of the honest verifiers.
Unfortunately, dZK proofs provide no correctness guarantee for an honest prover against a subset of maliciously corrupted verifiers. In particular, such verifiers might be able to “frame” the prover, causing honest verifiers to reject a true claim. This is a significant limitation, since such scenarios arise naturally in dZK applications, e.g., for proving honest behavior, and such attacks are indeed possible in existing dZKs (Boneh et al., CRYPTO’19).
We put forth and study the notion of strong completeness for dZKs, guaranteeing that true claims are accepted even when t verifiers are maliciously corrupted. We then design strongly-complete dZK proofs using the “MPC-in-the-head” paradigm of Ishai et al. (STOC’07), providing a novel analysis that exploits the unique properties of the distributed setting.
To demonstrate the usefulness of strong completeness, we present several applications in which it is instrumental in obtaining security. First, we construct a certifiable version of Verifiable Secret Sharing (VSS), which is a VSS in which the dealer additionally proves that the shared secret satisfies a given NP relation. Our construction withstands a constant fraction of corruptions, whereas a previous construction of Ishai et al. (TCC‘14) required \(k={\textsf{poly}}\left( t\right) \). We also design a reusable version of certifiable VSS that we introduce, in which the dealer can prove an unlimited number of predicates on the same shared secret.
Finally, we extend a compiler of Boneh et al. (CRYPTO’19), who used dZKs to transform a class of “natural” semi-honest protocols in the honest-majority setting into maliciously secure ones with abort. Our compiler uses strongly-complete dZKs to obtain identifiable abort.
Notes
1. Various works have considered other models, e.g., when security is only computational, or when the input statement is known in full to all verifiers. These models are discussed in Sect. 1.5, but similar to [BBC+19b] our focus is on information-theoretic security when the input statement is distributed between the verifiers.
2. More specifically, this paradigm applies to a class of natural protocols which guarantee, among other things, that privacy is preserved up to the final round even in the presence of malicious corruptions; see the full version for further details.
3. Roughly, this holds in their protocols because the verifiers do not have any private coins, and \(\mathcal{P}\) knows the entire input statement x.
4. Notice that the dZK proof is for input statements that are distributed between the verifiers using a robust encoding. [BBC+19b] make the same assumption. The reason to focus on such languages is that [BBC+19a, Sec. 6.3.2] shows limitations on the existence of dZK proofs for languages that are not robustly encoded.
5. See Sect. 1.5 for a comparison between our construction and other constructions using this technique in the two-party and in other distributed settings.
6. The messages sent from party i to party j appear explicitly in the view of party j, and the messages party j sent to party i can be computed from its view.
7. [AKP22] also obtain a fully information-theoretically secure VRS assuming ideal non-interactive commitments, as well as a computationally sound and statistically ZK (statistically sound and computationally ZK, respectively) VRS based on computationally binding and statistically hiding (statistically binding and computationally hiding, respectively) non-interactive commitments [App22].
8. In the computational setting one can use standard tools such as commitments to help resolve disputes between parties, but in the information-theoretic setting this seems to require a more sophisticated dispute-resolution sub-protocol.
9. Notice that if \(\textsf{Enc}\) is randomized then x might have several corresponding k-distributed inputs X.
10. We note that w may also be the empty string, e.g., if \(\widehat{\mathcal{R}}\) corresponds to a language in \(\textsf {P}\).
References
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS, pp. 2087–2104 (2017)
Applebaum, B., Kachlon, E., Patra, A.: The resiliency of MPC with low interaction: the benefit of making errors (extended abstract). In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 562–594. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_20
Applebaum, B., Kachlon, E., Patra, A.: Verifiable relation sharing and multi-verifier zero-knowledge in two rounds: trading NIZKs with honest majority: (extended abstract). In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO 2022, Part IV, pp. 33–56. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_2
Applebaum, B.: Private communication (2022)
Boneh, D., Boyle, E., Corrigan-Gibbs, H., Gilboa, N., Ishai, Y.: How to prove a secret: zero-knowledge proofs on distributed data via fully linear PCPs. IACR Cryptol. ePrint Arch. 188 (2019)
Boneh, D., Boyle, E., Corrigan-Gibbs, H., Gilboa, N., Ishai, Y.: Zero-knowledge proofs on secret-shared data via fully linear PCPs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 67–97. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_3
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: ICALP, pp. 14:1–14:17 (2018)
Ben-Sasson, E., Carmon, D., Ishai, Y., Kopparty, S., Saraf, S.: Proximity gaps for Reed-Solomon codes. In: FOCS, pp. 900–909 (2020)
Burmester, M., Desmedt, Y.: Broadcast interactive proofs. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 81–95. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_7
Bhadauria, R., Fang, Z., Hazay, C., Venkitasubramaniam, M., Xie, T., Zhang, Y.: Ligero++: a new optimized sublinear IOP. In: CCS, pp. 2025–2038 (2020)
Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing: improvements and extensions. In: CCS, pp. 1292–1303. ACM (2016)
Boyle, E., Gilboa, N., Ishai, Y., Nof, A.: Practical fully secure three-party computation via sublinear distributed zero-knowledge proofs. In: CCS, pp. 869–886. ACM (2019)
Boyle, E., Gilboa, N., Ishai, Y., Nof, A.: Efficient fully secure computation via distributed zero-knowledge proofs. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 244–276. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_9
Boyle, E., Gilboa, N., Ishai, Y., Nof, A.: Sublinear GMW-style compiler for MPC with preprocessing. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 457–485. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_16
Baum, C., Jadoul, R., Orsini, E., Scholl, P., Smart, N.P.: Feta: efficient threshold designated-verifier zero-knowledge proofs. In: CCS, pp. 293–306. ACM (2022)
Brandt, N.-P., Maier, S., Müller, T., Müller-Quade, J.: Constructing secure multi-party computation with identifiable abort. IACR Cryptol. ePrint Arch. 153 (2020)
Baum, C., Orsini, E., Scholl, P.: Efficient secure multiparty computation with identifiable abort. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 461–490. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_18
Baum, C., Orsini, E., Scholl, P., Soria-Vazquez, E.: Efficient constant-round MPC with identifiable abort and public verifiability. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 562–592. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_20
Brandt, N.: Tight setup bounds for identifiable abort. IACR Cryptol. ePrint Arch. 684 (2021)
Corrigan-Gibbs, H., Boneh, D.: Prio: private, robust, and scalable computation of aggregate statistics. In: USENIX, pp. 259–282 (2017)
Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: an anonymous messaging system handling millions of users. In: SP, pp. 321–338 (2015)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: CCS, pp. 1825–1842 (2017)
Cunningham, R.K., Fuller, B., Yakoubov, S.: Catching MPC cheaters: identification and openability. In: ICITS, pp. 110–134 (2017)
Cohen, R., Lindell, Y.: Fairness versus guaranteed output delivery in secure multiparty computation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 466–485. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_25
Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC (1986)
Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_30
Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: On 2-round secure multiparty computation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 178–193. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_12
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for boolean circuits. In: USENIX, pp. 1069–1083 (2016)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC, pp. 291–304. ACM (1985)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229. ACM (1987)
Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_18
Gvili, Y., Scheffler, S., Varia, M.: BooLigero: improved sublinear zero knowledge proofs for boolean circuits. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12674, pp. 476–496. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-64322-8_23
Hazay, C., Venkitasubramaniam, M., Weiss, M.: Your reputation’s safe with me: framing-free distributed zero-knowledge proofs. IACR Cryptol. ePrint Arch. 2022(1523) (2022). https://eprint.iacr.org/2022/1523
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC, pp. 21–30 (2007)
Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21
Ishai, Y., Weiss, M.: Probabilistically checkable proofs of proximity with zero-knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 121–145. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_6
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: CCS, pp. 525–537 (2018)
Spini, G., Fehr, S.: Cheater detection in SPDZ multiparty computation. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 151–176. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_8
Simkin, M., Siniscalchi, L., Yakoubov, S.: On sufficient oracles for secure computation with identifiable abort. In: Galdi, C., Jarecki, S. (eds.) Security and Cryptography for Networks: 13th International Conference, SCN 2022, Proceedings, pp. 494–515. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-14791-3_22
Yang, K., Wang, X.: Non-interactive zero-knowledge proofs to multiple verifiers. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022. LNCS, vol. 13793, pp. 517–546. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_18
Acknowledgment
We thank Benny Applebaum for helpful discussions and for pointing out to us the reduction from VRS to dZK. The first and third authors are supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. The first author is supported by ISF grant No. 1316/18. The first and second authors are supported by DARPA under Contract No. HR001120C0087. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA. The first author is supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation.
© 2023 International Association for Cryptologic Research
Hazay, C., Venkitasubramaniam, M., Weiss, M. (2023). Your Reputation’s Safe with Me: Framing-Free Distributed Zero-Knowledge Proofs. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14369. Springer, Cham. https://doi.org/10.1007/978-3-031-48615-9_2
DOI: https://doi.org/10.1007/978-3-031-48615-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48614-2
Online ISBN: 978-3-031-48615-9