On the Power of Secure Two-Party Computation

  • Carmit Hazay
  • Muthuramakrishnan Venkitasubramaniam

Abstract

Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007; SIAM J Comput 39(3):1121–1152, 2009) introduced the powerful “MPC-in-the-head” technique, which provides a general transformation of information-theoretic MPC protocols secure against passive adversaries into a ZK proof in a “black-box” way. In this work, we extend this technique and provide a generic transformation of any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so-called oblivious-transfer hybrid model into an adaptive ZK proof for any \(\textsf {NP}\) language, in a “black-box” way assuming only one-way functions. Our basic construction, based on the Goldreich–Micali–Wigderson 2PC protocol, yields an adaptive ZK proof with communication complexity quadratic in the size of the circuit implementing the \(\textsf {NP}\) relation. Previously, such proofs relied on an expensive Karp reduction of the \(\textsf {NP}\) language to Graph Hamiltonicity [Lindell and Zarosim (TCC 2009; J Cryptol 24(4):761–799, 2011)]. As an application of our techniques, we show how to obtain a ZK proof with an “input-delayed” property for any \(\textsf {NP}\) language that is black box in the underlying one-way function and does not rely on expensive Karp reductions. Namely, the input-delayed property allows the honest prover’s algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a “commit-and-prove” protocol with the same property, where the prover commits to a witness w in the second message and proves a statement x regarding the witness w in zero-knowledge, with the statement determined only in the last round. This improves on a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way.
Additionally, we provide a general transformation that constructs a randomized encoding of a function f from any 2PC protocol that securely computes a related functionality (in a black-box way) from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (satisfied by both Yao’s and GMW’s protocols), then the resulting randomized encoding can be decomposed into an offline/online encoding.
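The MPC-in-the-head technique that this work generalizes is shown below in toy form. This is an added example, not code from the paper or its authors: it instantiates the IKOS paradigm with a 3-party passive-secure protocol over additively shared bits, commits to each simulated party's view with SHA-256, and lets the verifier open two views and check them for consistency; the fixed XOR/AND circuit, the ZKBoo-style product rule for AND gates and the hash-based commitment are assumptions of the example, and the paper's own starting point (a 2PC protocol in the OT-hybrid model) is not implemented here.

```python
import hashlib, json, secrets
# Constructed toy circuit over GF(2) (an assumption of this example, not from the paper):
# wires 0..N_IN-1 hold the witness bits, each gate appends a wire, the last wire is C(w).
N_IN = 3
CIRCUIT = [("and", 0, 1), ("xor", 2, 3), ("and", 3, 4)]

def gate_value(g, i, wires, rand):
    """Party i's share of gate g. XOR is local; AND uses the 3-party rule
    c_i = a_i b_i ^ a_j b_i ^ a_i b_j ^ r_i ^ r_j (j = i+1), so the c_i XOR to a & b."""
    op, a, b = CIRCUIT[g]
    j = (i + 1) % 3
    if op == "xor":
        return wires[i][a] ^ wires[i][b]
    return ((wires[i][a] & wires[i][b]) ^ (wires[j][a] & wires[i][b])
            ^ (wires[i][a] & wires[j][b]) ^ rand[i][g] ^ rand[j][g])
def commit(view, nonce):
    return hashlib.sha256(nonce + json.dumps(view).encode()).hexdigest()

def prove_commit(w):
    """Prover, round 1: run the 3-party protocol 'in the head' on additive shares of w
    and commit to each party's view (input shares, random tape, every wire value)."""
    rand = [[secrets.randbits(1) for _ in CIRCUIT] for _ in range(3)]
    wires = [[secrets.randbits(1) for _ in w] for _ in range(2)]
    wires.append([w[k] ^ wires[0][k] ^ wires[1][k] for k in range(N_IN)])
    for g in range(len(CIRCUIT)):   # gate g reads only wires below N_IN + g, so order is safe
        for i in range(3):
            wires[i].append(gate_value(g, i, wires, rand))
    views = [{"wires": wires[i], "rand": rand[i]} for i in range(3)]
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    comms = [commit(v, n) for v, n in zip(views, nonces)]
    out_shares = [v["wires"][-1] for v in views]   # shares of C(w), sent in the clear
    return comms, out_shares, {"views": views, "nonces": nonces}

def prove_open(state, e):   # Prover, round 3: open views e and e+1 chosen by the verifier
    i, j = e, (e + 1) % 3
    return [state["views"][i], state["views"][j]], [state["nonces"][i], state["nonces"][j]]

def verify(comms, out_shares, e, opened, nonces):
    """Verifier: output shares XOR to 1, opened views match their commitments, and party e's
    wires equal what the gate rule derives from its own inputs/tape and party e+1's view."""
    i, j = e, (e + 1) % 3
    if sum(out_shares) % 2 != 1:
        return False
    for k, v, n in ((i, opened[0], nonces[0]), (j, opened[1], nonces[1])):
        if commit(v, n) != comms[k] or v["wires"][-1] != out_shares[k]:
            return False
    wires = {i: opened[0]["wires"][:N_IN], j: opened[1]["wires"]}
    rand = {i: opened[0]["rand"], j: opened[1]["rand"]}
    for g in range(len(CIRCUIT)):
        wires[i].append(gate_value(g, i, wires, rand))
    return wires[i] == opened[0]["wires"]
```

One round checks only one of the three view pairs, so a cheating prover escapes with probability up to 2/3 and the round is repeated with fresh randomness; conversely, any two views of this additively shared protocol are independent of w, which is where zero knowledge comes from.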


Keywords: Adaptive zero-knowledge proofs · Secure two-party computation · Randomized encoding · Instance-dependent commitments



References

  1. S. Ames, C. Hazay, Y. Ishai, M. Venkitasubramaniam, Ligero: lightweight sublinear arguments without a trusted setup, in CCS (2017), pp. 2087–2104
  2. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\), in FOCS (2004), pp. 166–175
  3. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(NC^0\). SIAM J. Comput. 36(4), 845–888 (2006)
  4. B. Applebaum, Y. Ishai, E. Kushilevitz, From secrecy to soundness: efficient verification via secure computation, in ICALP (2010), pp. 152–163
  5. S. Agrawal, Y. Ishai, D. Khurana, A. Paskin-Cherniavsky, Statistical randomized encodings: a complexity theoretic view, in ICALP (2015), pp. 1–13
  6. B. Applebaum, Y. Ishai, E. Kushilevitz, B. Waters, Encoding functions with constant online rate or how to compress garbled circuits keys, in CRYPTO (2013), pp. 166–184
  7. B. Applebaum, Key-dependent message security: generic amplification and completeness. J. Cryptol. 27(3), 429–451 (2014)
  8. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
  9. D. Beaver, Correlated pseudorandomness and the complexity of private computations, in STOC (1996), pp. 479–488
  10. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in STOC (1988), pp. 1–10
  11. B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in EUROCRYPT (2010), pp. 423–444
  12. M. Bellare, V. T. Hoang, P. Rogaway, Foundations of garbled circuits, in CCS (2012), pp. 784–796
  13. M. Bellare, S. Micali, R. Ostrovsky, in STOC (1990), pp. 482–493
  14. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in STOC (1990), pp. 503–513
  15. R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
  16. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (abstract), in CRYPTO (1987), p. 462
  17. R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, Adaptive versus non-adaptive security of multi-party protocols. J. Cryptol. 17(3), 153–207 (2004)
  18. I. Cascudo, I. Damgård, B. M. David, I. Giacomelli, J. B. Nielsen, R. Trifiletti, Additively homomorphic UC commitments with optimal amortized overhead, in PKC (2015), pp. 495–515
  19. M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, C. Rechberger, D. Slamanig, G. Zaverucha, Post-quantum zero-knowledge and signatures from symmetric-key primitives, in CCS (2017), pp. 1825–1842
  20. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in STOC (2002), pp. 494–503
  21. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Improved OR-composition of sigma-protocols, in TCC (2016), pp. 112–141
  22. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Online/offline OR composition of sigma protocols, in EUROCRYPT (2016), pp. 63–92
  23. R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Equivocating Yao: constant-round adaptively secure multiparty computation in the plain model, in STOC (2017), pp. 497–509
  24. C. Crépeau, J. van de Graaf, A. Tapp, Committed oblivious transfer and private multi-party computation, in CRYPTO (1995), pp. 110–123
  25. I. Damgård, On \(\Sigma \)-protocols (2010)
  26. I. Damgård, Y. Ishai, Scalable secure multiparty computation, in CRYPTO (2006), pp. 501–520
  27. I. Damgård, J. B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption, in CRYPTO (2000), pp. 432–450
  28. I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures, in CRYPTO (1993), pp. 250–265
  29. U. Feige, J. Kilian, M. Naor, A minimal model for secure computation (extended abstract), in STOC (1994), pp. 554–563
  30. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
  31. U. Feige, A. Shamir, Zero knowledge proofs of knowledge in two rounds, in CRYPTO (1989), pp. 526–544
  32. R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: outsourcing computation to untrusted workers, in CRYPTO (2010), pp. 465–482
  33. V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in TCC (2010), pp. 308–326
  34. O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–190 (1996)
  35. C. Ganesh, Y. Kondi, A. Patra, P. Sarkar, Efficient adaptively secure zero-knowledge from garbled circuits, in PKC (2018), pp. 499–529
  36. S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in CRYPTO (2008), pp. 39–56
  37. V. Goyal, C.-K. Lee, R. Ostrovsky, I. Visconti, Constructing non-malleable commitments: a black-box approach, in FOCS (2012), pp. 51–60
  38. I. Giacomelli, J. Madsen, C. Orlandi, ZKBoo: faster zero-knowledge for Boolean circuits, in USENIX (2016), pp. 1069–1083
  39. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
  40. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229
  41. O. Goldreich, Foundations of Cryptography: Basic Tools (Cambridge University Press, Cambridge, 2001)
  42. V. Goyal, R. Ostrovsky, A. Scafuro, I. Visconti, Black-box non-black-box zero knowledge, in STOC (2014), pp. 515–524
  43. J. A. Garay, D. Wichs, H.-S. Zhou, Somewhat non-committing encryption and efficient adaptively secure oblivious transfer, in CRYPTO (2009), pp. 505–523
  44. D. Harnik, Y. Ishai, E. Kushilevitz, J. B. Nielsen, OT-combiners via secure computation, in TCC (2008), pp. 393–411
  45. B. Hemenway, Z. Jafargholi, R. Ostrovsky, A. Scafuro, D. Wichs, Adaptively secure garbled circuits from one-way functions, in CRYPTO (2016), pp. 149–178
  46. S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in CRYPTO (1996), pp. 201–215
  47. I. Haitner, O. Reingold, A new interactive hashing theorem, in CCC (2007), pp. 319–332
  48. Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in FOCS (2000), pp. 294–304
  49. Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in ICALP (2002), pp. 244–256
  50. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in STOC (2007), pp. 21–30
  51. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
  52. Y. Ishai, E. Kushilevitz, M. Prabhakaran, A. Sahai, C.-H. Yu, Secure protocol transformations, in CRYPTO (2016), pp. 430–458
  53. T. Itoh, Y. Ohta, H. Shizuya, A language-dependent cryptographic primitive. J. Cryptol. 10(1), 37–50 (1997)
  54. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in CRYPTO (2008), pp. 572–591
  55. Y. Ishai, M. Prabhakaran, A. Sahai, Secure arithmetic computation with no honest majority, in TCC (2009), pp. 294–314
  56. Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in TCC (2014), pp. 121–145
  57. Z. Jafargholi, A. Scafuro, D. Wichs, Adaptively indistinguishable garbled circuits, in TCC (2017), pp. 40–71
  58. Z. Jafargholi, D. Wichs, Adaptive security of Yao’s garbled circuits, in TCC (2016), pp. 433–458
  59. J. Kilian, Founding cryptography on oblivious transfer, in STOC (1988), pp. 20–31
  60. J. Katz, R. Ostrovsky, Round-optimal secure two-party computation, in CRYPTO (2004), pp. 335–354
  61. Y. Lindell, B. Pinkas, A proof of security of Yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009)
  62. D. Lapidot, A. Shamir, Publicly verifiable non-interactive zero-knowledge proofs, in CRYPTO (1990), pp. 353–365
  63. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptol. 24(4), 761–799 (2011)
  64. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
  65. R. Ostrovsky, A. Scafuro, M. Venkitasubramaniam, Resettably sound zero-knowledge arguments from OWFs: the (semi) black-box way, in TCC (2015), pp. 345–374
  66. S. J. Ong, S. P. Vadhan, An equivalence between zero knowledge and commitments, in TCC (2008), pp. 482–500
  67. B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in ASIACRYPT (2009), pp. 250–267
  68. R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in TCC (2009), pp. 403–418
  69. A. C.-C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986), pp. 162–167
  70. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in TCC (2009), pp. 183–201

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Carmit Hazay, Bar-Ilan University, Ramat Gan, Israel
  • Muthuramakrishnan Venkitasubramaniam, University of Rochester, Rochester, USA
