TY - GEN
T1 - How to Share an NP Statement or Combiners for Zero-Knowledge Proofs
AU - Applebaum, Benny
AU - Kachlon, Eliran
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2025.
PY - 2025
Y1 - 2025
N2 - In Crypto’19, Goyal, Jain, and Sahai (GJS) introduced the elegant notion of secret-sharing of anNPstatement (NPSS). Roughly speaking, a t-out-of-n secret sharing of an NP statement is a reduction that maps an instance-witness pair to n instance-witness pairs such that any subset of (t-1) reveals no information about the original witness, while any subset of t allows full recovery of the original witness. Although the notion was formulated for general t≤n, the only existing construction (due to GJS) applies solely to the case where t=n and provides only computational privacy. In this paper, we further explore NPSS and present the following contributions. Definition. We revisit the notion of NPSS by formulating a new definition of information-theoretically secure NPSS. This notion serves as a cryptographic analogue of standard NP-reductions and can be compiled into the GJS definition using any one-way function.Construction. We construct information-theoretic t-out-of-n NPSS for any values of t≤n with complexity polynomial in n. Along the way, we present a new notion of secure multiparty computation that may be of independent interest.Applications. Our NPSS framework enables the non-interactive combination of n instances of zero-knowledge proofs, where only ts of them are sound and only tz are zero-knowledge, provided that ts+tz>n. Our combiner preserves various desirable properties, such as the succinctness of the proof. Building on this, we establish the following results under the minimal assumption of one-way functions: 1. Standard NIZK implies NIZK in the Multi-String Model (Groth and Ostrovsky, J. Cryptology, 2014), where security holds as long as a majority of the n common reference strings were honestly generated. Previously, such a transformation was only known in the common random string model, where the reference string is uniformly distributed. 2. A Designated-Prover NIZK in the Multi-String Model, achieving a strong form of two-round Multi-Verifier Zero-Knowledge in the honest-majority setting. 3. A three-round secure multiparty computation protocol for general functions in the honest-majority setting. The round complexity of this protocol is optimal, resolving a line of research that previously relied on stronger assumptions (Asharov et al., Eurocrypt’12; Gordon et al., Crypto’15; Ananth et al., Crypto’18; Badrinarayanan et al., Asiacrypt’20; Applebaum et al., TCC’22). Definition. We revisit the notion of NPSS by formulating a new definition of information-theoretically secure NPSS. This notion serves as a cryptographic analogue of standard NP-reductions and can be compiled into the GJS definition using any one-way function. Construction. We construct information-theoretic t-out-of-n NPSS for any values of t≤n with complexity polynomial in n. Along the way, we present a new notion of secure multiparty computation that may be of independent interest. Applications. Our NPSS framework enables the non-interactive combination of n instances of zero-knowledge proofs, where only ts of them are sound and only tz are zero-knowledge, provided that ts+tz>n. Our combiner preserves various desirable properties, such as the succinctness of the proof. Building on this, we establish the following results under the minimal assumption of one-way functions: 1. Standard NIZK implies NIZK in the Multi-String Model (Groth and Ostrovsky, J. Cryptology, 2014), where security holds as long as a majority of the n common reference strings were honestly generated. Previously, such a transformation was only known in the common random string model, where the reference string is uniformly distributed. 2. A Designated-Prover NIZK in the Multi-String Model, achieving a strong form of two-round Multi-Verifier Zero-Knowledge in the honest-majority setting. 3. A three-round secure multiparty computation protocol for general functions in the honest-majority setting. The round complexity of this protocol is optimal, resolving a line of research that previously relied on stronger assumptions (Asharov et al., Eurocrypt’12; Gordon et al., Crypto’15; Ananth et al., Crypto’18; Badrinarayanan et al., Asiacrypt’20; Applebaum et al., TCC’22).
AB - In Crypto’19, Goyal, Jain, and Sahai (GJS) introduced the elegant notion of secret-sharing of anNPstatement (NPSS). Roughly speaking, a t-out-of-n secret sharing of an NP statement is a reduction that maps an instance-witness pair to n instance-witness pairs such that any subset of (t-1) reveals no information about the original witness, while any subset of t allows full recovery of the original witness. Although the notion was formulated for general t≤n, the only existing construction (due to GJS) applies solely to the case where t=n and provides only computational privacy. In this paper, we further explore NPSS and present the following contributions. Definition. We revisit the notion of NPSS by formulating a new definition of information-theoretically secure NPSS. This notion serves as a cryptographic analogue of standard NP-reductions and can be compiled into the GJS definition using any one-way function.Construction. We construct information-theoretic t-out-of-n NPSS for any values of t≤n with complexity polynomial in n. Along the way, we present a new notion of secure multiparty computation that may be of independent interest.Applications. Our NPSS framework enables the non-interactive combination of n instances of zero-knowledge proofs, where only ts of them are sound and only tz are zero-knowledge, provided that ts+tz>n. Our combiner preserves various desirable properties, such as the succinctness of the proof. Building on this, we establish the following results under the minimal assumption of one-way functions: 1. Standard NIZK implies NIZK in the Multi-String Model (Groth and Ostrovsky, J. Cryptology, 2014), where security holds as long as a majority of the n common reference strings were honestly generated. Previously, such a transformation was only known in the common random string model, where the reference string is uniformly distributed. 2. A Designated-Prover NIZK in the Multi-String Model, achieving a strong form of two-round Multi-Verifier Zero-Knowledge in the honest-majority setting. 3. A three-round secure multiparty computation protocol for general functions in the honest-majority setting. The round complexity of this protocol is optimal, resolving a line of research that previously relied on stronger assumptions (Asharov et al., Eurocrypt’12; Gordon et al., Crypto’15; Ananth et al., Crypto’18; Badrinarayanan et al., Asiacrypt’20; Applebaum et al., TCC’22). Definition. We revisit the notion of NPSS by formulating a new definition of information-theoretically secure NPSS. This notion serves as a cryptographic analogue of standard NP-reductions and can be compiled into the GJS definition using any one-way function. Construction. We construct information-theoretic t-out-of-n NPSS for any values of t≤n with complexity polynomial in n. Along the way, we present a new notion of secure multiparty computation that may be of independent interest. Applications. Our NPSS framework enables the non-interactive combination of n instances of zero-knowledge proofs, where only ts of them are sound and only tz are zero-knowledge, provided that ts+tz>n. Our combiner preserves various desirable properties, such as the succinctness of the proof. Building on this, we establish the following results under the minimal assumption of one-way functions: 1. Standard NIZK implies NIZK in the Multi-String Model (Groth and Ostrovsky, J. Cryptology, 2014), where security holds as long as a majority of the n common reference strings were honestly generated. Previously, such a transformation was only known in the common random string model, where the reference string is uniformly distributed. 2. A Designated-Prover NIZK in the Multi-String Model, achieving a strong form of two-round Multi-Verifier Zero-Knowledge in the honest-majority setting. 3. A three-round secure multiparty computation protocol for general functions in the honest-majority setting. The round complexity of this protocol is optimal, resolving a line of research that previously relied on stronger assumptions (Asharov et al., Eurocrypt’12; Gordon et al., Crypto’15; Ananth et al., Crypto’18; Badrinarayanan et al., Asiacrypt’20; Applebaum et al., TCC’22).
UR - https://www.scopus.com/pages/publications/105014139322
U2 - 10.1007/978-3-032-01907-3_16
DO - 10.1007/978-3-032-01907-3_16
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:105014139322
SN - 9783032019066
T3 - Lecture Notes in Computer Science
SP - 480
EP - 513
BT - Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings
A2 - Tauman Kalai, Yael
A2 - Kamara, Seny F.
PB - Springer Science and Business Media Deutschland GmbH
T2 - 45th Annual International Cryptology Conference, CRYPTO 2025
Y2 - 17 August 2025 through 21 August 2025
ER -