From Secure MPC to Efficient Zero-Knowledge

Transcription

1 From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017

2 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1

3 Interactive Proof Systems [GMR85] NP admits efficient non-interactive proofs G is 3- colorable G = public graph prover verifier

4 Interactive Proof Systems [GMR85] IP: class of languages that have an interactive proof system G is not 3- colorable prover and verifier exchange a sequence of messages accept prover verifier

5 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 prover verifier

6 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 can also allow soundness error ε prover verifier

7 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 Efficiency: V runs in polynomial time (in x ) computationally unbounded randomized, efficient prover verifier

8 Interactive Proof Systems [GMR85] IP: class of languages that have an interactive proof system dip = NP (dip: interactive proofs with deterministic verifier) IP = PSPACE [LFKN90, Sha90] prover verifier

9 Zero-Knowledge Proofs [GMR85] G is 3- colorable G = The proof reveals the witness! Can we prove to a verifier that a statement x is in a language L without revealing anything more about x other than the fact that x L?

10 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists an efficient simulator S such that: x L P, V x c S(x)

11 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) honest verifier zero-knowledge (HVZK): simulator exists only for honest verifier real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists zero-knowledge an efficient simulator S such that: x L P, V x c S(x) can also consider statistical zero-knowledge and perfect

12 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) real distribution ideal distribution Assuming the existence of one-way functions (OWFs), every NP (in fact, IP) language has a computational zero-knowledge proof system [GMW86]

13 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 r 1 r 2 P 1 P 2 f

14 Two-Party Computation Every message is a deterministic function of the party s input, its internal randomness, and the set of messages it has received Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 f

15 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 Correctness: y 1 = f w 1, w 2 = y 2 f

16 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 f View Pi w 1, w 2 ; r 1, r 2 = w i, r i, m i

17 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 f View Pi w 1, w 2 ; r 1, r 2 = w i, r i, m i y i = Π f,i View Pi w ; r

18 Multiparty Computation (MPC) Correctness: For all inputs w and all i n Pr Π f,i View Pi w ; r = f w = 1 w 1 w 5 w 2 w 4 w 3

19 Multiparty Computation (MPC) Correctness: For all inputs w and all i n Pr Π f,i View Pi w ; r = f w = 1 y 1 = f(w) y 5 = f(w) y 2 = f(w) y 4 = f(w) y 3 = f(w)

20 Multiparty Computation (MPC) t-privacy: For all T [n] where T t, there exists an efficient simulator S T such that for all inputs w: View Pi w ; r S i T T f, w i i A, f w w 1 w 5 w 2 w 4 w 3

21 Multiparty Computation (MPC) t-privacy: For all T [n] where T t, there exists an efficient simulator S T such that for all inputs w: View Pi w ; r S i T T f, w i i A, f w w 1 w 5 w 2 Views of any t-subset of the parties do not reveal anything more about the private inputs of any other party w 4 w 3

22 Multiparty Computation (MPC) t-robustness: For all T [n] where T t, and for all f where f w = 0 for all w, then Pr Π f,i View Pi w ; r = 1 = 0 for all i [n] T even if the players in T have been arbitrarily corrupted w 1 w 5 w 2 w 4 w 3

23 Multiparty Computation (MPC) t-robustness: For all T [n] where T t, and for all f where f w = 0 for all w, then Pr Π f,i View Pi w ; r = 1 = 0 for all i [n] T even if the players in T have been arbitrarily corrupted y 1 = 0 y 5 = 0 y 4 = 0 If there are no inputs w to f where f w = 1, then a malicious adversary corrupting up to t parties cannot cause an honest party to output 1

24 Zero-Knowledge from Two-Party Computation Zero knowledge is special case of two-party computation Given a statement x for an NP relation R, define the function f x w = R(x, w) We require a 1-private, 1-robust two-party computation protocol Π fx for f x The prover and verifier execute Π fx Prover s input: the witness w Verifier s input: none The verifier accepts if the output of Π fx is 1

25 Zero-Knowledge from Two-Party Computation Zero knowledge is special case of two-party computation General two-party computation with robustness against malicious adversaries requires oblivious transfer (OT) [Yao86, GMW87] and thus, cannot be instantiated from one-way functions On the other hand, zero knowledge for NP is known from one-way functions (OWFs) [GMW86] Constructions very inefficient relies on running a Karp reduction to an NPcomplete problem (e.g., 3-coloring) This talk: constructing zero-knowledge for NP from OWFs + black-box use of any (semi-honest) MPC protocol

26 MPC in the Head [IKOS07] Let R(x, w) be an NP relation and define the function f x w 1,, w n = R x, w 1 w n, where n 3 Key idea: Prover simulates an n-party MPC protocol Π fx for the function f x Verifier checks that the simulation is correct Key advantage: relies only on OWFs and semi-honest secure MPC

27 MPC in the Head [IKOS07] Key cryptographic primitive: commitment scheme Commit m; r c m Open c, r m m

28 MPC in the Head [IKOS07] Key cryptographic primitive: commitment scheme Perfectly binding: each commitment can be opened in exactly one way r 0, r 1 Commit m 0 ; r 0 = Commit m 1 ; r 1 m 0 = m 1 Computationally hiding: commitment hides committed value to any bounded adversary: Commit m 0 ; r c Commit(m 1 ; r) Non-interactive commitments can be constructed from any injective OWF [Blu81] Interactive commitments can be constructed from any OWF

29 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n (x, w) R(x, w) is an NP relation Π fx

30 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w = w 1 w 2 w 3 w 4 w 5 uniformly random strings Step 1: Secret share the witness Π fx

31 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w 1 w = w 1 w 2 w 3 w 4 w 5 w 5 w 2 uniformly random strings Step 2: Simulate Π fx using randomness r w 4 w 3 Π fx

32 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w 1 w 5 w 2 c 1 = Commit View P1 w; r ; r 1 c n = Commit View Pn w; r ; r n Step 3: Commit to the view of each party w 4 w 3 Π fx

33 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n Step 4: Prover sends the commitments to the verifier

34 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n 1 i < j n Step 5: Verifier challenges prover to open two of the views (at random)

35 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n 1 i < j n Open c i, r i, Open(c j, r j ) Step 6: Prover opens up commitments to requested views

36 MPC in the Head [IKOS07] Verification conditions: 1. Commitments are correctly opened 2. The outputs of both P i and P j is 1 3. The views View Pi and View Pj are consistent with an honest execution of Π fx (x, w) c 1, c 2,, c n 1 i < j n Open c i, r i, Open(c j, r j ) Step 7: Verifier checks the proof

37 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Completeness: Suppose R x, w = 1 Prover is honest so w = w 1 w n By construction, f x w 1,, w n = R x, w = 1 Perfect correctness of Π fx implies that all parties in honest execution output f x w 1,, w n = 1

38 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Soundness: Suppose R x, w = 0 for all w By perfect correctness of Π fx, for all choices of w 1,, w n, parties in an honest execution of Π fx will output 0 Either all outputs are 0 or there is at least one pair of views that are inconsistent Verifier rejects with probability at least 1/n 2 (commitments are perfectly binding)

39 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Can be amplified by running the protocol multiple times (κn 2 Soundness: Suppose R x, w = 0 for all w times to achieve negligible By perfect correctness of Π fx, for all choices of w 1,, w n, parties in an honest soundness error 2 κ ) execution of Π fx will output 0 Either all outputs are 0 or there is at least one pair of views that are inconsistent Verifier rejects with probability at least 1/n 2 (commitments are perfectly binding)

40 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Zero-Knowledge: Suppose that R x, w = 1 View of verifier consists of committed views to all parties, and views View Pi (w; r) and View Pj (w; r) (which include w i and w j ) for two of the parties When n 3, w i, w j are uniformly random strings By 2-privacy of Π fx, View Pi (w; r) and View Pj (w; r) can be simulated given just f x, w i, w j, f x w = 1

41 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Zero-Knowledge: Since prover is honest here, Suppose the that proof R x, w only = 1requires privacy against semi-honest parties View of verifier consists of committed views to all parties, and views View Pi (w; r) and View Pj (w; r) (which include w i and w j ) for two of the parties When n 3, w i, w j are uniformly random strings By 2-privacy of Π fx, View Pi (w; r) and View Pj (w; r) can be simulated given just f x, w i, w j, f x w = 1

42 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Concrete instantiations: Information-theoretic: 5-party BGW protocol [BGW88] Computational (based on OT): 3-party GMW protocol [GMW87] and many more

43 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Consequence: achieving negligible soundness 2 κ requires Ω(κ) repetitions of the protocol Can we obtain negligible soundness error without performing the Ω(κ) repetitions of the protocol?

44 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Soundness error is large because verifier checks only a single view Can reduce the soundness error by having the prover open up more views (e.g., t = Θ(κ) views) Zero-knowledge maintained as long as Π fx is t-private Soundness amplification will rely on leveraging robustness of Π fx

45 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Soundness error is large because verifier Without checks robustness, only a single even view if the prover open n 1 views, the Can reduce the soundness error by having the prover open up more views (e.g., t = Θ(κ) views) soundness error can still be O 1 n Zero-knowledge maintained as long as Π fx is t-private Soundness amplification will rely on leveraging robustness of Π fx

46 MPC in the Head [IKOS07] n = Θ(κ) t = Θ(n) Suppose Π fx is an n-party MPC protocol that is t-private and t-robust (x, w) c 1, c 2,, c n T [n] where T = t Open c i, r i i [T] Verifier can now ask for t openings without compromising zero-knowledge

47 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: 1 Nodes correspond to parties An edge between i and j denotes an inconsistency between View Pi and View Pj

48 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: Verifier chooses some subset of nodes and rejects if induced subgraph on those nodes contains an edge Verifier rejects

49 Verifier may accept MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: Verifier chooses some subset of nodes and rejects if induced subgraph on those nodes contains an edge

50 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 1: Suppose G contains a vertex cover B of size at most t small number of corrupted parties most parties are honest and will output 0 by robustness B = 4,5

51 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 1: Suppose G contains a vertex cover B of size at most t corrupted nodes 5 B By definition, views of all nodes not in B are consistent (i.e., correspond to an honest protocol execution) Π fx is t-robust, so all nodes not in B output 0 on a false statement honest nodes

52 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Failure only if all nodes chosen by verifier fall in B Case 1: Suppose G contains a vertex cover B of size at most t corrupted nodes 5 B honest nodes By definition, views of all nodes not in B are consistent (i.e., correspond to an honest protocol execution) Π fx is t-robust, so all nodes not in B output 0 on a false statement Verifier can only accept if T B, so soundness error is bounded by t n t Ω n Ω κ = 2 = 2

53 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 2: Suppose the minimum vertex cover of G has size greater than t large number of corrupted parties likely to be detected by verifier 4 3

54 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 2: Suppose the minimum vertex cover of G has size greater than t Then G has a matching of size greater than t/2 Verifier accepts only if no edges in G between any of the nodes in T, and in particular, no edges in the matching Since t = Θ(n), the verifier misses all edges in the matching with probability 2 Ω n = 2 Ω κ

55 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally hiding, Π fx is t-private (against semi-honest adversaries), and t-robust (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.

56 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally Can be boosted to zero-knowledge hiding, by having the verifier commit to its Π fx is t-private (against semi-honest queries adversaries), using a statistically-hiding and t-robust commitment scheme [Ros04] (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.

57 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally hiding, Concrete parameters: for Π fx is t-private (against semi-honest adversaries), 2 80 soundness and error, t-robust can use (n, t, r) = 92,64,64 (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.

58 ZKBoo [GMO16] c 1, c 2,, c n S [n] where S = t 1 Open c i, r i i [S] For concrete soundness targets (e.g., 2 80 ), most efficient instantiation of IKOS is to use simple, non-robust multiparty computation protocol and amplify soundness by repeating the protocol

59 ZKBoo [GMO16] c 1, c 2,, c n S [n] where S = t 1 n-party BGW protocol obtaining soundness error 2 80 requires n = 1122, t = 374 Open c i, r i i [S] iterating a 3-party protocol with 2- privacy yields proofs which contain 274 bits per multiplication gate for 2 80 soundness For concrete soundness targets (e.g., 2 80 ), most efficient instantiation of IKOS is to use simple, non-robust multiparty computation protocol and amplify soundness by repeating the protocol

60 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 m w 5 w 2 point-to-point channel m w 4 w 3

61 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 m 0, m 1 b 0,1 w 5 w 2 OT channel m b w 4 w 3

62 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 x y w 5 w 2 arbitrary channel f(x, y) w 4 w 3

63 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC setting, channels are implemented using secure two-party computation In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) x arbitrary channel y f(x, y)

64 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC does setting, not trivialize channels the are implemented problem since using protocol secure must two-party computation still provide privacy In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) x arbitrary channel y f(x, y)

65 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC setting, channels are implemented using secure two-party computation In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) New design space for MPC protocols x arbitrary channel y f(x, y)

66 ZKBoo [GMO16] f x w 1,, w n = R x, w 1 w n w 1 (x, w) w 5 w 2 How to construct Π fx? w 4 w 3 Π fx

67 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) w 1 0 w 2 0 w 3 0 w = w 1 + w 2 + w 3 Function evaluation on secret sharedinputs

68 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) protocol execution proceeds in a series of rounds gate-by-gate evaluation of f w 1 1 w 1 0 f 1 (1) f 1 (2) w 2 1 w 2 0 f 2 (1) f 2 (2) w 3 1 w 3 0 f 3 (1) f 3 (2) w = w 1 + w 2 + w 3 Each party communicates with one other party y 1 y 2 y 3 y = y 1 + y 2 + y 3

69 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) w 1 0 w 2 0 w 3 0 f 1 (1) f 2 (1) f 3 (1) View Pi w ; r = w i 0,, w i N w 1 1 w 2 1 w 3 1 f 1 (2) f 2 (2) f 3 (2) y 1 y 2 y 3 protocol is 2-private

70 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y Multiply xy

71 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F no interaction needed x = x 1 + x 2 + x 3 x 1 x 2 x 3 x Add α x + α f 1 f 2 f 3 x 1 + α x 2 x 3 x 1 + α + x 2 + x 3 = x + α

72 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F no interaction needed x = x 1 + x 2 + x 3 x 1 x 2 x 3 x Multiply α αx f 1 f 2 f 3 αx 1 αx 2 αx 3 αx 1 + αx 2 + αx 3 = αx

73 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x y no interaction needed Add x + y x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 x 1 + y 1 x 2 + y 2 x 3 + y 3 x 1 + y 1 + x 2 + y 2 + x 3 + y 3 = x + y

74 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

75 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 x 2 y 2 + x 3 y 2 + x 2 y 3 x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

76 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy cannot be 2-private: information about x 3, y 3 revealed x 1 y 1 + x 2 y 1 + x 1 y 2 x 2 y 2 + x 3 y 2 + x 2 y 3 x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

77 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

78 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 random blinding factors (R i (c) is randomness used by i th party on gate c) f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

79 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 1 bit per multiplication x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy

80 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y Multiply xy Computation on local shares Two-party computation

81 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y xy 137 iterations + open 2 views = Multiply 274 bits of communication per multiplication gate in ZKBoo Computation on local shares Two-party computation

82 Summary MPC in the head gives new paradigm for constructing efficient zero-knowledge proof systems New directions in designing efficient MPC protocols for zero-knowledge can be quite efficient in practice Zero-knowledge protocols can also be used for signature schemes (Fiat-Shamir) including postquantum signatures!

83 Open Directions Designing new MPC protocols for more efficient zeroknowledge Many theoretical MPC protocols with better communication complexity shorter proofs and (postquantum) signatures Alternative viewpoints: MPC in the head as a PCP with large alphabet (i.e., each party s view)