On the Power of Secure Two-Party Computation
Journal of Cryptology (IF 3), Pub Date: 2019-02-07, DOI: 10.1007/s00145-019-09314-2
Carmit Hazay, Muthuramakrishnan Venkitasubramaniam

Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007; SIAM J Comput 39(3):1121–1152, 2009) introduced the powerful "MPC-in-the-head" technique, which provides a general transformation from information-theoretic MPC protocols secure against passive adversaries to a ZK proof in a "black-box" way. In this work, we extend this technique and provide a generic transformation from any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so-called oblivious-transfer hybrid model to an adaptive ZK proof for any NP language, in a "black-box" way and assuming only one-way functions. Our basic construction, based on the Goldreich–Micali–Wigderson 2PC protocol, yields an adaptive ZK proof whose communication complexity is quadratic in the size of the circuit implementing the NP relation. Previously, such proofs relied on an expensive Karp reduction of the NP language to Graph Hamiltonicity [Lindell and Zarosim (TCC 2009; J Cryptol 24(4):761–799, 2011)]. As an application of our techniques, we show how to obtain a ZK proof with an "input-delayed" property for any NP language, without relying on expensive Karp reductions, that is black box in the underlying one-way function. Namely, the input-delayed property allows the honest prover's algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a "commit-and-prove" protocol with the same property, where the prover commits to a witness w in the second message and proves in zero-knowledge a statement x regarding the witness w, with the statement determined only in the last round. This improves on a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way.
Additionally, we provide a general transformation that constructs a randomized encoding of a function f from any 2PC protocol that securely computes a related functionality, in a black-box way from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (which are satisfied by both Yao's and GMW's protocols), then the resulting randomized encoding can be decomposed into an offline/online encoding.

Updated: 2019-02-07