Paper 2025/334

How to Share an NP Statement or Combiners for Zero-Knowledge Proofs

Abstract

In Crypto'19, Goyal, Jain, and Sahai (GJS) introduced the elegant notion of *secret-sharing of an NP statement* (NPSS). Roughly speaking, a $$-out-of-$$ secret sharing of an NP statement is a reduction that maps an instance-witness pair to $$ instance-witness pairs such that any subset of $$ reveals no information about the original witness, while any subset of $$ allows full recovery of the original witness. Although the notion was formulated for general $$, the only existing construction (due to GJS) applies solely to the case where $$ and provides only computational privacy. In this paper, we further explore NPSS and present the following contributions. 1. **Definition.** We introduce a refined definition of information-theoretically secure NPSS. This notion can be seen as a cryptographic variant of standard NP-reductions and can be compiled into the GJS definition using any one-way function. 2. **Construction.** We construct information-theoretic $$-out-of-$$ NPSS for any values of $$ with complexity polynomial in $$. Along the way, we present a new notion of secure multiparty computation that may be of independent interest. 3. **Applications.** Our NPSS framework enables the *non-interactive combination* of $$ instances of zero-knowledge proofs, where only $$ of them are sound and only $$ are zero-knowledge, provided that $$. Our combiner preserves various desirable properties, such as the succinctness of the proof. Building on this, we establish the following results under the minimal assumption of one-way functions: (i) *Standard NIZK implies NIZK in the Multi-String Model* (Groth and Ostrovsky, J. Cryptology, 2014), where security holds as long as a majority of the $$ common reference strings were honestly generated. Previously, such a transformation was only known in the common random string model, where the reference string is uniformly distributed. (ii) A *Designated-Prover NIZK in the Multi-String Model*, achieving a strong form of two-round Multi-Verifier Zero-Knowledge in the honest-majority setting. (iii) A *three-round secure multiparty computation protocol* for general functions in the honest-majority setting. The round complexity of this protocol is optimal, resolving a line of research that previously relied on stronger assumptions (Aharonov et al., Eurocrypt'12; Gordon et al., Crypto'15; Ananth et al., Crypto'18; Badrinarayanan et al., Asiacrypt'20; Applebaum et al., TCC'22).