Collaborative CP-NIZKs: Modular, Composable Proofs for Distributed Secrets

TL;DR

This paper introduces a new, modular framework for collaborative non-interactive zero-knowledge proofs that are composable, enabling efficient, distributed proofs with minimal overhead and significant performance improvements over prior methods.

Contribution

It defines a general concept for collaborative CP-NIZKs and provides protocols for their implementation, demonstrating practical efficiency and broad applicability.

Findings

Composability incurs minor overhead, especially for large circuits.

Protocols reduce latency by 18-55x compared to previous work.

Communication overhead is reduced to 0.2% of prior methods.

Abstract

Non-interactive zero-knowledge (NIZK) proofs of knowledge have proven to be highly relevant for securely realizing a wide array of applications that rely on both privacy and correctness. They enable a prover to convince any party of the correctness of a public statement for a secret witness. However, most NIZKs do not natively support proving knowledge of a secret witness that is distributed over multiple provers. Previously, collaborative proofs [51] have been proposed to overcome this limitation. We investigate the notion of composability in this setting, following the Commit-and-Prove design of LegoSNARK [17]. Composability allows users to combine different, specialized NIZKs (e.g., one arithmetic circuit, one boolean circuit, and one for range proofs) with the aim of reducing the prove generation time. Moreover, it opens the door to efficient realizations of many applications in the collaborative setting such as mutually exclusive prover groups, combining collaborative and single-party proofs and efficiently implementing publicly auditable MPC (PA-MPC). We present the first, general definition for collaborative commit-and-prove NIZK (CP-NIZK) proofs of knowledge and construct distributed protocols to enable their realization. We implement our protocols for two commonly used NIZKs, Groth16 and Bulletproofs, and evaluate their practicality in a variety of computational settings. Our findings indicate that composability adds only minor overhead, especially for large circuits. We experimented with our construction in an application setting, and when compared to prior works, our protocols reduce latency by 18-55x while requiring only a fraction (0.2%) of the communication.