Non-interactive zero-knowledge (NIZK) proofs of knowledge have proven to be highly relevant for securely realizing a wide array of applications that rely on both privacy and correctness. They enable a prover to convince any party that a public statement holds for a secret witness the prover knows, without revealing that witness. However, most NIZKs do not natively support proving knowledge of a secret witness that is distributed over multiple provers. Previously, collaborative proofs [51] have been proposed to overcome this limitation. We investigate the notion of composability in this setting, following the Commit-and-Prove design of LegoSNARK [17]. Composability allows users to combine different, specialized NIZKs (e.g., one for arithmetic circuits, one for Boolean circuits, and one for range proofs) with the aim of reducing proof generation time. Moreover, it opens the door to efficient realizations of many applications in the collaborative setting, such as mutually exclusive prover groups, combining collaborative and single-party proofs, and efficiently implementing publicly auditable MPC (PA-MPC). We present the first general definition of collaborative commit-and-prove NIZK (CP-NIZK) proofs of knowledge and construct distributed protocols that realize it. We implement our protocols for two commonly used NIZKs, Groth16 and Bulletproofs, and evaluate their practicality in a variety of computational settings. Our findings indicate that composability adds only minor overhead, especially for large circuits. We experimented with our construction in an application setting, and when compared to prior works, our protocols reduce latency by 18-55x while requiring only a fraction (0.2%) of the communication.
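To make the two ideas in the abstract concrete, here is an added toy example (written for this page, not the paper's Groth16 or Bulletproofs protocols, and not code from the LegoSNARK or collaborative-proofs authors). It shows (1) a collaborative proof: a witness `w` is additively shared among several provers, each commits to its share with a Pedersen commitment, and a Fiat-Shamir Schnorr/Okamoto-style proof of knowledge of the opening of the combined commitment is assembled from per-prover messages only, so `w` is never reconstructed; and (2) the commit-and-prove "link": a second proof that a commitment produced by some other gadget (with its own randomness) opens to the same `w`, which is what lets specialised proofs be composed on one committed witness. All names (`collaborative_pok`, `collaborative_link`, `demo`) and the 64-bit safe-prime group are assumptions chosen for illustration; the parameters are far too small for real use, and the protocol gives no guarantees against dishonest provers (e.g. one who picks its announcement after seeing the others').

```python
"""Toy collaborative commit-and-prove proof of knowledge (constructed example).
Pedersen commitment C = g^w h^r to an additively shared witness w, a
Fiat-Shamir proof of knowledge of its opening built from per-prover messages,
and a linking proof tying C to a second commitment to the same w. Not the
paper's protocols; toy-sized parameters, honest-but-curious provers only."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with q >= start (toy size, not production)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(1 << 62)
G = pow(2, 2, P)  # a square, so it generates the order-q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"cp-nizk-h").digest(), "big") % P, 2, P)  # log_G(H) unknown

def commit(w: int, r: int) -> int:
    """Pedersen commitment g^w h^r mod p."""
    return pow(G, w, P) * pow(H, r, P) % P

def _challenge(*vals: int) -> int:
    """Fiat-Shamir challenge over the transcript values."""
    data = b"".join(v.to_bytes(32, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def _prod(xs) -> int:
    out = 1
    for x in xs:
        out = out * x % P
    return out

def collaborative_pok(shares: list[tuple[int, int]]) -> tuple[int, tuple[int, int, int]]:
    """Prover i holds (w_i, r_i). Returns C = g^w h^r for w = sum w_i, r = sum r_i
    and a Schnorr/Okamoto-style NIZK of the opening; no party sees another's share."""
    C = _prod(commit(w_i, r_i) for w_i, r_i in shares)
    nonces = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in shares]  # per-prover nonces
    A = _prod(commit(a_i, b_i) for a_i, b_i in nonces)                       # aggregated announcement
    e = _challenge(C, A)
    z_w = sum(a + e * w for (a, _), (w, _) in zip(nonces, shares)) % Q       # responses simply add up
    z_r = sum(b + e * r for (_, b), (_, r) in zip(nonces, shares)) % Q
    return C, (A, z_w, z_r)

def verify_pok(C: int, proof: tuple[int, int, int]) -> bool:
    A, z_w, z_r = proof
    return commit(z_w, z_r) == A * pow(C, _challenge(C, A), P) % P

def collaborative_link(C: int, C2: int, rand_shares: list[tuple[int, int]]) -> tuple[int, int]:
    """CP-link: prove C and C2 open to the same value, i.e. C / C2 = h^(r - r2),
    with the exponent shared as (r_i - r2_i) across provers. The value stays hidden."""
    ks = [secrets.randbelow(Q) for _ in rand_shares]
    A = _prod(pow(H, k, P) for k in ks)
    e = _challenge(C, C2, A)
    z = sum(k + e * (r - r2) for k, (r, r2) in zip(ks, rand_shares)) % Q
    return A, z

def verify_link(C: int, C2: int, proof: tuple[int, int]) -> bool:
    A, z = proof
    quotient = C * pow(C2, P - 2, P) % P  # C / C2
    return pow(H, z, P) == A * pow(quotient, _challenge(C, C2, A), P) % P

def demo(n_provers: int = 3) -> dict:
    """Constructed run: share w, prove the opening jointly, link to a second gadget's commitment."""
    w = 123456789
    w_shares = [secrets.randbelow(Q) for _ in range(n_provers - 1)]
    w_shares.append((w - sum(w_shares)) % Q)
    r1 = [secrets.randbelow(Q) for _ in range(n_provers)]
    r2 = [secrets.randbelow(Q) for _ in range(n_provers)]
    C, pok = collaborative_pok(list(zip(w_shares, r1)))
    C2 = _prod(commit(w_i, r_i) for w_i, r_i in zip(w_shares, r2))  # second gadget's commitment to w
    link = collaborative_link(C, C2, list(zip(r1, r2)))
    C_bad = C2 * G % P  # commits to w + 1 under the same randomness
    return {
        "pok_ok": verify_pok(C, pok),
        "link_ok": verify_link(C, C2, link),
        "bad_link_rejected": not verify_link(C, C_bad, link),
    }
```

Two design points worth noticing. The collaborative proof works because the Sigma-protocol responses are linear in the witness and nonces, so each prover can answer on its own share and the verifier only ever sees the sums; the same structure is what makes secret-shared proving of Groth16 and Bulletproofs possible, though with far more machinery. The linking proof is the composability hook: any gadget that takes a Pedersen-style commitment to `w` can be attached by proving equality of committed values, and the verifier checks each gadget's proof plus the link rather than one monolithic circuit.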