A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general

more »

... truction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of any secure protocol for a related multi-party functionality f . The latter protocol is only required to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zeroknowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof protocols: • Approaching the witness length. If C has constant depth over ∧, ∨, ⊕, ¬ gates of unbounded fan-in, we get a zero-knowledge proof protocol with communication complexity m · poly(k) · polylog(s), where k is a security parameter. • "Constant-rate" zero-knowledge. For an arbitrary circuit C of size s and a bounded fan-in, we get a zero-knowledge protocol with communication complexity O(s) + poly(k, log s). Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the O(ks) complexity of the best previous protocols.