1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.


1 Vipul Goyal, Microsoft Research India: Non-Black-Box Simulation in the Fully Concurrent Setting

2 Non Black Box Simulation [Barak’01]
ZK and simulation [Goldwasser-Micali-Rackoff’85]. All initial simulators used the code of the adversary in a black-box way
Barak introduced non-black-box simulation in cryptography
Gave a new ZK protocol: public-coin, based on CRHFs, “straight-line” strict poly-time simulation
Helped change the landscape of cryptographic protocols: useful in resettable protocols, non-malleable protocols, concurrent secure computation protocols ….

3 Our Contribution
A main limitation of Barak’s technique was in the concurrent setting
–Simulator only worked in standalone or bounded concurrent setting
Main contribution: extend Barak’s technique to the fully concurrent setting
We give a new ZK protocol: as with Barak’s, ours is public-coin, based on CRHFs, and has a “straight-line” strict poly-time simulator
–However simulation works in the fully concurrent setting
Not a strict improvement over Barak’s: round complexity of our construction is n (where it was only a constant in Barak’s)

4 Talk Overview
Recall Barak’s construction and the problems in fully concurrent setting
Our ZK construction
–Reduce the core challenge to a purely combinatorial problem
–Relatively simple and short proof
–Arguably the simplest concurrent ZK protocol
Applications
Simplifying Assumption: Assume a non-interactive WI universal argument system (one message from Prover to Verifier)

5 Barak’s ZK Construction
Statement: x in L
[Diagram: messages between Prover and Verifier, in order]
Com(h(M))
Random r
WI-UA: x in L or M outputs r
[Diagram label: slot]
ZK simulator: M is the code/state of the verifier machine
Soundness: r is long and random

6 Concurrent setting: problem
[Diagram: Com(h(M)), r, ...., UA: M outputs r]
M doesn’t output r
Fix: M contains the state of system (simulator + verifier)
M regenerates the entire slot transcript and finally arrives at r
The UA takes time c.k to compute
[Diagram labels: c; c.k steps]

7 Exponential time simulator
Messages except UA: 0-heavy
If slot has i-heavy messages: i-heavy slot
UA regenerating transcript of i-heavy slot: (i+1)-heavy UA
If i-heavy for superconstant i => simulation exponential time
[Diagram labels: Session 1, Session 2; Com(h(M)), r; c, c’ = c.k; c.k steps, c.k^2 steps; 0-heavy, 1-heavy, 2-heavy]

8 A failed attempt: have many slots
[Diagram: Com(h(M_1)), r_1, ...., Com(h(M_n)), r_n; UA: x in L or M_i outputs r_i for some i]
UA still “heavy”
Repeat in parallel n times to get n different 1-heavy UAs
Next session: Make n slots 1-heavy
[Diagram label: 1-heavy]

9 Our Idea: Have many UA’s
[Diagram: Com(h(M_1)), r_1, UA_1, ...., Com(h(M_n)), r_n, UA_n; label: heavy]

10 Our Protocol: Basic Idea
For i = 1 to n:
–Com(h(M_i))
–r_i
–Com(UA_i), where UA: M_i outputs r_i
WIAOK: x in L or i-th UA convincing for some i
Only one UA needs to be picked for simulation in each session
Adv doesn’t know which one it is

11 Basic combinatorial problem: construct a marking strategy
Simulator has to mark each outgoing UA message either SIMULATE or BLANK
UA marked BLANK: 0-heavy
i-heavy slot: contains i-heavy UA
–If slot doesn’t have a simulated UA, 0-heavy
UA marked SIMULATE: (i+1)-heavy iff the slot is i-heavy
Constraint
–At least one UA in each session marked SIMULATE.
–No i-heavy UA for any super-constant i

12 Example
Say we mark the first UA message SIMULATE in all sessions
[Diagram: Session 1, Session 2, Session 3, ....; UA labels 0-heavy, 1-heavy, 2-heavy, 3-heavy]
i-heavy UA for super-constant i
Randomized marking strategy: paper for details
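The heaviness rules of slide 11 applied to the example of slide 12, as an added example that is not part of the original talk. It assumes a simple event encoding and a constructed schedule in which each session runs inside the first slot of the previous one; all function names are hypothetical.

```python
# Added illustration of the heaviness rules on slides 11-12; not code from the talk.
# Assumed event encoding: (kind, session, slot), where kind is "open" (prover
# sends Com), "close" (verifier sends r) or "ua" (prover sends the UA for that slot).

def ua_heaviness(events, simulate):
    """Map each UA (session, slot) to its heaviness; `simulate` is the SIMULATE set."""
    open_slots = {}   # open slot -> heaviest UA seen inside it so far
    slot_weight = {}  # closed slot -> final heaviness
    ua_weight = {}
    for kind, session, slot in events:
        key = (session, slot)
        if kind == "open":
            open_slots[key] = 0
        elif kind == "close":
            slot_weight[key] = open_slots.pop(key)
        elif kind == "ua":
            # BLANK: 0-heavy. SIMULATE over an i-heavy slot: (i+1)-heavy.
            w = slot_weight[key] + 1 if key in simulate else 0
            ua_weight[key] = w
            # The UA lies in the transcript of every slot still open around it.
            for other in open_slots:
                open_slots[other] = max(open_slots[other], w)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return ua_weight

def session_events(s, inner=(), slots=2):
    """One session; `inner` events are scheduled inside its first slot."""
    ev = [("open", s, 1), *inner, ("close", s, 1), ("ua", s, 1)]
    for j in range(2, slots + 1):
        ev += [("open", s, j), ("close", s, j), ("ua", s, j)]
    return ev

def nested_schedule(m):
    """Constructed schedule: session s+1 runs entirely inside slot 1 of session s."""
    ev = []
    for s in range(m, 0, -1):
        ev = session_events(s, inner=ev)
    return ev

def first_ua_marking(m):
    """Slide 12's strategy: mark the first UA of every session SIMULATE."""
    return {(s, 1) for s in range(1, m + 1)}

if __name__ == "__main__":
    for (s, j), w in sorted(ua_heaviness(nested_schedule(4), first_ua_marking(4)).items()):
        print(f"session {s} UA {j}: {w}-heavy")
```

With m nested sessions the outermost session's first UA comes out m-heavy, so the heaviness grows with the number of sessions and violates the constraint on slide 11.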

13 Sample of Applications
First public-coin concurrent ZK
–Earlier negative result with BB simulation [Pass-Tseng-Wikstrom’09]
First concurrent blind signatures as per ideal/real definition
–Earlier negative result for BB simulation by [Lindell’03]
Resolving the bounded pseudoentropy conjecture [Goyal’12]
Improvements in both the round complexity as well as the class of realizable functionalities for concurrent secure computation

14 Thank You!
