
Published by Devonte Dimit. Modified over 2 years ago.

1 Non-Black-Box Simulation in the Fully Concurrent Setting
Vipul Goyal, Microsoft Research India

2 Non Black Box Simulation [Barak’01]
ZK and simulation [Goldwasser-Micali-Rackoff’85]. All initial simulators used code of adv in a black-box way
Barak introduced non-black-box simulation in cryptography
Gave a new ZK protocol: public-coin, based on CRHFs, “straight-line” strict poly time simulation
Helped change the landscape of cryptographic protocols: useful in resettable protocols, non-malleable protocols, concurrent secure computation protocols ….

3 Our Contribution
A main limitation of Barak’s technique was in the concurrent setting
  –Simulator only worked in standalone or bounded concurrent setting
Main contribution: extend Barak’s technique to the fully concurrent setting
We give a new ZK protocol: as with Barak’s, ours is public-coin, based on CRHFs, and has a “straight-line” strict poly-time simulator
  –However simulation works in the fully concurrent setting
Not a strict improvement over Barak’s: round complexity of our construction is n (where it was only a constant in Barak’s)

4 Talk Overview
Recall Barak’s construction and the problems in fully concurrent setting
Our ZK construction
  –Reduce the core challenge to a purely combinatorial problem
  –Relatively simple and short proof
  –Arguably the simplest concurrent ZK protocol
Applications
Simplifying Assumption: Assume a non-interactive WI universal argument system (one message from Prover to Verifier)

5 Barak’s ZK Construction
Statement: x in L
Slot: Prover sends Com(h(M)), Verifier replies with random r
WI-UA: x in L or M outputs r
ZK simulator: M is the code/state of the verifier machine
Soundness: r is long and random

6 Concurrent setting: problem
Com(h(M)), ...., r
UA: M outputs r
M doesn’t output r
Fix: M contains the state of system (simulator + verifier)
M regenerates the entire slot transcript and finally arrives at r
The UA takes time c.k to compute
[Diagram labels: c, c.k steps]

7 Exponential time simulator
Messages except UA: 0-heavy
If slot has i-heavy messages: i-heavy slot
UA regenerating transcript of i-heavy slot: (i+1)-heavy UA
If i-heavy for superconstant i => simulation exponential time
[Diagram: Session 1 and Session 2, each with a slot Com(h(M)), r; labels: c, 0-heavy, c.k steps, 1-heavy, c’ = c.k, c.k^2 steps, 2-heavy]

8 A failed attempt: have many slots
Com(h(M_1)), r_1
....
Com(h(M_n)), r_n
UA: x in L or M_i outputs r_i for some i
UA still “heavy”
Repeat in parallel n times to get n different 1-heavy UAs
Next session: Make n slots 1-heavy
[Diagram label: 1-heavy]

9 Our Idea: Have many UA’s
Com(h(M_1)), r_1, UA_1
....
Com(h(M_n)), r_n, UA_n
[Diagram label: heavy]

10 Our Protocol: Basic Idea
For i = 1 to n:
  Com(h(M_i))
  r_i
  Com(UA_i), where UA: M_i outputs r_i
WIAOK: x in L or i-th UA convincing for some i
Only one UA needs to be picked for simulation in each session
Adv doesn’t know which one it is

11 Basic combinatorial problem: construct a marking strategy
Simulator has to mark each outgoing UA message either SIMULATE or BLANK
UA marked BLANK: 0-heavy
i-heavy slot: contains i-heavy UA
  –If slot doesn’t have a simulated UA, 0-heavy
UA marked SIMULATE: (i+1)-heavy iff the slot is i-heavy
Constraint
  –At least one UA in each session marked SIMULATE.
  –No i-heavy UA for any super-constant i

12 Example
Say we mark the first UA message SIMULATE in all sessions
[Diagram: Session 3, Session 2, Session 1; rows of message labels:
  0-heavy, 1-heavy, 0-heavy, ....
  1-heavy, 2-heavy, 0-heavy, ....
  2-heavy, 3-heavy, 0-heavy, ....]
i-heavy UA for super-constant i
Randomized marking strategy: paper for details
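
The heaviness rules of slides 11 and 12, worked through on one concrete schedule. This is an added example, not code from the talk or the paper. The event encoding, the nested schedule, all function names and the "staggered" marking are assumptions made for illustration.

```python
# Added example: heaviness bookkeeping for the marking problem.
# The event encoding, function names and the "staggered" marking are
# assumptions made for illustration; they are not notation from the talk.

def nested_schedule(m, n):
    """Constructed schedule: in every round i, session s+1 keeps slot i open
    until session s has sent UA i, so that UA lands inside the slot."""
    events = []
    for i in range(1, n + 1):
        events += [("open", s, i) for s in range(m, 0, -1)]
        for s in range(1, m + 1):
            events += [("close", s, i), ("ua", s, i)]
    return events

def ua_heaviness(schedule, marking):
    """Apply the rules: a BLANK UA is 0-heavy, a slot is as heavy as the
    heaviest UA inside it, a SIMULATE UA for an i-heavy slot is (i+1)-heavy."""
    open_slots, closed_slots, ua = {}, {}, {}
    for kind, s, i in schedule:
        if kind == "open":
            open_slots[(s, i)] = 0
        elif kind == "close":
            closed_slots[(s, i)] = open_slots.pop((s, i))
        else:
            h = closed_slots[(s, i)] + 1 if (s, i) in marking else 0
            ua[(s, i)] = h
            for slot in open_slots:      # this UA sits inside every open slot
                open_slots[slot] = max(open_slots[slot], h)
    return ua

def max_heaviness(m, n, marking):
    """Check the per-session constraint, then return the heaviest UA."""
    for s in range(1, m + 1):
        if not any((s, i) in marking for i in range(1, n + 1)):
            raise ValueError(f"session {s} has no UA marked SIMULATE")
    return max(ua_heaviness(nested_schedule(m, n), marking).values())

def mark_first(m):
    """The slide-12 marking: first UA of every session is SIMULATE."""
    return {(s, 1) for s in range(1, m + 1)}

def mark_staggered(m):
    # Hypothetical fixed marking: session s simulates UA s (needs m <= n).
    # It only defeats this one fixed schedule; it is not the randomized
    # strategy from the paper.
    return {(s, s) for s in range(1, m + 1)}

if __name__ == "__main__":
    for m in (3, 6, 12):
        print(m, max_heaviness(m, m, mark_first(m)),
              max_heaviness(m, m, mark_staggered(m)))
```

Under the first marking the heaviest UA grows with the number of nested sessions, which is the super-constant case the constraint forbids. The staggered marking stays 1-heavy here only because the schedule is fixed in advance.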

13 Sample of Applications
First public-coin concurrent ZK
  –Earlier negative result with BB simulation [Pass-Tseng-Wikstrom’09]
First concurrent blind signatures as per ideal/real definition
  –Earlier negative result for BB simulation by [Lindell’03]
Resolving the bounded pseudoentropy conjecture [Goyal’12]
Improvements in both the round complexity as well as the class of realizable functionalities for concurrent secure computation

14 Thank You!
