Non-Black-Box Simulation in the Fully Concurrent Setting
Vipul Goyal, Microsoft Research India
Non-Black-Box Simulation [Barak’01]
• ZK and simulation [Goldwasser-Micali-Rackoff’85]. All initial simulators used the code of the adversary in a black-box way
• Barak introduced non-black-box simulation in cryptography
• Gave a new ZK protocol: public-coin, based on CRHFs, “straight-line” strict poly-time simulation
• Helped change the landscape of cryptographic protocols: useful in resettable protocols, non-malleable protocols, concurrent secure computation protocols, …
Our Contribution
• A main limitation of Barak’s technique was in the concurrent setting
  – Simulator only worked in the standalone or bounded-concurrent setting
• Main contribution: extend Barak’s technique to the fully concurrent setting
• We give a new ZK protocol: as with Barak’s, ours is public-coin, based on CRHFs, and has a “straight-line” strict poly-time simulator
  – However, simulation works in the fully concurrent setting
• Not a strict improvement over Barak’s: round complexity of our construction is n^ε (where it was only a constant in Barak’s)
Talk Overview
• Recall Barak’s construction and the problems in the fully concurrent setting
• Our ZK construction
  – Reduce the core challenge to a purely combinatorial problem
  – Relatively simple and short proof
  – Arguably the simplest concurrent ZK protocol
• Applications
• Simplifying Assumption: Assume a non-interactive WI universal argument system (one message from Prover to Verifier)
Barak’s ZK Construction
Statement: x in L
Prover → Verifier: Com(h(M))      (slot)
Verifier → Prover: Random r       (slot)
Prover → Verifier: WI-UA: x in L or M outputs r
• ZK simulator: M is the code/state of the verifier machine
• Soundness: r is long and random
Concurrent setting: problem
[Figure: Com(h(M)), r, …, UA: M outputs r; labels: c, c·k steps]
• M doesn’t output r
• Fix: M contains the state of the system (simulator + verifier)
• M regenerates the entire slot transcript and finally arrives at r
• The UA takes time c·k to compute
Exponential time simulator
[Figure: Session 1 and Session 2; slot Com(h(M)), r; message labels: 0-heavy, 1-heavy, 2-heavy; costs: c, c′ = c·k, c·k steps, c·k^2 steps]
• Messages except UA: 0-heavy
• If slot has i-heavy messages: i-heavy slot
• UA regenerating transcript of i-heavy slot: (i+1)-heavy UA
• If i-heavy for super-constant i ⇒ simulation exponential time
A failed attempt: have many slots
[Figure: slots Com(h(M_1)), r_1 … Com(h(M_n)), r_n; UA: x in L or M_i outputs r_i for some i; label: 1-heavy]
• UA still “heavy”
• Repeat in parallel n times to get n different 1-heavy UAs
• Next session: make n slots 1-heavy
Our Idea: Have many UAs
[Figure: slots Com(h(M_1)), r_1 … Com(h(M_n)), r_n, with UA_1 … UA_n; label: heavy]
Our Protocol: Basic Idea
For i = 1 to n:
  Com(h(M_i))
  r_i
  UA: M_i outputs r_i
  Com(UA_i)
WIAOK: x in L or i-th UA convincing for some i
• Only one UA needs to be picked for simulation in each session
• Adv doesn’t know which one it is
Basic combinatorial problem: construct a marking strategy
• Simulator has to mark each outgoing UA message either SIMULATE or BLANK
• UA marked BLANK: 0-heavy
• i-heavy slot: contains i-heavy UA
  – If slot doesn’t have a simulated UA, 0-heavy
• UA marked SIMULATE: (i+1)-heavy iff the slot is i-heavy
• Constraint
  – At least one UA in each session marked SIMULATE
  – No i-heavy UA for any super-constant i
Example
• Say we mark the first UA message SIMULATE in all sessions
[Figure: per-session heaviness labels, in order. Session 3: 0-heavy, 1-heavy, 0-heavy, 0-heavy, …; Session 2: 1-heavy, 2-heavy, 0-heavy, 0-heavy, …; Session 1: 2-heavy, 3-heavy, 0-heavy, 0-heavy, …]
• i-heavy UA for super-constant i
• Randomized marking strategy: see the paper for details
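The heaviness rules and the example above can be checked mechanically. The following is an added example, not code from the talk or the paper: it applies the BLANK/SIMULATE rules to a constructed schedule in which each session runs entirely inside slot 1 of the previous one. The event format, `nested_schedule`, `meets_constraints` with its constant `bound`, and the `mark_last` marking are assumptions made for illustration; `mark_last` is only a contrast on this one schedule and is not the paper's randomized strategy.

```python
SIMULATE, BLANK = "SIMULATE", "BLANK"

def nested_schedule(depth, n_slots):
    """Constructed schedule: session s+1 runs entirely inside slot 1 of session s."""
    def session(s):
        events = [("open", s, 1)]
        if s < depth:
            events += session(s + 1)
        events += [("close", s, 1), ("ua", s, 1)]
        for j in range(2, n_slots + 1):
            events += [("open", s, j), ("close", s, j), ("ua", s, j)]
        return events
    return session(1)

def ua_heaviness(schedule, marking):
    """Apply the slide's rules; return {(session, slot): heaviness of that UA}."""
    open_slots = {}   # slot still open -> heaviest UA seen inside it so far
    slot_heavy = {}   # closed slot -> its final heaviness
    ua_heavy = {}
    for kind, s, j in schedule:
        if kind == "open":
            open_slots[(s, j)] = 0
        elif kind == "close":
            slot_heavy[(s, j)] = open_slots.pop((s, j))
        else:  # UA message, sent after its own slot has closed
            # BLANK: 0-heavy. SIMULATE: (i+1)-heavy when the slot is i-heavy.
            h = slot_heavy[(s, j)] + 1 if marking(s, j) == SIMULATE else 0
            ua_heavy[(s, j)] = h
            for key in open_slots:  # this UA lands inside every open slot
                open_slots[key] = max(open_slots[key], h)
    return ua_heavy

def meets_constraints(ua_heavy, marking, bound):
    """At least one SIMULATE per session and no UA heavier than `bound`."""
    sessions = {s for s, _ in ua_heavy}
    covered = all(any(marking(t, j) == SIMULATE for t, j in ua_heavy if t == s)
                  for s in sessions)
    return covered and max(ua_heavy.values()) <= bound

def mark_first(s, j):
    return SIMULATE if j == 1 else BLANK

def mark_last(n_slots):
    return lambda s, j: SIMULATE if j == n_slots else BLANK

if __name__ == "__main__":
    sched = nested_schedule(depth=3, n_slots=4)
    print(ua_heaviness(sched, mark_first))
    print(ua_heaviness(sched, mark_last(4)))
```

With `mark_first`, the heaviest UA equals the nesting depth, which is the blow-up shown in the example; a scheduler that nests sessions inside the last slot instead would do the same to `mark_last`.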
Sample of Applications
• First public-coin concurrent ZK
  – Earlier negative result with BB simulation [Pass-Tseng-Wikstrom’09]
• First concurrent blind signatures as per ideal/real definition
  – Earlier negative result for BB simulation by [Lindell’03]
• Resolving the bounded pseudoentropy conjecture [Goyal’12]
• Improvements in both the round complexity as well as the class of realizable functionalities for concurrent secure computation
Thank You!