Non-Black-Box Simulation in the Fully Concurrent Setting

Vipul Goyal, Microsoft Research India



Non-Black-Box Simulation [Barak’01]

• ZK and simulation [Goldwasser-Micali-Rackoff’85]. All initial simulators used the code of the adversary in a black-box way

• Barak introduced non-black-box simulation in cryptography

• Gave a new ZK protocol: public-coin, based on CRHFs, “straight-line” strict poly-time simulation

• Helped change the landscape of cryptographic protocols: useful in resettable protocols, non-malleable protocols, concurrent secure computation protocols, ...


Our Contribution

• A main limitation of Barak’s technique was in the concurrent setting
  – Simulator only worked in standalone or bounded concurrent setting

• Main contribution: extend Barak’s technique to the fully concurrent setting

• We give a new ZK protocol: as with Barak’s, ours is public-coin, based on CRHFs, and has a “straight-line” strict poly-time simulator
  – However simulation works in the fully concurrent setting

• Not a strict improvement over Barak’s: round complexity of our construction is n^ϵ (where it was only a constant in Barak’s)


Talk Overview

• Recall Barak’s construction and the problems in fully concurrent setting

• Our ZK construction
  – Reduce the core challenge to a purely combinatorial problem
  – Relatively simple and short proof
  – Arguably the simplest concurrent ZK protocol

• Applications

• Simplifying Assumption: Assume a non-interactive WI universal argument system (one message from Prover to Verifier)


Barak’s ZK Construction

Statement: x in L

Prover → Verifier: Com(h(M))
Verifier → Prover: Random r
Prover → Verifier: WI-UA: x in L or M outputs r

(Com(h(M)) and r together form the slot)

ZK simulator: M is the code/state of the verifier machine

Soundness: r is long and random


Concurrent setting: problem

[Diagram: Com(h(M)); r; . . ; UA: M outputs r. Labels: c, c.k steps]

• M doesn’t output r

• Fix: M contains the state of system (simulator + verifier)

• M regenerates the entire slot transcript and finally arrives at r

• The UA takes time c.k to compute


Exponential time simulator

[Diagram: Session 1 and Session 2. Labels: Com(h(M)), r, c, c’ = c.k, c.k steps, c.k^2 steps, 0-heavy, 1-heavy, 2-heavy]

• Messages except UA: 0-heavy

• If slot has i-heavy messages: i-heavy slot

• UA regenerating transcript of i-heavy slot: (i+1)-heavy UA

• If i-heavy for superconstant i => simulation exponential time


A failed attempt: have many slots

[Diagram: Com(h(M1)); r1; . . ; Com(h(Mn)); rn; UA: x in L or Mi outputs ri for some i. Label: 1-heavy]

UA still “heavy”

Repeat in parallel n times to get n different 1-heavy UAs

Next session: Make n slots 1-heavy


Our Idea: Have many UA’s

[Diagram: Com(h(M1)); r1; UA1; . . ; Com(h(Mn)); rn; UAn. Label: heavy]


Our Protocol: Basic Idea

For i = 1 to n:
    Com(h(Mi))
    ri
    UA: Mi outputs ri
    Com(UAi)

WIAOK: x in L or i-th UA convincing for some i

• Only one UA needs to be picked for simulation in each session

• Adv doesn’t know which one it is


Basic combinatorial problem: construct a marking strategy

• Simulator has to mark each outgoing UA message either SIMULATE or BLANK

• UA marked BLANK: 0-heavy

• i-heavy slot: contains i-heavy UA
  – If slot doesn’t have a simulated UA, 0-heavy

• UA marked SIMULATE: (i+1)-heavy iff the slot is i-heavy

• Constraint
  – At least one UA in each session marked SIMULATE.
  – No i-heavy UA for any super-constant i


Example

• Say we mark the first UA message SIMULATE in all sessions

[Diagram: three nested sessions, heaviness labels in order]
Session 3: 0-heavy, 1-heavy, 0-heavy, 0-heavy, . .
Session 2: 1-heavy, 2-heavy, 0-heavy, 0-heavy, . .
Session 1: 2-heavy, 3-heavy, 0-heavy, 0-heavy, . .

Result: i-heavy UA for super-constant i

• Randomized marking strategy: see the paper for details
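The marking rules from the previous slide, run on the nesting of this example (an added illustration, not code from the talk or the paper). The event names, the schedule generator and its `nest_slot` parameter are assumptions of this toy model; it goes slightly beyond the slide by letting the adversary nest sessions in any slot, which shows that every fixed choice of the SIMULATE position can be defeated.

```python
SIMULATE, BLANK = "SIMULATE", "BLANK"

def nested_schedule(depth, n_slots, nest_slot=0):
    """Constructed schedule (assumption): session s+1 runs entirely inside
    slot `nest_slot` of session s. Events are (kind, session, slot)."""
    def session(s):
        events = []
        for j in range(n_slots):
            events.append(("open", s, j))        # Com(h(M_j)) starts slot j
            if j == nest_slot and s + 1 < depth:
                events += session(s + 1)         # inner session inside the slot
            events.append(("close", s, j))       # r_j ends slot j
            events.append(("ua", s, j))          # outgoing UA_j
        return events
    return session(0)

def mark_fixed(depth, n_slots, chosen):
    """Deterministic marking: UA `chosen` is SIMULATE in every session."""
    return {(s, j): SIMULATE if j == chosen else BLANK
            for s in range(depth) for j in range(n_slots)}

def ua_heaviness(events, marking):
    """Apply the slide's rules; returns {(session, slot): heaviness of that UA}."""
    open_slots, slot_heavy, ua_heavy = {}, {}, {}
    for kind, s, j in events:
        if kind == "open":
            open_slots[(s, j)] = 0               # no simulated UA seen yet
        elif kind == "close":
            slot_heavy[(s, j)] = open_slots.pop((s, j))
        else:
            # BLANK -> 0-heavy; SIMULATE -> (i+1)-heavy when its slot is i-heavy
            h = slot_heavy[(s, j)] + 1 if marking[(s, j)] == SIMULATE else 0
            ua_heavy[(s, j)] = h
            for key in open_slots:               # every enclosing slot contains it
                open_slots[key] = max(open_slots[key], h)
    return ua_heavy

def max_heaviness(depth, n_slots, chosen, nest_slot):
    events = nested_schedule(depth, n_slots, nest_slot)
    marking = mark_fixed(depth, n_slots, chosen)
    return max(ua_heaviness(events, marking).values())

if __name__ == "__main__":
    for depth in (3, 10, 40):
        print(depth, max_heaviness(depth, 4, chosen=0, nest_slot=0),
              max_heaviness(depth, 4, chosen=1, nest_slot=0))
```

When the marked position coincides with the slot the adversary nests in, the heaviest UA equals the nesting depth; when it does not, the heaviest UA stays 1-heavy on this schedule.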


Sample of Applications

• First public-coin concurrent ZK
  – Earlier negative result with BB simulation [Pass-Tseng-Wikstrom’09]

• First concurrent blind signatures as per ideal/real definition
  – Earlier negative result for BB simulation by [Lindell’03]

• Resolving the bounded pseudoentropy conjecture [Goyal’12]

• Improvements in both the round complexity as well as the class of realizable functionalities for concurrent secure computation


Thank You!