Journal of Cryptology, Volume 21, Issue 3, pp. 303–349

Handling Expected Polynomial-Time Strategies in Simulation-Based Security Proofs

  • Jonathan Katz
  • Yehuda Lindell


The standard class of adversaries considered in cryptography is that of strict polynomial-time probabilistic machines. However, expected polynomial-time machines are often also considered. For example, there are many zero-knowledge protocols for which the only known simulation techniques run in expected (and not strict) polynomial time. In addition, it has been shown that expected polynomial-time simulation is essential for achieving constant-round black-box zero-knowledge protocols. This reliance on expected polynomial-time simulation introduces a number of conceptual and technical difficulties. In this paper, we develop techniques for dealing with expected polynomial-time adversaries in simulation-based security proofs.
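The abstract notes that for many zero-knowledge protocols the only known black-box simulators run in expected rather than strict polynomial time. The following Python toy is an added illustration, not code from the paper, of where that expectation comes from: it models the standard rewinding strategy for a constant-round protocol in which the verifier first commits to its challenge (the Goldreich–Kahan structure), counting how many times the simulator has to invoke the verifier. The verifier's open probability `p`, its independence from the prover's first message, and the helper names `simulate_with_rewinding`, `make_verifier` and `empirical_runtime` are all constructed for this example.

```python
"""Toy model of why black-box rewinding simulators run in expected, not
strict, polynomial time.  Added illustration; not code from the paper."""
import random
from dataclasses import dataclass


@dataclass
class RewindStats:
    invocations: int   # how many times the simulator ran the verifier
    aborted: bool      # did the very first run end in a verifier abort


def simulate_with_rewinding(verifier_opens, rng):
    """Abstract simulator strategy for a protocol where the verifier commits
    to its challenge before seeing the prover's first message:
      - send a dummy first message; if the verifier aborts, the abort
        transcript is already a perfect simulation (the honest prover would
        have produced the same view), so stop after one invocation;
      - otherwise the simulator has learned the challenge, rewinds to just
        after the commitment, and re-runs with a first message prepared for
        that challenge until the verifier opens again.
    `verifier_opens(rng)` models the verifier's decision to open (True) or
    abort (False).  Returns the number of verifier invocations."""
    invocations = 1
    if not verifier_opens(rng):
        return RewindStats(invocations, aborted=True)
    # Challenge learned; keep rewinding until the verifier opens once more.
    while True:
        invocations += 1
        if verifier_opens(rng):
            return RewindStats(invocations, aborted=False)


def make_verifier(open_probability):
    """Constructed cheating verifier that opens its commitment with
    probability p, independently of the prover's first message.  That
    independence is an assumption of this toy (see the note below)."""
    def verifier_opens(rng):
        return rng.random() < open_probability
    return verifier_opens


def empirical_runtime(open_probability, trials, seed=0):
    """Mean and maximum verifier invocations over `trials` simulator runs,
    using a seeded RNG so the experiment is reproducible."""
    rng = random.Random(seed)
    verifier = make_verifier(open_probability)
    counts = [simulate_with_rewinding(verifier, rng).invocations
              for _ in range(trials)]
    return sum(counts) / trials, max(counts)


if __name__ == "__main__":
    for p in (0.5, 0.01, 0.001):
        mean, worst = empirical_runtime(p, trials=40000)
        print(f"p={p:<6} mean invocations={mean:.2f}  worst case={worst}")
```

For every p > 0 the expected number of invocations is 1 + p·(1/p) = 2: the 1/p expected rewinds are only paid for when the first run did not abort, which happens with probability p. The worst case, however, is unbounded (it grows like 1/p), which is exactly why this simulator is expected and not strict polynomial-time. The toy assumes the verifier aborts with the same probability on the dummy and on the prepared first message; the real proof has to argue that from the hiding of the commitment. It also treats each verifier invocation as a unit-cost step, which is the strict polynomial-time setting; once the verifier itself runs in expected polynomial time, the total running time of such a simulator is no longer obviously expected polynomial, and that is the situation the paper's techniques address.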


Keywords: Expected polynomial-time, Black-box simulation, Secure multiparty computation, Zero-knowledge





Copyright information

© International Association for Cryptologic Research 2007

Authors and Affiliations

  1. Department of Computer Science, University of Maryland, College Park, USA
  2. Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel
