Concurrent Secure Computation via NonBlack Box Simulation
 2 Citations
 2.5k Downloads
Abstract

We give first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC’03) for blackbox simulation. We circumvent this impossibility using nonblack box simulation. This gives us a quite natural example of a functionality in concurrent setting which is impossible to realize using blackbox simulation but can be securely realized using nonblack box simulation.

Moreover, we expand the class of realizable functionalities in the concurrent setting. Our main theorem is a positive result for concurrent secure computation as long as the ideal world satisfies the bounded pseudoentropy condition (BPC) of Goyal (FOCS’12). The BPC requires that in the ideal world experiment, the total amount of information learnt by the adversary (via calls to the ideal functionality) should have “bounded pseudoentropy”.

We also improve the round complexity of protocols in the singleinput setting of Goyal (FOCS’12) both qualitatively and quantitatively. In Goyal’s work, the number of rounds depended on the length of honest party inputs. In our protocol, the round complexity depends only on the security parameter, and is completely independent of the length of the honest party inputs.
Our results are based on a nonblack box simulation technique using a new language (which allows the simulator to commit to an Oracle program that can access information with bounded pseudoentropy), and a simulationsound version of the concurrent zeroknowledge protocol of Goyal (STOC’13). We assume the existence of collision resistant hash functions and constant round semihonest oblivious transfer.
Keywords
Secure Computation Blind Signature Security Parameter Random String Ideal World1 Introduction
Secure computation protocols enable a set of mutually distrustful parties to securely perform a task by interacting with each other. Traditional security notions for secure computation [21, 49] were defined for the standalone setting where security holds only if a single protocol session is executed in isolation. In today’s connected world (and especially over internet), many instances of these protocols may be executing concurrently. In such a scenario, a protocol that is secure in the classical standalone setting may become completely insecure [5, 37]. Ambitious efforts have been made to generalize the results for the standalone setting, starting with concurrentlysecure zeroknowledge protocols [7, 14, 34, 45, 47].
However, in the plain model, the effort to go beyond the zeroknowledge functionality were, unfortunately, less than fully satisfactory. In fact, for the plain model far reaching unconditional impossibility results were shown in a series of works [1, 5, 8, 19, 24, 37, 38]. Two notable exceptions giving positive results in the plain model are the works on bounded concurrency [36, 43, 44] (where there is an apriori fixed bound on the total number of concurrent sessions in the system and the protocol in turn can depend on this bound), and, the positive results for a large class of functionalities in the so called “single input” setting [24]. In this setting, there is a server interacting with multiple clients concurrently with the restriction that the server (if honest) is required to use the same input in all sessions. There is a large body of literature on getting concurrently secure computation in weaker models such as using a superpolynomial time simulator, or a trusted setup. A short survey of these works is given later in this section. We emphasize that in this work, we are interested in concurrently secure computation protocols with no trusted set up assumptions where the security holds according to standard ideal/real paradigm.
An intriguing functionality that cannot be realized in the fully concurrent setting by these results is blind signatures in the plain model. The blind signature functionality, introduced by [11], allows users to obtain unforgeable signatures on messages of their choice without revealing the message being signed to the signer (blindness property). The question of whether a concurrentlysecure protocol for this functionality can be constructed as per the ideal/real model simulation paradigm has been open so far. Moreover, given the impossibility result for concurrent blind signatures for black box simulation by Lindell [37], it is clear that we need to use nonblack box techniques. Until recently, no nonblack box technique was known which applies to full concurrency with polynomial time simulation. However, Goyal [25] recently proposed new nonblack box simulation techniques for (fully) concurrent zeroknowledge with straight line simulation. Unfortunately, the result of Goyal is limited to the setting of concurrent zeroknowledge. We ask the question: Can we construct nonbox black techniques for (fully) concurrent secure computation, building upon the work of Goyal [25]?
Our Contributions. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straightline simulator, that allows us to achieve several new results. In short, we expand the class of realizable functionalities in the concurrent setting and give the first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Moreover, the round complexity of our protocol depends only on the security parameter and hence, improves the round complexity of [24] both qualitatively and quantitatively. Finally, our work can be seen as a unifying framework, which essentially subsumes all the previous work on positive results for concurrent secure computation achieving polynomial time simulation based security in the plain model. For detailed description of our results, see Sect. 1.1.
Other Models. In order to circumvent the above mentioned impossibility results in the plain model, there has been quite some work studying various trust assumptions such as common reference string (CRS) model and tamper proof hardware tokens [3, 10, 32]. Another interesting line of work has studied weaker security definitions [16, 39, 42, 46] while still remaining in the plain model, and most notably obtains positive results in models like super polynomial time simulation [6, 9, 17, 46] and input indistinguishable security [17, 39].
Note that these trust assumptions and these relaxed notions of security are sometimes restrictive and are not applicable to many situations. We again emphasize that the focus of this work is concurrent secure computation in the plain model achieving polynomial time simulation. In the plain model, there are point to point authenticated channels between the parties, but there is no global trusted third party.
What Goes Wrong in Concurrent Setting in Plain Model? A well established approach to constructing secure computation protocols is to use the GMW compiler: take a semihonest secure computation protocol and “compile” it with zeroknowledge arguments. The natural starting point in the concurrent setting is to follow the same principles: somehow compile a semihonest secure computation protocol with a concurrent zeroknowledge protocol (actually compile with concurrent nonmalleable zeroknowledge [5]). Does such an approach (or minor variants) already give us protocols secure according to the standard ideal/real world definition in the plain model?
There is a fundamental problem with this approach which poses a key bottleneck in a number of previous works (see [17, 24, 26, 28, 29, 30]). All known concurrent zeroknowledge simulators in the fully concurrent setting work by rewinding the adversarial parties. Such an approach is highly problematic for secure computation in the concurrent setting, where the adversary controls the scheduling of the messages of different sessions. For instance, consider the following scenario: Due to nesting of sessions by the adversary, a rewinding based simulator may need to execute some sessions more than once. Since the adversary can choose a different input in each execution (e.g. based on transcript so far), the simulator would have to query the ideal functionality for than once. However, for any session, the simulator is allowed at most one query! Indeed, such problems are rather inherent as indicated by various impossibility results [5, 38].
Trying to solve this bottleneck of “handling extra queries” in various ways has inspired a number of different works which revolve around a unified theme: first construct a protocol where the simulator requires multiple queries per session in the ideal world, and then, somehow manage to either eliminate or answer these extra queries by exploiting some property of the specific setting in question. Examples of these include Resettable and Stateless computation [29, 30], Multiple Ideal Query model [26, 27, 28], SingleInput setting [24], Leaky Ideal Query model [26], etc^{1}.
Indeed, as is natural to expect, there are limitations on how much one can achieve using the above paradigm of constructing protocols. A very natural question that arises is whether there exists a different approach which allows us to construct concurrent secure computation protocols in the plain model without the need of additional output queries? Moreover, if such a different approach does exist, we know that due to impossibility results [1, 5, 8, 19, 24, 37, 38], there will be some limitations on the scope of its applicability. This leads to some more natural questions. What all can we achieve using this approach? In particular, can we expand the class of realizable functionalities in the concurrent setting? Can we improve the parameters (e.g. round complexity) of the protocols which exist in the plain model?
1.1 Our Results
The key contribution of this work is a new way of approaching the problem of concurrent secure computation in the plain model facilitated by recent advances in concurrent nonblack box simulation [25]. We give a protocol with nonblack box and straightline simulator. Since, very informally, our simulator does not rely on rewinding at all, we are able to avoid the key bottleneck of additional output queries to the ideal functionality during the rewinds.
However, our simulator has to overcome a number of additional obstacles not present in [25]. Note that unlike secure computation, an adversary in concurrent zeroknowledge does not receive any outputs. Dealing with the outputs given to the adversary in each session is a key difficulty we have to overcome. In particular, one might think that a straightline simulator for concurrent zeroknowledge should give a concurrently secure computation protocol trivially for all functionalities and in particular for concurrently secure oblivious transfer. Note that this cannot be true given unconditional impossibility results for oblivious transfer. For more on such technical hurdles, please refer to the technical overview (Sect. 1.2).
Informally stated, our main theorem is a general positive result for concurrent secure computation as long as the ideal world satisfies our so called bounded pseudoentropy condition (BPC). Very informally, the bounded pseudoentropy condition requires that in the ideal world experiment, the total amount of information learnt by the adversary (via calls to the trusted party) should have “bounded pseudoentropy”. The origin of the bounded pseudoentropy condition comes from a conjecture of Goyal [24]. More precisely, the bounded pseudoentropy condition says the following:
Definition 1

All valid output vectors corresponding to the input vector \(\mathbf {I}\) of the adversary are contained in S. Observe that for a given \(\mathbf {I}\), for different honest party input vectors, the output vectors may be different. We require that any such output vector be contained in S. Furthermore, \(S \le 2^B\).

For every \(\mathbf {O} \in S\), \(\mathcal {T}(\mathbf {I}, \mathbf {O}) = 1\), and for every \(\mathbf {O} \notin S\), \(\mathcal {T}(\mathbf {I}, \mathbf {O}) = 0\). That is, the set S is efficiently recognizable.
Intuitively, this condition says the following: The adversary might be scheduling an unbounded polynomial number of sessions and gaining information from each of the outputs obtained. However for any vector of adversarial inputs, the number of possible output vectors is bounded (and hence so is the information that adversary learns). Further note that this condition places a restriction only on the ideal world experiment, which consists of the functionality being computed and the honest party inputs. There is no restriction on the ideal world adversary, which may follow any (possibly unbounded state) polynomial time strategy.
It can be seen that in concurrent zeroknowledge, as well as, in the bounded concurrency setting, the BPC is satisfied. Also note that the class of ideal worlds which satisfy BPC is significantly more general compared to the single input setting of [24]. For a formal proof of this claim, refer to Sect. 2. In our work, we prove the following main theorem.
Theorem 1
Assume the existence of collision resistant hash functions and constantround semihonest oblivious transfer. If the ideal world for the functionality \(\mathcal {F}\) satisfies the bounded pseudoentropy condition in Definition 1, then for any constant \(\epsilon \), there exists a \(O(n^\epsilon )\) round real world protocol \(\varPi \) which securely realizes the ideal world for functionality \(\mathcal {F}\).

Resolving the Bounded Pseudoentropy Conjecture. Goyal [24] considered the so called “single input setting” and obtained a positive result for many functionalities in the plain model. Goyal further left open the so called bounded pseudoentropy conjecture which if resolved would give a more general and cleaner result (see [24] for the exact statement).
Our BPC is inspired from this conjecture (and can be seen as one way of formalizing it). Thus, Theorem 1 allows us to resolve the bounded pseudoentropy conjecture in the positive. Our positive result for the BPC subsumes most known positive results for concurrent secure computation in the plain model such as for zeroknowledge [34, 45, 47], bounded concurrent computation [36, 43, 44], and the positive results in the single input setting [24].

Improving the Round Complexity of Protocols in the Single Input Setting. The round complexity of the construction of Goyal [24] in the single input setting was a large polynomial depending not only upon the security parameter but also on the length of the input and the nature of the functionality. For example, for concurrent private information retrieval, the round complexity would depend multiplicatively of the number of bits in the database and the security parameter. Our construction only has \(n^\epsilon \) rounds, where n is the security parameter. Therefore, we obtain a significant qualitative improvement in the round complexity for protocols in the single input setting.

Expanding the Class of Realizable Functionalities, and, Getting Blind Signatures. The blind signature functionality is an interesting case in the paradigm of secure computation both from theoretical as well as practical standpoints. The question of whether concurrent blind signatures (secure as per the ideal/real model simulation paradigm) exist is currently unresolved. Lindell [36, 38] showed an impossibility result for concurrent blind signature based on blackbox simulation. This result has also been used as a motivation to resort to weaker security notions (such as game based security) or setup assumptions in various subsequent works (see e.g., [15, 18, 20, 31, 33, 41]). We show that a positive result for BPC directly implies a construction of concurrent blind signatures secure in the plain model as per the standard ideal/real world security notion. Prior to our work, the only known construction of concurrently secure blind signatures was according to the weaker game based security notion due to Hazay et al. [31].
This implies that concurrent blind signatures is a “natural” example of a functionality which is impossible to realize using blackbox simulation but can be securely realized using nonblack box simulation in the concurrent setting.^{2} The only previous such example known [29] was for a reactive (and arguably rather contrived) functionality. Another concrete (and related) example of a new functionality that can be directly realized using our techniques is that of a secure verifiable random function.
It would also be interesting to see what our approach yields in the plain model for different settings and security notions where the previous rewinding based approach has been useful (such as resettable computation, superpolynomial simulation, etc.). We leave that as future work.
1.2 Our Techniques
Our protocol and analysis for the concurrent secure computation is admittedly quite complex and we face a number of hurdles on the way. Below, we try to sketch the main difficulties and our ideas to circumvent them at a high level.
To construct concurrent secure computation, we roughly follow the [21] strategy of first constructing an appropriate zeroknowledge protocol, and then “somehow compiling” a semi honest secure computation protocol using that. In our concurrent setting, in order to avoid the multiple output queries per session, we need a concurrently secure protocol for zeroknowledge with a straightline simulator. Recently, the first such protocol was given by Goyal [25] based on nonblack box techniques^{3}.
Another property of the zeroknowledge protocol which is crucial for compilation is simulationsoundness. Our first (and arguably smaller) technical hurdle is to construct a simulationsound version of Goyal’s protocol. This is necessary because the simulator would rely on the soundness of the proofs given by the adversary while simulating the proofs where it is acting as the prover. Another issue is that in our protocol for concurrent secure computation, the adversary is allowed to choose the statement proved till a very late stage in the protocol. Hence, we need simulationsoundness to hold even when the statements to prove are being chosen adaptively by the adversary. We note that this issue is somewhat subtle to deal with. Our construction of simulationsound concurrent zeroknowledge relies on the following ingredients: Goyal’s concurrent simulation strategy, a robust nonmalleable commitment scheme [35], and a special language to be used in the universal arguments. The final construction along with a description of the main ideas is given in Sect. 3.
The next (and arguably bigger) difficulty is the following. In secure computation, the adversary receives an output in each session (this is unlike the case of zeroknowledge). It turns that it is not clear how to handle these outputs while performing nonblack box simulation. Note that some such challenge is inherent in the light of the long list of general impossibility results known [5, 38]. Before we describe the challenge faced in detail, it would be helpful to recall how the nonblack box techniques based on [2] work at a high level.

Nonblack Box Technique. In each session, the simulator has to commit to a program \(\varPi \), which has to generate the adversary’s random string r in that session. In the transcript between the commitment to \(\varPi \) and r, there may be messages of other sessions, which \(\varPi \) has to regenerate. Even if the program \(\varPi \) consists of the entire state of the simulator and the adversary at the point of the commitment, it runs into a problem in the case of secure computation (where the adversary is getting nontrivial output in each session).

Key Challenge. Note that to reach from the commitment of \(\varPi \) to the message r, the simulator makes use of some external information: namely the outputs it learns by querying the ideal functionality as it proceeds in the simulation. This information, however, is not available with the program \(\varPi \) (since the simulator may query the ideal functionality after the program \(\varPi \) was committed to). Also, note that the number of outputs learnt could be any unbounded polynomial. Hence, it is not clear how to regenerate the transcript.
The first obvious solution, which does not work, is to allow the program \(\varPi \) to take inputs of unbounded length. This would allow the simulator to pass all the outputs obtained to the program \(\varPi \). But now the soundness of the protocol seems to be completely compromised. On the other hand, if \(\varPi \) does not receive all the outputs, it cannot regenerate the transcript!
To resolve this issue, we use the idea of “Oracle programs” due to Deng, Goyal, and Sahai [13]. The program \(\varPi \), while running, is allowed to make any (polynomially unbounded) number of queries (to be answered by the simulator) as long as the response to each query is information theoretically fixed by the query. The soundness is still preserved: an adversarial prover still cannot communicate any information about the verifier’s random string r to \(\varPi \). However, the program \(\varPi \) can still access a potentially unbounded length string using such an “Oracle interface”.
Unfortunately, the above idea is still not sufficient for our purpose: the outputs given by the ideal functionality are not fixed given the adversary’s input in the session. Here we rely on the fact that we are only considering the ideal worlds which satisfy the bounded pseudoentropy condition. Very roughly, it is guaranteed that the entire output vector has only bounded pseudoentropy (B), given the input of the adversary. Moreover, given the adversary’s input vector, all possible output vectors are efficiently testable by the PPT algorithm \(\mathcal {T}\). In other words, for every vector of queries, there is only a bounded (although potentially exponential) number of response vectors accepted by \(\mathcal {T}\). We allow the program \(\varPi \) to make any number of queries such that the response vector is accepted by \(\mathcal {T}\). More details regarding our precise language for nonblack box simulation may be found in Fig. 1. This idea allows the simulator to supply the entire output vector (learnt from the ideal functionality) to \(\varPi \) while still preserving soundness. The soundness proof relies on the fact that the queries only allow for communication of up to Bbit string to \(\varPi \), which is still not sufficient for communicating the string r.
Finally, there are additional challenges due to the requirement of straightline extraction. Towards that end, we rely on input indistinguishable computation introduced by Micali, Pass, and Rosen [39]. Challenges also arise with performing hybrid arguments in the setting where the code of the simulator itself is committed (because of nonblack box simulation). The full construction along with the main ideas is given in Sect. 4.
Other Related Work: Though Goyal et al. [25] gave the first protocol for concurrent zeroknowledge with a straightline simulator, recently, Chung et al. [12] gave a constant round concurrent zeroknowledge protocol for uniform adversaries based on a new assumption of Pcertificates, which is also straightline simulatable. Their protocol represents an exciting idea which opens an avenue for getting constant round concurrently secure computation protocols (albeit for uniform adversaries only, and, based on a new assumption). We believe that our techniques could also be applicable in constructing concurrent secure computation protocols using the protocol of [12].
2 Concurrently Secure Computation: Our Model
In this section, we begin by giving a brief sketch of our model. For formal description (building upon the model of [38]) of our model, see full version. In this work, we consider a malicious, static and probabilistic polynomial time adversary that chooses whom to corrupt before the execution of the protocol and controls the scheduling of the concurrent executions. Additionally, the adversary can choose the inputs of different sessions adaptively. We denote the security parameter by n. We give a real world/ideal world based security definition. There are k parties \(Q_1, Q_2, \ldots , Q_k\), where each party may be involved in multiple sessions with possibly interchangeable roles. In the ideal world, there is a trusted party for computing the desired twoparty functionality \(\mathcal {F}: \{0,1\}^{r_1} \times \{0,1\}^{r_2} \rightarrow \{0,1\}^{s_1} \times \{0,1\}^{s_2}\). Let the total number of executions be \(m = m(n)\). Note that there is no apriori bound on the number of sessions m and the adversary can start any (possibly unbounded) polynomial number of sessions. On the other hand, in the real world there is no trusted party and the two parties involved in a session, say \(P_1\) and \(P_2\), execute a two party protocol \(\varPi \) for computing \(\mathcal {F}\). Our security definition requires that any adversary in the real model can be emulated by an adversary in the ideal model.
2.1 Our Result and Its Applications
As mentioned in the introduction, our main result (see Theorem 1, Sect. 1.1) is a general positive result for concurrent secure computation as long as the ideal world satisfies the bounded pseudoentropy condition (Definition 1, Sect. 1.1).
Next, we show that our theorem not only subsumes the positive results of [24] in the single input setting but also improves the round complexity.
Comparing Our Results with [24]. In [24], Goyal showed that if the ideal world satisfies the “key technical property” (KTP), then there exists a real world protocol which securely realizes this ideal world. The key technical property, taken verbatim from [24], is as follows:
Definition 2
For the ideal worlds which satisfy KTP, [24] gave a \(O(n^3 D^2)\) round secure protocol which realizes the functionality, where D is the parameter in Definition 2.
In our full version, we prove the following lemma:
Lemma 1
If an ideal world experiment satisfies the key technical property (Definition 2), then it also satisfies the bounded pseudoentropy condition (Definition 1).
As mentioned before, the round complexity of Goyal [24] is \(O(n^3 D^2)\) which is a polynomial in security parameter n as well as D (which depends upon length of single input as well as nature of functionality). Our Theorem 1 and Lemma 1 imply a quantitative and qualitative improvement in round complexity. This leads to lower round protocols for applications like private database search, secure set intersection, computing \(k^{th}\) ranked element etc. For details see the full version.
Moreover, [24] only gave a positive result for functionalities with hardness free ideal world, i.e. in the ideal world the trusted party is not required to perform any cryptographic operations. There is no such restriction in our setting. In fact, we show that blind signatures and verifiable random functions satisfy the bounded pseudoentropy condition. More interestingly, they do not satisfy the key technical property. We next describe our results for these functionalities.
Blind Signatures. Blind signatures, introduced by [11], allow users to obtain signatures on messages of their choice without revealing the message being signed to the signer (blindness property). In addition, they also need to satisfy the unforgeability property of the digital signature schemes. In this work, we give the following positive result for concurrent blind signatures.
Theorem 2
Assume the existence of collision resistant hash functions and constantround semihonest oblivious transfer. Then for any constant \(\epsilon \), there exists a \(O(n^\epsilon )\) round secure protocol which realizes the ideal world for concurrent blind signature functionality.
We prove this theorem by using unique signatures [22] as the underlying signature scheme and showing that blind signatures satisfy the bounded pseudoentropy condition when the underlying signature scheme is unique. (Note that Lindell’s black box impossibility result also holds in this setting.) A signature scheme is said to be unique if for each public key and each message, there exists at most one valid signature which verifies.
We can model blind signature as a two party computation between the signer and the user for the circuit for generating signatures. Note that the circuit will have the verification key \(\mathsf {vk}\) hardcoded. At the end of the protocol, the user outputs a valid signature \(\sigma \) if obtained, and signer always outputs \(\bot \). Now we show that this functionality satisfies BPC for \(B= 0\) and \(\mathcal {T}\) algorithm which is same as the signature verification algorithm. Note that if the adversary is playing the role of the user, its output is unique and is completely determined by its input message since \(\mathsf {vk}\) is fixed by the function being computed. If the adversary is playing the role of the signer, its output is always \(\bot \). Hence, set S will contain only one output vector, which is information theoretically fixed by the adversary inputs and the ideal world experiment (which fixes the verification keys for all the sessions). The algorithm \(\mathcal {T}\) simply verifies the user’s signatures w.r.t. corresponding \(\mathsf {vk}\) and ensures that signer’s outputs are \(\bot \).
Finally note that blind signatures will not satisfy the key technical property. Consider the case when the adversary is acting as the user in all the sessions. By the unforgeability property of the scheme, any PPT predictor which receives k valid input/output (message/signature) pairs cannot predict the signature on the next message with nonnegligible probability. Also, note that blind signatures will not satisfy the generalized key technical property discussed in the full version [23] for the same reason.
Verifiable Random Functions. Verifiable random functions (VRFs) were introduced by Micali, Rabin, and Vadhan [40]. They combine the properties of pseudorandom functions with the verifiability property. Intuitively, they are pseudorandom functions with a public key and proofs for verification. Along with pseudorandomness, they are required to satisfy uniqueness, i.e., given the public key, for any input x, there is a unique y which can verify. In this work, we show the following:
Theorem 3
Assume the existence of collision resistant hash functions and constantround semihonest oblivious transfer. Then for any constant \(\epsilon \), there exists a \(O(n^\epsilon )\) round concurrent real world protocol which realizes the ideal world experiment for verifiable random functions.
We again prove this theorem by showing that VRFs satisfy BPC for \(B= 0\) and \(\mathcal {T}\) algorithm which is same as verification algorithm. Here, we again rely on the uniqueness property. Finally, note that VRFs too will not satisfy the key technical property due to pseudorandomness guarantee. For details see the full version.
3 Our SimulationSound NonBlack Box ZeroKnowledge Protocol
Constructing a family of polynomially many zeroknowledge protocols which are simulationsound with respect to each other under (unbounded polynomially many) concurrent executions is one of the difficulties in constructing protocols for fully concurrent multiparty computation (MPC). Simulationsoundness, introduced by Sahai [48], means that the soundness of each of the proofs given by the adversary should hold even when the adversary is getting unbounded polynomial number of simulated proofs. To avoid the problem of providing multiple outputs due to a rewinding based simulator for concurrent MPC, we need to construct simulationsound zeroknowledge protocols which are straightline simulatable. Note that Pass [43] also gave a construction of polynomially many protocols which are concurrent zeroknowledge and simulationsound w.r.t. each other in the restricted setting of bounded concurrency. In this work, we construct such simulationsound zeroknowledge protocols building upon the nonblack box public coin concurrent zeroknowledge protocol of Goyal [25].
First, we give a brief overview of [25]. Some of the text has been taken verbatim from [25]. One of the main technical ideas in [25] is to have \(N= n^\epsilon \) nonblack box slots, for any constant \(\epsilon \) (each consisting of a commitment to a machine and a verifier challenge string). Each slot is followed by a universal argument (UA) execution. Any of the UA’s in a session may be picked for simulation. If a UA is picked for simulation, to make the analysis go through, the simulator could choose of any of the previously completed slots and prefer the slots which are computationally lighter. In a UA execution, the prover proves that in one of the completed slots, the machine committed successfully outputs the verifier challenge string. Other main idea was to have encrypted executions of the UAs (using its public coin property) to hide the location of the convincing UA executions in the transcript. Finally there is an execution of a witnessindistinguishable argument of knowledge (WIAOK), where the prover proves that either the statement \(x \in L\) or there exists a decryption of one of the UAs which is accepting. In the subsequent discussion, we will refer to the part of the protocol with non black box slots and encrypted UAs as the preamble phase and last phase as the wiaok phase.
Two main ideas are required to transform the above described protocol into simulationsound zeroknowledge protocols, which can then be used to construct protocols for concurrent MPC. Firstly, observe that unless the parties have identities it is impossible to construct a simulationsound protocol because a maninthemiddle attack cannot be prevented. Hence, we focus on a setting where each party has a unique identity of \(n\) bits. Let \(\mathsf {NMCom}\) be a krobust identitybased nonmalleable commitment scheme. Now, after the preamble phase of the protocol, the prover with identity \(\mathsf {id}\) gives a nonmalleable commitment to the witness under its identity \(\mathsf {id}\). More precisely, the prover, having witness w to \(x \in L\), gives a commitment \(c = \mathsf {NMCom}(w)\) under his identity \(\mathsf {id}\). In the final wiaok phase, the prover proves that either there exists a w such that \(c = \mathsf {NMCom}(w)\) and \(w \in R_L(x)\) or one of the UA executions was convincing. We will be able to prove the simulationsoundness of our protocol using the nonmalleability and krobustness of \(\mathsf {NMCom}\). Note that (as described later) our protocol will be simulationsound even when the adversary is allowed to choose the statements to be proven adaptively till the point when he gives this nonmalleable commitment.
Intuition Behind the Oracle Queries \(\mathsf {output}(\cdot )\) in Language \(\varLambda \) . The algorithm \(\mathcal {T}\) and the bound \(B\) are introduced to capture the information learnt by the adversary. When only concurrent sessions of zeroknowledge are running, there is no information passed to the adversary, hence we can have \(\mathcal {T}\) to reject all outputs and still be able to simulate the view of the adversary. This notion will be important for the concurrent executions of multiparty computation because the adversary learns nontrivial information from calls to the trusted party. In particular, it learns the output of the function in each session. We will use the oracle queries \(\mathsf {output}(\cdot )\) to communicate the information learnt from the trusted party to the adversary in the ideal world. But still to get our positive result, we will need to bound the amount of information learnt by the adversary. The bound \(B\) will be the number of bits of information passed on to the adversary. This is intuitively captured by the condition that there are only \(2^B\) vectors of oracle responses which might be accepted by \(\mathcal {T}\). Looking ahead, the description of \(\mathcal {T}\) will depend on the functionality being computed.
Formal Protocol Description. Let \(\textsc {com}(\cdot )\) denote a noninteractive perfectly binding commitment scheme. Whenever we need to be explicit about the randomness, we denote by \(\textsc {com}(s;r)\) a commitment to a string s computed with randomness r. Unless stated otherwise, all commitments in the protocol are executed using this commitment scheme. Let \(\mathsf {NMCom}\) be the krobust nonmalleable commitment scheme, where k is a parameter computed later. Let \(\mathsf {len}= n^2 + B+ \eta \), where \(B\) and \(\eta \) are parameters computed later.
The common input to P and V is the security parameter \(n\). The input to P is x in the language \(L \in NP\), and a witness w to \(x \in L\). Let \(\mathsf {id}\) be the \(n\) bit identity of the prover. Our protocol \(\langle P,V\rangle \) or \(c\mathcal {ZK}_\mathsf {id}\), where \(\mathsf {id}\) is the identity of the prover, proceeds as follows: Parts of the protocol have been taken verbatim from [25].
 1.
The verifier V chooses a random collision resistant hash function h from a function family \(\mathcal {H}\) and sends it to P.
 2.For \(i \in [n^6]\), the protocol proceeds as follows:^{4}

The prover P computes \(z_i = \textsc {com}(h(0))\) and sends it to V.

The verifier V selects a challenge string \(r_i \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\mathsf {len}}\) and sends it to the prover P. The above two messages (consisting of the prover commitment and the verifier challenge) are referred to as a “slot”.

The prover P and the verifier V will now start a threeround public coin universal argument (of knowledge) [4] where P proves to V that there exists \(j \le i\) , s.t., \(\tau _j (= (h, z_j, r_j))\) is in the language \(\varLambda \) (see Fig. 1).
The three messages of this UA protocol are called as the first UA message, verifier UA challenge, and, the last UA message. Observe that the UA does not just refer to the slot immediately preceding it but rather has a choice of using any of the slots that have completed in the protocol so far.

The prover computes the first UA message and sends a commitment to this message to the verifier. The honest prover will simply commit to a random string of appropriate size.

The verifier now sends the UA challenge message.

The prover computes the last UA message and again sends only a commitment to this message to the verifier. The honest prover will simply commit to a random string of appropriate size.

 3.
The prover declares the statement \(x \in L\) and commits to the witness w using the nonmalleable commitment scheme \(\mathsf {NMCom}\) under prover’s identity \(\mathsf {id}\). Note that a cheating prover can adaptively choose the statement x here.
 4.Finally, the prover proves the following statement to V using WIAOK
 1.
The value committed to in Step 3 is a value w such that it is a valid witness to \(x \in L\), (i.e. \(w \in R_L(x)\)), or
 2.
There exists i such that the ith UA execution was “convincing”. That is, there exists an \(i \in [n^6]\) such that there exists an opening to the prover first and last UA messages such that an honest verifier would have accepted the transcript of the UA execution.
An honest prover simply commits to the witness for \(x \in L\) in Step 3 and uses the first part of the statement to complete the witnessindistinguishable argument of knowledge protocol.
Observe that a witness to the second part of the above statement would be the opening of the commitments to the UA first and last messages. Hence, the size of the witness is fixed and depends only upon the communication complexity of the 3round UA system being used.
 1.
Remark 1
We call the Steps 1 and 2 of the protocol as nonblack box preamble, step 3 as the nmcom phase and step 4 as the wiaok phase.
Parameter k . We set k to be the round complexity of WIAOK. Hence, we set \(k = 3\).
Parameter \(B\) . Note that the parameter \(B\) in \(\mathsf {len}\) is same as the one in Fig. 1, i.e. the parameter specified for algorithm \(\mathcal {T}\) in the description of language \(\varLambda \).
Looking ahead, (very informally) while proving the simulationsoundness of the above protocol, different parts of the protocol will be taken externally and \(\mathsf {NMCom}\) given by the adversary will be exposed to an external receiver, etc. Hence, different parts of the protocol will be given externally to the machine committed by the simulator as part of the string \(y_1\) in \(\varLambda \).
Note that the entire \(\langle P, V\rangle _{}\) protocol is run w.r.t. to language \(\varLambda \) having a specific algorithm \(\mathcal {T}\) and bound \(B\). We will prove that the security properties hold for any such \(\mathcal {T}\) and bound \(B\) when \(\eta \) is chosen as above. Next, we prove the soundness of the protocol for any fixed value of \(B\). Then we will prove the simulationsoundness of the protocol. Our ZK simulator will not use the oracle queries of the type \(\mathsf {output}(\cdot )\). Later on our MPC simulator will make a nontrivial use of these oracle queries.
The proof of security of simulationsound nonblack box zeroknowledge protocol proceeds along the lines discussed in the introduction (see Sect. 1.2). We give a detailed formal proof of security in the full version.
4 Concurrently Secure Computation: Our Protocol
In this section, we will describe our protocol \(\varSigma \) for concurrently secure computation for ideal world experiments which satisfy the bounded pseudoentropy condition (Definition 1) for some parameter \(B\in \mathbb {N}\) and algorithm \(\mathcal {T}\).
Our Construction. In order to describe our construction, we first recall the notation associated with the primitives that we use in our protocol. Let \(\textsc {com}(\cdot )\) denote the commitment function of a noninteractive perfectly binding commitment scheme. Let \(\langle P, V\rangle _{}\) denote the simulationsound nonblack box concurrent zeroknowledge protocol as described in Sect. 3 with length of challenge strings modified to be \(\mathsf {len}= n^2 + B+ \theta \), where \(\theta \) is a parameter computed later. Let \(\langle P_{1}^\mathsf{iic }, P_{2}^\mathsf{iic } \rangle \) be the constant round protocol for input indistinguishable computation [17, 39]. Let \(\mathsf {NMCom}\) be the krobust nonmalleable commitment scheme, where k is a parameter computed later. Further, let \(\langle P_\mathsf{wi },V_\mathsf{wi } \rangle \) denote a witness indistinguishable argument and let \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \) denote a constant round semihonest two party computation protocol \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \) that securely computes \(\mathcal {F}\) in the standalone setting as per the standard definition of secure computation.
Let \(P_{1}\) and \(P_{2}\) be two parties with inputs \(x_{1}\) and \(x_{2}\). Let \(n\) be the security parameter. Protocol \(\varSigma =\langle P_{1}, P_{2}\rangle \) proceeds as follows:
 1.
\(P_{1}\Rightarrow P_{2}:\) \(P_{1}\) and \(P_{2}\) engage in the preamble phase of \(\langle P, V\rangle _{}\) where \(P_{1}\) is the prover. Next, in the nmcom phase, \(P_{1}\) creates a nonmalleable commitment \(\mathsf {com}_{1}\) to bit 0, i.e. \(\mathsf {com}_{1}=\mathsf {NMCom}(0)\) and sends \(\mathsf {com}_{1}\) to \(P_{2}\). \(P_{1}\) and \(P_{2}\) now engage in the wiaok phase where \(P_{1}\) proves that either (1) \(\mathsf {com}_{1}\) is a commitment to 0 , or (2) there exists i such that the ith UA execution in the preamble phase was “convincing".
 2.
\(P_{2}\Rightarrow P_{1}:\) \(P_{2}\) now acts symmetrically. \(P_{1}\) and \(P_{2}\) engage in the preamble phase of \(\langle P, V\rangle _{}\) where \(P_{2}\) is the prover. Next, \(P_{2}\) creates a nonmalleable commitment \(\mathsf {com}_{2}\) to bit 0, i.e. \(\mathsf {com}_{2}=\mathsf {NMCom}(0)\) to bit 0 and sends \(\mathsf {com}_{2}\) to \(P_{1}\). \(P_{1}\) and \(P_{2}\) now engage in the wiaok phase where \(P_{2}\) proves that either (1) \(\mathsf {com}_{2}\) is a commitment to 0 , or (2) there exists i such that the ith UA execution in the preamble phase was “convincing”.
 1.
\(P_{1}\) first samples a random string \(r_{1}\) (of appropriate length, to be used as \(P_{1}\)’s randomness in the execution of \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \) in Phase III) and uses input \(z_1 = x_{1}\Vert r_{1}\) and \({\mathsf {td}}_1 = \bot \) in execution of \(\langle P_{1}^\mathsf{iic }, P_{2}^\mathsf{iic } \rangle \) for \(f_{\mathsf {com}_{1},\mathsf {com}_{2}}\).
 2.
\(P_{2}\Rightarrow P_{1}:\) \(P_{2}\) now acts symmetrically. \(P_{2}\) first samples a random string \(r_{2}\) (of appropriate length, to be used as \(P_{2}\)’s randomness in the execution of \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \) in Phase III) and uses input \(z_2 = x_{2}\Vert r_{2}\) and \({\mathsf {td}}_2 = \bot \) in execution of \(\langle P_{1}^\mathsf{iic }, P_{2}^\mathsf{iic } \rangle \) for \(f_{\mathsf {com}_{1},\mathsf {com}_{2}}\).
Informally speaking, the purpose of this phase is to aid the simulator in extracting the adversary’s input and randomness with the help of the trapdoor obtained in the previous phase. As we will show later, an adversary will never be able to input a valid trapdoor.
 1.
\(P_{1}\leftrightarrow P_{2}:\) \(P_{1}\) samples a random string \(r'_{2}\) (of same length as \(r_2\)) and sends it to \(P_{2}\). Similarly, \(P_{2}\) samples a random string \(r'_{1}\) (of same length as \(r_1\)) and sends it to \(P_{1}\). Let \(r''_{1}=r_{1}\oplus r'_{1}\) and \(r''_{2}=r_{2}\oplus r'_{2}\). Now, \(r''_{1}\) and \(r''_{2}\) are the random coins that \(P_{1}\) and \(P_{2}\) will use during the execution of \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \).
 2.Let q be the number of rounds in \(\langle P_{1}^\mathsf{sh }, P_{2}^\mathsf{sh } \rangle \), where one round consists of a message from \(P_{1}^\mathsf{sh }\) followed by a reply from \(P_{2}^\mathsf{sh }\). Let transcript \(T_{1,j}\) (resp., \(T_{2,j}\)) be defined to contain all the messages exchanged between \(P_{1}^\mathsf{sh }\) and \(P_{2}^\mathsf{sh }\) before the point \(P_{1}^\mathsf{sh }\) (resp., \(P_{2}^\mathsf{sh }\)) is supposed to send a message in round j. For \(j=1,\ldots ,q\):
 (a)\(P_{1}\Rightarrow P_{2}:\) Compute \(\beta _{1,j} =P_{1}^\mathsf{sh }(T_{1,j},x_{1},r''_{1})\) and send it to \(P_{2}\). \(P_{1}\) and \(P_{2}\) now engage in an execution of \(\langle P_\mathsf{wi },V_\mathsf{wi } \rangle \), where \(P_{1}\) proves the following statement:
 i.
either there exist values \(\hat{x}_{1}\), \(\hat{r}_{1}\) and \(\hat{{\mathsf {td}}}_1\) such that (a) the \(f_{\mathsf {com}_{1},\mathsf {com}_{2}}\) is valid with respect to the value \(\hat{z}_1 = \hat{x}_{1}\Vert \hat{r}_{1}\) and \(\hat{{\mathsf {td}}}_1\) and (b) \(\beta _{1,j}=P_{1}^\mathsf{sh }(T_{1,j},\hat{x}_{1},\hat{r}_{1}\oplus r'_{1})\)
 ii.
or, the nonmalleable commitment \(\mathsf {com}_{1}\) is a commitment to bit 1.
 i.
 (b)
\(P_{2}\Rightarrow P_{1}:\) \(P_{2}\) now acts symmetrically.
 (a)
This completes the description of the protocol \(\varSigma =\langle P_{1}, P_{2}\rangle \). Note that \(\varPi \) consists of several instances of WI, such that the proof statement for each WI instance consists of two parts. Specifically, the second part of the statement states that prover committed to bit 1 in the nonblack box simulation phase. In the sequel, we will refer to the second part of the proof statement as the trapdoor condition. Further, we will call the witness corresponding to the first part of the statement as real witness and that corresponding to the second part of the statement as the trapdoor witness.
The proof of Theorem 1 proceeds along the lines discussed in the introduction (see Sect. 1.2). For a complete proof refer to the full version of the paper.
Footnotes
 1.
For a detailed survey of these works, see our full version.
 2.
Previous separations between the power of blackbox and nonblack box simulation are known only if we place additional constraints on the design of the real world protocol (e.g., it should be public coin, or constant rounds, etc.).
 3.
Before this, all the (fully) concurrent zeroknowledge protocols were based on rewinding techniques, while, the construction of [2] (which had a nonrewinding simulator) worked only in the bounded concurrent setting. The main result in [25] was the first publiccoin concurrent zeroknowledge protocol where the nonrewinding nature of the simulation technique was not crucial. However in the current work, we would crucially exploit the fact that the simulation strategy was straightline.
 4.
Note that the round complexity of our protocol can be made \(n^\epsilon \) using standard techniques involving “scaling down” the security parameter.
 5.
Part of the text in this phase has been taken verbarim from [17].
References
 1.Agrawal, S., Goyal, V., Jain, A., Prabhakaran, M., Sahai, A.: New impossibility results for concurrent composition and a noninteractive completeness theorem for secure computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 443–460. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 2.Barak, B.: How to go beyond the blackbox simulation barrier. In: FOCS (2001)Google Scholar
 3.Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed setup assumptions. In: FOCS (2004)Google Scholar
 4.Barak, B., Goldreich, O.: Universal arguments and their applications. In: IEEE Conference on Computational Complexity (2002)Google Scholar
 5.Barak, B., Prabhakaran, M., Sahai, A.: Concurrent nonmalleable zero knowledge. In: FOCS (2006)Google Scholar
 6.Barak, B., Sahai, A.: How to play almost any mental game over the net  concurrent composition via superpolynomial simulation. In: FOCS (2005)Google Scholar
 7.Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Blackbox concurrent zeroknowledge requires \(\stackrel{\sim }{\Omega }(\log n)\) rounds. In: STOC (2001)Google Scholar
 8.Canetti, R., Kushilevitz, E., Lindell, Y.: On the limitations of universally composable twoparty computation without setup assumptions. In: Biham, E. (ed.) EUROCRYPT 2003, vol. 2656, pp. 68–86. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 9.Canetti, R., Lin, H., Pass, R.: Adaptive hardness and composable security from standard assumptions. In: FOCS (2010)Google Scholar
 10.Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable twoparty and multiparty secure computation. In: STOC (2002)Google Scholar
 11.Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Blind Signatures for Untraceable Payments, pp. 199–203. Springer, New York (1982)Google Scholar
 12.Chung, K.M., Lin, H., Pass, R.: Constantround concurrent zero knowledge from pcertificates. In: FOCS (2013)Google Scholar
 13.Deng, Y., Goyal, V., Sahai, A.: Resolving the simultaneous resettability conjecture and a new nonblackbox simulation strategy. In: FOCS (2009)Google Scholar
 14.Dwork, C., Naor, M., Sahai, A.: Concurrent zeroknowledge. In: STOC (1998)Google Scholar
 15.Fischlin, M.: Roundoptimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 16.Garay, J.A., MacKenzie, P.D.: Concurrent oblivious transfer. In: FOCS (2000)Google Scholar
 17.Garg, S., Goyal, V., Jain, A., Sahai, A.: Concurrently secure computation in constant rounds. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 99–116. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 18.Garg, S., Gupta, D.: Efficient round optimal blind signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 477–495. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 19.Garg, S., Kumarasubramanian, A., Ostrovsky, R., Visconti, I.: Impossibility results for static input secure computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 424–442. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 20.Garg, S., Rao, V., Sahai, A., Schröder, D., Unruh, D.: Round optimal blind signatures. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 630–648. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 21.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC (1987)Google Scholar
 22.Goldwasser, S., Ostrovsky, R.: Invariant signatures and noninteractive zeroknowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993) CrossRefGoogle Scholar
 23.Goyal, V.: Positive results for concurrently secure computation in the plain model. IACR Cryptology ePrint Archive 2011 (2011)Google Scholar
 24.Goyal, V.: Positive results for concurrently secure computation in the plain model. In: FOCS (2012)Google Scholar
 25.Goyal, V.: Nonblackbox simulation in the fully concurrent setting. In: STOC (2013)Google Scholar
 26.Goyal, V., Gupta, D., Jain, A.: What information is leaked under concurrent composition? In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 220–238. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 27.Goyal, V., Jain, A.: On concurrently secure computation in the multiple ideal query model. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 684–701. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 28.Goyal, V., Jain, A., Ostrovsky, R.: Passwordauthenticated sessionkey generation on the internet in the plain model. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 277–294. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 29.Goyal, V., Maji, H.K.: Stateless cryptographic protocols. In: FOCS (2011)Google Scholar
 30.Goyal, V., Sahai, A.: Resettably secure computation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 54–71. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 31.Hazay, C., Katz, J., Koo, C.Y., Lindell, Y.: Concurrentlysecure blind signatures without random oracles or setup assumptions. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 323–341. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 32.Katz, J.: Universally composable multiparty computation using tamperproof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 33.Kiayias, A., Zhou, H.S.: Concurrent blind signatures without random oracles. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 49–62. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 34.Kilian, J., Petrank, E.: Concurrent and resettable zeroknowledge in polyloalgorithm rounds. In: STOC (2001)Google Scholar
 35.Lin, H., Pass, R.: Nonmalleability amplification. In: STOC (2009)Google Scholar
 36.Lindell, Y.: Boundedconcurrent secure twoparty computation without setup assumptions. In: STOC (2003)Google Scholar
 37.Lindell, Y.: General composition and universal composability in secure multiparty computation. In: FOCS (2003)Google Scholar
 38.Lindell, Y.: Lower bounds and impossibility results for concurrent self composition. J. Cryptology 21(2), 200–249 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
 39.Micali, S., Pass, R., Rosen, A.: Inputindistinguishable computation. In: FOCS (2006)Google Scholar
 40.Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: FOCS (1999)Google Scholar
 41.Okamoto, T.: Efficient blind and partially blind signatures without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 80–99. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 42.Pass, R.: Simulation in quasipolynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003, vol. 2656, pp. 160–176. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 43.Pass, R.: Boundedconcurrent secure multiparty computation with a dishonest majority. In: STOC (2004)Google Scholar
 44.Pass, R., Rosen, A.: Boundedconcurrent secure twoparty computation in a constant number of rounds. In: FOCS (2003)Google Scholar
 45.Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic roundcomplexity. In: FOCS (2002)Google Scholar
 46.Prabhakaran, M., Sahai, A.: New notions of security: achieving universal composability without trusted setup. In: STOC (2004)Google Scholar
 47.Richardson, R., Kilian, J.: On the concurrent composition of zeroknowledge proofs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 415–431. Springer, Heidelberg (1999) CrossRefGoogle Scholar
 48.Sahai, A.: Nonmalleable noninteractive zero knowledge and adaptive chosenciphertext security. In: FOCS (1999)Google Scholar
 49.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS (1986)Google Scholar