Stateless Cryptographic Protocols

Vipul GoyalMicrosoft Research, India.Email: vipul@microsoft.com

Hemanta K. Maji ∗

Department of Computer Science,University of Illinois at Urbana-Champaign.

Email: hmaji2@uiuc.edu

Abstract— Secure computation protocols inherently involvemultiple rounds of interaction among the parties where, typically aparty has to keep a state about what has happened in the protocolso far and then wait for the other party to respond. We study ifthis is inherent. In particular, we study the possibility of design-ing cryptographic protocols where the parties can be completelystateless and compute the outgoing message by applying a singlefixed function to the incoming message (independent of any state).The problem of designing stateless secure computation protocolscan be reduced to the problem of designing protocols satisfying thenotion of resettable computation introduced by Canetti, Goldreich,Goldwasser and Micali (FOCS’01) and widely studied thereafter.

The current start of art in resettable computation allows forconstruction of protocols which provide security only when a singlepredetermined party is resettable [15]. An exception is for thecase of the zero-knowledge functionality for which a protocol inwhich both parties are resettable was recently obtained by Deng,Goyal and Sahai (FOCS’09). The fundamental question left openin this sequence of works is, whether fully-resettable computationis possible, when:

1) An adversary can corrupt any number of parties, and2) The adversary can reset any party to its original state during

the execution of the protocol and can restart the protocol.In this paper, we resolve the above problem by constructing

secure protocols realizing any efficiently computable multi-partyfunctionality in the plain model under standard cryptographic as-sumptions. First, we construct a Fully-Resettable Simulation SoundZero-Knowledge (ss-rs-rZK) protocol. Next, based on these ss-rs-rZK protocols, we show how to compile any semi-honest secureprotocol into a protocol secure against fully resetting adversaries.

Next, we study a seemingly unrelated open question: “Does thereexist a functionality which, in the concurrent setting, is impossibleto securely realize using BB simulation but can be realized usingNBB simulation?”. We resolve the above question in the affirmativeby giving an example of such a (reactive) functionality. Somewhatsurprisingly, this is done by making a connection to the existenceof a fully resettable simulation sound zero-knowledge protocol.

1. INTRODUCTION

General feasibility results for secure computation wereobtained more than two decades ago [26], [11]. Securecomputation protocols inherently involve multiple rounds ofinteraction among the parties where, typically a party hasto keep a state about what has happened in the protocol sofar and then wait for the other party to respond. We studyif this is inherent. In particular, we study the possibility ofdesigning cryptographic protocols where the parties can becompletely stateless and compute the outgoing message by

∗Work done in part while interning at Microsoft Research, India.

applying a single fixed function to the incoming message.Being stateless is a highly desirable property in the designof network protocols since it allows for the construction ofmore robust and easy to maintain systems. SYN floodingand related attacks are well known as a tool to launch adenial of service attack against a system running a statefulprotocol. It has been argued that internet has been going inthe direction of using stateless protocol (from using statefulones) [16]. In this work, we study of question of obtainingstateless cryptographic secure computation protocols.

Question of designing stateless secure computation proto-cols is intimately connected to the notion of resettably secureprotocols. The study of resettable protocols was initiated inthe seminal work of Canetti, Goldreich, Goldwasser, andMicali [5] who introduced the notion of resettable zero-knowledge (ZK). In resettable zero knowledge, the zeroknowledge property is required to hold even if a maliciousverifier can reset the prover to the initial state and starta new interaction where the prover uses the same randomtape. Canetti et al. [5] proposed constructions of resettablezero knowledge protocols based on standard cryptographicassumptions. Barak, Goldreich, Goldwasser, and Lindell [3]showed how to construct zero knowledge protocols foropposite setting (where soundness is required to hold evenif the verifier can be reset and restarted with the samerandom tape), which following Micali and Reyzin [17]1

they call resettably sound (rS) zero-knowledge. Goyal andSahai [15] extended the study of resettable protocol fromzero-knowledge to general functionalities and presented aconstruction where only a single predetermined party canbe reset.

In a cryptographic protocol, if a set of parties is resettable,there is a simple compiler to construct another protocol inwhich those set of parties can be made completely stateless[15]. Thus, the task of obtaining stateless secure computationprotocols can be reduced to the task of obtaining resettablysecure protocols. The existence of resettably secure proto-cols also has interesting implications for the fundamentalquestion of reusing randomness in cryptographic protocols.

Subsequent to the works of Canetti et al. [5] and Baraket al. [3], there have been a number of works studying

1Micali and Reyzin defined resettable soundness (and other soundnessnotions) in a public-key model, but did not consider the plain model, whichis the focus of the present work.

2011 52nd Annual IEEE Symposium on Foundations of Computer Science

0272-5428/11 $26.00 © 2011 IEEE

DOI

666

2011 52nd Annual IEEE Symposium on Foundations of Computer Science

0272-5428/11 $26.00 © 2011 IEEE

DOI 10.1109/FOCS.2011.74

678

2011 52nd Annual IEEE Symposium on Foundations of Computer Science

0272-5428/11 $26.00 © 2011 IEEE

DOI 10.1109/FOCS.2011.74

678

2011 IEEE 52nd Annual Symposium on Foundations of Computer Science

0272-5428/11 $26.00 © 2011 IEEE

DOI 10.1109/FOCS.2011.74

678

protocols in the setting where only a single predeterminedparty is resettable (see the related work subsection formore details). Barak et al. [3] conjectured the existenceof zero-knowledge protocols where both the parties maybe resettable. This conjecture remained open despite partialprogress over several years and was resolved only recentlyby Deng, Goyal and Sahai [8]. Deng et al. constructeda protocol for the zero-knowledge functionality where thesecurity holds if either of the party maybe resettable.2 Incontrast, the construction of Goyal and Sahai [15] is forall functionalities but the security holds when only a singlepredetermined party may be reset. In the work of Goyal andSahai, if any party other than the predetermined one is resetby the adversary, the protocol completely breaks and thereis an explicit attack that the adversary can launch. This stateof affairs leads to the following natural question:

“Do there exist protocols for functionalities other thanzero-knowledge where more than one party may be reset?”

The above can be considered as the last step in theunderstanding of the feasibility (as opposed to efficiency)of resettable protocols.

1.1. Our Contributions

We resolve the above question in the affirmative. We pro-vide a construction for all (PPT computable) functionalitiesin the multi-party setting where, in fact, all the parties maybe fully resettable. This subsumes most known feasibilityresults in the area of resettable protocols. The key ingredientin our construction is a non-malleable fully resettable zero-knowledge protocol which we believe to be of independentinterest.

Fully Stateless Protocols: A key implication of ourresult is the first construction of truly stateless protocolsfor all (PPT computable) functionalities. In other words, forany functionality in question, we now have a cryptographicprotocol where all the parties can be fully stateless andcompute the next outgoing message by applying a fixed (nextmessage) function to the incoming message (independent ofany state).

Obfuscating interactive Turing machines with hardwaretokens: In a cryptographic protocol, we typically assumethat all internal working of an (honest) participating partiesis hidden from the adversary. In other words, the party ismodeled as a black box interactive Turing machine. By re-lying on our results (and on the existence of obfuscation witha stateless hardware token [14]), we show this assumptioncan be significantly relaxed. We show it is possible to designsecure computation protocols where all internal state of allhonest parties except a small stateless black-box (with sizedependent only on the security parameter) may be leaked tothe adversary. This can be done as follows.

2This is called a fully resettable zero-knowledge protocol. Note that thisimplies the existence of stateless zero-knowledge protocols.

• We first obtain a stateless secure computation protocolfor the desired functionality. In such a protocol, eachparticipating party simply applies a fixed next-messagefunction to the incoming message to compute theoutgoing message.

• We now obfuscate the next message function using astateless hardware token whose size is dependent onlyon the security parameter.

Thus, we end up with a software-hardware package (inthe terminology of Goldreich and Ostrovsky [12]) whichis capable of running secure computation protocols for any(PPT computable) functionality.

Concurrently Secure Computation: Separating thePower of Non-black-box and Black-box Simulation: Therehave been a number of tasks which are shown to beimpossible using black-box (BB) simulation but becomepossible once we resort to non-black-box (NBB) simulation.Examples are constant round bounded concurrent zero-knowledge [1], public coin concurrent zero-knowledge [24],constant round covert computation [13], etc. However so far,we don’t know of any example of a functionalities whichin the concurrent setting: (a) is possible to realize usinga NBB simulator, but, (b) is impossible to realize usinga BB simulator. Indeed, all such separations between thepower of BB and NBB simulation are known only if weplace additional constraints on the design of the real worldprotocol (e.g., it should be public coin, or constant rounds,or should have the covertness property, etc). Thus, we havethe following natural question:

“Does there exist a functionality which, in the concurrentsetting, is impossible to realize using BB simulation (in anypolynomial number of rounds) but can be realized using NBBsimulation?”

We answer the above question in the affirmative by givingan example of such a (reactive) functionality. Somewhatsurprisingly, this is done by making a connection of theabove question to the existence of non-malleable (nm)fully resettable (rs-rZK) zero-knowledge (which is the keyingredient behind our stateless computation protocols asmentioned above). We consider the ideal world functionalitywhere the verifier runs the NM-SR-ZK protocol with thetrusted party (who gets the witness from the prover). Torule out the existence of a real world protocol realizing thisfunctionality with a BB simulator, we rely on the resettablesoundness and non-malleability of the protocol being runin the ideal world. To show the existence of a real worldprotocol realizing this functionality with a NBB simulator,we rely on the ideal world protocol being a concurrent zero-knowledge protocol.

1.2. Related Works.

The only other work to consider the issue of non-malleability in the setting of resettable protocols is therecent work by Ostrovsky, Pandey, Sahai and Visconti [19].

667679679679

However [19] is only able to construct protocols whereonly a single predetermined party is resettable. Hence theprotocols in [19] don’t have any direct application towardsobtaining new results for resettable / stateless secure compu-tation protocols. The techniques used in our work are quitedifferent from the ones used in [19].

Subsequent to the works of Canetti et al. [5] and Barak etal. [3] described above, a number of works have investigatedthe problem of security against resetting attacks for zero-knowledge protocols in the plain model. Barak, Lindell, andVadhan [4] constructed the first constant-round public-coinargument that is bounded resettable zero-knowledge. Dengand Lin [9] showed a zero-knowledge argument system thatis bounded resettable zero-knowledge and satisfies a weakform of resettable soundness.

A larger body of work has investigated the same problemsin a relaxed setting, called the “bare public key” (BPK)model, introduced by [5], which assumes that parties mustregister (arbitrarily chosen) public keys prior to any attacktaking place. See [7], [27] and the references therein.

Note that the problem of constructing resettable protocols(for functionalities other than zero-knowledge) where morethan one party can be reset was open even in the BPK model.

There have been other works using the notion of resettableprotocols towards solving unrelated questions (c.f., [21],[6]).

2. PRELIMINARIES

In this section, we introduce some basic definitions per-taining to our simulation based definition of Resettablecomputation and zero-knowledge protocols.

2.1. ZK Background

In this section, we introduce some definitions related toZero-Knowledge and Simulation Soundness. We first recallthe definition of a relaxed concurrent adversary from [8].Informally speaking, a relaxed concurrent adversary A, inthe beginning of a particular session, chooses a randomr (using any adversarial strategy) and then behaves as anhonest verifier using that tape r in that session. Hence,messages of A are independent of the prover messages sentin other sessions during the execution of this session.

Definition 1 (Relaxed Concurrent Adversaries [8]): Anadversary A interacting with the prover P concurrentlyin several sessions is a relaxed concurrent adversary, if atthe beginning of every session, it writes a string s to aspecial tape such that, there exists a fixed function f (notnecessarily efficiently computable) such that r = f(s) andA interacts in the session as the honest verifier V withrandom tape r.

Note that any concurrent ZK protocol secure againstrelaxed concurrent adversaries can be made secure againstgeneral concurrent adversaries by asking the verifier tocommit to its randomness in the beginning and then with

every outgoing message, requiring it to prove in (standalone)ZK that it has behaved honestly using that randomness.

Definition 2 (Resettable Soundness (rs) [3]): A resettingattack of a cheating prover P ∗ on a resettable verifier V isdefined by the following two-step random process, indexedby a security parameter n.

1) Uniformly select and fix t = poly(n) random-tapes,denoted r1, . . . , rt, for V , resulting in deterministicstrategies V (j)(x) = V x,rj defined by V x,rj (α) =V (x, rj , α), where x ∈ {0, 1}n and j ∈ [t]. EachV (j)(x) is called an incarnation of V .

2) On input 1n, machine P ∗ is allowed to initiatepoly(n)-many interactions with the V (j)(x)’s. Theactivity of P ∗ proceeds in rounds. In each roundP ∗ chooses x ∈ {0, 1}n and j ∈ [t], thus definingV (j)(x), and conducts a complete session with it.

Let P and V be some pair of interactive machines,and suppose that V is implementable in probabilisticpolynomial-time. We say that (P ,V ) is a resettably-soundproof system for L (resp., resettably-sound argument systemfor L) if the following two conditions hold:

• Resettable-completeness: Consider an arbitrary reset-ting attack (resp., polynomial-size resetting attack),and suppose that in some session after selecting anincarnation V j(x), the attacker follows the strategy P .The, if x ∈ L then V (j)(x) accepts with negligibleprobability.

• Resettable-soundness: For every resetting attack (resp.,polynomial size resetting attack), the probability that insome session the corresponding V (j)(x) has acceptedand x /∈ L is negligible.Verifier Admissible Proof Systems and Hybrid-

Soundness: Instead of achieving full resettable-soundness,it is sometimes easier to achieve a weaker form of guaranteecalled “hybrid-soundness.” In this section we will introducethe definitions of Hybrid-Soundness and Verifier AdmissibleProof Systems. Informally speaking, in such a system, thefirst message of the prover determines all its subsequent“important” messages (for the given verifier).

Definition 3 (Verifier-admissible proof-system): A proof-system (P ,V ) is called “verifier-admissible” if the follow-ing requirements hold:

1) The verifier V consists of two parts V 1,V 2. Simi-larly, the verifier’s random input ω is partitioned intotwo disjoint parts, ω(1), ω(2), where ω(i) is given toV i

2) A message sent by the prover may either be labeledas “main” message or an “authenticator” message.The first main message sent by the prover in theprotocol is called the “determining” message. Eachprover message is first received by V 1. In each roundof interaction, the prover and V 1 exchange a numberof messages in which exactly one of the messages

668680680680

is a main message while the rest are authenticatormessages. At the end of an interaction round, V 1

decides whether to accept the (only) main messagereceived based on the transcript of interaction rounditself and the transcript of the prover main messagesand the corresponding replies of V 2 so far. If V 1

accepts, it forwards the main message to V 2 whogenerates the reply.

3) Let P ∗ be an arbitrary (deterministic) polynomial-size circuit, where P ∗ may execute a resetting-attackon V (see Definition 2). Let P ∗ interact with someincarnation of V = (V 1,V 2). Then, except withnegligible probability, P ∗ is unable to generate twodifferent main messages, both accepted by V 1, forsome round ` in two different interactions with V withthe same determining message.

Hybrid Model: In our hybrid model, the prover is giventhe ability to “partially reset” the verifier (while otherwiseinteracting in the concurrent setting). More precisely, in theverifier admissible proof system, each incarnation of theverifier is identified by three indices: V i,j,k = V xi,yi,ωj,k

,where ωj,k = (ω(1)

j , ω(2)k ). The string ω

(1)j represents the

random input to V 1 while ω(2)k represents the random

input to V 2. The prover is allowed to interact concurrentlywith these incarnations with at most one session of everyincarnation active at any time. However, the prover isnot allowed to interact with two incarnations (i, j, k) and(i′, j′, k′) such that k = k′. Moreover, the prover canrestart V 1 in an incarnation from the beginning althoughit leaves V 2 in its current state. After being restarted, V 1

operates as usual using the same random tape ω(1) expectthe following. V 1 aborts if the prover sends a differentdetermining message in the first round of the interaction afterV 1 restarts. Furthermore, in a round of interaction with theprover, V 1 does not forward the received main message toV 2 (even if it is accepted) in case a main message in thatround had been forwarded earlier. Instead V 1 simply sendsaccept or reject to the verifier. V 1 then waits for theverifier messages for the next round as if V 2 had sent thesame reply it sent earlier in that round before V 1 restartedthe interaction. Intuitively, such a setting ensures that V 1

and V 2 do not go out of sync even though only V 1 restartsthe interaction (with the same randomness).

Definition 4 (Hybrid Soundness (hs)): A “hybrid cheat-ing prover” P ∗ works against verifier-admissible proof sys-tems in the hybrid model as described above. A proof systemis hs if it is verifier admissible and satisfies Definition 2 withrespect to hybrid cheating provers.

Simulation Soundness: Simulation Soundness, intu-itively, refers to the robustness of proof systems where aman-in-middle adversary is not able to violate the sound-ness of the verifier in the right interaction, even though itparticipates as a verifier in other simulated proofs in the left

interaction.Definition 5 ((1− ε) Simulation Sound): Consider any

arbitrary man-in-middle adversary A which is actingas a verifier of Π ZK-protocols in the left interactionand is trying to prove a statement “x ∈ L” in its rightinteraction by acting as the prover for a Σ protocol. Wewill use n to represent the security parameter. The lengthof the adversarial code is at most a polynomial in n, i.e.|A| ≤ nΘ(1), and we will assume that A terminates withinnΘ(1) time.

In the left interaction, A could possible interact with sev-eral concurrent sessions of Π proving statements “xi ∈ L.”If A violates the soundness of Σ with probability ε, whenA is provided with simulated Π proofs, then we say: Σ is(1−ε) Simulation Sound with respect to the protocol Π andman-in-middle adversary A.

When we consider man-in-middle adversaries A, then thepermissible actions of A in the left and the right interactionswill be clear from the context. For example, consider thecase when Π is a relaxed-concurrent-ZK protocol and Σis a resettably-sound protocol. In this case, A can interactwith several concurrent sessions of Π in the left interaction,scheduled according to its strategy, but in each session Ahas to act like a relaxed adversary. Moreover, in the rightinteraction A can reset the protocol Σ.

For any adversary A, if there exists a negligible functionν such that Σ is (1−ε) Simulation Sound with respect to theprotocol Π and man-in-middle adversary A, and ε ≤ ν(n),then Σ is Simulation Sound with respect to Π. If Π andΣ are identical, then we say: Σ is Simulation Sound. Thisdefinition of Simulation Soundness is consistent with theone introduced by Sahai in [25] for Simulation Sound Non-Interactive Zero-Knowledge.

2.2. Fully Resettable Computation

We consider n parties indexed by [n] trying to compute afunction of their local inputs using an interactive protocol.The l-th incarnation of a party i is defined by its input x

(i)l

and random tape ω(i)l . Let X(i) be the vector of input and

random tape pair for party i for all incarnations; and Xrepresent (X(1), . . . , X(n)). We assume that all the incarna-tions to be used in the protocol are agreed before the protocolbegins. Every incarnation has its random tape independentlychosen but when an adversary resets an incarnations, itreuses the same random tape. The adversary S controls theparties indexed by [m] and at any point during the executionof the protocol it can reset any of the honest parties. We willconsider computation security against parties which havebeen statically corrupted by the adversary S.

Ideal Model: In the ideal world there is a mutuallytrusted party which can aggregate the inputs provided toit by the various parties, perform the computation f(·) ontheir behalf and provide them their respective outputs. Theexecution in the Ideal world proceeds as follows:

669681681681

Select Incarnation. The adversary S selects the incarna-tion for each of the honest parties. The trusted party forwardseach honest party [n]\[m] their respective incarnation index.

Inputs. Each party i has input xi. Honest parties send theirinputs to the trusted party; but corrupted parties may decideto send modified inputs to the trusted party.

Computation. The trusted party computes the function fon all the inputs provided to it by various parties and, say,z represents the outcome of the function.

Output to Malicious parties. The trusted party sends z toevery malicious party [m].

Output to Honest parties. The adversary prepares a list ofhonest parties which should receive the outcome. The trustedparty forwards z to all parties whom the adversary intendsto receive their output. Remaining honest parties receive ⊥.

Reset. The adversary can reset the ideal world at any pointof time. When the adversary decides to reset the ideal world,it requests the trusted party to reset all honest parties andthe trusted party sends a reset signal to all honest parties.At this point, the ideal world returns to the first stage wherethe adversary can select an incarnation for all parties.

Output. Any honest party i always reports the outcome z itreceives from the trusted party. By convention, all maliciousparties report ⊥. The adversary outputs an arbitrary functionof its entire view and the view of all malicious parties [m].

The output of the Ideal world interaction with adversaryS is represented by IDEALf,S(X).

Real Model: For a n-party protocol Σ, honest partiesindexed by [n] \ [m] follow the protocol honestly whileall the malicious parties, indexed by [m], launch an attachcoordinated by an adversary A. The adversary can resetany honest party at any point of time during the executionof the protocol. At the end of the protocol, honest partiesreport their outputs as instructed by the protocol Σ and allmalicious parties report ⊥. The adversary outputs its wholeview. The output of the real world execution of Σ on Xaccording to the procedure mentioned above is representedby REALΣ,A(X).

Definition 6 (Fully Resettable Secure Computation): Letf be a multi-party function and Σ be a protocol in the realworld. The protocol Σ is a secure protocol for computing fif for every PPT adversary A in the real world, there existsan EPPT adversary S in the ideal world such that:

{IDEALf,S(X)}X∈({0,1}∗)n ≈c {REALΣ,A(X)}X∈({0,1}∗)n

The simulator may need to reset an incarnation in the IdealWorld several times, i.e. it will invoke the Ideal functionalityseveral times on the same honest party inputs. And thenumber of times an incarnation is reset by the simulatorcould possibly be more than the resets performed by theadversary in the Real World, though this number will bebounded by a polynomial in the security parameter.

2.3. Resettable to Stateless

Any protocol which is resettably secure can be trans-formed to a stateless protocol using relatively standardtechniques. In other words, the parties which were allowed tobe resettable in the original protocol need not maintain anystate at all in the transformed protocol. By a stateless devicewe mean that the device only supports a “request-reply”interaction (i.e., the device just outputs f(x) when fed withx for some fixed f ). We describe the case of two party firstassuming both the parties are resettable. Let parties P 1 andP 2 participating in the original resettably secure protocolΣ. Now we define a protocol Σ′ having parties P ′

1 and P ′2.

Each of these parties will have a secret key of a CCA-2secure encryption scheme and a secret MAC key. The partyP ′

1 computes the first message to be sent in the protocol Σ′

by running P 1 internally. However it then sends to P ′2 not

only the computed message but also an encryption of thecurrent state of P 1 and a MAC on it. Party P ′

2 similarlycomputes the reply by feeding the received message to P 2

and sends to P ′1 not only the computed reply but also (a)

the received encrypted state of P 1 and the MAC, and, (b) anencryption of the current state of P 2 and a MAC on it usingits own keys. Thus for the next round, P ′

1 can decrypt, verifyand load the received state into P 1, feed it the incomingreply and then compute the next outgoing message. P 2 cansimilarly continue with the protocol. The case of multi-partyprotocols can also be handled by first transforming the givenprotocol into one where only one party sends a message inany given round and then applying ideas similar to the onefor the two party case to this resulting protocol.

3. SIMULATION SOUND FULLY RESETTABLE ZK3.1. Technical Overview

Our starting point in this section is the fully resettableZK protocol provided in [8]. The major step in constructingsuch a protocol is the construction of a relaxed concurrenthybrid sound ZK protocol (called the DGS protocol fromthis point onwards). Once a relaxed concurrent hybrid soundZK protocol is obtained, it can then be compiled into afully resettable ZK protocol using known techniques [8].Following the modular approach of [8], we first construct asimulation sound relaxed concurrent hybrid sound ZK. Oncewe obtain such a protocol, we present a compiler to convertit into a simulation sound fully resettable ZK protocol.

In [8], the key ingredient in obtaining a relaxed concurrenthybrid sound ZK was a novel NBB simulation technique. Inthe DGS protocol, in any given session, the prover makes useof several NBB ZK executions proving different statements.In each NBB ZK execution, as in Barak’s protocol [1], theidea is to have the prover commit in advance to a programthat claims to predict (using an input of small length) astring that is later randomly chosen by the verifier. Theprover then must prove that either its committed programreally can predict the verifiers string, or that the statement

670682682682

is true. However since the setting in [8] is more demandingcompared to [1], to make the simulation go though, thecommitted program is additionally allowed access to anoracle. The prover then must prove that there exists an oraclesuch that its committed program (on given the small inputand queries to that oracle) can really predict the verifier’sstring, or, that the statement is true.

Our key modification in order to make the DGS protocol[8] simulation sound is to introduce non-malleability featuresin the NBB ZK protocol described above. Towards that end,we rely on “two-slot” simulation technique of Pass [20] (seealso [23]). We introduce two slots for simulation in our NBBZK protocol (as in [20]) while still keeping oracle access tothe committed program (as in [8]) in both the slots. The fullprotocol nm-ZKTAG and the description of the language isgiven in Figure 1. Our NBB ZK protocol nm-ZKTAG can stillbe used in the DGS construction (since essentially the sameproof of security goes through). Furthermore, following[20], the protocol nm-ZKTAG is also simulation sound in thestandalone (as well as in the bounded concurrent) setting.

With this modification, however, it is still far from clearthat the final resulting construction rel-conc-hs-ZKTAG (ob-tained by using the nm-ZKTAG in the DGS construction) issimulation sound. This is because our setting is significantlymore demanding than that of [20], [23]. Firstly, there isno apriori fixed bound on the number of left executions.Hence, a man-in-the-middle gets to see any unbounded(polynomial) number of concurrent executions of nm-ZKTAG

(and of rel-conc-hs-ZKTAG in general of which nm-ZKTAG is acomponent). Secondly, the man-in-the-middle is additionallyallowed to reset the verifier on the right. Thus, it seems likewe need the protocol nm-ZKTAG to be simulation sound inthe fully concurrent setting in the presence of reset attacksagainst the verifier. However, this is precisely the goal thatwe started with!

The key observation which allows us to still move forwardis a specific property of the DGS rewinding strategy. Notethat the DGS rewinding strategy can be seen as giving riseto a main thread and several “look ahead threads”. In theDGS protocol, in any given thread, only a constant numberof NBB ZK arguments are replaced (even though over thecourse of the entire simulation, every NBB ZK argumentwill be simulated). Thus, in the left interaction in any giventhread, the man-in-the-middle gets to see an unbounded(polynomial) number of executions of nm-ZKTAG out ofwhich only a constant number are being simulated. This, fora standalone verifier, allows us to argue that the soundnessof the right execution of nm-ZKTAG is still maintained.However, in our setting, the verifier on the right is resettable.To deal with such a scenario and complete the argument,we first observe that fortunately, the protocol nm-ZKTAG

is a constant round public coin protocol (since NBB ZKarguments in both [20] as well as [8] are public coin). Wethen rely on the ideas behind the BGGL transformation [3]

to obtain resettable soundness from constant round publiccoin protocols.

Once we show that in the right interaction, the pro-tocol nm-ZKTAG remains sound even if there are severalconcurrent executions of the protocol rel-conc-hs-ZKTAG onthe left, we finally move forward to show that protocolrel-conc-hs-ZKTAG is simulation sound. To do this, we con-vert any attack on protocol rel-conc-hs-ZKTAG into an attackon either nm-ZKTAG or the soundness the ZAP system. Moredetails are given in the next sections.

3.2. Our NBB Technique: Constructing Non-malleable ZKIn this section we define a tag based zero-knowledge

argument system ZKTAG, where the parameter TAG ∈ [M ],where M is polynomial in the security parameter. Weassume Com(·; ·) is a perfectly binding commitment scheme.The description of the protocol nm-ZKTAG is summarized inFigure 1.

In this protocol, there are two slots 1 and 2. In each slot,the prover commits to a challenge and the verifier revealsa random string of appropriate length. The length of theresponse string of the verifier in slot 1 and 2 are respectively,TAG ·n4 and (M − TAG + 1) ·n4. It has been shown in [22]that the the proposed scheme is standalone sound.

Lemma 1 ([22]): For any TAG ∈ [M ], the ZKTAG zero-knowledge argument Protocol nm-ZKTAG (refer Figure 1) isstandalone sound.

We re-iterate that Protocol nm-ZKTAG is a constant roundpublic coin zero-knowledge argument system. By compilingProtocol nm-ZKTAG using the BGGL compiler proposedin [3] we can obtain a zero-knowledge argument systemwhich is resettably-sound. We call the compiled protocol asProtocol nm-rs-ZKTAG and will use Protocol nm-rs-ZKTAG inour later constructions.

3.3. Relaxed-concurrent Hybrid-sound ZKIn this section we will use nm-rs-ZKTAG, which is a

BGGL compilation of nm-ZKTAG, to construct a Relaxed-Concurrent Hybrid-Sound ZK (and will further prove itssimulation soundness in the next subsection). This construc-tion is inspired by the construction provided in [8] and isdescribed in Figure 2.

This protocol is identical to the protocol provided in[8] except that the non-black box ZK it uses is slightlymodified. Instead of the non-black box scheme inspiredby Barak’s construction [1] we use Protocol nm-rs-ZKTAG.We state without proof the following result which followsimmediately from the results in [22], [8]:

Lemma 2 ([22], [8]): Protocol rel-conc-hs-ZKTAG is aRelaxed-concurrent Hybrid-sound (tag based) ZK protocol.We emphasize that the “relaxed-concurrent” property of theadversary is utilized by the Simulator to provide simulatedproofs for Protocol nm-rs-ZKTAG to the adversary using thesimulator of Protocol nm-rs-ZKTAG which is not guaranteedto work in the general concurrent setting.

671683683683

Common Input to P and V . x′ supposedly in the language L′ ∈ NP.Auxiliary input to P . A NP-witness w for x′ ∈ L′.Protocol. The zero-knowledge argument ZKTAG proceeds as follows:

1) The verifier V chooses a hash function h uniformly at random from a family of collision resistant hash functions H and sendsit to P .

2) The prover P sends the commitment z1 = Com(h(0)) to the verifier V .3) The verifier selects a string r1

$←−− {0, 1}TAG·n4and sends it to the prover P .

4) The prover P sends the commitment z2 = Com(h(0)) to the verifier V .5) The verifier selects a string r2

$←−− {0, 1}(M−TAG+1)·n4and sends it to the prover P .

6) The prover P and the verifier V execute a witness indistinguishable constant round public coin universal argument a [2], whereP proves to V :• x′ ∈ L′, or• The transcript τ = (h, z1, r1, z2, r2) generated above belongs to the language ΛTAG described below.

We require the communication complexity of this universal argument to be at most O(n2).Language ΛTAG. A string (h, z1, r1, z2, r2) ∈ ΛTAG if there exists 〈M, y1, y2, r

′〉 such that (〈h, z1, r1〉, 〈M, y1, y2, r′〉) ∈ R(TAG · n4)

or (〈h, z2, r2〉, 〈M, y1, y2, r′〉) ∈ R((M − TAG + 1) · n4).

A string (〈h, z, r〉, 〈M, y1, y2, r′〉) satisfies the relation R(i) if the following conditions hold:

1) |y2| ≤ nlog log n, |r| = i, |y1| ≤ i− n,2) z = Com(h(M); r′)3) The oracle machine M makes calls to y2 with a query q expecting a reply (s, r) such that q = Com(s; r). It expects the entry

(q, s, r) corresponding to this query to lie in y2; otherwise, if such an entry does not exist in y2 then M aborts. The machineM, with oracle access to y2 on input y1, outputs r in at most nlog log n steps.

aThis protocol has a weak proof of knowledge guarantee. There exists an extractor such that, if the prover succeeds to prove a statement with probabilityρ then, it extracts a witness for the statement with probability ρk , for some constant k ≥ 1.

Figure 1. Protocol nm-ZKTAG for Non Black-box zero-knowledge argument system ZKTAG .

Common input to P and V . x supposedly in L ∈ NP.Auxiliary input to P . A NP-witness w for x ∈ L.Protocol. The Relaxed Concurrent Hybrid Sound ZKTAG proceeds as follows:

1) The prover P chooses 2n2 challenge strings chi$←−− {0, 1}n and sends the verifier V the commitments to each of them, i.e. it

sends zi = Com(chi), for all i ∈ [2n2].2) The verifier V prepares a trapdoor trap= Com(1) and sends it to the prover P . For the last step of this protocol, the verifier V

sends the first message σ of a rZAP to the prover P . Now, the verifier proceeds to prepare the first message of 2n3 instances ofthe Blum’s 3-round protocol for the statement “trap is a commitment to 1”. And sends all these messages to the prover P .

3) For each i ∈ [2n2] the following is performed:a) The prover P sends the string chi to the verifier V . Using the rs-ZKTAG protocol nm-rs-ZKTAG, P proves to V that: “chi

is the correct opening of zi, or x ∈ L.” If the verifier accepts the proof then the bits of the string chi are interpreted as nchallenges corresponding to the second message of the 3-round Blum protocol.

b) For each j ∈ [n], the verifier V interprets the j-th bit of chi, represented by chi[j ], as the challenge bit for the ((i−1)n+j)-th execution of 3-round Blum-protocol. The verifier responds suitably as required by the challenge bit chi[j ].

4) The prover P provides a rZAP to the verifier for the statement: “trap is a commitment to 1, or x ∈ L.”

Figure 2. Protocol rel-conc-hs-ZKTAG realizing Relaxed Concurrent Hybrid-Sound ZKTAG .

3.4. Simulation Soundness

In this section, we intend to show that rel-conc-hs-ZKTAG

is in fact simulation sound as well. We start by proving twofundamental results:

Lemma 3 ([8]): The rZAP protocol is Simulation-Soundwith respect to protocol rel-conc-hs-ZKTAG.

Any man-in-middle adversary A in the above experimentcan perform the following actions:

1) A acts as relaxed-adversary for concurrent sessions ofprotocol rel-conc-hs-ZKTAG in the left interaction, and

2) A can reset the rZAP protocol in the right interaction.

In fact, we can claim that the rZAP protocol is simula-tion sound with respect to any concurrent zero-knowledgeprotocol π.

Proof Sketch. Interested readers may refer to the fullversion for the complete proof. We consider a newman-in-middle adversary which learns the first message sentby the rZAP protocol in the right interaction and then resetsit. Then it simulates all the rZAP interaction in the right handinteraction on its own; except for one, the reply is forwardedto the external rZAP verifier. The left side interactions canbe easily simulated by Sπ .

672684684684

The next lemma, shows that a man-in-middle adver-sary cannot violate the resettable-soundness of Protocolnm-rs-ZKTAG be interacting with several rel-conc-hs-ZKTAG

provers in the left:Lemma 4 ([3], [22], [8]): The nm-rs-ZKTAG protocol

is Simulation-Sound with respect to protocolrel-conc-hs-ZKTAG.

Any man-in-middle adversary which tries to violate thesoundness of nm-rs-ZKTAG after seeing rel-conc-hs-ZKTAG

proofs can perform the following actions:1) A acts as relaxed-concurrent adversary of

rel-conc-hs-ZKTAG in the left interaction, and2) A can reset the verifier of nm-rs-ZKTAG in the right

interaction.Proof Sketch. Here we explain the two key ideas used

to show this result and defer the complete proof to thefull version. If there exists a man-in-middle adversary Awhich violates the soundness of nm-rs-ZKTAG in the rightinteraction with non-negligibly probability, then we canconstruct another non-resetting man-in-middle A′ which canviolate the soundness of nm-ZKTAG in the right interactionwith non-negligble probability. This new adversary simulatesall incarnations of the verifier V nm-rs-ZKTAG

using a randomtape R; except one randomly chosen incarnation, for whichit uses an external V nm-ZKTAG

verifier. The second part ofthe reduction shows that if such a man-in-middle adversaryA′ exists then it can be used to construct a standaloneadversary A′′ which violates the soundness of nm-ZKTAG

with non-negligible. The main hurdle is to simulate the leftinteractions of A′ when the adversary gets additional inputfrom the external V nm-ZKTAG

. To show that we can efficientlysimulate the left interactions of A′ we need to combine thetechniques introduced in [8] and [22].

Simulation Soundness of rel-conc-hs-ZKTAG : Themain component of our proof is to show that Proto-col rel-conc-hs-ZKTAG is Simulation-Sound. Consider aman-in-middle adversary which participates as relaxed con-current verifier in rel-conc-hs-ZKTAG incarnations in the leftand as a prover of rel-conc-hs-ZKTAG in the right interaction.We prove the result by showing that any soundness violationof rel-conc-hs-ZKTAG in the right interaction can be attributedto soundness violation of nm-rs-ZKTAG or rZAP protocol.Suppose, there exists a man-in-middle adversary A whichviolates the soundness of Protocol rel-conc-hs-ZKTAG in theright interaction. We consider the event that the adversary Aviolates the soundness of Protocol nm-rs-ZKTAG associatedwith one of the challenges in the right interaction withsignificant probability or not. If this event occurs then wecan construct a man-in-middle adversary which violates thesimulation soundness of Protocol nm-rs-ZKTAG with respectto Protocol rel-conc-hs-ZKTAG. Otherwise, i.e. the adversarynever, except with negligible probability, violates the sound-ness of any nm-rs-ZKTAG associated with any challenge, thenwe can construct a man-in-middle adversary which violates

the simulation soundness of rZAP protocol with respect toProtocol rel-conc-hs-ZKTAG.

Lemma 5: The rel-conc-hs-ZKTAG protocol is SimulationSound. The man-in-middle adversary A can perform thefollowing operations:

1) A is a relaxed-concurrent verifier for polynomiallymany sessions of Protocol rel-conc-hs-ZKTAG in theleft interaction, and

2) A acts as a hybrid-prover for Protocolrel-conc-hs-ZKTAG running in the right interaction,i.e. it can partially reset the verifier. It can runseveral concurrent sessions with various hybrid-verifier incarnations for the protocol and restart theauthenticator part of the hybrid-verifier, althoughleaving the main part of the hybrid-verifier in thesame state.

Proof Sketch. Here we provide the key ideas necessaryto prove the statement and the complete proof is deferredto the full version. There are two main cases to consider.First, suppose a man-in-middle adversary A is able toprove a false statement “x ∈ L” in some slot of the rightinteraction by launching a hybrid attack on the verifierV rel-conc-hs-ZKTAG

of rel-conc-hs-ZKTAG after seeing simulatedproofs in the left interaction with non-negligible probability.Then we can convert it into a man-in-middle adversarywho can violate the resettable soundness of a nm-rs-ZKTAG

protocol after seeing simulated rel-conc-hs-ZKTAG proofs inthe left interaction. The second case considers the event thatthe adversary does not, except with negligible probability,break the resettable soundness of nm-rs-ZKTAG in any slotin the right interaction. For this case, we can show thatviolation of the soundness on rel-conc-hs-ZKTAG in the rightinteraction implies that the soundness of the rZAP protocolwas violated. Furthermore, we can construct a standalonesimulator violating the soundness guarantee of the rZAPprotocol which, due to Lemma 3, is impossible.

Theorem 1 (Main Theorem): Protocol rs-rZKTAG is Sim-ulation Sound Resettably-sound Resettable-ZK.

4. FULLY RESETTABLE COMPUTATION

Suppose the parties participating in the protocol are in-dexed by [n] and they wish to securely compute a functionf of their local inputs x(1), . . . , x(n). Given a semi-honestsecure protocol Π realizing this function, we will provide ageneral compiler to transform it into a protocol Σ which isfully resettable secure. The compiler is described in Figure 3Without loss of generality, we will assume that parties [m]are corrupt and {m+1, . . . , n} are honest. As a conventionfor our notation, we will always use the superscript (i) torepresent a variable of party i, for example the input of partyi is denoted by x(i). To prove a statement, party i will alwaysuse Protocol rs-rZKTAG with tag i and M ≥ n. Simulationsoundness of rs-rZKTAG will imply that any adversarial partyi ∈ [m] cannot violate the simulation soundness of Protocol

673685685685

rs-rZKTAG with tag i even if it gets to see several Protocolrs-rZKTAG proofs, possibly simulated ones, with tag j 6= i.

First, we reduce randomized functionalities to determin-istic functionalities. We can assume that any randomizedfunctionality is of the following form: The ideal functionalitygenerates a uniform random tape r and then the functionalitybehaves as a deterministic function of the inputs providedby the parties and the random tape r. Consider the follow-ing deterministic functionality instead: Every party sendsa random tape r(i), its input x(i) and a pseudorandomfunction G(i); and the random tape r used by the idealfunctionality is defined as ⊕n

i=1G(i)(r(i) ‖ x(i)) strings sent

by the parties. Henceforth, we shall restrict ourselves todeterministic functionalities only.

Figure 3 summaries our fully resettable secure compu-tation protocol for any deterministic functionality. It runsin four phases. At the end of every phase, every partyproves to other parties that it has followed the protocolhonestly using rs-rZKTAG. In the first phase, parties generatea determining phase where each party commits to its inputx(i), local random tape R(i), a pseudorandom function G(i)

and seed s(i). Each party also generates a lossy functionindex u(i) and, finally, broadcasts the determining messageD(i) is defined as the concatenation of these commitmentsand the lossy function index. In the next phase, everyparty leaks x(i) ‖ R(i) ‖ G(i) ‖ s(i) using a semantically-secure encryption scheme with key u(j) to party j, suchthat it satisfies the following property: If u(j) is an injectivefunction index then the message can be recovered from thecipher text; otherwise, if it is a lossy function index, thenit cannot be recovered. In the third phase, a random padis generated which is uniform if any one of the partiesis honest. Each party applies the pseudorandom functionG(i) to the concatenation of all determining messages D =D(1) ‖ D(2) ‖ · · · ‖ D(n). The XOR of these respectiverandom tapes forms a global random mask and every partyuses an exclusive portion of this pad in further computations.Finally, parties simulate the semi-honest protocol using arandom tape generated from their local random tape andtheir portion of the global mask generated in the previousphase.

Interested readers can refer to the full version for detailsof the simulator and the proof of security.

5. CONCURRENT SECURE COMPUTATION: SEPARATINGTHE POWER OF NBB SIMULATION FROM BB

SIMULATION

Let Σ be a non-malleable tag-based rs-ZK protocol.Consider a functionality F running between a prover P anda verifier V . Let F be the following functionality:

1) The prover P sends a witness w and the statement“x ∈ L” to the trusted party.

2) The trusted party verifies whether w is a witness for“x ∈ L” or not. If it is not a witness of “x ∈ L” then

it sends ⊥ to the verifier V . Otherwise, the trustedparty picks a secret key sk, sends pk = Gen(sk)to the verifier V . Next, the trusted party acts as aprover of the protocol Σ with tag pk and engagesin an interactive protocol with the verifier V (whoacts as a verifier of Σ). The protocol Σ with tagpk = pk1pk2 . . . pkl is a parallel repetition of protocolΣ′ with tags (i, pki) for all i ∈ [l]. Finally, the trustedparty signs the transcript τ generated by the protocolΣ with the secret key sk and sends the signatureσ = Signsk(τ) to the verifier. The proof is accepted ifand only if the verifier of Σ accepts all the Σ′ proofsand σ verifies as a valid signature of τ using the publickey pk, i.e. V erpk(τ, σ) = 1.

We crucially rely on the non-malleability of the zero-knowledge protocol and the security of the digital signaturescheme in our argument, details of which can be found inthe full version.

ACKNOWLEDGEMENT

We would like to thank Abhishek Jain for discussions onextending the result to randomized functionalities.

REFERENCES

[1] Boaz Barak. How to go beyond the black-box simulationbarrier. In Proc. 42nd FOCS, pages 106–115. IEEE, 2001.Preliminary full version available on http://www.math.ias.edu/∼boaz.

[2] Boaz Barak and Oded Goldreich. Universal argumentsand their applications. Cryptology ePrint Archive, Report2001/105, 2001. Extended abstract appeared in CCC’ 2002.

[3] Boaz Barak, Oded Goldreich, Shafi Goldwasser, and YehudaLindell. Resettably-sound zero-knowledge and its applica-tions. Record 2001/063, Cryptology ePrint Archive, August2001. Preliminary version appeared in FOCS’ 01.

[4] Boaz Barak, Yehuda Lindell, and Salil P. Vadhan. Lowerbounds for non-black-box zero knowledge. In FOCS, pages384–393, 2003.

[5] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and SilvioMicali. Resettable zero-knowledge. In Proc. 32th STOC,pages 235–244. ACM, 2000.

[6] Nishanth Chandran, Vipul Goyal, and Amit Sahai. Newconstructions for uc secure computation using tamper-proofhardware. In Nigel P. Smart, editor, EUROCRYPT, volume4965 of Lecture Notes in Computer Science, pages 545–562.Springer, 2008.

[7] Yi Deng, Dengguo Feng, Vipul Goyal, Dongdai Lin, AmitSahai, and Moti Yung. Constant-round simultaneously reset-table zero-knowledge in the bpk model. In Manuscript, 2011.

[8] Yi Deng, Vipul Goyal, and Amit Sahai. Resolving thesimultaneous resettability conjecture and a new non-black-box simulation strategy. In FOCS, pages 251–260, 2009.

[9] Yi Deng and Dongdai Lin. Instance-dependent verifiablerandom functions and their application to simultaneous re-settability. In Naor [18], pages 148–168.

[10] Oded Goldreich. Foundations of Cryptography: Basic Appli-cations. Cambridge University Press, 2004.

674686686686

Algorithm for Party i: Local input x(i) for Π, local random tape R(i), a pseudorandom function G(i) chosen uniformly at randomfrom the family G and a random seed s(i) for lossy function generation. A (2n′, n′)-lossy trapdoor function is defined by the four tupleof PPT algorithms (Sinj, Sloss, Fltdf, F

−1ltdf ). Let H2−univ be a 2-universal hash function family from 2n′ bits to n′ bits. Given a function

index u, the encryption of x using u is defined as Enc(x; u) = (x⊕h(r)) ‖ h ‖ Fltdf(u, r) for a randomly chosen r and h$←−− H2−univ.

1) Determining Message Generation:a) Compute the commitments α

(i)1 = Com(x(i)), α

(i)2 = Com(R(i)), α

(i)3 = Com(G(i)), α

(i)4 = Com(s(i)).

b) Let u(i) be the index of the lossy function obtained by running (u(i),⊥) = Sloss(s(i)).

c) Interpret R(i) = r(i)1 ‖ r

(i)2 . Use the random tape r

(i)2 to obtain randomness for all prover/verifier algorithms to run Protocol

rs-rZKTAG.d) Broadcast the determining message D(i) = α

(i)1 ‖ α

(i)2 ‖ α

(i)3 ‖ α

(i)4 ‖ u(i). Using protocol rs-rZKTAG with tag i, prove to

party j ∈ [n] \ {i} that: “∃ x, r, g, s such that, (i) α(i)1 , α

(i)2 , α

(i)3 and α

(i)4 are commitments to x, r, g and s respectively,

and (ii) (u(i),⊥) = Sloss(s).2) Simulation Extraction Phase:

a) After receiving the determining message D(k) for every k ∈ [n] \ {i} and verifying their associated proof, calculateβ

(i)k = Enc(x(i) ‖ R(i) ‖ G(i); u(k)).

b) Broadcast β(i) = β(i)1 ‖ β

(i)2 ‖ . . . ‖ β

(i)n , where β

(i)i is an all 0 string. Using Protocol rs-rZKTAG with tag i, prove to party

j ∈ [n] \ {i} that: “∃ x, r, g, s such that, (i) α(i)1 , α

(i)2 , α

(i)3 and α

(i)4 are commitments to x, r, g and s respectively, (ii)

(u(i),⊥) = Sloss(s), and (iii) For all k ∈ [n] \ {i}, β(i)k = Enc(x ‖ r ‖ g; u(k)).”

3) Coin Tossing Phase:a) Let D = D(1) ‖ D(2) ‖ · · · ‖ D(n)) and evaluate r

(i)3 = G(i)(D).

b) Broadcast r(i)3 and use Protocol rs-rZKTAG with tag i to prove to every other party j ∈ [n] \ {i} that “∃ g such that

α(i)3 = Com(g) and r

(i)3 = g(D).”

c) After receiving r(j)3 for all j ∈ [n] \ {i}, compute a(1) ‖ a(2) ‖ · · · ‖ a(n) = a = ⊕k∈[n] r

(k)3 . Define r(i) = a(i) ⊕ r

(i)1 .

4) Computation Phase: Before broadcasting the message for round t of the protocol Π, let the party’s current view be V(i)

t =(τt−1, x

(i), r(i)).a) Let msg

(i)t be the next message obtained by applying the next message function of Π on the view V

(i)t .

b) Broadcast msg(i)t and prove to every party j ∈ [n] \ {i} the statement “∃ v such that msg

(i)t is the next message for view

v in protocol Π,” using Protocol rs-rZKTAG with tag i.Figure 3. Fully Resettable Secure Computation.

[11] Oded Goldreich, Silvio Micali, and Avi Wigderson. How toplay ANY mental game. In ACM, editor, Proc. 19th STOC,pages 218–229. ACM, 1987. See [10, Chap. 7] for moredetails.

[12] Oded Goldreich and Rafail Ostrovsky. Software protectionand simulation on oblivious rams. J. ACM, 43(3):431–473,1996.

[13] Vipul Goyal and Abhishek Jain 0002. On the round complex-ity of covert computation. In Leonard J. Schulman, editor,STOC, pages 191–200. ACM, 2010.

[14] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkate-san, and Akshay Wadia. Founding cryptography on tamper-proof hardware tokens. In Daniele Micciancio, editor, TCC,volume 5978 of Lecture Notes in Computer Science, pages308–326. Springer, 2010.

[15] Vipul Goyal and Amit Sahai. Resettably secure computation.In EUROCRYPT, pages 54–71, 2009.

[16] S. Huang, D. MacCallum, and D.Z. Du. Network Security.Springer, 2010.

[17] Silvio Micali and Leonid Reyzin. Soundness in the public-keymodel. In CRYPTO, pages 542–565, 2001.

[18] Moni Naor, editor. Advances in Cryptology - EUROCRYPT2007, 26th Annual International Conference on the Theoryand Applications of Cryptographic Techniques, Barcelona,Spain, May 20-24, 2007, Proceedings, volume 4515 of Lec-ture Notes in Computer Science. Springer, 2007.

[19] Rafail Ostrovsky, Omkant Pandey, Amit Sahai, and IvanVisconti. Non-malleability under reset attacks. In Manuscript,2011.

[20] Rafael Pass. Bounded-concurrent secure multi-party compu-tation with a dishonest majority. In Proc. 36th STOC, pages232–241. ACM, 2004.

[21] Rafael Pass. Limits of security reductions from standardassumptions. In STOC, 2011.

[22] Rafael Pass and Alon Rosen. Concurrent non-malleablecommitments. In FOCS, pages 563–572, 2005.

[23] Rafael Pass and Alon Rosen. New and improved construc-tions of non-malleable cryptographic protocols. In Proc. 37thSTOC. ACM, 2005.

[24] Rafael Pass, Wei-Lung Dustin Tseng, and Douglas Wikstrom.On the composition of public-coin zero-knowledge protocols.In Shai Halevi, editor, CRYPTO, volume 5677 of LectureNotes in Computer Science, pages 160–176. Springer, 2009.

[25] Amit Sahai. Non-malleable non-interactive zero knowledgeand adaptive chosen-ciphertext security. In FOCS, pages 543–553, 1999.

[26] Andrew Chi-Chih Yao. Protocols for secure computation. InProc. 23rd FOCS, pages 160–164. IEEE, 1982.

[27] Moti Yung and Yunlei Zhao. Generic and practical resettablezero-knowledge in the bare public-key model. In Naor [18],pages 129–147.

675687687687