Universally Composable Security A new paradigm for通用可组合安全的新范式.pptVIP

6.897: Selected Topics in CryptographyLectures 11 and 12 Lecturers: Ran Canetti, Ron Rivest Scribes? Highlights of last week’s lectures Formulated the ideal commitment functionality for a single instance, Fcom. Showed that it’s impossible to realize Fcom in the plain model (even when given ideal authentication). Formulated the “CRS model” as the Fcrs-hybrid model. Showed how to realize Fcom in the Fcrs-hybrid model. Showed how to do multiple commitments with the same CRS: Formulated the multi-instance ideal commitment functionality, Fmcom. Showed how to realize Fmcom given a single copy of Fcrs. This week: Show how to obtain UC ZK from UC commitments (this is “easy”, or “information-theoretic”) Show how to realize any multi-party functionality, for any number of faults, in the Fcrs-hybrid model (using the [GMW87] paradigm). Mention how can be done in the plain model when there is honest majority (using elements from [BGW88]). UC Zero-Knowledge from UC commitments Recall the ZK ideal functionality, Fzk, and the version with weak soundness, Fwzk. Recall the Blum Hamiltonicity protocol Show that, when cast in the Fcom-hybrid model, a single iteration of the protocol realizes Fwzk. (This result is unconditional, no reductions or computational assumptions are necessary.) Show that can realize Fz