How to Rewind with Minimal Interaction
- Author(s): Khurana, Dakshita
- Advisor(s): Ostrovsky, Rafail
- Sahai, Amit
- et al.
The notion of simulation is central to cryptography: often, to demonstrate that an adversary did not recover any information about private inputs of other participants, we exhibit the existence of a simulator that generates the adversary's view without access to inputs of honest participants. The primary method used to build simulators is rewinding, where a simulator resets the adversary to a previous point in the protocol and tries to complete the protocol tree multiple times until it achieves a favorable outcome.
First introduced in the context of zero-knowledge proof systems and secure computation, today the rewinding technique is synonymous with protocol security and polynomial simulation. Prior to this work, all known rewinding techniques in the plain model required multiple rounds of back-and-forth interaction between participants.
In this thesis, we demonstrate the first rewinding techniques that require only a single message from each participant. Using these techniques, we overcome several barriers from literature to construct for the first time, based on standard sub-exponential cryptographic assumptions, the following core protocols, and several subsequent applications:
- Two message commitments satisfying non-malleability (with respect to commitment).
- Two-message delayed-input weak zero-knowledge arguments for NP. These imply arguments for NP satisfying witness hiding and strong witness indistinguishability.