Distinguisher-Dependent Simulation in Two Rounds and its Applications

We devise a novel simulation technique that makes black-box use of the adversary as well as the distinguisher. Using this technique we construct several round-optimal protocols, many of which were previously unknown even using non-black-box simulation techniques: ◦ Two-round witness indistinguishable (WI) arguments for NP from different assumptions than previously known. ◦ Two-round arguments and three-round arguments of knowledge for NP that achieve strong WI, witness hiding (WH) and distributional weak zero knowledge (WZK) properties in a setting where the instance is only determined by the prover in the last round of the interaction. The soundness of these protocols is guaranteed against adaptive provers. ◦ Three-round two-party computation satisfying input-indistinguishable security as well as a weaker notion of simulation security against malicious adversaries. ◦ Three-round extractable commitments with guaranteed correctness of extraction from polynomial hardness assumptions. Our three-round protocols can be based on DDH or QR or N residuosity and our two-round protocols require quasi-polynomial hardness of the same assumptions. In particular, prior to this work, two-round WI arguments for NP were only known based on assumptions such as the existence of trapdoor permutations, hardness assumptions on bilinear maps, or the existence of program obfuscation; we give the first construction based on (quasi-polynomial) DDH or QR or N residuosity. Our simulation technique bypasses known lower bounds on black-box simulation [GoldreichKrawcyzk’96] by using the distinguisher’s output in a meaningful way. We believe that this technique is likely to find additional applications in the future. ∗Department of Computer Science, Johns Hopkins University, Baltimore, USA. Supported in part by a DARPA/ARL Safeware Grant W911NF-15-C-0213. †Microsoft Research, Cambridge, USA. ‡Department of Computer Science, UCLA, USA. §Department of Computer Science, MIT, Cambridge, USA. Partially supported by the grants: NSF MACS CNS1413920, DARPA IBM W911NF-15-C-0236 and SIMONS Investigator award Agreement Dated 6-5-12.