Study Questions for Fulcher's "What is Capitalism?"
1) What is the overall theme of this article and what is the definition of capitalism?
This article brings to focus the change that the word "capitalism" had endured throughout history. There are differe
598
R. Pass and M. Venkitasubramaniam
2. V sends an unlikely message m: Let pm be the probability that V
sends m conditioned on transi1 being the transcript at the end of i 1
rounds. We say that m is unlikely if pm 22li +21 log d . Using a union bound
ov
604
R. Pass and M. Venkitasubramaniam
Recently, Pass, Tseng and Wikström in [21] prove that only languages in BPP
have public-coin black-box concurrent zero-knowledge proofs or arguments. As
the result of Goldreich-Krawczyk [8], this proof uses the simula
584
E. Birrell and S. Vadhan
c = 0, then P uses the ZKPOK to demonstrate that he knows (i, ri ) consistent
with the transcript t. If c = 0, V demonstrates knowledge of (j, rj ) using the
same ZKPOK. If the proof is successful and the transcript is valid (
580
E. Birrell and S. Vadhan
Overview of the Goldreich-Krawczyk Construction [16]. In the proof of Theorem 3.1, the key to constructing a zero-knowledge protocol that breaks under
sequential composition lies in taking advantage of the difference in computat
536
R. Ostrovsky, O. Pandey, and I. Visconti
1 Introduction
In this paper, we consider Zero-Knowledge argument systems that are non-malleable and secure against concurrent man-in-the-middle attacks. In such systems, the adversary has complete control over
532
R. Pass, W.-L. Dustin Tseng, and M. Venkitasubramaniam
The basic idea behind the simulation is similar to [PV08]: We wish to define
little time appropriately, so that some slot of every session is rewound and
that expected running time is bounded. For
564
E. Bangerter, J. Camenisch, and S. Krenn
The prover P is adopted as described next. It maintains a list L, which is
initially empty, and sets u := 0. On random input , it performs the following
steps:
(i) For each i , it checks whether there is a pair
540
R. Ostrovsky, O. Pandey, and I. Visconti
Completeness. For every x, y such that RL (x, y) = 1, P (x, y) makes V accept
with probability 1.
Soundness, Zero Knowledge, and Non-malleability. For every PPT adversary M launching a concurrent non-malleable
550
R. Ostrovsky, O. Pandey, and I. Visconti
5 Efficiency
The Actual Cost. It is easy to see that the additional overhead incurred by the
new prover and verifier, is dominated by three steps (overhead from all other
steps is a small additive constant). First
548
R. Ostrovsky, O. Pandey, and I. Visconti
Note that H1 simulates honest verifiers V1 , . . . , VmR on right, and runs real
provers P1 , . . . , PmL on left of M (x, z) in executing all the threads. If extraction
of kp/prs-secrets fails, (i.e., kp/prs-s
530
R. Pass, W.-L. Dustin Tseng, and M. Venkitasubramaniam
3.3 Simulator Overview
At a very high-level our simulator follows that of Feige and Shamir [FS90].
The simulator will attempt to rewind one of the special-sound proofs (i.e., the
slots), because w
582
E. Birrell and S. Vadhan
Theorem 4.1 (Goldreich and Krawczyk [16]). There exists an auxiliary-input zero knowledge proof whose 2-fold parallel composition is not auxiliary-input zero knowledge (or even plain zero knowledge with respect to nonuniform
dis
576
E. Birrell and S. Vadhan
For the purposes of this paper, we consider two different definitions of zero
knowledge. The first, which has primarily been of interest for historical reasons,
is the one originally introduced by Goldwasser, Micali, and Rackoff [
546
R. Ostrovsky, O. Pandey, and I. Visconti
we will show how to simulate the joint view of M and V1 , . . . , VmR , while simultaneously extracting a witness for each x
whenever V s view is accepting and
= transh (for all h). Assume M to be determinist
594
R. Pass and M. Venkitasubramaniam
Completeness: There is a negligible function (), such that for every n,
x L cfw_0, 1n,
!
"
Pr P O , V O (x) = 1 1 (n)
where the probability is taken over all the internal coin tosses of P , V and
uniformly chosen O O
560
E. Bangerter, J. Camenisch, and S. Krenn
that the order of the co-domain (image of (), denoted by Im () cannot be
computed with non-negligible probability. More precisely, using the formalization of Damgård/Koprowski [27], we let be the largest prime
600
R. Pass and M. Venkitasubramaniam
P with probability 1/p(n). Recall that, P, V is a fully black-box zero-knowledge
based on one-way permutations, there exists a PPT machine B , that with
oracle access to DSamd and V Samd inverts (over a random Samd
590
R. Pass and M. Venkitasubramaniam
In Section 3, we discuss the complexity of BPPSam . We observe that the
class SZK, of languages having statistical zero-knowledge proofs, is contained in
BPPSam . This should not be surprising as Ong and Vadhan provid
570
E. Bangerter, J. Camenisch, and S. Krenn
25. Pass, R.: On deniability in the common reference string and random oracle model.
In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer,
Heidelberg (2003)
26. Shoup, V.: On the security of a
562
E. Bangerter, J. Camenisch, and S. Krenn
Finally, a protocol designer can deduce from Theorem 6 how an alternative for the -protocol must not look like. Namely, it must either not be
a generic -protocol, or the protocol must have a non-generic knowle
552
R. Ostrovsky, O. Pandey, and I. Visconti
15. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139,
pp. 566–598. Springer, Heidelberg (2001)
16.
556
E. Bangerter, J. Camenisch, and S. Krenn
indicating that there are inherent efficiency limitations for -protocols. On the
other hand, the cases that are not covered by our results also seem to be valuable,
since they provide cues for protocol designers o
542
R. Ostrovsky, O. Pandey, and I. Visconti
Statistical Simulation with respect to lucky Provers. In general, mp is only
computational zk, since the prover commits to 0 while the simulator commits
to v (the message opened by Vmp ). However, consider a pr
574
E. Birrell and S. Vadhan
efficient prover, under the assumption that the discrete logarithm is hard, or
more generally under the assumptions that UP BPP and one-way functions
exist. We are interested in whether the complexity assumption used by Feige
and
Composition of Zero-Knowledge Proofs
with Efficient Provers
Eleanor Birrell (1) and Salil Vadhan (2)
(1) Department of Computer Science, Cornell University
eleanor@cs.cornell.edu
(2) School of Engineering and Applied Sciences and Center for Research on
Computation and
HOMEWORK 3A
Southern Film Company (SFC) is preparing to make a bid for the rights to produce a
cartoon version of the upcoming James Bond movie Spectre. SGC is trying to decide
whether to place a high bid of $16 million or a low bid of $7 million. SGC exp
PAYOFF TABLE
                       NFC Bid 6 Million    NFC Bid 10 Million
SFC Low Bid 7 Milli    15.8                 0
SFC High Bid 16 Mil    6.8                  6.8
PROBABILITY            0.6                  0.4
CHANGE THIS ONE
RESULTS
EV of Decision: 9.48
Decision: SFC Low Bid 7 Million
P(NFC Bid 10 Million): 0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8
592
R. Pass and M. Venkitasubramaniam
If trans was an output of a previous query, Sam samples a random tape for
M among all random tapes that are consistent with trans, and generates
M s next message m using and outputs trans : m.
Otherwise, outputs .
D
538
R. Ostrovsky, O. Pandey, and I. Visconti
To explain the main conceptual ideas/differences, we now sketch our transformation.2 At a very high level, our transformation has following structure: (1) Our
verifier, V, first executes a kp/prs preamble for a s
578
E. Birrell and S. Vadhan
Theorem 3.1 (Goldreich and Krawczyk [16]). There exists a plain zero-knowledge proof (with respect to nonuniform distinguishers) whose 2-fold sequential composition is not plain zero-knowledge.
The second significant result to
Private Coins versus Public Coins in
Zero-Knowledge Proof Systems
Rafael Pass and Muthuramakrishnan Venkitasubramaniam
Cornell University
{rafael,vmuthu}@cs.cornell.edu
Abstract. Goldreich-Krawczyk (Siam J of Comp96) showed that only
languages in BPP ha
558
E. Bangerter, J. Camenisch, and S. Krenn
with (w ord G)/ ord G being negligibly small. The rest of the protocol remains
unchanged. This approach can be generalized also to the case G = Zu for some
integer u. For more details see, e.g., [5,23].
It is w