Universally Composable Zero-Knowledge Arguments and Commitments from Signature Cards
2022 Postgraduate and Doctoral Entrance Exam, Doctoral English, Hunan Normal University: full mock exam with analysis of error-prone and difficult points, Papers A and B (with answers). Question set no. 53

I. Comprehensive questions (15 in total)

1. Multiple choice. We shall probably never be able to ( ) the exact nature of these sub-atomic particles.
Options: A. assert B. inform C. ascertain D. notify
[Answer] C
[Explanation] assert: to declare, to claim; inform: to notify; ascertain: to find out, to determine; notify: to notify, to announce.
Sentence meaning: We may never be able to determine the exact nature of these sub-atomic particles.
Option C fits the sentence.

2. Multiple choice. Among all societies legal marriage is usually accompanied by some kind of ceremony that expresses group ( ) of the union.
Options: A. opinion B. consistency C. insistence D. approval
[Answer] D
[Explanation] opinion: view, position; consistency: consistency, compatibility; insistence: insistence, emphasis; approval: approval, recognition, endorsement.
Sentence meaning: In all societies, legal marriage is usually accompanied by some kind of ceremony expressing the group's approval of the union.
Option D fits the context.
3. Multiple choice (reading passage).

Back in 1992, Thomas Edison predicted that "the motion picture is destined to revolutionize our educational system and .... in a few years it will supplant largely, if not entirely, the use of textbooks." Well, we all make mistakes. But at least Edison did not squander vast quantities of public money on installing cinema screens in schools around the country.

With computers, the story has been different. Many governments have packed them into schools, convinced that their presence would improve the pace and efficiency of learning. Large numbers of studies, some more academically respectable than others, have purported to show that computers help children to learn. Now, however, a study that compares classes with computers against similar classes without them casts doubt on that view.

In the current Economic Journal, Joshua Angrist of the Massachusetts Institute of Technology and Victor Lavy of the Hebrew University of Jerusalem look at a scheme which put computers into many of Israel's primary and middle schools in the mid-1990s. Dr Angrist and Dr Lavy compare the test scores for math and Hebrew achieved by children in the fourth and eighth grades (ie, aged about nine and 13) in schools with and without computers. They also asked the classes' teachers how they used various teaching materials, such as Xeroxed worksheets and, of course, computer programs. The researchers found that the Israeli scheme had much less effect on teaching methods in middle schools than in elementary schools. It also found no evidence that the use of computers improved children's test scores. In fact, it found the reverse. In the case of the math scores of fourth-graders, there was a consistently negative relationship between computer use and test scores.

The authors offer three possible explanations of why this might be. First, the introduction of computers into classrooms might have gobbled up cash that would otherwise have paid for other aspects of education. But that is unlikely in this case since the money for the programme came from the national lottery, and the study found no significant change in teaching resources, methods or training in schools that acquired computers through the scheme. A second possibility is that the transition to using computers in instruction takes time to have an effect. Maybe, say the authors, but the schools surveyed had been using the scheme's computers for a full school year. That was enough for the new computers to have had a large (and apparently malign) influence on fourth-grade math scores. The third explanation is the simplest: that the use of computers in teaching is no better (and perhaps worse) than other teaching methods.

The bottom line, says Dr Angrist, is that "the costs are clear-cut and the benefits are murky". The burden of proof now lies with the promoters of classroom computers. And the only reliable way to make their case is, surely, to conduct a proper study, with children randomly allocated to teachers who use computers and teachers who use other methods, including the cheapest of all: chalk and talk.

Questions:
1. We can learn from the first paragraph that ( ).
2. Dr. Angrist and Dr. Lavy have done the following except ( ).
3. According to Dr. Angrist and Dr. Lavy, in the Israeli scheme, students didn't make improvement in their test scores because ( ).
4. It can be inferred from the last paragraph that ( ).
5. The author's attitude towards governments' packing computers in schools seems to be ( ).

Question 1 options: A. motion picture has revolutionized education system B. Edison's prediction has been proved wrong C. Edison encouraged schools to install cinema screens D. Schools are cautious about Edison's idea
Question 2 options: A. comparing the test scores of students in different age groups. B. interviewing teachers about their teaching methods. C. launching the computer program in many Israeli schools. D. explaining students' school performance.
Question 3 options: A. other aspects of education were affected due to cash shortage B. it was not long enough for the program to take effect C. there was a negative relationship between computer use and test scores D. the use of computer was no better than other teaching methods
Question 4 options: A. there hasn't been a proper study on this issue yet B. school authorities should provide proof to support the computer program C. installing computers in schools costs too much, but has little or no effect D. chalk and talk work better than computer in teaching
Question 5 options: A. biased B. indifferent C. disapproving D. puzzling
[Answers] Question 1: B; Question 2: C; Question 3: D; Question 4: A; Question 5: C
[Explanation] 1. Detail question.
Zero-knowledge proof lecture slides

Other identification protocols

Guillou-Quisquater identification scheme
The security of the Guillou-Quisquater identification protocol rests on the security of the RSA public-key cryptosystem. Setting up the protocol also requires a trusted authority TA, which first fixes the following parameters:
1. Choose two large primes p and q, compute n = pq, publish n, and keep p and q secret;
2. Randomly choose a large prime b as the security parameter, which at the same time serves as the public RSA encryption exponent;
3. Choose the hash function h to be used in the identification procedure.

The procedure by which the trusted authority TA issues a certificate to user A is as follows:
1. TA confirms the applicant's identity and, on that basis, for each applicant designates

(4) P and V repeat the above process n times.

Zero-knowledge proof
❖ After the protocol has run, V cannot obtain any information that would let it construct a Hamiltonian cycle of graph G, so the protocol is a zero-knowledge proof protocol. In fact, if P proves to V that graph G and graph W are isomorphic, this conclusion is of no use to V, because constructing a Hamiltonian cycle of G is exactly as hard as constructing one of W. If P shows V a Hamiltonian cycle of W, this fact also gives V no help, because finding an isomorphism between two graphs is no easier than finding a Hamiltonian cycle of a graph. In every round of the protocol, P randomly constructs a new graph isomorphic to G, so however many rounds are run, V obtains no information about constructing a Hamiltonian cycle of G.

Zero-knowledge proof
Quisquater-Guillou zero-knowledge protocol
❖ In 1990, Quisquater and Guillou gave a vivid example of a basic zero-knowledge protocol. As shown in the figure below, the figure depicts a simple maze in which only someone who knows the secret password can open the secret door between C and D. Now P wants to prove to V that P can open this door, but does not want to reveal to V the secret password P holds. To do so, P uses the so-called "cut and choose" technique to realize a zero-knowledge protocol.
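Guillou-Quisquater identification with the parameter setup described above, as an added example that is not part of the slides: the protocol rounds follow the standard GQ scheme, while the SHA-256 hash, the toy primes and the identity string are this example's own assumptions. The cheating prover and the simulator functions show, in code, why the scheme is sound and why it is zero-knowledge.

```python
"""Guillou-Quisquater (GQ) identification with the parameters the slides
describe: n = pq from two secret primes, a large prime b that is also the
public RSA-style exponent, and a hash function h mapping an identity to J.
Toy-sized example for study only; the primes and the use of SHA-256 as h
are this example's own choices, not the slides'."""
import hashlib
import math
import secrets


def ta_setup(p, q, b):
    """TA steps 1-2: publish n = pq and the prime exponent b; keep p, q
    (and phi) secret.  b must be coprime to phi so that b-th roots exist."""
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(b, phi) == 1
    return n, phi


def h(identity, n):
    """TA step 3: hash the identity to a public value J in Z_n
    (SHA-256 reduced mod n is an assumed choice for this example)."""
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % n


def ta_issue(identity, n, b, phi):
    """TA computes the prover's secret s with s^b * J == 1 (mod n).
    This needs phi(n), so only the holder of p and q can do it."""
    J = h(identity, n)
    d = pow(b, -1, phi)           # b * d == 1 (mod phi)
    s = pow(pow(J, -1, n), d, n)  # s = (J^-1)^d, so s^b = J^-1 (mod n)
    return J, s


def prover_commit(n, b, r=None):
    """P picks a random r in [1, n-1] and sends the commitment x = r^b mod n."""
    if r is None:
        r = secrets.randbelow(n - 1) + 1
    return r, pow(r, b, n)


def verifier_challenge(b):
    """V picks a challenge e in [0, b-1]."""
    return secrets.randbelow(b)


def prover_respond(r, s, e, n):
    """P answers y = r * s^e mod n."""
    return (r * pow(s, e, n)) % n


def verifier_check(J, x, e, y, b, n):
    """V accepts iff x != 0 and y^b * J^e == x (mod n).
    For an honest P: y^b J^e = r^b (s^b J)^e = r^b = x."""
    return x != 0 and (pow(y, b, n) * pow(J, e, n)) % n == x


def identify(J, s, n, b, rounds):
    """Step (4) of the slides: repeat the round; accept only if every round passes."""
    for _ in range(rounds):
        r, x = prover_commit(n, b)
        e = verifier_challenge(b)
        y = prover_respond(r, s, e, n)
        if not verifier_check(J, x, e, y, b, n):
            return False
    return True


def cheat_commit(J, b, n, guessed_e, fake_y):
    """Soundness: a prover without s can only pass a round by guessing e in
    advance, fixing y and computing the x that verifies for that guess.
    Any other challenge fails, so each round succeeds with probability 1/b
    and repeated rounds drive that down further."""
    return (pow(fake_y, b, n) * pow(J, guessed_e, n)) % n


def simulate_transcript(J, b, n):
    """Zero knowledge: the same trick run by a simulator that picks e and y
    first yields (x, e, y) distributed like an honest-verifier transcript,
    so a transcript reveals nothing about s."""
    e = secrets.randbelow(b)
    y = secrets.randbelow(n - 1) + 1
    x = (pow(y, b, n) * pow(J, e, n)) % n
    return x, e, y


if __name__ == "__main__":
    # Mersenne primes 2^31-1 and 2^61-1 keep the toy run fast; b = 65537.
    P, Q, B = 2**31 - 1, 2**61 - 1, 65537
    N, PHI = ta_setup(P, Q, B)
    J, S = ta_issue(b"alice@example.test", N, B, PHI)
    print("honest prover accepted:", identify(J, S, N, B, rounds=10))
    xc = cheat_commit(J, B, N, guessed_e=5, fake_y=12345)
    print("cheater, challenge guessed right:", verifier_check(J, xc, 5, 12345, B, N))
    print("cheater, any other challenge:", verifier_check(J, xc, 6, 12345, B, N))
```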
Zero Knowledge and Soundness are Symmetric

Shien Jin Ong†, Salil Vadhan†
School of Engineering and Applied Sciences, Harvard University, Cambridge, Massachusetts, USA.
E-mail: {shienjin,salil}@
March 23, 2007

Abstract

We give a complexity-theoretic characterization of the class of problems in NP having zero-knowledge argument systems. This characterization is symmetric in its treatment of the zero knowledge and the soundness conditions, and thus we deduce that the class of problems in NP ∩ coNP having zero-knowledge arguments is closed under complement. Furthermore, we show that a problem in NP has a statistical zero-knowledge argument system if and only if its complement has a computational zero-knowledge proof system. What is novel about these results is that they are unconditional, i.e., do not rely on unproven complexity assumptions such as the existence of one-way functions.

Our characterization of zero-knowledge arguments also enables us to prove a variety of other unconditional results about the class of problems in NP having zero-knowledge arguments, such as equivalences between honest-verifier and malicious-verifier zero knowledge, private coins and public coins, inefficient provers and efficient provers, and non-black-box simulation and black-box simulation. Previously, such results were only known unconditionally for zero-knowledge proof systems, or under the assumption that one-way functions exist for zero-knowledge argument systems.

Keywords: zero-knowledge argument systems, statistical zero knowledge, complexity classes, closure under complement, distributional one-way functions.

1 Introduction

Zero-knowledge protocols are interactive protocols whereby one party, the prover, convinces another party, the verifier, that some assertion is true with the remarkable property that the verifier "learns nothing" other than the fact that the assertion being proven is true. Since their introduction by Goldwasser, Micali, and Rackoff [GMR], zero-knowledge protocols have played a central role in the design and study of
cryptographic protocols.

Zero-knowledge protocols come in several flavors, depending on how one formulates the two security conditions: (1) the zero-knowledge condition, which says that the verifier "learns nothing" other than the fact the assertion being proven is true, and (2) the soundness condition, which says that the prover cannot convince the verifier of a false assertion. In statistical zero knowledge, the zero-knowledge condition holds regardless of the computational resources the verifier invests into trying to learn something from the interaction. In computational zero knowledge, we only require that a probabilistic polynomial-time verifier learns nothing from the interaction.¹ Similarly, for soundness, we have statistical soundness, giving rise to proof systems, where even a computationally unbounded prover cannot convince the verifier of a false statement (except with negligible probability), and computational soundness, giving rise to argument systems [BCC], where we only require that a polynomial-time prover cannot convince the verifier of a false statement. Using a prefix of S or C to indicate whether the zero knowledge is statistical or computational and a suffix of P or A to indicate whether we have a proof system or argument system, we obtain four complexity classes corresponding to the different types of zero-knowledge protocols: SZKP, CZKP, SZKA, CZKA. More precisely, these are the classes of decision problems Π having the corresponding type of zero-knowledge protocol. In such a protocol, the prover and verifier are given as common input an instance x of Π, and the prover is trying to convince the verifier that x is a yes instance of Π.

These two security conditions seem to be of very different flavors; zero knowledge is a 'secrecy' condition, whereas soundness is more like an 'unforgeability' condition. However, in a remarkable paper, Okamoto [Oka] showed that they are actually symmetric in the case of statistical security.
Theorem 1.1 ([Oka, GSV]²). The class SZKP of problems having statistical zero-knowledge proofs is closed under complement. That is, Π ∈ SZKP if and only if

¹ More precisely, in statistical zero knowledge, we require that the verifier's view of the interaction can be efficiently simulated up to negligible statistical distance, whereas in computational zero knowledge, we only require that the simulation be computationally indistinguishable from the verifier's view.
² Okamoto's result was actually for the class of languages having honest-verifier statistical zero-knowledge proofs, but in [GSV] it was shown this is the same as the class of languages having general statistical zero-knowledge proofs.

that the existence of one-way functions (OWF) suffices for the construction of computational zero-knowledge proof systems and statistical zero-knowledge argument systems for every problem in NP [Nao, HILL, NOV]. Thus, the existence of one-way functions implies that computational zero knowledge and computational soundness are symmetric for problems in NP ∩ coNP, by implying that all problems in NP ∩ coNP and their complements have computational zero-knowledge arguments. We note that here, and throughout the paper, we usually restrict attention to problems in NP, because argument systems are mainly of interest when the prover can be implemented in polynomial time given a witness of membership, which only makes sense for problems in NP.³

In this paper, we establish an unconditional symmetry between computational zero knowledge and computational soundness.

Theorem 1.2 (Symmetry Theorem).
1. (CZKA versus co-CZKA) Problem Π ∈ NP ∩ coNP has a computational zero-knowledge argument system if and only if its complement $\overline{\Pi}$ has a computational zero-knowledge proof system.

Observe how the quality of the zero-knowledge condition for Π translates to the quality of the soundness condition for

³ Actually polynomial-time provers also make sense for problems in MA, which is a variant of NP where the verification of witnesses is probabilistic. All of
our results easily extend to MA, but we state them for NP for simplicity.

• There exists a polynomial-time computable function $f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}$, with $n(\cdot)$ and $m(\cdot)$ being polynomials and instance x given as an auxiliary input, such that for every nonuniform probabilistic polynomial-time adversary A, and for every constant c > 0, we have
$$\Pr_{y \leftarrow \{0,1\}^{n(|x|)}}\left[A(f_x(y)) \in f_x^{-1}(f_x(y))\right] \le |x|^{-c},$$
for every sufficiently long x ∈ I.

We call I the set of owf instances, $I \cap \Pi_Y$ the set of owf yes instances, and $I \cap \Pi_N$ the set of owf no instances.

We use the SZKP–OWF Condition to characterize the classes of problems having zero-knowledge protocols.

Theorem 1.4 (SZKP–OWF Characterization of Zero Knowledge).
1. (SZKP [trivial]) Problem Π ∈ IP has a statistical zero-knowledge proof system if and only if Π satisfies the SZKP–OWF Condition without owf instances, namely I = ∅.
2. (CZKP [Vad]) Problem Π ∈ IP has a computational zero-knowledge proof system if and only if Π satisfies the SZKP–OWF Condition without owf no instances, namely $I \cap \Pi_N = \emptyset$.
3. (SZKA [new]) Problem Π ∈ NP has a statistical zero-knowledge argument system if and only if Π satisfies the SZKP–OWF Condition without owf yes instances, namely $I \cap \Pi_Y = \emptyset$.
4. (CZKA [new]) Problem Π ∈ NP has a computational zero-knowledge argument system if and only if Π satisfies the SZKP–OWF Condition.

Theorem 1.2, our Symmetry Theorem between computational zero knowledge and computational soundness, follows directly from: (i) Theorem 1.4 above, (ii) Okamoto's Theorem that SZKP is closed under complement (Theorem 1.1), and (iii) the symmetric role played by the set of owf instances I in the SZKP–OWF Condition.

The advantage of the SZKP–OWF Characterization Theorem is that it reduces the study of the various forms of zero-knowledge protocols to the study of SZKP together with the study of the consequences of one-way functions, both of which are by now quite well-developed. Indeed, we also use these characterizations to prove many other unconditional theorems about the
classes of problems in NP possessing zero-knowledge arguments, such as equivalences between honest-verifier and malicious-verifier zero knowledge, private coins and public coins, inefficient provers and efficient provers, and non-black-box simulation and black-box simulation. Previously, such results were only known unconditionally for the case of zero-knowledge proof systems [Oka, GSV, Vad, NV], or were known under complexity assumptions like the existence of one-way functions for the case of zero-knowledge argument systems [GMW, Nao, HILL, NOV].

While our characterizations of SZKA and CZKA (Items 3 and 4) are similar in spirit to the CZKP characterization of [Vad] (Item 2), both directions of the implications require new ingredients that were not present in [Vad]. In the forward direction, going from CZKA or SZKA to an SZKP–OWF Condition, we combine the work of [Vad] with an idea of Ostrovsky [Ost] to construct a one-way function on no instances in $I \cap \Pi_N$. Ostrovsky showed that if a hard-on-average problem has a statistical zero-knowledge argument system, then (standard) one-way functions exist.⁴ (This was later generalized to computational zero knowledge in [OW].) We use the same construction, but with a slightly different analysis. In Ostrovsky's work, the hardness of inverting the one-way function is derived from the assumed (average-case) hardness of the problem having the zero-knowledge protocol, and it is shown to be hard to invert on yes instances. In our proof, the hardness of inverting the one-way function is instead derived from a gap between statistical soundness and computational soundness, and it is analyzed on no instances.

In the reverse direction, going from an SZKP–OWF Condition to CZKA or SZKA, there were more fundamental obstacles in extending the work of [Vad]. First, the construction of [Vad] made use of a computationally unbounded prover in an essential way (as did the previous work on SZKP, such as [Oka]), whereas argument systems are rather unnatural with unbounded provers and
hence are typically defined with respect to efficient provers. Second, at the time we did not know of a construction of statistical zero-knowledge arguments for NP from any one-way function, which is necessary to make use of the one-way functions constructed from instances in $I \cap \Pi_N$—this is clear when trying to characterize SZKA, but it also turns out to be important for characterizing CZKA. Fortunately, both of these obstacles have been recently overcome in [NV] and [NOV], respectively.

In more detail, we prove the reverse direction by showing that every problem satisfying the SZKP–OWF Condition has an instance-dependent commitment scheme⁵ [BMO, IOS, MV], and then using techniques from [GMW, IOS], we show that every problem in NP with such a commitment scheme has a zero-knowledge argument system. In the original version of this paper [OV], our instance-dependent commitment scheme inherited a certain "1-out-of-2" binding property from [NV] and [NOV]. This property is weaker and more complicated than the standard binding property of commitments, but sufficed for establishing our main theorems (Theorems 1.2 and 1.4). Subsequently, the results of [NV] and [NOV] have been improved to yield standard-binding commitments, the latter by Haitner and Reingold [HR] and the former by [HORV]. Thus in this version, we use standard-binding instance-dependent commitments, as it simplifies our presentation.

2 Preliminaries

If X is a random variable taking values in a finite set U, then we write x ← X to indicate that x is selected according to X. If S is a subset of U, then x ← S means that x is selected according to the uniform distribution on S. We adopt the convention that when the same random variable occurs several times in an expression, they refer to a single sample. For example, Pr[f(X) = X] is defined to be the probability that when x ← X, we have f(x) = x. We write $U_n$ to denote the random variable distributed uniformly over $\{0,1\}^n$.

A function $\varepsilon : \mathbb{N} \to [0,1]$ is called negligible if $\varepsilon(n) = n^{-\omega(1)}$. We let neg(n) denote an arbitrary negligible
function (i.e., when we say that f(n) < neg(n) we mean that there exists a negligible function ε(n) such that for every n, f(n) < ε(n)). Likewise, poly(n) denotes an arbitrary function $f(n) = n^{O(1)}$.

PPT refers to probabilistic algorithms (i.e., Turing machines) that run in strict polynomial time. A nonuniform PPT algorithm is a pair $(A, \bar{z})$, where $\bar{z} = z_1, z_2, \ldots$ is an infinite sequence of strings where $|z_n| = \mathrm{poly}(n)$, and A is a PPT algorithm that receives pairs of inputs of the form $(x, z_{|x|})$. (The string $z_n$ is called the advice string for A for inputs of length n.) Nonuniform PPT algorithms are equivalent to (nonuniform) families of polynomial-sized Boolean circuits.

Statistical Difference. The statistical difference (a.k.a. variation distance) between random variables X and Y taking values in U is defined to be
$$\Delta(X,Y) = \max_{S \subset U} \left|\Pr[X \in S] - \Pr[Y \in S]\right|.$$
We say that X and Y are ε-close if Δ(X,Y) ≤ ε. Conversely, we say that X and Y are ε-far if Δ(X,Y) > ε. For basic facts about this metric, see [SV, Sec 2.3].

2.1 Promise Problems

A promise problem [ESY], stated informally, is a decision problem where some inputs are excluded. Formally, a promise problem is specified by two disjoint sets of strings $\Pi = (\Pi_Y, \Pi_N)$, where we call $\Pi_Y$ the set of yes instances and $\Pi_N$ the set of no instances. Such a promise problem is associated with the following computational problem: given an input that is "promised" to lie in $\Pi_Y \cup \Pi_N$, decide whether it is in $\Pi_Y$ or in $\Pi_N$. Note that languages are a special case of promise problems (namely, a language L over alphabet Σ corresponds to the promise problem $(L, \Sigma^* \setminus L)$).
Thus working with promise problems makes our results more general. Moreover, even to prove our results just for languages, it turns out to be extremely useful to work with promise problems along the way. The complement of a promise problem $\Pi = (\Pi_Y, \Pi_N)$ is the promise problem

Definition 2.1. An instance-dependent function is a family $F = \{f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}\}_{x \in \{0,1\}^*}$, where n(·) and m(·) are polynomials. We call F polynomial-time computable if there is a deterministic polynomial-time algorithm F such that for every $x \in \{0,1\}^*$ and $y \in \{0,1\}^{n(|x|)}$, we have $F(x, y) = f_x(y)$.

To simplify notation, we often write $f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}$ to mean the instance-dependent function $\{f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}\}_{x \in \{0,1\}^*}$.

Definition 2.2 (Instance-Dependent One-Way Function). For any set $I \subseteq \{0,1\}^*$, a polynomial-time computable instance-dependent function $f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}$ is an instance-dependent one-way function on I if for every nonuniform PPT adversary A, there exists a negligible function ε such that for every x ∈ I,
$$\Pr_{y \leftarrow \{0,1\}^{n(|x|)}}\left[A(x, f_x(y)) \in f_x^{-1}(f_x(y))\right] \le \varepsilon(|x|).$$

Next we consider an instance-dependent variant of distributionally one-way functions, which are functions that are hard for PPT adversaries to invert in a distributional manner—that is, given y it is hard for PPT adversaries to output a random preimage $f^{-1}(y)$. The standard definition of distributionally one-way function is given by Impagliazzo and Luby [IL]; here we give the instance-dependent analogue.

Definition 2.3 (Instance-Dependent Distributionally One-Way Function). For any set $I \subseteq \{0,1\}^*$, a polynomial-time computable instance-dependent function $f_x : \{0,1\}^{n(|x|)} \to \{0,1\}^{m(|x|)}$ is an instance-dependent distributionally one-way function on I if there exists a polynomial p(·) such that for every nonuniform PPT adversary A, the random variables $(U_{n(|x|)}, f_x(U_{n(|x|)}))$ and $(A(f_x(U_{n(|x|)})), f_x(U_{n(|x|)}))$ are $1/p(|x|)$-far for all sufficiently long x ∈ I.

Asking to invert in a
distributional manner is a stronger requirement than just finding a preimage, therefore distributionally one-way functions might seem weaker than one-way functions. However, Impagliazzo and Luby [IL] proved that they are in fact equivalent. Like almost all reductions between cryptographic primitives, this result immediately extends to the instance-dependent analogue (using the same proof).

Proposition 2.4 (based on [IL, Lemma 1]). For every set $I \subseteq \{0,1\}^*$, there exists an instance-dependent one-way function on I if and only if there exists an instance-dependent distributionally one-way function on I.

Indistinguishability of Instance-Dependent Ensembles. The notions of statistical and computational indistinguishability have instance-dependent analogues. But first, we define an instance-dependent analogue of probability ensembles.

Definition 2.5. An instance-dependent probability ensemble is a collection of random variables $\{A_x\}_{x \in \{0,1\}^*}$, where $A_x$ takes values in $\{0,1\}^{p(|x|)}$ for some polynomial p. We call such an ensemble samplable if there is a probabilistic polynomial-time algorithm M such that for every x, the output M(x) is distributed according to $A_x$.

Definition 2.6. Two instance-dependent probability ensembles $\{A_x\}_{x \in \{0,1\}^*}$ and $\{B_x\}_{x \in \{0,1\}^*}$ are computationally indistinguishable on $I \subseteq \{0,1\}^*$ if for every nonuniform PPT D, there exists a negligible function ε such that for all x ∈ I,
$$\left|\Pr[D(x, A_x) = 1] - \Pr[D(x, B_x) = 1]\right| \le \varepsilon(|x|).$$
Similarly, we say that $\{A_x\}_{x \in \{0,1\}^*}$ and $\{B_x\}_{x \in \{0,1\}^*}$ are statistically indistinguishable on $I \subseteq \{0,1\}^*$ if the above is required for all functions D, instead of only nonuniform PPT ones. Equivalently, $\{A_x\}_{x \in \{0,1\}^*}$ and $\{B_x\}_{x \in \{0,1\}^*}$ are statistically indistinguishable on I iff $A_x$ and $B_x$ are ε(|x|)-close for some negligible function ε and all x ∈ I. We write $\approx_c$ and $\approx_s$ to denote computational and statistical indistinguishability, respectively.

Instance-Dependent Commitment Schemes. Recall that a (standard) commitment scheme is a two-stage protocol between a sender and a receiver. In the first
stage, called the commit stage, the sender "commits" to a private message m. In the second stage, called the reveal stage, the sender reveals m and "proves" that it was the message to which she committed in the first stage. We require two properties of commitment schemes. The hiding property says that the receiver learns nothing about m in the commit stage. The binding property says that after the commit stage, the sender is bound to a particular value of m; that is, she cannot successfully open the commitment to two different bits in the reveal stage.

Instance-dependent analogues of commitment schemes are commitment schemes that are tailored to a specific problem Π. More precisely, instance-dependent commitment schemes [BMO, IOS, MV] receive an instance x of the problem Π as auxiliary input, and are required to be hiding when $x \in \Pi_Y$ and binding when $x \in \Pi_N$. Thus, they are a relaxation of standard commitment schemes, since we do not require that the hiding and binding properties hold at the same time. Nevertheless, as observed in [IOS], this relaxation is still useful in constructing zero-knowledge protocols. The reason is that zero-knowledge protocols based on commitments (for example, the protocol of [GMW]) typically use only the hiding property in proving zero knowledge (which is required only when x is a yes instance) and use only the binding property in proving soundness (which is required only when x is a no instance).

We give a definition of instance-dependent commitment schemes that extends the standard (that is, non-instance-dependent) definition of commitment schemes in a natural way. Note that in our definition below, the reveal stage is noninteractive (that is, consisting of a single message from the sender to the receiver). This is because in the reveal stage, without loss of generality, we can have the sender provide the receiver the random coin tosses it used in the commit stage, and the receiver verifies consistency.

Definition 2.7 (instance-dependent commitment schemes). An
instance-dependent commitment scheme is a family{Com x}x∈{0,1}∗with the following properties:1.Scheme Com x consists of a commit and a reveal stage.In both stages,the sender and thereceiver receive instance x as common input,and hence we denote them as S x and R x, respectively,and write Com x=(S x,R x).2.At the beginning of the commit stage,sender S x receives a private input b∈{0,1}.At theend of the commit stage,both sender S x and receiver R x output a commitment c.73.In the reveal stage,sender S x sends a pair(b,d),where d is interpreted as the decommitmentstring for bit b.Receiver R x accepts or rejects based on x,b,d,and c.4.The sender S x and receiver R x algorithms are computable in polynomial time(in|x|),givenx as auxiliary input.5.For every x∈{0,1}∗,R x will always accept(with probability1)if both sender S x and receiverR x follow their prescribed strategy.Instance-dependent commitment scheme{Com x=(S x,R x)}x∈{0,1}∗is public coin if for every x∈{0,1}∗,all messages sent by R x in the commit phase are independent random coins.To simplify notation,we write Com x or(S x,R x)to denote instance-dependent commitment scheme{Com x=(S x,R x)}x∈{0,1}∗.Next,we define the hiding and binding properties of instance-dependent commitments.Definition2.8(hiding).Instance-dependent commitment scheme Com x=(S x,R x)is statistically [resp.,computationally]hiding on I⊆{0,1}∗if for every[resp.,nonuniform PPT]R∗,the ensem-bles{view R∗(S x(0),R∗)}x∈I and{view R∗(S x(1),R∗)}x∈I are statistically[resp.,computationally] indistinguishable,where random variable view R∗(S x(b),R∗)denotes the view of R∗in the commit stage interacting with S x(b).Definition2.9(binding).Instance-dependent commitment scheme Com x=(S x,R x)is statistically [resp.,computationally]binding on I⊆{0,1}∗if for every[resp.,nonuniform PPT]S∗,there exists a negligible functionεsuch that for all x∈I,the adversarial sender S∗succeeds in the following game with probability at mostε(|x|).S∗interacts with R x in the 
commit stage obtaining commitment c.Then S∗outputspairs(0,d0)and(1,d1),and succeeds if in the reveal stage,R x(0,d0,c)=R x(1,d1,c)=accept.For a problemΠ=(ΠY,ΠN),we say that instance-dependent commitment scheme Com x forΠis statistically[resp.,computationally]binding on the no instances if Com x is statistically[resp., computationally]binding onΠN.2.3Zero-Knowledge Protocols—Brief IntroductionFor the benefit of more experienced readers,we briefly recall the variants of zero knowledge that we use.Section2.4contains a more detailed introduction with complete defirmal descriptions of the complexity classes used are listed below.•IP denotes the class of promise problems possessing interactive proof systems.•HV-SZKP and HV-CZKP denote the classes of promise problems having honest-verifier statistical and computational zero-knowledge proofs,respectively.Analogously,HV-SZKA and HV-CZKA denote the classes of promise problems having honest-verifier statistical and computational zero-knowledge arguments,respectively.•SZKP and CZKP are the classes of promise problems possessing statistical and computa-tional(auxiliary-input)zero-knowledge proofs,respectively.Analogously,SZKA and CZKA are the classes of promise problems possessing statistical and computational(auxiliary-input) zero-knowledge arguments,respectively.8We highlight the following points.1.Proof versus argument systems:Interactive argument systems refer to protocols whose sound-ness condition is computational.That is,only nonuniform PPT cheating provers are guaran-teed not to be able to convince the verifier of false statements except with negligible probabil-ity;this is a weaker condition than proof systems,where the soundness condition is requiredof all cheating provers instead of just nonuniform PPT ones.Hence,we say that proof systems have statistical soundness.2.Prover complexity:In interactive proofs and interactive arguments,and in their zero-knowledgeanalogues,we allow the honest prover to be computationally 
unbounded,unless we specifyefficient prover,which means a polynomial-time honest prover strategy given a witness formembership.It was shown in[NV]that for problems in NP,any zero-knowledge proof sys-tem with an unbounded prover can be transformed into one with an efficient prover;we willshow the same for argument systems.2.4Zero-Knowledge Protocols—Detailed IntroductionAn interactive protocol(A,B)consists of two algorithms that compute the next-message functionof the(honest)parties in the protocol.Specifically,A(x,a,α1,...,αk;r)denotes the next message αk+1sent by party A when the common input is x,A’s auxiliary input is a,A’s coin tosses arer,and the messages exchanged so far areα1,...,αk.There are two special messages,accept andreject,which immediately halt the interaction.We say that party A(resp.B)is probabilistic polynomial time(PPT)if its next-message function can be computed in polynomial time(in|x|+|a|+|α1|+···+|αk|).Sometimes(though not in this section)we will refer to protocols with a joint output;such an output is specified by a deterministic,polynomial-time computable functionof the messages exchanged.For an interactive protocol(A,B),we write(A(a),B(b))(x)to denote the random processobtained by having A and B interact on common input x,(private)auxiliary inputs a and b toA and B,respectively(if any),and independent random coin tosses for A and B.We call(A,B)polynomially bounded if there is a polynomial p such that for all x,a,b,the total length of all messages exchanged in(A(a),B(b))(x)is at most p(|x|)with probability1.Moreover,if B∗is any interactive algorithm,then A will immediately halt and reject in(A(a),B∗(b))(x)if the total length of the messages ever exceeds p(|x|),and similarly for B interacting with any A∗.We write view A(A(a),B(b))(x)to denote A’s view of the interaction,that is a transcript(x,γ1,γ2,...,γt;r),where theγi’s are all the messages exchanged and r is A’s coin tosses.(Sim-ilarly,we define view B(A(a),B(b))(x)to denote B’s view of 
the interaction.)When dealing withinteractive protocol(P,V),we also write P,V (x)to denote V’s view of the interaction,that isP,V (x)=view V(P,V)(x).Let transcript(A(a),B(b))(x)denote the messages exchanged in the protocol including the common input x,i.e.,(x,γ1,γ2,...,γt).The number of rounds in an execution of the protocol is the total number of messages exchangedbetween A and B,not including thefinal accept/reject message.We call the protocol(A,B) public coin if all of the messages sent by B are simply the output of its coin-tosses(independent of the history),except for thefinal accept/reject message which is computed as a deterministic function of the transcript.(Such protocols are also sometimes known as Arthur-Merlin games[BM].)9Definition2.10(interactive proofs).An interactive protocol(P,V)is an interactive proof system for a promise problemΠif exist functions c,s:N→[0,1]such that1−c(n)>s(n)+1/poly(n) and the following conditions hold.•Efficiency:(P,V)is polynomially bounded,and V is computable in probabilistic polynomial time.•Completeness:If x∈ΠY,then V accepts in(P,V)(x)with probability at least1−c(|x|),•Soundness:If x∈ΠN,then for every P∗,V accepts in(P∗,V)(x)with probability at most s(|x|).We call c(·)the completeness error and s(·)the soundness error.We say that(P,V)has negligible error if both c and s are negligible.We say that it has perfect completeness if c=0.We denote by IP the class of promise problems possessing interactive proof systems.We denote MA to be the class of promise problems possessing single-round interactive proof systems;that is,the prover P just sends a single message to V,and V uses the prover’s message and its own random coins in deciding whether to accept or reject.We can think of MA as a generalization of NP where the verification of witnesses is proba-bilistic.An equivalent definition of IP is the class of problems possessing public-coin interactive proof systems with perfect completeness and negligible soundness 
error[GS,FGM+].Definition2.11(interactive arguments).We say that(P,V)is an interactive argument system forΠif the soundness condition in Definition2.10holds against all nonuniform PPT P∗,instead of every(computationally unbounded)P∗.Specifically,we require both the efficiency and com-pleteness conditions in Definition2.10to hold,and the new(weaker)soundness condition is the following.•Soundness:If x∈ΠN,then for every nonuniform PPT P∗,V accepts in(P∗,V)(x)with probability at most s(|x|).We denote by IA the class of promise problems possessing interactive argument systems.Unlike interactive proofs,the complexity-theoretic characterization of IA is not well-studied. In particular,we do not know if general interactive arguments can be made to have public coin or to have perfect completeness.The completeness and soundness error,however,can be made negligibly small by sequential repetition.There are various notions of zero knowledge,referring to how rich a class of verifier strategies are considered.The weakest is to consider only the“honest verifier,”the one that follows the specified protocol.6Definition2.12(honest-verifier zero knowledge).An interactive proof system(P,V)for a promise problemΠis statistical[resp.,computational]honest-verifier zero knowledge if there exists a prob-abilistic polynomial-time simulator S such that the ensembles{ P,V (x)}and{S(x)}are statisti-cally[resp.,computationally]indistinguishable onΠY.。
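The commit/reveal interface of Definition 2.7, the hiding distinguisher of Definition 2.8 and the binding game of Definition 2.9 can be exercised end to end on a deliberately degenerate promise problem. The following Python is an added example and not code from the paper: it assumes a contrived $\Pi$ with $\Pi_Y$ = even-length strings and $\Pi_N$ = odd-length strings (trivially decidable, so the scheme can switch behaviour on $x$; real instance-dependent schemes get the two regimes from the structure of $\Pi$, not from deciding it), uses SHA-256 in place of an abstract collision-resistant hash, and takes the decommitment string $d$ to be the sender's commit-stage coins, as the text notes is without loss of generality. On yes instances the commitment is independent of $b$ (hiding) and the equivocating sender wins the binding game with certainty; on no instances the commitment fixes $b$ (binding) but leaks it, so a trivial distinguisher reads $b$ off the view. This is exactly the relaxation discussed above: neither property is required on the other side of the promise.

```python
"""Instance-dependent commitment interface of Definitions 2.7-2.9 on a toy
promise problem.  Added example; not code from the paper.

Assumptions of this example (none of them come from the text):
  * PI = (PI_Y, PI_N) with PI_Y = even-length strings, PI_N = odd-length
    strings, chosen so that membership is trivially decidable.
  * SHA-256 stands in for a collision-resistant hash.
  * The decommitment string d is the sender's coins from the commit stage,
    so the reveal stage is a single message (b, d).
"""
import hashlib
import secrets

COIN_LEN = 32


def in_yes(x: bytes) -> bool:
    """Membership in PI_Y for the toy promise problem (even length)."""
    return len(x) % 2 == 0


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def S_commit(x: bytes, b: int, coins: bytes) -> bytes:
    """Sender S_x on private input b with coin tosses `coins`; returns c.

    x in PI_Y: c = H(coins)         c is independent of b (perfectly hiding),
                                    but the same coins open to 0 and to 1.
    x in PI_N: c = [b] || H(coins)  c fixes b (perfectly binding),
                                    but c leaks b outright (not hiding).
    """
    if b not in (0, 1) or len(coins) != COIN_LEN:
        raise ValueError("b must be a bit and coins must be COIN_LEN bytes")
    if in_yes(x):
        return H(coins)
    return bytes([b]) + H(coins)


def R_verify(x: bytes, b: int, d: bytes, c: bytes) -> bool:
    """Receiver R_x in the reveal stage: recompute the commitment and compare."""
    if b not in (0, 1) or len(d) != COIN_LEN:
        return False
    return S_commit(x, b, d) == c


def honest_commit(x: bytes, b: int):
    """Commit stage with honest parties: returns (c, d) with d = S_x's coins."""
    d = secrets.token_bytes(COIN_LEN)
    return S_commit(x, b, d), d


def binding_game(x: bytes, adversary) -> bool:
    """The game of Definition 2.9.  `adversary(x)` plays S*: it returns the
    commitment c produced in the commit stage and openings (d0, d1).
    S* wins iff R_x(0, d0, c) = R_x(1, d1, c) = accept."""
    c, d0, d1 = adversary(x)
    return R_verify(x, 0, d0, c) and R_verify(x, 1, d1, c)


def equivocating_sender(x: bytes):
    """S* that commits honestly to 0 and then offers the same coins for 1."""
    d = secrets.token_bytes(COIN_LEN)
    return S_commit(x, 0, d), d, d


def bit_reading_distinguisher(x: bytes, c: bytes) -> int:
    """Distinguisher D for Definition 2.8, given the honest receiver's view
    (just c here, since the commit stage is one message).  Guesses b."""
    if in_yes(x):
        return 0          # c carries no information about b; guess 0 always
    return c[0]           # on PI_N the first byte of c is b itself


def hiding_advantage(x: bytes, trials: int = 200) -> float:
    """Empirical |Pr[D(x, view(S_x(1)))=1] - Pr[D(x, view(S_x(0)))=1]|."""
    ones = [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            c, _d = honest_commit(x, b)
            ones[b] += bit_reading_distinguisher(x, c)
    return abs(ones[1] - ones[0]) / trials


if __name__ == "__main__":
    # Constructed sample instances: 12 bytes (PI_Y) and 11 bytes (PI_N).
    for x in (b"yes-instance", b"no-instance"):
        c, d = honest_commit(x, 1)
        print(x, "honest reveal accepted:", R_verify(x, 1, d, c),
              "| S* wins binding game:", binding_game(x, equivocating_sender),
              "| hiding advantage:", hiding_advantage(x))
```

Property 5 of Definition 2.7 (an honest reveal is always accepted) holds on both sides of the promise; what changes with $x$ is only which of hiding and binding survives, which is why a GMW-style zero-knowledge protocol can use such a scheme: zero knowledge is argued on $\Pi_Y$ from hiding alone, soundness on $\Pi_N$ from binding alone.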
2024 Wuhan (Hubei Province) Senior High School Graduates February Survey Examination, English Paper (with answers)

Wuhan 2024 Senior High School Graduates February Survey Examination, English Paper. Developing good answering habits is one of the decisive factors for success in the college entrance examination English test.
Before working on a question, read the instructions, the stem and the options carefully and make a reasonable prediction of the answer. When answering, avoid going by feel; preferably work in question order, mark any question you cannot do or have doubts about, be alert to finding the key point of each question, answer in the required form and write neatly. When finished, check carefully, fill in omissions and correct mistakes.
Set and reviewed by: Wuhan Academy of Educational Sciences

Part I: Listening (two sections, 30 points)
While answering, first mark your answers on the test paper.
After the recording ends, you will have two minutes to transfer your answers from the test paper to the answer sheet.
Section A (5 questions; 1.5 points each, 7.5 points in total). Listen to the following 5 conversations.
Each conversation is followed by one question. Choose the best answer from the three options A, B and C and mark it in the corresponding place on the test paper.
After each conversation you will have 10 seconds to answer the question and read the next one.
Each conversation will be played only once.
1. What are the speakers probably doing? A. Discussing at work. B. Talking on the phone. C. Driving on the way.
2. What will the man do next? A. Have a dessert. B. Pay the check. C. Ask for a beer.
3. What do we know about the hamburger? A. It might go bad. B. It's good-looking. C. It looked funny.
4. What are the speakers mainly talking about? A. The scenery. B. The transport. C. The weather.
5. How does the woman sound in the end? A. Glad. B. Surprised. C. Impatient.
Section B (15 questions; 1.5 points each, 22.5 points in total). Listen to the following 5 conversations or monologues.
The general UC model (English)

Universally Composable Security:A New Paradigm for Cryptographic Protocols(Extended Abstract)Ran CanettiAbstractWe propose a new paradigm for defining security of cryp-tographic protocols,called universally composable secu-rity.The salient property of universally composable defini-tions of security is that they guarantee security even when a secure protocol is composed with an arbitrary set of pro-tocols,or more generally when the protocol is used as a component of an arbitrary system.This is an essential prop-erty for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Inter-net.In particular,universally composable definitions guar-antee security even when an unbounded number of proto-col instances are executed concurrently in an adversarially controlled manner,they guarantee non-malleability with re-spect to arbitrary protocols,and more.We show how to formulate universally composable def-initions of security for practically any cryptographic task. 
Furthermore,we demonstrate that practically any such def-inition can be realized using known techniques,as long as only a minority of the participants are corrupted.We then proceed to formulate universally composable definitions of a wide array of cryptographic tasks,including authenti-cated and secure communication,key-exchange,public-key encryption,signature,commitment,oblivious transfer,zero knowledge and more.We also make initial steps towards studying the realizability of the proposed definitions in var-ious settings.Keywords:cryptographic protocols,security analysis of protocols,concurrent composition.1IntroductionRigorously demonstrating that a protocol“does its job securely”is an essential component of cryptographic pro-tocol design.This requires coming up with an appropri-ate mathematical model for representing protocols,and then IBM T.J.Watson Research Center.Email:canetti@.formulating,within that model,a definition of security thatcaptures the requirements of the task at hand.Once such a definition is in place,we can show that a protocol“does itsjob securely”by demonstrating that it satisfies the definitionof security in the devised mathematical model.However,coming up with a good mathematical modelfor representing protocols,and even more so formulatingappropriate definitions of security within the devised model, turns out to be a tricky business.The model should be richenough to represent a large variety of realistic adversarial behaviors,and the definition should guarantee that the intu-itive notion of security is captured,for any adversarial be-havior under consideration.This in particular means that security should be maintained when the protocol is used asa component within a larger system.In contrast,cryptographic primitives(or,tasks)were tra-ditionallyfirst defined as stand-alone protocol problems.This allowed for relatively concise and intuitive problem statement,as well as simple analysis of protocols.How-ever,in many cases it turned out that 
the initial definitionswere insufficient in more complex contexts,and especially when deploying protocols within larger systems or pro-tocol environments.Examples include encryption(wheresemantic security[GM84]was later augmented with sev-eralflavors of security against chosen ciphertext attacks,e.g.[NY90,DDN00,RS91,BDPR98]and adaptive secu-rity[BH92,CFGN96]),commitment(where the original no-tions were augmented with someflavors of non-malleability[DDN00,DIO98,FF00]and equivocability,e.g.,[BCC88, B96]),Zero-Knowledge protocols(where the original no-tions[GMR a89,GO94]were shown not to be closed underparallel and concurrent composition[GK88,F91,DNS98]), Key Exchange[BR93,BCK98,S h99,CK01],ObliviousTransfer[R81,EGL85,GM00],and more.One way to capture the security concerns that arise in some specific protocol environment or in a given applica-tion is to directly represent the given environment or ap-plication within an extended definition of security.(Such an approach was taken,for instance in the cases of concur-rent zero-knowledge and oblivious transfer[DNS98,GM00]as well as non-malleability of protocols[DDN00],where the definitions explicitly model several adversarially coordi-nated instances of the protocol in question.)This approach,however,results in definitions with ever-growing complex-ity,and is inherently limited in scope since it addresses onlyspecific environments and concerns.An alternative approach,taken in this work,is to use def-initions that treat the protocol as stand-alone but guaranteesecure composition.That is,here definitions of security inspect only a single copy of the protocol in vitro.Secu-rity in complex settings(where a protocol instance may runconcurrently with many other protocol instances,on poten-tially related inputs and in an adversarially controlled way)is guaranteed via a general composition theorem.On top of simplifying the process of formulating definitions and ana-lyzing protocols,this approach guarantees security in arbi-trary 
protocol environments,even unpredictable ones which have not been explicitly stated.In order to make such an approach(and in particular,such a composition theorem)meaningful,wefirst need to have a general framework in which to represent crypto-graphic protocols and the security requirements of crypto-graphic tasks.Indeed,several general definitions of secureprotocols were developed over the years,e.g.[GL90,MR91, B91,BCG93,PW94,C00,HM00,DM00,PSW00,PW00]. Some of these definitions were shown to maintain securityunder natural composition operations.These definitions areobvious candidates for such a general framework.However, the composition operations considered in those works fall short of guaranteeing general secure composition of cryp-tographic protocols,especially in settings where security holds only for computationally bounded adversaries and nu-merous protocols may be running concurrently in an adver-sarially coordinated way.Moreover,many of these works choose to concentrate on the task of secure function evalu-ation which,in spite of its generality,does not capture the requirements of many cryptographic primitives,which are reactive in nature.(Secure function evaluation is the task where a set of parties wish to jointly compute a known func-tion of their secret inputs.)We further elaborate on some of these works and their relation to the present one in Sec-tion1.4.This work proposes a new framework for representingand analyzing cryptographic protocols.Within this frame-work,we propose a general methodology for expressing the security requirements of practically any cryptographic task in a clear,concise and intuitively satisfying way.The salient property of definitions of security generated using this methodology is that they guarantee security even when the given protocol is running in an arbitrary and unknown multi-party environment.In particular,security is preserved under a very general composition operation that captures,as special cases,the standard 
notions of concurrent composi-tion(with arbitrarily many instances of either the same pro-tocol or other protocols),non-malleability,and more.Wecall this composition operation universal composition,andsay that definitions of security in this framework are univer-sally composable(UC).UC definitions of security tend to be more stringent than other definitions of security.Nonetheless,we show that insettings where parties have access to a set of servers,atmost a minority of which may be corrupted,standard cryp-tographic techniques(e.g.,[BGW88,RB89,CFGN96])canbe used to carry out practically any cryptographic task in auniversally composable way.We also formulate UC defini-tions of a number of well known cryptographic tasks,suchas authenticated and secure communication,key-exchange, public-key encryption,signature,commitment,oblivioustransfer,Zero-Knowledge,secret sharing,and general func-tion evaluation.In some cases,we present initial results regarding the realizability of the definitions.In other casesrealizing the definitions is left open.1.1The proposed frameworkWe briefly sketch the proposed framework and highlight some of its properties.Let usfirst briefly sketch the defini-tional approach of[C00],which is the starting point of thiswork.(The work of[C00]is,in turn,based to a large ex-tent on[B91,MR91,GL90]).This work is geared towardscapturing the task of secure function evaluation in a syn-chronous,ideally authenticated network.The idea is tofirst formulate a model representing the process of protocol exe-cution in real-life.This is called the real-life model.Next, in order to capture the security requirements of a given task,formulate an ideal process for carrying out the task.Thensay that a protocol securely realizes the task at hand if run-ning the protocol in the real-life model amounts to“emulat-ing”the ideal process for that task.The real-life model of computation in[C00]consists of a set of interactive Turing machines(ITMs)representing theparties running 
the protocol,plus an ITM representing the adversary.The parties and adversary interact on a given setof inputs and each party generates local output.The con-catenation of the local outputs of all parties and adversary is called the global output.The ideal process for evaluat-ing some function is defined similarly,with the impor-tant exception that the parties hand their inputs to an in-corruptible trusted party,which evaluates and hands thecorresponding outputs back to the parties.A protocol se-curely evaluates a function if for any real-life adversary there exists an ideal-process adversary such that,for any input vector,the global output of running with in the real-life model is indistinguishable from the global out-put of the ideal process for with adversary.This def-initional approach is sufficient for capturing“stand-alone”security of protocols.It is also shown to be closed under non-concurrent composition.The present framework preserves the overall structure of that approach.The difference lies in new formulations of the models of computation and the notion of“emulation”. 
Specifically,we introduce an additional computational en-tity,called the environment machine,to both the real-life model and the the ideal process.The environment machine is an ITM that represents“whatever is external to the cur-rent protocol execution”.This includes other protocol exe-cutions and their adversaries,human users,etc.The envi-ronment provides all the inputs to all parties and reads all their outputs.More importantly,the environment interacts with the adversary freely throughout the computation.That is,between any two atomic operations carried out by the adversary(e.g.,delivery of a message,or corruption of a party)the adversary and the environment may exchange ar-bitrary information.The security requirement is now that executing the protocol in the real-life model should“look the same”as the ideal process from the point of view of the environment.More precisely,a protocol securely realizes a trusted party for some function if for any real-life adver-sary there exists an ideal-process adversary such that no feasible environment can tell with non-negligible proba-bility whether it is interacting with and in the real-life model or with in the ideal process for.In a way,the en-vironment serves as an“interactive distinguisher”between the protocol execution and the ideal process.Note that the same ideal-process adversary is required to work for all environments.Thus,the interaction between and the en-vironment is inherently“black-box”from the point of view of.This requirement is essential for our proof of the com-position theorem.1Another modification to the definition allows capturing not only secure function evaluation but also reactive tasks where new input values become known throughout the com-putation,and may depend on previously generated output values.This is obtained by replacing the“trusted party”in the ideal process for secure function evaluation with a gen-eral algorithmic entity called an ideal functionality.The ideal functionality,which is 
modeled as another ITM,re-peatedly receives inputs from the parties and provides them with appropriate output values.This way,it is guaranteed that the outputs of the parties in the ideal process have the expected properties with respect to the inputs,even when new inputs are chosen adaptively based on previous outputs.1A very limited variant of the notion of environment appears in[C00]. That variant,aimed at providing non-concurrent composition in the pres-ence of an adaptive adversary,interacts with the parties and the adversary only at few occasions throughout the computation.In particular,the variant there is not known to be sufficient for preserving security under concurrent composition.Yet another difference from[C00]is that here we model networks where the communication is open,unauthenti-cated,and asynchronous(without guaranteed delivery of messages).We also concentrate on the case where the ad-versary is probabilistic polynomial time(PPT).This model-ing seems more suitable for analyzing protocols in realistic settings.Universal Composition.We show that the following prop-erty holds with respect to a protocol that securely realizes some ideal functionality.Let be some arbitrary proto-col(we think of as an“application protocol”)that oper-ates in a model where all parties have ideal access to multi-ple instances of.That is,in this model(which we call the -hybrid model)the parties,the adversary and the environ-ment interact as in the real-life model,and in addition theparties can privately communicate with as many instances of as they wish.It is stressed that the different instances of are running at the same time without any global co-ordination.They are distinguished via special identifiers, generated by the calling protocol.Now,construct the composed protocol from by re-placing each call to a new instance of with an invocation of a fresh copy of.Similarly,a message sent to an ex-isting instance of is replaced with an input value given to the corresponding 
invocation of,and any output of an invocation of is treated as a message received from the corresponding instance of.(Note that a run of protocol may have an unbounded number of copies of which are running concurrently on related inputs.)The universal composition theorem states that running protocol in the plain real-life model has essentially the same effect as running protocol in the-hybrid model. More precisely,it guarantees that for any real-life adversary there exists an adversary in the-hybrid model such that no environment machine can tell with non-negligible probability whether it is interacting with and parties run-ning in the plain real-life model,or with and parties running in the-hybrid model.In particular,if securely realizes some ideal functionality in the-hybrid model then securely realizes from scratch.Notice that,while other composition theorems address only the case where a single protocol instance is composed with another protocol,here the hybrid model allows for an unbounded number of instances of the composed protocol to run concurrently.It may appear that this more complex formulation of the composition operation is not necessary, since it can be obtained by iteratively composing all in-stances of the protocol,one at a time,with an outside pro-tocol.However,in our computational setting the composi-tion theorem can be safely applied only a constant number of times,otherwise the complexity of the adversary in the hybrid model may become super-polynomial.Conse-quently,this weaker formulation of the composition theo-rem only guarantees secure composition of a constant num-ber of protocol instances running concurrently. 
Interpreting the composition theorem.Traditionally,com-position theorems are treated as tools for modular design and analysis of complex protocols.(For instance,this is the main motivation in[MR91,C00,DM00,PW00].)That is,given a complex task,first partition the task to several, simpler sub-tasks.Then,design protocols for securely re-alizing the sub-tasks,and in addition design a protocol for realizing the given task in a model where ideal evaluation of the sub-tasks is possible.Finally,use the composition theo-rem to argue that the protocol composed from the already-designed sub-protocols securely realizes the given task.(An example of a context where this interpretation is put to use is the proof of security in[CKOR00].)Note that for this application it suffices to use composition theorems where it is known in advance which protocol instances are running together and how the protocol executions are going to be interleaved.In contrast,here we use the composition theorem as a tool for gaining confidence in the sufficiency of a definition of security in some protocol environment.Indeed,protocols that satisfy a universally composable definition are guar-anteed to maintain their security within any protocol envi-ronment—even environments that are not known a-priori, and even environments where the participants in a proto-col execution are unaware of other instances of the protocol (or other protocols altogether)that may be running concur-rently in the system in an adversarially coordinated manner. 
This is a strong guarantee.1.2General satisfiability of the definitionsDefinitions of security in the proposed framework tend to be more stringent than other definitions.Moreover,the existing proofs of security of many known protocols do not work in the present framework.Examples include most known Zero-Knowledge protocols,the protocol generator of[GMW87,G98]and more.This is mainly due to the fact that a common proof-technique,namely black-box simula-tion with rewinding of the adversary,does not work in the present framework.(Indeed,here the ideal-process adver-sary has to interact with the environment machine which cannot be“rewound”.)Nonetheless,it can be seen that some known protocols for the general task of secure function evaluation are,in fact, universally composable.For instance,the[BGW88]proto-col(say,with the simplification of[GRR98]),together with encrypting each message using non-committing encryption [CFGN96],is universally composable as long as less than a third of the parties are ing[RB89],any cor-rupted minority is tolerable.The asynchronous setting can be handled using the techniques of[BCG93,BKR94].We use this fact to demonstrate that practically any ideal functionality—even reactive ones and even“two-party functionalities”(i.e.,functionalities where only two par-ties have inputs and outputs)—can be securely realized in the proposed framework.Specifically,our solution assumes that the network contains a set of parties(called“servers”) such that only a minority of these parties can ever be cor-rupted.The servers have no local inputs or outputs;they only assist other parties in realizing the given functionality. 
All parties share their inputs among the servers,who run the appropriate multiparty function evaluation protocol and send the output values to the appropriate parties.Iterated evaluations(which may involve implementing ideal func-tionalities that maintain internal state between invocations) are handled in standard ways.1.3UC definitions of some specific tasksWe formulate and study universally composable defini-tions of a number of standard cryptographic tasks.In fact, much of the definitional work is already done by the gen-eral framework described above.All that is left to do on the definitional side is to formulate ideal functionalities that capture the security requirements of these tasks.Wefirst address the task of message authentication:the corresponding functionality,AUTH,is invoked with a re-quest by some party,,to transmit a message to another party,.Then AUTH ideally sends to and the adversary,and halts.(Forwarding to the adversarycaptures the fact that secrecy is not provided.)This way,the standard computational model where the communication is ideally authenticated is rephrased as the AUTH-hybrid model.This notion is the natural universally composable extension of the authenticators of[CHH00,BCK98].In particular,the two authenticators presented in[BCK98]se-curely realize AUTH given an authenticated initialization phase.The task of providing secure(i.e.,authenticated and se-cret)transmission of individual messages is addressed next. 
It is seen that standard semantically secure encryption(or alternatively non-committing encryption for adaptive adver-saries)are sufficient in order to realize the secure communi-cation functionality in the AUTH-hybrid model,if any mes-sage is encrypted using a different public/private key pair.Next we formulate ideal functionalities that capture the tasks of secure sessions and key exchange.Secure sessions is an extension of secure transmission of individual mes-sages to the case where a sequence of messages between a pair of parties are secured together.The main advantage of this functionality over the previous ones is that it allows for more efficient realizations,via key-exchange combined with symmetric cryptography using the generated keys.The key exchange functionality essentially provides parties with“ideally chosen keys.”In particular,protocols that securely realize KE are guaranteed to satisfy the security notion of [CK01].Furthermore,most of the Key-Exchange protocols presented in[CK01]securely realize KE.Next the tasks of public-key encryption and digital sig-natures are addressed.Securely realizing the signature ideal functionality turns out to be essentially equivalent to exis-tential security against chosen message attacks as in Gold-wasser Micali and Rivest[GMR i88].In the case of public-key encryption(where many messages may be encrypted by different parties using the same key),securely realizing the proposed functionality turns out to be closely related(but incomparable)to security against adaptive chosen cipher-text attacks[DDN00,RS91,BDPR98].We then proceed to formulate UC definitions of“clas-sic”two-party primitives such as coin-tossing,commitment, zero-knowledge,and oblivious-transfer.These primitives are treated as two-party protocols in a multi-party setting. 
As usual, the composition theorem guarantees that security is maintained under concurrent composition, either with other copies of the same protocol or with other protocols, and within any application protocol. In particular, non-malleability with respect to an arbitrary set of protocols is guaranteed. Unfortunately, these functionalities cannot be securely realized by two-party protocols in the bare model of computation (or even in the AUTH-hybrid model). This result is shown in [CF01] for commitment; using similar techniques, we extend this result to the cases of oblivious transfer and zero-knowledge. Nonetheless, as demonstrated in [CF01], the commitment and zero-knowledge functionalities can be securely realized by two-party protocols in a hybrid model with ideal access to the coin-tossing functionality. (It is interesting to note that the hybrid model with ideal access to the coin-tossing functionality turns out to be essentially identical to the popular common random string model of [BFM89].)

Finally, we formulate ideal functionalities that capture traditional multi-party tasks such as verifiable secret sharing and secure function evaluation in synchronous networks. In particular, we obtain the first definition of protocols for secure function evaluation that is closed under concurrent composition in a setting where all the communication is public. (Two-party secure function evaluation is obtained as a special case.)

1.4 Related work

Numerous definitional works on security of protocols have been carried out over the years. The works of [GL90, MR91, B91, C95] are surveyed in [C00]. Here we very briefly review some definitional efforts that are closely related to the present work.

Pfitzmann et al. [PW94, PSW00, PSW00a, PW00, PW01] were the first to formally model the security requirements of general reactive systems. In a series of works that contain many interesting ideas, they model security of reactive systems in an extended finite-state machine model of computation that is
essentially equivalent to the I/O automata model of [L96]. In particular, they introduce the notion of an honest user that 'sees' the functionality (i.e., the inputs and outputs) of a given system, and say that one system "simulates" another if the honest user cannot tell the difference between the two systems. However, they stop short of defining security of protocols for realizing a given task. They also state a composition theorem with respect to their framework; their composition theorem is weaker than the one here in that it deals only with the case where a single protocol execution is carried out concurrently with the calling protocol. (In contrast, much of the complexity in protocol composition appears only when the number of composed copies is not a priori bounded.) These works also contain descriptions of ideal systems for public-key encryption and certified mail.

Canetti [C00] presents a definition of secure function evaluation in a variety of computational settings, including the case where the communication is public and security is guaranteed only against a computationally bounded adversary. Some of the definitions there also use an "environment machine"; however, there both the purpose of the environment and its pattern of interaction with the other participants differ from those here. The definitions of [C00] are shown to be closed under a composition theorem similar to the one here, but only in the non-concurrent case where no more than a single protocol execution is running at any point in time.

Dodis and Micali [DM00] build on the definition of Micali and Rogaway [MR91] for information-theoretically secure function evaluation in synchronous networks, where ideally private communication channels are assumed. In that setting, they prove that their definition of security is closed under a general concurrent composition operation similar to the one in this work. They also formulate an additional and interesting composition operation (called synchronous composition) that provides
stronger security guarantees, and show that their definition is closed under that composition operation in cases where the scheduling of the various invocations of the protocols can be controlled. However, their definition applies only to settings where the communication is ideally private. It is not clear how to extend this definitional approach to realistic settings where the adversary can eavesdrop on the communication between honest parties.

The pioneering work of Dolev, Dwork and Naor [DDN00] points out some important security concerns that arise when running cryptographic protocols within a larger system. In particular, they define and construct encryption schemes secure against chosen-ciphertext attacks, non-malleable commitment schemes, and more. That work provides motivation for the present one. In particular, making sure that the concerns pointed out in [DDN00] are answered plays a central role in the present framework.

Connections with the formal-methods approach to analyzing security. A large body of work on analyzing security of protocols using techniques for formal verification of computer programs has been carried out over the years (a very partial list of works includes [DY83, BAN90, M94, KMM94, L96, AG97]). The approach and framework presented here may serve as a "bridge" for connecting that approach with the complexity-based approach pursued in the cryptographic community, with advantages to both approaches. See more details in our Technical Report [C01].

Organization. Section 2 defines the notion of securely realizing an ideal functionality. Section 3 presents the composition theorem and very briefly outlines the proof. Section 4 states the general satisfiability theorem. Throughout, the presentation is kept high-level and informal for brevity and clarity. Details are available in our Technical Report [C01].
UC definitions of the tasks mentioned in Section 1.3 also appear there.

2 The basic framework

As sketched in Section 1.1, protocols that securely carry out a given task (or protocol problem) are defined in three steps, as follows. First, the process of executing a protocol in the presence of an adversary and in a given computational environment is formalized. Next, an "ideal process" for carrying out the task at hand is formalized. In the ideal process the parties do not communicate with each other. Instead they have access to an "ideal functionality", which is essentially an incorruptible "trusted party" that is programmed to capture the desired functionality of the task at hand. A protocol is said to securely realize an ideal functionality if the process of running the protocol amounts to "emulating" the ideal process for that ideal functionality. In the rest of this subsection we overview the model for protocol execution (called the real-life model), the ideal process, and the notion of protocol emulation.

We concentrate mainly on the following standard model, aimed at representing current realistic communication networks (such as the Internet). The network is asynchronous without guaranteed delivery of messages. The communication is public and unauthenticated. That is, the adversary may delete, modify, and generate messages at will. Parties may be broken into (i.e., become corrupted) throughout the computation, and once corrupted their behavior is arbitrary (or Byzantine). Finally, all the involved entities are restricted to probabilistic polynomial-time (or "feasible") computation. Most other standard models of computation (e.g., authenticated communication, synchronous message delivery, the common reference string model, or computationally unbounded adversaries) can be captured via appropriate modifications to the basic model. See more details within.

Protocol syntax. Following [GMR89, G01], a protocol is represented as a system of interactive Turing machines (ITMs), where each ITM represents the program to
be run within a different party. Specifically, the input and output tapes model inputs and outputs that are received from and given to other programs running on the same machine, and the communication tapes model messages sent to and received from the network. Adversarial entities are also modeled as ITMs. We concentrate on a model where the adversaries have an arbitrary additional input, or "advice". From a complexity-theoretic point of view, this essentially implies that adversaries are non-uniform ITMs.

Protocol execution in the real-life model. We sketch the process of executing a given protocol (run by a set of parties) with some adversary and an environment machine with some input. All parties have a security parameter and are polynomial in it. The execution consists of a sequence of activations, where in each activation a single participant (either the environment, the adversary, or one of the parties) is activated. The environment is activated first. In each activation it may read the contents of the output tapes of all parties, and may write information on the input tape of either one of the parties or of the adversary. Once the activation of the environment is complete (i.e., once the environment enters a special waiting state), the entity whose input tape was written on is activated next.

Once the adversary is activated, it may read its own tapes and in addition the contents of the outgoing communication tapes of all parties. It may either deliver a message to some party by writing this message on the party's incoming communication tape (see footnote 2), or corrupt a party. Upon corrupting a party, the adversary gains access to all the tapes of that party and controls all the party's future actions. Finally, the adversary may write arbitrary information on its output tape.
If the adversary delivered a message to some uncorrupted party in an activation, then this party is activated once the activation of the adversary is complete. Otherwise the environment is activated next.

Once a party is activated (either due to an input given by the environment or due to a message delivered by the adversary), it follows its code and possibly writes local outputs on its output tape and outgoing messages on its outgoing communication tape. Once the activation of the party is complete, the environment is activated. The protocol exe-

Footnote 2: In the bare model we do not make any restrictions on the delivered messages. In particular, they need not be related to any of the messages generated by the parties.
Lecture 23: Zero-Knowledge Proof Techniques, Courseware (1)

1.2 Interactive proof systems and zero-knowledge protocols (continued)
Remarks.
(1) The zero-knowledge property means that a prover executing the protocol (even when interacting with a malicious verifier) reveals no information (i.e. nothing about its secret knowledge beyond the fact that the specific claim is correct) that could not be computed in polynomial time from public information alone. Therefore participants do not increase the chance that a later impersonation attempt succeeds.
2 The Fiat-Shamir identification protocol
Protocol 1: The Fiat-Shamir identification protocol
Summary: the prover A proves to the verifier B that it knows the secret s by executing a 3-round protocol t times.
(1) One-time setup.
(1.1) A trusted centre T chooses and publishes an RSA-type modulus $n = pq$, but keeps the primes p and q secret.
(1.2) Each claimant A chooses a secret s coprime to n with $1 \le s \le n-1$, computes $v = s^2 \pmod n$, and registers v with T as its public key.
(2) Protocol execution. The following steps are repeated t times (sequentially and independently). If all t rounds complete successfully, B accepts the proof that A knows the secret s.
How can this situation be avoided? In many cases one has to present a secret or a password that identifies oneself in order to complete a transaction. Anyone who obtains this secret, together with some (almost public) identity information, can then impersonate that person. The problem to solve is therefore to use a secret without leaving the attacker any reusable information in the process. This is what gave rise to zero-knowledge proof techniques.
Outline of this lecture
Overview of zero-knowledge proof concepts
The Fiat-Shamir identification protocol
The Feige-Fiat-Shamir identification protocol
The GQ identification protocol
The Schnorr identification protocol
2 The Fiat-Shamir identification protocol (continued)
Remarks (continued).
(2) The answer $y = r$ is independent of A's secret s, and the answer $y = rs \pmod n$ likewise gives no information about s, because B does not know the random number r. The information pair (x, y) produced by A can be simulated perfectly well by the verifier B itself: choose y at random and define $x = y^2 \pmod n$ or $x = y^2 / v \pmod n$. Although this is not the way A builds the pair, the probability distribution of (x, y) is in fact indistinguishable from that of the pairs A produces; this is the zero-knowledge property. Even though the proof process can be simulated in this way, B cannot impersonate A, because B cannot predict the challenge that is chosen in real time.
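The round structure and the simulation argument above, worked through in code. This is an added example and not part of the lecture slides: it implements the standard Fiat-Shamir round (A sends $x = r^2 \bmod n$, B replies with a challenge bit e, A answers $y = r s^e \bmod n$, B checks $y^2 \equiv x v^e$), the simulator from remark (2) that produces accepting (x, y) pairs without knowing s, and a cheating prover that prepares a simulated pair for a guessed challenge and is caught whenever the guess is wrong. The modulus is a tiny constructed toy value so that the code runs instantly; a real deployment uses a large RSA-type modulus whose factors only T knows.

```python
"""Fiat-Shamir identification (Protocol 1) with the simulator of remark (2).
Added illustration; the modulus below is a constructed toy value."""
import secrets
from math import gcd

# Constructed toy modulus n = p*q. In practice p, q are large secret primes
# chosen by the trusted centre T (setup step 1.1); only n is published.
P, Q = 1009, 1013
N = P * Q


def keygen(n):
    """Setup step 1.2: the claimant picks a secret s coprime to n,
    1 <= s <= n-1, and registers v = s^2 mod n as its public key."""
    while True:
        s = secrets.randbelow(n - 1) + 1
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)


def prover_commit(n):
    """Round step 1: A chooses a random r and sends x = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)


def prover_respond(r, s, e, n):
    """Round step 3: A answers y = r * s^e mod n for challenge bit e.
    For e = 0 the answer is r alone (independent of s); for e = 1 it is r*s,
    which leaks nothing about s because B does not know r."""
    return (r * pow(s, e, n)) % n


def verifier_check(x, e, y, v, n):
    """Round step 4: B accepts iff y != 0 and y^2 = x * v^e (mod n)."""
    return y != 0 and pow(y, 2, n) == (x * pow(v, e, n)) % n


def run_protocol(s, v, n, t=20):
    """t sequential rounds with fresh random challenges; True iff all accept."""
    for _ in range(t):
        r, x = prover_commit(n)
        e = secrets.randbelow(2)          # B's challenge, chosen in real time
        y = prover_respond(r, s, e, n)
        if not verifier_check(x, e, y, v, n):
            return False
    return True


def simulate_round(e, v, n):
    """Remark (2): B alone produces an accepting (x, y) for a chosen challenge
    e by picking y first and setting x = y^2 / v^e mod n. No secret is used;
    the pair has the same distribution as an honest transcript. Needs
    gcd(v, n) = 1, which holds because s was chosen coprime to n."""
    y = secrets.randbelow(n - 1) + 1
    x = (pow(y, 2, n) * pow(pow(v, e, n), -1, n)) % n
    return x, y


def cheating_prover_round(e_guess, actual_e, v, n):
    """A cheater who guesses the challenge prepares a simulated pair; it passes
    only if the guess matches B's real challenge, i.e. with probability 1/2
    per round, hence 2^-t over t rounds."""
    x, y = simulate_round(e_guess, v, n)
    return verifier_check(x, actual_e, y, v, n)
```

`run_protocol` repeats the round t times exactly as step (2) prescribes; the simulator output and the honest transcripts are identically distributed, which is the content of the zero-knowledge remark, while `cheating_prover_round` shows why simulatability does not let B impersonate A.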
Secure and efficient two-party ECDSA signature scheme

Journal on Communications, Vol. 42, No. 2, February 2021

Secure and efficient two-party ECDSA signature scheme

WANG Jing1, WU Libing1,2, LUO Min2, HE Debiao2
1. School of Computer Science, Wuhan University, Wuhan 430070, China
2. School of Cyber Science and Engineering, Wuhan University, Wuhan 430070, China

Abstract: To address the easy disclosure of the signing private key and the excessive concentration of signing rights, a secure and efficient two-party ECDSA signature scheme is proposed for blockchain-based network trading systems. By pre-computing one-time-pad Beaver triples and then using Beaver-triple-based secure two-party multiplication, the computationally heavy homomorphic encryption operations and the oblivious transfer operations with large communication overhead are avoided, giving an efficient two-party ECDSA signing in which the two signing parties output a valid ECDSA signature without ever reconstructing the complete signing private key. The scheme is proved secure in the hybrid model of the universally composable framework. Theoretical analysis and experimental results show that, compared with the two existing two-party ECDSA signature schemes, the proposed scheme has clear advantages in both signing efficiency and bandwidth requirements.

Keywords: private key leakage, key protection, signing efficiency, two-party signature
CLC number: TP309; Document code: A; DOI: 10.11959/j.issn.1000-436x.2021019
Received: 2020-09-02; revised: 2020-12-05. Corresponding author: WU Libing, **************
Foundation items: The National Natural Science Foundation of China (No. 61932016, No. 61972294, No. 61772377, No. 61672257, No. 91746206), The Natural Science Foundation of Hubei Province (No. 2017CFA007), The Science and Technology Planning Project of Shenzhen (No. JCYJ20170818112550194)

1 Introduction

The elliptic curve digital signature algorithm (ECDSA) combines elliptic curve cryptography (ECC) with the digital signature algorithm (DSA). It became an American National Standards Institute (ANSI) standard in 1999, and an Institute of Electrical and Electronics Engineers (IEEE) and National Institute of Standards and Technology (NIST) standard in 2000 [1].
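Only the abstract of this paper is reproduced on the page, so its signing protocol itself is not available here. The building block the abstract relies on, secure two-party multiplication of additively shared values from a precomputed one-time Beaver triple, is standard, and the following added example (not the paper's code) shows that block on its own over Z_q with q the order of secp256k1, the curve used by many blockchain systems. The trusted dealer that hands out the triple is an assumption of this example standing in for whatever precomputation the paper uses; in a two-party ECDSA the shared values would typically be shares of the signing nonce and of the private key, neither of which either party ever holds in the clear. The example also enforces the one-time property: reusing a triple makes the published masks leak the difference of the two multiplicands.

```python
"""Beaver-triple multiplication of additively shared values over Z_q.
Added example of the generic building block; not the paper's scheme."""
import secrets

# Constructed modulus: the group order of secp256k1. Any prime q works.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def share(x, q=Q):
    """Additive 2-of-2 sharing: x = x1 + x2 mod q; each share alone is uniform."""
    x1 = secrets.randbelow(q)
    return x1, (x - x1) % q


def reconstruct(x1, x2, q=Q):
    return (x1 + x2) % q


def dealer_triple(q=Q):
    """Precomputation (assumed trusted dealer): random a, b and c = a*b,
    all handed out as shares. Each triple is a one-time pad for one product."""
    a, b = secrets.randbelow(q), secrets.randbelow(q)
    c = (a * b) % q
    return share(a, q), share(b, q), share(c, q)


class Party:
    def __init__(self, idx, a_i, b_i, c_i, q=Q):
        self.idx, self.q = idx, q
        self.a_i, self.b_i, self.c_i = a_i, b_i, c_i
        self.used = False

    def open_masks(self, x_i, y_i):
        """Step 1: publish d_i = x_i - a_i and e_i = y_i - b_i. Because a and b
        are uniform and used once, d = x - a and e = y - b reveal nothing."""
        if self.used:
            raise RuntimeError("Beaver triple reused: masks would leak x - x'")
        self.used = True
        return (x_i - self.a_i) % self.q, (y_i - self.b_i) % self.q

    def product_share(self, d, e):
        """Step 2: with public d = x - a and e = y - b,
        x*y = c + d*b + e*a + d*e. Only party 1 adds the public term d*e,
        so the two outputs are additive shares of x*y."""
        z_i = (self.c_i + d * self.b_i + e * self.a_i) % self.q
        if self.idx == 1:
            z_i = (z_i + d * e) % self.q
        return z_i


def two_party_multiply(x, y, q=Q):
    """Full exchange: shares of x and y in, shares of x*y out. Neither party
    ever sees x, y or x*y; the only messages are the masked values d_i, e_i."""
    (a1, a2), (b1, b2), (c1, c2) = dealer_triple(q)
    p1 = Party(1, a1, b1, c1, q)
    p2 = Party(2, a2, b2, c2, q)
    x1, x2 = share(x, q)
    y1, y2 = share(y, q)
    d1, e1 = p1.open_masks(x1, y1)        # message P1 -> P2
    d2, e2 = p2.open_masks(x2, y2)        # message P2 -> P1
    d, e = (d1 + d2) % q, (e1 + e2) % q   # both sides now hold the same d, e
    return p1.product_share(d, e), p2.product_share(d, e)
```

The exchange costs one round of two field elements per party and no public-key operation, which is the efficiency argument the abstract makes against homomorphic-encryption and oblivious-transfer based multiplications; the price is the offline triple, which must be fresh for every multiplication.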
Universally Composable Zero-Knowledge Arguments and Commitments from Signature Cards

Dennis Hofheinz, Jörn Müller-Quade and Dominique Unruh
IAKS, Arbeitsgruppe Systemsicherheit, Fakultät für Informatik, Universität Karlsruhe, Germany. E-Mail: {hofheinz,muellerq,unruh}@a.de.

1 Introduction and Related Work

The framework of universal composability (UC) allows the modular design of cryptographic protocols. A cryptographic application may be constructed from ideal functionalities which are secure by assumption. These ideal functionalities may later be replaced by real protocols which securely implement the ideal functionalities in question [Can01]. However, universal composability is a very strict notion of security, and the cryptographic tasks of zero-knowledge arguments as well as bit commitment schemes cannot be built from scratch in such a framework [CF01, CKL03]. To implement these tasks, additional "helping" functionalities are needed. One functionality proposed for implementing zero-knowledge protocols and bit commitment is a publicly known random string [CF01, DN02], a so-called common reference string (CRS). Drawbacks of the CRS approach [Pas03, BCNP04, HMQ04] led to protocols using different "helping" functionalities, namely random oracles [HMQ04], a public key infrastructure (PKI), or a key registration authority [BCNP04].

However, all these helping functionalities have to be specially designed as a "helping" functionality and cannot directly serve any other purpose without endangering universal composability. There exist protocols which can individually be implemented with a CRS, but which cannot together be implemented with one single CRS. A PKI set up to allow bit commitments can in general not be used as a PKI by other applications.

In this work, we introduce the concept of catalysts. Informally, a functionality C is a catalyst for a functionality F if F can be implemented given the primitive C and the functionality C can still directly be used by other applications. There is a difference between a
catalyst and a reusable CRS [CF01] or a protocol to stretch one CRS into multiple independent CRSs [CR03]. A catalyst C for F can be used to implement F while still allowing arbitrary other applications to access that same instance of C without any additional precautions.

In this work we prove that catalysts exist for zero-knowledge and bit commitment (and, following [CLOS02], for all well-formed functionalities). And, what is more, we show that a signature card which is in accordance with the German signature law [Sig01] can be used as such a catalyst. This is of practical importance, as an infrastructure of signature cards is about to be set up in several nations of the EU. Our work proves that this infrastructure can be used to securely implement additional applications without negative side effects.

2 Signature Cards

A signature card is a tamperproof device which can be used to digitally sign documents with an existentially unforgeable signature scheme and which ensures that the secret key cannot be extracted from the card. These properties are demanded, e.g., by the German signature law [Sig01].

The signature cards are issued by a registration authority which also keeps a register of the signature verification keys associated to the protocol participants. Therefore the ideal functionality F^S_SigCard representing signature cards and the registration authority can be queried for the public keys of protocol participants. Furthermore, we assume that a signature card can be used by only one application (subparty) at a time. In the functionality F^S_SigCard this is ensured by commands to change the possession.

For a given signature scheme S with a key generation algorithm, a signing algorithm and a signature verification algorithm, the functionality F^S_SigCard is specified as follows:

Functionality F^S_SigCard
For a signature scheme S, F^S_SigCard proceeds as follows, running with parties P_1, ..., P_n and an adversary S.
Initialisation: For each party P_i, generate a public-/secret-key pair (pk_i, sk_i) and set
possessor_i := ⊥.
Get public key: When receiving a message (getkey, sid, j) from some subparty P, send the public key pk_j to P. Before delivering the key, ask the adversary (non-immediate delivery).
Signature Generation: Upon receiving a message (sign, sid, m) from some subparty P of P_i, if P = possessor_i, generate a signature σ using sk_i, store the tuple (i, m, σ), and send (signature, sid, m, σ) to P_i.
Signature Verification: Upon receiving a message (verify, sid, P_i, m, σ) from P_j do: if a tuple (i, m, σ) is stored, set f = 1, else set f = 0. Then, if the public key of P_i was already delivered to P_j in some prior "Get public key" step, send (verified, sid, m, f) to P_j.
Possession: Upon receiving a message (seize, sid) from subparty P (where P is a subparty of P_i or P = S), if possessor_i = ⊥, set possessor_i := P and send (seized, sid) to subparty P. Otherwise send (occupied, sid) to subparty P.
Dispossession: Upon receiving a message (release, sid) from subparty P (where P is a subparty of P_i or P = S), if possessor_i = P, set possessor_i := ⊥.
Fig. 1. The signature functionality F^S_SigCard

3 Zero-Knowledge Arguments based on Signature Cards

Functionality F_ZK
F_ZK proceeds as follows, running with a prover P, a verifier V and an adversary S.
– Upon receipt of an input (prove, sid, p, w) with p(w) = true from party P, send (prove, sid, |p|) to S. As soon as S allows the delivery, send (proven, sid, p) to V. (Only the first prove-request is heeded; subsequent ones are ignored.)
Fig. 2. The zero-knowledge proof functionality F_ZK

In this abstract we will only sketch the protocol SC-ZK for F_ZK.
– All communication is done through a secure channel that only leaks the length of the messages.
– The environment may access the functionality F^S_SigCard through other subparties than the prover and verifier subparty.
– When receiving an input (prove, sid, p, w), where p is a predicate such that p(w) is true, the prover P sends p to the verifier V.
– The verifier V seizes its signature card. If it cannot seize the card, it terminates.
– The verifier generates a random nonce N of k bits length (where k is the
security parameter). This nonce is sent via a secure channel to the prover P.
– The prover P requests the public keys pk_V and pk_P of V and P from F^S_SigCard. Then it seizes its signature card, signs w, and releases its signature card. Then it proves to the verifier that there exists a triple (w, s_w, s_N) such that $(\mathrm{verify}_{pk_P}(1^k, s_w, w) \wedge p(w)) \vee \mathrm{verify}_{pk_V}(1^k, s_N, N)$, using a witness-indistinguishable argument of knowledge (WIAOK).
– If the verifier accepts the argument of knowledge, it terminates with output (proven, sid, p). Additionally, it releases its signature card in any case.

We further require that the length of the messages transmitted during the WIAOK only depends on the length of the predicate p. Given any WIAOK, this can easily be achieved by padding the messages. Possible variants of this protocol might include the use of timeouts, so that an unresponsive prover does not lead to an eternally locked card of the verifier. Or several proofs could be done in parallel, sharing one locked signature card.

Theorem 1 (Security of SC-ZK, informal statement). If S is an existentially unforgeable signature scheme, protocol SC-ZK using the functionality F^S_SigCard securely implements the functionalities F_ZK and F^S_SigCard with respect to static adversaries. Here F^S_SigCard is used as a catalyst.

The basic idea of the proof is as follows. If the verifier is corrupted, the simulator has to generate a realistic proof knowing only the predicate. However, the simulator has access to the corrupted verifier's signature card, so it can generate a valid verifier signature s_N for N and thus prove $(\mathrm{verify}_{pk_P}(1^k, s_w, w) \wedge p(w)) \vee \mathrm{verify}_{pk_V}(1^k, s_N, N)$ for arbitrary w and s_w. If the prover is corrupted, the simulator has to extract a valid witness for p. Note that P cannot possibly learn a valid verifier signature s_N for N before the end of the WIAOK (since the verifier's signature card is possessed by the verifier between the generation of N and the end of the proof). So it must know a witness w with p(w) and a signature s_w for w. Since it can only learn such an s_w by using the signature card, and the simulator learns all accesses by corrupted parties to the signature card, the simulator also learns w.
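A model of F^S_SigCard from Fig. 1 together with the two facts the proof idea rests on, as an added example that is not part of the paper: while the verifier possesses its card, nobody else can obtain a verifier signature on N (seize answers occupied and sign by a non-possessor is refused), and every signature a corrupted prover obtains on w passes through the card, where the simulator can read it. The concrete signature scheme S is left abstract; σ is computed with HMAC-SHA256 under sk_i purely as a stand-in (an assumption of this example), which does not change the functionality's behaviour because Signature Verification consults only the stored tuples. The WIAOK itself is not modelled, and the non-immediate delivery of keys is collapsed to immediate delivery.

```python
"""Model of the ideal functionality F_SigCard (Fig. 1) and of the SC-ZK
card usage pattern. Added example; the signature scheme S is a stand-in."""
import hashlib
import hmac
import secrets


class FSigCard:
    def __init__(self, parties):
        # Initialisation: one key pair per party P_i and possessor_i := None
        self.sk = {p: secrets.token_bytes(32) for p in parties}
        self.pk = {p: hashlib.sha256(self.sk[p]).hexdigest() for p in parties}
        self.possessor = {p: None for p in parties}
        self.stored = set()        # tuples (i, m, sigma) produced by the cards
        self.delivered = set()     # (requester, i): pk_i was handed to requester
        self.log = []              # every signing access; the simulator reads it

    def getkey(self, requester, i):
        """Get public key (delivery to the requester is immediate here)."""
        self.delivered.add((requester, i))
        return self.pk[i]

    def seize(self, subparty, i):
        """Possession: a card can be held by one subparty at a time."""
        if self.possessor[i] is None:
            self.possessor[i] = subparty
            return "seized"
        return "occupied"

    def release(self, subparty, i):
        """Dispossession: only the current possessor can give the card back."""
        if self.possessor[i] == subparty:
            self.possessor[i] = None

    def sign(self, subparty, i, m):
        """Signature Generation: refused unless subparty possesses card i.
        HMAC under sk_i stands in for S's signing algorithm (assumption)."""
        if self.possessor[i] != subparty:
            return None
        sigma = hmac.new(self.sk[i], m, hashlib.sha256).hexdigest()
        self.stored.add((i, m, sigma))
        self.log.append((subparty, i, m))
        return sigma

    def verify(self, requester, i, m, sigma):
        """Signature Verification: f = 1 iff (i, m, sigma) was stored, and the
        answer is only delivered once requester has fetched pk_i."""
        if (requester, i) not in self.delivered:
            return None
        return 1 if (i, m, sigma) in self.stored else 0


def prover_step(F, witness):
    """SC-ZK prover: fetch pk_V and pk_P, seize own card, sign w, release."""
    F.getkey("P", "V")
    F.getkey("P", "P")
    if F.seize("P", "P") != "seized":
        return None
    s_w = F.sign("P", "P", witness)
    F.release("P", "P")
    return s_w


def run_sc_zk_skeleton(F, witness):
    """The verifier holds its card from the generation of N until the end of
    the argument. Returns the prover's signature on w, the answer a (corrupted)
    prover gets when trying to seize the verifier's card, and the result of
    trying to sign N with that card while V holds it."""
    if F.seize("V", "V") != "seized":
        return None, None, None
    N = secrets.token_bytes(16)           # V's nonce, sent to P over the secure channel
    s_w = prover_step(F, witness)
    cheat_seize = F.seize("P", "V")        # "occupied": V still holds its card
    forged_s_N = F.sign("P", "V", N)       # None: P is not the possessor
    F.release("V", "V")
    return s_w, cheat_seize, forged_s_N


def simulator_extract(F, corrupted="P"):
    """Proof idea: the simulator sees every card access of a corrupted party,
    so the witness a corrupted prover had to sign is in the log."""
    return [m for (sub, i, m) in F.log if sub == corrupted]
```

The order of operations in `run_sc_zk_skeleton` is the whole point of the protocol: because V seizes its card before choosing N and releases it only after the argument, a signature s_N under pk_V cannot exist during the proof, so the OR in the WIAOK statement is only satisfiable via a real witness that went through P's card.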
4 Commitments based on Signature Cards

We sketch the protocol SC-COM-ZK for commitments. To ensure extractability, a technique introduced in [HMQ04] is used.

Functionality F_COM
F_COM proceeds as follows, running with a sender S, a receiver R and an adversary S.
1. Upon receiving an input (commit, sid, m) from sender S, send the value (receipt, sid) to the adversary. As soon as the adversary permits, send (receipt, sid) to R.
2. Upon receiving an input (unveil, sid) from S, send (unveil, sid) to the adversary. As soon as the adversary permits, send (unveil, sid, m) to the receiver.
All but the first commit and unveil messages are ignored.
Fig. 3. The commitment functionality F_COM

Commit phase:
– All communication is done through a secure channel that only leaks the length of the messages.
– The environment may access the functionality F^S_SigCard through other subparties than the sender and receiver subparty.
– Upon input (commit, sid, m) the sender S sends a message (start, sid) to the receiver R.
– The receiver R generates a random nonce N of k bits length (where k is the security parameter). This nonce is sent via a secure channel to the sender S.
– The sender S generates a signature σ_m for (N, m) and commits to (N, m, σ_m) using randomness r, and generates a signature σ_r for (N, r) and commits to (N, r, σ_r) using randomness r' (thereby temporarily seizing the signature card to that extent, and terminating if that is not possible).
– The receiver outputs (receipt, sid).

Unveil phase:
– Upon input (unveil, sid), the sender sends m to the receiver, and then using F_ZK proves: there exist r, r', σ_m and σ_r such that $\mathrm{verify}_{pk_S}(1^k, \sigma_m, (N, m))$ and $\mathrm{verify}_{pk_S}(1^k, \sigma_r, (N, r))$ evaluate to true, and committing to (N, m, σ_m) and (N, r, σ_r) using randomness r and r', respectively, yields the two commitments sent in the commit phase.
– When the receiver gets the information from F_ZK that the statement from the preceding step is true, it outputs (unveil, sid, m).

Similar to the case of F_ZK, we
require that the length of all messages depends only on the length, but not on the content, of m, which can be enforced by a suitable padding. The same variations (timeouts, parallel executions) as in the case of SC-ZK are possible here, too.

Theorem 2 (Security of SC-COM-ZK using F_ZK, informal statement). If S is an existentially unforgeable signature scheme, protocol SC-COM-ZK using the functionalities F^S_SigCard and F_ZK securely implements the functionalities F_COM and F^S_SigCard with respect to static adversaries. Here F^S_SigCard is used as a catalyst.

Proof idea: If the receiver is corrupted, the simulator only has to generate commitments to random data (of appropriate length) in the commit phase. In the unveil phase, since we use F_ZK, no actual proof is received by the receiver, so the simulator does not have to fake a proof. If the sender is corrupted, the simulator must extract the message m. But since the sender has to sign both (N, m) and (N, r), where r is the randomness used for the first commitment, using the card during the commit phase, these are learned by the simulator. Therefore the simulator knows candidates for (N, m, σ_m) and r and can check which of them opens the first commitment, thus finally learning m.

Now we can replace all calls to F_ZK in SC-COM-ZK by SC-ZK, getting a protocol SC-COM.
Using the composition theorem and Theorem 1 we get

Corollary 1 (Security of SC-COM, informal statement). If S is an existentially unforgeable signature scheme, protocol SC-COM using the functionality F^S_SigCard securely implements the functionalities F_COM and F^S_SigCard with respect to static adversaries. Here F^S_SigCard is used as a catalyst.

4.1 On the functionalities F_ZK and F_COM

The functionalities F_ZK and F_COM differ from those given in [Can01]. This has several reasons. First, for simpler presentation, we have restricted ourselves to the case where sender and recipient (resp. prover and verifier) are fixed. Further, we consider secret functionalities, i.e., the adversary does not learn the unveiled commitment or the predicate, respectively. Further, due to changes in the scheduling in the current version of [Can05], the adversary is explicitly asked when to deliver; in [Can01] this was implicitly ensured by the scheduling. Finally, the more complex definition of F_COM used in [HMQ04] is not necessary here, since we only consider static corruption.

5 Non-Transferability

Cryptographic mechanisms can themselves lead to a certain type of insecurity. For example, a signed message m sent from a party A to another party B can also convince a third party C of the fact that A signed m. This is undesirable when B is the only one that A wants to send m to. (Imagine m = "Yes, my dear friend B, I really fancy C's wife." If B gets angry with A now, he may blackmail A with A's signature on m.) Therefore, it is sometimes preferable to have zero-knowledge proofs and commitments which cannot be transferred together with a proof. An additional advantage of the protocols proposed in this work over protocols based on a public CRS is this property of non-transferability. For the protocols proposed here it is possible, even in the real model, to generate fake zero-knowledge arguments or fake commitments which look valid to any third party. This allows a party to deny having generated a zero-knowledge proof or a commitment. Hence the
real protocol generates no evidence which could be used against an uncorrupted initiator of a zero-knowledge argument or a commitment.

Theorem 3 (informal statement). Protocol SC-ZK (which implements F_ZK) and protocol SC-COM (which implements F_COM) are non-transferable.

References

BCNP04. Boaz Barak, Ran Canetti, Jesper Buus Nielsen, and Rafael Pass. Universally composable protocols with relaxed set-up assumptions. In 45th Symposium on Foundations of Computer Science (FOCS 2004), 17-19 October 2004, Rome, Italy, Proceedings, pages 186-195, 2004.
Can01. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd Annual Symposium on Foundations of Computer Science, Proceedings of FOCS 2001, pages 136-145. IEEE Computer Society, 2001. Full version online available at http://www.eccc.uni-trier.de/eccc-reports/2001/TR01-016/revisn01.ps.
Can05. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. IACR ePrint Archive, January 2005. Online available at /2000/067.ps.
CF01. Ran Canetti and Marc Fischlin. Universally composable commitments. In Joe Kilian, editor, Advances in Cryptology, Proceedings of CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 19-40. Springer-Verlag, 2001. Full version online available at http:///2001/055.ps.
CKL03. Ran Canetti, Eyal Kushilevitz, and Yehuda Lindell. On the limitations of universally composable two-party computation without set-up assumptions. In Eli Biham, editor, Advances in Cryptology, Proceedings of EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 68-86. Springer-Verlag, 2003. Full version online available at /2004/116.ps.
CLOS02. Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multi-party secure computation. In 34th Annual ACM Symposium on Theory of Computing, Proceedings of STOC 2002, pages 494-503. ACM Press, 2002. Extended abstract, full version online available at /2002/140.ps.
CR03. Ran Canetti and Tal Rabin. Universal composition with joint state. In Dan
Boneh, editor, Advances in Cryptology, Proceedings of CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 265-281. Springer-Verlag, 2003. Full version online available at /2002/047.ps.
DN02. Ivan Damgård and Jesper Buus Nielsen. Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In Moti Yung, editor, Advances in Cryptology, Proceedings of CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 581-596. Springer-Verlag, 2002. Full version online available at /2001/091.
HMQ04. Dennis Hofheinz and Jörn Müller-Quade. Universally composable commitments using random oracles. In Moni Naor, editor, Theory of Cryptography, Proceedings of TCC 2004, number 2951 in Lecture Notes in Computer Science, pages 58-76. Springer-Verlag, 2004.
Pas03. Rafael Pass. On deniability in the common reference string and random oracle model. In Dan Boneh, editor, Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, volume 2729 of Lecture Notes in Computer Science, pages 316-337. Springer, 2003.
Sig01. Gesetz über Rahmenbedingungen für elektronische Signaturen. Bundesgesetzblatt I 2001, 876, May 2001. Online available at http://bundesrecht.juris.de/bundesrecht/sigg_2001/inhalt.html.