Fully Simulatable Multiparty Computation

We introduce and realize the notion of fully simulatable multiparty computation. Unlike any of the previous models, our notion simultaneously enjoys the following features: • Main feature: The simulator does not have any extra power over the “real-life” adversary. In particular, it cannot program any public parameters or run in super-polynomial time. Thus, our implementation is fully deniable for tasks such as authentication and zero-knowledge (unlike the previous solutions in the common reference string model). • Universal composability (in particular, straight-line simulation). • No PKI (although there exists one “non-programmable” public key; see below). • Adaptive security. We remark that it might seem impossible to realize all (or even the main) of the above features, even for relatively simple tasks such as zero-knowledge [10]. The way we overcome this apparent contradiction is by introducing a polynomial-time, fully off-line trusted party T to our model. T publishes a single certified public key pk and never has to participate again in any of the protocols. However, any party P has an option of contacting T and requesting an identity-based secret key skP . We stress, though, that no honest party actually needs to (and correspondingly will not) contact T , while the security will hold even against corrupted parties who do contact T . We believe that the addition of fully off-line T is a minimal and very realistic way to overcome the impossibility results in the “standard” model. Additionally, the introduction of T could naturally support other desirable properties impossible in the standard model (such as optimistic fairness with faulty majority). The main building block of our construction is the notion of identity-based chameleon hash functions [1]. We give an elegant, generic construction of such hash functions from any signature scheme possessing a certain Σ-protocol. By showing several efficient implementations of such protocols, we give the first constructions of identity-based chameleon hash functions without random oracles, which is of independent interest.