Non-interactive and Reusable Non-malleable Commitments
Ivan Damgård, BRICS, Aarhus University
Jens Groth, Cryptomathic A/S
Commitments
Setup: a common reference string (CRS) or public key (pk).
Alice → Bob: c, where (c,d) = commit_pk(m;r).
Alice → Bob, later: d, and Bob computes m = decommit_pk(c,d).
Binding: Alice cannot change the message in c.
Hiding: Bob cannot guess the message in c.
Non-malleability
Pedersen commitment: pk = (g,h), c = g^r h^m, d = (m,r).
Malleation: c´ = c·h, d´ = (m+1,r).
[Diagram: M sends c to the man-in-the-middle A, who sends c´ to D; when M later reveals d, A reveals d´, so D opens a message m´ related to m.]
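The malleation on this slide, worked through in code. This is an added example, not code from the slides or from the authors; the group parameters (a toy-sized safe prime p = 1019, q = 509, generator g = 4 of the order-q subgroup, and h = g^123) are constructed here for illustration and give no security. The point is the one the slide makes: a binding, hiding commitment can still let a third party, who learns nothing about m, turn Alice's commitment into a commitment to m+1 and later open it using Alice's own revealed randomness.

```python
"""Toy Pedersen commitment over a small prime-order group, showing the
malleation from the slide: c' = c*h opens to m+1 with the sender's own
randomness. Constructed example; parameters are toy-sized, not secure."""
import secrets

# Constructed parameters: p = 2q+1 is a safe prime, g = 4 generates the
# order-q subgroup of squares mod p, h = g^x with x = 123 chosen only to
# build h; commit/decommit never use x (a real setup keeps x unknown).
P = 1019
Q = 509
G = 4
H = pow(G, 123, P)


def commit(m, r=None):
    """(c, d) = commit_pk(m; r): c = g^r h^m mod p, opening d = (m, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    m %= Q
    c = (pow(G, r, P) * pow(H, m, P)) % P
    return c, (m, r)


def decommit(c, d):
    """Return m when d = (m, r) opens c, otherwise None (the binding check)."""
    m, r = d
    if (pow(G, r, P) * pow(H, m, P)) % P == c:
        return m
    return None


def malleate_commitment(c):
    """Man-in-the-middle step 1: c' = c*h, computed without knowing m or r."""
    return (c * H) % P


def malleate_opening(d):
    """Man-in-the-middle step 2: once d = (m, r) is revealed, (m+1, r) opens c'."""
    m, r = d
    return ((m + 1) % Q, r)


def demo(m):
    """Return (what c opens to, what c' opens to, whether Alice's d opens c')."""
    c, d = commit(m)
    c_mal = malleate_commitment(c)
    d_mal = malleate_opening(d)
    return decommit(c, d), decommit(c_mal, d_mal), decommit(c_mal, d)
```

demo(7) returns (7, 8, None): the original opens to 7, the malleated commitment opens to 8, and Alice's own opening does not open the malleated commitment, so the receiver sees a perfectly well-formed commitment to m+1. Nothing in the attack touches the hiding or binding properties, which is exactly why non-malleability has to be required separately.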
Reusable Non-malleability
[Diagram: the adversary A receives c1,...,ct and outputs c1´,...,cu´; after receiving the openings d1,...,dt (to m1,...,mt) it outputs d1´,...,du´, opening to m1´,...,mu´. A simulator S that is given only t must produce m1´,...,mu´ related to m1,...,mt in the same way as A's.]
(t >1,1)-security is stronger than (1,1)-security.
(1,u >1)-security is stronger than (1,1)-security.
Known Schemes
• Dolev, Dwork, Naor: interactive, 1-way functions, not practical
• Di Crescenzo, Ishai, Ostrovsky: non-interactive, 1-way functions, not practical
• Fischlin, Fischlin: interactive, Dlog/RSA, practical
• Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way functions, practical
• Garay, MacKenzie, Yang: non-interactive, DSA, practical
UC protocols are intuitively like having a trusted third party.
• Canetti, Fischlin: non-interactive, claw-free permutations, not practical
• Damgård, Nielsen: interactive, decisional composite residuosity, practical
• Canetti, Lindell, Ostrovsky, Sahai: non-interactive, trapdoor permutations, not practical
Our Results
• Non-interactive, reusable, trapdoor commitments
  – from 1-way functions: not practical
  – from Strong RSA: very efficient
• Unconditional binding or hiding on minimal assumptions
• Common reference string (CRS): UC commitment (interactive or not) implies secret key agreement
• Uniform reference string: UC commitment implies oblivious transfer
• Application: shorter CRS in the Damgård-Nielsen UC commitment
Sigma-protocols
Prover (knowing a witness for x ∈ L) → Verifier: a
Verifier → Prover: m (the challenge)
Prover → Verifier: z
Verifier accepts iff verify(x,a,m,z) = 1.
Special soundness: from two valid transcripts (a,m,z) and (a,m´,z´) with the same a and different challenges, a witness w can be extracted.
Special honest-verifier ZK: (a,m,z) ← Sim(x,m) produces, for any chosen challenge m, a transcript distributed like a real one.
Signatures
Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (here only security against known message attack is needed).
(vk,sk) ← SignatureKeyGenerator; place vk on the CRS.
To commit to m: simulate (a,m,z) ← Sim((vk,[·]),m), a proof of knowledge of a signature on [·] (the symbol for this value is missing from the slide text).
Commitment: c = a
Decommitment: d = (m,z)
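The two slides above (sigma-protocols, and the commitment obtained by simulating one) carried through in code. This is an added example, not code from the slides or from the authors. In place of the slides' proof of knowledge of a signature, it uses the Schnorr protocol for knowledge of a discrete logarithm as the concrete sigma-protocol, so the witness w (with x = g^w on the CRS) stands in for the signing key sk as the trapdoor; the group parameters (p = 1019, q = 509, g = 4) are constructed toy values with no security.

```python
"""Toy Schnorr sigma-protocol (proof of knowledge of w with x = g^w) and the
commitment built from its simulator, as the slides describe. Constructed
example with toy-sized parameters; not secure."""
import secrets

# Constructed group: p = 2q+1 safe prime, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def keygen():
    """Witness w and statement x = g^w. In the commitment, w plays the role of
    the trapdoor (the slides' signing key sk) and x goes on the CRS (like vk)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def prover_first(w):
    """Honest prover: a = g^k, keeping k as state."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)


def prover_respond(w, k, m):
    """Honest prover's answer to challenge m: z = k + m*w mod q."""
    return (k + m * w) % Q


def verify(x, a, m, z):
    """verify(x, a, m, z) = 1 iff g^z = a * x^m mod p."""
    return pow(G, z, P) == (a * pow(x, m % Q, P)) % P


def extract(a, m1, z1, m2, z2):
    """Special soundness: two accepting transcripts sharing a, with distinct
    challenges, give w = (z1 - z2) / (m1 - m2) mod q."""
    if (m1 - m2) % Q == 0:
        raise ValueError("challenges must differ")
    return ((z1 - z2) * pow((m1 - m2) % Q, -1, Q)) % Q


def simulate(x, m):
    """Special HVZK: Sim(x, m) picks z first and solves a = g^z * x^(-m), so a
    valid transcript with challenge m is produced without the witness."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(x, (-m) % Q, P)) % P
    return a, m, z


def commit(x, m):
    """Commitment from the simulator: c = a, d = (m, z)."""
    a, m, z = simulate(x, m)
    return a, (m, z)


def decommit(x, c, d):
    """Accept the opening iff the transcript (c, m, z) verifies."""
    m, z = d
    return m if verify(x, c, m, z) else None


def trapdoor_open(w, k, m_new):
    """Whoever knows w can open a = g^k to any message m_new, because the
    honest prover can answer any challenge: z = k + m_new * w."""
    return (m_new % Q, prover_respond(w, k, m_new))
```

Hiding follows from special HVZK: c = a is the first message of a simulated transcript, which is distributed like an honest one whatever m was chosen. Binding follows from special soundness: two openings (m,z) and (m´,z´) of the same c are two accepting transcripts with the same first message, so extract() recovers w from them, and a committer who can equivocate must know the trapdoor. trapdoor_open() shows that side of the coin: with w (or, on the slides, sk) any commitment opens to any message, which is what the simulator in the security proof relies on.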
Commitment Scheme
CRS: vk for signatures, pk for an unconditionally hiding honest-sender commitment, hash a UOWHF.
• (c,d) = HScommit_pk(ak)
• [·] = hash(c)
• (a,m,z) = Sim((vk,[·]),m)
• mac = MAC_ak(a)
C = (c,a,mac)
D = (d,m,z)
Sketch of Security Proof
Trapdoor commitment scheme: if we know the signature key sk we may open commitments as anything, since we can answer any challenge m.
Essence of Lemma 5 (flaw found by Phil MacKenzie):
[Diagram: A receives c1,...,ct and outputs c1´,...,cu´; it is then given d1,...,dt (opening to m1,...,mt) and outputs d1´,...,du´, opening to m1´,...,mu´.]
Sketch of Security Proof II
[Diagram: the simulator S, given only t, runs a simulated sender M against a simulated A: M commits c1,...,ct, A answers c1´,...,cu´, the openings d1,...,dt to m1,...,mt are produced, and A's d1´,...,du´ yield m1´,...,mu´.]
Open Problems
• Non-interactive NM commitment without a CRS.
• Construction that allows histories, i.e., the adversary gets both commitments and some extra information about the contents.
• UC secure oblivious transfer from UC commitment.