Non-interactive and Reusable Non-malleable Commitments
Ivan Damgård, BRICS, Aarhus University
Jens Groth, Cryptomathic A/S
Commitments
Common reference string (CRS) or public key (pk).
Diagram: Alice computes (c,d) = commit_pk(m;r) and sends the commitment c to Bob; later she sends the opening d, and Bob recovers m = decommit_pk(c,d).
Binding: Alice cannot change the message in c.
Hiding: Bob cannot guess the message in c.
Non-malleability
Pedersen commitment: pk = (g,h)
c = g^r h^m
c´ = c·h
d = (m,r)
d´ = (m+1,r)
Diagram: the sender M commits to m with c; the adversary A, sitting between M and the receiver, outputs c´ and, after seeing the opening d, outputs d´, so the receiver obtains a message m´ related to m (here m+1). A distinguisher D judges the relation between m and m´.
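The Pedersen malleation sketched above, worked through as an added example that is not from the slides: a toy prime-order subgroup with constructed parameters, the honest commit/decommit, and the c´ = c·h, d´ = (m+1,r) step, which opens correctly even though the scheme is binding and hiding.

```python
# Added example (not from the slides): Pedersen commitment in the order-Q
# subgroup of Z_P^*, P = 2Q+1, and the c' = c*h malleation from the slide.
# Constructed toy parameters: far too small for real use, chosen so the
# algebra is easy to follow by hand.
import secrets

P = 1019  # safe prime: P = 2*Q + 1
Q = 509   # prime order of the quadratic-residue subgroup
G = 4     # 2^2 is a quadratic residue, hence of order Q
H = 9     # 3^2, second generator; log_G(H) is assumed unknown to everyone

def commit(m, r=None):
    """(c, d) = commit_pk(m; r) with c = g^r h^m mod p and d = (m, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    c = pow(G, r, P) * pow(H, m % Q, P) % P
    return c, (m % Q, r)

def decommit(c, d):
    """m = decommit_pk(c, d): return m if d opens c, otherwise None."""
    m, r = d
    if pow(G, r, P) * pow(H, m % Q, P) % P != c:
        return None
    return m

def malleate_commitment(c):
    """Adversary step 1: c' = c*h = g^r h^(m+1), computed without knowing m or r."""
    return c * H % P

def malleate_opening(d):
    """Adversary step 2: once d = (m, r) is revealed, d' = (m+1, r) opens c'."""
    m, r = d
    return ((m + 1) % Q, r)

def demo(m=42):
    """Return (message from the honest opening, message from the mauled opening)."""
    c, d = commit(m)
    c2, d2 = malleate_commitment(c), malleate_opening(d)
    return decommit(c, d), decommit(c2, d2)  # (42, 43): m' = m + 1 is related to m

if __name__ == "__main__":
    print(demo())
```

Binding only says the adversary cannot reopen c itself; it says nothing about building a fresh c´ whose opening it learns for free from d, which is exactly the gap non-malleability closes.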
Reusable Non-malleability
Diagram: the adversary A receives t commitments c1,...,ct to messages m1,...,mt, outputs u commitments c1´,...,cu´, then receives the openings d1,...,dt and outputs openings d1´,...,du´ to messages m1´,...,mu´. A simulator S, given only t and not the commitments, must output messages m1´,...,mu´ whose relation to m1,...,mt is indistinguishable from the adversary's.
(t>1,1)-security is stronger than (1,1)-security.
(1,u>1)-security is stronger than (1,1)-security.
Known Schemes
• Dolev, Dwork, Naor: interactive, 1-way functions, not practical
• Di Crescenzo, Ishai, Ostrovsky: non-interactive, 1-way functions, not practical
• Fischlin, Fischlin: interactive, Dlog/RSA, practical
• Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way functions, practical
• Garay, MacKenzie, Yang: non-interactive, DSA, practical
UC protocols are intuitively like having a trusted third party.
• Canetti, Fischlin: non-interactive, claw-free permutations, not practical
• Damgård, Nielsen: interactive, decisional composite residuosity, practical
• Canetti, Lindell, Ostrovsky, Sahai: non-interactive, trapdoor permutations, not practical
Our Results
Non-interactive, reusable, trapdoor commitments
• 1-way functions – not practical
• Strong RSA – very efficient
Unconditional binding or hiding on minimal assumptions
Common reference string (CRS) UC commitment (interactive or not) implies Secret Key Agreement
Uniform reference string UC commitment implies Oblivious Transfer
Application: Shorter CRS in Damgård-Nielsen UC commitment
Sigma-protocols
Diagram: for x ∈ L, the Prover sends a, the Verifier sends a challenge m, the Prover answers z, and the Verifier accepts iff verify(x,a,m,z) = 1.
Special soundness: from valid (a,m,z) and (a,m´,z´) with m ≠ m´ a witness w can be extracted.
Special honest verifier ZK: (a,m,z) ← Sim(x,m).
Signatures
Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (we only need security against known message attack).
(vk,sk) ← SignatureKeyGenerator
Place vk on the CRS.
To commit, simulate (a,m,z) ← Sim((vk, ), m), a proof of knowledge of a signature on .
Commitment: c = a
Decommitment: d = (m,z)
Commitment Scheme
CRS: vk for signatures, pk for an unconditionally hiding honest-sender commitment, hash a UOWHF.
• (c,d) = HScommit_pk(ak)
•  = hash(c)
• (a,m,z) = Sim((vk, ), m)
• mac = MAC_ak(a)
C = (c,a,mac)
D = (d,m,z)
Sketch of Security Proof
Trapdoor commitment scheme: if we know the signature key sk we may open commitments as anything, since we can answer any challenge m.
Essence of Lemma 5 (flaw found by Phil MacKenzie):
Diagram: the adversary A is given c1,...,ct, then openings d1,...,dt to m1,...,mt (the dots indicate several such rounds), and outputs c1´,...,cu´ with openings d1´,...,du´ to m1´,...,mu´.
Sketch of Security Proof II
Diagram: the simulator S, given t, runs a simulated sender M that produces c1,...,ct and (via the trapdoor) openings d1,...,dt to m1,...,mt, and a simulated adversary A that produces c1´,...,cu´ and openings d1´,...,du´ (the dots indicate several such rounds); S outputs m1´,...,mu´.
Open Problems
• Non-interactive NM commitment without a CRS.
• Construction that allows histories, i.e., the adversary gets both commitments and some extra information about the contents.
• UC secure Oblivious Transfer from UC commitment.