Instance-Dependent Commitment and Its Non-Malleability∗

Chinese Journal of Electronics, Vol.22, No.1, Jan. 2013

JING Wenpan, XU Haixia and LI Bao
(Graduate University of Chinese Academy of Sciences, Beijing 100049, China)
Abstract — In this paper, we define a new security property called “instance-non-malleability” for the instance-dependent commitment (IDC). Our definition can be consistent with the definition of non-malleability for zero-knowledge proofs, which was not the case for previous definitions of non-malleability for commitments. Our definition of instance-non-malleable instance-dependent commitment requires the non-malleability of the instances as well as of the committed messages. We also present a DDH-based IDC scheme that satisfies previous definitions of non-malleability but not our definition of instance-non-malleable IDC, to show that instance-non-malleability is a stronger notion. Finally, we modify our DDH-based construction to satisfy our definition of instance-non-malleable IDC. The security of our construction is proved in the random oracle model.
Key words — Non-malleability, Instance-dependent commitment, Zero-knowledge proof.
I. Introduction
1. Background
A commitment scheme is an important cryptographic primitive that is widely used in building secure protocols. Informally speaking, a commitment scheme (C, R) is a two-phase protocol between two parties C and R, called the sender (or committer) and the receiver. In the commitment phase, C computes a commitment c to a message m and sends c to R; in the open phase, C reveals the value m along with the random coins used in the commitment phase, and R checks the validity of the commitment c. The two basic properties of a secure commitment scheme are hiding (R cannot obtain any information about m from c) and binding (once c is given, it can be opened to only one corresponding message).
It has been shown that commitment schemes and zero-knowledge protocols have some symmetric properties[1]. The hiding and binding properties of commitment schemes can be translated into the zero-knowledge and soundness properties of zero-knowledge protocols, respectively. According to the computational capability of the adversary, these properties can be perfect or statistical (secure against computationally unbounded adversaries) or computational (secure against polynomial-time adversaries). Since it is impossible for a commitment to be both statistically hiding and statistically binding at the same time, there are difficulties in translating an SZKP (a zero-knowledge protocol in which both the zero-knowledge and soundness properties are achieved statistically) into a corresponding commitment scheme. Itoh et al. proposed a cryptographic primitive called the “instance-dependent commitment (IDC)” in 1994[2], which can be applied to solve this problem. An IDC scheme takes an instance x of a promise problem as a public input to separate the requirements for the hiding and binding properties. A promise problem is composed of two non-intersecting sets, one containing the “yes-instances” and the other containing the “no-instances” (see Definition 1). For a zero-knowledge proof protocol, we consider the zero-knowledge property while x ∈ Yes to protect the prover, and we require soundness while x ∈ No to ensure that the receiver cannot be cheated. Correspondingly, the instance-dependent commitment achieves statistical hiding while x ∈ Yes and statistical binding while x ∈ No. For a promise problem, if there exists a statistically hiding and statistically binding instance-dependent commitment, an SZKP can be constructed[1].
With these special properties, an instance-dependent commitment scheme can replace some of the ordinary commitment schemes in constructing zero-knowledge protocols. Therefore, studying special security properties of instance-dependent commitments, such as non-malleability, can help us build upper-level protocols that are more secure.
Non-malleability was first proposed by Dolev et al. in 1991[3]. Informally, non-malleability is a security requirement against man-in-the-middle attacks. Non-malleability for commitments is normally divided into two flavors: non-malleability with respect to commitment and non-malleability with respect to opening. For a perfectly hiding commitment, non-malleability with respect to commitment makes no sense, and for a perfectly binding commitment both flavors make sense, while non-malleability with respect to opening is stronger[4]. We consider non-malleability with respect to opening for the IDC in the following context.
2. Motivation
We observe that for a promise problem with “hard relations” (see Definition 1 and Remark 1), an SZKP as defined in Ref.[5] can sometimes be constructed generically from an IDC using a pattern called the “commit-challenge-answer” pattern. However, commitments that are non-malleable according to the previous definition[4] cannot assure the non-malleability of the ZKP. This motivates a stronger definition of non-malleability for commitments. We try to make the new definition of non-malleability for commitments consistent with the non-malleability of the ZKP and thus provide stronger security for the upper-level protocols. In the following context we only consider ZKPs and commitment schemes in the CRS model. The public input crs represents the public parameters, which are normally chosen beforehand by a certificated authority and remain unchanged over many executions. In contrast, x is an instance in the promise which is given by a third party according to the upper-level protocol at each execution and can change.

∗ Manuscript Received Sept. 2011; Accepted May 2012. This work is supported by the National Natural Science Foundation of China (No.61070171), the National Basic Research Program of China (973 Program) (No.2007CB311201) and the Strategic Priority Research Program of Chinese Academy of Sciences (No.XDA06010702).
The “commit-challenge-answer” pattern is described as follows. To prove that x ∈ L:
− Commit: With public inputs x and crs, the verifier chooses two messages $m_0$ and $m_1$ and sends them to the prover. The prover and verifier then execute the commitment phase of the IDC and arrive at a commitment com as the prover’s commitment.
− Challenge: The verifier challenges the prover with the message $m_b$, $b \in \{0, 1\}$.
− Answer: If the prover can open com to $m_b$, the verifier accepts; otherwise, it rejects.
Proposition 1 If there is an IDC with perfect hiding and perfect binding properties, a perfect zero-knowledge proof can be derived from the above construction.
(We omit the proof of this proposition, since it is simple and not central.) For an SZKP, non-malleability requires that for any polynomial-time adversary, given an instance x and a proof π, the adversary cannot generate a related instance x' together with its own proof π'. We can see that a commitment that is non-malleable according to the previous definition[4] cannot assure the non-malleability of the SZKP in the above pattern, since in the previous definition of non-malleable commitment all public parameters, including x, are required to remain unchanged, and only the committed message is taken into consideration when measuring non-malleability. Therefore, even if the commitment is non-malleable according to previous definitions, given a commitment to m there might be an adversary who is able to generate a commitment to a related message m' using a different instance x' that is related to x. Then the ZKP will be malleable. While studying the non-malleability of the IDC, we therefore propose to consider the relation between (x, m) and (x', m') instead of the relation between m and m' only, and to build more secure IDCs.
3. Our contribution
In this paper, we first study the non-malleability of the IDC and give a new definition called instance-non-malleability. We then explain why the instance should be taken into consideration when making definitions, by presenting a counter-example.
We present a definition of non-malleability for the IDC called instance-non-malleability. We consider a binary relation $R((x, m), (x_A, m_A))$ in our definition instead of only $R(m, m_A)$, as considered in previous definitions of non-malleability.
We also present an efficient construction of a non-malleable IDC based on Fischlin’s DL-based non-malleable commitment scheme[6]. This construction achieves previous definitions of non-malleability[6], but is vulnerable to a man-in-the-middle attack according to our definition of instance-non-malleability. We conclude that instance-non-malleability is a stronger definition than non-malleability for IDCs. Through a slight modification, the construction then achieves instance-non-malleability in the random oracle model.
4. Related works
Related work has been published by Fischlin[7], who proposed, in defining non-malleability of public-key cryptography schemes, to investigate the relation $R((pk, m), (pk_A, m_A))$ instead of $R(m, m_A)$. The new definition is called complete non-malleability. Ventre et al. extended Fischlin’s definition[7] of complete non-malleability to a new game-based one[8]. Manuel et al. proposed the notions of Strong CCA and Strong PA and discussed the relations between these notions and complete non-malleability[9,10].
5. Organization
The paper is organized as follows. In Section II, we provide some preliminaries and basic notions. Section III gives the definition of instance-non-malleable IDC. In Section IV, we give a counter-example that shows that instance-non-malleability is stronger than previous definitions of non-malleability. The scheme is then modified to satisfy the definition of instance-non-malleability and proved to be secure in the random oracle model. Finally, conclusions and future work are discussed in Section V.
II. Preliminaries
1. Notations
We write $y \leftarrow A(x)$ to denote that algorithm A takes x as input and outputs y, and $y \leftarrow_R A(x)$ means that A is a randomized algorithm. We write $y \leftarrow \langle A(x), B(z)\rangle(w)$ to denote an interactive machine: A and B take w as public input and x and z as their private inputs, respectively.
2. Definitions
Definition 1 (Promise problems[11]) A promise problem is a pair of non-intersecting sets, denoted (Yes, No); that is, $\mathrm{Yes}, \mathrm{No} \subseteq \{0, 1\}^*$ and $\mathrm{Yes} \cap \mathrm{No} = \emptyset$. The set $\mathrm{Yes} \cup \mathrm{No}$ is called the promise.
Remark 1 We see that all decisional problems are promise problems. Specifically, each language L has a promise problem: we can treat the set $\{x \mid x \in L\}$ as the set Yes and the set $\{x \mid x \notin L\}$ as the set No. In the following context, we only discuss “hard promise problems”, for which the following conditions are satisfied.
(1) It is easy to recognize an instance in the promise: there is a polynomial-time algorithm that decides whether x is in the promise with high success probability.
(2) For each x ∈ Yes, there is a witness w and a relation $R_{\mathrm{Yes}}$ such that $(x, w) \in R_{\mathrm{Yes}}$, and there is a probabilistic polynomial-time algorithm that on input $1^k$ outputs a pair $(x, w) \in R_{\mathrm{Yes}}$. Additionally, given a pair (x, w), it is easy to establish whether $(x, w) \in R_{\mathrm{Yes}}$. Moreover, for any x ∈ No, the probability of finding a witness w such that $(x, w) \in R_{\mathrm{Yes}}$ is negligible.
(3) Given an instance x in the promise, the probability of any probabilistic polynomial-time machine outputting a witness w such that $(x, w) \in R_{\mathrm{Yes}}$ is negligible.
DDH Problem Informally, the Decisional Diffie-Hellman (DDH) problem is stated as follows. Given $g \in G$ with $g \neq 1$, along with $g^x$, $g^y$ and $g^z$, we want to know whether $z = xy \pmod q$ ($x, y, z \in Z_q$). The DDH assumption is that there is no probabilistic polynomial-time algorithm that solves this problem.
In our construction, let p be a prime, q a prime divisor of p − 1, and $g_0, g_1$ elements of order q in $Z_p^*$. We take the quadruple $(g_0, g_1, h_0, h_1)$ as our promise, where
$$\mathrm{Yes} = \{(g_0, g_1, h_0, h_1) \mid \exists r \in Z_q \text{ s.t. } h_0 = g_0^{r},\ h_1 = g_1^{r}\}$$
and
$$\mathrm{No} = \{(g_0, g_1, h_0, h_1) \mid \exists r_0 \neq r_1 \in Z_q \text{ s.t. } h_0 = g_0^{r_0},\ h_1 = g_1^{r_1}\}.$$
Random Oracle Model We use the random oracle model
proposed by Bellare and Rogaway[12] to idealize the hash function
in the following context. We assume that all machines can query a
random oracle O for the image of a string. The random oracle maps
strings from {0, 1}∗ to {0, 1}∞ . The random oracle has properties
that include one-wayness, randomness (the outputs of a random oracle are truly random), determinism (once a string has been queried,
its image is fixed), target collision-resistance and non-malleability.
Definition 2 (Instance-dependent commitment) Let (Yes, No) be a promise problem. An instance-dependent commitment scheme with a trusted third party is a protocol $\langle T, C, R\rangle$ involving a trusted third party T, a committer C and a receiver R. Let “crs” denote all the common inputs other than the instance x in the promise, and let “k” be the security parameter. The protocol has three parts:
− The setup phase. T generates all common inputs, including crs and x, and makes them public.
− The commit phase. If C and R follow the protocol, after the commit phase R obtains a commitment $com \leftarrow \langle C(m), R\rangle(crs, x)$, which includes all the messages exchanged between C and R in this phase.
− The reveal phase. In this phase, C sends the committed message m and all the randomness used (denoted by dec) to R. The receiver outputs either “accept” or “reject” (denoted by “1” and “0” in the following context).
The protocol satisfies the hiding and binding properties to varying degrees according to whether x ∈ Yes or x ∈ No:
− Hiding property:
$$\Pr\left[\begin{array}{l}
(crs, x) \leftarrow T(1^k), \text{ where } x \in \mathrm{Yes} \cup \mathrm{No};\\
(m_0, m_1) \leftarrow_R M(1^k);\\
com_b \leftarrow \langle C(m_b), R\rangle(crs, x);\\
b' \leftarrow D(crs, x, com_b);\\
(dec_b, m_b) \leftarrow C(crs, x, com_b, m_b);\\
\mathrm{accept} \leftarrow R(crs, x, com_b, dec_b, m_b) :\\
b = b'
\end{array}\right] \le 1/2 + \mathrm{neg}(k)$$
where M is a random sampling algorithm on the message space, D is a distinguishing algorithm and $b, b' \in \{0, 1\}$.
− Binding property:
$$\Pr\left[\begin{array}{l}
(crs, x) \leftarrow T(1^k), \text{ where } x \in \mathrm{Yes} \cup \mathrm{No};\\
com \leftarrow \langle C, R\rangle(crs, x);\\
\{(m, dec), (m', dec')\} \leftarrow C(crs, x, com) :\\
\mathrm{accept} \leftarrow R(crs, x, com, dec, m) \ \wedge\ \mathrm{accept} \leftarrow R(crs, x, com, dec', m'),\\
m \neq m'
\end{array}\right] \le \mathrm{neg}(k)$$
The commitment is an instance-dependent commitment scheme on the promise problem if the following conditions are satisfied:
(1) While x ∈ Yes, for any probabilistic polynomial-time algorithm C and any computationally unbounded algorithms R and D, the above properties hold.
(2) While x ∈ No, for any computationally unbounded algorithm C and any probabilistic polynomial-time algorithms R and D, the above properties hold.
Note that there are some differences between our definition of IDC and previous definitions[1,13]. We let the commitment achieve computational binding for yes-instances, so that it does not help a probabilistic polynomial-time adversary to tell whether the instance is a yes-instance; and we let the commitment achieve computational hiding for no-instances, because if it is not hiding at all, non-malleability does not make any sense: the adversary can trivially commit to any value related to the value in the left interaction.
III. Instance-Non-Malleable IDC
Before we give a formal definition for the instance-nonmalleability of an IDC , we clarify the model of man-in-the-middle
attacks for a protocol and recall the previous definitions of the nonmalleability for the commitment and the zero-knowledge proof first.
The previous definitions are following[4] .
1. Previous definitions of non-malleability for zeroknowledge proof and commitment
We consider adversaries in a man-in-the-middle execution and
in a stand-alone execution for a commitment scheme or a zeroknowledge proof protocol. Non-malleability for commitment is defined as requiring the difference in the probability of decommitting
to a message related with the target message in both executions to
be negligible. Non-malleability for zero-knowledge proof is defined
as requiring the difference in the probability of generating acceptable proof for an instance that is related to the target instance in
both executions to be negligible.
Man-in-the-middle attack During a man-in-the-middle attack, the adversary simultaneously participates in two executions, called the left and right interactions. In the left interaction, the adversary acts as a verifier and obtains messages from a real sender. In the right interaction, the adversary acts as a sender who composes messages related to the real sender’s messages. An honest receiver would not be able to tell the difference between interactions with a real sender and with the adversary. For simplicity and without loss of generality, we make the following assumptions. (1) The adversary does not mix the order of messages in the left and right executions, but outputs each of its messages immediately after learning the corresponding message from the real sender, and once it obtains randomness from the real receiver, it sends its response to the real sender immediately. (2) Only the executions in which A outputs accepting transcripts are considered. (3) Once a protocol starts, it must be executed sequentially until it finishes or is halted, and rewinding is not allowed in a real interaction. Moreover, we only consider the cases in which the protocol is fully executed when calculating the success probability.
Stand-alone Execution In this execution, the adversary A only obtains the public inputs, as in the man-in-the-middle execution. It then interacts with a real receiver until the protocol is fully executed.
It is assumed that the public inputs other than the instance x, denoted crs, are previously chosen by a trusted third party and are unchanged in all executions of the protocol.
For an interactive zero-knowledge proof protocol $\langle P, V\rangle$, the inputs of the prover P are (x, w), where x is a yes-instance of the promise problem and w is its witness. The input of the verifier V is only x. Let $\mathrm{min}^{A}_{V}(x, w, z)$ denote the random variable describing the final output of V in the man-in-the-middle execution, where z is the auxiliary input of A, and let $\mathrm{sta}^{A'}_{V}(x, w, z)$ denote the random variable describing the output of V in the stand-alone execution.
Definition 3 (Non-malleable zero-knowledge proof[4]) An interactive proof $\langle P, V\rangle$ for yes-instances of the promise problem is non-malleable if for every probabilistic polynomial-time man-in-the-middle adversary A there exists a probabilistic polynomial-time stand-alone prover A', such that for every x ∈ Yes:
$$\left|\Pr[\mathrm{min}^{A}_{V}(x, w, z) = 1] - \Pr[\mathrm{sta}^{A'}_{V}(x, w, z) = 1]\right| \le \mathrm{neg}(k)$$
For a commitment scheme $\langle C, R\rangle$ in the man-in-the-middle execution, let m denote the message committed by the real committer in the left interaction, m' the message committed by the adversary A, and z the auxiliary input of A. We have $\mathrm{min}^{A}_{R}(R, m, z) = 1$ if A’s commitment in the right interaction is decommitted to an m' that an honest verifier accepts and there is a non-trivial relation R such that $R(m, m') = 1$.
In the stand-alone execution, m is chosen prior to the interaction between the stand-alone adversary A' and the verifier. After the commitment of A' has been made, A' receives m and attempts to decommit to m'. We have $\mathrm{sta}^{A'}_{R}(R, m, z) = 1$ if A'’s commitment is decommitted to an m' that the honest verifier accepts and, for the same non-trivial relation R, $R(m, m') = 1$.
Definition 4 (Non-malleable commitment with respect to opening[4]) A commitment scheme $\langle C, R\rangle$ is non-malleable with respect to opening if for every probabilistic polynomial-time man-in-the-middle adversary A there exists a probabilistic polynomial-time stand-alone simulator A', such that for every non-reflexive polynomial-time computable relation R:
$$\left|\Pr[\mathrm{min}^{A}_{R}(R, m, z) = 1] - \Pr[\mathrm{sta}^{A'}_{R}(R, m, z) = 1]\right| \le \mathrm{neg}(k)$$
2. Instance-non-malleable IDC
For an IDC, we consider the malleability of the instance, and assume that the other parameters are generated by a certificate authority and remain the same for a period of time; they cannot be forged by the ad­versary. Basically, we do not wish a man-in-the-middle adversary to gain the ability to choose, without any witness, an instance in the same subset of the promise as the one used in the real commitment process and make a related commitment.
Remark 2 One may wonder why we do not consider malleability between subsets. The answer is that it does not occur. On the one hand, if in the left execution x ∈ Yes while in the right execution A chooses $x_A$ ∈ No, then since the left execution has the perfect hiding property (the commitment is equivocal) and the message committed in the right execution is fixed, we would have $\Pr[R(m, m_A) = 1] \le \mathrm{neg}(k)$. On the other hand, if in the left execution x ∈ No and in the right execution A is supposed to choose $x_A$ ∈ Yes, then since x contains no information about the set of witnesses, the man-in-the-middle execution will not increase the ability of any adversary to obtain a yes-instance compared with the stand-alone execution. Therefore, we only consider the malleability of the commitments, and of instances that are from the same subset.
For an IDC scheme $\langle T, C, R\rangle$ in the man-in-the-middle execution, T generates an instance x, A receives x and outputs $x_A$ to the receiver, and the left and right interactions then proceed. Let m denote the message decommitted by the real committer in the left interaction, $m_A$ the message decommitted by the adversary A, and z the auxiliary input of A. We have $\mathrm{min}^{A}_{R}(R, x, m, z) = 1$ if A’s commitment in the right interaction is decommitted to an $m_A$ that an honest verifier accepts and there is a non-trivial binary relation R such that $R((x, m), (x_A, m_A)) = 1$.
In the stand-alone execution, T generates an instance x, and a stand-alone adversary A' receives x and outputs $x_A$ to the receiver. m is chosen prior to the interaction between A' and the verifier, but is only passed on to A' after the commitment phase. We have $\mathrm{sta}^{A'}_{R}(R, x, m, z) = 1$ if A'’s commitment is decommitted to an $m_A$ that the honest verifier accepts and, for the same non-trivial binary relation R, $R((x, m), (x_A, m_A)) = 1$.
Definition 5 (Instance-non-malleable IDC) Let $\langle T, C, R\rangle$ be an instance-dependent commitment on a promise problem (Yes, No) and k the security parameter. We say that $\langle T, C, R\rangle$ is instance-non-malleable if for any probabilistic polynomial-time man-in-the-middle adversary A there exists a polynomial-time stand-alone simulator A', such that for every non-reflexive polynomial-time computable relation R:
$$\left|\Pr[\mathrm{min}^{A}_{R}(R, x, m, z) = 1] - \Pr[\mathrm{sta}^{A'}_{R}(R, x, m, z) = 1]\right| \le \mathrm{neg}(k)$$
IV. Construction
In this section, we present our example of an IDC that is non-malleable according to previous definitions but malleable according to our definition of instance-non-malleability. Then, through a modification, the scheme is proved to be instance-non-malleable. The scheme we present is based on Fischlin’s DL-based non-malleable commitment scheme[7].
1. DDH-based IDC
A DDH-based IDC is described as follows.
Setup The public random strings p, q with q | (p − 1), the subgroup $G_q \subseteq Z_p^*$ and $g_2, h_2 \in_R G_q$, which are generated by the certificated authority before the execution of the scheme and remain unchanged for a period of time, are shared by all parties. A third party generates the instance and passes it to both the committer and the verifier at each execution. The instance x is $(g_0, g_1, h_0 = g_0^{tr_0}, h_1 = g_1^{tr_1})$. If $tr_0 = tr_1$ it is a yes-instance; otherwise, it is a no-instance.
Commit On input m, the committer randomly chooses $a_0, a_1, r, s_0, s_1, t_0, t_1, u_0, u_1 \in_R Z_q$ and computes
$$M_0 = g_0^{m} h_0^{r},\quad M_1 = g_1^{m} h_1^{r} \qquad (1)$$
$$A_0 = (g_2 \cdot M_0)^{a_0} h_2^{u_0},\quad A_1 = (g_2 \cdot M_1)^{a_1} h_2^{u_1} \qquad (2)$$
$$S_0 = g_0^{s_0} h_0^{t_0},\quad S_1 = g_1^{s_1} h_1^{t_1} \qquad (3)$$
and sends $M_0, M_1, A_0, A_1, S_0, S_1$ to the receiver.
The receiver answers with a random string $b \in_R Z_q$. The committer then sets
$$c_0 = a_0 + b \pmod q,\quad c_1 = a_1 + b \pmod q \qquad (4)$$
$$y_0 = s_0 + c_0 m \pmod q,\quad y_1 = s_1 + c_1 m \pmod q \qquad (5)$$
$$z_0 = t_0 + c_0 r \pmod q,\quad z_1 = t_1 + c_1 r \pmod q \qquad (6)$$
and sends $a_0, a_1, u_0, u_1, y_0, y_1, z_0, z_1$ to the receiver.
The receiver sets $c_0 = a_0 + b \pmod q$, $c_1 = a_1 + b \pmod q$ and checks whether $A_i = (g_2 \cdot M_i)^{a_i} h_2^{u_i}$ and $S_i M_i^{c_i} = g_i^{y_i} h_i^{z_i}$ for i = 0, 1.
Decommit The committer sends m, r to the receiver and the receiver checks whether $M_0 = g_0^{m} h_0^{r}$ and $M_1 = g_1^{m} h_1^{r}$.
2. Security
Proposition 2 The DDH-based IDC scheme above is an IDC under the DDH assumption according to Definition 2.
Proof First, the computational hiding and binding properties are obviously assured for this scheme no matter which subset the instance is in. Moreover, we have $M_0 = g_0^{m + r \cdot tr_0}$ and $M_1 = g_1^{m + r \cdot tr_1}$. When $tr_0 = tr_1$, these equations have multiple solutions (m, r), and when $tr_0 \neq tr_1$, there is only one solution. Therefore, the scheme has perfect hiding when x ∈ Yes and perfect binding when x ∈ No. Thus, the proposition is true.
Theorem 1 The DDH-based IDC scheme above is a non-malleable IDC, but not an instance-non-malleable IDC.
Proof We prove this theorem by proving the following two lemmas.
Lemma 1 The scheme is non-malleable according to Definition 4.
In this situation, the instance is fixed and is the same in the left and right executions of a man-in-the-middle attack, as are the other public parameters.
To prove that the scheme is non-malleable, we show how a simulator $S = \{S_1, S_2\}$ extracts the message $m_A$ of the man-in-the-middle adversary A. The simulator $S_1$ randomly chooses all the public parameters and generates $M_0, M_1, S_0, S_1, c_0, c_1, y_0, y_1, z_0, z_1$ following the scheme. The simulator $S_2$ works as illustrated in Fig.1. Then, assuming the scheme is malleable, we would have $R(m, m_A) = 1$ with non-negligible probability. Since the scheme has the perfect hiding property for a yes-instance as input, if $m_A$ is fixed we always have $R(m, m_A) = 0$. Therefore, if $R(m, m_A) = 1$, the instance should be a no-instance. The simulator can use A to decide a DDH quadruple with the same advantage, which contradicts the DDH assumption. Hence, the non-malleability property is proved.
Proof As shown in Fig.1, the simulator $S_2$ sets $g_2 = (M_1^{tr'}/M_0^{tr})^{1/(tr - tr')}$ and $h_2 = (g_2 M_0)^{tr} = (g_2 M_1)^{tr'} = (M_1/M_0)^{tr \cdot tr'/(tr - tr')}$. It has the trapdoor $\log_{g_2 M_0} h_2 = tr$ and $\log_{g_2 M_1} h_2 = tr'$ to help reveal $a_{il}$ to different values, where the index i represents 0, 1 and l indicates the different loops of rewinding in the following context. We see that although $a_{il}$ changes according to the different $b_{Al}$, $c_{il}$, $y_{il}$ and $z_{il}$ remain the same. Therefore, m cannot be extracted.
First, we show that if $a_{iAl}$ remains unchanged over different loops, $m_A$ can be extracted. Since $b_l$ is randomly selected by the receiver, we have $b_v \neq b_j$ with probability $1 - 1/q$, where $v \neq j$ indicate different loops. Therefore $c_{iAv} \neq c_{iAj}$, $y_{iAv} \neq y_{iAj}$ and $z_{iAv} \neq z_{iAj}$, and $m_A$ can then be calculated from Eq.(5) across the different loops. Therefore, as explained above, the scheme being malleable contradicts the DDH assumption.
We are then interested in the events in which A is able to present different $a_{iAl}$ in different loops. We show that this situation occurs with negligible probability; otherwise, we derive a contradiction with the intractability of the DL problem.
We are given $p, q, g, X \in G_q$ as input and our goal is to use A to compute $\log_g X$. Instead of passing M from a third party $S_1$ to $S_2$ as in Fig.1, $S_2$ randomly chooses its message m and $w_0, w_1, w_2, d_0, d_1 \in_R Z_q^*$, and sets $g_2 = g$, $h_2 = X^{w_2}$, $(g_0, g_1, h_0, h_1) = (g^{-1/m} X^{d_0},\ g^{-1/m} X^{d_1},\ X^{w_0},\ X^{w_1})$. $M_i, A_i, S_i, c_i, y_i, z_i$ are calculated according to the scheme. Thus we have $tr = \log_{g_2 M_0} h_2 = w_2/(d_0 m + w_0 r) \pmod q$ and $tr' = \log_{g_2 M_1} h_2 = w_2/(d_1 m + w_1 r) \pmod q$ as the trapdoor. The challenge $c_i$ is then fixed and we enter the loop as in Fig.1, revealing different $a_{il}$ using the trapdoor according to $b_l$. We consider the case that A produces $a_{iAv} \neq a_{iAj}$ for two accepting transcripts with non-negligible probability. Let $u_{iAv}$ and $u_{iAj}$ denote the corresponding decommitments of $A_{iA}$. We proceed to decommit $M_i$ by revealing m and r after loop j, and obtain $m_{Aj}, r_{Aj}$ satisfying $M_{iA} = g_i^{m_{Aj}} h_i^{r_{Aj}}$ from the adversary. We then have $(g_2 M_{iA})^{a_{iAv}} h_2^{u_{iAv}} / \big((g_2 M_{iA})^{a_{iAj}} h_2^{u_{iAj}}\big) = 1$. Since $a_{iAv} \neq a_{iAj}$, $u_{iAv} \neq u_{iAj}$ and $m_{Aj} \neq m$, and from $h_2 = X^{w_2}$, we have
$$\log_g X = \frac{1 - m_{Aj}/m}{w_2 (u_{iAv} - u_{iAj})/(a_{iAj} - a_{iAv}) - (m_{Aj} d_i + r_{Aj} w_i)} \pmod q.$$
To summarize, the situation that A opens to different $a_{iA}$ in different loops does not happen with non-negligible probability; otherwise, the DL problem could be efficiently solved. Moreover, if A always opens to the same $a_{iA}$, we extract $m_A$. Then, if the scheme is malleable, the DDH assumption is violated. Hence, the DDH-based IDC is a non-malleable scheme.
Fig. 1. Knowledge extraction of the DDH-based IDC. (The original figure has three columns, for the simulator $S_2$, the adversary A and the receiver R; it is reproduced here as the sequence of steps. In the figure x, x' denote the two trapdoor exponents written tr, tr' in the text.)
$S_2$, input: $p, q, g_0, g_1, h_0, h_1$; $m, r, s_0, s_1, t_0, t_1, c_0, c_1 \in_R Z_q$; $M_0, M_1, S_0, S_1, c_0, c_1, y_0, y_1, z_0, z_1$ (passed from $S_1$).
$S_2$ randomly chooses $x, x', a_0, a_1, u_0, u_1 \in_R Z_q$ and sets
$$g_2 = (M_1^{x'}/M_0^{x})^{1/(x - x')},\quad h_2 = (g_2 M_0)^{x} = (g_2 M_1)^{x'},$$
$$A_0 = (g_2 M_0)^{a_0} h_2^{u_0},\quad A_1 = (g_2 M_1)^{a_1} h_2^{u_1}.$$
$S_2 \to A$: $M_0, M_1, A_0, A_1, S_0, S_1$
$A \to R$: $M_{0A}, M_{1A}, A_{0A}, A_{1A}, S_{0A}, S_{1A}$
Rewind point (loop $l = 1, 2, \cdots$):
  R randomly chooses $b_l \in_R Z_q$.
  $R \to A$: $b_l$
  $A \to S_2$: $b_{Al}$
  $S_2$ sets $a_{0l} = c_0 - b_{Al} \pmod q$, $a_{1l} = c_1 - b_{Al} \pmod q$, $u_{0l} = u_0 + (a_0 - a_{0l})/x \pmod q$, $u_{1l} = u_1 + (a_1 - a_{1l})/x' \pmod q$.
  $S_2 \to A$: $a_{0l}, a_{1l}, u_{0l}, u_{1l}, y_0, y_1, z_0, z_1$
  $A \to R$: $a_{0Al}, a_{1Al}, u_{0Al}, u_{1Al}, y_{0Al}, y_{1Al}, z_{0Al}, z_{1Al}$

Lemma 2 There exist efficient man-in-the-middle attacks on the above construction according to Definition 5.
Proof In the definition of instance-non-malleability, the adversary is allowed to select its own instance $x_A$; the instances can be different in the left and right executions of a man-in-the-middle attack.
Assume a man-in-the-middle adversary has a DDH quadruple $\{g_0, g_1, h_0, h_1\}$ as input in the left execution; it chooses its own instance as $\{g_{0A} = g_0^{2},\ g_{1A} = g_1^{2},\ h_{0A} = h_0,\ h_{1A} = h_1\}$. We can easily see that $x_A$ and x are in the same subset of the promise. Afterwards, the adversary copies the real committer’s and receiver’s messages in the commitment phase, except that it sets $y_{0A} = y_0/2$ and $y_{1A} = y_1/2$. In the opening phase, the adversary can always decommit its commitment to $m_A = m/2$. We have $R((x, m), (x_A, m_A)) = 1$ and $R(x_A, com_A, m_A, dec_A) = \mathrm{accept}$.
Therefore, if an IDC is instance-non-malleable, it is non-malleable for sure. Along with Theorem 1, we conclude this theorem.
3. The modified DDH-based IDC
In the variant, we replace m in $M_0$ and $M_1$ by a hash value f(m). The setup algorithm remains almost the same, except that a hash function f is additionally chosen and published. In the commitment stage, the committer sets $M_0 = g_0^{f(m)} h_0^{r}$, $M_1 = g_1^{f(m)} h_1^{r}$, and in the decommitment stage, after receiving (m, r), the verifier checks whether the above equations hold. Other parts of the protocol remain the same.
Security proof for the modified DDH-based IDC We then show that the modification allows a proof of instance-non-malleability.
Proposition 3 The modified commitment scheme is still an IDC scheme according to Definition 2.
This proposition is obviously true for the same reason that Proposition 2 is true.
Theorem 3 The modified DDH-based IDC scheme is instance-non-malleable according to Definition 5.
Proof First, we explain that there exists a simulating machine such that the verifier’s views when interacting with the real committer and when interacting with the simulating machine are statistically close. With the public parameters x and $g_2, h_2$ as input, the simulator randomly chooses a value f and outputs $M_0 = g_0^{f} h_0^{r}$ and $M_1 = g_1^{f} h_1^{r}$ as its commitment ($A_0, A_1, S_0$ and $S_1$ are generated the same way as by a real committer). To simulate the random oracle, the simulator maintains a list that is initially blank. When the adversary queries the random oracle with a value m, the simulator looks up the list for a record of the image of m. If the record can be found, the simulator outputs the image. If there is no record of m, the simulator randomly chooses a value as its image f(m) and then records the pair (m, f(m)) in the list. In the decommit phase, the simulator randomly chooses a value as the preimage of f, records the mapping in the list, and makes its decommitment the same way as a real committer. We can easily see that the views of the verifier in a real man-in-the-middle execution and in the man-in-the-middle execution with the simulating committer are statistically indistinguishable.
We then consider the same man-in-the-middle adversary in two different executions, referred to as games 1 and 2. In games 1 and 2, with the same public input and instance x, we assume that a simulating committer S and the adversary carry out the left and right man-in-the-middle executions. The random tapes of S and A are the same in both games. The two games use different oracles, which we refer to as $O_1$ and $O_2$. We assume that A queries the random oracle for the images of $m_1, m_2, \cdots, m_i$ before deciding its own commitment, and that before giving its decommitment it queries $m_{i+1}, \cdots, m_n$. The simulator simulates the random oracles and outputs the same images for $m_1, m_2, \cdots, m_i$ and different images for $m_{i+1}, \cdots, m_n$ in games 1 and 2.
In both games 1 and 2, S outputs $M_0 = g_0^{f} h_0^{r}$ and $M_1 = g_1^{f} h_1^{r}$ as its commitment. Since the random tapes are the same, the instance and commitments of A are also the same in both games: $x_A = (g_{0A}, g_{1A}, h_{0A}, h_{1A})$ and $M_{0A}$ and $M_{1A}$. Then, in the decommitment phase of the two games, the simulator opens to m and m' respectively as the preimage of f ($m \neq m'$, with $m, m' \notin \{m_0, m_1, \cdots, m_i\}$). The adversary decommits to $m_A$ and $m'_A$ respectively. Since the images of $m_1, m_2, \cdots, m_i$ are randomly chosen, the probability that $f(m_j) = f$ for some $j = 0, 1, \cdots, i$ is negligible.
− We now prove that the situation that $m_A \neq m'_A$ and
Pr[minA
R (R, x, w, m, z) = 1] − Pr[staR (R, x, w, m, z) = 1] ≥ neg(k)
A
A
Therefore, Pr[minR (R, x, w, m, z) = 1]−Pr[staR (R, x, w, m, z) = does not occur.
If mA = mA , then since mA and mA are successfully decom1] ≥ 1 − neg(k), The man-in-the-middle attack is successful.
Theorem 2 For an IDC, instance-non-malleability is strictly
mitted to with noneligible probability, they must have been queried
stronger than non-malleability according to previous definitions.
to the random oracle before the commitments are generated. In
Proof According to Definitions 4 and 5, non-malleability is
both games 1 and 2, the oracle queries and answers before A dejust a special case of instance-non-malleability when setting xA = x.
cides its commitment are the same. The simulator S randomly
Chinese Journal of Electronics
186
chooses {f1 , f2 , · · · , fi } as the image for {m1 , m2 , · · · , mi }. Therefore, there exists j, l such that j, l ∈ {1, 2 · · · , i}, j = l, mj = mA
and ml = mA . We have Pr[f (mA ) = f2 (mA )] ≥ 1 − neg(k).
We denote the hash value as fj and fl in separate games. We
f
r
f
r
have M0 = g0j h0j = g0l h0l and M1 = g1j h1j = g1l h1l . Therefore, there is tr0 = logg0 h0 = (fj − fl )/(ri − rj ) (mod q) and
tr1 = logg1 h1 = (fj − fl )/(ri − rj ) (mod q). Since tr0 = tr1 , x
must be in Yes and a polynomial machine can extract the witness
for x by invoking A in both games. A has knowledge of the witness for x . Therefore, whatever A can do in a man-in-the-middle
execution can also been done in the stand-alone execution. We have
A
Pr[minA
R (R, x, w, m, z) = 1]−Pr[staR (R, x, w, m, z) = 1] ≤ neg(k).
− We are left with the situation mA = mA and
Pr[minA
(R, x, w, m, z) = 1]−Pr[staA
R
R (R, x, w, m, z) = 1] ≥ neg(k).
If x ∈ Yes , as we explained in Section III.2, x has to be in Yes .
However, A’s message is fixed in the man-in-the-middle executions
of games 1 and 2, while the commitment of a real committer is
equivocable. We have Pr[R(mA , m) = 0]≥ 1 − neg(k).
Therefore,
this situation does not occur when x ∈ Yes . If x ∈ No , we get
x ∈ No (as explained in Section III.2).
Sum up the above two cases, if the scheme is not instancenon-malleable, by invoking the above man-in-the-middle executions
between the simulator and adversary in games 1 and 2, we have
the same advantage in deciding whether a DDH quadruple is a noinstance. This contradicts the DDH assumption.
In summary, the modified DDH-based instance-dependent commitment scheme is instance-non-malleable according to Definition 5.
f
r
f
r
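The two mechanisms the proof rests on, the simulator's lazily programmed random oracle and the extraction of $tr = (f_j - f_l)/(r_l - r_j)$ from two openings of one commitment, are easy to check concretely. The following is an added example written for this page, not code from the paper: it models only the commitment $M_0 = g_0^{f} h_0^{r}$, $M_1 = g_1^{f} h_1^{r}$ with $f = H(m)$, over a toy prime-order group whose parameters (P, Q, G) and function names are my own assumptions, and omits the $A_0, A_1, S_0, S_1$ parts of the protocol.

```python
"""Toy model of the commitment used in the proof: M0 = g0^f h0^r, M1 = g1^f h1^r
with f = H(m) for a random oracle H.  Added example, not the paper's code.
Shows (1) the simulator committing to a random f and programming H(m) := f at
opening time, and (2) extraction of tr = (f_j - f_l)/(r_l - r_j) mod q from two
openings of a fixed commitment, which is a DDH witness iff it is the discrete
log of both h0 (base g0) and h1 (base g1).  Group parameters are toy-sized
and chosen for illustration only (assumption)."""
import secrets

P = 2039   # toy safe prime, P = 2*Q + 1 (assumed illustrative parameter)
Q = 1019   # prime order of the quadratic-residue subgroup of Z_P^*
G = 4      # generator of that subgroup


def rand_zq():
    """Uniform element of Z_Q \\ {0}."""
    return secrets.randbelow(Q - 1) + 1


class LazyRandomOracle:
    """Random oracle kept as an initially empty table m -> f(m), as in the proof."""
    def __init__(self):
        self.table = {}

    def query(self, m):
        if m not in self.table:
            self.table[m] = rand_zq()
        return self.table[m]

    def program(self, m, f):
        """Simulator step: fix H(m) := f for a preimage m that was never queried."""
        if m in self.table:
            raise ValueError("preimage already queried; cannot program it")
        self.table[m] = f


def ddh_instance(t0, t1):
    """x = (g0, g1, h0, h1) with h0 = g0^t0, h1 = g1^t1; a Yes-instance iff t0 == t1."""
    g0, g1 = G, pow(G, rand_zq(), P)
    return (g0, g1, pow(g0, t0, P), pow(g1, t1, P))


def commit(x, f, r):
    g0, g1, h0, h1 = x
    return (pow(g0, f, P) * pow(h0, r, P) % P, pow(g1, f, P) * pow(h1, r, P) % P)


def verify_open(x, com, f, r):
    return commit(x, f, r) == com


def simulator_commit_and_open(x, ro, m):
    """Commit to a random image f, then program H(m) := f in the decommit phase.
    Returns the commitment and whether the opening to m verifies; no witness needed."""
    f, r = rand_zq(), rand_zq()
    com = commit(x, f, r)
    ro.program(m, f)
    return com, verify_open(x, com, ro.query(m), r)


def equivocate(f, r, f_new, t):
    """A sender who knows t = log_g0 h0 re-opens (f, r) as (f_new, r_new):
    g0^f h0^r = g0^f_new h0^r_new  <=>  r_new = r + (f - f_new) * t^-1 (mod Q)."""
    return (r + (f - f_new) * pow(t, -1, Q)) % Q


def extract(x, com, open_j, open_l):
    """Knowledge extraction from two openings (f_j, r_j), (f_l, r_l) of com.
    Returns (tr, is_yes): is_yes is True iff tr = log_g0 h0 = log_g1 h1."""
    (f_j, r_j), (f_l, r_l) = open_j, open_l
    if f_j == f_l or r_j == r_l:
        raise ValueError("openings must differ in both f and r")
    tr = (f_j - f_l) * pow((r_l - r_j) % Q, -1, Q) % Q
    g0, g1, h0, h1 = x
    return tr, pow(g0, tr, P) == h0 and pow(g1, tr, P) == h1


def two_games(t0, t1):
    """Games 1 and 2: the adversary's commitment is fixed first, then the oracle
    value for its preimage differs (f_j vs f_l).  An adversary holding t0 tries to
    open to both.  Returns (second_opening_valid, extracted_tr, is_yes_instance)."""
    x = ddh_instance(t0, t1)
    f_j, r_j = rand_zq(), rand_zq()
    com = commit(x, f_j, r_j)              # fixed before the oracles diverge
    f_l = rand_zq()
    while f_l == f_j:
        f_l = rand_zq()
    r_l = equivocate(f_j, r_j, f_l, t0)    # second opening from the witness t0
    if not verify_open(x, com, f_l, r_l):  # binding holds: x is a No-instance
        return False, None, False
    tr, is_yes = extract(x, com, (f_j, r_j), (f_l, r_l))
    return True, tr, is_yes


if __name__ == "__main__":
    print(two_games(777, 777))   # Yes-instance: witness 777 extracted
    print(two_games(777, 778))   # No-instance: second opening rejected
```

On a Yes-instance the extractor recovers exactly the exponent the equivocating sender used, and the recovered value is the discrete logarithm for both pairs, which is the "since $tr_0 = tr_1$, $x_A$ must be in Yes" step. On a No-instance the equivocated opening satisfies the $M_0$ equation but fails the $M_1$ equation, so no adversary without both logarithms can double-open, while the simulator still opens to any message by programming the oracle.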
V. Conclusions and Future Works
In this paper, we explained that the notions of non-malleability previously defined for commitment schemes are insufficient for the IDC. We then analyzed the instance-non-malleability of an IDC and proposed a formal definition. We gave a DDH-based construction of an IDC to show that instance-non-malleability is stronger than non-malleability, and then modified the scheme to be instance-non-malleable in the random oracle model.
We hope that more practical instance-non-malleable IDCs, which can be applied to construct upper-level protocols such as SZKP, will be developed in the future.
References
[1] S. Ong, S. Vadhan, "An equivalence between zero knowledge and commitments", Proc. of Theory of Cryptography Conference, New York, USA, pp.482–500, 2008.
[2] T. Itoh, Y. Ohta, H. Shizuya, "A language-dependent cryptographic primitive", Journal of Cryptology, Vol.10, No.1, pp.37–49, 1997.
[3] D. Dolev, C. Dwork, M. Naor, "Non-malleable cryptography", Proc. of the Twenty-Third Annual ACM Symposium on Theory of Computing, New York, USA, pp.542–552, 1991.
[4] R. Pass, A. Rosen, "New and improved constructions of non-malleable cryptographic protocols", Proc. of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, New York, USA, pp.533–542, 2005.
[5] O. Goldreich, Foundations of Cryptography: Basic Tools, Cambridge University Press, Cambridge, UK, 2001.
[6] M. Fischlin, R. Fischlin, "Efficient non-malleable commitment schemes", Proc. of the Twentieth Annual International Cryptology Conference, Santa Barbara, USA, pp.413–431, 2000.
[7] M. Fischlin, "Completely non-malleable schemes", Proc. of Automata, Languages and Programming, 32nd International Colloquium, Lisbon, Portugal, pp.779–790, 2005.
[8] C. Ventre, I. Visconti, "Completely non-malleable encryption revisited", Proc. of the 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, pp.65–84, 2008.
[9] M. Barbosa, P. Farshim, "Strong knowledge extractors for public-key encryption schemes", Proc. of Information Security and Privacy, 15th Australasian Conference, Sydney, Australia, pp.164–181, 2010.
[10] M. Barbosa, P. Farshim, "Relations among notions of complete non-malleability: Indistinguishability characterization and efficient construction without random oracles", Proc. of Information Security and Privacy, 15th Australasian Conference, Sydney, Australia, pp.145–163, 2010.
[11] O. Goldreich, "On promise problems (a survey in memory of Shimon Even [1935-2004])", Electronic Colloquium on Computational Complexity, Technical Report TR05-018, 2005.
[12] M. Bellare, P. Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols", Proc. of the 1st ACM Conference on Computer and Communications Security, Fairfax, USA, pp.62–73, 1993.
[13] S.P. Vadhan, "An unconditional study of computational zero knowledge", Proc. of the 45th Annual IEEE Symposium on Foundations of Computer Science, Rome, Italy, pp.176–185, 2004.
[14] G. Di Crescenzo, Y. Ishai, R. Ostrovsky, "Non-interactive and non-malleable commitment", Proc. of the Thirtieth Annual ACM Symposium on Theory of Computing, Dallas, USA, pp.141–150, 1998.
JING Wenpan is a Ph.D. candidate at the Graduate University of Chinese Academy of Sciences. Her research interests focus on public key cryptography, cryptographic protocols and provable security. (Email: [email protected])

XU Haixia (corresponding author) is an associate researcher at the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences. She received her Ph.D. degree in Mathematics from Capital Normal University in 2001. From 2001 to 2003, she was a postdoctoral fellow at the Graduate University of Chinese Academy of Sciences. Her current research interests include the theory of cryptography, cryptographic protocols, and cloud computing security. (Email: [email protected])

LI Bao is a researcher and doctoral advisor at the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences. He has also been in charge of several national basic research programs on various aspects of cryptography. His current research focuses on the foundations of cryptography, including cryptographic protocols, elliptic curve cryptography, quantum cryptography and especially provable security. (Email: [email protected])