Title: Non-interactive and Reusable Non-malleable Commitments
1. Non-interactive and Reusable Non-malleable Commitments
- Ivan Damgård, BRICS, Aarhus University
- Jens Groth, Cryptomathic A/S
2. Commitments
3. Non-malleability
4. Reusable Non-malleability
(t > 1, 1)-security stronger than (1,1)-security
(1, u > 1)-security stronger than (1,1)-security
5. Known Schemes
- Dolev, Dwork, Naor: interactive, 1-way, not practical
- Di Crescenzo, Ishai, Ostrovsky: non-interactive, 1-way, not practical
- Fischlin, Fischlin: interactive, Dlog/RSA, practical
- Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way, practical
- Garay, MacKenzie, Yang: non-interactive, DSA, practical
UC protocols are intuitively like having a trusted third party
- Canetti, Fischlin: non-interactive, claw-free permutations, not practical
- Damgård, Nielsen: interactive, decisional composite residuosity, practical
- Canetti, Lindell, Ostrovsky, Sahai: non-interactive, trapdoor permutations, not practical
6. Our Results
- Non-interactive, reusable, trapdoor commitments
- 1-way functions: not practical
- Strong RSA: very efficient
- Unconditional binding or hiding on minimal assumptions
Common reference string (CRS) UC commitment (interactive or not) implies Secret Key Agreement
Uniform reference string UC commitment implies Oblivious Transfer
Application: Shorter CRS in Damgård-Nielsen UC commitment
7. Sigma-protocols
8. Signatures
Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (only need known message attack).
(vk,sk) ← SignatureKeyGenerator
Place vk on the CRS
To commit: simulate (a,m,z) ← Sim((vk,?),m), a proof of knowledge of a signature on ?.
Commitment c = a
Decommitment d = (m,z)
9. Commitment Scheme
CRS: vk for signatures, pk for unconditionally hiding honest sender commitment, hash a UOWHF
- (c,d) ← HScommit_pk(ak)
- ? = hash(c)
- (a,m,z) ← Sim((vk,?),m)
- mac = MAC_ak(a)
C = (c,a,mac), D = (d,m,z)
10. Sketch of Security Proof
Trapdoor commitment scheme. If we know the
signature key sk we may open commitments as
anything, since we can answer any challenge m.
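
The commit-by-simulation step from the Signatures slide and the trapdoor remark above, as an added Python example that is not taken from the slides or the paper. It assumes one instantiation chosen here, a hash-then-RSA signature with a Guillou-Quisquater style proof of knowledge of the E-th root; the toy modulus and every name (tag, h, commit, trapdoor_commit, equivocate, extract) are assumptions, and extract goes one step past the slide to show that two openings of one commitment yield a signature.

```python
import hashlib, secrets

# Toy parameters constructed for this example; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                   # vk = (N, E); E prime, messages in [0, E)
SK = pow(E, -1, (P - 1) * (Q - 1))    # sk, the trapdoor (assumed RSA exponent)

def h(tag: bytes) -> int:
    """Hash the tag into Z_N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(tag).digest(), "big") % N

def sign(tag: bytes) -> int:
    """Signature on tag: the E-th root of h(tag) mod N."""
    return pow(h(tag), SK, N)

def commit(tag: bytes, m: int):
    """Honest sender: simulate a transcript for challenge m, no sk needed."""
    assert 0 <= m < E
    z = secrets.randbelow(N - 1) + 1
    a = pow(z, E, N) * pow(h(tag), -m, N) % N
    return a, (m, z)                  # commitment a, decommitment (m, z)

def verify(tag: bytes, a: int, opening) -> bool:
    """Accept iff (a, m, z) is an accepting transcript: z^E == a * h(tag)^m."""
    m, z = opening
    return 0 <= m < E and pow(z, E, N) == a * pow(h(tag), m, N) % N

def trapdoor_commit():
    """Trapdoor holder: real prover first message a = r^E, keeping r."""
    r = secrets.randbelow(N - 1) + 1
    return pow(r, E, N), r

def equivocate(tag: bytes, r: int, m: int):
    """With sk, answer any challenge m: z = r * sign(tag)^m."""
    return m, r * pow(sign(tag), m, N) % N

def extract(tag: bytes, o1, o2) -> int:
    """Binding: two different openings of one commitment give a signature."""
    (m1, z1), (m2, z2) = o1, o2
    dm = m1 - m2
    beta = pow(dm, -1, E)             # beta*dm == 1 + k*E, since E is prime
    k = (beta * dm - 1) // E
    ratio = z1 * pow(z2, -1, N) % N   # ratio^E == h(tag)^dm
    return pow(ratio, beta, N) * pow(h(tag), -k, N) % N

if __name__ == "__main__":
    a, r = trapdoor_commit()
    o1, o2 = equivocate(b"tag", r, 7), equivocate(b"tag", r, 9)
    print(verify(b"tag", a, o1), verify(b"tag", a, o2), extract(b"tag", o1, o2) == sign(b"tag"))
```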
11. Sketch of Security Proof II
12. Open Problems
- Non-interactive NM commitment without a CRS.
- Construction that allows histories, i.e., the adversary gets both commitments and some extra information about the contents.
- UC secure Oblivious Transfer from UC commitment.