Non-interactive and Reusable Non-malleable Commitments - PowerPoint PPT Presentation

Slides: 13
Provided by: gormsal
Transcript and Presenter's Notes

1
Non-interactive and Reusable Non-malleable
Commitments
  • Ivan Damgård, BRICS, Aarhus University
  • Jens Groth, Cryptomathic A/S

2
Commitments
3
Non-malleability
4
Reusable Non-malleability
  • (t > 1, 1)-security stronger than (1,1)-security
  • (1, u > 1)-security stronger than (1,1)-security
5
Known Schemes
  • Dolev, Dwork, Naor: interactive, 1-way, not practical
  • Di Crescenzo, Ishai, Ostrovsky: non-interactive, 1-way, not practical
  • Fischlin, Fischlin: interactive, Dlog/RSA, practical
  • Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way, practical
  • Garay, MacKenzie, Yang: non-interactive, DSA, practical

UC protocols are intuitively like having a trusted third party
  • Canetti, Fischlin: non-interactive, claw-free permutations, not practical
  • Damgård, Nielsen: interactive, decisional composite residuosity, practical
  • Canetti, Lindell, Ostrovsky, Sahai: non-interactive, trapdoor permutations, not practical
6
Our Results
  • Non-interactive, reusable, trapdoor commitments
  • 1-way functions: not practical
  • Strong RSA: very efficient
  • Unconditional binding or hiding on minimal
    assumptions

  • Common reference string (CRS) UC commitment (interactive or not) implies Secret Key Agreement
  • Uniform reference string UC commitment implies Oblivious Transfer
  • Application: Shorter CRS in Damgård-Nielsen UC commitment
7
Sigma-protocols
8
Signatures
Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (only need known message attack).
  • (vk,sk) ← SignatureKeyGenerator
  • Place vk on the CRS
  • To commit: simulate (a,m,z) ← Sim((vk,?),m), a proof of knowledge of a signature on ?.
  • Commitment c a
  • Decommitment d (m,z)
9
Commitment Scheme
CRS: vk for signatures, pk for unconditionally hiding honest sender commitment, hash a UOWHF
  • (c,d) HScommit_pk(ak)
  • ? hash(c)
  • (a,m,z) Sim((vk,?),m)
  • mac MAC_ak(a)

C (c,a,mac)
D (d,m,z)
10
Sketch of Security Proof
Trapdoor commitment scheme. If we know the
signature key sk we may open commitments as
anything, since we can answer any challenge m.
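An added example, not from the slides: the Signatures and Sketch of Security Proof slides commit by simulating a Σ-protocol transcript (a,m,z) and equivocate by answering any challenge m with the witness. The sketch below swaps in Schnorr's Σ-protocol for the proof of knowledge of a signature, so the trapdoor is a discrete log w rather than sk; the toy group parameters and all function names are assumptions.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P, Q prime, and G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Public h = g^w goes on the CRS; w is the trapdoor (plays the role of sk)."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w

def verify(h, a, m, z):
    """Accept transcript (a, m, z) iff g^z == a * h^m (mod P)."""
    return pow(G, z, P) == a * pow(h, m, P) % P

def commit(h, m):
    """Honest sender: pick z, then solve for a so that challenge m is answered.
    Commitment is a, decommitment is (m, z)."""
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(h, -m, P) % P
    return a, (m, z)

def trapdoor_commit():
    """Trapdoor holder: the real prover's first move a = g^r, remembering r."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), r

def trapdoor_open(w, r, m):
    """Answer any challenge m with z = r + m*w mod Q, as the real prover would."""
    return m, (r + m * w) % Q

def extract(opening1, opening2):
    """Special soundness: two openings of one commitment reveal the trapdoor,
    which is why a sender without w is bound to a single m."""
    (m1, z1), (m2, z2) = opening1, opening2
    return (z1 - z2) * pow((m1 - m2) % Q, -1, Q) % Q

def demo():
    h, w = keygen()
    a, (m, z) = commit(h, 123)                 # honest commit and open
    a2, r = trapdoor_commit()                  # one commitment ...
    o1, o2 = trapdoor_open(w, r, 5), trapdoor_open(w, r, 777)  # ... two openings
    return (verify(h, a, m, z), verify(h, a2, *o1), verify(h, a2, *o2),
            extract(o1, o2) == w)
```

Needs Python 3.8 or later for modular inverses via `pow`.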
11
Sketch of Security Proof II
12
Open Problems
  • Non-interactive NM commitment without a CRS.
  • Construction that allows histories, i.e., the
    adversary gets both commitments and some extra
    information about the contents.
  • UC secure Oblivious Transfer from UC commitment.