Statistical Concurrent Non-Malleable Zero-Knowledge from One-Way Functions

Published in: Journal of Cryptology

Abstract

Concurrent non-malleable zero-knowledge (\(\mathrm {CNMZK}\)) protocols are zero-knowledge protocols that provide security even when adversaries interact with multiple provers and verifiers simultaneously. It is known that \(\mathrm {CNMZK}\) arguments for \(\mathcal {NP}\) can be constructed in the plain model. Furthermore, it was recently shown that statistical \(\mathrm {CNMZK}\) arguments for \(\mathcal {NP}\) can also be constructed in the plain model. However, although the former requires only the existence of one-way functions, the latter requires the DDH assumption. In this paper, we construct a statistical \(\mathrm {CNMZK}\) argument for \(\mathcal {NP}\) assuming only the existence of one-way functions. The security is proven via black-box simulation, and the round complexity is \(\mathsf {poly}(n)\). Under the existence of collision-resistant hash functions, the round complexity is reduced to \(\omega (\log n)\), which is essentially optimal for black-box concurrent zero-knowledge protocols.

Notes

  1. The NM commitment scheme used here needs to be non-malleable w.r.t. commitment [7], which roughly says that the committed value of the commitment that the man-in-the-middle adversary gives is independent of the committed value of the commitment that the adversary receives. Since the definition of non-malleability w.r.t. commitment is meaningless when committed values cannot be uniquely determined, the NM commitment scheme used here cannot be statistically hiding.

  2. Specifically, Orlandi et al. [29] used a scheme such that (i) when the string is sampled from a uniform distribution, it is statistically hiding and (ii) when the string is taken from another (computationally indistinguishable) distribution, it is non-malleable.

  3. Actually, some of these constructions (namely, those by [17, 22]) satisfy only a slightly weaker notion called CCA security w.r.t. the committed value oracle.

  4. Since \(\mathcal {S}\) rewinds \(\mathcal {A}\) during the concurrent extraction of \(\mathsf {CCA}\text {-}\mathsf {CECom}\), \(\mathcal {S}\) may send the challenge message of \(\mathsf {sWIAOK}\) of a right session to \(\mathcal {A}\) multiple times. Here, \(\mathcal {SE}\) rewinds \(\mathcal {S}\) until the point just before \(\mathcal {S}\) sends it to \(\mathcal {A}\) on the “main thread.”

  5. If we use the robust extraction technique [12], for each left session there exists a rewinding strategy that allows us to extract witnesses from the right sessions without rewinding \(\mathsf {sWIAOK}\) of this left session. However, since what we want to show is that the values extracted in the right sessions by the rewinding strategy that \(\mathcal {SE}\) uses are unchanged, the robust extraction technique cannot be used here (unless there exists a rewinding strategy that allows us to extract witnesses from the right sessions without rewinding the \(\mathsf {sWIAOK}\) proof of every left session).

  6. Note that the wi-main thread is also a cec-main thread.

  7. For any prefix \(\rho \) of the transcript immediately before the challenge message of \(\mathsf {sWIAOK}\) of the ith right session, let p be the probability that the ith right session is accepted when the prefix of the transcript is \(\rho \). Then, we have \(\mathrm {E} \left[ T_i \mid \mathsf {prefix}_{\rho } \right] = p \cdot 1/p = 1\), where \(\mathsf {prefix}_{\rho }\) is the event that the prefix of the transcript is \(\rho \). Thus, we have \(\mathrm {E} \left[ T_i \right] = \sum _{\rho } \mathrm {E} \left[ T_i \mid \mathsf {prefix}_{\rho } \right] \Pr \left[ \mathsf {prefix}_{\rho } \right] = 1\).

  8. Recall that \(\mathsf {WIProof}\) consists of three stages: commit, challenge, and response.

  9. See Footnote 7.

  10. Note that the commit-messages of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)th right session appear only on the wi-main thread.

  11. In the scheme of [21, 23], the committer proves by a witness-indistinguishable proof of knowledge system that it knows either the committed value or trapdoor information. Since the scheme is designed so that the trapdoor is hidden from the committer, the committed value can be extracted by extracting the witness from the witness-indistinguishable proof.

References

  1. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci., 37(2), 156–189 (1988)

  2. B. Barak, M. Prabhakaran, A. Sahai, Concurrent non-malleable zero knowledge, in FOCS (2006), pp. 345–354

  3. R. Canetti, J. Kilian, E. Petrank, A. Rosen, Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds. SIAM J. Comput., 32(1), 1–47 (2002)

  4. R. Canetti, H. Lin, R. Pass, Adaptive hardness and composable security in the plain model from standard assumptions, in FOCS (2010), pp. 541–550

  5. R. Canetti, H. Lin, R. Pass, Adaptive hardness and composable security in the plain model from standard assumptions. SIAM J. Comput., 45(5), 1793–1834 (2016)

  6. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Delayed-input non-malleable zero knowledge and multi-party coin tossing in four rounds, in TCC (2017), pp. 771–742

  7. D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput., 30(2), 391–437 (2000)

  8. C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge. J. ACM, 51(6), 851–898 (2004)

  9. I. Damgård, T.P. Pedersen, B. Pfitzmann, Statistical secrecy and multibit commitments. IEEE Trans. Inf. Theory, 44(3), 1143–1151 (1998)

  10. U. Feige, A. Shamir, Witness indistinguishable and witness hiding protocols, in STOC (1990), pp. 416–426

  11. O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol., 9(3), 167–190 (1996)

  12. V. Goyal, H. Lin, O. Pandey, R. Pass, A. Sahai, Round-efficient concurrently composable secure computation via a robust extraction lemma, in TCC (2015), pp. 260–289

  13. V. Goyal, R. Moriarty, R. Ostrovsky, A. Sahai, Concurrent statistical zero-knowledge arguments for NP from one way functions, in ASIACRYPT (2007), pp. 444–459

  14. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput., 18(1), 186–208 (1989)

  15. J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4), 1364–1396 (1999)

  16. I. Haitner, M.-H. Nguyen, S.J. Ong, O. Reingold, S.P. Vadhan, Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput., 39(3), 1153–1218 (2009)

  17. S. Kiyoshima, Round-efficient black-box construction of composable multi-party computation, in CRYPTO (2014), pp. 351–368

  18. S. Kiyoshima, Y. Manabe, T. Okamoto, Constant-round black-box construction of composable multi-party computation protocol, in TCC (2014), pp. 343–367

  19. H. Lin, R. Pass, Non-malleability amplification, in STOC (2009), pp. 189–198

  20. H. Lin, R. Pass, Concurrent non-malleable zero knowledge with adaptive inputs, in TCC (2011), pp. 189–198

  21. H. Lin, R. Pass, Constant-round non-malleable commitments from any one-way function, in STOC (2011), pp. 705–714

  22. H. Lin, R. Pass, Black-box constructions of composable protocols without set-up, in CRYPTO (2012), pp. 461–478

  23. H. Lin, R. Pass, Constant-round nonmalleable commitments from any one-way function. J. ACM, 62(1), 5:1–5:30 (2015)

  24. H. Lin, R. Pass, W.-L.D. Tseng, M. Venkitasubramaniam, Concurrent non-malleable zero knowledge proofs, in CRYPTO (2010), pp. 429–446

  25. H. Lin, R. Pass, M. Venkitasubramaniam, Concurrent non-malleable commitments from any one-way function, in TCC (2008), pp. 571–588

  26. D. Micciancio, S.J. Ong, A. Sahai, S.P. Vadhan, Concurrent zero knowledge without complexity assumptions, in TCC (2006), pp. 1–20

  27. M. Naor, Bit commitment using pseudorandomness. J. Cryptol., 4(2), 151–158 (1991)

  28. M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in STOC (1989), pp. 33–43

  29. C. Orlandi, R. Ostrovsky, V. Rao, A. Sahai, I. Visconti, Statistical concurrent non-malleable zero knowledge, in TCC (2014), pp. 167–191

  30. R. Ostrovsky, O. Pandey, I. Visconti, Efficiency preserving transformations for concurrent non-malleable zero knowledge, in TCC (2010), pp. 535–552

  31. R. Pass, A. Rosen, New and improved constructions of non-malleable cryptographic protocols, in STOC (2005), pp. 533–542

  32. R. Pass, A. Rosen, New and improved constructions of nonmalleable cryptographic protocols. SIAM J. Comput., 38(2), 702–752 (2008)

  33. M. Prabhakaran, A. Rosen, A. Sahai, Concurrent zero knowledge with logarithmic round-complexity, in FOCS (2002), pp. 366–375

  34. R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in TCC (2009), pp. 403–418

  35. M. Venkitasubramaniam, On adaptively secure protocols, in SCN (2014), pp. 455–475

Author information

Correspondence to Susumu Kiyoshima.

Additional information

Communicated by Rafail Ostrovsky

This article is based on an earlier article: Statistical Concurrent Non-malleable Zero-knowledge from One-way Functions, in Proceedings of CRYPTO 2015, ©IACR 2015, https://doi.org/10.1007/978-3-662-48000-7_5. This work was done while the author was a member of NTT Secure Platform Laboratories.

Appendices

A. Constant-Round One-One CCA-Secure Commitment Scheme from OWF

In this section, we observe that from a result by Goyal et al. [12], it follows almost immediately that we can obtain a constant-round one-one CCA-secure commitment scheme from one-way functions.

Theorem 3

Assume the existence of one-way functions. Then, for any constant \(\kappa \in \mathbb {N}\), there exists a constant-round \(\kappa \)-robust one-one CCA-secure commitment scheme \(\mathsf {CCACom}^{1:1}\).

We use the following building blocks, where all of them can be constructed from one-way functions.

  • Constant-round non-malleable commitment scheme \(\mathsf {NMCom}\) that is also non-malleable w.r.t. any 4-round protocol. Specifically, we use the scheme by Lin and Pass [21, 23]. We remark that, like many other non-malleable commitment schemes, the scheme by [21, 23] also satisfies extractability (Footnote 11). (For the definitions of non-malleability and extractability, see Appendix B.)

  • Four-round witness-indistinguishable proof \(\mathsf {WIProof}\).

  • Constant-round zero-knowledge argument \(\mathsf {ZKArg}\) [11].

  • Concurrently extractable commitment scheme \(\mathsf {CECom}\) of Micciancio et al. [26] with parameter \(\ell = \max (\kappa , r_{\textsc {nm}}, 4) + 1\), where \(r_{\textsc {nm}}\) is the round complexity of \(\mathsf {NMCom}\). (See Sect. 3.3.)

    When \(\ell = \max (\kappa , r_{\textsc {nm}}, 4) + 1 = O(1)\), \(\mathsf {CECom}\) does not guarantee concurrent extractability. It is easy to see, however, that it guarantees the following “robust extractability” property: For any adversarial committer \(C^*\) that commits to a value in a single session of \(\mathsf {CECom}\) and simultaneously participates in an arbitrary \(\max (\kappa , r_{\textsc {nm}}, 4)\)-round protocol \(\Pi \), the extractor can extract the value that is committed by \(C^*\) without rewinding \(\Pi \). For details, see Appendix C.

\(\mathsf {CCACom}^{1:1}\) is shown in Fig. 8. We remark that \(\mathsf {CCACom}^{1:1}\) is almost identical to the CCA-secure commitment scheme of Goyal et al. [12]; essentially, the only difference is the parameter \(\ell \) of \(\mathsf {CECom}\). We prove its one-one CCA security in Section A.1 and prove its robustness in Section A.2.

Fig. 8: Constant-round one-one CCA-secure commitment scheme \(\mathsf {CCACom}^{1:1}\)

A.1 Proof of One-One CCA Security

For any adversary \(\mathcal {A}\) that interacts with the committed-value oracle only in a single session, we show that the following ensembles are computationally indistinguishable.

  • \(\left\{ \mathsf {IND}_0(\langle C,R \rangle , \mathcal {A}, n, z) \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*}\)

  • \(\left\{ \mathsf {IND}_1(\langle C,R \rangle , \mathcal {A}, n, z) \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*}\)

Toward this end, we consider a sequence of hybrid experiments in which the left session of \(\mathsf {IND}_b(\langle C,R \rangle , \mathcal {A}, n, z)\) is gradually modified so that \(\mathcal {A}\) receives no information about \(v_b\) in the last hybrid.

  • Hybrid \(H_{0}^{b}(n, z)\) is the same as \(\mathsf {IND}_b(\langle C,R \rangle , \mathcal {A}, n, z)\).

  • Hybrid \(H_{1}^{b}(n, z)\) is the same as \(H_{0}^{b}(n, z)\) except for the following.

    • In Stage 1 of the left session, the committed value r of the \(\mathsf {CECom}\) commitment is extracted by brute force. If the \(\mathsf {CECom}\) commitment is invalid or has more than one committed value, r is defined to be a random value.

    • In Stage 3 of the left session, the committed value of \(\mathsf {NMCom}\) is switched from \(0^n\) to r.

  • Hybrid \(H_{2}^{b}(n, z)\) is the same as \(H_{1}^{b}(n, z)\) except that in Stage 5 of the left session, the \(\mathsf {WIProof}\) proof is computed by using the witness for the fact that the committed value of the \(\mathsf {NMCom}\) commitment in Stage 3 is r. (Notice that from the statistical binding property of \(\mathsf {CECom}\), the probability that \(\mathcal {A}\) correctly decommits the \(\mathsf {CECom}\) commitment in Stage 1 to a value other than r is negligible.)

  • Hybrid \(H_{3}^{b}(n, z)\) is the same as \(H_{2}^{b}(n, z)\) except that in Stage 2 of the left session, the committed value of \(\mathsf {CECom}\) is switched from \(v_b\) to \(0^{n}\).

For each \(i\in \{0,1,2,3 \}\) and \(b\in \{0,1 \}\), let \(\mathsf {H}_i^b(n, z)\) be the random variable representing the output of \(H_i^b(n, z)\). From the construction, \(\mathcal {A}\) receives no information about \(v_b\) in \(H_{3}^{0}(n, z)\) and \(H_{3}^{1}(n, z)\), and hence \(\mathsf {H}_3^0(n, z)\) and \(\mathsf {H}_3^1(n, z)\) are identically distributed. Therefore, to show the indistinguishability between the above two ensembles, it suffices to prove that the outputs of each pair of neighboring hybrids are computationally indistinguishable.

Our strategy for proving the indistinguishability of each pair of neighboring hybrids is to reduce their indistinguishability to the security of \(\mathsf {NMCom}\), \(\mathsf {WIProof}\), and \(\mathsf {CECom}\). The problem with this strategy is the existence of the committed-value oracle: Since the oracle runs in super-polynomial time, the security of \(\mathsf {NMCom}\), \(\mathsf {WIProof}\), and \(\mathsf {CECom}\) might not hold against adversaries that interact with the oracle. We overcome this problem by showing that the oracle can be emulated efficiently without “disturbing” the security of \(\mathsf {NMCom}\), \(\mathsf {WIProof}\), and \(\mathsf {CECom}\). Specifically, we show that the oracle can be emulated by extracting the committed value of the \(\mathsf {CECom}\) commitment in Stage 2 of the right session using the extractability of \(\mathsf {CECom}\); since \(\mathsf {CECom}\) provides a robust extractability property, the extraction from \(\mathsf {CECom}\) does not disturb the security of \(\mathsf {NMCom}\), \(\mathsf {WIProof}\), and \(\mathsf {CECom}\). We remark that in the formal argument given below, we first show that \(\mathcal {A}\) “cheats” in the hybrids only with negligible probability, meaning that in the right session, the committed value of the \(\mathsf {NMCom}\) commitment in Stage 3 is equal to the committed value of the \(\mathsf {CECom}\) commitment in Stage 1 only with negligible probability. Showing that \(\mathcal {A}\) cheats only with negligible probability is crucial to showing that the oracle can be efficiently emulated. In particular, once we show that \(\mathcal {A}\) cheats only with negligible probability, we can use the soundness of \(\mathsf {WIProof}\) to argue that the \(\mathsf {CECom}\) commitment in Stage 2 is valid in the accepted right session except with negligible probability, and thus we can conclude that the extracted value is equal to the committed value when the right session is accepted. The formal argument is given below.

Let us say that \(\mathcal {A}\) cheats if the committed value of \(\mathsf {NMCom}\) in Stage 3 is equal to the committed value \(\widetilde{r}\) of \(\mathsf {CECom}\) in Stage 1 in the accepted right session. First, we show that \(\mathcal {A}\) cheats in \(H_0^b(n, z)\) only with negligible probability.

Claim 6

The probability that \(\mathcal {A}\) cheats in \(H_0^b(n, z)\) is negligible for each \(b\in \{0,1 \}\).

Proof

Roughly speaking, this claim follows from the hiding property of \(\mathsf {CECom}\): when the adversary cheats, we can obtain \(\widetilde{r}\) by extracting the committed value from \(\mathsf {NMCom}\), and thus we can obtain the committed value of a \(\mathsf {CECom}\) commitment before it is decommitted to. To formally implement this idea, it is important that no super-polynomial-time computation is performed during the execution of \(\mathsf {CECom}\) in Stage 1 of the right session. Fortunately, in \(H_0^b(n, z)\) no super-polynomial-time computation is indeed performed during \(\mathsf {CECom}\) of the right session, as super-polynomial-time computation is performed only at the end of the right session. (Recall that in the setting of one-one CCA security, \(\mathcal {A}\) interacts with the oracle only in a single session.) The formal argument is given below.

Assume for contradiction that there exists \(b\in \{0,1 \}\) such that \(\mathcal {A}\) cheats in \(H_0^b(n, z)\) with non-negligible probability. Fix any such b. To derive a contradiction, we consider the following hybrid experiments.

Hybrid \(H_{0:1}^b(n, z)\):

is the same as \(H_0^b(n, z)\) except that in Stage 3 of the right session, the committed value of the \(\mathsf {NMCom}\) commitment is extracted by using the extractability of \(\mathsf {NMCom}\). Clearly, the probability that \(\mathcal {A}\) cheats is still non-negligible in \(H_{0:1}^b(n, z)\). Hence, from the extractability of \(\mathsf {NMCom}\), the extracted value is equal to \(\widetilde{r}\) with non-negligible probability.

Hybrid \(H_{0:2}^b(n, z)\):

is the same as \(H_{0:1}^b(n, z)\) except that in Stage 1 of the right session, the \(\mathsf {ZKArg}\) proof is generated by using the simulator of \(\mathsf {ZKArg}\). From the zero-knowledge property of \(\mathsf {ZKArg}\), the probability that \(\widetilde{r}\) is extracted from \(\mathsf {NMCom}\) is still non-negligible in \(H_{0:2}^b(n, z)\).

We derive a contradiction by constructing an adversary \(\mathcal {B}\) that breaks the hiding property of \(\mathsf {CECom}\). Externally, \(\mathcal {B}\) interacts with a committer of \(\mathsf {CECom}\): It sends random \(\widetilde{r}_0, \widetilde{r}_1 \in \{0,1 \}^{n}\) to the committer and receives a \(\mathsf {CECom}\) commitment in which either \(\widetilde{r}_0\) or \(\widetilde{r}_1\) is committed. Internally, \(\mathcal {B}\) invokes \(\mathcal {A}\) and emulates \(H_{0:2}^b(n, z)\) for \(\mathcal {A}\) honestly except that in Stage 1 of the right session, \(\mathcal {B}\) forwards the \(\mathsf {CECom}\) commitment from the external committer to internal \(\mathcal {A}\). Finally, if the value extracted from \(\mathsf {NMCom}\) is \(\widetilde{r}_1\) in internally emulated \(H_{0:2}^b(n, z)\), \(\mathcal {B}\) outputs 1, and otherwise, it outputs 0. If \(\mathcal {B}\) receives a commitment to \(\widetilde{r}_1\), it outputs 1 with non-negligible probability from the above argument. On the other hand, if \(\mathcal {B}\) receives a commitment to \(\widetilde{r}_0\), it outputs 1 only with negligible probability since internal \(\mathcal {A}\) receives no information about \(\widetilde{r}_1\). Hence, \(\mathcal {B}\) breaks the hiding property of \(\mathsf {CECom}\). \(\square \)

Next, we show that \(\mathcal {A}\) cheats only with negligible probability in \(H_1^b(n, z)\), and we use it to prove that \(\mathsf {H}_0^b(n, z)\) and \(\mathsf {H}_1^b(n, z)\) are indistinguishable.

Claim 7

For each \(b\in \{0,1 \}\), the following hold.

  • The probability that \(\mathcal {A}\) cheats in \(H_1^b(n, z)\) is negligible.

  • \(\{\mathsf {H}_0^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_1^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) are computationally indistinguishable.

Proof

First, we show that \(\mathcal {A}\) cheats in \(H_1^b(n, z)\) with negligible probability for each \(b\in \{0,1 \}\). Roughly speaking, this follows from the non-malleability of \(\mathsf {NMCom}\): Since \(H_1^b(n, z)\) differs from \(H_0^b(n, z)\) only in the value committed to in \(\mathsf {NMCom}\) in the left session, the value that \(\mathcal {A}\) commits to by using \(\mathsf {NMCom}\) in the right session of \(H_1^b(n, z)\) is indistinguishable from the value that \(\mathcal {A}\) commits to by using \(\mathsf {NMCom}\) in the right session of \(H_0^b(n, z)\); hence, from Claim 6, the probability that \(\mathcal {A}\) cheats in \(H_1^b(n, z)\) is negligible. We remark that since the left session in \(H_1^b(n, z)\) involves the brute-force extraction of \(\mathsf {CECom}\) in Stage 1, in the formal argument given below we consider a hybrid experiment in which brute-force extraction is replaced with the rewinding extraction. Since we want to use the non-malleability of \(\mathsf {NMCom}\), this extraction is performed in such a way that \(\mathsf {NMCom}\) in the right session is not rewound. The formal argument is given below.

Assume for contradiction that there exists \(b\in \{0,1 \}\) such that \(\mathcal {A}\) cheats in \(H_1^b(n, z)\) with non-negligible probability. Fix any such b. To derive a contradiction, we consider the following hybrid experiment for \(i\in \{0,1 \}\).

  • Hybrid \(G_{i}^b(n, z)\) is the same as \(H_{i}^b(n, z)\) except for the following.

    • In Stage 1 of the left session, the committed value r of the \(\mathsf {CECom}\) commitment is extracted by using the extractability of \(\mathsf {CECom}\) instead of by brute force. Furthermore, this extraction is performed in such a way that the \(\mathsf {NMCom}\) commitment in the right session is not rewound (see Appendix C).

    • \(G_{i}^b(n, z)\) terminates immediately after \(\mathsf {NMCom}\) ends in Stage 3 of the right session.

    From the soundness of \(\mathsf {ZKArg}\), the \(\mathsf {CECom}\) commitment in Stage 1 of the left session is valid when the \(\mathsf {ZKArg}\) proof in Stage 1 of the left session is accepted. Hence, when Stage 3 is executed in the left session, the value extracted from the \(\mathsf {CECom}\) commitment in Stage 1 is equal to its (unique) committed value. Since the only difference between \(G_{i}^b(n, z)\) and \(H_{i}^b(n, z)\) is how r is extracted, the view of \(\mathcal {A}\) in \(G_{i}^b(n, z)\) is statistically close to that in \(H_{i}^b(n, z)\). Therefore, \(\mathcal {A}\) cheats in \(G_{0}^b(n, z)\) with negligible probability from Claim 6, and \(\mathcal {A}\) cheats in \(G_{1}^b(n, z)\) with non-negligible probability from our hypothesis.

We then derive a contradiction by constructing an adversary \(\mathcal {M}\) that breaks the non-malleability of \(\mathsf {NMCom}\). Externally, \(\mathcal {M}\) interacts with a committer and a receiver of \(\mathsf {NMCom}\): It sends \(0^{n}\) and \(r\in \{0,1 \}^{n}\) to the committer and receives a \(\mathsf {NMCom}\) commitment in which either \(0^{n}\) or r is committed to; at the same time, it sends a \(\mathsf {NMCom}\) commitment to the receiver. Internally, \(\mathcal {M}\) invokes \(\mathcal {A}\) and emulates \(G_{0}^b(n, z)\) for \(\mathcal {A}\) honestly except for the following.

  • After r is extracted in Stage 1 of the left session, \(\mathcal {M}\) sends \(0^{n}\) and r to the external committer.

  • In Stage 3 of the left session, \(\mathcal {M}\) forwards the \(\mathsf {NMCom}\) commitment from the external committer to internal \(\mathcal {A}\).

  • In Stage 3 of the right session, \(\mathcal {M}\) forwards the \(\mathsf {NMCom}\) commitment from the internal \(\mathcal {A}\) to the external receiver.

From the construction, \(\mathcal {M}\) perfectly emulates \(G_0^b(n, z)\) when it receives a \(\mathsf {NMCom}\) commitment to \(0^{n}\), and it perfectly emulates \(G_1^b(n, z)\) when it receives a \(\mathsf {NMCom}\) commitment to r. Hence, when \(\mathcal {M}\) receives a \(\mathsf {NMCom}\) commitment to \(0^{n}\), internal \(\mathcal {A}\) cheats with negligible probability, and when \(\mathcal {M}\) receives a \(\mathsf {NMCom}\) commitment to r, internal \(\mathcal {A}\) cheats with non-negligible probability. Then, since the cheating of \(\mathcal {A}\) is efficiently recognizable given the view of \(\mathcal {M}\) and the committed value of the \(\mathsf {NMCom}\) commitment in the right session, \(\mathcal {M}\) breaks the non-malleability of \(\mathsf {NMCom}\).

Next, we show that \(\{\mathsf {H}_0^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_1^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) are computationally indistinguishable. Roughly speaking, this indistinguishability follows from the hiding of \(\mathsf {NMCom}\): Since \(\mathcal {A}\) cheats only with negligible probability both in \(H_0^b(n, z)\) and in \(H_1^b(n, z)\), the \(\mathsf {CECom}\) commitment in Stage 2 is valid in the accepted right session in both hybrids; hence the committed-value oracle can be efficiently emulated by extracting the committed value of the \(\mathsf {CECom}\) commitment in Stage 2, and thus the indistinguishability follows from the hiding property of \(\mathsf {NMCom}\). Here, since we want to use the hiding property of \(\mathsf {NMCom}\), the extraction from \(\mathsf {CECom}\) is performed in such a way that \(\mathsf {NMCom}\) in the left session is not rewound. The formal argument is given below.

Assume for contradiction that there exists \(b\in \{0,1 \}\) such that \(\{\mathsf {H}_0^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_1^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) are distinguishable. Fix any such b. From Claim 6 and what is shown above, \(\mathcal {A}\) cheats only with negligible probability both in \(H_0^b(n, z)\) and in \(H_1^b(n, z)\). Hence, from the soundness of \(\mathsf {WIProof}\), the \(\mathsf {CECom}\) commitment in Stage 2 is invalid in the accepted right session only with negligible probability. Therefore, for infinitely many \(n\), there exists \(z\in \{0,1 \}^{*}\) and a polynomial \(p(\cdot )\) such that (i) \(\mathsf {H}_0^b(n, z)\) and \(\mathsf {H}_1^b(n, z)\) are distinguishable with advantage \(1/p(n)\) and (ii) the \(\mathsf {CECom}\) commitment in Stage 2 of the right session is invalid in the accepted right session with probability at most \(1/2p(n)\) in both \(H_0^b(n, z)\) and \(H_1^b(n, z)\). Fix any such \(n\) and z. From an average argument, there exists a partial transcript \(\rho \) of \(H_0^b(n, z)\) up until the end of Stage 1 of the left session such that under the condition that a prefix of the transcript is \(\rho \), both of the above (i) and (ii) hold. Let r be the value that is committed to in Stage 1 of the left session in \(\rho \). (If the committed value is not uniquely determined, r is a random value.) We consider the following two cases.

Case 1. Stage 2 of the right session has already started in \(\rho \). Since the committed value of a \(\mathsf {CECom}\) commitment is determined by the first message, \(\rho \) uniquely determines the committed value \(\widetilde{v}\) of the \(\mathsf {CECom}\) commitment in Stage 2 of the right session. Notice that given \(\rho \), r, and \(\widetilde{v}\) as auxiliary input, \(H_0^b(n, z)\) and \(H_1^b(n, z)\) can be executed from \(\rho \) in polynomial time. Hence, we can derive a contradiction by considering an adversary that breaks the hiding property of \(\mathsf {NMCom}\) by internally emulating \(H_0^b(n, z)\) from \(\rho \) and forwarding a \(\mathsf {NMCom}\) commitment from the external committer (who commits to either \(0^{n}\) or r) to internally emulated \(\mathcal {A}\).

Case 2. Stage 2 of the right session starts after \(\rho \). We consider the following hybrid experiment.

  • In Hybrid \(F_i^b(n, z)\), \(H_i^b(n, z)\) is executed from \(\rho \) honestly except for the following.

    • In the left session, brute-force extraction of r is not performed, and hardwired r is used.

    • In Stage 2 of the right session, the committed value \(\widetilde{v}\) of the \(\mathsf {CECom}\) commitment is extracted by using the extractability of \(\mathsf {CECom}\) in such a way that \(\mathsf {NMCom}\) in Stage 3 is not rewound in the left session.

    • At the end of the right session, the extracted value \(\widetilde{v}\) is returned to \(\mathcal {A}\) as the committed value of the right session.

From the definition of \(\rho \), the \(\mathsf {CECom}\) commitment in Stage 2 of the right session is invalid in the accepted right session with probability at most \(1/2p(n)\). Since the output of \(F_i^b(n, z)\) differs from that of \(H_i^b(n, z)\) only when the correct committed value is not extracted in the accepted right session (which occurs with probability at most \(1/2p(n)\) from the above), from our hypothesis, the outputs of \(F_0^b(n, z)\) and \(F_1^b(n, z)\) are distinguishable with advantage \(1/2p(n)\). Then, since \(F_0^b(n, z)\) and \(F_1^b(n, z)\) differ only in the value committed to in \(\mathsf {NMCom}\) and since both experiments run in polynomial time, we can derive a contradiction by considering an adversary that internally emulates \(F_0^b(n, z)\) and forwards a \(\mathsf {NMCom}\) commitment from the external committer to internally emulated \(\mathcal {A}\). \(\square \)

In the same way as above, we can prove that the outputs of the other neighboring hybrids are also indistinguishable.

Claim 8

For each \(b\in \{0,1 \}\), the following hold.

  • The probability that \(\mathcal {A}\) cheats in \(H_2^b(n, z)\) is negligible.

  • \(\{\mathsf {H}_1^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_2^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) are computationally indistinguishable.

Proof

This claim can be proven in essentially the same way as Claim 7. First, we can show that \(\mathcal {A}\) cheats in \(H_2^b(n, z)\) only with negligible probability by using the same argument except that we use the non-malleability w.r.t. 4-round protocols of \(\mathsf {NMCom}\) instead of its (standard) non-malleability. (Recall that \(H_2^b(n, z)\) differs from \(H_1^b(n, z)\) only in the witness used in \(\mathsf {WIProof}\), which has four rounds.) Next, we can show the indistinguishability between \(\{\mathsf {H}_1^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_2^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) by using the same argument except that we use the witness indistinguishability of \(\mathsf {WIProof}\) instead of the hiding property of \(\mathsf {NMCom}\). We omit the formal proof. \(\square \)

Claim 9

For each \(b\in \{0,1 \}\), the following hold.

  • The probability that \(\mathcal {A}\) cheats in \(H_3^b(n, z)\) is negligible.

  • \(\{\mathsf {H}_2^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) and \(\{\mathsf {H}_3^b(n, z) \}_{n\in \mathbb {N}, z\in \{0,1 \}^*}\) are computationally indistinguishable.

Proof

Like Claim 8, this claim can be proven in essentially the same way as Claim 7. We remark, however, that since the round complexity of \(\mathsf {CECom}\) is much larger than four, we need to consider a sequence of intermediate hybrid experiments in which the committed values of the \(\mathsf {ExtCom}\) commitments in \(\mathsf {CECom}\) are switched one by one. We omit the formal proof. \(\square \)

This concludes the proof of one-one CCA security.

A.2 Proof of \(\kappa \)-robustness

We show that there exists a simulator \(\mathcal {S}\) such that for any adversary \(\mathcal {A}\) that interacts with the committed-value oracle only in a single session, and for any \(\kappa \)-round \(\textsc {ppt} \) ITM B, the following are computationally indistinguishable:

  • \(\left\{ \mathsf {output}_{B, \mathcal {A}^{\mathcal {O}}}\left[ B(1^{n}, x, y) \leftrightarrow \mathcal {A}^{\mathcal {O}}(1^{n}, x, z) \right] \right\} _{n\in \mathbb {N},x,y,z\in \{0,1 \}^{n}}\)

  • \(\left\{ \mathsf {output}_{B, \mathcal {S}^{\mathcal {A}}}\left[ B(1^{n}, x, y) \leftrightarrow \mathcal {S}^{\mathcal {A}}(1^{n}, x, z) \right] \right\} _{n\in \mathbb {N},x,y,z\in \{0,1 \}^{n}}\)

This can be shown easily by using the argument we used in the proof of one-one CCA security. Roughly, we consider a simulator that emulates \(\mathcal {O}\) for \(\mathcal {A}\) efficiently by extracting the committed value of the \(\mathsf {CECom}\) commitment in Stage 2 using the robust extractability of \(\mathsf {CECom}\) in such a way that the interaction with B is not rewound. (Since we set \(\ell = \max (\kappa , r_{\textsc {nm}}, 4)+1\), such extraction is possible.) To show that this simulator indeed emulates the oracle for \(\mathcal {A}\), we need to show that the \(\mathsf {CECom}\) commitment in Stage 2 is invalid in the accepted right session only with negligible probability. This can be shown by using the argument in the proof of Claim 6. Hence, by using this simulator, we can prove the \(\kappa \)-robustness. The formal proof is omitted.

B. Additional Definitions

In this section, we give the definitions that are used in Appendix A.

B.1 Non-Malleable Commitment Schemes

We recall the definition of non-malleable commitment schemes from [25]. For convenience, we use a slightly different presentation (based on indistinguishability rather than simulation), which is used in [19, 20]. Let \(\langle C,R \rangle \) be a tag-based commitment scheme. For any man-in-the-middle adversary \(\mathcal {M}\), consider the following experiment. On input security parameter \(n\in \mathbb {N}\) and auxiliary input \(z\in \{0,1 \}^*\), \(\mathcal {M}\) participates in one left and one right interactions simultaneously. In the left interaction, \(\mathcal {M}\) interacts with a committer of \(\langle C,R \rangle \) and receives a commitment to value v using identity \(\mathsf {id}\in \{0,1 \}^{n}\) of its choice. In the right interaction, \(\mathcal {M}\) interacts with a receiver of \(\langle C,R \rangle \) and gives a commitment using identity \(\widetilde{\mathsf {id}}\) of its choice. Let \(\widetilde{v}\) be the value that \(\mathcal {M}\) commits to on the right. If the right commitment is invalid or undefined, \(\widetilde{v}\) is defined to be \(\bot \). If \(\mathsf {id}= \widetilde{\mathsf {id}}\), value \(\widetilde{v}\) is also defined to be \(\bot \). Let \(\mathsf {mim}(\langle C,R \rangle , \mathcal {M}, v, z)\) denote a random variable representing \(\widetilde{v}\) and the view of \(\mathcal {M}\) in the above experiment.

Definition 9

A commitment scheme \(\langle C,R \rangle \) is non-malleable if for any \(\textsc {ppt} \) man-in-the-middle adversary \(\mathcal {M}\), the following are computationally indistinguishable.

  • \(\{\mathsf {mim}(\langle C,R \rangle , \mathcal {M}, v, z) \}_{n\in \mathbb {N}, v\in \{0,1 \}^{n},v'\in \{0,1 \}^{n},z\in \{0,1 \}^*}\)

  • \(\{\mathsf {mim}(\langle C,R \rangle , \mathcal {M}, v',z) \}_{n\in \mathbb {N}, v\in \{0,1 \}^{n},v'\in \{0,1 \}^{n},z\in \{0,1 \}^*}\)

Non-malleability w.r.t. \(\kappa \)-round Protocols

We also recall the definition of non-malleability w.r.t. \(\kappa \)-round protocols [19], which is an additional property for non-malleable commitment schemes. (In [19], this property is also referred to as \(\kappa \)-robustness. We refer to this property as non-malleability w.r.t. \(\kappa \)-round protocols to distinguish it from the \(\kappa \)-robustness for CCA secure commitment schemes, which is also used in this work.)

Consider a man-in-the-middle adversary \(\mathcal {M}\) that participates in a left interaction—communicating with a machine B—and a right interaction—acting as a committer by using the commitment scheme \(\langle C,R \rangle \). As in the standard definition of non-malleability, \(\mathcal {M}\) can choose the identity in the right interaction. We denote by \(\mathsf {mim}(\langle C,R \rangle , B, \mathcal {M}, y, z)\) the random variable consisting of the view of \(\mathcal {M}(z)\) in a man-in-the-middle execution when communicating with B(y) on the left and an honest receiver on the right, combined with the values that \(\mathcal {M}(z)\) commits to on the right. Intuitively, we say that \(\langle C,R \rangle \) is non-malleable w.r.t. B if \(\mathsf {mim}(\langle C,R \rangle , B, \mathcal {M}, y_1, z)\) and \(\mathsf {mim}(\langle C,R \rangle , B, \mathcal {M}, y_2, z)\) are indistinguishable whenever interactions with \(B(y_1)\) and \(B(y_2)\) cannot be distinguished.

Definition 10

Let \(\langle C,R \rangle \) be a commitment scheme and B be a \(\textsc {ppt} \) ITM. We say that the commitment scheme \(\langle C,R \rangle \) is non-malleable w.r.t. B if for every two sequences \(\{y_{n}^{1} \}_{n\in \mathbb {N}}\) and \(\{y_{n}^{2} \}_{n\in \mathbb {N}}\) such that for all \(\textsc {ppt} \) ITM \(\mathcal {A}\) it holds that

$$\begin{aligned}&\left\{ \mathsf {view}_{\mathcal {A}}\left[ B(1^{n}, y_{n}^1) \leftrightarrow \mathcal {A}(1^{n}, z) \right] \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*} \\&\quad \approx \left\{ \mathsf {view}_{\mathcal {A}}\left[ B(1^{n}, y_{n}^2) \leftrightarrow \mathcal {A}(1^{n}, z) \right] \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*} , \end{aligned}$$

it also holds that for every \(\textsc {ppt} \) man-in-the-middle adversary \(\mathcal {M}\),

$$\begin{aligned} \left\{ \mathsf {mim}(\langle C,R \rangle , B, \mathcal {M}, y_{n}^1, z) \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*} \approx \left\{ \mathsf {mim}(\langle C,R \rangle , B, \mathcal {M}, y_{n}^2, z) \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^*} . \end{aligned}$$

We say that \(\langle C,R \rangle \) is non-malleable w.r.t. \(\kappa \)-round protocols if \(\langle C,R \rangle \) is non-malleable w.r.t. any machine B that interacts with the man-in-the-middle adversary in \(\kappa \) rounds.

B.2 Extractable Commitment Scheme

We recall the definition of extractable commitment schemes from [34]. Roughly speaking, a commitment scheme is extractable if there exists an expected polynomial-time oracle machine (called an extractor) E such that for any committer \(C^*\) that generates a commitment, \(E^{C^*}\) extracts the committed value when the commitment is valid. We note that when the commitment is invalid, E can output an arbitrary garbage value.

Formally, extractable commitment schemes are defined as follows. A commitment scheme \(\langle C,R \rangle \) is extractable if there exists an expected polynomial-time extractor E such that for any \(\textsc {ppt} \) committer \(C^*\), the extractor \(E^{C^*}\) outputs a pair \((\tau , \sigma )\) that satisfies the following properties.

  • \(\tau \) is identically distributed with the view of \(C^*\) that interacts with an honest receiver R in the commit phase of \(\langle C,R \rangle \). Let \(c_{\tau }\) be the commitment that \(C^*\) gives in \(\tau \).

  • If \(c_{\tau }\) is accepting, then \(\sigma \ne \bot \) except with negligible probability.

  • If \(\sigma \ne \bot \), then it is statistically impossible to decommit \(c_{\tau }\) to any value other than \(\sigma \).

C. On the Robust Extractability of \(\mathsf {CECom}\)

In this section, we observe that for any constant \(\kappa \in \mathbb {N}\), \(\mathsf {CECom}\) with parameter \(\ell = \kappa + 1\) satisfies the following robust extractability property: For any adversarial committer \(C^*\) that commits to a value in a single session of \(\mathsf {CECom}\) and simultaneously participates in an arbitrary \(\kappa \)-round protocol \(\Pi \), the extractor can extract the committed value from \(C^*\) without rewinding \(\Pi \). This property is used to obtain a constant-round one-one CCA-secure commitment scheme in Appendix A.

Recall that in \(\mathsf {CECom}\), the extractable commitment scheme \(\mathsf {ExtCom}\) of [34] is executed \(\ell \) times in the following schedule (cf. Fig. 1 in Sect. 3.3).

  1. First, the commit-stage messages of all the sessions (of \(\mathsf {ExtCom}\)) are exchanged in parallel.

  2. Subsequently, the challenge-stage message and the reply-stage message of the ith session are exchanged for each \(i\in [\ell ]\) in sequence.

Let us call the pair of the challenge-stage message and the reply-stage message of an \(\mathsf {ExtCom}\) commitment a slot. Since the committed value of an \(\mathsf {ExtCom}\) commitment can be extracted by rewinding the slot and obtaining a new pair of the challenge-stage message and the reply-stage message (see Fig. 2 in Sect. 3.3), the committed value of a \(\mathsf {CECom}\) commitment can be extracted by rewinding any of the \(\ell \) slots.

Consider the following extractor E against any adversarial committer \(C^*\). Externally, E participates in a \(\kappa \)-round protocol \(\Pi \). Internally, E invokes \(C^*\) and forwards all messages of \(\Pi \) from the external party to the internal \(C^*\) and vice versa; additionally, E interacts with \(C^*\) in a session of \(\mathsf {CECom}\) as an honest receiver. (Without loss of generality, we assume that after \(C^*\) sends a message of \(\Pi \) [resp., a message of \(\mathsf {CECom}\)], \(C^*\) immediately receives the next message of \(\Pi \) [resp., the next message of \(\mathsf {CECom}\)].) When the session of \(\mathsf {CECom}\) ends, E extracts the committed value of the session by rewinding \(C^*\) in a slot that does not “interleave” with any message of \(\Pi \) (i.e., a slot such that \(C^*\) does not exchange any message of \(\Pi \) after receiving the challenge-stage message of the slot until it sends the reply-stage message of the slot; notice that such a slot always exists because there are \(\ell = \kappa +1\) sequential slots and only \(\kappa \) messages of \(\Pi \)). Specifically, E continues to rewind such a slot until it obtains a new pair of the challenge-stage message and the reply-stage message. If \(C^*\) requires a message of \(\Pi \) after being rewound, E cuts off the execution of \(C^*\) immediately and rewinds \(C^*\) again. After obtaining a new pair of the challenge-stage message and the reply-stage message, E extracts the committed value by using them.

From the construction, E perfectly emulates the view of \(C^*\) and does not rewind the external protocol \(\Pi \). Also, from the extractability of \(\mathsf {ExtCom}\), the extraction fails only with negligible probability. Hence, it remains to show that E runs in (expected) polynomial time. This can be shown easily by using the standard “\(p \times 1/p\)” argument as follows. For any \(i\in [\ell ]\) and any partial view \(\rho _i\) of \(C^*\) from which the ith slot starts, let \(\mathsf {prefix}_{\rho _i}\) be the event that, in the execution of E, the view of the internal \(C^*\) up until the beginning of the ith slot is \(\rho _i\). Let \(T_i\) be the random variable representing the number of rewindings in the ith slot in E, and let \(p_{\rho _i}\) be the probability that, conditioned on \(\mathsf {prefix}_{\rho _i}\), the ith slot is accepting and does not interleave with any message of \(\Pi \). We then have

$$\begin{aligned} \mathrm {E} \left[ T_i \mid \mathsf {prefix}_{\rho _i} \right] \le p_{\rho _i} \cdot 1/p_{\rho _i} = 1 \end{aligned}$$

for any \(\rho _{i}\). Thus, we have

$$\begin{aligned} \mathrm {E} \left[ T_i \right] = \sum _{\rho _i} \mathrm {E} \left[ T_i \mid \mathsf {prefix}_{\rho _i} \right] \Pr \left[ \mathsf {prefix}_{\rho _i} \right] \le \sum _{\rho _i} \Pr \left[ \mathsf {prefix}_{\rho _i} \right] \le 1 . \end{aligned}$$

Hence, from the linearity of expectation, the expected number of rewindings of \(C^*\) in the execution of E is at most \(\ell \), and thus the expected running time of E can be bounded by a polynomial.
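As an added illustration (not code from the paper), the following Python toy models the extractor E of this appendix: the pigeonhole choice of a slot that does not interleave with \(\Pi \), and the rewinding of only that slot with a cut-off whenever \(C^*\) demands a \(\Pi \) message. The \(\mathsf {ExtCom}\) sessions are replaced by a share-based stand-in with no hiding property, and the Committer class, its pi_rate parameter and the event transcript are constructed assumptions.

```python
import random
# Toy model (added here, not from the paper) of the extractor E of Appendix C.
# ExtCom is a share-based stand-in with no hiding: two accepting replies reveal v.
def choose_slot(events, ell):
    """Pick a slot whose challenge..reply window holds no message of the external
    kappa-round protocol Pi.  events is a constructed transcript of ("chal", i),
    ("reply", i), ("pi", j); with ell = kappa+1 slots a free slot must exist."""
    open_slot, tainted = None, set()
    for kind, i in events:
        if kind == "chal":
            open_slot = i
        elif kind == "pi" and open_slot is not None:
            tainted.add(open_slot)        # a Pi message fell inside this slot
        elif kind == "reply":
            open_slot = None
    for i in range(ell):
        if i not in tainted:
            return i
    raise ValueError("every slot interleaves with Pi; need ell > kappa")

class Committer:
    """Simulated C*: n-bit value v committed in ell sessions of n share pairs that
    XOR to v; a challenge bit picks the share revealed.  Once rewound, C* demands
    a Pi message with probability pi_rate (constructed), forcing E to cut off."""
    def __init__(self, v, n, ell, pi_rate, seed):
        self.rng, self.n, self.pi_rate = random.Random(seed), n, pi_rate
        self.shares = [[(v ^ r, r) for r in (self.rng.getrandbits(n) for _ in range(n))]
                       for _ in range(ell)]
    def reply(self, slot, challenge, rewound):
        if rewound and self.rng.random() < self.pi_rate:
            return None                   # "needs a Pi message": E cuts off here
        return [self.shares[slot][j][e] for j, e in enumerate(challenge)]

def extract(committer, events, ell, seed):
    """E: play the chosen slot once honestly, then rewind only that slot until a
    second accepting reply to a different challenge arrives."""
    rng, n = random.Random(seed), committer.n
    slot = choose_slot(events, ell)
    e1 = [rng.getrandbits(1) for _ in range(n)]
    r1 = committer.reply(slot, e1, rewound=False)
    rewinds = 0
    while True:
        rewinds += 1
        e2 = [rng.getrandbits(1) for _ in range(n)]
        r2 = committer.reply(slot, e2, rewound=True)
        if r2 is not None and e2 != e1:   # accepting, non-interleaving, fresh
            break
    j = next(j for j in range(n) if e1[j] != e2[j])
    return r1[j] ^ r2[j], slot, rewinds   # v, chosen slot, rewinds used
```

With pi_rate \(= q\), a rewound run of the slot is accepting and non-interleaving with probability \(p \approx 1 - q\), so the loop takes about \(1/p\) iterations on average; the factor \(p\) in the bound above comes from the main thread, which only reaches the rewinding when the slot was accepting there.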

Kiyoshima, S. Statistical Concurrent Non-Malleable Zero-Knowledge from One-Way Functions. J Cryptol 33, 1318–1361 (2020). https://doi.org/10.1007/s00145-020-09348-x
