Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks

  • Rosario Gennaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3152)


We introduce the notion of multi-trapdoor commitments, which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption.

The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge.

The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Rosario Gennaro, IBM T.J. Watson Research Center, Yorktown Heights, USA