1 Introduction

Commitment schemes are fundamental in Cryptography. They require a sender to fix a message that can not be changed anymore, but that will remain hidden to a receiver until the sender decides to reveal it.

In order to model modern real-world adversaries, commitment schemes have been proposed with additional security properties. Here we consider the intriguing question of constructing a scheme that remains secure against man-in-the-middle (MiM) attacks: a non-malleable (NM) commitment scheme [15].

Pass proved that NM commitments require at least 3 rounds [41] when security is proved through a black-box reduction to a falsifiable (polynomial or subexponential time) hardness assumption. Instead, by weakening the security definition to admit an inefficient challenger, constructions of non-interactive NM commitments are known [38].

The round complexity of NM commitment schemes in the standard model has puzzled researchers for a long time. Starting from the construction of [15] that required a logarithmic number of rounds, various constant-round schemes were proposed [1, 19, 20, 28, 29, 42-44, 46], reducing the round complexity to 4 rounds [5, 11, 23] with respect to concurrent MiM attacks, a setting that corresponds to what can actually happen when sender and receiver are connected through a communication network like the Internet. In this much more interesting setting a MiM adversary receives multiple commitments from senders and sends his commitments to multiple receivers.

1.1 Towards 3-Round (Concurrent) NM Commitments

The existence of 3-round NM commitment schemes is an important question first because 3 is the best possible constant (in light of the lower bound of [41]), and second because 3 is the smallest number of rounds for a primitive that often makes use of commitment schemes: proofs of knowledge.

The importance of obtaining 3-round (and not just any constant-round) NM commitments motivated the very recent and innovative work of [22] that, by just relying on any non-interactive commitment scheme and exploiting the power of non-malleable codes in the split-state model, shows a 3-round NM commitment scheme. Interestingly, this construction is not claimed to be secure against concurrent man-in-the-middle attacks. Therefore the following natural and important question remains open.

Main Open Question: Can we construct a 3-round concurrent non-malleable commitment scheme matching the lower bound of [41]?

Other 3-Round Challenges. We list here 3 other interesting settings where no 3-round construction is known against concurrent MiM adversaries.

  • Proofs of knowledge are very useful in Cryptography. Despite their importance, there is no construction for 3-round proofs of knowledge (PoK) that is sufficiently secure under concurrent MiM attacks. This is due to the fact that such attacks are in general extremely difficult to deal with. Even though there exist constructions with a constant number of rounds, the case of just 3 rounds has so far remained unsolved.

  • In [27] Lapidot and Shamir proposed a 3-round public-coin witness indistinguishable PoK for NP (the LS protocol) where the input (except its size) is needed only when playing the 3rd round. This special completeness property, named “delayed input” in [12, 13], has been used in many applications (e.g., [14, 24, 26, 48, 49], in particular recently [11, 18, 24, 33]), and in [12, 13] it was considered for the OR composition of \(\varSigma \)-protocols instead of relying on LS. When a PoK is used as a sub-protocol the delayed-input feature is instrumental to give a better round complexity to the external protocol. An additional feature of delayed-input protocols is that they allow to shift a large part of the computation to an off-line phase. Unfortunately the LS protocol and the PoKs of [12, 12] are not secure against concurrent MiM attacks and this penalizes those applications where both round complexity and security against concurrent MiM attacks are important.

  • We notice that identification schemes have often been proposed (e.g., [17]) through the paradigm of proving “knowledge” of a secret. Under this formulation there are constant-round constructions that are proven secure against concurrent MiM attacks [2]. However no 3-round scheme known in the literature is proven secure in presence of a concurrent MiM adversary.

1.2 Results of This Work

In this work we study 3-round commitment schemes in presence of concurrent MiM attacks and answer the above open problems in the positive.

3-Round Concurrent NM Commitment Schemes. In the main result of this submission, we show a transform that, on input any 3-round NM commitment scheme, gives a 3-round concurrent NM commitment scheme. The construction of [22] can be used to instantiate our transform, therefore obtaining a 3-round concurrent NM commitment scheme based on any one-way permutation secure against subexponential-time adversaries. Moreover our scheme (still when instantiated with the one of [22] and using a proper one-way permutation) is public coin and (if desired) has the delayed-input property.

Our transform extends the security of the underlying commitment scheme to multiple receivers. It is known that this implies security also with multiple senders [30]. The crucial idea of our transform is to combine the underlying NM commitment scheme along with a one-time pad, to produce a commitment of a message that by itself, in case of a malleability attack, will have sufficient structure to be recognized by a distinguisher in the session in which it appears. Therefore a successful concurrent MiM even playing multiple commitments with multiple receivers will have to maul the underlying commitment scheme in at least one session. Since the message has sufficient structure with respect to that single session, we are able to translate the concurrent MiM attack into a non-concurrent MiM that violates the security of the underlying (non-concurrent) NM commitment scheme. We will implement the idea of committing to a message with structure by forcing a successful concurrent MiM to commit to the solution of a puzzle in at least one session. We will use complexity leveraging to show that the attack of the concurrent MiM is indistinguishable from the attack of a polynomial-time simulator that plays with receivers only.

Just for completeness, we also show an explicit concurrent MiM adversary \({\mathcal {A}}\) for the scheme of [21]. The crucial point here, following a technique of [16], is that the scheme of [21] allows \({\mathcal {A}}\) to spread the message committed by the honest sender over several commitments that the adversary sends to multiple receivers. The scheme presented in [22] is slightly different and became available after our work was already submitted, therefore when describing \({\mathcal {A}}\) we stick with [21].

3-Round Arguments of Knowledge and ID Schemes Against Concurrent MiM Attacks. Our 3-round concurrent NM commitment scheme is a commit-and-prove argument of knowledge (AoK). This means that one can see our scheme as a commitment followed by an AoK about the committed value. By applying a simple change to the statement of the underlying AoK we obtain a 3-round concurrent NM witness-indistinguishable AoK (concurrent NMWIAoK), a notion introduced in [34] and later on extended in [31]. We stress that the delayed-input and public-coin properties of our commitment scheme are preserved by our concurrent NMWIAoK.

In [34] it is shown how to get concurrent NM zero knowledge (NMZK) in the bare public-key (BPK) model [6] with just two executions of a concurrent NMWIAoK. Therefore we directly obtain a round-efficient concurrent NMZKAoK in the BPK model. By making use of delayed-input completeness the simulator can extend a main thread avoiding issues due to aborting adversaries as discussed in [36, 47].

Finally, we notice that one can get an identification scheme secure in the PoK sense in the concurrent setting of [2] as well as under the stronger definition based on matching conversations of [3, 25] naturally extended to concurrent sessions. Following [9, 34], the key idea consists in using an identity that has two possible secrets such that knowledge of one witness does not allow to compute the other one in polynomial time. By using our implementation of a concurrent NMWIAoK for proving knowledge of a secret associated with such an identity we obtain a 3-round identification scheme secure against concurrent MiM attacks.

Challenges for Future Work. The existence of OWPs is a standard falsifiable hardness assumption. Our scheme relies on a strengthening of this standard assumption w.r.t. subexponential-time adversaries. Notice that the lower bound of [41] still applies in case of subexponential-time hardness, therefore our 3-round concurrent non-malleable scheme is round optimal. Various natural and fascinating questions on commitments and proofs of knowledge remain open after our work and as such we think our results will motivate further research. Examples of open questions about concurrent NM commitments are the following: (1) the existence of 3-round schemes based on standard falsifiable hardness assumptions w.r.t. polynomial-time adversaries only; (2) the existence of 3-round schemes with black-box use of primitives; (3) the existence of practical schemes.

2 Notation, Definitions and Tools

We denote the security parameter by \(\lambda \) and use “|” as concatenation operator (i.e., if a and b are two strings then by a|b we denote the concatenation of a and b). For a finite set Q, \(x\leftarrow Q\) denotes the algorithm that chooses x from Q with uniform distribution. Usually we use the abbreviation ppt that stays for probabilistic polynomial-time. We use \({\mathsf {poly}}(\cdot )\) to indicate a generic polynomial function of the input.

A polynomial-time relation \({\mathsf {Rel}}\) (or polynomial relation, in short) is a subset of \(\{0, 1\}^*\times \{0,1\}^*\) such that membership of (x, w) in \({\mathsf {Rel}}\) can be decided in time polynomial in |x|. For \((x,w)\in {\mathsf {Rel}}\), we call x the instance and w a witness for x. For a polynomial-time relation \({\mathsf {Rel}}\), we define the NP-language \(L_{{\mathsf {Rel}}}\) as \(L_{{\mathsf {Rel}}}=\{x|\exists w: (x, w)\in {\mathsf {Rel}}\}\). Analogously, unless otherwise specified, for an NP-language L we denote by \({\mathsf {Rel}}_\mathsf {L}\) the corresponding polynomial-time relation (that is, \({\mathsf {Rel}}_\mathsf {L}\) is such that \(L=L_{{\mathsf {Rel}}_\mathsf {L}}\)).

Let A and B be two interactive probabilistic algorithms. We denote by \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\) the distribution of B’s output after running on private input \(\beta \) with A using private input \(\alpha \), both running on common input \(\gamma \). Typically, one of the two algorithms receives \(1^\lambda \) as input. A transcript of \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\) consists of the messages exchanged during an execution where A receives a private input \(\alpha \), B receives a private input \(\beta \) and both A and B receive a common input \(\gamma \). Moreover, we will refer to the view of A as the messages it received during the execution of \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\), along with its randomness and its input. We denote by \(A_r\) an algorithm A that receives as randomness r. We say that a protocol (A, B) is public coin if B sends to A random bits only.

A function \(\nu (\cdot )\) from non-negative integers to reals is called negligible if for every constant \(c > 0\) and all sufficiently large \(\lambda \in \mathbb {N}\) we have \(\nu (\lambda ) < \lambda ^{-c}\). Standard definitions of one-way permutations (OWPs), proof/argument systems, witness indistinguishability (WI) and proofs of knowledge, along with their strengthened versions secure against subexponential-time adversaries and adaptive-input selection, can be found in the full version of this work [10].

2.1 Commitment Schemes

Definition 1

(Commitment Scheme). Given a security parameter \(1^\lambda \), a commitment scheme \((\mathsf {Sen}, \mathsf {Rec})\) is a two-phase protocol between two ppt interactive algorithms, a sender \(\mathsf {Sen}\) and a receiver \(\mathsf {Rec}\). In the commitment phase \(\mathsf {Sen}\) on input a message m interacts with \(\mathsf {Rec}\) to produce a commitment \(\mathtt{com}\). In the decommitment phase, \(\mathsf {Sen}\) sends to \(\mathsf {Rec}\) a decommitment information \(\mathtt{d}\) such that \(\mathsf {Rec}\) accepts m as the commitment of \(\mathtt {com}\).

Formally, we say that \({\mathtt {CS}}= (\mathsf {Sen}, \mathsf {Rec})\) is a perfectly binding commitment scheme if the following properties hold:

  • Correctness:

    • Commitment phase. Let \(\mathtt{com}\) be the commitment of the message m (i.e., \(\mathtt{com}\) is the transcript of an execution of \({\mathtt {CS}}=(\mathsf {Sen},\mathsf {Rec})\) where \(\mathsf {Sen}\) runs on input a message m). Let \(\mathtt{d}\) be the private output of \(\mathsf {Sen}\) in this phase.

    • Decommitment phase. \(\mathsf {Rec}\) on input m and \(\mathtt{d}\) accepts m as decommitment of \(\mathtt{com}\).

  • Hiding [32]: for a ppt adversary \({\mathcal {A}}\) and a randomly chosen bit \(b\in \{0,1\}\), consider the following hiding experiment \(\mathsf {ExpHiding}^b_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )\):

    • Upon input \(1^\lambda \), the adversary \({\mathcal {A}}\) outputs a pair of messages \(m_0, m_1\) that are of the same length.

    • \(\mathsf {Sen}\) on input the message \(m_b\) interacts with \({\mathcal {A}}\) to produce a commitment of \(m_b\).

    • \({\mathcal {A}}\) outputs a bit \(b'\) and this is the output of the experiment.

    For any ppt adversary \({\mathcal {A}}\), there exists a negligible function \(\nu \) such that:

    $$\Big |\text{ Prob }\left[ \;\mathsf {ExpHiding}^0_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )=1\;\right] -\text{ Prob }\left[ \; \mathsf {ExpHiding}^1_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )=1\;\right] \Big | <\nu (\lambda ).$$
  • Binding: for every commitment \(\mathtt{com}\) generated during the commitment phase by a possibly malicious unbounded sender \(\mathsf {Sen}^\star \) interacting with an honest receiver \(\mathsf {Rec}\), there exists at most one message m that \(\mathsf {Rec}\) accepts as decommitment of \(\mathtt{com}\).

We also consider the definition of a commitment scheme where the hiding property still holds against an adversary \({\mathcal {A}}\) running in time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we will say that the commitment scheme is T-hiding. We will also say that a commitment scheme is \(\tilde{T}\)-breakable to specify that an algorithm running in time \(\tilde{T} = 2^{\lambda ^\beta }\), for some positive constant \(\beta < 1\), recovers the only message (if any) that can be successfully decommitted.

In the rest of the paper we also use non-interactive commitment schemes with security parameter \(\lambda \). In this case we consider a commitment scheme as a pair of ppt algorithms \((\mathsf {NISen}, \mathsf {NIRec})\) where:

  • \(\mathsf {NISen}\) takes as input \(( m; \sigma )\), where \(m \in \{0,1\}^{{\mathsf {poly}}({\lambda })}\) is the message to be committed and \(\sigma \leftarrow \{0,1\}^\lambda \) is randomness, and outputs the commitment \(\mathtt {com}\) and the decommitment \(\mathtt {dec}\);

  • \(\mathsf {NIRec}\) takes as input (\(\mathtt {dec}\), \(\mathtt {com}\), m) and outputs 1 if it accepts m as a decommitment of \(\mathtt {com}\) and 0 otherwise.

3-Round Extractable Commitment Schemes. Informally, a 3-round commitment scheme is extractable if there exists an efficient extractor that, having black-box access to any efficient malicious sender \(\mathrm {ExCom}^{\star }\) that successfully performs the commitment phase, outputs the only committed string that can be successfully decommitted.

Definition 2

(3-Round Extractable Commitment Scheme [45]). A 3-round perfectly binding commitment scheme \({\mathtt {ExCS}}= (\mathrm {ExCom}, \mathrm {ExRec})\) is an extractable commitment scheme if given oracle access to any malicious sender \(\mathrm {ExCom}^{\star }\), there exists an expected ppt extractor \({\mathtt {Ext}}\) that outputs a pair \((\tau , \sigma ^{\star })\) such that the following properties hold:

  • Simulatability: the simulated view \(\tau \) is identically distributed to the view of \(\mathrm {ExCom}^{\star }\) (when interacting with an honest \(\mathrm {ExRec}\)) in the commitment phase.

  • Extractability: there exists no decommitment of \(\tau \) to \(\sigma \), where \(\sigma \ne \sigma ^\star \).

2.2 Non-Malleable Commitment Schemes

Here we follow [30]. Let \(\mathsf {\Pi }=(\mathsf {Sen},\mathsf {Rec})\) be a statistically binding commitment scheme. Consider MiM adversaries that are participating in left and right sessions in which \({\mathsf {poly}}(\lambda )\) commitments take place. We compare a MiM execution with a simulated execution. In the MiM execution the adversary \({\mathcal {A}}\), with auxiliary information z, is simultaneously participating in \({\mathsf {poly}}(\lambda )\) left and right sessions. In the left sessions the MiM adversary \({\mathcal {A}}\) interacts with \(\mathsf {Sen}\) receiving commitments to values \(m_1,\dots ,m_{{\mathsf {poly}}(\lambda )}\) using identities \({{\mathtt {id}}}_1,\dots , {\mathtt {id}}_{{\mathsf {poly}}(\lambda )}\) of its choice. In the right sessions \({\mathcal {A}}\) interacts with \(\mathsf {Rec}\) attempting to commit to a sequence of related values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\), again using identities of its choice \(\tilde{{\mathtt {id}}}_1,\dots , \tilde{{\mathtt {id}}}_{{\mathsf {poly}}(\lambda )}\). If any of the right commitments is invalid, or undefined, its value is set to \(\perp \). For any i such that \(\tilde{{\mathtt {id}}}_i = {\mathtt {id}}_j\) for some j, set \(\tilde{m}_i=\perp \) (i.e., any commitment where the adversary uses the same identity as one of the honest senders is considered invalid). Let \({\mathsf {mim}}^{{\mathcal {A}},m_1,\dots ,m_{{\mathsf {poly}}(\lambda )}}_\mathsf {\Pi }(z)\) denote the random variable that describes the values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\) and the view of \({\mathcal {A}}\) in the above experiment. In the simulated execution, an efficient simulator S directly interacts with \(\mathsf {Rec}\). Let \({\mathsf {sim}}^S_\mathsf {\Pi }(1^\lambda ,z)\) denote the random variable describing the values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\) committed by S, and the output view of S; whenever the view contains in the i-th right session the same identity as any of the identities of the left sessions, then \(\tilde{m}_i\) is set to \(\perp \).

We denote by \(\tilde{\delta }\) a value associated with the right session (where the adversary \({\mathcal {A}}\) plays with a receiver \(\mathsf {MMRec}\)) where \(\delta \) is the corresponding value in the left session. For example, the sender commits to v in the left session while \({\mathcal {A}}\) commits to \(\tilde{v}\) in the right session.

Definition 3

(Concurrent NM Commitment Scheme [30]). A commitment scheme is concurrent NM with respect to commitment (or a many-many NM commitment scheme) if, for every ppt concurrent MiM adversary \({\mathcal {A}}\), there exists a ppt simulator S such that for all \(m_i\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) with \(i\in \{1,\dots , {\mathsf {poly}}(\lambda )\}\) the following ensembles are computationally indistinguishable:

$$\{{\mathsf {mim}}_\mathsf {\Pi }^{{\mathcal {A}},m_1,\dots ,m_{{\mathsf {poly}}(\lambda )} }(z)\}_{z\in \{0,1\}^\star } {\; \approx \;} \{{\mathsf {sim}}^S_\mathsf {\Pi }(1^\lambda ,z)\}_{z\in \{0,1\}^\star }.$$

As in [30] we also consider relaxed notions of concurrent non-malleability: one-many and one-one NM commitment schemes. In a one-many NM commitment scheme, \({\mathcal {A}}\) participates in one left and polynomially many right sessions. In a one-one (i.e., a stand-alone secure) NM commitment scheme, we consider only adversaries \({\mathcal {A}}\) that participate in one left and one right session. We will make use of the following proposition of [30].

Proposition 1

Let \((\mathsf {Sen}, \mathsf {Rec})\) be a one-many NM commitment scheme. Then, \((\mathsf {Sen},\mathsf {Rec})\) is also a concurrent (i.e., many-many) NM commitment scheme.

We also consider the definition of a NM commitment scheme secure against a MiM \({\mathcal {A}}\) running in time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we will say that the commitment scheme is T-non-malleable.

When the identity is selected by the sender then the above id-based definitions guarantee non-malleability without ids as long as the MiM does not behave like a proxy (an unavoidable attack). Indeed the sender can pick as \({\mathtt {id}}\) the public key of a strong signature scheme signing the transcript. The MiM will have to use a different \({\mathtt {id}}\) or to break the signature scheme.

2.3 3-Round One-One NM Commitment Scheme

As main tool we need a 3-round one-one NM commitment scheme (NMCS) that enjoys the extractability property. In the rest of the paper we will refer to such a commitment scheme as \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}},{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\).

In [22] the authors provide the first 3-round one-one NM commitment scheme. Their scheme is also extractable and public coin.

By \(\varPi _{{\mathsf {NM}}}=((\mathrm {Sen^1_{{\mathsf {NM}}}},\mathrm {Sen^2_{{\mathsf {NM}}}}), {\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) we denote a 3-round one-one NM commitment scheme such that:

  • the algorithm \(\mathrm {Sen^1_{{\mathsf {NM}}}}\) takes as input \(( \mathtt {id},m; \rho )\), where \(\mathtt {id} \in \{0,1\}^\lambda \) is the identity, m is the message to be committed and \(\rho \leftarrow \{0,1\}^\lambda \) is the randomness, and outputs \(\mathsf {a}\), the first round of the commitment scheme, to be sent to the receiver;

  • the algorithm \(\mathrm {Sen^2_{{\mathsf {NM}}}}\) takes as input \((\mathtt {id},\mathsf {c}, m;\rho )\), where \(\mathsf {c}\) is the second round received by \(\mathsf {Rec}\), m is the message to be committed, \(\mathtt {id}\) is the same identity received as input by \(\mathrm {Sen^1_{{\mathsf {NM}}}}\), \(\rho \) is the randomness, and outputs \((\mathsf {z},\mathtt {dec})\) where \(\mathsf {z}\) is the last round of the commitment, and \(\mathtt {dec}\) is the decommitment value.

The reveal phase consists in sending \(\mathtt {dec}\) and m to the receiver. The receiver \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\), on input the randomness it used during the commitment phase, the transcript \(\mathtt {com}=(\mathsf {a},\mathsf {c},\mathsf {z},\mathtt {id})\), m and \(\mathtt {dec}\), outputs 1 if \(\mathtt {dec}\) is valid w.r.t. \(\mathtt {com}\) and m and outputs 0 otherwise.

2.4 The LS Proof of Knowledge and NMWI Argument Systems

In this paper we use the 3-round public-coin WI adaptive proof of knowledge proposed by Lapidot and Shamir [27], that we denote by LS. LS is delayed-input since the inputs for the prover and the verifier are needed only to play the last round, while only the size of the common input is needed earlier. For this reason we will refer to a prover \({\mathcal {P}}\) as a pair \((\mathsf {P^1},\mathsf {P^2})\). More formally, LS for a relation \({\mathsf {Rel}}\) is a pair \(\varPi =({\mathcal {P}}=(\mathsf {P^1},\mathsf {P^2}),{\mathcal {V}})\), with security parameter \(\lambda \), where \({\mathcal {P}}\) executes the algorithms \(\mathsf {P^1}\) and \(\mathsf {P^2}\) defined as follows. The algorithm \(\mathsf {P^1}\) takes as input \((\ell ;\alpha )\), where \(\ell \) is the instance length and \(\alpha \leftarrow \{0,1\}^\lambda \) is the randomness, and outputs the 1st round of the LS protocol. The algorithm \(\mathsf {P^2}\) takes as input \((x,w,c;\alpha )\), where x, w are such that \((x,w) \in {\mathsf {Rel}}\), c is the challenge sent by \({\mathcal {V}}\) and \(\alpha \) is the randomness, and outputs the 3rd round of the LS protocol.

In this paper we also consider a definition where the WI property of LS still holds against a distinguisher with running time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we say that the instantiation of LS is T-witness indistinguishable (T-WI).

Witness Indistinguishability and MiM Attacks. The definition of non-malleable witness indistinguishability (NMWI) given in [34] requires that the witness encoded in the proof given by the MiM \({\mathcal {A}}\) be independent of the witness used by the honest prover in his proof. For details see [10].

3 3-Round Concurrent Non-Malleable Commitments

In this section we show our transform that takes as input a 3-round extractable one-one NM commitment scheme \(\varPi _{{\mathsf {NM}}}\), a OWP f, a non-interactive perfectly binding commitment scheme \({\mathsf {NI}}\), the 3-round delayed-input adaptive WI/PoK \({\mathsf {LS}}\) and outputs a 3-round fully concurrent (i.e., many-many) NM commitment scheme \(\mathsf {\Pi _{MMCom}}=(\mathsf {MMSen},\mathsf {MMRec})\).

Let m be the message that \(\mathsf {MMSen}\) wants to commit to. The high-level idea of our transform is depicted in Fig. 1. The sender \(\mathsf {MMSen}\), on input the session-id \({\mathtt {id}}\) and the message m, computes the 1st round of the protocol by running \({\mathsf {LS}}\) and sending the 1st round of \({{\mathsf {NM}}}\) to commit to a random message \({s_0}\) using \({\mathtt {id}}\) as session-id. In the 2nd round the receiver \(\mathsf {MMRec}\) sends the challenges of \({{\mathsf {NM}}}\) and \({\mathsf {LS}}\), and also sends a random value Y in the range of the OWP f. In the last round \(\mathsf {MMSen}\) commits to message m using \({\mathsf {NI}}\), therefore obtaining \(\mathtt {com}\), then computes the last round of \({{\mathsf {NM}}}\), completes the transcript of \({\mathsf {LS}}\), and finally sends a random string \({s_1}\). The protocol \({\mathsf {LS}}\) is used by \(\mathsf {MMSen}\) to prove to \(\mathsf {MMRec}\) that either she knows message m and the randomness used to compute \(\mathtt {com}\), or she knows the values (\(s_0,\mathtt {dec})\) such that \(f({s_0}\oplus {s_1})=Y\) and \(\mathtt {dec}\) is a valid decommitment to \(s_0\) w.r.t. the commitment computed using \(\varPi _{{\mathsf {NM}}}\). We observe that \(\mathsf {MMSen}\) needs m only when computing the 3rd round, therefore our construction enjoys delayed-input correctness.

Fig. 1. Informal description of our 3-round concurrent NM commitment scheme.

Our transform needs the following tools:

  1. a OWP f that is secure against ppt adversaries and \(\tilde{{T_f}}\)-breakable;

  2. a non-interactive perfectly binding commitment scheme \({\mathsf {NI}}=(\mathsf {NISen},\mathsf {NIRec})\) that is \(T_{{\mathsf {NI}}}\)-hiding and \(\tilde{T}_{{\mathsf {NI}}}\)-breakable;

  3. a 3-round extractable one-one NM commitment scheme \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}}=(\mathrm {Sen^1_{{\mathsf {NM}}}}, \mathrm {Sen^2_{{\mathsf {NM}}}}), {\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) that is \(T_{{{\mathsf {NM}}}}\)-hiding/non-malleable, and \(\tilde{T}_{{{\mathsf {NM}}}}\)-breakable;

  4. the LS proof system \({\mathsf {LS}}=({\mathcal {P}}=(\mathsf {P^1},\mathsf {P^2}),{\mathcal {V}})\) for the language

     $$\begin{aligned} L=\big \{\big ((a, c, z), Y, s_1, \mathtt {com}, \mathtt {id}\big ) :\ &\exists \ (m,\sigma )\ \text {s.t.}\ \mathtt {com}=\mathsf {NISen}(m;\sigma )\ \mathtt {OR} \\ &\big (\exists (\rho ,s_0)\ \text {s.t.}\ a=\mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},s_0;\rho )\ \mathtt {AND}\ z=\mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},c,s_0;\rho )\ \mathtt {AND}\ Y=f(s_0\oplus s_1) \big ) \big \} \end{aligned}$$

     that is \({T_{{\mathsf {LS}}}}\)-WI for the corresponding relation \({\mathsf {Rel}}_\mathsf {L}\).

Fig. 2. Our 3-round concurrent NM commitment scheme.

Let \(\lambda \) be the security parameter of our scheme. We will use w.l.o.g. \(\lambda \) also as security parameter for the hardness to invert f with respect to polynomial-time adversaries. Then we consider the following hierarchy of security levels for the above tools: \( {T_f}\ll T_{{\mathsf {NI}}}\ll \sqrt{T_{{{\mathsf {NM}}}}}\ll T_{{{\mathsf {NM}}}}\ll \sqrt{{T_{{\mathsf {LS}}}}}\ll {T_{{\mathsf {LS}}}}\) where by \(T\ll T'\) we mean that \(T\cdot {\mathsf {poly}}(\lambda ) < T'\). We also require that: (1) \({\mathsf {NI}}\) is \(T_{{\mathsf {NI}}}\)-hiding, but is also \(\tilde{T}_{\mathsf {NI}}=\sqrt{T_{{{\mathsf {NM}}}}}\)-breakable; (2) \(\varPi _{{\mathsf {NM}}}\) is \(T_{{{\mathsf {NM}}}}\)-hiding/non-malleable, but the hiding is also \(\tilde{T}_{{\mathsf {NM}}}=\sqrt{{T_{{\mathsf {LS}}}}}\)-breakable. Now we need to define different security parameters, one for each tool involved in the security proof, to be consistent with the hierarchy of security levels defined above (a similar use of security parameters has been proposed in [46]). Given the security parameter \(\lambda \) of our scheme, we will make use of the following security parameters (all polynomially related to \(\lambda \) and such that the above hierarchy of security levels holds): \(\lambda \) for f, \(\lambda _{\mathsf {NI}}\) for \({\mathsf {NI}}\), \(\lambda _{{\mathsf {NM}}}\) for \(\varPi _{{\mathsf {NM}}}\), \(\lambda _{\mathsf {LS}}\) for \({\mathsf {LS}}\).

We denote by \(\mathsf {Params}\) the function that on input \(\lambda \) outputs \((\lambda _{\mathsf {NI}}, \lambda _{{\mathsf {NM}}},\lambda _{\mathsf {LS}},\ell )\) where \(\ell \) is the size of the theorem to be proved using \({\mathsf {LS}}\). Our concurrent NM commitment scheme \(\mathsf {\Pi _{MMCom}}=(\mathsf {MMSen},\mathsf {MMRec})\) is fully described in Fig. 2.
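A constructed numeric instance of the parameter choice above, added here as an example and not code from the paper: it assumes that a tool with security parameter \(\lambda_x\) is \(2^{\lambda_x^\alpha}\)-hiding and \(2^{\lambda_x^\beta}\)-breakable for assumed constants \(0<\alpha<\beta\le 1\), derives \(\lambda_{\mathsf{NM}}\) and \(\lambda_{\mathsf{LS}}\) from a chosen \(\lambda_{\mathsf{NI}}\) so that the two breakability requirements (\(\tilde T_{\mathsf{NI}}=\sqrt{T_{\mathsf{NM}}}\), \(\tilde T_{\mathsf{NM}}=\sqrt{T_{\mathsf{LS}}}\)) hold exactly, and checks the whole hierarchy with \(\mathsf{poly}(\lambda)=\lambda^2\) as the slack. The function names (`params`, `hierarchy_holds`) are hypothetical.

```python
import math

# Complexity-leveraging hierarchy of the transform:
#   T_f << T_NI << sqrt(T_NM) << T_NM << sqrt(T_LS) << T_LS ,  T << T' := T * poly(lam) < T'
# Everything is handled as a base-2 exponent: log2(T_x) = lam_x ** alpha for a T_x-hiding tool,
# log2(T~_x) = lam_x ** beta for a T~_x-breakable tool (alpha, beta are assumed constants).


def params(lam, lam_ni, alpha=0.5, beta=1.0):
    """Hypothetical instantiation of Params (without the LS theorem size).

    Given the scheme parameter lam and a chosen lam_NI, derive lam_NM and lam_LS so that
    T~_NI = sqrt(T_NM) and T~_NM = sqrt(T_LS) hold as equalities of exponents.
    """
    if not (0 < alpha < beta <= 1):
        raise ValueError("assumed constants must satisfy 0 < alpha < beta <= 1")
    # T~_NI = 2^(lam_NI^beta) must equal sqrt(T_NM) = 2^(lam_NM^alpha / 2)
    lam_nm = (2 * lam_ni ** beta) ** (1 / alpha)
    # T~_NM = 2^(lam_NM^beta) must equal sqrt(T_LS) = 2^(lam_LS^alpha / 2)
    lam_ls = (2 * lam_nm ** beta) ** (1 / alpha)
    return {"lam": lam, "lam_NI": lam_ni, "lam_NM": lam_nm, "lam_LS": lam_ls,
            "alpha": alpha, "beta": beta}


def log2_levels(p):
    """The six security levels of the hierarchy, as (name, log2 T) pairs in increasing order."""
    a = p["alpha"]
    return [
        ("T_f", p["lam"] ** a),
        ("T_NI", p["lam_NI"] ** a),
        ("sqrt(T_NM)", p["lam_NM"] ** a / 2),
        ("T_NM", p["lam_NM"] ** a),
        ("sqrt(T_LS)", p["lam_LS"] ** a / 2),
        ("T_LS", p["lam_LS"] ** a),
    ]


def hierarchy_holds(p, poly_degree=2):
    """True iff T * lam^poly_degree < T' for every adjacent pair of levels.

    In log2 terms the slack poly(lam) = lam^poly_degree becomes poly_degree * log2(lam).
    """
    slack = poly_degree * math.log2(p["lam"])
    levels = log2_levels(p)
    return all(lo + slack < hi for (_, lo), (_, hi) in zip(levels, levels[1:]))


def breakability_consistent(p):
    """True iff log2 T~_NI == log2 sqrt(T_NM) and log2 T~_NM == log2 sqrt(T_LS)."""
    a, b = p["alpha"], p["beta"]
    return (math.isclose(p["lam_NI"] ** b, p["lam_NM"] ** a / 2)
            and math.isclose(p["lam_NM"] ** b, p["lam_LS"] ** a / 2))


if __name__ == "__main__":
    # lam_NI = lam is too small: T_f * poly(lam) would not be below T_NI.
    for lam_ni in (128, 128 ** 2):
        p = params(128, lam_ni)
        print(f"lam_NI={lam_ni}: hierarchy holds? {hierarchy_holds(p)}")
        for name, e in log2_levels(p):
            print(f"  log2 {name:>10} = {e:.1f}")
```

With \(\alpha=1/2\), \(\beta=1\) and \(\lambda=128\), choosing \(\lambda_{\mathsf{NI}}=\lambda^2\) gives \(\lambda_{\mathsf{NM}}=2^{30}\) and \(\lambda_{\mathsf{LS}}=2^{62}\), which is why the parameters are only polynomially related yet grow quickly.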

Theorem 1

Suppose there exist OWPs secure against subexponential-time adversaries, then \(\mathsf {\Pi _{MMCom}}\) is a perfectly binding delayed-input commitment scheme.

Proof

The delayed-input correctness of \(\mathsf {\Pi _{MMCom}}\) follows by inspection from the delayed-input completeness of \({\mathsf {LS}}\), and the correctness of \(\varPi _{{\mathsf {NM}}}\) and \({\mathsf {NI}}\).

Observe that the message given in output in the decommitment phase of \(\mathsf {\Pi _{MMCom}}\) is the message committed using \({\mathsf {NI}}\). Moreover the decommitment phase of \(\mathsf {\Pi _{MMCom}}\) coincides with the decommitment of \({\mathsf {NI}}\) and \(\varPi _{{\mathsf {NM}}}\). Since \({\mathsf {NI}}\) and \(\varPi _{{\mathsf {NM}}}\) are perfectly binding we have that \(\mathsf {\Pi _{MMCom}}\) is perfectly binding too.

The hiding property follows from the non-malleability property proved in Theorem 2. Indeed the proof of Theorem 2 does not rely on the hiding of \(\mathsf {\Pi _{MMCom}}\).

Theorem 2

Suppose there exist OWPs secure against subexponential-time adversaries, then \(\mathsf {\Pi _{MMCom}}\) is concurrent (i.e., many-many) non-malleable.

Proof

Since we can use Proposition 1, we only need to prove that our commitment enjoys one-many non-malleability. More formally, with respect to a one-many adversary \({\mathcal {A}}\), we need to show that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that: \(\{{\mathsf {mim}}_\mathsf {\Pi _{MMCom}}^{{\mathcal {A}},m}(z)\}_{z\in \{0,1\}^\star } {\; \approx \;} \{{\mathsf {sim}}^S_\mathsf {\Pi _{MMCom}}(1^\lambda ,z)\}_{z\in \{0,1\}^\star }\) where S is the simulator depicted in Fig. 3. This means that the real execution in which the sender runs \(\mathsf {MMSen}\) to commit to a message m must be indistinguishable from an execution in which a simulator \(S\) runs internally the MiM adversary \({\mathcal {A}}\), sending it a commitment of \(0^\lambda \), and then forwards the messages that \({\mathcal {A}}\) sends in the right sessions to receivers \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

In the security proof we denote by \(\tilde{\delta }_i\) a value associated with the i-th right session (where the adversary \({\mathcal {A}}\) plays with a receiver \(\mathsf {MMRec}_i\) with \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\)) where \(\delta \) is the corresponding value in the left session. For example, the sender commits to v in the left session while \({\mathcal {A}}\) commits to \(\tilde{v}_i\) in the i-th right session.

To prove the indistinguishability of the above two experiments we show 3 hybrid experimentsFootnote 14 \({\mathcal {H}}^m_i(z)\) with \(i=1,2,3\), where m is the message committed in the left session. Following [28] we denote by \(\{{\mathsf {mim}}_{{\mathcal {H}}^m_i}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star }\) the random variable describing the view of the MiM \({\mathcal {A}}\) combined with the value it commits in the right interaction in hybrid \({\mathcal {H}}^m_i(z)\) (as usual, the committed value is replaced by \(\perp \) if the right interaction does not correspond to a commitment that can be successfully opened or if \({\mathcal {A}}\) has copied the identity of the left interaction).

The 1st hybrid is the experiment \({\mathcal {H}}^m_1(z)\) in which, in the left session, \(\mathsf {MMSen}\) commits to m, while in the right sessions played by \({\mathcal {A}}\) we run \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

\(\varvec{{\mathcal {H}}^m_1(z).}\)

  • Left session:

    1. First round.

      1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
      1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
      1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
      1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

    2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\):

      2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
      2.2. Pick \({s_1}\leftarrow \{0,1\}^{\lambda }\).
      2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
      2.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
      2.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  • Right sessions: act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

We have that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) \(\{{\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star }\) corresponds to \(\{{\mathsf {mim}}_\mathsf {\Pi _{MMCom}}^{{\mathcal {A}},m}(z)\}_{z\in \{0,1\}^\star }\). We now prove that, for all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) \({\mathcal {A}}\) does not manage to invert any values \(\tilde{Y}_i\) in the right sessions by sending a value \(\tilde{s_1}_i\) such that \(f(\tilde{s_0}_i\oplus \tilde{s_1}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the message committed in the i-th right session through \({{\mathsf {NM}}}\).

Lemma 1

Let \(p_i\) be the probability that in the i-th right session, for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

Proof

Suppose by contradiction that for a right session i the claim does not hold. We can construct an adversary \({\mathcal {A}}_f\) that inverts the OWP f in polynomial time. We consider a challenger \({\mathcal {C}}_f\) of f that chooses a random Y in the range of f and sends it to \({\mathcal {A}}_f\). \({\mathcal {A}}_f\) wins if it gives as output y such that \(Y=f(y)\). Before describing the adversary we need to consider the augmented machine \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) that will be used by \({\mathcal {A}}_f\). \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) internally executes \({\mathcal {A}}\), and interacts with an external receiver \(\mathsf {Rec}_\mathsf {ext}\) of the protocol \(\varPi _{{\mathsf {NM}}}\) acting as the sender.

\(\varvec{{\mathcal {S}}_{\mathsf {n\rightarrow 1}}}(Y, \varphi , z)\)

  1. Act in the left session with \({\mathcal {A}}\) (that runs using randomness \(\varphi \)) as in \({\mathcal {H}}^m_1(z)\).

  2. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}^m_1(z)\). Instead run \(\mathsf {MMRec}_i\) as described in steps 3, 4 and 5.

  3. Upon receiving the 1st round of the i-th right session \((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {a}}_{{\mathsf {LS}}_i})\) from \({\mathcal {A}}\), send \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).

  4. Upon receiving \(\mathsf {\tilde{c}_{{\mathsf {NM}}_i}}\) from \(\mathsf {Rec}_\mathsf {ext}\), run as follows:

    4.1. Run \({\mathcal {V}}\) to obtain \(\mathsf {\tilde{c}_{LS_i}}\).
    4.2. Set \(\tilde{Y}_i=Y\).
    4.3. Send \((\mathsf {\tilde{c}_{{{\mathsf {NM}}}_i}},\mathsf {\tilde{c}_{{\mathsf {LS}}_i}},\tilde{Y}_i)\) to \({\mathcal {A}}\).

  5. Upon receiving the 3rd round of the i-th right session \((\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i},\tilde{\mathtt {com}}_i,\tilde{\mathsf {z}}_{{\mathsf {LS}}_i},\tilde{s_1}_i)\), set \(\tilde{x}=\big ( (\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}), \tilde{Y}_i, \tilde{s_1}_i, \tilde{\mathtt {com}}_i, \tilde{{\mathtt {id}}}\big )\) and abort iff \((\tilde{\mathsf {a}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {z}}_{{\mathsf {LS}}_i})\) is not accepting for \({\mathcal {V}}\) with respect to \(\tilde{x}\).

  6. Send \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).

Notice that the above execution of \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) is distributed identically to \({\mathcal {H}}^m_1(z)\) when \(\mathsf {Rec}_\mathsf {ext}\) plays as an honest receiver. Now we can conclude the proof of this lemma by describing how \({\mathcal {A}}_f\) works. \({\mathcal {A}}_f\) runs the extractor of \(\varPi _{{\mathsf {NM}}}\) using \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) as sender (recall that an extractor of \(\varPi _{{\mathsf {NM}}}\) plays only having access to a sender of \(\varPi _{{\mathsf {NM}}}\)). We have that the extractor with non-negligible probability outputs the committed message of an execution that inverts f. By using the randomness \(\varphi \), \({\mathcal {A}}_f\) can reconstruct the view of \({\mathcal {A}}\) and retrieve the value \(\tilde{s_1}_i\). Therefore \({\mathcal {A}}_f\), running in polynomial timeFootnote 15, outputs with non-negligible probability the value \(y=\tilde{s_0}_i\oplus \tilde{s_1}_i\) such that \(f(y)=Y\).

We now consider the 2nd hybrid experiment \({\mathcal {H}}^m_2(z)\) where in the left session, after receiving Y from \({\mathcal {A}}\), the sender in time \(T_f\) finds a value y such that \(Y=f(y)\). Then the sender sets and sends \({s_1}=y\oplus {s_0}\), where \({s_0}\) is the value committed using \(\varPi _{{\mathsf {NM}}}\). The only difference between this hybrid experiment and \({\mathcal {H}}^m_1(z)\) is that \({\mathcal {H}}^m_2(z)\) runs in time sub-exponential in \(\lambda \), and the value \({s_1}\) is equal to \(y\oplus {s_0}\) where \(Y=f(y)\).

\(\varvec{{\mathcal {H}}^m_2(z).}\)

  • Left session:

    1. First round.

      1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
      1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
      1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
      1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

    2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\):

      2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
      2.2. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
      2.3. Set \({s_1}={s_0} \oplus y\).
      2.4. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
      2.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
      2.6. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  • Right sessions: act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

When switching from \({\mathcal {H}}_1^m(z)\) to \({\mathcal {H}}_2^m(z)\) we will make sure that the following two properties hold.

  1. For every message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\).Footnote 16

  2. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_2\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

We now prove that the above two properties hold.

Lemma 2

For every message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\).

Proof

Suppose by contradiction that the distribution of \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\) is distinguishable from \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\); this means that there exists a distinguisher \({\mathcal {D}}\) that can tell apart these two distributions. We now use \({\mathcal {D}}\) and \({\mathcal {A}}\) to construct an adversary \({\mathcal {A}}_\mathsf {Hiding}\) that breaks the hiding of \(\varPi _{{\mathsf {NM}}}\) in time \({\mathsf {poly}}(\lambda )\cdot T_{\mathsf {NI}}\), therefore reaching a contradictionFootnote 17. Let \({\mathcal {C}}_\mathsf {Hiding}\) be the challenger of the hiding game; we consider two randomly chosen challenge messages \((m_0,m_1)\) sent to \({\mathcal {C}}_\mathsf {Hiding}\). We now provide a formal description of the adversary \({\mathcal {A}}_\mathsf {Hiding}\).

\(\varvec{{\mathcal {A}}}_\mathsf {Hiding}(m_0,m_1, z)\)

  1. Upon receiving the 1st round \(\mathsf {a}_{{\mathsf {NM}}}\) from \({\mathcal {C}}_\mathsf {Hiding}\), run as follows:

    1.1. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
    1.2. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

  2. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), send \(\mathsf {c}_{{\mathsf {NM}}}\) to \({\mathcal {C}}_\mathsf {Hiding}\).

  3. Upon receiving the 3rd round \(\mathsf {z}_{{\mathsf {NM}}}\) from \({\mathcal {C}}_\mathsf {Hiding}\), run as follows:

    3.1. Compute y such that \(Y=f(y)\), set \({s_1}=m_0\oplus y\).
    3.2. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
    3.3. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
    3.4. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  4. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\) when \({\mathcal {A}}\) plays as a sender.

  5. Let M be an empty tuple. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), consider \(\tilde{\mathtt {com}}_i\), the non-interactive commitment received by \(\mathsf {MMRec}_i\), run in time \(T_{\mathsf {NI}}\) to compute \(\tilde{m}_i\) such that \(\exists \ \tilde{\mathtt {dec}}: 1=\mathsf {NIRec}(\tilde{\mathtt {com}}_i,\tilde{\mathtt {dec}}, \tilde{m}_i)\) and add \(\tilde{m}_i\) to M.

  6. Give M and the view of \({\mathcal {A}}\) to the distinguisher \({\mathcal {D}}\) and output what \({\mathcal {D}}\) outputs.

The proof ends with the observation that if \({\mathcal {C}}_\mathsf {Hiding}\) has committed to \(m_0\) then the xor of the committed value with \(s_1\) is equal to y such that \(f(y)=Y\), like in \({\mathcal {H}}_2^m(z)\). If instead \({\mathcal {C}}_\mathsf {Hiding}\) has committed to \(m_1\) then the xor of the committed value and \(s_1\) is equal to a random value, like in \({\mathcal {H}}_1^m(z)\).

Lemma 3

Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_2\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

Proof

Suppose by contradiction that for a right session i the claim does not hold. We can construct a distinguisher \({\mathcal {D}}_{{\mathsf {NM}}}\) and an adversary \({\mathcal {A}}_{{\mathsf {NM}}}\) that break the non-malleability of \(\varPi _{{\mathsf {NM}}}\). Let \({\mathcal {C}}_{{\mathsf {NM}}}\) be the challenger of the NM commitment and let \((m_0,m_1)\) be two randomly chosen challenge messages given to \({\mathcal {C}}_{{\mathsf {NM}}}\).

\(\varvec{{\mathcal {A}}}_{{{\mathsf {NM}}}}(m_0,m_1, z)\)

  • Left session:

    1. Act as \({\mathcal {A}}_\mathsf {Hiding}\) acts in the left session.

  • Right sessions:

    1. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}^m_2(z)\). Instead run \(\mathsf {MMRec}_i\) as described in steps 1.1, 1.2 and 1.3.

      1.1. Forward \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\).
      1.2. Upon receiving \(\tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i}\) from \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\), pick a random \(\tilde{\mathsf {c}}_{{\mathsf {LS}}_i}\), pick a random \(\tilde{Y}_i\) and send \((\tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{Y}_i)\) to \({\mathcal {A}}\).
      1.3. Upon receiving \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) from \({\mathcal {A}}\), send it to \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\).

Let \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\) be the view of \({\mathcal {A}}_{{\mathsf {NM}}}\) together with the tuple of messages committed in the right sessions. The distinguisher \({\mathcal {D}}_{{\mathsf {NM}}}\) takes as input \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\) and acts as follows.

\(\varvec{{\mathcal {D}}_{{\mathsf {NM}}}({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z))\!:}\) Let \(\tilde{s_0}_i\) be the message committed in the i-th right session by \({\mathcal {A}}_{{\mathsf {NM}}}\) to \(\mathsf {MMRec}\). Reconstruct the output messages of \({\mathcal {A}}\) (using the same randomness of \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\)) to pick \(\tilde{s_1}_i\). If \(f(\tilde{s_1}_i \oplus \tilde{s_0}_i)=\tilde{Y}_i\) output 1, otherwise output 0. The proof ends with the observation that if \({\mathcal {C}}_{{\mathsf {NM}}}\) has committed to \(m_0\) then the xor of the committed value with \({s_1}\) is equal to y such that \(f(y)=Y\), as in \({\mathcal {H}}_2^m\). If instead \({\mathcal {C}}_{{\mathsf {NM}}}\) has committed to \(m_1\) then the xor of the committed value with \({s_1}\) is a random string, as in \({\mathcal {H}}_1^m\).

The 3rd hybrid experiment that we consider is equal to \({\mathcal {H}}^m_2(z)\) with the difference that the LS proof system is executed using \(s_0\) and the randomness of the non-malleable commitment of \({s_0}\). Recall that \(f({s_0}\oplus {s_1})=Y\). We observe that in the left session of \({\mathcal {H}}^m_2(z)\) it already holds that \(f(s_0\oplus s_1)=Y\), therefore we can switch the witness used in \({\mathsf {LS}}\) and complete the execution of the proof system.
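A toy rendering of the left-session mechanics that the hybrids manipulate, added here as an example and not code from the paper: the receiver's puzzle \(Y=f(y)\), the third-round share \({s_1}\) (uniformly random in \({\mathcal {H}}^m_1(z)\), equal to \({s_0}\oplus y\) from \({\mathcal {H}}^m_2(z)\) on) and the OR-statement proved with \({\mathsf {LS}}\), whose two witnesses \((m,\sigma ,\perp ,\perp )\) and \((\perp ,\perp ,s_0,\rho )\) both satisfy the statement once the trapdoor share is used, which is what lets \({\mathcal {H}}^m_3(z)\) switch witness. SHA-256 commitments standing in for \({\mathsf {NI}}\) and for the first message of \(\varPi _{{\mathsf {NM}}}\), a random permutation table standing in for f, and all function names are this example's own assumptions.

```python
"""Toy model of the Pi_MMCom left session and of the LS OR-statement.
Added example with stand-in primitives; nothing here is the paper's code."""
import hashlib
import random

LAMBDA = 16          # toy security parameter in bits (the paper's lambda)
BOT = None           # the symbol "bot" for the unused half of a witness

# A fixed random permutation table plays the role of the OWP f.  Inverting it
# by exhaustive search models "run in time T_f to compute y such that Y=f(y)".
_PERM = list(range(1 << LAMBDA))
random.Random(2024).shuffle(_PERM)


def f(x: int) -> int:
    return _PERM[x]


def invert_f(Y: int) -> int:
    """Brute-force inversion in 2^LAMBDA steps: the toy analogue of T_f."""
    return _PERM.index(Y)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def ni_commit(m: bytes, sigma: bytes) -> bytes:
    """Stand-in for NISen(m; sigma)."""
    return H(b"NI", sigma, m)


def nm_commit(ident: bytes, s0: int, rho: bytes) -> bytes:
    """Stand-in for the first message a_NM = Sen^1_NM(id, s0; rho)."""
    return H(b"NM", ident, rho, s0.to_bytes(LAMBDA // 8, "big"))


def puzzle_solved(s0: int, s1: int, Y: int) -> bool:
    """The event bounded by Lemmas 1, 3, 5 and 6: f(s0 xor s1) = Y.  It is
    also exactly the check that D_NM of Lemma 3 runs on the extracted s0."""
    return f(s0 ^ s1) == Y


def ls_relation(x, w) -> bool:
    """The statement proved with LS: w = (m, sigma, bot, bot) opens com to m,
    OR w = (bot, bot, s0, rho) opens a_NM to s0 with f(s0 xor s1) = Y.
    x = (a_NM, Y, s1, com, id); the NM rounds c_NM, z_NM are left out."""
    a_nm, Y, s1, com, ident = x
    m, sigma, s0, rho = w
    if m is not BOT and sigma is not BOT:
        return ni_commit(m, sigma) == com
    if s0 is not BOT and rho is not BOT:
        return nm_commit(ident, s0, rho) == a_nm and puzzle_solved(s0, s1, Y)
    return False


def left_session(m: bytes, trapdoor: bool, seed: int = 1):
    """Sender's view of one left session against a receiver that sends a
    fresh puzzle.  trapdoor=False is H_1 (s1 random, as in the real protocol);
    trapdoor=True is H_2/H_3 (s1 = s0 xor f^-1(Y)).
    Returns (x, w_real, w_trap, s0, s1, Y)."""
    rng = random.Random(seed)
    ident = b"id-left"
    rho = bytes(rng.getrandbits(8) for _ in range(16))
    sigma = bytes(rng.getrandbits(8) for _ in range(16))
    s0 = rng.getrandbits(LAMBDA)                  # step 1.1
    a_nm = nm_commit(ident, s0, rho)              # step 1.2
    Y = f(rng.getrandbits(LAMBDA))                # receiver's puzzle (2nd round)
    com = ni_commit(m, sigma)                     # step 2.1
    if trapdoor:
        s1 = s0 ^ invert_f(Y)                     # H_2: s1 = s0 xor y, f(y) = Y
    else:
        s1 = rng.getrandbits(LAMBDA)              # H_1: s1 uniformly random
    x = (a_nm, Y, s1, com, ident)
    w_real = (m, sigma, BOT, BOT)                 # witness used in H_1 and H_2
    w_trap = (BOT, BOT, s0, rho)                  # witness used from H_3 on
    return x, w_real, w_trap, s0, s1, Y


if __name__ == "__main__":
    x, w_real, w_trap, *_ = left_session(b"hello", trapdoor=False)
    print("H_1: real witness", ls_relation(x, w_real),
          "/ trapdoor witness", ls_relation(x, w_trap))
    x, w_real, w_trap, *_ = left_session(b"hello", trapdoor=True)
    print("H_2: real witness", ls_relation(x, w_real),
          "/ trapdoor witness", ls_relation(x, w_trap))
    # H_3^0: the trapdoor witness still works when com commits to 0^lambda
    x, _, w_trap, *_ = left_session(bytes(LAMBDA // 8), trapdoor=True)
    print("H_3^0: trapdoor witness", ls_relation(x, w_trap))
```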

\(\varvec{{\mathcal {H}}^m_3(z).}\)

  • Left session:

    1. First round.

      1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
      1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
      1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
      1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

    2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\):

      2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
      2.2. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
      2.3. Set \({s_1}={s_0} \oplus y\).
      2.4. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
      2.5. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
      2.6. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, \mathtt {id}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
      2.7. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  • Right sessions: act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

Even in this case we need to prove the following two properties.

  1. For every message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\).

  2. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3\), for any \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

Lemma 4

For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\).

Proof

Suppose by contradiction that there exist an adversary \({\mathcal {A}}\) and a distinguisher \({\mathcal {D}}\) that can tell apart these two distributions. We can use this adversary and the associated distinguisher to construct an adversary \({\mathcal {A}}_{\mathsf {LS}}\) against the \(T_{\mathsf {LS}}\)-witness-indistinguishability of the \({\mathsf {LS}}\) protocol. Let \({\mathcal {C}}_{\mathsf {LS}}\) be the WI challenger; the adversary works as follows.

\(\varvec{{\mathcal {A}}}_{\mathsf {LS}}(z)\)

  1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).

  2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).

  3. Upon receiving \(\mathsf {a_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

  4. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:

    4.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
    4.2. Set \({s_1}={s_0} \oplus y\).
    4.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
    4.4. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
    4.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\), \(w_0=(\perp ,\perp , s_0,\rho )\), \(w_1=(m,\sigma ,\perp ,\perp )\) and send \((x,\mathsf {c}_{\mathsf {LS}},w_0,w_1)\) to \({\mathcal {C}}_{\mathsf {LS}}\).

  5. Upon receiving \(\mathsf {z_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  6. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\), when \({\mathcal {A}}\) plays as a sender.

  7. Let M be an empty tuple. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), consider \(\tilde{\mathtt {com}}_i\), the non-interactive commitment received by \(\mathsf {MMRec}_i\), and run in time \(\tilde{T}_{\mathsf {NI}}\) to compute \(\tilde{m}_i\) such that \(\exists \ \tilde{\mathtt {dec}}: 1=\mathsf {NIRec}(\tilde{\mathtt {com}}_i,\tilde{\mathtt {dec}}, \tilde{m}_i)\) and add \(\tilde{m}_i\) to M.

  8. Give M and the view of \({\mathcal {A}}\) to the distinguisher \({\mathcal {D}}\).

  9. Output what \({\mathcal {D}}\) outputs.

The proof ends with the observation that if \({\mathcal {C}}_{\mathsf {LS}}\) has used as witness the randomness of the non-malleable commitment of the value \({s_0}\) such that \(f({s_0}\oplus {s_1})=Y\), then we are in the hybrid experiment \({\mathcal {H}}_3^m(z)\). If instead \({\mathcal {C}}_{\mathsf {LS}}\) has used as witness the randomness used to compute the non-interactive commitment \({\mathsf {NI}}\), then we are in the hybrid experiment \({\mathcal {H}}_2^m(z)\).

Lemma 5

Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^m\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

Proof

Suppose by contradiction that for a right session i the claim does not hold; then we can construct an adversary \({\mathcal {A}}_{\mathsf {LS}}'\) against the \(T_{\mathsf {LS}}\)-witness-indistinguishability of the \({\mathsf {LS}}\) protocol. Let \({\mathcal {C}}_{\mathsf {LS}}\) be the WI challenger; the adversary works as follows.

\(\varvec{{\mathcal {A}}}_{\mathsf {LS}}'(z)\)

  1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).

  2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).

  3. Upon receiving \(\mathsf {a_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

  4. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:

    4.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
    4.2. Set \({s_1}={s_0} \oplus y\).
    4.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
    4.4. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
    4.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\), \(w_0=(\perp ,\perp , s_0,\rho )\), \(w_1=(m,\sigma ,\perp ,\perp )\) and send \((x,\mathsf {c}_{\mathsf {LS}},w_0,w_1)\) to \({\mathcal {C}}_{\mathsf {LS}}\).

  5. Upon receiving \(\mathsf {z_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  6. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\), when \({\mathcal {A}}\) plays as a sender.

  7. Run in time \(\tilde{T}_{{\mathsf {NM}}}\) to extract the value \(\tilde{{s_0}}_i\) from the non-malleable commitment sent by \({\mathcal {A}}\) in the i-th session. Output 1 if \(f(\tilde{{s_0}}_i\oplus \tilde{{s_1}}_i)=\tilde{Y}_i\) and output 0 otherwise.

The proof ends with the observation that if \({\mathcal {C}}_{\mathsf {LS}}\) has used \(w_0=(\perp ,\perp ,s_0,\rho )\) as a witness then \({\mathcal {A}}\) acts as in \({\mathcal {H}}_3^m(z)\), sending with non-negligible probability two shares such that the xor of them gives a puzzle solution. If \({\mathcal {C}}_{\mathsf {LS}}\) has used \(w_1=(m,\sigma ,\perp ,\perp )\) then the xor of the two shares is with overwhelming probability different from a puzzle solution as in \({\mathcal {H}}_2^m(z)\).

The next hybrid experiment that we consider is \({\mathcal {H}}_3^0(z)\). The only difference between this hybrid experiment and \({\mathcal {H}}_3^m(z)\) is that the sender, using \({\mathsf {NI}}\), commits to the message \(0^\lambda \) instead of m.

\(\varvec{{\mathcal {H}}_3^0(z).}\)

  • Left session:

    1. First round.

      1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
      1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
      1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
      1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

    2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:

      2.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
      2.2. Set \({s_1}={s_0} \oplus y\).
      2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
      2.4. Compute \((\mathtt {com},\mathtt {dec})=\underline{\mathsf {NISen}(0^\lambda ;\sigma )}\).
      2.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, {\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
      2.6. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  • Right sessions: act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

We now prove the following properties.

  1. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^0\), for any \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

  2. For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^0_3}^{\mathcal {A}}(z)\).

Lemma 6

Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^0\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).

Proof

Suppose by contradiction that there exists a right session \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) in which \({\mathcal {A}}\) commits, using \(\varPi _{{\mathsf {NM}}}\), to a string \(\tilde{s_0}_i\) such that \(f(\tilde{{s_0}}_i\oplus \tilde{{s_1}}_i)=\tilde{Y}_i\). Then we can construct an adversary \({\mathcal {A}}_{\mathsf {NI}}\) that breaks the hiding property of the non-interactive commitment scheme \({\mathsf {NI}}\). Let \({\mathcal {C}}_{\mathsf {NI}}\) be the challenger that on input \(m_0=0^\lambda \) and \(m_1=m\), picks a random bit b, computes \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m_b;\sigma )\) and sends \(\mathtt {com}\) to \({\mathcal {A}}_{\mathsf {NI}}\).

Before describing \({\mathcal {A}}_{\mathsf {NI}}\) we need to consider, as in the proof of Lemma 1, a machine \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) that internally executes \({\mathcal {A}}\), and interacts with a receiver \(\mathsf {Rec}_\mathsf {ext}\) of the protocol \(\varPi _{{\mathsf {NM}}}\) acting as the sender.

\(\varvec{{\mathcal {S}}_{\mathsf {n\rightarrow 1}}}(\mathtt {com}, \varphi , z)\) Run \({\mathcal {A}}\) using randomness \(\varphi \).

  1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).

  2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).

  3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).

  4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

  5. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:

    5.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
    5.2. Set \({s_1}={s_0} \oplus y\).
    5.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
    5.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com},{\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) with \(|x|=\ell \). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
    5.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  6. Let \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) be the right session that contradicts the claim. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}_3^0(z)\). Run \(\mathsf {MMRec}_i\) as follows.

    6.1. Upon receiving the 1st round of the i-th right session \((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {a}}_{{\mathsf {LS}}_i})\) from \({\mathcal {A}}\), send \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to the external receiver \(\mathsf {Rec}_\mathsf {ext}\).
    6.2. Upon receiving \(\mathsf {\tilde{c}_{{\mathsf {NM}}_i}}\) from \(\mathsf {Rec}_\mathsf {ext}\), run as follows:
      i. Run \({\mathcal {V}}\) to obtain \(\mathsf {\tilde{c}_{LS_i}}\).
      ii. Pick a random \(\tilde{Y}_i\).
      iii. Send \((\mathsf {\tilde{c}_{{{\mathsf {NM}}}_i}},\mathsf {\tilde{c}_{{\mathsf {LS}}_i}},\tilde{Y}_i)\) to \({\mathcal {A}}\).
    6.3. Upon receiving the 3rd round of the i-th right session \((\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i},\tilde{\mathtt {com}}_i,\tilde{\mathsf {z}}_{{\mathsf {LS}}_i},\tilde{s_1}_i)\), set \(\tilde{x}=\big ((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}), \tilde{Y}_i, \tilde{s_1}_i, \tilde{\mathtt {com}}_i, \tilde{{\mathtt {id}}}\big )\) and abort iff \((\tilde{\mathsf {a}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {z}}_{{\mathsf {LS}}_i})\) is not accepted by \({\mathcal {V}}\) with respect to \(\tilde{x}\).
    6.4. Send \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).

Now we can conclude the proof of this lemma by describing how \({\mathcal {A}}_{\mathsf {NI}}\) works. \({\mathcal {A}}_{\mathsf {NI}}\) runs the extractor of the protocol \(\varPi _{{\mathsf {NM}}}\) using \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) as sender (recall that an extractor of \(\varPi _{{\mathsf {NM}}}\) plays only having access to a sender of \(\varPi _{{\mathsf {NM}}}\)). Since the extractor outputs the committed message with non-negligible probability, \({\mathcal {A}}_{\mathsf {NI}}\) retrieves \(\tilde{s_0}_i\). Moreover \({\mathcal {A}}_{\mathsf {NI}}\) gets \(\tilde{s_1}_i\) by reconstructing the view of \({\mathcal {A}}\) using the randomness \(\varphi \). Since by assumption \({\mathcal {A}}\) contradicts the claim of this lemma, \({\mathcal {A}}_{\mathsf {NI}}\) can break the hiding of \({\mathsf {NI}}\): indeed \(f(\tilde{s_0}_i \oplus \tilde{s_1}_i)=\tilde{Y}_i\) holds with non-negligible probability in \({\mathcal {H}}_3^0(z)\), where \(m_0=0^\lambda \) is committed in \(\mathtt {com}\), while it holds only with negligible probability in \({\mathcal {H}}_3^m(z)\), where \(m_1=m\) is committed. Therefore if this happens, \({\mathcal {A}}_{\mathsf {NI}}\) outputs 0, otherwise \({\mathcal {A}}_{\mathsf {NI}}\) outputs a random bit.

Lemma 7

For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}_3^m}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}_3^0}^{\mathcal {A}}(z)\).

Proof

Suppose by contradiction that there exist a distinguisher \({\mathcal {D}}\) and an adversary \({\mathcal {A}}\) such that \({\mathsf {mim}}_{{\mathcal {H}}_3^m}^{\mathcal {A}}(z)\) is distinguishable from \({\mathsf {mim}}_{{\mathcal {H}}_3^0}^{\mathcal {A}}(z)\). Then we can construct an adversary \({\mathcal {A}}_{\mathsf {NI}}\) that breaks the hiding property of the non-interactive commitment scheme \({\mathsf {NI}}\). Let \({\mathcal {C}}_{\mathsf {NI}}\) be the challenger that on input \(m_0=0^\lambda \) and \(m_1=m\), picks a random bit b, computes \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m_b;\sigma )\) and sends \(\mathtt {com}\) to \({\mathcal {A}}_{\mathsf {NI}}\). Before describing \({\mathcal {A}}_{\mathsf {NI}}\), we consider the following experiment \({\mathcal {E}}_{m_b}(\varphi ,\mathtt {com},z)\).

\(\varvec{{\mathcal {E}}_{m_b}(\varphi , \mathtt {com}, z).}\)

The randomness required by all of the following steps is taken from \(\varphi \).

  • Run \({\mathcal {A}}(z)\).

  • Left session:

    1. First round.

      1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).

      1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).

      1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(\ell ; \alpha )\).

      1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).

    2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:

      2.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).

      2.2. Set \({s_1}={s_0} \oplus y\).

      2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).

      2.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, {\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).

      2.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).

  • Right sessions: Act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).

Now we are ready to describe the adversary \({\mathcal {A}}_{\mathsf {NI}}\) for the hiding of \({\mathsf {NI}}\). \({\mathcal {A}}_{\mathsf {NI}}\) executes the following steps.

  1. Let M be an empty tuple. \({\mathcal {A}}_{\mathsf {NI}}\) runs \(\varvec{{\mathcal {E}}_{m_b}(\varphi , \mathtt {com}, z)}.\)

  2. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}_{\mathsf {NI}}\) runs the extractor of LS on the i-th right session of the execution of \(\varvec{\mathcal {E}_{m_b}(\varphi , \mathtt {com}, z)}\) obtaining \(\tilde{m}_i\) and adds it to M.

  3. Using the randomness \(\varphi \), \({\mathcal {A}}_{\mathsf {NI}}\) reconstructs the view of \({\mathcal {A}}\) in the execution of \(\varvec{\mathcal {E}_{m_b}(\varphi , \mathtt {com}, z)}\). Use such view and M as input to \(\mathcal {D}\).

  4. Output what \(\mathcal {D}\) outputs.

The proof ends with the observation that if \(\mathcal {C}_{\mathsf {NI}}\) has committed to \(0^\lambda \) then the view of \({\mathcal {A}}\) and the distribution of the committed messages coincide with \({\mathcal {H}}_3^0(z)\), otherwise they coincide with \({\mathcal {H}}_3^m(z)\).
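The step that both \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) (steps 5.1 and 5.2) and \({\mathcal {E}}_{m_b}\) (steps 2.1 and 2.2) share is the puzzle inversion: the simulator spends time \(T_f\) to find y with \(Y=f(y)\), then sets \(s_1=s_0\oplus y\) so that the second OR-branch of the LS statement, \(Y=f(s_0\oplus s_1)\), holds without any knowledge of the committed message. The following Python block is an added illustration of that mechanism and is not code from the paper. It replaces the paper's one-way permutation on \(\{0,1\}^\lambda \) with a constructed toy stand-in (SHA-256 truncated to 16 bits, which is merely a one-way function at a scale where brute force is feasible, i.e. \(T_f=2^{16}\)); the function names `invert_puzzle`, `simulator_shares`, `honest_sender_shares` and `trapdoor_branch_holds` are this example's own.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example): the paper's puzzle is Y = f(y)
# for a one-way permutation f on {0,1}^lambda that the simulator inverts in
# time T_f. Here the domain is {0,1}^K with K = 16, so T_f = 2^16 evaluations.
K = 16


def f(x: int) -> int:
    """Stand-in for the one-way permutation f: SHA-256 truncated to K bits.

    At this size it is only a one-way *function*, not a permutation; it is
    enough to show the mechanics of the shares s0, s1 and of the check
    Y = f(s0 XOR s1) used by the second branch of the LS statement.
    """
    digest = hashlib.sha256(x.to_bytes(K // 8, "big")).digest()
    return int.from_bytes(digest[: K // 8], "big")


def invert_puzzle(Y: int) -> int:
    """Step 5.1 of S_{n->1} / step 2.1 of E_{m_b}: 'run in time T_f to compute
    y such that Y = f(y)'. Exhaustive search over the 2^K-element domain."""
    for y in range(1 << K):
        if f(y) == Y:
            return y
    raise ValueError("Y is not in the image of f")


def honest_sender_shares() -> tuple:
    """What a real (polynomial-time) sender can do: it does not know y, so
    both shares are random and the trapdoor branch holds only by accident.
    The honest sender therefore proves the first branch (knowledge of the
    message in com) instead."""
    return secrets.randbits(K), secrets.randbits(K)


def simulator_shares(Y: int) -> tuple:
    """Steps 5.1-5.2 / 2.1-2.2: invert the puzzle and set s1 = s0 XOR y so that
    f(s0 XOR s1) = Y. No knowledge of the committed message m is needed."""
    s0 = secrets.randbits(K)
    y = invert_puzzle(Y)
    return s0, s0 ^ y


def trapdoor_branch_holds(Y: int, s0: int, s1: int) -> bool:
    """The 'Y = f(s0 XOR s1)' clause of the OR-statement (the same clause
    appears in L_CaP in Sect. 4.1) checked by the relation."""
    return f(s0 ^ s1) == Y


if __name__ == "__main__":
    y = secrets.randbits(K)
    Y = f(y)  # the puzzle received together with the 2nd-round message
    print("simulator satisfies trapdoor branch:",
          trapdoor_branch_holds(Y, *simulator_shares(Y)))
    print("honest sender satisfies trapdoor branch:",
          trapdoor_branch_holds(Y, *honest_sender_shares()))
```

The contrast between `simulator_shares` and `honest_sender_shares` is exactly the point of the discussion of quasi-polynomial-time simulation in Sect. 4.1: only a party that can afford \(T_f\) work can make the second branch true, so real senders never rely on it, while the simulator (and the reduction in the hybrids) uses it to decouple the proof from the committed message.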

Fig. 3. The simulator \(S\).

The entire security proof now is almost over because we have proved that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) the following relation holds:

$$\begin{aligned}{\begin{matrix} \{{\mathsf {mim}}_\mathsf {\Pi _{MMCom}}^{{\mathcal {A}},m }(z)\}_{z\in \{0,1\}^\star }= \{{\mathsf {mim}}_{{\mathcal {H}}_1^m}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } \approx \{{\mathsf {mim}}_{{\mathcal {H}}_2^m}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } \approx \\ \{{\mathsf {mim}}_{{\mathcal {H}}_3^m}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } \approx \{{\mathsf {mim}}_{{\mathcal {H}}_3^0}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } \approx \{{\mathsf {mim}}_{{\mathcal {H}}_2^0}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } \approx \\ \qquad \qquad \qquad \{{\mathsf {mim}}_{{\mathcal {H}}_1^0}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star } =\{{\mathsf {sim}}^S_\mathsf {\Pi _{MMCom}}(1^\lambda ,z)\}_{z\in \{0,1\}^\star }. \end{matrix}}\end{aligned}$$

We observe that in this proof we had to consider a delayed-input version of our commitment scheme. Indeed, the sender can choose the message m to be committed by sending the non-interactive commitment \(\mathtt {com}\) of the message m in the 3rd round. It is easy to see that the same security proof still works when the non-interactive commitment is sent in the 1st round, but then clearly the delayed-input property is lost.

4 More Protocols Against Concurrent MiM Attacks

In this section we show 3-round arguments of knowledge and identification schemes that are secure against concurrent MiM attacks.

4.1 Non-Malleable WI Arguments of Knowledge

Our concurrent NM commitment scheme, when instantiated without session ids, can be used to obtain almost directly a commit-and-prove AoK. Recall that in our scheme there is a non-interactive commitment \(\mathtt {com}\) of m and then the rest of the protocol is an AoK. This AoK is used by the sender to claim that either he knows the message committed in \(\mathtt {com}\), or he committed through \(\varPi _{{{\mathsf {NM}}}}\) to a share \(s_0\) that allows one to compute the solution of the puzzle.

In order to be fully compliant with the notion of commit-and-prove AoK, we just need to make a trivial change to the statement of the LS subprotocol. Given an instance \(x\in L\) and a witness w, the prover of our commit-and-prove AoK uses the non-interactive commitment to commit to w, and uses the rest to prove that either he knows the committed message w, which moreover is a witness for \(x\in L\), or, again, he committed through \(\varPi _{{{\mathsf {NM}}}}\) to a share \(s_0\) that allows one to compute the solution of the puzzle.

More formally, we define a commit-and-prove AoK \(\mathsf {\Pi }_\mathsf {CaP}=({\mathcal {P}}_\mathsf {CaP},{\mathcal {V}}_\mathsf {CaP})\) that corresponds to our concurrent NM commitment scheme with some minimal changes. First, \({\mathcal {P}}_\mathsf {CaP}\) and \({\mathcal {V}}_\mathsf {CaP}\) have as a common input an instance \(x\in L\), where L is an NP-language. Second, \({\mathcal {P}}_\mathsf {CaP}\) has as private input w such that \((x,w)\in {\mathsf {Rel}}_\mathsf {L}\). Third, \({\mathcal {P}}_\mathsf {CaP}\) runs \(\mathsf {MMSen}\) on w, while \({\mathcal {V}}_\mathsf {CaP}\) runs \(\mathsf {MMRec}\) with the exception of running \({\mathsf {LS}}\) for the statement:

$$\begin{aligned}{\begin{matrix} L_\mathsf {CaP}=\big \{\big (x,(a, c, z), Y,{s_1},\mathtt {com}, \mathtt {id}\big ): (\exists \ (w,\sigma )\ \text {s.t.}\ \mathtt {com}=\mathsf {NISen}(w;\sigma )\ \mathtt {AND}\ (x,w)\in {\mathsf {Rel}}_\mathsf {L})\\ \mathtt {OR}\ \big (\exists (\rho ,{s_0})\ \text {s.t.}\ a=\mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0};\rho )\ \mathtt {AND}\ z=\mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},c,{s_0};\rho )\ \mathtt {AND}\ Y=f(s_0\oplus s_1) \big ) \big \} \end{matrix}}\end{aligned}$$

that is WI for the corresponding NP relation \({\mathsf {Rel}}_\mathsf {L_\mathsf {CaP}}\).

Theorem 3

Suppose there exist OWPs w.r.t. subexponential-time adversaries, then \(\mathsf {\Pi }_\mathsf {CaP}\) is a 3-round concurrent NMWI argument of knowledge.

Proof

The proof of this theorem is pretty straightforward given the previous proof for the concurrent non-malleability of our commitment scheme, therefore here we just point out the main intuition.

First of all, \(\mathsf {\Pi }_\mathsf {CaP}\) is clearly a commit-and-prove AoK. Indeed, there exists a commitment of the witness and there is an AoK proving that the committed message is a witness. In order to see this, notice that for any ppt malicious prover succeeding with non-negligible probability in proving a statement \(x\in L\), the extractor of \({\mathsf {LS}}\) (of course this needs to be run against an augmented machine) would return (in expected polynomial time and with overwhelming probability) the committed witness, since otherwise it would return a share \(s_0\) that combined with \(s_1\) allows one to invert the OWP in polynomial time.

We can now focus on the concurrent NMWI property, and we can assume (by contradiction) that the adversary succeeds in encoding in the right sessions witnesses that are related to the witnesses encoded in the left sessions. Notice that the proof is almost identical to the one of Theorem 2. We can indeed prove the case of one prover and multiple verifiers (i.e., one-many), and then we can apply the fact that any one-many NMWIAoK is also a concurrent NMWIAoK. Indeed this was used in [34] and follows similar arguments given in [30, 42]. For the one-many case we can therefore follow the proof of Theorem 2 with the following trivial change. Instead of running hybrid experiments starting with a message m and ending with a message 0, in the proof of one-many concurrent NMWI we start with a witness \(w_0\) and end with a witness \(w_1\). Everything else remains untouched and all the reductions work directly.

\(\mathsf {\Pi }_\mathsf {CaP}\) can be instantiated to be public-coin and delayed-input, precisely as our concurrent NM commitment scheme. While what we discussed above applies to arguments only, techniques to obtain proofs can be found in [8].

Instances with Just One Witness and Non-Transferability. Recall that the definition of NMWI considers two experiments that differ only on the witness used by the prover. Therefore it is unclear which security is given by a NMWIAoK when the instance has only one witness. In order to understand the security guaranteed by \(\mathsf {\Pi }_\mathsf {CaP}\) in such a case, consider the proof of concurrent NMWI, and thus, in turn, consider the proof of concurrent non-malleability of our commitment scheme. Notice that while the sequence of hybrids goes from an experiment where the committed message is m to an experiment where the committed message is 0, there is an experiment \({\mathcal {H}}_3(\cdot ,z)\) in which the committed message is irrelevant. Indeed, the entire execution is based on inverting the OWP, on encrypting the result through the shares \(s_0\) and \(s_1\), and on using this witness in the execution of \({\mathsf {LS}}\). This experiment can be seen as the execution of a quasi-polynomial time simulator that breaks the puzzle following the approach of [39]. Therefore, following the same observations of [39, 40] on the security offered by quasi-polynomial time simulation, our concurrent NMWIAoK, even for instances with just one witness, would not help the adversary in proving a statement whose witness is much harder to compute than breaking the puzzle.

The above discussion explains also the non-transferability flavor of \(\mathsf {\Pi }_\mathsf {CaP}\). Indeed, at first sight, a MiM attack of an adversary \({\mathcal {A}}\) to an AoK should be an attempt of \({\mathcal {A}}\) to transfer the proof that it gets from the prover to a verifier. As such, an AoK that is secure against concurrent MiM attacks should provide some non-transferability guarantee. Since the success of \({\mathcal {A}}\) during a MiM attack can be replicated without a MiM attack by a quasi-polynomial time simulator, we have that \(\mathsf {\Pi }_\mathsf {CaP}\) guarantees non-transferability whenever computing the witnesses for the considered instances is assumed to be harder than breaking the puzzle.

NMWI for NMZK in the Bare Public-Key (BPK) Model. In [34] it is shown that a concurrent NMWIAoK \(\varPi \) gives directly a concurrent NMZKAoK in the BPK model. The construction is straightforward as it just consists of running \(\varPi \) twice, first from the verifier to the prover (proving knowledge of one out of two secrets) and then from the prover to the verifier (proving knowledge of either a witness for \(x\in L\) or of one out of the two secrets of the verifier). Our construction from Theorem 3 when combined with the construction of [34] gives a candidate round-efficient concurrent NMZKAoK in the BPK model.

4.2 Identification Schemes

We show here a 3-round identification scheme secure against concurrent MiM attacks following the concept of proving knowledge of a secret.

Identification Schemes Based on Proving Knowledge of a Secret. The importance of this setting was for instance discussed in [9] mentioning the following example. Consider a verifier \({\mathcal {V}}\) that provides a service to a restricted group of provers \({\mathcal {P}}\). A malicious prover \({\mathcal {P}}^\star \) could give to another party B that is not part of the group some partial information about his secret that is sufficient for B to obtain the service from \({\mathcal {V}}\), while B still does not know \({\mathcal {P}}^\star \)’s secret. The paradigm of proving knowledge of a secret in an identification scheme allows one to prevent attacks like the one just described. When the identification scheme consists in proving knowledge of a secret, the sole fact that B convinces \({\mathcal {V}}\) is sufficient to claim that one can extract the whole secret from B. This implies that B obtained \({\mathcal {P}}^\star \)’s secret corresponding to his identity, and thus B is actually \({\mathcal {P}}^\star \).

We give a security definition that considers concurrent MiM attacks similarly to the definition CR2 (concurrent-reset on-line) of [2]. The definition of [2] also includes possible reset attacks in addition to allowing \({\mathcal {A}}\) to invoke multiple concurrent executions of the prover in the left sessions while \({\mathcal {A}}\) is interacting with the verifier. In the remaining part of this section we will ignore reset attacks since they are outside the scope of our work. As described in [25], in most network-based settings reset attacks are not an issue. Following the notation of [25] we now give a formal security definition for an identification scheme.

Definition 4

Let \(\varPi =(\mathcal {K},{\mathcal {P}},{\mathcal {V}})\) be a tuple of ppt algorithms. We say \(\varPi \) is an identification scheme secure against MiM attacks if the following two properties hold. (1) Correctness. For all \((\mathsf{pk},\mathsf{sk})\leftarrow \mathcal {K}(1^\lambda )\), \(\text{ Prob }\left[ \;\langle {\mathcal {P}}(\mathsf{sk}), {\mathcal {V}}\rangle (\mathsf{pk})=1\;\right] =1.\) (2) Security. For all ppt adversaries \({\mathcal {A}}\) there exists a negligible function \(\nu \) such that \(\text{ Prob }\left[ \;(\mathsf{pk},\mathsf{sk})\leftarrow \mathcal {K}(1^\lambda ):\langle {\mathcal {A}}^{{\mathcal {P}}(\mathsf{sk})}, {\mathcal {V}}\rangle (\mathsf{pk})=1 \texttt { AND }\ \tau \ \notin T\;\right] <\nu (\lambda ),\) where \({\mathcal {A}}\) has oracle access to a stateful (i.e., non-resettable) \({\mathcal {P}}(\mathsf{sk})\), T is defined as the set of transcripts of the interactions between \({\mathcal {P}}(\mathsf{sk})\) and \({\mathcal {A}}\), and \(\tau \) is defined as the transcript of one of the interactions between \({\mathcal {A}}\) and \({\mathcal {V}}\). All interactions can be arbitrarily interleaved and \({\mathcal {A}}\) controls the scheduling of the messages.
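The clause \(\tau \notin T\) is what separates a genuine break from a pure relay: an adversary that simply forwards messages between \({\mathcal {P}}(\mathsf{sk})\) and \({\mathcal {V}}\) makes \({\mathcal {V}}\) accept, but the accepted transcript \(\tau \) is then literally one of the left transcripts in T and is not counted. The following Python block is an added model of the experiment of Definition 4 and is not code from the paper. Because \(\mathsf {\Pi }_\mathsf {CaP}\) cannot be reproduced here, it uses a constructed Schnorr-style 3-round proof of knowledge over a 23-element toy group as a stand-in protocol (offering no real security, and in particular no non-malleability; the point is the bookkeeping of T and \(\tau \), not the stand-in); the classes `Prover`, `RecordingOracle`, `Verifier` and the functions `mim_experiment`, `relay_adversary` and `correctness` are this example's own names.

```python
import secrets

# Toy group for the stand-in proof of knowledge (constructed, no real security):
# p = 23, q = 11, and g = 4 generates the order-11 subgroup of Z_23^*.
P, Q, G = 23, 11, 4


def keygen() -> tuple:
    """K(1^lambda) of the toy scheme: pk = g^sk. (The paper's K_ID instead
    outputs (f(sk_0), f(sk_1)) and sk_b; only the experiment matters here.)"""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


class Prover:
    """Stateful, non-resettable P(sk): each session id gets fresh randomness
    and answers exactly one challenge, so A cannot rewind it."""

    def __init__(self, sk: int):
        self.sk = sk
        self._open = {}

    def round1(self, sid) -> int:
        r = secrets.randbelow(Q - 1) + 1
        self._open[sid] = r
        return pow(G, r, P)

    def round3(self, sid, c: int) -> int:
        r = self._open.pop(sid)  # KeyError on reuse: no resets allowed
        return (r + c * self.sk) % Q


class RecordingOracle:
    """Oracle access to P(sk) as in Definition 4: every completed left
    interaction (a, c, z) between A and P(sk) is added to the set T."""

    def __init__(self, prover: Prover):
        self.prover = prover
        self.T = set()
        self._first = {}

    def round1(self, sid) -> int:
        a = self.prover.round1(sid)
        self._first[sid] = a
        return a

    def round3(self, sid, c: int) -> int:
        z = self.prover.round3(sid, c)
        self.T.add((self._first.pop(sid), c, z))
        return z


class Verifier:
    """V(pk): picks the challenge, checks g^z = a * pk^c, and hands back the
    transcript tau of its own interaction with whoever talked to it."""

    def __init__(self, pk: int):
        self.pk = pk
        self.a = None
        self.c = None

    def round2(self, a: int) -> int:
        self.a = a
        self.c = secrets.randbelow(Q)
        return self.c

    def round3(self, z: int) -> tuple:
        ok = pow(G, z, P) == (self.a * pow(self.pk, self.c, P)) % P
        return ok, (self.a, self.c, z)


def mim_experiment(adversary) -> tuple:
    """Security experiment of Definition 4. Returns (accepted, fresh): A wins
    only when V accepts AND tau is not one of the transcripts in T."""
    pk, sk = keygen()
    oracle = RecordingOracle(Prover(sk))
    verifier = Verifier(pk)
    accepted, tau = adversary(pk, oracle, verifier)
    return accepted, tau not in oracle.T


def relay_adversary(pk, oracle, verifier) -> tuple:
    """Pure MiM relay: forwards a to V, V's challenge to P(sk), P's answer
    to V. V accepts, but tau is in T, so the experiment does not count it."""
    a = oracle.round1("left-1")
    c = verifier.round2(a)
    z = oracle.round3("left-1", c)
    return verifier.round3(z)


def correctness() -> bool:
    """Property (1): an honest P(sk) talking directly to V(pk) is accepted."""
    pk, sk = keygen()
    prover, verifier = Prover(sk), Verifier(pk)
    a = prover.round1("s")
    c = verifier.round2(a)
    ok, _ = verifier.round3(prover.round3("s", c))
    return ok
```

Running `mim_experiment(relay_adversary)` yields `(True, False)`: the verifier accepts, yet the transcript is a copy of a recorded left session and so is excluded by \(\tau \notin T\). Note that the toy stand-in is itself trivially malleable once the adversary changes any message (it is a plain Schnorr-style proof), which is precisely the gap that the concurrent NMWI property of \(\mathsf {\Pi }_\mathsf {CaP}\) closes in the construction that follows.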

Identification Scheme from NMWI. Our construction \({{\varPi _\mathsf {ID}}}=({\mathcal {K}}_{\mathsf {ID}},{\mathcal {P}}_{\mathsf {ID}},{\mathcal {V}}_{\mathsf {ID}})\) follows the approach of [9, 34]. Let \(\lambda \) be the security parameter and let \(f:\{0,1\}^\lambda \rightarrow \{0,1\}^\lambda \) be a OWP. The public key of \({\mathcal {P}}_{\mathsf {ID}}\) is the pair \((\mathsf {pk_0},\mathsf {pk_1})\), the secret key is \(\mathsf{sk}_b\) for a randomly chosen bit b, such that \(\mathsf {pk_b} = f(\mathsf{sk}_b)\). Therefore the algorithm \({\mathcal {K}}_{\mathsf {ID}}\) takes as input the security parameter and outputs \(((\mathsf {pk_0},\mathsf {pk_1}),\mathsf{sk}_b)\) as described above. The protocol simply consists of \({\mathcal {P}}_{\mathsf {ID}}\) running our 3-round concurrent NMWIAoK \(\mathsf {\Pi }_\mathsf {CaP}\) with \({\mathcal {V}}_{\mathsf {ID}}\) to prove that it knows the pre-image of either \(\mathsf {pk_0}\) or \(\mathsf {pk_1}\). Formally, let \(L_{\mathtt {id}}\) be the following language \(L_{\mathtt {id}}= \{(y_0,y_1): \exists \ x\ \in \{0,1\}^\lambda \) such that \(y_0= f(x)\) \(\vee \ y_1= f(x) \}\); then the identification scheme consists of \({\mathcal {P}}_{\mathsf {ID}}\) proving the statement \((\mathsf {pk_0},\mathsf {pk_1})\in L_{\mathtt {id}}\) using \(\mathsf {\Pi }_\mathsf {CaP}\).

Theorem 4

Assuming the existence of OWPs w.r.t. subexponential-time adversaries, there is an identification scheme secure against concurrent MiM attacks.

The proof is again straightforward. If a PPT \({\mathcal {A}}\) succeeds, then concurrent NMWI of \(\mathsf {\Pi }_\mathsf {CaP}\) guarantees that the witness that he encoded in the proof is independent of the one encoded in the proofs given by \({\mathcal {P}}\). Therefore by using the AoK property of \(\mathsf {\Pi }_\mathsf {CaP}\) we can invert f with non-negligible probability.

5 Concurrent Malleability of [21]

Here we briefly explain the intuition behind the fact that the 3-round NM commitment scheme \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}},{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) of [21] is malleable with respect to a concurrent MiM attack. We use ideas from [16]. We describe a succeeding concurrent MiM adversary \({\mathcal {A}}\) along with a distinguisher \({\mathcal {D}}\). We will refer to a NM commitment of the message m using the scheme \(\varPi _{{\mathsf {NM}}}\) as \(\mathsf {nmcom}(m)\). We stress that \(\mathsf {nmcom}(m)\) is the result of a 3-round interaction between the sender \({\mathsf {Sen}_{\mathsf {NM}}}\) and the receiver \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\). We start by describing the high-level idea of the protocol \(\varPi _{{\mathsf {NM}}}\). In the 1st round a left-state \(\mathsf {L}\) is computed using a special split-state non-malleable code. Let \(n=|\mathsf {L}|\). Then a non-interactive commitment \(\mathtt {com}_\mathsf {L}\) of \(\mathsf {L}\) is sent in the 1st round, while in the 3rd round the sender computes the right-state \(\mathsf {R}\) corresponding to the message m and sends it in the clear. In parallel there is also a PoK of the message \(\mathsf {L}\) committed in \(\mathtt {com}_\mathsf {L}\). This PoK can be seen as a PoK of each bit of \(\mathsf {L}\). Therefore there are n PoKs where the j-th proof is used to prove knowledge of the bit \(\mathsf {L}_j\) of \(\mathsf {L}\).

The actual scheme of [21] is more sophisticated than what we have just described: there are various other components, but they have no impact on the work done by our \({\mathcal {A}}\), so we will omit them from this short description. Essentially, we will show here that a simplified version of the scheme of [21] is concurrently malleable. However, all our arguments apply to their full scheme.

The proposed adversary \({\mathcal {A}}\) interacts with one sender \({\mathsf {Sen}_{\mathsf {NM}}}\) in the left session and with many receivers \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_1,\dots ,{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_{{\mathsf {poly}}(\lambda )}\) in the right sessions. The behavior of \({\mathcal {A}}\) in the left and right sessions can be summarized as follows.

Left Session. \({\mathsf {Sen}_{\mathsf {NM}}}\) computes the 1st round of \(\varPi _{{\mathsf {NM}}}\) as follows. First, he computes \(\mathsf {L}\), then he computes a perfectly binding commitment \(\mathtt {com}_{\mathsf {L}}\) of \(\mathsf {L}\) and computes n PoKs, one for each bit of the message committed in \(\mathtt {com}_{\mathsf {L}}\). In the last round of \(\varPi _{{\mathsf {NM}}}\), \({\mathsf {Sen}_{\mathsf {NM}}}\) completes the n PoKs and sends \(\mathsf {R}\) to \({\mathcal {A}}\) such that the pair \((\mathsf {L},\mathsf {R})\) is a valid encoding of m according to the special non-malleable code. Hence in the left session \({\mathcal {A}}\) receives \(\mathtt {com}_{\mathsf {L}}\), \(\mathsf {R}\) and n PoKs, one for each bit of the string committed in \(\mathtt {com}_{\mathsf {L}}\), i.e., a PoK for each bit \(\mathsf {L}_j\) of \(\mathsf {L}\).

Fig. 4. The one-many MiM \({\mathcal {A}}\).

Right Sessions. In the right sessions \({\mathcal {A}}\) interacts with \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_1,\dots ,{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_{{\mathsf {poly}}(\lambda )}\) mauling the commitments received on the left. More specifically, it starts 2n right sessions where n of them should correspond to \(\mathsf {nmcom}(\mathsf {L}_1),\dots ,\mathsf {nmcom}(\mathsf {L}_n)\) such that \(\mathsf {L}=\mathsf {L}_1\dots \mathsf {L}_n\), and the other n sessions should correspond to invalid commitments (we refer to such commitments as \(\mathsf {nmcom}(\perp )\)).

More precisely, our adversary computes, for each bit \(\mathsf {L}_j\) of \(\mathsf {L}\), two NM commitments \(\mathsf {nmcom}(1^\lambda )\), \(\mathsf {nmcom}(0^\lambda )\) such that if \(\mathsf {L}_j=1\) then \(\mathsf {nmcom}(0^\lambda )\) is invalid, otherwise \(\mathsf {nmcom}(1^\lambda )\) is invalid. In order to poison one out of \(\mathsf {nmcom}(0^\lambda )\) and \(\mathsf {nmcom}(1^\lambda )\), \({\mathcal {A}}\) will rely on the PoK of \(\mathsf {L}_j\) received on the left. The PoK of \(\mathsf {L}_j\) will be plugged into the PoKs of \(\mathsf {nmcom}(0^\lambda )\) and into the PoKs of \(\mathsf {nmcom}(1^\lambda )\). More precisely, one of the n PoKs of \(\mathsf {nmcom}(0^\lambda )\) that corresponds to a PoK of the bit 0 will be replaced with the PoK of \(\mathsf {L}_j\). The same approach is applied when \({\mathcal {A}}\) computes \(\mathsf {nmcom}(1^\lambda )\), with the only difference that the PoK that \({\mathcal {A}}\) will replace corresponds to a PoK of a bit 1. In this way only one out of \(\mathsf {nmcom}(0^\lambda )\) and \(\mathsf {nmcom}(1^\lambda )\) still remains a valid commitment. In particular \(\mathsf {nmcom}(\mathsf {L}_j)\) will remain a valid commitment while \(\mathsf {nmcom}({1-\mathsf {L}_j})\) will be poisoned and thus will correspond to an invalid commitment (Fig. 4).

There is however a subtlety. Since the PoK played on the right is, for one component, copied from the PoK played on the left, it can be completed successfully only with constant probability, and the adversary has to abort the session if it can not complete the PoK. Therefore each of the above 2n right sessions could be repeated multiple times, but the total number of right sessions will still be polynomial in the security parameter. Finally, our distinguisher \({\mathcal {D}}\), given as input the committed bits \(\mathsf {L}_1,\dots , \mathsf {L}_n\) and \(\mathsf {R}\) contained in the view of \({\mathcal {A}}\), can easily recover the message m committed in the left interaction.