Abstract
The round complexity of commitment schemes secure against man-in-the-middle attacks has been the focus of extensive research for about 25 years. The recent breakthrough of Goyal et al. [22] showed that 3 rounds are sufficient for (one-left, one-right) non-malleable commitments. This result matches a lower bound of [41]. This state of affairs still leaves open the intriguing problem of constructing 3-round concurrent non-malleable commitment schemes.
In this paper we solve the above open problem by showing how to transform any 3-round (one-left, one-right) non-malleable commitment scheme (with some extractability property) into a 3-round concurrent non-malleable commitment scheme. Our transform makes use of complexity leveraging and, when instantiated with the construction of [22], gives a 3-round concurrent non-malleable commitment scheme from one-way permutations secure w.r.t. subexponential-time adversaries.
We also show a 3-round argument of knowledge and a 3-round identification scheme secure against concurrent man-in-the-middle attacks.
1 Introduction
Commitment schemes are fundamental in Cryptography. They require a sender to fix a message that cannot be changed anymore, but that will remain hidden from the receiver until the sender decides to reveal it.
In order to model modern real-world adversaries, commitment schemes have been proposed with additional security properties. Here we consider the intriguing question of constructing a scheme that remains secure against man-in-the-middle (MiM) attacks: a non-malleable (NM) commitment scheme [15].
Pass proved that NM commitmentsFootnote 1 require at least 3 rounds [41] when security is proved through a black-box reduction to a falsifiable (polynomial or subexponential time) hardness assumption. Instead, by weakening the security definition to admit an inefficient challenger, constructions of non-interactive NM commitments are known [38].
The round complexity of NM commitment schemes in the standard model has puzzled researchers for a long time. Starting from the construction of [15] that required a logarithmic number of rounds, various constant-round schemes were proposed [1, 19, 20, 28, 29, 42–44, 46], reducing the round complexity to 4 rounds [5, 11, 23] with respect to concurrent MiM attacks, a setting that corresponds to what can actually happen when sender and receiver are connected through a communication network like the Internet. In this much more interesting setting a MiM adversary receives multiple commitments from senders and sends his commitments to multiple receivers.
1.1 Towards 3-Round (Concurrent) NM Commitments
The existence of 3-round NM commitment schemes is an important question first because 3 is the best possible constant (in light of the lower bound of [41]), and second because 3 is the smallest number of rounds for a primitive that often makes use of commitment schemes: proofs of knowledge.
The importance of obtaining 3-round (and not just any constant-round) NM commitments motivated the very recent and innovative work of [22] that, by relying only on any non-interactive commitment scheme and exploiting the power of non-malleable codes in the split-state model, shows a 3-round NM commitment scheme. Interestingly, this construction is not claimed to be secure against concurrent man-in-the-middle attacks. Therefore the following natural and important question remains open.
Main Open Question: Can we construct a 3-round concurrent non-malleable commitment scheme matching the lower bound of [41]?
Other 3-Round Challenges. We list here 3 other interesting settings where no 3-round construction is known against concurrent MiM adversaries.
- ProofsFootnote 2 of knowledge are very useful in Cryptography. Despite their importance, there is no construction of a 3-round proof of knowledge (PoK) that is sufficiently secure under concurrent MiM attacks, since such attacks are in general extremely difficult to deal with. Even though constant-round constructions exist, the case of just 3 rounds has so far remained unsolved.
- In [27]Footnote 3 Lapidot and Shamir proposed a 3-round public-coin witness indistinguishable PoK for NP (the LS protocol) where the input (except its size) is needed only when playing the 3rd round. This special completeness property, named “delayed input” in [12, 13], has been used in many applications (e.g., [14, 24, 26, 48, 49] and in particular recently [11, 18, 24, 33]), and in [12, 13] it was considered for the OR composition of \(\varSigma \)-protocols instead of relying on LS. When a PoK is used as a sub-protocol the delayed-input feature is instrumental in giving a better round complexity to the external protocol. An additional feature of delayed-input protocols is that they allow a large part of the computation to be shifted to an off-line phase. Unfortunately the LS protocol and the PoKs of [12, 13] are not secure against concurrent MiM attacks, and this penalizes those applications where both round complexity and security against concurrent MiM attacks are important.
- We notice that identification schemes have often been proposed (e.g., [17]) through the paradigm of proving “knowledge” of a secretFootnote 4. Under this formulation there are constant-round constructions that are proven secure against concurrent MiM attacks [2]. However, no 3-round scheme known in the literature is proven secure in the presence of a concurrent MiM adversary.
1.2 Results of This Work
In this work we study 3-round commitment schemes in the presence of concurrent MiM attacks and positively solve the above open problems.
3-Round Concurrent NM Commitment Schemes. In the main result of this submission, we show a transform that on input any 3-round NM commitment schemeFootnote 5 gives a 3-round concurrent NM commitment scheme. The construction of [22] can be used to instantiate our transform, therefore obtaining a 3-round concurrent NM commitment scheme based on any one-way permutation secure against subexponential-time adversaries. Moreover our scheme (still when instantiated with the one of [22] and using a proper one-way permutation) is public coin and (if desiredFootnote 6) has the delayed-input property.
Our transform extends the security of the underlying commitment scheme to multiple receivers. It is known that this implies security also with multiple senders [30]. The crucial idea of our transform is to combine the underlying NM commitment scheme along with a one-time pad, to produce a commitment of a message that by itself, in case of a malleability attack, will have sufficient structure to be recognized by a distinguisher in the session in which it appears. Therefore a successful concurrent MiM even playing multiple commitments with multiple receivers will have to maul the underlying commitment scheme in at least one session. Since the message has sufficient structure with respect to that single session, we are able to translate the concurrent MiM attack into a non-concurrent MiM that violates the security of the underlying (non-concurrent) NM commitment scheme. We will implement the idea of committing to a message with structure by forcing a successful concurrent MiM to commit to the solution of a puzzle in at least one session. We will use complexity leveraging to show that the attack of the concurrent MiM is indistinguishable from the attack of a polynomial-time simulator that plays with receivers only.
Just for completeness, we also show an explicit concurrent MiM adversary \({\mathcal {A}}\) for the scheme of [21]. The crucial point here, following a technique of [16] is that the scheme of [21] allows \({\mathcal {A}}\) to spread the message committed by the honest sender over several commitments that the adversary sends to multiple receivers. The scheme presented in [22] is slightly different and became available after our work was already submitted, therefore when describing \({\mathcal {A}}\) we stick with [21].
3-Round Arguments of Knowledge and ID Schemes Against Concurrent MiM Attacks. Our 3-round concurrent NM commitment scheme is a commit-and-prove argument of knowledge (AoK). This means that one can see our scheme as a commitment followed by an AoK about the committed value. By applying a simple change to the statement of the underlying AoK we obtain a 3-round concurrent NM witness-indistinguishable AoK (concurrent NMWIAoK) a notion introduced in [34] and later on extended in [31]. We stress that the delayed-input and public-coin properties of our commitment scheme are preserved by our concurrent NMWIAoK.
In [34] it is shown how to get concurrent NM zero knowledge (NMZK) in the bare public-key (BPK) model [6] with just two executions of a concurrent NMWIAoK. Therefore we directly obtain a round-efficient concurrent NMZKAoK in the BPK model. By making use of delayed-input completeness the simulator can extend a main thread avoiding issues due to aborting adversaries as discussed in [36, 47].
Finally, we notice that one can get an identification scheme secure in the PoK sense in the concurrentFootnote 7 setting of [2] as well as under the stronger definition based on matching conversations of [3, 25] naturally extended to concurrent sessions. Following [9, 34], the key idea consists in using an identity that has two possible secrets such that knowledge of one witness does not allow to compute the other one in polynomial time. By using our implementation of a concurrent NMWIAoK for proving knowledge of a secret associated to such identity we obtain a 3-round identification scheme secure against concurrent MiM attacks.
Challenges for Future Work. The existence of OWPs is a standard falsifiable hardness assumption. Our scheme relies on a strengthening of this standard assumption w.r.t. subexponential-time adversaries. Notice that the lower bound of [41] still applies in case of subexponential-time hardness, therefore our 3-round concurrent non-malleable scheme is round optimal. Various natural and fascinating questions on commitments and proofs of knowledge remain open after our work and as such we think our results will motivate further research. Examples of open questions about concurrent NM commitments are the following: (1) the existence of 3-round schemes based on standard falsifiable hardness assumptions w.r.t. polynomial-time adversaries only; (2) the existence of 3-round schemes with black-box use of primitives; (3) the existence of practical schemes.
2 Notation, Definitions and Tools
We denote the security parameter by \(\lambda \) and use “|” as concatenation operator (i.e., if a and b are two strings then by a|b we denote the concatenation of a and b). For a finite set Q, \(x\leftarrow Q\) denotes the algorithm that chooses x from Q with uniform distribution. We use the abbreviation ppt, which stands for probabilistic polynomial-time. We use \({\mathsf {poly}}(\cdot )\) to indicate a generic polynomial function of the input.
A polynomial-time relation \({\mathsf {Rel}}\) (or polynomial relation, in short) is a subset of \(\{0, 1\}^*\times \{0,1\}^*\) such that membership of (x, w) in \({\mathsf {Rel}}\) can be decided in time polynomial in |x|. For \((x,w)\in {\mathsf {Rel}}\), we call x the instance and w a witness for x. For a polynomial-time relation \({\mathsf {Rel}}\), we define the NP-language \(L_{{\mathsf {Rel}}}\) as \(L_{{\mathsf {Rel}}}=\{x|\exists w: (x, w)\in {\mathsf {Rel}}\}\). Analogously, unless otherwise specified, for an NP-language L we denote by \({\mathsf {Rel}}_\mathsf {L}\) the corresponding polynomial-time relation (that is, \({\mathsf {Rel}}_\mathsf {L}\) is such that \(L=L_{{\mathsf {Rel}}_\mathsf {L}}\)).
Let A and B be two interactive probabilistic algorithms. We denote by \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\) the distribution of B’s output after running on private input \(\beta \) with A using private input \(\alpha \), both running on common input \(\gamma \). Typically, one of the two algorithms receives \(1^\lambda \) as input. A transcript of \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\) consists of the messages exchanged during an execution where A receives a private input \(\alpha \), B receives a private input \(\beta \) and both A and B receive a common input \(\gamma \). Moreover, we will refer to the view of A as the messages it received during the execution of \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\), along with its randomness and its input. We denote by \(A_r\) an algorithm A that receives r as randomness. We say that a protocol (A, B) is public coin if B sends to A random bits only.
A function \(\nu (\cdot )\) from non-negative integers to reals is called negligible if for every constant \(c > 0\) and all sufficiently large \(\lambda \in \mathbb {N}\) we have \(\nu (\lambda ) < \lambda ^{-c}\). Standard definitions of one-way permutations (OWPs), proof/argument systems, witness indistinguishability (WI) and proofs of knowledge, along with their strengthened versions secure against subexponential-time adversaries and adaptive-input selection, can be found in the full version of this work [10].
2.1 Commitment Schemes
Definition 1
(Commitment Scheme). Given a security parameter \(1^\lambda \), a commitment scheme \((\mathsf {Sen}, \mathsf {Rec})\) is a two-phase protocol between two ppt interactive algorithms, a sender \(\mathsf {Sen}\) and a receiver \(\mathsf {Rec}\). In the commitment phase \(\mathsf {Sen}\) on input a message m interacts with \(\mathsf {Rec}\) to produce a commitment \(\mathtt{com}\). In the decommitment phase, \(\mathsf {Sen}\) sends to \(\mathsf {Rec}\) a decommitment information \(\mathtt{d}\) such that \(\mathsf {Rec}\) accepts m as the decommitment of \(\mathtt {com}\).
Formally, we say that \({\mathtt {CS}}= (\mathsf {Sen}, \mathsf {Rec})\) is a perfectly binding commitment scheme if the following properties hold:
- Correctness:
  - Commitment phase. Let \(\mathtt{com}\) be the commitment of the message m (i.e., \(\mathtt{com}\) is the transcript of an execution of \({\mathtt {CS}}=(\mathsf {Sen},\mathsf {Rec})\) where \(\mathsf {Sen}\) runs on input a message m). Let \(\mathtt{d}\) be the private output of \(\mathsf {Sen}\) in this phase.
  - Decommitment phaseFootnote 8. \(\mathsf {Rec}\) on input m and \(\mathtt{d}\) accepts m as decommitment of \(\mathtt{com}\).
- Hiding [32]: for a ppt adversary \({\mathcal {A}}\) and a randomly chosen bit \(b\in \{0,1\}\), consider the following hiding experiment \(\mathsf {ExpHiding}^b_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )\):
  - Upon input \(1^\lambda \), the adversary \({\mathcal {A}}\) outputs a pair of messages \(m_0, m_1\) that are of the same length.
  - \(\mathsf {Sen}\) on input the message \(m_b\) interacts with \({\mathcal {A}}\) to produce a commitment of \(m_b\).
  - \({\mathcal {A}}\) outputs a bit \(b'\) and this is the output of the experiment.
  For any ppt adversary \({\mathcal {A}}\), there exists a negligible function \(\nu \) such that:
  $$\Big |\text{ Prob }\left[ \;\mathsf {ExpHiding}^0_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )=1\;\right] -\text{ Prob }\left[ \; \mathsf {ExpHiding}^1_{{\mathcal {A}},{\mathtt {CS}}}(\lambda )=1\;\right] \Big | <\nu (\lambda ).$$
- Binding: for every commitment \(\mathtt{com}\) generated during the commitment phase by a possibly malicious unbounded sender \(\mathsf {Sen}^\star \) interacting with an honest receiver \(\mathsf {Rec}\), there exists at most one message m that \(\mathsf {Rec}\) accepts as decommitment of \(\mathtt{com}\).
We also consider the definition of a commitment scheme where the hiding property still holds against an adversary \({\mathcal {A}}\) running in time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we will say that the commitment scheme is T-hiding. We will also say that a commitment scheme is \(\tilde{T}\)-breakable to specify that an algorithm running in time \(\tilde{T} = 2^{\lambda ^\beta }\), for some positive constant \(\beta < 1\), recovers the only message (if any) that can be successfully decommitted.
In the rest of the paper we also use a non-interactive commitment scheme with security parameter \(\lambda \). In this case we consider a commitment scheme as a pair of ppt algorithms \((\mathsf {NISen}, \mathsf {NIRec})\) where:
- \(\mathsf {NISen}\) takes as input \(( m; \sigma )\), where \(m \in \{0,1\}^{{\mathsf {poly}}({\lambda })}\) is the message to be committed and \(\sigma \leftarrow \{0,1\}^\lambda \) is the randomness, and outputs the commitment \(\mathtt {com}\) and the decommitment \(\mathtt {dec}\);
- \(\mathsf {NIRec}\) takes as input (\(\mathtt {dec}\), \(\mathtt {com}\), m) and outputs 1 if it accepts m as a decommitment of \(\mathtt {com}\) and 0 otherwise.
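The following is an added example, not part of the paper: the \((\mathsf {NISen}, \mathsf {NIRec})\) interface above, together with the hiding experiment of Definition 1, run against a hash-based commitment once with the randomness \(\sigma \) and once with \(\sigma \) dropped. It assumes SHA-256 behaves as a random oracle, so the toy scheme is hiding but only computationally (not perfectly) binding; it stands in for the interface, not for the perfectly binding \({\mathsf {NI}}\) the transform requires. The adversary, message pair and 128-bit parameter are constructed for the illustration.

```python
"""Added example (not from the paper): NISen/NIRec and Definition 1's hiding game.
Assumption: SHA-256 is a random oracle, so com = H(sigma | m) hides m when sigma is
uniform and the scheme is computationally (not perfectly) binding."""
import hashlib
import secrets
from typing import Callable, Tuple

LAMBDA = 128  # assumed security parameter in bits


def NISen(m: bytes, sigma: bytes) -> Tuple[bytes, bytes]:
    """Commit to m with randomness sigma: com = H(|sigma| | sigma | m), dec = sigma.
    The length prefix keeps (sigma, m) pairs unambiguous."""
    com = hashlib.sha256(len(sigma).to_bytes(2, "big") + sigma + m).digest()
    return com, sigma


def NIRec(dec: bytes, com: bytes, m: bytes) -> int:
    """Return 1 iff (dec, m) opens com, 0 otherwise."""
    expected, _ = NISen(m, dec)
    return 1 if secrets.compare_digest(expected, com) else 0


def commit_randomised(m: bytes) -> Tuple[bytes, bytes]:
    return NISen(m, secrets.token_bytes(LAMBDA // 8))  # sigma <- {0,1}^lambda


def commit_deterministic(m: bytes) -> Tuple[bytes, bytes]:
    return NISen(m, b"")  # the weak setting: sigma dropped


# An adversary is a pair (choose, guess): choose() -> (m0, m1), guess(com) -> b'.
def exp_hiding(b: int, commit: Callable, choose: Callable, guess: Callable) -> int:
    """One run of ExpHiding^b: commit to m_b, return the adversary's bit b'."""
    m0, m1 = choose()
    assert len(m0) == len(m1), "Definition 1 requires equal-length messages"
    com, _ = commit((m0, m1)[b])
    return guess(com)


def advantage(commit: Callable, choose: Callable, guess: Callable, trials: int = 64) -> float:
    """|Pr[ExpHiding^0 = 1] - Pr[ExpHiding^1 = 1]|, estimated over `trials` runs per bit."""
    p = [sum(exp_hiding(b, commit, choose, guess) for _ in range(trials)) / trials
         for b in (0, 1)]
    return abs(p[0] - p[1])


# Constructed adversary: recompute the commitment of m0 without randomness and compare.
M0, M1 = b"attack at dawn!!", b"attack at dusk!!"


def choose() -> Tuple[bytes, bytes]:
    return M0, M1


def guess_recompute(com: bytes) -> int:
    return 0 if secrets.compare_digest(NISen(M0, b"")[0], com) else 1


def opening_checks() -> Tuple[int, int]:
    """Correctness and (computational) binding sanity check: honest opening accepted,
    opening to the other message rejected."""
    com, dec = commit_randomised(M0)
    return NIRec(dec, com, M0), NIRec(dec, com, M1)


if __name__ == "__main__":
    print("advantage vs. deterministic commitment:", advantage(commit_deterministic, choose, guess_recompute))
    print("advantage vs. randomised commitment:  ", advantage(commit_randomised, choose, guess_recompute))
    print("opening checks (accept, reject):", opening_checks())
```

Without \(\sigma \) the recompute-and-compare adversary wins the experiment with advantage exactly 1; with a uniform \(\sigma \) its recomputation never matches and the advantage collapses to 0, which is the role the randomness \(\sigma \leftarrow \{0,1\}^\lambda \) plays in the definition.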
3-Round Extractable Commitment Schemes. Informally, a 3-round commitment scheme is extractable if there exists an efficient extractor that having black-box access to any efficient malicious sender \(\mathrm {ExCom}^{\star }\) that successfully performs the commitment phase, outputs the only committed string that can be successfully decommitted.
Definition 2
(3-Round Extractable Commitment Scheme [45]). A 3-round perfectly binding commitment scheme \({\mathtt {ExCS}}= (\mathrm {ExCom}, \mathrm {ExRec})\) is an extractable commitment scheme if given oracle access to any malicious sender \(\mathrm {ExCom}^{\star }\), there exists an expected ppt extractor \({\mathtt {Ext}}\) that outputs a pair \((\tau , \sigma ^{\star })\) such that the following properties hold:
- Simulatability: the simulated view \(\tau \) is identically distributed to the view of \(\mathrm {ExCom}^{\star }\) (when interacting with an honest \(\mathrm {ExRec}\)) in the commitment phase.
- Extractability: there exists no decommitment of \(\tau \) to \(\sigma \), where \(\sigma \ne \sigma ^\star \).
2.2 Non-Malleable Commitment Schemes
Here we follow [30]Footnote 9. Let \(\mathsf {\Pi }=(\mathsf {Sen},\mathsf {Rec})\) be a statistically binding commitment scheme. Consider MiM adversaries that are participating in left and right sessions in which \({\mathsf {poly}}(\lambda )\) commitments take place. We compare a MiM execution with a simulated execution. In the MiM execution the adversary \({\mathcal {A}}\), with auxiliary information z, is simultaneously participating in \({\mathsf {poly}}(\lambda )\) left and right sessions. In the left sessions the MiM adversary \({\mathcal {A}}\) interacts with \(\mathsf {Sen}\) receiving commitments to values \(m_1,\dots ,m_{{\mathsf {poly}}(\lambda )}\) using identities \({{\mathtt {id}}}_1,\dots , {\mathtt {id}}_{{\mathsf {poly}}(\lambda )}\) of its choice. In the right sessions \({\mathcal {A}}\) interacts with \(\mathsf {Rec}\) attempting to commit to a sequence of related values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\), again using identities of its choice \(\tilde{{\mathtt {id}}}_1,\dots , \tilde{{\mathtt {id}}}_{{\mathsf {poly}}(\lambda )}\). If any of the right commitments is invalid, or undefined, its value is set to \(\perp \). For any i such that \(\tilde{{\mathtt {id}}}_i = {\mathtt {id}}_j\) for some j, set \(\tilde{m}_i=\perp \) (i.e., any commitment where the adversary uses the same identity as one of the honest senders is considered invalid). Let \({\mathsf {mim}}^{{\mathcal {A}},m_1,\dots ,m_{{\mathsf {poly}}(\lambda )}}_\mathsf {\Pi }(z)\) denote a random variable that describes the values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\) and the view of \({\mathcal {A}}\) in the above experiment. In the simulated execution, an efficient simulator S directly interacts with \(\mathsf {Rec}\).
Let \({\mathsf {sim}}^S_\mathsf {\Pi }(1^\lambda ,z)\) denote the random variable describing the values \(\tilde{m}_1,\dots ,\tilde{m}_{{\mathsf {poly}}(\lambda )}\) committed by S, and the output view of S; whenever the view contains in the i-th right session the same identity of any of the identities of the left session, then \(\tilde{m}_i\) is set to \(\perp \).
We denote by \(\tilde{\delta }\) a value associated with the right session (where the adversary \({\mathcal {A}}\) plays with a receiver \(\mathsf {MMRec}\)) where \(\delta \) is the corresponding value in the left session. For example, the sender commits to v in the left session while \({\mathcal {A}}\) commits to \(\tilde{v}\) in the right session.
Definition 3
(Concurrent NM Commitment Scheme [30]). A commitment scheme is concurrent NM with respect to commitment (or a many-many NM commitment scheme) if, for every ppt concurrent MiM adversary \({\mathcal {A}}\), there exists a ppt simulator S such that for all \(m_i\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\), \(i\in \{1,\dots , {\mathsf {poly}}(\lambda )\}\), the following ensembles are computationally indistinguishable:
As in [30] we also consider relaxed notions of concurrent non-malleability: one-many and one-one NM commitment schemes. In a one-many NM commitment scheme, \({\mathcal {A}}\) participates in one left and polynomially many right sessions. In a one-one (i.e., a stand-alone secure) NM commitment scheme, we consider only adversaries \({\mathcal {A}}\) that participate in one left and one right session. We will make use of the following proposition of [30].
Proposition 1
Let \((\mathsf {Sen}, \mathsf {Rec})\) be a one-many NM commitment scheme. Then, \((\mathsf {Sen},\mathsf {Rec})\) is also a concurrent (i.e., many-many) NM commitment scheme.
We also consider the definition of a NM commitment scheme secure against a MiM \({\mathcal {A}}\) running in time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we will say that the commitment scheme is T-non-malleable.
When the identity is selected by the sender then the above id-based definitions guarantee non-malleability without ids as long as the MiM does not behave like a proxy (an unavoidable attack). Indeed the sender can pick as \({\mathtt {id}}\) the public key of a strong signature scheme signing the transcript. The MiM will have to use a different \({\mathtt {id}}\) or to break the signature scheme.
2.3 3-Round One-One NM Commitment Scheme
As main tool we need a 3-round one-one NM commitment scheme (NMCS) that enjoys the extractability property. In the rest of the paper we will refer to such a commitment scheme as \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}},{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\).
In [22] the authors provide the first 3-round one-one NM commitment scheme. Their scheme is also extractableFootnote 10 and public coin.
By \(\varPi _{{\mathsf {NM}}}=((\mathrm {Sen^1_{{\mathsf {NM}}}},\mathrm {Sen^2_{{\mathsf {NM}}}}), {\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) we denote a 3-round one-one NM commitment scheme such that:
- the algorithm \(\mathrm {Sen^1_{{\mathsf {NM}}}}\) takes as input \(( \mathtt {id},m; \rho )\), where \(\mathtt {id} \in \{0,1\}^\lambda \) is the identity, m is the message to be committed and \(\rho \leftarrow \{0,1\}^\lambda \) is the randomness, and outputs \(\mathsf {a}\), the first round of the commitment scheme to be sent to the receiver;
- the algorithm \(\mathrm {Sen^2_{{\mathsf {NM}}}}\) takes as input \((\mathtt {id},\mathsf {c}, m;\rho )\), where \(\mathsf {c}\) is the second round received from \(\mathsf {Rec}\), m is the message to be committed, \(\mathtt {id}\) is the same identity received as input by \(\mathrm {Sen^1_{{\mathsf {NM}}}}\), \(\rho \) is the randomness, and outputs \((\mathsf {z},\mathtt {dec})\) where \(\mathsf {z}\) is the last round of the commitment and \(\mathtt {dec}\) is the decommitment value.
The reveal phase consists in sending \(\mathtt {dec}\) and m to the receiver. The receiver \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\), on input the randomness it used during the commitment phase, the transcript \(\mathtt {com}=(\mathsf {a},\mathsf {c},\mathsf {z},\mathtt {id})\), m and \(\mathtt {dec}\), outputs 1 if \(\mathtt {dec}\) is valid w.r.t. \(\mathtt {com}\) and m and outputs 0 otherwise.
2.4 The LS Proof of Knowledge and NMWI Argument Systems
In this paper we use the 3-round public-coin WI adaptive proof of knowledge proposed by Lapidot and Shamir [27], that we denote by LS. LS is delayed-input since the inputs for the prover and the verifier are needed only to play the last round, while only the size of the common input is needed earlier. For this reason we will refer to a prover \({\mathcal {P}}\) as a pair \((\mathsf {P^1},\mathsf {P^2})\). More formally, LS for a relation \({\mathsf {Rel}}\) is a pair \(\varPi =({\mathcal {P}}=(\mathsf {P^1},\mathsf {P^2}),{\mathcal {V}})\), with security parameter \(\lambda \), where \({\mathcal {P}}\) executes the algorithms \(\mathsf {P^1}\) and \(\mathsf {P^2}\) defined as follows. The algorithm \(\mathsf {P^1}\), takes as input \( (\ell ;\alpha )\), \(\ell \) is the instance length and \(\alpha \leftarrow \{0,1\}^\lambda \) is the randomness, and outputs the 1st round of the LS protocol. The algorithm \(\mathsf {P^2}\) takes as input \((x,w,c;\alpha )\), where x, w are such that \((x,w) \in {\mathsf {Rel}}\), c is the challenge sent by \({\mathcal {V}}\) and \(\alpha \) is the randomnessFootnote 11 and outputs the 3rd round of the LS protocol.
In this paper we also consider a definition where the WI property of LS still holds against a distinguisher with running time bounded by \(T=2^{\lambda ^\alpha }\) for some positive constant \(\alpha <1\). In this case we say that the instantiation of LS is T-witness indistinguishable (T-WI).
Witness Indistinguishability and MiM Attacks. The definition of non-malleable witness indistinguishability (NMWI) given in [34] requires that the witness encoded in the proof given by the MiM \({\mathcal {A}}\) be independent of the witness used by the honest prover in his proof. For details see [10].
3 3-Round Concurrent Non-Malleable Commitments
In this section we show our transform that takes as input a 3-round extractable one-one NM commitment scheme \(\varPi _{{\mathsf {NM}}}\), a OWP f, a non-interactive perfectly binding commitment scheme \({\mathsf {NI}}\), the 3-round delayed-input adaptive WI/PoK \({\mathsf {LS}}\) and outputs a 3-round fully concurrent (i.e., many-many) NM commitment scheme \(\mathsf {\Pi _{MMCom}}=(\mathsf {MMSen},\mathsf {MMRec})\).
Let m be the message that \(\mathsf {MMSen}\) wants to commit to. The high-level idea of our transform is depicted in Fig. 1. The sender \(\mathsf {MMSen}\), on input the session-id \({\mathtt {id}}\) and the message m, computes the 1st round of the protocol by running the 1st round of \({\mathsf {LS}}\) and the 1st round of \({{\mathsf {NM}}}\), the latter committing to a random message \({s_0}\) under session-id \({\mathtt {id}}\). In the 2nd round the receiver \(\mathsf {MMRec}\) sends the challenges of \({{\mathsf {NM}}}\) and \({\mathsf {LS}}\), together with a random value Y in the range of the OWP f Footnote 12. In the last round \(\mathsf {MMSen}\) commits to the message m using \({\mathsf {NI}}\), obtaining \(\mathtt {com}\), then computes the last round of \({{\mathsf {NM}}}\), completes the transcript of \({\mathsf {LS}}\), and finally sends a random string \({s_1}\). The protocol \({\mathsf {LS}}\) is used by \(\mathsf {MMSen}\) to prove to \(\mathsf {MMRec}\) that either she knows the message m and the randomness used to compute \(\mathtt {com}\), or she knows values (\(s_0,\mathtt {dec})\) such that \(f({s_0}\oplus {s_1})=Y\) and \(\mathtt {dec}\) is a valid decommitment to \(s_0\) w.r.t. the commitment computed using \(\varPi _{{\mathsf {NM}}}\). Since \(\mathsf {MMSen}\) needs m only when computing the 3rd round, our construction enjoys delayed-input correctness.
Our transform needs the following tools:
1. a OWP f that is secure against ppt adversaries and \(\tilde{{T_f}}\)-breakable;
2. a non-interactive perfectly binding commitment scheme \({\mathsf {NI}}=(\mathsf {NISen},\mathsf {NIRec})\) that is \(T_{{\mathsf {NI}}}\)-hiding and \(\tilde{T}_{{\mathsf {NI}}}\)-breakable;
3. a 3-round extractable one-one NM commitment scheme \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}}=(\mathrm {Sen^1_{{\mathsf {NM}}}}, \mathrm {Sen^2_{{\mathsf {NM}}}}), {\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) that is \(T_{{{\mathsf {NM}}}}\)-hiding/non-malleable, and \(\tilde{T}_{{{\mathsf {NM}}}}\)-breakable;
4. the LS proof system \({\mathsf {LS}}=({\mathcal {P}}=(\mathsf {P^1},\mathsf {P^2}),{\mathcal {V}})\) for the language
$$\begin{aligned}{\begin{matrix} L=\big \{\big ((a, c, z), Y,{s_1},\mathtt {com}, \mathtt {id}\big ): \exists \ (m,\sigma )\ \text {s.t.}\ \mathtt {com}=\mathsf {NISen}(m;\sigma )\ \mathtt {OR} \big (\exists (\rho ,{s_0})\\ \text {s.t.}\ a=\mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0};\rho )\ \mathtt {AND}\ z=\mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},c,{s_0};\rho )\ \mathtt {AND}\ Y=f(s_0\oplus s_1) \big ) \big \} \end{matrix}}\end{aligned}$$
that is \({T_{{\mathsf {LS}}}}\)-WI for the corresponding relation \({\mathsf {Rel}}_\mathsf {L}\).
Let \(\lambda \) be the security parameter of our scheme. We will use wlog \(\lambda \) also as security parameter for the hardness to invert f with respect to polynomial time adversaries. Then we consider the following hierarchy of security levels for the above tools: \( {T_f}<< T_{{\mathsf {NI}}}<< \sqrt{T_{{{\mathsf {NM}}}}}<< T_{{{\mathsf {NM}}}}<< \sqrt{{T_{{\mathsf {LS}}}}}<<{T_{{\mathsf {LS}}}}\) where by \(``T<<T'"\) we mean that \(``T\cdot {\mathsf {poly}}(\lambda ) < T'"\). We also require that: (1) \({\mathsf {NI}}\) is \(T_{{\mathsf {NI}}}\)-hiding, but is also \(\tilde{T}_{\mathsf {NI}}=\sqrt{T_{{{\mathsf {NM}}}}}\)-breakable; (2) \(\varPi _{{\mathsf {NM}}}\) is \(T_{{{\mathsf {NM}}}}\) hiding/non-malleable, but the hiding is also \(\tilde{T}_{{\mathsf {NM}}}=\sqrt{{T_{{\mathsf {LS}}}}}\)-breakable. Now we need to define different security parameters, one for each tool involved in the security proof to be consistent with the hierarchy of security levels defined above (a similar use of security parameters has been proposed in [46]). Given the security parameter \(\lambda \) of our scheme, we will make use of the following security parameters (all polynomially related to \(\lambda \) and such that the above hierarchy of security levels holds): \(\lambda \) for f, \(\lambda _{\mathsf {NI}}\) for \({\mathsf {NI}}\), \(\lambda _{{\mathsf {NM}}}\) for \(\varPi _{{\mathsf {NM}}}\), \(\lambda _{\mathsf {LS}}\) for \({\mathsf {LS}}\).
We denote by \(\mathsf {Params}\) the function that on input \(\lambda \) outputs \((\lambda _{\mathsf {NI}}, \lambda _{{\mathsf {NM}}},\lambda _{\mathsf {LS}},\ell )\) where \(\ell \) is the size of the theorem to be proved using \({\mathsf {LS}}\) Footnote 13. Our concurrent NM commitment scheme \(\mathsf {\Pi _{MMCom}}=(\mathsf {MMSen},\mathsf {MMRec})\) is fully described in Fig. 2.
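As an added illustration (not the paper's own \(\mathsf {Params}\), whose definition is in Fig. 2), the hierarchy \( {T_f}<< T_{{\mathsf {NI}}}<< \sqrt{T_{{{\mathsf {NM}}}}}<< T_{{{\mathsf {NM}}}}<< \sqrt{{T_{{\mathsf {LS}}}}}<<{T_{{\mathsf {LS}}}}\) and the two breakability requirements can be worked out numerically once one fixes how security scales with each parameter. The code below assumes that a tool run with parameter \(\lambda _X\) is \(2^{\lambda _X^{\epsilon }}\)-secure and \(2^{\lambda _X}\)-breakable (brute force over its \(\lambda _X\) random bits), that inverting f costs \(2^{\lambda }\), that the \({\mathsf {poly}}(\lambda )\) slack in \(T<<T'\) is \(\lambda ^c\), and it picks \(\epsilon =1/2\), \(c=2\); all of these are assumptions of the example, and the chooser `params` is a hypothetical one, not the paper's.

```python
"""Added example (not from the paper): checking the complexity-leveraging hierarchy of
Sect. 3 on concrete parameters. Assumptions: a tool with parameter lam_X withstands
2^{lam_X^EPS} time and is broken by brute force in 2^{lam_X}; T_f = 2^lam (inverting a
lam-bit permutation); the poly(lam) slack in "T << T'" is lam^C. Everything is computed
on log2 of running times."""
import math

EPS = 0.5  # assumed subexponential hardness exponent
C = 2      # assumed slack poly(lam) = lam^C


def sec(lam_x: float) -> float:
    """log2 of the security level 2^{lam_x^EPS} of a tool run with parameter lam_x."""
    return lam_x ** EPS


def violations(lam: int, lam_ni: int, lam_nm: int, lam_ls: int) -> list:
    """Return the names of the Sect. 3 constraints violated by (lam, lam_NI, lam_NM, lam_LS).
    An empty list means the hierarchy and both breakability requirements hold."""
    slack = C * math.log2(lam)  # log2 of poly(lam)
    constraints = {
        "T_f << T_NI":                 lam + slack < sec(lam_ni),
        "T_NI << sqrt(T_NM)":          sec(lam_ni) + slack < sec(lam_nm) / 2,
        "sqrt(T_NM) << T_NM":          sec(lam_nm) / 2 + slack < sec(lam_nm),
        "T_NM << sqrt(T_LS)":          sec(lam_nm) + slack < sec(lam_ls) / 2,
        "sqrt(T_LS) << T_LS":          sec(lam_ls) / 2 + slack < sec(lam_ls),
        # brute force over lam_NI bits must fit in sqrt(T_NM); over lam_NM bits in sqrt(T_LS)
        "NI is sqrt(T_NM)-breakable":  lam_ni <= sec(lam_nm) / 2,
        "NM is sqrt(T_LS)-breakable":  lam_nm <= sec(lam_ls) / 2,
    }
    return [name for name, holds in constraints.items() if not holds]


def params(lam: int) -> tuple:
    """Hypothetical parameter chooser (not the paper's Params): each level is sized so that
    its security exponent equals twice the previous level's parameter, i.e. so that the
    previous tool is exactly brute-forceable inside the square root of the next one."""
    lam_ni = math.ceil((2 * lam) ** (1 / EPS))
    lam_nm = math.ceil((2 * lam_ni) ** (1 / EPS))
    lam_ls = math.ceil((2 * lam_nm) ** (1 / EPS))
    return lam_ni, lam_nm, lam_ls


if __name__ == "__main__":
    lam = 128
    lam_ni, lam_nm, lam_ls = params(lam)
    print(f"lam={lam}: lam_NI={lam_ni}, lam_NM={lam_nm}, lam_LS={lam_ls}")
    print("violations:", violations(lam, lam_ni, lam_nm, lam_ls))
    print("naive choice, all 128:", violations(lam, lam, lam, lam))
```

With \(\epsilon =1/2\) and \(\lambda =128\) the chooser returns \(\lambda _{\mathsf {NI}}=2^{16}\), \(\lambda _{{\mathsf {NM}}}=2^{34}\) and \(\lambda _{\mathsf {LS}}=2^{70}\): the parameters are polynomially related to \(\lambda \) as the hierarchy demands, but the blow-up is exactly the practicality gap named among the open questions in Sect. 1.2. Using the same parameter for every tool violates the very first constraint, since the simulator's inverter for f would then run long enough to break \({\mathsf {NI}}\).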
Theorem 1
Suppose there exist OWPs secure against subexponential-time adversaries, then \(\mathsf {\Pi _{MMCom}}\) is a perfectly binding delayed-input commitment scheme.
Proof
The delayed-input correctness of \(\mathsf {\Pi _{MMCom}}\) follows by inspection from the delayed-input completeness of \({\mathsf {LS}}\), and the correctness of \(\varPi _{{\mathsf {NM}}}\) and \({\mathsf {NI}}\).
Observe that the message output in the decommitment phase of \(\mathsf {\Pi _{MMCom}}\) is the message committed using \({\mathsf {NI}}\). Moreover the decommitment phase of \(\mathsf {\Pi _{MMCom}}\) coincides with the decommitments of \({\mathsf {NI}}\) and \(\varPi _{{\mathsf {NM}}}\). Since \({\mathsf {NI}}\) and \(\varPi _{{\mathsf {NM}}}\) are perfectly binding, \(\mathsf {\Pi _{MMCom}}\) is perfectly binding too.
The hiding property follows from the non-malleability property proved in Theorem 2. Indeed the proof of Theorem 2 does not rely on the hiding of \(\mathsf {\Pi _{MMCom}}\).
Theorem 2
Suppose there exist OWPs secure against subexponential-time adversaries, then \(\mathsf {\Pi _{MMCom}}\) is concurrent (i.e., many-many) non-malleable.
Proof
Since we can use Proposition 1, we only need to prove that our commitment enjoys one-many non-malleability. More formally, with respect to a one-many adversary \({\mathcal {A}}\), we need to show that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that: \(\{{\mathsf {mim}}_\mathsf {\Pi _{MMCom}}^{{\mathcal {A}},m}(z)\}_{z\in \{0,1\}^\star } {\; \approx \;} \{{\mathsf {sim}}^S_\mathsf {\Pi _{MMCom}}(1^\lambda ,z)\}_{z\in \{0,1\}^\star }\) where S is the simulator depicted in Fig. 3. This means that the real execution, in which the sender runs \(\mathsf {MMSen}\) to commit to a message m, must be indistinguishable from an execution in which a simulator \(S\) internally runs the MiM adversary \({\mathcal {A}}\), sending it a commitment of \(0^\lambda \), and then forwards the messages that \({\mathcal {A}}\) sends in the right sessions to the receivers \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
In the security proof we denote by \(\tilde{\delta }_i\) a value associated with the i-th right session (where the adversary \({\mathcal {A}}\) plays with a receiver \(\mathsf {MMRec}_i\) with \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\)) where \(\delta \) is the corresponding value in the left session. For example, the sender commits to v in the left session while \({\mathcal {A}}\) commits to \(\tilde{v}_i\) in the i-th right session.
To prove the indistinguishability of the above two experiments we show 3 hybrid experimentsFootnote 14 \({\mathcal {H}}^m_i(z)\) with \(i=1,2,3\), where m is the message committed in the left session. Following [28] we denote by \(\{{\mathsf {mim}}_{{\mathcal {H}}^m_i}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star }\) the random variable describing the view of the MiM \({\mathcal {A}}\) combined with the value it commits in the right interaction in hybrid \({\mathcal {H}}^m_i(z)\) (as usual, the committed value is replaced by \(\perp \) if the right interaction does not correspond to a commitment that can be successfully opened or if \({\mathcal {A}}\) has copied the identity of the left interaction).
The 1st hybrid is the experiment \({\mathcal {H}}^m_1(z)\) in which in the left session \(\mathsf {MMSen}\) commits to m, while we run \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) for the right sessions played by \({\mathcal {A}}\).
\(\varvec{{\mathcal {H}}^m_1(z).}\)
Left session:
1. First round.
1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
2. Third round, upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\).
2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
2.2. Pick \({s_1}\leftarrow \{0,1\}^{\lambda }\).
2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
2.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
2.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
Right sessions: act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
We have that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\), \(\{{\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\}_{z\in \{0,1\}^\star }\) corresponds to \(\{{\mathsf {mim}}_\mathsf {\Pi _{MMCom}}^{{\mathcal {A}},m}(z)\}_{z\in \{0,1\}^\star }\). We now prove that, for all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) does not manage to invert any value \(\tilde{Y}_i\) in the right sessions, i.e., to send a value \(\tilde{s_1}_i\) such that \(f(\tilde{s_0}_i\oplus \tilde{s_1}_i)=\tilde{Y}_i\), where \(\tilde{s_0}_i\) is the message committed in the i-th right session through \({{\mathsf {NM}}}\).
Lemma 1
Let \(p_i\) be the probability that in the i-th right session, for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
Proof
Suppose by contradiction that for a right session i the claim does not hold. We can construct an adversary \({\mathcal {A}}_f\) that inverts the OWP f in polynomial time. We consider a challenger \({\mathcal {C}}_f\) of f that chooses a random Y in the range of f and sends it to \({\mathcal {A}}_f\). \({\mathcal {A}}_f\) wins if it gives as output y such that \(Y=f(y)\). Before describing the adversary we need to consider the augmented machine \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) that will be used by \({\mathcal {A}}_f\). \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) internally executes \({\mathcal {A}}\), and interacts with an external receiver \(\mathsf {Rec}_\mathsf {ext}\) of the protocol \(\varPi _{{\mathsf {NM}}}\) acting as the sender.
\(\varvec{{\mathcal {S}}_{\mathsf {n\rightarrow 1}}}(Y, \varphi , z)\)
1. Act in the left session with \({\mathcal {A}}\) (that runs using randomness \(\varphi \)) as in \({\mathcal {H}}^m_1(z)\).
2. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}^m_1(z)\). Instead run \(\mathsf {MMRec}_i\) as described in steps 3, 4 and 5.
3. Upon receiving the 1st round of the i-th right session \((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {a}}_{{\mathsf {LS}}_i})\) from \({\mathcal {A}}\), send \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).
4. Upon receiving \(\mathsf {\tilde{c}_{{\mathsf {NM}}_i}}\) from \(\mathsf {Rec}_\mathsf {ext}\), run as follows:
4.1. Run \({\mathcal {V}}\) to obtain \(\mathsf {\tilde{c}_{LS_i}}\).
4.2. Set \(\tilde{Y}_i=Y\).
4.3. Send \((\mathsf {\tilde{c}_{{{\mathsf {NM}}}_i}},\mathsf {\tilde{c}_{{\mathsf {LS}}_i}},\tilde{Y}_i)\) to \({\mathcal {A}}\).
5. Upon receiving the 3rd round of the i-th right session \((\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i},\tilde{\mathtt {com}}_i,\tilde{\mathsf {z}}_{{\mathsf {LS}}_i},\tilde{s_1}_i)\), set \(\tilde{x}=\big ( (\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}), \tilde{Y}_i, \tilde{s}_{1_{i}}, \tilde{\mathsf {com}}_i, \tilde{{\mathtt {id}}}\big )\) and abort iff \((\tilde{\mathsf {a}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {z}}_{{\mathsf {LS}}_i})\) is not accepting for \({\mathcal {V}}\) with respect to \(\tilde{x}\).
6. Send \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).
Notice that the above execution of \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) is distributed identically to \({\mathcal {H}}^m_1(z)\) when \(\mathsf {Rec}_\mathsf {ext}\) plays as an honest receiver. Now we can conclude the proof of this lemma by describing how \({\mathcal {A}}_f\) works. \({\mathcal {A}}_f\) runs the extractor of \(\varPi _{{\mathsf {NM}}}\) using \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) as sender (recall that an extractor of \(\varPi _{{\mathsf {NM}}}\) plays only having access to a sender of \(\varPi _{{\mathsf {NM}}}\)). We have that the extractor with non-negligible probability outputs the committed message of an execution that inverts f. By using the randomness \(\varphi \), \({\mathcal {A}}_f\) can reconstruct the view of \({\mathcal {A}}\) and retrieve the value \(\tilde{s_1}_i\). Therefore \({\mathcal {A}}_f\), running in polynomial timeFootnote 15, outputs with non-negligible probability the value \(y=\tilde{s_0}_i\oplus \tilde{s_1}_i\) such that \(f(y)=Y\).
We now consider the 2nd hybrid experiment \({\mathcal {H}}^m_2(z)\) where in the left session, after receiving Y from \({\mathcal {A}}\), the sender in time \(T_f\) finds a value y such that \(Y=f(y)\). Then the sender sets and sends \({s_1}=y\oplus {s_0}\), where \({s_0}\) is the value committed using \(\varPi _{{\mathsf {NM}}}\). The only difference between this hybrid experiment and \({\mathcal {H}}^m_1(z)\) is that \({\mathcal {H}}^m_2(z)\) runs in time sub-exponential in \(\lambda \), and the value \({s_1}\) is equal to \(y\oplus {s_0}\) where \(Y=f(y)\).
\(\varvec{{\mathcal {H}}^m_2(z).}\)
Left session:
1. First round.
1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\).
2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
2.2. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
2.3. Set \({s_1}={s_0}\oplus y\).
2.4. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
2.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
2.6. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \(\mathsf {MMRec}\).
Right sessions: Act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
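The switch from \({\mathcal {H}}^m_1(z)\) to \({\mathcal {H}}^m_2(z)\) is easiest to see on a concrete model of the "puzzle" the left sender answers: it commits to \(s_0\), receives a challenge Y, and replies with \(s_1\); the LS statement x is then provable either from the opening of the \({\mathsf {NI}}\) commitment or from the opening of the \(\varPi _{{\mathsf {NM}}}\) commitment together with \(f(s_0\oplus s_1)=Y\). The following Python example is added here and is not code from the paper: f is a seeded random permutation on a 16-bit domain (so "running in time \(T_f\)" is a brute-force search), both \({\mathsf {NI}}\) and \(\varPi _{{\mathsf {NM}}}\) are replaced by a plain hash commitment with none of their non-malleability or extractability, and the names `ls_relation`, `left_sender` and `puzzle_solved` are the example's own. It shows that the honest sender of \({\mathcal {H}}^m_1\) only has the message witness, while the leveraged sender of \({\mathcal {H}}^m_2\) produces the same kind of statement x with both witnesses valid, which is what the later witness switch in \({\mathcal {H}}^m_3\) relies on.

```python
# Added example (not from the paper): toy model of the s_0 / s_1 puzzle trapdoor
# that the hybrids H_1 -> H_2 -> H_3 switch on. Every primitive is a stand-in.
import hashlib
import random
from typing import Callable, Tuple

DOMAIN_BITS = 16                 # toy domain (assumption); a real OWP has lambda-bit inputs
DOMAIN = 1 << DOMAIN_BITS
SHARE_BYTES = DOMAIN_BITS // 8   # encoding width of a share s_0 / s_1


def make_toy_owp(seed: int) -> Tuple[Callable[[int], int], Callable[[int], int]]:
    """Seeded random permutation standing in for the OWP f, plus a brute-force
    inverter modelling a machine that spends time T_f (complexity leveraging).
    At this domain size f is of course not one-way; that is the point of the toy."""
    table = list(range(DOMAIN))
    random.Random(seed).shuffle(table)

    def f(x: int) -> int:
        return table[x]

    def invert_in_time_T_f(Y: int) -> int:
        for y in range(DOMAIN):          # exhaustive search over the whole domain
            if table[y] == Y:
                return y
        raise ValueError("Y is not in the range of f")

    return f, invert_in_time_T_f


F, INVERT_F = make_toy_owp(seed=2017)    # seed value is arbitrary


def commit(msg: bytes, rnd: bytes) -> bytes:
    """Hash commitment standing in for both NISen and Sen_NM: binding by collision
    resistance, hiding by the randomness, but without non-malleability."""
    return hashlib.sha256(b"commit|" + msg + b"|" + rnd).digest()


def opens_to(com: bytes, msg: bytes, rnd: bytes) -> bool:
    return commit(msg, rnd) == com


def ls_relation(x: tuple, w: tuple) -> bool:
    """The OR-statement proved with LS. x = (com_NM, Y, s_1, com_NI, id) and
    w = (m, sigma, s_0, rho), with unused slots set to None (the paper's bottom)."""
    com_nm, Y, s1, com_ni, _id = x
    m, sigma, s0, rho = w
    if m is not None and sigma is not None:        # w = (m, sigma, bot, bot)
        return opens_to(com_ni, m, sigma)
    if s0 is not None and rho is not None:         # w = (bot, bot, s_0, rho)
        return opens_to(com_nm, s0.to_bytes(SHARE_BYTES, "big"), rho) and F(s0 ^ s1) == Y
    return False


def puzzle_solved(s0: int, s1: int, Y: int) -> bool:
    """The check the reductions apply to a right session: do the two shares
    xor to a preimage of the challenge Y?"""
    return F(s0 ^ s1) == Y


def left_sender(m: bytes, Y: int, leveraged: bool, rng: random.Random):
    """One left session as in H_1 (leveraged=False: s_1 uniform) or as in H_2
    (leveraged=True: s_1 = s_0 xor f^{-1}(Y)). Returns the LS statement x and both
    candidate witnesses so the caller can see which ones ls_relation accepts."""
    s0 = rng.getrandbits(DOMAIN_BITS)                        # first round
    rho = rng.getrandbits(128).to_bytes(16, "big")
    com_nm = commit(s0.to_bytes(SHARE_BYTES, "big"), rho)
    # second round: the adversary sends Y (c_NM and c_LS are omitted in this toy)
    sigma = rng.getrandbits(128).to_bytes(16, "big")         # third round
    com_ni = commit(m, sigma)
    s1 = (s0 ^ INVERT_F(Y)) if leveraged else rng.getrandbits(DOMAIN_BITS)
    x = (com_nm, Y, s1, com_ni, b"id-left")
    w_message = (m, sigma, None, None)
    w_trapdoor = (None, None, s0, rho)
    return x, w_message, w_trapdoor


if __name__ == "__main__":
    Y = F(0x1234)                                            # constructed challenge
    for leveraged in (False, True):
        x, wm, wt = left_sender(b"hello", Y, leveraged, random.Random(1))
        print("leveraged" if leveraged else "honest   ",
              "message witness:", ls_relation(x, wm),
              "trapdoor witness:", ls_relation(x, wt))
```

Run as a script it prints one line per hybrid; the honest sender's trapdoor witness is accepted only when its random \(s_1\) happens to satisfy \(f(s_0\oplus s_1)=Y\), which for a real \(\lambda\)-bit f is the negligible event Lemmas 1 and 3 rule out, whereas the leveraged sender always has both witnesses.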
When switching from \({\mathcal {H}}_1^m(z)\) to \({\mathcal {H}}_2^m(z)\) we will make sure that the following two properties hold.
1. For all messages \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\).Footnote 16
2. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_2\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
We now prove that the above two properties hold.
Lemma 2
For all messages \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\).
Proof
Suppose by contradiction that the distribution of \({\mathsf {mim}}_{{\mathcal {H}}^m_1}^{\mathcal {A}}(z)\) is distinguishable from \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\); this means that there exists a distinguisher \({\mathcal {D}}\) that can tell apart these two distributions. We now use \({\mathcal {D}}\) and \({\mathcal {A}}\) to construct an adversary \({\mathcal {A}}_\mathsf {Hiding}\) that breaks the hiding of \(\varPi _{{\mathsf {NM}}}\) in time \({\mathsf {poly}}(\lambda )\cdot T_{\mathsf {NI}}\), therefore reaching a contradictionFootnote 17. Let \({\mathcal {C}}_\mathsf {Hiding}\) be the challenger of the hiding game; we consider two randomly chosen challenge messages \((m_0,m_1)\) sent to \({\mathcal {C}}_\mathsf {Hiding}\). We now provide a formal description of the adversary \({\mathcal {A}}_\mathsf {Hiding}\).
\(\varvec{{\mathcal {A}}}_\mathsf {Hiding}(m_0,m_1, z)\)
1. Upon receiving the 1st round \(\mathsf {a}_{{\mathsf {NM}}}\) from \({\mathcal {C}}_\mathsf {Hiding}\), run as follows:
1.1. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
1.2. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
2. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), send \(\mathsf {c}_{{\mathsf {NM}}}\) to \({\mathcal {C}}_\mathsf {Hiding}\).
3. Upon receiving the 3rd round \(\mathsf {z}_{{\mathsf {NM}}}\) from \({\mathcal {C}}_\mathsf {Hiding}\), run as follows:
3.1. Compute y such that \(Y=f(y)\), set \({s_1}=m_0\oplus y\).
3.2. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
3.3. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\) and \(w=(m,\sigma ,\perp ,\perp )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
3.4. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
4. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\) when \({\mathcal {A}}\) plays as a sender.
5. Let M be an empty tuple. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), consider \(\tilde{\mathtt {com}}_i\), the non-interactive commitment received by \(\mathsf {MMRec}_i\), run in time \(T_{\mathsf {NI}}\) to compute \(\tilde{m}_i\) such that \(\exists \ \tilde{\mathtt {dec}}: 1=\mathsf {NIRec}(\tilde{\mathtt {com}}_i,\tilde{\mathtt {dec}}, \tilde{m}_i)\) and add \(\tilde{m}_i\) to M.
6. Give M and the view of \({\mathcal {A}}\) to the distinguisher \({\mathcal {D}}\) and output what \({\mathcal {D}}\) outputs.
The proof ends with the observation that if \({\mathcal {C}}_\mathsf {Hiding}\) has committed to \(m_0\) then the xor of the committed value with \(s_1\) is equal to y such that \(f(y)=Y\), like in \({\mathcal {H}}_2^m(z)\). If instead \({\mathcal {C}}_\mathsf {Hiding}\) has committed to \(m_1\) then the xor of the committed value and \(s_1\) is equal to a random value, like in \({\mathcal {H}}_1^m(z)\).
Lemma 3
Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_2\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
Proof
Suppose by contradiction that for a right session i the claim does not hold. We can construct a distinguisher \({\mathcal {D}}_{{\mathsf {NM}}}\) and an adversary \({\mathcal {A}}_{{\mathsf {NM}}}\) that break the non-malleability of \(\varPi _{{\mathsf {NM}}}\). Let \({\mathcal {C}}_{{\mathsf {NM}}}\) be the challenger of the NM commitment and let \((m_0,m_1)\) be two randomly chosen challenge messages given to \({\mathcal {C}}_{{\mathsf {NM}}}\).
\(\varvec{{\mathcal {A}}}_{{{\mathsf {NM}}}}\) \((m_0,m_1, z)\)
Left session:
1. Act as \({\mathcal {A}}_\mathsf {Hiding}\) acts in the left session.
Right sessions:
1. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}^m_2(z)\). Instead run \(\mathsf {MMRec}_i\) as described in steps 1.1, 1.2 and 1.3.
1.1. Forward \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\).
1.2. Upon receiving \(\tilde{\mathsf {c}}_{{{\mathsf {NM}}}}\) from \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\), pick a random \(\tilde{\mathsf {c}}_{{\mathsf {LS}}_i}\), pick a random \(\tilde{Y}_i\) and send \((\tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{Y}_i)\) to \({\mathcal {A}}\).
1.3. Upon receiving \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) from \({\mathcal {A}}\), send it to \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\).
Let \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\) be the view of \({\mathcal {A}}_{{\mathsf {NM}}}\) together with the tuple of committed messages in the right sessions. The distinguisher \({\mathcal {D}}_{{\mathsf {NM}}}\) takes as input \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\) and acts as follows.
\(\varvec{{\mathcal {D}}_{{\mathsf {NM}}}({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z))\!:}\) Let \(\tilde{s_0}_i\) be the committed message sent in the i-th right session by \({\mathcal {A}}_{{\mathsf {NM}}}\) to \(\mathsf {MMRec}\). Reconstruct the output messages of \({\mathcal {A}}\) (using the same randomness of \({\mathsf {mim}}^{{\mathcal {A}}_{{\mathsf {NM}}}}(z)\)) to pick \(\tilde{{s_1}}_i\). If \(f(\tilde{s_1}_i \oplus \tilde{s_0}_i)=\tilde{Y}_i\) output 1, and output 0 otherwise. The proof ends with the observation that if \({\mathcal {C}}_{{\mathsf {NM}}}\) has committed to \(m_0\) then the xor of the committed value with \({s_1}\) is equal to y such that \(f(y)=Y\), as in \({\mathcal {H}}_2^m\). If instead \({\mathcal {C}}_{{\mathsf {NM}}}\) has committed to \(m_1\) then the xor of the committed value with \({s_1}\) is equal to a random string, as in \({\mathcal {H}}_1^m\).
The 3rd hybrid experiment that we consider is equal to \({\mathcal {H}}^m_2(z)\) with the difference that the LS proof system is executed using \(s_0\) and the randomness of the non-malleable commitment of \({s_0}\). Recall that \(f({s_0}\oplus {s_1})=Y\). We observe that in the left session of \({\mathcal {H}}^m_2(z)\) it already holds that \(f(s_0\oplus s_1)=Y\), therefore we can switch the witness used in \({\mathsf {LS}}\) and complete the execution of the proof system.
\(\varvec{{\mathcal {H}}^m_3(z).}\)
Left session:
1. First round.
1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\).
2.1. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(m;\sigma )\).
2.2. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
2.3. Set \({s_1}={s_0} \oplus y\).
2.4. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
2.5. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
2.6. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, \mathtt {id}\big )\) and \(w=(\perp ,\perp ,s_0,\rho )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
2.7. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
Right sessions: Act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
Also in this case we need to prove the following two properties.
1. For all messages \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\).
2. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3\), for any \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
Lemma 4
For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_2}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\).
Proof
Suppose by contradiction that there exist an adversary \({\mathcal {A}}\) and a distinguisher \({\mathcal {D}}\) that can tell apart these two distributions. We can use this adversary and the associated distinguisher to construct an adversary \({\mathcal {A}}_{\mathsf {LS}}\) against the \(T_{\mathsf {LS}}\)-witness-indistinguishability of the \({\mathsf {LS}}\) protocol. Let \({\mathcal {C}}_{\mathsf {LS}}\) be the WI challenger; the adversary works as follows.
\(\varvec{{\mathcal {A}}}_{\mathsf {LS}}(z)\)
1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
3. Upon receiving \(\mathsf {a_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
4. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\) run as follows:
4.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
4.2. Set \({s_1}={s_0} \oplus y\).
4.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
4.4. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
4.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\), \(w_0=(\perp ,\perp , s_0,\rho ), w_1=(m,\sigma ,\perp ,\perp )\) and send \((x,\mathsf {c}_{\mathsf {LS}},w_0,w_1)\) to \({\mathcal {C}}_{\mathsf {LS}}\).
5. Upon receiving \(\mathsf {z_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}})\) to \({\mathcal {A}}\).
6. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\), when \({\mathcal {A}}\) plays as a sender.
7. Let M be an empty tuple. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), consider \(\tilde{\mathtt {com}}_i\), the non-interactive commitment received by \(\mathsf {MMRec}_i\), and run in time \(\tilde{T}_{\mathsf {NI}}\) to compute \(\tilde{m}_i\) such that \(\exists \ \tilde{\mathtt {dec}}: 1=\mathsf {NIRec}(\tilde{\mathtt {com}}_i,\tilde{\mathtt {dec}}, \tilde{m}_i)\) and add \(\tilde{m}_i\) to M.
8. Give M and the view of \({\mathcal {A}}\) to the distinguisher \({\mathcal {D}}\).
9. Output what \({\mathcal {D}}\) outputs.
The proof ends with the observation that if \({\mathcal {C}}_{\mathsf {LS}}\) has used as witness the randomness of the non-malleable commitment of the value \({s_0}\) such that \(f({s_0}\oplus {s_1})=Y\), then we are in the hybrid experiment \({\mathcal {H}}_3^m(z)\). If instead \({\mathcal {C}}_{\mathsf {LS}}\) has used as witness the randomness used to compute the non-interactive commitment \({\mathsf {NI}}\), then we are in the hybrid experiment \({\mathcal {H}}_2^m(z)\).
Lemma 5
Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^m\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
Proof
Suppose by contradiction that for a right session i the claim does not hold; then we can construct an adversary \({\mathcal {A}}_{\mathsf {LS}}'\) against the \(T_{\mathsf {LS}}\)-witness-indistinguishability of the \({\mathsf {LS}}\) protocol. Let \({\mathcal {C}}_{\mathsf {LS}}\) be the WI challenger; the adversary works as follows.
\(\varvec{{\mathcal {A}}}_{\mathsf {LS}}'(z)\)
1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
3. Upon receiving \(\mathsf {a_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
4. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:
4.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
4.2. Set \({s_1}={s_0} \oplus y\).
4.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
4.4. Compute \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m;\sigma )\).
4.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1}, \mathtt {com},\mathtt {id}\big )\), \(w_0=(\perp ,\perp , s_0,\rho ), w_1=(m,\sigma ,\perp ,\perp )\) and send \((x,\mathsf {c}_{\mathsf {LS}},w_0,w_1)\) to \({\mathcal {C}}_{\mathsf {LS}}\).
5. Upon receiving \(\mathsf {z_{LS}}\) from \({\mathcal {C}}_{\mathsf {LS}}\), send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}})\) to \({\mathcal {A}}\).
6. Simulate \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\) with \({\mathcal {A}}\), when \({\mathcal {A}}\) plays as a sender.
7. Run in time \(\tilde{T}_{{\mathsf {NM}}}\) to extract the value \(\tilde{{s_0}}_i\) from the non-malleable commitment sent by \({\mathcal {A}}\) in the i-th session. Output 1 if \(f(\tilde{{s_0}}_i\oplus \tilde{{s_1}}_i)=\tilde{Y}_i\) and output 0 otherwise.
The proof ends with the observation that if \({\mathcal {C}}_{\mathsf {LS}}\) has used \(w_0=(\perp ,\perp ,s_0,\rho )\) as a witness then \({\mathcal {A}}\) acts as in \({\mathcal {H}}_3^m(z)\), sending with non-negligible probability two shares such that the xor of them gives a puzzle solution. If \({\mathcal {C}}_{\mathsf {LS}}\) has used \(w_1=(m,\sigma ,\perp ,\perp )\) then the xor of the two shares is with overwhelming probability different from a puzzle solution as in \({\mathcal {H}}_2^m(z)\).
The next hybrid experiment that we consider is \({\mathcal {H}}_3^0(z)\). The only difference between this hybrid experiment and \({\mathcal {H}}_3^m(z)\) is that the sender, using \({\mathsf {NI}}\), commits to the message \(0^\lambda \) instead of m.
\(\varvec{{\mathcal {H}}_3^0(z).}\)
Left session:
1. First round.
1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(\ell ; \alpha )\).
1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:
2.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
2.2. Set \({s_1}={s_0} \oplus y\).
2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
2.4. Compute \((\mathtt {com},\mathtt {dec})=\underline{\mathsf {NISen}(0^\lambda ;\sigma )}\).
2.5. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, {\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
2.6. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
Right sessions: Act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
We now prove the following properties.
1. Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^0\), for any \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
2. For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}^m_3}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}^0_3}^{\mathcal {A}}(z)\).
Lemma 6
Let \(p_i\) be the probability that in the i-th right session of \({\mathcal {H}}_3^0\), for \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}\) sends \(\tilde{s_1}_i\) such that \(f(\tilde{s_1}_i\oplus \tilde{s_0}_i)=\tilde{Y}_i\) where \(\tilde{s_0}_i\) is the value committed using \({{\mathsf {NM}}}\). Then \(p_i<\nu (\lambda )\) for some negligible function \(\nu \).
Proof
Suppose by contradiction that there exists a right session \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) in which \({\mathcal {A}}\) commits, using \(\varPi _{{\mathsf {NM}}}\), to a string \(\tilde{s_0}_i\) such that \(f(\tilde{{s_0}}_i\oplus \tilde{{s_1}}_i)=\tilde{Y}_i\). Then we can construct an adversary \({\mathcal {A}}_{\mathsf {NI}}\) that breaks the hiding property of the non-interactive commitment scheme \({\mathsf {NI}}\). Let \({\mathcal {C}}_{\mathsf {NI}}\) be the challenger that on input \(m_0=0^\lambda \) and \(m_1=m\) picks a random bit b, computes \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m_b;\sigma )\) and sends \(\mathtt {com}\) to \({\mathcal {A}}_{\mathsf {NI}}\).
Before describing \({\mathcal {A}}_{\mathsf {NI}}\) we need to consider, as in the proof of Lemma 1, a machine \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) that internally executes \({\mathcal {A}}\), and interacts with a receiver \(\mathsf {Rec}_\mathsf {ext}\) of the protocol \(\varPi _{{\mathsf {NM}}}\) acting as the sender.
\(\varvec{{\mathcal {S}}_{\mathsf {n\rightarrow 1}}}(\mathtt {com}, \varphi , z)\) Run \({\mathcal {A}}\) using randomness \(\varphi \).
1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(1^{\lambda _{\mathsf {LS}}},\ell ; \alpha )\).
4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
5. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:
5.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
5.2. Set \({s_1}={s_0} \oplus y\).
5.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
5.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com},{\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
5.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
6. Let \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) be the right session that contradicts the claim. For all \(j\ne i \in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\) run \(\mathsf {MMRec}_j\) as in \({\mathcal {H}}_4(m,z)\). Run \(\mathsf {MMRec}_i\) as follows.
6.1. Upon receiving the 1st round of the i-th right session \((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i},\tilde{\mathsf {a}}_{{\mathsf {LS}}_i})\) from \({\mathcal {A}}\), send \(\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}\) to the external receiver \(\mathsf {Rec}_\mathsf {ext}\).
6.2. Upon receiving \(\mathsf {\tilde{c}_{{\mathsf {NM}}_i}}\) from \(\mathsf {Rec}_\mathsf {ext}\), run as follows:
i. Run \({\mathcal {V}}\) to obtain \(\mathsf {\tilde{c}_{LS_i}}\).
ii. Pick a random \(\tilde{Y}_i\).
iii. Send \((\mathsf {\tilde{c}_{{{\mathsf {NM}}}_i}},\mathsf {\tilde{c}_{{\mathsf {LS}}_i}},\tilde{Y}_i)\) to \({\mathcal {A}}\).
6.3. Upon receiving the 3rd round of the i-th right session \((\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i},\tilde{\mathtt {com}}_i,\tilde{\mathsf {z}}_{{\mathsf {LS}}_i},\tilde{s_1}_i)\), set \(\tilde{x}=\big ((\tilde{\mathsf {a}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {c}}_{{{\mathsf {NM}}}_i}, \tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}), \tilde{Y}_i, \tilde{s_1}_i, \tilde{\mathtt {com}}_i, \tilde{{\mathtt {id}}}\big )\) and abort iff \((\tilde{\mathsf {a}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {c}}_{{\mathsf {LS}}_i}, \tilde{\mathsf {z}}_{{\mathsf {LS}}_i})\) is not accepted by \({\mathcal {V}}\) with respect to \(\tilde{x}\).
6.4. Send \(\tilde{\mathsf {z}}_{{{\mathsf {NM}}}_i}\) to \(\mathsf {Rec}_\mathsf {ext}\).
Now we can conclude the proof of this lemma by describing how \({\mathcal {A}}_{\mathsf {NI}}\) works. \({\mathcal {A}}_{\mathsf {NI}}\) runs the extractor of the protocol \(\varPi _{{\mathsf {NM}}}\) using \({\mathcal {S}}_{\mathsf {n\rightarrow 1}}\) as sender (recall that an extractor of \(\varPi _{{\mathsf {NM}}}\) plays only having access to a sender of \(\varPi _{{\mathsf {NM}}}\)). Since the extractor outputs the committed message with non-negligible probability, \({\mathcal {A}}_{\mathsf {NI}}\) retrieves \(\tilde{s_0}_i\). Moreover \({\mathcal {A}}_{\mathsf {NI}}\) gets \(\tilde{s_1}_i\) by reconstructing the view of \({\mathcal {A}}\) using the randomness \(\varphi \). Since by assumption \({\mathcal {A}}\) contradicts the claim of this lemma, \({\mathcal {A}}_{\mathsf {NI}}\) can break the hiding of \({\mathsf {NI}}\): \(f(\tilde{s_0}_i \oplus \tilde{s_1}_i)=\tilde{Y}\) holds with non-negligible probability in \({\mathcal {H}}_3^0(z)\), where \(m_0=0^\lambda \) is committed in \(\mathtt {com}\), while the same happens only with negligible probability in \({\mathcal {H}}_3^m(z)\), where \(m_1=m\) is committed. Therefore if this happens, \({\mathcal {A}}_{\mathsf {NI}}\) outputs 0, otherwise \({\mathcal {A}}_{\mathsf {NI}}\) outputs a random bit.
Lemma 7
For any message \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) it holds that \({\mathsf {mim}}_{{\mathcal {H}}_3^m}^{\mathcal {A}}(z)\approx {\mathsf {mim}}_{{\mathcal {H}}_3^0}^{\mathcal {A}}(z)\).
Proof
Suppose by contradiction that there exists a distinguisher \({\mathcal {D}}\) and an adversary \({\mathcal {A}}\) such that \({\mathsf {mim}}_{{\mathcal {H}}_3^m}^{\mathcal {A}}(z)\) is distinguishable from \({\mathsf {mim}}_{{\mathcal {H}}_3^0}^{\mathcal {A}}(z)\) then we can construct an adversary \({\mathcal {A}}_{\mathsf {NI}}\) that breaks the hiding property of the non-interactive commitment scheme \({\mathsf {NI}}\). Let \({\mathcal {C}}_{\mathsf {NI}}\) be the challenger that on input \(m_0=0^\lambda \) and \(m_1=m\), picks a random bit b, computes \((\mathtt {com},\mathtt {dec})=\mathsf {NISen}(1^{\lambda _{\mathsf {NI}}}, m_b;\sigma )\) and sends \(\mathtt {com}\) to \({\mathcal {A}}_{\mathsf {NI}}\). Before describing \({\mathcal {A}}_{\mathsf {NI}}\), we consider the following experiment \({\mathcal {E}}_{m_b}(\varphi ,\mathtt {com},z)\).
\(\varvec{{\mathcal {E}}_{m_b}(\varphi , \mathtt {com}, z).}\) The randomness required by all the following steps is taken from \(\varphi \).
- Run \({\mathcal {A}}(z)\).
- Left session:
  1. First round.
     1.1. Pick \({s_0}\leftarrow \{0,1\}^{\lambda }\).
     1.2. Compute \(\mathsf {a}_{{\mathsf {NM}}}= \mathrm {Sen^1_{{\mathsf {NM}}}}(\mathtt {id},{s_0}; \rho )\).
     1.3. Compute \(\mathsf {a_{LS}}=\mathsf {P^1}(\ell ; \alpha )\).
     1.4. Send \((\mathsf {a}_{{\mathsf {NM}}},\mathsf {a_{LS}})\) to \({\mathcal {A}}\).
  2. Third round. Upon receiving \((\mathsf {c}_{{\mathsf {NM}}},\mathsf {c_{LS}},Y)\) from \({\mathcal {A}}\), run as follows:
     2.1. Run in time \(T_f\) to compute y such that \(Y=f(y)\).
     2.2. Set \({s_1}={s_0} \oplus y\).
     2.3. Compute \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {dec}_{{\mathsf {NM}}}) = \mathrm {Sen^2_{{\mathsf {NM}}}}(\mathtt {id},\mathsf {c}_{{\mathsf {NM}}}, {s_0};\rho )\).
     2.4. Set \(x=\big ((\mathsf {a}_{{\mathsf {NM}}}, \mathsf {c}_{{\mathsf {NM}}}, \mathsf {z}_{{\mathsf {NM}}}), Y,{s_1},\mathtt {com}, {\mathtt {id}}\big )\) and \(w=(\perp ,\perp , s_0,\rho )\) (with \(|x|=\ell \)). Run \(\mathsf {z_{LS}}=\mathsf {P^2}(x,w,\mathsf {c}_{\mathsf {LS}};\alpha )\).
     2.5. Send \((\mathsf {z}_{{\mathsf {NM}}},\mathtt {com},\mathsf {z_{LS}},{s_1})\) to \({\mathcal {A}}\).
- Right sessions: Act as a proxy between \({\mathcal {A}}\) and \(\mathsf {MMRec}_1,\dots ,\mathsf {MMRec}_{{\mathsf {poly}}(\lambda )}\).
Now we are ready to describe the adversary \({\mathcal {A}}_{\mathsf {NI}}\) for the hiding of \({\mathsf {NI}}\). \({\mathcal {A}}_{\mathsf {NI}}\) executes the following steps.
1. Let M be an empty tuple. \({\mathcal {A}}_{\mathsf {NI}}\) runs \(\varvec{{\mathcal {E}}_{m_b}(\varphi , \mathtt {com}, z)}\).
2. For all \(i\in \{1,\dots ,{\mathsf {poly}}(\lambda )\}\), \({\mathcal {A}}_{\mathsf {NI}}\) runs the extractor of LS on the i-th right session of the execution of \(\varvec{\mathcal {E}_{m_b}(\varphi , \mathtt {com}, z)}\), obtaining \(\tilde{m}_i\), and adds it to M.
3. Using the randomness \(\varphi \), \({\mathcal {A}}_{\mathsf {NI}}\) reconstructs the view of \({\mathcal {A}}\) in the execution of \(\varvec{\mathcal {E}_{m_b}(\varphi , \mathtt {com}, z)}\). Use such view and M as input to \(\mathcal {D}\).
4. Output what \(\mathcal {D}\) outputs.
The proof ends with the observation that if \(\mathcal {C}_{\mathsf {NI}}\) has committed to \(0^\lambda \) then the view of \({\mathcal {A}}\) and the distribution of the committed messages coincide with \({\mathcal {H}}_3^0(z)\), otherwise they coincide with \({\mathcal {H}}_3^m(z)\).
The entire security proof now is almost over because we have proved that for all \(m\in \{0,1\}^{{\mathsf {poly}}(\lambda )}\) the following relation holds:
We observe that in this proof we had to consider a delayed-input version of our commitment scheme. Indeed, the sender can choose the message m to be committed by sending the non-interactive commitment \(\mathtt {com}\) of the message m in the 3rd round. It is easy to see that the same security proof still works when the non-interactive commitment is sent in the 1st round, but then clearly the delayed-input property is lost.
4 More Protocols Against Concurrent MiM Attacks
In this section we show 3-round arguments of knowledge and identification schemes that are secure against concurrent MiM attacks.
4.1 Non-Malleable WI Arguments of Knowledge
Our concurrent NM commitment scheme, when instantiated without session ids, can be used to obtain almost directly a commit-and-prove AoK. Recall that in our scheme there is a non-interactive commitment \(\mathtt {com}\) of m and then the rest of the protocol is an AoK. This AoK is used by the sender to claim that either he knows the message committed in \(\mathtt {com}\), or he committed through \(\varPi _{{{\mathsf {NM}}}}\) to a share \(s_0\) that allows one to compute the solution of the puzzle.
In order to be fully compliant with the notion of commit-and-prove AoK, we just need to make a trivial change to the statement of the LS subprotocol. Given an instance \(x\in L\) and a witness w, the prover of our commit-and-prove AoK uses the non-interactive commitment to commit to w, and uses the rest to prove that either he knows the committed message w, which moreover is a witness for \(x\in L\), or again he committed through \(\varPi _{{{\mathsf {NM}}}}\) to a share \(s_0\) that allows one to compute the solution of the puzzle.
More formally, we define a commit-and-prove AoK \(\mathsf {\Pi }_\mathsf {CaP}=({\mathcal {P}}_\mathsf {CaP},{\mathcal {V}}_\mathsf {CaP})\) that corresponds to our concurrent NM commitment scheme with some minimal changes. First, \({\mathcal {P}}_\mathsf {CaP}\) and \({\mathcal {V}}_\mathsf {CaP}\) have as a common input an instance \(x\in L\), where L is an NP-language. Second, \({\mathcal {P}}_\mathsf {CaP}\) has as private input w such that \((x,w)\in {\mathsf {Rel}}_\mathsf {L}\). Third, \({\mathcal {P}}_\mathsf {CaP}\) runs \(\mathsf {MMSen}\) on w, while \({\mathcal {V}}_\mathsf {CaP}\) runs \(\mathsf {MMRec}\) with the exception of running \({\mathsf {LS}}\) for the statement:
that is WI for the corresponding NP relation \({\mathsf {Rel}}_\mathsf {L_\mathsf {CaP}}\).
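As an added example (not the paper's code) of the OR relation that the LS subprotocol proves in \(\mathsf {\Pi }_\mathsf {CaP}\), the Python block below implements a toy \({\mathsf {Rel}}_\mathsf {L_\mathsf {CaP}}\) with stand-ins that are assumptions of this example only: a truncated hash in place of the OWP f (a hash is not a permutation), hash commitments in place of \(\mathsf {NISen}\) and of the \(\varPi _{{\mathsf {NM}}}\) transcript's binding to \(s_0\), and a hash-preimage language for L. It shows the honest witness branch, the trapdoor share branch used in the hybrid where the puzzle is inverted, and the check \(f(s_0 \oplus s_1)=Y\) that the extractor argument in the proof of Theorem 3 relies on.

```python
"""Toy Rel_{L_CaP} for the commit-and-prove AoK of Sect. 4.1 (added example).

Everything here is a constructed stand-in: f, commit, rel_L and the
parameter LAM are NOT the paper's primitives, only illustrations of how
the two OR branches of the LS statement are checked.
"""
import hashlib
import os
from typing import Optional, Tuple

LAM = 16  # toy security parameter, in bytes


def f(y: bytes) -> bytes:
    """Stand-in for the OWP f on {0,1}^lambda (a truncated hash; toy only)."""
    return hashlib.sha256(b"owp|" + y).digest()[:LAM]


def commit(msg: bytes, rand: bytes) -> bytes:
    """Hash commitment standing in for NISen and for the binding of the
    Pi_NM transcript to its committed share."""
    return hashlib.sha256(b"com|" + rand + b"|" + msg).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def rel_L(x: bytes, w: bytes) -> bool:
    """Toy NP relation for L: x is the SHA-256 image of the witness w."""
    return hashlib.sha256(b"L|" + w).digest() == x


# statement = (x, c_NM, Y, s_1, com); witness = (w, dec, s_0, rho).
# None plays the role of the paper's bottom symbol for the unused branch.
Stmt = Tuple[bytes, bytes, bytes, bytes, bytes]
Wit = Tuple[Optional[bytes], Optional[bytes], Optional[bytes], Optional[bytes]]


def rel_cap(stmt: Stmt, wit: Wit) -> bool:
    """Rel_{L_CaP}: accept iff one of the two OR branches holds."""
    x, c_nm, Y, s_1, com = stmt
    w, dec, s_0, rho = wit
    # Branch 1 (honest prover): com opens to w and w is a witness for x in L.
    if w is not None and dec is not None:
        if commit(w, dec) == com and rel_L(x, w):
            return True
    # Branch 2 (trapdoor): the transcript binds s_0, and the shares encode
    # the puzzle solution y = s_0 xor s_1 with f(y) = Y.
    if s_0 is not None and rho is not None:
        if commit(s_0, rho) == c_nm and f(xor(s_0, s_1)) == Y:
            return True
    return False


def honest_prover(x: bytes, w: bytes, Y: bytes) -> Tuple[Stmt, Wit]:
    """Honest P_CaP: commits to the real witness, picks s_0 and an
    independent s_1 (it cannot invert f) and uses branch 1."""
    dec, rho = os.urandom(LAM), os.urandom(LAM)
    s_0, s_1 = os.urandom(LAM), os.urandom(LAM)
    return (x, commit(s_0, rho), Y, s_1, commit(w, dec)), (w, dec, None, None)


def simulated_prover(x: bytes, y: bytes) -> Tuple[Stmt, Wit]:
    """Prover of the hybrid that knows the puzzle solution y (in the paper
    obtained by inverting f in time T_f): commits to 0^lambda and uses
    branch 2 with s_1 = s_0 xor y."""
    dec, rho = os.urandom(LAM), os.urandom(LAM)
    s_0 = os.urandom(LAM)
    s_1 = xor(s_0, y)
    com = commit(bytes(LAM), dec)  # commitment to 0^lambda
    return (x, commit(s_0, rho), f(y), s_1, com), (None, None, s_0, rho)


def puzzle_solution_from_shares(s_0: bytes, s_1: bytes, Y: bytes) -> Optional[bytes]:
    """What an extractor landing on branch 2 yields: the pre-image of Y.
    This is also the check f(s_0 xor s_1) == Y used by A_NI in the proof."""
    y = xor(s_0, s_1)
    return y if f(y) == Y else None


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (honest accepted, simulated accepted, cheater rejected?,
    extracted share pair inverts f)."""
    w = b"toy witness"
    x = hashlib.sha256(b"L|" + w).digest()
    y = os.urandom(LAM)  # puzzle solution; the puzzle is Y = f(y)
    st_h, wit_h = honest_prover(x, w, f(y))
    st_s, wit_s = simulated_prover(x, y)
    # Knows neither a witness for x nor y: commits to a wrong string.
    st_c, wit_c = honest_prover(x, b"not a witness", f(y))
    recovered = puzzle_solution_from_shares(wit_s[2], st_s[3], st_s[2]) == y
    return rel_cap(st_h, wit_h), rel_cap(st_s, wit_s), rel_cap(st_c, wit_c), recovered


if __name__ == "__main__":
    print(demo())
```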
Theorem 3
Suppose there exist OWPs w.r.t. subexponential-time adversaries, then \(\mathsf {\Pi }_\mathsf {CaP}\) is a 3-round concurrent NMWI argument of knowledge.
Proof
The proof of this theorem is pretty straightforward given the previous proof for the concurrent non-malleability of our commitment scheme, therefore here we just point out the main intuition.
First of all, \(\mathsf {\Pi }_\mathsf {CaP}\) is clearly a commit-and-prove AoK. Indeed, there exists a commitment of the witness and there is an AoK proving that the committed message is a witness. In order to see this, notice that for any ppt malicious prover succeeding with non-negligible probability in proving a statement \(x\in L\), the extractor of \({\mathsf {LS}}\) (of course this needs to be run against an augmented machine) would return (in expected polynomial time and with overwhelming probability) the committed witness, since otherwise it would return a share \(s_0\) that combined with \(s_1\) allows one to invert the OWP in polynomial time.
We can now focus on the concurrent NMWI property, and we can assume (by contradiction) that the adversary succeeds in encoding in the right sessions witnesses that are related to the witnesses encoded in the left sessions. Notice that the proof is almost identical to the one of Theorem 2. We can indeed prove the case of one prover and multiple verifiers (i.e., one-many), and then we can apply the fact that any one-many NMWIAoK is also a concurrent NMWIAoK. Indeed this was used in [34] and follows similar arguments given in [30, 42]. For the one-many case we can therefore follow the proof of Theorem 2 with the following trivial change. Instead of running hybrid experiments starting with a message m and ending with a message 0, in the proof of one-many concurrent NMWI we start with a witness \(w_0\) and end with a witness \(w_1\). Everything else remains untouched and all the reductions work directly.
\(\mathsf {\Pi }_\mathsf {CaP}\) can be instantiated to be public-coin and delayed-input, precisely as our concurrent NM commitment scheme. While what we discussed above applies to arguments only, techniques to obtain proofs can be found in [8].
Instances with Just One Witness and Non-Transferability. Recall that the definition of NMWI considers two experiments that differ only in the witness used by the prover. Therefore it is unclear which security is given by a NMWIAoK when the instance has only one witness. In order to understand the security guaranteed by \(\mathsf {\Pi }_\mathsf {CaP}\) in such a case, consider the proof of concurrent NMWI, and thus, in turn, consider the proof of concurrent non-malleability of our commitment scheme. Notice that while the sequence of hybrids goes from an experiment where the committed message is m to an experiment where the committed message is 0, there is an experiment \({\mathcal {H}}_3(\cdot ,z)\) in which the committed message is irrelevant. Indeed, the entire execution is based on inverting the OWP, on encoding the pre-image through the shares \(s_0\) and \(s_1\), and on using this witness in the execution of \({\mathsf {LS}}\). This experiment can be seen as the execution of a quasi-polynomial time simulator that breaks the puzzle (Note 18) following the approach of [39] (Note 19). Therefore, following the same observations of [39, 40] on the security offered by quasi-polynomial time simulation, our concurrent NMWIAoK, even for instances with just one witness, would not help the adversary in proving a statement whose witness is much harder to compute than breaking the puzzle.
The above discussion explains also the non-transferability flavor of \(\mathsf {\Pi }_\mathsf {CaP}\). Indeed, at first sight, a MiM attack of an adversary \({\mathcal {A}}\) to an AoK should be an attempt of \({\mathcal {A}}\) to transfer the proof that it gets from the prover to a verifier. As such, an AoK that is secure against concurrent MiM attacks should provide some non-transferability guarantee. Since the success of \({\mathcal {A}}\) during a MiM attack can be replicated without a MiM attack by a quasi-polynomial time simulator, we have that \(\mathsf {\Pi }_\mathsf {CaP}\) guarantees non-transferability whenever computing the witnesses for the considered instances is assumed to be harder than breaking the puzzle.
NMWI for NMZK in the Bare Public-Key (BPK) Model. In [34] it is shown that a concurrent NMWIAoK \(\varPi \) gives directly a concurrent NMZKAoK in the BPK model. The construction is straightforward as it just consists of running \(\varPi \) twice, first from the verifier to the prover (proving knowledge of one out of two secrets) and then from the prover to the verifier (proving knowledge of either a witness for \(x\in L\) or of one out of the two secrets of the verifier). Our construction from Theorem 3 when combined with the construction of [34] gives a candidate round-efficient concurrent NMZKAoK in the BPK model.
4.2 Identification Schemes
We show here a 3-round identification scheme secure against concurrent MiM attacks following the concept of proving knowledge of a secret.
Identification Schemes Based on Proving Knowledge of a Secret. The importance of this setting was for instance discussed in [9] mentioning the following example. Consider a verifier \({\mathcal {V}}\) that provides a service to a restricted group of provers \({\mathcal {P}}\). A malicious prover \({\mathcal {P}}^\star \) could give to another party B that is not part of the group some partial information about his secret that is sufficient for B to obtain the service from \({\mathcal {V}}\), while B still does not know \({\mathcal {P}}^\star \)’s secret. The paradigm of proving knowledge of a secret in an identification scheme allows one to prevent attacks like the one just described. When the identification scheme consists in proving knowledge of a secret, the sole fact that B convinces \({\mathcal {V}}\) is sufficient to claim that one can extract the whole secret from B. This implies that B obtained \({\mathcal {P}}^\star \)’s secret corresponding to his identity, and thus B is actually \({\mathcal {P}}^\star \) (Note 20).
We give a security definition that considers concurrent MiM attacks similarly to the definition CR2 (concurrent-reset on-line) of [2]. The definition of [2] also includes possible reset attacks in addition to allowing \({\mathcal {A}}\) to invoke multiple concurrent executions of the prover in the left sessions while \({\mathcal {A}}\) is interacting with the verifier. In the remaining part of this section we will ignore reset attacks since they are outside the scope of our work. As described in [25], in most network-based settings reset attacks are not an issue. Following the notation of [25] we now give a formal security definition for an identification scheme.
Definition 4
Let \(\varPi =(\mathcal {K},{\mathcal {P}},{\mathcal {V}})\) be a tuple of ppt algorithms. We say \(\varPi \) is an identification scheme secure against MiM attacks if the following two properties hold. (1) Correctness. For all \((\mathsf{pk},\mathsf{sk})\leftarrow \mathcal {K}(1^\lambda )\), \(\text{ Prob }\left[ \;\langle {\mathcal {P}}(\mathsf{sk}), {\mathcal {V}}\rangle (\mathsf{pk})=1\;\right] =1.\) (2) Security. For all ppt adversaries \({\mathcal {A}}\) there exists a negligible function \(\nu \) such that \(\text{ Prob }\left[ \;(\mathsf{pk},\mathsf{sk})\leftarrow \mathcal {K}(1^\lambda ):\langle {\mathcal {A}}^{{\mathcal {P}}(\mathsf{sk})}, {\mathcal {V}}\rangle (\mathsf{pk})=1 \texttt { AND }\ \tau \ \notin T\;\right] <\nu (\lambda ),\) where \({\mathcal {A}}\) has oracle access to a stateful (i.e., non-resettable) \({\mathcal {P}}(\mathsf{sk})\), T is defined as the transcripts set of the interactions between \({\mathcal {P}}(\mathsf{sk})\) and \({\mathcal {A}}\), and \(\tau \) is defined as the transcript of one of the interactions between \({\mathcal {A}}\) and \({\mathcal {V}}\). All interactions can be arbitrarily interleaved and \({\mathcal {A}}\) controls the scheduling of the messages.
Identification Scheme from NMWI. Our construction \({{\varPi _\mathsf {ID}}}=({\mathcal {K}}_{\mathsf {ID}},{\mathcal {P}}_{\mathsf {ID}},{\mathcal {V}}_{\mathsf {ID}})\) follows the approach of [9, 34]. Let \(\lambda \) be the security parameter and let \(f:\{0,1\}^\lambda \rightarrow \{0,1\}^\lambda \) be a OWP. The public key of \({\mathcal {P}}_{\mathsf {ID}}\) is the pair \((\mathsf {pk_0},\mathsf {pk_1})\), the secret key is \(\mathsf{sk}_b\) for a randomly chosen bit b, such that \(\mathsf {pk_b} = f(\mathsf{sk}_b)\). Therefore the algorithm \({\mathcal {K}}_{\mathsf {ID}}\) takes as input the security parameter and outputs \(((\mathsf {pk_0},\mathsf {pk_1}),\mathsf{sk}_b)\) as described above. The protocol simply consists of \({\mathcal {P}}_{\mathsf {ID}}\) running our 3-round concurrent NMWIAoK \(\mathsf {\Pi }_\mathsf {CaP}\) with \({\mathcal {V}}_{\mathsf {ID}}\) to prove that it knows the pre-image of either \(\mathsf {pk_0}\) or \(\mathsf {pk_1}\). Formally, let \(L_{\mathtt {id}}\) be the following language \(L_{\mathtt {id}}= \{(y_0,y_1): \exists \ x\ \in \{0,1\}^\lambda \) such that \(y_0= f(x)\) \(\vee \ y_1= f(x) \}\); then the identification scheme consists of \({\mathcal {P}}_{\mathsf {ID}}\) proving the statement \((\mathsf {pk_0},\mathsf {pk_1})\in L_{\mathtt {id}}\) using \(\mathsf {\Pi }_\mathsf {CaP}\).
Theorem 4
Assuming the existence of OWPs w.r.t. subexponential-time adversaries, there is an identification scheme secure against concurrent MiM attacks.
The proof is again straightforward. If a PPT \({\mathcal {A}}\) succeeds, then concurrent NMWI of \(\mathsf {\Pi }_\mathsf {CaP}\) guarantees that the witness it encoded in the proof is independent of the one encoded in the proofs given by \({\mathcal {P}}\). Therefore by using the AoK property of \(\mathsf {\Pi }_\mathsf {CaP}\) we can invert f with non-negligible probability.
5 Concurrent Malleability of [21]
Here we briefly explain the intuition behind the fact that the 3-round NM commitment scheme \(\varPi _{{\mathsf {NM}}}=({\mathsf {Sen}_{\mathsf {NM}}},{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}})\) of [21] is malleable with respect to a concurrent MiM attack. We use ideas from [16]. We describe a succeeding concurrent MiM adversary \({\mathcal {A}}\) along with a distinguisher \({\mathcal {D}}\). We will refer to a NM commitment of the message m using the scheme \(\varPi _{{\mathsf {NM}}}\) as \(\mathsf {nmcom}(m)\). We stress that \(\mathsf {nmcom}(m)\) is the result of a 3-round interaction between the sender \({\mathsf {Sen}_{\mathsf {NM}}}\) and the receiver \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}\). We start by describing the high-level idea of the protocol \(\varPi _{{\mathsf {NM}}}\). In the 1st round a left-state \(\mathsf {L}\) is computed using a special split-state non-malleable code. Let \(n=|\mathsf {L}|\). Then a non-interactive commitment \(\mathtt {com}_\mathsf {L}\) of \(\mathsf {L}\) is sent in the 1st round, while in the 3rd round the sender computes the right-state \(\mathsf {R}\) corresponding to the message m and sends it in the clear. In parallel there is also a PoK of the message \(\mathsf {L}\) committed in \(\mathtt {com}_\mathsf {L}\). This PoK can be seen as a PoK of each bit of \(\mathsf {L}\). Therefore there are n PoKs where the j-th proof is used to prove knowledge of the bit \(\mathsf {L}_j\) of \(\mathsf {L}\).
The actual scheme of [21] is more sophisticated than what we have just described: there are various other components, but they have no impact on the work done by our \({\mathcal {A}}\), so we will omit them from this short description. Essentially, we will show here that a simplified version of the scheme of [21] is concurrently malleable. However all our arguments apply to their full scheme.
The proposed adversary \({\mathcal {A}}\) interacts with one sender \({\mathsf {Sen}_{\mathsf {NM}}}\) in the left session and with many receivers \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_1,\dots ,{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_{{\mathsf {poly}}(\lambda )}\) in the right sessions. The behavior of \({\mathcal {A}}\) in the left and right sessions can be summarized as follows.
Left Session. \({\mathsf {Sen}_{\mathsf {NM}}}\) computes the 1st round of \(\varPi _{{\mathsf {NM}}}\) as follows. First, he computes \(\mathsf {L}\), then he computes a perfectly binding commitment \(\mathtt {com}_{\mathsf {L}}\) of \(\mathsf {L}\) and computes n PoKs, one for each bit of the message committed in \(\mathtt {com}_{\mathsf {L}}\). In the last round of \(\varPi _{{\mathsf {NM}}}\), \({\mathsf {Sen}_{\mathsf {NM}}}\) completes the n PoKs and sends \(\mathsf {R}\) to \({\mathcal {A}}\) such that the pair \((\mathsf {L},\mathsf {R})\) is a valid encoding of m according to the special non-malleable code. Hence in the left session \({\mathcal {A}}\) receives \(\mathtt {com}_{\mathsf {L}}\), \(\mathsf {R}\) and n PoKs, one for each bit of the string committed in \(\mathtt {com}_{\mathsf {L}}\), that is, a PoK for each bit \(\mathsf {L}_j\) of \(\mathsf {L}\).
Right Sessions. In the right sessions \({\mathcal {A}}\) interacts with \({\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_1,\dots ,{\mathsf {Rec}_\mathsf {{\mathsf {NM}}}}_{{\mathsf {poly}}(\lambda )}\) mauling the commitments received on the left. More specifically, it starts 2n right sessions where n of them should correspond to \(\mathsf {nmcom}(\mathsf {L}_1),\dots ,\mathsf {nmcom}(\mathsf {L}_n)\) such that \(\mathsf {L}=\mathsf {L}_1\dots \mathsf {L}_n\), and the other n sessions should correspond to invalid commitments (we refer to such commitments as \(\mathsf {nmcom}(\perp )\)).
More precisely, our adversary computes, for each bit \(\mathsf {L}_j\) of \(\mathsf {L}\), two NM commitments \(\mathsf {nmcom}(1^\lambda )\), \(\mathsf {nmcom}(0^\lambda )\) such that if \(\mathsf {L}_j=1\) then \(\mathsf {nmcom}(0^\lambda )\) is invalid, otherwise \(\mathsf {nmcom}(1^\lambda )\) is invalid. In order to poison one out of \(\mathsf {nmcom}(0^\lambda )\) and \(\mathsf {nmcom}(1^\lambda )\), \({\mathcal {A}}\) will rely on the PoK of \(\mathsf {L}_j\) received on the left. The PoK of \(\mathsf {L}_j\) will be plugged into the PoKs of \(\mathsf {nmcom}(0^\lambda )\) and into the PoKs of \(\mathsf {nmcom}(1^\lambda )\). More precisely, one of the n PoKs of \(\mathsf {nmcom}(0^\lambda )\) that corresponds to a PoK of the bit 0 will be replaced with the PoK of \(\mathsf {L}_j\). The same approach is applied when \({\mathcal {A}}\) computes \(\mathsf {nmcom}(1^\lambda )\), with the only difference that the PoK that \({\mathcal {A}}\) replaces corresponds to a PoK of a bit 1. In this way only one out of \(\mathsf {nmcom}(0^\lambda )\) and \(\mathsf {nmcom}(1^\lambda )\) still remains a valid commitment. In particular \(\mathsf {nmcom}(\mathsf {L}_j)\) will remain a valid commitment while \(\mathsf {nmcom}({1-\mathsf {L}_j})\) will be poisoned and thus will correspond to an invalid commitment (Fig. 4).
There is however a subtlety. Since the PoK played on the right has one component copied from the PoK played on the left, it can be completed successfully only with constant probability, and the adversary has to abort the session if it cannot complete the PoK. Therefore each of the above 2n right sessions could be repeated multiple times, but the total number of right sessions will still be polynomial in the security parameter. Finally our distinguisher \({\mathcal {D}}\), given as input the committed bits \(\mathsf {L}_1,\dots , \mathsf {L}_n\) and \(\mathsf {R}\) contained in the view of \({\mathcal {A}}\), can easily recover the message m committed in the left interaction.
Notes
- 1. We consider the notion of NM commitment w.r.t. commitment.
- 2. For simplicity in the informal part of the paper we will not make a strict distinction between proofs and arguments. In the formal part we will use appropriate terms.
- 3.
- 4. Other notions based on signature or decryption capabilities are considered weaker since in some applications the verifier wants to make sure that the prover is the actual entity matching the announced identity. Indeed without a PoK a prover could give some partial information about his secret to others that can still succeed in convincing the verifier, even though they do not know the full secret.
- 5. We also require the scheme to be extractable. Extractability often comes for free since it is commonly used in the non-malleability proof.
- 6. Our transform can be instantiated in two ways. In the former the message to commit is required already when playing the first round, while in the latter the message to commit is required when playing the third round only.
- 7.
- 8. In this paper we consider a non-interactive decommitment phase only.
- 9.
- 10. Extractability is informally stated in Claim 12 of [21].
- 11. The same \(\alpha \) is passed to \(\mathsf {P^1}\) and \(\mathsf {P^2}\) so that \(\mathsf {P^2}\) can reconstruct the state of \(\mathsf {P^1}\).
- 12. When sampling from the range of f corresponds to picking a random string, we have that our commitment scheme is public coin.
- 13. To compute the 1st and 2nd round of \({\mathsf {LS}}\) only the length \(\ell \) of the instance is required.
- 14. We will describe the hybrid experiments in a succinct way focusing on the key steps (e.g., omitting sampling of randomness, generation of parameters \(\lambda _{\mathsf {NI}}, \lambda _{{\mathsf {NM}}},\lambda _{\mathsf {LS}},\ell \)).
- 15. The extractor is an expected polynomial-time algorithm while \({\mathcal {A}}_f\) must be a strict polynomial-time algorithm. Therefore \({\mathcal {A}}_f\) will run the extractor up to a fixed upper bound on the number of steps that is higher than the expected running time of the extractor. Obviously with non-negligible probability the truncated extraction procedure will be completed successfully and this is sufficient for \({\mathcal {A}}_f\) to invert f. The same standard argument about truncating the execution of an expected polynomial-time algorithm will be needed later but for simplicity we will not repeat this discussion.
- 16. To simplify the notation here, and in the rest of the proof, we will omit that the indistinguishability between two distributions must hold for every auxiliary input z.
- 17. Recall that \(\varPi _{{\mathsf {NM}}}\) is secure against adversaries running in time \({\mathsf {poly}}(\lambda )\cdot T_{\mathsf {NI}}<T_{{\mathsf {NM}}}\).
- 18. The puzzle can be implemented through an OWP that can be inverted in quasi-polynomial time.
- 19. The work of Pass did not take into account MiM attacks.
- 20. This is instead not likely to happen in scenarios where the same secret key is used for other critical tasks such as signatures of any type of document.
References
Barak, B.: Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In: Proceedings of 43rd Symposium on Foundations of Computer Science (FOCS 2002), Vancouver, BC, Canada, 16–19 November 2002, pp. 345–355 (2002)
Bellare, M., Fischlin, M., Goldwasser, S., Micali, S.: Identification protocols secure against reset attacks. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 495–511. Springer, Heidelberg (2001)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Blundo, C., Persiano, G., Sadeghi, A.-R., Visconti, I.: Improved security notions and protocols for non-transferable identification. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 364–378. Springer, Heidelberg (2008)
Brenner, H., Goyal, V., Richelson, S., Rosen, A., Vald, M.: Fast non-malleable commitments. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 1048–1057 (2015)
Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, Portland, OR, USA, 21–23 May 2000, pp. 235–244 (2000). http://doi.acm.org/10.1145/335305.335334
Cao, Z., Visconti, I., Zhang, Z.: Constant-round concurrent non-malleable statistically binding commitments and decommitments. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 193–208. Springer, Heidelberg (2010)
Cao, Z., Visconti, I., Zhang, Z.: On constant-round concurrent non-malleable proof systems. Inf. Process. Lett. 111(18), 883–890 (2011)
Cho, C., Ostrovsky, R., Scafuro, A., Visconti, I.: Simultaneously resettable arguments of knowledge. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 530–547. Springer, Heidelberg (2012)
Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Concurrent non-malleable commitments (and more) in 3 rounds. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 270–299. Springer, Heidelberg (2016). Cryptology ePrint Archive, Report 2016/566. http://eprint.iacr.org/
Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: On round-efficient non-malleable protocols. Cryptology ePrint Archive, Report 2016/621 (2016). http://eprint.iacr.org/2016/621
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_5
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Online/offline OR composition of sigma protocols. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 63–92. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_3
Di Crescenzo, G., Persiano, G., Visconti, I.: Constant-round resettable zero knowledge with concurrent soundness in the bare public-key model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 237–253. Springer, Heidelberg (2004)
Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, New Orleans, Louisiana, USA, 5–8 May 1991, pp. 542–552 (1991)
Faust, S., Mukherjee, P., Nielsen, J.B., Venturi, D.: Continuous non-malleable codes. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 465–488. Springer, Heidelberg (2014)
Feige, U., Fiat, A., Shamir, A.: Zero knowledge proofs of identity. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing 1987, New York, USA, pp. 210–217 (1987)
Garg, S., Mukherjee, P., Pandey, O., Polychroniadou, A.: The exact round complexity of secure computation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 448–476. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_16
Goyal, V.: Constant round non-malleable protocols using one way functions. In: Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6–8 June 2011, pp. 695–704 (2011)
Goyal, V., Lee, C., Ostrovsky, R., Visconti, I.: Constructing non-malleable commitments: a black-box approach. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, 20–23 October 2012, pp. 51–60 (2012)
Goyal, V., Pandey, O., Richelson, S.: Textbook non-malleable commitments. IACR Cryptology ePrint Archive 2015 (2015). Version 20151210:144729 (posted 10-Dec-2015 14:47:29 UTC). http://eprint.iacr.org/2015/1178
Goyal, V., Pandey, O., Richelson, S.: Textbook non-malleable commitments. In: Proceedings of the 48th Annual ACM Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, 19–21 June 2016
Goyal, V., Richelson, S., Rosen, A., Vald, M.: An algebraic approach to non-malleability. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, Philadelphia, PA, USA, 18–21 October 2014, pp. 41–50 (2014)
Hazay, C., Venkitasubramaniam, M.: On the power of secure two-party computation. Cryptology ePrint Archive, Report 2016/074 (2016). http://eprint.iacr.org/
Katz, J.: Efficient cryptographic protocols preventing “Man-in-the-Middle” attacks. Ph.D. thesis, Columbia University (2002)
Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-28628-8_21
Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6–8 June 2011, pp. 705–714 (2011)
Lin, H., Pass, R.: Constant-round nonmalleable commitments from any one-way function. J. ACM 62(1), 5:1–5:30 (2015)
Lin, H., Pass, R., Venkitasubramaniam, M.: Concurrent non-malleable commitments from any one-way function. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 571–588. Springer, Heidelberg (2008)
Lin, H., Pass, R., Venkitasubramaniam, M.: A unified framework for concurrent security: universal composability from stand-alone non-malleability. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009, pp. 179–188 (2009)
Lindell, Y.: Foundations of cryptography 89–856 (2010). http://u.cs.biu.ac.il/~lindell/89-856/complete-89-856.pdf
Mittelbach, A., Venturi, D.: Fiat-Shamir for highly sound protocols is instantiable. Cryptology ePrint Archive, Report 2016/313 (2016). http://eprint.iacr.org/
Ostrovsky, R., Persiano, G., Visconti, I.: Constant-round concurrent non-malleable zero knowledge in the bare public-key model. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 548–559. Springer, Heidelberg (2008)
Ostrovsky, R., Persiano, G., Visconti, I.: Simulation-based concurrent non-malleable commitments and decommitments. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 91–108. Springer, Heidelberg (2009)
Ostrovsky, R., Rao, V., Scafuro, A., Visconti, I.: Revisiting lower and upper bounds for selective decommitments. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 559–578. Springer, Heidelberg (2013)
Ostrovsky, R., Visconti, I.: Simultaneous resettability from collision resistance. Electronic Colloquium on Computational Complexity (ECCC) 19, 164 (2012)
Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive one-way functions and applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008)
Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003)
Pass, R.: Bounded-concurrent secure multi-party computation with a dishonest majority. In: Proceedings of the 36th Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 13–16 June 2004, pp. 232–241 (2004)
Pass, R.: Unprovable security of perfect NIZK and non-interactive non-malleable commitments. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 334–354. Springer, Heidelberg (2013)
Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: Proceedings of 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), Pittsburgh, PA, USA, 23–25 October 2005, pp. 563–572 (2005)
Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 533–542 (2005)
Pass, R., Rosen, A.: Concurrent nonmalleable commitments. SIAM J. Comput. 37(6), 1891–1925 (2008)
Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)
Pass, R., Wee, H.: Constant-round non-malleable commitments from sub-exponential one-way functions. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 638–655. Springer, Heidelberg (2010)
Scafuro, A., Visconti, I.: On round-optimal zero knowledge in the bare public-key model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 153–171. Springer, Heidelberg (2012). http://dx.doi.org/10.1007/978-3-642-29011-4_11
Wee, H.: Black-box, round-efficient secure computation via non-malleability amplification. In: 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010, 23–26 October 2010, Las Vegas, Nevada, USA, pp. 531–540. IEEE Computer Society (2010)
Yung, M., Zhao, Y.: Generic and practical resettable zero-knowledge in the bare public-key model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 129–147. Springer, Heidelberg (2007)
Acknowledgments
We thank Vipul Goyal and Silas Richelson for remarkable discussions on [22]. Research supported in part by “GNCS - INdAM”, EU COST Action IC1306, NSF grants 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, and Lockheed-Martin Corporation Research Award. This material is based upon work supported in part by the DARPA Safeware program. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense or the U.S. Government. The work of the 1st, 3rd and 4th authors has been done in part while visiting UCLA.
Copyright information
© 2016 International Association for Cryptologic Research
Cite this paper
Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I. (2016). Concurrent Non-Malleable Commitments (and More) in 3 Rounds. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science(), vol 9816. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53015-3_10
DOI: https://doi.org/10.1007/978-3-662-53015-3_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53014-6
Online ISBN: 978-3-662-53015-3