Non-interactive and Reusable Non-malleable Commitments

1. Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S

2. Common reference string (CRS) or public key (pk). c m d Alice Bob (c,d) = commitpk(m;r) m = decommitpk(c,d) Binding: Alice cannot change the message in c. Hiding: Bob cannot guess the message in c. Commitments

3. Pedersen commitment: pk = (g,h) c = grhm d = (m,r) c´ = ch d´ = (m+1,r) c c´ d d´ M A D m m´ related to m Non-malleability

4. c1,...,ct d1,...,dt d1´,...,du´ c1´,...,cu´ m1´,...,mu´ m1,...,mtm1´,...,mu´ m1,...,mt t A m1,...,mtm1´,...,mu´ m1,...,mt S Reusable Non-malleability (t >1,1)-security stronger than (1,1)-security (1,u >1)-security stronger than (1,1)-security

5. Known Schemes Dolev, Dwork, Naor: interactive, 1-way, not practical Di Crescenzo, Ishai, Ostrovsky: non-interact., 1-way, not practical Fischlin, Fischlin: interactive, Dlog/RSA, practical Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way, practical Garay, MacKenzie, Yang: non-interactive, DSA, practical UC protocols are intuitively like having a trusted third party Canetti, Fischlin: non-interactive, claw-free permutations, not practical Damgård, Nielsen: interact., decisional composite residuosity, practical Canetti, Lindell, Ostrovsky, Sahai: non-int., trapdoor perm., not practical

6. Our Results • Non-interactive, reusable, trapdoor commitments • 1-way functions – not practical • Strong RSA – very efficient • Unconditional binding or hiding on minimal assumptions Common reference string (CRS) UC commitment (interactive or not) implies Secret Key Agreement Uniform reference string UC commitment implies Oblivious Transfer Application: Shorter CRS in Damgård-Nielsen UC commitment

7. x  L a m z Prover Verifier verify(x,a,m,z) = 1 Special soundness: From valid (a,m,z) and (a,m´,z´) a witness w can be extracted. Special honest verifier ZK: (a,m,z)  Sim(x,m) Sigma-protocols

8. Signatures Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (only need known message attack). (vk,sk) SignatureKeyGenerator Place vk on the CRS To commit simulate (a,m,z)  Sim((vk,),m) a proof of knowledge of a signature on . Commitment: c = a Decommitment: d = (m,z)

9. Commitment Scheme CRS: vk for signatures, pk for unconditionally hiding honest sender commitment, hash a UOWHF • (c,d) = HScommitpk(ak) •  = hash(c) • (a,m,z) = Sim((vk,),m) • mac = MACak(a) C = (c,a,mac) D = (d,m,z)

10. c1,...,ct c1´,...,cu´ d1´,...,du´ Essence of Lemma 5 (flaw found by Phil MacKenzie): A m1,...,mt d1,...,dt ... m1,...,mt d1,...,dt m1´,...,mu´ Sketch of Security Proof Trapdoor commitment scheme. If we know the signature key sk we may open commitments as anything, since we can answer any challenge m.

11. m1´,...,mu´ d1,...,dt d1,...,dt d1´,...,du´ t S c1,...,ct c1´,...,cu´ m1,...,mt ... ... simulated A simulated M m1,...,mt d1´,...,du´ Sketch of Security Proof II

12. Open Problems • Non-interactive NM commitment without a CRS. • Construction that allows histories, i.e., the adversary gets both commitments and some extra information about the contents. • UC secure Oblivious Transfer from UC commitment.