Non-Malleable Primitives Why and How

The case of Commitments

Rafail Ostrovsky (UCLA, USA) Giuseppe Persiano (Univ. Salerno – ITALY) Ivan Visconti (Univ. Salerno – ITALY)

Commitment Schemes

[Figure: commitment diagram with labels m, Com, Open m, Ver]

Properties:

– Binding: after giving the safe to Alice, Bob cannot alter the message m written inside
– Hiding: Alice cannot determine m until she learns the combination
– Statistical Binding: there is no way to open Com in two different ways
– Statistical Hiding: the transcript of the commitment phase does not encode any specific message (in the information-theoretic sense), thus Com can potentially be opened to any message

Very useful, but often we need more...

Auction

Phase I: commit to bid: Com1 (bid b1), Com2 (bid b2)

Phase II: reveal bid: Open b1, Open b2

Man-in-the-Middle (MiM) Attack

[Figure: MiM diagram with labels m, Com, Open m, Com’, Open m’]

m and m’ could be related

we should define commitment schemes that remain secure under such attacks
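An added illustration, not taken from the slides: the auction attack above run against a concrete malleable scheme. It assumes Pedersen commitments over a toy group, a scheme the slides do not name; the parameters, the trapdoor value and all function names are constructed for this example. The `equivocate` helper also shows the statistical hiding property stated earlier (the same Com can be opened to any message).

```python
# Added example: Pedersen commitments over a toy group (all values constructed).
import secrets

P, Q = 2039, 1019      # safe prime P = 2Q + 1, toy size only
G = 4                  # generator of the order-Q subgroup of Z_P*
TRAPDOOR = 777         # log_G(H); nobody knows this in a real setup
H = pow(G, TRAPDOOR, P)

def commit(m, r=None):
    """Com: return (commitment, opening randomness r)."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, m % Q, P) * pow(H, r, P)) % P, r

def verify(com, m, r):
    """Ver: accept iff (m, r) is a valid opening of com."""
    return com == (pow(G, m % Q, P) * pow(H, r, P)) % P

def equivocate(m, r, m_new):
    """With the trapdoor, find r_new so the same Com opens to m_new.
    Such an r_new exists for every message: statistical hiding."""
    return (r + (m - m_new) * pow(TRAPDOOR, -1, Q)) % Q

def mim_maul_commitment(com, delta):
    """MiM, phase I: build Com' for m + delta without knowing m."""
    return (com * pow(G, delta % Q, P)) % P

def mim_maul_opening(m, r, delta):
    """MiM, phase II: convert the honest opening into an opening of Com'."""
    return (m + delta) % Q, r

def run_auction(bid, delta=1):
    """Return (honest opening valid, MiM opening valid, MiM's bid)."""
    com, r = commit(bid)                             # honest bidder commits
    com_mim = mim_maul_commitment(com, delta)        # related commitment
    m_mim, r_mim = mim_maul_opening(bid, r, delta)   # after seeing Open b1
    return verify(com, bid, r), verify(com_mim, m_mim, r_mim), m_mim
```

The MiM's opening verifies although it learned nothing about the bid during phase I; the relation m’ = m + 1 is what non-malleability with respect to opening rules out.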

Non-Malleable Commitments

with respect to commitment:

  • the message m’ encoded in the commitment of MiM should not be related to the message m encoded in the commitment of the sender
  • it does make sense in case of statistical binding
  • it does not make sense in case of statistical hiding

with respect to opening:

  • the MiM adversary should not be able to produce a commitment such that the message m’ opened by MiM is related to the message m opened by the committer
  • it does make sense in case of statistical binding
  • it does make sense in case of statistical hiding

State-of-the-Art (constant round)

NM commitments with respect to commitment:

  • Common Reference String model: of course! [several papers]
  • Plain model: [PR05] (non-black-box techniques);

NM commitments with respect to opening:

  • CRS model: of course! [many papers]
  • Plain model: [PR05] (non-black-box techniques);

Our Setting: the Plain Model

We focus on: constant-round NM commitments in the plain model…

… therefore we consider the [PR05] paper

We are still discussing the definitions, therefore let’s take a more careful look at the [PR05] definitions and results

Statistically Hiding NM Commitments with respect to opening [PR05]

[Figure: labels View, <Junk>, m’, <real game>, m]

m is known to the simulator just before the decommitment phase

Statistically Binding NM Commitments with respect to commitment [PR05]

[Figure: labels View, <Junk>, m’, <real game>]

no opening ??


Statistically Binding NM Commitments [derived from PR05] with respect to opening

[Figure: labels View, <Junk>, m’, <real game>, m]

m is known to the simulator just before the decommitment phase

now the simulator should also be able to open to m the committed junk

Ok let’s look at the PR05 construction

Commitment Phase:

CR send a statistically binding commitment of m
CR use a statistical NMZK argument of knowledge for proving knowledge of the committed message

Decommitment Phase:

CR open the commitment of m

Simulator: it commits to junk and uses the simulator of NMZK argument of knowledge.

No way of opening the commitment of junk to a given message!

Statistically Hiding NM w.r.t opening

Commitment Phase:

CR send a statistically hiding commitment of m

Decommitment Phase:

CR send m
CR use a statistical NMZK argument of knowledge for proving that m is the committed message

Simulator: it commits to junk and during the decommitment phase it uses the simulator of NMZK argument of knowledge.

Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening

Commitment Phase:

CR send a statistically binding commitment of m
CR use a statistical NMZK argument of knowledge for proving knowledge of the committed message

Decommitment Phase:

CR send m
CR use a statistical NMZK argument of knowledge for proving that m is the committed message

Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge.

Concurrent Man-in-the-Middle (MiM) Attack

[Figure: concurrent MiM diagram with labels <m>, <Com>, <Open>, <Com’>, <m’>]

<m> and <m’> could be related

Auction on the Internet

The same MiM adversary may be involved in several concurrent auctions

We still want commitments to be independent from the ones of other players

Statistically Binding Concurrent NM Commitments with respect to commitment [PR05b]

[Figure: labels View, <Junk>, <m’>]

no opening ??

Let’s look at the PR05b construction

Commitment Phase:

CR send a statistically binding commitment of m
CR use a statistical NMZK argument of knowledge for proving knowledge of the committed message

Decommitment Phase:

CR open the commitment of m

let’s try again our fix for the standalone case, maybe it works again…

Our commitment (based on [PR05] constructions): NM both with respect to commitment and to opening

Commitment Phase:

CR send a statistically binding commitment of m
CR use a statistical NMZK argument of knowledge for proving knowledge of the committed message

Decommitment Phase:

CR send m
CR use a statistical NMZK argument of knowledge for proving that m is the committed message

Simulator: it commits to junk and uses twice the simulator of the NMZK argument of knowledge.

WHEN CONCURRENCY IS ALLOWED, THE SIMULATOR DOES NOT WORK ANYMORE !!!

In [PR05b] there is no concurrent NM commitment with respect to opening, thus there is no additional technique that can be exploited for a new fix !!!

Concurrent NM commitment with respect to opening is actually left as an important open problem by PR05b !!!

Our Result

We show: a constant-round concurrent NM commitment scheme in the plain model…

the scheme is NM both with respect to commitment and with respect to opening

Our Commitment Scheme

Commitment Phase:

RC send TWO statistically binding commitments of random messages r,s
RC use a statistical NMZK argument of knowledge for proving knowledge of one of the two committed messages
CR send a statistically binding commitment Com of m
CR use a statistical NMZK argument of knowledge for proving knowledge of the committed message

Decommitment Phase:

RS open r and s
CR send m
CR use a statistical NMZK argument of knowledge for proving that m is the committed message in Com OR r is the committed message in Com OR s is the committed message in Com

Properties

Binding. By the statistical binding of the used commitment scheme, and by the soundness of the NMZK argument system, the binding property can only be violated if the prover committed to either r or s. However, this can be reduced to breaking the hiding property of the commitment scheme.

Hiding. It follows from the statistical ZK property and from the hiding of the used commitment scheme.

Concurrent NM w.r.t. Commitment. We can directly use the simulator of [PR05b], as the decommitment phase can be ignored and the additional steps of the commitment phase can simply be played using the honest committer algorithm.

Concurrent NM w.r.t. Opening. The simulator plays the commitment phase as in [PR05b] and plays the additional steps using the honest committer algorithm. Then the simulator rewinds (one by one) the MiM, obtaining for each commitment either a valid r or s. Finally the simulator receives the vector <m> and opens the commitments to <m> using all r and s extracted previously.

Summing up

Consider the Game ALPHA where the honest committer commits and opens <m1>. Let <m1’> be the openings of the MIM.

Consider the Hybrid Game BETA where the simulator commits to junk and opens <m1>. By hybrid arguments we have that the MIM will still open <m1’>.

Consider the Hybrid Game GAMMA where the simulator commits to junk and opens <m2>. By hybrid arguments we have that the MIM will still open <m1’>.

Consider the Game DELTA where the honest committer commits and opens <m2>. By hybrid arguments we have that the MIM will still open <m1’>.

Therefore ALPHA and DELTA are indistinguishable and the openings of the MIM do not depend on <m1> and <m2>
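
The hybrid chain above, written out as an added worked step (not from the slides). The notation is assumed here: for a game $G$ and a distinguisher $D$, $p_G = \Pr[D(\text{MiM's openings in } G) = 1]$, and $\varepsilon_1, \varepsilon_2, \varepsilon_3$ bound the gap between each adjacent pair of games.

$$
\begin{aligned}
|p_{\mathrm{ALPHA}} - p_{\mathrm{DELTA}}|
&\le |p_{\mathrm{ALPHA}} - p_{\mathrm{BETA}}| + |p_{\mathrm{BETA}} - p_{\mathrm{GAMMA}}| + |p_{\mathrm{GAMMA}} - p_{\mathrm{DELTA}}| \\
&\le \varepsilon_1 + \varepsilon_2 + \varepsilon_3
\end{aligned}
$$

If each $\varepsilon_i$ is negligible, so is their sum: no distinguisher can tell the MiM's openings when <m1> is committed from its openings when <m2> is committed.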

Conclusion

We have secure auctions on the Internet.

Security against man-in-the-middle attacks for commitment schemes has to be carefully considered, as there are two different notions with a controversial interpretation.

Constant-round protocols in the plain model are hard to achieve, in particular when the concurrent setting is considered.

We have shown a constant-round concurrent non-malleable commitment scheme in the plain model that is non-malleable with respect to both notions.

It can also be instantiated to be statistically hiding (more work in the proof).

There still are open problems:

can we obtain statistical binding ??
can we obtain a scheme that is secure even in case commitment and decommitment phases overlap ??