Presentation is loading. Please wait.

Presentation is loading. Please wait.

Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S."— Presentation transcript:

1 Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S

2 Commitments Binding: Alice cannot change the message in c. Hiding: Bob cannot guess the message in c. Common reference string (CRS) or public key (pk). AliceBob m (c,d) = commit pk (m;r) c d m = decommit pk (c,d)

3 Non-malleability Pedersen commitment: pk = (g,h) c = g r h m d = (m,r) c´ = ch d´ = (m+1,r) A c c´ d m d´ m´ related to m M D

4 Reusable Non-malleability (t >1,1)-security stronger than (1,1)-security (1,u >1)-security stronger than (1,1)-security A c 1,...,c t d 1,...,d t d 1 ´,...,d u ´ c 1 ´,...,c u ´ m 1,...,m t m 1,...,m t m 1 ´,...,m u ´ S m 1 ´,...,m u ´t m 1,...,m t m 1 ´,...,m u ´ m 1,...,m t

5 Known Schemes Dolev, Dwork, Naor: interactive, 1-way, not practical Di Crescenzo, Ishai, Ostrovsky: non-interact., 1-way, not practical Fischlin, Fischlin: interactive, Dlog/RSA, practical Di Crescenzo, Katz, Ostrovsky, Smith: non-interactive, 1-way, practical Garay, MacKenzie, Yang: non-interactive, DSA, practical Canetti, Fischlin: non-interactive, claw-free permutations, not practical Damgård, Nielsen: interact., decisional composite residuosity, practical Canetti, Lindell, Ostrovsky, Sahai: non-int., trapdoor perm., not practical UC protocols are intuitively like having a trusted third party

6 Our Results Non-interactive, reusable, trapdoor commitments 1-way functions – not practical Strong RSA – very efficient Unconditional binding or hiding on minimal assumptions Common reference string (CRS) UC commitment (interactive or not) implies Secret Key Agreement Uniform reference string UC commitment implies Oblivious Transfer Application: Shorter CRS in Damgård-Nielsen UC commitment

7 Sigma-protocols Prover Verifier x  L a m z verify(x,a,m,z) = 1 Special soundness: From valid (a,m,z) and (a,m´,z´) a witness w can be extracted. Special honest verifier ZK: (a,m,z)  Sim(x,m)

8 Signatures Signatures that are secure against existential forgery under adaptive chosen message attack can be built from 1-way functions (only need known message attack). (vk,sk)  SignatureKeyGenerator Place vk on the CRS To commit simulate (a,m,z)  Sim((vk,  ),m) a proof of knowledge of a signature on . Commitment: c = a Decommitment: d = (m,z)

9 Commitment Scheme CRS: vk for signatures, pk for unconditionally hiding honest sender commitment, hash a UOWHF (c,d) = HScommit pk (ak)  = hash(c) (a,m,z) = Sim((vk,  ),m) mac = MAC ak (a) C = (c,a,mac) D = (d,m,z)

10 Sketch of Security Proof Trapdoor commitment scheme. If we know the signature key sk we may open commitments as anything, since we can answer any challenge m. d 1,...,d t Essence of Lemma 5 (flaw found by Phil MacKenzie): A c 1,...,c t c 1 ´,...,c u ´ d 1 ´,...,d u ´ m 1 ´,...,m u ´ m 1,...,m t d 1,...,d t...... m 1,...,m t

11 Sketch of Security Proof II S m 1 ´,...,m u ´t simulated A c 1,...,c t d 1,...,d t c 1 ´,...,c u ´ d 1,...,d t d 1 ´,...,d u ´...... m 1,...,m t...... simulated M

12 Open Problems Non-interactive NM commitment without a CRS. Construction that allows histories, i.e., the adversary gets both commitments and some extra information about the contents. UC secure Oblivious Transfer from UC commitment.

Download ppt "Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems Jens Groth BRICS, University of Aarhus Cryptomathic A/S.

Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems Jens Groth BRICS, University of Aarhus Cryptomathic A/S.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

Similar presentations

Ads by Google