Non-malleable Vector Commitments via Local Equivocability

L. Rotem and G. Segev

Vector commitments (VCs), which enable committing to a vector and later locally revealing any of its entries, play a key role in a variety of both classic and recently-evolving applications. However, security notions for VCs have so far focused on passive attacks, and non-malleability notions that consider active attacks have not been explored. Moreover, the existing frameworks that might capture the non-malleability of VCs seem either too weak (non-malleable non-interactive commitments, which do not account for the security implications of local openings) or too strong (non-malleable zero-knowledge sets, which support both membership and non-membership proofs). We put forward a rigorous framework capturing the non-malleability of VCs, striking a careful balance between the existing weaker and stronger frameworks: we strengthen the framework of non-malleable non-interactive commitments by considering attackers that may be exposed to local openings, and we relax the framework of non-malleable zero-knowledge sets by focusing on membership proofs. In addition, we strengthen both frameworks by supporting (inherently private) updates to entries of committed vectors, and we discuss the benefits of non-malleable VCs in the context of both UTXO-based and account-based stateless blockchains, and in the context of simultaneous multi-round auctions (which the US Federal Communications Commission has adopted as the standard auction format for selling spectrum ranges). Within our framework we present a direct approach for constructing non-malleable VCs whose efficiency essentially matches that of the existing standard VCs. Specifically, we show that any VC can be transformed into a non-malleable one, relying on a new primitive that we put forth.

Our new primitive, locally-equivocable commitments with all-but-one binding, is evidently both conceptually and technically simpler than multi-trapdoor mercurial trapdoor commitments (the main building block underlying existing non-malleable zero-knowledge sets), and admits more efficient instantiations based on the same number-theoretic assumptions.

* Supported by the European Union's Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253).
** Supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.