How to Achieve Non-Malleability in One or Two Rounds

Non-malleable commitments, introduced by Dolev, Dwork and Naor (STOC 1991), are a fundamental cryptographic primitive, and their round complexity has been a subject of great interest. And yet, the goal of achieving non-malleable commitments with only one or two rounds} has been elusive. Pass (TCC 2013) captured this difficulty by proving important impossibility results regarding two-round non-malleable commitments. This led to the widespread belief that achieving two-round non-malleable commitments was impossible from standard assumptions. We show that this belief was false. Indeed, we obtain the following positive results:∘ We construct two-message non-malleable commitments satisfying non-malleability with respect to commitment, based on standard sub-exponential assumptions, namely: sub-exponential one-way permutations, sub-exponential ZAPs, and sub-exponential DDH. Furthermore, our protocol is public-coin}.∘ We obtain two-message private-coin} non-malleable commitments with respect to commitment, assuming only sub-exponential DDH or QR or N^{th}-residuosity.∘ We bootstrap the above protocols (under the same assumptions) to obtain two round constant bounded-concurrent non-malleable commitments. In the simultaneous message model, we obtain unbounded concurrent non-malleability in two rounds.∘ In the simultaneous messages model, we obtain one-round} non-malleable commitments, with unbounded concurrent security with respect to opening, under standard sub-exponential assumptions.– This implies non-interactive non-malleable commitments with respect to opening, in a restricted model with a broadcast channel, and a-priori bounded polynomially many parties such that every party is aware of every other party in the system. To the best of our knowledge, this is the first protocol to achieve completely non-interactive non-malleability in any plain model setting from standard assumptions.– As an application of this result, in the simultaneous exchange model, we obtain two-round multi-party pseudorandom coin-flipping.∘ We construct two-message zero-knowledge arguments with super-polynomial strong} simulation (SPSS-ZK), which also serve as an important tool for our constructions of non-malleable commitments.∘ In order to obtain our results, we develop several techniques that may be of independent interest.– We give the first two-round black-box rewinding strategy based on standard sub-exponential assumptions, in the plain model.– We also give a two-round tag amplification technique for non-malleable commitments, that amplifies a 4-tag scheme to a scheme for all tags, while relying on sub-exponential DDH. This includes a more efficient alternative to the DDN encoding.The full version of this paper is available online at: https://eprint.iacr.org/2017/291.pdf.

[1]  Silas Richelson,et al.  An Algebraic Approach to Non-malleability , 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[2]  Amit Sahai,et al.  Round Optimal Concurrent MPC via Strong Simulation , 2017, TCC.

[3]  Boaz Barak,et al.  Constant-round coin-tossing with a man in the middle or realizing the shared random string model , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[4]  Justin M. Reyneri,et al.  Coin flipping by telephone , 1984, IEEE Trans. Inf. Theory.

[5]  Moni Naor,et al.  On Cryptographic Assumptions and Challenges , 2003, CRYPTO.

[6]  Rafael Pass,et al.  Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[7]  Hoeteck Wee,et al.  Black-Box Constructions of Two-Party Protocols from One-Way Functions , 2009, TCC.

[8]  Silas Richelson,et al.  Textbook non-malleable commitments , 2016, STOC.

[9]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[10]  Hoeteck Wee,et al.  Black-Box, Round-Efficient Secure Computation via Non-malleability Amplification , 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[11]  Kai-Min Chung,et al.  Unprovable Security of Two-Message Zero Knowledge , 2012, IACR Cryptol. ePrint Arch..

[12]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[13]  Moni Naor,et al.  Efficient oblivious transfer protocols , 2001, SODA '01.

[14]  Rafael Pass,et al.  Bounded-concurrent secure multi-party computation with a dishonest majority , 2004, STOC '04.

[15]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[16]  Rafael Pass,et al.  New and improved constructions of non-malleable cryptographic protocols , 2005, STOC '05.

[17]  Daniel Wichs,et al.  Two Round Multiparty Computation via Multi-key FHE , 2016, EUROCRYPT.

[18]  Rafael Pass,et al.  Non-malleability amplification , 2009, STOC '09.

[19]  Hoeteck Wee,et al.  Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions , 2010, EUROCRYPT.

[20]  Moni Naor,et al.  Non-Malleable Cryptography (Extended Abstract) , 1991, STOC 1991.

[21]  Rafail Ostrovsky,et al.  Constructing Non-malleable Commitments: A Black-Box Approach , 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science.

[22]  Rafael Pass,et al.  Concurrent Non-malleable Commitments from Any One-Way Function , 2008, TCC.

[23]  Vipul Goyal,et al.  Constant round non-malleable protocols using one way functions , 2011, STOC '11.

[24]  H. Shacham,et al.  4-Round Concurrent Non-Malleable Commitments from One-Way Functions , 2016 .

[25]  Rafael Pass,et al.  New and Improved Constructions of Nonmalleable Cryptographic Protocols , 2008, SIAM J. Comput..

[26]  Amit Sahai,et al.  Breaking the Three Round Barrier for Non-malleable Commitments , 2016, 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS).

[27]  Rafael Pass,et al.  Constant-round non-malleable commitments from any one-way function , 2011, STOC '11.

[28]  Rafail Ostrovsky,et al.  Round Efficiency of Multi-party Computation with a Dishonest Majority , 2003, EUROCRYPT.

[29]  Vinod Vaikuntanathan,et al.  Adaptive One-Way Functions and Applications , 2008, CRYPTO.

[30]  Rafail Ostrovsky,et al.  Simulation-Based Concurrent Non-malleable Commitments and Decommitments , 2009, TCC.

[31]  Yael Tauman Kalai,et al.  Smooth Projective Hashing and Two-Message Oblivious Transfer , 2005, Journal of Cryptology.

[32]  Rafail Ostrovsky,et al.  Edinburgh Research Explorer Four-Round Concurrent Non-Malleable Commitments from One-Way Functions , 2016 .

[33]  Yuval Ishai,et al.  Two-Message Witness Indistinguishability and Secure Computation in the Plain Model from New Assumptions , 2017, ASIACRYPT.

[34]  Rafael Pass,et al.  Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition , 2003, EUROCRYPT.

[35]  Rafael Pass,et al.  Two-Round and Non-Interactive Concurrent Non-Malleable Commitments from Time-Lock Puzzles , 2017, 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS).

[36]  Rafael Pass,et al.  A unified framework for concurrent security: universal composability from stand-alone non-malleability , 2009, STOC '09.

[37]  Rafail Ostrovsky,et al.  Concurrent Non-Malleable Commitments (and More) in 3 Rounds , 2016, CRYPTO.

[38]  Yael Tauman Kalai,et al.  Distinguisher-Dependent Simulation in Two Rounds and its Applications , 2017, CRYPTO.

[39]  Sanjam Garg,et al.  The Exact Round Complexity of Secure Computation , 2016, EUROCRYPT.

[40]  Rafael Pass,et al.  Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments , 2013, computational complexity.