Simulation-Based Concurrent Non-malleable Commitments and Decommitments

In this paper we consider commitment schemes that are secure against concurrent man-in-the-middle (cMiM) attacks. Under such attacks, two possible notions of security for commitment schemes have been proposed in the literature: concurrent non-malleability with respect to commitment and concurrent non-malleability with respect to decommitment (i.e., opening). After the original notion of non-malleability introduced by [Dolev, Dwork and Naor STOC 91] that is based on the independence of the committed messages, a new and stronger simulation-based notion of non-malleability has been proposed with respect to openings or with respect to commitment [1,2,3,4] by requiring that for any man-in-the-middle adversary there is a stand-alone adversary that succeeds with the same probability. When commitment schemes are used as sub-protocols (which is often the case) the simulation-based notion is much more powerful and simplifies the task of proving the security of the larger protocols. The main result of this paper is a commitment scheme that is simulation-based concurrent non-malleable with respect to both commitment and decommitment . This property protects against cMiM attacks mounted during both commitments and decommitments which is a crucial security requirement in several applications, as in some digital auctions, in which players have to perform both commitments and decommitments. Our scheme uses a constant number of rounds of interaction in the plain model and is the first scheme that enjoys all these properties under the simulation-based definitions.

[1]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[2]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[3]  Rafail Ostrovsky,et al.  Concurrent Non-Malleable Witness Indistinguishability and its Applications , 2006, Electron. Colloquium Comput. Complex..

[4]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[5]  Rafael Pass,et al.  Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[6]  Rafail Ostrovsky,et al.  Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public-Key Model , 2008, ICALP.

[7]  S. D. Chatterji Proceedings of the International Congress of Mathematicians , 1995 .

[8]  Boaz Barak,et al.  Constant-round coin-tossing with a man in the middle or realizing the shared random string model , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[9]  Rafael Pass,et al.  New and improved constructions of non-malleable cryptographic protocols , 2005, STOC '05.

[10]  Manuel Blum,et al.  Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[11]  Rafail Ostrovsky,et al.  Constant-Round Concurrent Non-Malleable Commitments and Decommitments , 2008, IACR Cryptol. ePrint Arch..

[12]  Rafail Ostrovsky,et al.  Efficient and Non-interactive Non-malleable Commitment , 2001, EUROCRYPT.

[13]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[14]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[15]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[16]  Moni Naor,et al.  Concurrent zero-knowledge , 2004, JACM.

[17]  Rafael Pass,et al.  Concurrent Nonmalleable Commitments , 2008, SIAM J. Comput..

[18]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[19]  Amit Sahai,et al.  Concurrent Non-Malleable Zero Knowledge , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[20]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .