Hybrid commitments and their applications to zero-knowledge proof systems

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two possible distributions are computationally indistinguishable. Hybrid trapdoor commitments are related but different with respect to mixed commitments (introduced by Damgard and Nielsen at Crypto 2002). In particular hybrid trapdoor commitments can either be polynomially trapdoor commitments or unconditionally binding commitments, while mixed commitments can be either trapdoor commitments or extractable commitments. In this paper we show that strong notions (e.g., simulation sound, multi-trapdoor) of hybrid trapdoor commitments admit constructions based on the sole assumption that one-way functions exist as well as efficient constructions based on standard number-theoretic assumptions. To further stress the difference between hybrid and mixed commitments, we remark here that mixed commitments seem to require stronger theoretical assumptions (and the known number-theoretic constructions are less efficient). Our main result, is to show how to construct concurrent and simulation-sound zero-knowledge proof systems (in contrast to the arguments recently presented in [I. Damgard, Efficient concurrent zero-knowledge in the auxiliary string model, in: Advances in Cryptology - Eurocrypt'00, in: Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, 2000, pp. 418-430; P. MacKenzie, K. Yang, On simulation-sound trapdoor commitments, in: Advances in Cryptology - Eurocrypt'04, in: Lecture Notes in Computer Science, vol. 3027, Springer-Verlag, 2004, pp. 382-400; R. Gennaro, Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks, in: Advances in Cryptology - Crypto'04, in: Lecture Notes in Computer Science, vol. 3152, Springer-Verlag, 2004, pp. 220-236]) in the common reference string model. We crucially use hybrid trapdoor commitments since we present general constructions based on the sole assumption that one-way functions exist and very efficient constructions based on number-theoretic assumptions.

[1]  Stephen A. Cook,et al.  The complexity of theorem-proving procedures , 1971, STOC.

[2]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[3]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[4]  Jonathan Katz,et al.  Reducing Complexity Assumptions for Statistically-Hiding Commitment , 2009, Journal of Cryptology.

[5]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[6]  Markus Jakobsson,et al.  Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function , 1997, EUROCRYPT.

[7]  Oded Goldreich,et al.  Concurrent zero-knowledge with timing, revisited , 2002, STOC '02.

[8]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[9]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[10]  Rafael Pass,et al.  Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition , 2003, EUROCRYPT.

[11]  Emmanuel Bresson,et al.  A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications , 2003, ASIACRYPT.

[12]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[13]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[14]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[15]  Amit Sahai,et al.  Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints , 1998, CRYPTO.

[16]  Boaz Barak,et al.  Constant-round coin-tossing with a man in the middle or realizing the shared random string model , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[17]  Marc Fischlin,et al.  Efficient Non-Malleable Commitment Schemes , 2000, Annual International Cryptology Conference.

[18]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[19]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[20]  Ivan Visconti,et al.  Efficient Zero Knowledge on the Internet , 2006, ICALP.

[21]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[22]  Moni Naor,et al.  Concurrent zero-knowledge , 2004, JACM.

[23]  Lance Fortnow,et al.  The Complexity of Perfect Zero-Knowledge , 1987, Proceeding Structure in Complexity Theory.

[24]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[25]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[26]  Jan Camenisch,et al.  Group signature schemes and payment systems based on the discrete logarithm problem , 1998 .

[27]  John B. Shoven,et al.  I , Edinburgh Medical and Surgical Journal.

[28]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[29]  Ivan Damgård,et al.  A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System , 2001, Public Key Cryptography.

[30]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[31]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[32]  Giovanni Di Crescenzo,et al.  Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model , 2004, CRYPTO.

[33]  Stathis Zachos,et al.  Does co-NP Have Short Interactive Proofs? , 1987, Inf. Process. Lett..

[34]  Rosario Gennaro,et al.  Paillier's cryptosystem revisited , 2001, CCS '01.

[35]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[36]  Oded Goldreich,et al.  How to construct constant-round zero-knowledge proof systems for NP , 1996, Journal of Cryptology.

[37]  Joe Kilian,et al.  On the Concurrent Composition of Zero-Knowledge Proofs , 1999, EUROCRYPT.

[38]  Joe Kilian,et al.  Concurrent and resettable zero-knowledge in poly-loalgorithm rounds , 2001, STOC '01.

[39]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[40]  Amit Sahai,et al.  Concurrent zero knowledge with logarithmic round-complexity , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[41]  Oded Goldreich,et al.  Concurrent Zero-Knowledge With Timing , 2002 .

[42]  Marc Fischlin,et al.  On the Impossibility of Constructing Non-interactive Statistically-Secret Protocols from Any Trapdoor One-Way Function , 2002, CT-RSA.

[43]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[44]  Marc Fischlin,et al.  Non-Malleable Commitment Schemes , 2009 .

[45]  Ivan Damgård,et al.  Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor , 2001, CRYPTO.

[46]  Tatsuaki Okamoto,et al.  A New Public-Key Cryptosystem as Secure as Factoring , 1998, EUROCRYPT.

[47]  Silvio Micali,et al.  Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing , 1996, CRYPTO.

[48]  Rafail Ostrovsky,et al.  Efficient and Non-interactive Non-malleable Commitment , 2001, EUROCRYPT.

[49]  Rosario Gennaro,et al.  Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks , 2004, CRYPTO.

[50]  Ran Canetti,et al.  Black-box concurrent zero-knowledge requires \tilde {Ω} (logn) rounds , 2001, STOC '01.

[51]  Rafael Pass,et al.  Bounded-concurrent secure two-party computation in a constant number of rounds , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[52]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[53]  Ivan Visconti,et al.  Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds , 2005, ICALP.

[54]  Ivan Visconti,et al.  Mercurial Commitments: Minimal Assumptions and Efficient Constructions , 2006, TCC.

[55]  Ivan Damgård,et al.  Non-interactive and reusable non-malleable commitment schemes , 2003, STOC '03.

[56]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, EUROCRYPT.

[57]  Silvio Micali,et al.  Zero-knowledge sets , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[58]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[59]  S. Micali,et al.  Noninteractive Zero-Knowledge , 1990, SIAM J. Comput..

[60]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[61]  J. Kilian,et al.  Concurrent and Resettable Zero-Knowledge in Poly-logarithmic Rounds [ Extended Abstract ] , 2001 .

[62]  Erez Petrank,et al.  Simulatable Commitments and Efficient Concurrent Zero-Knowledge , 2003, EUROCRYPT.

[63]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[64]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[65]  Ke Yang,et al.  On Simulation-Sound Trapdoor Commitments , 2004, EUROCRYPT.

[66]  Ivan Visconti,et al.  Hybrid Trapdoor Commitments and Their Applications , 2005, ICALP.

[67]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.