Hybrid Trapdoor Commitments and Their Applications

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively, a hybrid trapdoor commitment scheme is a primitive that is either an unconditionally binding commitment scheme or a trapdoor commitment scheme, depending on the distribution of the commitment parameters; moreover, the two distributions are computationally indistinguishable. Hybrid trapdoor commitments are related to, but different from, mixed commitments (introduced by Damgård and Nielsen at Crypto 2002). In particular, hybrid trapdoor commitments are either polynomially trapdoor commitments or unconditionally binding commitments, while mixed commitments are either trapdoor commitments or extractable commitments. In this paper we show that strong notions (e.g., simulation-sound, multi-trapdoor) of hybrid trapdoor commitments admit constructions based on the sole assumption that one-way functions exist, as well as efficient constructions based on standard number-theoretic assumptions. To further stress the difference between hybrid and mixed commitments, we remark that mixed commitments seem to require stronger theoretical assumptions (and the known number-theoretic constructions are less efficient). The main application of our results is a construction of concurrent and simulation-sound zero-knowledge proof systems (in contrast to the arguments recently presented in [1,2,3]) in the common reference string model. We crucially use hybrid commitments, since we give general constructions based on the sole assumption that one-way functions exist and very efficient constructions based on number-theoretic assumptions.
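As an added illustration, not the paper's own scheme, the following toy DDH-based dual-mode commitment shows the behaviour the abstract describes: one commit algorithm is perfectly binding under one key distribution and equivocable with a trapdoor under another, and under DDH the two key distributions are indistinguishable. The group parameters (p = 107, q = 53, generators 4 and 9) are constructed toy values chosen so that the brute-force opening count can be run directly.

```python
# Toy hybrid (dual-mode) commitment over the prime-order subgroup of Z_p^*.
# Key (g, h, g^a, h^b): with a == b the key is a DDH tuple and the commitment
# is equivocable given the trapdoor a; with a != b it is perfectly binding.
import secrets

P = 107        # constructed toy safe prime, p = 2q + 1
Q = 53         # prime order of the quadratic-residue subgroup
G, H = 4, 9    # two generators of that subgroup (2^2 and 3^2 mod p)


def keygen(mode, a=None, b=None):
    """Return (key, trapdoor). mode is "trapdoor" or "binding"."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    if mode == "trapdoor":
        b = a                                   # DDH tuple: equivocable
    else:
        b = secrets.randbelow(Q - 1) + 1 if b is None else b
        assert a != b, "binding mode needs a != b"
    key = (G, H, pow(G, a, P), pow(H, b, P))
    return key, (a if mode == "trapdoor" else None)


def commit(key, m, r):
    """c = (g^(r + a*m), h^(r + b*m)) for message m and randomness r in Z_q."""
    g, h, ga, hb = key
    return (pow(g, r, P) * pow(ga, m, P) % P,
            pow(h, r, P) * pow(hb, m, P) % P)


def verify(key, c, m, r):
    return commit(key, m, r) == c


def equivocate(trapdoor, m, r, m_new):
    """With a == b, c depends only on t = r + a*m, so any (m', r') with
    r' + a*m' = t is a valid opening; the trapdoor a lets us compute r'."""
    return (r + trapdoor * (m - m_new)) % Q


def count_openings(key, c):
    """Brute-force the number of (m, r) pairs opening c (toy group only).
    Binding mode: the map (m, r) -> (r + a*m, r + b*m) is a bijection when
    a != b mod q, so exactly one opening exists. Trapdoor mode: q openings."""
    return sum(1 for m in range(Q) for r in range(Q) if commit(key, m, r) == c)
```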

[1] Ronald Cramer et al. Signature schemes based on the strong RSA assumption. CCS '99, 1999.

[2] Rosario Gennaro et al. Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks. CRYPTO, 2004.

[3] Aggelos Kiayias et al. Traceable Signatures. EUROCRYPT, 2004.

[4] Bart Preneel et al. Advances in Cryptology - EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000: Proceedings. 2000.

[5] Amit Sahai et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999.

[6] Markus Jakobsson et al. Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function. EUROCRYPT, 1997.

[7] Jacques Stern et al. The Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm. ASIACRYPT, 2002.

[8] Stathis Zachos et al. Does co-NP Have Short Interactive Proofs? Information Processing Letters, 1987.

[9] Rosario Gennaro et al. Paillier's cryptosystem revisited. CCS '01, 2001.

[10] Markus Jakobsson et al. Coercion-resistant electronic elections. WPES '05, 2005.

[11] D. Catalano et al. A fair micro-payment scheme for profit sharing in P2P networks. 2004.

[12] Silvio Micali et al. The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, 1989.

[14] Moni Naor et al. Bit commitment using pseudorandomness. Journal of Cryptology, 1989.

[15] Dan Boneh et al. Short Signatures Without Random Oracles. EUROCRYPT, 2004.

[16] Nigel P. Smart et al. Identity-Based Encryption Gone Wild. ICALP, 2006.

[17] Ivan Damgård et al. Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor. CRYPTO, 2001.

[18] Rosario Gennaro et al. Cramer-Damgård signatures revisited: Efficient flat-tree signatures based on factoring. Theoretical Computer Science, 2007.

[19] David Pointcheval et al. IPAKE: Isomorphisms for Password-Based Authenticated Key Exchange. CRYPTO, 2004.

[20] Emmanuel Bresson et al. A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications. ASIACRYPT, 2003.

[21] David Chaum et al. Minimum Disclosure Proofs of Knowledge. Journal of Computer and System Sciences, 1988.

[22] Ke Yang et al. On Simulation-Sound Trapdoor Commitments. EUROCRYPT, 2004.

[23] Rossano Schifanella et al. A P2P Market Place Based on Aggregate Signatures. ISPA Workshops, 2005.

[24] Lance Fortnow et al. The Complexity of Perfect Zero-Knowledge. Structure in Complexity Theory Conference, 1987.

[25] Ivan Visconti et al. Mercurial Commitments: Minimal Assumptions and Efficient Constructions. TCC, 2006.

[26] Ivan Damgård et al. Non-interactive and reusable non-malleable commitment schemes. STOC '03, 2003.

[27] M. Bellare et al. Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. Journal of Cryptology, 2008.

[28] Emmanuel Bresson et al. Improved On-Line/Off-Line Threshold Signatures. Public Key Cryptography, 2007.

[29] Jacques Stern et al. Advances in Cryptology - EUROCRYPT '99. Lecture Notes in Computer Science, 1999.

[30] Moti Yung et al. Advances in Cryptology - CRYPTO 2002. Lecture Notes in Computer Science, 2002.

[31] John Rompel et al. One-way functions are necessary and sufficient for secure signatures. STOC '90, 1990.

[32] Ivan Damgård et al. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. EUROCRYPT, 2000.

[33] Oded Goldreich et al. How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology, 1996.

[34] Emmanuel Bresson et al. Constant Round Authenticated Group Key Agreement via Distributed Computation. Public Key Cryptography, 2004.

[35] Rosario Gennaro et al. The Bit Security of Paillier's Encryption Scheme and Its Applications. EUROCRYPT, 2001.

[36] Pascal Paillier et al. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. EUROCRYPT, 1999.

[37] Matthew Franklin et al. Advances in Cryptology - CRYPTO 2004. Lecture Notes in Computer Science, 2004.

[38] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 1988.