Slide 1: Two-Round and Non-interactive Concurrent Non-malleable Commitments from Time-lock Puzzles
Huijia (Rachel) Lin (UCSB), Rafael Pass (Cornell Tech), Pratik Soni (UCSB)
FOCS 2017
Slide 2: Commitment Scheme
The digital analogue of a sealed envelope: a Sender commits to a value towards a Receiver (Commit phase) and later opens it (Decommit phase).
- Binding: the Commit phase determines the committed value.
- C-Hiding: commitments to different values are computationally indistinguishable for attackers in circuit class C.
  E.g., C = poly-size (default), subexp-size, subexp-depth.
Slide 3: Hiding is not Enough
- Hiding does not imply independence.
- Many existing commitments are susceptible to mauling attacks.
Example: sealed auctions, with an Auctioneer, Bidder 1 and Bidder 2.
Slide 4: Non-malleable Commitments [DDN91]
Setting: a man-in-the-middle (MIM) receives a commitment from the Sender on the left and gives a commitment to the Receiver on the right; the MIM controls the schedule of message delivery.
- Non-malleability: the value the MIM commits to on the right is independent of the value committed to on the left.
- Problem: the MIM can always copy!
- Solution: introduce identities.
Slide 5: 1-1 Non-malleability [LPV08]
One left session and one right session. ∀MIM: replacing the left committed value with another value does not change the value the MIM commits to on the right, provided the identities on the two sides differ.
Slide 6: Concurrent Non-malleability
The MIM now takes part in many left sessions and many right sessions at once. ∀MIM: replacing the left committed values with other values does not change the values the MIM commits to on the right, provided the identities differ.
Slide 7: State of the art for concurrent NMC
Question: #(Rounds) for NMC?
- Original work [DDN91]: O(log n)-rnd, from OWFs.
- [Bar02, PR05a, PR05b, LPV08, LP09, PW10, Wee10, Goy11, LP11, GLOV12, GRRV14, GPR16, COSV16b]: O(1)-rnd, from OWFs.
- [COSV16a]: 4-rnd, from OWFs.
- [K17]: 3-rnd, from DDH or QR.
- [PPV08]: 2-rnd, from adaptive injective OWFs (a new, non-standard assumption with an NM flavor).
- [Pas13]: lower bound for 2-rnd NMC under BB reductions from poly-hard falsifiable assumptions.
- 2-rnd/1-rnd NMC from well-studied assumptions? Yes!
Slide 8: Our Contributions
Thm: 2-rnd concurrent NMC from subexp 2-rnd WI, a collision-resistant hash family, injective OWFs and subexp time-lock (TL) puzzles.
Thm: 1-rnd concurrent NMC against uniform adversaries from subexp NIWI, uniform collision-resistant hash functions, injective OWFs and subexp TL puzzles.
Time-lock (TL) puzzles:
- Classical puzzles (e.g., OWF, DLog, RSA) are hard for adversaries of bounded S-size.
- TL puzzles are hard for adversaries of bounded D-depth, even with very large size.
- An adversary is thus measured by both size and depth: a ...-size-hard OWF is hard for adversaries of that size, a ...-depth-hard TL puzzle is hard for adversaries of that depth; TL puzzles are what capture depth-hardness.
In comparison, we achieve: fully concurrent NMC, and 1-rnd NMC w.r.t. commitment.
Concurrent work [KS17]: without TL puzzles.
Slide 9: Subexp TL Puzzles [RSW96]
A ...-depth-hard TL puzzle:
- Efficient generation: the puzzle comes with a unique solution.
- Easy in ...-depth/size.
- Hard for adversaries of ...-depth and large size.
Solving TL puzzles is an "inherently sequential" task.
Slide 10: TL Puzzles from Repeated Squaring [RSW96]
Repeated squaring modulo an RSA integer is "inherently sequential": compute s = ... by repeated squarings.
- Subexp Repeated Squaring Assumption: hard for adversaries of ...-depth and large size.
- Easy in ...-depth/size: Sol(N), using the trapdoor for N.
[BGJ+16]: TL puzzles from iO and non-parallelizing languages.
So far, no non-trivial speed-up is known; even ...-depth hardness [BN00] holds.
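To make the [RSW96] construction concrete, here is an added example (my own code, not from the slides or the paper): the puzzle is x^(2^T) mod N for an RSA modulus N = pq; the generator, knowing p and q, reduces the exponent modulo phi(N) (this is the Sol(N) shortcut), while a solver without the trapdoor must perform T squarings one after another. The bit commitment on top, which masks a bit with a Goldreich-Levin hardcore bit [GL89] of the solution, is my simplification for illustration and not the paper's construction; the primes, T and all sample values are constructed toy parameters with no real security.

```python
# Added example (not from the slides or the paper): [RSW96] time-lock puzzle
# by repeated squaring, with constructed toy parameters (no real security).
import math
import secrets

def make_puzzle(p, q, T):
    """Generator side: knows p, q, so it computes the solution x^(2^T) mod N
    by the trapdoor shortcut Sol(N) instead of T sequential squarings."""
    N = p * q
    phi = (p - 1) * (q - 1)
    while True:
        x = secrets.randbelow(N - 2) + 2      # random base in [2, N-1]
        if math.gcd(x, N) == 1:               # Euler's theorem needs gcd(x, N) = 1
            break
    e = pow(2, T, phi)                        # 2^T mod phi(N): cheap, O(log T) steps
    s = pow(x, e, N)                          # equals x^(2^T) mod N
    return (N, x, T), s                       # (public puzzle, private solution)

def solve_sequential(puzzle):
    """Solver without the trapdoor: T squarings, each depending on the last.
    Size is tiny, but the depth is T, which is what depth-hardness captures."""
    N, x, T = puzzle
    s = x
    for _ in range(T):
        s = s * s % N
    return s

def gl_bit(s, r):
    """Goldreich-Levin hardcore bit [GL89]: inner product <s, r> mod 2."""
    return bin(s & r).count("1") & 1

def lock_bit(puzzle, s, b):
    """Toy depth-hiding bit commitment (my simplification, not the paper's
    scheme): mask bit b with a hardcore bit of the puzzle solution s."""
    N, _, _ = puzzle
    r = secrets.randbits(N.bit_length())
    return r, b ^ gl_bit(s, r)

def unlock_bit(puzzle, r, c):
    """Force-open the commitment by solving the puzzle sequentially."""
    return c ^ gl_bit(solve_sequential(puzzle), r)

if __name__ == "__main__":
    # Constructed toy parameters: two small primes and a short delay T.
    puzzle, s = make_puzzle(10007, 10009, T=500)
    assert solve_sequential(puzzle) == s      # trapdoor and sequential agree
    r, c = lock_bit(puzzle, s, 1)
    print("recovered bit:", unlock_bit(puzzle, r, c))
```

Raising T makes solve_sequential proportionally slower while make_puzzle stays fast, which is the size-versus-depth gap the slides build on.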
Slide 11: Our Idea: NM from Size + Depth Hardness
Two kinds of hiding commitment:
- From injective OWFs: a ...-size-hiding commitment. Hard for ...-size adversaries, easy for ...-size adversaries; its ...-size extractor works by brute-force enumeration [GL89] and has poly depth.
- From TL puzzles: a ...-depth-hiding commitment. Hard for ...-depth adversaries, easy for ...-size adversaries; its extractor has ...-size.
1-1 NMC for 1-bit ids: depending on the id bit, commit using either the size-hiding commitment or the depth-hiding commitment.
Hiding: each commitment is hiding against the extractor of the other:
- the size-hiding commitment is hiding against the depth-extractor, and
- the depth-hiding commitment is hiding against the size-extractor.
The two commitments are "simultaneously harder".
Slide 12: 1-1 NMC for 1-bit ids, Case 1
Depending on the id bit, commit using either the size-hiding or the depth-hiding commitment.
Case 1: a MIM A that breaks NM in Case 1 yields an adversary (built from C, R and A) that breaks the ...-depth hiding of the depth-hiding commitment.

Slide 13: 1-1 NMC for 1-bit ids, Case 2
Case 2: symmetrically, NM in Case 2 follows from the ...-size hiding of the size-hiding commitment.
Slide 14: Roadmap
But the goal is: from D-depth and S-size hiding commitments, build 2-rnd concurrent NMC for n-bit ids. So far: 1-rnd 1-1 NMC for 1-bit ids.
- Step 1, amplify the length of ids (applied several times): NMC for t-bit ids -> NMC for ...-bit ids. [LP09, Wee10] blows up # rnds. [This work]: round preserving, in 2 rnds; circumvents the lower bound due to [Pas13]; crucially relies on size- & depth-hiding coms.
- Step 2, strengthen NM: 1-1 -> concurrent [DDN91].
Slide 15: 1-1 NMC for O(1)-bit ids
Previously, for 1-bit ids: a depth-hiding com (id = 0) and a size-hiding com (id = 1), which are "simultaneously harder".
Natural attempt: use 2 pairs, i.e. a depth-hiding com for id = 0 and id = 2 and a size-hiding com for id = 1 and id = 3. But two depth-hiding coms (id = 0, id = 2) are NOT simultaneously harder, and neither are two size-hiding coms (id = 1, id = 3); only a depth-hiding com paired with a size-hiding com is.

Slide 16: Our idea: For every id, use both size- & depth-hiding coms
Secret share the value between a size-hiding com and a depth-hiding com. A larger id gets stronger depth-hardness and weaker size-hardness (extractors ordered ... < ...).
Proof idea:
1. The extractor for ... and ... are simultaneously harder.
2. The extractor for ... (e.g., ...) and ... are simultaneously harder.
Extends to O(1)-bit ids.
Slide 17: Roadmap (revisited)
Same roadmap as Slide 14, with the status updated: so far, 1-rnd 1-1 NMC for O(1)-bit ids. Remaining: Step 1, round-preserving amplification to ...-bit ids in 2 rnds [This work], circumventing the lower bound due to [Pas13]; Step 2, strengthen NM from 1-1 to concurrent.
Slide 18: Strengthen NM
Goal: 2-rnd 1-1 NMC -> 2-rnd 1-many NMC -> 2-rnd concurrent NMC [LPV08].
1-many MIM: one left session with the committer C and many right sessions with the receiver R. As before, we consider the j-th right interaction.
Slide 19: Previous Approach [LP09]
C sends a Challenge; the commitment is accompanied by many sequential WIPOKs for the statement "(Fake) OR (Honest)".
Properties used: soundness, simulation, extractability, 1-1 NM.
Proof idea of 1-many NM: simulate the left session and extract the right committed values; when simulating each component, the MIM does not commit to a solution of the Challenge (considering the j-th right interaction).
Drawback: blows up # rnds.
Slide 20: Our Approach
All components between C and R are 2-rnd: a Challenge, a 2-rnd Com and a 2-rnd WI, where the Fake branch = a collision of h. Parallelize all components.
Properties used: soundness, simulation, extractability, 1-1 NM.
Proof idea of 1-many NM: build components (e.g., Com and 2-rnd WI) that are simultaneously harder, using size- & depth-hiding commitments.
Several challenges: see the paper for more ideas.
Slide 21: Conclusion
Take-home message: combining hardness of different nature can be powerful.
Thm: 2-rnd concurrent NMC from subexp 2-rnd WI, a collision-resistant hash family, injective OWFs and subexp TL puzzles.
Thm: 1-rnd concurrent NMC against uniform adversaries from subexp NIWI, uniform collision-resistant hash functions, injective OWFs and subexp TL puzzles.
Depth-hardness + Size-hardness -> NMC.
Slide 22: Thanks!
https://eprint.iacr.org/2017/273
Take-home message: combining hardness of different nature can be powerful. Depth-hardness + Size-hardness -> NMC.