Two-Round and Non-interactive Concurrent Non-malleable Commitments from Time-lock Puzzles
Huijia (Rachel) Lin, Rafael Pass, Pratik Soni (UCSB, Cornell Tech)
FOCS 2017

Commitment Scheme
The digital analogue of sealed envelope
[Diagram: Sender and Receiver; Commit, Decommit]
Binding: Commit phase determines the committed value
C-Hiding: is comp. indistinguishable from for attackers in circuit class C
E.g., C = Poly-size (default), Subexp-size, Subexp-depth

Hiding is not Enough
Hiding does not imply independence
Many existing commitments are susceptible to mauling attacks
Sealed Auctions: Auctioneer, Bidder 1, Bidder 2

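Why hiding alone gives no independence in the sealed-auction setting, as an added example that is not from the slides. It assumes a Pedersen-style commitment (a scheme chosen here for illustration, not named by the authors) with constructed toy parameters; the identity-based non-malleable schemes on the slides that follow are what rule this behaviour out.

```python
import secrets

# Constructed toy parameters (assumptions, not from the slides). A real setup
# uses a prime-order group and derives H so that nobody knows log_G(H).
P = 2**127 - 1      # Mersenne prime used as the modulus
G, H = 3, 7         # public bases


def commit(value, randomness):
    """Pedersen-style commitment: hides `value` behind fresh randomness."""
    return (pow(G, value, P) * pow(H, randomness, P)) % P


def verify(commitment, value, randomness):
    """Decommit check run by the receiver (here: the auctioneer)."""
    return commitment == commit(value, randomness)


def maul(commitment, delta):
    """Shift the committed value by `delta` without knowing it.

    Works because commit(v, r) * G^delta == commit(v + delta, r).
    """
    return (commitment * pow(G, delta, P)) % P


def sealed_auction(bid1=4200, delta=1):
    # Commit phase: Bidder 1 sends c1; Bidder 2 sees only c1, not bid1.
    r1 = secrets.randbelow(P - 1)
    c1 = commit(bid1, r1)
    c2 = maul(c1, delta)          # Bidder 2's "sealed" bid depends on c1

    # Decommit phase: Bidder 1 opens first, Bidder 2 reuses that opening.
    opening1 = (bid1, r1)
    opening2 = (bid1 + delta, r1)
    return {
        "commitments_differ": c1 != c2,   # so it is not a plain copy
        "bidder1_valid": verify(c1, *opening1),
        "bidder2_valid": verify(c2, *opening2),
        "bid2_minus_bid1": opening2[0] - opening1[0],
    }


if __name__ == "__main__":
    print(sealed_auction())
```

Both openings verify even though Bidder 2 never learned the first bid during the commit phase, which is exactly the dependence a non-malleable commitment must prevent.
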
Non-malleable Commitments [DDN91]
[Diagram: Sender, MIM (man-in-the-middle), Receiver]
MIM controls the schedule of message delivery
Non-malleability: is independent of
Problem: MIM can always copy!
Solution: Introduce identities
If then

1-1 Non-malleability [LPV08]
∀MIM, replace with if
[Diagram: two MIM executions]

Concurrent Non-malleability
∀MIM, replace with if
[Diagram: MIM with many concurrent left and right sessions]

State of the art for conc. NMC
#(Rounds) for NMC?
Original Work [DDN91]
2-rnd/1-rnd
[Bar02, PR05a, PR05b, LPV08, LP09, PW10, Wee10, Goy11, LP11, GLOV12, GRRV14, GPR16, COSV16b]
[COSV16a] [K17] [PPV08] [Pas13]
Question: 2-rnd, Poly-hard falsifiable assumption, Well studied assumptions
O(log n)-rnd: OWFs
O(1)-rnd: OWFs
4-rnd: OWFs
3-rnd: DDH or QR
2-rnd: Adaptive injective OWFs
BB red.
new, non-standard, NM flavor
? ? ?
Yes!

Our Contributions
Thm: 2-rnd concurrent NMC from
- subexp 2-rnd WI, Collision-Resistant Hash family, Injective OWFs
- subexp Timelock (TL) puzzles
Thm: 1-rnd concurrent NMC against uniform Adv. from
- subexp NIWI, uniform Collision-Resistant Hash func., Injective OWFs
- subexp TL puzzles
DLog, RSA
Classical puzzles (e.g., OWF): Hard for bounded S-size Adv.
TL puzzles: Hard for bounded D-depth Adv. with very large size
Timelock (TL) puzzles capture depth-hardness
[Diagram: size vs. depth of Adv.; -size hard OWF, -depth hard TL; hard for & , hard for & ]
In comparison, we achieve: Fully concurrent NMC; 1-rnd NMC w.r.t. commitment
Concurrent Work [KS17]: w/o TL puzzles

Subexp TL Puzzles [RSW96]
- Efficient generation: puzzle, unique solution
- Easy in -depth/size:
- Hard for in -depth & large size:
Solving TL puzzles is an “inherently sequential” task
[Diagram: size vs. depth; -depth hard TL]

TL Puzzles from Repeated Squaring [RSW96]
Repeated Squaring modulo RSA integer is “inherently sequential”
Compute s = by repeated squarings
- Hard for in -depth & large size: Subexp Repeated Sq. Assumption
- Easy in -depth/size: Sol(N)
So far, no non-trivial speed up, even -depth hardness [BN00] holds
[BGJ+16]: TL puzzles from iO & non-parallelizing lang.

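The two sides of a repeated-squaring time-lock puzzle, as an added example that is not from the slides: efficient generation with the factorization as a trapdoor, and solving by T dependent squarings. The modulus, the base and the names `generate` and `solve` are assumptions made for this sketch.

```python
# Constructed toy parameters (assumptions, not from the slides): two known
# Mersenne primes, so no prime generation is needed. Far too small and too
# structured for real use, where N is a 2048-bit or larger RSA modulus.
P, Q = 2**31 - 1, 2**61 - 1
BASE = 5   # fixed public base, coprime to N = P * Q


def generate(t):
    """Puzzle generator: knows P and Q, so its cost is polylogarithmic in t."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    # Trapdoor shortcut: reduce the exponent 2^t modulo phi(N) first,
    # which is valid because gcd(BASE, N) = 1 (Euler's theorem).
    exponent = pow(2, t, phi)
    solution = pow(BASE, exponent, n)
    return (n, t), solution


def solve(puzzle):
    """Solver: without the factors, squares t times, one after another."""
    n, t = puzzle
    s = BASE % n
    steps = 0
    for _ in range(t):
        s = (s * s) % n      # step i needs the output of step i-1
        steps += 1
    return s, steps


if __name__ == "__main__":
    puzzle, expected = generate(200_000)
    found, steps = solve(puzzle)
    print("unique solution recovered:", found == expected)
    print("sequential squarings performed:", steps)
```

The solver's loop is a dependency chain of length T, which is the depth the assumption on the slide is about: extra parallel hardware has nothing to work on until the previous squaring is done.
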
Our Idea: NM Size + Depth hardness
-size hiding, Injective OWFs: -size hard, -size easy, -size extractor
-depth hiding, TL puzzles: -depth hard, -size easy, -size extractor
1-1 NMC for 1-bit ids: if , commit using ; if , commit using
Hiding: by brute-force enumeration [GL89] [GL89]
Each commitment is hiding against extractor of the other
- is hiding against ,
- is hiding against ,
Simultaneously harder
[Diagram: size vs. depth; poly]

1-1 NMC for 1-bit ids
if , commit using ; if , commit using
Case 1: MIM A breaks hiding of
NM in Case 1 -depth hiding of
[Diagram: C, R, Adv.; size vs. depth; Hiding:]

1-1 NMC for 1-bit ids
if , commit using ; if , commit using
Case 1:
NM in Case 2 -size hiding of
[Diagram: C, R; size vs. depth; Hiding:]

But goal,
2-rnd conc. NMC for n-bit ids
1-rnd 1-1 NMC for 1-bit ids
So far,
1-rnd 1-1 NMC for O(1)-bit ids
D-depth and S-size hiding commitments &
Step 1: Amplify length of ids
Step 2: Strengthen NM
times
NMC for t-bit ids, NMC for -bit ids
concurrent, 1-1
[DDN91]
NMC for t-bit ids: 1-1, concurrent
[This work] rnd preserving in 2-rnds
NMC for -bit ids
[LP09, Wee10] blows up # rnds
circumvents lower bound due to [Pas13]
Crucially relies on size- & depth-hiding coms

1-1 NMC for O(1)-bit ids
Natural attempt, use 2 pairs
(id = 0) and (id = 1)
- hiding against ,
- hiding against ,
Previously, for 1-bit ids, “simultaneously harder”
[Diagram: com pairs for (id = 0), (id = 1), (id = 2), (id = 3) built from depth-hiding and size-hiding coms; some pairs simultaneously harder, others NOT simultaneously harder]

Our idea: For every id, use both size- & depth-hiding coms
Secret share :
larger id: stronger depth-hrd, weaker size-hrd
extractor < <
1. extractor for
and are simultaneously harder
Proof idea:
2. extractor for
E.g., and are simultaneously harder
Extends to O(1)-bit ids

But goal,
2-rnd conc. NMC for n-bit ids
1-rnd 1-1 NMC for 1-bit ids
So far,
1-rnd 1-1 NMC for O(1)-bit ids
D-depth and S-size hiding commitments &
Step 1: Amplify length of ids
Step 2: Strengthen NM
times
NMC for t-bit ids, NMC for -bit ids
concurrent, 1-1
[DDN91]
NMC for t-bit ids: 1-1, concurrent
[This work] rnd preserving in 2-rnds
NMC for -bit ids
circumvents lower bound due to [Pas13]

Strengthen NM
Goal: 2-rnd 1-1 NMC, 2-rnd 1-many NMC, 2-rnd conc. NMC [LPV08]
[Diagram: C, 1-many MIM, R]
As before, we consider j-th right interaction
? ? ?

Previous Approach [LP09]:
[Diagram: C, R; Challenge, Challenge j; (Fake) OR (Honest)]
Soundness:
Simulation Extractability
1-1 NM
Many sequential WIPOKs
Proof idea of 1-many NM: Simulate left session, Extract right committed values
when simulating each component MIM does not commit to a solution
blows up # rnds

Our Approach:
[Diagram: C, R; Challenge; WIPOKs; 2-rnd, 2-rnd, 2-rnd WI; = collision of h]
Proof idea of 1-many NM: build components (e.g. Com and 2-rnd WI) that are simultaneously harder using size- & depth-hiding commitments
Soundness, Simulation Extractability, 1-1 NM
Parallelize all components
Several challenges: See paper for more ideas

Conclusion
Take Home Message: Combining hardness of different nature can be powerful
Thm: 2-rnd concurrent NMC from subexp 2-rnd WI, Collision-Resistant Hash family, Injective OWFs, subexp TL puzzles
Thm: 1-rnd concurrent NMC against uniform Adv. from subexp NIWI, uniform Collision-Resistant Hash func., Injective OWFs, subexp TL puzzles
Depth-hardness, Size-hardness, NMC

Thanks!
https://eprint.iacr.org/2017/273
Take Home Message: Combining hardness of different nature can be powerful
Depth-hardness, Size-hardness, NMC