# Efficient and Non-interactive Non-malleable Commitment

IACR Cryptology ePrint Archive, (2001): 40-59

Abstract

We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are noninter...

Introduction

- Commitment protocols are one of the most fundamental cryptographic primitives, used as sub-protocols in such applications as zero-knowledge proofs, secure multi-party computation, contract signing, and many others.
- The non-malleable, perfect commitment schemes presented here achieve commitment size only 3k for arbitrarily-large messages.

Highlights

- Constructions of non-malleable public-key encryption schemes have been proposed [11,6,25]. These constructions give non-malleable standard commitment schemes, in the model where public parameters are published by a trusted party
- We present the first efficient constructions of non-interactive, non-malleable perfect commitment schemes
- An equivocable commitment scheme in the public parameter model is one for which there exists an efficient algorithm, substituting for the trusted third party (TTP), which outputs a set of public parameters and a commitment such that: (a) the distribution of the generated public parameters, the commitment, and any decommitment is exactly equivalent to their distribution in a real execution of the protocol; and (b) the commitment can be opened in more than one possible way
- Since our primary constructions are of perfectly-hiding commitment schemes, we present a formal definition of this variant, and refer the reader elsewhere [11,14] for definitions of non-malleability with respect to commitment
- We have developed an efficient non-interactive, non-malleable perfect commitment scheme based on the RSA assumption

Results

- These constructions give non-malleable standard commitment schemes, in the model where public parameters are published by a trusted party.
- The authors work in the same setting as other efficient non-malleable commitment schemes, where public parameters are available to all participants [6,14].
- Note that the size of a standard, non-interactive commitment must be at least $M + k$, where $M$ is the message length and $k$ is the security parameter.
- Note that a simple extension of the scheme allows commitment to two messages: let $g_1, g_2, g_3$ be generators of $G$, and to commit to messages $m_1, m_2 \in \mathbb{Z}_q$, choose random $r$ and output $com = g_1^{m_1} g_2^{m_2} g_3^{r}$.
- Assuming the hardness of the discrete logarithm problem in the underlying group, the protocol of Figure 1 is an -non-malleable perfectly-hiding commitment scheme in the public-parameter model.
- It generates public parameters which are distributed identically to the real experiment, but for which the simulator knows some trapdoor information which allows it to perfectly equivocate its commitment.
- Straightforward manipulation, using the fact that Equiv is a perfectly equivocable commitment generator and (TTP, S, R) is a perfect commitment scheme, gives: $\mathrm{Succ}^{NM}_{A,D,R}(k) = \Pr[\sigma \leftarrow TTP(1^k);\ m_1 \leftarrow D;\ \omega \leftarrow \Omega;\ r_1, r_2, r_3 \leftarrow \mathbb{Z}_q;\ (com_1, dec_1) \leftarrow S(\sigma, m_1; r_1, r_2, r_3);\ m_2 = R(\sigma, A(\sigma, com_1; \omega), A(\sigma, com_1, dec_1; \omega)) : R(m_1, m_2) = 1]$
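The two-message commitment $g_1^{m_1} g_2^{m_2} g_3^{r}$ and the simulator's trapdoor from the points above, as an added example that is not code from the paper: `setup_equivocable` stands in for Equiv, generating parameters with the same distribution as an honest TTP but with the discrete logs of $g_2, g_3$ to base $g_1$ kept as a trapdoor, and `equivocate` shows how that trapdoor opens one commitment to any other message pair. The group parameters are a constructed toy instance; all function names are assumptions of this example.

```python
# Added example (not the paper's code): Pedersen-style commitment to two
# messages, com = g1^m1 * g2^m2 * g3^r, in a prime-order group, with the
# equivocation trapdoor a simulator holds when it generates the parameters.
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, so the quadratic
# residues form a subgroup G of prime order q. Real use needs ~2048-bit p.
P, Q = 2039, 1019


def _random_generator():
    """Uniform non-trivial element of G: squaring h in [2, p-2] lands in G."""
    return pow(secrets.randbelow(P - 3) + 2, 2, P)


def setup_honest():
    """Trusted-party setup: three independent generators, nothing retained."""
    return (_random_generator(), _random_generator(), _random_generator())


def setup_equivocable():
    """Simulator's setup: g2 = g1^a, g3 = g1^b. The tuple is distributed
    exactly like the honest one, but (a, b) is a trapdoor (assumed name)."""
    g1 = _random_generator()
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (g1, pow(g1, a, P), pow(g1, b, P)), (a, b)


def commit(params, m1, m2, r=None):
    """Sender S: commit to (m1, m2) in Z_q; returns (com, dec), dec = (m1, m2, r)."""
    g1, g2, g3 = params
    if r is None:
        r = secrets.randbelow(Q)  # fresh randomness gives perfect hiding
    com = pow(g1, m1, P) * pow(g2, m2, P) * pow(g3, r, P) % P
    return com, (m1 % Q, m2 % Q, r % Q)


def verify(params, com, dec):
    """Receiver R: accept the opening iff it recomputes the commitment."""
    m1, m2, r = dec
    return commit(params, m1, m2, r)[0] == com


def equivocate(trapdoor, dec, new_m1, new_m2):
    """Open the same com to (new_m1, new_m2). Since com = g1^(m1 + a*m2 + b*r),
    solve m1 + a*m2 + b*r = new_m1 + a*new_m2 + b*r' for r' in Z_q."""
    a, b = trapdoor
    m1, m2, r = dec
    exponent = (m1 + a * m2 + b * r) % Q
    new_r = (exponent - new_m1 - a * new_m2) * pow(b, -1, Q) % Q
    return (new_m1 % Q, new_m2 % Q, new_r)
```

Without the trapdoor, producing a second valid opening would require a discrete logarithm relation among the generators, which is exactly the binding assumption.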

Conclusion

- The authors' schemes produce commitments com = (A, B, Tag) of size 3k, where k is the length of the string representing a group element. This can be compared to [14], which requires added complications when using an arbitrary hash function and achieves only statistical secrecy.
- Note that this approach does not seem to give provable security for general non-malleable commitment schemes, yet it does work for the particular construction given here.

References

- 2. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. CRYPTO ’98.
- 3. M. Blum, A. De Santis, S. Micali, and G. Persiano. Non-Interactive Zero-Knowledge. SIAM Journal of Computing, vol. 20, no. 6, Dec 1991, pp. 1084–1118.
- 4. M. Blum, P. Feldman, and S. Micali. Non-Interactive Zero-Knowledge and Applications. STOC ’88.
- 6. R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. CRYPTO ’98.
- 7. A. De Santis, G. Di Crescenzo, and G. Persiano. Necessary and Sufficient Assumptions for Non-Interactive Zero-Knowledge Proofs of Knowledge for All NP Relations. ICALP ’00.
- 8. A. De Santis and G. Persiano. Zero-Knowledge Proofs of Knowledge Without Interaction. FOCS ’92.
- 9. G. Di Crescenzo, Y. Ishai, and R. Ostrovsky. Non-Interactive and Non-Malleable Commitment. STOC ’98.
- 10. G. Di Crescenzo and R. Ostrovsky. On Concurrent Zero-Knowledge with Preprocessing. CRYPTO ’99.
- 11. D. Dolev, C. Dwork, and M. Naor. Nonmalleable Cryptography. SIAM J. Comp. 30 (2) 391–437, 2000. A preliminary version appears in STOC ’91.
- 13. S. Even, O. Goldreich, A. Lempel. A Randomized Protocol for Signing Contracts. Communications of the ACM 28(6), 637–647, 1985.
- 14. M. Fischlin and R. Fischlin. Efficient Non-Malleable Commitment Schemes.
- 15. O. Goldreich. Foundations of Cryptography, Fragments of a Book, 1998.
- 16. O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game or a Completeness Theorem for Protocols with Honest Majority. STOC ’87.
- 17. O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof Systems. J. ACM 38(3): 691–729 (1991).
- 18. J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC ’00.
- 19. M. Naor. Bit Commitment Using Pseudorandomness. J. Crypto. 4(2): 151–158 (1991).
- 20. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. STOC ’89.
- 21. M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptology, 11(2):87–108, 1998 (also CRYPTO ’92).
- 23. R. Ostrovsky, R. Venkatesan, and M. Yung. Fair games against an all-powerful adversary. AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Vol. 13 pp. 155-169, 1993.
