
Efficient and Non-interactive Non-malleable Commitment

IACR Cryptology ePrint Archive, (2001): 40-59

Cited 138 | Views 51 | EI

Abstract

We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are noninter...

Introduction
  • Commitment protocols are one of the most fundamental cryptographic primitives, used as sub-protocols in such applications as zero-knowledge proofs, secure multi-party computation, contract signing, and many others.
  • The non-malleable, perfect commitment schemes presented here achieve commitment size only 3k for arbitrarily-large messages.
Key points
  • Constructions of non-malleable public-key encryption schemes have been proposed [11,6,25]. These constructions give non-malleable standard commitment schemes, in the model where public parameters are published by a trusted party
  • We present the first efficient constructions of non-interactive, non-malleable perfect commitment schemes
  • An equivocable commitment scheme in the public parameter model is one for which there exists an efficient algorithm, substituting for the trusted third party (TTP), which outputs a set of public parameters and a commitment such that: (a) the distribution of the generated public parameters, the commitment, and any decommitment is exactly equivalent to their distribution in a real execution of the protocol; and (b) the commitment can be opened in more than one possible way
  • Since our primary constructions are of perfectly-hiding commitment schemes, we present a formal definition of this variant, and refer the reader elsewhere [11,14] for definitions of non-malleability with respect to commitment
  • We have developed an efficient non-interactive, non-malleable perfect commitment scheme based on the RSA assumption
Results
  • The authors work in the same setting as other efficient non-malleable commitment schemes, where public parameters are available to all participants [6,14].
  • Note that the size of a standard, non-interactive commitment must be at least M + ω, where M is the message length and k is the security parameter.
  • Note that a simple extension of the scheme allows commitment to two messages: let g1, g2, g3 be generators of G, and to commit to messages m1, m2 ∈ Z_q, choose random r and output com = g1^m1 · g2^m2 · g3^r.
  • Assuming the hardness of the discrete logarithm problem in the underlying group, the protocol of Figure 1 is an -non-malleable perfectly-hiding commitment scheme in the public-parameter model.
  • It generates public parameters which are distributed identically to the real experiment, but for which the simulator knows some trapdoor information which allows it to perfectly equivocate its commitment.
  • Straightforward manipulation, using the fact that Equiv is a perfectly equivocable commitment generator and (TTP, S, R) is a perfect commitment scheme, gives: $\mathrm{Succ}^{NM}_{A,D,R}(k) = \Pr[\sigma \leftarrow TTP(1^k);\ m_1 \leftarrow D;\ \omega \leftarrow \Omega;\ r_1, r_2, r_3 \leftarrow \mathbb{Z}_q;\ (com_1, dec_1) \leftarrow S(\sigma, m_1; r_1, r_2, r_3);\ m_2 = R(\sigma, A(\sigma, com_1; \omega), A(\sigma, com_1, dec_1; \omega)) : R(m_1, m_2) = 1]$
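The two-message commitment com = g1^m1 · g2^m2 · g3^r and the equivocable parameter generation described in the points above, as an added Python example that is not the paper's code: the simulator's setup keeps the discrete logs of g2 and g3 to base g1 as a trapdoor, which lets it open one commitment to any other message pair, while the parameters it outputs are distributed exactly like an honest TTP's. The group parameters are a constructed toy safe prime (not a secure size) and all function names are my own.

```python
# Added example, not code from the paper: two-message commitment over a
# prime-order group plus the simulator's equivocable setup.
import secrets

P = 1019   # constructed toy safe prime, P = 2*Q + 1 (not a secure size)
Q = 509    # prime order of the subgroup of squares mod P
G1 = 4     # 2^2, a generator of the order-Q subgroup


def setup_equivocable():
    """Simulator's setup: params (g1, g2, g3) with g2 = g1^a, g3 = g1^b and
    trapdoor (a, b). An honest TTP picks random generators of the same
    subgroup, so the public parameters have exactly the same distribution."""
    a = secrets.randbelow(Q - 1) + 1   # uniform in Z_Q minus {0}
    b = secrets.randbelow(Q - 1) + 1
    params = (G1, pow(G1, a, P), pow(G1, b, P))
    return params, (a, b)


def setup_honest():
    """Honest TTP: identical distribution, trapdoor discarded."""
    params, _trapdoor = setup_equivocable()
    return params


def commit(params, m1, m2, r=None):
    """Commit to (m1, m2) in Z_Q; returns (com, dec) with dec = (m1, m2, r)."""
    g1, g2, g3 = params
    if r is None:
        r = secrets.randbelow(Q)
    com = pow(g1, m1, P) * pow(g2, m2, P) % P * pow(g3, r, P) % P
    return com, (m1 % Q, m2 % Q, r % Q)


def verify(params, com, dec):
    """Receiver's check: recompute the commitment from the opening."""
    m1, m2, r = dec
    return commit(params, m1, m2, r)[0] == com


def equivocate(params, trapdoor, dec, m1_new, m2_new):
    """With the trapdoor, open an existing commitment to (m1_new, m2_new).
    In exponents of g1: m1 + a*m2 + b*r = m1' + a*m2' + b*r' (mod Q), so
    r' = r + (m1 - m1' + a*(m2 - m2')) * b^-1 (mod Q)."""
    a, b = trapdoor
    m1, m2, r = dec
    delta = (m1 - m1_new + a * (m2 - m2_new)) % Q
    r_new = (r + delta * pow(b, -1, Q)) % Q
    return (m1_new % Q, m2_new % Q, r_new)
```

Without the trapdoor a committer cannot find the second opening, since that would require the discrete logs of g2 and g3 to base g1; this is the binding side of the scheme that the hiding/equivocation argument relies on.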
Conclusions
  • The authors' schemes produce commitments com = (A, B, Tag) of size 3k, where k is the length of the string representing a group element. This can be compared to [14], which requires added complications when using an arbitrary hash function and achieves only statistical secrecy.
  • Note that this approach does not seem to give provable security for general non-malleable commitment schemes, yet it does work for the particular construction given here.
References
  • 2. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. CRYPTO '98.
  • 3. M. Blum, A. De Santis, S. Micali, and G. Persiano. Non-Interactive Zero-Knowledge. SIAM Journal of Computing, vol. 20, no. 6, Dec 1991, pp. 1084–1118.
  • 4. M. Blum, P. Feldman, and S. Micali. Non-Interactive Zero-Knowledge and Applications. STOC '88.
  • 6. R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. CRYPTO '98.
  • 7. A. De Santis, G. Di Crescenzo, and G. Persiano. Necessary and Sufficient Assumptions for Non-Interactive Zero-Knowledge Proofs of Knowledge for All NP Relations. ICALP '00.
  • 8. A. De Santis and G. Persiano. Zero-Knowledge Proofs of Knowledge Without Interaction. FOCS '92.
  • 9. G. Di Crescenzo, Y. Ishai, and R. Ostrovsky. Non-Interactive and Non-Malleable Commitment. STOC '98.
  • 10. G. Di Crescenzo and R. Ostrovsky. On Concurrent Zero-Knowledge with Preprocessing. CRYPTO '99.
  • 11. D. Dolev, C. Dwork, and M. Naor. Nonmalleable Cryptography. SIAM J. Comp. 30(2): 391–437, 2000. A preliminary version appears in STOC '91.
  • 13. S. Even, O. Goldreich, and A. Lempel. A Randomized Protocol for Signing Contracts. Communications of the ACM 28(6): 637–647, 1985.
  • 14. M. Fischlin and R. Fischlin. Efficient Non-Malleable Commitment Schemes.
  • 15. O. Goldreich. Foundations of Cryptography, Fragments of a Book, 1998.
  • 16. O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game or a Completeness Theorem for Protocols with Honest Majority. STOC '87.
  • 17. O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof Systems. J. ACM 38(3): 691–729, 1991.
  • 18. J. Katz and M. Yung. Complete Characterization of Security Notions for Probabilistic Private-Key Encryption. STOC '00.
  • 19. M. Naor. Bit Commitment Using Pseudorandomness. J. Cryptology 4(2): 151–158, 1991.
  • 20. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. STOC '89.
  • 21. M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions. J. Cryptology 11(2): 87–108, 1998 (also CRYPTO '92).
  • 23. R. Ostrovsky, R. Venkatesan, and M. Yung. Fair Games Against an All-Powerful Adversary. AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Vol. 13, pp. 155–169, 1993.