![Page 1: On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU](https://reader036.vdocuments.mx/reader036/viewer/2022062804/5697bf811a28abf838c85410/html5/thumbnails/1.jpg)
On Simulation-Sound Trapdoor Commitments
Phil MacKenzie, Bell Labs
Ke Yang, CMU
Outline
• Basic commitment properties (informal)
  – Binding, hiding
  – Examples: physical, cryptographic
• Stronger commitment properties (informal)
  – Equivocability (trapdoorness)
  – Non-malleability
  – Interlude: commitment “tags”
  – Universal composability
• New property: simulation-sound binding
  – Definition
  – Constructions: DSA, Cramer-Shoup signatures, one-way functions
  – Applications: SSZK, NMZK, UCZK
  – How does it fit in? Comparison to NM commitments
Basic commitment properties
• A commitment is like a note placed inside a combination safe
  – Commit stage: Alice writes a note, places it inside a combination safe, spins the lock, and gives the safe to Bob
  – Open stage: Alice tells Bob the combination
• Properties:
  – Binding: after giving the safe to Bob, Alice cannot alter the note written inside
  – Hiding: Bob cannot determine the contents of the note until he learns the combination
Examples
• Physical: note in a combination safe
• Cryptographic:
  – Example [P91]: based on the DL assumption
    • Say the discrete log of h wrt g is unknown
    • Commit to a value x: com = g^r h^x
    • Open: reveal (x, r)
Stronger properties for commitments
• Equivocability (trapdoor)
• Non-malleability
• Universal composability
• Simulation soundness
Stronger properties: Trapdoor commitment scheme [BCC88]
• Equivocability:
  – There is a trapdoor that would allow a sender to alter the value of the commitment
  – Example:
    • The discrete log of h wrt g is the trapdoor, say h = g^s
    • Commit to a value x using “public key” h: com = g^r h^x
    • Open: reveal (x, r)
    • To equivocate to x’: reveal (x’, r’), where r’ = r + s(x − x’)
Non-malleable commitment scheme [DDN91],[DIO98]
• Non-malleability (intuition):
  – Say Alice makes a commitment com to an (unknown) value v.
  – [DDN91]: An adversary should not be able to produce a new commitment com’ to a value v’ related to v with non-negligibly better probability after seeing com than before seeing com.
  – [DIO98]: Like [DDN91], except that the adversary is also required to open com’ after com is opened
  – We use [DIO98]: “non-malleability wrt opening”
Non-malleable commitment scheme [DDN91],[DIO98]
• Non-malleability (wrt opening):
  – Experiment 1:
  – Experiment 2:
[Diagram: Experiments 1 and 2, each showing the messages Com, Open v, Com’, Open v’]
The adversary has no advantage in Expt 1 over Expt 2 in producing a new commitment com’ (different from com) and a v’ related to v
Interlude: Tag-based definitions
• Each commitment will have an associated tag
• New goal: prevent the adversary from breaking a security property using a commitment with a new tag
• Tags (specifically, identities) are also discussed in [F01], [DKOS01]
Tag-based non-malleable commitment scheme
• Non-malleability (wrt opening):
  – Experiment 1:
  – Experiment 2:
[Diagram: Experiments 1 and 2, each showing Com with tag, Open v, Com’ with tag’, Open v’]
The adversary has no advantage in Expt 1 over Expt 2 in producing com’ with a new tag’ (different from tag) and a v’ related to v
Example of tag-based security
• Authenticated communication model
  – Use tag-based non-malleable commitments with tag = identity
  – Bob gains nothing by producing a (mauled) commitment with tag = Alice!
[Diagram: Com(v) with tag Alice; Maul!; Com(v+1) with tag Alice]
Stronger properties: Universally composable commitment scheme [CF01]
• Securely realizes the commitment functionality in the UC framework
  – Functionality F_COM
  – Intuitively it must have equivocability, non-malleability, and “extractability”
  – The extractability requirement increases complexity
[Diagram: F_COM with inputs Commit(x) and Open, and outputs Receipt and x]
Simulation-sound trapdoor commitments
• Equivocability +
• Simulation-sound binding
[Diagram: the adversary queries (“commit”, tag) and receives com with tag; it queries (“open”, com, v) and receives openings Open v1 and Open v2 of the same com; it outputs com’ with tag’]
The adversary should not be able to equivocate a com’ with a new tag’, even though it sees commitments with other tags equivocated
Simulation-sound trapdoor commitments
• Why the name?
  – In proofs, we want a simulator to be able to equivocate on commitments, but we don’t want this to help the adversary (equivocate on commitments)
  – Similar to SSZK: we want a simulator to be able to produce valid proofs of false statements, but we don’t want this to help the adversary (produce valid proofs of false statements)
• Alternative: Simulation-Bound?
Some history…
• Original motivation: in developing an efficient UCZK protocol secure against adaptive adversaries in [GMY03], we needed an efficient commitment scheme with a new security property
  – We called such a scheme “SSTC”
  – The property was specific to that application and had a complicated definition
• After publishing [GMY03], we discovered a simpler, more natural security property, and more applications for commitment schemes with this property
  – We “borrowed” the name SSTC
  – Suggest calling the original scheme “SSTC(GMY)”
SSTC scheme based on DSA
• Intuition: use the “com = g^r h^x” type of trapdoor commitment, but with the trapdoor being a DSA signature on the tag
  – The adversary may see com equivocated, and thus may obtain the trapdoor: the DSA sig on tag
  – By the security of DSA, the adversary cannot generate a DSA sig on a new tag’, so he cannot equivocate a com’ with a new tag’
SSTC scheme based on DSA - Details
• DSA signature on m with public key y (= g^x):
  – sig = (r, s), where r = g^k, s = k^{−1} (H(m) + x r)
  – Note: r^s = g^{H(m)} y^r, so s is the discrete log of g^{H(m)} y^r base r
• SSTC scheme based on DSA:
  – Commit to v with tag using public key y (= g^x):
    • com = (r, r^a h^v), where r = g^k, h = g^{H(tag)} y^r
    • Note that for s = DL(h, r), (r, s) is a DSA signature on tag
Other SSTC schemes
• Based on Strong RSA
  – Construction based on Cramer-Shoup signatures [CS99]
• Based on any one-way function
  – Construction based on the UC commitment scheme of [CLOS02]
    • One-way function replaced by a signature on tag (signature scheme based on a one-way function)
    • Note: the UC commitment scheme uses a trapdoor permutation (for extractability)
What is the relation between SSTC schemes and signatures?
• From an SSTC scheme it is easy to construct a signature scheme
  – (pk, sk) the same
  – Sign(m): generate a double opening of a commitment using tag = m
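As an added example (not from the talk or the paper), the DSA-based SSTC of the previous two slides and this slide’s double-opening-to-signature observation, over a constructed toy group (p = 23, q = 11, g = 2, far too small for real use); it keeps the slide’s simplified DSA (r = g^k used directly, no mod-q reduction), hashes with SHA-256 reduced mod q, and all keys, tags and committed values are assumptions. `demo()` returns three booleans: the honest opening verifies, the opening equivocated with the DSA s on the tag as trapdoor verifies, and the two openings together reveal exactly that DSA signature.

```python
import hashlib

# Toy group, constructed for illustration only (far too small for real use):
# p prime, q | p-1, g generates the order-q subgroup of Z_p^*.
P, Q, G = 23, 11, 2

def H(msg: str) -> int:
    """Hash a string to an exponent mod q."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % Q

def dsa_sign(x: int, msg: str, k: int):
    """Slide-style DSA: (r, s) with r = g^k, s = k^-1 (H(msg) + x r) mod q."""
    r = pow(G, k, P)
    return r, pow(k, -1, Q) * (H(msg) + x * r) % Q

def dsa_verify(y: int, msg: str, sig) -> bool:
    """Accept iff r^s == g^H(msg) y^r, i.e. s = DL(g^H(msg) y^r, base r)."""
    r, s = sig
    return pow(r, s, P) == pow(G, H(msg), P) * pow(y, r, P) % P

def base_h(y: int, tag: str, r: int) -> int:
    """Tag-bound base h = g^H(tag) y^r; DL(h, r) is exactly a DSA s on tag."""
    return pow(G, H(tag), P) * pow(y, r, P) % P

def commit(y: int, tag: str, v: int, a: int, k: int):
    """com = (r, r^a h^v) with r = g^k; the opening is (v, a)."""
    r = pow(G, k, P)
    return r, pow(r, a, P) * pow(base_h(y, tag, r), v, P) % P

def verify_open(y: int, tag: str, com, v: int, a: int) -> bool:
    r, c = com
    return c == pow(r, a, P) * pow(base_h(y, tag, r), v, P) % P

def equivocate(s: int, v: int, a: int, v2: int) -> int:
    """Trapdoor s = DL(h, r): r^a h^v = r^(a + s v), so a2 = a + s (v - v2)."""
    return (a + s * (v - v2)) % Q

def sig_from_double_opening(r: int, v: int, a: int, v2: int, a2: int):
    """Two openings of one com leak s = (a - a2)/(v2 - v) mod q: a DSA sig on tag."""
    return r, (a - a2) * pow(v2 - v, -1, Q) % Q

def demo(x: int = 7, k: int = 3, tag: str = "alice"):
    y = pow(G, x, P)
    com = commit(y, tag, 4, 5, k)
    r, s = dsa_sign(x, tag, k)      # the signer holding x knows the trapdoor s
    a2 = equivocate(s, 4, 5, 9)     # reopen the same com to 9 instead of 4
    sig = sig_from_double_opening(r, 4, 5, 9, a2)
    return (verify_open(y, tag, com, 4, 5), verify_open(y, tag, com, 9, a2),
            sig == (r, s) and dsa_verify(y, tag, sig))
```

The same identity a2 = a + s(v − v2) is the Pedersen equivocation r’ = r + s(x − x’) from the trapdoor-commitment slide, with the per-tag base h taking the place of the fixed public key.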
Applications
• SSZK, NMZK, UCZK
  – Simpler than the [GMY03] constructions
Application: SSZK protocol
• Basic “honest-verifier” ZK: “Initiate-challenge-response” paradigm
• New SSZK protocol (sketch)
[Diagram, left: Prover (“X is true”) and Verifier exchange Initiate, Challenge, Response; Verifier checks (Verify). Right, “Wrap with signature”: the same exchange plus (vk, sk) ← gen-keys, vk; TC-Commit( ) and TC-Open(); Sign_sk(transcript); Verify signature with vk]
Turns HVZK into concurrent ZK [D00, JL00]
Application: SSZK protocol
• Basic “honest-verifier” ZK: “Initiate-challenge-response” paradigm
• New SSZK protocol (sketch)
[Diagram, left: Prover (“X is true”) and Verifier exchange Initiate, Challenge, Response; Verifier checks (Verify). Right, “Wrap with signature”: the same exchange plus (vk, sk) ← gen-keys, vk; SSTC-Commit(tag=vk, ) and SSTC-Open(); Sign_sk(transcript); Verify signature with vk]
– To produce valid proofs of false statements, Sim must equivocate on the commitment
– For the adversary to do the same, he must either use the same tag (breaking the sig) or a new tag (breaking the SSTC)
Application: UCZK Protocol
– Ideal functionality F_ZK
[Diagram: F_ZK receives Prove(Alice, Bob, x, w) and outputs Proved(Alice, Bob, x) if R(x, w)]
Application: UCZK protocol
• The proof is bound to the <sender, receiver> pair
• We only need to prevent an adversary from producing a proof of an incorrect statement that is valid for a different <sender, receiver> pair!
• New UCZK protocol (sketch)
  – The internal protocol must be an -protocol (to allow straight-line extraction)
[Diagram: Prover (Alice) and Verifier (Bob) exchange Initiate, Challenge, Response, with SSTC-Commit(tag=<Alice,Bob>, ) and SSTC-Open(); Verifier checks (Verify); “X is true”; erase random bits before sending the last message]
If Charlie must prove something, he must use a different tag (so he cannot equivocate)
SSTCs versus NM commitments
• Making it fair:
  – Consider tag-based NM commitment schemes
    • Similar results hold for body-based schemes
  – Consider NM trapdoor commitments
  – Allow the NM adversary to query an equivocation oracle
  – Refine the definitions to allow a specific number of equivocated commitments
    • SSTC(n) and NMTC(n)
SSTCs versus NMTC commitments
[Diagram: two parallel hierarchies, SSTC(0), SSTC(1), …, SSTC(n), SSTC(n+1), …, SSTC() and NMTC(0), NMTC(1), …, NMTC(n), NMTC(n+1), …, NMTC(), with the relations between corresponding levels; region labels NMTC, SSTC, TC]
Conclusion
• You should now believe SSTC schemes are
  – Interesting
  – Important
  – Useful
  – Efficient
  – Named correctly