Constructing Non-Malleable Commitments: A Black-Box Approach

Transcription

1 Constructng Non-Malleable Commtments: A Black-Box Approach Vpul Goyal Mcrosoft Research INDIA vpul@mcrosoft.com Chen-Kue Lee UCLA USA jcklee@ucla.edu Ivan Vscont Unversty of Salerno ITALY vscont@da.unsa.t Rafal Ostrovsky UCLA USA rafal@cs.ucla.edu Abstract We propose the frst black-box constructon of non-malleable commtments accordng to the standard noton of non-malleablty w.r.t. commtment. Our constructon addtonally only requres a constant number of rounds and s based only on (black-box use of) one-way functons. Pror to our work, no black-box constructon of non-malleable commtments was known (except for relaxed notons of securty) n any (polynomal) number of rounds based on any cryptographc assumpton. Ths closes the wde gap exstent between black-box and non-black-box constructons for the problem of non-malleable commtments. Our constructon reles on (and can be seen as an nstantaton of) the recent non-malleable commtment scheme of Goyal (STOC 2011). We also show how to get black-box constructons for a host of other cryptographc prmtves. We extend our constructon to get constant-round concurrent non-malleable commtments, constant-round mult-party con tossng (mprovng a recent result of Pass and Wee), and non-malleable statstcally hdng commtments (satsfyng the noton of non-malleablty w.r.t. openng). All of the mentoned results make only a black-box use of one-way functons. Our prmary techncal contrbuton s a novel way of mplementng the proof of consstency typcally requred n the constructons of non-malleable commtments (and other related prmtves). We do ths by relyng on deas from the zero-knowledge from secure mult-party computaton paradgm of Isha, Kushlevtz, Ostrovsky, and Saha (STOC 2007). We extend n a novel way ths computaton n the head paradgm (whch can be though of as brngng powerful error-correctng codes nto purely computatonal settng). To construct a non-malleable commtment scheme, we apply our computaton n the head technques to the recent (constant-round) constructon of Goyal. Along the way, we also present a smplfcaton of the constructon of Goyal where a part of the protocol s mplemented n an nformaton theoretc manner. Such a smplfcaton s crucal for gettng a black-box constructon. Ths s done by makng use of parwse-ndependent hash functons and strong randomness extractors. We show that our technques have multple applcatons, as elaborated n the paper. Hence, we beleve our technques mght be useful n other settngs n future. Work done whle vstng Unversty of Calforna at Los Angeles, USA. 0

2 1 Introducton The noton of non-malleable commtments was ntroduced n the semnal work of Dolev, Dwork and Naor [DDN91] and has been wdely studed snce then. Non-malleable commtments (and related prmtves lke non-malleable zero-knowledge) form the foundatons of modern technques for dealng wth man-nthe-mddle attacks n cryptographc protocols. Man-n-the-mddle attacks could be of concern ether f there s a sngle protocol executon wth multple partes (e.g., non-malleable commtments have been useful n constructng round-effcent mult-party computaton protocols [Bar02, KOS03, Pas04, LP09, Wee10, Goy11]), or, when there are several executons. There has been a large body of lterature on constructng protocols n the concurrent settng (c.f., the lnes of works on gettng concurrent securty n the plan model [Pas03, PS04, BS05, MPR06, VV08, OPV08, OPV10, CLP10, CVZ11] and on gettng unversally composable protocols n varous settngs [CLOS02, BCNP04, Kat07, LPV09]). Many of these works use non-malleable protocols n some form as a crucal techncal tool. After the ntal feasblty results by Dolev et. al., a frutful lne of research has focused on effcency. Round complexty, a natural measure of effcency has been studed n several works. Barak, n a breakthrough work [Bar02] gave the frst constant-round constructon of non-malleable commtments usng the so called non-black-box smulaton technques [Bar01]. Snce then, a number of works have nvestgated the round complexty of non-malleable protocols. There have been super-constant-round protocols based on one-way functons [LP09, Wee10]. Constant-round protocols usng non-standard or sub-exponental hardness assumptons were proposed n [PPV08, PW10]. Constant-round protocols usng non-black-box smulaton technques can be found n [Bar02, PR05a, PR05b, OPV09, CVZ10]. Very recently, constantround constructons based only on one-way functons (OWF) (wth black-box smulaton technques) were proposed ndependently by Goyal [Goy11] and Ln and Pass [LP11]. In all of these works, constructons accordng the the tradtonal securty noton (of non-malleablty w.r.t. commtment) make a non-black-box use of underlyng cryptographc prmtves. Whle round complexty s an mportant measure of effcency, a fundamental step n obtanng effcent protocols s to obtan a black-box constructon (.e., one where the underlyng cryptographc prmtves s used only as an oracle). Constructon makng use of the underlyng prmtve n a non-black-box way can typcally only be seen as a feasblty result (regardless of the round complexty). To see the dfference between black-box and non-black-box constructons, consder the followng example (due to Isha et. al. [IKLP06]). Suppose that due to major advances n cryptanalytc technques, all basc cryptographc prmtves requre a full second of computaton on a fast CPU. Non-black-box technques requre partes to prove (e.g., n zero-knowledge), statements that nvolve the computaton of the underlyng prmtves, say a one-way functon. These zero-knowledge protocols, n turn, nvoke cryptographc prmtves for any gate of a crcut computng a one-way functon. Snce (by our assumpton) a one-way functon takes one second to compute, ts crcut mplementaton contans trllons of gates, thereby requrng the protocol trllons of second to run. A black-box constructon, on the other hand, would make the number of nvocatons of the prmtve ndependent of the complexty of mplementng the prmtve. Obtanng black-box constructons for varous cryptographc prmtves has been an actve lne of research n recent years (c.f., [IKLP06, PW09, Wee10]). However the state of art on constructng nonmalleable commtments makng a black-box use of cryptographc prmtves s far from satsfactory. There have only been results accordng to new and relaxed notons of securty [PW09, Wee10, Goy11] (see the end of ths secton for a more detaled dscusson). To summarze, there s sharp contrast n what s known usng non-black-box constructon (constant-round protocols usng only one-way functons) and black-box constructons (no constructon known as per the tradtonal defnton) for the problem of non-malleable commtments. Ths rases the followng natural queston: Does there exst a black-box constructon of non-malleable commtments followng the tradtonal securty noton [DDN91, PR05b, PR08a, LPV08] from any cryptographc assumpton wth any round complexty? 1

3 The man dffcult n resolvng the above queston seems to be n developng a cut and choose technque havng the approprate codng theoretc propertes [PW09, Wee10]. Our results. We resolve the above queston n the affrmatve by provdng a black-box constructon of non-malleable commtments. Our constructon follows the tradtonal noton of non-malleablty w.r.t. commtment [DDN91, PR05b, PR08a, LPV08]. Our constructon s addtonally optmal n terms of round complexty and cryptographc assumptons. That s, our constructon uses only a constant number of rounds and s based only on (a black-box use of) one-way functons. Ths completely closes the wde gap between the state of knowledge between black-box and non-black-box constructons for non-malleable commtments. Our constructon reles on (and can be seen as an nstantaton of) the recent non-malleable commtment scheme of Goyal [Goy11]. Our key techncal contrbuton relates to the constructon of a commtment scheme whch allows one to prove any arbtrary relaton over the commtted values n zeroknowledge n a black-box manner (whch, n turn, we use n the commtment scheme of Goyal [Goy11]). Once we obtan such a constructon, black-box constructons for several other prmtves can be obtaned n a natural way. We generalze our constructon to get concurrent non-malleable commtments. Ths constructon s constant-round as well and s based on one-way functons. We obtan constant-round mult-party con tossng (wth a broadcast channel) based only on a black-box use of one-way functons. Ths s a drect mprovement over the work of Pass and Wee [PW09] whch provded such a constructon only for the two-party case (ndeed, for the case of two partes, one does not run nto ssues of mann-the-mddle attacks). We also provde a black-box constructon of non-malleable statstcally hdng commtments (satsfyng the noton of non-malleable w.r.t. openng [PR05a, PR08b] 1 ). Our constructon bulds on a stand-alone statstcally hdng commtment and converts t nto a non-malleable statstcally hdng commtment. Ths allows us to get a non-malleable statstcally hdng commtment n constant rounds based on (a black-box use of) collson resstant hash functons. Furthermore, one can also have a constructon based only on one-way functons n O(n/ log(n))-rounds. To our knowledge, ths s the frst black-box constructon of non-malleable statstcally hdng commtments. Along the way we also gve several corollares of ndependent nterest most notably a black-box nonmalleablty amplfcaton preservng securty aganst general (non-synchronzng) adversares. Ths s an mprovement over the analogous result of Wee [Wee10] whch requred non-black-box access to a one-way functon. Techncal Overvew. Tradtonally, constructons of non-malleable commtment schemes have reled on executng a basc protocol block somehow several tmes and then provng consstency among all of them. The proof of consstency typcally makes use of underlyng cryptographc prmtves n a nonblack-box way. The queston of constructng non-malleable commtments n a black-box way has been rased n a number of prevous works [LP09, PW09, Wee10, Goy11]. The man dffculty encountered n prevous works s n comng up wth a cut-and-choose technque havng the rght propertes to replace the zero-knowledge proof of consstency. Our man techncal constructon of ths work s a novel way of mplementng the zero-knowledge proof of consstency that s typcally requred n non-malleable commtment protocols. Our technque s based on deas from the zero-knowledge from secure mult-party computaton paradgm of Isha, Kushlevtz, Ostrovsky, and Saha [IKOS09]. In ths paradgm, we have a prover who runs a mult-party computaton protocol n hs head and proves the correctness of the result to the verfer. Ths form of computaton n the head approach was proposed n [IKOS09] n the context of mprovng the communcaton complexty of zero-knowledge protocols. Our goal and the way we use these deas are somewhat dfferent. Our basc dea wll be as follows. 1 For statstcally hdng commtments, the noton of non-malleablty w.r.t. commtment s meanngless as the commtted value s not well defned. To analyze securty n such a settng, the standard noton of non-malleablty s w.r.t. openng as studed for nstance by Pass and Rosen [PR05a, PR08b]. 2

4 Suppose one needs to commt to a set of strngs S = (s 1,..., s n ) (and prove a statement about these strngs later on). The commtter starts to emulate k vrtual players n hs head. Each player s gven as nput a share of S. Secret sharng s done usng a verfable secret sharng scheme (see, e.g., [CGMA85]). Let the vew of the players so far be vew1 0,..., vew0 k respectvely. The commtter commts to these vews usng a regular computatonally secure commtment scheme. At a later pont n the nteracton, suppose the commtter needs to perform some computaton f on the commtted strngs, reveal the result f(s) to the verfer and prove ts correctness. Ths can now be done as follows: The commtter contnues to emulate the k vrtual player n hs head. The players wll now compute the followng functonalty: the functonalty wll take the share of each player, reconstruct the set S and output f(s) to each player. The players jontly run a secure computaton protocol (startng wth the vews already commtted to) to compute ths functonalty. The secure computaton protocol beng used s nformaton theoretcally secure toleratng up to a constant fracton of corrupted partes such as BGW [BGW88]. Let the new vews of the players up to ths pont be vew1 1,..., vew1 k. The commtter now reveals f(s) and commts to these new vews. The recever chooses a constant fracton of the players at random. The prover decommts to both the vews for the selected players. Ths ncludes the ntal vews vew 0 as well as the new vews vew1 1. The recever checks f the players behaved honestly durng the entre computaton and that ther vews are consstent wth each other (see Secton 2 for the precse noton of consstency). If ths check s successful, most of the vrtual players were correctly emulated by the commtter. Hence the output of the computaton must be correct (snce the protocol anyway tolerates a constant fracton of corrupted players). The securty of the commtter s also preserved snce revealng vews for a constant fracton of players does not reveal anythng about the set of strngs S that he started wth (other than of course the output f(s)). The key dfference from [IKOS09] s that n our settng, the statement we are provng actually nherently nvolve a non-black-box use of the commtment scheme: the evaluaton of f on the set of commtted values results n f(s). The technque of [IKOS09] was later extended (wth multple commtments of vews) by Ostrovsky [Ost11] for provng relatons over commtted values n a black-box fashon and, ndependently, by Goyal, Isha and Saha [GIS11] to get a black-box realzaton of the commt and prove functonalty. However both extensons are nsuffcent to obtan our results. Our technque can also be seen as a way of provng a secret but commtted statement (n a way that does not nvolve the crcut of the commtment scheme n a non-black-box way). We beleve our technque to be of ndependent nterest. The above technque mght allow us to obtan black-box constructons by elmnatng zero-knowledge proofs of consstency n other settngs as well. Notce that we use a non-constant-round mult-party computaton protocol such as BGW [BGW88] n our constructon. Indeed, obtanng a constant-round nformaton theoretcally secure mult-party computaton s currently a major open problem connected to the exstence of short locally decodable codes [IK04]. However our fnal protocol s stll constant-round snce ths computaton needs to be only done n the head of the commtter. To construct non-malleable commtments n a black-box manner, our startng pont s the recent constant-round protocol of Goyal [Goy11] (whch makes use of one-way functons n a non-black-box manner). Goyal s protocol has a zero-knowledge proof of consstency (on commtted strngs) whch we mplement usng the above secure computaton n the head approach. However we note that the protocol of Goyal, very nformally, s stll too non-black-box to admt a smple applcaton of ths dea. The protocol of Goyal uses a proof of complex statements nvolvng the randomness wth whch a commtment s constructed. We present a smplfcaton of the non-malleable commtment scheme of Goyal. Our smplfcaton nvolves makng a part of the protocol purely nformaton theoretc usng parwse-ndependent hash functons and strong randomness extractors. Ths s done n a way such that 3

5 the proof of non-malleablty (w.r.t. commtment) stll goes through. We are fnally left wth a protocol where the only computatonal part s an ntal commtment to a set of random strngs such that the consstency proof only needs to prove a statement above the commtted strngs. Our MPC n the head technque dscussed about s powerful enough to handle such a scenaro. Related Works. Pass and Wee [PW09] gave a constructon of non-malleable commtments n O(log(n)) rounds (and n O(n) rounds for concurrent non-malleable commtments) makng a black-box use of oneway functons. Ther constructon s accordng to a relaxed securty noton called non-malleablty w.r.t. extracton (whch they ntroduce). Wee [Wee10] gave a O(log (n)) round constructon followng the same noton of securty. A lmted black-box constant-round constructon was gven by Goyal [Goy11] for an even weaker noton called non-malleablty w.r.t. replacement. The constructon of Goyal was restrcted to provdng securty only aganst synchronzng adversares 2 (as opposed to general adversary). Ths makes t useful n stand-alone settngs only. However n settngs where there are more than one (uncoordnated) executons, the constructon of Goyal does not provde any securty. Both these weaker notons of securty have been useful n constructng secure protocols for (stand-alone) mult-party computaton n a black-box manner. In both of these notons, the adversary can ndeed correlate (n a lmted way) the value t commts to n the rght executon to the one n the left executon: n partcular, f the value on left s 0, adversary may be able to commt to 0, whle f the value on left s 1, adversary commts to. Such a stuaton rases the possblty of selectve abort attacks. Even n settngs where these notons have been useful, the analyss s more complex than f one were usng the standard noton of non-malleablty w.r.t. commtment. Usng the standard securty noton allows us to construct commtment scheme whch can be useful n a wder range of settngs as well as obtan smpler and cleaner proofs of securty. 2 Defntons and Tools In our constructons, we wll make use of Naor s statstcally bndng commtment scheme [Nao91], statstcally-bndng extractable commtment schemes, secure mult-party computaton wth statstcal securty and perfect completeness, and, a verfable secret sharng scheme wth a determnstc reconstructon phase. Basc notaton. Throughout ths paper, we let N denote the set of all natural numbers and [m] be the set {1, 2,..., m} for any m N. Unless stated otherwse, we denote by k N the securty parameter and all quanttes that are polynomal n k wll be denoted by poly(k). For any x {0, 1}, we denote the length of x (n bts) by x. Next, we recall the formal defntons of some tools and some facts from nformaton theory that we use n our constructon. Parwse-ndependent hash functons. functons. We wll make use of a famly of parwse-ndependent hash Defnton 1 (Parwse-ndependent hash functons) A famly of functons H = { h : {0, 1} n {0, 1} m } s sad to be parwse-ndependent [CW79, WC81] ff x x {0, 1} n, y, y {0, 1} m, [ h(x) = y h(x ) = y ] = 2 2m. Pr h H Theorem 1 (Parwse-ndependent hash functons from lnear maps) Let F be a fnte feld. Then the famly of functons H = {h a,b : F F} a,b F where h a,b = ax + b s parwse ndependent. 2 Roughly, ths means that the man-n-the-mddle M sends the -th round message on the rght mmedately after gettng the -th round message n the left nteracton. 4

6 Seeded Randomness extractors. Assumng perfect randomness s usually a strong assumpton, snce physcal sources of randomness mght fal on some bts. It s therefore very useful to use a randomness extractor [NZ96, NT99] whch s a determnstc polynomal-tme functon that transforms a weak source of randomness nto an almost unformly random dstrbuton. We recall the formal defntons as follow. Defnton 2 (Mn-entropy) Let X be a random varable. Then the mn-entropy of X s 1 } H (X) = mn x {log. Pr [X = x] Defnton 3 For random varables X and Y takng values n U, ther statstcal dfference s defned as We say that X and Y are ɛ-close f (X, Y ) ɛ. (X, Y ) = max T U Pr [X T ] Pr [Y T ]. Defnton 4 (Randomness extractor) A functon Ext(r, s) : {0, 1} r {0, 1} s {0, 1} m s sad to be a randomness (k, ε)-extractor f for every dstrbuton of r wth mn-entropy k and any unformly dstrbuted seed s, the output of Ext(r, s) s ε-close to the unform dstrbuton over {0, 1} m. Defnton 5 (Strong extractors) An extractor Ext(r, s) : {0, 1} r {0, 1} s {0, 1} m s a strong (k, ɛ)-extractor f for every dstrbuton of r wth mn-entropy k, t holds that Ext (x, y) = (y, Ext(x, y)) s a standard (k, ɛ)-extractor. Theorem 2 (Leftover hash lemma) f H = { h : {0, 1} n {0, 1} m } s a parwse-ndependent famly of hash functons where m = k 2 log(1/ɛ), then Ext(x, h) = h(x) s a strong (k, ɛ)-extractor. We wll use to denote perfect ndstngushablty, s to denote statstcal ndstngushablty and to denote computatonal ndstngushablty. We denote by (A, B) a par of nteractve Turng machnes A and B, and denote by A, B the random varable that represents the nteracton between two nteractve Turng machnes A and B. More precsely, we denote by τ = A(x), B(y) the nteractve executon of (A, B) nvoked wth nputs x for A, y for B, and producng τ as the transcrpt of the executon. We now gve the formal defnton of a commtment scheme. Commtment scheme. A (bt) commtment scheme s a two-phase protocol between a sender Com and a recever Rec. In the former phase, called the commtment phase, Com commts to a secret bt b to Rec. Let c be the transcrpt of the nteracton. In the later phase, called the decommtment phase, Com reveals a bt b and proves that t s the same as b that was hdden n the transcrpt c of the commtment phase. Typcally, there are two securty propertes w.r.t. a commtment scheme. The bndng property requres that after the commtment phase, a malcous sender cannot decommtment c to two dfferent values n the decommtment phase. The hdng property guarantees that a malcous recever learns nothng about b n the commtment phase. A commtment scheme can be ether Statstcally Bndng (but Computatonally Hdng) or Statstcally Hdng (but Computatonally Bndng). Defnton 6 (Commtment Scheme) A (bt) commtment scheme CS = (Com, Rec) s a two-phase protocol conssts of a par of ppt Turng machnes Com and Rec. In the commt phase, Com runs on a prvate nput b {0, 1} and a transcrpt c = Com(b), Rec s obtaned after nteractng wth Rec. In the decommtment phase, Com reveals a bt b and Rec accepts the value commtted to be b f and only f Com can convnce Rec that b = b. In a commtment scheme, the followng securty propertes hold for any ppt adversary A. 5

7 Correctness: f sender and recever both follow the protocol, then for all b {0, 1}, when the sender commts and opens to b, Rec outputs b. Hdng: let dst A(z) CS (b) denote the random varable descrbng the output of a ppt adversary A runnng on auxlary nput z, wth a honest sender commttng to a bt b by runnng CS. It holds that for every ppt adversary A and auxlary nput z, the probablty ensembles {dst A(z) CS (0)} k N,z {0,1} and {dst A(z) CS (1)} k N,z {0,1} are computatonally ndstngushable. Bndng: for every ppt adversary A, and for all but a neglgble probablty over the cons of Rec, after the commtment phase, the probablty that A can successfully open the commtment both as 0 and 1 s neglgble. Furthermore, a commtment scheme s statstcally bdng (resp. statstcally hdng) f ts bndng (resp. hdng) property s secure aganst any unbounded adversary A. We wll often use schemes wth non-nteractve openng. That s, the sender opens a commtment by sendng the randomness used n the commt phase. We now recall the exstng commtment schemes that are relevant for our constructons. Statstcally bndng commtment scheme. We wll use Naor s statstcally bndng commtment scheme [Nao91] n our constructon. Naor s scheme only requres a black-box use of a pseudo-random generator (whch can be based on the black-box use of any one-way functon [HILL99]), and we wll use Naor s commtment scheme n a black-box manner. We denote by CS = (Com, Rec), Naor s commtment scheme executed by a sender Com and a recever Rec wth the followng notaton: c = Com σ (b; ω) denotes a commtment to a bt b computed usng randomness ω, where σ s the frst message generated by Rec to construct the commtment. To decommt and verfy the commtment, Com sends (b, ω) and Rec verfes that c = Com σ (b; ω). We stress that Naor s commtment scheme can be used to commt to strngs by teratng t for each bt of the strng. Moreover, we wll use t wth non-nteractve openng. Statstcally hdng commtment scheme. Another complementary noton of commtment schemes s statstcally hdng but computatonally bndng. It s known how to construct a two-round statstcally hdng commtment scheme from any famly of collson-resstant hash functons [HM96] or an O(n/ log n)- round statstcally hdng commtment from any one-way functon [HR07, HNO + 09]. In ths dual settng, the hdng property holds even aganst unbounded adversaral recevers for all but a neglgble probablty (.e., statstcal hdng), whle the bndng property s requred to hold only for polynomally-bounded senders (.e., computatonal bndng). For two-round statstcally hdng commtment scheme, we wll use the same notaton used above for two-round statstcally bndng commtment scheme. Extractable commtment schemes. Informally, a commtment scheme s sad to be extractable f there exsts an effcent extractor that havng black-box access to any effcent malcous sender ExCom that successfully performs the commtment phase, s able to effcently extract the commtted strng. We frst recall the formal defnton from [PW09] n the followng. Defnton 7 (Extractable Commtment Scheme) A commtment scheme ExCS = (ExCom, ExRec) s an extractable commtment scheme f gven an oracle access to any ppt malcous sender ExCom, commttng to a strng, there exsts an expected ppt extractor Ext that outputs a par (τ, σ ) such that the followng propertes hold: Smulatablty: the smulated vew τ s dentcally dstrbuted to the vew of ExCom (when nteractng wth an honest ExRec) n the commtment phase. 6

8 Extractablty: the probablty that τ s acceptng and σ correspond to s neglgble. Moreover the probablty that ExCom opens τto a value dfferent than σ s neglgble. An extractable commtment scheme can be statstcally bndng (n such case also extractablty must hold aganst an unbounded ExCom ) or statstcally hdng. The constructon of an extractable commtment n [PW09] follows the one proposed by Rosen n [Ros04], whch s a non-concurrent verson of the one orgnally proposed by Prabhakaran et al. n [PRS02], and formally defned as concurrent extractable commtment by Ong et al. n [MOSV06]. Snce we do not requre concurrent extractablty, we wll consder the non-concurrent (and round-effcent) verson only. We also brefly recall the extractable commtment scheme from [PW09] n the followng. One can construct an extractable commtment scheme ExCS = (ExCom, ExRec) wth non-nteractve openng from any commtment scheme CS = (Com, Rec) wth non-nteractve openng n a black-box manner as follows. Let ExCom be the sender, ExRec be the recever, and Com(σ; ω) denote the commtment to a message σ computed usng randomness ω. We wll now show the steps of a statstcally-bndng extractable commtment scheme by assumng that f at any tme the receved message s nconsstent wth the protocol specfcaton then the honest player aborts (e.g., the recever would output ). Commtment Phase: 1. ExCom on nput a message σ, generates k random strngs {r 0 } [k] of the same length as σ, and computes {r 1 = σ r 0 } [k], therefore {σ = r 0 r1 } [k]. Then ExCom uses CS to commt to the k pars {(r 0, r1 )} [k]. That s, ExCom and ExRec produce {c 0 = Com(r 0, ω0 ), Rec, c 1 = Com(r 1, ω 1 ), Rec } [k]. 2. ExRec responses to ExCom by sendng a random k-bt challenge strng r = (r 1,..., r k ). 3. ExCom decommts {c r } [k] (.e., non-nteractvely opens k of prevous commtments, one per par). 4. ExRec verfes that commtments have been opened correctly. Decommtment Phase: 1. ExCom sends σ and non-nteractvely decommts the other k commtments {c r } [k], where r = 1 r. 2. ExRec checks that all k pars of random strngs {r 0, r1 } [k] satsfy {σ = r 0 r1 } [k]. If so, ExRec takes the value commtted to be σ and otherwse. The proof of hdng and bndng can be found n [PW09]. The extractor can smply run as a recever, and f any of the k commtments s not acceptng, t outputs σ =. Otherwse, t rewnds (Step 2) and changes the challenge untl another k well formed decommtments are obtaned. Then t verfes that for each decommtment, the XOR of all pars corresponds to the same strng. Then the extractor can extract a value from the responses of these two dstnct challenges. The extractor by playng random challenges n each executon of Step 2 s perfectly smulatng the behavor of the recever and the analyss n [PW09] shows that ts runnng tme s polynomal. However, the extractor descrbed above wll produces over extracton, whch means that the extractor can output a value dfferent from when the transcrpt has no vald openng. In our constructons, we wll also need an extractable commt scheme wthout over extracton, but toleratng extracton falure. Defnton 8 (Weakly Extractable Commtment Scheme) A weakly extractable commtment scheme WExCS = (WExCom, WExRec) s a commtment scheme such that gven oracle access to any ppt malcous sender WExCom, commttng to a strng, there exsts an expected ppt extractor Ext that outputs a par (τ, σ ) such that the followng propertes hold: Smulatablty: the smulated vew τ s dentcally dstrbuted to the vew of WExCom (when nteractng wth an honest WExRec) n the commtment phase. 7

9 Extractablty: the probablty that τ s acceptng and σ correspond to s at most 1/2. Moreover f σ then the probablty that ExCom opens τ to a value dfferent than σ s neglgble. In contrast to the prevous defnton, a weakly extractable commtment scheme can tolerate falures n the extracton procedure. A constructon that satsfes our defnton on top of any commtment scheme CS = (Com, Rec) s as follows: Commtment Phase: 1. WExCom on nput a message σ, generates a random strngs r 0 of the same length as σ, and computes r 1 = σ r 0. That s, WExCom sets σ = r 0 r 1. Then WExCom uses CS to commt to a par of values (r 0, r 1 ). That s, WExCom and WExRec produce c 0 = Com(r 0, ω 0 ), Rec, c 1 = Com(r 1, ω 1 ), Rec. 2. WExRec responses to WExCom by sendng a random bt challenge strng b. 3. WExCom decommts c b (.e., non-nteractvely opens one of prevous commtments). 4. WExRec verfes that c b has been opened correctly. Decommtment Phase: 1. WExCom sends σ and non-nteractvely decommts the other commtment c b, where b = 1 b. 2. WExRec checks that σ = r 0 r 1. If so, WExRec takes the value commtted to be σ and otherwse. The proof of bndng and hdng of WExCS are even smpler than the one gven n [PW09]. Moreover, there s no ssue of over-extracton, rather there s an ssue of under-extracton. Snce the malcous sender mght refuse to open another commtment durng rewnds, wth probablty 1/2, a cheatng sender commts successfully but the extractor fals. We wll show later that ths weak noton of extractablty suffces to prove the securty of our man theorem. Notce that n the two above constructons, when CS s the parallel verson of Naor s commtment scheme (.e., a statstcally bndng strng commtment scheme where the sender commts to pars of strngs whch XOR corresponds to the strng to be commtted), then we obtan a constant-round extractable (resp. weakly extractable) statstcally-bndng strng commtment scheme based on the black-box use of one-way functons. Smlarly, a constant-round (weakly) extractable statstcally-hdng commtment scheme from any famly of collson-resstant hash functons can be obtaned from the scheme of [HM96], and a O(n/ log n)-round (weakly) extractable statstcally-hdng commtment from any one-way functon can be obtaned from the scheme of [HR07, HNO + 09]. Non-malleable commtment schemes. For the non-malleablty of commtments, we follow the defnton ntroduced by Pass and Rosen and by Ln et al. [PR05b, PR08a, LPV08]. Let M be the man-n-themddle adversary runnng on auxlary nput z, and NMCS = (C, R) denote a non-malleable commtment scheme executed by a sender C and a recever R. We brefly dscuss two dfferent types of non-malleablty n the followng. Statstcally bndng non-malleable commtment schemes. We use the noton of non-malleablty w.r.t. commtment from [DDN91] for statstcally bndng non-malleable commtment schemes. In ths settng, the adversary M s sad to succeed n the experment f M can commt to a message σ that s related to the message σ commtted by the honest commtter. Formally, let mm M NMCS (σ, z, tag) denote a random varable that descrbes the value σ that M commts to n the rght executon and the vew of M n the full experment. In the smulated experment, a smulator S drectly nteracts wth R. Let sm S NMCS (z, tag) denote the random varable descrbng the value σ commtted to by S and the output of S. Notce that both n mm M NMCS (σ, z, tag) and n sms NMCS (z, tag) the values σ and σ are well defned snce the commtment scheme s statstcally bndng. We wll consder tag-based commtments, where an addtonal strng referred to as tag s receved n nput by both sender and recever. The goal of M recevng a commtment of σ n an executon wth tag tag, conssts n commttng to a related σ n an executon wth a tag tag such that tag tag. Therefore 8

10 n mm M NMCS (σ, z, tag) we wll assume that when the tag used n the rght-hand executon s equal to the one used n left-hand executon, then the message commtted n mm M NMCS (σ, z, tag) s always defned as. It s well known that tag-based non-malleable commtments mply plan non-malleable commtments snce one can use any sgnature scheme for ths mplcaton. Snce t s known how to construct sgnature schemes by usng a one-way functon n a black-box manner, we have that the sole noton to care about n ths work s that of tag-based non-malleable commtments. Defnton 9 (Non-Malleable Commtments w.r.t Commtment) A tag-based commtment scheme NMCS s sad to be non-malleable f for every ppt man-n-the-mddle adversary M, there exsts a (expected) ppt smulator S such that the followng ensembles are computatonally ndstngushable: {mm M NMCS (σ, z, tag)} tag {0,1} k,σ {0,1} k,k N,z {0,1} {sms NMCS (z, tag)} tag {0,1} k,k N,z {0,1}. Smlarly, one can defne the one-many (resp., many-many) varant of the above defnton where the vew of M along wth the tuple of values t commts to s requred to be ndstngushable regardless of the value (resp., values) commtted to n the left nteracton (resp., nteractons) by the honest sender. We refer the reader to [LPV08] for more detals. We also defne the noton of one-sded non-malleable commtment where we only consder nteractons where the players of the left executon use a common value tag that s smaller than any value tag used n any rght nteracton 3. Statstcally hdng non-malleable commtment schemes. In the statstcally hdng case, the prevous defnton of non-malleablty (w.r.t. commtment) does not make sense, because the commtted value s not necessary well defned. To analyze the non-malleablty n such a settng, the standard noton of non-malleablty s w.r.t. openng and was studed by D Crescenzo et al. [DIO98] and by Pass and Rosen [PR05a, PR08b]. Brefly, n the noton of non-malleablty w.r.t. openng, the adversary s consdered successful f after the commtment phase (where M commts to a message σ), and after observng the decommtment to σ from a honest commtter, M can decommt a message σ that s related to σ. Let mm M NMCS (σ, z, tag) denote a random varable that descrbes the vew of M n the full experment and the value that M decommts to n the rght executon when the sender commts and decommts to σ. In the smulated experment, a smulator S drectly nteracts wth R, and wll receve the value σ only after the commtment phase has been completed. Let sm S NMCS (σ, z, tag) denote the random varable descrbng the output of S. Defnton 10 (Non-Malleable Commtments w.r.t. Openng) A tag-based commtment scheme NMCS s sad to be non-malleable w.r.t. openng f for every ppt man-n-the-mddle adversary M, there exsts a (expected) ppt smulator S such that the followng ensembles are computatonally ndstngushable: {mm M NMCS (σ, z, tag)} tag {0,1} k,σ {0,1} k,k N,z {0,1} {sms NMCS (σ, z, tag)} tag {0,1} k,σ {0,1} k,k N,z {0,1}. Statstcally secure mult-party computaton (MPC). Informally, a secure mult-party computaton (MPC) [BGW88, AL11] scheme allows n players to jontly and correctly compute an n-ary functon based on ther prvate nputs, even n the presence of t corrupted players. More precsely, let n be the number of players and t denotes the number of corrupted players. Under the assumpton that there exsts a synchronous network over secure pont-to-pont channels, n [BGW88] t s shown that for every n-ary 3 If there exsts a rght nteracton wth tag < tag, the value b commtted to n that rght nteracton s defned to be. 9

11 functon f : ({0, 1} ) n ({0, 1} ) n, there exsts a t-secure MPC protocol Π f that securely computes f n the sem-honest model for any t < n/2, and n the malcous model for any t < n/3, wth perfect completeness and securty. That s, gven the prvate nput w of player, after runnng the protocol Π f, each honest player receves n output the -th component of the result of the functon f appled to the nputs of the players, as long as the adversary corrupts less than t players. In addton, nothng s learnt by the adversary from the executon of Π f other than the output. More formally, we denote by A the real-world adversary runnng on auxlary nput z, and by S the deal-world adversary. We then denote by REAL π,a(z),i ( x) the random varable consstng of the output of A controllng the corrupted partes n I and the outputs of the honest partes. Followng a real executon of π where for any [n], party P has nput x and x = (x 1,..., x n ). We denote by IDEAL f,s(z),i ( x) the analogous output of S and honest partes after an deal executon wth a trusted party computng f. Defnton 11 Let f : ({0, 1} ) n ({0, 1} ) n be an n-ary functonalty and let π be a protocol. We say that π (n, t)-statstcally securely computes f f for every probablstc adversary A n the real model, there exsts a probablstc adversary S of comparable complexty 4 n the deal model, such that for every I [n] of cardnalty at most t, every x = (x 1,..., x n ) ({0, 1} ) n where x 1 =... = x n, and every z {0, 1}, t holds that: {IDEAL f,s(z),i ( x)} s {REAL π,a(z),i ( x)}. We wll later use MPC protocols wth perfect completeness and statstcal securty. Theorem 3 (BGW88) Consder a synchronous network wth parwse prvate channels. Then, for every n-ary functonalty f, there exsts a protocol π f that (n, t)-perfectly securely computes f n the presence of a statc sem-honest adversary for any t < n/2, and there exsts a protocol that (n, t)-perfectly securely computes f n the presence of a statc malcous adversary for any t < n/3. We wll refer to such a protocol π f mentoned n the above theorem as an (n, t)-perfectly secure MPC protocol for f. Notce that all the above communcaton requrements to run the MPC protocol wll not result n communcaton requrements for our commtment scheme, snce we wll use vrtual executons of MPC that wll be run only locally by players. Consstency of vews. In an MPC protocol, the vew of a player ncludes all messages receved by that player durng the executon of the protocol, the prvate nputs gven to the player and the randomness used by the player. We further denote by vew the vew of player P. For a honest player P, the fnal output and all messages sent by that player can be nferred from vew by runnng a vrtual executon of the protocol. Next, we recall the followng defnton of vew consstency adapted from [IKOS07]. Defnton 12 (Vew Consstency) A vew of an honest player durng an MPC computaton π contans nput and randomness used n the computaton, and all messages receved/sent from/to the communcaton tapes. We have that a par of vews (vew, vew j ) are consstent wth each other f, (a) both the players P and P j ndvdually computed each outgong message honestly by usng the random tapes, nputs and ncomng messages specfed n vew and vew j respectvely, and, (b) all output messages of P to P j appearng n vew are consstent wth ncomng messages of P j receved from P appearng n vew j, and vce versa. 4 Comparable complexty means that S runs n tme that s polynomal n the runnng tme of A. 10

12 Verfable Secret Sharng (VSS) functonalty. Informally, a verfable secret sharng (VSS) [CGMA85] scheme s a two-stage secret sharng protocol for mplementng the followng functonalty. In the frst stage, a specal player referred to as dealer shares a secret among the other players referred to as shareholders n the presence of at most t corrupted players. In the second stage, players reconstruct the secret shared by the dealer. The functonalty ensures that when the dealer s honest, before the second stage begns, all corrupted players have no nformaton about the secret. Moreover, when the dealer s dshonest, at the end of the share phase the honest players would have realzed t through an accusaton mechansm that dsqualfes the dealer. In contrast to Shamr s Secret Sharng scheme [Sha79], a VSS scheme can tolerate errors on malcous dealer and players on dstrbutng nconsstent or ncorrect shares, ndeed the crtcal property s that even n case the dealer s dshonest but has not been dsqualfed, stll the second stage always reconstruct the same bt among the honest players. We wll consder a VSS scheme mplementng the above VSS functonalty, as defned below. Defnton 13 (VSS Scheme) An (n + 1, t)-perfectly secure VSS scheme conssts of a par of protocols VSS = Share, Recon that mplement respectvely the sharng and reconstructon phases as follows. Share. Player P n+1 referred to as dealer runs on nput a secret s and randomness r n+1, whle any other player P, 1 n, runs on nput a randomness r. Durng ths phase players can send (both prvate and broadcast) messages n multple rounds. Recon. Each shareholder sends ts vew v of the sharng phase to each other player, and on nput the vews of all players (that can nclude bad or empty vews) each player outputs a reconstructon of the secret s. All computatons performed by honest players are effcent. The computatonally unbounded adversary can corrupt up to t players that can devate from the above procedures. The followng securty propertes hold. Commtment: f the dealer s dshonest then one of the followng two cases happen: 1) durng the sharng phase honest players dsqualfy the dealer, therefore they output a specal value and wll refuse to play the reconstructon phase; 2) durng the sharng phase honest players do not dsqualfy the dealer, therefore such a phase determnes a unque value s that belongs to the set of possble legal values that does not nclude, whch wll be reconstructed by the honest players durng the reconstructon phase. Secrecy: f the dealer s honest then the adversary obtans no nformaton about the shared secret before runnng the protocol Recon. Correctness: f the dealer s honest throughout the protocols then each honest player wll output the shared secret s at the end of protocol Recon. Drect mplementatons of (n + 1, n/3 )-perfectly secure VSS schemes can be found n [BGW88, CDD + 99]. However snce we are nterested n a determnstc reconstructon procedure, we wll use the scheme of [GIKR01] that mplements an (n + 1, n/4 )-perfectly secure VSS scheme. We wll denote by Π V SSshare the executon of an (n + 1, n/4 )-perfectly secure protocol that mplements the Share stage of the above VSS functonalty. We wll denote by Π recon the correspondng protocol executed by shareholders to mplement the determnstc Recon stage. Synchronzed Mult-Party Con Tossng Protocol. One of the natural and basc applcatons of the secure mult-party computaton s con tossng, whch allows partes to generate a common unbased 11

13 random strng. We assume that there exsts a broadcast channel and the communcaton s synchronzed but allowng a rushng adversary. That s, our protocol wll proceed n rounds, and n each round, all messages exchanged by the players must be delvered before the next round begns. However, n each round, the adversary s allowed to see all the messages sent by honest players before decdng how the corrupted players should behave n current round. Also, the broadcast channel assures that all players heard the same message and that the message cannot be dsavowed. Note that n ths noton, one strng s tossed n a mult-party protocol, whch s dfferent to the notons n [Ln01, PW09], where many (sngle bt) cons are tossed n parallel (.e, multple protocol pars are executed smultaneous by two partes). In the two-party case, a constant-round parallel con-tossng protocol was proposed by Lndell [Ln01]. In addton, the frst constant-round non-malleable strng-tossng protocol n the plan model s acheved by Barak [Bar02]. Let Π C be a synchronzed mult-party con tossng protocol, let A denotes the real-world adversary runnng on auxlary nputs z, and let S be the deal-world adversary. We then denote by REAL ΠC,A(z)(1 n ) the random varable consstng of the output of A and the outputs of all partes. We denote by IDEAL f,s(z) (1 n ) the analogous output of S and honest partes after an deal executon wth a trusted party computng the n-ary functon f : (1 k ) n {0, 1} k, where each party has only the securty parameter k as ts nput and the output of f s unformly and ndependently chosen from {0, 1} k. Defnton 14 (Synchronzed Mult-Party Con Tossng) A Synchronzed mult-party protocol Π C mplements an n-party con tossng f for every ppt adversary A n the real model, there exsts a ppt adversary S of comparable complexty n the deal model, such that REAL ΠC,A(z)(1 k ) IDEAL f,s(z) (1 k ). 3 Constructon of Non-Malleable Commtments We now descrbe a smplfed verson of our protocol, whch consders short tags wth one-sded nonmalleablty. Moreover securty s guaranteed aganst synchronzed adversares only. A synchronzed adversary s a restrcted adversary that plays the man-n-the-mddle attack by playng exactly one message on the rght executon after a message s receved from the left executon, and playng exactly one message on the left executon after a message s receved from the rght executon. In our scheme we wll use an extractable commtment scheme ExCS as already used n prevous work [PW09]. Such a commtment scheme suffers of over extracton, whch means that the extractor can output a value dfferent than even when the commtted message s not well formed (therefore the commtted message s undefned and can not be opened anymore). In addton, we use the commtment scheme WExCS whch nstead suffers from under extracton as descrbed n Secton 2. We assume that each executon has a sesson dentfer tag [2n], where n s the length of party dentty n bts. Let k be the securty parameter and l = l(k) = k tag. The commtment scheme NMCS = (C, R) between a commtter C and a recever R proceeds as follows to commt to a k-bt strng σ. We assume that λ = k/4. In the descrpton below, we have ncluded some ntuton n talcs. Commtment Phase. 0. Intal setup. R pcks λ out of k players (whch wll be later emulated by the commtter) at random. That s, t randomly selects λ dstnct ndces Λ = {r 1,..., r λ } where r [k] for any [λ]. For each r, R sends an extractable commtment c of r usng ExCS. 1. Prmary slot. Let Π V SSshare be a protocol mplementng the Share phase of a (k + 1, λ)-perfectly secure VSS scheme. We requre the VSS protocol to have a determnstc reconstructon phase. The commtter C s gven a k-bt strng σ to commt. 12

14 1.1. Commt: C frst generates l pars of random strngs {α 0, α1 } [l] of length 4k each, and a k-bt random strng s. Here the strngs are such that the knowledge of both strngs {α 0, α1 } for any par wll allow an extractor to extract the commtted value. The strng s s meant to serve as a seed of a strong extractor used later on n the protocol. The purpose of the next two stages (1.2 and 1.3) s smply to produce a specalzed commtment to the strngs {α 0, α1 } [l], s and σ The commtter C now starts emulatng k + 1 (vrtual) players locally n hs head. C sets the nput of P k+1 (.e., the Dealer) to the concatenaton of σ, s, and {α 0, α1 } [l], whle each other player has no nput. Then C runs Π V SSshare and each player P obtans shares w, for any [k] Let vew1 1,..., vew1 k+1 be the vews of the k +1 players descrbng the executon of Π V SSshare. C uses WExCS to send a commtment V 1 of vew 1 to R, n parallel for any [k]. At ths stage, the commtter s now commtted to σ, s and {α 0, α1 } [l] Challenge: R sends a random l-bt challenge strng ch = (ch 1,..., ch l ) Response: C sends {α ch } [l] to R. The goal of the extractor would be to rewnd and learn a par {α 0, α1 }. To ensure non-malleablty, ths would be done wthout rewndng the (nterleaved) left nteracton. 2. Verfcaton message. Let H be a famly of parwse-ndependent hash functons wth doman {0, 1} 4k and range {0, 1} k, and Ext : {0, 1} 4k {0, 1} k {0, 1} k be a strong randomness (3k, 2 k )- extractor R pcks a functon h at random from H and sends t to C C sends s, {h(α 0 ), h(α1 ), B = σ Ext(α 0, s) Ext(α1, s)} [l] to R. Say that n the prmary slot phase, the extractor rewnds the adversary and receves a value α j. Ths phase enables checkng such a receved value for correctness (and for subsequent recovery of the strng σ). Ths phase s purely nformaton theoretc but stll provdes for the rght bndng propertes. The correspondng mechansm n the constructon of Goyal was mplemented usng complex computatons nvolvng random tapes used to generate varous commtments. 3. Consstency proof. Now the sender needs to prove the correctness of the values revealed n stage 1.5 and Let Π ch be a (k, λ)-perfectly secure MPC protocol such that gven ch as a publc nput and w as the prvate nput of P for any [k], at the end of the computaton {α ch } [l] s receved n output by P for any [k]. C runs nternally Π ch and sends a commtment V 2 of the vew vew 2 of P when executng Π ch usng WExCS n parallel for any [k] to R Let Π h be a (k, λ)-perfectly secure MPC protocol such that gven a hash functon h as a publc nput and w as the prvate nput of P for any [k], at the end of the computaton (s, {h(α 0), h(α1 )} [l], {B = σ Ext(α 0, s) Ext(α1, s)} [l]) s receved n output by P for any [k]. C runs nternally Π h and sends a commtment V 3 of the vew vew 3 of P when executng Π h usng WExCS n parallel for any [k] R decommts {c } [λ] C decommts {Vr 1, Vr 2, Vr 3 } [λ] (.e., t decommts the subset of vews {vewr 1, vewr 2, vewr 3 } [λ].) 3.5. For j = 1, 2, 3, R verfes that all pars of vews n {vewr j } [λ] are consstent (accordng to Defnton 12) and that the dealer P k+1 has not been dsqualfed by any player, otherwse R aborts; moreover for j = 1, 2 and = 1,..., λ, R checks that vewr j s a prefx of vew j+1 otherwse R aborts. Decommtment Phase. 1. C decommts {V 1 } [k] as {vew 1 } [k]. r, 13