Vipul Goyal Microsoft Research, India

Posted on 30-Dec-2015



Description: Constant Round Non-Malleable Commitments, Vipul Goyal (Microsoft Research, India). PowerPoint (PPT) presentation transcript.

transcript

1

Constant Round Non-Malleable Commitments

Vipul Goyal, Microsoft Research, India

2

Commitment Schemes [Blum’84]

Diagram: Committer sends Com(s) to Receiver; the Receiver learns nothing about s (“s?”) until the opening of Com(s), which plays the role of the combination.

• Commitment like a note placed in a combination safe
• Two properties: hiding and binding
• Electronic equivalent of such a safe

3

Contract Bidding: is a commitment sufficient?

Diagram: honest bidder sends Com(s); the adversary, without learning s, sends Com(s - 1).

• Adversary cheats and creates a winning bid

4

Non-Malleable Commitments

• Introduced in the seminal work of Dolev, Dwork and Naor [DDN91]

Picture credit: R. Pass

• Important building block towards the bigger goal of designing secure cryptographic protocols for the internet setting

• Well studied primitive

5

NM Commitment: Definition [DDN’91, PR’05, LPV’08]

• Value s’ should be “independent” of s
• NMcom requirement: for every MiM there is a Simulator committing to the same value
• No copy: each party has a unique identity/tag (tag based non-malleability)

Diagram: Real World (the MiM receives a commitment to s on the left and commits to s’ on the right) vs. Simulator (commits to s’ without any left commitment)

6

NM com: how to prove

• Say extractor outputs s’ without rewinding the left honest committer
• By hiding of com: s’ independent of s
• Can easily construct a simulator: commit to 0 on left

Diagram: Extractor (left commitment to s; value s’ extracted from the right)

7

Result 1 (2011)

• This work: Constant round NM commitments using only OWFs
• Long line of work [Dolev-Dwork-Naor’91, ..]; previous state of art included several incomparable results
  – CRHF + NBB simulation [Barak’02, PR’05]
  – Super constant rounds [DDN’91, .., LP’09, Wee’10]
  – Non-standard assumptions [PPV’08, Wee’10]
• Independent work: Lin-Pass’11 obtained similar result using unrelated ideas
  – Advantage over LP’11: more “amenable” to BB use of OWF; gives BB construction of MPC

8

Result 2 (upcoming FOCS) [joint with Lee, Ostrovsky, Visconti]

• Constant round NM com using only a BB use of OWFs

• Earlier: no black-box construction of NM com known without relaxing security notion (any rounds, any assumption)

• Idea: Instantiate the previous protocol from 2011 using “MPC in the head” ideas [IKOS’07]

9

Result 1: Basic technical contribution

Diagram: left slot: L pairs of commitments, challenge (short), open; right slot: L’ pairs of commitments, challenge (long), open; L’ >> L

• Consider a slot (of e.g. PRS preamble, extractable commitments, etc)
• Say adv gets small number of commitment pairs on left; gives large number on right
• Adversary created at least one commitment pair on right on his own; in fact, can extract from right without rewinding left
• Can be seen as making s.p. different for left and right using || (parallel) repetition
• Conceptual similarity to long-short NBB simulation technique of Pass’04

Preliminaries

• Throughout the talk:
• Only consider synchronizing adversaries
• Identities coming from polynomial domain (log length identities)
• Assume id’ > id

Diagram: left session has identity id, right session has identity id’

11

Starting protocol

Committer (identity id) and Receiver:
  Committer: generate r, break into r1 to rid using a 2-out-of-id secret sharing; send Com(r1), . . ., Com(rid)
  Receiver: ch in [id]
  Committer: opening of Com(rch)
  Committer: v ⊕ r + ZKP of correctness

• Identity id from a polynomial sized domain
• Learning two shares sufficient to extract v
• Identity encoded in length of challenge

12

Proof of Security

Diagram: left session (Committer, identity id): Com(r1), . . ., Com(rid); ch in [id]; response. Right session (MiM with identity id’, Receiver): Com(r’1), . . ., Com(r’id’); ch’ in [id’]; response.

• Protocol secure against non-aborting + synchronizing adversaries
• Assume id’ > id throughout the talk (space of chall strings on right bigger)
• At least two right chall mapping to same left chall (pigeonhole)
• Gives possibility to get two responses on right and give only one on left

13

Proof of Security contd..

Diagram: left session (Committer, identity id): Com(r1), . . ., Com(rid); ch in [id]; open rch; v ⊕ r + ZKP. Right session (identity id’, Extractor as receiver): Com(r’1), . . ., Com(r’id’); ch’ in [id’]; open r’ch’; v’ ⊕ r’ + ZKP; after rewinding: ch’’ in [id’]; open r’ch’’.

• Extractor: Rewind and extract from right w/o rewinding left
• Ext experiments to find a collision (ch’ and ch’’ both mapped to the same left ch)
• Replays the same left message for ch’’

Extraction successful !!
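The starting protocol and its collision-based extractor (slides 11 to 13), as an added toy implementation; this is not code from the talk or from the paper. Assumptions made here: Com is a SHA-256 hash commitment, the 2-out-of-id sharing is Shamir sharing over a prime field, the last committer message is v XOR r with the ZK proof omitted, and the man-in-the-middle is a deterministic, non-aborting, synchronizing adversary whose left challenge is a fixed function of the right challenge. The names Committer, MiM, extract_right and demo are mine. The extractor first probes the right challenge space to find two right challenges that induce the same left challenge (pigeonhole, since id’ > id), obtains a single opening from the left committer, and replays it on the right.

```python
import hashlib
import secrets

P = (1 << 61) - 1   # prime field for the Shamir shares (constructed choice)


def commit(msg: bytes):
    """Toy hash commitment (assumption: Com = SHA-256 over nonce || msg)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + msg).digest(), nonce


def verify_open(com: bytes, msg: bytes, nonce: bytes) -> bool:
    return hashlib.sha256(nonce + msg).digest() == com


def share_2_of_n(r: int, n: int):
    """2-out-of-n Shamir sharing: shares are points on the random line y = r + a*x."""
    a = secrets.randbelow(P)
    return [(i, (r + a * i) % P) for i in range(1, n + 1)]


def recover_from_two(s1, s2) -> int:
    """Two points fix the line; its value at x = 0 is the secret r."""
    (x1, y1), (x2, y2) = s1, s2
    num = (y1 * x2 - y2 * x1) % P
    return num * pow((x2 - x1) % P, P - 2, P) % P


def enc(y: int) -> bytes:
    return y.to_bytes(8, "big")


class Committer:
    """Honest committer with identity `ident`, committing to v (an int below 2**61)."""

    def __init__(self, v: int, ident: int):
        self.v, self.ident = v, ident
        self.r = secrets.randbelow(P)
        self.shares = share_2_of_n(self.r, ident)             # r_1 .. r_id
        self.coms, self.nonces = zip(*(commit(enc(y)) for _, y in self.shares))

    def first_message(self):
        return self.ident, list(self.coms)                     # Com(r_1), ..., Com(r_id)

    def respond(self, ch: int):
        x, y = self.shares[ch - 1]                             # open Com(r_ch)
        return x, y, self.nonces[ch - 1]

    def final_message(self) -> int:
        return self.v ^ self.r                                 # v XOR r; ZKP omitted in the toy


class MiM:
    """Toy synchronizing, non-aborting man-in-the-middle with identity id' > id.
    Its left challenge is a fixed function of the right challenge (assumption), and it
    answers on the right only after seeing a valid opening on the left."""

    def __init__(self, left_first_message, v_right: int, id_right: int):
        self.left_id, self.left_coms = left_first_message
        self.right = Committer(v_right, id_right)

    def left_challenge(self, ch_right: int) -> int:
        return (ch_right - 1) % self.left_id + 1               # [id'] -> [id], not injective

    def right_response(self, ch_right: int, left_response):
        x, y, nonce = left_response
        if not verify_open(self.left_coms[x - 1], enc(y), nonce):
            return None                                        # would abort
        return self.right.respond(ch_right)


def extract_right(left: Committer, mim: MiM) -> int:
    """Extract the value the MiM committed to on the right without rewinding the left."""
    id_right, right_coms = mim.right.first_message()
    # Probe every right challenge to learn which left challenge it induces (this costs
    # no left response). Since id' > id, the pigeonhole principle gives a colliding pair.
    induced = {}
    for c in range(1, id_right + 1):
        induced.setdefault(mim.left_challenge(c), []).append(c)
    ch1, ch2 = next(cs for cs in induced.values() if len(cs) >= 2)[:2]
    left_resp = left.respond(mim.left_challenge(ch1))          # the only left opening used
    resp1 = mim.right_response(ch1, left_resp)                 # main thread
    resp2 = mim.right_response(ch2, left_resp)                 # rewind right, replay left message
    for x, y, nonce in (resp1, resp2):
        if not verify_open(right_coms[x - 1], enc(y), nonce):
            raise ValueError("right opening does not verify")
    r_right = recover_from_two(resp1[:2], resp2[:2])           # two shares -> r'
    return mim.right.final_message() ^ r_right                 # (v' XOR r') XOR r' = v'


def demo(v_left: int = 4242, id_left: int = 5, v_right: int = 1717, id_right: int = 8) -> bool:
    """Run one left session, one MiM, and the extractor; True if v' was recovered."""
    left = Committer(v_left, id_left)
    mim = MiM(left.first_message(), v_right, id_right)
    return extract_right(left, mim) == v_right


if __name__ == "__main__":
    print("extracted the right value correctly:", demo())
```

Only one left opening is ever produced (the left committer is never rewound), which is exactly the property the proof needs; the toy MiM answers every right challenge, so the collision search succeeds by exhaustive probing over the polynomial-size right domain. An adversary that aborts on all but one preimage of each left challenge defeats this search, which is the problem slides 15 and 16 turn to.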

14

Initial Protocol

• Repeat protocol twice: one with id and one with (n – id)

• We get a simple protocol secure against non-aborting adversaries

• Repeat sequentially to get security against possibly aborting adversaries

• However doesn’t give us a constant round construction

15

(Possibly) Aborting Adversaries

Diagram: left session (Committer, identity id): open; right session (identity id’, Extractor as receiver): open / abort

• Problem: Adv creates a one to one mapping of left and right challenges (Aborts on the remaining right challenges)
• No Collisions!!

16

(Possibly) Aborting Adversaries contd..

Diagram: left session (identity id): ch in {0,1}^L; right session (identity id’, Extractor as receiver): ch’ in {0,1}^L’; L = k·id, L’ = k·id’

• Idea: right challenge space exponentially larger than left; see protocol
• If id’ > id, then |ch’| - |ch| ≥ k
• Collisions guaranteed to exist (else adv aborts with overwhelming prob)
• Problem: hard for extractor to find a collision in PPT
• Adv, e.g., might apply a CRHF to compute ch from ch’

17

Final protocol

Committer: VM: com(v; r1), …, com(v; rL), with L = k·id
Committer: com(r1[0]), …, com(rL[0]) and com(r1[1]), …, com(rL[1]), where ri = ri[0] ⊕ ri[1]
Receiver: ch in {0,1}^L
Committer: send the relevant strings (no openings)
Committer: ZKP

• Need to extract ri for some i
• VM = verification message: two purposes

18

Extractor Description

Diagram: Left commitments: L pairs; challenge (short); strings (no opening); VM + ZK. Right commitments: L’ pairs; challenge (long); strings; VM + ZK. L’ > L.

• Extract on right w/o rewinding left
• First run everything honestly on left and right (main thread)
• Rewind and give a new challenge on right
• Give simulated response on left: define unrecovered set
• See right response and try to extract
• Rewind again if required

19

Extractor Analysis

Diagram: Left coms: L pairs; ch (short); simulated response. Right coms: L’ pairs; ch’ (long); wrong strings.

• Worry: if simulated response on left, all new strings asked on right are incorrect/random
• Even if one pair of coms on right revealed correct with noticeable prob; we are good!

20

Dependent set of commitments (on right)

Diagram: Left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings.

• Intuition: set of right coms created by mauling an unrecovered com on left
• Prefix: first message on left + right
• Dependent set is defined for a prefix + left ch
• Prob over coins after prefix. A com on right belongs to dependent set S if:

1. [Interesting]: prob of string revealed correctly by M is *noticeable* (run many main threads with this prefix), and,

2. [Dependent]: prob of string revealed correctly CONDITIONED on left challenge of M being ch is negligible

21

Bounding dependent set of commitments

Diagram: Left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings.

• Lemma1: if |S| > L + log2(k); main thread aborted w.h.p.

Proof:

• Intuition: some commitment from S on right will be selected by ch’ w.h.p.
• M sees ch’, has 2^L choices for ch on left (each choice will define a set S)
• Prob that there exists S s.t. ch’ selects NOTHING from it is 2^L / 2^(L + log2(k))
• Regardless of how M chooses ch, a com dependent (on unrecovered set) selected. M will answer incorrectly on right.
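Worked derivation of the Lemma 1 bound (added here, not on the slide). It assumes, as in the final protocol, that each bit of ch’ selects one of the two commitments of a right pair, so a fixed right commitment is selected with probability 1/2, and it takes S to consist of commitments from distinct pairs (if a pair contributes both its commitments, one of them is always selected and the bound only improves):

```
Fix ch, hence S = S(ch), with |S| > L + log2(k).
Pr_{ch'}[ch' selects no commitment of S] <= 2^{-|S|} < 2^{-(L + log2(k))}.
Union bound over the 2^L possible choices of ch on the left:
Pr[exists ch : ch' selects nothing from S(ch)] < 2^L * 2^{-(L + log2(k))} = 1/k.
```

So whichever ch M picks after seeing ch’, except with probability 1/k some commitment that depends on the unrecovered set is selected, and M cannot reveal its string correctly.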

22

Strictly Dependent set of commitments (on right)

Diagram: Left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings.

• Defined for a given prefix + ch
• Prob over coins after prefix. A com on right belongs to strictly dependent set G if:

1. [Interesting]: prob of string revealed correctly by M is noticeable, and,

2. [Dependent]: prob of string revealed correctly when simulated response given on left is negligible

• To prove: if even one right pair not in G, we are done!

23

Bounding Strictly Dependent set of commitments

Diagram: Left coms: L pairs; ch; strings. Right coms: L’ pairs; ch’; strings.

• Lemma2: G is a subset of S w.h.p.

Proof:

• Relies on hiding of com: say there exists a com in G but not S
• [not in S]: Run main thread, noticeable prob of seeing correct string for this com (doesn’t follow from the interesting condition)
• [in G]: Now say left response is simulated; negl prob of seeing correct string
• [in G]: Say left response is real: again noticeable prob of seeing correct string

Distinguish simulated response from real

24

Bounding Strictly Dependent set of commitments: details

Lemma2: more details

• External party ready to give q responses from outside; exactly one guaranteed to be real; rest simulated; q is very large
• Hiding says can’t predict with noticeably better than 1/q

Attack:

• Select a random com on right as a candidate in G but not S
• Run main, then rewind q times using an outside response each time to complete
• If string for this com appears in main AND on exactly one other thread, output that response as real

25

Bounding Strictly Dependent set of commitments: details

Analysis:

• Guess for random com correct: 1/(2L’)
• Run main; say correct string appeared in main thread: prob p1
• Say when given real response, again correct string appears: prob p2
• On simulated resp, correct string appears only with negl prob
• Prob of correct guess at least p1 · p2 · 1/(2L’)
• If q big enough, contradiction!!

Final Remarks

• We obtain constant round NM com (and zero-knowledge) based on OWFs

• Implements the ideas from Pass-Rosen’05 (long-short NBB simulation or two slot simulation) using only BB simulation

• Hypothesis: Can replace any application of the long-short NBB simulation technique with this protocol (plus Barak’01)

Applications

• Theorem [tighter Kilian]: Assume constant round OT exists. Then there exists constant round MPC

• Our techniques also give the first constant round BB MPC using poly time hardness (improvement to IKLP’06, Wee’10)

• Protocol is public-coin: useful in some follow up works to construct constant round secure computation protocols [Garg-Goyal-Jain-Sahai’12, Cho-Garg-Ostrovsky’12]

28

Result 2: Black-Box NM com [joint with Lee, Ostrovsky, Visconti]

• Previous protocol: has a zero-knowledge proof of consistency in the end

• Idea: Instantiate this zero-knowledge using “MPC in the head” ideas; make only a BB use of commitment scheme

“Computation in the head” paradigm [Ishai-Kushilevitz-Ostrovsky-Sahai 2007]

• Originally used to improve the communication complexity of zero-knowledge protocols

Sender to Receiver: Com(view1), …, com(viewk)
Receiver to Sender: Select k/3 coms at random
Sender to Receiver: Open selected views

• To prove x in L, emulate k virtual players in head
• Inputs are shares of the witness w
• Run computation for function f s.t. f(w) = 1 iff x in L
• Commit to resulting views
• Check output 1 in each view
• Check all views are honest/consistent with each other
• ZK: k/3 views don’t leak anything
• Soundness: to change output lots of players need to cheat
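The computation-in-the-head exchange above, as an added toy implementation; it is not code from the talk or from [IKOS’07]. Assumptions made here: the relation is linear, x = a·w (mod P), chosen only so that the k virtual players need no interaction (each holds an additive share w_i, computes a·w_i and broadcasts it); Com is a SHA-256 hash commitment; k = 6 and k/3 = 2 views are opened per round. The function names prove, open_views, verify and rejection_count are mine. The cheating prover included for illustration does not know w and patches one player's broadcast so the outputs still sum to x, which is exactly the inconsistency the opened views expose.

```python
import hashlib
import secrets
from itertools import combinations

P = (1 << 61) - 1        # field for the shares (constructed choice)
K = 6                    # virtual players emulated in the head
OPEN = K // 3            # views opened per round, as on the slide


def commit(msg: bytes):
    """Toy hash commitment (assumption: Com = SHA-256 over nonce || msg)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + msg).digest(), nonce


def verify_open(com: bytes, msg: bytes, nonce: bytes) -> bool:
    return hashlib.sha256(nonce + msg).digest() == com


def encode_view(view) -> bytes:
    return repr(view).encode()


def prove(a: int, x: int, w: int, lie_player=None):
    """Prover side. Player i holds an additive share w_i of the witness, computes
    x_i = a*w_i and broadcasts it; its view is (w_i, x_i, all broadcasts).
    lie_player (toy cheater only) forces the broadcast sum to x by falsifying one output."""
    shares = [secrets.randbelow(P) for _ in range(K - 1)]
    shares.append((w - sum(shares)) % P)                 # shares sum to w mod P
    outputs = [(a * s) % P for s in shares]
    if lie_player is not None:
        others = sum(outputs) - outputs[lie_player]
        outputs[lie_player] = (x - others) % P           # lie so the outputs reconstruct to x
    views = [(shares[i], outputs[i], tuple(outputs)) for i in range(K)]
    coms, nonces = zip(*(commit(encode_view(v)) for v in views))
    return {"coms": list(coms), "views": views, "nonces": list(nonces)}


def open_views(proof, subset):
    """Prover opens the views the verifier selected."""
    return {i: (proof["views"][i], proof["nonces"][i]) for i in subset}


def verify(a: int, x: int, coms, opened) -> bool:
    """Verifier: openings are valid, every opened player computed honestly, the opened
    views agree on the broadcasts, and the broadcasts reconstruct to the output x."""
    broadcasts = None
    for i, (view, nonce) in opened.items():
        if not verify_open(coms[i], encode_view(view), nonce):
            return False
        w_i, x_i, bc = view
        if x_i != (a * w_i) % P or bc[i] != x_i:         # player i cheated in its own step
            return False
        if broadcasts is None:
            broadcasts = bc
        elif bc != broadcasts:                           # views inconsistent with each other
            return False
    return broadcasts is not None and sum(broadcasts) % P == x


def rejection_count(a: int, x: int, proof):
    """Over all challenges the verifier could send (size-OPEN subsets of the K views),
    how many of them reject this proof. Returns (rejected, total)."""
    subsets = list(combinations(range(K), OPEN))
    rejected = sum(1 for s in subsets if not verify(a, x, proof["coms"], open_views(proof, s)))
    return rejected, len(subsets)


if __name__ == "__main__":
    a, w = 7, 123456
    x = (a * w) % P
    print("honest prover, rejections:", rejection_count(a, x, prove(a, x, w)))
    print("cheater (wrong witness, player 4 lies):", rejection_count(a, x, prove(a, x, 999, lie_player=4)))
```

With one lying player the verifier rejects only when that player's view is among the opened ones (5 of the 15 possible challenges here), which is why the argument is repeated many times to drive the soundness error down; any two opened additive shares are uniformly random, which is the zero-knowledge side of the slide.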

30

Previous protocol

Diagram: VM: com(v; r1), …, com(v; rL); L pairs of commitments; ch in {0,1}^L; send the relevant strings

• First part: standard statement
• Second part: more complex. Need to implement VM in an information theoretic fashion. Use strong extractors and pairwise independent hash functions
• Require extension of the computation in the head ideas

31

Final Remarks

• Constant round multi-party coin tossing using only OWFs

• Constant Round NM statistically hiding commitments (same asymptotic round complexity)

• Open Question: non-interactive non-malleable commitments

32

Thank You!