MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

Similar documents
Security of Cryptosystems

MTAT Graduate Seminar in Cryptography Duality Between Encryption and Commitments

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Digital Signatures. Sven Laur University of Tartu

SAS-Based Group Authentication and Key Agreement Protocols

IND-CCA2 secure cryptosystems, Dan Bogdanov

Definitions and Notations

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

CS408 Cryptography & Internet Security

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Cryptography. Andreas Hülsing. 6 September 2016

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption

Security Against Selective Opening Attacks

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Lecture 8: Cryptography in the presence of local/public randomness

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

More crypto and security

Using Level-1 Homomorphic Encryption To Improve Threshold DSA Signatures For Bitcoin Wallet Security

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

A New Protocol for Conditional Disclosure of Secrets And Its Applications

Brief Introduction to Provable Security

Public-Key Encryption

Adaptively Secure Computation with Partial Erasures

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Advanced Cryptography 1st Semester Symmetric Encryption

CSC 5930/9010 Modern Cryptography: Digital Signatures

Universally Composable Commitments

Better 2-round adaptive MPC

Chaum s Designated Confirmer Signature Revisited

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Imperfect Decryption and an Attack on the NTRU Encryption Scheme

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Lecture 15: Public Key Encryption: I

Cryptography. Lecture 03

A Parametric Family of Attack Models for Proxy Re-Encryption

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

Authenticated encryption

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Katz, Lindell Introduction to Modern Cryptrography

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Concrete cryptographic security in F*

symmetric cryptography s642 computer security adam everspaugh

Anonymous Signature Schemes

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Information Security CS526

SPHF-Friendly Non-Interactive Commitments

SETUP in secret sharing schemes using random values

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Chosen-Ciphertext Security (II)

Code-Based Cryptography McEliece Cryptosystem

The Twin Diffie-Hellman Problem and Applications

Notion Of Security. February 18, 2009

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Solutions to exam in Cryptography December 17, 2013

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

A Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

1 Achieving IND-CPA security

2 Secure Communication in Private Key Setting

Information Security

On the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption

New Constructions for UC Secure Computation using Tamper-proof Hardware

On the Security of Joint Signature and Encryption

Efficient chosen ciphertext secure PKE scheme with short ciphertext

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

Homework 3: Solution

Topology Hiding Computation on All Graphs. Rio LaVigne

Lecture 10, Zero Knowledge Proofs, Secure Computation

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Homomorphic Encryption

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Anonymizable Ring Signature Without Pairing

The Non-interactive Equivocable Non-malleable Commitment and its Applications

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Goals of Modern Cryptography

6.897: Selected Topics in Cryptography Lectures 9 and 10. Lecturer: Ran Canetti

Chapter 11 : Private-Key Encryption

New Approach to Practical Leakage-Resilient Public-Key Cryptography

A Closer Look at Anonymity and Robustness in Encryption Schemes

Introduction to Secure Multi-Party Computation

Plaintext Awareness via Key Registration

Evaluating Branching Programs on Encrypted Data

On the Security of a Certificateless Public-Key Encryption

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Timed-Release Certificateless Encryption

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Transcription:

MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu

Formal Syntax

m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen outputs a public parameters pk that must be authentically transferred all participants. A commitment function Com pk : M C D takes in a plaintext and outputs a corresponding digest c and decommitment string d. A commitment can be opened with Open pk : C D M { }. The commitment primitive is functional if for all pk Gen and m M: Open pk (Com pk (m)) = m. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 1

Binding property A commitment scheme is (t, ε)-binding if for any t-time adversary A: Adv bind (A) = Pr [ G A = 1 ] ε, where the challenge game is following G A pk Gen (c,d 0, d 1 ) A(pk) m i Open pk (c,d i )for i = 0, 1 if m 0 = or m 1 = then return 0? else return [m 0 = m1 ] MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 2

Collision resistant hash functions A function family H is (t, ε)-collision resistant if for any t-time adversary A: Adv cr H(A) = Pr [ G A = 1 ] ε, where the challenge game is following G A h u H (m 0,m 1 ) A(h) if m 0 = m 1 then return 0 else return [h(m 0 ) =? h(m 1 )] MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 3

Hash commitments Let H be (t, ε)-collision resistant hash function family. construct a binding commitment: Then we can The setup algorithm returns h u H as a public parameter. To commit m, return h(m) as digest and m as a decommitment string. The message m is a valid opening of c if h(m) = c. Usage Integrity check for files and file systems in general. Minimisation of memory footprint in servers: 1. A server stores the hash c h(m) of an initial application data m. 2. Data is stored by potentially malicious clients. 3. Provided data m is correct if h(m ) = c. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 4

Hiding property A commitment scheme is (t, ε)-hiding if for any t-time adversary A: where Adv hid (A) = Pr [ G A 0 = 1 ] Pr [ G A 1 = 1 ] ε, G A 0 pk Gen (m 0, m 1 ) A(pk) (c,d) Com pk (m 0 ) return A(c) G A 1 pk Gen (m 0,m 1 ) A(pk) (c,d) Com pk (m 1 ) return A(c) MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 5

Any cryptosystem is a commitment scheme Setup: Compute (pk,sk) Gen and delete sk and output pk. Commitment: To commit m, sample necessary randomness r R and output: { c Enc pk (m;r), d (m, r). Opening: A tuple (c,m, r) is a valid decommitment of m if c = Enc pk (m;r). MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 6

Security guarantees If a cryptosystem is (t, ε)-ind-cpa secure and functional, then the resulting commitment scheme is (t,ε)-hiding and perfectly binding. We can construct commitment schemes from the ElGamal and Goldwasser-Micali cryptosystems. For the ElGamal cryptosystem, one can create public parameters pk without the knowledge of the secret key sk. The knowledge of the secret key sk allows a participant to extract messages from the commitments. The extractability property is useful in security proofs. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 7

Simple Commitment Schemes

Modified Naor commitment scheme Setup: Choose a random n-bit string pk u {0,1} n. Let f : {0, 1} k {0, 1} n be a pseudorandom generator. Commitment: To commit m {0,1}, generate d {0, 1} k and compute digest c { f(d), if m = 0, f(d) pk, if m = 1. Opening: Given (c,d) check whether c = f(d) or c = f(d) pk. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 8

Security guarantees If f : {0,1} k {0,1} n is (t, ε)-secure pseudorandom generator, then the modified Naor commitment scheme is (t, 2ε)-hiding and 2 2k n -binding. Proof Hiding claim is obvious, since we can change f(d) with uniform distribution. For the binding bound note that and thus PK bad = # {pk : d 0, d 1 : f(d 0 ) f(d 1 ) = pk} 2 2k PK all = # {0,1} n = 2 n Adv bind (A) Pr [pk PK bad ] 2 2k n. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 9

Discrete logarithm Let G = g be a q-element group that is generated by a single element g. Then for any y G there exists a minimal value 0 x q such that g x = y x = log g y. A group G is (t, ε)-secure DL group if for any t-time adversary A Adv dl G(A) = Pr [ G A = 1 ] ε, where G A y u G x A(y) return [g x? = y] MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 10

Pedersen commitment scheme Setup: Let q be a prime and let G = g be a q-element DL-group. Choose y uniformly from G \ {1} and set pk (g, y). Commitment: To commit m Z q, choose r u Z q and output { c g m y r, d (m, r). Opening: A tuple (c,m, r) is a valid decommitment for m if c = g m y r. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 11

Security guarantees Assume that G is (t, ε)-secure discrete logarithm group. Then the Pedersen commitment is perfectly hiding and (t,ε)-binding commitment scheme. Proof Hiding. The factor y r has uniform distribution over G, since y r = g xr for x 0 and Z q is simple ring: x Z q = Z q. Binding. A valid double opening reveals a discrete logarithm of y: g m 0 y r 0 = g m 1 y r 1 log g y = m 1 m 0 r 0 r 1. Note that r 0 r 1 for valid double opening. Hence, a double opener A can be converted to a discrete logarithm finder. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 12

Other Useful Properties

Extractability A commitment scheme is (t, ε)-extractable if there exists a modified setup procedure (pk,sk) Gen such that the distribution of public parameters pk coincides with the original setup; there exists an efficient extraction function Extr sk : C M such that for any t-time adversary Adv ext (A) = Pr [ G A = 1 ] ε where G A (pk, sk) Gen (c,d) A(pk) if Open pk (c,d) = then return 0 else return [Open pk (c,d) =? Extr sk (c)] MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 13

Equivocability A commitment scheme is equivocable if there exists a modified setup procedure (pk,sk) Gen a modified fake commitment procedure (ĉ,σ) Com sk an efficient equivocation algorithm ˆd Equiv sk (ĉ,σ, m) such that the distribution of public parameters pk coincides with the original setup; fake commitments ĉ are indistinguishable from real commitments fake commitments ĉ can be opened to arbitrary values m M, (ĉ, σ) Com sk, ˆd Equiv sk (ĉ, σ,m) : Open pk (ĉ, ˆd) m. opening fake and real commitments are indistinguishable. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 14

Formal security definition A commitment scheme is (t, ε)-equivocable if for any t-time adversary A Adv eqv (A) = Pr [ G A 0 = 1 ] Pr [ G A 1 = 1 ] ε, where G A 0 2 pk Gen repeat m i A (c, d) Com pk (m) Give (c, d) to A 6 until m 4 i = return A G A 1 2 (pk, sk) Gen repeat (c, σ) Com sk, m i A d Equiv sk (c, σ, m) Give (c, d) to A 6 until m 4 i = return A MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 15

A famous example The Pedersen is perfectly equivocable commitment. Setup. Generate x Z q and set y g x. Fake commitment. Generate s Z q and output ĉ g s. Equivocation. To open ĉ, compute r (s m) x 1. Proof Commitment value c has uniform distribution. For fixed c and m, there exists a unique value of r. Equivocation leads to perfect simulation of (c,d) pairs. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 16

Homomorphic commitments A commitment scheme is -homomorphic if there exists an efficient coordinate-wise multiplication operation defined over C and D such that Com pk (m 1 ) Com pk (m 2 ) Com pk (m 1 m 2 ), where the distributions coincide even if Com pk (m 1 ) is fixed. Examples ElGamal commitment scheme Pedersen commitment scheme MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 17

Active Attacks

Non-malleability wrt opening pk Gen pk pk m M 0 (c,d) Com pk (m) c d c d m Open pk (c, d) A commitment scheme is non-malleable wrt. opening if an adversary who knows the input distribution M 0 cannot alter commitment and decommitment values c,d on the fly so that A cannot efficiently open the altered commitment value c to a message m that is related to original message m. Commitment c does not help the adversary to create other commitments. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 18

Formal definition G A 0 2 pk Gen M 0 A(pk) m M 0 (c, d) Com pk (m) π( ), ĉ 1,..., ĉ n A(c) ˆd 1,... ˆd n A(d) if c {ĉ 1,..., ĉ n } then return 0 6 4 ˆm i Open pk (ĉ i, ˆd i ) for i = 1,..., n return π(m, ˆm 1,..., ˆm n ) G A 1 2 pk Gen M 0 A(pk) m M 0, m M 0 (c, d) Com pk (m) π( ), ĉ 1,..., ĉ n A(c) ˆd 1,... ˆd n A(d) if c {ĉ 1,..., ĉ n } then return 0 6 4 ˆm i Open pk (ĉ i, ˆd i ) for i = 1,..., n return π(m, ˆm 1,..., ˆm n ) MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 19

Non-malleability wrt commitment pk Gen pk pk m M 0 (c,d) Com pk (m) c d σ c d m Open pk (c, d) A commitment scheme is non-malleable wrt commitment if an adversary A 1 who knows the input distribution M 0 cannot alter the commitment value c on the fly so that an unbounded adversary A 2 cannot open the altered commitment value c to a message m that is related to original message m. Commitment c does not help the adversary to create other commitments even if some secret values are leaked after the creation of c and c. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 20

Homological classification NM2-CPA NM2-CCA1 NM2-CCA2? NM1-CPA NM1-CCA1 NM1-CCA2? IND-CPA IND-CCA1 IND-CCA2 Can we define decommitment oracles such that the graph depicted above captures relations between various notions where NM1-XXX denotes non-malleability wrt opening, NM2-XXX denotes non-malleability wrt commitment. MTAT.07.003 Cryptology II, Commitment Schemes, 7 April, 2010 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback