TY - GEN
T1 - Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles
AU - Lin, Huijia
AU - Pass, Rafael
AU - Soni, Pratik
N1 - Publisher Copyright: © 2017 IEEE.
PY - 2017/11/10
Y1 - 2017/11/10
N2 - Non-malleable commitments are a fundamental cryptographic tool for preventing against (concurrent) man-in-the-middle attacks. Since their invention by Dolev, Dwork, and Naor in 1991, the round-complexity of non-malleable commitments has been extensively studied, leading up to constant-round concurrent non-malleable commitments based only on one-way functions, and even 3-round concurrent non-malleable commitments based on subexponential one-way functions.But constructions of two-round, or non-interactive, non-malleable commitments have so far remained elusive; the only known construction relied on a strong and non-falsifiable assumption with a non-malleability flavor. Additionally, a recent result by Pass shows the impossibility of basing two-round non-malleable commitments on falsifiable assumptions using a polynomial-time black-box security reduction.In this work, we show how to overcome this impossibility, using super-polynomial-time hardness assumptions. Our main result demonstrates the existence of a two-round concurrent non-malleable commitment based on sub-exponential standard-type assumptions-notably, assuming the existence of the following primitives (all with subexponential security): (1) non-interactive commitments, (2) ZAPs (i.e., 2-round witness indistinguishable proofs), (3) collision-resistant hash functions, and (4) a weak time-lock puzzle.Primitives (1),(2),(3) can be based on e.g., the discrete log assumption and the RSA assumption. Time-lock puzzles-puzzles that can be solved by brute-force in time 2^t, but cannot be solved significantly faster even using parallel computers-were proposed by Rivest, Shamir, and Wagner in 1996, and have been quite extensively studied since; the most popular instantiation relies on the assumption that 2^t repeated squarings mod N = pq require roughly 2^t parallel time. Our notion of a weak time-lock puzzle, requires only that the puzzle cannot be solved in parallel time 2^{t^∈} (and thus we only need to rely on the relatively mild assumption that there are no huge} improvements in the parallel complexity of repeated squaring algorithms).We additionally show that if replacing assumption (2) for a non-interactive witness indistinguishable proof (NIWI), and (3) for auniform} collision-resistant hash function, then a non-interactive} (i.e., one-message) version of our protocolsatisfies concurrent non-malleability w.r.t. uniform attackers.
AB - Non-malleable commitments are a fundamental cryptographic tool for preventing against (concurrent) man-in-the-middle attacks. Since their invention by Dolev, Dwork, and Naor in 1991, the round-complexity of non-malleable commitments has been extensively studied, leading up to constant-round concurrent non-malleable commitments based only on one-way functions, and even 3-round concurrent non-malleable commitments based on subexponential one-way functions.But constructions of two-round, or non-interactive, non-malleable commitments have so far remained elusive; the only known construction relied on a strong and non-falsifiable assumption with a non-malleability flavor. Additionally, a recent result by Pass shows the impossibility of basing two-round non-malleable commitments on falsifiable assumptions using a polynomial-time black-box security reduction.In this work, we show how to overcome this impossibility, using super-polynomial-time hardness assumptions. Our main result demonstrates the existence of a two-round concurrent non-malleable commitment based on sub-exponential standard-type assumptions-notably, assuming the existence of the following primitives (all with subexponential security): (1) non-interactive commitments, (2) ZAPs (i.e., 2-round witness indistinguishable proofs), (3) collision-resistant hash functions, and (4) a weak time-lock puzzle.Primitives (1),(2),(3) can be based on e.g., the discrete log assumption and the RSA assumption. Time-lock puzzles-puzzles that can be solved by brute-force in time 2^t, but cannot be solved significantly faster even using parallel computers-were proposed by Rivest, Shamir, and Wagner in 1996, and have been quite extensively studied since; the most popular instantiation relies on the assumption that 2^t repeated squarings mod N = pq require roughly 2^t parallel time. Our notion of a weak time-lock puzzle, requires only that the puzzle cannot be solved in parallel time 2^{t^∈} (and thus we only need to rely on the relatively mild assumption that there are no huge} improvements in the parallel complexity of repeated squaring algorithms).We additionally show that if replacing assumption (2) for a non-interactive witness indistinguishable proof (NIWI), and (3) for auniform} collision-resistant hash function, then a non-interactive} (i.e., one-message) version of our protocolsatisfies concurrent non-malleability w.r.t. uniform attackers.
KW - 2-message
KW - Non-malleable commitment
KW - non-interactive
KW - time-lock puzzles
UR - http://www.scopus.com/inward/record.url?scp=85041138956&partnerID=8YFLogxK
U2 - 10.1109/FOCS.2017.59
DO - 10.1109/FOCS.2017.59
M3 - منشور من مؤتمر
T3 - Annual Symposium on Foundations of Computer Science - Proceedings
SP - 576
EP - 587
BT - Proceedings - 58th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2017
PB - IEEE Computer Society
T2 - 58th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2017
Y2 - 15 October 2017 through 17 October 2017
ER -