Non-Malleable Cryptography�Danny Dolevy Cynthia Dworkz Moni NaorxDecember 30, 1998AbstractThe notion of non-malleable cryptography, an extension of semantically secure cryptography,is de�ned. Informally, in the context of encryption the additional requirement is that giventhe ciphertext it is impossible to generate a di�erent ciphertext so that the respectiveplaintexts are related. The same concept makes sense in the contexts of string commitmentand zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each ofthese three problems are presented. The schemes do not assume a trusted center; a userneed not know anything about the number or identity of other system users.Our cryptosystem is the �rst proven to be secure against a strong type of chosen cipher-text attack proposed by Racko� and Simon, in which the attacker knows the ciphertextshe wishes to break and can query the decryption oracle on any ciphertext other than thetarget.Keywords: cryptography, cryptanalysis, randomized algorithms, non-malleabilityAMS subject classi�cations: 68M10, 68Q20, 68Q22, 68R05, 68R10

�A preliminary version of this work appeared in STOC'91.yDept. of Computer Science, Hebrew University Jerusalem, Israel.zIBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Researchsupported by BSF Grant 32-00032-1. E-mail: dwork@almaden.ibm.com.xDept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100,Israel. Most of this work performed while at the IBM Almaden Research Center. Research supported byBSF Grant 32-00032-1. E-mail: naor@wisdom.weizmann.ac.il.

1 IntroductionThe notion of non-malleable cryptography, is an extension of semantically secure cryptog-raphy. Informally, in the context of encryption the additional requirement is that given theciphertext it is impossible to generate a di�erent ciphertext so that the respective plain-texts are related. For example, consider the problem of contract bidding: Municipality Mhas voted to construct a new elementary school, has chosen a design, and advertises in theappropriate trade journals, inviting construction companies to bid for the contract. Theadvertisement contains a public key E to be used for encrypting bids, and a FAX number towhich encrypted bids should be sent. Company A places its bid of $1; 500; 000 by FAXingE(15; 000; 000) to the published number over an insecure line. Intuitively, the public-keycryptosystem is malleable if, having access to E(15; 000; 000), Company B is more likely togenerate a bid E(�) such that � � 15; 000; 000 than Company B would be able to do withoutthe ciphertext. Note that Company B need not be able to decrypt the bid of Company Ain order to consistently just underbid. In this paper we describe a non-malleable public-keycryptosystem that prevents such underbidding. Our system does not even require Com-pany A to know of the existence of Company B. It also does not require the municipalityM to know of A or B before the companies bid, nor does it require A or B to have any kindof public key. The system remains non-malleable even under a very strong type of chosenciphertext attack in which the attacker knows the ciphertext she wishes to break (or maul)and can query the decryption oracle on any ciphertext other than the target.A well-established, albeit implicit, notion of non-malleability is existential unforgeabilityof signature schemes [44]. Informally, a signature scheme is existentially unforgeable if, givenaccess to ((m1; S(m1)); : : : ; (mk; S(mk)), where S(mi) denotes a signature on message mi,the adversary cannot construct a single valid (m;S(m)) pair for any new message m {even a nonsense message or a function of m1; : : : ;mk. Thus, existential unforgeability forsignature schemes is the \moral equivalent" of non-malleability for cryptography. We donot construct signature schemes in this paper. However, we introduce the related notionof public-key authentication and present a simple method of constructing a provably securepublic-key authentication scheme based on any non-malleable public-key cryptosystem1.Non-malleability is also important in private-key cryptography. Many common proto-cols, such as Kerberos or the Andrew Secure Handshake, use private key encryption as asort of authentication mechanism: parties A and B share a key KAB . A sends to B theencryption of a nonce N under KAB , and the protocol requires B to respond with the en-cryption under KAB of f(N), where f is some simple function such as f(x) = x� 1. Theunproved and unstated assumption (see, e.g. [16]) is that seeing KAB(N) doesn't help animposter falsely claiming to be B to compute KAB(f(N)). As we shall see, this is preciselythe guarantee provided by non-malleability.Non-malleability is a desirable property in many cryptographic primitives other thanencryption. For example, suppose Researcher A has obtained a proof that P 6= NP andwishes to communicate this fact to Professor B. Suppose that, to protect herself, A provesher claim to B in a zero-knowledge fashion. Is zero-knowledge su�cient protection? Pro-fessor B may try to steal credit for this result by calling eminent Professor E and actingas a transparent prover. Any questions posed by Professor E to Professor B are relayed by1For more on existentially unforgeable signature schemes see [27, 44, 59].1

the latter to A, and A's answers to Professor B are then relayed in turn to Professor E.We solve this problem with a non-malleable zero-knowledge proof of knowledge. ResearcherA will get proper credit even without knowing of the existence of Professor E, and even ifProfessor E is (initially) unaware of Researcher A.Our work on non-malleability was inspired by early attempts to solve the distributedcoin ipping problem. Although t+1 rounds are necessary for solving Byzantine agreementin the presence of t faulty processors [33], in the presence of a global source of randomnessthe problem can be solved in constant expected time [61]. Thus, in the mid-1980's severalattempts were made to construct a global coin by combining the individual sources ofrandomness available to each of the participants in the system. At a very high level, theoriginal attempts involved commitment to coins by all processors, followed by a revelationof the committed values. The idea was that the global coin would be the exclusive-or(or some other function) of the individual committed values. Disregarding the question ofhow to force faulty processors to reveal their committed values, the original attempts erredbecause secrecy was confused with independence. In other words, the issue was malleability:even though the faulty processors could not know the committed values of the non-faultyprocessors, they could potentially force a desired outcome by arranging to commit to aspeci�c function of these (unknown) values.As the examples show, secrecy does not imply independence. The goal of non-malleablecryptography is to force this implication.1.1 Description of Principal ResultsNon-Malleable Public Key CryptographyGoldwasser and Micali de�ne a cryptosystem to be semantically secure if anything com-putable about the cleartext from the ciphertext is computable without the ciphertext [42].This powerful type of security may be insu�cient in the context of a distributed system, inwhich the mutual independence of messages sent by distinct parties often plays a criticalrole. For example, a semantically secure cryptosystem may not solve the contract biddingproblem. Informally, a cryptosystem is non-malleable if the ciphertext doesn't help: giventhe ciphertext it is no easier to generate a di�erent ciphertext so that the respective plain-texts are related than it is to do so without access to the ciphertext. In other words, asystem is non-malleable if, for every relation R, given a ciphertext E(�), one cannot gener-ate a di�erent ciphertext E(�) such that R(�; �) holds any more easily than can be donewithout access to E(�)2. We present public-key cryptosystem that is non-malleable evenagainst what we call a chosen ciphertext attack in the post-processing mode (de�ned infor-mally in Section 2.1 and formally in Section 3). Since non-malleability is an extension ofsemantic security, this yields the �rst public-key cryptosystem that is semantically secureagainst this strong type of chosen ciphertext attack.Our cryptosystem does not assume a trusted center, nor does it assume that any givencollection of users knows the identities of other users in the system. In contrast, all otherresearch touching on this problem of which we are aware requires at least one of these2Clearly, there are certain kinds of relations R that we cannot rule out. For example, if R(�; �) holdsprecisely when � 2 E(�) then from E(�) it is trivial to compute �, and hence E(�), such that R(�; �) issatis�ed. For formal de�nitions and speci�cations see Section 2.2

assumptions (e.g., [20, 21, 62]).Non-Malleable String CommitmentA second important scenario for non-malleability is string commitment. Let A and Brun a string commitment protocol. Assume that A is non-faulty, and that A commits to thestring �. Assume that, concurrently, C and D are also running a commitment protocol inwhich C commits to a string �. If B and C are both faulty, then even though neither of theseplayers knows �, it is conceivable that � may depend on �. The goal of a non-malleablestring commitment scheme is to prevent this.We present a non-malleable string commitment scheme with the property that if theplayers have names (from a possibly unbounded universe), then for all polynomial-timecomputable relations R our scheme ensures that C is no more likely to be able to arrangethat R(�; �) holds than it could do without access to the (A;B) interaction. Again, thescheme works even if A is unaware of the existence of C andD. If the players are anonymous,or the names they claim cannot be veri�ed, then again if � 6= � then the two strings are nomore likely to be related by R.Intuitively, it is su�cient to require that that C know the value to which it is committingin order to guarantee that � and � are unrelated. To see this, suppose C knows � andC also knows that R(�; �) holds. Then C knows \something about" �, thus violatingthe semantic security of the (A;B) string commitment. Proving possession of knowledgerequires specifying a knowledge extractor, which, given the internal state of C, outputs �.In our case, the extractor has access to the (A;B) interaction, but it cannot rewind A.Otherwise it would only be a proof that someone (perhaps A) knows �, but not necessarilythat C does.Non-Malleable Zero-Knowledge ProtocolsUsing non-malleable string commitment as a building block, we can convert any zero-knowledge interaction into a non-malleable one. In particular we obtain non-malleable zero-knowledge proofs of possession of knowledge, in the sense of Feige, Fiat, and Shamir [31].Zero-knowledge protocols [43] may compose in an unexpectedly malleable fashion. A classicexample is the so-called \man-in-the-middle" attack (also known as the \intruder-in-the-middle," \Ma�a scam," and \chess-masters problem") [24] on an identi�cation scheme,similar in spirit to the transparent intermediary problem described above. Let A and D benon-faulty parties, and let B and C be cooperating faulty parties (they could even be thesame party). Consider two zero-knowledge interactive proof systems, in one of which A isproving to B knowledge of some string �, and in the other C is proving to D knowledge ofsome string �. The two proof systems may be operating concurrently; since B and C arecooperating the executions of the (A;B) and (C;D) proof systems may not be independent.Intuitively, non-malleability says that if C can prove knowledge of � to D while A provesknowledge of � to B, then C could prove knowledge of � without access to the (A;B)interaction. The construction in Section 5 yields a non-malleable scheme for zero-knowledgeproof of possession of knowledge.1.2 Some Technical RemarksNon-Malleability in Context 3

In the scenarios we have been describing, there are (at least) two protocol executions in-volved: the (A;B) interaction and the (C;D) interaction. Even if both pairs of players are,say, running string commitment protocols, the protocols need not be the same. Similar ob-servations apply to the cases of non-malleable public-key cryptosystems and non-malleablezero-knowledge proofs of knowledge. Thus non-malleability of a protocol really only makessense with respect to another protocol. All our non-malleable protocols are non-malleablewith respect to themselves. A more general result is mentioned brie y in Section 5.IdentitiesOne delicate issue is the question of identities. Let � and � be as above. If the playershave names, then our commitment and zero-knowledge interaction protocols guarantee that� is independent of �. The names may come from an unbounded universe. Note thatthere are many possibilities for names: timestamps, locations, message histories, and soon. If the players are anonymous, or the names they claim cannot be veri�ed, then it isimpossible to solve the transparent prover problem described earlier. However, the faultyprover must be completely transparent: if � 6= � then the two strings are unrelated by anyrelation R. In particular, recall the scenario described above in which (relatively unknown)Researcher A seeks credit for the P 6= NP result and at the same time needs protectionagainst the transparent prover attack. Instead of proving knowledge of a witness s thatP 6= NP , Researcher A can prove knowledge of a statement � = A� s. In this case the onlydependent statement provable by Professor B is �, which contains the name A. Note thatwe do not assume any type of authenticated channels.Computational complexity assumptionsWe assume the existence of trapdoor functions in constructing our public-key cryptosys-tems. The string commitment protocols and the compiler for zero-knowledge interactionsrequire only one-way functions.2 De�nitions and System ModelSince non-malleability is a concept of interest in at least the three contexts of encryption,bit/string commitment, and zero-knowledge proofs, we give a single general de�nition thatapplies to all of these. Thus, when we speak of a primitive P we can instantiate any of thesethree primitives. We start in Section 2.1 by providing de�nitions for the primitives, as wellas for some of the tools we use. Our presentation of the notion of security is non-standardand we call it semantic security with respect to relations. In Theorem 2.2 we show that ourversion is equivalent to the \traditional" de�nition We prefer this version for several reasons:� It provides a uniform way of treating the security of all the primitives, i.e., the de�-nition of zero-knowledge and semantic security do not seem di�erent.� It generalizes to the non-malleable case in a natural way, whereas the usual notion ofsemantic security (provably) does not.In Section 2.2 we provide the de�nition of non-malleable security. In Section 2.3 we de-�ne the system model which is most relevant to those primitives which involve a lot ofinteraction. 4

The following de�nitions and notation are common to all the sections. We use X 2R Bto mean that X is chosen from B at random. If B is a set then X is simply chosen uniformlyat random from the elements of B. If B is a distribution, then X 2R B means that X ischosen according to B from the support of B.An interactive protocol (A;B)[c; a; b] is an ordered pair of polynomial time probabilisticalgorithms A and B to be run on a pair of interactive Turing machines with common inputc and with private inputs a and b, respectively, where any of a; b; c might be null.We distinguish between the algorithm A and the agent (A) that executes it. We alsouse (A) to denote a faulty agent that is \supposed" to be running A (that is, that thenon-faulty participants expect it to be running A), but has deviated from the protocol.Thus A is the protocol, and (A) is the player.2.1 De�nitions of PrimitivesIn this section we review the de�nitions from the literature of probabilistic public keycryptosystems, string commitment, zero-knowledge interaction and non-interactive zero-knowledge proof systems, all of which are used as primitives in our constructions. Asmentioned above, we provide a unifying treatment of the security of all the primitives.Probabilistic Public Key EncryptionA probabilistic public key encryption scheme (see [42]) consists of:� GP , the key generator. A probabilistic machine that on unary input 1n, where n isthe security parameter, outputs a pair of strings (e; d) (e is the public key and d is thesecret key)� E, the encryption function, gets three inputs: the public key e, b 2 f0; 1g, and arandom string r of length p(n), for some polynomial p. Ee(b; r) is computable inpolynomial time.� D, the decryption function, gets two inputs: c which is a ciphertext and the privatekey d which was produced by GP . Dd(c) is computable in expected polynomial time.� if GP outputs (e; d), then8b 2 f0; 1g 8r 2 f0; 1gp(n) Dd(Ee(b; r)) = b� The system has the property of indistinguishability: for all polynomial time machinesM , for all c > 0 9nc s.t. for n > ncjProb[M(e;Ee(0; r)) = 1]� Prob[M(e;Ee(1; r)) = 1]j < 1ncwhere the probability is taken over the coin ips of GP , M and the choice of r.This de�nition is for bit encryption and the existence of such a method su�ces for ourconstructions. To encrypt longer messages one can concatenate several bit encryptions oruse some other method. The de�nition of indistinguishability in this case becomes that Mcannot �nd two messages (m0;m1) for which it can distinguish with polynomial advantage5

between encryptions of m0 and m1. For implementations of probabilistic encryption see[2, 14, 39, 51, 65]. In particular, such schemes can be constructed from any trapdoorpermutation.When describing the security of a cryptosystem, one must de�ne what the attack isand what it means to break the system. The traditional notion of breaking (since [42])has been a violation of semantic security or, equivalently, a violation of indistinguishability.This work introduces the notion of non-malleable security, and a break will be a violationof non-malleability. We return to this in Section 2.2. We consider three types of attacksagainst a cryptosystem:� Chosen plaintext. This is the weakest form of attack that makes any sense against apublic-key cryptosystem. The attacker can (trivially) see a ciphertext of any plaintextmessage (because she can use the public encryption key to encrypt).� Chosen ciphertext in the sense of [60], sometimes called lunch-break or lunch-timeattacks in the literature; we prefer the term chosen ciphertext attack in the pre-processing mode, abbreviated CCA-pre. Here, the adversary may access a decryptionoracle any polynomial (in the security parameter) number of times. Then the oracleis removed and a \challenge" ciphertext is given to the attacker.� Chosen ciphertext in the sense of Racko� and Simon [62]; we prefer the term chosenciphertext attack in the post-processing mode, abbreviated CCA-post. This is de�nedformally in Section 3. The key point is that the attacker sees the challenge ciphertextbefore the oracle is removed, and can ask the oracle to decrypt any (possibly invalid)ciphertext except the challenge.Our version of semantic security under chosen plaintext attack is the following: Let Rbe a relation. We de�ne two probabilities. Let A be an adversary that gets a key e andproduces a distributionM on messages of length `(n) by producing a description (includinga speci�c time bound) of a polynomial time machine that generates M. A is then given achallenge consisting of a ciphertext c 2R Ee(m), where m 2R M and Ee(m) denotes theset fEe(m; r) s:t: jrj = p(n)g. In addition, A receives a \hint" (or history) about m inthe form of hist(m), where hist is a polynomially computable function. A then produces astring �. We assume that the pre�x of � is the description of M. A is considered to havesucceeded with respect to R if R(m;�). Since � contains a description of M, R is awareof M and may decide to accept or reject based on its description. This rules out achieving\success" by choosing a trivial distribution. Let �(A; R) be the probability that A succeedswith respect to R. The probability is over the choice of e, the coin- ips of A, and the choiceof m, so in particular it is also over the choice of M.For the second probability, we have an adversary simulator A0 who will not have accessto the encryption. On input e, A0 chooses a distributionM0. Choose an m 2R M0 and givehist(m) to A0. A0 produces �. As above, A0 is considered to have succeeded with respectto R if R(m;�). Let �0(A0; R) be the probability that A0 succeeds.Remark 2.1 1. In their seminal paper on probabilistic encryption, Goldwasser and Micaliseparate the power of the adversary into two parts: a message �nder that, intuitively, triesto �nd a pair of messages on which the cryptosystem is weak, and the line tapper, that6

tries to guess which of the two chosen messages is encrypted by a given ciphertext [42].Accordingly, we have let A choose the message space M, on which it will be tested. Byletting A0 choose M0 (rather than \inheriting" M from A), we are letting the simulatorcompletely simulate the behavior of the adversary, so in this sense our de�nition is natural.A second reason for this choice is discussed in Section 3.4.3.2. As noted above, the fact that the description of M or M0 is given explicitly to Rprevents A0 from choosing a trivial distribution, e.g. a singleton, since R can \rule out"such M's.De�nition 2.1 A scheme S for public-key cryptosystems is semantically secure with re-spect to relations under chosen plaintext attack if for every probabilistic polynomial timeadversary A as above there exists a probabilistic polynomial time adversary simulator A0such that for every relation R(m;�) and function hist(m) computable in probabilistic poly-nomial time j�(A; R)� �0(A0; R) j is subpolynomial3.In this de�nition, the chosen plaintext attack is implicit in the de�nition of A. This is aconvention that will be followed throughout the paper.Note the di�erences between our de�nition of semantic security with respect to relationsand the original de�nition of semantic security [42]: in the original de�nition the challengewas to compute f(x) given E(x), where the function f is not necessarily even recursive. Incontrast, here R is a relation and it is probabilistic polynomial time computable. Neverthe-less, the two de�nitions are equivalent, as we prove in Theorem 2.2.We prove the following theorem for the case of chosen plaintext attacks; the proof carriesover to chosen ciphertext attacks in both the pre- and post-processing modes.Theorem 2.2 A public key cryptosystem is semantically secure with respect to relationsunder chosen plaintext attack if and only if it has the indistinguishability property.Proof. Consider the following three experiments. Choose an encryption key e using GP .Given the public-key e, A produces a distribution M. Sample �1; �2 2R M.In the �rst experiment, A is given hist(�1) and Ee(�1) and produces �1. Note that forany relation R Pr[R(�1; �1) holds] = �(A; R):In the second experiment, A is given hist(�1) and Ee(�2) and produces �2. Let� = Pr[R(�1; �2) holds]:Note that if �(A; R) and � di�er polynomially, then we have a distinguisher for encryp-tions of �1 and �2 (which may be converted via a hybrid argument into a distinguisher forencryptions of 0 and 1).For the third experiment, consider an A0 that generates an e using GP and simulatesA on e to get a distribution M. It gives M as the distribution on which it should betested. A0 is then given hist(�) for an � 2R M. A0 generates �0 2R M and gives to the3In an earlier version of the paper the order of quanti�ers here and in De�nition 2.2 was di�erent:8R8A9A0. The two de�nitions are equivalent; we have chosen the current de�nition because it is consistentwith the de�nition of zero-knowledge. The proofs of the theorems are unchanged.7

simulated A the hint hist(�) and the encryption Ee(�0). The simulated A responds withsome �, which is then output by A0. Note that �0(A0; R) = �. Thus, if the cryptosystemhas the indistinguishability property then j�(A; R) � �0(A0; R) j is subpolynomial, so thecryptosystem is semantically secure with respect to relations.We now argue that if a cryptosystem does not have the indistinguishability propertythen it is not semantically secure with respect to relations. If a system does not have theindistinguishability property then there exists a polynomial time machine M that giventhe public-key can �nd two message (m0;m1) for which it can distinguish encryptions ofm0 from encryptions of m1. The speci�cation of A is as follows: Given a key e, A runsM to obtain (m0;m1). Let M = fm0;m1g, where m0 and m1 each has probability 1=2be the message distribution on which A is to be tested. The function hist is the trivialhist(x) = 1 for all x. Given an encryption 2R Ee(m), where m 2R M, A uses M to guessthe value of m and outputs �, the resulting guess plus the description of M. The relationR that witnesses the fact that the cryptosystem is not semantically secure with respect torelations is equality plus a test of consistency with M. Recall that the description of Mis provided explicitly and hence R can also check that M is of the right form. Since Mis by assumption a distinguisher, having access to the ciphertext gives A a polynomialadvantage at succeeding with respect to R over any A0 that does not have access to theciphertext (which has probability 1=2). 2Thus, a scheme is semantically secure with respect to relations if and only if it has theindistinguishability property. It follows from the results in [36, 42, 53] that the notions ofof (traditional) semantic security, indistinguishability and semantically secure with respectto relations are all equivalent.String CommitmentThe literature discusses two types of bit or string commitment: computational and infor-mation theoretic. These terms describe the type of secrecy of the committed values o�eredby the scheme. In computational bit commitment there is only one possible way of openingthe commitment. Such a scheme is designed to be secure against a probabilistic polynomialtime receiver and an arbitrarily powerful sender. In information theoretic commitment it ispossible to open the commitment in two ways, but the assumed computational boundednessof the sender prevents him from �nding the second way. Such a scheme is designed to besecure against an arbitrarily powerful receiver and a probabilistic polynomial time prover.We restrict our attention to computational string commitment.A string commitment protocol between sender A and receiver B consists of two stages:� The commit stage: A has a string � to which she wishes to commit to B. She and Bexchange messages. At the end of this stage B has some information that represents�, but B should gain no information on the value of � from the messages exchangedduring this stage.� The reveal stage: at the end of this stage B knows �. There should be only one stringthat A can reveal.The two requirements of a string commitment protocol are binding and secrecy. Bindingmeans that following the commit stage the A can reveal at most one string. In our scenario8

we require the binding to be unconditional, but probabilistic: with high probability overB's coin- ips, following the commit stage there is at most one string that B accepts (as thevalue committed) in the reveal stage.The type of secrecy we require is semantical security. We specify what this means, usingthe notions of security with respect to relations (however, as above, it is equivalent to the\traditional" way of de�ning semantic security [35]). Let A be an adversary that producesa distribution M on strings of length `(n) computable in probabilistic polynomial time. Astring � 2R M is chosen and A receives hist(�), where hist is a probabilistic polynomialtime computable function. The commitment protocol is executed where (A) follows theprotocol and (B) is controlled by A. The adversary A then produces a string �. Weassume that the pre�x of � is the description of M.A is considered to have succeeded with respect to R if R(�; �). Let �(A; R) be theprobability that A succeeds with respect to R. The probability is over the coin- ips of A,and the choice of �.For the second probability, we have an adversary simulator A0 who will not have accessto the ( (A); (B)) execution of the string commitment protocol. A0 chooses a distributionM0. An � 2R M0 and hist(m) is given to A0. A0 produces �. As above, A0 is considered tohave succeeded with respect to R if R(�; �).De�nition 2.2 A commitment scheme is semantically secure with respect to relations iffor every probabilistic polynomial time adversary A as above there exists a probabilisticpolynomial time adversary simulator A0 such that for every relation R(�; �) and functionhist(m) computable in probabilistic polynomial time j�(A; R)��0(A0; R) j is subpolynomial.Zero-Knowledge Interaction We next present a generalization of a (uniform) zero-knowledge interactive proof of language membership.Let (A;B)[a; b] be an interactive protocol, where (a; b) belongs to a set � of legal inputpairs to A and B. (In the special case of zero-knowledge proofs of language membership,the valid pairs (a; b) have the property that the pre�xes of a and b are the common inputx 2 L.) Roughly speaking, we say that (A;B) is zero-knowledge with respect to B if forevery polynomial time bounded B0, there exists a simulator that can produce conversationsbetween (A;B0) which are indistinguishable from the actual (A;B0) conversation. Moreaccurately, and pursuing the terminology of this section, let A be an adversary that controls (B). A chooses a joint distribution D, consistent with �, on [a; b], and then a pair [a; b]is drawn according to D, (A) gets a, (B) gets b, and the interaction proceeds by (A)following the protocol (while (B)'s actions are controlled by A). The result is a transcriptT of the conversation between (A) and (B). A also produces a string � which containsas a pre�x the description of D (and may contain such information as the state of (B) atthe end of the protocol).Let R be a ternary relation. A is considered to have succeeded with respect to R ifR([a; b]; T; �). Let �(A; R) be the probability that A succeeds with respect to R. Theprobability is over the coin- ips of A, the coin- ips of (A) and the choice of [a; b].On the other hand, we have A0 that selects D0 consistent with �. A pair [a; b] is thendrawn according to D0 and A0 receives b. A0 produces a transcript T 0 and a string �0. A0is considered to have succeeded with respect to R if R([a; b]; T 0; �0). Let �(A0; R) be the9

probability that A succeeds with respect to R. The probability is over the coin- ips of A0and the choice of [a; b].De�nition 2.3 A protocol (A;B) is zero-knowledge with respect B if for all probabilisticpolynomial time adversaries A as above there exists a probabilistic polynomial time adversarysimulator A0 such that for every relation R computable in probabilistic polynomial timej�(A; R)� �0(A0; R) j is subpolynomial.(If (a; b) =2 � then zero-knowledge is not ensured, but other requirements may hold, de-pending on the protocol.)Two interesting examples of zero-knowledge interaction are proof of language member-ship [43, 40] and proofs of knowledge [31]. Both of these can be based on the existence ofstring commitment protocols.Non-Interactive Zero-Knowledge Proof SystemsAn important tool in the construction of our public-key cryptosystem are non-interactivezero-knowledge proof systems. The following explanation is taken almost verbatim from[60]: A (single theorem) non-interactive proof system for a language L allows one partyP to prove membership in L to another party V for any x 2 L. P and V initially sharea string U of length polynomial in the security parameter n. To prove membership of astring x in Ln = L \ f0; 1gn, P sends a message p as a proof of membership. V decideswhether to accept or to reject the proof. Non-interactive zero knowledge proof systems wereintroduced in [12, 13]. A non-interactive zero-knowledge scheme for proving membershipin any language in NP which may be based on any trapdoor permutation is described in[32]. Recently, Kilian and Petrank [48, 49] found more e�cient implementations of suchschemes. Their scheme is for the circuit satis�ability problem. Let k be a security parameter.Assuming a trapdoor permutation on k bits, the length of a proof of a satis�able circuit ofsize L (and the size of the shared random string) is O(Lk2).The shared string U is generated according to some distribution U(n) that can begenerated by a probabilistic polynomial time machine. (In all the examples we know of it isthe uniform distribution on strings of length polynomial in n and k, where the polynomialdepends on the particular protocol, although this is not required for our scheme.)Let L be in NP. For any x 2 L let WL(x) = fzj z is a witness for xg be the set ofstrings that witness the membership of x in L. For the proof system to be of any use, Pmust be able to operate in polynomial time if it is given a witness z 2 WL(x). We callthis the tractability assumption for P. In general z is not available to V.Let P(x; z; U) be the distribution of the proofs generated by P on input x, witness z,and shared string U . Suppose that P sends V a proof p when the shared random string isU . Then the pair (U; p) is called the conversation. Any x 2 L and z 2 WL(x) induces aprobability distribution CONV(x; z) on conversations (U; p) where U 2 U is a shared stringand p 2 P(x; z; U) is a proof.For the system to be zero-knowledge, there must exist a simulator Sim which, on inputx, generates a conversation (U; p). Let Sim(x) be the distribution on the conversationsthat Sim generates on input x, let SimU (x) = SimU be the distribution on the U partof the conversation, and let SimP (x) be the distribution on the proof component. In thede�nitions of [13, 32] the simulator has two steps: it �rst outputs SimU without knowing10

x, and then, given x, it outputs SimP (x). (This requirement, that the simulator not knowthe theorem when producing U , is not essential for our purposes, however, for convenienceour proof in Section 3.3 does assume that the simulator is of this nature.)Let ACCEPT (U; x) = fpjV accepts on input U; x; pgand let REJECT (U; x) = fpjV rejects on input U; x; pg:The following is the de�nition of non-interactive proof systems of [12], modi�ed toincorporate the tractability of P. The uniformity conditions of the system are adoptedfrom Goldreich [35].De�nition 2.4 A triple (P;V;U), where P is a probabilistic polynomial time machine, V isa polynomial time machine, and U is a polynomial time sampleable probability distributionis a non-interactive zero-knowledge proof system for the language L 2 NP if:1. Completeness (if x 2 L then P generates a proof that V accepts): For all x 2 Ln, forall z 2 WL(x), with overwhelming probability for U 2R U(n) and p 2R P(x; z; U),p 2 ACCEPT (U; x). The probability is over the choice of the shared string U and theinternal coin ips of P.2. Soundness (if y 62 L then no prover can generate a proof that V accepts): For all y 62 Lnwith overwhelming probability over U 2R U(n) for all p 2 f0; 1g�, p 2 REJECT (U; y).The probability is over the choices of the shared string U .3. Zero-knowledge: there is a probabilistic polynomial time machine Sim which is a sim-ulator for the system: For all probabilistic polynomial time machines C, if C generatesx 2 L and z 2WL(x) then,jProb[C(w) = 1jw 2R Sim(x)]� Prob[C(w) = 1jw 2R CONV(x; z)]j < 1p(n)for all polynomials p and su�ciently large n.2.2 De�nitions Speci�c to Non-MalleabilityIn any interactive protocol (A;B) for primitive P, party A has an intended value. In thecase of encryption it is the value encrypted in (B)'s public key; in string commitment it isthe string to which (A) commits; in a zero-knowledge proof it is the theorem being provedinteractively. The intended value is a generalization of the notion of an input. Indeed, when (A) is non-faulty we may refer to the intended value as an input to A. However, we do notknow how to de�ne the input to a faulty processor that can, for example, refuse to committo it. In this case we may need to substitute in a default value. The term intended valuecovers cases like this.We sometimes refer to (A) as the Sender and to (B) as the Receiver. We use theverb to send to mean, as appropriate, to send an encrypted message, to commit to, and toprove knowledge of. Intuitively, in each of these cases information is being transmitted, orsent, from the Sender to the Receiver. 11

Interactive protocols (A;B), including the simple sending of an encrypted message,are executed in a context, and the participants have access to the history preceding theprotocol execution. When (A) has intended value �, we assume both parties have accessto hist(�), intuitively, information about the history that leads to (A) running the protocolwith intended value �.In some cases we also assume an underlying probability distribution D on intendedvalues, to which both parties have access (that is, from which they can sample in polynomialtime).An adversarially coordinated system of interactive protocolsh(A;B); (C;D); A : (B)$ (C)iconsists of two interactive protocols (A;B) and (C;D), an adversary A controlling theagents (B) and (C), the communication between these agents, and the times at whichall agents take steps.Generally, we are interested in the situation in which A = C and B = D, for example,when both interactive protocols are the same bit commitment protocol. Thus, for theremainder of the paper, unless otherwise speci�ed, (A;B) = (C;D), but (A); (B); (C)and (D) are all distinct.Consider the adversarially coordinated system h(A;B); (C;D); A : (B) $ (C)i. Inan execution of this system, (A) sends an intended value � 2R D in its conversation with (B), and (C) sends an intended value � in its conversation with (D). If (C) fails todo so { e.g., fails to respond to a query, is caught cheating, or produces invalid ciphertexts{ we take � to be all zeros.We treat \copying" slightly di�erently in the context of encryption, which is non-interactive, and in the commitment and zero-knowledge settings, which are interactive.In particular, our results are stronger for encryption, since our construction rules out any-thing but exact copying of the ciphertext. Thus, seeing the ciphertext does not help theadversary to construct a di�erent encryption of the same message. In the interactive settingwe only ensure that if � 6= �, then the two values are unrelated. We use identities (chosenby the users and not enforced provided by any authentication mechanism) to force � and �to be di�erent. In particular, if the adversary wishes to be a transparent intermediary, thenwe do not bother to rule out the case in which the adversary commits to or proves exactlythe same string as A does, even if it gives a di�erent commitment (to the same value) or adi�erent proof (of the same theorem).We now formally de�ne the non-malleability guarantee in the interactive setting. A re-lation approximator R is a probabilistic polynomial time Turing machine taking two inputs4and producing as output either zero or one. The purpose of the relation approximator isto measure the correlation between � and �. That is, R measures how well the adversarymanages to make � depend on �. In the interactive settings, we restrict our attention tothe special class of relation approximators which on input pairs of the form (x; x) alwaysoutput zero. The intuition here is that we cannot rule out copying, but intuitively this isnot the cases in which the adversary \succeeds."When we discuss composition (or parallel execution) we will extend the de�nition sothat the �rst input is actually a vector V of length k. The intuition here is that C may4Sometimes we will need R to take three inputs, the third being in plaintext.12

have access to several interactions with, and values sent by, non-faulty players. In that case,the approximator must output zero on inputs (V; y) in which y is either a component ofV , corresponding to the case in which (C) sends the same value as one of the non-faultyplayers (in the case of encryption this is ruled out by the de�nition of the adversary).Given a probability distribution on the pair of inputs, there is an a priori probability,taken over the choice of intended values and the coin ips of R, that R will output one. Inorder to measure the correlation between � and � we must compare R's behavior on inputpairs (�; �) generated as described above to its behavior on pairs (�; ), where is sentwithout access to the sending of � (although as always we assume that (C) has access toD and hist(�)).An adversary simulator for a commitment (zero-knowledge proof of knowledge) schemeS with input distribution D and polynomial time computable function hist, is a probabilisticpolynomial time algorithm that, given hist, hist(�), and D, produces an intended value .Consider an adversarially coordinated system of interactive protocols h(A;B); (C;D); A : (B) $ (C)i where (A;B) and (C;D) are both instances of S, and � is the set of legalinput pairs to the two parties executing S. A may choose any probabilistic polynomial timesampleable distribution D on the joint distribution to all four players, (A); (B); (C); (D);respectively, where the inputs to (A) and (B) are consistent with �. Let (�; x; y; �) 2R D.For any relation approximator R, let �(A; R) denote the probability, taken over all choicesof (A), (D), A, and R, that A, given x, y, hist(�), and participation in the (A;B)execution in which (A) sends �, causes (C) to send � in the (C;D) execution, such thatR(�; �) outputs 1, under some speci�ed form of attack (Since (C) is under control of theadversary there is no reason that � should equal y.)Similarly, for an adversary simulator A0 choosing a joint distribution D0 for all fourplayers where the inputs to (A) and (B) are consistent with �, for (�; x; y; �) 2R D0, letA0 have access to x, y, and hist(�), and let A0 send . Let �0(A0; R) denote the probability,taken over the the choices made of A0, and the choices of R, that R(�; ) = 1.De�nition 2.5 A scheme S for a primitive P is non-malleable with respect to itself undera given type of attack G, if for all adversarially coordinated systems h(A;B); (C;D); A : (B)$ (C)i where (A;B) = (C;D) = S, where A mounts an attack of type G, there existsan adversary simulator A0 such that for all relation approximators R, j�(A; R)��0(A0; R) jis subpolynomial5.Note that this de�nition is applicable to all three primitives. As stated above, theprecise attack against the system is crucial to the de�nition of A and hence of �(A; R).In particular, when we discuss encryption in Section 3, we will specify the nature of theadversary precisely. The de�nition makes sense for all types of attack, with the appropriatechoices of �(A; R). Finally, we must specify the \unit" which we are trying to protect, i.e.,is it a single encryption or several.5In the previous version of this paper the order of quanti�ers was 8R8A9A0, yielding a possibly weakerde�nition. However, all the constructions in our work satisfy the stronger order of quanti�ers given here.Now all our de�nitions share a common order of quanti�ers.13

2.3 System ModelWe assume a completely asynchronous model of computing. For simplicity, we assumeFIFO communication links between processors (if the links are not FIFO then this can besimulated using sequence numbers). We do not assume authenticated channels.We do not assume the usual model of a �xed number of mutually aware processors.Rather, we assume a more general model in which a given party does not know which otherparties are currently using the system. For example, consider a number of interconnectedcomputers. A user (\agent") can log into any machine and communicate with a user onan adjacent machine, without knowing whether a given third machine is actually in use atall, or if the second and third machines are currently in communication with each other. Inaddition, the user does not know the set of potential other users, nor need it know anythingabout the network topology.Thus, we do not assume a given user knows the identities of the other users of thesystem. On the other hand, our protocols may make heavy use of user identities. Onedi�culty is that in general, one user may be able to impersonate another. There are severalways of avoiding this. For example, Racko� and Simon [62] propose a model in which eachsender possesses a secret associated with a publicly known identifying key issued by a trustedcenter.In the scenario of interconnected computers described above, an identity could be com-posed of the computer serial number and a timestamp, possibly with the addition of theclaimed name of the user. In the absence of some way of verifying claimed identities, exactcopying of the pair, claimed identity and text, cannot be avoided, but we rule out essentiallyall other types of dependence between intended values.We can therefore assume that the intended value � sent by (A) contains as its �rstcomponent a user identity, which may or may not be veri�able. Fix a scheme S and anadversarially coordinated system of interactive protocols h(A;B); (C;D); A : (B)$ (C)iwhere (A;B) and (C;D) are both instances of S, and let � and � be sent by (A) and (C),respectively. Then, whether or not the identities can be checked, if S is non-malleable and� 6= �, then �'s dependence on � is limited to dependence on hist(�). In addition, if theidentities can be checked then � 6= �.In order to avoid assumptions about the lengths of intended values sent, we assume thespace of legal values is pre�x-free.3 Non-Malleable Public Key CryptosystemsA public-key cryptosystem allows one participant, the owner, to publish a public key, keepingsecret a corresponding private key. Any user that knows the public key can use it to sendmessages to the owner; no one but the owner should be able to read them. In this sectionwe show how to construct non-malleable public key cryptosystems. The de�nitions apply,mutatis mutandi, to private key cryptosystems. As was done by [44] in 1984 in the contextof digital signatures, when de�ning the security of a cryptosystem one must specify (a) thetype of attack considered and (b) what it means to break the cryptosystem.The cryptosystem we construct is secure against chosen ciphertext attacks. In fact itis secure against a more severe attack suggested by Racko� and Simon [62] and which14

we call chosen ciphertext in the post-processing mode (CCA-post): The attacker knowsthe ciphertext she wishes to crack while she is allowed to experiment with the decryptionmechanism. She is allowed to feed it with any ciphertext she wishes, except for the exactone she is interested in. Thus the attacker is like a student who steals a test and canask the professor any question, except the ones on the test. This is the �rst public keycryptosystem to be provably secure against such attacks. Indeed, (plain) RSA [63] and theimplementation of probabilistic encryption based on quadratic residuousity [42] are insecureagainst a chosen ciphertext postprocessing attack.Malleability, as de�ned in Section 2.2 speci�es what it means to \break" the cryptosys-tem. Informally, given a relation R and a ciphertext of a message �, the attacker A isconsidered successful if it creates a ciphertext of � such that R(�; �) = 1. The cryptosys-tem is non-malleable under a given attack G if for every A mounting an attack of type G,there is an A0 that, without access to the ciphertext of �, succeeds with similar probabilityas A in creating a ciphertext of such that R(�; ) = 1. Given the notion of semanticsecurity with respect to relations and Theorem 2.2, non-malleability is clearly an extensionof semantic security. See Section 3.4.2 for the relationship between non-malleability andthe type of attack.We now de�ne precisely the power of the CCA-post adversary A. Let R be a polynomialtime computable relation. Let n be the security parameter. A receives the public keye 2R GP (n) and can adaptively choose a sequence of ciphertexts c1; c2; : : :. On each of themA receives the corresponding plaintext. It then produces a distribution M on messages oflength `(n), for some polynomial `, by giving the polynomial time machine that can generatethis distribution. A then receives as a challenge a ciphertext c 2R Ee(m) where m 2R M,together with some \side-information" about m in the form of hist(m), where hist is somepolynomially computable function. A then engages in a second sequence of adaptivelychoosing ciphertexts c01; c02; : : :. The only restriction is that c 6= c01; c02; : : : : At the end of theprocess, A produces a polynomially bounded length vector of ciphertexts (f1; f2; : : :) notcontaining the challenge ciphertext c, with each fi 2 Ee(�i), and a cleartext string � whichwe assume contains a description of M6. Let � = (�1; �2; : : :). A is considered to havesucceeded with respect to R if R(m;�; �). (We separate � from � because the goal of theadversary is to produce encryptions of the elements in �.) Let �(A; R) be the probabilitythat A succeeds where the probability is over the coin- ips of the key generator, A;M andthe encryption of m.Let A0 be an adversary simulator that does not have access to the encryptions or tothe decryptions, but can pick the distribution M0. On input e, A0 produces M0 and thenm 2R M0 is chosen. A0 receives hist(m) and without the bene�t of the chosen ciphertextattack should produce a vector of ciphertexts (f1; f2; : : :), where each fi 2 Ee(�i), and astring � containing M0. Let � = (�1; �2; : : :). As above, A0 is considered to have succeededwith respect to R if R(m;�; �). Let �0(A0; R) be the probability that A0 succeeds wherethe probability is over the coin- ips of the key generator, A0 and M0.6In the public key context � serves no purpose other than providing the description of M as an inputto R, since in this situation from any plaintexts p 2 M that are part of � it is always possible to computean encryption of �, so we could always add an additional fi 2 Ee(p) to our vector of ciphertexts. However,we introduce the possibility of including plaintexts p in � so that the de�nition can apply to symmetric, orprivate key, encryption. 15

Note that A0 has a lot less power than A: not only does it not have access to theciphertext encrypting �, but it cannot perform any type of chosen ciphertext attack, evenin choosing the distribution M0. Note also that as in the de�nition of semantically securewith respect to relations, the fact that M is given to R prevents A0 from choosing trivialdistributions.De�nition 3.1 A scheme S for public-key cryptosystems is non-malleable with respect tochosen ciphertext attacks in the post-processing mode, if for all probabilistic polynomial timeadversaries A as above there exists a probabilistic polynomial time adversary simulator A0such that for all relations R(�; �; �) computable in probabilistic polynomial time, j�(A; R)��0(A0; R) j is subpolynomial.Note that the de�nition does not require R to be restricted (to a relation approximator) asdescribed in Section 2.2.An illustration of the power of non-malleability under CCA-post attacks is presented inSection 3.5, where we discuss an extremely simple protocol for public key authentication, arelaxation of digital signatures that permits an authenticator A to authenticate messagesm, but in which the authentication needn't (and perhaps shouldn't!) be veri�able by athird party. The protocol requires a non-malleable public key cryptosystem, and is simplyincorrect if the cryptosystem is malleable.Simple Ideas That Do Not WorkA number of simple candidates for non-malleable cryptosystems come to mind. LetE be a cryptosystem semantically secure against a chosen ciphertext attack. Assume forconcreteness that A wishes to send the message m and B wishes to send \1 + the valuesent by A". That is, B, without knowing m, wishes to send m+ 1.One \solution" would be to append to E(m) a non-interactive zero-knowledge proof ofknowledge of the encrypted value m. The problem with this approach is that the proof ofknowledge may itself be malleable: conceivably, given E(m) and a proof of knowledge ofm, it may be possible to generate E(m+ 1) and a proof of knowledge of m+ 1.Another frequently suggested approach is to sign each message. Thus, to send a messagem, party A sends (E(m); SA(E(m))), where SA is a private signing algorithm for which apublic veri�cation key is known. There are two problems with this: �rst, it assumes thatsenders as well as receivers have public keys; second, it misses the point: if E is malleablethen B, seeing (E(m); SA(E(m))), simply ignores the second component, generates E(m+1), say, based on E(m), and sends (E(m+ 1); SB(E(m+ 1))).Yet another suggestion is to put the signature inside the ciphertext: A sends E(m �SA(m)). This still su�ers from the assumption that A has a public veri�cation key corre-sponding to SA, and it again misses the point: B is not trying to produce E(m+1; SA(m+1)), but only E(m + 1 � SB(m + 1)). The unforgeability properties of SA say absolutelynothing about B's ability to produce an encryption of SB(m+ 1).One more suggestion is to append an ID to each message and send, for example, E(A �m). Again, we do not know how to show that, based only on the semantic security of Eagainst chosen ciphertext attack, seeing E(A �m) does not help B to produce E(B �m) orE(B �m+ 1). 16

Overview of the schemeThe public key consists of 3 parts: a collection of n pairs of keys he0i ; e1i i, a random stringU for providing zero-knowledge proofs of consistency in a non-interactive proof system, anda universal one-way hash function providing a mapping that de�nes a choice of a subset ofthe encryption keys. U is uniformly distributed because it is to the advantage of its creator(the veri�er in the non-interactive zero-knowledge proof) that it should be so.The process of encryption consists of 4 parts.1. An \identity" is chosen for the message by creating a public signature veri�cation key;the corresponding signing key is kept private.2. The message is encrypted under several encryption keys chosen from a set of suchkeys as a function of the public signature veri�cation key chosen in the �rst step.3. A (non-interactive zero-knowledge) proof of consistency is provided, showing that thevalue encrypted under all the selected keys is the same one.4. The encryptions and the proof are signed using the private signing key chosen in the�rst step.When a message is decrypted it must �rst be veri�ed that the encryptions are consistent,and only then is the (now well de�ned) plaintext extracted.Non-malleability comes from the fact that the choice of the subsets and the signatureeach authenticate the other. Moreover, as in [60], anyone can decide whether a ciphertext islegitimate, i.e., decrypts to some meaningful message. Thus, no information is ever gainedduring an attack when the decrypting mechanism rejects an invalid ciphertext. Intuitively,given E(�), an attacker with access to a decryption mechanism can generate a legal ci-phertext E(�) and learn �, but non-malleability implies that an adversary simulator cangenerate E( ) without access to E(�), where is distributed essentially as � is distributed.Thus � is unrelated to � (non-malleability), and learning � yields no information about �(semantic security).3.1 The ToolsWe require a probabilistic public key cryptosystem that is semantically secure (see Sec-tion 2.1). Recall that GP denotes the key generator, e and d denote the public and privatekeys, respectively, and E and D denote, respectively, the encryption and decryption algo-rithms.For public keys e1; e2; : : : en a consistent encryption is a string w that is equal toEe1(b; r1); Ee2(b; r2); : : : ; Een(b; rn)for some b 2 f0; 1g and r1; r2; : : : ; rn 2 f0; 1gp(n), for some polynomial p. The languageof consistent encryptions L = fe1; e2; : : : en; wjw is a consistent encryptiong is in NP. For agiven word w = Ee1(b; r1); Ee2(b; r2); : : : ; Een(b; rn), the sequence r1; r2; : : : ; rn is a witnessfor its membership in L. In order to prove consistency we need a non-interactive zero-knowledge proof system for L, as de�ned in Section 2.1. Recall that the system consistsof a prover, a veri�er, and a common random string U known to both the prover and the17

veri�er. Note that the length of U depends only on the security parameter and not on thenumber of messages to be encrypted over the lifetime of this public key.The cryptosystem uses a universal family of one-way hash functions as de�ned in [59].This is a family of functions H such that for any x and a randomly chosen h 2R H theproblem of �nding y 6= x such that h(y) = h(x) is intractable. The family we need shouldcompress from any polynomial in n bits to n bits. In [64] such families are constructed fromany one-way function.Finally we need a one-time signature scheme, which consists of GS, the scheme generatorthat outputs F , the public-key of the signature scheme, and P the private key. Using theprivate key P any message can be signed in such a way that anyone knowing F can verify thesignature and no one who does not know the private key P can generate a valid signatureon any message except the one signed. For exact de�nition and history see [5, 44, 59].3.2 The Non-Malleable Public-Key Encryption SchemeWe are now ready to present the scheme S.Key generation:1. Run GP (n), the probabilistic encryption key generator, 2n times. Denote the outputby (e01; d01); (e11; d11); (e02; d02); (e12; d12); : : : (e0n; d0n); (e1n; d1n):2. Generate random U .3. Generate h 2R H.4. The public encryption key is hh; e01; e11, e02; e12, : : :, e0n; e1n; Ui. The corresponding privatedecryption key is hd01; d11; d02; d12; : : : d0n; d1ni.Encryption: To encrypt a message m = b1; b2; : : : bk:1. Run GS(n), the signature key generator. Let F be the public signature key and P bethe private signature key.2. Compute h(F ). Denote the output by v1v2 : : : vn.3. For each 1 � i � k(a) For 1 � j � ni. generate random rij 2R f0; 1gp(n)ii. generate cij = Eevjj (bi; rij), an encryption of bi using evjj .(b) Run P on ci = ev11 ; ev22 ; : : : ; evnn ; ci1; ci2; : : : cin, with witness ri1; ri2; : : : ; rin andstring U to get a proof pi that ci 2 L.4. Create a signature s of the sequence (c1; p1), (c2; p2), : : : ; (ck; pk) using the privatesignature key P . 18

The encrypted message is hF; s; (c1; p1); (c2; p2) : : : (ck; pk)i:Decryption: to decrypt a ciphertext hF; s; (c1; p1), (c2; p2),: : : ; (ck; pk)i:1. Verify that s is a signature of (c1; p1),(c2; p2),: : : ; (ck; pk) with public signature key F .2. For all 1 � i � k verify that ci is consistent by running the veri�er V on ci; pi; U .3. Compute h(F ). Denote the output by v1v2 : : : vn.4. If V accepts in all k cases, then for all 1 � i � k retrieve bi by decrypting using anyone of hdv11 ; dv22 ; : : : ; dvnn i. Otherwise the output is null.Note that, by the proof of consistency, the decryptions according to the di�erent keys inStep 4 are identical with overwhelming probability.From this description it is clear that the generator and the encryption and decryptionmechanisms can be operated in polynomial time. Also if the decryption mechanism is givena legitimate ciphertext and the right key it produces the message encrypted.3.3 Non-Malleable SecurityWe now prove the non-malleability of the public key encryption scheme S under a chosenciphertext post-processing attack. The approach we take both here and in proving the non-malleability of our string commitment protocol in Section 4 is to de�ne a related schemeS 0. The (malleable) security of S 0 should be straightforward. We then argue that a methodthat breaks S (in the malleability sense) can be translated into one that breaks S 0 (in thesemantic security sense).The Cryptosystem S 0:1. Run GP (n), the probabilistic encryption key generator, n times. Denote the outputby (e1; d1); (e2; d2); : : : (en; dn):The public key is the n-tuple he1; : : : ; eni; the private key is the n-tuple hd1; : : : ; dni.2. To encrypt a message m = b1; b2; : : : bk3. For 1 � j � n� For 1 � i � k(a) generate random rij 2R f0; 1gp(n)(b) generate cij = Eej (bi; rij), an encryption of bi under public key ej usingrandom string rij .� Let cj = c1j ; c2j ; : : : ; ckj (cj is the jth encryption of m).4. The encryption is the n-tuple hc1; c2; : : : ; cni.19

5. To decrypt an encryption h�1; : : : ; �ni, compute mj = Ddj (�j) for 1 � j � n. Ifm1 = m2 = : : : =mn then output m1; otherwise output \invalid encryption."Lemma 3.1 The public key encryption scheme S 0 is semantically secure with respect torelations under chosen plaintext attack. 2We will prove non-malleability of S by reduction to the semantic security of S 0. Tothis end, we de�ne an adversary A0 that, on being given an encryption under S 0, generatesan encryption under S. As above, we abuse notation slightly: given a public key E in S(respectively, E0 in S 0), we let E(m) (respectively, E0(m)) denote the set of encryptions ofm obtained using the encryption algorithm for S (respectively, for S 0) with public key E(respectively, E0).Procedure for A0: Given a public key E0 = he1; : : : ; eni in S 0:Preprocessing Phase:1. Generate n new (e; d) pairs.2. Run the simulator for the non-interactive zero-knowledge proof of consistency to gen-erate a random string U (the simulator should be able to produce a proof of consistencyof n encryptions that will be given to it later on).3. Choose a random hash function h 2R H.4. Run GS(n) to obtain a signature scheme (F; P ), where F is the public veri�cationkey.5. Compute h(F ). Arrange the original n keys and the n new keys so that the keys\chosen" by h(F ) are the original n. Let E denote the resulting public key (instanceof S).Simulation Phase:1. RunA on inputE. A adaptively produces a polynomial length sequence of encryptionsx1; x2; : : :. For each xi produced by A, A0 veri�es the signatures and the proofs ofconsistency. If these veri�cations succeed, A0 decrypts xi by using one of the newdecryption keys generated in Preprocessing Step 1, and returns the plaintext to A.2. A produces a description of M, the distribution of messages it would like to attack.A0 outputsM. We will show that if S is malleable then S 0 is not semantically securewith respect to relations on M.3. A0 is given c0 2R E0(m) and hist(m) for m 2R M. It produces a ciphertext c 2 E(m)using the simulator of Preprocessing Step 2 to obtain a (simulated) proof of consistencyand the private key P generated at Preprocessing Step 5 to obtain the signature.4. Give A the ciphertext c and hist(m). As in Simulation Step 1, A adaptively producesa sequence of encryptions x01; x02; : : : and A0 veri�es their validity, decrypts and returnsthe plaintext to A. 20

Extraction Phase:A produces the vector of encryptions (E(�1); E(�2); : : :). A0 produces � = (�1; �2; : : :) bydecrypting each E(�i) as in the simulation phase. A0 outputs � and �.This concludes the description of A0.The next lemma shows that the simulation phase runs smoothly.Lemma 3.2 Let A be an adversary attacking the original scheme S. On input E0 andc0 2R E0(m), let E be generated by A0 as above, and let c be the encryption of m under Ecreated by A0 in Simulation Step 3. Let � 6= c be any ciphertext under E, generated by A.If the signatures in � are valid (can be veri�ed with the public signature veri�cation key in�), then A0 can decrypt �.Proof. Let F 0 be the public signature veri�cation key in �. If F 0 6= F , then by the security ofthe universal one-way hash functions, h(F 0) 6= h(F ) (otherwise using A one could break H).Thus, at least one of the encryption keys generated in Preprocessing Step 1 of the procedurefor A0 will be used in �. Since A0 generated this encryption key and its correspondingdecryption key, A0 can decrypt.We now argue that F 0 6= F (that is, that we must be in the previous case). Suppose forthe sake of contradiction that F 0 = F . Then by the security of the signature scheme, onlythe original ciphertext c and the proof of consistency of Preprocessing Step 2 and SimulationStep 3 can be signed (otherwise A could be used to break the signature scheme). This forces� = c, contradicting the fact that � 6= c. 2Note that in Step 3 of the simulation the vector c0 is a legitimate encryption under E0and therefore is a vector of consistent encryptions, so the simulated non-interactive proof ofconsistency is a proof of a true theorem. Note also that this is the only place in which a proofis simulated by A0. Thus, even though the shared random string is used to generate manyproofs of consistency during the lifetime of the public key, the zero-knowledge property wewill need for the proof is only for a single theorem, since the only simulated proof will beon the target ciphertext. We these facts in mind, the following lemma is easily proved:Lemma 3.3 For any probabilistic polynomial time relation R, let �0(A0; R) denote the prob-ability that A in the simulation breaks the generated instance of S with respect to R; i.e.,that A (interacting with A0, as described in the Simulation Phase of the Procedure for A0)generates a vector of encryptions (E(�1); E(�2); : : :) and a string � such that R(m;�; �)holds, where � = (�1; �2; : : :).Similarly, let �(A; R) denote the probability that A breaks a random instance of S withrespect to R. Then �0(A0; R) and �(A; R) are subpolynomially close.Proof. The only di�erence between the instance of S generated by A0 and the instance of Sgenerated at random is in the proof of consistency for the target ciphertext: in the formercase this is produced by the simulator (Steps 2 and 3 of the simulation) and in the lattercase it is authentic. The lemma therefore follows immediately from the de�nition of non-interactive zero knowledge (De�nition 2.4): any di�erence between the two probabilitiescan be translated into an ability to distinguish a simulated proof from a true proof. 221

Theorem 3.4 The public-key encryption scheme S is non-malleable against chosen cipher-texts attacks in the post-processing mode.Proof. Let A be any polynomially bounded adversary.Beginning with an encryption key E0 in S 0 A0 generates an encryption key E in S,invokes A on E to obtain a message distribution M, and sets M0 = M. A0 is then givena ciphertext c0 = E0(m), for m 2R M = M0, generates a ciphertext c = E(m), andpresents E and c to A. If A produces valid encryptions E(�i) such that E(�i) 6= E(m),then by Lemma 3.2, A0 can extract the �i. Let � = (�1; �2; : : :). Let R be any probabilisticpolynomial time computable relation. By Lemma 3.3, the probability that R(m;�; �) holdsis subpolynomially close to �(A; R). Moreover, from the semantic security of S 0 we knowthere exists a procedure A00 that, without access to E0(m), produces �00 such that theprobability of R(m;�00; �) is subpolynomially close to the probability of R(m;�; �), andhence to �(A; R). Therefore (A; R) cannot witness the non-malleability of S. 2Corollary 3.5 If public-key cryptosystem semantically secure against chosen plaintext at-tacks exist and non-interactive zero-knowledge satisfying the requirements of De�nition 2.4is possible, then non-malleable public-key cryptosystems secure against chosen ciphertextsattacks in the post-processing mode exist. In particular, if trapdoor permutations exist, thensuch cryptosystems exist.An interesting open problem is whether one can rely on the existence of a public-keycryptosystem semantically secure against chosen plaintext attacks alone to argue that non-malleable public-key cryptosystems secure against chosen ciphertexts attacks in the post-processing mode exist. Two assumptions that are known to be su�cient for semanticallysecure public-key cryptosystems secure against plaintext attacks, but where the existenceof the stronger kind of cryptosystems is not clear are the Di�e-Hellman (search) problemand the unique shortest vector problem (used in the Ajtai-Dwork cryptosystem [1]).3.4 Remarks3.4.1 On Vectors of Encryptions1. We have de�ned non-malleable public key encryptions to cover the case in which Aproduces a vector of encryptions (E(�1); : : : ; E(�n)), having been given access to only asingle E(�). It is natural to ask, what happens if A is given access to to encryptions ofmultiple �'s, (E(�1); : : : ; E(�n)). Security under this type of composition is, intuitively,a sine qua non of encryption. A simple \hybrid" argument shows that any non-malleablepublic key cryptosystem is secure in this sense: seeing the encryptions of multiple �'s doesnot help the adversary to generate an encryption of even one related �.2) The computational di�culty of generating a single E(�) for a related � does notimply the computational di�culty of generating a vector (E(�1); : : : ; E(�n)) such thatR(�; �1; : : : ; �n) holds. We next describe a counter-example in the case of a chosen ci-phertext pre-processing attack. Let E0 be a non-malleable cryptosystem under chosenciphertext pre-processing attack. Let E(m) be constructed as (E00(m0); E01(m1)), wherem = m0 �m1. Given a ciphertext of this form, the adversary can construct two cipher-texts: (E00(m0); E01(0)) and (E00(0); E01(m1)). The parity of the two decrypted values is:22

(m0 � 0) � (0 �m1) = m0 �m1 = m. On the other hand, it can be shown from the non-malleability of the E0i that seeing E(m) is of no assistance in generating a single encryptionE(m0) such that R(m;m0) .3.4.2 Security Taxonomy and ComparisonsWe have discussed two notions of breaking a cryptosystem, semantic security and non-malleability, and three types of attacks:� Chosen plaintext.� Chosen ciphertext attack in the pre-processing mode (CCA-pre).� Chosen ciphertext attack in the post-processing mode (CCA-post).This yields six types of security and the question is whether they are all distinct and whichimplications exist. Two immediate implications are (i) non-malleable security implies se-mantic security under the same type of attack and (ii) security against chosen ciphertextpost-processing attacks implies security against chosen ciphertext attacks in the preprocess-ing mode which in turn implies security against chosen plaintext attacks, using the samenotion of breaking the cryptosystem. We now explore other possibilities - the discussion issummarized in summarized in Figure 1.The �rst observation is that if a cryptosystem is semantically secure against chosenciphertext post-processing attacks, then it is also non-malleable against chosen ciphertextpost-processing attacks, since the power of the adversary allows it to decrypt whateverciphertext it generated. On the other hand, it is not di�cult to start with a cryptosystemthat is secure against chosen ciphertext attack in the preprocessing mode and make itonly secure against a chosen plaintext attack (under any notion of breaking), as we nowexplain. For the case of semantic security, simply add to the decryption mechanism theinstruction that on input all 0's outputs the private-key. The case of non-malleable securityis more subtle. Choose a �xed random ciphertext c0, and instruct the decryption mechanismto output the decryption key when presented with input c0. In addition, instruct thedecryption mechanism to output c0 on input all 0's.There is a simple method for \removing" non-malleability without hurting semanticsecurity: starting with a cryptosystem that is non-malleable against chosen ciphertext pre-processing attacks, one can construct a cryptosystem that is only semantically secure againstchosen ciphertext pre-processing attacks - add to each ciphertext a cleartext bit whose valueis Xor-ed with the �rst bit of the plaintext. Thus, given a ciphertext of a message m itis easy to create a ciphertext of a message where the last bit is ipped, so the scheme ismalleable. However, the semantic security remains, as long as the adversary does not haveaccess to the challenge ciphertext while it can access the decryption box.We do not know whether a scheme that is non-malleable against chosen ciphertextpre-processingis also non-malleable against chosen ciphertext post-processing attack. Weconjecture that whenever deciding whether or not a string represents a legitimate ciphertext(that could have been generated by any user) is easy (to someone not holding the privatekey), non-malleability implies semantic security against a chosen ciphertext post-processingattack. From the above discussion (summarized in Figure 1), we conclude that of the six23

Plaintext

Security Non-malleable

Semantic

Chosen

Attack

Breaking

Security

Chosen Ciphertext

One notion implies the other

Preprocessing Mode

Provable separation

Open question

Chosen CiphertextPostprocessing Mode

?

?

Figure 1: Relationship between security notions.24

possibilities for security of a cryptosystem (combinations of the type of attack and notionof breaking) we have that either four or �ve are distinct7.Note that the type of combination to be used depends on the application. For instance,for the bidding example given in the introduction, if the public-key is not going to be usedfor bidding on more than a single contract, and assuming the bids are not secret after thebids are opened, then the type of security needed is non-malleability against chosen plaintextattacks. If the same public key is to be used for bidding on several contracts successively,but the secrecy of non-winning bids need not be preserved, then non-malleability underchosen ciphertext in the pre-processing mode is required. On the other hand, if the samepublic key is to be used for bidding on several contracts, and the secrecy of non-winningbids must be preserved, one should use a non-malleable cryptosystem secure against chosenciphertext attacks in the post-processing mode.Finally one may wonder what is the \correct" description of the notion of breaking acryptosystem secure against chosen ciphertext post-processing attacks: semantic securityor non-malleable security, given their equivalence under this attack. We think it is morehelpful to think in terms of non-malleability, since the way to think about trying to breaka candidate system is to think of trying to maul the target ciphertext(s). This was done(without the vocabulary of non-malleability) in the recent work Bleichenbacher [11] (seeSection 6).3.4.3 On Allowing A0 to Choose M0In our proof of the non-malleability of S under chosen ciphertext attack in the post-processing mode, the message space M0 chosen by the adversary simulator A0 is exactlythe message space M chosen by the adversary A. We might view this as a coincidence:we started with a semantically secure scheme S 0, and then showed that malleability of Simplies semantic insecurity of S 0, obtaining a contradiction. In such a proof, there is ingeneral no reason why the message space in which S can (by assumption) be mauled shouldbe the same as the space in which S 0 is (consequently) semantically insecure. So in thede�nition of non-malleability it makes sense that there are two message distributions, Mand M0, and they need not be identical. Finally, since non-malleability is an extension ofsemantic security, it makes sense for our de�nition of semantic security to have the same exibility.3.5 Public Key AuthenticationIn this section we informally describe a method for obtaining a public key authenticationscheme based on any non-malleable public key cryptosystem. Our goal is to demonstrate a\real" protocol that allows cheating in case the public-key cryptosystem used is malleable.In a public key authentication scheme, an authenticator A chooses a public key E. Thescheme permits A to authenticate a message m of her choice to a second party B. Similarto a digital signature scheme, an authentication scheme can convince B that A is willing to7For a very recent discussion of the relationship between these notions see Bellare et al. [3], where theyshow that there are indeed �ve distinct possibilities.25

authenticate m. However, unlike the case with digital signatures, an authentication schemeneed not permit B to convince a third party that A has authenticated m.Our notion of security is analogous to that of existential unforgeability under an adaptivechosen plaintext attack for signature schemes [44], where we must make sure to take care of\man-in-the-middle" attacks. Let h(A;B); (C;D); A : (B) $ (C)i be an adversariallycoordinated system in which (A;B) = (C;D) is a public key authentication protocol. Weassume that A is willing to authenticate any number of messages m1;m2; : : :, which maybe chosen adaptively by A. We say that A successfully attacks the scheme if (C) (undercontrol of A and pretending to have A's identity) succeeds in authenticating to D a messagem 6= mi, i = 1; 2; : : :.Protocol P = (A;B) for A to Authenticate Message m to B:A's public key is E, chosen according to S, a non-malleable public key cryptosystemsecure against chosen ciphertext attacks in the postprocessing mode (e.g., the one fromSection 3.2).1. A sends to B: \A wishes to authenticate m." (This step is unnecessary if m haspreviously been determined.)2. B chooses r 2R f0; 1gn and computes and sends the "query" 2R E(m � r) to A.3. A decrypts and retrieves r and m. If the decryption is of the right format (i.e.,the �rst component of the decrypted pair corresponds to the message that is to beauthenticated), then A sends r to B.Lemma 3.6 Given an adversary B that can break the authentication protocol P with prob-ability �, one can construct an adversary A for breaking the (presumed non-malleable)encryption scheme E with probability at least �=p(n)� 2�n for some polynomial p.Proof. The procedure for A to attack the cryptosystem is as follows. Assume A's publickey is E and that the adversary A has access to a decryption box for E. Therefore A cansimulate the system h(A;B); (C;D); B : (B)$ (C)i, where (A;B) = (C;D) = P. Notethat since this is a simulation, A can control the messages sent by (D) in the simulation.Run the system h(A;B); (C;D); B : (B)$ (C)i until (C), under control of B, is aboutto authenticate to D a message m 6= mi, i = 1; 2 : : : not authenticated by A. (In case itis not clear whether D accepts or not, then we just guess when this occurs; whence thepolynomial degradation of �.) The distribution M on messages that A will attempt tomaul is Mm = f(m; r)jr 2R f0; 1gng. Given as the challenge ciphertext, A lets (D)send the query in the simulation. Let r0 be (C)'s reply. A outputs � 2R E(m � r0).The distribution that B sees in the simulation of the adversarially coordinated systemh(A;B); (C;D); B : (B) $ (C)i is exactly as usual. Therefore by assumption theprobability of success in authenticating m is �, and with probability � the value r0 is thecorrect one. The relation that is violated is equality: � and encrypt the same string,whereas given the distribution Mm the probability of producing the correct r withoutaccess to E(m � r) is 2�n. 2This solution will be of practical use as soon as the current constructions of non-malleablecryptosystems are improved to be more practical. The very recent construction of Cramerand Shoup (see Section 6) makes this scheme very attractive.26

Remark 3.7 If the cryptosystem S is malleable, and in particular if given an encryptionof a message � � r it is easy (possibly after mounting a CCA-post or other type of attack)to generate an encryption of a message �0 � r, where �0 6= � (many cryptosystems havethis property), then there is a simple attack on the protocol proposed: as before (C) ispretending to be (A). To forge an authentication of a message m, when D sends challenge = m � r, (B) asks A to authenticate a message m0 by sending the challenge 0 = m0 � r.When A replies with r, (C) sends r to D, who will accept.Remark 3.8 As mentioned above, this protocol provides a weaker form of authenticationthan digital signatures (no third party veri�cation). However, this can be viewed as a feature:there may be situations in which a user does not wish to leave a trace of the messages theuser authenticated (\plausible deniability"). We do not know whether the protocol presentedis indeed zero-knowledge in this sense, i.e., that the receiver could have simulated the con-versation alone (although it is almost surely not black-box zero knowledge [38]). By adding a(malleable) proof of knowledge to the string r this can be ensured in the sequential case. Wedo not know if the resulting zero-knowledge authentication protocol remains zero-knowledgeif many executions, with the same authenticator, execute concurrently. The straightforwardsimulation fails. (See [50] for impossibility results for 4-round black-box concurrent zero-knowledge protocols.) Very recently, an approach for achieving deniable authentication inthe concurrent setting based on timing constraints was suggested by Dwork, Naor and Sa-hai, who also present several e�cient protocols in the standard model (no timing) for thesequential case.3.6 Non-Malleable Encryption in Other SettingsIn this section we brie y mention non-malleable encryption in two additional settings: pri-vate key cryptography and interactive public key cryptography. In both cases we begin witha known semantically secure system and add authentication to achieve non-malleability.Private-key EncryptionAs mentioned in the beginning of Section 3, the de�nition of non-malleable security isapplicable for private (or shared) key cryptography as well. For example, in their celebratedpaper on a logic of authentication [16], Burrows, Abadi, and Needham give the followinganalysis of a scenario (the Needham-Schroeder authentication protocol) in which A and Bshare a key KAB . Party B chooses a nonce Nb, and sends an encryption of Nb under KABto A. A then responds with an encryption of Nb � 1 under KAB in order for B\: : : to be assured that A is present currently : : : Almost any function of Nbwould do as long as B can distinguish his message from A's { thus, subtractionis used to indicate that the message is from A, rather than from B."The unproved and unstated assumption here is thatKAB provides non-malleable encryption;malleability completely destroys their reasoning and their proof of security, even if thereadversary's access to the system is very limited (i.e. an attack weaker than chosen ciphertextin the pre-processing mode).Achieving non-malleability in the private-key setting is much simpler and more e�cientthan in the public-key setting. Let KAB be a private key shared by A and B. We �rst27

describe a system that is semantically secure against a chosen ciphertext attack in the pre-processing mode: Treat KAB as (K1;K2) which will be used as seeds to a pseudo-randomfunction f (see [37] for de�nition of pseudo-random functions, [55, 56] for recent construc-tions and [57] for a recent discussion on using pseudo-random functions for encryption andauthentication). In order to encrypt messages which are n bits long we need a pseudo-random function fK : f0; 1g` 7! f0; 1gn, i.e. it maps inputs of length ` to outputs of lengthn where ` should be large enough so as to prevent "birthdays", i.e. collision of randomlychosen elements. For A to send B a message m, A chooses a random string r 2 f0; 1g` andsends the pair (r;m � fK1(r)). Semantic security of the system against chosen ciphertextattack in the pre-processing mode follows from the fact that the pseudo-random function issecure against adaptive attacks. However, this scheme is malleable and not secure againsta chosen ciphertext attack in the post-processing mode: given a ciphertext (r; c) one cancreate a ciphertext (r; c0) where c0 is obtained from c by ipping the last bit. This impliesthat the corresponding plaintext also has its last bit ipped. In order to thwart such anattack we employ another pseudo-random function gk : f0; 1gn+` 7! f0; 1g` and add a thirdcomponent to the message: gK2(r � (m� fK1(r))):When decrypting a message (r; c; a) one should �rst verify that the third component, a,is indeed proper, i.e. a = gK2(r � c). This acts as an authentication tag for the originalencryption and prevents an adversary from creating any other legitimate ciphertext, exceptthe ones he was given explicitly. (Recall that by de�nition of pseudo-random function,seeing any number of pairs (r; fK2(r)) does not yield any information about (r0; fKAB(r0))for any new r0 and in particular they are unpredictable.)Since it is known that the existence of one-way functions implies the existence of pseudo-random functions [37, 47] we haveTheorem 3.9 If one-way functions exist, then there are non-malleable private-key encryp-tion schemes secure against chosen ciphertext attacks in the post-processing modeSince it is known that in order to have private key cryptography we must have one-wayfunctions [46] we conclude:Corollary 3.10 If any kind of private-key encryption is possible, then non-malleable private-key encryption secure against chosen ciphertext attacks in the post-processing mode is pos-sible.Note that the property of \self-validation" enjoyed by the above construction is strongerthan needed for non-malleability, i.e. there are non-malleable cryptosystems that do nothave this property: one can start with a non-malleable private-key cryptosystem and addto it the possibility of encryption using a pseudo-random permutation; this possibility isnever (or rarely) used by the legitimate encrypter, but may be used by the adversary. Theresulting cryptosystem is still non-malleable but not self-validating, since the adversary cancreate ciphertexts of random messages.For a recent application of the above construction to the security of remotely-keyedencryption see Blaze et al [10].Interactive Encryption 28

The second setting resembles the one studied by Goldwasser, Micali, and Tong [45],in which they constructed an interactive public key cryptosystem secure against chosenciphertext attack (see also [34, 66]). An \interactive public key cryptosystem" requires apublic �le storing information for each message recipient, but this information alone is notsu�cient for encrypting messages. The additional information needed is chosen interactivelyby the sender and receiver. To the best of our knowledge, their paper was the �rst totry to cope with an oracle for distinguishing valid from invalid ciphertexts in any setting(interactive or not). An interactive system is clearly less desirable than what has now cometo be called \public key cryptography," in which the public key is su�cient for sending anencrypted message, without other rounds of interaction.The de�nitions of non-malleable security can be easily adapted to this case, but whendiscussing the attack there is more freedom for the adversary, due to the interactive natureof the communication. In general, we assume that the adversary has complete control overthe communication lines and can intercept and insert any message it wishes. A precisede�nition is outside the scope of this paper.Our non-malleable interactive public key cryptosystem requires a digital signature schemethat is existentially unforgeable against a chosen message attack (see the Introduction foran informal de�nition of existential unforgeability). Let (Si; Pi) denote the private/publicsignature keys of player i (the model assumes that there is a public directory containing Pifor each player i that is to receive messages, but the sender is not required to have a keyin the public directory). The system will also use a public-key cryptosystem semanticallysecure against chosen plaintext attacks.The idea for the system is straightforward: for each interaction the receiver chooses afresh public-key private-key pair that is used only for one message. However, this is notsu�cient, since an active adversary may intercept the keys and substitute its own keys.We prevent this behavior by using signatures. A sender j wishing to send a message m toreceiver i performs the following:1. Sender j chooses a fresh private/public pair of signature keys (sj; pj) and sends thepublic part, pj, to i (lower case is used to distinguish pj from what is in the directory);2. Receiver i chooses a fresh private/public pair of encryption and decryption keys(Eij ;Dij), where Eij is semantically secure against chosen plaintext attack, and sendsEij together with Si(Eij � pj) (i.e. a signature on the fresh public-key Eij concate-nated with the public signature key j chose) to j; j veri�es the signature and that pjis indeed the public key it sent in Step 1.3. Sender j encrypts m using Eij and sends Eij(m) together with sj(Eij(m)) to i. Re-ceiver i veri�es that the message encrypted with Eij is indeed signed with the corre-sponding pj.Note that the sender may use a one-time signature scheme for (sj; pj) and if the receiveruses a signature scheme such as in [27, 22], then the approach is relatively e�cient.29

4 A Non-Malleable Scheme for String CommitmentWe present below a scheme S for string commitment that is non-malleable with respectto itself (De�nition 2.5). We �rst present S and show some properties of S important inproving its security. We then describe a knowledge extractor algorithm that works not onS but on S 0 which is a (malleable) string commitment protocol with a very special relationto S: knowledge extraction for S 0 implies non-malleability of S. Thus, in this section, thenew S 0 plays a role analogous to the role of S 0 in Section 3.Our non-malleable scheme for string commitment requires as a building block a (possiblymalleable) string commitment scheme. Such a scheme, based on pseudo-random generators,is presented in [54] (although any computational scheme will do). The protocol describedthere is interactive and requires two phases: �rst the receiver sends a string and thenthe sender actually commits. However, the �rst step of the protocol can be shared byall subsequent commitments. Thus, following the �rst commitment, we consider stringcommitment to be a one-phase procedure. In the sequel, when we refer to the stringcommitment in [54], we consider only the second stage of that protocol.We also require zero-knowledge proofs satisfying the security requirements in [35]. Thesecan be constructed from any bit commitment protocol.Before we continue it would be instructive to consider the protocol of Chor and Rabin[21]. They considered the \usual" scenario, where all n parties know of one another andthe communication is synchronous and proceeds in rounds. Their goal was for each partyto prove to all other parties possession of knowledge of a decryption key. Every participantengages in a sequence of proofs of possession of knowledge. In some rounds the participantacts as a prover, proving the possession of knowledge of the decryption key, and in othersit acts as a veri�er. The sequence is arranged so that every pair of participants A;C isseparated at least once, in the sense that there exists a round in which C is proving whileA is not. This ensures that C's proof is independent of A's proof.Running this protocol in our scenario is impossible; for example, (1) we make no as-sumptions about synchrony of the di�erent parties, and (2) in our scenario the partiesinvolved do not know of one another. However, we achieve a similar e�ect to the techniqueof Chor and Rabin by designing a carefully ordered sequence of actions a player must make,as a function of an identi�er composed of its external identity, if one exists, and some otherinformation described below.4.1 The Non-Malleable String Commitment Scheme SProtocol S consists of two general stages. The �rst is a string commitment as in [54]. Thesecond stage, Basic Commit with Knowledge, consists of the application of many instancesof a new protocol, called BCK, to the string committed to in the �rst stage.Following the commit stage of two string commitment protocols, deciding whether theyencode the same string is in NP. Therefore there exists a zero-knowledge proof for equalityof two committed values. This will be used repeatedly during each execution of BCK,which we now describe. In the following, n is a security parameter.Protocol BCK(�) (assumes the committer has already committed to �):Concurrently run n instances of the following three steps. All instances of each step are30

(A;B) interaction (C;D) interactionBCK1(�) BCK1(�)BCK2(�)BCK2(�)BCK3(�) BCK3(�)Figure 2: BCK(�) is useful to BCK(�)performed at once.� BCK1 (Commit): Committer selects random x0; x1 2 f0; 1gk , where k = j� j , andcommits to both of them using the protocol in [54].� BCK2 (Challenge): Receiver sends Committer a random bit r 2 f0; 1g.� BCK3 (Response): Committer reveals xr and x1�r � �, and engages in a proof ofconsistency of x1�r � � with the initial commitment to � and the commitment tox1�r in BCK1. The proof of consistency with the initial commitment is done for alln instances together as a single statement.Remark 4.1 From � � x1�r, x1�r, and the proof of consistency, one can obtain �. Thisis why we call the protocol Basic Commit with Knowledge (of �).Note also that the interactive proof is of consistency; it is not a proof of knowledge in thesense of [31].In the rest of the section we consider each BCKi as single operation, thus it can beviewed as an operation on an n-dimensional vector or array. Note that BCK1 and BCK2are indeed \instantaneous," in that each requires a single send, while BCK3, due to itsinteractive nature, requires more time to carry out. We frequently refer to an instance ofBCK as a triple.In the Basic Commit with Knowledge stage of S we apply BCK repeatedly for thesame string, �. However, BCK may itself be malleable. To see this, conceptually labelthe three steps of BCK as commitment, challenge, and response, respectively. Consideran h(A;B); (C;D); A : (B) $ (C)i in which (A;B) = (C;D) = BCK. Then (C) canmake its commitment depend on the commitment of (A); (B) can make its challengeto (A) depend on the challenge that (D) poses to (C), and (C) can respond to thechallenge with the \help" of (A)'s response to (B) (see Figure 2 for the timing of events).In this case the triple between (A) and (B) is, intuitively, useful to (C). The BasicCommit with Knowledge stage of S interleaves executions of BCK so as to ensure that inevery execution there is some triple for which no other triple is useful. This is analogousto Chor and Rabin ensuring that for every pair of participants A;C there exists a round31

in which C is proving knowledge while A is not. We say such a triple is exposed (de�nedprecisely below). This is the key idea in the construction.The next two sixplet protocols perform a pair of distinct instances of BCK(�) in twodi�erent interleaved orders. To distinguish between the two instances of BCK we will referto the operation taking place at each stage and the associated variables. Thus �i and �i+1are two distinct applications of BCK. These Sixplet protocols will be used to ensure theexistence of an exposed triple in the Basic Commit with Knowledge. The intention of thespacing of the presentation is to clarify the di�erence between the protocols. It has nomeaning with respect to the execution of the protocols.0-sixplet 1-sixpletBCK1(�i) BCK1(�i)BCK2(�i)BCK3(�i) BCK1(�i+1)BCK2(�i+1)BCK1(�i+1) BCK3(�i+1)BCK2(�i+1)BCK3(�i+1) BCK2(�i)BCK3(�i)The di�erence between the two protocols is the order in which we interleave the stagesof the two distinct instances of the BCK protocol.Using these sixplets we can present the scheme S. The identi�er I used in the schemeis the concatenation of the original identity with the commitment for � at stage 1 (by the\commitment" we mean a transcript of the conversation). Ij denotes the jth bit of I. Toforce an exposed triple we will use the fact that every two identi�ers di�er in at least onebit. This is exactly the same fact that was exploited by Chor and Rabin in the synchronous\everyone-knows-everyone" model to enforce the condition that for every pair of proversA 6= C, there is a round in which C is proving but A is not [21]. The same fact is used inboth cases for the same purpose, but we do it without any assumption of synchrony andwithout any assumption that each processor knows of all other processors in the system.S: Non-Malleable Commitment to String �:� Commit to � (e.g., using the protocol in [54]).� For j = 1 to j I jExecute an Ij-sixpletExecute a (1� Ij)-sixpletEndFor simplicity we will assume that all identi�ers I are n bits long. Each Ij�sixplet andeach (1� Ij)�sixplet involves two executions of BCK, and each of these in turn requires nconcurrent executions of BCK1, followed by n concurrent executions of BCK2 and thenof BCK3. Thus, a non-malleable string commitment requires invoking each BCKi a totalof 4n2 times. 32

4.2 Properties of SWe now show some properties of S that allow us to prove its non-malleability. Suppose that(A;B) = (C;D) = S, and suppose further that adversary A controls (B) and (C). Letx be the identi�er used by (A) and y that used by (C). If the original identities of (A)and (C) are di�erent or if the strings to which they commit are di�erent, then x 6= y.(Thus the only case not covered is copying.) Note also that, given the proofs of consistency,both sender and receiver know at the end of the commitment protocol whether or not thesender has succeeded in committing to a well-de�ned value. Thus, the event of successfulcommitment to some value by (C) is independent of the value committed to by (A).Each run of the two interactions determines speci�c times at which the two pairs ofmachines exchange messages. The adversary can in uence these times, but the time atwhich an interaction takes place is well de�ned. Let �x and �y be the respective schedules.For 1 � i � 2n, let� � i1 be the time at which BCK1 begins in the ith instance of BCK in �x;� � i2 be the time at which BCK2 ends in the ith instance of BCK in �x.In contradistinction, let� �i1 be the time at which BCK1 ends in the ith instance of BCK in �y;� �i2 be the time at which BCK2 begins in the ith instance of BCK2 in �y.Finally, let� � i3 and �i3 denote the times at which BCK3 ends in the ith instances of BCK in �xand �y, respectively.These values are well de�ned because each BCKi involves sequential operations of a singleprocessor. We do not assume that these values are known to the parties involved { there isno \common clock."We can now formalize the intuition, described above, of what it means for a triple in �xto be useful to a triple in �y. Formally, the ith triple in �x is useful to the jth triple in �yif three conditions hold: (1) � i1 < �i1; (2) �j2 < � i2; and (3) �j3 > � i2 (see Figure 2).Let �(i) = fj j �j1 > � i1 ^ �j2 < � i2 ^ �j3 > � i2g. �(i) is the set of indices of triples between (C) and (D) for which the ith triple between (A) and (B) can be useful. We say thata triple j is exposed if j =2 �(i) for all i. Our goal is to show that there is at least one exposedtriple in any schedule. Intuitively, exposed triples are important because the committer isforced to act on its own, without help from any other concurrent interaction. Technically,exposed triples are important because they allow the knowledge extractor to explore theadversary's response to two di�erent queries, without the cooperation of (A).Claim 4.1 8i j�(i) j � 1.Proof. By inspection of the possible interleavings, there exists at most one j for which�j2 < � i2 and �j3 > � i2. 2 33

Claim 4.2 If j1 2 �(i1) and j2 2 �(i2) and j1 < j2, then sixplet(i1) � sixplet(i2), wheresixplet(i) denotes the index of the sixplet containing the ith triple.Proof. Assume to the contrary that sixplet(i2) < sixplet(i1). This implies that � i22 < � i11 .By de�nition, j1 2 �(i1) implies � i11 < �j11 : Similarly, j2 2 �(i2) implies �j21 < � j22 . Thus,�j21 < �j11 : This contradicts the assumption that j1 < j2. 2Claim 4.3 Let triples 2k � 1; 2k form a 0-sixplet in �x, and let triples 2`� 1; 2` form a1-sixplet in �y. Then there exists a j 2 f2`�1; 2`g such that neither 2k�1 nor 2k is usefulto triple j in �y.Proof. Assume to the contrary that the claim does not hold. Thus, both triples have auseful triple in f2k�1; 2kg. By Claim 4.1 j�(2k�1) j � 1, and j�(2k) j � 1. Therefore, eachof the two triples should be useful. A simple look at the time scale implies that for eithermatching between the pairs, it should be the case that �2k1 < �2`1 . Thus, �2k�12 < �2`2 and�2k�12 < �2`�12 . This implies that 2k�1 is not useful to either of the triples, a contradiction.2Notice that the reverse claim does not hold.Lemma 4.2 For any x 6= y and for any two sequences �x and �y, there exists an exposedtriple in �y.Proof. From Claims 4.1 and 4.2, if none of triples 1 through j are exposed and j 2 �(i),then sixplet(i) � sixplet(j). Since x 6= y, there exists a bit, say the jth one, at which theirID's di�er. Since the scheme uses both an Ij-sixplet and 1� Ij-sixplet, there exists some ksuch that the kth sixplet in �x is a 0-sixplet while the kth sixplet in �y is a 1-sixplet. TheLemma now follows from Claim 4.3. 24.3 The Knowledge ExtractorConsider an adversarially coordinated system h(A;B); (C;D); A : (B) $ (C)i where(A;B) and (C;D) are both instances of S. Intuitively, if (C) succeeds in committing toa string �, then our goal is to extract �. To achieve this we devise a somewhat di�erentprotocol, called S 0, on which the extractor operates, and from which it extracts �. Thisnew protocol is a string commitment protocol that is not necessarily non-malleable. In thenext section we prove that extraction of � from S 0 implies the non-malleability of S.The string commitment scheme S 0 consists of a Committer P and a Receiver Q andtakes a parameter m. (As we will see, m = jIj 16(�2log�) , where � is how close we would likethe extraction probability to be to the probability of successful completion of the protocolby A.)Protocol S 0: P Commits to a string �:� Commit to � (e.g., using the protocol in [54]).� Repeat m times: 34

1. Q chooses a bit b and requests a b-sixplet; according to additional inputs, Qrequests that the b-sixplet be augmented by an additional proof of consistencyin step BCK3 of either triple in the b-sixplet;2. P and Q run a (possibly augmented) b-sixplet;From the semantic security of the regular string commitment protocol and from thezero-knowledge properties, a standard simulation argument yields the following lemma:Lemma 4.3 For any strategy of choosing the sixplets and for any receiver Q0, the stringcommitment protocol S 0 is semantically secure. 2We provide an adapter that allows us to emulate to A (and its controlled machines) aplayer A that executes S, whereas in reality (B) (under control of A) communicates withthe sender P of S 0. S 0 has been designed so that it can actually tolerate communicatingwith many copies of A, with messages from the di�erent copies being \multiplexed" by theadapter.In more detail, suppose that player (P ) is running the sender part of S 0 and that player (B) is supposed to run the receiver part of S. ( (B) might deviate from the protocol aswritten, but the communication steps are as in S.) It is not hard to construct an adapterthat operates between P and B: whenever (A;B) calls for a b-sixplet the adapter \pretendsit is Q" and asks for a b-sixplet; then (B) and (P ) run the b-sixplet. It should beclear that the distribution of conversations that (B) sees when it participates in S andthe distribution of conversations it sees when it participates through the adapter in S 0 areidentical.We are now ready to present the extractor. Suppose that in the adversarially coordinatedsystem the probability that (C) completes its part successfully is �. Following the commitstage (during which C may or may not have committed in any meaningful way), we cannotin general hope to extract � with probability greater than �. However we can get arbitrarilyclose: we will show that for any � we can successfully extract � with probability at least� � �. Thus, given that (C) has successfully committed, we can extract the committedvalue with probability at least ���� .Fix � > 0. The knowledge extractor begins to run S 0 = (P;Q) and S = (C;D) with theadapter arranging that A cannot distinguish this from the adversarially coordinated systemh(A;B); (C;D); A : (B)$ (C)i (see Figure 3) in which (A;B) = (C;D) = S.Once (C) completes the �rst (commitment) stage of S, the extractor freezes the randomtape of A.A now de�nes a tree according to all possible messages sent by A and D. The treecontains A-nodes and D-nodes, according to which of the two is the next one to send amessage. The root of the tree corresponds to the point at which the tape was frozen. Thus,the branching at each node is all possible messages that either A or D can send at thatpoint. In order to exploit Remark 4.1 we will be interested in D-nodes corresponding to aBCK2 step. The branches correspond to the di�erent possible challenge vectors that D cansend in this step. In the sequel, these are the only types of D-node that we will consider.To enable us to follow more than a single path (that is, to fork) in the tree, we keep at eachsuch D-node a snapshot of the current state, i.e., a copy of A's tapes and the states of Aand D. 35

P adaptor Q C D

running S running S running S

adversary controlled

running S’Figure 3: The S 0-adaptor-S system used in constructing the ExtractorA node v is good if all the communication between C and D up to v is legal (accordingto the non-malleable protocol S) and C successfully opened and proved whenever it wasasked to do so. Our goal is to identify two nodes having the following properties: (1) ateach of the two, C has just completed a BCK3 step; (2) the paths to the two nodes departin a branching at a D-node. As noted in Remark 4.1, given two such nodes we can extract�. To identify such a pair of nodes, choose ` = 16(�2log�) , and run the following extractionprocedure ` times, each time starting again at the root of tree. (Recall that the root of thetree corresponds to the point at which the tape was frozen; we do not re-start (C;D) eachtime we run the extraction procedure is repeated.)By Lemma 4.2 every path to a good leaf contains an exposed triple. Run the S 0-adapter-S system until an exposed triple j in �y is reached (or we reach a bad node). We partitionthe exposed triples into two types according to the interleavings (the interleavings are shownpictorially after the types are formally de�ned):� j is of the �rst type if 8i � i1 > �j1 (nothing happened yet in �x between (A) and (B)) or 8i s.t. � i1 < �j1 we have � i2 < �j2 (the challenge in �x ends before the challengein �y begins).� j is of the second type if it is not of the �rst type and 8i s.t. � i1 < �j1 and � i2 � �j2 wehave � i2 > �j3 (the challenge in �x ends after the reply in �y ends, so (C) can't usethe answers from (A;B) to help it answer challenges from (D)).In the �rst type of exposure, for each i there are two possible interleavings:� i1 � i1�j1 or � i2� i2 �j1�j2 �j2 36

Thus, in the �rst type of exposure, there exists a time t, �j1 � t � �j2 such that for all i,� i1 � t ) � i2 � t. The time t is the maximum of �j1 and the maximum over all i such that� i1 � �j1, of � i2. In this case, intuitively, for every i such that the values committed to by (C) in BCK(j) may depend on the values committed to by (P ) in BCK(i), the queriesmade by (Q) to (P ) about these values are independent of the queries made by (D)to (C). It follows that (C) can't get any help from (P ) in answering (D)'s queries inBCK(j).At the point t de�ned above, P has no triples of which step BCK1 has completed butBCK2 has not yet ended, thus A doesn't play a part in S right now. At this point we fork:the extractor creates a new copy of A and D, and runs both this copy and the original,with each copy of D making independent random challenges in BCK2 of triple j. Notethat with overwhelming probability any two such challenge vectors di�er in some position.Since at the point t de�ned above the challenges sent to A in BCK2 of triple i are already�xed, the two copies of BCK3 of triple i will di�er only in the proofs of consistency. Theadapter multiplexes to P the two proofs of consistency. This completes the treatment ofthe �rst type of exposed triple.In the second type of exposed triple, the exposure does not become evident until �j3. Atany point in time there are at most two triples between A and B that are open, in thatstep BCK1 has been executed but BCK2 has not. Say that at �j1 the open triple is theith triple; if there are two open triples then they are the ith and (i + 1)st ones. We knowthat � i1 < � i+11 < �j1 and � i2 > � i+12 > �j1 and � i2 > �j3. We distinguish between two cases: (a)� i+12 < �j2 and (b) � i+12 > �j3 (since j is exposed it cannot be the case that �j2 < � i+12 < �j3).We show the interleavings and mark the forking points with asterisks:Case (a) Case (b)� i1 � i1� i+11 � i+11�j1 �j1� i+12 �� or �j2� i+13 �j3�j2 � i+12�j2 � i+13� i2 � i2In Case (a) we fork right after � i+12 , running a copy of A until the conclusion of triplej in the copy. Although this means there will be two copies of BCK3(i + 1), they willdi�er only in their interactive proofs of consistency: the challenges are �xed by time � i+12 .(Note that we can assume that � i+13 < �j2 because the replies to the challenges and thestatements to be proved by P in BCK3(i + 1) are completely determined by BCK1 andBCK2, and are therefore are completely determined by time � i+12 . Moreover, the challengessent in BCK2(j) by D are independent of BCK2(i+1) because BCK2(i+1) ends beforeBCK2(j) starts and D is non-faulty.) D makes independent challenges in the two runs. We37

will not run the original beyond �j3. The communication with A is limited in the originalexecution to the replies to the challenges sent in BCK2(i+1) and the zero knowledge proofof consistency in BCK3(i + 1). However, since the challenges in the two copies are thesame, and since in S 0 the committer P is willing to repeat this proof, when running thecopy we simply ask for a repeated proof of consistency and continue as before. We stopwhen the copy �nishes BCK3 of the jth triple. Note that in the copy the jth triple neednot be exposed (this depends on � i2).Case (b) is simpler: we fork right after �j1. In the original (B) does not communicatewith P until �j3, so we simply continue with the copy until it �nishes BCK3 of the jthtriple. Here again we have that j need not be exposed in the copy.In exploiting either type of exposure, if in both branches (the original and the copy) theproof of consistency in BCK3(j) succeeds, then in triple j the extractor obtains the answersto two di�erent and independent queries, hence � can be extracted. The signi�cance of thezero-knowledge proof of consistency is that it allows the extractor to know whether anytrial is successful. Therefore if any trial is successful the extractor succeeds.This completes the description of the extractor. We now show that its probability ofsuccess is high.At each node v of the tree we can de�ne the probability of success, �(v), i.e., theprobability that the communication between A and D leads to a good leaf. Let �0 be theprobability of success at the root. Notice that by de�nition, the expected value of �0 is �.Lemma 4.4 In each run of the above experiment the value of � is successfully extractedwith probability �20=4� 1=22n.Proof. Consider a random root-leaf path w in the tree (the randomness is over the coin ipsof A and D). At each node v let �(v) denote the probability, taken over choices of A andof D, of successfully completing the execution from v. Let �(w) be the minimum along theexecution path w. Note that �(w) is a random variable.Claim 4.4 With probability at least �0=2 we have �(w) > �0=2.Proof. The probability of failure is 1��0. Let V be the set of nodes v such that �(v) < �0=2and for no parent u of v is �(u) < �0=2 (i.e. V consists of the \�rst" nodes such that�(v) < �0=2). We know that Pr[�(w) � �0=2] �Pv2V Pr[v is reached]. On the other hand,the probability of failure, 1� �0, isXv2V Pr[v is reached](1� �(v)) � (1� �0=2) Xv s:t: �(v)��0=2Pr[v is reached]:Therefore Pr[�(w) � �0=2] � 1��01��0=2 = 1� �0=21��0=2 < 1� �0=2: 2Thus, with probability �0=2 the main path we take succeeds. The experiment branchesat a point with probability of success �0=2. The probability of success of each branch isindependent. Therefore, the new branch succeeds with probability �0=2. Excluding a smallprobability 1=22n that both branches choose identical strings, the experiment succeeds withprobability �20=4� 1=22n. 2 38

With probability �� �=2 the probability of success at the root, �0, is at least �=2. Theextractor makes ` independent experiments. Because of the proof of consistency, extractionfails only if all experiments fail. This occurs with probability at most (1� �204 )`. The choiceof ` implies that the probability that the extractor succeeds, given that �0 > �=2, is at least1� (1� �204 )` � 1� (1� �24 )` � 1� �=2:Therefore, with probability at least �� � the string � is extracted in at least one of the` experiments. Thus we can conclude that,Lemma 4.5 For any adversarially coordinated system h(A;B); (C;D); A : (B)$ (C)iin which (A;B) = (C;D) = S, there is a knowledge extraction procedure that succeeds withprobability arbitrarily close to �. 2The next claim says, in essence, that the values � obtained by the extractor are \cor-rectly" distributed.Claim 4.5 Let � 2R D and let � be obtained by the extractor. Then for every relationapproximator R, either (1) the probability that R(�; �) outputs 1, where the probabilityspace is over the choice of � and the internal coin ips of the machines involved, is largerthan �(A; R) or (2) these two probabilities are arbitrarily close.4.4 Extraction Implies Non-MalleabilityIn this section we reduce the non-malleability of S to the semantic security of S 0. Let Rbe a relation approximator and let h(A;B); (C;D); A : (B) $ (C)i be an adversariallycontrolled system, where (A;B) and (C;D) are both instances of S.Recall that R(x; x) = 0 for all relation approximators. We view the goal of A (respec-tively, A0) as trying to maximize �(A; R) (respectively, �0(A0; R)). Consider the followingprocedure for an adversary simulator A0 with access to the probability distribution D chosenby A, on inputs to (A).Procedure for A0:1. Set D0 = D.2. Generate � 2R D0 = D.3. Emulate the system h(A;B); (C;D); A : (B) $ (C)i where (A) is running S 0with private input � and A has access to hist(�), and if (C) succeeds in committingto a value , extract .4. Output .The structure of the proof is as follows. Let � 2R D. We de�ne three random variables:1. Let � be the value, if any, committed to by C in an execution of h(A;B); (C;D); A : (B) $ (C)i in which A has input � and A has input hist(�). By de�nition, forany probabilistic polynomial time relation approximator R, Pr[R(�; �)] = �(A; R).39

2. Let �0 be obtained by extraction from A0 in a run of the S 0-adaptor-S system in whichP has input � and A0 has input hist(�). By de�nition, Pr[R(�; �0)] = �0(A0; R).3. Let �00 be obtained by extraction from A0 in a run of the S 0-adaptor-S system in whichP has input � 2R D but A0 has input hist(�). Let ~�0(A0; R) denote Pr[R(�; �00)].We will �rst show that if jPr[R(�; �0)] � Pr[R(�; �00)]j is polynomial, then there is adistinguisher for S 0. By the semantic security of S 0, this means that �0(A0; R) = Pr[R(�; �0)]is very close to ~�0(A0; R) = Pr[R(�; �00)]. In other words, on seeing the history hist(�), A0,interacting with P having input �, is essentially no more successful at committing to avalue related by R to � than A0 can be when it again has history hist(�) but is actuallyinteracting with P having input � (unrelated to �). This means that, for A0, having theinteraction with P doesn't help in committing to a value related to P 's input.Let us say that A0 succeeds in an execution of the S 0-adaptor-S system, if (C) commitsto a value related by R to P 's input (the value to which P commits). Similarly, we say thatA succeeds in an execution of h(A;B); (C;D); A : (B) $ (C)i if (C) it commits to avalue related by R to A's input. Recall that, by Claim 4.5, either A is essentially equallylikely to succeed as A0, or A is less likely to succeed than A0 is. So �(A; R), the probabilitythat A succeeds, is essentially less than or equal to �0(A0; R), which we show in the �rststep of the proof to be close to ~�0(A0; R). From this we conclude the non-malleability of S.Lemma 4.6 If j~�0(A0; R)��0(A0; R)j is polynomial, then there is a distinguisher for S 0 thatviolates the indistinguishability of committed values (equivalent to semantic security [35, 42,53]).Proof. Assume j~�0(A0; R)� �0(A0; R)j is polynomial. The distinguisher is as follows.Distinguisher for S 0:1. Create a random challenge (�1 2R D; �2 2R D);2. Choose i 2R f1; 2g. Emulate the system h(A;B); (C;D); A : (B) $ (C)i, where (A) is running S 0 with private input �i and A has access to hist(�1), and extract �,the value committed to by (C) in the emulation.3. Output R(�1; �).If, in the emulation, the input to (P ) is �1, then the distinguisher outputs 1 withprobability �0(A0; R). Similarly, if in the emulation the input to (P ) is �2, then thedistinguisher outputs 1 with probability ~�0(A0; R). Since by assumption these two quantitiesdi�er polynomially, we have a polynomial distinguisher for commitments in S 0. 2Corollary 4.7 j~�0(A0; R)� �0(A0; R)j is subpolynomial. 2Theorem 4.8 The string commitment scheme S is non-malleable.Proof. By Claim 4.5, �(A; R) < �0(A0; R) or the two are subpolynomially close. ThusA is not polynomially more likely to successfully commit to a value related by R to thevalue committed to by (A) than A0 is able to commit to a value related by R to thevalue committed to by (P ). However, by Lemma 4.6, �0(A0; R) is subpolynomially closeto ~�(A0; R); that is, interacting with P does not help A0 to commit to a value related tothe value committed to by (P ). 2 40

Remark 4.9 The number of rounds in the above protocol is proportional to the length of I.However, the number of rounds may be reduced to log jIj using the following: Let n = jIj.To commit to string �, choose random �1; �2; : : : �n satisfying Lni=1 �1 = �. For each �i(in parallel) commit to �i with identity (i; Ii) (i concatenated with the ith bit of the originalidentity). Let F (for fewer) denote this string commitment protocol.To see why F is secure, consider an adversary with identity I 0 6= I who commits to�0. For I 0 6= I there must be at least one i such that I 0i 6= Ii (we assume some pre�x freeencoding). This i implies the non-malleability of the resulting scheme: Make �j for j 6= ipublic. Since all the identities of the form (j; I 0j) are di�erent than (i; Ii) we can extract allthe �0j's and hence �0.Using this approach, the result of Chor and Rabin [21] can be improved to require log log nrounds of communication, (down from log n rounds). Recall that their model di�ers fromours in that they assume all n parties are aware of each other and that the system iscompletely synchronous.Remark 4.10 1) As we have seen, the proofs of consistency aid in the extraction procedure.Interestingly, they also ensure that if there are many concurrent invocations of (A;B), callthem (A1; B1); : : : ; (Ak; Bk); such that the adversary controls all the (Bi) and (C), thenif C commits to a value � to D then � is essentially unrelated to all the �i committed toby the Ai in their interactions with the Bi. As in Section 3.4.1, this is shown by a hybridargument.2) There is a lack of symmetry between our de�nitions of non-malleable encryptionand non-malleable string commitment: the �rst requires that it should be computation-ally di�cult, given E(�), to generate a vector of encryptions (E(�1); : : : E(�n)) such thatR(�; �1; : : : ; �n) holds, while the second requires only that access to a commitment to a string� should not help in committing to a single related string �. It is possible to modify thede�nition to yield this stronger property. Roughly speaking, we add a �ctitious step afterthe adversary attempts to commit to its values, in which the adversary speci�es which suc-cessfully committed values will be the inputs to the relation approximator R. The extractionprocedure is then modi�ed by �rst running S 0 with a simulation of A to see which commit-ments succeed. Then we argue that with high probability the extraction procedure succeedson all of these. This follows from the high probability of success during any single extraction(Lemma 4.5). We chose not to use the extended de�nition because it would complicate theproofs even beyond their current high level of complexity.3) The weaker de�nition does not imply the stronger one: the protocol F of Remark 4.9is a counterexample. Let (A;B) = F and let (A), running F , commit to � by splitting itinto �1; : : : ; �n. Let (C1;D1) = : : : = (Cn;Dn) = F . If the n + 1 parties (C1); : : : (Cn)have identities such that for each i the ith bit of the identity of (Ci) equals the ith bit ofthe identity of (A), then the parties (B); (C1); : : : (Cn) can collude as follows. Each (Ci) commits to the string �i = �i by splitting it into �i = �i1 � : : :� �in, where �ii = �iand �ij = 0j�ij. In this way the colluding parties can arrange to commit to �1; : : : ; �n suchthat the exclusive-or of the �'s equals �.This counterexample also illustrates why the technique for reducing rounds described inRemark 4.9 cannot be iterated to obtain a constant round protocol.41

5 Zero-Knowledge Proofs and General Non-Malleable Zero-Knowledge InteractionsFor the results in this section we assume the players have unique identities. Let (A;B)[a; b]be a zero-knowledge interactive protocol with valid set � of input pairs. Recall from Section2.1 that (A;B) is zero-knowledge with respect to B if for every (B) under control of apolynomial-time bounded adversary A, there exists a simulator Sim such that the followingtwo ensembles of conversations are indistinguishable. In the �rst ensemble, A chooses adistribution D consistent with �, a pair (�; �) is drawn according to D, (A) gets �, (B)gets �, and the interaction proceeds and produces a conversation. In the second ensemble,and adversary simulator A0 with the same computational power as A chooses a distributionD0 consistent with �, (�; �) 2R D0 is selected, A0 is given �, and produces a simulatedconversation.We construct a compiler C, which, given any zero-knowledge interaction (A;B) producesa zero-knowledge protocol which is non-malleable in the sense described next.Let (A0; B0) be any zero-knowledge protocol and let (A;B) = C(A0; B0). Let (C 0;D0)be any (not necessarily zero knowledge) protocol, and let (C;D) = C(C 0;D0). Considerthe adversarially coordinated system h(A;B); (C;D); A : (B) $ (C)i. Note that, if(A;B) were to be run in isolation, then given the inputs (�; �) and the random tapes of (A) and (B), the conversation between these agents is completely determined. A similarstatement applies to (C;D). For every polynomial time relation approximator R and forevery adversarially coordinated system of the compiled versions with adversary A thereexists an adversary simulator A0 satisfying the following requirement.Let D now denote a distribution for inputs to all four players chosen by A consistentwith the valid inputs for (A;B). Let (�; �; ; �) 2R D, and run the compiled versions ofthe two protocols. Let �(A; R) denote the probability that R(�; �; ; �;D;K(C;D)) = 1,where K(C;D) denotes the conversation between (C) and (D). The probability is overthe coin- ips of A; (A) and (D) and the choice of (�; �; ; �) in D. As above, R rejectsif a conversation is syntactically incorrect.Let D0 (consistent with the legal input pairs for (A;B)) be chosen by A0, and let(�; �; ; �) 2R D0. A0 gets inputs �; . Run an execution of (C;D) in which A0 con-trols (C) and let K0(C;D) denote the resulting conversation. Let �(A0; R) denote theprobability that R(�; �; ; �;D0 ;K0(C;D)) = 1. The probability is over the coin- ips of Aand (D) and the choice of (�; �; ; �) in D0.The non-malleable zero-knowledge security requirement is that for every polynomialtime-boundedA, there exists a polynomial-time boundedA0 such that for every polynomial-time computable relation approximator R j�(A; R)� �0(A0; R)j is subpolynomial.Theorem 5.1 There exists a compiler C that takes as inputs a 2-party protocol and outputsa compiled protocol. Let (A0; B0) be any zero-knowledge protocol and let (A;B) = C(A0; B0).Let (C 0;D0) be any (not necessarily zero knowledge) protocol, and let (C;D) = C(C 0;D0).Then the adversarially coordinated system h(A;B); (C;D); A : (B) $ (C)i is non-malleable zero-knowledge secure.Proof. Our compiler is conceptually extremely simple: A and B commit to their inputsand random tapes and then execute the protocol (A0; B0), at each step proving that the42

messages sent are consistent with the committed values. We have to make sure that thesezero-knowledge proofs of consistency do not interfere with the original protocol. The goalof the preprocessing phases is to make all the players' actions in the rest of the protocolpredetermined. We now describe the action of the compiler on (A0; B0) in more detail.Preprocessing Phase I: Initially A and B choose a random string RA as follows. Anon-malleably commits to a string �A using a sequence of non-malleable bit commitments.B then sends a random string �B . The string RA, not yet known to B, is the bitwiseexclusive-or of �A and �B . A and B then choose a random string RB in the same manner,but with the roles reversed, so that B knows RB while A does not yet know it.Preprocessing Phase II: Each player performs a sequence of pairs of non-malleable bitcommitments. Each pair contains a commitment to zero and a commitment to one, inrandom order.Preprocessing Phase III: Each player commits to its input and to the seed of a crypto-graphically strong pseudo-random bit generator, using the non-malleable scheme for stringcommitment described in Section 4. The pseudo-random sequence is used instead of a trulyrandom sequence whenever the original protocol calls for a random bit. Note in particularthat A and B both begin with a non-malleable commitment to their inputs and randomtapes { this is critical.Executing the Original Protocol The parties execute the original protocol (with thepseudo-random bits), with each player proving at each step that the message it sends at thatstep is the one it should have sent in the unique conversation determined by its committedinput and random tape, and the messages of the original protocol received so far. Thecommitments performed as part of the proofs of consistency are selected from the list ofpairs of commitments generated in Preprocessing Step II. Since proving the consistency ofthe new message with the conversation so far can be done e�ectively (given the randomtape and the input), this has a (malleable) zero-knowledge proof [40] in which the veri�eronly sends random bits. These random bits are taken from RA and RB . In particular, RA isused as the random bits when B proves something to A: A, acting as veri�er and knowingRA, reveals the bits of RA to B as they are needed by opening the necessary commitmentsfrom Preprocessing Phase I. The analogous steps are made when A proves consistency to B.Before sketching the proof, we give some intuition for why we included PreprocessingPhases I and II. (While it is possible that these extra preprocessing steps are not needed,we do not see a complete proof without them.) First, note that the compiler uses a speci�cnon-malleable string commitment scheme (the one from Section 4), rather than any suchprotocol. We used this protocol because of its extraction properties (which we use forproving non-malleability). However, as we saw in Section 4 in order to do the extraction inan adversarially coordinated system h(A;B); (C;D); A : (B)$ (C)i in which (A;B) =(C;D) = S, we needed to de�ne S 0, a relaxed version of S, and construct an S 0-adaptor-Ssystem. We do not know how to construct \relaxed versions" of arbitrary protocols (A0; B0).Since the compiled protocol (A;B) has a very special form, the construction of its relaxationis straightforward.We now sketch the proof that the compiled protocol satis�es the requirements of theTheorem. A's proofs of consistency are zero-knowledge since they use the random bits inRB and in the simulation of this part of the interaction RB can be extracted. A's proofsare sound since its bit commitments performed in Preprocessing Phase II are independent43

of RB (since all the commitments are non-malleable, and in particular, involve proofs ofknowledge).Since A and B commit in Preprocessing Phase III to their random tapes and values, theparts of the compiled communication that correspond to messages in (A0; B0) are completelydetermined before the execution corresponding to the (A0; B0) interaction is carried out.Note that the three stage protocol described above remains zero-knowledge. This is true,since under the appropriate de�nition [41], the sequential composition of zero-knowledgeprotocols is itself zero-knowledge. So in particular, the (A;B) interaction is zero-knowledge.Non-malleable zero-knowledge security is proved as follows. We �rst note that thecommitment of its input and random tape that A makes to B in Preprocessing Phase IIIremains non-malleable despite the proofs of consistency during the execution of the originalprotocol. We then construct an extractor for the committed value in (C;D) in a fashionsimilar to the one constructed in Section 4. To do this, we construct a \relaxed" zero-knowledge protocol analogous to S 0, based on (A;B). We apply Lemma 4.5 to show thatthe probability of extraction is similar to the probability that A succeeds (in the compiled(C;D) protocol). The key point is that an exposed triple remains exposed despite thepresence of the proofs of consistency because the queries in the proofs of consistency havebeen predetermined in Preprocessing Phase I.As in Lemma 4.6, extraction violates the zero-knowledge nature of (the relaxed) (A;B).26 Concluding Remarks and Future WorkThere are several interesting problems that remain to be addressed:1. The issue of preserving the non-malleability of compiled programs (as in Section 5)under concurrent composition is challenging, as, unlike the cases of encryption andstring commitment, in general zero-knowledge proofs are not known to remain zero-knowledge under concurrent composition (see, e.g., [35, 38]). On the other hand, thereare various techniques for changing zero-knowledge protocols so that they becomeparallelizable, such as witness indistinguishability [30] and perfect commitments (SeeChapter 6.9 in [35]). These techniques do not necessarily yield protocols that can beexecuted concurrently while preserving zero-knowledge.2. All our non-malleability results are for protocols that are in some sense zero-knowledge.Extend the de�nition of non-malleability to interactions that are not necessarily zero-knowledge, such as general multi-party computation, and construct non-malleableprotocols for these problems.3. Simplify the constructions in this paper. Bellare and Rogaway present simpli�edconstructions using a random oracle [6, 7]. A challenging open problem is to (de�neand) construct a publicly computable pseudo-random function. Such a constructionis essential if [6, 7] are to be made complexity-based. For a recent discussion onconstructing such functions see [17, 18, 19]; note that none of the proposals there issu�cient to yield non-malleability. 44

Very recently Cramer and Shoup [23] suggested an e�cient construction of a non-malleable cryptosystem secure against chosen ciphertext attacks in the postprocessingmode. The scheme is based on the Decisional Di�e-Hellman assumption (see [56] fora discussion of the assumption) and requires only a few modular exponentiations forencryption and decryption.Recently, Di Crecsenzo et al. [26] showed that in a model in which there is a sharedrandom string, it it possible to obtain non-interactive non-malleable commitmentsbased on the existence of one-way functions.4. Another recent development related to malleability in encryption is the work of Ble-ichenbacher [11] who showed how the ability to mall ciphertexts in the PKCS # 1standard allows for a chosen ciphertext post-processingattack. The interesting factabout this attack is that the only type of feedback the attacker requires is whether agiven string represents a valid ciphertext. This demonstrates yet again the signi�canceof using a provable non-malleable cryptosystem.5. A recent result that utilizes non-malleability in an interesting way is [4] who exploresthe issue of reducing an adversary's success probability via parallel repetition. Theygive an example of a protocol where the fact that the upper bound on the adversary'sprobability of success is 1=2 is due to the non-malleability of a cryptosystem used,while the repeated protocol fails to reduce the error due to the malleability of theprotocol itself.6. The selective decryption problem: a type of chosen ciphertext attack not addressed inthis paper is when the adversary is given the random bits used to generate the cipher-text (in addition to the plaintext). The following problem, phrased here in terms of aCD-ROM, is a concrete instance in which this kind of attack is relevant (the versionpresented here is due to [58], and is a variant of a problem posed by O. Goldreich): ACD-ROM is generated containing the encryptions of 100 images (generally, n images).A user, having a copy of the CD-ROM, chooses any subset, say of size 50, of the im-ages, and purchases the decryption information for the selected images. Suggest anencryption scheme for this problem such that, assuming the decryption informationis signi�cantly shorter than the combined plaintexts of the purchased images, the re-maining encryptions remain secure once the decryption information for the purchasedimages is known. Suppose we start with a semantically secure cryptosystem, andencrypt each image with its own key. Then, if the decryption information is the col-lection of keys for the selected images, it is easy to show that an adversary can't, forany given undecrypted image Pi produce an I related to Pi. The challenge is to showthat no adversary can �nd an I related to, say, all the remaining Pi's. For example,show that the adversary can't �nd the bitwise logical-OR of the remaining pictures.This type of problem is simply ignored in papers on generating session keys (see, e.g.,[8, 9]). If session keys are to be used for encryption, then the selective decryptionproblem must be addressed.7. Design a completely malleable cryptosystem in which, given E(x) and E(y) it is possi-ble to compute E(x+y), E(xy), and E(�x), where �x denotes the bitwise complement of45

x. Such a cryptosystem has application to secure 2-party computation. For example,to compute f(x; y) player A generates a completely malleable E=D pair and sends(E(x); E) to player B. Player B, knowing y and a circuit for f , can return E(f(x; y)).Alternatively, prove the non-malleability conjecture: if a cryptosystem is completelymalleable then it is insecure. A related statement holds for discrete logarithms mod-ulo p, and in general for the black box �eld problem. See the elegant papers of Mau-rer [52] and Boneh and Lipton [15].AcknowledgmentsDiscussions with Moti Yung on achieving independence started this research. Advice andcriticism from Russell Impagliazzo, Charlie Racko� and Dan Simon were critical in theformation of the paper. We thank Ran Canetti, Uri Feige, Hugo Krawczyk, Oded Goldreich,Omer Reingold and Adi Shamir for valuable discussions.References[1] M. Ajtai and C. Dwork, A Public-Key Cryptosystem with Worst-Case/Average-Case Equiva-lence Proc. 29th Annual ACM Symposium on the Theory of Computing, 1997, pp. 284{293,and ECCC Report TR96-065.[2] W. Alexi, B. Chor, O. Goldreich and C. Schnorr, RSA/Rabin Bits are 1=2 + 1=poly Secure,Siam Journal on Computing, 17(2) (1988), pp. 194{209.[3] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway, Relations among notions of security forpublic-key encryption schemes, Advances in Cryptology - Crypto'98, Lecture Notes in ComputerScience No. 1462, Springer-Verlag, 1998, pp. 26{45.[4] M. Bellare, R. Impagliazzo, and M. Naor, Does Parallel Repetition Lower the Error in Computa-tionally Sound Protocols?, Proceedings of 38th Annual Symposium on Foundations of ComputerScience, IEEE, 1997.[5] M. Bellare and S. Micali, How to Sign Given Any Trapdoor Function, J. of the ACM 39, 1992,pp. 214{233.[6] M. Bellare and P. Rogaway, Random Oracles are Practical: A Paradigm for Designing E�cientProtocols, Proc. First ACM Conference on Computer and Communications Security, 1993, pp.62{73.[7] M. Bellare and P. Rogaway, Optimal Asymmetric Encryption { How to Encrypt with RSA,Advances in Cryptology { Eurocrypt'94, Lecture Notes in Computer Science vol. 950, Springer-Verlag, 1994, pp. 92-111.[8] M. Bellare and P. Rogaway, Entity Authentication and key distribution, Advances in Cryptology{ Crypto'93, Lecture Notes in Computer Science No. 773, Springer-Verlag, 1994, pp. 232{249.[9] M. Bellare and P. Rogaway, Provably Secure Session Key Distribution: The Three Party Case,Proc. 27th Annual ACM Symposium on the Theory of Computing, 1995, pp. 57{66.46

[10] M. Blaze, J. Feigenbaum and M. Naor, A Formal Treatment of Remotely Keyed Encryption,Advances in Cryptology { Eurocrypt'98 Proceeding, Lecture Notes in Computer Science No.1403, Springer-Verlag, 1998, pp. 251{265.[11] D. Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA EncryptionStandard PKCS # 1, Advances in Cryptology - Crypto'98 Lecture Notes in Computer ScienceNo. 1462, Springer Verlag, 1998, pp. 1{12.[12] M. Blum, P. Feldman and S. Micali, Non-Interactive Zero-Knowledge Proof Systems, Proc.20th ACM Symposium on the Theory of Computing, Chicago, 1988, pp. 103{112.[13] M. Blum, A. De Santis, S. Micali and G. Persiano, Non-Interactive Zero-Knowledge, SIAM J.Computing, 1991, pp. 1084{1118.[14] M. Blum and S. Goldwasser, An E�cient Probabilistic Public-key Encryption that Hides AllPartial Information, Advances in Cryptology - Crypto'84, Lecture Notes in Computer ScienceNo. 196, Springer Verlag, 1985, pp. 289{299.[15] D. Boneh and R. Lipton, Algorithms for Black-Box �elds and their application to cryptography,Advances in Cryptology - Crypto'96, Lecture Notes in Computer Science No. 1109, SpringerVerlag, 1996, pp. 283{297.[16] M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, ACM Trans. on ComputerSystems, 8(1) 1990, pp. 18{36.[17] R. Canetti, Towards Realizing Random Oracles: Hash Functions that Hide all Partial Infor-mation, Advances in Cryptology - Crypto 97, Lecture Notes in Computer Science vol. 1294,Springer Verlag, 1997, pp. 455{469.[18] R. Canetti, O. Goldreich, and S. Halevi, The Random Oracle Methodology, Proc. 30th AnnualACM Symposium on the Theory of Computing, Dallas, 1998, pp. 209{218.[19] R. Canetti, D. Miccianco and O. Reingold, Perfectly One-way Probabilistic Hashing, Proc. 30thAnnual ACM Symposium on the Theory of Computing, Dallas, 1998, pp. 131{140.[20] B. Chor, S. Goldwasser, S. Micali and B. Awerbuch, Veri�able Secret Sharing in the Presenceof Faults, Proc. 26th IEEE Symp. on Foundations of Computer Science, 1985, pp. 383{395.[21] B. Chor and M. Rabin, Achieving Independence in Logarithmic Number of Rounds, Proc. 6thACM Symp. on Principles of Distributed Computing, 1987, pp. 260{268.[22] R. Cramer and I. Damgard, New generation of secure and practical RSA-based signaturesAdvances in Cryptology - Crypto '96, Lecture Notes in Computer Science 1109, Springer Verlag,1996, pp. 173-185.[23] R. Cramer and V. Shoup, A practical Public Key Cryptosystem Provable Secure against Adap-tive Chosen Ciphertext Attack, Advances in Cryptology - Crypto'98 Lecture Notes in ComputerScience No. 1462, Springer Verlag, 1998, pp. 13{25.[24] Y. Desmet, C. Goutier and S. Bengio, Special uses and abuses of the Fiat Shamir passportprotocol Advances in Cryptology - Crypto'87, Lecture Notes in Computer Science No. 293,Springer Verlag, 1988, pp. 21{39.[25] A. De Santis and G. Persiano, Non-Interactive Zero-Knowledge Proof of Knowledge Proc. ofthe 33th IEEE Symposium on the Foundation of Computer Science, 1992, pp. 427{436.47

[26] G. Di Crescenzo, Y. Ishai and R. Ostrovsky, Non-Interactive and Non-Malleable Commitment,Proc. 30th Annual ACM Symposium on the Theory of Computing, Dallas, 1998, pp. 141{150.[27] C. Dwork and M. Naor, An E�cient Existentially Unforgeable Signature Scheme and its Ap-plications, Journal of Cryptology, vol 11, 1998, pp. 187-208. Preliminary version: Advances inCryptology { Crypto'94 Proceeding, Springer-Verlag, Lecture Notes in Computer Science 839,1994, pp. 234{246.[28] C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems,US Patent No. 05539826, issued Aug. 29th 1996.[29] C. Dwork, M. Naor and A. Sahai, Concurrent Zero-Knowledge, Proc. 30th Annual ACM Sym-posium on the Theory of Computing, Dallas, 1998, pp. 409{418.[30] U. Feige and A. Shamir, Witness Hiding and Witness Indistinguishability, Proc. 22nd AnnualACM Symposium on the Theory of Computing, Baltimore, 1990, pp. 416{426.[31] U. Feige, A. Fiat and A. Shamir, Zero Knowledge Proofs of Identity, J. of Cryptology 1 (2), pp77-94. (Preliminary version in STOC 87).[32] U. Feige, D. Lapidot and A. Shamir, Multiple Non-Interactive Zero-Knowledge Proofs Based ona Single Random String, Proc. of 31st IEEE Symposium on Foundations of Computer Science,1990, pp. 308{317.[33] M. J. Fischer, N. A. Lynch, A Lower Bound for the Time to Assure Interactive Consistency,IPL 14(4), 1982, pp. 183{186.[34] Z. Galil, S. Haber and M. Yung, Interactive Public-key Cryptosystems, see Symmetric Public-Key Encryption, Advances in Cryptology { Crypto'85, Lecture Notes in Computer Science No.218, Springer-Verlag, 1986, pp. 128{137.[35] Goldreich, O., Foundations of Cryptography (Fragments of a Book) 1995. Electronic pub-lication: http://www.eccc.uni-trier.de/eccc/info/ECCC-Books/eccc-books.html (ElectronicColloquium on Computational Complexity).[36] O. Goldreich, A Uniform Complexity Encryption of Zero-knowledge, Technion CS-TR 570, June1989.[37] O. Goldreich S. Goldwasser and S. Micali, How to Construct Random Functions , J. of theACM 33 (1986), pp. 792-807.[38] O. Goldreich and H. Krawczyk, On the Composition of Zero-knowledge Proof Systems, Siam J.on Computing 25, 1996, pp. 169{192.[39] O. Goldreich and L. Levin, A Hard Predicate for All One-way Functions , Proc. 21st AnnualACM Symposium on the Theory of Computing, Seattle, 1989, pp. 25-32.[40] O. Goldreich, S. Micali and A. Wigderson, Proofs that Yield Nothing But their Validity, and aMethodology of Cryptographic Protocol Design, J. of the ACM 38, 1991, pp. 691{729.[41] O. Goldreich and Y. Oren, De�nitions and Properties of Zero-Knowledge Proof Systems, J.Cryptology 6, 1993, pp. 1{32.[42] S. Goldwasser and S. Micali, Probabilistic Encryption, J. Com. Sys. Sci. 28 (1984), pp 270-299.48

[43] S. Goldwasser, S. Micali and C. Racko�, The Knowledge Complexity of Interactive Proof-Systems, Siam J. on Computing, 18(1) (1989), pp 186-208.[44] S. Goldwasser, S. Micali and R. Rivest, A Secure Digital Signature Scheme , Siam Journal onComputing, Vol. 17, 2 (1988), pp. 281-308.[45] S. Goldwasser, S. Micali and P. Tong, Why and How to Establish a Private Code on a PublicNetwork, Proc. of the 23rd IEEE Symposium on the Foundation of Computer Science, 1982,pp. 134-144.[46] I. Impagliazzo and M. Luby, One-way functions are essential to computational based cryptog-raphy, Proc. 21st ACM Symposium on Theory of Computing, 1989.[47] I. Impagliazzo, L. Levin and M. Luby, Pseudo-random generation from one-way functions,Proc. 21st ACM Symposium on Theory of Computing, 1989.[48] J. Kilian, On the complexity of bounded-interaction and non-interactive zero-knowledge proofs,Proc. of the 35th IEEE Symposium on the Foundation of Computer Science, 1994, pp. 466{477.[49] J. Kilian and E. Petrank, An e�cient non-interactive zero-knowledge proof system for NP withgeneral assumptions, Journal of Cryptology, vol 11, 1998, pp. 1{27.[50] J. Kilian, E. Petrank and C. Racko�, Lower Bounds for Zero Knowledge on teh Internet, Proc.of the 39th IEEE Symposium on the Foundation of Computer Science, 1998, pp. 484{492.[51] Luby M., Pseudo-randomness and applications, Princeton University Press, 1996.[52] U. Maurer, Towards the equivalence of breaking the Di�e-Hellman protocol and computingdiscrete algorithms, Advances in Cryptology { Crypto'94, Lecture Notes in Computer ScienceNo. 839, 1994, pp. 271{281.[53] S. Micali and C. Racko� and R. Sloan, Notions of Security of Public-Key Cryptosystems, SIAMJ. on Computing 17(2) 1988, pp. 412{426.[54] M. Naor, Bit Commitment Using Pseudo-Randomness, Journal of Cryptology, vol 4, 1991, pp.151-158.[55] M. Naor and O. Reingold, Synthesizers and their application to the parallel construction ofpseudo-random functions, Proc. 36th IEEE Symp. on Foundations of Computer Science, 1995,pp. 170-181.[56] M. Naor and O. Reingold, Number-Theoretic Constructions of E�cient Pseudo-Random Func-tions, Proc. of the 38th IEEE Symposium on the Foundation of Computer Science, 1982, pp.80{91.[57] M. Naor and O. Reingold, From Unpredictability to Indistinguishability: A Simple Constructionof Pseudo-Random Functions from MACs, Advances in Cryptology { Crypto'98 Proceeding,Lecture Notes in Computer Science No. 1462, Springer-Verlag, 1998, pp. 267{282.[58] M. Naor and A. Wool, Access Control and Signatures via Quorum Secret Sharing Proc. ThirdACM Conference on Computer and Communications Security, 1996, pp. 157{168.[59] M. Naor and M. Yung, Universal One-way Hash Functions and their Cryptographic Applica-tions, Proc. 21st Annual ACM Symposium on the Theory of Computing, Seattle, 1989, pp.33{43. 49

[60] M. Naor and M. Yung, Public-key Cryptosystems provably secure against chosen ciphertextattacks Proc. 22nd Annual ACM Symposium on the Theory of Computing, Baltimore, 1990,pp. 427{437.[61] M. O. Rabin, Randomized Byzantine Generals, Proc. of the 24th IEEE Symposium on theFoundation of Computer Science, 1983, pp. 403{409.[62] C. Racko� and D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen cipher-text attack, Advances in Cryptology - Crypto'91, Lecture Notes in Computer ScienceNo. 576, Springer Verlag, 1992, pp. 433{444.[63] R. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signature andPublic Key Cryptosystems, Comm. of ACM, 21 (1978), pp 120{126.[64] J. Rompel, One-way Function are Necessary and Su�cient for Signatures, Proc. 22ndAnnual ACM Symposium on the Theory of Computing, Baltimore, 1990, pp. 387{394.[65] A. C. Yao, Theory and Applications of Trapdoor functions, Proceedings of the 23thIEEE Symposium on the Foundation of Computer Science, 1982, pp. 80{91.[66] M. Yung, Cryptoprotocols: Subscription to a Public Key, the Secret Blocking and theMulti-Player Mental Poker Game, Advances in Cryptology { Crypto'84, Lecture Notesin Computer Science No. 196, pp. 439{453, 1985.

50