A Multi-Trapdoor Commitment Scheme from the RSA Assumption

Ryo Nishimaki (1), Eiichiro Fujisaki (1), Keisuke Tanaka (2)

(1) NTT, (2) Tokyo Institute of Technology

July 6, 2010 @ Sydney


Outline of This Talk

Introduction
- Backgrounds
- Multi-Trapdoor and Non-Malleable Commitment
- Our Result

Construction of Multi-Trapdoor Commitment
- Definition
- Main Idea
- Construction

Conclusion

Backgrounds

Commitment and Its Security

Commitment

Digital analogue of sealed envelopes.
One of the most fundamental cryptographic primitives.

[Figure: sender and receiver. Commit Phase, with "Hiding: cannot know about m"; Decommit Phase, with "Binding: cannot open to".]

Basic security: hiding and binding

Trapdoor Commitment

Pedersen Commitment (statistically hiding)

Commitment: message $m \in \mathbb{Z}_q$, randomness $r \xleftarrow{U} \mathbb{Z}_q$, $c := g^m h^r$.

Decommitment: $(m, d := r)$. Verify $c = g^m h^r$.

If we know a trapdoor, we can open in two different ways.

Equivocality

If we know $t = \log_g h$, we can compute $\tilde{r} = r + \frac{m - \tilde{m}}{t}$. $\tilde{r}$ is a valid decommitment for $\tilde{m}$:

$$g^{\tilde{m}} h^{\tilde{r}} = g^{\tilde{m}} h^{r} (g^{t})^{\frac{m - \tilde{m}}{t}} = g^{m} h^{r} = c.$$

Used as a building block of many cryptographic protocols: zero-knowledge, blind signature, etc.
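The commit, verify and equivocate steps above as runnable Python, an added example rather than code from the talk; the toy group (p = 2039, q = 1019, g = 4) and all function names are assumptions chosen for illustration. `extract_trapdoor` goes one step beyond the slide: any two distinct openings of the same commitment reveal t, which is why binding rests on the hardness of computing log_g h.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1 with P and Q
# prime, and G = 4 generating the subgroup of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (h, t) with h = g^t; t = log_g h is the trapdoor."""
    t = secrets.randbelow(Q - 1) + 1          # t in [1, Q-1], so h != 1
    return pow(G, t, P), t


def commit(h, m, r=None):
    """c := g^m h^r with r uniform in Z_q; returns (c, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m % Q, P) * pow(h, r % Q, P)) % P, r


def verify(h, c, m, r):
    """Accept the opening (m, r) iff c = g^m h^r."""
    return c == (pow(G, m % Q, P) * pow(h, r % Q, P)) % P


def equivocate(t, m, r, m_new):
    """With the trapdoor t, compute r~ = r + (m - m~)/t mod q."""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q


def extract_trapdoor(m, r, m_new, r_new):
    """Two different openings of one commitment give t = (m - m~)/(r~ - r)."""
    diff = (r_new - r) % Q
    if diff == 0:
        raise ValueError("openings must differ in the randomness")
    return ((m - m_new) * pow(diff, -1, Q)) % Q


if __name__ == "__main__":
    h, t = keygen()
    c, r = commit(h, 42)
    r_fake = equivocate(t, 42, r, 7)
    print("opens to 42:", verify(h, c, 42, r))
    print("opens to 7 with trapdoor:", verify(h, c, 7, r_fake))
    print("trapdoor recovered from both openings:",
          extract_trapdoor(42, r, 7, r_fake) == t)
```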

Multi-Trapdoor and Non-Malleable Commitment

Multi-Trapdoor Commitment

Gennaro introduced the notion and constructions of multi-trapdoor commitment in CRYPTO’04 [Gen04] (similar to IBE).

- Family of trapdoor commitments
- master public key (common reference string) and master trapdoor
- each commitment (defined by specific public key) admits its own trapdoor
- cannot break binding w/o trapdoors

Applications

- Non-malleable commitment schemes [Gen04]
- Concurrently non-malleable identification schemes [Gen04]
- building blocks of some other cryptographic protocols

Non-Malleability (with respect to Decommitment)

Man-in-the-middle adversary A may make another commitment to a related value, ...

[Figure: sender, adversary and receiver; Commit Phase, then Decommit Phase.]

cannot open to m̃, m even if A sees the sender’s decommitment.

Applications

- building blocks of cryptographic protocols (e.g., UC commitment)
- secure Internet auction

Our Result

Previous Results and Ours

New multi-trapdoor commitment scheme

based on the standard RSA assumption

Non-interactive and reusable NM commitment w.r.t. decommitment schemes in the CRS model from the standard RSA assumption.

| References | Interaction | Reusability | Assumptions |
|---|---|---|---|
| [DIO98] | NI | No | one-way function |
| [FF00, FF09] | I | No | DL, RSA, or Factoring |
| [DKOS01] | NI | No | DL or RSA |
| [DG03] | NI | Yes | strong RSA |
| [MY04] | NI | Yes | strong RSA or DSA |
| [Gen04] | NI | Yes | strong RSA or q-SDH |
| Ours | NI | Yes | RSA |

Definition

Algorithms of Multi-Trapdoor Commitment

- KGen: master public key PK (CRS) and master trapdoor TK
- Sel: (each) public key pk
- TGen(PK, pk, TK): trapdoor td for pk
- Com(PK, pk, M): commitment C and decommitment D
- Vrfy(PK, pk, M, C, D): 1/0 (accept/reject)
- Equiv(PK, pk, C, D, M̃, td): fake decommitment D̃ (open in a different way). 1 ← Vrfy(PK, pk, M̃, C, D̃)

Theorem (informal) [Gen04]

Multi-trapdoor commitment + one-time signature = reusable NM commitment w.r.t. decommitment.
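The six-algorithm interface above exercised end to end, as an added example that is not code from the talk. It is a toy commitment over an RSA modulus in the style of the strong-RSA-based schemes the comparison table attributes to [Gen04], not the RSA-based construction this talk presents. The modulus, the message bound, the prime range for pk, choosing s as a square, and packing D = (M, R) are all assumptions made for the illustration.

```python
import math
import secrets

MSG_BOUND = 2 ** 8              # assumption: messages M are integers in [0, 2^8)
PK_RANGE = (2 ** 8, 2 ** 9)     # assumption: each pk is a prime e, 2^8 < e < 2^9


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, math.isqrt(x) + 1))


def kgen():
    """KGen: master public key PK = (N, s), master trapdoor TK = phi(N)."""
    p, q = 2039, 2063           # constructed toy safe primes, insecure size
    n = p * q
    while True:
        x = secrets.randbelow(n - 2) + 2
        s = pow(x, 2, n)        # s is a square other than 1
        if math.gcd(x, n) == 1 and s != 1:
            return (n, s), (p - 1) * (q - 1)


def sel():
    """Sel: pick a public key, here a random prime e in PK_RANGE."""
    lo, hi = PK_RANGE
    while True:
        e = lo + 1 + secrets.randbelow(hi - lo - 1)
        if is_prime(e):
            return e


def tgen(PK, e, TK):
    """TGen: trapdoor for pk = e is the e-th root of s, computed via phi(N)."""
    n, s = PK
    return pow(s, pow(e, -1, TK), n)


def com(PK, e, m):
    """Com: C = s^M * R^e mod N for a random unit R; D = (M, R)."""
    n, s = PK
    if not 0 <= m < MSG_BOUND:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(s, m, n) * pow(r, e, n)) % n, (m, r)


def vrfy(PK, e, m, c, d):
    """Vrfy: accept iff D opens C to M under pk = e."""
    n, s = PK
    dm, r = d
    return (dm == m and 0 <= m < MSG_BOUND and 0 < r < n
            and c == (pow(s, m, n) * pow(r, e, n)) % n)


def equiv(PK, e, c, d, m_new, td):
    """Equiv: R~ = R * td^(M - M~) mod N opens the same C to M~."""
    n, _ = PK
    m, r = d
    return m_new, (r * pow(td, m - m_new, n)) % n


if __name__ == "__main__":
    PK, TK = kgen()
    e1, e2 = 257, 263                       # two public keys of the family
    td1 = tgen(PK, e1, TK)
    C, D = com(PK, e1, 42)
    print("honest opening:", vrfy(PK, e1, 42, C, D))
    print("equivocated under e1:", vrfy(PK, e1, 7, C, equiv(PK, e1, C, D, 7, td1)))
    C2, D2 = com(PK, e2, 42)
    # The trapdoor for e1 does not equivocate a commitment made under e2.
    print("e1 trapdoor under e2:", vrfy(PK, e2, 7, C2, equiv(PK, e2, C2, D2, 7, td1)))
```

Each public key has its own trapdoor: `td1` opens commitments under `e1` to any message, while the same value applied to a commitment under `e2` yields a decommitment that `vrfy` rejects.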

Road Map

[Diagram: Multi-Trapdoor commitment, One-time signature, NM commitment, RSA; labels: [Gen04], ?]

Main Idea

Similarity between MTC and Signature

Security requirements of MTC

Correctness: valid commitments pass the verification

Information Theoretic Secrecy: commitment is statistically hiding

Secure Binding: cannot open in a different way even if the adversary sees many equivocations

Observation

The security game of multi-trapdoor commitment (secure binding) is very similar to that of signature.

(Strongly) Secure Binding Game of MTC

cannot open in a different way even if the adversary gets trapdoors for selected keys

[Figure: adversary and oracle.]

PK is given after public keys are queried.

Page 41: A Multi-Trapdoor Commitment Scheme from the RSA …...Outline of This Talk Introduction Backgrounds Multi-Trapdoor and Non-Malleable Commitment Our Result Construction of Multi-Trapdoor

. . . . .

Introduction

. . . . . . . . .

Construction of Multi-Trapdoor Commitment Conclusion

Main Idea

Unforgeability against weak chosen message attacks

cannot make a valid signature even if the adversary gets signatures for selected messages.

[Figure: interaction between adversary and oracle]

vk is given after messages are queried.


Concrete Scheme

Hohenberger-Waters Signature [HW09]
Secure against weak chosen message attacks under the RSA assumption

Waters Signature [Wat05]
Secure against (weak) chosen message attacks under the CDH assumption


Road Map

[Figure: road map diagram. Nodes: Multi-Trapdoor commitment, One-time signature, NM commitment, Hohenberger-Waters Sig, RSA. Labels: [Gen04], [HW09], "secure against weak chosen message attacks".]


Construction

Trapdoor Commitment using Signature

[Figure: two adversary and oracle interaction diagrams]

MTC based on signature

• master public key = verification key
• master trapdoor = signing key
• public key = message
• trapdoor for a public key = signature for a message
• equivocation w/o trapdoors = obtaining a trapdoor = forgery
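The correspondence above (a trapdoor is a signature on the public key, and equivocating without a trapdoor amounts to forging one) can be run on a toy multi-trapdoor commitment. This is an added example, not the construction of this talk: it follows the style of Gennaro's strong-RSA-based scheme [Gen04], and all parameters, function names and sample values are constructed for illustration.

```python
# Toy multi-trapdoor commitment in the style of Gennaro's strong-RSA scheme [Gen04].
# Added illustration only: NOT the construction of this talk. Every parameter
# below is constructed and far too small to be secure.
P, Q = 10007, 10009                      # constructed toy primes (master trapdoor)
N, PHI = P * Q, (P - 1) * (Q - 1)
S = 4                                    # (N, S) plays the role of the verification key

def trapdoor(e):
    """Derive the trapdoor for public key e (a prime coprime to PHI): the e-th
    root of S. This is an RSA-style 'signature' on the 'message' e."""
    return pow(S, pow(e, -1, PHI), N)

def commit(e, m, r):
    """Commit to m in [0, e) under public key e with randomness r in Z_N^*."""
    if not 0 <= m < e:
        raise ValueError("message out of range")
    return pow(S, m, N) * pow(r, e, N) % N

def verify(e, c, m, r):
    """Check that (m, r) is a valid opening of commitment c under public key e."""
    return 0 <= m < e and c == commit(e, m, r)

def equivocate(x, m, r, m_new):
    """With trapdoor x (x^e = S), find r_new so the same commitment opens to m_new."""
    return r * pow(x, m - m_new, N) % N

def extract(e, m1, r1, m2, r2):
    """Two valid openings of one commitment to different messages give
    S^(m1-m2) = (r2/r1)^e; since e is prime and |m1-m2| < e, Bezout
    coefficients a*delta + b*e = 1 turn that into the e-th root of S."""
    delta = m1 - m2
    a = pow(delta, -1, e)                # a*delta = 1 (mod e)
    b = (1 - a * delta) // e             # exact division, may be negative
    return pow(r2 * pow(r1, -1, N), a, N) * pow(S, b, N) % N

def demo():
    e = 65537                            # constructed public key ("message")
    x = trapdoor(e)                      # its trapdoor ("signature")
    c = commit(e, 42, 123456)
    r_new = equivocate(x, 42, 123456, 31337)
    return x, c, r_new, extract(e, 42, 123456, 31337, r_new)
```

`extract` recovers exactly the value `trapdoor` returns, which is why a binding break under a key whose trapdoor was never handed out counts as a forgery in the signature game.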


Road Map


[Figure: road map diagram. Nodes: Multi-Trapdoor commitment, One-time signature, NM commitment, Hohenberger-Waters Sig, Waters Sig, RSA, CDH. Labels: [Gen04], [HW09], [Wat05], "secure against weak chosen message attacks", [This work], [DSW08].]


Summary of Our results

New multi-trapdoor commitment scheme

• based on the RSA (or CDH) assumption
• Non-interactive and reusable NM commitment in the CRS model (corollary)

construction

• similarity between MTC and signature
• MTC based on signature secure against weak chosen message attacks
• Hohenberger-Waters signature (or Waters signature)


References

I. Damgård and J. Groth. Non-interactive and reusable non-malleable commitment schemes. In STOC, pages 426–437. ACM, 2003.

G. Di Crescenzo, Y. Ishai, and R. Ostrovsky. Non-Interactive and Non-Malleable Commitment. In STOC, pages 141–150, 1998.

G. Di Crescenzo, J. Katz, R. Ostrovsky, and A. Smith. Efficient and Non-interactive Non-malleable Commitment. In EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 40–59. Springer, 2001.

M. Fischlin and R. Fischlin. Efficient Non-malleable Commitment Schemes. In CRYPTO, volume 1880 of Lecture Notes in Computer Science, pages 413–431. Springer, 2000.

M. Fischlin and R. Fischlin. Efficient Non-malleable Commitment Schemes. Journal of Cryptology, 22(4):530–571, 2009.

R. Gennaro. Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks. In CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 220–236. Springer, 2004.

S. Hohenberger and B. Waters. Short and Stateless Signatures from the RSA Assumption. In CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 654–670. Springer, 2009.

P. D. MacKenzie and K. Yang. On Simulation-Sound Trapdoor Commitments. In EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 382–400. Springer, 2004.

B. Waters. Efficient Identity-Based Encryption Without Random Oracles. In EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer, 2005.