Textbook non-malleable commitments

Goyal, Vipul; Pandey, Omkant; Richelson, Silas

doi:10.1145/2897518.2897657

Cited by 64 publications

(27 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…opening). Recently Goyal et al [35] showed how to construct 3-round non-malleable commitments from standard assumptions when the adversary plays left and right sessions in parallel. Their scheme crucially relies on the power of split-state non-malleable codes.…”

Section: Additional Related Workmentioning

confidence: 99%

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

At ICS 2010, Dziembowski, Pietrzak and Wichs introduced the notion of non-malleable codes, a weaker form of error-correcting codes guaranteeing that the decoding of a tampered codeword either corresponds to the original message or to an unrelated value. The last few years established non-malleable codes as one of the recently invented cryptographic primitives with the highest impact and potential, with very challenging open problems and applications. In this work, we focus on so-called continuously non-malleable codes in the split-state model, as proposed by Faust et al. (TCC 2014), where a codeword is made of two shares and an adaptive adversary makes a polynomial number of attempts in order to tamper the target codeword, where each attempt is allowed to modify the two shares independently (yet arbitrarily). Achieving continuous non-malleability in the split-state model has been so far very hard. Indeed, the only known constructions require strong setup assumptions (i.e., the existence of a common reference string) and strong complexity-theoretic assumptions (i.e., the existence of non-interactive zero-knowledge proofs and collision-resistant hash functions). As our main result, we construct a continuously non-malleable code in the split-state model without setup assumptions, requiring only one-toone one-way functions (i.e., essentially optimal computational assumptions). Our result introduces several new ideas that make progress towards understanding continuous non-malleability, and shows interesting connections with protocol-design and proof-approach techniques used in other contexts (e.g., look-ahead simulation in zero-knowledge proofs, non-malleable commitments, and leakage resilience).

show abstract

Section: Additional Related Workmentioning

confidence: 99%

Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions

Ostrovsky

Persiano

Venturi

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…We run Π OR in parallel with a 4-round public-coin one-one honest-extractable synchronous non-malleable commitment scheme Π nm 6 . A construction for such a scheme in 4 rounds was given by [GPR16]. The prover of the NMZK argument runs Π OR in order to prove either the validity of some N P-statement, or that the non-malleable commitment computed using Π nm contains a trapdoor.…”

Section: Technical Overview On Our Nmzkmentioning

confidence: 99%

“…Indeed if the sender of NM could decide the message to commit in the last round, then Sim NMZK can simply compute the first round of NM, extract the signature, and compute the last round of NM by committing to σ 1 ||σ 2 . It is important to observe that even though the non-malleable commitment scheme of [GPR16] fixes the message to be committed in the third round, there is in general no guarantee that such a scheme is secure against an adversary that adaptively chooses the challenge messages in the last round of the non-malleability security game. Therefore, even though the completeness of our scheme would work without using the trick of [COSV16], it would be unclear, in general, how to prove the security of our final scheme.…”

Section: For More Details)mentioning

confidence: 99%

“…honest sender (honest-extractable) and 3) is public-coin. The non-malleable commitment Π provided in Figure 2 of [GPR16] enjoys non-malleability against synchronous adversary (as proved in Theorem 1 of [GPR16]), is public coin and can be instantiated in 4 rounds relying on OWFs (the protocol can be squeezed to 3 rounds using one-to-one OWFs).…”

Section: A3 Non-malleable Commitmentsmentioning

confidence: 99%

“…Also, as stated in Section 5 of [GPR16], given a commitment computed by the sender of Π one can rewind the sender in order to obtain a new accepting transcript with the same first round (resp., first two rounds if we consider the instantiation that relies on OWFs) in order to extract a message m. Moreover, if the sender is honest, then it is possible to claim that m is the actual message committed by the sender. We remark that we do not require any form of extractability against malicious senders.…”

Section: A3 Non-malleable Commitmentsmentioning

confidence: 99%

See 2 more Smart Citations

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

Ciampi

Ostrovsky

Siniscalchi

et al. 2017

Theory of Cryptography

View full text Add to dashboard Cite

In this work we start from the following two results in the state-of-the art: 1. 4-round non-malleable zero knowledge (NMZK): Goyal et al. in FOCS 2014 showed the first 4-round one-one NMZK argument from one-way functions (OWFs). Their construction requires the prover to know the instance and the witness already at the 2nd round. 2. 4-round multi-party coin tossing (MPCT): Garg et al. in Eurocrypt 2016 showed the first 4-round protocol for MPCT. Their result crucially relies on 3-round 3-robust parallel non-malleable commitments. So far there is no candidate construction for such a commitment scheme under standard polynomial-time hardness assumptions. We improve the state-of-the art on NMZK and MPCT by presenting the following two results: 1. a delayed-input 4-round one-many NMZK argument Π NMZK from OWFs; moreover Π NMZK is also a delayed-input many-many synchronous NMZK argument. 2. a 4-round MPCT protocol Π MPCT from one-to-one OWFs; Π MPCT uses Π NMZK as subprotocol and exploits the special properties (e.g., delayed input, many-many synchronous) of Π NMZK . Both Π NMZK and Π MPCT make use of a special proof of knowledge that offers additional security guarantees when played in parallel with other protocols. The new technique behind such a proof of knowledge is an additional contribution of this work and is of independent interest.

show abstract