Title: Two-Round and Non-Interactive Concurrent Non-Malleable Commitments from Time-Lock Puzzles
Authors: Huijia Lin, R. Pass, Pratik Soni
DOI: 10.1109/FOCS.2017.59 (https://doi.org/10.1109/FOCS.2017.59)
Venue: 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS)
Published: 2017-10-01
Source: Semantic Scholar
Citations: 49

Two-Round and Non-Interactive Concurrent Non-Malleable Commitments from Time-Lock Puzzles

Abstract
Non-malleable commitments are a fundamental cryptographic tool for preventing (concurrent) man-in-the-middle attacks. Since their invention by Dolev, Dwork, and Naor in 1991, the round complexity of non-malleable commitments has been extensively studied, leading up to constant-round concurrent non-malleable commitments based only on one-way functions, and even 3-round concurrent non-malleable commitments based on subexponential one-way functions. But constructions of two-round, or non-interactive, non-malleable commitments have so far remained elusive; the only known construction relied on a strong and non-falsifiable assumption with a non-malleability flavor. Additionally, a recent result by Pass shows the impossibility of basing two-round non-malleable commitments on falsifiable assumptions using a polynomial-time black-box security reduction.

In this work, we show how to overcome this impossibility using super-polynomial-time hardness assumptions. Our main result demonstrates the existence of a two-round concurrent non-malleable commitment based on sub-exponential standard-type assumptions; notably, assuming the existence of the following primitives (all with subexponential security): (1) non-interactive commitments, (2) ZAPs (i.e., 2-round witness-indistinguishable proofs), (3) collision-resistant hash functions, and (4) a weak time-lock puzzle. Primitives (1), (2), (3) can be based on, e.g., the discrete log assumption and the RSA assumption. Time-lock puzzles, i.e. puzzles that can be solved by brute force in time 2^t but cannot be solved significantly faster even using parallel computers, were proposed by Rivest, Shamir, and Wagner in 1996, and have been quite extensively studied since; the most popular instantiation relies on the assumption that 2^t repeated squarings mod N = pq require roughly 2^t parallel time. Our notion of a weak time-lock puzzle requires only that the puzzle cannot be solved in parallel time 2^{t^ε} (and thus we only need to rely on the relatively mild assumption that there are no huge improvements in the parallel complexity of repeated-squaring algorithms). We additionally show that if assumption (2) is replaced with a non-interactive witness-indistinguishable proof (NIWI), and (3) with a uniform collision-resistant hash function, then a non-interactive (i.e., one-message) version of our protocol satisfies concurrent non-malleability w.r.t. uniform attackers.
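The repeated-squaring time-lock puzzle that the abstract names as the most popular instantiation is easy to see concretely. The following is an added toy implementation of the Rivest-Shamir-Wagner puzzle; it is not code from the Lin-Pass-Soni paper and does not implement their commitment scheme. The puzzle setter knows the factorization N = pq and uses phi(N) as a trapdoor to compute a^(2^T) mod N with two modular exponentiations, while a solver without the trapdoor must perform T modular squarings, each depending on the previous one, so extra processors do not help. Here T denotes the number of squarings (2^t in the abstract's notation); the primes, base, message and function names are constructed for the example.

```python
# Added example (not from the Lin-Pass-Soni paper): a toy Rivest-Shamir-Wagner
# time-lock puzzle over an RSA modulus N = p*q. Toy parameters only: a real
# puzzle uses a 2048-bit-plus modulus and T in the billions of squarings.
import hashlib
import math
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Puzzle:
    N: int        # RSA modulus; its factorization is the setter's trapdoor
    a: int        # random base with gcd(a, N) == 1
    T: int        # number of sequential squarings the solver must perform
    ct: bytes     # message XORed with a pad derived from a^(2^T) mod N


def _pad(solution: int, length: int) -> bytes:
    # One-time pad of the required length derived from the puzzle solution.
    nbytes = (solution.bit_length() + 7) // 8 or 1
    return hashlib.shake_256(solution.to_bytes(nbytes, "big")).digest(length)


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, pad))


def trapdoor_solution(a: int, T: int, p: int, q: int) -> int:
    # Setter's shortcut: by Euler's theorem a^(2^T) == a^(2^T mod phi(N)) mod N
    # for gcd(a, N) == 1, so the exponent is first reduced modulo phi(N).
    N, phi = p * q, (p - 1) * (q - 1)
    return pow(a, pow(2, T, phi), N)


def sequential_solution(a: int, T: int, N: int) -> int:
    # Solver's route without the trapdoor: T squarings in a strict chain.
    # Each step needs the previous result, which is what makes the work
    # inherently sequential rather than parallelizable.
    x = a % N
    for _ in range(T):
        x = x * x % N
    return x


def make_puzzle(p: int, q: int, T: int, message: bytes,
                a: Optional[int] = None) -> Puzzle:
    N = p * q
    if a is None:
        while True:
            a = secrets.randbelow(N - 3) + 2
            if math.gcd(a, N) == 1:
                break
    elif math.gcd(a, N) != 1:
        raise ValueError("base must be coprime to N")
    solution = trapdoor_solution(a, T, p, q)
    return Puzzle(N, a, T, _xor(message, _pad(solution, len(message))))


def solve_puzzle(puz: Puzzle) -> bytes:
    # Anyone holding the puzzle (but not p, q) recovers the message only after
    # the full chain of T squarings.
    solution = sequential_solution(puz.a, puz.T, puz.N)
    return _xor(puz.ct, _pad(solution, len(puz.ct)))


if __name__ == "__main__":
    # Constructed toy parameters: two small primes, 4096 squarings.
    P, Q = 1000000007, 998244353
    puz = make_puzzle(P, Q, T=1 << 12, message=b"open the commitment at epoch 42")
    print(solve_puzzle(puz))
```

The asymmetry this shows is exactly what the abstract's hardness assumption is about: the setter's cost is independent of T, while the only known way to open the puzzle without the trapdoor is T dependent squarings. The "weak" time-lock notion above asks only that no parallel algorithm does dramatically better than that chain, not that the chain is optimal to within a constant.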