The above discussion has considered alternative conceptualizations of X and Q (and non-X and non-Q), when a simulator interacts with ideal commitment functionalities during a simulation. This conveys that proofs of security may consider different simulatability models, in what concerns the hybrid use of ideal functionalities.
– Plain model. When rewinding is allowed, it is possible to consider the plain model, without any kind of ideal functionalities. Here, either no setup assumptions are required, or the protocol is augmented with a setup phase that results from interaction between the two parties, without reliance on ideal functionalities. In such a model, $C_X$ and $C_Q$ are assumed to be implemented by real sub-protocols between the two parties, in a way that allows $S$ to have the necessary X and Q capabilities, respectively. In practice, these capabilities may derive from implicit local rewinding in the respective phases (e.g., within some ZK sub-protocol) and/or from use of a secret trapdoor obtained upon rewinding in some implicit prior setup phase.
– Hybrid model. In a hybrid model, $C_X$ and $C_Q$ are replaced by respective ideal functionalities $F_{X\&Q} \equiv F_{\mathrm{MCOM}}(X\&Q)[C_X]$ and $F_{X\&Q} \equiv F_{\mathrm{MCOM}}(X\&Q)[C_Q]$. These two are impersonated by $S$ when interacting with the black-box malicious party in the simulated execution. As mentioned before, there are two concerns here: i) the protocol must be specified with a syntax of interaction consistent with the ideal functionalities used; ii) the commitments must not cause undesired interferences between themselves, e.g., some kind of malleability (see further notes ahead).
– Nested hybrid model. In the nested hybrid model, $C_X$ and $C_Q$ are replaced by ideal functionalities $F_X \equiv F_{\mathrm{MCOM}}(X\&Q)[F_{X\&Q}]$ and $F_Q \equiv F_{\mathrm{MCOM}}(X\&Q)[F_{X\&Q}]$, with the underlying virtual $F_{X\&Q}$ not being impersonatable by the simulator. As mentioned, in practice this model is syntactically equivalent to the $F_{X\&Q}$-hybrid model, but with the constructive (intended) limitation that X and Q are actively isolated, i.e., the simulator cannot take advantage of certain X or Q capabilities. Thus, as desired, this model does not leave room to argue that the proof might require a full-fledged X&Q commitment scheme, as could be argued if one only knew that a proof had been made in the usual $F_{\mathrm{MCOM}}$-hybrid model.
In spite of the distinction between the hybrid and the nested-hybrid model, for the sake of simplicity the remainder of the paper uses a single notation when defining and analyzing simulations in any sort of hybrid model. In particular, the security analysis will simply refer to a hybrid model using ideal commitment functionalities $F_X$ and $F_Q$. Also, the syntax of interaction will be as if $F_X$ and $F_Q$ were actually both equivalent to $F_{\mathrm{MCOM}} \equiv F_{X\&Q}$. Thus, it will remain implicit that the simulation corresponds to what was here defined as the nested-hybrid model. Specifically, under this interpretation one may be assured that when using $F_X$ or $F_Q$ the simulator will not even "try" to use Q or X, respectively. Because of this simplification, this section is not essential for understanding the remaining analysis of the paper; it is rather a complementary source of intuition for the interested reader.
Remark (interfering commitment schemes). The new protocols devised in this paper make use of two underlying commitment schemes ($C_X$ and $C_Q$). When using the nested-hybrid model, each of these schemes is replaced by an ideal commitment functionality that ensures complete independence between commitments, as if one were actually using the $F_{X\&Q}$-hybrid model. However, when considering real cryptographic instantiations, interferences may arise that jeopardize the intended properties, e.g., hiding, binding, extractability or equivocability of an individual commitment scheme, or even independence of committed/opened values (broken by means of malleability). One notable exception, where such questioning is not needed, is if the instantiations are already proven to be universally composable (UC). However, one goal of this paper is precisely to allow use of underlying commitment schemes that are not necessarily full-fledged UC, namely that are not simultaneously X and Q. Also, there may be advantage in considering instantiations of $C_X$ and $C_Q$ that are different but related (e.g., same trapdoor; see §D.1). The matter of interfering commitment schemes is further discussed in §D.2.
C Coin-flipping simulatable-with-rewinding
This section analyzes coin-flipping in a stand-alone setting where simulation with rewinding is allowed. Subsection §C.1 clarifies several aspects about coin-flipping into a well: it reviews the early protocol proposed by Blum for coin-flipping by telephone [Blu83], and it discusses the matter of bias and the security in the case of a single coin-flip. Then, still as a "warm-up", Subsection §C.2 comments on the (non-)simulatability of protocols in the traditional template, in case the underlying commitment scheme lacks extractability (X) or equivocability (Q): the case of X&Q is shown to be non-simulatable; the case of X&Q (as in Blum's protocol) is left in doubt, but an issue of unknown probability of abort is raised. Subsection §C.3 provides a proof of security (i.e., simulatability) of protocol #1: it specifies a simulator for the case of each corrupted party and analyzes the respective simulation, to argue the indistinguishability of distributions between the ideal and the real worlds. The somewhat intricate analysis of a super-polynomial upper bound on the number of rewindings for the simulation in the case of a corrupted $P^*_B$ is left to Subsection §C.4, which shows that it leads to an expected polynomial number of rewindings.
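To make the simulator's X and Q capabilities from the hybrid-model discussion above concrete, and to connect them with the commit-then-reveal coin-flipping template reviewed in §C.1, the following Python sketch is added here; it is example code, not from the paper. It models an ideal commitment functionality whose simulator-only interfaces (extract for X, equivocate for Q) can be switched off, a Blum-style single coin flip in which $P_A$ commits, $P_B$ answers in the clear and $P_A$ opens, and one simulator per corrupted party. The class and function names, the on/off flags and the two black-box adversaries are this example's own constructions and are not the paper's notation or protocol #1.

```python
"""Toy model of hybrid-model simulation (added example, not the paper's
code): an ideal commitment functionality with switchable X and Q
interfaces, a Blum-style commit-then-reveal coin flip, and one simulator
per corrupted party."""
import secrets


class IdealCommitment:
    """Stands in for F_MCOM(X&Q)[.]. Real parties only call commit/open;
    extract/equivocate are simulator-only interfaces available when the
    modelled functionality has property X or Q. The two flags are this
    example's device for removing a capability (an assumption)."""

    def __init__(self, extractable=True, equivocable=True):
        self.extractable = extractable
        self.equivocable = equivocable
        self._store = {}

    def commit(self, value):
        cid = secrets.token_hex(8)      # opaque handle: hiding
        self._store[cid] = value
        return cid

    def open(self, cid):
        return self._store[cid]         # real parties cannot alter it: binding

    def extract(self, cid):             # X: simulator reads a committed value
        if not self.extractable:
            raise PermissionError("functionality lacks X")
        return self._store[cid]

    def equivocate(self, cid, value):   # Q: simulator re-decides the opening
        if not self.equivocable:
            raise PermissionError("functionality lacks Q")
        self._store[cid] = value


# --- black-box adversaries, constructed for this example -----------------
class BobAlwaysOne:
    """Corrupt P_B that answers 1 whatever commitment it receives."""
    def choose_b(self, cid):
        return 1


class AliceWants:
    """Corrupt P_A that commits to a fixed bit and aborts unless the
    outcome would be the bit it wants (bias by abort)."""
    def __init__(self, want, a=0):
        self.want, self.a = want, a

    def commit(self, F):
        return F.commit(self.a)

    def open_or_abort(self, b):
        return self.a if self.a ^ b == self.want else None


# --- real executions: P_A commits, P_B answers in the clear, P_A opens ----
def real_corrupt_bob(F, bob):
    a = secrets.randbits(1)             # honest P_A
    cid = F.commit(a)
    return F.open(cid) ^ bob.choose_b(cid)


def real_corrupt_alice(F, alice):
    cid = alice.commit(F)
    b = secrets.randbits(1)             # honest P_B
    return None if alice.open_or_abort(b) is None else F.open(cid) ^ b


# --- simulators, each handed the coin chosen in the ideal world -----------
def sim_corrupt_bob(F, bob, coin):
    """Needs Q: commits to a dummy, then re-opens so that a xor b == coin."""
    cid = F.commit(0)
    b = bob.choose_b(cid)
    F.equivocate(cid, coin ^ b)
    return F.open(cid) ^ b


def sim_corrupt_alice(F, alice, coin):
    """Needs X: extracts a and answers b = coin xor a, so the run ends in
    `coin` or in the same abort the adversary would cause in the real world."""
    cid = alice.commit(F)
    a = F.extract(cid)
    return None if alice.open_or_abort(coin ^ a) is None else coin


def zero_fraction(outputs):
    """Share of non-aborted runs that ended in 0 (1/2 for an unbiased coin)."""
    finished = [o for o in outputs if o is not None]
    return sum(o == 0 for o in finished) / len(finished)


if __name__ == "__main__":
    runs = [real_corrupt_alice(IdealCommitment(), AliceWants(0)) for _ in range(1000)]
    print("aborts:", runs.count(None), "zero fraction:", zero_fraction(runs))
    print("simulated run vs corrupt P_B, coin 1:",
          sim_corrupt_bob(IdealCommitment(), BobAlwaysOne(), 1))
```

Two things are visible when running it. First, the simulator against a corrupt $P_B$ succeeds only when the functionality offers Q, and the one against a corrupt $P_A$ only when it offers X; a single commitment in this template would therefore have to be both X and Q, which is exactly the situation the two-scheme design ($C_X$ and $C_Q$) is meant to avoid. Second, the corrupt $P_A$ that aborts selectively never finishes a run with outcome 1, so every non-aborted real-world run is 0; the simulator reproduces this by forwarding the abort, but the abort probability itself depends on the adversary's strategy, which is the point raised about the traditional template.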