D New SPHF-Friendly Commitment Scheme - Removing Erasures with Explainable Hash Proof Systems

In this appendix, we show how to construct SPHFs for our new commitment scheme in Section 5, and give its security proof.

D.1 SPHF

KV-SPHF. Let us consider a commitment C = (ei,b, ui,b, vi,b, wi,b)i,b under some label `. From

the definition, this is a commitment of M if, for i = 1, . . . , m, (ei,Mi, e ξ

i,Mi, ui,Mi, u ξ

i,Mi, vi,Mi, wi,Mi)

is a linear combination of the rows, with coefficients (ri,Mi, ri,Miξ, si,Mi, si,Miξ), of the following

matrix: Γ =     g 1 1 1 ˆh c 1 g 1 1 1 c0 1 1 g 1 h d 1 1 1 g 1 d0     . (1)

Therefore, the hashing key is a random tuple hk = (ηi,j)i,j $

← Zm×6

p , the projection key is

hp = (hp_i,k)i,k ∈ Gm×4 with:

hp_i,1 = gηi,1_{· ˆ}_hηi,5_{· c}ηi,6

hp_i,2 = gηi,2_{· c}0ηi,6

hp_i,3 = gηi,3_{· h}ηi,5_{· c}ηi,6

hp_i,4 = gηi,4_{· d}0ηi,6

and the hash value is:

Hash(hk, (crs, M ), (`, C)) := m Y i=1 eηi,1+ξηi,2 i,Mi · u ηi,3+ξηi,4 i,Mi · v ηi,5 i,Mi · w ηi,6 i,Mi = m Y i=1

hpr_i,1i,Mi · hpξri,Mi

i,2 · hp s_i,Mi i,3 · hp s_i,Mi i,4 =: ProjHash(hp, (crs, M ), (`, C), δ).

GL-SPHF. For a GL-SPHF, ξ is known in advance. So we can use a simpler matrix Γ . In addition, we can re-use the same hp for all bits of the commitment by using a scalar ε of at least K bits (for the sake of simplicity, we suppose that ε_{← Z}$ p). Also notice that ε is not required when m = 1.

More precisely, C is a commitment of M , if, for i = 1, . . . , m, (ei,Mi, ui,Mi, vi,Mi, wi,Mi) is a

linear combination of the rows, with coefficients (ri,Mi, si,Mi), of the following matrix:

Γ =g 1 ˆh c · c

0ξ

1 g h d · d0ξ

Therefore the hashing key is a random tuple hk = (η1, η2, η3, η4, ε) $

← Z5

p, the projection key

is hp = (hp₁, hp₂_{, ε) ∈ G}2_{× Z}

p with:

hp₁ = gη1 _{· ˆ}_hη3 _{· (c · c}0ξ₎η4

Expw-ps-rand-bA (K)

(crs, τ ) $

← C.SetupT(1K₎

(`, M , st)← A$ C.SCom·(τ,·),C.Ext·(τ,·),C.IsBinding·(τ,·,·)_(crs)

for i = 1, . . . , m do

ri,0, ri,1, si,0← Z$ p; si,1← t − si,0

ei,0← gri,0; ui,0← gsi,0; vi,0= ˆhri,0hsi,0

ei,1← gri,1; ui,1← gsi,1; vi,1= ˆhri,1hsi,1

ξ = H(`, (ei,b, ui,b, vi,b)i,b)

for i = 1, . . . , m do wi,Mi← (c r_i,Mi_{· d}s_i,Mi ) · (c0ri,Mi· d0s_i,Mi )ξ if b = 0 then wi, ĚMi← (c r_i,Ę_Mi

· dsi,ĘMi_{) · (c}0ri,ĘMi_{· d}0si,ĘMi₎ξ

else wi, ĚMi

← G C ← (ei,b, ui,b, vi,b, wi,b)i,b

δ ← (ri,Mi, si,Mi)i

return AC.SCom·(τ,·),C.Ext·(τ,·),C.IsBinding·(τ,·,·)(st, C, δ) Fig. 10. w-pseudo-randomness

and the hash value is:

Hash(hk, (crs, M ), (`, C)) := m Y i=1 eη1 i,Mi · u η2 i,Mi· v η3 i,Mi· w η4 i,Mi εi = m Y i=1 hpr₁i,Mi · hpsi,Mi 2 εi =: ProjHash(hp, (crs, M ), (`, C), δ). D.2 Preliminaries: w-Pseudo-Randomness

To prove that our commitment scheme is SPHF-friendly, we will first prove an intermediate property we call w-pseudo-randomness, which is defined by the experiments Expw-ps-rand-b in Figure 10, where the Remark 2 from the definitions in Appendix B.3 still applies. It roughly says that simulating commitments with valid w_{i, Ď}_M_i is indistinguishable from generating them with random w_{i, Ď}_M_i. This can be seen as a pseudo-randomness property for the implicit underlying 2-universal hash proof system.

The proof is close (though slightly different) from the proof of vector-indistinguishability with partial opening under chosen-ciphertexts attacks in [ABB+_{13]. More precisely, the proof first}

consists in aborting as soon as the value ξ of a commitment queried to C.Ext or C.IsBinding is equal to the value ξ in our experiment. Thanks to the collision resistance of the hashing function, this is computationally indistinguishable. Then it consists in the following sequence of hybrid games: in the hybrid game i (i = 0, . . . , m),

(

w_j,Ě_M_j _{← G}$ for j = 1, . . . , i

w_j,Ě_M_j ← (crj, Ě_Mj _{· d}sj, Ě_Mj_{) · (c}0rj, Ě_Mj _{· d}0sj, Ě_Mj₎ξ _{for j = i + 1, . . . , m}

so that the hybrid game 0 is Expw-ps-rand-0_A while the hybrid game m is Expw-ps-rand-1_A . It remains to prove that the hybrid game k is indistinguishable from the hybrid game k + 1. This is done by the following sequence of subgames:

Game G0: This is the hybrid game i − 1. And then for all the indices j ≤ i − 1, wj,ĚMj $

← G, while for the indices j ≥ i, w_j,Ě_M_j ← (crj, Ě_Mj _{· d}sj, Ě_Mj_{) · (c}rj, Ě_Mj _{· d}sj, Ě_Mj₎ξ_.

Game G1: In this game, we compute wi, ĎMi as:

w_{i, Ď}_M_i = eα+ξα_{i, Ď}_M 0 i · u β+ξβ0 i, ĎMi · v γ+ξγ0 i, ĎMi instead of w_{i, Ď}_M_i = (cri, Ě_Mi _{· d}si, Ě_Mi_{) · (c}0ri, Ě_Mi _{· d}0si, Ě_Mi₎ξ_.

This modification is purely syntactical, and this game is perfectly indistinguishable from the previous one.

Game G2: In this game, we pick vi, ĎMi at random, instead of computing it as vi, ĎMi = ˆh r_{i, Ě}_Mi

hsi, Ě_Mi_.

This game is indistinguishable from the previous one, under the DDH assumption. Indeed, given a tuple (g, ˆh, e_{i, Ď}_M_i, v0), we can set v_{i, Ď}_M_i = v0 · hsi, Ě_Mi_{; and if this tuple is a DDH tuple,}

v_{i, Ď}_M_i is computed as in the previous game, and otherwise, it is computed as in this game. Notice that the discrete logarithm r_{i, Ď}_M_i of e_{i, Ď}_M_i is not used, which enables to use the DDH assumption.

Game G3: In this game, we generate h as h ← ga, ˆh ← gaˆ, with a, ˆa $

← Zp. This modification

is purely syntactical and this game is perfectly indistinguishable from the previous one. Game G4: Then, for all commitments C0 = (e0j,b, u

0 j,b, v

0 j,b, w

j,b)j,b with label `0 queried to the

oracle C.Ext or C.IsBinding, each time we need to perform a test of the form:

wj0_,b0 = e? 0α+ξ 0_α0 j0_,b0 · u 0β+ξ0_β0 j0_,b0 · v 0γ+ξγ0 j0_,b0 , (2)

where ξ0 = H(`0, (e0_j,b, u0_j,b, v_j,b0 )j,b), we reject the test as soon as: vj00_,b0 6= u0a_j0_,b0· e0ˆ_ja0_,b0.

This game is statistically indistinguishable from the previous one. To prove it, we use a sequence of hybrid games to add one by one this new test: for each commitment (in order of the queries to C.Ext and C.IsBinding) and then each pair (j0, b0) (e.g., in lexicographical order). We remark that the newly added test for some C0, j0 and b0, the only information (from an information theory point of view) the adversary has about α, α0, β, β0, γ, γ0 is at most:

– log c = α + γˆa and log c0 = α0+ γ0ˆa from the definition of c and c0 (where log is the discrete logarithm in base g)

– log d = β + γa and log d0 = β0+ γ0a from the definition of d and d0

– log w_{i, Ď}_M_i = (α + ξα0) log e_{i, Ď}_M_i + (β + ξβ0) log u_{i, Ď}_M_i + (γ + ξγ0) log v_{i, Ď}_M_i, from the value of w_{i, Ď}_M_i

– and values of the form e00α+ξ_j,b 00α0·u00β+ξ_j,b 0β0·v00γ+ξγ_j,b 0 for commitments C00= (e00_j,b, u00_j,b, v00_j,b, w00_j,b)j,b

with label `00, queried before C0. But in this case, necessarily, v_j,b00 = u00a_j,b·e00ˆa

j,b, since otherwise

this value would not have been computed. And so, this value can be computed by linear combinations of the previous equations (which can be seen easily on the matrix below). Finally, we get that, from the adversary point of view, α, α0, β, β0, γ, γ0 are random values verifying the following system of equations:

      log c log c0 log d log d0 log w_{i, Ď}_M_i       =       1 0 0 0 ˆa 0 0 1 0 0 0 ˆa 0 0 1 0 a 0 0 0 0 1 0 a

log e_{i, Ď}_M_i ξ log e_{i, Ď}_M_i log u_{i, Ď}_M_i ξ log u_{i, Ď}_M_i log v_{i, Ď}_M_i ξ log v_{i, Ď}_M_i       ·         α α0 β β0 γ γ0         .

Since ξ0 6= ξ, if v0

j0_,b0 6= u0a_j0_,b0 · e0ˆ_ja0_,b0, then

log e0_j0_,b0 ξ0log e_j00_,b0 log u0_j0_,b0 ξ0log u0_j0_,b0 log v_j00_,b0 ξ0log v0_j0_,b0

is linearly independent of the rows of the above rectangular matrix, and so e0α+ξ_j0_,b0 0α0 · u 0β+ξ0_β0 j0_,b0 ·

v_j0γ+ξγ0_,b0 0 is completely random, from the adversary point of view. Therefore, with probability

1/p, wj0_,b0 6= e0α+ξ 0_α0 j0_,b0 · u 0β+ξ0_β0 j0_,b0 · v 0γ+ξγ0

j0_,b0 , and the test in Equation Equation (2) would also have

failed. And adding this new test is statistically indistinguishable.

Game G5: In this game, we remark that, from the adversary point of view, before wi, ĎMi is

computed, α, α0, β, β0, γ, γ0 are random values verifying the following system of equations:

    log c log c0 log d log d0     =     1 0 0 0 ˆa 0 0 1 0 0 0 ˆa 0 0 1 0 a 0 0 0 0 1 0 a     ·         α α0 β β0 γ γ0         .

Since, with high probability, v_{i, Ď}_M_i 6= u0a i, ĎMi· e

0ˆa

i, ĎMi (vi, ĎMi being chosen at random), then

log e_{i, Ď}_M_i ξ0log e0_{i, Ď}_M i log u 0 i, ĎMi ξ 0_{log u}0 i, ĎMi log v 0 i, ĎMi ξ 0_{log v}0 i, ĎMi

is linearly independent of the rows of the above rectangular matrix, and so w_{i, Ď}_M_i = e0α+ξ_{i, Ď}_M 0α0

i ·

u0β+ξ_{i, Ď}_M 0β0

i · v

0γ+ξγ0

i, ĎMi is completely random, from the adversary point of view.

So, in this game, we replace w_{i, Ď}_M_i _{by a random value in G, and this is statistically indistin-} guishable from the previous game.

Game G6: In this game, we now remove the extra tests introduced in G4. This game is statis-

tically indistinguishable from the previous one, using a proof similar to the one in G4 (except

this time, it is even easier, since w_{i, Ď}_M_i gives no information on α, α0, β, β0, γ, γ0 to the adversary. Game G7: In this game, we compute again vi, ĎMi as vi, ĎMi = ˆh

r_{i, Ě}_Mi

hsi, Ě_Mi_{, instead of picking it}

at random. This game is computationally indistinguishable from the previous one under the DDH. The proof is similar to the one for G1.

Finally, we remark that this game is exactly the hybrid game i. As a consequence, each hybrid step just involves the DDH assumption.

D.3 Strong Simulation Indistinguishability

The strong simulation indistinguishability can be proven using the following sequence of games: Game G0: This is the game Exps-sim-ind-1A (K) for strong simulation indistinguishability (for b =

1) recalled in Figure 6.

Game G1: In this game, for all queries C.SCom`(τ, M ), we pick the values wi, ĎMi at random (for

all i = 1, . . . , m). With an hybrid proof, applying the w-pseudo-randomness to all simulated commitments, this game is indistinguishable from the previous one.

Game G2: In this game, for all queries C.SCom`(τ, M ), we pick vi, ĎMi at random, instead of

computing it as v_{i, Ď}_M_i = ˆhri, Ě_Mi_hsi, Ě_Mi_{. This game is indistinguishable from the previous one,}

under the DDH assumption. Indeed, given a tuple (g, ˆh, e_{i, Ď}_M_i, v0), we can set v_{i, Ď}_M_i = v0· hsi, Ě_Mi_;

and if this tuple is a DDH tuple, v_{i, Ď}_M_i is computed as in the previous game, and otherwise, it is computed as in this game. Notice that the discrete logarithm r_{i, Ď}_M_i of e_{i, Ď}_M_i is not used, which enables to use the DDH assumption.

This last game is actually exactly the game Exps-sim-ind-0A (K) for strong simulation indistin-

guishability (for b = 0) recalled in Figure 6.

D.4 Robustness

The robustness can be proven using the following sequence of games:

Game G0: This is the game ExprobustA (K) for robustness recalled in Figure 6.

Game G1: In this game, we answer all queries C.SCom`(τ, M ) by C.Com`(M ). In other words,

we replace all simulated commitments by normal ones. This game is indistinguishable from the previous one thanks to the strong simulation indistinguishability.

Game G2: In this game, we generate h as h ← gaand ˆh ← gˆa, with a, ˆa $

← Zp. This modification

is purely syntactical and this game is perfectly indistinguishable from the previous one. Game G3: In this game, we remark that if C.IsBinding`(τ, C, M ) returns 0, and if M

← C.Ext`(τ, C), then there exists i = i∗ such that:

wi∗_,b = eα+ξα 0 i∗_,b · u β+ξβ0 i∗_,b · v γ+ξγ0 i∗_,b for b = 0, 1.

And so, we abort the game if vi∗_,b 6= ua

i∗_,b· ea_iˆ∗_,b for b = 0 or b = 1. This game is statistically

indistinguishable from the previous one. The proof is similar to the one for G4 in the proof

for w-pseudo-randomness in Section D.2.

In this last game, we finally remark that vi∗_,0· v_i∗_,1/(ea_iˆ∗_,0· e_iaˆ∗_,1) = ua_i∗_,0 · ua_i∗_,1 = ht. So if an

adversary breaks this last game, we can break the CDH for the tuple (g, h, T ), by not doing this last check vi∗_,b 6= ua

i∗_,b· eˆa_i∗_,b(and so not knowing the discrete logarithm a of h) and simply

returning vi∗_,0· v_i∗_,1/(e_iaˆ∗_,0· eˆa_i∗_,0) as a candidate CDH value (recall that the discrete logarithm

t of T is no more used, while the discrete logarithm a of h is just used to abort the game).

D.5 Strong Pseudo-Randomness

To prove the strong pseudo-randomness, we use the following sequence of games: Game G0: This game is the experiment Exp

c-s-ps-rand-0

A .

Game G1: In this game, before computing H0, we compute M0 ← C.Ext` 0

(τ, C0) and we abort if C.IsBinding`0(τ, C0, M0) = 0.

This game is indistinguishable from the previous one thanks to the robustness. Game G2: In this game, if M0 6= M , we replace H0 by a random value.

This game is indistinguishable from the previous one thanks to the smoothness of the SPHF, the fact that if M0 6= M and C.IsBinding`0(τ, C0, M0) = 1, then (`0, C0) /∈ L(crs,M ), and the fact

that H could have been computed as follows: δ ← C.Open`(eqk, C, M ) and H ← ProjHash(hp, (crs, M ), (`, C), δ).

Game G3: In this game, we replace (C, eqk) $

← C.Sim`(τ ) by C ← C.Com$ `(M00) for some arbitrary M00 6= M . This game is indistinguishable thanks to strong simulation indistinguishability (since eqk is not used, C.Sim could have been replaced by C.SCom with a M00 as message).

Game G4: In this game, when M0 6= M , we replace H by a random value.

This game is indistinguishable from the previous one thanks to the smoothness of the SPHF, and the fact that M00 6= M , C.IsBinding`(τ, C, M00) = 1 (since C is a real commitment to M00) and so, that (`, C) /∈ L(crs,M ).

Notice that we could not have done this if M0 = M , since, in this case, we still need to use hk to compute the hash value H0 of C0. We are handling this (tricky) case in the following games.

Game G5: Let C = (ei,b, ui,b, vi,b, wi,b)i,b. In this game, we compute vi, ĚM00

i as vi, ĚMi00 = ˆh r_{i, Ę}_{M 00}

i h s_{i, Ę}_{M 00}

instead of picking it at random in G, for all i. This game is indistinguishable from the previous one, under the DDH assumption. Indeed, given a tuple (g, ˆh, e_{i, Ě}_M00

i, v

0_{), we can set v}

i, ĚM_i00 =

v0· hsi, ĘM 00_i _{; and if this tuple is a DDH tuple, v} i, ĚM00

i is computed as in this game, and otherwise,

it is computed as in the previous game. Notice that the discrete logarithm r_{i, Ě}_M00

i of ei, ĚM 00 i is

not used, which enables to use the DDH assumption.

Game G6: In this game, we replace H by a random value, in the case M0 = M . So now H will

be completely random, in all cases (since it was already the case when M0 6= M ). Let C = (ei,b, ui,b, vi,b, wi,b)i,b and C0 = (e0i,b, u

0 i,b, v

0 i,b, w

i,b)i,b. And let ξ = H(`, (ei,b, ui,b, vi,b)i,b)

and ξ0 = H(`0, (e0_i,b, u_i,b0 , v_i,b0 )i,b). Finally, we write ri,b0 = log e 0

i,b and s 0

i,b = log u 0

i,b for all i, b, log

being the discrete logarithm in base g. There are two cases: 1. for all i, v0_i,M_i = ˆhr0i,Mi · hs

i,Mi_{. In this case, since C}0 _{extracts to M , this means that}

w0_i,M i = (e 0α+ξ0_α0 i,Mi · u 0β+ξ0_β0 i,Mi · v 0γ+ξ0_γ0 i,Mi ),

and so from the definition of c and d, we have that:

w_i,M0 _i = (cr0i,Mi _{· d}s 0 i,Mi_{) · (c}0r 0 i,Mi _{· d}0s 0 i,Mi₎ξ_.

This means that (`0, C0) ∈ L(crs,M ), and its hash value H0 could be computed knowing only

hp, (r0_i,M_i)i and (s0i,Mi)i. Therefore, the hash value H of C looks random by smoothness.

2. for some i, v_i,M0

i 6= ˆh

r_i,Mi0 _{· h}s0_i,Mi

. Then since vi,Mi = ˆh

r_i,Mi _{· h}s_i,Mi_{, for the KV-SPHF (in}

Section D.1) the rows of the matrix Γ in Equation 1 (page 34) and the two following vectors

(ei,Mi, e ξ

i,Mi, ui,Mi, u ξ

i,Mi, vi,Mi, wi,Mi)

(e0_i,M i, e 0ξ0 i,Mi, u 0 i,Mi, u 0ξ0 i,Mi, v 0 i,Mi, w 0 i,Mi)

are independent. Then, even given access to the hash value H0 of C0 and the projection key hp, the hash value H of C looks perfectly random.

The following games are just undoing the modifications we have done, but keeping H picked at random

Game G7: Let C = (ei,b, ui,b, vi,b, wi,b)i,b. In this game, we pick vi, ĚM00

i at random, instead of

computing it as v_{i, Ě}_M00 i = ˆh

i, ĘM 00_i_hsi, ĘM 00_i _{, for all i. This game is indistinguishable from the previous}

one, under the DDH assumption. Indeed, given a tuple (g, ˆh, e_{i, Ě}_M00 i, v

0_{), we can set v} i, ĚM00

v0· hsi, ĘM 00_i _{; and if this tuple is a DDH tuple, v}

i, ĚM_i00 is computed as in the previous game, and

otherwise, it is computed as in this game. Notice that the discrete logarithm r_{i, Ě}_M00

i of ei, ĚM 00 i is

not used, which enables to use the DDH assumption.

Game G8: In this game, we now compute C as originally using C.Sim. This game is indistin-

guishable thanks to strong simulation indistinguishability.

Game G9: In this game, if M0 6= M , we compute H0 as originally (as the hash value of C0).

This game is indistinguishable from the previous one thanks to the smoothness of the SPHF, and the fact that if M0 6= M and C.IsBinding`0(τ, C0, M0) = 1, then (`0, C0) /∈ L(crs,M ).

Game G10: In this game, we do not extract M0 from C0nor abort when C.IsBinding`(τ, C, M0) =

0. Thanks to the robustness, this game is indistinguishable from the previous one. We remark that this game is exactly the experiment Expc-s-ps-rand-1_A .

In document Removing Erasures with Explainable Hash Proof Systems (Page 34-41)