The ideal/real simulation paradigm provides a conceptually simple framework to understand certain security properties, namely when considering a hybrid model with access to ideal functionalities. For example, properties like extractability (X) and equivocability (Q) derive automatically from the power that a simulator gains by impersonating an ideal commitment functionality $\mathcal{F}_{\mathrm{MCOM}}$ during a simulated execution. In particular: X is a consequence of the sender in the ideal world transmitting in clear to $\mathcal{F}_{\mathrm{MCOM}}$ the value that is being committed; Q is a consequence of the receiver in the ideal world accepting whatever value the ideal $\mathcal{F}_{\mathrm{MCOM}}$ reveals.
In contrast with the above observation, this paper aims at emphasizing that a X&Q commitment scheme (for large strings) can be built from a X-but-possibly-not-Q commitment scheme and a separate Q-but-possibly-not-X commitment scheme (both for short strings and invoked only a few times). Thus, it is relevant to formally consider the notions of non-extractability and non-equivocability and directly embed them into the ideal world, namely into respective ideal commitment functionalities. These functionalities must be different from the typical ideal commitment functionality $\mathcal{F}_{\mathrm{MCOM}}$ that is simultaneously X and Q. The pertinent question is: how to formalize an ideal commitment functionality $\mathcal{F}_X$ or $\mathcal{F}_Q$ whose impersonation by a simulator does not provide the simulator with a Q or X capability, respectively, but still allows the use of the functionality in a hybrid model.
B.2 An initial attempt (using a definition with circularity)
As a step to consolidate intuition, Fig. 8 informally sketches a way in which to suppress Q or X properties from the ideal functionality. To suppress Q (in order to get $X\&\bar{Q}$), in the commit phase the ideal functionality $\mathcal{F}_{X\&\bar{Q}}$ sends a (stand-alone secure) commitment to the receiver, such that $\mathcal{F}_{X\&\bar{Q}}$ becomes bound to a single message for the later open phase, while temporarily hiding it from the receiver. To suppress X (in order to get $\bar{X}\&Q$), in the commit phase the committer does not send the message in clear text to the ideal functionality $\mathcal{F}_{\bar{X}\&Q}$, but instead sends a (stand-alone secure) commitment to the message. These ideal functionalities with suppressed properties require an internal instantiation of a commitment scheme, hereafter denoted as virtual. Thus, when questioning if a real commitment scheme $C_R$ emulates one of these ideal functionalities, it is also necessary to consider an additional virtual commitment scheme $C_V$.
When attempting a simulation, it becomes clear that $C_R$ and $C_V$ must be somehow related to each other. For example, consider a simulator ($\mathcal{S}$) acting as a sender $P_s$ in a simulated execution of a real world commitment scheme $C_R$ (intended to be extractable), trying to emulate the ideal functionality $\mathcal{F}_{X\&\bar{Q}}[C_V]$ and for that purpose acting concurrently as receiver $\hat{P}_r$ in a respective ideal world execution. In the role $\hat{P}_r$, during the commit phase $\mathcal{S}$ receives from the ideal functionality a virtual commitment (99). Then, in the simulated execution, while impersonating a real sender $P_s$, $\mathcal{S}$ relays this commitment to the black-box receiver $P_r^*$ (58), who is expecting to receive a real commitment (i.e., something produced with $C_R$). In particular, in the later open phase, when $\mathcal{S}$ (in the role of ideal receiver $\hat{P}_r$) receives the opening from the ideal functionality [...] real commitment that was previously sent to the black-box $P_r^*$. Thus, the simulation is valid only if the real and virtual commitments are indistinguishable, e.g., if they are the same. A corresponding relation (with obvious adjustments) could also be analyzed for the case of $\mathcal{F}_{\bar{X}\&Q}$.

Templates for different ideal commitment functionalities

Note: in the $X\&\bar{Q}$ and the $\bar{X}\&Q$ cases, $C_V$ is a commitment scheme (i.e., with at least computational hiding and binding properties) that requires instantiation by a real commitment scheme; nonetheless, considering that it is implemented in the ideal world, it is hereafter denoted as a virtual commitment scheme.

Ideal functionality $\mathcal{F}_{X\&Q} \equiv \mathcal{F}_{\mathrm{MCOM}(X\&Q)} \equiv \mathcal{F}_{\mathrm{MCOM}}$ of X&Q commitment scheme:
Commit phase:
(89) inputs $\to \hat{P}_s$: (commit, $\ell$, $m$)
(90) $\hat{P}_s \to \mathcal{F}_{X\&Q}$: (commit, $\ell$, $m$)
(91) $\mathcal{F}_{X\&Q} \to \hat{P}_r$: (OK, $\ell$)
Open phase:
(92) inputs $\to \hat{P}_s$: open
(93) $\hat{P}_s \to \mathcal{F}_{X\&Q}$: open
(94) $\mathcal{F}_{X\&Q} \to \hat{P}_r$: (open, $m$)
(95) $\hat{P}_r \to \mathrm{output}_r$: (open, $m$)

Template for ideal functionality $\mathcal{F}_{X\&\bar{Q}} \equiv \mathcal{F}_{\mathrm{MCOM}(X\&\bar{Q})}[C_V]$ of $X\&\bar{Q}$ commitment scheme:
Commit phase:
(96) inputs $\to \hat{P}_s$: (commit, $\ell$, $m$)
(97) $\hat{P}_s \to \mathcal{F}_{X\&\bar{Q}}$: (commit, $\ell$, $m$)
(98) $\mathcal{F}_{X\&\bar{Q}}$: $(\overline{m}, \tilde{m}) \leftarrow_{\$} C_V[m]$
(99) $\mathcal{F}_{X\&\bar{Q}} \to \hat{P}_r$: (OK, $\ell$, $\overline{m}$)
Open phase:
(100) inputs $\to \hat{P}_s$: open
(101) $\hat{P}_s \to \mathcal{F}_{X\&\bar{Q}}$: open
(102) $\mathcal{F}_{X\&\bar{Q}} \to \hat{P}_r$: (open, $m$, $\tilde{m}$)
(103) $\hat{P}_r$: $\mathrm{Verify}[C_V](\overline{m}, \tilde{m}, m)$
(104) $\hat{P}_r \to \mathrm{output}_r$: (open, $m$)

Template for ideal functionality $\mathcal{F}_{\bar{X}\&Q} \equiv \mathcal{F}_{\mathrm{MCOM}(\bar{X}\&Q)}[C_V]$ of $\bar{X}\&Q$ commitment scheme:
Commit phase:
(105) inputs $\to \hat{P}_s$: (commit, $\ell$, $m$)
(106) $\hat{P}_s$: $(\overline{m}, \tilde{m}) \leftarrow_{\$} C_V[m]$
(107) $\hat{P}_s \to \mathcal{F}_{\bar{X}\&Q}$: (commit, $\ell$, $\overline{m}$)
(108) $\mathcal{F}_{\bar{X}\&Q} \to \hat{P}_r$: (OK, $\ell$)
Open phase:
(109) inputs $\to \hat{P}_s$: open
(110) $\hat{P}_s \to \mathcal{F}_{\bar{X}\&Q}$: (open, $m$, $\tilde{m}$)
(111) $\mathcal{F}_{\bar{X}\&Q}$: $\mathrm{Verify}[C_V](\overline{m}, \tilde{m}, m)$
(112) $\mathcal{F}_{\bar{X}\&Q} \to \hat{P}_r$: (open, $m$)
(113) $\hat{P}_r \to \mathrm{output}_r$: (open, $m$)

Fig. 8. Templates for ideal commitment schemes (using succinct notation). For simplicity, the notation assumes that $C_V$ is non-interactive – it would also be possible to use interactive schemes. $\overline{m}$ denotes the public commitment to $m$ and $\tilde{m}$ the private information needed to open it. Given an implicit security parameter $1^\kappa$, it is assumed that the ideal functionality verifies that $|m| \in O(\mathrm{poly}(\kappa))$ (if verification fails then it ignores the message). For simplicity, the session identifier (sid) and the sub-session identifier (cid, for commitment identifier) are left implicit, as well as the headers containing the source and destination of messages. In the $X\&\bar{Q}$ case, $\hat{P}_r$ accepts the open phase only if the opening of the underlying virtual commitment is correct (i.e., the "Verify" operation is performed even though the ideal functionality is trusted by default) (103). In the $\bar{X}\&Q$ case, the ideal functionality proceeds with the open phase only if $\hat{P}_s$ correctly opens the underlying virtual commitment, i.e., if the respective verification is successful (111).
In spite of the circularity that arises from defining $C_V$ equal to $C_R$, the defined ideal functionalities are useful to differentiate real commitment schemes in terms of the ideal functionalities that they emulate. In particular, this enables a definition of X and Q commitment schemes, as follows.
Definition 6 (extractable commitment scheme). A real commitment scheme $C$ (by definition already hiding and binding)$^{18}$ is said to be extractable if it securely emulates the ideal $\mathcal{F}_{X\&\bar{Q}}[C]$. This is succinctly expressed in the equation below (114).

$$(C \text{ is extractable}) \equiv (\exists \mathcal{S})(\forall \mathcal{Z}, \mathcal{A})\; \mathrm{IDEAL}_{\mathcal{F}_{X\&\bar{Q}}[C],\, \mathcal{S}^{\mathcal{A}},\, \mathcal{Z}} \overset{c}{\approx} \mathrm{REAL}_{C,\, \mathcal{A},\, \mathcal{Z}} \qquad (114)$$

$^{18}$ This definition is still implicitly based on the hiding and binding notions of a commitment scheme. In the next subsection this is replaced by an ideal (virtual) functionality.
Template for ideal functionality $\mathcal{F}_{X\&\bar{Q}}[C] \equiv \mathcal{F}_{\mathrm{MCOM}(X\&\bar{Q})}[C]$

Let $C$ be a commitment scheme (i.e., at least computationally hiding and binding with respect to the implicit security parameter $1^\kappa$), with respective commit and open phases. $\mathcal{F}_{\mathrm{MCOM}(X\&\bar{Q})}[C]$ activated with session identifier sid proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $\mathcal{S}$. (Note: the suffix $[\ell]$ may be added to the notation to denote the obvious restriction to commitments of bit-strings of length $\ell$.)

1. Commit phase. Upon receiving a message (commit, sid, cid, $P_s$, $P_r$, $(\ell, m)$) from $P_s$ (the sender), if $\ell \in O(\mathrm{poly}(\kappa))$, $m \in \{0,1\}^\ell$ and $s, r \in [n]$, then: compute a commitment of $m$ as $(\overline{m}, \tilde{m}) \leftarrow_{\$} C[m]$, where $\overline{m}$ is the public commitment and $\tilde{m}$ is the respective private information needed for opening; then record the tuple (cid, $P_s$, $P_r$, $(m, \tilde{m})$), send the message (receipt, sid, cid, $P_s$, $P_r$, $\ell$, $\overline{m}$) to $P_r$ (the receiver) and $\mathcal{S}$, and ignore subsequent messages with header (commit, sid, cid, $P_s$, $P_r$, ...); otherwise ignore the message.

2. Open phase. Upon receiving message (open, sid, cid, $P_s$, $P_r$) from $P_s$: if for some $m$ a tuple (cid, $P_s$, $P_r$, $(m, \tilde{m})$) has been recorded, then send the message (open, sid, cid, $P_s$, $P_r$, $(m, \tilde{m})$) to $P_r$ and $\mathcal{S}$ and ignore any subsequent messages with identifiers (..., sid, cid, $P_s$, $P_r$, ...); otherwise ignore the message.

3. Abort. Upon receiving a message (abort, sid, cid, $P_s$, $P_r$) from $P_s$ or $P_r$, ignore any subsequent messages with identifiers (..., sid, cid, $P_s$, $P_r$, ...).

Fig. 9. Ideal functionality – multiple bit-string commitments X-but-not-Q
For example, consider a real X commitment scheme, where a setup phase endows the simulator with a trapdoor that enables extraction directly from the commitments received in the commit phase. The emulation is straightforward:
– Simulator for malicious $P_s^*$ (simulator can extract).
  • Commit phase. The extractor-simulator $\mathcal{S}_X$ (in the role of $P_r$ in the simulated execution) receives from $P_s^*$ a (real) commitment (58). Then it uses its power (in this example the trapdoor) to extract the committed value. Then, in the role of $\hat{P}_s^*$ in the ideal world, it sends the extracted value to $\mathcal{F}_{X\&\bar{Q}}$ (97) – this is similar to what would happen if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (90).
  • Open phase. If $P_s^*$ in the simulated execution successfully opens the previously extracted value (59), then $\mathcal{S}_X$ asks $\mathcal{F}_{X\&\bar{Q}}$ to open the commitment (101) – this is similar to what would happen if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (93). Otherwise, if $P_s^*$ aborts without opening, then $\mathcal{S}_X$ emulates an abort.
– Simulator for malicious $P_r^*$ (simulator cannot equivocate).
  • Commit phase. In the ideal world, after $\hat{P}_s$ interacts with $\mathcal{F}_{X\&\bar{Q}}$ to commit a value, the simulator ($\mathcal{S}$) in the role of $\hat{P}_r^*$ receives from $\mathcal{F}_{X\&\bar{Q}}$ a (virtual) commitment (99) – compare this against the simple "OK" receipt that would have been received if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (91). Then, $\mathcal{S}$ in the role of $P_s$ in the simulated execution sends the commitment to the malicious $P_r^*$ (58).
  • Open phase. In the ideal world, $\mathcal{S}$ receives from $\mathcal{F}_{X\&\bar{Q}}$ the opening of the value (102) and verifies its correctness (103) – compare this against simply receiving the value and trusting its correctness, as would happen if using the usual [...] the malicious $P_r^*$ (59). $\mathcal{S}$ outputs in the end whatever the simulated $P_r^*$ outputs, including a possible early abort.

Template for ideal functionality $\mathcal{F}_{\bar{X}\&Q}[C] \equiv \mathcal{F}_{\mathrm{MCOM}(\bar{X}\&Q)}[C]$

Let $C$ be a commitment scheme (i.e., at least computationally hiding and binding with respect to the implicit security parameter $1^\kappa$), with respective commit and open phases. $\mathcal{F}_{\mathrm{MCOM}(\bar{X}\&Q)}[C]$ activated with session identifier sid proceeds as follows, running with parties $P_1, \ldots, P_n$, an adversary $\mathcal{S}$, and a computational security parameter $1^\kappa$. (Note: the suffix $[\ell]$ may be added to the notation to denote the obvious restriction to commitments of bit-strings of length $\ell$.)

1. Commit phase. Upon receiving a message (commit, sid, cid, $P_s$, $P_r$, $(\ell, \overline{m})$) from $P_s$ (the sender), if $\ell \in O(\mathrm{poly}(\kappa))$, $\overline{m}$ is in the image set of commitments of messages of size $\ell$, and $s, r \in [n]$, then record the tuple (cid, $P_s$, $P_r$, $(\ell, \overline{m})$), send the message (receipt, sid, cid, $P_s$, $P_r$, $\ell$) to $P_r$ (the receiver) and $\mathcal{S}$, and ignore subsequent messages with header (commit, sid, cid, $P_s$, $P_r$, ...); otherwise ignore the message.

2. Open phase. Upon receiving message (open, sid, cid, $P_s$, $P_r$, $(m, \tilde{m})$) from $P_s$: if for some $\ell$ and $\overline{m}$ a tuple (cid, $P_s$, $P_r$, $\ell$, $\overline{m}$) has been recorded, then: verify $C.\mathrm{Verify}[1^\kappa](\overline{m}, \tilde{m}, m)$ (i.e., that the commitment and opening sent by $P_s$ are consistent with the commitment scheme, the security parameter and the allowed length); then send the message (open, sid, cid, $P_s$, $P_r$, $m$) to $P_r$ and $\mathcal{S}$ and ignore any subsequent messages with identifiers (..., sid, cid, $P_s$, $P_r$, ...); otherwise ignore the message.

3. Abort. Upon receiving a message (abort, sid, cid, $P_s$, $P_r$) from $P_s$ or $P_r$, ignore any subsequent messages with identifiers (..., sid, cid, $P_s$, $P_r$, ...).

Fig. 10. Ideal functionality for multiple bit-string commitments not-X-but-Q
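As an added illustration (not code from the paper), the following Python sketch instantiates the two templates of Fig. 9 and Fig. 10, with a salted-hash commitment standing in for the scheme $C$ (an assumption made here so that it runs; it is binding by collision resistance and hiding in the random-oracle model) and with sid and party identifiers left implicit as in Fig. 8. It shows where each suppressed property lives: the X-but-not-Q functionality receives $m$ in clear but is bound by the commitment it sends at (99), while the not-X-but-Q functionality never sees $m$ before the open phase and releases it only after the check at (111).

```python
import hashlib
import os
# Assumption for illustration: a salted-hash commitment stands in for the
# scheme C of Figs. 9 and 10; commit yields (public commitment, private opening).
def c_commit(m):
    r = os.urandom(32)
    return hashlib.sha256(r + m).digest(), r

def c_verify(m_pub, m_priv, m):
    return hashlib.sha256(m_priv + m).digest() == m_pub

class FXnotQ:
    """Fig. 9, F_MCOM(X&notQ)[C]: P_s hands m over in clear (extractable), but
    F commits to m itself and sends that commitment at (99), so F is bound."""
    def __init__(self):
        self.records = {}                      # cid -> (m, m_priv)
    def commit(self, cid, m):
        if cid in self.records: return None    # repeated cid: ignore
        m_pub, m_priv = c_commit(m)
        self.records[cid] = (m, m_priv)
        return ("receipt", cid, len(m), m_pub) # to P_r and S
    def open(self, cid):
        if cid not in self.records: return None
        m, m_priv = self.records[cid]
        return ("open", cid, m, m_priv)        # (102); P_r still verifies

def receiver_check(receipt, opening):
    """P_r's check (103): accept m only if the opening matches the commitment."""
    _, cid, ell, m_pub = receipt
    _, cid2, m, m_priv = opening
    if cid != cid2 or len(m) != ell or not c_verify(m_pub, m_priv, m):
        return None
    return m

class FnotXQ:
    """Fig. 10, F_MCOM(notX&Q)[C]: P_s sends only a commitment, so F learns
    nothing about m before the open phase and releases m only after (111)."""
    def __init__(self):
        self.records = {}                      # cid -> (ell, m_pub)
    def commit(self, cid, ell, m_pub):
        if cid in self.records: return None
        self.records[cid] = (ell, m_pub)
        return ("receipt", cid, ell)           # (108): only the length
    def open(self, cid, m, m_priv):
        if cid not in self.records: return None
        ell, m_pub = self.records[cid]
        if len(m) != ell or not c_verify(m_pub, m_priv, m):
            return None                        # (111) fails: ignore
        return ("open", cid, m)                # (112)
```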
Below is the corresponding analysis (with obvious adjustments) for the $\bar{X}\&Q$ case.
Definition 7 (equivocable commitment scheme). A real commitment scheme $C$ (by definition already hiding and binding) is said to be equivocable if it securely emulates the ideal $\mathcal{F}_{\bar{X}\&Q}[C]$. This is succinctly expressed in the equation below (115).

$$(C \text{ is equivocable}) \equiv (\exists \mathcal{S})(\forall \mathcal{Z}, \mathcal{A})\; \mathrm{IDEAL}_{\mathcal{F}_{\bar{X}\&Q}[C],\, \mathcal{S}^{\mathcal{A}},\, \mathcal{Z}} \overset{c}{\approx} \mathrm{REAL}_{C,\, \mathcal{A},\, \mathcal{Z}} \qquad (115)$$

For example, consider a real Q commitment scheme, where a setup phase endows the simulator with a trapdoor that enables equivocation directly in the open phase. The emulation is straightforward:
– Simulator for malicious $P_s^*$ (simulator cannot extract).
  • Commit phase. The simulator ($\mathcal{S}$) in the role of receiver $P_r$ in the simulated execution receives a commitment from $P_s^*$ (58). Then, in the role of sender $\hat{P}_s^*$ in the ideal world, $\mathcal{S}$ relays the commitment to $\mathcal{F}_{\bar{X}\&Q}$ (107) – compare against simply revealing the value, as would happen if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (90).
  • Open phase. If the sender $P_s^*$ in the simulated execution successfully opens the committed value (59), which requires a successful verification (60), then $\mathcal{S}$ in the ideal world sends the same opening to $\mathcal{F}_{\bar{X}\&Q}$ (110) – compare against simply asking the usual $\mathcal{F}_{\mathrm{MCOM}}$ to open the previously learned value (93). Otherwise, if $P_s^*$ aborts without opening, then $\mathcal{S}$ emulates an abort in the ideal world.
– Simulator for malicious $P_r^*$ (simulator can equivocate).
  • Commit phase. The equivocator-simulator ($\mathcal{S}_Q$) in the role of sender $\hat{P}_s^*$ in the ideal world receives from $\mathcal{F}_{\bar{X}\&Q}$ a receipt that a value has been committed (108) – this is similar to what would happen if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (91). Then, $\mathcal{S}_Q$ in the role of $P_s$ in the simulated execution computes a commitment to a random message (of adequate length) and sends it to $P_r^*$ (59).
  • Open phase. $\mathcal{S}_Q$ in the ideal world receives the value in clear from $\mathcal{F}_{\bar{X}\&Q}$ (112) – this is similar to what would happen if using the usual $\mathcal{F}_{\mathrm{MCOM}}$ (94). Then, $\mathcal{S}_Q$ in the simulated execution uses its equivocation power (in this example the trapdoor) to open such value to the malicious $P_r^*$ (59). $\mathcal{S}$ outputs in the ideal world whatever $P_r^*$ outputs in the simulated execution.
Remark (length of committed values). A subtle alternative for a $\bar{X}\&Q$ commitment scheme is to have the length $\ell$ not be revealed to the receiver during the commit phase (108), but only in the open phase. By revealing it directly in the commit phase, this definition becomes closer (in this aspect) to the ideal X&Q commitment functionality, for which (in the UC framework, where rewinding is not possible) the X property requires that the commit phase reveals some information about the length of the committed value.
Remark (separable X and Q). The suppression of properties is defined in the ideal world, not in the real world. Thus, a particular real commitment scheme $C$ that emulates $\mathcal{F}_{X\&\bar{Q}}[C_X]$ (i.e., which by definition is extractable) might also emulate $\mathcal{F}_{\bar{X}\&Q}[C_X]$ (i.e., it might also be equivocable), and vice-versa. In particular, a commitment scheme $C_{XQ}$ that by definition is X&Q, i.e., one that emulates $\mathcal{F}_{\mathrm{MCOM}} \equiv \mathcal{F}_{X\&Q}$, is simultaneously (as expected) both extractable and equivocable, as it respectively emulates $\mathcal{F}_{X\&\bar{Q}}[C_{XQ}]$ and $\mathcal{F}_{\bar{X}\&Q}[C_{XQ}]$. Conversely (and also as intuitively expected), there are extractable commitment schemes and equivocable commitment schemes that are not simultaneously extractable-and-equivocable, i.e., that do not securely-emulate $\mathcal{F}_{X\&Q}$.
Remark (hiding and binding properties). Definitions 6 and 7 would make sense per se if the expression "real commitment" in the preamble were omitted, i.e., they would make sense beyond the scope of commitment schemes. For example, a two-phase scheme where both "commit" and "open" phases correspond to $P_s$ sending the value in clear to $P_r$ (and $P_r$ then simply verifying that the values are equal) is extractable and binding, but is not a commitment scheme because it is not hiding (and for that reason also not equivocable). Similarly, a two-phase scheme where the "commit" phase corresponds to $P_s$ simply informing that a value is committed (but without actually sending anything else), and the "open" phase corresponds to $P_s$ simply sending the value (and $P_r$ simply accepting it), is hiding and equivocable, but is not a commitment scheme because it is not binding (and for that reason also not extractable). For these reasons it is mandatory to explicitly enforce that the X schemes and Q schemes are indeed commitment schemes. It is interesting to notice that equivocability of the open phase implies that the commit phase is hiding and the opening phase is revealing; correspondingly, extractability of the commit phase implies binding. In other words, the combination of X-and-Q implies that a scheme is indeed a commitment scheme (i.e., hiding and binding).