In this section we present our adaptively-secure NICOM scheme COM, implemented by
protocolπCOM. The protocolπCOM(described in Fig.12) is universally composable and securely realizes the functionalityFCOM (described in Fig.3) in thecrsmodel under ORO assumption and Discrete Log (over a groupG) assumption. Later in this section,
we demonstrate a protocolπCRSto generate an instance of the Discrete Log problem, as
thecrs, in 4 rounds. Once thecrsis generated, it can be used for subsequent instances of COM. Ourcrsgeneration algorithm is independent of the parties’ inputs and hence it is adaptively-secure, rendering the whole protocol adaptively-secure under the ORO assumption. Our protocol is also secure in the Global Random Oracle model [CJS14] since we generate the localcrswithin the protocol, usingπCRS.
8.1 Protocol Overview
We build upon the commitment scheme of Pedersen [Ped91], that relies on hardness of Discrete Log problem. The Pedersen commitment inherently supports equivocation as the message is statistically hidden in their case. However, for UC security the simulator, acting on behalf ofR, has to extract the message, of a corruptedS∗, from the commit- ment. Our first approach was to apply an observable RO, i.e.FRO1:{0,1}poly(κ)→Zp, on the message being committed, i.e.FRO1(sid||m), and then commit the response of
the ORO query in the Pedersen commitment. This would allow the simulator to ob- serve the queries and obtain candidate message values. However, the simulator cannot uniquely identify the message committed. It is necessary to extract the randomness, say r1, used in the commit phase so that the simulator can match the (message, randomness) with the commitment value. We achieve this by enforcingSto bind tor1using a second ORO, i.e.FRO2 : {0,1}κ×
Zp → {0,1}κ.Scommits tor1by means of the query
FRO2(sid||r1). The hardness of the Discrete Log Problem ensures that a corruptedS∗
is unable construct more than one such (message, randomness) pair that matches the Pedersen commitment.
However, the above technique demands binding tor1using RO which in turn pre- vents equivocation by simulator, acting on behalf ofS. In order to restore the equivocal property,Sis required to padFRO2(sid||r1)with fresh randomnessr2. This allows the simulator to equivocate the commitments by equivocating the first part of the commit- mentc1 (Pedersen commitment on the message) separately, fixingr1to a new value. Now, the second part of the commitmentc2can be equivocated by usingr1and setting r2accordingly.
Fig. 12: Non-Interactive UC-Secure Commitment Scheme COM
πCOM
– Public Inputs: The generator of groupGisg.crs:(g, h)s.t.g=gandh=gx. – Functionalities:Random OraclesFRO1:{0,1}poly(κ)→ZpandFRO2:Zp→ {0,1}κ
denote two random oracles.
– Private Inputs: Shas input messagemandRdoes not have any input.
Commit Phase:
On receiving input(COMMIT,sid, m)Sperforms the following: – Computesa=FRO1(sid||m).
– Samplesr1, r2 ←R Zpand forms COM(m;r1, r2) = (gahr1mod p,FRO2(sid||r1)⊕
r2) = (c1, c2).
– Sends COM(m;r1, r2)toRas commitment tom.
Decommitment Phase:
On receiving input(DECOMMIT,sid),Ssends(m, r1, r2)toR.Rperforms canonical veri-
fication of COMusing(m, r1, r2)and outputsACCEPTif verification succeeds, else outputs
REJECT.
8.2 Static Security
We show that our non-interactive commitment scheme COM is secure against static active adversaries and securely realizes the functionalityFCOM in the UC model by
proving theorem9.
Theorem 9. IfFRO1andFRO2are observable random oracles and solving the Discrete Log Problem is hard in multiplicative groupG, thenπCOM UC-securely realizes the
FCOMfunctionality in thecrsmodel against static active adversaries.
Proof. Our proof is in thecrsmodel where it is assumed thatSimknows the trapdoor xs.t.h=gxfor thecrs−(g;h). The proof proceeds in two cases - first, whereAdv corruptsR∗and second, where theAdvcorruptsS∗.
R∗is corrupted: AdvcorruptsR∗in the real world,SimcorruptsR∗in the ideal world andAdvIntcorruptsR∗in the internal execution. During the commit phase,Simcom-
mits to a random messagem0 using(r01, r20)as randomness, thereby computing COM, similar to an honest sender and sends COM(m0;r01, r02)toAdvInt.Simfurther invokes
FCOM on behalf of R∗ to obtain the message(RECEIPT,sid,S,R). In the decommit
phase,SiminvokesFCOM to obtain the message(DECOMMIT,sid, m). On obtaining
the committed messagem,Simprovides randomness(r1, r2)s.t. COMdecommits to m. The randomness(r1, r2)is computed bySimas follows:
– Leta=FRO1(sid||m)anda0=FRO1(sid||m0).
– The trapdoorxis known toSim.Simgenerates (r1, r2)s.t the values of(c1, c2)
solving equations5and6:
gahr1mod p=ga0hr01mod p =⇒ga+r1xmod p=ga0+r10xmod p =⇒a+r1x=a0+r01x
=⇒r1= (a0−a+r10x)x−1 (5)
FRO2(sid||r1)⊕r2=FRO2(sid||r01)⊕r
0
2
=⇒r2=FRO2(sid||r01)⊕r20 ⊕ FRO2(sid||r1) (6) Simprovides(m, r1, r2), as opening to the commitment COM, toAdvInt.
At the end of the protocol,AdvIntsends its view toSim.Simforwards the view toZ
who halts with an output.
Indistinguishbaility : We show that the real world view ofZ is indistinguishable from the ideal world view by showing that the following two hybrids are statistically indistinguishable.
– HYBR:Real world execution of the protocol.
– HYBI :Same asHYBR, except that,Simcommits to a random message m0 us- ing(r01, r02)as randomness and opens tomin the decommit phase using different randomness(r1, r2).HYBI corresponds to the ideal world view of Z. It follow from Eq.5and6that the committed message remains statistically hidden in COM. Hence,∀m, m0, r10, r20,Simcan always find a consistent pair of randomness(r1, r2) s.t the commitment opens tom, providedSimknows the trapdoor valuex. This proves statistical indistinguishability of the two worlds.
S∗is corrupted: AdvcorruptsS∗in the real world,SimcorruptsS∗in the ideal world andAdvIntcorruptsS∗in the internal execution.Simemulates the role of an honestR
againstAdvIntin the internal execution.Simplays the role ofS∗inFCOM. During the
commit phase,Simobtains the commitment COM(m)fromAdvIntin the internal exe-
cution. He observes the random oracle queries (bothFRO1andFRO2) made byAdvInt
and tries to extract the committed messagem.Simaborts if it fails to extract the mes- sage. Let us assume thatAdvIntmakessrandom oracle queries during the commit phase
andSimrecords them as(q1, q2, . . . , qs). We denote a(qi, qj)pair as valid, ifqi was queried toFRO1,qjwas queried toFRO2and the following holds:
gFRO1(sid||qi)hqj mod p=c1. (7)
where COM(m) = (c1, c2)is received fromAdvIntbySim.Simruns over all pos-
sible pairs of (qi, qj)to find the valid pair(s). Based on the number of valid pair(s) discovered,Simperforms the following :
– If there does not exist any valid pair then Sim samples m0 ←R G and sends (COMMIT,sid, m0)toFCOM.
– If there exists a unique valid (qi, qj)pair then Sim sends (COMMIT,sid, qi)to
FCOM.
– If there exists more than one valid pair thenSimsamplesm0 ←R Gand sends (COMMIT,sid, m0)toFCOM.
In the decommitment phase,AdvIntsends(m, r1, r2)toSim.Simverifies the commit-
ment and aborts if verification fails in the internal execution. Whereas,Simaborts in the ideal world as well as inFCOMif the following holds:
– Case 1:If there was no valid pair.
– Case 2:If there was one valid(qi, qj)pair, andqi6=m. – Case 3:If there exists more than one valid pair.
If none of the above conditions hold, thenSimhas an unique valid(qi, qj)pair, s.t. qi =mandqj =r1. He sends(DECOMMIT,sid)toFCOM to complete simulation of
FCOM. At the end of the protocol,AdvIntsends its view toSim.Simforwards the view
toZwho halts with an output.
Indistinguishability : We show that the real world view ofZis indistinguishable from the ideal world view by showing that the following two hybrids are computationally indistinguishable.
– HYBR:Real world execution of the protocol.
– HYBI :It represents the ideal world execution of the protocolZ can distinguish between the two hybrids (or worlds) ifSimaborts in ideal world andFCOM, while
the honestRcompletes the protocol in real world. This occurs when the decom- mitment to COMprovided byAdvIntverifies correctly butSimfails to extract the
underlying committed message in the internal execution. This event has been cap- tured as an union of three exhaustive cases presented in the simulation. We will show that each case occurs with negligible probability:
- Case 1:This case shows thatAdvIntobtainedFRO1(sid||m)andFRO2(sid||r1)
without queryingmorr1to the random oracle during the commit phase. The random oracle assumption ensures that the query results would be random. HenceAdvIntcan guessFRO1(sid||m)(orFRO2(sid||r1)) without queryingm
(orr1) with negligible probability.
- Case 2:This case demonstrates that eitherAdvIntobtainedFRO1(sid||m)and
FRO2(sid||r1)without queryingmorr1to the random oracle during the com-
mit phase, or theAdvIntpossesses two valid pairs(qi, qj)and(m, r). The first event occurs with negligible probability as we are in the RO model. And the occurrence of the second event implies that the DLP problem can be solved by usingAdvIntas a blackbox. The adversaryAdvDLPwill obtain a challenge in-
stance(g, h) = (g, gx)from the challengerChall
DLPof the DLP game.AdvDLP
will invoke theAdvIntwhile simulating the role of an honestRin the commit-
ment scheme withcrs = (g, h).AdvDLP will observe the queries made by
fromAdvInt. Upon obtaining the decommitment,(m, r), to COM,AdvDLPwill
findxas follows:
gFRO1(sid||qi)hqj =gFRO1(sid||m)hrmod p =⇒ gFRO1(sid||qi)+qjx=gFRO1(sid||m)+rxmod p =⇒ FRO1(sid||qi) +qjx=FRO1(sid||m) +rx
=⇒ x= (FRO1(sid||qi)− FRO1(sid||m))(r−qj)−1 (8) However, we assume that the DLP problem is hard in groupGand hence this
case occurs with negligible probability.
- Case 3:This case indicates thatAdvIntobtains two or more valid pairs. This
again implies that either the DLP problem has been solved byAdvIntorAdvInt
found a collision in the random oracle queries. Let us denote two such valid pairs as(qi, qj)and(q0i, q0j). We will further split this case into two more sub- cases for analysis based on the equality of FRO1(sid||qi) and FRO1(sid||qi0) values.
i. qi6=q0i,FRO1(sid||qi) =FRO1(sid||qi0), qj =qj0: This indicates thatAdvInt
found a collision in the random oracle queries asqi 6=qi0. However, this event occurs with negligible probability as we are in the random oracle model.
ii. qi 6=qi0,FRO1(sid||qi)6=FRO1(sid||q0i), qj 6=q0j: In this case,AdvIntcan
be used as blackbox by AdvDLP to solve the DLP problem.AdvDLP will
invoke theAdvIntwhile simulating the role of an honestRin the commit-
ment scheme withcrs = (g, h).AdvDLP will observe the queries made
by AdvInt to obtain two valid pairs (qi, qj)and(qi0, q0j)s.t. qi 6= qi0 and qj6=q0j.AdvDLPsolves the DLP problem by findingxas follows:
gFRO1(sid||qi)hqj =gFRO1(sid||q0i)hq
0
j mod p
=⇒ gFRO1(sid||qi)+qjx=gFRO1(sid||q0i)+q
0
jxmod p
=⇒ FRO1(sid||qi) +qjx=FRO1(sid||qi0) +qj0x
=⇒ x= (FRO1(sid||qi)− FRO1(sid||q0i))(q0j−qj)−1 (9) However, we assume that the DLP problem is hard in groupGand hence
this case occurs with negligible probability.
The other two cases involve FRO1(sid||qi) = FRO1(sid||qi0), qj 6= qj0 and
FRO1(sid||qi)6=FRO1(sid||qi0), qj =q0jforqi 6=qi0. However, in these cases, it is not possible for both(qi, qj),(q0i, qj0)to be valid pairs (refer condition for valid pair in Eq7) asgFRO1(qi)hqj 6= gFRO1(q0i)hq
0
j. There maybe atmost one
valid pair, for which the analysis follows from Case 1 and 2.
8.3 Adaptive Security
Interestingly, our commitment schemeπCOM(Fig12) also satisfies the stronger security notion of adaptivity under the observable random oracle assumption in thecrssetup. We briefly discuss the proof in this section.
Theorem 10. IfFRO1 andFRO2 are observable random oracles and solving the Dis- crete Log Problem is hard in multiplicative groupG, then protocolπCOMUC-securely realizes the FCOM functionality in thecrsmodel against adaptive active adversaries (without erasures).
Proof. To prove adaptive security, we requireSimto equivocate the views ofRand S appropriately on adaptive corruption in addition to static security. We divide our simulation into cases based on the party being corrupted:
R∗is corrupted: Rdoes not have any private input or input randomness, and so the role ofRin the protocol is restricted to verifying the commitments upon obtaining the message (m) and randomness (r1andr2) during the decommitment phase. WhenAdvInt
corruptsR∗at any stage, i.e. commit phase, decommitment phase or post execution of the protocol,Simreturns a random tape as the internal randomness ofR∗.
S∗ is corrupted: Simclosely imitates the role of the simulator for static corruption whenS∗ gets corrupted adaptively. IfAdvIntcorruptsS∗ in the beginning of the pro-
tocol or before the commitment is sent,Simreturns a random tape as the internal ran- domness ofS∗. IfAdvIntcorruptsS∗after the commitment is sent, i.e. in decommit-
ment phase or post execution, thenSimneeds to equivocate.Siminitially commits to a dummy messagem0and upon corruption ofS∗,Simobtains messagemand success- fully equivocates the commitment to open tomusing randomness(r1, r2)(computed as described in the proof of Theorem9).Zcannot distinguish between the commitment tom0 and commitment to the actual value due to the statistical hiding property of the scheme. Equivocation follows from the equivocal property as proven for the static case.
8.4 Generation ofcrsusing Observable Random Oracle
For our protocol πCOM, the involved parties require acrs of the form (g, h), where h =gx. Also, the simulator should have the knowledge of the trapdoorxin order to perform simulation. Thecrscan be trivially generated if we assume a PRO. The par- ties can generate thecrsasFRO(sid||“com”).Simsamplesxand programs the RO to
return(g, h)s.t.h=gx. This preserves adaptive security ofπ
COMwhen thecrsgen-
eration algorithm is included as part ofπCOM. However we are interested in generating
thecrswithout relying on the programmability of the RO. This can be achieved by exe- cuting a 2PC protocolπCRS(Fig.13) relying solely on the observability property of the
RO. Once thecrsis generated it can be reused for subsequent commitments between the parties. By generating thecrsas part of the protocol it can be concluded that our commitment scheme is adaptively secure in the Global Random Oracle model. Intuition: OurπCRSprotocol proceeds in two phases - coin tossing and zero knowl- edge proof of knowledge (ZKPoK). The parties perform coin tossing to generate ran- dom shareshSandhR. These shares are then used to obtainh=hS.hR. Once the coin tossing is performed, they engage in ZKPoK in order to prove the knowledge of trap- doors to their respective shares, i.e.hS andhR respectively. The ZKPoK enables the
Fig. 13: Generatingcrs= (g, h)forπCOMusingFRO
πCRS – Public Inputs:The generator of groupGisg.
– Functionality: Random oracleFRO:{0,1}poly(κ)→ {0,1}κ. – Private Inputs: The parties do not have any input.
Coin Tossing: – Round 1:
- SsamplesxS←RZp, computeshS=gxSmod p and sendsFRO(sid||hS)toR. - RsamplesxR←RZp, computeshR=gxRmod p and sendsFRO(sid||hR)toS. – Round 2:
- SsendshStoR. - RsendshRtoS. – Computation:
- SverifiesFRO(sid||hR)and computesh=hS.hRmod p, else aborts. - RverifiesFRO(sid||hS)and computesh=hS.hRmod p, else aborts. Zero Knowledge Proof of Knowledge:
SandRperform the following steps in parallel with their roles interchanged. – Round 1:
- Rsamples a challenge stringc←R{0,1}νand sendsFRO(sid||c)toS. – Round 2:
- Scomputesνgarbled circuits, by samplingseedi←R{0,1}κand(GCi,ei,di)←
Gb(PRG(seedi),C)whereCcomputesgx, fori∈[ν]. - SsendsFRO(sid||seedi),FRO(sid||GCi)andditoR. – Round 3:
- RrevealsctoS.SverifiesFRO(sid||c)and aborts if verification fails. – Round 4: (Letcidenoteithbit ofc)
- Ifci= 0, thenGCiis a check circuit andSsendsseeditoR.
- Ifci= 1, thenGCiis an evaluation circuit andSsendsX=En(xS,ei)toR. – Computation:
- Rverifies the check circuitGCiasVe(C,GCi,ei), ifci= 0, else he aborts. - Rcomputesy=De(Ev(GCi,X)), ifci= 1, and aborts ify6=hS. - Rstores(g, h)as thecrs.
to(g, h). Our coin tossing protocol requires 2 rounds and ZKPoK consumes 4 rounds. However, the first 2 rounds of the ZKPoK can be parallelized with the coin tossing pro- tocol, thus yielding a 4 round protocol forcrsgeneration. The coin tossing is performed using the random oracle and the ZKPoK is performed by plugging a simplified ZK ver- sion of [HV16] which uses garbled circuits and random oracle only. Note that we need a ZKPoK protocol which can be implemented using an ORO and without relying on any other setup assumption. This rules out the possibilities of using efficient ZKPoK protocol of [JKO13] since it uses an OT, which would further require other setup as- sumptions. However, the interactive ZKPoK variants of “MPC-in-the-head” protocols [GMO16,AHIV17] also suffices for our purpose.
Static Security: We prove thatπCRSgeneratescrsin the presence of static active ad- versaries. Since our protocol is symmetric, we consider the case whereS∗is corrupted