## Multi-trapdoor Commitments and their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-middle Attacks (2004)

Venue: Advances in Cryptology – proc. of CRYPTO ’04, LNCS 3152

Citations: 18 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Gennaro04multi-trapdoorcommitments,
  author    = {Rosario Gennaro},
  title     = {Multi-trapdoor Commitments and their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-middle Attacks},
  booktitle = {Advances in Cryptology – proc. of CRYPTO ’04, LNCS 3152},
  year      = {2004},
  pages     = {220--236},
  publisher = {Springer-Verlag}
}
```

### Abstract

We introduce the notion of multi-trapdoor commitments, which is a stronger form of trapdoor commitment scheme. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, based on the Strong RSA Assumption and the recently introduced Strong Diffie-Hellman Assumption.

### Citations

3164 | A method for obtaining digital signatures and public key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation context: ... function of $N$, i.e. $\varphi(N) = (p-1)(q-1)$. With $\mathbb{Z}_N^*$ we denote the set of integers between $0$ and $N-1$ and relatively prime to $N$. Let $e$ be an integer relatively prime to $\varphi(N)$. The RSA Assumption [38] states that it is infeasible to compute $e$-th roots in $\mathbb{Z}_N^*$, i.e. given a random element $s \in_R \mathbb{Z}_N^*$ it is hard to find $x$ such that $x^e = s \bmod N$. The Strong RSA Assumption (introduced in [4]) states that ...

1080 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
Citation context: ...concurrency. This is, however, enough to build fully concurrently secure applications like identification and deniable authentication protocols. Prior Work. Zero-knowledge protocols were introduced in [24]. The notion of proof of knowledge (already implicit in [24]) was formalized in [21, 6]. Concurrent zero-knowledge was introduced in [20]. They point out that the typical simulation paradigm to prove ...

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation context: ...signature on a message of her choice (chosen after seeing the public key). Then it is infeasible for the adversary to compute the signature of a different message. The following definition is adapted from [25]. Definition 1. $(SG, Sig, Ver)$ is a one-time secure signature if for every probabilistic polynomial time forger $F$, the following probability $\Pr[(sk, vk) \leftarrow SG(1^n);\ M \leftarrow F(vk);\ sig \leftarrow Sig(M, sk);\ F(M, s$...

692 | Public-key cryptosystems based on composite degree residuosity classes - Paillier - 1999

666 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001
Citation context: ...protocols that arbitrarily compose, not only with themselves, but with any other "secure" protocol in the environment they run in. This is the notion of universally composable security as defined by Canetti [11]. Universally composable zero-knowledge protocols are in particular concurrently non-malleable. In the common reference string model (which is necessary, as proven in [11]), a UCZK protocol for Hamilt...

618 | Efficient Signature Generation for Smart Cards
- Schnorr
Citation context: ...man-in-the-middle in a concurrent communication model. As far as we know these are the first efficient schemes that can be proven concurrently secure. For example, by using Schnorr's identification scheme [39], together with our techniques, we obtain a very efficient concurrently secure identification scheme under both the discrete log and Strong RSA Assumptions. By using the Guillou-Quisquater identification...

471 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2000
Citation context: ...security against a man-in-the-middle who may start concurrent sessions. The problem of malleability in cryptographic algorithms, and specifically in zero-knowledge proofs, was formalized by Dolev et al. in [19], where a non-malleable ZK proof with a polylogarithmic number of rounds is presented. This protocol, however, is only sequentially non-malleable, i.e. the adversary can only start sessions sequential...

408 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1992
Citation context: ...an element $e \in \mathbb{Z}_q$. The specific trapdoor $tk$ of this scheme is the value $f_e \in G$ such that $f_e^{x+e} = g$. To commit to a message $a \in \mathbb{Z}_q$ with public key $pk = e$, the sender runs Pedersen's commitment [36] with bases $g, h_e$, where $h_e = g^e h$. I.e., it selects a random $r \in \mathbb{Z}_q$ and computes $A = g^a h_e^r$. The commitment to $a$ is the value $A$. To open a commitment the sender reveals $a$ and $F = g^r$. The r...
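The scheme in this snippet, worked through in a toy group. This is an added example and not the paper's code. Beyond what the snippet states, it assumes the master trapdoor is $x$ with $h = g^x$ (so $h_e = g^{x+e}$ and $f_e = g^{1/(x+e)}$), and that the receiver accepts an opening $(a, F)$ when $(g, h_e, F, A g^{-a})$ is a DDH tuple, which the paper obtains from Gap-DDH groups built on bilinear maps. The group here is the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ and the DDH oracle is a brute-force discrete-log table, which only works because the group is tiny; the key values $x$, $e_1$, $e_2$ and the randomness are constructed.

```python
"""SDH-style multi-trapdoor commitment (Pedersen with bases g, h_e) in a toy group.

Added example, not the paper's code. ASSUMED beyond the cited snippet:
master key x with h = g^x, so h_e = g^(x+e) and f_e = g^(1/(x+e));
the receiver accepts (a, F) iff (g, h_e, F, A * g^(-a)) is a DDH tuple.
The paper uses Gap-DDH (pairing) groups for that check; here the group is
so small that brute-force discrete logs stand in for the DDH oracle.
"""

P, Q, G = 2039, 1019, 4   # p = 2q + 1 (safe prime); 4 = 2^2 generates the order-q subgroup

# Discrete-log table for the whole subgroup: feasible only because q = 1019.
# It plays the role of the gap-group DDH oracle (a pairing in a real instance).
_LOG = {pow(G, i, P): i for i in range(Q)}


def is_ddh(g_x, g_y, g_z):
    """True iff g_z == g^(x*y), i.e. (g, g_x, g_y, g_z) is a DDH tuple."""
    return _LOG[g_z] == (_LOG[g_x] * _LOG[g_y]) % Q


class MasterKey:
    """Master trapdoor x; per-key public value h_e and specific trapdoor f_e."""

    def __init__(self, x):
        self.x = x % Q
        self.h = pow(G, self.x, P)               # h = g^x, part of the public parameters

    def h_e(self, e):
        return pow(G, e, P) * self.h % P         # h_e = g^e * h = g^(x+e)

    def f_e(self, e):
        """Specific trapdoor for public key e: f_e^(x+e) = g (needs x + e != 0 mod q)."""
        assert (self.x + e) % Q != 0
        return pow(G, pow(self.x + e, -1, Q), P)


def commit(h_e, a, r):
    """Sender: A = g^a * h_e^r; the opening is (a, F = g^r)."""
    return pow(G, a, P) * pow(h_e, r, P) % P


def verify(h_e, A, a, F):
    """Receiver: accept iff (g, h_e, F, A / g^a) is a DDH tuple."""
    D = A * pow(pow(G, a, P), -1, P) % P
    return is_ddh(h_e, F, D)


def trapdoor_open(f_e, a, F, a_new):
    """With f_e, re-open a commitment to a (opening F = g^r) as a_new:
    (F * f_e^(a - a_new))^(x+e) = h_e^r * g^(a - a_new), so the DDH check passes."""
    return F * pow(f_e, a - a_new, P) % P


def demo():
    """Honest open, equivocation with f_e1, and the same f_e1 failing under key e2.
    x, r and the keys e1, e2 are constructed values."""
    mk = MasterKey(123)
    e1, e2, a, r = 17, 101, 42, 77
    F = pow(G, r, P)
    A1, A2 = commit(mk.h_e(e1), a, r), commit(mk.h_e(e2), a, r)
    F_equiv = trapdoor_open(mk.f_e(e1), a, F, 7)    # opens A1 as 7 using the key-e1 trapdoor
    return {
        "honest_e1": verify(mk.h_e(e1), A1, a, F),
        "equivocated_e1": verify(mk.h_e(e1), A1, 7, F_equiv),
        "wrong_value_rejected": not verify(mk.h_e(e1), A1, 8, F_equiv),
        "honest_e2": verify(mk.h_e(e2), A2, a, F),
        "f_e1_useless_for_e2": not verify(mk.h_e(e2), A2, 7, F_equiv),
        "f_e1_is_root_of_g": pow(mk.f_e(e1), mk.x + e1, P) == G,
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries of `demo()` are the multi-trapdoor point: $f_{e_1}$ equivocates commitments under key $e_1$ but is useless against a commitment under a different key $e_2$, while $x$ (the master trapdoor) yields every $f_e$.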

324 | Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1987
Citation context: ... like identification and deniable authentication protocols. Prior Work. Zero-knowledge protocols were introduced in [24]. The notion of proof of knowledge (already implicit in [24]) was formalized in [21, 6]. Concurrent zero-knowledge was introduced in [20]. They point out that the typical simulation paradigm to prove that a protocol is zero-knowledge fails to work in a concurrent model. This work sparke...

295 | Short signatures without random oracles
- Boneh, Boyen
- 2004
Citation context: ... above must be restated replacing RSA(n) with SRSA(n). 2.3 The Strong Diffie-Hellman Assumption. We now briefly recall the Strong Diffie-Hellman (SDH) Assumption, recently introduced by Boneh and Boyen in [9]. Let $G$ be a cyclic group of prime order $q$, generated by $g$. The SDH Assumption can be thought of as an equivalent of the Strong RSA Assumption over cyclic groups. It basically says that no attacker on inpu...

220 | How to go beyond the black-box simulation barrier
- Barak
- 2001
Citation context: ...bounds on the round complexity of concurrent zero-knowledge in the black-box model [13, 37], unless extra assumptions are used such as a common reference string. Moreover, in a breakthrough result, Barak [2] shows a constant round non-black-box concurrent zero-knowledge protocol, which however is very inefficient in practice. If one is willing to augment the computational model with a common reference stri...

204 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and
- Guillou, Quisquater
- 1988
Citation context: ...together with our techniques, we obtain a very efficient concurrently secure identification scheme under both the discrete log and Strong RSA Assumptions. By using the Guillou-Quisquater identification scheme [26], we obtain a comparable scheme which can be proven secure using only the Strong RSA Assumption. Both schemes require 3 rounds of communication and only 3 modular exponentiations per party. Bellare et...

197 | Noninteractive zero-knowledge
- Blum, DeSantis, et al.
- 1991
Citation context: ...m. As it turns out, the common reference string model is necessary also to achieve concurrent non-malleability (see [32]). In this model, the first theoretical solution to our problem was presented in [18]. Following on the ideas presented in [18], more efficient solutions were presented in [27, 22, 33]. Katz [27] presents efficient proofs of plaintext knowledge (a special type of proofs of knowledge) which...

172 | Collision-free accumulators and fail-stop signature schemes without trees
- Baric, Pfitzmann
- 1997
Citation context: ... Assumption [38] states that it is infeasible to compute $e$-th roots in $\mathbb{Z}_N^*$, i.e. given a random element $s \in_R \mathbb{Z}_N^*$ it is hard to find $x$ such that $x^e = s \bmod N$. The Strong RSA Assumption (introduced in [4]) states that given a random element $s \in \mathbb{Z}_N^*$ it is hard to find $x$ and $e \neq 1$ such that $x^e = s \bmod N$. The assumption differs from the traditional RSA assumption in that we allow the adversary to freel...

172 | Concurrent zero knowledge
- Dwork, Naor, et al.
- 1998
Citation context: ...ocols. Prior Work. Zero-knowledge protocols were introduced in [24]. The notion of proof of knowledge (already implicit in [24]) was formalized in [21, 6]. Concurrent zero-knowledge was introduced in [20]. They point out that the typical simulation paradigm to prove that a protocol is zero-knowledge fails to work in a concurrent model. This work sparked a long series of papers culminating in the disco...

161 | Signature Schemes Based on the Strong RSA Assumption
- Cramer, Shoup
Citation context: ... 3.1 A scheme based on the Strong RSA Assumption. In this section we recall a commitment scheme based on the RSA Assumption. This commitment scheme has been widely used in the literature before (e.g. [14, 16]). We show how under the Strong RSA Assumption this scheme is actually a multi-trapdoor commitment. Let $N$ be the product of two large primes $p, q$. Let $e$ be a prime such that $\gcd(e, \varphi(N)) = 1$, and $s$ a r...

151 | Universally composable commitments
- Canetti, Fischlin
- 2001
Citation context: ...-knowledge protocols are in particular concurrently non-malleable. In the common reference string model (which is necessary, as proven in [11]), a UCZK protocol for Hamiltonian Cycle was presented in [12]. Thus UCZK protocols for any NP problem can be constructed, but they are usually inefficient in practice since they require a reduction to the Hamiltonian Cycle problem. As it turns out, the common ref...

150 | On defining proofs of knowledge
- Bellare, Goldreich
- 1992
Citation context: ... like identification and deniable authentication protocols. Prior Work. Zero-knowledge protocols were introduced in [24]. The notion of proof of knowledge (already implicit in [24]) was formalized in [21, 6]. Concurrent zero-knowledge was introduced in [20]. They point out that the typical simulation paradigm to prove that a protocol is zero-knowledge fails to work in a concurrent model. This work sparke...

130 | Secure hash-and-sign signatures without the random oracle
- Gennaro, Halevi, et al.
- 1999
Citation context: ...On the other hand, for the Strong RSA based multi-trapdoor commitment, the public keys are prime numbers of the appropriate length. A prime-outputting collision-resistant hash function is described in [23]. However, we can do better than that by slightly modifying the whole protocol. We describe the modifications (inspired by [34, 16]) in this section. 5.1 Modifying the One-Time Signatures. First of all...

115 | Efficient concurrent zero-knowledge in the auxiliary string model
- Damgård, Fujisaki
- 2002
Citation context: ...the witnesses of the successful executions. In the common reference string model it is well known how to fully (i.e. both left and right) simulate proofs of knowledge efficiently, using the result of Damgård [17]. We use his techniques, so our protocols are fully concurrently zero-knowledge. Extraction is more complicated. Lindell in [32] shows how to do post-protocol extraction for the case of right concurre...

112 | Constructing digital signatures from a one-way function
- Lamport
- 1979
Citation context: ...$vk) = 1$ and $(M \neq M' \text{ or } sig \neq sig')\,]$ is negligible in $n$. One-time signatures can be constructed more efficiently than general signatures since they do not require public key operations (see [7, 8, 30]). Virtually all the efficient one-time signature schemes are strong. 2.2 The Strong RSA Assumption. Let $N$ be the product of two primes, $N = pq$. With $\varphi(N)$ we denote the Euler function of $N$, i.e. $\varphi(N) = $...

95 | Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds
- Canetti, Kilian, et al.
- 2003
Citation context: ...urrent model. This work sparked a long series of papers culminating in the discovery of non-constant upper and lower bounds on the round complexity of concurrent zero-knowledge in the black-box model [13, 34], unless extra assumptions are used such as a common reference string. Moreover, in a breakthrough result, Barak [2] shows a constant round non-black-box concurrent zero-knowledge protocol, which howe...

85 | On the Generation of Cryptographically Strong Pseudo-Random Sequences
- Shamir
- 1983
Citation context: ...is computationally binding under the RSA Assumption. We show that an adversary $A$ who is able to open the commitment scheme in two ways can be used to compute $e$-th roots. The proof uses Shamir's GCD trick [40]. Given as input the values $(N, s, e)$ we want to compute an integer $x$ such that $x^e = s \bmod N$. We place $(N, s, e)$ as the public parameters of the commitment scheme and run $A$. The adversary returns a com...
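The reduction sketched in this snippet, worked through in code. This is an added example, not code from the paper: it implements the RSA-based commitment recalled in Section 3.1 with a per-key trapdoor, equivocates a commitment with that trapdoor, and then runs Shamir's GCD trick on the two conflicting openings to recover an $e$-th root of $s$. The page cuts the scheme off after "$s$ a r...", so the commitment formula $A = s^a r^e \bmod N$ with messages $a \in \mathbb{Z}_e$ and the trapdoor $t_e = s^{1/e}$ are assumptions about the standard scheme being recalled; the 20-bit primes and the seeds are constructed toy values.

```python
"""RSA-based trapdoor commitment + Shamir's GCD-trick extraction (added example).

ASSUMED (the page truncates the scheme): commitment to a in Z_e is
A = s^a * r^e mod N with r in Z_N^*; the per-key trapdoor for prime e is
t_e = s^(1/e) mod N, computable from the master trapdoor phi(N).
Toy 20-bit primes: this exercises the algebra, it is not a secure instance.
"""
import random
from math import gcd


def is_prime(n):
    """Trial division, adequate for the toy primes below."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


P, Q = 1000003, 1000033                  # constructed toy factors (ASSUMED, insecure)
assert is_prime(P) and is_prime(Q)
N = P * Q
PHI = (P - 1) * (Q - 1)                  # master trapdoor (equivalent to the factorisation)


def rand_unit(rng):
    """Random element of Z_N^*."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x


def specific_trapdoor(s, e):
    """t_e with t_e^e = s mod N, derived from phi(N); e must be a prime with gcd(e, phi) = 1."""
    assert is_prime(e) and gcd(e, PHI) == 1
    return pow(s, pow(e, -1, PHI), N)


def commit(s, e, a, rng):
    """Commit to a in Z_e under public key e. Returns (A, r); the opening is (a, r)."""
    assert 0 <= a < e
    r = rand_unit(rng)
    return pow(s, a, N) * pow(r, e, N) % N, r


def verify(s, e, A, a, r):
    """Receiver's check: A == s^a * r^e mod N with a in Z_e and r a unit."""
    return 0 <= a < e and gcd(r, N) == 1 and A == pow(s, a, N) * pow(r, e, N) % N


def trapdoor_open(t_e, a, r, a_new):
    """Holder of t_e re-opens A (committed to a with r) as a_new:
    s^a_new * (r * t_e^(a - a_new))^e == s^a * r^e, so verify() still accepts."""
    return r * pow(t_e, a - a_new, N) % N        # negative exponent = modular inverse


def egcd(a, b):
    """Extended Euclid for a, b >= 0: returns (g, x, y) with a*x + b*y == g."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def extract_root(s, e, opening1, opening2):
    """Shamir's GCD trick. Two openings (a1, r1), (a2, r2) of the same A with
    a1 != a2 give s^(a1 - a2) == (r2 / r1)^e. As e is prime and |a1 - a2| < e,
    there are alpha, beta with alpha*(a1 - a2) + beta*e == 1, and then
    x = (r2/r1)^alpha * s^beta satisfies x^e == s mod N: an e-th root of s."""
    (a1, r1), (a2, r2) = opening1, opening2
    delta = a1 - a2
    g, alpha, beta = egcd(abs(delta), e)
    assert delta != 0 and g == 1
    if delta < 0:
        alpha = -alpha
    u = r2 * pow(r1, -1, N) % N                   # u^e == s^delta
    return pow(u, alpha, N) * pow(s, beta, N) % N


def equivocate_and_extract(seed, e, a, a_new):
    """Setup, commit to a, equivocate to a_new with t_e, then run the reduction
    on the two openings. Returns (honest ok, forged ok, tampered rejected,
    x^e == s, x == t_e)."""
    rng = random.Random(seed)
    s = rand_unit(rng)                            # public parameter chosen at setup
    t_e = specific_trapdoor(s, e)
    A, r = commit(s, e, a, rng)
    r_new = trapdoor_open(t_e, a, r, a_new)
    x = extract_root(s, e, (a, r), (a_new, r_new))
    return (verify(s, e, A, a, r), verify(s, e, A, a_new, r_new),
            not verify(s, e, A, a + 1, r), pow(x, e, N) == s, x == t_e)


if __name__ == "__main__":
    # two distinct prime public keys e, each with its own trapdoor under the same (N, s)
    print(equivocate_and_extract(7, 65537, 42, 7))
    print(equivocate_and_extract(7, 65539, 7, 42))
```

Because $\gcd(e, \varphi(N)) = 1$, $x \mapsto x^e$ is a bijection on $\mathbb{Z}_N^*$, so the root the reduction recovers is exactly the trapdoor $t_e$; this is what makes double-opening equivalent to breaking RSA for that $e$, and why letting the adversary choose $e$ (the Strong RSA setting) is what the multi-trapdoor property needs.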

72 | Constant-round coin-tossing with a man in the middle or realizing the shared random string model
- Barak
- 2002
Citation context: ...mic number of rounds is presented. This protocol, however, is only sequentially non-malleable, i.e. the adversary can only start sessions sequentially (and not concurrently) with the prover. Barak in [3] shows a constant round non-malleable ZK proof in the non-black-box model (and thus very inefficient). Using the taxonomy introduced by Lindell [31], we can think of concurrent composition as the most g...

48 | Concurrent zero knowledge with logarithmic round-complexity
- Prabhakaran, Rosen, et al.
- 2002
Citation context: ..., as we explain later in the Introduction, we could achieve also right-concurrency if we use so-called #o-cal cols 2 bounds on the round complexity of concurrent zero-knowledge in the black-box model [13, 37], unless extra assumptions are used such as a common reference string. Moreover, in a breakthrough result, Barak [2] shows a constant round non-black-box concurrent zero-knowledge protocol, which howe...

39 | Lower bounds for concurrent self composition
- Lindell
- 2004
Citation context: ...right) simulate proofs of knowledge efficiently, using the result of Damgård [17]. We use his techniques, so our protocols are fully concurrently zero-knowledge. Extraction is more complicated. Lindell in [32] shows how to do post-protocol extraction for the case of right concurrency. We can use his techniques as well. But for many applications what really matters is on-line extraction. We are able to do t...

39 | Randomness extraction and key derivation using the CBC, cascade and HMAC modes
- Dodis, Gennaro, et al.
- 2004
Citation context: ...relaxed to asking that the distribution has enough min-entropy. This is a reasonable assumption that can be made on families built out of a collision-resistant hash function (such as SHA-1). See also [18] for analysis of this type of function families. [...] we know that this process will stop in polynomial time, i.e. after an expected $\ell$ iterations. – Since $e$ is of the form $2PR + 1$, and $P > e^{1/3}$, primali...

38 | New generation of secure and practical RSA-based signatures
- Cramer, Damgård
- 1996
Citation context: ... 3.1 A scheme based on the Strong RSA Assumption. In this section we recall a commitment scheme based on the RSA Assumption. This commitment scheme has been widely used in the literature before (e.g. [14, 16]). We show how under the Strong RSA Assumption this scheme is actually a multi-trapdoor commitment. Let $N$ be the product of two large primes $p, q$. Let $e$ be a prime such that $\gcd(e, \varphi(N)) = 1$, and $s$ a r...

36 | On simulation-sound trapdoor commitments
- MacKenzie, Yang
Citation context: ...concurrent non-malleability (see [30]). In this model, the first theoretical solution to our problem was presented in [17]. Following on the ideas presented in [17], more efficient solutions were presented in [27, 22, 31]. Our compiler uses ideas from both the works of Damgård [16] and Katz [27], with the only difference that it uses multi-trapdoor instead of regular trapdoor commitments in order to achieve concurren...

32 | Identification protocols secure against reset attacks
- Bellare, Fischlin, et al.
- 2001
Citation context: ...obtain a comparable scheme which can be proven secure using only the Strong RSA Assumption. Both schemes require 3 rounds of communication and only 3 modular exponentiations per party. Bellare et al. in [5] present resettable identification schemes, which are in particular also concurrently secure. Our schemes achieve only the weaker property of concurrent composition (and work under a specific assumpti...

29 | Strengthening zero-knowledge protocols using signatures
- Garay, MacKenzie, et al.
- 2003
Citation context: ...concurrent non-malleability (see [32]). In this model, the first theoretical solution to our problem was presented in [18]. Following on the ideas presented in [18], more efficient solutions were presented in [27, 22, 33]. Katz [27] presents efficient proofs of plaintext knowledge (a special type of proofs of knowledge) which are sequentially non-malleable. These proofs can be made concurrently non-malleable if one make...

29 | Efficient and non-malleable proofs of plaintext knowledge and applications
- Katz
- 2003
Citation context: ...able) and also proofs of knowledge (i.e. one can extract the witness from the adversary). When it comes to extraction one also has to make the distinction between on-line and post-protocol extraction [27]. In an on-line extraction, the witness is extracted as soon as the prover successfully convinces the verifier. In a post-protocol extraction procedure, the extractor waits for the end of all the conc...

28 | Chameleon Hashing and Signature - Krawczyk, Rabin

25 | On the efficiency of one-time digital signatures
- Bleichenbacher, Maurer
Citation context: ...$vk) = 1$ and $(M \neq M' \text{ or } sig \neq sig')\,]$ is negligible in $n$. One-time signatures can be constructed more efficiently than general signatures since they do not require public key operations (see [7, 8, 30]). Virtually all the efficient one-time signature schemes are strong. 2.2 The Strong RSA Assumption. Let $N$ be the product of two primes, $N = pq$. With $\varphi(N)$ we denote the Euler function of $N$, i.e. $\varphi(N) = $...

23 | Fast generation of prime numbers and secure public-key cryptographic parameters
- Maurer
- 1995
Citation context: ...length. A prime-outputting collision-resistant hash function is described in [23]. However, we can do better than that by slightly modifying the whole protocol. We describe the modifications (inspired by [34, 16]) in this section. 5.1 Modifying the One-Time Signatures. First of all, we require the one-time signature scheme $(SG, Sig, Ver)$ to have an extra property: i.e. that the distribution induced by $SG$ over th...

19 | Algorithmic Number Theory - Volume 1
- Bach, Shallit
- 1996
Citation context: ...ed: Completeness. For all $(y, w) \in R_n$ (for all $R_n$) we have that $[P(y, w), V(y)] = 1$. Witness Extraction. There exist a probabilistic polynomial time knowledge extractor $KE$, a function $\kappa : \{0, 1\}^* \to [0, 1]$ and a negligible function $\nu$, such that for every probabilistic polynomial time concurrent man-in-the-middle adversary $A$, if $\epsilon_A(n) > \kappa(n)$ then $KE$, given rewind access to $A$, computes $w$ such that $(y, w)$ ...

19 | Optimal tree-based one-time digital signature schemes
- Bleichenbacher, Maurer
- 1996
Citation context: ...$vk) = 1$ and $(M \neq M' \text{ or } sig \neq sig')\,]$ is negligible in $n$. One-time signatures can be constructed more efficiently than general signatures since they do not require public key operations (see [7, 8, 30]). Virtually all the efficient one-time signature schemes are strong. 2.2 The Strong RSA Assumption. Let $N$ be the product of two primes, $N = pq$. With $\varphi(N)$ we denote the Euler function of $N$, i.e. $\varphi(N) = $...

18 | Composition of Secure Multi-Party Protocols: a comprehensive study, volume 2815
- Lindell
- 2003
Citation context: ...sequentially (and not concurrently) with the prover. Barak in [3] shows a constant round non-malleable ZK proof in the non-black-box model (and thus very inefficient). Using the taxonomy introduced by Lindell [31], we can think of concurrent composition as the most general form of composition of a protocol with itself (i.e. in a world where only this protocol is run). On the other hand it would be desirable to...

14 | A practical public key cryptosystem secure against adaptive chosen ciphertext attacks - Cramer, Shoup - 1998

4 | On Simulation-Sound Commitments
- MacKenzie, Yang
- 2004
Citation context: ...concurrent non-malleability (see [32]). In this model, the first theoretical solution to our problem was presented in [18]. Following on the ideas presented in [18], more efficient solutions were presented in [27, 22, 33]. Katz [27] presents efficient proofs of plaintext knowledge (a special type of proofs of knowledge) which are sequentially non-malleable. These proofs can be made concurrently non-malleable if one make...

3 | Efficient Cryptographic Protocols Preventing "Man-in-the-Middle" Attacks - Katz - 2002

2 | Identity-Based Encryption from the Weil Pairing
- Boneh, Franklin
- 2003
Citation context: ...of choosing $w$ at random and then computing the matching $y$. Gap-DDH groups where Assumption 2 is believed to hold can be constructed using bilinear maps, introduced in the cryptographic literature by [10]. Definition 3. We say that an ensemble of polynomial time relationships is hard if for every probabilistic polynomial time machine $A$ we have that $\Pr[\,R_n \leftarrow IG(1^n);\ (y, w) \leftarrow R_n : A(y) = w\,]$ is...

1 | Concurrent Zero-Knowledge requires $\tilde{\Omega}(\log n)$ rounds
- Canetti, Kilian, et al.
- 2001
Citation context: ..., as we explain later in the Introduction, we could achieve also right-concurrency if we use so-called #o-cal cols 2 bounds on the round complexity of concurrent zero-knowledge in the black-box model [13, 37], unless extra assumptions are used such as a common reference string. Moreover, in a breakthrough result, Barak [2] shows a constant round non-black-box concurrent zero-knowledge protocol, which howe...