Cryptology ePrint Archive: Report 2011/536
Revisiting Lower and Upper Bounds for Selective Decommitments
Rafail Ostrovsky and Vanishree Rao and Alessandra Scafuro and Ivan Visconti
Abstract: In [DNRS99, DNRS03], Dwork et al. opened the fundamental question of existence of commitment schemes that are secure against selective opening attacks (SOA, for short). In [BHY09] Bellare, Hofheinz, and Yilek, and Hofheinz in [Hof11] solved this problem positively by presenting a scheme which is based on non-black-box use of a one-way permutation and which has super- constant number of rounds. The achieved solution however opened other challenging questions on improvements of round complexity and on possibility of obtaining fully black-box schemes where access to an underlying primitive and to an adversary are black-box only. Recently, in TCC 2011, Xiao ([Xia11a]) investigated on how to achieve (nearly) optimal SOA-secure commitment schemes where optimality is in the sense of both the round complexity and the black-box use of cryptographic primitives. The work of Xiao focuses on a simulation-based security notion of SOA. Moreover, the various results in [Xia11a] focus only on either parallel or concurrent SOA.
In this work we first point out various issues in the claims of [Xia11a] that actually re-open several of the questions left open in [BHY09, Hof11]. Then, we provide new lower bounds and concrete constructions that produce a very different state-of-the-art compared to the one given in [Xia11a].
More specifically, denoting by (x, y) the round complexity of a scheme that requires x rounds in the commitment phase and y rounds in the decommitment phase, and by considering only (like in [Xia11a]) the setting of black-box simulation for SOA-security, we show that:
1. There is an issue in the result of [Xia11a] on the existence of (3,1)-round schemes for parallel SOA; in fact, we are able to contradict their impossibility result by presenting a (3,1)-round scheme based on black-box use of trapdoor commitments. Moreover, we can instantiate such a scheme with a non-black-box use of a one-way function, thus producing a (3, 1)-round scheme based on any one-way function that improves the result of [BHY09, Hof11] from logarithmic round complexity to 3 (optimal), also under optimal complexity assumptions. We also show a (3, 3)-round scheme based on black-box use of any one-way permutation.
2. There is an issue in the proof of security for parallel composition of the (4, 1)-round scheme given in [Xia11a]; thus such scheme may not be secure. We show instead a (4,1)-round scheme based on black-box use of any weak trapdoor commitment scheme, and a (5,1)-round scheme based on black-box use of any one-way permutation.
3. There is an issue in the proof of security of the concurrent SOA-secure scheme of [Xia11a]. This issue emerges under the case where the simulator cannot itself efficiently sample from the distribution of committed messages. In fact, we contradict the claimed security of this scheme by showing that there can not exist such a scheme, regardless of its round complexity and of the (black-box or non-black-box) use of cryptographic primitives.
All our schemes are secure for parallel SOA composition and also secure for concurrent SOA composition under the restriction that all commitment phases are played before any decommitment phase. Moreover, in all our constructions the simulator does not need to know the distribution of the messages committed to by the sender. In light of our result on the impossibility of a scheme that is SOA-secure under full-fledged concurrent composition (see Item 3 above), the concurrency achieved by our schemes is essentially optimal.
Category / Keywords: Commitment Schemes, Selective Opening Attacks, Black-box Reductions
Date: received 30 Sep 2011, last revised 15 Nov 2012
Contact author: alescafu at gmail com
Available formats: PDF | BibTeX Citation
Note: Feb.22-With respect to the original version, this version includes: improved results, more detailed proofs, simplified protocols. April 23-added acknowledgments.
Version: 20121115:191335 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]