Computational Soundness of Non-Malleable Commitments

Computational Soundness of Non-Malleable Commitments David Galindo1⋆ , Flavio D. Garcia2 , and Peter van Rossum2 1 Departament of Computer Science, University of Malaga, Spain dgalindo@lcc.uma.es 2 Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands. {flaviog,petervr}@cs.ru.nl Abstract. This paper aims to find a proper security notion for commitment schemes to give a sound computational interpretation of symbolic commitments. We introduce an indistinguishability based security definition of commitment schemes that is equivalent to non-malleability with respect to commitment. Then, we give a construction using tag-based encryption and one-time signatures that is provably secure assuming the existence of trapdoor permutations. Finally, we apply this new machinery to give a sound interpretation of symbolic commitments in the Dolev-Yao model while considering active adversaries. 1 Introduction Over the last few decades, two main stream approaches have been developed for the analysis of security protocols. On the one hand, the cryptographic approach considers an arbitrary computationally-bound adversary that interacts with honest participants and tries to break a security goal. This model is satisfactory as it deals with every efficient attacker. On the other hand, the symbolic or Dolev-Yao approach idealizes the security properties of the cryptographic primitives, which are axiomatized in a logic. Moreover, the capabilities of the adversary are also specified by a set of inference rules. This approach is appealing because there are automated techniques for the verification of some security properties. Abadi and Rogaway in [AR02] pioneered the idea of relating these two models and showed that, under appropriate assumptions on the underlying cryptographic primitives, a simple language of encrypted expressions is sound with respect to the computational model in the case of passive adversaries. Such a relation maps symbolic messages m to distributions over bitstrings [[m]]. This map then should relate messages that are observationally equivalent in the symbolic world to indistinguishable distributions over bitstrings. Such a map allows one to use formal methods, possibly even automated, to reason about security properties of protocols and have those reasonings be valid also in the standard computational model. ⋆ partially funded by the Spanish Ministry of Science and Education through the projects ARES (CSD2007-00004) and CRISIS (TIN2006-09242) Several extensions to the original Abadi-Rogaway logic [AR02] have been proposed in the literature. These extensions deal with public key encryption [MW04, Her05], key cycles [ABHS05], partial information leakage [ABS05], active instead of passive adversaries [MW04,JLM05], and more realistic security notions [AW05]. Other extensions add new primitives to the logic such as bilinear pairings [Maz07], modular exponentiation [BLMW07] and hash functions [CKKW06,GvR06,GvR08]. There are also frameworks dealing with generic equational theories [BCK05,ABW06, KM07]. So far there is no work in the literature, that we are aware of, that relates these two approaches for commitment schemes. Commitment schemes are fundamental cryptographic primitives and are used in protocols like zero-knowledge proofs [GMW91], contract signing [EGL85], and can be used for bidding protocols. A commitment consists of two phases: the commitment phase where the principals commit to a message without revealing any information; and the opening phase where the principals reveal the message and it is possible to verify that this message corresponds to the value committed to during the commitment phase. After the commitment phase it should be infeasible to open the commitment to a different value than the one committed. This property is called binding. In the context of bidding protocols, non-malleability is also a desirable property. This means that an adversary cannot modify an intercepted commitment, say into a commitment to a slightly higher bid. Our contribution. The first objective of this paper is to find sufficient security assumptions to give a sound computational interpretation of commitments schemes in the Dolev-Yao model, under active adversaries. Pursuing that objective we propose a new indistinguishability-based security definition for commitment schemes in the presence of adaptive adversaries. Then we give a novel generic construction for a non-malleable commitment scheme based on one-way trapdoor permutations. This construction is secure with respect to our new definition and has some additional properties such as being non-interactive, perfectly binding and reusable, which makes it of independent interest. This new definition allows us to prove soundness of the Dolev-Yao model extended with commitments, following the directions of Micciancio and Warinschi [MW04]. Overview. Section 3 introduces basic notation and definitions from the literature. Section 4 elaborates on different definitions of non-malleability for commitment schemes and discusses the relations among them. In Section 5 we propose a new commitment scheme and we give a security proof. Section 2 describes symbolic protocol executions, its computational counterparts and the map between them and also states the soundness result. Finally in Section 7 there are some concluding remarks. 2 Symbolic Protocols We are going to apply this theory to give sound computational interpretation to symbolic commitments. Recall from the introduction that the symbolic approach to protocol verification deals with symbolic or algebraic messages and idealized cryptographic primitives. In this setting the adversary is unbounded in running time and has full control over the communication media but is completely incapable of breaking the underlying cryptographic primitives. We now describe the message space and the closure operator. These messages are used to formally describe cryptographic protocols. The closure represents the knowledge that can be extracted from a message, and it is used to define what valid algebraic protocol runs are. Intuitively a protocol run is valid if every message sent by a principal can be deduced from its knowledge except maybe for some fresh randomness. Much of this is standard (see, e.g., [AR02, MW04, MP05, GvR06]), except that we model commitments and decommitments as well as encryption. Definition 2.1. Let Nonce be an infinite set of nonce symbols, Const a finite set of constant symbols, Key an infinite set of key symbols, and Random an infinite set of randomness labels. Nonces are denoted by n, n′ , . . . , constants by c, c′ , . . . , keys by k, k ′ , . . . , and randomness labels by r, r′ , . . . . Using these building blocks, messages are constructed using symbolic encryption, commitments, decommitments, and pairing operations: Msg ∋ m := c | n | {|m|}rk | comr(m) | decr(m) | hm, mi. A message of the form {|m|}rk is called an encryption and the set of all such messages is denoted by Enc. Similarly, messages of the form comr(m) are called commitments and the set of all these messages is denoted by Com. The messages of the form decr(m) are called decommitments and the set of all these messages is denoted ′ by Dec. In a protocol run decr(m) is a valid decommitment of comr (m′ ) only if m = m′ and r = r′ . We say that elements in Const ∪ Nonce ∪ Key are primitive and we denote this set by Prim. For a public key k we denote its associated private key as k −1 . The closure of a set U of messages is the set of all messages that can be constructed from U using tupling, detupling, commitment, decommitment, and encryption and decryption. It represents the information an adversary could deduce knowing U . Note that, due to secrecy of the commitment scheme, knowing comr(m) does not provide an adversary with any information about m. Definition 2.2 (Closure). Let U be a set of messages. The closure of U , denoted by U , is the smallest set of messages satisfying: 1. Const ⊆ U ; 2. U ⊆ U ; 3. m, m′ ∈ U =⇒ hm, m′ i ∈ U ; 4. m ∈ U ∧ k ∈ U =⇒ {|m|}rk ∈ U ; 5. {|m|}rk ∈ U ∧ k −1 ∈ U =⇒ m ∈ U ; 6. m ∈ U =⇒ comr(m), decr(m) ∈ U ; 7. decr(m) ∈ U =⇒ m ∈ U ; 8. hm, m′ i ∈ U =⇒ m, m′ ∈ U . Next we need to find the right security notions to give sound computational interpretation to symbolic encryption and commitments. 3 Computational Setup This section introduces syntaxis and security definitions for different cryptographic primitives. Much of this is standard, we refer the reader to [GM84,RS92] and [NY90] for a thorough explanation. Some of this primitives will be used to interpret algebraic operations and some of them are used as building blocks for our construction of Section 5. 3.1 Commitment Schemes Definition 3.1. A commitment scheme is a triple Ω = (TTP, Snd, Rcv) of probabilistic polynomial-time algorithms. TTP, the trusted third party, takes as input the security parameter 1η and produces a common reference string σ. We require that |σ| ≥ p(η) for some non-constant polynomial p. Snd, the sender, takes as input σ and a message m and produces a commitment com to this message and a corresponding decommitment dec. Rcv, the receiver, takes as input σ, com, and dec and produces a message or ⊥. MeaningfulnessΩ (A): σ ← TTP(1η ) m ← A(σ) (com, dec) ← Snd(σ, m) m1 ← Rcv(σ, com, dec) return m 6= m1 SecrecyTTP,Snd (A1 , A2 ): σ ← TTP(1η ) m0 , m1 , s ← A1 (σ) b ← {0, 1} (com, dec) ← Snd(σ, mb ) b′ ← A2 (s, com) return b = b′ BindingTTP,Rcv (A): σ ← TTP(1η ) (com, dec1 , dec2 ) ← A(σ) m1 ← Rcv(σ, com, dec1 ) m2 ← Rcv(σ, com, dec2 ) return m1 6= ⊥ 6= m2 ∧ m1 6= m2 The following three conditions must hold. 1. For all probabilistic polynomial-time algorithms A, the probability P[MeaningfullnessΩ (A)] is a negligible function of η. 2. For all probabilistic polynomial-time algorithms (A1 , A2 ), the advantage |P[SecrecyTTP,Snd (A1 , A2 )] − 1/2| is a negligible function of η. 3. For all probabilistic polynomial-time algorithms A, the probability P[BindingTTP,Rcv (A)] is a negligible function of η. Definition 3.2. A commitment scheme is said to be perfectly binding if for all unbounded algorithms A, the probability P[BindingTTP,Rcv (A)] is zero. Definition 3.3. A commitment scheme is said to be perfectly hiding if for all unbounded algorithms (A0 , A1 ), |P[Secrecy TTP,Snd (A1 , A2 )] − 1/2| is zero. 3.2 Encryption Schemes Definition 3.4. An encryption scheme is a triple Π = (K, E, D) of probabilistic polynomial-time algorithms. K takes as input the security parameter 1η and produces a key pair (pk, sk) where pk is the public encryption key and sk is the private decryption key. E takes as input a public key pk and a plaintext m and outputs a ciphertext. D takes as input a private key sk and a ciphertext and outputs a plaintext or ⊥. It is required that P[(pk, sk) ← K(1η ); c ← E(pk, m); m′ ← D(sk, c) : m = m′ ] = 1. IND-CCA Π (A0 , A1 ) : (pk, sk) ← K(1η ) m0 , m1 , s ← AD 0 (pk) b ← {0, 1} c ← E(pk, mb ) b′ ← A D 1 (s, c) return b = b′ Definition 3.5. An encryption scheme Π = (K, E, D) is said to be IND-CCA secure if for all probabilistic polynomial-time adversaries A = (A0 , A1 ) the advantage of A, defined as |P[IND-CCA Π (A0 , A1 )] − 1/2|, is a negligible function of η. This adversary has access to a decryption oracle D that on input c′ outputs D(sk, c′ ) with the only restriction that c 6= c′ . 3.3 One-time Signatures Definition 3.6. A signature scheme is a triple (Gen, Sign, Vrfy) of probabilistic polynomial-time algorithms. Gen takes as input the security parameter 1η and produces a key pair (vk, sk) where vk is the signature verification key and sk is the secret signing key. Sign takes as input sk and a message m and produces a signature s of m. Vrfy takes as input vk, a message m and a signature s and outputs whether or not s is a valid signature of m. OTSΣ (A0 , A1 ) : (vk, sk) ← Gen(1η ) m, s ← A0 (vk, 1η ) σ ← Sign(sk, m) m′ , σ ′ ← A1 (s, σ) return σ 6= σ ′ ∧ Vrfy(vk, (m′ , σ ′ )) Definition 3.7. A signature scheme Σ = (Gen, Sign, Vrfy) is a strong, one-time signature scheme if the success probability of any probabilistic polynomial-time adversary (A0 , A1 ) in the game OTSΣ (A0 , A1 ) is negligible in the security parameter η. 3.4 Tag-based Encryption Definition 3.8. A tag-based encryption scheme (TBE) handling tags of length ℓ (where ℓ is a polynomially-bounded function) is a triple of probabilistic polynomialtime algorithms (KeyGen, Enc, Dec). KeyGen takes a security parameter 1η and returns a public key pk and secret key sk. The public key pk includes the security parameter 1η and ℓ(η); as well as the description of sets M, R, C, which denote the set of messages, randomness and ciphertexts respectively. These descriptions might depend on the public key pk. Enc takes as inputs pk, a tag t ∈ {0, 1}ℓ and m ∈ M. It returns a ciphertext c ∈ C. Dec takes as inputs the secret key sk, a tag t and c ∈ C, and returns m ∈ M or ⊥ when c is not a legitimate ciphertext. For the sake of consistency, these algorithms must satisfy Dec(sk, t, c) = m for all t ∈ {0, 1}ℓ, m ∈ M, where c = Enc(pk, t, m). Definition 3.9. Let E = (KeyGen, Enc, Dec) be a TBE scheme. We say E is INDTBE-CCA secure if for any 3-tuple of PPT oracle algorithms (A0 , A1 , A2 ) and any polynomially-bounded function ℓ the advantage in the following game is negligible in the security parameter 1η : A0 (1η , ℓ(η)) outputs a target tag t. KeyGen(1η ) outputs (pk, sk) and the adversary is given pk. Then the adversary A1 may ask polynomially-many queries to a decryption oracle D(t′ , c′ ) = Dec(sk, t′ , c′ ) for pairs tag-ciphertext (t′ , c′ ) of its choice, with the restriction t 6= t′ . At some point, A1 outputs two equal length messages m0 , m1 . A bit b ← {0, 1} is chosen at random and the adversary is given a challenge ciphertext c ← Enc(pk, t, mb ). A2 may continue asking the decryption oracle for pairs tag-ciphertext (t′ , c′ ) of its choice, with the restriction t 6= t′ . Finally, A2 outputs a guess b′ . IND-TBE-CCA E (A0 , A1 , A2 ) : t, s1 ← A0 (1η , ℓ(η)) (pk, sk) ← KeyGen(1η ) m 0 , m 1 , s2 ← A D 1 (s1 , pk) b ← {0, 1} c ← Enc(pk, t, mb ) b′ ← A D 2 (s2 , c) return b = b′ We define the advantage of A as |P[IND-TBE-CCA(A)] − 1/2|. 3.5 Interpretation Suppose we have an encryption scheme Π, a commitment scheme Ω and a function that maps symbolic constants to constant bitstrings. Then we can define a mapping [[·]] from algebraic messages m ∈ Msg to distributions over bitstrings [[m]] ∈ Str. This interpretation maps nonces to random bitstrings of length η; encryptions are interpreted by running the encryption algorithm E and for interpreting commitments and decommitments we use the commit algorithm Snd. In order to achieve sound interpretation we will explore the security requirements on these cryptographic primitives. For the case of encryption it is satisfactory to use any IND-CCA encryption scheme as shown in [MW04]. For the case of commitments, using standard security definitions is not straightforward as they are not strong enough nor indistinguishability based. To achieve sound interpretation of the idealized Dolev-Yao model, throughout the next section we elaborate on a convenient security definition for commitment schemes. 4 Definitions of Non-malleability As noticed by Fischlin and Fischlin [FF00], there are two different versions of nonmalleability for commitment schemes, namely: NM with respect to opening (NMO) and NM with respect to commitment (NMC). NMC was the version originally proposed by Dolev, Dwork and Naor in [DDN91]. It means that given a commitment to a message m, the adversary is unable to build a different commitment to m′ , with m related to m′ . This version of non-malleability is appropriate while considering perfectly binding commitments and only makes sense for schemes that are not perfectly hiding. The other version NMO, seemingly weaker, means that an adversary that is first given a commitment to m and on a second stage its decommitment, is unable to find a different commitment-decommitment pair that decommits to a message m′ related to m. This notion was studied by Di Crescenzo, Ishai and Ostrovsky [CIO98] and later by Di Crescenzo, Katz, Ostrovsky and Smith [CKOS01]. Intuitively a commitment scheme is non-malleable if the adversary can do no better than a simulator which has no information at all about the message that was committed to. Next we recall their definition. NMO Ω (A1 , A2 , D, R): ; σ ← TTP(1η ) ; m1 ← D ; com1 , dec1 ← Snd(σ, m1 ) ; com2 ← A1 (σ, com1 ) ; dec2 ← A2 (σ, com1 , com2 , dec1 ) ; m2 ← Rcv(σ, com2 , dec2 ) ; return com1 6= com2 ∧ R(m1 , m2 ) ; SIM(S, D, R): ; m1 ← D ; m2 ← S(1η , D) ; return R(m1 , m2 ) ; Definition 4.1 (Non-malleability [CIO98,CKOS01]). Let Ω = (TTP, Snd, Rcv) be a commitment scheme. Ω is called non-malleable if for all PPT adversaries (A1 , A2 ) there is a PPT simulator S such that for all distributions D and all relations R, P[NMOΩ (A1 , A2 , D, R)] − P[SIM(S, D, R)] is a negligible function of η. Remark 4.2. To prevent that the adversary trivially wins, by refusing to decommit, the following restriction over the relation R is imposed: for all messages m, we have R(m, ⊥) = 0. 4.1 NMC-CCA: Non-malleability Against Chosen Commitment Attacks The previous definition deals with non-malleability with respect to opening. For the relation between symbolic and computational cryptography we need the stronger notion of non-malleability with respect to commitment. Intuitively, this is because in the algebraic setting comr(m′ ) cannot be deduced from comr(m), with m′ somehow related to m. Therefore we adapt the NMO definition to non-malleability with respect to commitment and we strengthen it by incorporating active adaptive security, allowing the adversary to mount chosen commitment attacks (CCA in short). Specifically, we empower the adversary with access to a decommitment oracle D. To do so, from now on, we restrict our attention to non-interactive, perfectly binding trapdoor commitment schemes. The oracle D has access to the trapdoor information. It takes as argument a commitment c with the restriction that c is not equal to the challenge commitment com1 . Then if the commitment c has been correctly generated, the oracle returns a decommitment d which opens c, and otherwise it outputs ⊥. NMC-CCAΩ (A0 , A1 , R): ; σ ← TTP(1η ) ; D, s1 ← AD 0 (σ) ; m1 ← D(σ) ; com1 , dec1 ← Snd(σ, m1 ) ; com2 , sr ← AD 1 (s1 , com1 ) ; dec2 ← D(com2 ) ; m2 ← Rcv(σ, com2 , dec2 ) ; return com1 6= com2 ∧ R(sr , m1 , m2 ) ; SIM-CCATTP (S0 , S1 , R): ; σ ← TTP(1η ) ; D, s1 ← S0 (σ) ; m1 ← D(σ) ; ; com2 , sr ← S1 (s1 ) ; dec2 ← D(com2 ) ; m2 ← Rcv(σ, com2 , dec2 ) ; return R(sr , m1 , m2 ) ; Definition 4.3 (NMC-CCA). Let Ω = (TTP, Snd, Rcv) be a commitment scheme. Ω is called NMC-CCA secure if for all PPT adversaries (A0 , A1 ) there is a PPT simulator (S0 , S1 ) such that for all relations R (with the same restriction as in 4.2), P[NMC-CCAΩ (A0 , A1 , R)] − P[SIM-CCATTP (S0 , S1 , R)] is a negligible function of η. 4.2 An Indistinguishability Based Definition Next we introduce an equivalent formulation of NMC-CCA that is more convenient to prove soundness of the Dolev-Yao model with respect to commitment schemes. IND-COM-CCAb (A0 , A1 ): ; σ ← TTP(1η ) ; m 0 , m 1 , s1 ← A D 0 (σ) ; com1 , dec1 ← Snd(σ, mb ) ; b′ ← A D 1 (s1 , com1 ) ; return b′ ; Definition 4.4 (IND-COM-CCA). Let Ω = (TTP, Snd, Rcv) be a commitment scheme. Ω is said to be IND-COM-CCA secure if for all PPT adversaries (A0 , A1 ) D D D P[ IND-COM-CCA1 (AD 0 , A1 ) = 1] − P[ IND-COM-CCA0 (A0 , A1 ) = 1] is a negligible function of η. Next we show that NMC-CCA and IND-COM-CCA are equivalent. We discuss it briefly as it is basically the proof that NM-CCA and IND-CCA are equivalent, adapted to commitment schemes. Theorem 4.5. Let Ω = (TTP, Snd, Rcv) be a commitment scheme. Then Ω is IND-COM-CCA secure if and only if Ω is NMC-CCA secure. Proof. (IND-COM-CCA ⇐ NMC-CCA) Let (B0 , B1 ) be an adversary for INDCOM-CCA. Then we build the following adversary (A0 , A1 ) against NMC-CCA. Algorithm AD 0 (σ) : m0 , m1 , s1 ← B0D (σ) D ← U ({m0 , m1 }) return D, (σ, m0 , m1 , s1 ) Algorithm AD 1 ((σ, m0 , m1 , s1 ), c1 ) : b ← B1D (s1 , c1 ) c2 ← Snd(σ, mb ) return c2 , ǫ where U is the uniform distribution. Now take the relation R(sr , m1 , m2 ) as m1 equal to m2 . It should be clear, after unfolding (A0 , A1 ) in the NMC-CCA game, that this adversary has the same advantage that (B0 , B1 ) has against IND-COMCCA. (IND-COM-CCA ⇒ NMC-CCA) Let (A0 , A1 ) be an adversary for NMC-CCA. Then we build the following adversary (B0 , B1 ) against IND-COM-CCA. Algorithm B0D (σ) : D, s1 ← AD 0 (σ) m0 , m1 ← D return m0 , m1 , (σ, m0 , m1 , s1 ) Algorithm B1D ((σ, m0 , m1 , s1 ), c1 ) : c2 ← AD 1 (s1 , c1 ) m ← D(c2 ) if m = m1 then return 1 else return 0 Again, just by unfolding these adversaries in the IND-COM-CCA game, it is easy to verify that they have the same advantage that (A0 , A1 ) has against NMC-CCA. It remains to show that such a security notion for a commitment scheme is achievable. In the next section we give a practical construction that achieves INDCOM-CCA security. 5 The Construction We now propose a new construction for IND-COM-CCA that is computationally hiding, perfectly binding, reusable, non-interactive, non-malleable under adaptive adversaries, and provably secure under the assumption that trapdoor permutations exist. Next we outline the idea of our construction. As pointed out by Di Crescenzo, Katz, Ostrovsky and Smith [CKOS01], an IND-CCA secure public key encryption scheme can be converted into a perfectly binding non-malleable commitment scheme. Let Π = (KeyGen, Enc, Dec) be an indistinguishable against adaptive chosen-ciphertext attacks secure public key encryption scheme. The idea is to commit to a message m by encrypting it using random coins r; commitment is set to be the ciphertext c = Enc(pk, m; r); de-commitment is set to be the pair (m, r); finally the opening algorithm takes (c, m, r) and checks whether c = Enc(pk, m; r). When trying to directly use this construction to instantiate an IND-COM-CCA commitment scheme one might not be able to simulate the de-commitment oracle. The reason is that given a ciphertext/commitment c, one recovers the purported embedded message m by using the decryption algorithm, but not necessarily the randomness r. One way to break through this situation is to include in the commitment a second ciphertext c′ = Enc(pk′ , r; r′ ) encrypting the randomness r used in the first ciphertext c = Enc(pk, m; r). This is the key idea of our construction. We additionally use one-time signatures and this together with tag-based encryption schemes ensure the de-commitment oracle does not leak vital information. Let Π = (KeyGen, Enc, Dec) be a tag based encryption scheme and let Σ = (Gen, Sign, Vrfy) be a signature scheme. Define (TTP, Snd, Rcv) as follows: – TTP runs KeyGen(1η ) twice to obtain (pk1 , sk1 ) and (pk2 , sk2 ). The common reference string includes pk1 , pk2 . – To commit to a message m, the sender Snd computes and outputs the commitment C = (vk, c1 , c2 , s) where c1 = Enc(pk1 , vk, m; r1 ), c2 = Enc(pk2 , vk, r1 ; r2 ), with r1 , r2 ← R, (vk, sk) ← Gen(1η ) and s ← Sign(sk, (c1 , c2 )). The decommitment is set to be (m, r1 ). – To de-commit ciphertext C = (vk, c1 , c2 , s) using (m, r1 ), the receiver Rcv first checks if the signature on (c1 , c2 ) is correct, and afterwards whether or not c1 = Enc(pk1 , vk, m; r1 ). We assume R = M. Theorem 5.1. Assume that (KeyGen, Enc, Dec) is an IND-TBE-CCA secure tag based encryption scheme and that (Gen, Sign, Vrfy) is a one-time strongly unforgeable signature scheme. Then (TTP, Snd, Rcv) is an IND-COM-CCA secure commitment scheme. Proof. We transform an adversary A against the IND-COM-CCA security of the commitment scheme into adversaries against the TBE and the OTS. Next we will describe a sequence of games following the methodology advocated in [Sho04, BR06]. Let Xi be the event that A learns the challenge bit b in the i-th game. Game 0. This is the unmodified IND-COM-CCA game. Trivially, |P[X0 ]− 1/2| equals the advantage of A against IND-COM-CCA. Game 1. In this game we disallow decryption queries C = (vk, c1 , c2 , s) s.t. vk = vk⋆ where (vk⋆ , c⋆1 , c⋆2 , s⋆ ) is the challenge commitment. Then, we get that |P[X1 ] − P[X0 ]| is less or equal than the advantage any PPT algorithm has in breaking the one-time strong unforgeability security of the OTS. Game 2. Still decryption queries with vk = vk⋆ are forbidden. In this game we use the IND-CCA security of the second instance of the TBE scheme. The components c⋆1 and c⋆2 of the challenge ciphertext are changed to c⋆1 = Enc(pk⋆1 , vk⋆ , m⋆b ; r1 ), and c⋆2 = Enc(pk⋆2 , vk⋆ , r′ ) where r′ , r1 ← R. Now, we have |P[X2 ] − P[X1 ]| is less or equal than the advantage any PPT algorithm has in breaking the selective INDCCA security of the TBE. Finally it is shown that |P[X2 ] − 1/2]| is bounded by the advantage any PPT algorithm has in breaking the selective IND-CCA security of the first instance of the TBE. Putting everything together, we get that |P[X0 ] − 1/2| is bounded by the advantages in breaking the OTS scheme plus twice the advantage in breaking the selective IND-CCA of the TBE scheme. Next we describe the concrete adversaries, Game 0 ≈ Game 1. Assume that there is an adversary (A0 , A1 ) that is able to distinguish the environments of Game 0 and 1. Then we build an adversary (B0 , B1 ) against the one-time strong unforgeability of the signature scheme. Algorithm B0 (1η , vk) : pk1 , sk1 ← KeyGen(1η ) pk2 , sk2 ← KeyGen(1η ) m 0 , m 1 , s1 ← A D 0 (pk1 , pk2 ) b ← {0, 1} r1 ← R c1 ← Enc(pk1 , vk, mb ; r1 ) c2 ← Enc(pk2 , vk, r1 ) return (c1 , c2 ), (s1 ||vk||c1 ||c2 ||sk1 ||sk2 ) and B1 ((s1 ||vk||c1 ||c2 ||sk1 ||sk2 ), s) = [b′ ← AD 1 (s1 , (vk, c1 , c2 , s))]. Calls to the decommitment oracle D(vk′ , c′1 , c′2 , s′ ) are simulated by firstly verifying the signature Vrfy(vk′ , (c′1 , c′2 ), s′ ). If the verification succeeds then the oracle returns the pair (Dec(sk1 , vk′ , c′1 ), Dec(sk2 , vk′ , c′2 )) and otherwise it outputs ⊥. If the adversary eventually performs a query D(vk′ , c′1 , c′2 , s′ ) with vk′ = vk then the execution of the adversary is aborted and B outputs ((c′1 , c′2 ), s′ ), thus breaking the one-time strong unforgeability of the signature scheme. Game 1 ≈ Game 2. Assume that there is an adversary (A0 , A1 ) that is able to distinguish the environments of Game 1 and 2. Then we build an adversary (B0 , B1 , B2 ) against the IND-CCA security of the second TBE. Take B0 (1η , ℓ(η)) = [(vk, sk) ← Gen(1η ); return vk, (vk||sk)] and B1 (s1 , pk2 ) = [r′ , r1 ← R; return r′ , r1 , (s1 ||r′ ||r1 ||pk2 )] and Osk Algorithm B2 2 ((vk||sk||r ′ ||r1 ||pk2 ), c2 ) : pk1 , sk1 ← KeyGen(1η ) m 0 , m 1 , s1 ← A D 0 (pk1 , pk2 ) b ← {0, 1} c1 ← Enc(pk1 , vk, mb ; r1 ) s ← Sign(sk, (c1 , c2 )) b′ ← A D 1 (s1 , (vk, c1 , c2 , s)) if b = b′ then return 1 else return 0 Calls to the decommitment oracle D(vk, c1 , c2 , s) are simulated by firstly verifying the signature Vrfy(vk, (c1 , c2 ), s). If the verification succeeds then the oracle returns (Dec(sk1 , vk, c1 ), Osk2 (c2 )) and otherwise it outputs ⊥. Finally we show that |P[X2 ] − 1/2]| is bounded by the advantage any PPT algorithm has in breaking the selective IND-CCA security of the first instance of the TBE. Assume that there is an adversary (A0 , A1 ) for Game 2. Then we build an adversary (B0 , B1 , B2 ) against the IND-CCA security of the first TBE. Take B0 (1η , ℓ(η)) = [(vk, sk) ← Gen(1η ); return vk, (vk||sk)] and Osk Algorithm B1 1 ((vk||sk), pk1 ) : pk2 , sk2 ← KeyGen(1η ) m 0 , m 1 , s1 ← A D 0 (pk1 , pk2 ) return (m0 , m1 ), (vk||sk||pk1 ||s1 ||pk2 ||sk2 ) Osk Algorithm B2 1 ((vk||sk||pk1 ||s1 ||pk2 ||sk2 ), c1 ) : r′ ← R c2 ← Enc(pk2 , vk, r ′ ) s ← Sign(sk, (c1 , c2 )) b′ ← A D 1 (s1 , (vk, c1 , c2 , s)) return b′ Calls to the decommitment oracle D(vk, c1 , c2 , s) are simulated by firstly verifying the signature Vrfy(vk, (c1 , c2 ), s). If the verification succeeds then the oracle returns (Osk1 (c1 ), Dec(sk2 , vk, c2 )) and otherwise it outputs ⊥. 6 Protocol Execution and State Traces We now prove that it is possible to port proofs in the symbolic framework to the computational one. First, for the sake of self-containment we describe the adversarial model and the execution environment following the directions of Micciancio and Warinschi [MW04]. We refer the reader to this paper for a thorough explanation. The message space and the closure operator were defined in Section 2. Messages are used to formally describe cryptographic protocols. The closure represents the knowledge that can be extracted from a message, and is used to define what valid algebraic protocol runs are. Intuitively a protocol run is valid if every message sent by a principal can be deduced from its knowledge except maybe for some fresh randomness. In this setting an adversary is in control of the communication media and is able to interact with honest participants. Consider then an adversary that has access to an oracle that will play the role of the honest participants. This adversary can start new sessions of the protocol and send messages to a principal of a given session and get the respective answer back. Formally, the adversary A can perform one of the following queries to the execution oracle O. 1. newsession([I1 . . . In ]) that takes a list of user identities Ii and returns a new session identifier s. 2. send(s, I, m) that delivers the message m to the principal I of session s. Then O updates I’s state and returns the answer to the adversary. In case that the adversary performs a query that is not according to the protocol, for the specific state of the receiver, the oracle aborts the execution of this session. In a formal protocol, the messages exchanged are algebraic expressions from the message algebra. A formal adversary Af will interact with the formal oracle Of in a symbolic protocol run. On the other hand, a computational adversary Ac is a probabilistic polynomialtime Turing machine that operates on bitstrings. For a fixed value of the security parameter there is a set of primitive bitstrings for constants and nonces denoted by Primη . The set of bitstrings Msgη is build from Primη by tupling, encryptions, commitments and decommitments. There is a set Sid of session identifiers; a set Uid of user identities and a set Vars of variables in the abstract protocol description. Let F : Sid × Uid → (Vars → Msg, N) be the state maintained by the formal oracle Of . On input (s, I) it returns the state of principal I in session s together with his instruction pointer. The instruction pointer indicates on which step of the abstract protocol this principal is. Similarly, C : Sid × Uid → (Vars → Msgη , N) is the state maintained by the computational oracle Oc . Assume without loss of generality that all the sessions are created at the beginning. Then, a formal adversary Af is just a sequence of send(s, I, m) queries. We say that a formal adversary Af is a valid Dolev-Yao adversary (Af ∈ DY) if each message he sends to the oracle is in the closure of his initial knowledge plus the answers he gets from the oracle Of . A protocol execution, thus, is the sequence of states F0 , F1 , . . . of the formal oracle Of and is denoted by trace(Af , Of ). After fixing the randomness of the adversary and that of the oracle environment to τA and τO , we can similarly define a computational execution trace trace(Ac (τA ), Oc (τO )) as the sequence of states C0 , C1 , . . . of the computational oracle Oc . Definition 6.1. We say that [[·]]: Prim → Primη is an interpretation function if it is injective and structure preserving (i.e., maps formal nonces to nonce bitstrings, formal commitments to commitments and so on). Definition 6.2. Let F = F0 , F1 , . . . be a formal execution trace and let C = C0 , C1 , . . . be a concrete execution trace. We say that F  C if there exists an interpretation function [[·]] such that [[F0 ]] = C0 , [[F1 ]] = C1 , . . . . The following theorem shows that a computational adversary has no more power than an algebraic adversary. Theorem 6.3. Let (TTP, Snd, Rcv) be an IND-COM-CCA secure commitment scheme and let (K, E, D) be an IND-CCA secure encryption scheme. For any computational adversary Ac , the probability P[ ∃Af ∈ DY : trace(Af , Of )  trace(Ac (τA ), Oc (τO ))] is overwhelming. Here the probability is taken over the random choices τA of the adversary and τO of the oracle. Proof. First fix the randomness τA and τO . Running the computational adversary Ac , it produces a sequence of queries/answers to/from the computational oracle. Because we know all the trapdoor information that the oracle generates and because the adversary has to send properly typed messages, we can de-construct any message sent into primitive terms. Choosing new algebraic terms for each distinct primitive bitstring encountered we build a sequence of algebraic queries which constitutes an algebraic adversary Af . Note that for different random choices of τA and τO we get the same Af (up to renaming) with overwhelming probability. It remains to show that the adversary we just built is Dolev-Yao. Suppose that it is not. Then Af must, at some point, send a query that contains a non-adversarial nonce n⋆ that is not in the closure of the messages he received before. If this nonce occurs inside an encryption (with an unknown key) then one can build an adversary breaking the IND-CCA security of the encryption scheme [MW04]. Assume then that it occurs inside a commitment. We now build an adversary that breaks the IND-COM-CCA security of the commitment scheme. This adversary simulates the environment to Ac using the de-commit oracle when necessary except for the query that contains n⋆ . There it generates two interpretations (n0 , n1 ) for n⋆ and gives them as challenge plaintext for the INDCOM-CCA game. The challenger gives back a commitment to nb where b is the challenge bit. This commitment to nb is used to answer the oracle queries. At the moment AC outputs the interpretation of n⋆ we can check whether it is n0 or n1 . A formal security notion is a predicate Pf on formal traces. A protocol Π |=f Pf if for all adversaries Af ∈ DY holds that trace(Af , Of ) ∈ Pf . Similarly, a computational security notion is a predicate Pc on computational traces. A protocol Π |=c Pc if for all probabilistic polynomial-time adversaries Ac holds that trace(Af , Of ) ∈ Pc with overwhelming probability (taken over the random choices of the adversary and the ones of the oracle environment). The proof of the following theorem follows as in [MW04]. Theorem 6.4. Let (TTP, Snd, Rcv) be a IND-COM-CCA secure commitment scheme and let (K, E, D) be an IND-CCA secure encryption scheme. Let Pf and Pc be respectively formal and computational security notions such that for all formal traces ft and all computational traces ct it holds that (ft ∈ Pf ∧ ft  ct) =⇒ ct ∈ Pc . Then Π |=f Pf =⇒ Π |=c Pc . 7 Conclusions We presented two equivalent security notions for commitment schemes: a simulation based definition and a indistinguishability based one. We then gave a concrete scheme satisfying this security notion. This construction is of interest on itself as it is generic and has some interesting features like being reusable, perfectly binding and secure against adaptive chosen-commitment attacks. We then applied this new machinery to give sound interpretation of symbolic commitments while considering active adversaries. References ABHS05. Pedro Adão, Gergei Bana, Jonathan Herzog, and Andre Scedrov. Soundness of formal encryption in the presence of key-cycles. In ESORICS’05, volume 3679 of LNCS, pages 374–396. Springer, 2005. ABS05. Pedro Adão, Gergei Bana, and Andre Scedrov. Computational and information-theoretic soundness and completeness of formal encryption. In CSFW’05, pages 170–184. IEEE, 2005. ABW06. Martı́n Abadi, Mathieu Baudet, and Bogdan Warinschi. Guessing attacks and the computational soundness of static equivalence. In FOSSACS’06, volume 3921 of LNCS, pages 398–412. Springer, 2006. AR02. Martı́n Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). J. Cryptology, 15(2):103– 127, 2002. AW05. Martı́n Abadi and Bogdan Warinschi. Security analysis of cryptographically controlled access to XML documents. In Proceedings of the 24th ACM Symposium on Principles of Database Systems, pages 108–117. ACM Press, 2005. BCK05. Mathieu Baudet, Véronique Cortier, and Steve Kremer. Computationally sound implementations of equational theories against passive adversaries. In ICALP’05, volume 3580 of LNCS, pages 652–663. Springer, 2005. BLMW07. Emmanuel Bresson, Yassine Lakhnech, Laurent Mazaré, and Bogdan Warinschi. A generalization of DDH with applications to protocol analysis and computational soundness. In CRYPTO’07, LNCS. Springer, 2007. BR06. Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In EUROCRYPT’06, volume 4004 of LNCS, pages 409–426. Springer, 2006. CIO98. Giovanni Di Crescenzo, Yuval Ishai, and Rafail Ostrovsky. Non-interactive and non-malleable commitment. In STOC’98, pages 141–150. ACM Press, 1998. CKKW06. Véronique Cortier, Steve Kremer, Ralf Küsters, and Bogdan Warinschi. Computationally sound symbolic secrecy in the presence of hash functions. In FSTTCS’06, volume 4337 of LNCS, pages 176–187. Springer, 2006. CKOS01. Giovanni Di Crescenzo, Jonathan Katz, Rafail Ostrovsky, and Adam Smith. Efficient and non-interactive non-malleable commitment. In EUROCRYPT’01, volume 2045, pages 40–59. Springer, 2001. DDN91. Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography. In STOC’91, pages 542–552. ACM Press, 1991. EGL85. FF00. GM84. GMW91. GvR06. GvR08. Her05. JLM05. KM07. Maz07. MP05. MW04. NY90. RS92. Sho04. S. Even, O. Goldreich, and A. Lempel. A randomizing protocol for signing contracts. Comm. ACM, 28(6):637–647, 1985. Marc Fischlin and Roger Fischlin. Efficient non-malleable commitment schemes. In CRYPTO’03, volume 1880 of LNCS, pages 413–431. Springer, 2000. S. Goldwasser and S. Micali. Probabilistic encryption. J. Computer and System Sciences, 28(2):270–299, 1984. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. J. ACM, 38(1):691–729, 1991. Flavio D. Garcia and Peter van Rossum. Sound computational interpretation of symbolic hashes in the standard model. In IWSEC’06, volume 4266 of LNCS, pages 33–47. Springer, 2006. Flavio D. Garcia and Peter van Rossum. Sound and complete computational interpretation of symbolic hashes in the standard model. Theoretical Computer Science, 394(1–2):112–133, 2008. Jonathan Herzog. A computational interpretation of Dolev-Yao adversaries. Theoretical Computer Science, 340(1):57–81, 2005. Romain Janvier, Yassine Lakhnech, and Laurent Mazar. Completing the picture: Soundness of formal encryption in the presence of active adversaries. In ESOP’05, volume 3444 of LNCS, pages 172–185. Springer, 2005. Steve Kremer and Laurent Mazaré. Adaptive soundness of static equivalence. In ESORICS’07, LNCS. Springer, 2007. To appear. Laurent Mazaré. Computationally sound analysis of protocols using bilinear pairings. In WITS’07, pages 6–21, 2007. Daniele Micciancio and Saurabh Panjwani. Adaptive security of symbolic encryption. In TCC’05, volume 3378 of LNCS, pages 169–187. Springer, 2005. Daniele Micciancio and Bogdan Warinschi. Soundness of formal encryption in the presence of active adversaries. In TCC’04, volume 2951 of LNCS, pages 133–151. Springer, 2004. Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attack. In STOC’90, pages 427–437. ACM, 1990. C. Rackoff and D.R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In CRYPTO’91, volume 576 of LNCS, pages 433–444, 1992. Victor Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://eprint.iacr.org/.