Concurrent Non-Malleable Witness Indistinguishability and its Applications

One of the central questions in Cryptography today is proving security of the protocols “on the Internet”, i.e., in a concurrent setting where there are multiple interactions between players, and where the adversary can play so called “man-in-the-middle” attacks, forwarding and modifying messages between two or more unsuspecting players. Indeed, the main challenge in this setting is to provide security with respect to adaptive concurrent composition of protocols and also the non-malleability property, where the “man-in-the-middle” attacks are prevented. Despite much research effort, we do not know how to implement many basic tasks in this setting (which features concurrent composition and man-in-the-middle attacks). Indeed, even for tasks such as zero-knowledge proofs, which play an essential role in Cryptography, it is not known how to construct a protocol in a way that satisfies both security guarantees simultaneously. In this paper, we consider a slightly weaker notion than zero-knowledge, namely witness indistinguishability of proofs, which never-the-less is an extremely important building block in Cryptography. Despite its importance, neither formulations nor constructions that satisfy both concurrent composition and resiliency against man-in-the-middle attacks were known. The main contribution of this paper is to put forward the definition of concurrent nonmalleable witness indistinguishability (in fact, we show two different definitions) and show a constant-round construction using non-black-box techniques. Furthermore, we show that this construction allow us to solve some important open problems. More specifically, based on our construction of a constant-round input-adaptive concurrent non-malleable witness-indistinguishable argument of knowledge, we construct a constantround input-adaptive concurrent non-malleable zero-knowledge argument of knowledge in the Bare Public-Key Model (the BPK model in short) that has been first proposed in [Canetti et al., STOC 2000]. The BPK model makes very minimal set-up assumptions, therefore our result improves the current state-of-the-art as previous results required either the existence of trusted third parties (trusted PKI, common reference string), or made physical assumptions (common reference string) or achieved only quasi security (simulation in super-polynomial time) or quasi concurrency (timing assumptions, bounded concurrency). By plugging our results into known constructions, we achieve constant-round zero-knowledge and then (n − 1)-secure multi-party computation under general concurrent composition in the BPK model. UCLA, USA. E-mail: [email protected]. Università di Salerno, Italy. E-mail: [email protected]. Università di Salerno, Italy. E-mail: [email protected]. Electronic Colloquium on Computational Complexity, Report No. 95 (2006)