
Non-malleable Vector Commitments via Local Equivocability

Research Article, Journal of Cryptology

Abstract

Vector commitments (VCs), which enable one to commit to a vector and later locally reveal any of its entries, play a key role in a variety of both classic and recently evolving applications. However, security notions for VCs have so far focused on passive attacks, and non-malleability notions that consider active attacks have not been explored. Moreover, existing frameworks that might capture the non-malleability of VCs seem either too weak (non-malleable non-interactive commitments that do not account for the security implications of local openings) or too strong (non-malleable zero-knowledge sets that support both membership and non-membership proofs). We put forward a rigorous framework capturing the non-malleability of VCs, striking a careful balance between the existing weaker and stronger frameworks: We strengthen the framework of non-malleable non-interactive commitments by considering attackers that may be exposed to local openings, and we relax the framework of non-malleable zero-knowledge sets by focusing on membership proofs. In addition, we strengthen both frameworks by supporting (inherently private) updates to entries of committed vectors, and discuss the benefits of non-malleable VCs in the context of both UTXO-based and account-based stateless blockchains, and in the context of simultaneous multi-round auctions (which have been adopted by the US Federal Communications Commission as the standard auction format for selling spectrum ranges). Within our framework, we present a direct approach for constructing non-malleable VCs whose efficiency essentially matches that of the existing standard VCs. Specifically, we show that any VC can be transformed into a non-malleable one, relying on a new primitive that we put forth. Our new primitive, locally equivocable commitments with all-but-one binding, is evidently both conceptually and technically simpler than multi-trapdoor mercurial trapdoor commitments (the main building block underlying existing non-malleable zero-knowledge sets), and admits more efficient instantiations based on the same number-theoretic assumptions.


Notes

  1. Note that a VC which supports public updates trivially supports private updates.

  2. In fact, in some cases, accumulators are used instead of vector commitments. As noted above, our notions of non-malleability and our construction apply also to accumulators.

  3. See, for example, [11, 12] and the many references therein for a variety of practical strongly unforgeable signature schemes both in the random-oracle model and in the standard model.

  4. In our formal proof, we actually rely on the equivocability guarantee earlier in order to enable the simulator to invoke the adversary in the ideal experiment.

  5. We embed the entries of \(\vec {x}\) only as left leaves so as to avoid trivial attacks. Doing so, the opening of, say, the i-th entry does not trivially reveal any other entry.

  6. Another issue which may arise is that \(\textsf{nm}\mathcal{COM}\) might not be concurrent non-malleable (see, for example, [25, 45, 59, 60] and the references therein). In this case, an adversary which observes some of the local commitments and openings produced via \(\textsf{nm}\mathcal{COM}\) may be able to come up with \(\textsf{nm}\mathcal{COM}\) commitments to related values. This issue, however, can be relatively easily resolved by using a commitment scheme which offers non-malleability even against adversaries which observe at most q commitments and openings.

  7. Although Crescenzo et al. did not explicitly frame their construction as relying on an underlying equivocable commitment scheme, we follow a somewhat more fine-grained abstraction via our local equivocability and all-but-one binding properties.

  8. We note that the commitment and decommitment algorithms \(\mathsf {LE.Commit}\) and \(\mathsf {LE.}\textsf{Decommit}\) receive the index \(i\in [q]\) as input for technical reasons that come up in our generic construction based on one-way functions (“Appendix B”).

  9. We emphasize that the security of our construction does not rely on \(\mathcal{V}\mathcal{C}\) providing any flavor of hiding or succinctness, and this is discussed below in the overview of our proof.

  10. Thus, the output of \( \textsf{Real}_{\mathcal{V}\mathcal{C},q,\mathcal {A}, \mathcal {D}}(\lambda ) \) is a random variable also over the randomness of the oracle.

References

  1. J.H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, A. Shelat, B. Waters, Computing on authenticated data, in Proceedings of the 9th Theory of Cryptography Conference (2012), pp. 169–191

  2. B. Barak, How to go beyond the black-box simulation barrier, in Proceedings of the 42nd Annual IEEE Symposium on Foundations of Computer Science (2001), pp. 106–115

  3. B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, G. Maxwell, Bulletproofs: short proofs for confidential transactions and more, in Proceedings of the IEEE Symposium on Security and Privacy (2018), pp. 315–334

  4. D. Boneh, B. Bünz, B. Fisch, Batching techniques for accumulators with applications to IOPs and stateless blockchains, in Advances in Cryptology—CRYPTO ’19 (2019), pp. 561–586

  5. E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, M. Virza, Zerocash: decentralized anonymous payments from bitcoin, in Proceedings of the IEEE Symposium on Security and Privacy (2014), pp. 459–474

  6. J. Benaloh, M. de Mare, One-way accumulators: a decentralized alternative to digital signatures, in Advances in Cryptology—EUROCRYPT ’93 (1993), pp. 274–285

  7. S. Benabbas, R. Gennaro, Y. Vahlis, Verifiable delegation of computation over large datasets, in Advances in Cryptology—CRYPTO ’11 (2011), pp. 111–131

  8. M. Bichler, Market Design: A Linear Programming Approach to Auctions and Matching (Cambridge University Press, Cambridge, 2017)

  9. N. Barić, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in Advances in Cryptology—EUROCRYPT ’97 (1997), pp. 480–494

  10. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of the 1st ACM Conference on Computer and Communications Security (1993), pp. 62–73

  11. M. Bellare, S. Shoup, Two-tier signatures, strongly unforgeable signatures, and Fiat–Shamir without random oracles, in Proceedings of the 10th International Conference on Theory and Practice of Public-Key Cryptography (2007), pp. 201–216

  12. D. Boneh, E. Shen, B. Waters, Strongly unforgeable signatures based on computational Diffie-Hellman, in Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography (2006), pp. 229–240

  13. V. Buterin, Ethereum: a next-generation smart contract and decentralized application platform (2014). https://ethereum.org/en/whitepaper/

  14. V. Buterin, The stateless client concept (2017). https://ethresear.ch/t/the-stateless-client-concept/172

  15. D. Catalano, Y. Dodis, I. Visconti, Mercurial commitments: minimal assumptions and efficient constructions, in Proceedings of the 3rd Theory of Cryptography Conference (2006), pp. 120–144

  16. R. Canetti, M. Fischlin, Universally composable commitments, in Advances in Cryptology—CRYPTO ’01 (2001), pp. 19–40

  17. D. Catalano, D. Fiore, Vector commitments and their applications, in Proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography (2013), pp. 55–72

  18. M. Campanelli, D. Fiore, N. Greco, D. Kolonelos, L. Nizzardo, Incrementally aggregatable vector commitments and applications to verifiable decentralized storage, in Advances in Cryptology—ASIACRYPT ’20 (2020), pp. 3–35

  19. M. Chase, A. Healy, A. Lysyanskaya, T. Malkin, L. Reyzin, Mercurial commitments with applications to zero-knowledge sets. J. Cryptol. 26(2), 251–279 (2013)


  20. G.D. Crescenzo, Y. Ishai, R. Ostrovsky, Non-interactive and non-malleable commitment, in Proceedings of the 30th Annual ACM Symposium on the Theory of Computing (1998), pp. 141–150

  21. G.D. Crescenzo, J. Katz, R. Ostrovsky, A.D. Smith, Efficient and non-interactive non-malleable commitment, in Advances in Cryptology—EUROCRYPT ’01 (2001), pp. 40–59

  22. J. Camenisch, A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, in Advances in Cryptology—CRYPTO ’02 (2002), pp. 61–76

  23. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Four-round concurrent non-malleable commitments from one-way functions, in Advances in Cryptology—CRYPTO ’17 (2017), pp. 127–157

  24. D. Catalano, M.D. Raimondo, D. Fiore, M. Messina, Zero-knowledge sets with short proofs. IEEE Trans. Inf. Theory 57(4), 2488–2502 (2011)


  25. D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)


  26. I. Damgård, J. Groth, Non-interactive and reusable non-malleable commitment schemes, in Proceedings of the 35th Annual ACM Symposium on the Theory of Computing (2003), pp. 426–437

  27. Y. Dodis, A. Kiayias, A. Nicolosi, V. Shoup, Anonymous identification in ad hoc groups, in Advances in Cryptology—EUROCRYPT ’04 (2004), pp. 609–626

  28. M. Fischlin, R. Fischlin, Efficient non-malleable commitment schemes, in Advances in Cryptology—CRYPTO ’00 (2000), pp. 413–431

  29. M. Fischlin, Trapdoor commitment schemes and their applications. Ph.D. Thesis, University of Frankfurt (2001) https://www.math.uni-frankfurt.de/~dmst/research/phdtheses/mfischlin.dissertation.2001.html

  30. C. Fromknecht, D. Velicanu, S. Yakoubov, A decentralized public key infrastructure with identity retention. Cryptology ePrint Archive, Report 2014/803 (2014)

  31. V. Goyal, C.-K. Lee, R. Ostrovsky, I. Visconti, Constructing non-malleable commitments: a black-box approach, in Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science (2012), pp. 51–60

  32. R. Gennaro, S. Micali, Independent zero-knowledge sets, in Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (2006), pp. 34–45

  33. J.A. Garay, P. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures, in Advances in Cryptology—EUROCRYPT ’03 (2003), pp. 177–194

  34. V. Goyal, O. Pandey, S. Richelson, Textbook non-malleable commitments, in Proceedings of the 48th Annual ACM Symposium on Theory of Computing (2016), pp. 1128–1141

  35. R. Gennaro, P. Rohatgi, How to sign digital streams, in Advances in Cryptology—CRYPTO ’97 (1997), pp. 180–197

  36. S. Gorbunov, L. Reyzin, H. Wee, Z. Zhang, Pointproofs: aggregating proofs for multiple vector commitments, in Proceedings of the 27th ACM Conference on Computer and Communications Security (2020), pp. 2007–2023

  37. J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)


  38. D. Khurana, Round optimal concurrent non-malleability from polynomial hardness, in Proceedings of the 15th Theory of Cryptography Conference (2017), pp. 139–171

  39. J. Kilian, A note on efficient zero-knowledge proofs and arguments, in Proceedings of the 24th Annual ACM Symposium on Theory of Computing (1992), pp. 723–732

  40. J. Krupp, D. Schröder, M. Simkin, D. Fiore, G. Ateniese, S. Nürnberger, Nearly optimal verifiable data streaming, in Proceedings of the 19th International Conference on Practice and Theory in Public-Key Cryptography (2016), pp. 417–445

  41. L. Lamport, Constructing digital signatures from a one way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory (1979)

  42. R.W.F. Lai, G. Malavolta, Subvector commitments with application to succinct arguments, in Advances in Cryptology—CRYPTO ’19 (2019), pp. 530–560

  43. H. Lin, R. Pass, Non-malleability amplification, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (2009), pp. 189–198

  44. H. Lin, R. Pass, Constant-round non-malleable commitments from any one-way function, in Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (2011), pp. 705–714

  45. H. Lin, R. Pass, M. Venkitasubramaniam, Concurrent non-malleable commitments from any one-way function, in Proceedings of the 5th Theory of Cryptography Conference (2008), pp. 571–588

  46. B. Libert, M. Yung, Concise mercurial vector commitments and independent zero-knowledge sets with short proofs, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 499–517

  47. R.C. Merkle, A digital signature based on a conventional encryption function, in Advances in Cryptology—CRYPTO ’87 (1987), pp. 369–378

  48. I. Miers, C. Garman, M. Green, A.D. Rubin, Zerocoin: anonymous distributed e-cash from bitcoin, in Proceedings of the IEEE Symposium on Security and Privacy (2013), pp. 397–411

  49. S. Micali, CS proofs, in Proceedings of the 35th Annual IEEE Symposium on the Foundations of Computer Science (1994), pp. 436–453

  50. C. Martel, G. Nuckolls, P. Devanbu, M. Gertz, A. Kwong, S.G. Stubblebine, A general model for authenticated data structures. Algorithmica 39(1), 21–24 (2004)


  51. S. Micali, M.O. Rabin, J. Kilian, Zero-knowledge sets, in Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (2003), pp. 80–91

  52. S. Nakamoto, Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf

  53. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)


  54. L. Nguyen, Accumulators from bilinear pairings and applications, in Topics in Cryptology—CT-RSA ’05 (2005), pp. 275–292

  55. M. Naor, K. Nissim, Certificate revocation and certificate update, in Proceedings of the 7th USENIX Security Symposium (1998), pp. 217–228

  56. M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (1989), pp. 33–43

  57. A. Ozdemir, R. Wahby, B. Whitehat, D. Boneh, Scaling verifiable computation using efficient set accumulators, in Proceedings of the 29th USENIX Security Symposium (2020), pp. 2075–2092

  58. O. Pandey, R. Pass, V. Vaikuntanathan, Adaptive one-way functions and applications, in Advances in Cryptology—CRYPTO ’08 (2008), pp. 57–74

  59. R. Pass, A. Rosen, Concurrent non-malleable commitments, in Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science (2005), pp. 563–572

  60. R. Pass, A. Rosen, New and improved constructions of nonmalleable cryptographic protocols. SIAM J. Comput. 38(2), 702–752 (2008)


  61. R. Pass, H. Wee, Constant-round non-malleable commitments from sub-exponential one-way functions, in Advances in Cryptology—EUROCRYPT ’10 (2010), pp. 638–655

  62. L. Reyzin, Zero-knowledge with public keys. Ph.D. Thesis, Massachusetts Institute of Technology (2001). https://www.cs.bu.edu/~reyzin/phd-thesis.html

  63. J. Rompel, One-way functions are necessary and sufficient for secure signatures, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1990), pp. 387–394

  64. T. Sander, A. Ta-Shma, Auditable, anonymous electronic cash, in Advances in Cryptology—CRYPTO ’99 (1999), pp. 555–572

  65. E. Stefanov, M. van Dijk, A. Juels, A. Oprea, Iris: a scalable cloud file system with efficient integrity checks, in Proceedings of the 28th Annual Computer Security Applications Conference (2021), pp. 229–238

  66. A. Tomescu, I. Abraham, V. Buterin, J. Drake, D. Feist, D. Khovratovich, Aggregatable subvector commitments for stateless cryptocurrencies, in Proceedings of the 12th International Conference on Security and Cryptography for Networks (2020), pp. 45–64

  67. P. Todd, Making UTXO set growth irrelevant with low-latency delayed TXO commitments (2016). https://petertodd.org/2016/delayed-txo-commitments

  68. H. Wee, Black-box, round-efficient secure computation via non-malleability amplification, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 531–540

Author information

Corresponding author: Lior Rotem.

Communicated by Serge Fehr.

Supported by the Israel Science Foundation (Grant No. 1336/22) and by the European Union (ERC, FTRC, 101043243). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them.

Appendices

Appendix A: Non-malleability of Merkle Trees in the Random-Oracle Model

In this section, we show that a Merkle tree is a non-malleable static vector commitment scheme in the random-oracle model. Our notion of a non-malleable vector commitment scheme (recall Definition 3.1) naturally extends to the random-oracle model by allowing the scheme itself and the adversary \(\mathcal {A}\) to issue random-oracle queries (see Footnote 10), whereas the simulator \(\mathcal {S}\), the distribution \(\mathcal {D}\) and the distinguisher \(\mathcal {R}\) remain standard-model algorithms.

Notation. For integers \(\ell \ge 1\) and \(i \in \{0, \ldots , 2^{\ell }-1\}\) we denote by \(\langle i \rangle _\ell \) the \(\ell \)-bit binary representation of i. For a string \(s \in \{0,1\}^*\) we denote by \(\textsf{sibling}(s)\) the string obtained from s by flipping its least-significant bit, by \(\textsf{parent}(s)\) the string obtained from s by chopping off its least-significant bit (that is, \(\textsf{parent}(s)\) is one bit shorter than s), and by \(\textsf{LSB}(s)\) its least-significant bit.

The construction. Let \({\textsf{H}}= \{ {\textsf{H}}_\lambda \}_{\lambda \in {\mathbb {N}}}\) be a hash function such that \({\textsf{H}}_\lambda : \{0,1\}^{2\lambda } \rightarrow \{0,1\}^\lambda \) for every \(\lambda \in {\mathbb {N}}\). In what follows, for simplicity of presentation, we assume that \(q= 2^d\) for some integer d.

Figure g: the construction of \(\textsf{tree}\mathcal{V}\mathcal{C}\) (figure not reproduced in this extraction).
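Since the figure for the construction is not reproduced on this page, the following is an added example (not the paper's code) of a Merkle-tree vector commitment written with the \(\textsf{sibling}\), \(\textsf{parent}\) and \(\textsf{LSB}\) notation above. The leaf layout (\(r_i = {\textsf{H}}(k \Vert \langle i \rangle_\lambda)\), leaf \({\textsf{H}}(x_i \Vert r_i)\), proof \(\pi_i = (r_i, \text{sibling path})\)) is an assumption chosen so that the oracle queries and the proof length \(\lambda (\log q + 1)\) match those used in the proof of Theorem A.1, and \({\textsf{H}}\) is instantiated with SHA-256.

```python
# Added example (not the paper's own code): a Merkle-tree vector commitment in the
# style of Appendix A.  The leaf layout is an ASSUMPTION (the page's figure is
# not reproduced), chosen to match the parameters used in the proof:
#   k      <- {0,1}^lambda                    committer's key (kept secret)
#   r_i     = H(k || <i>_lambda)              per-entry blinding value
#   leaf_i  = H(x_i || r_i)                   stored at label <i>_d, q = 2^d
#   node_s  = H(node_{s||0} || node_{s||1})   inner node at label s; vcom = node at ""
#   pi_i    = (r_i, sibling(<i>_d), sibling(parent(<i>_d)), ...)  -> lambda*(log q + 1) bits
# H: {0,1}^{2 lambda} -> {0,1}^lambda is instantiated as SHA-256 (lambda = 256).
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

LAMBDA_BYTES = 32  # lambda = 256 bits


def H(z: bytes) -> bytes:
    """Hash function H_lambda: {0,1}^{2 lambda} -> {0,1}^lambda (SHA-256 here)."""
    assert len(z) == 2 * LAMBDA_BYTES, "H takes exactly 2*lambda bits of input"
    return hashlib.sha256(z).digest()


def enc(i: int, ell: int) -> str:
    """<i>_ell: the ell-bit binary representation of i as a string over {0,1}."""
    return format(i, "b").zfill(ell) if ell > 0 else ""


def sibling(s: str) -> str:
    """sibling(s): flip the least-significant (last) bit of the label s."""
    return s[:-1] + ("1" if s[-1] == "0" else "0")


def parent(s: str) -> str:
    """parent(s): chop off the least-significant bit of the label s."""
    return s[:-1]


def lsb(s: str) -> str:
    """LSB(s): the least-significant bit of the label s."""
    return s[-1]


def index_bytes(i: int) -> bytes:
    """<i>_lambda as lambda bits, so that k || <i>_lambda is a 2*lambda-bit string."""
    return i.to_bytes(LAMBDA_BYTES, "big")


def commit(x: List[bytes], k: Optional[bytes] = None) -> Tuple[bytes, dict]:
    """Commit to x = (x_0, ..., x_{q-1}), q = 2^d, each x_i in {0,1}^lambda."""
    q = len(x)
    d = q.bit_length() - 1
    if q != 2 ** d or any(len(xi) != LAMBDA_BYTES for xi in x):
        raise ValueError("q must be a power of two and entries lambda bits long")
    k = k if k is not None else secrets.token_bytes(LAMBDA_BYTES)
    nodes: Dict[str, bytes] = {}
    r: List[bytes] = []
    for i in range(q):                          # leaves, at labels <i>_d
        r_i = H(k + index_bytes(i))
        r.append(r_i)
        nodes[enc(i, d)] = H(x[i] + r_i)
    for level in range(d - 1, -1, -1):          # inner nodes bottom-up; level 0 is the root
        for s in (enc(j, level) for j in range(2 ** level)):
            nodes[s] = H(nodes[s + "0"] + nodes[s + "1"])
    return nodes[""], {"d": d, "nodes": nodes, "r": r}


def open_entry(state: dict, i: int) -> bytes:
    """Opening proof pi_i: r_i followed by the sibling hashes on the path to the root."""
    s = enc(i, state["d"])
    path = [state["r"][i]]
    while s != "":
        path.append(state["nodes"][sibling(s)])
        s = parent(s)
    return b"".join(path)                       # lambda * (d + 1) bits


def verify(vcom: bytes, i: int, x_i: bytes, pi: bytes, q: int) -> bool:
    """Verify(1^lambda, bot, vcom, i, x_i, pi): recompute the root from the proof."""
    d = q.bit_length() - 1
    if not 0 <= i < q or len(x_i) != LAMBDA_BYTES or len(pi) != LAMBDA_BYTES * (d + 1):
        return False
    chunks = [pi[j:j + LAMBDA_BYTES] for j in range(0, len(pi), LAMBDA_BYTES)]
    cur = H(x_i + chunks[0])                    # leaf = H(x_i || r_i)
    s = enc(i, d)
    for sib in chunks[1:]:
        # LSB(s) says whether the current node is the left (0) or the right (1) child
        cur = H(cur + sib) if lsb(s) == "0" else H(sib + cur)
        s = parent(s)
    return cur == vcom


def demo(q: int = 8) -> dict:
    """Commit to a constructed random vector and exercise the verifier's checks."""
    x = [secrets.token_bytes(LAMBDA_BYTES) for _ in range(q)]  # constructed sample vector
    vcom, state = commit(x)
    pi = open_entry(state, 3)
    return {
        "valid": verify(vcom, 3, x[3], pi, q),
        "proof_bits": 8 * len(pi),                       # lambda*(log q + 1) = 1024 for q = 8
        "wrong_value": verify(vcom, 3, x[4], pi, q),     # same proof, different entry
        "wrong_position": verify(vcom, 2, x[3], pi, q),  # same entry and proof, sibling index
    }
```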

Theorem A.1

If \({\textsf{H}}\) is modeled as a random oracle, then for any algorithm \(\mathcal {A}\) issuing at most \(p=p(\lambda )\) queries to the oracle, there exists an algorithm \(\mathcal {S}\) whose running time is polynomial in that of \(\mathcal {A}\), such that for every algorithm \({{\mathcal {R}}}\) it holds that

$$\begin{aligned} \textbf{Adv}^\textsf{NM}_{\textsf{tree}\mathcal{V}\mathcal{C}, q, \mathcal {A}, \mathcal {S}, \mathcal {R}, \mathcal {D}}(\lambda ) < \frac{p^2 + 10\cdot p \cdot q +24\cdot q^2 + 1}{2^\lambda -p-4\cdot q} \end{aligned}$$

for every \(\lambda \in {\mathbb {N}}\).

Proof

Let \(\mathcal {A}\) be an algorithm issuing at most \(p=p(\lambda )\) oracle queries and let \(\mathcal {D} = \{ \mathcal {D}_\lambda \}_{\lambda \in {\mathbb {N}}}\) be a valid distribution over \(\left\{ \left( \{0,1\}^\lambda \right) ^q \right\} _{\lambda \in {\mathbb {N}}}\). Assume without loss of generality that \(\mathcal {A}\) does not issue the same query more than once, and that when receiving a proof \(\pi _i\) for the i-th element \(x_i\) (in Step 6 or 7 of the experiment \(\textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q,\mathcal {A}, \mathcal {D}}(\lambda )\)), it executes \(\textsf{Verify}^{\textsf{H}}(1^\lambda , \bot , \textsf{vcom}, i,x_i, \pi _i)\), where \(\textsf{vcom}\) is the commitment which \(\mathcal {A}\) receives as input in Step 5 of the experiment. Note that this adds at most \(2q-1\) oracle queries to \(\mathcal {A}\), as this is the number of inner nodes in the tree. Further assume without loss of generality that for each \(j \in \mathcal {J}\) (where \(\mathcal {J}\) is the set output by \(\mathcal {A}\) in Step 6 of the experiment), \(\mathcal {A}\) executes \(\textsf{Verify}^{\textsf{H}}(1^\lambda , \bot , {\widehat{\textsf{vcom}}}, j,\widehat{x_j}, \widehat{\pi _j})\), where \({\widehat{\textsf{vcom}}}\) is the commitment output by \(\mathcal {A}\) in Step 6 of \(\textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q,\mathcal {A}, \mathcal {D}}(\lambda )\), and for each \(j\in \mathcal {J}\), \(\widehat{x_j}\) and \(\widehat{\pi _j}\) are the element and the corresponding proof output by \(\mathcal {A}\) in Step 7. This also adds at most \(2q-1\) oracle queries to \(\mathcal {A}\).

Consider the following simulator \(\mathcal {S}\):

Figure h: the simulator \(\mathcal {S}\) (figure not reproduced in this extraction).

Let \(\mathcal {R}\) be an algorithm. We now turn to analyze \(\textbf{Adv}^\textsf{NM}_{\textsf{tree}\mathcal{V}\mathcal{C}, q, \mathcal {A}, \mathcal {S}, \mathcal {R}, \mathcal {D}}(\lambda )\). Let \(p' = p + 4q - 2\), and let \(\textsf{Collision}\) denote the event, defined over the experiment \(\textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q,\mathcal {A}, \mathcal {D}}(\lambda )\), in which \(\mathcal {A}\) issues two distinct oracle queries \(z, z' \in \{0,1\}^{2\lambda }\) such that \({\textsf{H}}(z) = {\textsf{H}}(z')\). By a standard birthday-bound argument,

$$\begin{aligned} \Pr \left[ \textsf{Collision} \right] \le \left( p'\right) ^2 \cdot 2^{-\lambda }. \end{aligned}$$
(A.1)

For each \(j\in [q]\), let \(\textsf{Guess}_j\) denote the event in which \(\mathcal {A}\) outputs \(\mathcal {J}\) and \({\widehat{\textsf{vcom}}}\) without having queried (before outputting \(\mathcal {J}\) and \({\widehat{\textsf{vcom}}}\)) a complete proof in the tree whose root is \({\widehat{\textsf{vcom}}}\) for some element \(\widehat{x_j}\) in the j-th location. That is, the complementary event \(\overline{\textsf{Guess}_j}\) is the event in which there is a value \(\widehat{x_j}\in \{0,1\}^\lambda \) and a proof \(\widehat{\pi _j}\in \{ 0,1 \}^{\lambda \cdot (\log (q)+1)}\) such that:

  • \(\textsf{Verify}^{{\textsf{H}}}(1^\lambda , \bot , {\widehat{\textsf{vcom}}}, j, \widehat{x_j},\widehat{\pi _j})=1\); and

  • \(\mathcal {A}\) issued all queries made by the computation \(\textsf{Verify}^{{\textsf{H}}}(1^\lambda , \bot , {\widehat{\textsf{vcom}}}, j, \widehat{x_j},\widehat{\pi _j})\) before outputting \(\mathcal {J}\) and \({\widehat{\textsf{vcom}}}\).

Denote by \(\textsf{Guess}\) the event in which there exists at least one index \(j \in \mathcal {J}\) for which \(\textsf{Guess}_j\) holds. Assume without loss of generality that \({{\mathcal {R}}}\) always outputs 0 on inputs of the form \(((x_1,\ldots ,x_q), (\bot )^q, \mathcal {I})\) (observe that any distinguisher can be transformed to a distinguisher for which this holds without affecting its advantage). Note that

$$\begin{aligned} \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\right) = 1 | \textsf{Guess} \right] \le p' \cdot 2^{-\lambda }. \end{aligned}$$
(A.2)

This is the case since, when the event \(\textsf{Guess}\) occurs, there exists a \(j \in \mathcal {J}\) for which \(\textsf{Guess}_j\) holds, and (by our assumption on \(\mathcal {R}\)) the event \(\mathcal {R}\left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\right) = 1\) is contained in the event in which \(\textsf{Verify}^{{\textsf{H}}}(1^\lambda , \bot , {\widehat{\textsf{vcom}}}, j, \widehat{x_j},\widehat{\pi _j})=1\). But in order for the verification \(\textsf{Verify}^{{\textsf{H}}}(1^\lambda , \bot , {\widehat{\textsf{vcom}}}, j, \widehat{x_j},\widehat{\pi _j})\) to pass conditioned on \(\textsf{Guess}_j\), there must exist a value \(y \in \{0,1\}^\lambda \), determined by the view of \(\mathcal {A}\) when outputting \({\widehat{\textsf{vcom}}}\), and a query \(z \in \{0,1\}^{2\lambda }\) issued by \(\mathcal {A}\) after outputting \({\widehat{\textsf{vcom}}}\) (recall that \(\mathcal {A}\) does not issue the same query twice), such that \({\textsf{H}}(z) = y\). For each query \(z'\) made by \(\mathcal {A}\) after outputting \({\widehat{\textsf{vcom}}}\), it holds that \(\Pr \left[ {\textsf{H}}(z') = y \right] = 2^{-\lambda }\). Inequality (A.2) then follows by a union bound over all queries made by \(\mathcal {A}\) after outputting \({\widehat{\textsf{vcom}}}\).

Let \(\textsf{kHit}\) denote the event in which \(\mathcal {A}\) queries the oracle for \(k\Vert \left<i\right>_\lambda \) for some \(i\in [q]\). For each \(j \in [p']\), let \(\textsf{kHit}_j\) denote the event in which a query of the form \(k \Vert \left<i\right>_\lambda \) (for some \(i \in [q]\)) is queried within the first j queries of \(\mathcal {A}\), and note that

$$\begin{aligned} \Pr \left[ \textsf{kHit} \right]= & {} \Pr \left[ \textsf{kHit}_1 \right] + \sum _{j = 2}^{p'} \Pr \left[ \textsf{kHit}_j | \overline{\textsf{kHit}_{j-1}} \right] \nonumber \\\le & {} \frac{1}{2^\lambda } + \sum _{j = 2}^{p'} \frac{1}{2^\lambda - j + 1} \end{aligned}$$
(A.3)
$$\begin{aligned}\le & {} \frac{p'}{2^\lambda - p' + 1}, \end{aligned}$$
(A.4)

where inequality (A.3) follows from the fact that if \(\overline{\textsf{kHit}_{j-1}} \) occurs, then conditioned on the view of \(\mathcal {A}\) before the j-th query, the value of k is uniformly distributed in a set of size at least \(2^\lambda - j + 1\).

Let \(\textsf{rHit}\) denote the event in which for some \(i \in \overline{\mathcal {I}}\), \(\mathcal {A}\) queries the oracle with a query \(y \Vert r_i\) before receiving the proofs \((\pi _i)_{i\in \overline{\mathcal {I}}}\). By total probability, it holds that:

$$\begin{aligned} \Pr \left[ \textsf{rHit} \right]\le & {} \Pr \left[ \textsf{rHit} | \overline{\textsf{kHit}}\right] + \Pr \left[ \textsf{kHit} \right] \nonumber \\\le & {} \Pr \left[ \textsf{rHit} | \overline{\textsf{kHit}}\right] + \frac{p'}{2^\lambda - p' + 1} \nonumber \\\le & {} \frac{q \cdot p'}{2^\lambda - p' + 1} + \frac{p'}{2^\lambda - p' + 1} \end{aligned}$$
(A.5)
$$\begin{aligned}\le & {} \frac{2\cdot q \cdot p'}{2^\lambda - p' + 1}. \end{aligned}$$
(A.6)

Inequality (A.5)–(A.6) follows by an argument similar to the one used to derive inequality (A.4).

Putting everything together, it holds that

$$\begin{aligned}{} & {} \textbf{Adv}^\textsf{NM}_{\textsf{tree}\mathcal{V}\mathcal{C}, q, \mathcal {A}, \mathcal {S}, \mathcal {R}, \mathcal {D}}(\lambda ) \nonumber \\{} & {} \qquad \qquad = \left| \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\right) = 1 \right] - \Pr \left[ \mathcal {R} \left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {S}, \mathcal {D}}(\lambda )\right) = 1 \right] \right| \nonumber \\{} & {} \qquad \qquad \le \left| \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 | \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] \right. \end{aligned}$$
(A.7)
$$\begin{aligned}{} & {} {\qquad \qquad } \quad \left. - \Pr \left[ \mathcal {R} \left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {S}, \mathcal {D}}(\lambda ) \right) = 1| \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] \right| \nonumber \\{} & {} {\qquad } \quad \quad \quad \cdot \Pr \left[ \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] \nonumber \\{} & {} {\qquad \qquad } \quad + \left| \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] \right. \nonumber \\{} & {} {\qquad \qquad } \quad \quad - \left. \Pr \left[ \mathcal {R} \left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {S}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] \right| \nonumber \\{} & {} {\qquad \qquad } \le \max \left\{ \begin{array}{l} \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] , \\ \Pr \left[ \mathcal {R} \left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {S}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] \end{array} \right\} \nonumber \\ \end{aligned}$$
(A.8)

where inequality (A.7)–(A.8) is by total probability, and follows also from the fact that the event \( \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \) is determined by the view of \(\mathcal {A}\), which is identically distributed in \(\textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\) and in the experiment simulated by \(\mathcal {S}\) to \(\mathcal {A}\). In particular, \(\Pr \left[ \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] \) is equal in both experiments. In order to prove inequality (A.7), we argue that

$$\begin{aligned}{} & {} \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 | \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] \\{} & {} \qquad \qquad \qquad = \Pr \left[ \mathcal {R}\left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {S}, \mathcal {D}}(\lambda )\right) = 1| \overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}} \wedge \overline{\textsf{rHit}} \right] . \end{aligned}$$

This is true since conditioned on \(\overline{\textsf{Collision}} \wedge \overline{\textsf{Guess}}\), the view of \(\mathcal {A}\) when outputting \({\widehat{\textsf{vcom}}}\) uniquely determines the values \(({\widehat{x}}_j)_{j \in \mathcal {J}}\) which \(\mathcal {A}\) can output in Step 7 of \( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\). Moreover, conditioned on \(\overline{\textsf{rHit}}\), the view of \(\mathcal {A}\) after Step 7 is independent of the values \((x_i)_{i \in \overline{\mathcal {I}}}\). Hence, the joint distribution of \(\left( (x_i)_{i\in [q]}, ({\widehat{x}}_j)_{j \in \mathcal {J}} \right) \) in the experiment simulated by \(\mathcal {S}\) to \(\mathcal {A}\) is equal to the joint distribution of \(\left( (x_i)_{i\in [q]}, ({\widehat{x}}_j)_{j \in \mathcal {J}} \right) \) in \(\textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda )\).

By the rule of replacement, the union bound and total probability, it holds that

$$\begin{aligned}{} & {} \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] \\{} & {} \qquad \qquad \qquad \le \Pr \left[ \mathcal {R} \left( \textsf{Real}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 | \textsf{Guess} \right] + \Pr \left[ \textsf{Collision} \right] + \Pr \left[ \textsf{rHit} \right] \\{} & {} \qquad \qquad \qquad \le \left( p' \right) ^2 \cdot 2^{-\lambda } + 2^{-\lambda } + \frac{2\cdot q \cdot p'}{2^\lambda - p' + 1} \\{} & {} \qquad \qquad \qquad \le \frac{\left( p' \right) ^2 + 1 + 2\cdot q \cdot p'}{2^\lambda - p' + 1}. \end{aligned}$$

The same analysis can be used to prove that

$$\begin{aligned} & \Pr \left[ \mathcal {R} \left( \textsf{Ideal}_{{\textsf{tree}\mathcal{V}\mathcal{C}},q, \mathcal {A}, \mathcal {D}}(\lambda ) \right) = 1 \wedge \left( \textsf{Collision} \vee \textsf{Guess} \vee \textsf{rHit} \right) \right] \\ & \qquad \le \frac{\left( p' \right) ^2 + 1 + 2\cdot q \cdot p'}{2^\lambda - p' + 1}. \end{aligned}$$

Plugging \(p' = p + 4\cdot q - 2 < p + 4\cdot q\) into Eq. (A.7), we get that

$$\begin{aligned} \textbf{Adv}^\textsf{NM}_{\textsf{tree}\mathcal{V}\mathcal{C}, q, \mathcal {A}, \mathcal {S}, \mathcal {R}, \mathcal {D}}(\lambda ) < \frac{p^2 + 10\cdot p \cdot q +24\cdot q^2 + 1}{2^\lambda -p-4\cdot q}. \end{aligned}$$

This concludes the proof of Theorem A.1. \(\square \)

Appendix B: Constructions of Locally Equivocable Commitments with All-But-One Binding

Appendix B.1: A Generic Construction

Our generic construction of a locally equivocable commitment scheme with all-but-one binding relies on any non-interactive equivocable commitment scheme (see Sect. 2.1). Such a scheme can be constructed based on the minimal assumption that one-way functions exist [20, 53], and therefore, this holds for our generic scheme as well. It should be noted, however, that our generic scheme is mainly of theoretical significance (e.g., due to the somewhat impractical yet polynomial length of its common-reference string), and the reader is referred to our number-theoretic constructions for practical alternatives.

Let \(\mathcal{E}\mathcal{Q}=(\mathsf {EQ.Setup}, \mathsf {EQ.Commit}, \mathsf {EQ.Decommit}, \mathsf {EQ.Equiv}_1, \mathsf {EQ.Equiv}_2)\) be an equivocable commitment scheme over a domain \(\mathcal {X} = \{ \mathcal {X}_\lambda \}_{\lambda \in {\mathbb {N}}}\). For any polynomial \(t = t(\lambda )\) we construct a locally equivocable commitment scheme with all-but-one binding \(\mathcal{L}\mathcal{E}= (\mathsf {LE.Setup}, \mathsf {LE.Commit}, \mathsf {LE.}\textsf{Decommit}, \mathsf {LE.AltSetup}, \mathsf {LE.Equiv}_1, \mathsf {LE.Equiv}_2)\) over the domain \(\mathcal {X}\) and the tag space \(\mathcal {T} = \{ \mathcal {T}_\lambda \}_{\lambda \in {\mathbb {N}}}\), where \(\mathcal {T}_{\lambda } = \{0,1\}^{t(\lambda )}\) for any \(\lambda \in {\mathbb {N}}\).

(Figure: the generic scheme \(\mathcal{L}\mathcal{E}\) built from \(\mathcal{E}\mathcal{Q}\); not reproduced in this extraction.)

The following theorem establishes the security of the above generic construction:

Theorem B.1

Let \({\mathcal{E}\mathcal{Q}}\) be an equivocable commitment scheme over a domain \(\mathcal {X} = \{ \mathcal {X}_\lambda \}_{\lambda \in {\mathbb {N}}}\). Then, for any polynomial \(t(\lambda )\), the scheme \(\mathcal{L}\mathcal{E}\) is a locally equivocable commitment scheme with all-but-one binding over the domain \(\mathcal {X}\) and the tag space \(\mathcal {T} = \{ \mathcal {T}_\lambda \}_{\lambda \in {\mathbb {N}}}\), where \(\mathcal {T}_{\lambda } = \{0,1\}^{t(\lambda )}\) for any \(\lambda \in {\mathbb {N}}\).

Proof

In order to show that the scheme \(\mathcal{L}\mathcal{E}\) is locally equivocable and all-but-one binding (recall Definitions 4.1 and 4.2), we first observe that the local equivocability of \(\mathcal{L}\mathcal{E}\) follows immediately from the equivocability of \({\mathcal{E}\mathcal{Q}}\). Specifically, the equivocation correctness of \(\mathcal{L}\mathcal{E}\) follows directly from that of \({\mathcal{E}\mathcal{Q}}\), and the equivocation indistinguishability of \(\mathcal{L}\mathcal{E}\) follows via a standard hybrid argument from that of \({\mathcal{E}\mathcal{Q}}\). We therefore focus on proving that \(\mathcal{L}\mathcal{E}\) is all-but-one binding.

Let \(q = q(\lambda )\) be a polynomial, and let \(\mathcal {A}\) be a probabilistic polynomial-time algorithm that participates in the experiment \(\textsf{ABOBind}^{\mathcal{L}\mathcal{E}}_{q, \mathcal {A}}(\lambda )\). We show that there exists a probabilistic polynomial-time algorithm \(\mathcal {B}\) such that

$$\begin{aligned} \textbf{Adv}_{\mathcal{L}\mathcal{E}, q,\mathcal {A}}^{\textsf{ABOBind}} (\lambda ) \le q \cdot t \cdot \textbf{Adv}_{{\mathcal{E}\mathcal{Q}},\mathcal {B}}^\textsf{Bind}(\lambda ) \end{aligned}$$

for every \(\lambda \in {\mathbb {N}}\). Consider the following probabilistic polynomial-time algorithm \(\mathcal {B}\), which on input \((1^\lambda , \textsf{crs})\) is defined as follows:

1. Invoke \((\tau ,\textsf{st}_{\mathcal {A}}) \leftarrow \mathcal {A}(1^\lambda )\).

2. Sample \(i^*\leftarrow [q]\) and \(j^*\leftarrow [t]\).

3. For each \(i \in [q]\setminus \{ i^*\}\) and for each \(j \in [t]\) compute \(({\widehat{\textsf{crs}}}_{i,j,\tau _j},\widehat{c_{i,j}},{\textsf{st}_{i,j}}) \leftarrow \mathsf {EQ.Equiv}_1(1^\lambda )\) and sample \({\widehat{\textsf{crs}}}_{i,j,1-\tau _j} \leftarrow \mathsf {EQ.Setup}(1^\lambda )\).

4. For each \(j \in [t] \setminus \{ j^*\}\) compute \(({\widehat{\textsf{crs}}}_{i^{*},j,\tau _j},\widehat{c_{i^*,j}},{\textsf{st}_{i^*,j}}) \leftarrow \mathsf {EQ.Equiv}_1(1^\lambda )\) and sample \({\widehat{\textsf{crs}}}_{i^*,j,1-\tau _j} \leftarrow \mathsf {EQ.Setup}(1^\lambda )\).

5. Sample \(({\widehat{\textsf{crs}}}_{i^{*},j^*,\tau _{j^*}},\widehat{c_{i^*,j^*}},{\textsf{st}_{i^*,j^*}}) \leftarrow \mathsf {EQ.Equiv}_1(1^\lambda )\) and set \({\widehat{\textsf{crs}}}_{i^*,j^*,1-\tau _{j^*}} = \textsf{crs}\).

6. Invoke \((c,d,d',i',\tau ') \leftarrow \mathcal {A}(\textsf{st}_{\mathcal {A}}, \textsf{st}_0, \rho )\), where \(\textsf{st}_{0} = \left( {\widehat{\textsf{crs}}}_{i,j, 1-\tau _j} \right) _{(i, j)\in [q]\times [t]}\) and \(\rho \) is the concatenation of all random coins used in all invocations of \(\mathsf {EQ.Equiv}_1\) in Steps 3 to 5.

7. If \(i' \ne i^*\) or \(\tau _{j^*} = \tau '_{j^*}\), then output \(\bot \) and terminate.

8. Compute \(x = \mathsf {LE.}\textsf{Decommit}(1^\lambda , {\widehat{\textsf{crs}}}, c, d, i', \tau ')\) and \(x' = \mathsf {LE.}\textsf{Decommit}(1^\lambda , {\widehat{\textsf{crs}}}, c, d', i', \tau ')\), where \({\widehat{\textsf{crs}}} = ({\widehat{\textsf{crs}}}_{i,j,b})_{(i,j, b) \in [q]\times [t] \times \{0,1\}}\). If \(x = \bot \), \(x' = \bot \) or \(x = x'\), then output \(\bot \) and terminate.

9. Parse c as \(c_1 \Vert \cdots \Vert c_t\), d as \(d_1 \Vert \cdots \Vert d_t\) and \(d'\) as \(d'_1 \Vert \cdots \Vert d'_t\).

10. Output \((c_{j^*}, d_{j^*}, d'_{j^*})\).

We turn to bound \( \textbf{Adv}_{{\mathcal{E}\mathcal{Q}},\mathcal {B}}^\textsf{Bind}(\lambda )\). Let \(\textsf{Hit}\) denote the event in which \(i' = i^*\) and \(\tau _{j^*} \ne \tau '_{j^*}\) (i.e., the event that \(\mathcal {B}\) does not terminate in Step 7), and let \(\textsf{SuccessA}\) denote the event in which \(\tau ' \ne \tau \), \(x \ne \bot \), \(x' \ne \bot \) and \(x \ne x'\) (where x and \(x'\) are as defined in Step 8). Since \(\mathcal {B}\) perfectly simulates the experiment \(\textsf{ABOBind}^{\mathcal{L}\mathcal{E}}_{q, \mathcal {A}} (\lambda )\) to \(\mathcal {A}\), it holds that

$$\begin{aligned} \Pr \left[ \textsf{SuccessA} \right] = \Pr \left[ \textsf{ABOBind}^{\mathcal{L}\mathcal{E}}_{q, \mathcal {A}} (\lambda ) = 1 \right] = \textbf{Adv}_{\mathcal{L}\mathcal{E}, q,\mathcal {A}}^{\textsf{ABOBind}}(\lambda ). \end{aligned}$$

Whenever \(\textsf{Hit}\) and \(\textsf{SuccessA}\) occur, it holds that \(d_{j^*}\) and \(d_{j^*}'\) are decommitments which open \(c_{j^*}\) to x and to \(x'\), respectively, with respect to the common reference string \(\textsf{crs}\) given as input to \(\mathcal {B}\). Moreover, in this case it holds that \(x \ne \bot \), \(x' \ne \bot \) and \(x \ne x'\). Hence, for every \(\lambda \in {\mathbb {N}}\) it holds that

$$\begin{aligned} \textbf{Adv}_{{\mathcal{E}\mathcal{Q}},\mathcal {B}}^\textsf{Bind}(\lambda ) &= \Pr \left[ \textsf{Hit} \wedge \textsf{SuccessA} \right] \\ &= \Pr \left[ \textsf{Hit} | \textsf{SuccessA} \right] \cdot \Pr \left[ \textsf{SuccessA} \right] \\ &\ge \frac{1}{q \cdot t} \cdot \textbf{Adv}_{\mathcal{L}\mathcal{E}, q,\mathcal {A}}^{\textsf{ABOBind}}(\lambda ), \end{aligned}$$
(B.1)

where (B.1) follows from the fact that conditioned on \(\textsf{SuccessA}\), it holds in particular that \(\tau ' \ne \tau \). Hence, there exists at least one index \({\widetilde{j}} \in [t]\) for which \(\tau _{{\widetilde{j}}} \ne \tau '_{{\widetilde{j}}}\), and this index is independent of the choice of \(j^*\). \(\square \)

Appendix B.2: An Efficient Construction Based on the Discrete Logarithm Assumption

Let \(\textsf{GroupGen}\) be a probabilistic polynomial-time group-generation algorithm that receives as input the security parameter \(\lambda \in {\mathbb {N}}\) and outputs a triplet \(({\mathbb {G}}, p, g)\), where \({\mathbb {G}}\) is a cyclic group of order p that is generated by g, and p is a \(\lambda \)-bit prime number. The following construction of a locally equivocable commitment scheme with all-but-one binding is based on the hardness of the discrete logarithm problem relative to \(\textsf{GroupGen}\). The scheme’s domain space and tag space are both \({\mathbb {Z}}_p\) (they can both be set, for example, to \(\{0,1\}^{\lambda - 1}\) when injectively embedded into \({\mathbb {Z}}_p\) in order to depend only on the security parameter \(\lambda \)).

(Figure: the scheme \(\mathcal{L}\mathcal{E}_\textsf{DL}\); not reproduced in this extraction.)

The following theorem establishes the security of the above construction:

Theorem B.2

Assuming the hardness of the discrete logarithm problem relative to \(\textsf{GroupGen}\), the scheme \(\mathcal{L}\mathcal{E}_\textsf{DL}\) is a locally equivocable commitment scheme with all-but-one binding.

Proof

In order to show that the scheme \(\mathcal{L}\mathcal{E}_\textsf{DL}\) is locally equivocable and all-but-one binding (recall Definitions 4.1 and 4.2), we first observe that it satisfies the equivocation correctness requirement since

$$\begin{aligned} \left( g_1^\tau \cdot g_2 \right) ^x \cdot g_3^{{\widehat{r}}} = \left( g_1^p \cdot g_3^y \right) ^x \cdot g_3^{u_i - y\cdot x} = g_3^{u_i}= \widehat{c_i}. \end{aligned}$$

In addition, one can easily verify that for any algorithm \(\mathcal {A}\) and for any integer \(q = q(\lambda )\), the views of \(\mathcal {A}\) in the experiments \(\textsf{IndParam}_{\mathcal{L}\mathcal{E}_\textsf{DL}, q,\mathcal {A}, 0}(\lambda )\) and \(\textsf{IndParam}_{\mathcal{L}\mathcal{E}_\textsf{DL}, q,\mathcal {A}, 1}(\lambda )\) are identically distributed, and hence the scheme \(\mathcal{L}\mathcal{E}_\textsf{DL}\) satisfies the equivocation indistinguishability requirement. We therefore focus on proving that \(\mathcal{L}\mathcal{E}_\textsf{DL}\) is all-but-one binding based on the hardness of the discrete logarithm problem.

Let \(q = q(\lambda )\) be a polynomial, and let \(\mathcal {A}\) be a probabilistic polynomial-time algorithm that participates in the experiment \(\textsf{ABOBind}^{\mathcal{L}\mathcal{E}_\textsf{DL}}_{q, \mathcal {A}}(\lambda )\). We show that there exists a probabilistic polynomial-time algorithm \(\mathcal {B}\) such that

$$\begin{aligned} \textbf{Adv}_{\mathcal{L}\mathcal{E}_\textsf{DL}, q,\mathcal {A}}^{\textsf{ABOBind}} (\lambda ) \le \Pr \left[ \mathcal {B} \left( {\mathbb {G}},p,g, g^z \right) = z \right] \end{aligned}$$

for every \(\lambda \in {\mathbb {N}}\), where \(({\mathbb {G}},p,g) \leftarrow \textsf{GroupGen}(1^\lambda ) \) and \(z \leftarrow {\mathbb {Z}}_p\). Consider the following probabilistic polynomial-time algorithm \(\mathcal {B}\), which on input \((1^\lambda , {\mathbb {G}}, p, g, h)\) where \(h = g^z\) is defined as follows:

1. Invoke \((\tau , \textsf{st}_{\mathcal {A}}) \leftarrow \mathcal {A}(1^\lambda )\).

2. Sample \(u_1, \ldots , u_q,y \leftarrow {\mathbb {Z}}_p\).

3. Set \(g_1 = g\), \(g_3 = h\) and \(g_2 = g_1^{p-\tau } \cdot g_3^{y}\).

4. Set \(\textsf{st}_{0} = ({\mathbb {G}}, p, g_1, g_3)\), \({\widehat{\textsf{crs}}} = ({\mathbb {G}}, p, g_1, g_2, g_3)\), and for each \(i\in [q]\) set \(\widehat{c_i} = g_3^{u_i}\).

5. Invoke \((c,d,d',i,\tau ') \leftarrow \mathcal {A}(\textsf{st}_{\mathcal {A}}, \textsf{st}_{0}, (u_1,\ldots ,u_q,y))\). Parse d as \((x, r)\) and \(d'\) as \((x', r')\).

6. If any of the following conditions holds, output \(\bot \) and terminate:

    • \(\tau = \tau '\).

    • \(x = x'\).

    • \(c \ne (g_1^{\tau '} \cdot g_2)^{x}\cdot g_3^{r}\) or \(c \ne (g_1^{\tau '} \cdot g_2)^{x'}\cdot g_3^{r'}\).

7. Output \(z' = (\tau '-\tau )\cdot (x - x') \cdot (y\cdot x' - y \cdot x + r' - r)^{-1}\).

We now analyze the success probability of the algorithm \(\mathcal {B}\) in computing the discrete logarithm z of \(h = g^z\). Let \(\textsf{SuccessA}\) denote the event in which \(\tau \ne \tau '\), \(x\ne x'\), \(c = (g_1^{\tau '} \cdot g_2)^{x}\cdot g_3^{r}\) and \(c = (g_1^{\tau '} \cdot g_2)^{x'}\cdot g_3^{r'}\). Since \(\mathcal {B}\) perfectly simulates the experiment \(\textsf{ABOBind}_{\mathcal{L}\mathcal{E}_\textsf{DL}, q, \mathcal {A}} (\lambda )\) to \(\mathcal {A}\), it holds that

$$\begin{aligned} \Pr \left[ \textsf{SuccessA} \right] = \Pr \left[ \textsf{ABOBind}_{\mathcal{L}\mathcal{E}_\textsf{DL},q, \mathcal {A}} (\lambda ) = 1 \right] = \textbf{Adv}_{\mathcal{L}\mathcal{E}_\textsf{DL}, q,\mathcal {A}}^{\textsf{ABOBind}}(\lambda ). \end{aligned}$$

Moreover, conditioned on \(\textsf{SuccessA}\), it holds that

$$\begin{aligned} (g_1^{\tau '} \cdot g_2)^{x}\cdot g_3^{r} = c = (g_1^{\tau '} \cdot g_2)^{x'}\cdot g_3^{r'}. \end{aligned}$$

Using the identity \(g_2 = g_1^{p-\tau }\cdot g_3^y\), we get

$$\begin{aligned} g_1^{(\tau '-\tau )\cdot x} \cdot g_3^{x\cdot y + r} = g_1^{(\tau '-\tau )\cdot x'} \cdot g_3^{x'\cdot y + r'}. \end{aligned}$$

Rearranging, it holds that

$$\begin{aligned} g_1^{(\tau '-\tau )\cdot (x-x')} = g_3^{y\cdot x' - y \cdot x + r' - r}. \end{aligned}$$
(B.2)

To conclude the proof, note that conditioned on \(\textsf{SuccessA}\), it holds that \((\tau '-\tau )\cdot (x-x') \ne 0\), since \(\tau ' \ne \tau \) and \(x' \ne x\). Eq. (B.2) thus implies that \(y\cdot x' - y \cdot x + r' - r\) is nonzero, and hence invertible in \({\mathbb {Z}}_p\). Therefore, Eq. (B.2) can be rewritten as

$$\begin{aligned} g_3 = g_1^{(\tau '-\tau )\cdot (x - x') \cdot (y\cdot x' - y \cdot x + r' - r)^{-1}} = g_1^{z'}. \end{aligned}$$

Recall that \(g_1 = g\) and \(g_3 = h\), and therefore \(g^{z'} = h\). In other words, conditioned on \(\textsf{SuccessA}\), the algorithm \(\mathcal {B}\) computes the discrete logarithm of h with respect to g with probability 1. \(\square \)

Appendix B.3: An Efficient Construction Based on the RSA Assumption

Let \(\textsf{ModGen}\) be a probabilistic polynomial-time modulus-generation algorithm that receives as input the security parameter \(\lambda \in {\mathbb {N}}\) and outputs a pair \((N, e)\), where N is the product of two \(\lambda \)-bit primes and \(\gcd (e, \phi (N)) = 1\). The following construction of a locally equivocable commitment scheme with all-but-one binding is based on the hardness of the RSA problem relative to \(\textsf{ModGen}\). The scheme’s domain space and tag space are both \({\mathbb {Z}}_e\) where \((N,e) \leftarrow \textsf{ModGen}(1^\lambda )\).

(Figure: the scheme \(\mathcal{L}\mathcal{E}_\textsf{RSA}\); not reproduced in this extraction.)

The following theorem establishes the security of the above construction:

Theorem B.3

Assuming the hardness of the RSA problem relative to \(\textsf{ModGen}\), the scheme \(\mathcal{L}\mathcal{E}_\textsf{RSA}\) is a locally equivocable commitment scheme with all-but-one binding.

Proof

In order to show that the scheme \(\mathcal{L}\mathcal{E}_\textsf{RSA}\) is locally equivocable and all-but-one binding (recall Definitions 4.1 and 4.2), we first observe that it satisfies the equivocation correctness requirement since

$$\begin{aligned} \left( g^\tau \cdot h \right) ^x \cdot {\widehat{u}}^e = w^{e\cdot x}\cdot \left( \frac{v_i}{w^x} \right) ^e =v_i^e = \widehat{c_i}. \end{aligned}$$

In addition, one can easily verify that for any algorithm \(\mathcal {A}\) and for any integer \(q = q(\lambda )\), the views of \(\mathcal {A}\) in the experiments \(\textsf{IndParam}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q,\mathcal {A}, 0}(\lambda )\) and \(\textsf{IndParam}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q,\mathcal {A}, 1}(\lambda )\) are identically distributed, and hence the scheme \(\mathcal{L}\mathcal{E}_\textsf{RSA}\) satisfies the equivocation indistinguishability requirement. We therefore focus on proving that \(\mathcal{L}\mathcal{E}_\textsf{RSA}\) is all-but-one binding based on the hardness of the RSA problem.

Let \(q = q(\lambda )\) be a polynomial, and let \(\mathcal {A}\) be a probabilistic polynomial-time algorithm that participates in the experiment \(\textsf{ABOBind}^{\mathcal{L}\mathcal{E}_\textsf{RSA}}_{q, \mathcal {A}}(\lambda )\). We show that there exists a probabilistic polynomial-time algorithm \(\mathcal {B}\) such that

$$\begin{aligned} \textbf{Adv}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q,\mathcal {A}}^{\textsf{ABOBind}} (\lambda ) \le \Pr \left[ \mathcal {B} \left( 1^\lambda , N, e, g \right) = g^{1/e} \right] \end{aligned}$$

for every \(\lambda \in {\mathbb {N}}\), where \((N, e) \leftarrow \textsf{ModGen}(1^\lambda ) \) and \(g \leftarrow {\mathbb {Z}}_N^*\). Consider the following probabilistic polynomial-time algorithm \(\mathcal {B}\), which on input \((1^\lambda , N, e, g)\) is defined as follows:

1. Invoke \((\tau , \textsf{st}_{\mathcal {A}}) \leftarrow \mathcal {A}(1^\lambda )\).

2. Sample \(v_1, \ldots , v_q,w \leftarrow {\mathbb {Z}}_N^*\).

3. Compute \(h = w^e/g^\tau \).

4. Set \(\textsf{st}_{0} = (N,e,g)\), \({\widehat{\textsf{crs}}} = (N,e,g,h)\), and for each \(i\in [q]\) set \(\widehat{c_i} = v_i^e\).

5. Invoke \((c,d,d',i,\tau ') \leftarrow \mathcal {A}(\textsf{st}_{\mathcal {A}}, \textsf{st}_{0}, (v_1,\ldots ,v_q,w))\). Parse d as \((x, u)\) and \(d'\) as \((x', u')\).

6. If any of the following conditions holds, output \(\bot \) and terminate:

    • \(\tau = \tau '\).

    • \(x = x'\).

    • \(c \ne (g^{\tau '} \cdot h)^{x}\cdot u^{e}\) or \(c \ne (g^{\tau '} \cdot h)^{x'}\cdot (u')^{e}\).

7. Compute integers a and b such that \(a\cdot e + b\cdot (\tau '-\tau )\cdot (x-x') = 1\). Such integers are guaranteed to exist and can be found efficiently using the extended Euclidean algorithm since, as we will later show, if this step is reached then it must be the case that e and \((\tau '-\tau )\cdot (x-x')\) are relatively prime.

8. Output \(z = g^a \cdot \left( \frac{w^{x'}\cdot u'}{w^x \cdot u}\right) ^b\).

We turn to bound the advantage of the algorithm \(\mathcal {B}\) in computing the e-th root of g modulo N. Let \(\textsf{SuccessA}\) denote the event in which \(\tau \ne \tau '\), \(x\ne x'\), \(c = (g^{\tau '} \cdot h)^{x}\cdot u^{e}\) and \(c = (g^{\tau '} \cdot h)^{x'}\cdot (u')^{e}\). Since \(\mathcal {B}\) perfectly simulates the experiment \(\textsf{ABOBind}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q, \mathcal {A}} (\lambda )\) to \(\mathcal {A}\), it holds that

$$\begin{aligned} \Pr \left[ \textsf{SuccessA} \right] = \Pr \left[ \textsf{ABOBind}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q, \mathcal {A}} (\lambda ) = 1 \right] = \textbf{Adv}_{\mathcal{L}\mathcal{E}_\textsf{RSA}, q,\mathcal {A}}^{\textsf{ABOBind}}(\lambda ). \end{aligned}$$

Observe that conditioned on \(\textsf{SuccessA}\), it is the case that

$$\begin{aligned} (g^{\tau '} \cdot h)^{x}\cdot u^{e} = c = (g^{\tau '} \cdot h)^{x'}\cdot (u')^{e}, \end{aligned}$$

and since \(h = w^e/g^\tau \), it holds that

$$\begin{aligned} g^{(\tau '-\tau )\cdot x} \cdot \left( w^x \cdot u \right) ^e = g^{(\tau '-\tau )\cdot x'} \cdot \left( w^{x'} \cdot u' \right) ^e. \end{aligned}$$

This in turn implies that

$$\begin{aligned} g^{(\tau '-\tau )\cdot (x-x')} = \left( \frac{w^{x'} \cdot u'}{w^x \cdot u} \right) ^e. \end{aligned}$$
(B.3)

Observe that conditioned on \(\textsf{SuccessA}\), it holds that \(\tau ' \ne \tau \) and \(x' \ne x\). Since \(\tau , \tau ', x, x' \in {\mathbb {Z}}_e\), this means that \((\tau ' -\tau )\cdot (x-x')\) is coprime to e. This implies that there exist integers a and b such that \(a\cdot e + b\cdot (\tau '-\tau )\cdot (x-x') = 1\), and these are the integers found by \(\mathcal {B}\) in Step 7. Hence, it holds that

$$\begin{aligned} z^e &= g^{a\cdot e} \cdot \left( \frac{w^{x'}\cdot u'}{w^x \cdot u}\right) ^{b\cdot e} \\ &= g^{a \cdot e + b \cdot (\tau ' - \tau )\cdot (x - x')} \\ &= g. \end{aligned}$$

In other words, conditioned on \(\textsf{SuccessA}\), the algorithm \(\mathcal {B}\) computes the e-th root of g with probability 1. \(\square \)
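As an added illustration (not code from the paper), here is a Python model of \(\mathcal{L}\mathcal{E}_\textsf{RSA}\) as used in the proof above (commit, decommit, alternative setup with \(h = w^e/g^\tau\), equivocation via \(\widehat{u} = v_i/w^x\)) together with Steps 7 and 8 of the reduction \(\mathcal {B}\): the Bezout coefficients from the extended Euclidean algorithm turn Eq. (B.3) into an e-th root of g. The toy modulus \(N = 1009\cdot 1013\), the exponent \(e = 65537\) (prime and coprime to \(\phi(N)\)) and all sample values are constructed assumptions. As in the DL demo, `forge_double_opening` is given the e-th root of g outright, which is the knowledge Theorem B.3 denies a real adversary; the demo shows that any double opening under a second tag gives that root back.

```python
"""Toy model of the RSA-based scheme LE_RSA (Appendix B.3) and of the e-th-root
extraction in the proof of Theorem B.3.  Added illustration, not the paper's code."""
import math
import random

# Constructed toy parameters (assumption): N = 1009 * 1013 and the prime
# e = 65537, which is coprime to phi(N) = 1008 * 1012.  Values and tags live
# in Z_e.  Real RSA moduli are of course far larger; the algebra is unchanged.
N = 1009 * 1013
e = 65537


def sample_unit(rng: random.Random) -> int:
    """Uniform element of Z_N^* by rejection sampling on the gcd."""
    while True:
        v = rng.randrange(1, N)
        if math.gcd(v, N) == 1:
            return v


def commit(crs, tag: int, x: int, u: int) -> int:
    """LE.Commit: c = (g^tag * h)^x * u^e mod N, with (x, u) the decommitment."""
    _, _, g, h = crs
    return pow(pow(g, tag, N) * h, x, N) * pow(u, e, N) % N


def decommit(crs, c: int, d, tag: int):
    """LE.Decommit: returns x if (x, u) opens c under tag, else None."""
    x, u = d
    return x if commit(crs, tag, x, u) == c else None


def alt_setup(tag: int, q: int, rng: random.Random):
    """LE.AltSetup for tag: h = w^e / g^tag, so g^tag * h = w^e is an e-th power
    and each hat_c_i = v_i^e can later be opened to any x."""
    g, w = sample_unit(rng), sample_unit(rng)
    vs = [sample_unit(rng) for _ in range(q)]
    h = pow(w, e, N) * pow(g, -tag, N) % N
    chats = [pow(v, e, N) for v in vs]
    return (N, e, g, h), chats, (tag, w, vs)


def equivocate(trapdoor, i: int, x: int):
    """LE.Equiv_2: open hat_c_i = v_i^e to x with u = v_i / w^x (mod N)."""
    _, w, vs = trapdoor
    return (x, vs[i] * pow(w, -x, N) % N)


def equivocation_check(tag: int, q: int, x: int, seed: int) -> bool:
    """Equivocation correctness: every hat_c_i opens to x under the trapdoor tag."""
    crs, chats, td = alt_setup(tag, q, random.Random(seed))
    return all(decommit(crs, chats[i], equivocate(td, i, x), tag) == x
               for i in range(q))


def egcd(a: int, b: int):
    """Extended Euclid: (d, s, t) with s*a + t*b = d = gcd(a, b); sign-safe."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    d, s, t = egcd(b, a % b)
    return (d, t, s - (a // b) * t)


def extract_root(g: int, w: int, tag: int, tag2: int, d, d2) -> int:
    """Steps 7 and 8 of the reduction B (Theorem B.3).  Two openings (x, u) and
    (x', u') of one commitment under tag2 != tag give Eq. (B.3):
    g^m = (w^x' u' / (w^x u))^e with m = (tag2-tag)(x-x').  Since e is prime and
    0 < |tag2-tag|, |x-x'| < e, gcd(e, m) = 1 and a*e + b*m = 1 yields the root."""
    x, u = d
    x2, u2 = d2
    m = (tag2 - tag) * (x - x2)
    gcd, a, b = egcd(e, m)
    assert gcd == 1
    ratio = pow(w, x2, N) * u2 * pow(pow(w, x, N) * u, -1, N) % N
    return pow(g, a, N) * pow(ratio, b, N) % N


def forge_double_opening(s: int, w: int, tag: int, tag2: int, x: int, x2: int, u: int):
    """Simulated adversary that KNOWS s = g^(1/e) (assumption for the demo): with
    g^tag2 * h = s^(e (tag2-tag)) * w^e, the second opening is
    u' = s^((tag2-tag)(x-x')) * w^(x-x') * u.  A real adversary lacks s."""
    u2 = pow(s, (tag2 - tag) * (x - x2), N) * pow(w, x - x2, N) * u % N
    return (x, u), (x2, u2)


def reduction_demo(s: int, w: int, tag: int, tag2: int, x: int, x2: int, u: int) -> int:
    """Runs B's setup on the challenge g = s^e, feeds it the forged double
    opening under tag2, and returns the extracted e-th root z (equal to s,
    since x -> x^e is a bijection on Z_N^* when gcd(e, phi(N)) = 1)."""
    g = pow(s, e, N)
    crs = (N, e, g, pow(w, e, N) * pow(g, -tag, N) % N)
    d, d2 = forge_double_opening(s, w, tag, tag2, x, x2, u)
    c = commit(crs, tag2, *d)
    assert decommit(crs, c, d2, tag2) == x2    # Step 6: both openings verify
    return extract_root(g, w, tag, tag2, d, d2)


if __name__ == "__main__":
    print(equivocation_check(tag=5, q=3, x=1234, seed=7))    # True
    print(reduction_demo(123456, 777, 5, 9, 3, 7, 4242))     # 123456
```

The coprimality assertion in `extract_root` is where the requirement that tags and values lie in \({\mathbb {Z}}_e\) does its work: with \(e\) prime, neither \(\tau' - \tau\) nor \(x - x'\) can be a multiple of \(e\), so the Bezout identity always exists and the exponent trick of Step 8 goes through.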

Rotem, L., Segev, G. Non-malleable Vector Commitments via Local Equivocability. J Cryptol 36, 40 (2023). https://doi.org/10.1007/s00145-023-09480-4
