 Hi, I'm Lior. This is a talk about non-malleable vector commitments via local equivocability, and this is joint work with Gil Segev. Vector commitments, or VCs for short, enable a user to non-interactively commit to a long vector of elements, and then at a later stage to locally open any of the committed vectors entries by revealing its contents, and providing a short proof asserting its correctness with respect to the commitment. The security requirement of such commitments is position binding. An adversary shouldn't be able to produce a commitment, and then open one of its entries to two different values. Without any further requirements, a trivial solution is to simply have the committer commit to each entry of the vector independently, using some standard non-interactive commitment scheme. So, in addition, VCs should also be non-trivially succinct. That is, both the commitment string and the local openings should be of size sublinear in the number Q of entries in the committed vector. Perhaps the earliest construction of VCs is Merkle trees, suggested by Merkel back in the late 80s. Merkel trees produce commitments of length which is independent of the size Q of the underlying vector. The length of the local openings is the depth of the tree, which is logarithmic in Q. More recent constructions that are based on specific algebraic or lattice-based assumptions have both constant size commitments and constant size openings. Furthermore, they offer various functionality improvements, including updateability of entries in the underlying vector, the ability to simultaneously open multiple entries more efficiently and more. Another long-language research regarding commitment schemes deals with non-mallible commitments introduced in the seminal work of the left work and all. In this talk, we'd restrict our attention to non-interactive non-mallible commitments. Informally speaking, such schemes ensure that an adversary that observes a commitment to some value of V cannot produce a commitment to a value of V' which is non-trivially related to V. Over the years, there have been many constructions of non-mallible commitment schemes from different assumptions, satisfying different security notions and different efficiency tradeoffs. In this work, we study non-mallible vector commitments or VCs. Though the two above mentioned notions have been thoroughly studied, the notion of non-mallible VCs has not been explored. As we will see, the main reason why existing frameworks for standard non-mallible non-interactive commitments are insufficient to deal with vector commitments is that they do not consider the security implications of an adversary that is exposed to local openings of some of the vector's entries. A related notion that has been explored is non-mallible or independent zero-knowledge sets. Roughly, this can be seen as VCs that allow for non-membership proofs. That is, one can prove that a certain element is not in the underlying vector. Such schemes were defined and constructed by Genaro and Michali, but their construction, as well as subsequent constructions, rely on the notion of multi-trap dorm or curial-trap toward commitments as a building block. Just to specify these commitments requires no less than 11 algorithms. This high level of intricacy is tailored, at least in part, specifically to support non-membership proofs of non-mallible zero-knowledge sets. So this leaves open the question of can non-mallible VCs that do not require non-membership proofs be constructed within a simplified framework both from a conceptual point of view and from a technical standpoint? With this question in mind, our contributions are the following. First, we put forth a notion of non-malleability for VCs. Our notion strikes a balance between the weaker notion of standard non-malleable non-interactive commitments, which does not account for local openings, and the stronger notion of non-malleable zero-knowledge sets. We then present a general framework for constructing non-malleable VCs. Concretely, we show how to transform any VC into a non-malleable VC using a new intermediate notion that we present, which we call locally equivocable commitments with all but one binding. This notion is simpler and admits somewhat more efficient instantiations than the more intricate notion of multi-trapdoor mercurial trapdoor commitments. The non-malleable VCs that are obtained using our framework essentially preserve the efficiency of the underlying VC. Additionally, in the paper, we show how to extend our notion of non-malleability and our construction of non-malleable VCs to the dynamic setting, allowing for private updates to the committed vector. We also show that Merkel-Trees satisfy our notion of non-malleability in the random oracle model, which is not necessarily the case in the standard model. And finally, we discuss possible applications of non-malleable VCs to provide cross-transaction independence in blockchains and for the integrity of simultaneous multi-round auctions. Unfortunately, we will not be able to cover these contributions in this talk, and you can see the paper for more details. So the remainder of this talk will be organized as follows. First we'll review our notion of non-malleable VCs, then we'll present our formal definition for locally equivocable commitments with all but one binding, then we'll see our construction of non-malleable VCs from any VC, and finally we'll conclude with some closing remarks. So let's start by defining non-malleable VCs. Intuitively, at the most basic level, our notion of non-malleability asks that an efficient adversary receiving a VC to a vector x of elements should not be able to produce a VC to a non-trivially related vector x' In this sense, our notion is based on the standard notion of non-malleability for non-interactive commitments, but we extend it to accommodate adversaries that observe local openings of the vector commitment to x for entries of their choice before having to produce their vector commitments to x' In more detail, our notion of non-malleability relies on a simulation-based definition. We define two experiments, a real one and an ideal one, and we require that for any adversary A, any length Q of vectors, and any distribution D over such vectors, there is a simulator S such that the output of the real experiment with the adversary A is indistinguishable from the output of the ideal experiment with the simulator S. Before we define the experiments, two technical details are in order. First, as is the case for standard VCs and for standard non-interactive non-malleable commitments, our definition is in the CRS model. Secondly, in our formal definition, we have a technical requirement that the distribution D over vectors must satisfy. For ease of presentation, we will ignore both of these facts for now. So the real experiment is defined as follows. First, a vector x1 to xq of values is sampled according to the distribution D, and the adversary is given a commitment to this vector using the vector commitment scheme. Then, the adversary outputs a subset I of indices between 1 and Q, and receives local openings to all the xi's that correspond to this subset I. The adversary then outputs a vector commitment vc' and specifies a subset J. This subset specifies the locations which the adversary will later open with respect to vc' Finally, the adversary receives all remaining local openings with respect to the vector commitment it received, and replies with local openings with respect to vc' to all the indices in the subset J outputted before. We denote each value opened by the adversary by xi' where xi' is simply bought if the index I is not in the subset J. Moreover, if the adversary simply copies the vector commitment it received, or if any of its openings is invalid, then we replace all of the xi' with bought. The output of the experiment is composed of the vector x1 to xq, the vector x1' to xq' of the values opened by the adversary, and the subset I chosen by the adversary. The ideal experiment also begins with sampling a vector x1 to xq of values according to the distribution D, but there are no commitments involved. Instead, the simulator S outputs a subset I, and simply receives the values xi in the clear for every little i in the subset I. The simulator also outputs no commitments, and instead it specifies a subset J, and immediately outputs values xi' for every i in the subset J. As before, for every i not in J, we set xi' to be bought, and the output of the experiment is the vector x1 to xq, the vector of values outputted by the simulator x1' to xq' and the subset I chosen by the simulator. Again, our non-malleability definition requires that this output is indistinguishable from the output of the real experiment described in the previous slide. Note that existing GVCs do not satisfy our notion of non-malleability. First, Merkle trees in the standard model may be malleable. Informally, this is due to the fact that potentially the underlying hash function used to construct the tree can be malleable in and of itself. Second, more recent algebraic constructions are also malleable due to the homomorphic properties. This is often by design as to allow for public updates to the committed vector. You can see the paper for a more in-depth discussion of the malleability of existing VCs. Before describing our construction of non-malleable VCs, we observed that simple approaches failed to satisfy our security notion. First, consider the approach of committing to each entry using some non-malleable commitment scheme, and then committing to the vector of all commitments using a vector commitment scheme. This approach fails due to the potential malleability of the vector commitment scheme. For example, it might be the case that given a VC to some vector, it's easy to commit to the same vector while replacing only its first entry. Another approach might be to first commit to the entire vector using a vector commitment scheme, and then to commit to the resulting commitment using a non-malleable commitment scheme. So this works if you only consider the standard non-malleability notion of non- interactive commitments, but fails when considering our definition that takes into account adversaries that observe local openings. The reason is that after observing a single local opening, the adversary learns the potentially malleable vector commitment to the underlying vector, and then we're back to square one. Okay, so now let's define our notion of locally equivocable commitments with all but one binding. Our notion augments the standard notion of tag-based commitments with two additional properties, local equivocability, and all but one binding. It should also be mentioned that it's related but different from the notion of identity-based script or commitments, and you can see the paper for a complete comparison of the two notions. So let's start by defining the syntax of our locally equivocable commitments. The setup algorithm takes in an integer q and outputs a CRS. The commit algorithm takes the CRS, an index i from 1 to q, and a tag tau and outputs a commitment string c together with a decommitment d. The decommit algorithm takes in the CRS a commitment c, a decommitment d, an index i, and a tag tau, and outputs either an element x or the rejection symbol bot. So everything until now is pretty standard, maybe except the fact that the setup algorithm takes in the integer q and the commitment and the commitment algorithms take in the index i. So this is a good point to talk about instantiations. In the paper we show that existing approaches for constructing equivocable commitment schemes from algebraic assumptions satisfy our notion as well, and we also show a generic construction for many one-way functions which is of theoretical interest. Now the dependency of the setup commitment and decommitment algorithms on q and on i only comes into play in the generic construction for many one-way functions and doesn't come into play in the more efficient algebraic constructions. To the first three algorithms we add three equivocation algorithms. Alt setup takes in q and outputs some state st0, equiv1 takes the state and the tag tau and outputs a common reference string CRS hat, commitments c1 to cq, and an updated state st1. Equiv2 takes an element x, an index i, the state st1 and the tag tau, and outputs an opening d hat. The requirement is that d hat indeed opens ci to the element x with respect to the tag tau. More specifically for every q, tau, i and x the following should hold. So if we first sample a state st0 using alt setup on q and then we invoke a equiv1 on st0 and tau to receive a CRS, CRS hat, commitments c1 to cq and the state st1, and finally invoke equiv2 on the x, i, st1 and tau to receive a decommitment d hat, then decommitting with CRS hat ci, d hat, i and tau we should get back the element x that we used to generate d hat. In addition we ask that the parameters and commitments generated by the equivocation algorithms are indistinguishable from honestly generated parameters and commitments. So on the one hand we generate CRS hat and commitments c1 hat to cq hat and using some specific values x1 to xq we generate decommitments d1 hat to dq hat. All of that is done using the equivocation algorithms. On the other hand we have an honestly generated CRS and honestly generated commitments and decommitments c1 to cq and d1 to dq generated using the honest commitment algorithm and the values x1 to xq which are the same values that we use to generate the decommitments on the left side of the slide. Now we ask that the CRS commitments and decommitments generated using these two processes are indistinguishable even for adversarily chosen tag tau and values x1 to xq. The second property that we require is all but one binding. Intuitively this property requires that even an adversary that produces equivocable commitments with respect to some tag tau shouldn't be able to open these commitments to more than a single value with respect to a different commitment tag tau prime. So this is defined using the following experiment. First we let the adversary a output a tag tau then we sample a state st0 using GAL setup. We invoke equiv1 on st0 and the tag tau outputted by the adversary using some honestly generated randomness row and this gives us among other things a common reference string CRS hat. We give st0 and the randomness row we used in equiv1 to the adversary and then the adversary needs to output a commitment c to decommitments d and d prime and index i and a tag tau prime. The adversary wins if d and d prime are valid decommitments of c with respect to the tag tau prime to different values x and x prime and in addition the tag tau prime is different than the tag tau used to generate the CRS and we require that the probability that the adversary wins is negligible in the security parameter lambda. Okay so equipped with this notion we can now present our construction of non-malleable vcs. The construction that we will see in this talk relies on three building blocks. A vector commitment scheme vc, a locally equivocable commitment scheme le with all but one binding and the one time strongly unforgeable signature sig. In this talk we will make the simplifying assumption that the tag space of le and the verification key space of sig are the same. This is just for simplicity of presentation and in the full flash construction we apply a universal one-way hash function to map verification keys to tags following standard techniques when constructing non-malleable non-interactive commitments. So the CRS of our non-malleable vector commitment scheme is simply the concatenation of the CRS's of vc and le. Then to commit to a vector x1 to xq we sample a signing key sk and the verification key vk. Commit to each element of the vector using the locally equivocable commitment scheme le where the verification key vk is used as the tag for the commitments. Then we commit to all of these commitments using the vector commitment scheme vc and finally we sign the resulting commitment vcom using the signing key sk. The final commitment is then composed of the vector commitment vcom the verification key vk and the signature sigma. To locally open this commitment at position i one simply outputs the corresponding locally equivocable commitment ci together with its opening di and the proof pii that ci is indeed the entry i of the vector underlying vcom. So we won't see a complete proof for the non-malleability of this construction in this talk but we'll see a high level sketch of the main idea. This idea extends the classic template of how to prove the non-malleability of non-interactive commitments to the setting of vcs and locally equivocable commitments. For the sake of simplicity in this sketch we'll ignore the fact that the adversary observes local openings before outputting their vector commitment and we'll assume that the adversary opens all of the entries of the vector commitment that it issues in the security experiment. So the adversary receives a vector commitment according to our construction so it includes a vector commitment vcom, a verification key vk and the signature sigma. It then outputs a different vector commitment which includes a vector commitment vcom hat, a verification key vk hat and a signature sigma hat. The adversary now receives local openings to all of the entries of the vector underlying vcom and outputs local openings to all of the entries of the vector underlying vcom hat. We'll consider two cases. The first is the easy one and in this case the verification key vk hat that the adversary outputs is the same as the verification key vk it receives. In this case in order to have a non-trivial advantage it must be the case that vcom hat is different from vcom or sigma hat is different from sigma. Otherwise the commitment outputted by the adversary is exactly the same as the commitment it receives which informally speaking gives no advantage in the security definition. But this can only be the case if the adversary successfully breaks the strong unforgeability of the underlying signature scheme sig. The second case in which vk hat is different from vk is the more technically involved one. The main observation here is that any advantage that the adversary might have must come from their ability to choose the values to which it provides local openings after already outputting its vector commitment vcom hat. The reason for that is that the commitment vcom that the adversary receives at the beginning of the experiment is indistinguishable from a vector commitment to a vector of locally equivocable commitments. Such a commitment holds no information about the underlying vector x1 to xq and so intuitively speaking any information that the adversary learns about this vector must come from the local openings that it receives. Recall that a non-trivial advantage of the adversary means that it can open vcom hat to values that are non-trivially related to x1 to xq. This means that if we provide the adversary with different local openings to independent values x1 prime to xq prime it should be able to open its vector commitment to different values as well at least in one coordinate i. But this means that the adversary can either open vcom hat at position i to two different values which breaks the position binding of vc or it can open some locally equivocable commitment ci hat to two different values xi hat and xi hat prime. Recall that we are in the case where vk hat is different from vk and so the adversary in fact breaks binding with respect to a tag which is different than the tag used to generate vcom. Hence even though in the proof we switched to equivocable parameters the adversary should still not be able to do so since it breaks the all but one binding of the locally equivocable commitment scheme le. Okay so let's conclude. What we saw in this talk is a notion of non-malleability for vcs and the framework for constructing non-malleable vcs. We presented a new primitive called locally equivocable commitments with all but one binding and presented a generic construction that uses such commitments to transform any vc into a non-malleable one. In the paper we also consider non-malleable dynamic vcs the liability of random oracle model miracle trees and we discussed some applications of non-malleable vcs. An interesting open problem which is not addressed by our construction is to construct non-malleable sub-vector commitments which are vector commitments that allow for sub-vector openings which are more efficient than simply opening each entry independently. Okay so with that I will conclude the talk and thank you for listening.