
Compact and Efficient UC Commitments Under Atomic-Exchanges

Conference paper
Information Security and Cryptology - ICISC 2014 (ICISC 2014)
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8949)

Abstract

We devise a multiple (concurrent) commitment scheme operating on large messages. It uses an ideal global setup functionality in a minimalistic way. The commitment phase is non-interactive. It is presented in a modular way so that the internal building blocks could easily be replaced by others and/or isolated during the process of design and implementation. Our optimal instantiation is based on the decisional Diffie-Hellman (DDH) assumption and the (adversarially selected group) Diffie-Hellman knowledge (DHK) assumption which was proposed at CRYPTO 1991. It achieves UC security against static attacks in an efficient way. Indeed, it is computationally cheaper than Lindell’s highly efficient UC commitment based on common reference strings and on DDH from EUROCRYPT 2011.


Notes

  1. In [16], a witness indistinguishable PoK is used to create a “weak PKI” as part of a different block, i.e., the initialization/setup block. Our initialization/setup block herein is also more lightweight than the one in [16].

  2. We note that the Turing machine \(M\) is deterministic (or an equivalent one, a probabilistic one but with the necessary random coins hard-coded within).

  3. Sending to the ideal adversary is necessary for the simulation in the insecure-channel UC model because commitment protocols send the committed message in clear during opening, and the ideal adversary must simulate such a protocol when both participants are honest, although he cannot get the message by any other means.

  4. It is often the case that, in the real-world execution, the committed input is eventually sent in clear, as part of the opening phase. To get a correct ideal-world simulation, this delayed output from the ideal functionality is needed.

  5. No WI-PoK, as in [16], will be used in the implementation of this assertion.

  6. In the \(\mathsf {C\text{- }at}\) protocol to be defined (see Fig. 4), a \(\mathsf {Register}\) block could be maliciously used as a \(z\mapsto z^\mathsf {sk}\) oracle, allowing an adversary either to extract or to equivocate a commitment.

  7. One-wayness here means that for any ppt. algorithm \(\mathcal {A}\) the following probability is negligible in \(\lambda \): \(\Pr _{r_{\mathcal {A}},\mathsf {sk}} [\mathsf {Gen}(1^\lambda , \mathcal {A}(1^\lambda ,\mathsf {pk}; r_{\mathcal {A}})) =\mathsf {pk} \, | \, \mathsf {pk}=\mathsf {Gen}(1^\lambda ,\mathsf {sk})]\).

  8. \(V\) sending an atomic \(X_0\) is syntactic sugar meaning that \(P\) sends a prior \(\mathsf {Ready}(V,M)\) to \(\mathcal {F}_{\mathsf {atomic}}\), where \(M\) is an algorithm to compute \(M(X_0)=(X,X')\), and then \(V\) sends \(\mathsf {Atomic}(P,X_0)\) to \(\mathcal {F}_{\mathsf {atomic}}\). (See [7].)

  9. See [20] for details on witness indistinguishable proofs of knowledge (WI-PoK).

  10. By global setup, we mean that the environment can access it as well. This is also called GUC in the literature.

  11. So, proving GUC reduces to proving EUC: in a multiparty setting, the participant calling \(\mathcal {F}_{\mathsf {LCOM}}\) with the identifier of another participant defines \(S\) and \(R\). All other participants can be glued into the environment.

References

  1. Backes, M., Pfitzmann, B., Waidner, M.: A general composition theorem for secure reactive systems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 336–354. Springer, Heidelberg (2004)

  2. Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: Proceedings of FOCS 2004, pp. 186–195. IEEE Computer Society, Washington, DC (2004)

  3. Beaver, D.: Foundations of secure interactive computing. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. LNCS, vol. 576, pp. 377–391. Springer, Heidelberg (1992)

  4. Beth, T., Desmedt, Y.G.: Identification tokens – or: solving the chess grandmaster problem. In: Menezes, A., Vanstone, S.A. (eds.) Advances in Cryptology - CRYPTO 1990. LNCS, vol. 537, pp. 169–176. Springer, Heidelberg (1991)

  5. Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: Analysis and improvement of Lindell’s UC-secure commitment schemes. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 534–551. Springer, Heidelberg (2013)

  6. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)

  7. Boureanu, I., Vaudenay, S.: Input-aware equivocable commitments and UC-secure commitments with atomic exchanges. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 121–138. Springer, Heidelberg (2013)

  8. Brands, S., Chaum, D.: Distance bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994)

  9. Canetti, R.: A unified framework for analyzing security of protocols. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 8, no. 16 (2001)

  10. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. Cryptology ePrint Archive, Report 2006/432 (2006). http://eprint.iacr.org/

  11. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Proceedings of STOC 2002, pp. 494–503 (2002)

  12. Chandran, N., Goyal, V., Sahai, A.: New constructions for UC secure computation using tamper-proof hardware. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 545–562. Springer, Heidelberg (2008)

  13. Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)

  14. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)

  15. Damgård, I., Nielsen, J.B., Wichs, D.: Isolated proofs of knowledge and isolated zero knowledge. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 509–526. Springer, Heidelberg (2008)

  16. Damgård, I., Nielsen, J.B., Wichs, D.: Universally composable multiparty computation with partially isolated parties. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 315–331. Springer, Heidelberg (2009)

  17. Damgård, I., Nielsen, J.B.: Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002)

  18. De Santis, A., Di Crescenzo, G., Persiano, G., Yung, M.: On monotone formula closure of SZK. In: Proceedings of SFCS 1994, pp. 454–465. IEEE Computer Society, Washington, DC (1994)

  19. Dent, A.W.: The hardness of the DHK problem in the generic group model (2006). http://eprint.iacr.org/2006/156

  20. Goldreich, O.: Foundations of Cryptography, vol. 1. Cambridge University Press, New York (2006)

  21. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In: Proceedings of CSWF 1986, pp. 174–187, October 1986

  22. Hancke, G.P.: Security of proximity identification systems. Ph.D. thesis, July 2009

  23. Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007)

  24. Lindell, Y.: Highly-efficient universally-composable commitments based on the DDH assumption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 446–466. Springer, Heidelberg (2011)

  25. Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992)

  26. Monnerat, J., Pasini, S., Vaudenay, S.: Efficient deniable authentication for signatures. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 272–291. Springer, Heidelberg (2009)

  27. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)

Author information

Corresponding author: Ioana Boureanu.


A Extensions

A.1 A Variant Based on \(\mathsf {ag}\text{- }\mathsf {DDH}_{\mathsf {Gen}}\)

We can drop the \(\mathsf {ag}\text{- }\mathsf {DHK0}_{\mathsf {Gen}}\) assumption and solely rely on the \(\mathsf {ag}\text{- }\mathsf {DDH}_{\mathsf {Gen}}\) one. For that, we construct a new \(\mathsf {Register}\) protocol based on a zero-knowledge proof with the Schnorr \(\Sigma \)-protocol. See Fig. 3 on page xx. This would get us closer to [16], where a WI-PoK is used in the key-setup block.

Namely, we enrich the \(\Sigma \)-protocol with a trapdoor commitment \(\mathsf {Hgen}\) on the challenge \(c\), with the trapdoor \(\sigma \) released at the end. It is a trapdoor in the sense that for all \(\gamma \) and all \(c'\), \(\mathsf {Equiv}_\sigma (\gamma ,c')\) has the same distribution as \(u\) and \(H_\kappa (c',\mathsf {Equiv}_\sigma (\gamma ,c'))=\gamma \). This is quite a standard technique [26]. By making the challenge atomic, we obtain a ZK protocol in a regular sense. It is further straightforward to see that \(\mathsf {Register}\) satisfies all requirements, based on the \(\mathsf {ag}\text{- }\mathsf {DDH}_{\mathsf {Gen}}\) assumption. To make it authenticating, we can take advantage of the \(\mathcal {F}_\mathsf {atomic}\) exchange to authenticate \(X\) at the same time as the response is sent.
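The trapdoor-commitment trick above, as an added example that is not code from the paper: a Schnorr \(\Sigma\)-protocol in which the verifier's challenge \(c\) is committed under a key from \(\mathsf{Hgen}\), and the trapdoor \(\sigma\) lets a simulator who does not know \(\mathsf{sk}\) fix the response first and then equivocate the commitment to the matching challenge. It assumes a Pedersen-style instantiation of \(H_\kappa\) (so \(\mathsf{Equiv}_\sigma\) here takes the original opening \((c,u)\), which the committer holds) and a toy group with constructed parameters.

```python
import secrets

# Toy group parameters, constructed for illustration (far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def hgen():
    """Hgen: sample a commitment key kappa = h = g^sigma with trapdoor sigma."""
    sigma = secrets.randbelow(Q - 1) + 1       # nonzero, hence invertible mod Q
    return pow(G, sigma, P), sigma

def h_commit(h, c, u):
    """H_kappa(c, u) = g^c * h^u mod p, a Pedersen-style commitment to challenge c."""
    return (pow(G, c, P) * pow(h, u, P)) % P

def equiv(sigma, c, u, c_new):
    """Equiv_sigma: from the opening (c, u) of gamma, return u' with H_kappa(c', u') = gamma.
    Since gamma = g^(c + sigma*u), we need c' + sigma*u' = c + sigma*u (mod q)."""
    return (u + (c - c_new) * pow(sigma, -1, Q)) % Q

def schnorr_verify(pk, a, c, z):
    """Sigma-protocol acceptance equation: g^z == a * pk^c."""
    return pow(G, z, P) == (a * pow(pk, c, P)) % P

def honest_run(sk, h):
    """Prover knows sk; the verifier commits to c under kappa before seeing a."""
    pk = pow(G, sk, P)
    c, u = secrets.randbelow(Q), secrets.randbelow(Q)
    gamma = h_commit(h, c, u)                  # verifier's committed challenge
    r = secrets.randbelow(Q)
    a = pow(G, r, P)                           # prover's first message
    z = (r + c * sk) % Q                       # response once (c, u) is opened
    return pk, gamma, a, c, u, z

def simulated_run(pk, h, sigma):
    """Simulator without sk: choose (c', z) first, derive a, then equivocate gamma to c'."""
    c0, u0 = secrets.randbelow(Q), secrets.randbelow(Q)
    gamma = h_commit(h, c0, u0)                # committed before a is fixed
    c_new, z = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pk, -c_new, P)) % P    # a = g^z * pk^(-c')
    u_new = equiv(sigma, c0, u0, c_new)        # opening of gamma to c'
    return gamma, a, c_new, u_new, z

def accepts(h, pk, gamma, a, c, u, z):
    """Verifier: the commitment opens to c and the Sigma-protocol equation holds."""
    return h_commit(h, c, u) == gamma and schnorr_verify(pk, a, c, z)
```

Without \(\sigma\), the verifier cannot open \(\gamma\) to a second challenge, so binding holds for a real verifier while the transcript remains simulatable for whoever receives \(\sigma\) at the end.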

Fig. 4. \(\mathsf {C\text{- }at}\): A UC-Secure Commitment Protocol with Atomic Exchanges

In general we prefer to use the \(\mathsf {ag}\text{- }\mathsf {DHK0}_{\mathsf {Gen}}\) assumption to ascertain the private knowledge of \(\mathsf {sk}\). This may be more efficient in practice than a full implementation of, e.g., a WI-PoK. It essentially requires the selection of appropriate (and efficient) groups to work in, as done in Example 5.

A.2 Towards \(\mathcal {F}_{\mathsf {MCOM}}\)

The \(\mathcal {F}_{\mathsf {MCOM}}\) functionality is defined as follows:

  • \(\mathsf {Commit}(\mathsf {sid},R,m)\) message from \(S\). If \(\mathsf {sid}\) is not fresh, abort. Otherwise, store \((\mathsf {sid},S,R,m,\mathsf {sealed})\) and send a \([\mathsf {committed},\mathsf {sid},S]\) message to \(R\) and to the ideal adversary.

  • \(\mathsf {Open}(\mathsf {sid})\) message from \(S\). If \(\mathsf {sid}\) is new or the record \((\mathsf {sid},S,.,.,.)\) has no matching \(S\), abort. Otherwise, retrieve \((\mathsf {sid},S,R,m,\mathsf {state})\). If \(\mathsf {state}\ne \mathsf {sealed}\), abort. Otherwise, send an \([\mathsf {open},\mathsf {sid},m]\) message to \(R\) and to the ideal adversary, and replace \(\mathsf {state}\) by \(\mathsf {opened}\) in the \((\mathsf {sid},S,R,m,\mathsf {state})\) entry.
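A direct transcription of the \(\mathcal {F}_{\mathsf {MCOM}}\) functionality just defined, as an added example (not the paper's own code): each abort condition (non-fresh \(\mathsf{sid}\), unknown or mismatched sender, re-opening) is a separate check, and the outputs sent to \(R\) and the ideal adversary are recorded so that a test can inspect them. The class and method names are assumptions.

```python
class FMCom:
    """Ideal multiple-commitment functionality F_MCOM: one record per fresh sid."""

    def __init__(self):
        self.records = {}    # sid -> (S, R, m, state) with state in {"sealed", "opened"}
        self.outputs = []    # messages delivered to R and to the ideal adversary

    def commit(self, sid, S, R, m):
        """Commit(sid, R, m) from S: abort (return False) unless sid is fresh."""
        if sid in self.records:                  # sid not fresh -> abort
            return False
        self.records[sid] = (S, R, m, "sealed")
        self.outputs.append(("committed", sid, S))   # m itself is never revealed here
        return True

    def open(self, sid, S):
        """Open(sid) from S: abort unless sid exists, S matches and state is sealed."""
        rec = self.records.get(sid)
        if rec is None or rec[0] != S:           # new sid, or no record with this S -> abort
            return False
        stored_S, R, m, state = rec
        if state != "sealed":                    # already opened -> abort
            return False
        self.outputs.append(("open", sid, m))    # delayed output of m (see note 4)
        self.records[sid] = (stored_S, R, m, "opened")
        return True
```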

To realize this functionality, we use an assumption similar to the one in [16]: we assume that a participant plays the role of a trusted certificate authority (who is honest but curious), to whom participants register their keys \(\mathsf {sk}_X\) and \(\mathsf {sk}_E\). The first time a participant is involved in a commitment, he must register his keys with the certificate authority (CA) and get the CA’s public key at the same time. The CA would produce a certificate which could be verified with the CA’s public key. Then, the \(\mathsf {Init}\) phase between \(S\) and \(R\) would reduce to sending and verifying this certificate, without any ideal functionality. Due to the extraction nature of our \(\mathsf {Register}\) block, all secret keys would become extractable by the ideal adversary and the UC security would still hold.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Boureanu, I., Vaudenay, S. (2015). Compact and Efficient UC Commitments Under Atomic-Exchanges. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_23

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0