Keywords

1 Introduction

Secure two-party parallel coin-flipping is a probabilistic functionality that allows two mutually distrustful parties to agree on a common random bit-string of a certain target length. Using a coin-flipping protocol, both parties provide and combine independent contributions so that the output bit-string of an honest party is indistinguishable from random even if at most one party is malicious. The coin-flipping is denoted simulatable if it can be proven secure within the ideal/real simulation paradigm, showing that it emulates a protocol in an ideal world where an ideal functionality would decide and deliver the random bit-string to the two parties. Achieving simulatability is useful for the design of larger protocols, as it guarantees security under some type of composition operation, e.g., non-concurrent modular self-composition [Can00] (a.k.a. the stand-alone setting) or universal composability (UC) [Can01], depending on the type of achievable simulation, namely with-rewinding or one-pass, respectively.

Motivation for this functionality can be found directly in the real-world usefulness of “coin-flipping,” enabling parties to jointly make random decisions (e.g., “who gets the car” [Blu83]). A more-technical motivation for simulatability is the security enhancement of larger cryptographic protocols. An important application is the joint decision of a large common reference string needed as setup condition of one or several follow-up protocols [CR03]. It is also useful for protocols whose probabilistic output needs to directly depend on random bit-strings, such as in S2PC-with-commitments (e.g., [Bra13]), where both parties may want to jointly generate many random commitments.

1.1 Coin-Flipping and Primitives

A protocol for two-party coin-flipping (“by telephone”) was early proposed by Blum [Blu83]. It uses the fundamental notion of commitment scheme, allowing one party (P\(_{\text {A}}\)) to commit her own contribution before knowing anything about the contribution of the other party (P\(_{\text {B}}\)), but hiding it until the contribution of P\(_{\text {B}}\) is revealed, and binding P\(_{\text {A}}\) to only being able to open the committed value. The solution, emulating a coin-flipping into a well, sets the basis for what is hereinafter denoted as the traditional template:

  • Step 1. (Commit phase) P\(_{\text {A}}\) commits to a contribution, hiding it from P\(_{\text {B}}\).

  • Step 2. P\(_{\text {B}}\) selects and sends his random contribution to P\(_{\text {A}}\).

  • Step 3. (Open phase) P\(_{\text {A}}\) opens her contribution to P\(_{\text {B}}\) in a convincing way.

  • Step 4. Each party outputs a combination of both random contributions.

The simulatability of a coin-flipping protocol within this template may depend on the number of coins flipped in parallel, i.e., the length of the contributions, and the type of commitment scheme. When flipping a single coin, any hiding and binding commitment scheme is enough if rewinding is allowed in the simulation [Sect. 7.4.3.1, [Gol04]. Conversely, when doing parallel flipping of coins in number at least linear in the security parameter, or when considering a setting without rewinding, simulatability is facilitated by commitment (Com) schemes with special extractable (Ext) and equivocable (Equiv) properties. In an Ext-Com scheme [SCP00], a simulator is able to extract a contribution that has been committed by another party, in apparent conflict with the hiding property. In an Equiv-Com scheme [Bea96], a simulator is able to equivocate the opening to any contribution, namely to a value different from what had been committed, in apparent conflict with the binding property. The conflict is only apparent, as in comparison with a real party the simulator has extra power, such as capability to rewind the other party in the simulated execution, and/or knowledge of secret information (a trapdoor) obtained from some specially selected setup.

Traditionally, achieving simultaneous Ext and Equiv properties is costly as a function of the target length. For example: in the plain model and when allowing rewinding, by requiring zero-knowledge (ZK) proofs (or ZK proofs of knowledge) about elements of size or in number linear with the target length [Lin03], or cut-and-choose techniques with high communication cost [PW09]; or, in a model with setup assumptions but not allowing rewinding, by requiring Com-schemes based on computationally expensive operations (e.g., exponentiations) in number or size dependent on the target length [CF01, BCPV13].

This paper explores efficiency improvements in two ways: (i) augmenting the traditional template into a new structure that requires less sophisticated commitments (i.e., not necessarily Ext&Equiv); (ii) devising a more efficient Ext&Equiv-Com scheme that can be directly used within the traditional template. Both cases benefit from a pseudo-random generator (PRG) (naturally associated with the generation of bit-strings indistinguishable from random) and a collision-resistant hash function (CR-Hash) (naturally associated with compressing commitments). As the target length increases, the asymptotic communication rate: converges to 1 for each contribution of a party in the stand-alone coin-flipping; converges to a rate close to 1 (i.e., closer than any desired distance), for each phase (commit and open) of the UC-Com scheme. The computational complexity for each party approximates that of applying a PRG and a CR-Hash to produce an output and hash an input, respectively, with length expansion rate asymptotically as close as desired to 1. This is useful given the high efficiency of standardized PRG [BK15] (e.g., based on block or stream ciphers) and CR-Hash [Nat15] constructions. In the UC-Com scheme each party also uses an erasure code to encode a string of length approximately equal to the target length.

The initial (incomplete) intuition comes from the observation that: the Ext of a large string can be reduced to the Ext of one short seed, whose PRG-expansion is used to mask (with a one-time-pad) the large string; the Equiv of a large string can be reduced to the Equiv of a short hash of whatever large string (e.g., the mask) the simulator wants to equivocate. However, a simple triplet composed of a masking of a string, an Ext-but-not-Equiv-Com of the seed of the mask, and an Equiv-but-not-Ext-Com of a hash of the mask does not result in an Ext&Equiv-Com of the string. For example, opening the Ext-Com would disallow equivocability. This paper devises two ways in which to very-efficiently and securely combine the two separate properties, associated with a few commitments of short seeds and hashes (in number independent of the target length), into a unified property extended to a much larger string.

Contributions. In summary, two novel constant-round protocols are devised for two-party parallel coin-flipping (the second stemming from a new UC-Com scheme). They are proven secure in a static, active and computational model; i.e., at most one party is corrupted at the onset of the protocol execution, the corrupted party may deviate from the protocol specification, and both parties are limited to probabilistic polynomial time computations. For simplicity and generality, the protocols and proofs are defined in a hybrid model with access to ideal commitment functionalities \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\), from which the simulator only needs to use either the Ext or the Equiv property, respectively, but not the complementary property (Equiv or Ext, respectively).

1.2 Intuition and Overview of Protocol #1

The first protocol (Sect. 4) is simulatable-with-rewinding. It augments the traditional template with a simple preamble, in order to avoid a simulatability difficulty (related with unknown adversarial probabilities of abort) found in the protocol of Blum [Blu83], due to the use of an Equiv-but-not-Ext-Com scheme in the traditional template. The new solution also avoids a full-fledged Ext&Equiv-Com scheme, whose (older) constructions have a larger associated complexity: explicit ZK proof/argument sub-protocols about a committed long-contribution, as required in Lindell’s protocol [Lin03]; a high communication cost, as incurred in Pass and Wee protocol [PW09].

P\(_{\text {A}}\) is still the first party to learn the final bit-string. However, the new protocol starts with P\(_{\text {B}}\) producing an Equiv-Com of his contribution and only then proceeds to the traditional template. This allows the simulator in the role of P\(_{\text {A}}\) in the simulated execution to non-locally extract the contribution of a malicious P\(_{\text {B}}\) (i.e., upon rewinding beyond the respective commit phase), because said value cannot change across rewinding attempts, namely because P\(_{\text {B}}\) commits to it before the contribution of P\(_{\text {A}}\) is committed, and because the decision to open it (vs. aborting) is done while the contribution of P\(_{\text {A}}\) is still semantically hidden. The significant benefit is that now the commitment by P\(_{\text {A}}\) no longer needs to be Equiv, but rather only Ext. Correspondingly, using the Ext property, the simulator in the role of P\(_{\text {B}}\) in the simulated execution can extract the contribution of a malicious P\(_{\text {A}}\), without P\(_{\text {A}}\) opening it.

To the knowledge of the author: this construction has not been analyzed before (which is surprising given its simplicity), and in the mentioned simulatability setting it allows, asymptotically, the most efficient instantiation to date of two-side-simulatable coin-flipping in the plain model (assuming a PRG and CR-Hash instantiation with computational cost linear in the target length). The simulatability motivation to depart from the traditional template is subtle and the analysis is challenging for the case of corrupted P\(_{\text {B}}\) (the simulator is allowed expected-polynomial time). Asymptotically, the protocol requires communication of only two bits per flipped coin. Computationally, each party has to commit and open a short value, and compute a PRG and a CR-Hash of a string with the target length. Assuming intractability of the Decisional Diffie-Hellman (DDH) problem, an instantiation is possible with only five exponentiations per party in a setup phase (allowing the simulator to extract a trapdoor), and four (or six) exponentiations in the online phase. Exponentiations can be avoided altogether, by using PRG-based commitments of short strings or even just bit-commitments (e.g., as in [PW09] or others analyzed in the full version of this paper). In the later example, the simulator exercises Ext and Equiv over the Ext-Com and the Equiv-Com, respectively, using rewinding, and the construction requires more communication rounds and larger concrete communication complexity of the short commitments but is still amortizable.

1.3 Intuition and Overview of Protocol #2

The second protocol (Sect. 5) is a new UC-Com scheme (thus Ext&Equiv) for large bit-strings, with asymptotic communication rate as close to 1 as desired, and computational complexity linear in the string size. It is based on a cut-and-choose method, where the size of each instance in the cut-and-choose is (approximately) inversely proportional to the number of instances. Each instance is a triplet containing: the Ext-Com of a seed; a masking of an “authenticated” fragment (produced by an erasure code) of the string being committed; and an Equiv-Com of the hash of the mask. This allows the simulator to anticipate (before the actual open phase) whether each extracted fragment is correct or not, and reconstruct the original message using only correct fragments. The fragments are also equivocable because the respective pseudo-random masks are equivocable.

The ideal commitment functionalities used for separate Ext and Equiv simulatability properties can also be instantiated with a full-fledged Ext&Equiv-Com functionality. Assuming the existence of a PRG and a CR-Hash, this represents a UC-Com length extension, where a few (commit and open) calls to an Ext&Equiv-Com scheme for short bit-strings enable an Ext&Equiv-Com scheme for a string of a polynomially larger size. At the cost of more interactivity, the Equiv-Coms can be based on Ext-Coms.

Similar amortized asymptotic communication complexity is also achieved by very recent UC-Com scheme proposals [GIKW14, DDGN14, CDD+15]. They explicitly use oblivious transfer (OT), i.e., as an ideal functionality in a hybrid model. In contrast, the protocol in this paper avoids explicit use of OT, and instead uses base Ext-Com and Equiv-Com schemes (besides a PRG and a CR-Hash). Also, [GIKW14, DDGN14] rely on secret sharing schemes with error-correction or verifiability requirements ([CDD+15] works with any linear code), whereas this paper uses a simpler erasure code, facilitated by an authenticator mechanism, with corresponding benefits in terms of encoding parameters. A comparison of tradeoffs allowed by each design is left for future work.

1.4 Roadmap

The paper proceeds as follows: Sect. 2 reviews related work; Sect. 3 mentions background notions about the security model and ideal functionalities; Sect. 4 describes the new protocol for coin-flipping simulatable-with-rewinding; Sect. 5 specifies the new UC commitment scheme.

2 Related Work

2.1 Basic Primitives

One-way permutations or functions are enough in theory to achieve many useful cryptographic primitives, such as PRGs [HILL99, VZ12], one-way hash functions [NY89, Rom90], some types of commitment schemes [Nao91, DCO99] and ZK proofs of knowledge (ZKPoK) [FS90]. CR-Hash functions can also be built from other primitives [Sim98], such as claw-free sets of permutations [Dam88] or pseudo-permutations [Rus95]. Based on such primitives, coin-flipping can be achieved in different ways, e.g., based solely on one-way functions [Lin03, PW09] (with rewinding). In different simulatability settings, coin-flipping can be more directly based on higher level primitives, such as bit or multi-bit Ext&Equiv-Com schemes (e.g., [CF01, DN02, Cre03]) and even from coin-flipping protocols with weaker properties [HMQU06, LN11].

In the computational model (the one considered in this paper), there are known theoretical feasibility results about coin-flipping, covering the stand-alone and the UC security settings. For example, in the UC setting it is possible to achieve coin-flipping extension, i.e., coin-flip a large bit-string when having as basis a single invocation of an ideal functionality realizing coin-flipping of a shorter length [HMQU06]. This paper shares the concern of achieving properties in large strings based on functionalities associated with short strings, but focuses on a base of a few short commitments (not needing to be simultaneously Ext and Equiv) and has a motivation of improving efficiency. The paper does not delve into analyzing implications between different primitives (e.g., see [DNO10] for relations between OT and commitments, under several setup assumptions).

Only in very recent research works (including this one) have UC commitment schemes been devised with an amortized communication cost, with asymptotic rate close to 1. In contrast, similar attention has not been given to coin-flipping in the stand-alone setting, where the most efficient protocols known to be two-side simulatable would not be highly efficient for large strings. While the new results for UC-Com schemes are directly applicable to stand-alone secure coin-flipping, with a corresponding asymptotic efficiency benefit (3 bits per flipped coin), an yet different and more efficient approach (2 bits per flipped coin) is herein devised for the stand-alone setting, without requiring an explicit Ext&Equiv-Com scheme.

In spite of very-efficient realizations of OT-extension [ALSZ15] and free-XOR techniques [KS08] for garbled circuits, a coin-flipping based on a direct (generic) approach of S2PC of bit-wise-XOR would still induce, in communication and computation, a multiplicative cost proportional to the security parameter, by requiring one minicrypt block operation (e.g., block-cipher evaluation) per flipped coin. In contrast, in the approach in this paper each block of bits (e.g., equal to the security parameter) requires a unitary number of minicrypt block operations (e.g., close to 1 block-cipher for the PRG and 1 CR-Hash).

The idea of combining commitments with a CR-Hash (hash then commit) and commitments with a PRG for efficiency reasons is not new. The former resembles the hash then sign paradigm, and it also has applications to non-malleable commitments [DCKOS01]. The later resembles hybrid encryption, where a symmetric key (the analogous to the PRG seed) would be encrypted with a public key system (the analogous to the commitment) and then the message would be encrypted with a symmetric scheme (the analogous to the one-time-pad masking using the PRG expansion). This paper explores ways of combining both techniques, aimed at efficient simulatable coin-flipping and UC commitment schemes.

2.2 Parallel Coin-Flipping Simulatable-with-Rewinding

A parallel coin-flipping using the traditional template is simulatable if the base commitment scheme is Ext&Equiv. Lindell achieved this (in two variant protocols [Lin03, Sects. 5.3 and 6]) by augmenting the commit and open phases with ZK sub-protocols that enable the respective Ext and Equiv properties: an Ext-commit phase (step 1) is a regular commitment followed by a ZK argument of knowledge of the committed value, from which the simulator in the role of receiver can extract the value; an Equiv-open phase (step 3) consists on sending the intended (equivocated) contribution of P\(_{\text {A}}\) (which on its own cannot be verified against the respective commitment) and giving a fake ZK argument that it was the valid committed value. The solution provides a feasibility result for constant-round simulatable parallel coin-flipping. However, for a general commitment scheme applied to a long bit-string, either a ZK proof/argument of knowledge for extraction or a ZK proof/argument for equivocation is typically expensive, if not both. Note: the protocols by Lindell also address an augmented version of coin-flipping into a well, where P\(_{\text {A}}\) receives a random bit-string and P\(_{\text {B}}\) receives the result of applying a known function to such bit-string – the case of the identity function is the one considered in this paper.

In a different approach, Pass and Wee [PW09] use cut-and-choose techniques to achieve Ext and Equiv properties directly from regular commitment schemes (and thus from one-way functions). They show simulatability of coin-flipping in the traditional template, based on an Ext&Equiv-Com scheme constructed from regular commitments in number proportional to the target length multiplied by the statistical parameter. In contrast with the two above referred constructions, protocol #1 in this paper integrates separately the Ext and Equiv properties, in different commitments, in order to improve efficiency, amortizing the cost of base commitment schemes to that of a PRG and CR-Hash.

Goldreich and Kahan [GK96] also joined two types of commitment schemes in a protocol to achieve (what this paper calls) non-local extraction. Their application is constant round ZK interactive proof systems, rather than coin-flipping. They also augment the protocol by introducing an unconditional hiding commitment as preamble, but their goal is achieving statistical soundness in an interactive proof system, rather than providing local equivocability or achieving a communication complexity amortization as in protocol #1 in this paper. They define a simulator that estimates the probability of non-abort of the malicious party, in order to dynamically determine an upper bound on the number of rewindings that should be tried before giving up on obtaining a (second) non-abort by the malicious party. The estimation works because the commitments are used in a way that prevents the probability of abort from depending (i.e., up to a negligible variation) on the value committed by the honest party. This simulation strategy was also used by [Lin03, PW09] for the simulation of ZK sub-protocols, and can also be used to simulate the coin-flipping protocol #1 in this paper, with an expected polynomial number of rewindings. However, the technique is not applicable in the coin-flipping protocol of Blum [Blu83], because there the decision of abort by the party that produced the Equiv-Com (i.e., the decision to open her contribution vs. to abort without opening) is made once already knowing the contribution of the other party.

A similar subtle problem of simulatability derived from unknown probabilities of abort has also been addressed by Rosen [Ros04]. With the goal of simplifying the analysis of simulatability of ZK proofs, Rosen introduces a preamble stage involving an unconditionally-hiding Ext-Com, allowing a prover in a ZK proof system to initially (and locally) extract the challenge of the verifier. Such augmentation is different from the one in this paper. First, the preamble commitment in their ZK proof (Ext-)commits a value (the challenge) that does not influence the actual honest output bit (accept vs. reject) of the ZK. Conversely, herein the value (Equiv-)committed (by P\(_{\text {B}}\)) in the preamble is a contribution with direct impact in the bit-string outputted by the coin-flipping execution. Second, in their ZK application the use of the preamble with the Ext-Com by one party (the verifier) relieves the simulator in the role of the other party (the prover) from having to do non-local equivocation in the subsequent part of the execution. Conversely, herein the preamble (with an Equiv-Com by P\(_{\text {B}}\)) does not relieve the simulator in the role of the other party (P\(_{\text {A}}\)) from having to non-locally equivocate the contribution that it commits to in the remainder of the execution. Third, their proposed Ext-Com scheme is unconditionally hiding, whereas the PRG-based Ext-Com construction used in protocol #1 to commit the contribution of P\(_{\text {A}}\) is (motivated by efficiency) inherently non-unconditionally hiding.

2.3 UC Commitment Schemes

When rewinding is not possible, the simulatability of flipping even a single coin using the traditional template requires the underlying commitment scheme to be simultaneously Ext and Equiv [CR03]. Canetti and Fischlin [CF01] developed non-interactive UC commitments, requiring a unitary number of asymmetric operations per committed bit. The construction assumes a common reference string (CRS) setup and is based on the equivocable bit-commitment from Crescenzo, Ishai and Ostrovsky [DCIO98]. Canetti, Lindell, Ostrovsky, and Sahai [CLOS02] proposed other non-interactive schemes from general primitives, with adaptive security without erasures. Damgård and Nielsen [DN02] then improved with a construction denoted mixed commitment scheme, that is able to commit a linear number of bits using only a unitary number of asymmetric operations, and using a linear number of communicated bits. For some keys they are unconditionally-hiding and equivocable, whereas for other keys they are unconditionally-binding and extractable. Crescenzo [Cre03] devised two non-interactive Ext&Equiv-Com schemes for individual bits, in the public random string model. One construction is based on Equiv-Com schemes and NIZKs, the other is based on one Ext-Com and one Equiv-Com schemes. Damgård and Lunemann [DL09] consider UC in a quantum setting and solve the problem of flipping a single bit, based on UC-Coms from [CF01]. Lunemann and Nielsen [LN11] consider also the quantum setting and achieve secure flipping of a bit-string based on mixed commitments from [DN02]. They consider how to amplify security from weaker security notions of coin-flipping (uncontrollable, random) up to full simulatable (enforceable). The use of Ext-Com and Equiv-Com schemes, together with a cut-and-choose and encoding scheme has been previously considered by Damgård and Orlandi [DO10]. They combine these techniques to enhance security from the passive to the active model for secure computation of arithmetic circuits, in a model where a trusted dealer is able to generate correlated triplets. While they achieve efficient constructions for multiparty computation (also including more than two parties), the efficiency is not amortized to communication rate 1.

More efficient commitment schemes have been proposed for short strings, e.g., [Lin11, FLM11, BCPV13, Fuj14] achieving a low (but greater than one) constant number of group elements of communication and of exponentiations to commit to a group element. Still, the trivial extension of these protocols for larger strings would imply a linear increase in said number of asymmetric operations (modular exponentiations), without amortization. Some of these schemes achieve adaptive security, whereas this paper considers only static security.

Recent independent works achieve asymptotic communication rate 1: [GIKW14] additionally considers selective openings; [DDGN14, CDD+15] additionally consider homomorphic properties and verification of linear relations between committed values; [CDD+15] achieves, comparably to this paper, linear computational complexity. These protocols are based on a hybrid model with an ideal OT functionality. In contrast to OT, the cut-and-choose mechanism in protocol #2 in this paper does not hide from the sender the partition of (check) instances. Also, an authenticator mechanism allows the simulator to recover the fragmented message using an erasure code, thus allowing a cut-and-choose with less instances than what an error correction code would imply (e.g., see Table 1). A more recent concurrent result [FJNT16] improves the complexity of the OT-based protocols (also for additively homomorphic commitments), using an additional consistency check mechanism to also allow an erasure code.

A concrete comparison between different methods – qualitative (e.g., implications between primitives) and quantitative (actual instantiations and implementations) – is left for future work. For example, [GIKW14]) reports 640 exponentiations for a concrete instantiation of the OT setup phase. In this paper, a concrete instantiation of Ext or Equiv commitments has not been explored, though their complexity is naturally upper bounded by that of instantiations of full-fledged UC-Coms for short strings, e.g., requiring less than a dozen group elements per base commitment [BCPV13]. The overall number of commitments of short strings will depend on the erasure code parameters, defined to meet the goals of statistical security and communication rate.

In summary, this paper is focused on the design of protocols that explore the duality between Ext and Equiv commitments, without considering OT as a primitive. About OT only two notes are mentioned here from other work: it is known that UC-OT implies UC-Coms in myriad setup models [DNO10, Fig. 1], e.g., in the uniform, the chosen and the any CRS models (U/C/A-CRS), and in the chosen and the any key registration authority models (C/A-KRA), whereas the reverse implication is proven only in a narrower set of models (e.g., U/A-CRS, A-KRA) [DNO10, Table 1]; while [GIKW14] shows that “the existence of a semi-honest OT protocol is necessary (and sufficient) for UC-Com length extension,” the UC scheme in this paper does not make explicit use of OT and can also be seen as a UC-Com length extension (if replacing the Ext-Com and Equiv-Com schemes with an Ext&Equiv-Com scheme) – these two results do not superpose, since [GIKW14] only allows a single call to the ideal Com-scheme, whereas the extension herein requires several calls.

3 Background Notions

It is here assumed that the reader is familiar with the ideal/real simulation paradigm, as developed in the work of Canetti on composability of protocols [Can00, Can01]. Familiarity is also assumed with the standard ideal functionalities of commitment schemes (\( \mathcal {F} _{\text {MCOM}}\)) and coin-flipping (\( \mathcal {F} _{\text {MCF}}\)), namely in the UC framework. For example, instances can be found in [CF01, Fig. 3] (multiple bit-commitments), [DN02, Sect. 4.2] (multiple message-commitments, there also considering homomorphic relations), [DL09, Fig. 2] (coin-flipping), [Lin03] (general S2PC). A background review of these standard notions and specification of ideal functionalities is given in full version of this paper. For convenience, this section simply states informal notions about extractable and equivocable commitments.

Definition 1

(Extractability). An extractable commitment (Ext-Com) scheme is one whose commit phase in a simulated execution allows \(\mathcal {S}\) in the role of receiver, indistinguishable from an honest receiver in the view of a possibly malicious sender, to extract (i.e., learn) the committed value, with probability equal to or larger than a value negligibly-close to the maximum probability with which the (possibly malicious) sender is able to successfully open said value.

Definition 2

(Equivocability). An equivocable commitment (Equiv-Com) scheme is one whose open phase in a simulated execution allows \(\mathcal {S}\) in the role of sender, indistinguishable from an honest sender in the view of a possibly malicious receiver, to equivocate the opening to any intended value, in the domain of committable values and possibly decided only after the commit phase.

Definition 3

(Locality of Ext and Equiv). Within a protocol using commitments, namely with both commit and open phases, extraction is characterized as local if \(\mathcal {S}\) can extract the committed value within the respective commit phase, i.e., without going beyond that phase in the protocol and without rewinding to a step before that phase. Local equivocation is defined analogously in relation to the open phase. The properties are characterized as non-local if they can be achieved but not locally, i.e., involving rewinding beyond the respective phase.

The protocols hereinafter are described and proven secure in a hybrid model with access to ideal commitment functionalities \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\), with which \(\mathcal {S}\) respectively only needs to take advantage of Ext and Equiv, but not both.

4 A New Coin-Flipping Simulatable-with-Rewinding

This section devises a new (constant round) parallel coin-flipping protocol, simulatable-with-rewinding. The intuition has already been given (Sect. 1.2); a textual description follows, along with a specification with succinct notation in Fig. 1.

Fig. 1.
figure 1

Protocol #1 (Parallel coin-flipping (simulatable-with-rewinding). Legend: \(\kappa \) (cryptographic security parameter, e.g., \(128\equiv 1^{128}\)); \(\ell \) (target length, i.e., number of bits to coin-flip in parallel, e.g., \(10^{6}\), satisfying \(\ell \in O(poly(\kappa ))\)); \(\chi _{p}\) (contribution of P\(_{p}\), for \(p\in \left\{ A,B\right\} \)); PRG\([s](\ell )\) (expansion of seed s, using the PRG, into a bit-string of length \(\ell \)); \(\kappa _{\text {PRG}}\) (length of PRG input-seed, consistent with \(\kappa \)); X, Q (indices denoting extractable and equivocable); \((ctx ,x)\) (abbreviation for \((sid , (cfid ,x), \text {P}_{\text {A}}, \text {P}_{\text {B}})\), where \(x\in \left\{ \text {X},\text {Q}\right\} \) – by including X and Q in the context information exchanged with the respective ideal Com functionalities (\( \mathcal {F} _{\text {X}}\), \( \mathcal {F} _{\text {Q}}\)), it is syntactically easier to replace them both by a single full-fledged ideal X&Q (multi-)Com functionality \( \mathcal {F} _{\text {X} \& \text {Q}}\)).

Full size image

4.1 Description of Protocol #1

The protocol implicitly depends on a computational security parameter (1) and a respectively secure PRG and CR-Hash function (2). The execution starts when both parties are activated to initiate a coin-flipping of a certain target length, with an appropriate execution context (3), which in particular encodes the roles of the two parties – P\(_{\text {A}}\) will be the first to learn the final outcome ((4)–(5)) – and the target length. After a possibly implicit setup phase (e.g., in the plain model, to allow the simulator to obtain a trapdoor), P\(_{\text {B}}\) selects his contribution (6) with the target length, calculates its hash (7), and uses \( \mathcal {F} _{\text {Q}}\) to commit to the hash ((8)–(9)). Then, P\(_{\text {A}}\) selects a seed (10) and commits to it using \( \mathcal {F} _{\text {X}}\) ((11)–(12)). P\(_{\text {A}}\) also selects a random bit-string (denoted contribution masking) with the target length (13) and sends it to P\(_{\text {B}}\) (14). Then, P\(_{\text {B}}\) uses \( \mathcal {F} _{\text {Q}}\) to open the committed hash to P\(_{\text {A}}\) ((15)–(16)) and sends his contribution to P\(_{\text {A}}\) (17). P\(_{\text {A}}\) checks that the hash of the contribution of P\(_{\text {B}}\) is equal to the opened hash (18). If not, it Aborts; otherwise it proceeds. Then, P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {X}}\) to open to P\(_{\text {B}}\) the committed seed ((19)–(20)). Finally, each party proceeds concurrently with local computations: expanding the seed of P\(_{\text {A}}\) into a bit-string of the target length (21) (i.e., the mask); computing the bit-wise exclusive-OR (XOR) combination of the mask and the contribution masking, thus determining the contribution of P\(_{\text {A}}\) (22); and locally computing the final outcome as the XOR of the two contributions (23), and deciding that as the final output ((24)–(25)).

4.2 Concrete Instantiations in the Plain Model

In the plain model, \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\) can be respectively replaced by actual Ext-Com and Equiv-Com schemes, agreed upon in a setup phase, with Ext-Com being non-malleable with respect to opening of Equiv-Com. An intuition is given here for possible concrete instantiations (more details in the full version).

Based on DDH Intractability Assumption. For the Ext-Com scheme: P\(_{\text {A}}\) commits to the seed by sending a simple El-Gamal encryption [ElG85] of the seed; the simulator can extract if it knows the encryption key (a discrete-log); P\(_{\text {A}}\) opens the seed by revealing the seed and the encryption randomness, thus letting P\(_{\text {B}}\) verify its correctness. For the Equiv-Com scheme: P\(_{\text {B}}\) commits by sending a simple Pedersen commitment [Ped92] of the hash; P\(_{\text {B}}\) opens the hash by revealing the hash and the commitment randomness. The simulator can equivocate the opening if it knows the trapdoor (a discrete-log). Interestingly, both Com-schemes can have the same trapdoor, because the seed extraction and the hash equivocation are needed by the same simulator (in the role of P\(_{\text {B}}\), when interacting with \(\text {P}_{\text {A}}^{*}\)). The parameters can be agreed in a setup phase, with \(\text {P}_{\text {A}}^{*}\) proposing them (two generators in a multiplicative group where the DDH assumption holds) and giving a ZKPoK of their relation (the discrete-log between two generators). Basically, this can be a ZK adaptation of Schnorr’s protocol [Sch91], e.g., as described in [LPS08, Fig. 3]. Overall, this requires only 9 exponentiations from each party (or 11, using more practical parameters), 5 of which are in the setup phase (amortizable across several coin-flippings).

A Concrete Application Example. The S2PC-with-BitComs protocol in [Bra13], simulatable-with-rewinding, requires a simulatable coin-flipping to sample a random group element for each bit of input and output of the regular S2PC. (Improvements of the protocol can reduce the needed number and size of said group-elements.) There, the benchmark evaluation of S2PC-with-BitComs of AES-128 requires a simulatable flipping of about 1.18 million bits. As suggested therein, using a DDH assumption in groups over elliptic curves, an instantiation of the coin-flipping with the protocol of [Lin03] would require (for practical parameters) 7 exponentiations per party per block of 256 bits, and communication of about 12 blocks per block, i.e., overall about 32 thousand exponentiations and 14 megabits. In contrast, the new coin-flipping devised herein would overall require (with the instantiation suggested in the previous paragraph) less than a dozen exponentiations per party and slightly less than 2.5 megabits of communication, thus reducing the coin-flipping sub-protocol complexity by more than 3,000 fold in number of exponentiations and about 6 fold in communication.

Based on PRG-Based Commitments. It is possible to avoid exponentiations by building Ext-Com and Equiv-Com schemes based on more basic primitives, such as regular commitments (i.e., hiding and biding but possibly not Ext and not Equiv). For example, Pass and Wee [PW09] analyze cut-and-choose based constructions (the full version of this paper explores improvements, e.g., using a random-seed-checking type of technique [GMS08]). Comparatively, those constructions require more concrete communication than the DDH based one, but still amortizable because it only applies to two short elements (one seed and one hash), and more online interactivity.

4.3 Security Analysis

Proving security (i.e., simulatability) amounts to show a simulator (\(\mathcal {S}\)) that, with an expected number of rewindings at most polynomial in the security parameter, induces in the ideal world a global output whose distribution is indistinguishable from the one in the real world. In the role of each party in a simulation, \(\mathcal {S}\) must be able (with overwhelming probability) to learn the contribution of the other possibly-malicious (black-box) party and still be in a position to open the needed complementary contribution, as if it was honestly random, and at the same time simulate the correct probability of early abort.

Theorem 1

(Security of Protocol #1). Assuming a cryptographically secure PRG and CR-Hash, protocol #1 securely-emulates (with computational indistinguishability) the ideal functionality \( \mathcal {F} _{\text {MCF}}\) of long bit-string coin-flipping between two-parties, in a stand-alone setting and in the (\( \mathcal {F} _{\text {X}}\),\( \mathcal {F} _{\text {Q}}\))-hybrid model, in the presence of static and computationally active rewindable adversaries. For each (polynomially arbitrarily-long) bit-string coin-flipping execution, each phase (commit and open) of \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\) is invoked only once for a short string; simulation is possible: without rewinding in the case of a malicious \(\text {P}_{\text {A}}^{*}\); with an expected polynomial number of rewindings in the case of a malicious \(\text {P}_{\text {B}}^{*}\).

One-Pass Simulation (i.e., Without Rewinding), for Malicious \({\varvec{P}}^*_{\varvec{A}}\) . In the simulated execution, \(\mathcal {S}\) (in the role of P\(_{\text {B}}\)) commits to a random hash value (8). Then, \(\mathcal {S}\) impersonates \( \mathcal {F} _{\text {X}}\) to extract from \(\text {P}_{\text {A}}^{*}\) the seed committed by \(\text {P}_{\text {A}}^{*}\) (11). \(\mathcal {S}\) computes the PRG expansion of the seed (as in (21)). Then, upon receiving the contribution masking of \(\text {P}_{\text {A}}^{*}\) (14), \(\mathcal {S}\) combines it with the PRG-expansion of the extracted seed (as in (22)), in order to learn the contribution of \(\text {P}_{\text {A}}^{*}\). Then, in the ideal world, \(\mathcal {S}\) in the role of the ideal \(\widehat{\text {P}}_{\text {A}}^{*}\) receives from the ideal coin-flipping functionality \( \mathcal {F} _{\text {MCF}}\) the random target coin-flipping bit-string. \(\mathcal {S}\) then computes the needed complementary contribution of P\(_{\text {B}}\), as the XOR between the target outcome and the contribution of \(\text {P}_{\text {A}}^{*}\). \(\mathcal {S}\) computes the hash of this complementary contribution (as in (7)) and in the role of \( \mathcal {F} _{\text {Q}}\) it equivocates its opening to be such hash value (16). Finally, \(\mathcal {S}\) also sends the complementary contribution to \(\text {P}_{\text {A}}^{*}\) (17). Since the ideal \( \mathcal {F} _{\text {X}}\) is impersonated by \(\mathcal {S}\) (respectively, in the plain model, since Equiv-Com is non-malleable with respect to opening of Ext-Com), it follows that \(\text {P}_{\text {A}}^{*}\) can only either open the contribution (19) that has been extracted by \(\mathcal {S}\), or abort without successfully opening her contribution. In case of abort by \(\text {P}_{\text {A}}^{*}\), \(\mathcal {S}\) emulates an abort; otherwise, \(\mathcal {S}\) lets \( \mathcal {F} _{\text {MCF}}\) continue the execution in the ideal world (i.e., send the bit-string to the ideal \(\widehat{\text {P}}\) \(_{\text {B}}\)) and \(\mathcal {S}\) outputs in the ideal world what \(\text {P}_{\text {A}}^{*}\) outputs in the simulation. (In the plain model, extractability of Ext-Com and/or equivocability of Equiv-Com may require either local rewinding or rewinding in a setup phase, but that is irrelevant in the hybrid model).

Simulation with Explicit Rewinding, for Malicious \({{\varvec{P}}}^*_{{\varvec{B}}}\) .

  • First iteration. In the simulated execution, \(\mathcal {S}\) in the role of an honest P\(_{\text {A}}\) interacts until receiving the contribution of \(\text {P}_{\text {B}}^{*}\) and verifying its hash against the respective opening (18). If \(\text {P}_{\text {B}}^{*}\) aborts until this step (including by an invalid opening), then \(\mathcal {S}\) emulates an abort, otherwise it proceeds.

  • Get target outcome. \(\mathcal {S}\) in the role of ideal \(\widehat{\text {P}}_{\text {B}}^{*}\) receives from \( \mathcal {F} _{\text {MCF}}\) in the ideal world the target outcome and uses it to compute the needed complementary contribution of P\(_{\text {A}}\) in the simulated execution, namely the XOR between the target outcome and the contribution of \(\text {P}_{\text {B}}^{*}\).

  • Determine upper-bound of rewindings. \(\mathcal {S}\) determines an upper bound number of rewindings (#rw-bound) needed for the next simulation stage. This can be based on the strategy of Goldreich and Kahan [GK96], which involves rewinding, possibly a super-polynomial number of times, to repeat committing a random contribution of P\(_{\text {A}}\) ((11)–(14)) and expecting to obtain an opening of the contribution of P\(_{\text {B}}\) ((16)–(17)), until indeed obtaining a successful opening (18) an adequate polynomial (e.g., quadratic) number of times, and estimating therefrom an adequate probability of non-abort by P\(_{\text {A}}\), and defining #rw-bound as the inverse of said estimate. An intuition for the expected polynomial number of rewindings is that a negligible probability of non-abort also implies a negligible probability that the simulation reaches this estimation stage. (Using a more involved argument about the hiding property of the PRG-based Ext-Com of the contribution of P\(_{\text {A}}\), the full version of the paper explores the possibility of a different simulation strategy, with a static super-polynomial upper bound #rw-bound, i.e., not depending on a dynamic estimation of the non-abort probability).

  • Induce target outcome. \(\mathcal {S}\) rewinds and selects (10) and commits (11) to a new random seed of P\(_{\text {A}}\). Then, \(\mathcal {S}\) computes and sends to \(\text {P}_{\text {B}}^{*}\) a contribution masking of P\(_{\text {A}}\) (14), computed as the XOR combination of the needed complementary contribution and the PRG-expansion of the seed (instead of a random contribution masking (13)). Since the Ext-Com+PRG-based commitment of the contribution of P\(_{\text {A}}\) is semantically hiding, the probability of abort by \(\text {P}_{\text {B}}^{*}\) changes at most by a negligible amount in comparison with the previous stage. If \(\text {P}_{\text {B}}^{*}\) subsequently opens his contribution successfully ((16)–(18)), then \(\mathcal {S}\) continues the simulation until the end and outputs in the ideal world whatever \(\text {P}_{\text {B}}^{*}\) outputs in the simulated execution, even \(\text {P}_{\text {B}}^{*}\) aborts before receiving the opening of the seed of P\(_{\text {A}}\) (20). Otherwise, if \(\text {P}_{\text {B}}^{*}\) aborts without successfully opening his contribution, \(\mathcal {S}\) rewinds and replays again as just described, again and again until either obtaining a successful opening of the contribution of \(\text {P}_{\text {B}}^{*}\) (equal to the one already known by \(\mathcal {S}\)) and in that case leading the simulation to an end, or until reaching the #rw-bound bound, and in that case it emulates an abort in the ideal world.

5 A New UC Commitment Scheme

This section devises a new UC commitment scheme, thus one-pass-simulatable and with local Ext and Equiv properties, usable in the traditional template of coin-flipping to commit and open the contribution of P\(_{\text {A}}\).

5.1 More Intuition

Besides the Ext-Com, Equiv-Com, PRG and CR-Hash, the new protocol embeds three main ingredients, in a sequence of optimizations:

  • a cut-and-choose: P\(_{\text {A}}\) builds several instances of short commitments and then P\(_{\text {B}}\) checks the correctness of some (the check instances) to gain some confidence that a majority of the others (the evaluation instances) is correct;

  • authenticators: allow the simulator to anticipate whether individual instances are good or bad, thus gaining assurance about correct extraction;

  • an information dispersal algorithm (IDA): allows spliting the target message m into smaller fragments, and allows recovery of the original message from a sufficient number of those fragments (essentially, based on a threshold erasure code); using an IDA enables the size of each instance of the cut-and-choose to be reduced proportionally to the number of instances.

5.1.1 Cut-and-Choose Warmup

A simple (yet innefficient) UC-Com scheme:

  • Commit phase. P\(_{\text {A}}\) produces several seeds, builds an Ext-Com of each, and also an Equiv-Com of a CR-Hash (hereafter denoted global hash) of the sequence of PRG-expansions of all seeds. Then, P\(_{\text {B}}\) cuts the set of instances of seed-commitments into two random complementary subsets, and chooses one for a check operation and the other for an evaluation operation. For each evaluation instance, P\(_{\text {A}}\) uses the respective PRG-expansion to XOR-mask the target message, and sends the respective message masking to P\(_{\text {B}}\).

  • Open phase. P\(_{\text {A}}\) reveals the message m, letting P\(_{\text {B}}\) compute all used masks, one for each evaluation instance, namely the XOR of the message with each respective masking. P\(_{\text {A}}\) also opens all check seeds, letting P\(_{\text {B}}\) compute the respective PRG-expansions. Finally, P\(_{\text {A}}\) opens the committed global hash, letting P\(_{\text {B}}\) verify that it is equal to the one that can be obtained from the learned masks and PRG-expansions. Otherwise, if the global hash verification fails, P\(_{\text {A}}\) rejects the opening of the message m.

This has the needed simulatability properties (though high communication complexity: target length \(\ell \) multiplied by number e of evaluation instances):

  • Hiding. In the commit phase, the maskings hide the message from P\(_{\text {B}}\), due to the XOR one-time-pad between message and PRG-expansions (the masks).

  • Binding. In the open phase, P\(_{\text {A}}\) is bound to open a single message: by collision resistance of CR-Hash, P\(_{\text {A}}\) can know at most one pre-image of the global hash, i.e., at most one sequence of valid masks (one mask per instance). Thus, P\(_{\text {A}}\) can at most successfully open the message that for all evaluation instances is equal to the XOR of the respective mask and masking.

  • Equivocation. In the open phase, the equivocator-simulator (\(\mathcal {S}^Q\)) in the role of P\(_{\text {A}}\) can open any desired fake message, by revealing the message, opening the correct seeds of check instances and then equivocating the needed fake global hash (without revealing the respective seeds of evaluation instances).

  • Extractability. In the commit phase, the extractor-simulator (\(\mathcal {S}^X\)) in the role of P\(_{\text {B}}\) extracts the seed of each evaluation instance, then uses its PRG-expansion to unmask the respective masking into a tentative message. If a majority of the tentative messages are equal, then \(\mathcal {S}^X\) chooses their value as the correct one. Otherwise \(\mathcal {S}^X\) guesses that P\(_{\text {A}}\) will not be able to successfully open any message in the later open phase. Conditioned on a future successful verification of the global hash, the probability that the majority of the extracted seeds are correct is, with adequate cut-and-choose parameters [SS11, Sect. A], overwhelming in the total number of instances. For example, slightly more than 40 bits of statistical security, i.e., a probability of wrong extraction less that two to the minus 40, is obtained using 123 instances, 74 of which for check and 49 of which for evaluation  [Bra13, Table 2].

5.1.2 Authenticator Aid

Statistical security can be improved by giving \(\mathcal {S}^X\) the ability to decide whether isolated evaluation instances are good or bad. This allows \(\mathcal {S}^X\) to extract an incorrect message (or none at all) only if all check instances are good and all evaluation instances are bad, i.e., only if a malicious \(\text {P}_{\text {A}}^{*}\) anticipates the exact cut-and-choose partition. The new rationale about probabilities is similar to that of the forge-and-lose type of technique recently devised for more general S2PC protocols based on a cut-and-choose of garbled-circuits [Bra13, Lin13, HKE13]. The success criterion changes from “at least a majority of correct instances” to “at least one correct instance.” For example, 40 bits of statistical security can now be obtained with 41 or 123 instances, by respectively limiting evaluation instances to be at most 20 or 8. Since only evaluation instances are relevant in terms of communication, with 123 instances this corresponds to a 6-fold reduction in communication (i.e., vs. the previous method with 49 evaluation instances).

The intended verifiability is achieved by augmenting each evaluation instance with a short authenticator that allows \(\mathcal {S}^X\) to verify whether or not each extracted seed is consistent with each respective anticipated tentative message. Specifically, when \(\mathcal {S}^X\) extracts a seed and uses its seed-expansion to unmask the respective masking received from P\(_{\text {A}}\), only two things may happen: either (i) \(\mathcal {S}^X\) gets a correctly authenticated message, which must be the only one that P\(_{\text {A}}\) can later successfully open, i.e., this is a good instance; or (ii) \(\mathcal {S}^X\) gets an incorrectly authenticated message, implying that a successful opening by a malicious \(\text {P}_{\text {A}}^{*}\) will reveal a mask different from the seed-expansion, i.e., this is a bad instance.

The authenticator is implemented as a function that relates the message and a nonce in a non-trivial way, to ensure that it is infeasible for \(\text {P}_{\text {A}}^{*}\) to produce a masking for which two different unmaskings yield authenticated messages. Also, in order to allow equivocation by \(\mathcal {S}^Q\) (when in the role of P\(_{\text {A}}\)), the authenticator is masked by an equivocable mask. The authenticator cannot simply be a CR-Hash function (i.e., without an unpredictable input) of the masked fragment, lest \(\text {P}_{\text {A}}^{*}\) would in that case (by maliciously using a mask different from the seed-expansion) be able to induce a collision by crafting a special mask different from the seed-expansion. Instead, the authenticator can be achieved by means of a universal hash family, such that the probability of collision is independent of the choices of \(\text {P}_{\text {A}}^{*}\). This can be implemented by introducing a random unpredictable value (a nonce) that P\(_{\text {B}}\) discloses to \(\text {P}_{\text {A}}^{*}\) only after \(\text {P}_{\text {A}}^{*}\) becomes bound to her choices, e.g., after committing to the seeds and global hash. This nonce acts like an identifier of the hash from the universal hash family.

In concrete, the authenticator can for example be an algebraic field-multiplication between the nonce and a CR-hash of the message. If the image space of the CR-Hash is the set of bit-strings of some fixed length (e.g., 256 bits), the nonce can be uniformly selected from the non-null elements of a Galois field with characteristic 2, modulo an irreducible polynomial of degree equal to the hash length. This ensures that the authenticators of any two known messages (which by assumption have different CR-Hash) would have an unpredictably offset. Conversely, a successful forgery by \(\text {P}_{\text {A}}^{*}\) would require guessing this offset, in order to make the real mask have such (bit-wise XOR) offset with the seed-expansion. (Optimizations are possible, requiring a more involved explanation and/or correlation-robust type of assumptions – details in the full version.)

5.1.3 IDA Support

Communication is drastically reduced by using a threshold information dispersal algorithm (IDA) [Rab89]. The IDA enables splitting (i.e., dispersing) the original message m into several (e) fragments, such that m can be reconstructed from any subset with at least a threshold number t of good fragments, each with a reduced length (|m|e / t). As |m| increases, the asymptotic communication complexity is thus proportional to e / t, which can be made as close to 1 as desired.

Any t-out-of-e erasure-code can be used, e.g., based on XOR operations and with linear time encoding and somewhat efficient decoding. It does not need to hide the original message, as would a full-fledged secret-sharing scheme [Sha79, Kra94], because in the commit phase P\(_{\text {B}}\) receives maskings of (authenticated) fragments, instead of fragments in clear. It also does not need to support correction of semantic errors [RS60], because the authenticator mechanism gives \(\mathcal {S}^X\) (in the role of P\(_{\text {B}}\)) the ability to detect errors and thus simply discard bad fragments. \(\mathcal {S}^X\) reconstructs m from any subset of at least t good fragments.

It is interesting to notice that parties only need to encode; only the simulator needs to decode. A rateless code is also possible, with appropriate probabilistic considerations – there are very efficient instantiations, e.g., [Lub02, Sho06].

The statistical security is again changed, with the new criterion for successful extraction requiring a number of good evaluation instances at least as high as the recovery threshold. Furthermore, the fragmentation also reduces the sum of all PRG-expansion lengths, as well as the length of the sequence of masks whose hash needs to be calculated. Concrete parameters are given in Table 1.

Fig. 2.
figure 2

Protocol #2 (UC commitment scheme). Legend: legend of Fig. 1 also applies; \(\sigma \) (statistical security parameter, e.g., \(40\equiv 1^{40}\)); nve (numbers of total instances, check instances and evaluation instances); [n] (set of the first n positive integers); Partition[ve](n) (set of possible partitions of [n], into a pair of complementary subsets, the first with v elements, and the second with the remaining e). IDA[t] (information dispersal algorithm (erasure code) with recovery threshold of t fragments; it has sub-algorithms split and recover; if e and v are fixed in a setup phase they must satisfy \(\left( (n-b)!e!\right) /\left( (e-b)s!\right) \le 2^{-{\sigma }}\), where \(b = e-t+1\) is the number of bad instances in an optimal attack); \(\alpha \) (authenticator function); \(\ell _z\) (length of nonce); \(\ell _a\) (length of authenticator output, e.g., 256 bits).

Full size image

5.2 Description of Protocol #2

The protocol is succinctly described in Fig. 2. For further intuition, a pictorial sketch is provided in Fig. 3. The parties agree on security parameters (computational and statistic) and other consistent elements: the cut-and-choose parameters (with a fixed number of check and evaluation instances) (26); a PRG and a CR-Hash functions (27); the IDA scheme and parameters (28); and an authenticator mode (29) (in Fig. 2, the strict mode corresponds to the description given in Sect. 5.1.2) and respective parameters (30). The loose mode (discussed in the full version of the paper) allows removing some steps of the protocol (namely avoiding the Equiv-Com of the hash of the message being committed) but requires a stronger assumption about the authenticator function.

Fig. 3.
figure 3

Sketch of UC commitment scheme. Legend: (seed \(s_j\)); (Ext-Com \(\overline{s}_j\) – like a vault with a single opening); (seed expansion \(s'_j\) – like a tree growing from a seed); (global hash – like a smashed paper); (Equiv-Com \(\overline{h}\) – like a vault with several openings); (message m being committed – like a text file); (message fragment \(m'_j\) – can be combined with other fragments to recover the initial message); (authenticator \(a_j\) – vouches for the correctness of the respective fragment); (masking \(t_j\) – the chess pattern represents something that is masked); auth (authenticator function); C&C (cut-and-choose); \( \mathcal {F} _{\text {X}}\) (ideal extractable-commitment functionality); \( \mathcal {F} _{\text {Q}}\) (ideal equivocable-commitment functionality); \(\mathcal {S}^X\) (simulator with extraction goal). This is a toy example with a cut-and-choose with \({n=5}\) instances, of which \({v=2}\) are selected for check and \({e=3}\) are selected for evaluation. In the extraction example, a malicious \(\text {P}_{\text {A}}^{*}\) constructed one bad instance (\({j=3}\)), selected for the check subset. \(\mathcal {S}^X\) detects the bad instance and thus ignores it when using the IDA to reconstruct the message from only \(t=2\) (the recovery threshold) fragments.

Full size image

5.2.1 Commit Phase (P\(_{\text {A}}\) Commits a Message to P\(_{\text {B}}\))

  • 1.a. Commit instances. Upon being initialized to commit a message m (31), P\(_{\text {A}}\) selects n random seeds (32) (e.g., 119) and uses \( \mathcal {F} _{\text {X}}\) to commit individually to each of them ((33)–(34)). P\(_{\text {A}}\) uses the PRG to expand each seed \(s_j\) into a string \(s'_j\) with a reduced-length (equal to the target length \(\ell \) divided by the IDA recovery-threshold t) extended by an authenticator-length \(\ell _a\) (35). P\(_{\text {A}}\) calculates the global hash h as the CR-hash of the concatenation of all seed-expansions (36). P\(_{\text {A}}\) then uses \( \mathcal {F} _{\text {Q}}\) to commit to h ((37)–(38)). If in the strict mode, P\(_{\text {A}}\) also computes the hash of the message m (39) and then uses \( \mathcal {F} _{\text {Q}}\) to commit to said hash ((40)–(41)).

  • 1.b. Cut-and-choose. P\(_{\text {B}}\) decides a random cut-and-choose partition (42) (e.g., identifying 73 instances for check and 46 for evaluation) and a random nonce z (43) and sends them both to P\(_{\text {A}}\) (44).

  • 1.c. Message masking. P\(_{\text {A}}\) uses the threshold IDA to split her message into as many fragments as the number of evaluation instances (45), each with a reduced length. Then, P\(_{\text {A}}\) computes the authenticator \(a_j\) of each fragment \(m'_j\) as an appropriate function \(\alpha \) of the fragment and the nonce (46); P\(_{\text {A}}\) then uses the extended mask \(s'_j\) to compute the masking \(t_j\) of the fragment concatenated with the authenticator (47). Finally, P\(_{\text {A}}\) sends to P\(_{\text {B}}\) the maskings associated with all evaluation instances (48).

Table 1. UC commitment scheme parameters for 40 bits of statistical security
Full size table

5.2.2 Open Phase (P\(_{\text {A}}\) Opens a Message to P\(_{\text {B}}\))

  • 2.a. Reveal message. Upon being initialized to open the committed message m (49), P\(_{\text {A}}\) sends m to P\(_{\text {B}}\) (50). If using the strict authenticator mode, then P\(_{\text {A}}\) also asks \( \mathcal {F} _{\text {Q}}\) to open to P\(_{\text {B}}\) the hash of the message ((51)–(52)). P\(_{\text {B}}\) then verifies that it is consistent with the hash of the received message (53). If not, it Aborts; otherwise it proceeds.

  • 2.b. Obtain evaluation masks. P\(_{\text {B}}\) uses the IDA to obtain the same fragments that an honest P\(_{\text {A}}\) would (54). P\(_{\text {B}}\) computes the authenticator of the fragment in the same way that an honest P\(_{\text {A}}\) would have, based on the fragment and the nonce (55). Then, P\(_{\text {B}}\) concatenates the tentative fragment and the tentative authenticator, and computes the XOR combination of the resulting string with the extended masking, thus obtaining the tentative extended mask \(s'_j\), supposedly used by P\(_{\text {A}}\) (56).

  • 2.c. Obtain check masks. P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {X}}\) to open to P\(_{\text {B}}\) the seeds of check instances (but not those of evaluation instances) ((57)–(58)). P\(_{\text {B}}\) locally computes the PRG-expansion (of appropriate length) of each check seed (59).

  • 2.d. Verify global hash. P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {Q}}\) to open to P\(_{\text {B}}\) the previously committed global hash ((60)–(61)). Then, P\(_{\text {B}}\) verifies that the global hash of all concatenated masks is equal to the one just opened by P\(_{\text {A}}\) (62). If some verification has failed, then P\(_{\text {B}}\) aborts, otherwise it accepts the message of P\(_{\text {A}}\) as a correct opening (63).

5.3 Concrete Configurations

Table 1 shows optimal configurations of the cut-and-choose and IDA parameters for 40 bits of statistical security and several goals of communication rate. Asymptotically as \(\ell \) increases, it is possible to configure the parameters to yield arbitrary high levels of statistical security and reduce the expansion-rate to values arbitrarily close to 1. With \((n;e;t)=(119;46;23)\), the scheme achieves 40 bits of statistical security and an asymptotic communication expansion-rate \(r=2\) in the commit phase (the open phase always has an asymptotic rate 1). With \((n;e;t)=(775;275;250)\), the rate becomes \(r=1.1\), with the computed PRG output and the hash input being \(r'=3.1\) times the message length. Both r and \(r'\) can be brought arbitrarily close to 1. In comparison, for a communication expansion rate of \(r=1.1\), the protocol from [GIKW14] would require encoding m into 53,020 blocks, and using an error correcting code capable of correcting more than 1198 semantic errors. Table 1 also describes parameters for optimizations of [GIKW14], namely by using k-out-of-n OT instead of \(\delta \)-Rabin OT, reducing the number of instances by up to a factor slightly larger than two.

Remark (Interactivity Tradeoffs). The use of an Equiv-Com scheme with P\(_{\text {A}}\) as sender and P\(_{\text {B}}\) as receiver can be replaced by an Ext-Com scheme with P\(_{\text {B}}\) as sender and P\(_{\text {A}}\) as receiver, and a regular Com scheme (i.e., possibly neither Ext nor Equiv) and further interaction. Basically, the Ext of a short bit-string committed by \(\text {P}_{\text {B}}^{*}\) would allow \(\mathcal {S}\) (in the role of P\(_{\text {A}}\) in the simulated execution) to decide (within the overall open phase of the UC scheme) any desired outcome of a (single-side simulatable) short coin-flipping played between P\(_{\text {A}}\) and P\(_{\text {B}}\). Each bit of this short coin-flipping can be set to determine one-out-of-two positions to open from each pair of (supposedly) copies of a committed bit (and additional redundant checksum bits included to prevent malicious behavior). This allows \(\mathcal {S}\) to equivocate the short-bit string because it could undetectably commit to two different bits in each position (instead of two copies of the same bit) and then open only the convenient ones. In a direction of less interaction, it is conceivably possible to let the cut-and-choose partition and nonce values be computed by P\(_{\text {A}}\) non-interactively, if willing to accept an assumption of a non-programmable random oracle model [Lin15]. This would make all interactivity of the commitment scheme (commit and open) become implicit in the instantiations of the base commitment schemes (Ext and Equiv). The cut-and-choose and IDA (erasure code) parameters would have to increase, letting the statistical security parameter become equal to the cryptographic security parameter, to mitigate the new possibility that P\(_{\text {A}}\) could computationally try a brute-force trial-and-error attempt to exploit the probability of error that would otherwise be negligible only in a low statistical parameter.

5.4 Security Analysis

Proving security amounts to show, without rewiding, that the new commitment scheme is Ext&Equiv, i.e., the commit phase is Ext and the open phase is Equiv. The analysis assumes that the PRG and CR-Hash are cryptographically secure and that the underlying Ext-Com and Equiv-Com schemes are realized (in a hybrid model) by respective ideal functionalities (\( \mathcal {F} _{\text {X}}\), \( \mathcal {F} _{\text {Q}}\)). The proof of security is accomplished by defining respective simulators.

Theorem 2

(Security of Protocol #2). Assuming a cryptographically secure PRG and CR-Hash, and an adequate authenticator, protocol #2 UC-realizes the ideal functionality \( \mathcal {F} _{\text {MCOM}}\) of long bit-string commitments in the (\( \mathcal {F} _{\text {X}}\),\( \mathcal {F} _{\text {Q}}\))-hybrid model, in the presence of static and computationally active adversaries. Each phase of \( \mathcal {F} _{\text {Q}}\) and \( \mathcal {F} _{\text {X}}\) is invoked for short bit-strings only a number of times that is independent of the polynomial target length.

5.4.1 Extractability – Simulatability with Corrupted \(\text {P}_{\text {A}}^{*}\)

The extractor-simulator \(\mathcal {S}^X\) initiates a simulation, with black-box access to \(\mathcal {A}\), letting it believes that it is in the real world controlling \(\text {P}_{\text {A}}^{*}\).

Simulation of the Commit Phase. Once the protocol starts, \(\mathcal {S}^X\) (in the role of honest P\(_{\text {B}}\) and also in the role of \( \mathcal {F} _{\text {X}}\) in the simulated execution) extracts the seeds committed by \(\text {P}_{\text {A}}^{*}\) (33) and later receives from \(\text {P}_{\text {A}}^{*}\) the maskings of authenticated fragments of the message being committed (48). \(\mathcal {S}^X\) then unmasks each masking, using the PRG-expansion of the respective extracted seed, obtaining from each a respective tentative authenticated fragment. \(\mathcal {S}^X\) verifies whether the authentication is correct or not, thus identifying which instances are good. (The security of the described authenticator is statistically derived from the properties of a universal hash family.) If the number of good fragments is at least t (the recovery threshold) then \(\mathcal {S}^X\) uses the IDA recovery algorithm to reconstruct the message from t (the recovery threshold) good fragments. Otherwise, if there are less than t good fragments, then \(\mathcal {S}^X\) realizes that it cannot extract the message from \(\text {P}_{\text {A}}^{*}\), but it does not complain. Instead, \(\mathcal {S}^X\) computes a random message as the assumed extracted message, and in addition it memorizes that the extracted message is corrupted. Finally (in either of the two above cases), in the ideal world, \(\mathcal {S}^X\) (in the role of the ideal \(\widehat{\text {P}}_{\text {A}}^{*}\)) sends the extracted message to the ideal functionality \( \mathcal {F} _{\text {MCOM}}\), thus committing to it.

Simulation of the Open Phase. Once \(\text {P}_{\text {A}}^{*}\) opens the message to P\(_{\text {B}}\) in the simulated execution, \(\mathcal {S}^X\) checks that the opening is successful and that it corresponds to the previously extracted message. If the opening is unsuccessful, e.g., if the global hash verification fails (62), then \(\mathcal {S}^X\) emulates an abort, leading \( \mathcal {F} _{\text {MCOM}}\) to halt the execution associated with this commitment, consequently leading the ideal party \(\widehat{\text {P}}\) \(_{\text {B}}\) to never receive any opening. If (with negligible probability) the opening is successful but different from the value previously extracted from \(\mathcal {S}^X\), then \(\mathcal {S}^X\) outputs Fail (i.e., in this case the simulation fails). Otherwise, if the opening of the expected message is done successfully, then \(\mathcal {S}\) asks \( \mathcal {F} _{\text {MCOM}}\) in the ideal world to open the committed message.

Analysis of the Simulation (Statistical Security). In the commit phase, \(\mathcal {S}\) makes a perfect emulation of the abort distribution, since it only aborts early if and only if \(\text {P}_{\text {A}}^{*}\) also aborts. Thus, distinguishability (by the environment) between real and simulated executions can only happen if \(\text {P}_{\text {A}}^{*}\) is able (with non-negligible probability) to successfully open a message different from the one \(\mathcal {S}^X\) has extracted. However, this is not possible. Based on the (described) authenticator mechanism security (derived directly from the collision-resistance of a CR-Hash, and the statistical properties of a universal hash family), \(\text {P}_{\text {A}}^{*}\) cannot forge a bad authentication, i.e., lead \(\mathcal {S}^X\) to believe that a bad fragment is actually good. Also, based on the default binding property of all underlying commitments, \(\text {P}_{\text {A}}^{*}\) is not able to equivocate any of the Ext-Com or Equiv-Com. It can thus be assumed impossible for \(\mathcal {S}\) to unknowingly mark as good an evaluation fragment (i.e., the result upon unmasking) that is actually bad. Now, a malicious successful opening by \(\text {P}_{\text {A}}^{*}\) requires that all check instances are good selected and at least \(n-t+1\) evaluation instances are bad. However, the probability of this event can be made negligible for appropriate cut-and-choose and IDA parameters (see Table 1). As an example, in the trivial case where \(\text {P}_{\text {A}}^{*}\) would build all check and evaluation instances as bad, \(\mathcal {S}^X\) in the ideal world would still commit to a random valid value, but later in the open phase it would never let the ideal functionality open the value to the honest P\(_{\text {B}}\).

Remark. There is a subtle difference between two types of commitment schemes. There are those where the receiver is ensured that the committer is technically able to open the commitment (if it “wants” to). For example, this is the case when the commit phase includes a ZKPoK of the committed value. There are other schemes where the commit phase is not enough to let the receiver know about the actual ability of the committer to later open a value. It is possible that a maliciously played commit phase prevents the sender (\(\text {P}_{\text {A}}^{*}\)) in advance from being able to later open the commitment accepted by the receiver (P\(_{\text {B}}\)). Protocol #2 is of this second kind. Even if \(\mathcal {S}\) detects, in a non-aborting commit phase, that P\(_{\text {A}}\) is unable to later open the commitment, \(\mathcal {S}\) does not abort before a failed open phase. The protocol can be easily changed to become of the first type (if desired), at the cost of increasing the calls to the Equiv-Com functionality, namely one per instance of the cut-and-choose, while nonetheless retaining an amortized communication complexity. The idea is simple: instead of just producing one Equiv-Com of the global hash, \(\text {P}_{\text {A}}^{*}\) would produce one Equiv-Com for each possible mask (i.e., each PRG-expansion); then, after the cut-and-choose partition is determined, but still within the overall commit phase, \(\text {P}_{\text {A}}^{*}\) would open the check seeds and the check hashes. In this way, \(\mathcal {S}\) immediately knows whether some bad check instance was bad. If any bad check instance is detected, then \(\mathcal {S}\) can immediately emulate an abort; otherwise, \(\mathcal {S}\) accepts an extracted message based on the verification of the authentication of extracted evaluation masks and the associated anticipated fragments. In this case there is a negligible probability that the number of good instances is less than the recovery threshold.

5.4.2 Equivocability – Simulatability with Corrupted \(\text {P}_{\text {B}}^{*}\)

The equivocator-simulator \(\mathcal {S}^Q\) initiates a simulation, with black-box access to \(\mathcal {A}\), letting it believe that it is in the real world controlling \(\text {P}_{\text {B}}^{*}\).

Simulation of the Commit Phase. In the ideal world, \(\mathcal {S}^Q\) in the role of \(\widehat{\text {P}}_{\text {B}}^{*}\), waits to receive from \( \mathcal {F} _{\text {MCOM}}\) a receipt of commitment done by the ideal \(\widehat{\text {P}}\) \(_{\text {A}}\). Then, in the role of P\(_{\text {A}}\) in the simulated execution, \(\mathcal {S}^Q\) plays the whole commit phase to commit a random message to \(\text {P}_{\text {B}}^{*}\). This involves keeping state about the seeds (32) and their Ext-Coms (33), about the Equiv-Com of the global hash of masks (38), possibly about the Equiv-Com of the hash of the random message (41) (i.e., if in the Strict mode), about the cut-and-choose partition and the nounce, and about the maskings of authenticated fragments (48). If \(\text {P}_{\text {B}}^{*}\) aborts at any point before the end of the overall commit phase, then \(\mathcal {S}^Q\) emulates an abort, i.e., in the role of \(\widehat{\text {P}}_{\text {B}}^{*}\) in the ideal world sends abort to \( \mathcal {F} _{\text {MCOM}}\), thus making it ignore further actions related with this commitment sub-session.

Simulation of the Open Phase. \(\mathcal {S}^Q\) waits in the ideal world to receive from \( \mathcal {F} _{\text {MCOM}}\) the opening of the target message (i.e., the one committed by the ideal \(\widehat{\text {P}}\) \(_{\text {A}}\)). Then, \(\mathcal {S}^Q\), in the role of P\(_{\text {A}}\) and also in the role of \( \mathcal {F} _{\text {Q}}\) in the simulated execution, sends to \(\text {P}_{\text {B}}^{*}\) the target message (50), instead of the previously committed random message. If in the strict mode, then \(\mathcal {S}^Q\) in the role of \( \mathcal {F} _{\text {Q}}\) equivocates the opening of the needed hash of the message (52). Then, \(\mathcal {S}^Q\) computes what are the alternative masks \(s'_j\) needed to unmask (the maskings \(t_j\) previously sent) into the target message received from \( \mathcal {F} _{\text {MCOM}}\). This is done in the exact same way that P\(_{\text {B}}\) does as receiver: \(\mathcal {S}^Q\) computes the message fragments (54), then their authenticators (55), and then takes the XOR with the maskings \(t_j\) (56) that were transmitted in the commit phase. Finally, \(\mathcal {S}^Q\) computes the global hash (as in (36), but now using the updated masks), and then impersonates \( \mathcal {F} _{\text {Q}}\) and equivocates the opening of said global hash (61). This allows \(\text {P}_{\text {B}}^{*}\) to perform all verifications as if \(\mathcal {S}^Q\) was in fact an honest P\(_{\text {A}}\). Finally, \(\mathcal {S}^Q\) outputs in the ideal world whatever \(\text {P}_{\text {B}}^{*}\) outputs in the simulated execution (63).

Analysis of the Simulation. The only difference between a real protocol execution and the simulated execution is that \(\mathcal {S}^Q\) commits to a random message and later equivocates it. However, detection by \(\text {P}_{\text {B}}^{*}\) of equivocation would require differentiating the random masks from seed-expansions, which is contrary to the pseudo-randomness assumption of the PRG. Thus, in case of corrupted \(\text {P}_{\text {B}}^{*}\) the distributions between real and ideal world are computationally indistinguishable.

Remark. The cut-and-choose partition does not need to be decided via a simulatable coin-flipping, because equivocation is directly based on the assumed ability to equivocate the global hash (committed with an Equiv-Com), which directly allows equivocation of the masks of all evaluation instances. Thus, to \(\text {P}_{\text {B}}^{*}\), the actions of \(\mathcal {S}^Q\) “appear” as correct independently of the partition. \(\mathcal {S}^Q\) simply produces all commitments of seeds and all maskings correctly (for a random value), so that later all check instances are consistent.