Universally Composable Commitments

Extended Abstract
  • Ran Canetti
  • Marc Fischlin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an “ideal commitment service,” even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more.

Unfortunately, two-party uc commitment protocols do not exist in the plain model. However, we construct two-party uc commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.


Commitment schemes concurrent composition non-malleability security analysis of protocols 


  1. [b91]
    D. Beaver, “Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority”, J. Cryptology, Springer-Verlag, (1991) 4: 75–122.zbMATHCrossRefGoogle Scholar
  2. [b99]
    D. Beaver, “Adaptive Zero-Knowledge and Computational Equivocation”, 28th Symposium on Theory of Computing (STOC), ACM, 1996.Google Scholar
  3. [bbm00]
    M. Bellare, A. Boldyreva and S. Micali, “Public-Key Encryption in a Multiuser Setting: Security Proofs and Improvements,” Eurocrypt 2000, pp. 259–274, Springer LNCS1807, 2000.CrossRefGoogle Scholar
  4. [bdjr97]
    M Bellare, A. Desai, E. Jokipii and P. Rogaway, “A concrete security treatment of symmetric encryption: Analysis of the DES modes of operations,” 38th Annual Symp. on Foundations of Computer Science (FOCS), IEEE, 1997.Google Scholar
  5. [bdpr98]
    M. Bellare, A. Desai, D. Pointcheval and P. Rogaway, “Relations among notions of security for public-key encryption schemes”, CRYPTO’ 98, 1998, pp. 26–40.Google Scholar
  6. [bm84]
    M. Blum, S. Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits, SIAM Journal on Computation, Vol. 13, pp. 850–864, 1984.zbMATHCrossRefMathSciNetGoogle Scholar
  7. [bcc88]
    G. Brassard, D. Chaum and C. Crépeau. Minimum Disclosure Proofs of Knowledge. JCSS, Vol. 37, No. 2, pages 156–189, 1988.zbMATHGoogle Scholar
  8. [c00]
    R. Canetti, “Security and composition of multi-party cryptographic protocols”, Journal of Cryptology, Vol. 13, No. 1, winter 2000.Google Scholar
  9. [c00a]
    R. Canetti, “A unified framework for analyzing security of Protocols”, manuscript, 2000. Available at
  10. [cf01]
    R. Canetti and M. Fischlin, “Universally Composable Commitments”. Available at
  11. [cs98]
    R. Cramer and V. Shoup, “A paractical public-key cryptosystem provably secure against adaptive chosen ciphertext attack”, CRYPTO’ 98, 1998.Google Scholar
  12. [d89]
    I. Damgard, On the existence of bit commitment schemes and zero-knowledge proofs, Advances in Cryptology-Crypto’ 89, pp. 17–29, 1989.Google Scholar
  13. [d00]
    I. Damgard. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. Eurocrypt 00, LNCS, 2000.Google Scholar
  14. [dio98]
    G. Di Crescenzo, Y. Ishai and R. Ostrovsky, Non-interactive and non-malleable commitment, 30th STOC, 1998, pp. 141–150.Google Scholar
  15. [dkos01]
    G. Di Crecenzo, J. Katz, R. Ostrovsky and A. Smith. Efficient and Perfectly-Hiding Non-Interactive, Non-Malleable Commitment. Eurocrypt’ 01, 2001.Google Scholar
  16. [dm00]
    Y. Dodis and S. Micali, “Secure Computation”, CRYPTO’ 00, 2000.Google Scholar
  17. [ddn00]
    D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography, SIAM.. J. Computing, Vol. 30, No. 2, 2000, pp. 391–437. Preliminary version in 23rd Symposium on Theory of Computing (STOC), ACM, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  18. [dnrs99]
    C. Dwork, M. Naor, O. Reingold, and L. Stockmeyer. Magic functions. In 40th Annual Symposium on Foundations of Computer Science, pages 523–534. IEEE, 1999.Google Scholar
  19. [fs90]
    U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.Google Scholar
  20. [ff00]
    M. Fischlin and R. Fischlin, “Efficient non-malleable commitment schemes”, CRYPTO’ 00, LNCS 1880, 2000, pp. 413–428.Google Scholar
  21. [ghy88]
    Z. Galil, S. Haber and M. Yung, Cryptographic computation: Secure fauttolerant protocols and the public-key model, CRYPTO’ 87, LNCS 293, Springer-Verlag, 1988, pp. 135–155.Google Scholar
  22. [g95]
    O. Goldreich, “Foundations of Cryptography (Fragments of a book)”, Weizmann Inst. of Science, 1995. (Avaliable at
  23. [g98]
    O. Goldreich. “Secure Multi-Party Computation”, 1998. (Avaliable at
  24. [gmw91]
    O. Goldreich, S. Micali and A. Wigderson, “Proofs that yield nothing but their validity or All Languages in NP Have Zero-Knowledge Proof Systems”, Journal of the ACM, Vol 38, No. 1, ACM, 1991, pp. 691–729. Preliminary version in 27th Symp. on Foundations of Computer Science (FOCS), IEEE, 1986, pp. 174–187.zbMATHMathSciNetGoogle Scholar
  25. [gmw87]
    O. Goldreich, S. Micali and A. Wigderson, “How to Play any Mental Game”, 19th Symposium on Theory of Computing (STOC), ACM, 1987, pp. 218–229.Google Scholar
  26. [gl90]
    S. Goldwasser, and L. Levin, “Fair Computation of General Functions in Presence of Immoral Majority”, CRYPTO’ 90, LNCS 537, Springer-Verlag, 1990.Google Scholar
  27. [gmra89]
    S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems”, SIAM Journal on Comput., Vol. 18, No. 1, 1989, pp. 186–208.zbMATHCrossRefMathSciNetGoogle Scholar
  28. [gmri88]
    S. Goldwasser, S. Micali, R. Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM Journal on Computing, Vol. 17, No. 2, pp. 281–308, 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  29. [l00]
    Y. Lindell, private communication, 2000.Google Scholar
  30. [mr91]
    S. Micali and P. Rogaway, “Secure Computation”, unpublished manuscript, 1992. Preliminary version in CRYPTO’ 91, LNCS 576, Springer-Verlag, 1991.Google Scholar
  31. [n91]
    M. Naor: Bit Commitment Using Pseudo-Randomness, Journal of Cryptology, vol. 4, pp. 151–158, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  32. [novy92]
    M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, Perfect zero-knowledge arguments for NP can be based on general complexity assumptions, Advances in Cryptology-Crypto’ 92, pp. 196–214, 1992.Google Scholar
  33. [pw94]
    B. Pfitzmann and M. Waidner, “A general framework for formal notions of secure systems”, Hildesheimer Informatik-Berichte 11/94, Universität Hildesheim, 1994. Available at
  34. [pw01]
    B. Pfitzmann and M. Waidner, “A model for asynchronous reactive systems and its application to secure message transmission”, IEEE Symposium on Security and Privacy, 2001. See also IBM Research Report RZ 3304 (#93350), IBM Research, Zurich, December 2000.Google Scholar
  35. [rs91]
    C. Rackoff and D. Simon, “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack”, CRYPTO’ 91, 1991.Google Scholar
  36. [y82]
    A. Yao, Theory and applications of trapdoor functions, In Proc. 23rd Annual Symp. on Foundations of Computer Science (FOCS), pages 80–91. IEEE, 1982.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Ran Canetti
    • 1
  • Marc Fischlin
    • 2
  1. 1.IBM T.J. Watson Research CenterUSA
  2. 2.Goethe-University of FrankfurtGermany

Personalised recommendations