Universally Composable Commitments
We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an “ideal commitment service,” even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more.
Unfortunately, two-party UC commitment protocols do not exist in the plain model. However, we construct two-party UC commitment protocols, based on general complexity assumptions, in the common reference string model, where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.
Keywords: Commitment schemes, concurrent composition, non-malleability, security analysis of protocols
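As an added illustration (this is not code from the paper and makes no UC claim), the following Python models the two objects the abstract contrasts: the "ideal commitment service" that a UC commitment protocol is measured against, written as a trusted party that records a bit and releases it only on open, and a toy real-world commit/open pair in the common reference string model with the same two single-message phases. The toy scheme is a plain hash commitment keyed by the CRS; it is an assumption of this example, not the paper's construction, and it only fixes the interface so the shape of the ideal and real executions can be compared side by side.

```python
"""Added example: ideal commitment functionality vs. a toy non-interactive
commit/open pair in the CRS model. The toy scheme is NOT the paper's
construction and is NOT claimed to be UC-secure; it only illustrates the
interface the abstract describes (one message to commit, one to open)."""
import hashlib
import os
import secrets


def _h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over the concatenated parts (toy helper)."""
    return hashlib.sha256(b"".join(parts)).digest()


class IdealCommitment:
    """Trusted party playing the 'ideal commitment service'.

    The receiver only ever sees a receipt (hiding by construction); the
    value released on open is exactly the value recorded at commit time
    (binding by construction). Security here is definitional, not
    computational, which is what a real protocol must emulate to be UC.
    """

    def __init__(self):
        self._store = {}    # sid -> (committer, receiver, bit)
        self._opened = set()

    def commit(self, sid, committer, receiver, bit):
        if bit not in (0, 1):
            raise ValueError("only bit commitments are modelled")
        if sid in self._store:
            raise ValueError("session id already used")
        self._store[sid] = (committer, receiver, bit)
        return ("receipt", sid, committer, receiver)   # all the receiver learns

    def open(self, sid, committer):
        c, _r, bit = self._store[sid]
        if c != committer or sid in self._opened:
            raise ValueError("open not permitted")
        self._opened.add(sid)
        return ("open", sid, bit)


def sample_crs() -> bytes:
    """'Predetermined distribution' for the toy: a uniform 32-byte string."""
    return os.urandom(32)


class ToyCommitter:
    """Real-world committer: commit and open are each a single message."""

    def __init__(self, crs: bytes):
        self.crs = crs
        self._state = {}    # sid -> (bit, randomness)

    def commit(self, sid: bytes, bit: int) -> bytes:
        r = secrets.token_bytes(32)
        self._state[sid] = (bit, r)
        return _h(self.crs, sid, bytes([bit]), r)      # the commit message

    def open(self, sid: bytes):
        return self._state[sid]                         # the open message


class ToyReceiver:
    """Real-world receiver: stores the commitment, checks the opening."""

    def __init__(self, crs: bytes):
        self.crs = crs
        self._commitments = {}

    def receive_commit(self, sid: bytes, c: bytes) -> None:
        self._commitments[sid] = c

    def receive_open(self, sid: bytes, bit: int, r: bytes) -> bool:
        return _h(self.crs, sid, bytes([bit]), r) == self._commitments.get(sid)


def run_toy_session(crs: bytes, sid: bytes, bit: int, tampered_bit=None) -> bool:
    """Drive one commit/open session; optionally open to a different bit.

    Returns whether the receiver accepts the opening."""
    committer, receiver = ToyCommitter(crs), ToyReceiver(crs)
    receiver.receive_commit(sid, committer.commit(sid, bit))
    b, r = committer.open(sid)
    if tampered_bit is not None:
        b = tampered_bit
    return receiver.receive_open(sid, b, r)


def run_ideal_session(sid: str, bit: int):
    """Same session driven through the ideal functionality."""
    f = IdealCommitment()
    receipt = f.commit(sid, "C", "R", bit)
    return receipt, f.open(sid, "C")


if __name__ == "__main__":
    crs = sample_crs()
    print("honest toy open accepted:", run_toy_session(crs, b"sid-1", 1))
    print("toy open to other bit accepted:", run_toy_session(crs, b"sid-1", 1, 0))
    print("ideal session:", run_ideal_session("sid-1", 1))
```

The point of placing the two side by side is the comparison the abstract draws: in the ideal execution the receipt carries no bit and the opened value cannot differ from the committed one, whereas the toy real-world scheme only makes a changed opening fail a hash check. Whether a real scheme emulates the ideal service even when composed with arbitrary other protocols is exactly the UC property, and nothing in this toy establishes it.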