On the Complexity of UC Commitments
Motivated by applications to secure multiparty computation, we study the complexity of realizing universally composable (UC) commitments. Several recent works obtain practical UC commitment protocols in the common reference string (CRS) model under the DDH assumption. These protocols have two main disadvantages. First, even when applied to long messages, they can only achieve a small constant rate (namely, the communication complexity is larger than the length of the message by a large constant factor). Second, they require computationally expensive public-key operations for each block of each message being committed.
Our main positive result is a UC commitment protocol that simultaneously avoids both of these limitations. It achieves an optimal rate of 1 (strictly speaking, 1 − o(1)) by making only a few calls to an ideal oblivious transfer (OT) oracle and additionally making a black-box use of a (computationally inexpensive) PRG. By plugging in known efficient protocols for UC-secure OT, we get rate-1, computationally efficient UC commitment protocols under a variety of setup assumptions (including the CRS model) and under a variety of standard cryptographic assumptions (including DDH). We are not aware of any previous UC commitment protocols that achieve an optimal asymptotic rate.
A corollary of our technique is a rate-1 construction for UC commitment length extension, that is, a UC commitment protocol for a long message using a single ideal commitment for a short message. The extension protocol additionally requires the use of a semi-honest (stand-alone) OT protocol. This raises a natural question: can we achieve UC commitment length extension while using only inexpensive PRG operations as is the case for stand-alone commitments and UC OT? We answer this question in the negative, showing that the existence of a semi-honest OT protocol is necessary (and sufficient) for UC commitment length extension. This shows, quite surprisingly, that UC commitments are qualitatively different from both stand-alone commitments and UC OT.
Keywords: Universal composability, UC commitments, oblivious transfer