VeryEfficient Simulatable Flipping of Many Coins into a Well
 3 Citations
 876 Downloads
Abstract
This paper presents new cryptographic protocols for a standalone simulatable twoparty parallel coinflipping (into a well) and a universally composable commitment scheme, with near optimal asymptotic communication rate, in the static and computational malicious model. The approach, denoted expandmaskhash, uses in both protocols a pseudorandom generator (PRG) and a collisionresistant hash function (CRHash) to combine separate extractable commitments and equivocable commitments (associated with short bitstrings) into a unified extractableandequivocable property amplified to a larger target length, amortizing the cost of base commitments. The new standalone coinflipping protocol is based on a simple augmentation of the traditional coinflipping template. To the knowledge of the author, it is the first proposal shown to simultaneously be twosidesimulatable and have an asymptotic (as the target length increases) communication rate converging to two bits per flipped coin and computation rate per party converging to that of PRGgenerating and CRhashing a bitstring with the target length. The new universally composable commitment scheme has efficiency comparable to very recent stateoftheart constructions – namely asymptotic communication rate as close to 1 as desired, for each phase (commit and open) – while following a distinct design approach. Notably it does not require explicit use of oblivious transfer and it uses an erasure encoding instead of stronger error correction codes.
Keywords
Coinflipping Commitments Protocols Simulatability Extractability Equivocability Rewinding Universal composability1 Introduction
Secure twoparty parallel coinflipping is a probabilistic functionality that allows two mutually distrustful parties to agree on a common random bitstring of a certain target length. Using a coinflipping protocol, both parties provide and combine independent contributions so that the output bitstring of an honest party is indistinguishable from random even if at most one party is malicious. The coinflipping is denoted simulatable if it can be proven secure within the ideal/real simulation paradigm, showing that it emulates a protocol in an ideal world where an ideal functionality would decide and deliver the random bitstring to the two parties. Achieving simulatability is useful for the design of larger protocols, as it guarantees security under some type of composition operation, e.g., nonconcurrent modular selfcomposition [Can00] (a.k.a. the standalone setting) or universal composability (UC) [Can01], depending on the type of achievable simulation, namely withrewinding or onepass, respectively.
Motivation for this functionality can be found directly in the realworld usefulness of “coinflipping,” enabling parties to jointly make random decisions (e.g., “who gets the car” [Blu83]). A moretechnical motivation for simulatability is the security enhancement of larger cryptographic protocols. An important application is the joint decision of a large common reference string needed as setup condition of one or several followup protocols [CR03]. It is also useful for protocols whose probabilistic output needs to directly depend on random bitstrings, such as in S2PCwithcommitments (e.g., [Bra13]), where both parties may want to jointly generate many random commitments.
1.1 CoinFlipping and Primitives

Step 1. (Commit phase) P\(_{\text {A}}\) commits to a contribution, hiding it from P\(_{\text {B}}\).

Step 2. P\(_{\text {B}}\) selects and sends his random contribution to P\(_{\text {A}}\).

Step 3. (Open phase) P\(_{\text {A}}\) opens her contribution to P\(_{\text {B}}\) in a convincing way.

Step 4. Each party outputs a combination of both random contributions.
The simulatability of a coinflipping protocol within this template may depend on the number of coins flipped in parallel, i.e., the length of the contributions, and the type of commitment scheme. When flipping a single coin, any hiding and binding commitment scheme is enough if rewinding is allowed in the simulation [Sect. 7.4.3.1, [Gol04]. Conversely, when doing parallel flipping of coins in number at least linear in the security parameter, or when considering a setting without rewinding, simulatability is facilitated by commitment (Com) schemes with special extractable (Ext) and equivocable (Equiv) properties. In an ExtCom scheme [SCP00], a simulator is able to extract a contribution that has been committed by another party, in apparent conflict with the hiding property. In an EquivCom scheme [Bea96], a simulator is able to equivocate the opening to any contribution, namely to a value different from what had been committed, in apparent conflict with the binding property. The conflict is only apparent, as in comparison with a real party the simulator has extra power, such as capability to rewind the other party in the simulated execution, and/or knowledge of secret information (a trapdoor) obtained from some specially selected setup.
Traditionally, achieving simultaneous Ext and Equiv properties is costly as a function of the target length. For example: in the plain model and when allowing rewinding, by requiring zeroknowledge (ZK) proofs (or ZK proofs of knowledge) about elements of size or in number linear with the target length [Lin03], or cutandchoose techniques with high communication cost [PW09]; or, in a model with setup assumptions but not allowing rewinding, by requiring Comschemes based on computationally expensive operations (e.g., exponentiations) in number or size dependent on the target length [CF01, BCPV13].
This paper explores efficiency improvements in two ways: (i) augmenting the traditional template into a new structure that requires less sophisticated commitments (i.e., not necessarily Ext&Equiv); (ii) devising a more efficient Ext&EquivCom scheme that can be directly used within the traditional template. Both cases benefit from a pseudorandom generator (PRG) (naturally associated with the generation of bitstrings indistinguishable from random) and a collisionresistant hash function (CRHash) (naturally associated with compressing commitments). As the target length increases, the asymptotic communication rate: converges to 1 for each contribution of a party in the standalone coinflipping; converges to a rate close to 1 (i.e., closer than any desired distance), for each phase (commit and open) of the UCCom scheme. The computational complexity for each party approximates that of applying a PRG and a CRHash to produce an output and hash an input, respectively, with length expansion rate asymptotically as close as desired to 1. This is useful given the high efficiency of standardized PRG [BK15] (e.g., based on block or stream ciphers) and CRHash [Nat15] constructions. In the UCCom scheme each party also uses an erasure code to encode a string of length approximately equal to the target length.
The initial (incomplete) intuition comes from the observation that: the Ext of a large string can be reduced to the Ext of one short seed, whose PRGexpansion is used to mask (with a onetimepad) the large string; the Equiv of a large string can be reduced to the Equiv of a short hash of whatever large string (e.g., the mask) the simulator wants to equivocate. However, a simple triplet composed of a masking of a string, an ExtbutnotEquivCom of the seed of the mask, and an EquivbutnotExtCom of a hash of the mask does not result in an Ext&EquivCom of the string. For example, opening the ExtCom would disallow equivocability. This paper devises two ways in which to veryefficiently and securely combine the two separate properties, associated with a few commitments of short seeds and hashes (in number independent of the target length), into a unified property extended to a much larger string.
Contributions. In summary, two novel constantround protocols are devised for twoparty parallel coinflipping (the second stemming from a new UCCom scheme). They are proven secure in a static, active and computational model; i.e., at most one party is corrupted at the onset of the protocol execution, the corrupted party may deviate from the protocol specification, and both parties are limited to probabilistic polynomial time computations. For simplicity and generality, the protocols and proofs are defined in a hybrid model with access to ideal commitment functionalities \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\), from which the simulator only needs to use either the Ext or the Equiv property, respectively, but not the complementary property (Equiv or Ext, respectively).
1.2 Intuition and Overview of Protocol #1
The first protocol (Sect. 4) is simulatablewithrewinding. It augments the traditional template with a simple preamble, in order to avoid a simulatability difficulty (related with unknown adversarial probabilities of abort) found in the protocol of Blum [Blu83], due to the use of an EquivbutnotExtCom scheme in the traditional template. The new solution also avoids a fullfledged Ext&EquivCom scheme, whose (older) constructions have a larger associated complexity: explicit ZK proof/argument subprotocols about a committed longcontribution, as required in Lindell’s protocol [Lin03]; a high communication cost, as incurred in Pass and Wee protocol [PW09].
P\(_{\text {A}}\) is still the first party to learn the final bitstring. However, the new protocol starts with P\(_{\text {B}}\) producing an EquivCom of his contribution and only then proceeds to the traditional template. This allows the simulator in the role of P\(_{\text {A}}\) in the simulated execution to nonlocally extract the contribution of a malicious P\(_{\text {B}}\) (i.e., upon rewinding beyond the respective commit phase), because said value cannot change across rewinding attempts, namely because P\(_{\text {B}}\) commits to it before the contribution of P\(_{\text {A}}\) is committed, and because the decision to open it (vs. aborting) is done while the contribution of P\(_{\text {A}}\) is still semantically hidden. The significant benefit is that now the commitment by P\(_{\text {A}}\) no longer needs to be Equiv, but rather only Ext. Correspondingly, using the Ext property, the simulator in the role of P\(_{\text {B}}\) in the simulated execution can extract the contribution of a malicious P\(_{\text {A}}\), without P\(_{\text {A}}\) opening it.
To the knowledge of the author: this construction has not been analyzed before (which is surprising given its simplicity), and in the mentioned simulatability setting it allows, asymptotically, the most efficient instantiation to date of twosidesimulatable coinflipping in the plain model (assuming a PRG and CRHash instantiation with computational cost linear in the target length). The simulatability motivation to depart from the traditional template is subtle and the analysis is challenging for the case of corrupted P\(_{\text {B}}\) (the simulator is allowed expectedpolynomial time). Asymptotically, the protocol requires communication of only two bits per flipped coin. Computationally, each party has to commit and open a short value, and compute a PRG and a CRHash of a string with the target length. Assuming intractability of the Decisional DiffieHellman (DDH) problem, an instantiation is possible with only five exponentiations per party in a setup phase (allowing the simulator to extract a trapdoor), and four (or six) exponentiations in the online phase. Exponentiations can be avoided altogether, by using PRGbased commitments of short strings or even just bitcommitments (e.g., as in [PW09] or others analyzed in the full version of this paper). In the later example, the simulator exercises Ext and Equiv over the ExtCom and the EquivCom, respectively, using rewinding, and the construction requires more communication rounds and larger concrete communication complexity of the short commitments but is still amortizable.
1.3 Intuition and Overview of Protocol #2
The second protocol (Sect. 5) is a new UCCom scheme (thus Ext&Equiv) for large bitstrings, with asymptotic communication rate as close to 1 as desired, and computational complexity linear in the string size. It is based on a cutandchoose method, where the size of each instance in the cutandchoose is (approximately) inversely proportional to the number of instances. Each instance is a triplet containing: the ExtCom of a seed; a masking of an “authenticated” fragment (produced by an erasure code) of the string being committed; and an EquivCom of the hash of the mask. This allows the simulator to anticipate (before the actual open phase) whether each extracted fragment is correct or not, and reconstruct the original message using only correct fragments. The fragments are also equivocable because the respective pseudorandom masks are equivocable.
The ideal commitment functionalities used for separate Ext and Equiv simulatability properties can also be instantiated with a fullfledged Ext&EquivCom functionality. Assuming the existence of a PRG and a CRHash, this represents a UCCom length extension, where a few (commit and open) calls to an Ext&EquivCom scheme for short bitstrings enable an Ext&EquivCom scheme for a string of a polynomially larger size. At the cost of more interactivity, the EquivComs can be based on ExtComs.
Similar amortized asymptotic communication complexity is also achieved by very recent UCCom scheme proposals [GIKW14, DDGN14, CDD+15]. They explicitly use oblivious transfer (OT), i.e., as an ideal functionality in a hybrid model. In contrast, the protocol in this paper avoids explicit use of OT, and instead uses base ExtCom and EquivCom schemes (besides a PRG and a CRHash). Also, [GIKW14, DDGN14] rely on secret sharing schemes with errorcorrection or verifiability requirements ([CDD+15] works with any linear code), whereas this paper uses a simpler erasure code, facilitated by an authenticator mechanism, with corresponding benefits in terms of encoding parameters. A comparison of tradeoffs allowed by each design is left for future work.
1.4 Roadmap
The paper proceeds as follows: Sect. 2 reviews related work; Sect. 3 mentions background notions about the security model and ideal functionalities; Sect. 4 describes the new protocol for coinflipping simulatablewithrewinding; Sect. 5 specifies the new UC commitment scheme.
2 Related Work
2.1 Basic Primitives
Oneway permutations or functions are enough in theory to achieve many useful cryptographic primitives, such as PRGs [HILL99, VZ12], oneway hash functions [NY89, Rom90], some types of commitment schemes [Nao91, DCO99] and ZK proofs of knowledge (ZKPoK) [FS90]. CRHash functions can also be built from other primitives [Sim98], such as clawfree sets of permutations [Dam88] or pseudopermutations [Rus95]. Based on such primitives, coinflipping can be achieved in different ways, e.g., based solely on oneway functions [Lin03, PW09] (with rewinding). In different simulatability settings, coinflipping can be more directly based on higher level primitives, such as bit or multibit Ext&EquivCom schemes (e.g., [CF01, DN02, Cre03]) and even from coinflipping protocols with weaker properties [HMQU06, LN11].
In the computational model (the one considered in this paper), there are known theoretical feasibility results about coinflipping, covering the standalone and the UC security settings. For example, in the UC setting it is possible to achieve coinflipping extension, i.e., coinflip a large bitstring when having as basis a single invocation of an ideal functionality realizing coinflipping of a shorter length [HMQU06]. This paper shares the concern of achieving properties in large strings based on functionalities associated with short strings, but focuses on a base of a few short commitments (not needing to be simultaneously Ext and Equiv) and has a motivation of improving efficiency. The paper does not delve into analyzing implications between different primitives (e.g., see [DNO10] for relations between OT and commitments, under several setup assumptions).
Only in very recent research works (including this one) have UC commitment schemes been devised with an amortized communication cost, with asymptotic rate close to 1. In contrast, similar attention has not been given to coinflipping in the standalone setting, where the most efficient protocols known to be twoside simulatable would not be highly efficient for large strings. While the new results for UCCom schemes are directly applicable to standalone secure coinflipping, with a corresponding asymptotic efficiency benefit (3 bits per flipped coin), an yet different and more efficient approach (2 bits per flipped coin) is herein devised for the standalone setting, without requiring an explicit Ext&EquivCom scheme.
In spite of veryefficient realizations of OTextension [ALSZ15] and freeXOR techniques [KS08] for garbled circuits, a coinflipping based on a direct (generic) approach of S2PC of bitwiseXOR would still induce, in communication and computation, a multiplicative cost proportional to the security parameter, by requiring one minicrypt block operation (e.g., blockcipher evaluation) per flipped coin. In contrast, in the approach in this paper each block of bits (e.g., equal to the security parameter) requires a unitary number of minicrypt block operations (e.g., close to 1 blockcipher for the PRG and 1 CRHash).
The idea of combining commitments with a CRHash (hash then commit) and commitments with a PRG for efficiency reasons is not new. The former resembles the hash then sign paradigm, and it also has applications to nonmalleable commitments [DCKOS01]. The later resembles hybrid encryption, where a symmetric key (the analogous to the PRG seed) would be encrypted with a public key system (the analogous to the commitment) and then the message would be encrypted with a symmetric scheme (the analogous to the onetimepad masking using the PRG expansion). This paper explores ways of combining both techniques, aimed at efficient simulatable coinflipping and UC commitment schemes.
2.2 Parallel CoinFlipping SimulatablewithRewinding
A parallel coinflipping using the traditional template is simulatable if the base commitment scheme is Ext&Equiv. Lindell achieved this (in two variant protocols [Lin03, Sects. 5.3 and 6]) by augmenting the commit and open phases with ZK subprotocols that enable the respective Ext and Equiv properties: an Extcommit phase (step 1) is a regular commitment followed by a ZK argument of knowledge of the committed value, from which the simulator in the role of receiver can extract the value; an Equivopen phase (step 3) consists on sending the intended (equivocated) contribution of P\(_{\text {A}}\) (which on its own cannot be verified against the respective commitment) and giving a fake ZK argument that it was the valid committed value. The solution provides a feasibility result for constantround simulatable parallel coinflipping. However, for a general commitment scheme applied to a long bitstring, either a ZK proof/argument of knowledge for extraction or a ZK proof/argument for equivocation is typically expensive, if not both. Note: the protocols by Lindell also address an augmented version of coinflipping into a well, where P\(_{\text {A}}\) receives a random bitstring and P\(_{\text {B}}\) receives the result of applying a known function to such bitstring – the case of the identity function is the one considered in this paper.
In a different approach, Pass and Wee [PW09] use cutandchoose techniques to achieve Ext and Equiv properties directly from regular commitment schemes (and thus from oneway functions). They show simulatability of coinflipping in the traditional template, based on an Ext&EquivCom scheme constructed from regular commitments in number proportional to the target length multiplied by the statistical parameter. In contrast with the two above referred constructions, protocol #1 in this paper integrates separately the Ext and Equiv properties, in different commitments, in order to improve efficiency, amortizing the cost of base commitment schemes to that of a PRG and CRHash.
Goldreich and Kahan [GK96] also joined two types of commitment schemes in a protocol to achieve (what this paper calls) nonlocal extraction. Their application is constant round ZK interactive proof systems, rather than coinflipping. They also augment the protocol by introducing an unconditional hiding commitment as preamble, but their goal is achieving statistical soundness in an interactive proof system, rather than providing local equivocability or achieving a communication complexity amortization as in protocol #1 in this paper. They define a simulator that estimates the probability of nonabort of the malicious party, in order to dynamically determine an upper bound on the number of rewindings that should be tried before giving up on obtaining a (second) nonabort by the malicious party. The estimation works because the commitments are used in a way that prevents the probability of abort from depending (i.e., up to a negligible variation) on the value committed by the honest party. This simulation strategy was also used by [Lin03, PW09] for the simulation of ZK subprotocols, and can also be used to simulate the coinflipping protocol #1 in this paper, with an expected polynomial number of rewindings. However, the technique is not applicable in the coinflipping protocol of Blum [Blu83], because there the decision of abort by the party that produced the EquivCom (i.e., the decision to open her contribution vs. to abort without opening) is made once already knowing the contribution of the other party.
A similar subtle problem of simulatability derived from unknown probabilities of abort has also been addressed by Rosen [Ros04]. With the goal of simplifying the analysis of simulatability of ZK proofs, Rosen introduces a preamble stage involving an unconditionallyhiding ExtCom, allowing a prover in a ZK proof system to initially (and locally) extract the challenge of the verifier. Such augmentation is different from the one in this paper. First, the preamble commitment in their ZK proof (Ext)commits a value (the challenge) that does not influence the actual honest output bit (accept vs. reject) of the ZK. Conversely, herein the value (Equiv)committed (by P\(_{\text {B}}\)) in the preamble is a contribution with direct impact in the bitstring outputted by the coinflipping execution. Second, in their ZK application the use of the preamble with the ExtCom by one party (the verifier) relieves the simulator in the role of the other party (the prover) from having to do nonlocal equivocation in the subsequent part of the execution. Conversely, herein the preamble (with an EquivCom by P\(_{\text {B}}\)) does not relieve the simulator in the role of the other party (P\(_{\text {A}}\)) from having to nonlocally equivocate the contribution that it commits to in the remainder of the execution. Third, their proposed ExtCom scheme is unconditionally hiding, whereas the PRGbased ExtCom construction used in protocol #1 to commit the contribution of P\(_{\text {A}}\) is (motivated by efficiency) inherently nonunconditionally hiding.
2.3 UC Commitment Schemes
When rewinding is not possible, the simulatability of flipping even a single coin using the traditional template requires the underlying commitment scheme to be simultaneously Ext and Equiv [CR03]. Canetti and Fischlin [CF01] developed noninteractive UC commitments, requiring a unitary number of asymmetric operations per committed bit. The construction assumes a common reference string (CRS) setup and is based on the equivocable bitcommitment from Crescenzo, Ishai and Ostrovsky [DCIO98]. Canetti, Lindell, Ostrovsky, and Sahai [CLOS02] proposed other noninteractive schemes from general primitives, with adaptive security without erasures. Damgård and Nielsen [DN02] then improved with a construction denoted mixed commitment scheme, that is able to commit a linear number of bits using only a unitary number of asymmetric operations, and using a linear number of communicated bits. For some keys they are unconditionallyhiding and equivocable, whereas for other keys they are unconditionallybinding and extractable. Crescenzo [Cre03] devised two noninteractive Ext&EquivCom schemes for individual bits, in the public random string model. One construction is based on EquivCom schemes and NIZKs, the other is based on one ExtCom and one EquivCom schemes. Damgård and Lunemann [DL09] consider UC in a quantum setting and solve the problem of flipping a single bit, based on UCComs from [CF01]. Lunemann and Nielsen [LN11] consider also the quantum setting and achieve secure flipping of a bitstring based on mixed commitments from [DN02]. They consider how to amplify security from weaker security notions of coinflipping (uncontrollable, random) up to full simulatable (enforceable). The use of ExtCom and EquivCom schemes, together with a cutandchoose and encoding scheme has been previously considered by Damgård and Orlandi [DO10]. They combine these techniques to enhance security from the passive to the active model for secure computation of arithmetic circuits, in a model where a trusted dealer is able to generate correlated triplets. While they achieve efficient constructions for multiparty computation (also including more than two parties), the efficiency is not amortized to communication rate 1.
More efficient commitment schemes have been proposed for short strings, e.g., [Lin11, FLM11, BCPV13, Fuj14] achieving a low (but greater than one) constant number of group elements of communication and of exponentiations to commit to a group element. Still, the trivial extension of these protocols for larger strings would imply a linear increase in said number of asymmetric operations (modular exponentiations), without amortization. Some of these schemes achieve adaptive security, whereas this paper considers only static security.
Recent independent works achieve asymptotic communication rate 1: [GIKW14] additionally considers selective openings; [DDGN14, CDD+15] additionally consider homomorphic properties and verification of linear relations between committed values; [CDD+15] achieves, comparably to this paper, linear computational complexity. These protocols are based on a hybrid model with an ideal OT functionality. In contrast to OT, the cutandchoose mechanism in protocol #2 in this paper does not hide from the sender the partition of (check) instances. Also, an authenticator mechanism allows the simulator to recover the fragmented message using an erasure code, thus allowing a cutandchoose with less instances than what an error correction code would imply (e.g., see Table 1). A more recent concurrent result [FJNT16] improves the complexity of the OTbased protocols (also for additively homomorphic commitments), using an additional consistency check mechanism to also allow an erasure code.
A concrete comparison between different methods – qualitative (e.g., implications between primitives) and quantitative (actual instantiations and implementations) – is left for future work. For example, [GIKW14]) reports 640 exponentiations for a concrete instantiation of the OT setup phase. In this paper, a concrete instantiation of Ext or Equiv commitments has not been explored, though their complexity is naturally upper bounded by that of instantiations of fullfledged UCComs for short strings, e.g., requiring less than a dozen group elements per base commitment [BCPV13]. The overall number of commitments of short strings will depend on the erasure code parameters, defined to meet the goals of statistical security and communication rate.
In summary, this paper is focused on the design of protocols that explore the duality between Ext and Equiv commitments, without considering OT as a primitive. About OT only two notes are mentioned here from other work: it is known that UCOT implies UCComs in myriad setup models [DNO10, Fig. 1], e.g., in the uniform, the chosen and the any CRS models (U/C/ACRS), and in the chosen and the any key registration authority models (C/AKRA), whereas the reverse implication is proven only in a narrower set of models (e.g., U/ACRS, AKRA) [DNO10, Table 1]; while [GIKW14] shows that “the existence of a semihonest OT protocol is necessary (and sufficient) for UCCom length extension,” the UC scheme in this paper does not make explicit use of OT and can also be seen as a UCCom length extension (if replacing the ExtCom and EquivCom schemes with an Ext&EquivCom scheme) – these two results do not superpose, since [GIKW14] only allows a single call to the ideal Comscheme, whereas the extension herein requires several calls.
3 Background Notions
It is here assumed that the reader is familiar with the ideal/real simulation paradigm, as developed in the work of Canetti on composability of protocols [Can00, Can01]. Familiarity is also assumed with the standard ideal functionalities of commitment schemes (\( \mathcal {F} _{\text {MCOM}}\)) and coinflipping (\( \mathcal {F} _{\text {MCF}}\)), namely in the UC framework. For example, instances can be found in [CF01, Fig. 3] (multiple bitcommitments), [DN02, Sect. 4.2] (multiple messagecommitments, there also considering homomorphic relations), [DL09, Fig. 2] (coinflipping), [Lin03] (general S2PC). A background review of these standard notions and specification of ideal functionalities is given in full version of this paper. For convenience, this section simply states informal notions about extractable and equivocable commitments.
Definition 1
(Extractability). An extractable commitment (ExtCom) scheme is one whose commit phase in a simulated execution allows \(\mathcal {S}\) in the role of receiver, indistinguishable from an honest receiver in the view of a possibly malicious sender, to extract (i.e., learn) the committed value, with probability equal to or larger than a value negligiblyclose to the maximum probability with which the (possibly malicious) sender is able to successfully open said value.
Definition 2
(Equivocability). An equivocable commitment (EquivCom) scheme is one whose open phase in a simulated execution allows \(\mathcal {S}\) in the role of sender, indistinguishable from an honest sender in the view of a possibly malicious receiver, to equivocate the opening to any intended value, in the domain of committable values and possibly decided only after the commit phase.
Definition 3
(Locality of Ext and Equiv). Within a protocol using commitments, namely with both commit and open phases, extraction is characterized as local if \(\mathcal {S}\) can extract the committed value within the respective commit phase, i.e., without going beyond that phase in the protocol and without rewinding to a step before that phase. Local equivocation is defined analogously in relation to the open phase. The properties are characterized as nonlocal if they can be achieved but not locally, i.e., involving rewinding beyond the respective phase.
The protocols hereinafter are described and proven secure in a hybrid model with access to ideal commitment functionalities \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\), with which \(\mathcal {S}\) respectively only needs to take advantage of Ext and Equiv, but not both.
4 A New CoinFlipping SimulatablewithRewinding
4.1 Description of Protocol #1
The protocol implicitly depends on a computational security parameter (1) and a respectively secure PRG and CRHash function (2). The execution starts when both parties are activated to initiate a coinflipping of a certain target length, with an appropriate execution context (3), which in particular encodes the roles of the two parties – P\(_{\text {A}}\) will be the first to learn the final outcome ((4)–(5)) – and the target length. After a possibly implicit setup phase (e.g., in the plain model, to allow the simulator to obtain a trapdoor), P\(_{\text {B}}\) selects his contribution (6) with the target length, calculates its hash (7), and uses \( \mathcal {F} _{\text {Q}}\) to commit to the hash ((8)–(9)). Then, P\(_{\text {A}}\) selects a seed (10) and commits to it using \( \mathcal {F} _{\text {X}}\) ((11)–(12)). P\(_{\text {A}}\) also selects a random bitstring (denoted contribution masking) with the target length (13) and sends it to P\(_{\text {B}}\) (14). Then, P\(_{\text {B}}\) uses \( \mathcal {F} _{\text {Q}}\) to open the committed hash to P\(_{\text {A}}\) ((15)–(16)) and sends his contribution to P\(_{\text {A}}\) (17). P\(_{\text {A}}\) checks that the hash of the contribution of P\(_{\text {B}}\) is equal to the opened hash (18). If not, it Aborts; otherwise it proceeds. Then, P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {X}}\) to open to P\(_{\text {B}}\) the committed seed ((19)–(20)). Finally, each party proceeds concurrently with local computations: expanding the seed of P\(_{\text {A}}\) into a bitstring of the target length (21) (i.e., the mask); computing the bitwise exclusiveOR (XOR) combination of the mask and the contribution masking, thus determining the contribution of P\(_{\text {A}}\) (22); and locally computing the final outcome as the XOR of the two contributions (23), and deciding that as the final output ((24)–(25)).
4.2 Concrete Instantiations in the Plain Model
In the plain model, \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\) can be respectively replaced by actual ExtCom and EquivCom schemes, agreed upon in a setup phase, with ExtCom being nonmalleable with respect to opening of EquivCom. An intuition is given here for possible concrete instantiations (more details in the full version).
Based on DDH Intractability Assumption. For the ExtCom scheme: P\(_{\text {A}}\) commits to the seed by sending a simple ElGamal encryption [ElG85] of the seed; the simulator can extract if it knows the encryption key (a discretelog); P\(_{\text {A}}\) opens the seed by revealing the seed and the encryption randomness, thus letting P\(_{\text {B}}\) verify its correctness. For the EquivCom scheme: P\(_{\text {B}}\) commits by sending a simple Pedersen commitment [Ped92] of the hash; P\(_{\text {B}}\) opens the hash by revealing the hash and the commitment randomness. The simulator can equivocate the opening if it knows the trapdoor (a discretelog). Interestingly, both Comschemes can have the same trapdoor, because the seed extraction and the hash equivocation are needed by the same simulator (in the role of P\(_{\text {B}}\), when interacting with \(\text {P}_{\text {A}}^{*}\)). The parameters can be agreed in a setup phase, with \(\text {P}_{\text {A}}^{*}\) proposing them (two generators in a multiplicative group where the DDH assumption holds) and giving a ZKPoK of their relation (the discretelog between two generators). Basically, this can be a ZK adaptation of Schnorr’s protocol [Sch91], e.g., as described in [LPS08, Fig. 3]. Overall, this requires only 9 exponentiations from each party (or 11, using more practical parameters), 5 of which are in the setup phase (amortizable across several coinflippings).
A Concrete Application Example. The S2PCwithBitComs protocol in [Bra13], simulatablewithrewinding, requires a simulatable coinflipping to sample a random group element for each bit of input and output of the regular S2PC. (Improvements of the protocol can reduce the needed number and size of said groupelements.) There, the benchmark evaluation of S2PCwithBitComs of AES128 requires a simulatable flipping of about 1.18 million bits. As suggested therein, using a DDH assumption in groups over elliptic curves, an instantiation of the coinflipping with the protocol of [Lin03] would require (for practical parameters) 7 exponentiations per party per block of 256 bits, and communication of about 12 blocks per block, i.e., overall about 32 thousand exponentiations and 14 megabits. In contrast, the new coinflipping devised herein would overall require (with the instantiation suggested in the previous paragraph) less than a dozen exponentiations per party and slightly less than 2.5 megabits of communication, thus reducing the coinflipping subprotocol complexity by more than 3,000 fold in number of exponentiations and about 6 fold in communication.
Based on PRGBased Commitments. It is possible to avoid exponentiations by building ExtCom and EquivCom schemes based on more basic primitives, such as regular commitments (i.e., hiding and biding but possibly not Ext and not Equiv). For example, Pass and Wee [PW09] analyze cutandchoose based constructions (the full version of this paper explores improvements, e.g., using a randomseedchecking type of technique [GMS08]). Comparatively, those constructions require more concrete communication than the DDH based one, but still amortizable because it only applies to two short elements (one seed and one hash), and more online interactivity.
4.3 Security Analysis
Proving security (i.e., simulatability) amounts to show a simulator (\(\mathcal {S}\)) that, with an expected number of rewindings at most polynomial in the security parameter, induces in the ideal world a global output whose distribution is indistinguishable from the one in the real world. In the role of each party in a simulation, \(\mathcal {S}\) must be able (with overwhelming probability) to learn the contribution of the other possiblymalicious (blackbox) party and still be in a position to open the needed complementary contribution, as if it was honestly random, and at the same time simulate the correct probability of early abort.
Theorem 1
(Security of Protocol #1). Assuming a cryptographically secure PRG and CRHash, protocol #1 securelyemulates (with computational indistinguishability) the ideal functionality \( \mathcal {F} _{\text {MCF}}\) of long bitstring coinflipping between twoparties, in a standalone setting and in the (\( \mathcal {F} _{\text {X}}\),\( \mathcal {F} _{\text {Q}}\))hybrid model, in the presence of static and computationally active rewindable adversaries. For each (polynomially arbitrarilylong) bitstring coinflipping execution, each phase (commit and open) of \( \mathcal {F} _{\text {X}}\) and \( \mathcal {F} _{\text {Q}}\) is invoked only once for a short string; simulation is possible: without rewinding in the case of a malicious \(\text {P}_{\text {A}}^{*}\); with an expected polynomial number of rewindings in the case of a malicious \(\text {P}_{\text {B}}^{*}\).
OnePass Simulation (i.e., Without Rewinding), for Malicious \({\varvec{P}}^*_{\varvec{A}}\) . In the simulated execution, \(\mathcal {S}\) (in the role of P\(_{\text {B}}\)) commits to a random hash value (8). Then, \(\mathcal {S}\) impersonates \( \mathcal {F} _{\text {X}}\) to extract from \(\text {P}_{\text {A}}^{*}\) the seed committed by \(\text {P}_{\text {A}}^{*}\) (11). \(\mathcal {S}\) computes the PRG expansion of the seed (as in (21)). Then, upon receiving the contribution masking of \(\text {P}_{\text {A}}^{*}\) (14), \(\mathcal {S}\) combines it with the PRGexpansion of the extracted seed (as in (22)), in order to learn the contribution of \(\text {P}_{\text {A}}^{*}\). Then, in the ideal world, \(\mathcal {S}\) in the role of the ideal \(\widehat{\text {P}}_{\text {A}}^{*}\) receives from the ideal coinflipping functionality \( \mathcal {F} _{\text {MCF}}\) the random target coinflipping bitstring. \(\mathcal {S}\) then computes the needed complementary contribution of P\(_{\text {B}}\), as the XOR between the target outcome and the contribution of \(\text {P}_{\text {A}}^{*}\). \(\mathcal {S}\) computes the hash of this complementary contribution (as in (7)) and in the role of \( \mathcal {F} _{\text {Q}}\) it equivocates its opening to be such hash value (16). Finally, \(\mathcal {S}\) also sends the complementary contribution to \(\text {P}_{\text {A}}^{*}\) (17). Since the ideal \( \mathcal {F} _{\text {X}}\) is impersonated by \(\mathcal {S}\) (respectively, in the plain model, since EquivCom is nonmalleable with respect to opening of ExtCom), it follows that \(\text {P}_{\text {A}}^{*}\) can only either open the contribution (19) that has been extracted by \(\mathcal {S}\), or abort without successfully opening her contribution. In case of abort by \(\text {P}_{\text {A}}^{*}\), \(\mathcal {S}\) emulates an abort; otherwise, \(\mathcal {S}\) lets \( \mathcal {F} _{\text {MCF}}\) continue the execution in the ideal world (i.e., send the bitstring to the ideal \(\widehat{\text {P}}\) \(_{\text {B}}\)) and \(\mathcal {S}\) outputs in the ideal world what \(\text {P}_{\text {A}}^{*}\) outputs in the simulation. (In the plain model, extractability of ExtCom and/or equivocability of EquivCom may require either local rewinding or rewinding in a setup phase, but that is irrelevant in the hybrid model).

First iteration. In the simulated execution, \(\mathcal {S}\) in the role of an honest P\(_{\text {A}}\) interacts until receiving the contribution of \(\text {P}_{\text {B}}^{*}\) and verifying its hash against the respective opening (18). If \(\text {P}_{\text {B}}^{*}\) aborts until this step (including by an invalid opening), then \(\mathcal {S}\) emulates an abort, otherwise it proceeds.

Get target outcome. \(\mathcal {S}\) in the role of ideal \(\widehat{\text {P}}_{\text {B}}^{*}\) receives from \( \mathcal {F} _{\text {MCF}}\) in the ideal world the target outcome and uses it to compute the needed complementary contribution of P\(_{\text {A}}\) in the simulated execution, namely the XOR between the target outcome and the contribution of \(\text {P}_{\text {B}}^{*}\).

Determine upperbound of rewindings. \(\mathcal {S}\) determines an upper bound number of rewindings (#rwbound) needed for the next simulation stage. This can be based on the strategy of Goldreich and Kahan [GK96], which involves rewinding, possibly a superpolynomial number of times, to repeat committing a random contribution of P\(_{\text {A}}\) ((11)–(14)) and expecting to obtain an opening of the contribution of P\(_{\text {B}}\) ((16)–(17)), until indeed obtaining a successful opening (18) an adequate polynomial (e.g., quadratic) number of times, and estimating therefrom an adequate probability of nonabort by P\(_{\text {A}}\), and defining #rwbound as the inverse of said estimate. An intuition for the expected polynomial number of rewindings is that a negligible probability of nonabort also implies a negligible probability that the simulation reaches this estimation stage. (Using a more involved argument about the hiding property of the PRGbased ExtCom of the contribution of P\(_{\text {A}}\), the full version of the paper explores the possibility of a different simulation strategy, with a static superpolynomial upper bound #rwbound, i.e., not depending on a dynamic estimation of the nonabort probability).

Induce target outcome. \(\mathcal {S}\) rewinds and selects (10) and commits (11) to a new random seed of P\(_{\text {A}}\). Then, \(\mathcal {S}\) computes and sends to \(\text {P}_{\text {B}}^{*}\) a contribution masking of P\(_{\text {A}}\) (14), computed as the XOR combination of the needed complementary contribution and the PRGexpansion of the seed (instead of a random contribution masking (13)). Since the ExtCom+PRGbased commitment of the contribution of P\(_{\text {A}}\) is semantically hiding, the probability of abort by \(\text {P}_{\text {B}}^{*}\) changes at most by a negligible amount in comparison with the previous stage. If \(\text {P}_{\text {B}}^{*}\) subsequently opens his contribution successfully ((16)–(18)), then \(\mathcal {S}\) continues the simulation until the end and outputs in the ideal world whatever \(\text {P}_{\text {B}}^{*}\) outputs in the simulated execution, even \(\text {P}_{\text {B}}^{*}\) aborts before receiving the opening of the seed of P\(_{\text {A}}\) (20). Otherwise, if \(\text {P}_{\text {B}}^{*}\) aborts without successfully opening his contribution, \(\mathcal {S}\) rewinds and replays again as just described, again and again until either obtaining a successful opening of the contribution of \(\text {P}_{\text {B}}^{*}\) (equal to the one already known by \(\mathcal {S}\)) and in that case leading the simulation to an end, or until reaching the #rwbound bound, and in that case it emulates an abort in the ideal world.
5 A New UC Commitment Scheme
This section devises a new UC commitment scheme, thus onepasssimulatable and with local Ext and Equiv properties, usable in the traditional template of coinflipping to commit and open the contribution of P\(_{\text {A}}\).
5.1 More Intuition

a cutandchoose: P\(_{\text {A}}\) builds several instances of short commitments and then P\(_{\text {B}}\) checks the correctness of some (the check instances) to gain some confidence that a majority of the others (the evaluation instances) is correct;

authenticators: allow the simulator to anticipate whether individual instances are good or bad, thus gaining assurance about correct extraction;

an information dispersal algorithm (IDA): allows spliting the target message m into smaller fragments, and allows recovery of the original message from a sufficient number of those fragments (essentially, based on a threshold erasure code); using an IDA enables the size of each instance of the cutandchoose to be reduced proportionally to the number of instances.
5.1.1 CutandChoose Warmup

Commit phase. P\(_{\text {A}}\) produces several seeds, builds an ExtCom of each, and also an EquivCom of a CRHash (hereafter denoted global hash) of the sequence of PRGexpansions of all seeds. Then, P\(_{\text {B}}\) cuts the set of instances of seedcommitments into two random complementary subsets, and chooses one for a check operation and the other for an evaluation operation. For each evaluation instance, P\(_{\text {A}}\) uses the respective PRGexpansion to XORmask the target message, and sends the respective message masking to P\(_{\text {B}}\).

Open phase. P\(_{\text {A}}\) reveals the message m, letting P\(_{\text {B}}\) compute all used masks, one for each evaluation instance, namely the XOR of the message with each respective masking. P\(_{\text {A}}\) also opens all check seeds, letting P\(_{\text {B}}\) compute the respective PRGexpansions. Finally, P\(_{\text {A}}\) opens the committed global hash, letting P\(_{\text {B}}\) verify that it is equal to the one that can be obtained from the learned masks and PRGexpansions. Otherwise, if the global hash verification fails, P\(_{\text {A}}\) rejects the opening of the message m.

Hiding. In the commit phase, the maskings hide the message from P\(_{\text {B}}\), due to the XOR onetimepad between message and PRGexpansions (the masks).

Binding. In the open phase, P\(_{\text {A}}\) is bound to open a single message: by collision resistance of CRHash, P\(_{\text {A}}\) can know at most one preimage of the global hash, i.e., at most one sequence of valid masks (one mask per instance). Thus, P\(_{\text {A}}\) can at most successfully open the message that for all evaluation instances is equal to the XOR of the respective mask and masking.

Equivocation. In the open phase, the equivocatorsimulator (\(\mathcal {S}^Q\)) in the role of P\(_{\text {A}}\) can open any desired fake message, by revealing the message, opening the correct seeds of check instances and then equivocating the needed fake global hash (without revealing the respective seeds of evaluation instances).

Extractability. In the commit phase, the extractorsimulator (\(\mathcal {S}^X\)) in the role of P\(_{\text {B}}\) extracts the seed of each evaluation instance, then uses its PRGexpansion to unmask the respective masking into a tentative message. If a majority of the tentative messages are equal, then \(\mathcal {S}^X\) chooses their value as the correct one. Otherwise \(\mathcal {S}^X\) guesses that P\(_{\text {A}}\) will not be able to successfully open any message in the later open phase. Conditioned on a future successful verification of the global hash, the probability that the majority of the extracted seeds are correct is, with adequate cutandchoose parameters [SS11, Sect. A], overwhelming in the total number of instances. For example, slightly more than 40 bits of statistical security, i.e., a probability of wrong extraction less that two to the minus 40, is obtained using 123 instances, 74 of which for check and 49 of which for evaluation [Bra13, Table 2].
5.1.2 Authenticator Aid
Statistical security can be improved by giving \(\mathcal {S}^X\) the ability to decide whether isolated evaluation instances are good or bad. This allows \(\mathcal {S}^X\) to extract an incorrect message (or none at all) only if all check instances are good and all evaluation instances are bad, i.e., only if a malicious \(\text {P}_{\text {A}}^{*}\) anticipates the exact cutandchoose partition. The new rationale about probabilities is similar to that of the forgeandlose type of technique recently devised for more general S2PC protocols based on a cutandchoose of garbledcircuits [Bra13, Lin13, HKE13]. The success criterion changes from “at least a majority of correct instances” to “at least one correct instance.” For example, 40 bits of statistical security can now be obtained with 41 or 123 instances, by respectively limiting evaluation instances to be at most 20 or 8. Since only evaluation instances are relevant in terms of communication, with 123 instances this corresponds to a 6fold reduction in communication (i.e., vs. the previous method with 49 evaluation instances).
The intended verifiability is achieved by augmenting each evaluation instance with a short authenticator that allows \(\mathcal {S}^X\) to verify whether or not each extracted seed is consistent with each respective anticipated tentative message. Specifically, when \(\mathcal {S}^X\) extracts a seed and uses its seedexpansion to unmask the respective masking received from P\(_{\text {A}}\), only two things may happen: either (i) \(\mathcal {S}^X\) gets a correctly authenticated message, which must be the only one that P\(_{\text {A}}\) can later successfully open, i.e., this is a good instance; or (ii) \(\mathcal {S}^X\) gets an incorrectly authenticated message, implying that a successful opening by a malicious \(\text {P}_{\text {A}}^{*}\) will reveal a mask different from the seedexpansion, i.e., this is a bad instance.
The authenticator is implemented as a function that relates the message and a nonce in a nontrivial way, to ensure that it is infeasible for \(\text {P}_{\text {A}}^{*}\) to produce a masking for which two different unmaskings yield authenticated messages. Also, in order to allow equivocation by \(\mathcal {S}^Q\) (when in the role of P\(_{\text {A}}\)), the authenticator is masked by an equivocable mask. The authenticator cannot simply be a CRHash function (i.e., without an unpredictable input) of the masked fragment, lest \(\text {P}_{\text {A}}^{*}\) would in that case (by maliciously using a mask different from the seedexpansion) be able to induce a collision by crafting a special mask different from the seedexpansion. Instead, the authenticator can be achieved by means of a universal hash family, such that the probability of collision is independent of the choices of \(\text {P}_{\text {A}}^{*}\). This can be implemented by introducing a random unpredictable value (a nonce) that P\(_{\text {B}}\) discloses to \(\text {P}_{\text {A}}^{*}\) only after \(\text {P}_{\text {A}}^{*}\) becomes bound to her choices, e.g., after committing to the seeds and global hash. This nonce acts like an identifier of the hash from the universal hash family.
In concrete, the authenticator can for example be an algebraic fieldmultiplication between the nonce and a CRhash of the message. If the image space of the CRHash is the set of bitstrings of some fixed length (e.g., 256 bits), the nonce can be uniformly selected from the nonnull elements of a Galois field with characteristic 2, modulo an irreducible polynomial of degree equal to the hash length. This ensures that the authenticators of any two known messages (which by assumption have different CRHash) would have an unpredictably offset. Conversely, a successful forgery by \(\text {P}_{\text {A}}^{*}\) would require guessing this offset, in order to make the real mask have such (bitwise XOR) offset with the seedexpansion. (Optimizations are possible, requiring a more involved explanation and/or correlationrobust type of assumptions – details in the full version.)
5.1.3 IDA Support
Communication is drastically reduced by using a threshold information dispersal algorithm (IDA) [Rab89]. The IDA enables splitting (i.e., dispersing) the original message m into several (e) fragments, such that m can be reconstructed from any subset with at least a threshold number t of good fragments, each with a reduced length (me / t). As m increases, the asymptotic communication complexity is thus proportional to e / t, which can be made as close to 1 as desired.
Any toutofe erasurecode can be used, e.g., based on XOR operations and with linear time encoding and somewhat efficient decoding. It does not need to hide the original message, as would a fullfledged secretsharing scheme [Sha79, Kra94], because in the commit phase P\(_{\text {B}}\) receives maskings of (authenticated) fragments, instead of fragments in clear. It also does not need to support correction of semantic errors [RS60], because the authenticator mechanism gives \(\mathcal {S}^X\) (in the role of P\(_{\text {B}}\)) the ability to detect errors and thus simply discard bad fragments. \(\mathcal {S}^X\) reconstructs m from any subset of at least t good fragments.
It is interesting to notice that parties only need to encode; only the simulator needs to decode. A rateless code is also possible, with appropriate probabilistic considerations – there are very efficient instantiations, e.g., [Lub02, Sho06].
5.2 Description of Protocol #2
5.2.1 Commit Phase (P\(_{\text {A}}\) Commits a Message to P\(_{\text {B}}\))

1.a. Commit instances. Upon being initialized to commit a message m (31), P\(_{\text {A}}\) selects n random seeds (32) (e.g., 119) and uses \( \mathcal {F} _{\text {X}}\) to commit individually to each of them ((33)–(34)). P\(_{\text {A}}\) uses the PRG to expand each seed \(s_j\) into a string \(s'_j\) with a reducedlength (equal to the target length \(\ell \) divided by the IDA recoverythreshold t) extended by an authenticatorlength \(\ell _a\) (35). P\(_{\text {A}}\) calculates the global hash h as the CRhash of the concatenation of all seedexpansions (36). P\(_{\text {A}}\) then uses \( \mathcal {F} _{\text {Q}}\) to commit to h ((37)–(38)). If in the strict mode, P\(_{\text {A}}\) also computes the hash of the message m (39) and then uses \( \mathcal {F} _{\text {Q}}\) to commit to said hash ((40)–(41)).

1.b. Cutandchoose. P\(_{\text {B}}\) decides a random cutandchoose partition (42) (e.g., identifying 73 instances for check and 46 for evaluation) and a random nonce z (43) and sends them both to P\(_{\text {A}}\) (44).

1.c. Message masking. P\(_{\text {A}}\) uses the threshold IDA to split her message into as many fragments as the number of evaluation instances (45), each with a reduced length. Then, P\(_{\text {A}}\) computes the authenticator \(a_j\) of each fragment \(m'_j\) as an appropriate function \(\alpha \) of the fragment and the nonce (46); P\(_{\text {A}}\) then uses the extended mask \(s'_j\) to compute the masking \(t_j\) of the fragment concatenated with the authenticator (47). Finally, P\(_{\text {A}}\) sends to P\(_{\text {B}}\) the maskings associated with all evaluation instances (48).
UC commitment scheme parameters for 40 bits of statistical security

5.2.2 Open Phase (P\(_{\text {A}}\) Opens a Message to P\(_{\text {B}}\))

2.a. Reveal message. Upon being initialized to open the committed message m (49), P\(_{\text {A}}\) sends m to P\(_{\text {B}}\) (50). If using the strict authenticator mode, then P\(_{\text {A}}\) also asks \( \mathcal {F} _{\text {Q}}\) to open to P\(_{\text {B}}\) the hash of the message ((51)–(52)). P\(_{\text {B}}\) then verifies that it is consistent with the hash of the received message (53). If not, it Aborts; otherwise it proceeds.

2.b. Obtain evaluation masks. P\(_{\text {B}}\) uses the IDA to obtain the same fragments that an honest P\(_{\text {A}}\) would (54). P\(_{\text {B}}\) computes the authenticator of the fragment in the same way that an honest P\(_{\text {A}}\) would have, based on the fragment and the nonce (55). Then, P\(_{\text {B}}\) concatenates the tentative fragment and the tentative authenticator, and computes the XOR combination of the resulting string with the extended masking, thus obtaining the tentative extended mask \(s'_j\), supposedly used by P\(_{\text {A}}\) (56).

2.c. Obtain check masks. P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {X}}\) to open to P\(_{\text {B}}\) the seeds of check instances (but not those of evaluation instances) ((57)–(58)). P\(_{\text {B}}\) locally computes the PRGexpansion (of appropriate length) of each check seed (59).

2.d. Verify global hash. P\(_{\text {A}}\) uses \( \mathcal {F} _{\text {Q}}\) to open to P\(_{\text {B}}\) the previously committed global hash ((60)–(61)). Then, P\(_{\text {B}}\) verifies that the global hash of all concatenated masks is equal to the one just opened by P\(_{\text {A}}\) (62). If some verification has failed, then P\(_{\text {B}}\) aborts, otherwise it accepts the message of P\(_{\text {A}}\) as a correct opening (63).
5.3 Concrete Configurations
Table 1 shows optimal configurations of the cutandchoose and IDA parameters for 40 bits of statistical security and several goals of communication rate. Asymptotically as \(\ell \) increases, it is possible to configure the parameters to yield arbitrary high levels of statistical security and reduce the expansionrate to values arbitrarily close to 1. With \((n;e;t)=(119;46;23)\), the scheme achieves 40 bits of statistical security and an asymptotic communication expansionrate \(r=2\) in the commit phase (the open phase always has an asymptotic rate 1). With \((n;e;t)=(775;275;250)\), the rate becomes \(r=1.1\), with the computed PRG output and the hash input being \(r'=3.1\) times the message length. Both r and \(r'\) can be brought arbitrarily close to 1. In comparison, for a communication expansion rate of \(r=1.1\), the protocol from [GIKW14] would require encoding m into 53,020 blocks, and using an error correcting code capable of correcting more than 1198 semantic errors. Table 1 also describes parameters for optimizations of [GIKW14], namely by using koutofn OT instead of \(\delta \)Rabin OT, reducing the number of instances by up to a factor slightly larger than two.
Remark (Interactivity Tradeoffs). The use of an EquivCom scheme with P\(_{\text {A}}\) as sender and P\(_{\text {B}}\) as receiver can be replaced by an ExtCom scheme with P\(_{\text {B}}\) as sender and P\(_{\text {A}}\) as receiver, and a regular Com scheme (i.e., possibly neither Ext nor Equiv) and further interaction. Basically, the Ext of a short bitstring committed by \(\text {P}_{\text {B}}^{*}\) would allow \(\mathcal {S}\) (in the role of P\(_{\text {A}}\) in the simulated execution) to decide (within the overall open phase of the UC scheme) any desired outcome of a (singleside simulatable) short coinflipping played between P\(_{\text {A}}\) and P\(_{\text {B}}\). Each bit of this short coinflipping can be set to determine oneoutoftwo positions to open from each pair of (supposedly) copies of a committed bit (and additional redundant checksum bits included to prevent malicious behavior). This allows \(\mathcal {S}\) to equivocate the shortbit string because it could undetectably commit to two different bits in each position (instead of two copies of the same bit) and then open only the convenient ones. In a direction of less interaction, it is conceivably possible to let the cutandchoose partition and nonce values be computed by P\(_{\text {A}}\) noninteractively, if willing to accept an assumption of a nonprogrammable random oracle model [Lin15]. This would make all interactivity of the commitment scheme (commit and open) become implicit in the instantiations of the base commitment schemes (Ext and Equiv). The cutandchoose and IDA (erasure code) parameters would have to increase, letting the statistical security parameter become equal to the cryptographic security parameter, to mitigate the new possibility that P\(_{\text {A}}\) could computationally try a bruteforce trialanderror attempt to exploit the probability of error that would otherwise be negligible only in a low statistical parameter.
5.4 Security Analysis
Proving security amounts to show, without rewiding, that the new commitment scheme is Ext&Equiv, i.e., the commit phase is Ext and the open phase is Equiv. The analysis assumes that the PRG and CRHash are cryptographically secure and that the underlying ExtCom and EquivCom schemes are realized (in a hybrid model) by respective ideal functionalities (\( \mathcal {F} _{\text {X}}\), \( \mathcal {F} _{\text {Q}}\)). The proof of security is accomplished by defining respective simulators.
Theorem 2
(Security of Protocol #2). Assuming a cryptographically secure PRG and CRHash, and an adequate authenticator, protocol #2 UCrealizes the ideal functionality \( \mathcal {F} _{\text {MCOM}}\) of long bitstring commitments in the (\( \mathcal {F} _{\text {X}}\),\( \mathcal {F} _{\text {Q}}\))hybrid model, in the presence of static and computationally active adversaries. Each phase of \( \mathcal {F} _{\text {Q}}\) and \( \mathcal {F} _{\text {X}}\) is invoked for short bitstrings only a number of times that is independent of the polynomial target length.
5.4.1 Extractability – Simulatability with Corrupted \(\text {P}_{\text {A}}^{*}\)
The extractorsimulator \(\mathcal {S}^X\) initiates a simulation, with blackbox access to \(\mathcal {A}\), letting it believes that it is in the real world controlling \(\text {P}_{\text {A}}^{*}\).
Simulation of the Commit Phase. Once the protocol starts, \(\mathcal {S}^X\) (in the role of honest P\(_{\text {B}}\) and also in the role of \( \mathcal {F} _{\text {X}}\) in the simulated execution) extracts the seeds committed by \(\text {P}_{\text {A}}^{*}\) (33) and later receives from \(\text {P}_{\text {A}}^{*}\) the maskings of authenticated fragments of the message being committed (48). \(\mathcal {S}^X\) then unmasks each masking, using the PRGexpansion of the respective extracted seed, obtaining from each a respective tentative authenticated fragment. \(\mathcal {S}^X\) verifies whether the authentication is correct or not, thus identifying which instances are good. (The security of the described authenticator is statistically derived from the properties of a universal hash family.) If the number of good fragments is at least t (the recovery threshold) then \(\mathcal {S}^X\) uses the IDA recovery algorithm to reconstruct the message from t (the recovery threshold) good fragments. Otherwise, if there are less than t good fragments, then \(\mathcal {S}^X\) realizes that it cannot extract the message from \(\text {P}_{\text {A}}^{*}\), but it does not complain. Instead, \(\mathcal {S}^X\) computes a random message as the assumed extracted message, and in addition it memorizes that the extracted message is corrupted. Finally (in either of the two above cases), in the ideal world, \(\mathcal {S}^X\) (in the role of the ideal \(\widehat{\text {P}}_{\text {A}}^{*}\)) sends the extracted message to the ideal functionality \( \mathcal {F} _{\text {MCOM}}\), thus committing to it.
Simulation of the Open Phase. Once \(\text {P}_{\text {A}}^{*}\) opens the message to P\(_{\text {B}}\) in the simulated execution, \(\mathcal {S}^X\) checks that the opening is successful and that it corresponds to the previously extracted message. If the opening is unsuccessful, e.g., if the global hash verification fails (62), then \(\mathcal {S}^X\) emulates an abort, leading \( \mathcal {F} _{\text {MCOM}}\) to halt the execution associated with this commitment, consequently leading the ideal party \(\widehat{\text {P}}\) \(_{\text {B}}\) to never receive any opening. If (with negligible probability) the opening is successful but different from the value previously extracted from \(\mathcal {S}^X\), then \(\mathcal {S}^X\) outputs Fail (i.e., in this case the simulation fails). Otherwise, if the opening of the expected message is done successfully, then \(\mathcal {S}\) asks \( \mathcal {F} _{\text {MCOM}}\) in the ideal world to open the committed message.
Analysis of the Simulation (Statistical Security). In the commit phase, \(\mathcal {S}\) makes a perfect emulation of the abort distribution, since it only aborts early if and only if \(\text {P}_{\text {A}}^{*}\) also aborts. Thus, distinguishability (by the environment) between real and simulated executions can only happen if \(\text {P}_{\text {A}}^{*}\) is able (with nonnegligible probability) to successfully open a message different from the one \(\mathcal {S}^X\) has extracted. However, this is not possible. Based on the (described) authenticator mechanism security (derived directly from the collisionresistance of a CRHash, and the statistical properties of a universal hash family), \(\text {P}_{\text {A}}^{*}\) cannot forge a bad authentication, i.e., lead \(\mathcal {S}^X\) to believe that a bad fragment is actually good. Also, based on the default binding property of all underlying commitments, \(\text {P}_{\text {A}}^{*}\) is not able to equivocate any of the ExtCom or EquivCom. It can thus be assumed impossible for \(\mathcal {S}\) to unknowingly mark as good an evaluation fragment (i.e., the result upon unmasking) that is actually bad. Now, a malicious successful opening by \(\text {P}_{\text {A}}^{*}\) requires that all check instances are good selected and at least \(nt+1\) evaluation instances are bad. However, the probability of this event can be made negligible for appropriate cutandchoose and IDA parameters (see Table 1). As an example, in the trivial case where \(\text {P}_{\text {A}}^{*}\) would build all check and evaluation instances as bad, \(\mathcal {S}^X\) in the ideal world would still commit to a random valid value, but later in the open phase it would never let the ideal functionality open the value to the honest P\(_{\text {B}}\).
Remark. There is a subtle difference between two types of commitment schemes. There are those where the receiver is ensured that the committer is technically able to open the commitment (if it “wants” to). For example, this is the case when the commit phase includes a ZKPoK of the committed value. There are other schemes where the commit phase is not enough to let the receiver know about the actual ability of the committer to later open a value. It is possible that a maliciously played commit phase prevents the sender (\(\text {P}_{\text {A}}^{*}\)) in advance from being able to later open the commitment accepted by the receiver (P\(_{\text {B}}\)). Protocol #2 is of this second kind. Even if \(\mathcal {S}\) detects, in a nonaborting commit phase, that P\(_{\text {A}}\) is unable to later open the commitment, \(\mathcal {S}\) does not abort before a failed open phase. The protocol can be easily changed to become of the first type (if desired), at the cost of increasing the calls to the EquivCom functionality, namely one per instance of the cutandchoose, while nonetheless retaining an amortized communication complexity. The idea is simple: instead of just producing one EquivCom of the global hash, \(\text {P}_{\text {A}}^{*}\) would produce one EquivCom for each possible mask (i.e., each PRGexpansion); then, after the cutandchoose partition is determined, but still within the overall commit phase, \(\text {P}_{\text {A}}^{*}\) would open the check seeds and the check hashes. In this way, \(\mathcal {S}\) immediately knows whether some bad check instance was bad. If any bad check instance is detected, then \(\mathcal {S}\) can immediately emulate an abort; otherwise, \(\mathcal {S}\) accepts an extracted message based on the verification of the authentication of extracted evaluation masks and the associated anticipated fragments. In this case there is a negligible probability that the number of good instances is less than the recovery threshold.
5.4.2 Equivocability – Simulatability with Corrupted \(\text {P}_{\text {B}}^{*}\)
The equivocatorsimulator \(\mathcal {S}^Q\) initiates a simulation, with blackbox access to \(\mathcal {A}\), letting it believe that it is in the real world controlling \(\text {P}_{\text {B}}^{*}\).
Simulation of the Commit Phase. In the ideal world, \(\mathcal {S}^Q\) in the role of \(\widehat{\text {P}}_{\text {B}}^{*}\), waits to receive from \( \mathcal {F} _{\text {MCOM}}\) a receipt of commitment done by the ideal \(\widehat{\text {P}}\) \(_{\text {A}}\). Then, in the role of P\(_{\text {A}}\) in the simulated execution, \(\mathcal {S}^Q\) plays the whole commit phase to commit a random message to \(\text {P}_{\text {B}}^{*}\). This involves keeping state about the seeds (32) and their ExtComs (33), about the EquivCom of the global hash of masks (38), possibly about the EquivCom of the hash of the random message (41) (i.e., if in the Strict mode), about the cutandchoose partition and the nounce, and about the maskings of authenticated fragments (48). If \(\text {P}_{\text {B}}^{*}\) aborts at any point before the end of the overall commit phase, then \(\mathcal {S}^Q\) emulates an abort, i.e., in the role of \(\widehat{\text {P}}_{\text {B}}^{*}\) in the ideal world sends abort to \( \mathcal {F} _{\text {MCOM}}\), thus making it ignore further actions related with this commitment subsession.
Simulation of the Open Phase. \(\mathcal {S}^Q\) waits in the ideal world to receive from \( \mathcal {F} _{\text {MCOM}}\) the opening of the target message (i.e., the one committed by the ideal \(\widehat{\text {P}}\) \(_{\text {A}}\)). Then, \(\mathcal {S}^Q\), in the role of P\(_{\text {A}}\) and also in the role of \( \mathcal {F} _{\text {Q}}\) in the simulated execution, sends to \(\text {P}_{\text {B}}^{*}\) the target message (50), instead of the previously committed random message. If in the strict mode, then \(\mathcal {S}^Q\) in the role of \( \mathcal {F} _{\text {Q}}\) equivocates the opening of the needed hash of the message (52). Then, \(\mathcal {S}^Q\) computes what are the alternative masks \(s'_j\) needed to unmask (the maskings \(t_j\) previously sent) into the target message received from \( \mathcal {F} _{\text {MCOM}}\). This is done in the exact same way that P\(_{\text {B}}\) does as receiver: \(\mathcal {S}^Q\) computes the message fragments (54), then their authenticators (55), and then takes the XOR with the maskings \(t_j\) (56) that were transmitted in the commit phase. Finally, \(\mathcal {S}^Q\) computes the global hash (as in (36), but now using the updated masks), and then impersonates \( \mathcal {F} _{\text {Q}}\) and equivocates the opening of said global hash (61). This allows \(\text {P}_{\text {B}}^{*}\) to perform all verifications as if \(\mathcal {S}^Q\) was in fact an honest P\(_{\text {A}}\). Finally, \(\mathcal {S}^Q\) outputs in the ideal world whatever \(\text {P}_{\text {B}}^{*}\) outputs in the simulated execution (63).
Analysis of the Simulation. The only difference between a real protocol execution and the simulated execution is that \(\mathcal {S}^Q\) commits to a random message and later equivocates it. However, detection by \(\text {P}_{\text {B}}^{*}\) of equivocation would require differentiating the random masks from seedexpansions, which is contrary to the pseudorandomness assumption of the PRG. Thus, in case of corrupted \(\text {P}_{\text {B}}^{*}\) the distributions between real and ideal world are computationally indistinguishable.
Remark. The cutandchoose partition does not need to be decided via a simulatable coinflipping, because equivocation is directly based on the assumed ability to equivocate the global hash (committed with an EquivCom), which directly allows equivocation of the masks of all evaluation instances. Thus, to \(\text {P}_{\text {B}}^{*}\), the actions of \(\mathcal {S}^Q\) “appear” as correct independently of the partition. \(\mathcal {S}^Q\) simply produces all commitments of seeds and all maskings correctly (for a random value), so that later all check instances are consistent.
Notes
Acknowledgments
The author thanks the anonymous referees for their useful reviewing comments.
References
 [ALSZ15]Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 673–701. Springer, Heidelberg (2015). doi: 10.1007/9783662468005_26. Also at ia.cr/2015/061 Google Scholar
 [BCPV13]Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: Analysis and improvement of Lindell’s ucsecure commitment schemes. In: Jacobson, M., Locasto, M., Mohassel, P., SafaviNaini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 534–551. Springer, Heidelberg (2013). doi: 10.1007/9783642389801_34. Also at ia.cr/2013123 CrossRefGoogle Scholar
 [Bea96]Beaver, D.: Adaptive zero knowledge and computational equivocation (extended abstract). In: STOC 1996, pp. 629–638. ACM, New York (1996). doi: 10.1145/237814.238014
 [BK15]Barker, E., Kelsey, J.: Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST SP80090A Rev. 1, NISTITLCSD, U.S. Department of Commerce, June 2015. doi: 10.6028/NIST.SP.80090Ar1
 [Blu83]Blum, M.: Coin flipping by telephone – a protocol for solving impossible problems. SIGACT News 15, 23–27 (1983). doi: 10.1145/1008908.1008911. Appeared also at CRYPTO 1981CrossRefGoogle Scholar
 [Bra13]Brandão, L.T.A.N.: Secure twoparty computation with reusable bitcommitments, via a cutandchoose with forgeandlose technique. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 441–463. Springer, Heidelberg (2013). doi: 10.1007/9783642420450_23. Also at ia.cr/2013/577 CrossRefGoogle Scholar
 [Can00]Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000). doi: 10.1007/s001459910006. Also at ia.cr/1998/018 CrossRefMathSciNetzbMATHGoogle Scholar
 [Can01]Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145. IEEE (2001). doi: 10.1109/SFCS.2001.959888, Also at ia.cr/2000/067
 [CDD+15]Cascudo, I., Damgård, I., David, B., Giacomelli, I., Nielsen, J.B., Trifiletti, R.: Additively homomorphic UC commitments with optimal amortized overhead. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 495–515. Springer, Heidelberg (2015). doi: 10.1007/9783662464472_22. Also at ia.cr/2014/829 Google Scholar
 [CF01]Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). doi: 10.1007/3540446478_2. Also at ia.cr/2001/055 CrossRefGoogle Scholar
 [CLOS02]Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable twoparty and multiparty secure computation. In: STOC 2002, pp. 494–503. ACM, New York (2002). doi: 10.1145/509907.509980, Also at ia.cr/2002/140
 [CR03]Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003). doi: 10.1007/9783540451464_16. Also at ia.cr/2002/047 CrossRefGoogle Scholar
 [Cre03]Di Crescenzo, G.: Equivocable and extractable commitment schemes. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 74–87. Springer, Heidelberg (2003). doi: 10.1007/3540364137_6 CrossRefGoogle Scholar
 [Dam88]Damgård, I.B.: Collision free hash functions and public key signature schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988). doi: 10.1007/3540391185_19 Google Scholar
 [DCIO98]Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Noninteractive and nonmalleable commitment. In: STOC 1998, pp. 141–150. ACM, New York (1998). doi: 10.1145/276698.276722
 [DCKOS01]Di Crescenzo, G., Katz, J., Ostrovsky, R., Smith, A.: Efficient and noninteractive nonmalleable commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 40–59. Springer, Heidelberg (2001). doi: 10.1007/3540449876_4. Also at ia.cr/2001/032 CrossRefGoogle Scholar
 [DCO99]Di Crescenzo, G., Ostrovsky, R.: On concurrent zeroknowledge with preprocessing (extended abstract). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 485–502. Springer, Heidelberg (1999). doi: 10.1007/3540484051_31 CrossRefGoogle Scholar
 [DDGN14]Damgård, I., David, B., Giacomelli, I., Nielsen, J.B.: Compact VSS and efficient homomorphic UC commitments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 213–232. Springer, Heidelberg (2014). doi: 10.1007/9783662456088_12. Also at ia.cr/2014/370 Google Scholar
 [DL09]Damgård, I., Lunemann, C.: Quantumsecure coinflipping and applications. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 52–69. Springer, Heidelberg (2009). doi: 10.1007/9783642103667_4. Also at arXiv:0903.3118 CrossRefGoogle Scholar
 [DN02]Damgård, I.B., Nielsen, J.B.: Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002). doi: 10.1007/3540457089_37. Also at ia.cr/2001/091 CrossRefGoogle Scholar
 [DNO10]Damgård, I., Nielsen, J.B., Orlandi, C.: On the necessary and sufficient assumptions for UC computation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 109–127. Springer, Heidelberg (2010). doi: 10.1007/9783642117992_8. Also at ia.cr/2009/247 CrossRefGoogle Scholar
 [DO10]Damgård, I., Orlandi, C.: Multiparty computation for dishonest majority: from passive to active security at low cost. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 558–576. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_30. Also at ia.cr/2010/318 CrossRefGoogle Scholar
 [ElG85]El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). doi: 10.1007/3540395687_2 CrossRefGoogle Scholar
 [FJNT16]Frederiksen, T.K., Jakobsen, T.P., Nielsen, J.B., Trifiletti, R.: On the complexity of additively homomorphic UC commitments. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016A. LNCS, vol. 9562, pp. 542–565. Springer, Heidelberg (2016). doi: 10.1007/9783662490969_23. Also at ia.cr/2015/694 CrossRefGoogle Scholar
 [FLM11]Fischlin, M., Libert, B., Manulis, M.: Noninteractive and reusable universally composable string commitments with adaptive security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 468–485. Springer, Heidelberg (2011). doi: 10.1007/9783642253850_25 CrossRefGoogle Scholar
 [FS90]Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, New York (1990). doi: 10.1007/0387348050_46 Google Scholar
 [Fuj14]Fujisaki, E.: Allbutmany encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 426–447. Springer, Heidelberg (2014). doi: 10.1007/9783662456088_23. Also at ia.cr/2012/379 Google Scholar
 [GIKW14]Garay, J.A., Ishai, Y., Kumaresan, R., Wee, H.: On the complexity of UC commitments. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 677–694. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_37 CrossRefGoogle Scholar
 [GK96]Goldreich, O., Kahan, A.: How to construct constantround zeroknowledge proof systems for NP. J. Cryptol. 9(3), 167–189 (1996). doi: 10.1007/BF00208001 CrossRefMathSciNetzbMATHGoogle Scholar
 [GMS08]Goyal, V., Mohassel, P., Smith, A.: Efficient two party and multi party computation against covert adversaries. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 289–306. Springer, Heidelberg (2008). doi: 10.1007/9783540789673_17 CrossRefGoogle Scholar
 [Gol04]Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, New York (2004). doi: 10.1017/CBO9780511721656. isbn: 9780521830843CrossRefzbMATHGoogle Scholar
 [HILL99]Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any oneway function. SIAM J. Comput. 28(4), 1364–1396 (1999). doi: 10.1137/S0097539793244708 CrossRefMathSciNetzbMATHGoogle Scholar
 [HKE13]Huang, Y., Katz, J., Evans, D.: Efficient secure twoparty computation using symmetric cutandchoose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013). doi: 10.1007/9783642400841_2. Also at ia.cr/2013/081 CrossRefGoogle Scholar
 [HMQU06]Hofheinz, D., MüllerQuade, J., Unruh, D.: On the (im)possibility of extending coin toss. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 504–521. Springer, Heidelberg (2006). doi: 10.1007/11761679_30. Also at ia.cr/2006/177 CrossRefGoogle Scholar
 [Kra94]Krawczyk, H.: Secret sharing made short. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 136–146. Springer, Heidelberg (1994). doi: 10.1007/3540483292_12 Google Scholar
 [KS08]Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). doi: 10.1007/9783540705833_40 CrossRefGoogle Scholar
 [Lin03]Lindell, Y.: Parallel cointossing and constantround secure twoparty computation. J. Cryptol. 16(3), 143–184 (2003). doi: 10.1007/s0014500201437. Also at ia.cr/2001/107 CrossRefMathSciNetzbMATHGoogle Scholar
 [Lin11]Lindell, Y.: Highlyefficient universallycomposable commitments based on the DDH assumption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 446–466. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_25. Also at ia.cr/2011/180 CrossRefGoogle Scholar
 [Lin13]Lindell, Y.: Fast cutandchoose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013). doi: 10.1007/9783642400841_1. Also at ia.cr/2013/079 CrossRefGoogle Scholar
 [Lin15]Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and nonprogrammable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015). doi: 10.1007/9783662464946_5. Also at ia.cr/2014/710 Google Scholar
 [LN11]Lunemann, C., Nielsen, J.B.: Fully simulatable quantumsecure coinflipping and applications. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 21–40. Springer, Heidelberg (2011). doi: 10.1007/9783642219696_2. Also at ia.cr/2011/065 CrossRefGoogle Scholar
 [LPS08]Lindell, Y., Pinkas, B., Smart, N.P.: Implementing twoparty computation efficiently with security against malicious adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20. Springer, Heidelberg (2008). doi: 10.1007/9783540858553_2 CrossRefGoogle Scholar
 [Lub02]Luby, M.: LT codes. In: FOCS 2002, pp. 271–280. IEEE (2002). doi: 10.1109/SFCS.2002.1181950
 [Nao91]Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991). doi: 10.1007/BF00196774 CrossRefzbMATHGoogle Scholar
 [Nat15]National Institute of Standards and Technology, SHA3 Standard: PermutationBased Hash and ExtendableOutput Functions. FIPS Pub 202, NISTITL, U.S. Department of Commerce, August 2015. doi: 10.6028/NIST.FIPS.202
 [NY89]Naor, M., Yung, M.: Universal oneway hash functions and their cryptographic applications. In: STOC 1989, pp. 33–43. ACM, New York (1989). doi: 10.1145/73007.73011
 [Ped92]Pedersen, T.P.: Noninteractive and informationtheoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). doi: 10.1007/3540467661_9 Google Scholar
 [PW09]Pass, R., Wee, H.: Blackbox constructions of twoparty protocols from oneway functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009). doi: 10.1007/9783642004575_24 CrossRefGoogle Scholar
 [Rab89]Rabin, M.O.: Efficient dispersal of information for security, load balancing, and fault tolerance. J. ACM 36(2), 335–348 (1989). doi: 10.1145/62044.62050 CrossRefMathSciNetzbMATHGoogle Scholar
 [Rom90]Rompel, J.: Oneway functions are necessary and sufficient for secure signatures. In: STOC 1990, pp. 387–394. ACM, New York (1990). doi: 10.1145/100216.100269
 [Ros04]Rosen, A.: A note on constantround zeroknowledge proofs for NP. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 191–202. Springer, Heidelberg (2004). doi: 10.1007/9783540246381_11 CrossRefGoogle Scholar
 [RS60]Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. SIAM 8(2), 300–304 (1960). doi: 10.1137/0108018 MathSciNetzbMATHGoogle Scholar
 [Rus95]Russell, A.: Necessary and sufficient conditions for collisionfree hashing. J. Cryptol. 8(2), 87–99 (1995). doi: 10.1007/BF00190757 zbMATHGoogle Scholar
 [Sch91]Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). doi: 10.1007/BF00196725 CrossRefMathSciNetzbMATHGoogle Scholar
 [SCP00]De Santis, A., Di Crescenzo, G., Persiano, G.: Necessary and sufficient assumptions for noninteractive zeroknowledge proofs of knowledge for all NP relations. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 451–462. Springer, Heidelberg (2000). doi: 10.1007/354045022X_38 CrossRefGoogle Scholar
 [Sha79]Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). doi: 10.1145/359168.359176 CrossRefMathSciNetzbMATHGoogle Scholar
 [Sho06]Shokrollahi, A.: Raptor codes. IEEE Trans. Inf. Theory 52(6), 2551–2567 (2006). doi: 10.1109/TIT.2006.874390 CrossRefMathSciNetzbMATHGoogle Scholar
 [Sim98]Simon, D.R.: Findings collisions on a oneway street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). doi: 10.1007/BFb0054137 CrossRefGoogle Scholar
 [SS11]Shelat, A., Shen, C.: Twooutput secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_22. ia.cr/2011/533 Google Scholar
 [VZ12]Vadhan, S., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: STOC 2012, pp. 817–836. ACM, New York (2012). doi: 10.1145/2213977.2214051