UC Commitments for Modular Protocol Design and Applications to Revocation and Attribute Tokens

  • Jan Camenisch
  • Maria Dubovitskaya
  • Alfredo Rial
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9816)


Complex cryptographic protocols are often designed from simple cryptographic primitives, such as signature schemes, encryption schemes, verifiable random functions, and zero-knowledge proofs, by bridging between them with commitments to some of their inputs and outputs. Unfortunately, the known universally composable (UC) functionalities for commitments and the cryptographic primitives mentioned above do not allow such constructions of higher-level protocols as hybrid protocols. Therefore, protocol designers typically resort to primitives with property-based definitions, often resulting in complex monolithic security proofs that are prone to mistakes and hard to verify.

We address this gap by presenting a UC functionality for non-interactive commitments that enables modular constructions of complex protocols within the UC framework. We also show how the new functionality can be used to construct hybrid protocols that combine different UC functionalities and use commitments to ensure that the same inputs are provided to different functionalities. We further provide UC functionalities for attribute tokens and revocation that can be used as building blocks together with our UC commitments. As an example of building a complex system from these new UC building blocks, we provide a construction (a hybrid protocol) of anonymous attribute tokens with revocation. Unlike existing accumulator-based schemes, our scheme allows one to accumulate several revocation lists into a single commitment value and to hide the revocation status of a user from other users and verifiers.


Keywords: Universal composability, Commitments, Attribute tokens, Revocation, Vector commitments


Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. IBM Research - Zurich, Rüschlikon, Switzerland
  2. University of Luxembourg, Luxembourg, Luxembourg
