ADAPTIVE AND COMPOSABLE NON-INTERACTIVE STRING-COMMITMENT PROTOCOLS
Huafei Zhu (1), Tadashi Araragi (2), Takashi Nishide (3) and Kouichi Sakurai (3)
(1) Institute for Infocomm Research, A-STAR, Singapore
(2) NTT Communication Science Laboratories, Kyoto, Japan
(3) Department of Computer Science and Communication Engineering, Kyushu University, Fukuoka, Japan
Keywords: Non-interactive, String-commitment protocol, Universally composable security.
Abstract: Designing non-interactive string-commitment schemes that tolerate adaptive adversaries is a challenging task. In this paper, a simple implementation of a non-interactive, reusable string-commitment scheme based on Paillier's encryption scheme is presented and analyzed in the strongest security model. We show that the proposed scheme is provably secure against adaptive adversaries in the universally composable framework, assuming that Paillier's encryption scheme is semantically secure and that the Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge in the registered public-key model.
1 INTRODUCTION
Informally, a commitment scheme is a two-party protocol that has two phases: a committing phase, where a receiver of the commitment obtains some information which amounts to a commitment to an unknown value (sealed by a committer), and a reveal phase, where the receiver obtains an opening of the commitment to some value (revealed by the committer). Commitment is an essential building block in many cryptographic protocols, such as zero-knowledge protocols (e.g., (Brassard et al., 1988; Goldreich et al., 1987; Damgård, 1989)), general function evaluation protocols (e.g., (Goldreich et al., 1987; Galil et al., 1987)), contract signing and electronic commerce, and more (see (Goldreich, 2001; Goldreich, 2004) for further reference), and has been studied extensively in the past two decades (e.g., (Blum, 1981; Naor, 1991; Canetti and Fischlin, 2001; Naor et al., 1992; Barak et al., 2004; Canetti et al., 2007)).
Universally composable (UC) commitments guarantee that a commitment protocol behaves like an ideal commitment service, even when concurrently composed with an arbitrary set of protocols. To prove that a commitment scheme realizes UC-security in the presence of an adaptive adversary, one must construct an ideal-world adversary such that the adversary's view of a real-life execution of the commitment protocol can be simulated given just the data the adversary is entitled to. That is, to prove UC-security, a commitment scheme running between a committer $P_i$ and a receiver $P_j$ in an environment $Z$ must be equivocable and extractable. To simulate the case where the honest committer $P_i$ sends a commitment $c$ to the receiver $P_j$ in the real world, an ideal-world adversary $S$ must later interpret this fake commitment $c$ as a genuine commitment to a message $m$ (the value $m$ is revealed by the ideal commitment functionality only during the reveal phase). As such, the commitment scheme must be equivocable. If the real-world adversary $A$ sends a commitment $c$ to $P_j$ on behalf of the corrupted committer $P_i$, the ideal-world adversary $S$ must extract the implicit message $m$, which is the explicit input to the commitment functionality. As such, the commitment scheme must be extractable. It follows that a commitment scheme that realizes UC-security in the presence of adaptive adversaries must be both equivocable and extractable.
Universally composable security (UC-security) is so strong a notion that a commitment scheme cannot be realized in the plain model (Canetti and Fischlin, 2001). Thus, all known UC commitment schemes work in the so-called common reference string model. A commitment scheme is called common-reference-string reusable (reusable, in short) if a common reference string is reused for multiple commitments.
Zhu H., Araragi T., Nishide T. and Sakurai K. (2010). ADAPTIVE AND COMPOSABLE NON-INTERACTIVE STRING-COMMITMENT PROTOCOLS. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 2010), pages 354-361. DOI: 10.5220/0002980503540361. Copyright (c) SciTePress.
1.1 The State-of-the-art
The state-of-the-art commitment schemes in the universally composable framework fall mainly into the following categories: non-interactive, universally composably secure bit-commitment schemes; interactive, universally composable string-commitment schemes; and, very recently, non-interactive, universally composable string-commitment schemes.
1.1.1 Universally Composable Non-interactive Bit-commitment Schemes
Canetti and Fischlin (Canetti and Fischlin, 2001) have proposed two basic approaches for constructing non-interactive and universally composable bit-commitment schemes in the common reference string model. The first construction is based on any trapdoor permutation in the one-time common reference string model. The second construction is based on the existence of claw-free pairs of trapdoor permutations in the reusable common reference string model, where the honest players are assumed to faithfully erase some parts of their internal randomness (i.e., their commitment scheme works in the internal-randomness erasure model). Canetti and Fischlin then proposed an improved bit-commitment scheme based on the Diffie-Hellman assumption in the (randomness) non-erasure model.
Canetti, Lindell, Ostrovsky and Sahai (Canetti et al., 2002) have presented a new universally composable non-interactive bit-commitment protocol that is secure against adaptive adversaries based on the existence of enhanced trapdoor permutations in the common reference string model. Their scheme realizes UC-security with respect to the multi-session ideal commitment functionality, an extension of the single-session ideal commitment functionality presented in (Canetti and Fischlin, 2001). The Canetti and Fischlin commitment schemes (Canetti and Fischlin, 2001) and the Canetti, Lindell, Ostrovsky and Sahai commitment schemes (Canetti et al., 2002) use a number of bits linear in the security parameter $\lambda$ to commit to a single bit. These pioneering works are important from the point of view of theoretical research.
1.1.2 Universally Composable Interactive String-commitment Schemes
Damgård and Nielsen (Damgård and Nielsen, 2002) have presented practical interactive string-commitment protocols in the common reference string model. The Damgård and Nielsen interactive string-commitment protocol realizes UC-security in the presence of adaptive adversaries, but the size of the common reference string grows linearly with the number of participants. Damgård and Groth (Damgård and Groth, 2003) then proposed an improved commitment scheme with a constant common reference string size, independent of the number of parties in the commitment protocol.
Camenisch and Shoup (Camenisch and Shoup, 2003) have constructed alternative interactive, universally composably secure string-commitment protocols in the context of verifiably committed encryption. Their construction is based on a zero-knowledge proof that an encryption indeed decrypts to a valid opening of a commitment. This construction realizes universally composable security in the common reference string model assuming that the Diffie-Hellman problem is hard.
1.1.3 Universally Composable Non-interactive String-commitment Schemes
Very recently, Nishimaki, Fujisaki and Tanaka (Nishimaki et al., 2009) have proposed an interesting universally composable non-interactive string-commitment scheme based on the all-but-one trapdoor functions introduced by Peikert and Waters in STOC 2008 (Peikert and Waters, 2008). The Nishimaki-Fujisaki-Tanaka non-interactive string commitment is one-time (the common reference string is refreshed whenever a new session starts). The idea of their implementation is sketched below.
Let $\Sigma = (\mathrm{SKGen}, \mathrm{Sign}, \mathrm{Veri})$ be a signature scheme that is secure against adaptive chosen-message attack in the sense of Goldwasser, Micali and Rivest (Goldwasser et al., 1988), and let $(\mathrm{EGen}, \mathrm{Enc}, \mathrm{Dec})$ be Damgård-Jurik's length-flexible public-key encryption scheme (Damgård and Jurik, 2001). To commit to a message $m \in M$, a common-reference-string generation algorithm (CRS) invokes the key generation algorithm SKGen of the underlying signature scheme to produce a pair of verification key and signing key $(vk^*, sk^*)$. CRS then invokes the encryption algorithm Enc to produce a ciphertext $\mathrm{Enc}(vk^*)$ of the verification key. The common reference string $\sigma$ is $\mathrm{Enc}(vk^*)$ together with a description of a pairwise independent hash function $H$. Given $\sigma$ and $m$, a committer $S$ invokes SKGen to generate a fresh pair of verification and signing keys $(vk, sk)$, and then generates a randomized ciphertext $C$ of the message $(vk^* - vk)\,m$. That is, the committer $S$ invokes the encryption algorithm Enc, which takes $(vk^* - vk)\,m$ as input, to produce a ciphertext $C = \mathrm{Enc}((vk^* - vk)\,m, r_m)$ with randomness $r_m$. To simulate the view of the honest committer $S$, the lossy branch $vk^*$ is set to $vk$, so that $C$ carries no information about $m$. As such, the common reference string in the Nishimaki-Fujisaki-Tanaka commitment scheme is one-time.
1.2 This Work
This paper studies non-interactive (no interactive communication between a committer and a receiver), reusable (the common reference string is reused for multiple commitments) string-commitment schemes in the universally composable framework in the presence of adaptive adversaries. To the best of our knowledge, no construction of a universally composable, non-interactive string-commitment scheme in the presence of adaptive adversaries is known. This leaves an interesting research problem: how to construct adaptive (here "adaptive" means that any adversary in our model is adaptive) and composable (here "composable" means that the protocol is universally composable in Canetti's framework) string-commitment protocols (here "string-commitment" means that a committed message is a string in $\{0,1\}^l$, $l > 1$) in the reusable common reference string model (here "reusable" means that the common reference string can be used for multiple sessions, and hence it is not a one-time common reference string model) without erasure (here "non-erasure" means that a party is not assumed to erase its internal state during the protocol execution)?
1.2.1 The Technique
Our non-interactive string-commitment protocol is based on Paillier's homomorphic encryption scheme. Recall that the difficulty in realizing UC-security for a commitment protocol is to provide an efficient method to achieve equivocability and extractability once a common reference string is given.
1. To realize extractability, we allow a simulator to run the key generation algorithm of Paillier's homomorphic encryption scheme. We allow the simulator to randomly select two ciphertexts $K_1$ and $K_2$. The common reference string is defined by $(K_1, K_2)$. Since the simulator knows the trapdoor of the underlying public-key encryption scheme, it follows that the simulator is able to extract all encrypted messages (including the randomness used to generate the common reference string and the extractable keys sketched below).
2. To realize equivocability, we construct a random key $K = K_1^{r_1} K_2^{r_2}$ from the common reference string $(K_1, K_2)$. The random key $K$ is a base to commit to a message $m$ in the form $K^m r_m^N \bmod N^2$. The committer $P_i$ then invokes a 3-move $\Sigma$-protocol and proves knowledge of $(r_1, r_2)$ to a receiver $P_j$. Let PoK be a transcript of the zero-knowledge proof derived from the $\Sigma$-protocol. The commitment to a string $m$ is denoted by $(K, C, \mathrm{PoK})$, where $C = K^m r_m^N \bmod N^2$.
Let $\psi(k, r) = (1+N)^k r^N \bmod N^2$. Intuitively, a key is equivocable if it is of the form $\psi(0, r)$, i.e., $k = 0$; the randomness $r$ of an equivocable key $K$ is called its trapdoor string. A key $K$ is called extractable if it is of the form $\psi(k, r)$ with $k \neq 0$. Let xKey be the set of all extractable keys and eKey be the set of all equivocable keys. The key point in achieving equivocability is that we allow a simulator to select the randomness $(r_1, r_2)$ so that $K$ is either an extractable key or an equivocable key. In case $K$ is an extractable key, the simulator is able to extract the implicit input message of a corrupted party. In case $K$ is an equivocable key, the simulator is able to modify the internal state when an honest party gets corrupted.
We stress that the standard rewinding technique for extracting the knowledge of a zero-knowledge prover is not allowed in the universally composable framework of Canetti (Canetti, 2001). This means that we cannot obtain the implicit input message $m$ by rewinding a knowledge prover. Fortunately, in our construction, a simulator knows the secret key of Paillier's encryption scheme and the randomness $(r_1, r_2)$ used to generate $K$ (the base to commit to a message $m$), and these are sufficient for the simulator to extract the message $m$.
We also stress that a straightforward application of a 3-move interactive $\Sigma$-protocol results in an interactive string-commitment protocol. A well-known technique for making interactive $\Sigma$-protocols non-interactive is the Fiat-Shamir heuristic, where the random challenge string $e$ is computed by the prover as a hash of the statement proved and the first message of the $\Sigma$-protocol. Unfortunately, if the Fiat-Shamir heuristic is applied, then the resulting string-commitment protocol works in the random oracle model only. To avoid the random oracle model, we apply Damgård, Fazio and Nicolosi's method (Damgård et al., 2006) for compiling a class of $\Sigma$-protocols into non-interactive zero-knowledge arguments $\tilde{\Sigma}$, where the verifier is assumed to hold a pair of registered public/secret keys. As a result, our non-interactive string-commitment scheme works in the registered public-key model (we refer the reader to (Damgård et al., 2006) for more details).
1.2.2 The Result
We claim that the adaptive and composable non-interactive string-commitment scheme presented and analyzed in this paper achieves UC-security in the presence of adaptive adversaries in the common reference string model, assuming that the underlying Paillier public-key encryption scheme is semantically secure and that the underlying Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge in the registered public-key model. If the underlying Paillier encryption scheme is replaced by Damgård-Jurik's length-flexible public-key encryption scheme (Damgård and Jurik, 2001), then the non-interactive string commitment is length-flexible as well.
Since the proposed non-interactive string-commitment scheme is reusable, length-flexible and universally composable against adaptive adversaries, our result extends the recent work of Zhu (Zhu, 2009), which is provably secure only against non-adaptive adversaries in the universally composable framework. As a result, we provide a solution to the open problem posed in (Zhu, 2009).
Road Map. The rest of the paper is organized as follows. In Section 2, the security definition of commitment schemes is sketched. Our adaptive and composable non-interactive string-commitment scheme is presented and analyzed in Section 3. We conclude our work in Section 4.
2 PRELIMINARIES
2.1 The Universally Composable Framework
We work in the standard univers
ally composable framework of Canetti (Canetti, 2001), where all participants are modeled as probabilistic polynomial-time (PPT) Turing machines. Security of protocols is defined by comparing the protocol execution to an ideal process for carrying out the desired task. Namely, the process of executing a protocol in the presence of an adversary and in a given computational environment is first formalized. Next, an ideal process for carrying out the task at hand is formalized. In the ideal process the parties do not communicate with each other; instead they have access to an ideal functionality, which is essentially an incorruptible trusted party that is programmed to capture the desired requirements of the task at hand. A protocol is said to securely realize a task if the process of running the protocol emulates the ideal process of that task. We assume the reader is familiar with the standard notion of UC security. The detailed descriptions of the executions, and the definitions of $\mathrm{IDEAL}_{F,S,Z}$ and $\mathrm{REAL}_{\pi,A,Z}$, are omitted; we refer the reader to (Canetti, 2001) for more details.
2.2 The Common Reference String Model
The common reference string model assumes that all participants have access to a common string that is drawn from some specified distribution $D$. The common reference string is chosen ahead of time and is made available before any interaction starts. The common reference string functionality defined below is due to Canetti and Fischlin (Canetti and Fischlin, 2001).
Functionality $F^{D}_{crs}$
$F^{D}_{crs}$ proceeds as follows, when parameterized by a distribution $D$.
When receiving a message $(sid, P_i, P_j)$ from $P_i$, let $crs \leftarrow D(1^n)$ and send $(sid, crs)$ to $P_i$, and send $(crs, sid, P_i, P_j)$ to the adversary, where $sid$ is a session identity. Next, when receiving $(sid, P_i, P_j)$ from $P_j$ (and only from $P_j$), send $(sid, crs)$ to $P_j$ and to the adversary, and halt.
2.3 The Commitment Functionality
To capture the notion of reusability, one must define the functionality of multiple commitment and decommitment processes. The commitment functionality defined below is due to Canetti, Lindell, Ostrovsky and Sahai (Canetti et al., 2002).
Functionality $F_{mcom}$
$F_{mcom}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $S$.
Commit Phase. Upon receiving a value $(\mathrm{commit}, sid, cid, P_i, P_j, m \in M)$, record the tuple $(sid, cid, P_i, P_j, m)$ and send the message $(\mathrm{receipt}, sid, cid, P_i, P_j)$ to $P_j$ and $S$. Ignore any future commit messages with the same $cid$ from $P_i$ to $P_j$.
Open Phase. Upon receiving a value $(\mathrm{open}, sid, cid)$ from $P_i$: if a tuple $(sid, cid, P_i, P_j, m)$ was previously recorded, then send the message $(\mathrm{open}, sid, cid, P_i, P_j, m)$ to $P_j$ and $S$ and halt; otherwise ignore.
Definition. Let $F_{mcom}$ be the multi-commitment functionality. A protocol $\pi$ is said to universally composably realize $F_{mcom}$ if for any adversary $A$ there exists a simulator $S$ such that for all environments $Z$, the ensemble $\mathrm{IDEAL}_{F_{mcom},S,Z}$ is computationally indistinguishable from the ensemble $\mathrm{REAL}_{\pi,A,Z}$.
3 NON-INTERACTIVE STRING-COMMITMENT SCHEMES
We will make use of Paillier's probabilistic public-key system (Paillier, 1999) to construct non-interactive, universally composable and reusable commitment schemes in this paper.
3.1 xKeys and eKeys
Borrowing the notation and notions from Damgård and Jurik (Damgård and Jurik, 2001), we define extractable keys (xKeys) and equivocable keys (eKeys) in the context of Paillier's encryption scheme. Let $\psi(k, r) = (1+N)^k r^N \bmod N^2$. A key is called equivocable if it is of the form $\psi(0, r)$. The randomness $r$ of an equivocable key $K$ is called its trapdoor string. A key $K$ is called extractable if it is of the form $\psi(k, r)$ with $k \neq 0$. Let xKey be the set of all extractable keys and eKey be the set of all equivocable keys. If the decisional composite residuosity assumption (DCRA) introduced in (Paillier, 1999) holds, then elements of the form $\psi(0, r)$ cannot be distinguished from elements of the form $\psi(k, r)$, where $r$ is uniform in $Z_N$ and $k$ is any fixed element in $Z_N$.
3.2 The Damgård-Fazio-Nicolosi Non-interactive Zero-knowledge Protocol
A $\Sigma$-protocol for a relation $R$ is an interactive proof system $\Sigma$ for $L_R := \{x \mid \exists w : (x, w) \in R\}$ with a conversation of the form $(a, e, z)$, where $(a, z)$ is computed by the prover and $e$ is selected by the verifier.
Damgård, Fazio and Nicolosi (Damgård et al., 2006) provide a method for compiling a class of 3-move $\Sigma$-protocols into non-interactive zero-knowledge arguments $\tilde{\Sigma}$. Their method is based on homomorphic encryption (say, Paillier's encryption scheme) and does not use random oracles. The Damgård-Fazio-Nicolosi non-interactive zero-knowledge protocol requires that a private/public key pair be set up for the verifier (i.e., it works in the registered public-key model). Below, we sketch the Damgård-Fazio-Nicolosi compiler:
1. Given an instance $(x, w)$ to prove, a prover $P$ obtains the verifier's registered public key $pk_V$ of Paillier's encryption scheme, together with a ciphertext $c$ broadcast by the verifier, where $c$ is an encryption of a random challenge $e$ (the randomness $e$ is selected and encrypted by the verifier under the public key $pk_V$, i.e., $c = E_{pk_V}(e, r_e)$);
2. the prover $P$ generates the first message $a$ using randomness $r$ and then computes a randomized ciphertext $Z = E_{pk_V}(r) \cdot c^{w}$. Finally, the prover sends $(x, (a, Z))$ to the verifier;
3. upon receiving $(x, (a, Z))$, the verifier decrypts $Z$ to get $z$ ($z = r + ew$ by the homomorphic property and correctness of the encryption scheme) and checks whether $(x, (a, e, z))$ is a valid transcript. If the transcript $(x, (a, e, z))$ is valid, the verifier accepts; otherwise it rejects.
Damgård, Fazio and Nicolosi (Damgård et al., 2006) have shown that the non-interactive zero-knowledge protocol $\tilde{\Sigma}$ is complete and sound in the registered public-key model.
3.3 The Description
The non-interactive string-commitment protocol $\pi$ presented in this section is based on Paillier's encryption scheme. We stress that if the underlying Paillier public-key encryption scheme is replaced by Damgård-Jurik's length-flexible public-key encryption scheme (Damgård and Jurik, 2001), then the described non-interactive string commitment is length-flexible. Below, we describe our string-commitment protocol in the context of Paillier's encryption scheme (the description of the string-commitment protocol based on Damgård-Jurik's scheme is straightforward and thus omitted).
1. Common-reference-string Generation Phase. On input a security parameter $1^k$, run $((p, q), N) \leftarrow \mathrm{Gen}(1^k)$. Let $K_1 \leftarrow (1+N)^{k_1} r_{k_1}^N \bmod N^2$ and $K_2 \leftarrow (1+N)^{k_2} r_{k_2}^N \bmod N^2$, where $k_1 \neq 0$ and $k_2 \neq 0$, i.e., both $K_1$ and $K_2$ are xKeys. The common reference string is $\sigma = (N, K_1, K_2)$. The trapdoor string $\tau$ is $(p, q)$.
2. The Committing Phase. On input a message $m \in Z_N$, the committer $P_i$ performs the following computations:
- $P_i$ randomly selects $r_1, r_2 \in Z_N$ and computes $K = K_1^{r_1} K_2^{r_2} \bmod N^2$;
- $P_i$ then invokes the Damgård-Fazio-Nicolosi non-interactive zero-knowledge argument $\tilde{\Sigma}$ and proves to $P_j$ knowledge of $r_1 \in Z_N$ and $r_2 \in Z_N$ such that $K = K_1^{r_1} K_2^{r_2}$. Let PoK be the transcript of the zero-knowledge argument derived from the Damgård-Fazio-Nicolosi protocol $\tilde{\Sigma}$;
- $P_i$ then selects randomness $r_m$ and computes $C = K^m r_m^N \bmod N^2$.
Finally, $P_i$ sends $(K, \mathrm{PoK}, C)$ to the receiver $P_j$.
3. The Opening Phase. Upon receiving $(K, \mathrm{PoK}, C)$ and the opening $(m, r_m)$, the receiver $P_j$ first checks the validity of the received transcript PoK. If it is invalid, then $P_j$ outputs $\bot$; otherwise, $P_j$ checks whether $C \stackrel{?}{=} K^m r_m^N \bmod N^2$. If the check fails, $P_j$ outputs $\bot$; otherwise, it outputs "accept".
This ends the description of the non-interactive string-commitment scheme.
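Worked example. The following Python program is an added illustration and is not code from the paper or its authors. It runs the three phases of Section 3.3 on a toy Paillier instance, classifies keys as xKeys or eKeys as in Section 3.1, and realizes the proof of knowledge of $(r_1, r_2)$ with the Damgård-Fazio-Nicolosi compilation of Section 3.2 applied to the standard $\Sigma$-protocol for the representation $K = K_1^{r_1} K_2^{r_2} \bmod N^2$ (first message $a = K_1^{\rho_1} K_2^{\rho_2}$, responses $z_i = \rho_i + e\,r_i$, check $K_1^{z_1} K_2^{z_2} = a K^e$). Everything not stated in the paper is an assumption of this example: the key sizes (96-bit committer primes, 168-bit verifier primes), the 64-bit challenge $e$, the size of the masks $\rho_i$ (chosen so that $z_i$ statistically hides $r_i$ and stays below $N_V$, so that the verifier's decryption returns the integer $z_i$ rather than a reduced value), and the sampling of Paillier randomness from $Z_N^*$ rather than $Z_N$. The parameters are far too small for real use.

```python
import secrets
from math import gcd

BITS, T = 96, 64                # committer prime size; DFN challenge bits (toy values, an assumption)
RHO_BITS = 2 * BITS + T + 40    # DFN mask rho_i, far larger than e*r_i (assumption)

def is_probable_prime(n, rounds=32):    # Miller-Rabin with random bases
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def paillier_keygen(bits):               # Gen(1^k): returns (N, lambda); lambda stands in for (p, q)
    p, q = random_prime(bits), random_prime(bits)
    while q == p or gcd(p * q, (p - 1) * (q - 1)) != 1:
        q = random_prime(bits)
    return p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def rand_unit(N):                        # r in Z_N^* (the paper writes Z_N; r^N needs r to be a unit)
    while True:
        r = secrets.randbelow(N)
        if r and gcd(r, N) == 1:
            return r

def psi(N, k, r):                        # psi(k, r) = (1+N)^k r^N mod N^2, Paillier encryption of k
    return pow(1 + N, k, N * N) * pow(r, N, N * N) % (N * N)
def decrypt(N, lam, c):                  # Paillier decryption with the trapdoor lambda
    return (pow(c, lam, N * N) - 1) // N * pow(lam, -1, N) % N
def is_xkey(N, lam, K):                  # xKey: psi(k, r) with k != 0; eKey: k == 0
    return decrypt(N, lam, K) != 0

def crs_gen(bits=BITS):                  # Phase 1: sigma = (N, K1, K2) with K1, K2 xKeys; tau = lambda
    N, lam = paillier_keygen(bits)
    K1, K2 = psi(N, rand_unit(N), rand_unit(N)), psi(N, rand_unit(N), rand_unit(N))
    return (N, K1, K2), lam

def verifier_register():                 # DFN registered key of P_j: (N_V, lambda_V) and c = E_V(e)
    NV, lamV = paillier_keygen(168)      # N_V > 2^(RHO_BITS+1) > z_i, so z_i never wraps (assumption)
    e = secrets.randbits(T)
    return (NV, psi(NV, e, rand_unit(NV))), (NV, lamV, e)

def dfn_prove(crs, r1, r2, vpub):
    """Prover: a = K1^rho1 K2^rho2; Z_i = E_V(rho_i) * c^r_i decrypts to z_i = rho_i + e*r_i."""
    N, K1, K2 = crs
    NV, c = vpub
    rho1, rho2 = secrets.randbits(RHO_BITS), secrets.randbits(RHO_BITS)
    a = pow(K1, rho1, N * N) * pow(K2, rho2, N * N) % (N * N)
    Z1 = psi(NV, rho1, rand_unit(NV)) * pow(c, r1, NV * NV) % (NV * NV)
    Z2 = psi(NV, rho2, rand_unit(NV)) * pow(c, r2, NV * NV) % (NV * NV)
    return a, Z1, Z2

def dfn_verify(crs, K, pok, vsec):
    """Verifier decrypts Z_i and runs the Sigma-protocol check K1^z1 K2^z2 == a * K^e mod N^2."""
    N, K1, K2 = crs
    NV, lamV, e = vsec
    a, Z1, Z2 = pok
    z1, z2 = decrypt(NV, lamV, Z1), decrypt(NV, lamV, Z2)
    return pow(K1, z1, N * N) * pow(K2, z2, N * N) % (N * N) == a * pow(K, e, N * N) % (N * N)

def commit(crs, m, vpub):
    """Phase 2: K = K1^r1 K2^r2, PoK for (r1, r2), C = K^m r_m^N mod N^2; the opening is (m, r_m)."""
    N, K1, K2 = crs
    r1, r2 = secrets.randbelow(N), secrets.randbelow(N)
    K = pow(K1, r1, N * N) * pow(K2, r2, N * N) % (N * N)
    rm = rand_unit(N)
    C = pow(K, m % N, N * N) * pow(rm, N, N * N) % (N * N)
    return (K, dfn_prove(crs, r1, r2, vpub), C), (m % N, rm)

def open_check(crs, vsec, com, opening):
    """Phase 3: P_j checks PoK, then C == K^m r_m^N mod N^2; False stands for the paper's bottom output."""
    N, (K, pok, C), (m, rm) = crs[0], com, opening
    return dfn_verify(crs, K, pok, vsec) and C == pow(K, m, N * N) * pow(rm, N, N * N) % (N * N)

def run_demo(m=0x5EC12E7):
    """One honest session: (honest opening accepted, opening to m+1 rejected, K is an xKey)."""
    crs, lam = crs_gen()
    vpub, vsec = verifier_register()
    com, (m, rm) = commit(crs, m, vpub)
    return (open_check(crs, vsec, com, (m, rm)),
            open_check(crs, vsec, com, (m + 1, rm)), is_xkey(crs[0], lam, com[0]))
```

On a correct run `run_demo()` returns `(True, False, True)`: the honest opening is accepted, an opening to $m+1$ with the same $r_m$ is rejected, and the committer's $K$ is an xKey (the event $k_1 r_1 + k_2 r_2 \equiv 0 \bmod N$ has probability about $1/N$). The receiver's challenge $e$ must stay secret; the conditions under which a single $c = E_{pk_V}(e)$ may serve many proofs are those of (Damgård et al., 2006), not something this example establishes.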
3.4 The Proof of Security
Theorem. The non-interactive string-commitment protocol $\pi$ achieves UC-security in the presence of adaptive adversaries in the reusable common-reference-string model, assuming that the underlying Paillier public-key encryption scheme is semantically secure and that the underlying Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge in the registered public-key model.
Proof. We describe the ideal-model adversary $S$, which comprises the following six simulation steps (S.1 - S.6):
S.1): At the outset, the simulator $S$ prepares a common reference string $\sigma'$ by invoking the key generation algorithm of the underlying Paillier encryption scheme, which outputs $(pk', sk')$. Given $pk'$, $S$ randomly selects two ciphertexts $K'_1 \in \mathcal{C}$ and $K'_2 \in \mathcal{C}$ from the ciphertext space $\mathcal{C}$. Let $\sigma' = (pk', K'_1, K'_2)$. The trapdoor string $\tau'$ is $sk'$. The simulator keeps $\tau'$ secret and broadcasts $\sigma'$ to all participants.
S.2): If at some point in the execution the environment $Z$ writes a message $(\mathrm{commit}, sid, cid, P_i, P_j, m)$ on the tape of the uncorrupted party $P_i$, then the ideal-world simulator $S$, who cannot read the actual message $m$, generates a simulated view of the real-world committer $P_i$ via the following computations:
- On input $\sigma'$, $S$ extracts $(k'_1, r'_{k_1})$ and $(k'_2, r'_{k_2})$ from the common reference string $\sigma'$ with the help of the auxiliary string $sk'$. Note that $K'_1$ and $K'_2$ are chosen uniformly at random; as a result, $K'_1$ and $K'_2$ are xKeys with overwhelming probability.
- $S$ randomly chooses $r'_1 \in Z_N$ and computes $r'_2 \in Z_N$ from the equation $k'_1 r'_1 + k'_2 r'_2 = 0 \bmod N$. Let $K' = K_1'^{\,r'_1} K_2'^{\,r'_2} \bmod N^2$; by construction $K'$ is an eKey.
- $S$ then invokes the Damgård-Fazio-Nicolosi non-interactive zero-knowledge protocol $\tilde{\Sigma}$ and proves to $P_j$ knowledge of $(r'_1, r'_2)$ such that $K' = K_1'^{\,r'_1} K_2'^{\,r'_2} \bmod N^2$. Let $\mathrm{PoK}'$ be the transcript generated by the Damgård-Fazio-Nicolosi non-interactive zero-knowledge protocol $\tilde{\Sigma}$ for this statement.
- $S$ randomly selects $m'$ and $r'_m$ and sets $C' = K'^{\,m'} E_{pk'}(0, r'_m)$.
The simulator $S$ then tells the real-world adversary $A$ that $P_i$ has sent $(K', \mathrm{PoK}', C')$ to $P_j$.
S.3): If at some point in the execution $Z$ instructs the uncorrupted party $P_i$ to open the commitment, i.e., $(\mathrm{open}, sid, cid, P_i, P_j, m)$, $S$ learns $m$ via the functionality $F_{mcom}$ and then modifies the internal state of $(K', \mathrm{PoK}', C')$ such that $(K', \mathrm{PoK}', C')$ looks like a genuine commitment to the string $m \in Z_N$ from the point of view of the environment $Z$. That is:
- (equivocation) Since $K' = K_1'^{\,r'_1} K_2'^{\,r'_2} \bmod N^2$ is an eKey (recall that the simulator randomly selects $r'_1 \in Z_N$ and then computes $r'_2$ from the equation $k'_1 r'_1 + k'_2 r'_2 = 0 \bmod N$), the simulator $S$ must provide $(m, r_m)$ such that $C' = K'^{\,m'} E_{pk'}(0, r'_m) = K'^{\,m} E_{pk'}(0, r_m)$. This is an easy task since $S$ knows the trapdoor string $sk'$, and hence the trapdoor string of the eKey $K'$.
S.4): If the simulated adversary $A$ lets the corrupted party $P_i$ send $(\mathrm{commit}, sid, cid, P_i, P_j, (K', \mathrm{PoK}', C'))$ to an honest party $P_j$: given $K'$ and $\mathrm{PoK}'$, the simulator $S$ checks the validity of $\mathrm{PoK}'$. If the check passes, $S$ performs the following computations:
- (extraction) $S$ first extracts $k'$ from $K'$ with the help of the secret key $sk'$; $S$ then extracts $k' \times m' \bmod N$ from $C'$ with the help of the secret key $sk'$, and recovers $m'$ as $(k')^{-1} \cdot (k' m') \bmod N$. Finally, $S$ sends the extracted message $m'$ to the functionality $F_{mcom}$.
S.5): If $A$ tells the corrupted party $P_i$ to open a valid commitment $C'$ correctly with message $m'$, then $S$ compares $m'$ with the previously extracted message and stops if they differ; otherwise, $S$ sends $(\mathrm{open}, sid, cid, P_i, P_j)$ in the name of the party to the functionality $F_{mcom}$. If $P_i$ is supposed to decommit incorrectly, then $S$ also sends an incorrect opening to the functionality.
S.6): Whenever the simulated $A$ demands to corrupt a party, $S$ corrupts this party in the ideal model and learns all internal information of the party. $S$ first adapts the possible decommitment information for the previously given but not yet opened commitments of this party, as in the case of an honest party decommitting. After this, $S$ gives all this adjusted information to $A$.
This ends the description of the simulator.
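Worked example. The following Python program is an added illustration of the simulator's two trapdoor operations and is not code from the paper: S.2/S.3 (choose $(r'_1, r'_2)$ with $k'_1 r'_1 + k'_2 r'_2 \equiv 0 \bmod N$ so that $K'$ is an eKey, commit to a dummy $m'$, and later open the same $C'$ to the real $m$ by solving $r_k^{m'} r'_m = r_k^{m} r_m \bmod N$ for $r_m$, where $r_k$ is the trapdoor string of $K'$) and S.4 (decrypt an xKey $K$ and the commitment $C$ to recover $m$). It uses a fixed toy Paillier modulus built from the Mersenne primes $2^{31}-1$ and $2^{61}-1$ (an assumption, chosen so that the block runs stand-alone without a key-generation routine), and repeats the few lines of Paillier arithmetic for the same reason. The proof of knowledge is not simulated, since $S$ knows $(r'_1, r'_2)$ and simply runs the honest prover.

```python
import secrets
from math import gcd

# Toy Paillier instance with fixed, certainly-prime factors (assumption: illustration only).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)         # the simulator's trapdoor sk'

def psi(k, r):                                       # psi(k, r) = (1+N)^k r^N mod N^2
    return pow(1 + N, k, N2) * pow(r, N, N2) % N2
def dec(c):                                          # Paillier decryption: psi(k, r) -> k
    return (pow(c, LAM, N2) - 1) // N * pow(LAM, -1, N) % N
def rand_unit():                                     # uniform element of Z_N^*
    while True:
        r = secrets.randbelow(N)
        if r and gcd(r, N) == 1:
            return r

def sim_crs():
    """S.1: sigma' = (K1', K2') are random ciphertexts; with sk' the simulator also knows (k_i, r_k_i)."""
    k1, rk1, k2, rk2 = rand_unit(), rand_unit(), rand_unit(), rand_unit()
    return (psi(k1, rk1), psi(k2, rk2)), (k1, rk1, k2, rk2)

def sim_commit(crs, trap):
    """S.2: pick r1' at random and r2' with k1 r1' + k2 r2' = 0 mod N, so that
    K' = K1'^r1' K2'^r2' = (rk1^r1' rk2^r2')^N = psi(0, rho) is an eKey; commit to a dummy m'."""
    K1, K2 = crs
    k1, rk1, k2, rk2 = trap
    r1 = secrets.randbelow(N)
    r2 = -k1 * r1 * pow(k2, -1, N) % N               # needs gcd(k2, N) = 1, which rand_unit guarantees
    K = pow(K1, r1, N2) * pow(K2, r2, N2) % N2
    rho = pow(rk1, r1, N) * pow(rk2, r2, N) % N      # trapdoor string r_k of the eKey K' (K' = rho^N)
    m_dummy, rm = secrets.randbelow(N), rand_unit()
    C = pow(K, m_dummy, N2) * pow(rm, N, N2) % N2    # C' = K'^{m'} E(0, r_m')
    return (K, C), (rho, m_dummy, rm)

def sim_equivocate(state, m):
    """S.3: with K' = rho^N, C' = (rho^m' r_m')^N = (rho^m r_m)^N for r_m = rho^(m'-m) r_m' mod N."""
    rho, m_dummy, rm = state
    return m, pow(rho, m_dummy - m, N) * rm % N      # negative exponent = modular inverse (Python 3.8+)

def sim_extract(K, C):
    """S.4: K = psi(k, .), C = K^m r^N = psi(k*m, .); decrypt both and divide by k.
    An eKey (k = 0) or a non-unit k cannot be extracted from; the proof relies on K being an xKey."""
    k = dec(K)
    if gcd(k, N) != 1:
        return None
    return dec(C) * pow(k, -1, N) % N

def honest_commit(crs, m):
    """A committer following Section 3.3 with fresh r1, r2 (the PoK is omitted here)."""
    K1, K2 = crs
    K = pow(K1, secrets.randbelow(N), N2) * pow(K2, secrets.randbelow(N), N2) % N2
    return K, pow(K, m, N2) * pow(rand_unit(), N, N2) % N2

def run_demo(real_m=123456789, adv_m=987654321):
    """Returns (simulated commitment opens to real_m and K' is an eKey,
    message extracted from a real commitment, extraction attempt on the equivocable one)."""
    crs, trap = sim_crs()
    (K, C), state = sim_commit(crs, trap)
    m, rm = sim_equivocate(state, real_m)
    opens = C == pow(K, m, N2) * pow(rm, N, N2) % N2 and dec(K) == 0
    Ka, Ca = honest_commit(crs, adv_m)
    return opens, sim_extract(Ka, Ca), sim_extract(K, C)
```

On a correct run `run_demo()` returns `(True, 987654321, None)`: the simulated $C'$ opens to the message learned from $F_{mcom}$ although it was formed with a different $m'$, the message of a committer who used an xKey is recovered from $K$ and $C$ alone, and extraction from the eKey commitment fails, which is why the argument in Section 3.4 needs $K$ to be an xKey with overwhelming probability in the real protocol.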
We first show that the distribution of the public key $pk$ generated by the protocol $\pi$ is identical to that of the public key $pk'$ generated by the simulator. The random variables $(K_1, K_2)$ in $\pi$ are xKeys. The random variables $(K'_1, K'_2)$ generated by the simulator are random ciphertexts. It follows that the distribution of the common reference string $\sigma = (pk, K_1, K_2)$ generated in the protocol $\pi$ is computationally indistinguishable from the distribution of the common reference string $\sigma' = (pk', K'_1, K'_2)$ generated by the simulator.
We then show that the distribution of the view in the protocol $\pi$ is computationally indistinguishable from that of the simulation, assuming that Paillier's encryption scheme is semantically secure and the Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge. Let $(K, \mathrm{PoK}, C)$ be the random variables generated in $\pi$ and $(K', \mathrm{PoK}', C')$ be the random variables generated by the simulator. Note that $K$ is an xKey in $\pi$ (with overwhelming probability) while $K'$ is an eKey in the simulation (with overwhelming probability). Also notice that $C$ is an xKey in $\pi$ (with overwhelming probability) while $C'$ is an eKey in the simulation (with overwhelming probability). Since Paillier's encryption scheme is semantically secure, it follows that the random variables $(K, C)$ and $(K', C')$ are computationally indistinguishable.
Since the Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge, it follows that the distributions of the random variables PoK and $\mathrm{PoK}'$ are indistinguishable. As a result, the random variables $(K, \mathrm{PoK}, C)$ and $(K', \mathrm{PoK}', C')$ are computationally indistinguishable, assuming that Paillier's encryption scheme is semantically secure and the Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge.
Finally, recall that the simulator computes $r_m$ from the equation $r_k^{m'} r'_m = r_k^{m} r_m \bmod N$, where $r_k$ is the trapdoor string of the eKey $K'$. The distribution of the random variable $(m, r_m)$ in $\pi$ is identical to the distribution of the opening generated by the simulator. As such, the distribution of the view $((K, \mathrm{PoK}, C), (m, r_m))$ generated by the protocol $\pi$ is computationally indistinguishable from the view $((K', \mathrm{PoK}', C'), (m, r_m))$ generated by the simulator. As a result, $\mathrm{IDEAL}_{F_{mcom},S,Z}$ is computationally indistinguishable from $\mathrm{REAL}_{\pi,A,Z}$.
4 CONCLUSIONS
In this paper, an adaptive and composable non-interactive string-commitment protocol has been presented and analyzed. We have shown that the proposed commitment protocol realizes universally composable security in the presence of adaptive adversaries in the reusable common reference string model, assuming that the underlying Paillier public-key encryption scheme is semantically secure and that the underlying Damgård-Fazio-Nicolosi non-interactive protocol is zero-knowledge in the registered public-key model.
REFERENCES
Barak, B., Canetti, R., Nielsen, J., and Pass, R. (2004). Universally composable protocols with relaxed set-up assumptions. In FOCS. IEEE.
Blum, M. (1981). Coin flipping by telephone. In CRYPTO.
Brassard, G., Chaum, D., and Crépeau, C. (1988). Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. Elsevier.
Camenisch, J. and Shoup, V. (2003). Practical verifiable encryption and decryption of discrete logarithms. In CRYPTO. Springer.
Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In FOCS. IEEE.
Canetti, R., Dodis, Y., Pass, R., and Walfish, S. (2007). Universally composable security with global setup. In TCC. Springer.
Canetti, R. and Fischlin, M. (2001). Universally composable commitments. In CRYPTO. Springer.
Canetti, R., Lindell, Y., Ostrovsky, R., and Sahai, A. (2002). Universally composable two-party and multi-party secure computation. In STOC. ACM.
Damgård, I. (1989). On the existence of bit commitment schemes and zero-knowledge proofs. In CRYPTO. Springer.
Damgård, I., Fazio, N., and Nicolosi, A. (2006). Non-interactive zero-knowledge from homomorphic encryption. In TCC. Springer.
Damgård, I. and Groth, J. (2003). Non-interactive and reusable non-malleable commitment schemes. In STOC. ACM.
Damgård, I. and Jurik, M. (2001). A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In PKC. Springer.
Damgård, I. and Nielsen, J. (2002). Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In CRYPTO. Springer.
Galil, Z., Haber, S., and Yung, M. (1987). Cryptographic computation: Secure fault-tolerant protocols and the public-key model. In CRYPTO. Springer.
Goldreich, O. (2001). Foundations of Cryptography, Volume 1. Cambridge University Press, 1st edition.
Goldreich, O. (2004). Foundations of Cryptography, Volume 2. Cambridge University Press, 1st edition.
Goldreich, O., Micali, S., and Wigderson, A. (1987). How to play any mental game or a completeness theorem for protocols with honest majority. In STOC. ACM.
Goldwasser, S., Micali, S., and Rivest, R. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput.
Naor, M. (1991). Bit commitment using pseudorandomness. J. Cryptology. Springer.
Naor, M., Ostrovsky, R., Venkatesan, R., and Yung, M. (1992). Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. In CRYPTO. Springer.
Nishimaki, R., Fujisaki, E., and Tanaka, K. (2009). Efficient non-interactive universally composable string-commitment schemes. In ProvSec. Springer.
Paillier, P. (1999). Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT. Springer.
Peikert, C. and Waters, B. (2008). Lossy trapdoor functions and their applications. In STOC. ACM.
Zhu, H. (2009). New constructions for reusable, non-erasure and universally composable commitments. In ISPEC. Springer.