UNIVERSALLY COMPOSABLE NON-COMMITTING
ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE ADVERSARIES
Huafei Zhu
1
, Tadashi Araragi
2
, Takashi Nishide
3
and Kouichi Sakurai
3
1
Institute for Infocomm Research, A-STAR, Singapore
2
NTT Communication Science Laboratories, Kyoto, Japan
3
Department of Computer Science and Communication Engineering, Kyushu University, Fukuoka, Japan
Keywords:
Adaptive security, Decisional Diffie-Hellman assumption, Non-committing encryptions, Oblivious sampling
and faking algorithms.
Abstract:
Designing non-committing encryptions tolerating adaptive adversaries is a challenging task. In this paper,
a simple implementation of non-committing encryptions is presented and analyzed in the strongest security
model. We show that the proposed non-committing encryption scheme is provably secure against adaptive
adversaries in the universally composable framework assuming that the decisional Diffie-Hellman problem is
hard.
1 NON-COMMITTING
ENCRYPTIONS
Informally, a non-committing encryption protocol is
an encrypted communication that allows a simulator
to open a ciphertext to any plaintextit desires and sim-
ulate the real world adversary’s view before and after
a player is corrupted. Nielsen (Nielsen, 2002) shows
that no non-interactive communication protocol can
be adaptively secure in the asynchronous model.
Beaver and Haber’s protocol (Beaver and Haber,
1992) realizes the functionality of non-commitment
encryption schemes in the erasure model. That is, if
one is willing to trust honest parties can erase sensi-
tive information such that the adversary can find no
trace of it, should he break in, then such adaptively
secure multi-party computation of any function can
be efficiently realized. Subsequently, Beaver (Beaver,
1997) proposed a much simpler scheme based on the
decisional Diffie-Hellman assumption with expansion
factor O(k). The non-committing encryptions pre-
sented in (Beaver, 1997) and (Beaver and Haber,
1992) are designed and analyzed in the stand-alone,
simulation-based framework.
Canetti, Feige, Goldreich and Naor (Canetti et al.,
1996) proposed the first non-committing encryptions
based on so called common-domainpermutations (the
stand-alone non-committing encryption presented in
(Canetti et al., 1996) is secure against adaptive
adversary in the universally composable framework,
see Section 6.3 of (Canetti, 2005) for more details).
To encrypt 1 bit, Θ(k
2
) public key bits are com-
municated. Damg˚ard and Nielsen (Damg˚ard and
Nielsen, 2000) proposed generic constructions of
non-committing encryption schemes based on so
called simulatable public-key encryption schemes in
the universally composable framework (a detailed
analysis of the protocol presented in (Damg˚ard and
Nielsen, 2000) is available in Section 4 of (Nielsen,
2003)). Roughly speaking, a public-key encryption
scheme is simulatable if, in addition to the normal
key generation algorithm procedure, there is an
algorithm to generate a public key without knowing
the corresponding secret key. Moreover, it must be
possible to sample efficiently a random ciphertext
without getting to know the corresponding plaintext.
They showed that a non-committing encryption
scheme can be constructed from any semantically
secure and simulatable public-key system. Although
the Damg˚ard and Nielsen’s construction (Damg˚ard
and Nielsen, 2000) is general, the cost of computation
is expensive since one should obliviously generate
a pair of public keys to communicate 1-bit in open
networks.
Very recently, Choi, Soled, Malkin and
Wee (S.Choi et al., 2009) have presented a new
implementation of non-committing encryptions
389
Zhu H., Araragi T., Nishide T. and Sakurai K. (2010).
UNIVERSALLY COMPOSABLE NON-COMMITTING ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE ADVERSARIES.
In Proceedings of the International Conference on Security and Cryptography, pages 389-398
DOI: 10.5220/0002985003890398
Copyright
c
SciTePress
based on a weaker notion (called trapdoor sim-
ulatable cryptosystems). The idea behind their
construction is that − on input a security parameter
k, a receiver first generates total 4k public keys
where the first k public keys are generated by a
key generation algorithm of the underlying trapdoor
simulatable encryption scheme while the rest 3k
public keys are generated by an oblivious sampling
algorithm. To encrypt a bit b, the sender sends
4k ciphertexts of which k are encrypted b and the
remaining 3k ones are obliviously sampled. Although
the non-committing encryption scheme in (S.Choi
et al., 2009) is at the expense of higher computation
and communication of the Damg˚ard and Nielsen’s
protocol (Damg˚ard and Nielsen, 2000), such an
implementation is definitely interesting since the
subtle failure model in (Damg˚ard and Nielsen, 2000)
is eliminated (i.e., the scheme presented in (S.Choi
et al., 2009) is round-optimal) in their framework.
1.1 This Work
This paper studies non-committing encryptions in the
UC-framework of Canetti. We will show that the pro-
posed non-committing encryption scheme is provably
secure against adaptive adversaries in the universally
composable framework assuming that the decisional
Diffie-Hellman problem is hard.
An Overview of the Protocol. The proposed
non-committing encryption protocol comprises two
phases: a channel setup phase and a communication
phase. The idea behind our construction is simple: to
set up a secure channel, a sender S first picks a ran-
dom bit α ∈ {0, 1}, and then selects a Diffie-Hellman
quadruple e
α
and a garbled quadruple e
1−α
and send
(e
0
, e
1
) to a receiver R. Given (e
0
, e
1
), the receiver
R picks a selection string f
β
and a garbled string
f
1−β
, and then obliviously selects 1-out-of-2 quadru-
ples with the help of the selection string f
β
. If e
α
is
selected, then a secure channel is established; Other-
wise, S and R retry the channel setup procedure.
Main Result. We claim that the non-commitment
protocol π presented in Section 4 realizes the univer-
sally composable security in the presence of adap-
tive adversaries assuming that the Decisional Diffie-
Hellman problem is hard.
The Proof of Security. We will show that for any
real world adversary A there exists an ideal-world ad-
versary S such that no environment Z , on any input,
can tell with non-negligible probability whether it is
interacting with A and players running π, or with S
and F
N
SC
in the ideal executionif the decisional Diffie-
Hellman assumption holds. The core technique ap-
plied to the security proof is a novel application of
oblivious sampling and faking algorithms introduced
and formalized by Canetti and Fischlin in (Canetti and
Fischlin, 2001). Roughly speaking, an oblivious fak-
ing algorithm fake takes g ∈ G as input and outputs
a string r
g
∈ {0, 1}
2|p|
. An oblivious sampling algo-
rithm sample takes r ∈
U
{0, 1}
2|p|
as input and out-
puts an element r
G
∈ G. The oblivious sampling and
faking algorithms engaged in the security proof bene-
fit a PPT simulator to generate subgroup elements of
G ⊆ Z
∗
p
uniformly at random and interprets a Diffie-
Hellman quadruple e
α
as a garbled quadruple e
1−α
.
The oblivious sampling and faking algorithms also
benefit the simulator to interpret a random selection
string as a garbled string. As a result, no environment
Z , on any input, can tell with non-negligible prob-
ability whether it is interacting with A and players
running π, or with S and F
N
SC
in the ideal execution if
the decisional Diffie-Hellman assumption holds.
Efficiency. Our scheme requires 3 messages to
communicate k encrypted bits, where k is the security
parameter. The total communication is O(k) Diffie-
Hellman quadruples and garbled quadruples and O(k)
selection strings and garbled strings and k bits (the
communication of the final k bits of the communica-
tion depend on the actual messages to be sent). Thus,
our universally composably secure non-committing
encryption protocol is as efficient as the stand-alone,
simulation-based(but the notion of environmentis de-
fined in their security definition and the proof of the
protocols) protocol by Beaver (Beaver, 1997) − the
most efficient implementation of non-committing en-
cryptions so far.
Road-map. The rest of this paper is organized
as follows: In Section 2, the building blocks are
sketched;The functionality and security definition of
non-committing encryption protocols are presented
in Section 3. In Section 4, a new non-committing
encryption scheme is proposed and analyzed in the
universally composable framework in the presence of
adaptive adversaries. We conclude our work in Sec-
tion 5.
2 PRELIMINARIES
We assume that a reader is familiar with the
standard notion of universally composable frame-
work (Canetti, 2001). The oblivious sampling and
SECRYPT 2010 - International Conference on Security and Cryptography
390
faking algorithms described below are due to Canetti
and Fischlin (Canetti and Fischlin, 2001). The two al-
gorithms combined together allow a simulator to con-
struct a fake transcript to the environment Z in such
a way that the simulator can open this transcript to
the actual inputs that the simulator receives from the
functionality when the parties get corrupted, a core
task to prove the security of protocols against adap-
tive adversaries in the universally composable secu-
rity model.
The Canetti-Fischlin Oblivious Sampling Algo-
rithm. Let p =wq+1 for some w not divisible by q,
and G is a cyclic group of order q in Z
∗
p
. The Canetti-
Fischlin oblivious sampling algorithm sample takes
r ∈ {0, 1}
2|p|
as input and outputs an element r
G
∈ G
via the following computations
• the sampling algorithm sample chooses a string
r ∈ {0, 1}
2|p|
uniformly at random, where |p| be
the bit length of the prime number p.
• Let r
p
= r mod p and r
G
=r
w
p
mod p.
Lemma 1 (Due to (Canetti and Fischlin, 2001)).
Let X = [X = x : x ∈
U
G], and Y = [Y = y : y ←
sample(r), r ∈
U
{0, 1}
2|p|
], then the distributions be-
tween two random variables X and Y are statistically
indistinguishable.
The Canetti-Fischlin Oblivious Faking Algorithm.
Let p =wq+ 1 for some w not divisible by q, and G is
a cyclic group of order q in Z
∗
p
. The Canetti-Fischlin
oblivious faking algorithm fake takes a random ele-
ment h ∈ G as input and outputs r
h
∈ {0, 1}
2|p|
via the
following computations
• On input h ∈ G, the faking algorithm fake picks
a random integer i ∈ Z
w
. Let h
p
= h
x
g
iq
mod p,
where xw ≡ 1 mod q;
• Let r
h
= Len(
∑
j∈Z
p
jp + h
p
), where Len(x) de-
notes the bit length of an integer x.
Lemma 2 (due to (Canetti and Fischlin, 2001))
Let X = [X = x : x ∈
U
{0, 1}
2|p|
], and Y = [Y = y :
y ← fake(g), g ∈
U
G], then the distributions between
two random variables X and Y are statistically indis-
tinguishable.
2.1 The Decisional Diffie-Hellman
Assumption
Let p = 2q + 1 and p, q be large prime numbers. Let
G ⊆ Z
∗
p
be a cyclic group of order q. Let g be a ran-
dom generator of G. For any 0 6= x ∈ Z
q
, we define
DLog
G
(x) ={(g, g
x
) : g ∈ G}. On input (g
1
, h
1
) ∈
DLog
G
(x
1
), and (g
2
, h
2
) ∈ DLog
G
(x
2
), a mapping φ
called Naor-Pinkas randomizer is defined below:
φ((g
1
, g
2
, h
1
, h
2
)×(s, t)) = (g
s
1
g
t
2
mod p, h
s
1
h
t
2
mod p)
where s, t ∈
U
Z
q
Denote u= g
s
1
g
t
2
mod p and v =h
s
1
h
t
2
mod p. Naor
and Pinkas (Moni Naor, 2001) have shown that
• if x
1
= x
2
(=x), then (u, v) is uniformly random in
DLog
G
(x);
• if x
1
6= x
2
, then (u, v) is uniformly random in G
2
.
3 NON-COMMITTING
ENCRYPTIONS:
FUNCTIONALITY AND
SECURITY DEFINITION
The notion of non-committing encryption scheme in-
troduced in (Canetti et al., 1996) is a protocol used to
realize secure channel in the presence of an adaptive
adversary. In particular, this means that a simulator
can build a fake transcript to the environment Z , in
such a way that the simulator can open this transcript
to the actual inputs, that the simulator receives from
the functionality when the parties get corrupted.
Let N be a non-information oracle which is a PPT
Turing machine that captures the information leaked
to the adversary in the ideal-world. That is, N is
the oracle which takes (Send, sid, P, m) as input and
outputs (Send, sid, P, |m|). Let ChSetup be a chan-
nel setup command which on inputs (ChSetup, sid, S)
produces no output and (Corrupt, sid, P) be a cor-
ruption command which takes (Corrupt, sid, P) pro-
duces no output. The functionality of non-committing
encryption secure channels defined below is due to
Garay, Wichs and Zhou (Garay et al., 2009).
The ideal functionality F
N
SC
Channel setup: upon receiving an input
(ChSetup, sid, S) from party S, initialize the ma-
chine N and record the tuple (sid, N ). Pass the
message (ChSetup, S) to R. In addition, pass this
message to N and forward its output to S ;
Message transfer: Upon receiving an input
(Send, sid, P, m) from party P, where P ∈ {S, R}, find
a tuple (sid, N ), and if none exists, ignore the mes-
sage. Otherwise, send the message (Send, sid, P, m)
to the other party P ={S, R} \ {P}. In addition, in-
voke N with (Send, sid, P, m) and forwards its output
(Send, sid, P, |m|) to the adversary S .
Corruption: Upon receiving a message
(Corrupt, sid, P) from the adversary S , send
UNIVERSALLY COMPOSABLE NON-COMMITTING ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE
ADVERSARIES
391
(Corrupt, sid, P) to N and forward its output to
the adversary. After the first corruption, stop execu-
tion of N and give the adversary S complete control
over the functionality.
Definition (due to (Garay et al., 2009)). We
call the functionality F
N
SC
a non-committing encryp-
tion secure channel. A real-world protocol π which
realizes F
N
SC
is called a non-committing encryption
scheme.
4 NON-COMMITTING
ENCRYPTION
In this section, we first describe an implementation
of non-committing schemes based on the decisional
Diffie-Hellman problem, and then show that the pro-
posed scheme realizes UC-security in the presence of
adaptive adversaries.
4.1 Description of Non-committing
Encryption Scheme
The non-committing encryption protocol comprises
two phases: a channel setup phase and a communica-
tion phase. To set up a secure channel, S prepares two
quadruples e
0
and e
1
, where e
α
is a Diffie-Hellman
quadrupleand e
1−α
is a garbled quadruple, α ∈ {0, 1}.
S now let a receiver R to choose 1-out-of-2 quadru-
ples. If e
α
is selected, a secure channel has been set
up between two parties; Otherwise, S and R retry the
channel setup procedure. The details of protocol are
depicted below.
Initialization the environment Z invokes a system key
generation algorithm G which takes security parame-
ter k as input and outputs (p, q, G), where p is a large
safe prime number (i.e., p=2q + 1, q is a prime num-
ber) and G is a cyclic group with order q.
Channel setup: To set up a secure channel, a sender
S and a receiver R jointly perform the following com-
putations
• On input (p, q, G), S chooses α ∈
U
{0, 1} and per-
forms the following computations
– S generates a random Diffie-Hellman quadru-
ple (g
1,α
, g
2,α
, h
1,α
, h
2,α
), where g
1,α
and g
2,α
are two random generators of G, and h
1,α
and
h
2,α
are two elements in G such that h
1,α
=
g
sk
α
1,α
mod p, and h
2,α
= g
sk
α
2,α
mod p, where
sk
α
∈
U
Z
q
. Let e
α
= (g
1,α
, g
2,α
, h
1,α
, h
2,α
).
– S picks a quadruple (g
1,1−α
, g
2,1−α
, h
1,1−α
,
h
2,1−α
) ∈ G
4
uniformly at random. Let e
1−α
=(g
1,1−α
, g
2,1−α
, h
1,1−α
, h
2,1−α
).
– S sends (e
0
, e
1
) to R.
• Upon receiving (e
0
, e
1
), R checks the conditions
1 6= g
i, j
∈ G and 1 6= h
i, j
∈ G (i =1, 2, j =0, 1),
if any of the conditions are violated, R outputs
⊥; Otherwise, R performs the following compu-
tations
– R chooses β ∈
U
{0, 1} and s
β
, t
β
∈
U
Z
q
and
then computes u
β
= g
s
β
1,β
g
t
β
2,β
mod p and v
β
=h
s
β
1,β
h
t
β
2,β
mod p. Let f
β
= (u
β
, v
β
) and τ
β
=(s
β
, t
β
).
– R picks u
1−β
∈ G and v
1−β
∈ G uniformly at
random. Let f
1−β
=(u
1−β
, v
1−β
).
– R sends ( f
0
, f
1
) to S;
• Upon receiving ( f
0
, f
1
), parsing f
0
as (u
0
, v
0
) and
f
1
as (u
1
, v
1
), S checks that 1 6= u
i
∈ G and 1 6=
v
i
∈ G (i =0, 1), if any of the conditions are vi-
olated, S outputs ⊥; Otherwise, S further checks
the condition v
α
?
= u
sk
α
α
mod p.
– If v
α
6= u
sk
α
α
mod p, S sends b =0 to R and retries
the channel setup procedure;
– If v
α
= u
sk
α
α
mod p, S sends b =1 to R and con-
tinues the message transfer step below.
Message transfer: On input m ∈ {0, 1} and α, S com-
putes m⊕ α. Let c =m⊕ α. S then sends c to R. Upon
receiving a ciphertext c
′
, R obtains m
′
by computing
c
′
⊕ β.
4.2 The Proof of Security
Theorem. Assuming that the Decisional Diffie-
Hellman problem is hard in G, the non-commitment
protocol π depicted above realizes universally com-
posable security in the presence of adaptive adver-
saries.
Proof. There are four cases defined in the follow-
ing proof, depending on when the real world adver-
sary A makes its first corruption request (and thus the
proof is tedious):
• Case 1: the real world adversary A makes its first
corruption request after a secure channel has been
set up successfully;
• Case 2: the real world adversary A makes its first
corruption request after the sender S has received
R’s first message;
• Case 3: the real world adversary A makes its first
corruption request after S has generated its first
message, but before S receives R’s first message;
SECRYPT 2010 - International Conference on Security and Cryptography
392
• Case 4: the real world adversary A makes its first
corruption request before any messages are gen-
erated.
We show that in each case above there exists an
ideal-world adversary S such that no environment Z ,
on any input, can tell with non-negligible probability
whether it is interacting with A and players running
π, or with S and F
N
SC
in the ideal execution if the de-
cisional Diffie-Hellman assumption holds.
To simplify the description of a simulator, we omit
the explicit description of the non-information oracle
N here and what follows since the non-commitment
encryption scheme described in this paper is a well-
structured protocol (informally, a well-structured pro-
tocol requires the message sizes and the number of
rounds are completely determined by the protocol
and are independent of the input values or random
coins of the parties. For the details definition of
well-structured protocol, please refer to (Garay et al.,
2009)). We here and what follows, also omit the ex-
plicit checks that the simulator has seen the previous
steps of the protocol.
Case 1. The first corruption occurs after a secure
channel has been set up successfully. If the real world
adversary A makes its first corruption request after a
secure channel has been set up successfully, an ideal
world adversary S must simulate any of the follow-
ing three cases: 1) the first corruption occurs after R
has received c; or 2) the first corruption occurs after
S has generated c, but before R receives c; or 3) the
first corruption occurs before S generates c. The cor-
responding simulator S is described as follows.
• Step 1: S first picks g
i,0
∈
U
G, g
i,1
∈
U
G,
sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
, and then computes
h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p, i
=1, 2. Let e
0
=(g
1,0
, g
2,0
, h
1,0
, h
2,0
) and e
1
=
(g
1,1
, g
2,1
, h
1,1
, h
2,1
). S keeps the auxiliary strings
sk
0
and sk
1
secret.
• Step 2: S then picks s
i
∈
U
Z
q
and t
i
∈
U
Z
q
, and
computes u
i
= g
s
i
1,i
g
t
i
2,i
mod p, v
i
=h
s
i
1,i
h
t
i
2,i
mod p.
Let f
i
= (u
i
, v
i
), i =0, 1. S keeps the auxiliary
strings (s
0
, t
0
) and (s
1
, t
1
) secret.
• Step 3: S outputs a bit b (=1).
Case 1.1. the first corruption occurs after R has re-
ceived c; If a party P ∈ {S, R} gets corrupted, S cor-
rupts the corresponding dummy party
e
P and obtains
m. Let γ =m ⊕ c. Following the steps (Step 1, Step 2
and Step 3) above, we further consider subcases be-
low:
Case 1.1.1. If the sender S gets corrupted in the
first corruption, S invokes the faking algorithm fake
which takes S’s internal state r
S
as input and inter-
prets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated
with the auxiliary string sk
γ
and interprets e
1−γ
as
a garbled quadruple r
e
1−γ
. That is, the faking al-
gorithm fake interprets g
i, j
∈ G as a string r
g
i, j
∈
{0, 1}
2|p|
and h
i, j
∈ G as a string r
h
i, j
∈ {0, 1}
2|p|
(i
=1, 2, j =0, 1). Let r
e
γ
= (r
g
1,γ
, r
g
2,γ
, r
h
1,γ
, r
h
2,γ
) and
r
e
1−γ
= (r
g
1,1−γ
, r
g
2,1−γ
, r
h
1,1−γ
, r
h
2,1−γ
). The auxiliary
string sk
γ
is associated with r
e
γ
such that (r
g
1,γ
, r
h
1,γ
)
∈ Dlog(sk
γ
) and (r
g
2,γ
, r
h
2,γ
) ∈ Dlog(sk
γ
) (Note that
given a string r
g
i, j
∈ {0, 1}
2|p|
, the corresponding
group element g
i, j
∈ G can be efficiently reconstructed
by applying the Canetti-Fischlin’s sampling algo-
rithm). S reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
If R gets corrupted in the second corruption, S
modifies the receiver’s internal state r
R
before it is
revealed to A . That is, S first invokes the faking al-
gorithm fake which takes R’s internal state r
R
as in-
put and interprets f
γ
(=(u
γ
, v
γ
)) as a selection string
r
f
γ
(=(r
u
γ
, r
v
γ
)) associated with the auxiliary string
(s
γ
, t
γ
) and interpreted f
1−γ
(=(u
1−γ
, v
1−γ
)) as a gar-
bled string r
f
1−γ
(=(r
u
1−γ
, r
v
1−γ
)). S reveals (r
f
0
, r
f
1
)
and (s
γ
, t
γ
) to A .
Case 1.1.2. When R gets corrupted in the first cor-
ruption, S corrupts the dummy party
e
R in the ideal
world and obtains m. S then invokes the faking algo-
rithm fake which takes R’s internal state r
R
as input
and interprets f
γ
as a selection string r
f
γ
associated
with the auxiliary string (s
γ
, t
γ
) and interprets f
1−γ
as
a garbled string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and (s
γ
, t
γ
)
to A .
If S gets corrupted in the second corruption, S cor-
rupts the dummy party
e
S in the ideal world and ob-
tains m. S invokes the faking algorithm fake which
takes r
S
as input and interprets e
γ
as a Diffie-Hellman
quadruple r
e
γ
associated with the auxiliary string sk
γ
and interprets e
1−γ
as a garbled string r
e
1−γ
. S reveals
(r
e
0
, r
e
1
), sk
γ
and m to A .
Case 1.2. The first corruption occurs after S has gen-
erated c, but before R receives c; Following the steps
(Step 1, Step 2 and Step 3) above, we further consider
subcases below:
Case 1.2.1. If S gets corrupted in the first corrup-
tion after it has generated c, but before R receives c.
S corrupts the dummy party
e
S in the ideal world and
obtains m. Let γ = c ⊕ m. S invokes the faking al-
gorithm fake which takes r
S
as input and interprets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated with the
auxiliary string sk
γ
and interprets e
1−γ
as a garbled
string r
e
1−γ
. S reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
If the second corruption occurs before R receives
a ciphertext c
′
(the received ciphertetxt c
′
may not be
UNIVERSALLY COMPOSABLE NON-COMMITTING ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE
ADVERSARIES
393
the same as the ciphertext c generated by S since the
real-world adversary A may change the ciphertext c).
S invokes the faking algorithm fake which takes r
R
as
input and interprets f
γ
as a selection string r
f
γ
asso-
ciated with the auxiliary string (s
γ
, t
γ
) and interprets
f
1−γ
as a garbled string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and
(s
γ
, t
γ
) to A .
If the second corruption occurs after R has re-
ceived a ciphertext c
′
. The simulator invokes fake
which takes r
R
as input and interprets f
γ
as a selec-
tion string associated with the auxiliary string (s
γ
, t
γ
)
and interprets f
1−γ
as a garbled string. Let m
′
=γ⊕ c
′
.
S reveals (r
f
0
, r
f
1
), (s
γ
, t
γ
) and m
′
to A .
Case 1.2.2. If the receiver R gets corrupted in the
first corruption, S corrupts the corresponding dummy
party
e
R and obtains β. Let γ =β. S invokes the fak-
ing algorithm fake which takes R’s internal state r
R
as
input and interprets f
γ
as a selection string r
f
γ
asso-
ciated with the auxiliary string (s
γ
, t
γ
) and interprets
f
1−γ
as a garbled string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and
(s
γ
, t
γ
) to A .
If the second corruption occurs, S corrupts the
corresponding dummy party
e
S and obtains m. S then
invokes the faking algorithm fake which takes r
S
as
input and interprets e
γ
as a Diffie-Hellman quadruple
r
e
γ
associated with the auxiliary string sk
γ
and inter-
prets e
1−γ
as a garbled string r
e
1−γ
. S reveals (r
e
0
, r
e
1
),
sk
γ
and m to A .
Case 1.3. The first corruption occurs before S gener-
ates c; Following the simulation steps (Step 1, Step 2
and Step 3) above, we consider the following two sub-
cases:
Case 1.3.1. If the sender S gets corrupted in the
first corruption, S corrupts the corresponding dummy
party
e
S in the ideal world and obtains m. S picks a
random bit γ ∈ {0, 1} uniformly at random. Let α = γ
and β =γ. S invokes the faking algorithm fake which
takes r
S
as input and interprets e
γ
as a Diffie-Hellman
quadruple r
e
γ
associated with the auxiliary string sk
γ
and interprets e
1−γ
as a garbled quadruple r
e
1−γ
. S
reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
If R gets corrupted in the second corruption, S in-
vokes the faking algorithm fake which takes R’s in-
ternal state r
R
as input and interprets f
γ
as a selection
string r
f
γ
associated with the auxiliary string (s
γ
, t
γ
)
and interprets f
1−γ
as a garbled string r
f
1−γ
. S reveals
(r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A .
Case 1.3.2. If the receiver R gets corrupted in the
first corruption, S picks a bit γ ∈ {0, 1} uniformly at
random and then invokes the faking algorithm fake
which takes r
R
as input and interprets f
γ
as a se-
lection string r
f
γ
associated with the auxiliary string
(s
γ
, t
γ
) and interprets f
1−γ
as a garbled string r
f
1−γ
. S
reveals(r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A .
If S gets corrupted in the second corruption, S cor-
rupts the corresponding dummy party
e
S and obtains
m. S invokes the faking algorithm fake which takes r
S
as input and interprets e
γ
as a Diffie-Hellman quadru-
ple r
e
γ
associated with the auxiliary string sk
γ
and in-
terprets e
1−γ
as a garbled quadruple r
e
1−γ
. The simu-
lator reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
Case 2. The first corruption occurs after the sender
S has received R’s first message. If the real world ad-
versary A makes its first corruption after the sender S
has received R’s first message ( f
0
, f
1
), the constructed
ideal world adversary S must simulate any of the fol-
lowing three subcases: 1) the first corruption occurs
after S has generated b and R has received b; or 2)
the first corruption occurs after S has generated b, but
before R receives b; or 3) the first corruption occurs
before S generates b. We describe the corresponding
simulator S below
• Step 1: S picks g
i,0
∈
U
G, g
i,1
∈
U
G, sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
, and then computes h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p. Let e
i
=(g
1,i
, g
2,i
, h
1,i
, h
2,i
), i =1, 2. S keeps the auxiliary
strings sk
0
and sk
1
secret.
• Step 2: S picks s
i
∈ Z
q
and t
i
∈ Z
q
uniformly at
random, and then computes u
i
= g
s
i
1,i
g
t
i
2,i
mod p, v
i
=h
s
i
1,i
h
t
i
2,i
mod p. Let f
i
= (u
i
, v
i
), i =0, 1. S keeps
the auxiliary strings (s
0
, t
0
) and (s
1
, t
1
) secret.
Case 2.1. The first corruption occurs after the sender
S has received ( f
0
, f
1
) and R has received a bit b. Fol-
lowing the simulation steps (Step 1 and Step 2) above,
we further consider subcases below:
Case 2.1.1. If b=1 and a party P ∈ {S, R} gets cor-
rupted in the first corruption, the corresponding sim-
ulator can be constructed exactly as that described in
Case 1.
Case 2.1.2. If b=0 and if the sender S gets cor-
rupted in the first corruption, the simulator S cor-
rupts the corresponding dummy party
e
S in the ideal
world and obtains m. S then chooses a random bit
γ ∈
U
{0, 1}. Let α =γ and β =1−γ. S invokes the fak-
ing algorithm fake which takes r
S
as input and inter-
prets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated
with the auxiliary string sk
γ
and interprets e
1−γ
as a
garbled quadruple r
e
1−γ
and reveals (r
e
0
, r
e
1
), sk
γ
and
m to the real world adversary A .
If the receiver R gets corrupted in the second cor-
ruption, S invokes fake which takes r
R
as input and in-
terprets f
1−γ
as a selection string r
f
1−γ
associated with
the auxiliary string (s
1−γ
, t
1−γ
) and interprets f
γ
as a
garbled string r
f
γ
and reveals (r
f
0
, r
f
1
) and (s
1−γ
, t
1−γ
)
to A .
SECRYPT 2010 - International Conference on Security and Cryptography
394
Case 2.1.3. If b=0 and if the receiver R gets cor-
rupted in the first corruption, S picks a bit γ ∈ {0, 1}
uniformly at random and sets β =γ and α =1 − γ. S
invokes the faking algorithm fake which takes r
R
as
input and interprets f
γ
as a selection string r
f
γ
asso-
ciated with the auxiliary string (s
γ
, t
γ
) and interprets
f
1−γ
as a garbled string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and
(s
γ
, t
γ
) to A .
If the sender S gets corrupted in the second cor-
ruption, the simulator S corrupts the corresponding
dummy party
e
S in the ideal world and obtains m. S
then interprets e
1−γ
as a Diffie-Hellman quadruple
r
e
1−γ
associated with the auxiliary string sk
1−γ
and in-
terprets e
γ
as a garbled quadruple r
e
γ
. S then reveals
(r
e
0
, r
e
1
), sk
1−γ
and m to A .
Case 2.2. The first corruption occurs after S has re-
ceived ( f
0
, f
1
) and S has generated b but before R
receives the bit b. Following the simulation steps
(Step 1 and Step 2) above, we further consider sub-
cases below:
Case 2.2.1. If S gets corrupted in the first cor-
ruption and if b =1, S corrupts a dummy party
e
S and
obtains m. S then picks a bit γ ∈
U
{0, 1}. Let α =γ
and β =γ. S invokes the faking algorithm fake which
takes r
S
as input and interprets e
γ
as a Diffie-Hellman
quadruple r
e
γ
associated with the auxiliary string sk
γ
and interprets e
1−γ
as a garbled quadruple r
e
1−γ
. S
reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
If the receiver R gets corrupted before R receives
the bit b (=1) in the second corruption, S invokes fake
algorithm which takes r
R
as input and interprets f
γ
as a selection string r
f
γ
associated with the auxiliary
string (s
γ
, t
γ
) and interprets f
1−γ
as a garbled string
r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A . If the re-
ceiver R gets corrupted after it has received a bit b
′
(the generated bit might be changed by A ) in the sec-
ond corruption, the corresponding simulator can be
constructed exactly as that described in Case 2.1.
Case 2.2.2. If R gets corrupted in the first cor-
ruption and if b=1, S picks a random bit γ ∈
U
{0, 1}
and sets β =γ and α =γ. S interprets f
γ
as a selection
string r
f
γ
associated with the auxiliary string (s
γ
, t
γ
)
and interprets f
1−γ
as a garbled string r
f
1−γ
. S reveals
(r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A
If S gets corrupted in the second corruption, S cor-
rupts the dummy party
e
S and obtains m. S then inter-
prets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated
with the auxiliary string sk
γ
and interprets e
1−γ
as a
garbled quadruple r
e
1−γ
. S reveals (r
e
0
, r
e
1
), sk
γ
and m
to A .
Case 2.2.3. If S gets corrupted in the first cor-
ruption and if b =0, S corrupts a dummy party S and
obtains m and picks a bit γ ∈ {0, 1} uniformly at ran-
dom. Let α =γ and β =1 − γ. S invokes the faking
algorithm fake which takes r
S
as input and interprets
e
γ
as a Diffie-Hellman quadruple r
e
γ
associated with
the auxiliary string sk
γ
and interprets e
1−γ
as a garbled
quadruple r
e
1−γ
. S reveals (r
e
0
, r
e
1
), sk
γ
and m to A .
If the receiver R gets corrupted before it receives a
bit b
′
in the second corruption, S interprets f
1−γ
a se-
lection string r
f
1−γ
associated with the auxiliary string
(s
1−γ
, t
1−γ
) and interprets f
γ
as a garbled string r
f
γ
. S
reveals the randomness (r
f
0
, r
f
1
), (s
1−γ
, t
1−γ
) to A . If
the receiver R gets corrupted after it has received a
bit b
′
, the simulator can be constructed exactly as that
described in Case 2.1.
Case 2.2.4. If R gets corrupted in the first cor-
ruption and if b=0, S picks a random bit γ ∈ {0, 1}
uniformly at random and sets β =γ and α =1−γ. S in-
terprets f
γ
as a selection string r
f
γ
associated with the
auxiliary string sk
γ
and interprets f
1−γ
as a garbled
string r
f
1−γ
. S then reveals (r
f
0
, r
f
1
), (s
γ
, t
γ
) to A . If
S gets corrupted in the second corruption, S corrupts
e
S and obtains m, and then interprets e
1−γ
as a Diffie-
Hellman quadruple r
e
1−γ
associated with the auxiliary
string sk
1−γ
and interprets e
γ
as a garbled quadruple
r
e
γ
. S reveals (r
e
0
, r
e
1
), sk
1−γ
and m to A .
Case 2.3. The first corruption occurs after the sender
S has received ( f
0
, f
1
), but before S generates b. Fol-
lowing the simulation steps (Step 1 and Step 2) above,
S picks a bit b ∈ {0, 1} uniformly at random. We fur-
ther consider the following subcases
Case 2.3.1. If S gets corrupted in the first corrup-
tion and if b =1, the corresponding simulator S can be
constructed exactly as that described in Case 2.2.1;
Case 2.3.2. If R gets corrupted in the first corrup-
tion and if b =1, the corresponding simulator S can be
constructed exactly as that described in Case 2.2.2;
Case 2.3.3. If S gets corrupted in the first corrup-
tion and if b= 0,the corresponding simulator S can be
constructed exactly as that described in Case 2.2.3;
Case 2.3.4. If R gets corrupted in the first corrup-
tion and if b = 0, the corresponding simulator S can
be constructed exactly as that described in Case 2.2.4.
Case 3. The first corruption occurs after S has gen-
erated its first message, but before it receives R’s first
message. If the real world adversary A makes its first
corruption request after S has generated its first mes-
sage, but before it receives R’s first message, an ideal
world adversary S must simulate any of the follow-
ing subcases: 1) the first corruption occurs after R has
received (e
0
, e
1
) and have generated its first message
( f
0
, f
1
) but before S receives it; or 2) the first cor-
ruption occurs after R has received (e
0
, e
1
) but before
R generates ( f
0
, f
1
); or 3) the first corruption occurs
after S has generated its first message, but before R
UNIVERSALLY COMPOSABLE NON-COMMITTING ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE
ADVERSARIES
395
receives S’ first message.
Case 3.1. If the first corruption occurs after R has re-
ceived (e
0
, e
1
) and R has generated ( f
0
, f
1
) but before
S receives it. The corresponding simulator S can be
constructed as follows.
• Step 1: S picks g
i,0
∈
U
G, g
i,1
∈
U
G, sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
, and then computes h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p, i =1,
2. Let e
0
=(g
1,0
, g
2,0
, h
1,0
, h
2,0
) and e
1
=
(g
1,1
, g
2,1
, h
1,1
, h
2,1
). S keeps the auxiliary strings
sk
0
and sk
1
secret.
• Step 2: S then picks s
i
∈
U
Z
q
and t
i
∈
U
Z
q
,
and then computes u
i
= g
s
i
1,i
g
t
i
2,i
mod p, v
i
=h
s
i
1,i
h
t
i
2,i
mod p. Let f
i
= (u
i
, v
i
), i =0, 1. S keeps
the auxiliary strings (s
0
, t
0
) and (s
1
, t
1
) secret.
Following the simulation steps (Step 1 and Step 2)
above, we consider the following subcases:
Case 3.1.1. If S gets corrupted in the first cor-
ruption, S corrupts the corresponding dummy party
e
S
in the ideal world and obtains m. S then picks a bit
γ ∈
U
{0, 1} uniformly at random and sets α= γ; S in-
vokes the faking algorithm fake which takes r
S
as in-
put and interprets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated with the auxiliary string sk
γ
and interprets
e
1−γ
as a garbled quadruple r
e
1−γ
. S reveals (r
e
0
, r
e
1
),
sk
γ
and m to A .
If R gets corrupted in the second corruption, S
chooses a bit b ∈
U
{0, 1} uniformly at random. We
further consider the following cases
• if b = 1, then let β =γ. S invokes the faking algo-
rithm fake which takes r
R
as input and interprets
f
γ
as a selection string r
f
γ
associated with the aux-
iliary string (s
γ
, t
γ
) and interprets f
1−γ
as a garbled
string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A .
• if b =0, then let β = 1 − γ. S invokes the fak-
ing algorithm fake which takes r
R
as input and in-
terprets f
1−γ
as a selection string r
f
1−γ
associated
with the auxiliary string (s
1−γ
, t
1−γ
) and interprets
f
γ
as a garbled string r
f
γ
. S reveals (r
f
0
, r
f
1
) and
(s
1−γ
, t
1−γ
) to A .
Case 3.1.2. If R gets corrupted in the first corrup-
tion, S picks a bit γ ∈
U
{0, 1} uniformly at random
and sets β= γ; S invokes the faking algorithm fake
which takes r
R
as input and interprets f
γ
as a selection
string r
f
γ
associated with the auxiliary string (s
γ
, t
γ
)
and interprets f
1−γ
as a garbled string r
f
1−γ
. S reveals
(r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A .
If the sender S gets corrupted in the second corrup-
tion, S chooses a bit b ∈
U
{0, 1} uniformly at random.
We further consider the following cases
• if b = 1, let β =γ. S invokes the faking algorithm
fake which takes r
R
as input and interprets f
γ
as
a selection string r
f
γ
associated with the auxiliary
string (s
γ
, t
γ
) and interprets f
1−γ
as a garbled string
r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and (s
γ
, t
γ
) to A .
• if b =0, let β = 1 − γ. S invokes the faking al-
gorithm fake which takes r
R
as input and inter-
prets f
1−γ
as a selection string r
f
1−γ
associated
with the auxiliary string (s
1−γ
, t
1−γ
) and interprets
f
γ
as a garbled string r
f
γ
. S reveals (r
f
0
, r
f
1
) and
(s
1−γ
, t
1−γ
) to A .
Case 3.2. If the first corruption occurs after R has
received (e
0
, e
1
) but before R generates ( f
0
, f
1
), the
corresponding simulator S can be constructed as fol-
lows.
• Step 1: S picks g
i,0
∈
U
G, g
i,1
∈
U
G, sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
uniformly at random, and then
computes h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p,
i =1, 2. Let e
0
=(g
1,0
, g
2,0
, h
1,0
, h
2,0
) and e
1
=
(g
1,1
, g
2,1
, h
1,1
, h
2,1
). S keeps the auxiliary strings
sk
0
and sk
1
secret.
Following the simulation Step 1 above, we further
consider subcases below:
Case 3.2.1. If the sender S gets corrupted in the
first corruption, S corrupts the corresponding dummy
party
e
S in the ideal world and obtains m. S then picks
a bit γ ∈ {0, 1} uniformly at random and sets α= γ;
S invokes the faking algorithm fake which takes r
S
as
input and interprets e
γ
as a Diffie-Hellman quadruple
r
e
γ
associated with the auxiliary string sk
γ
and inter-
prets e
1−γ
as a garbled quadruple r
e
1−γ
. S reveals m,
(r
e
0
, r
e
1
) and sk
γ
to A .
• if R gets corrupted before it generates ( f
0
, f
1
) in
the second corruption, S reveals R’s internal state
r
R
to A ; The rest of simulation is trivial since both
parties have already corrupted.
• if R gets corrupted after it has generated ( f
0
, f
1
)
in the second corruption, S picks a bit b ∈ {0, 1}
uniformly at random
1) if b = 1, S invokes the faking algorithm fake
which takes r
R
as input and interprets e
γ
as a
Diffie-Hellman quadruple r
e
γ
associated with the
auxiliary string sk
γ
and interprets e
1−γ
as a garbled
quadruple r
e
1−γ
. S reveals (r
e
0
, r
e
1
) and sk
γ
to A .
2) if b = 0, S invokes the faking algorithm fake
which takes r
R
as input and interprets e
1−γ
as
a Diffie-Hellman quadruple r
e
1−γ
associated with
the auxiliary string sk
1−γ
and interprets e
γ
as a gar-
bled quadruple r
e
γ
. S reveals (r
e
0
, r
e
1
) and sk
1−γ
to A .
SECRYPT 2010 - International Conference on Security and Cryptography
396
Case 3.2.2. If the receiver R gets corrupted in the
first corruption, S simply reveals r
R
to A .
• if S gets corrupted before it obtains ( f
′
0
, f
′
1
) in the
second corruption, S corrupts the corresponding
dummy party
e
S in the ideal world and obtains
m. S picks a bit γ ∈ {0, 1} uniformly at random
and sets α= γ. S invokes the faking algorithm
fake which takes r
S
as input and interprets e
γ
as a
Diffie-Hellman quadruple r
e
γ
associated with the
auxiliary string sk
γ
and interprets e
1−γ
as a garbled
quadruple r
e
1−γ
. S reveals m, (r
e
0
, r
e
1
) and sk
γ
to
A .
• if S gets corrupted after it has received ( f
′
0
, f
′
1
) in
the second corruption. We consider the following
two cases:
1) if ( f
′
0
, f
′
1
) is not well-defined, i.e., any of the
conditions 1 6= u
i
∈ G and 1 6= v
i
∈ G (i =0, 1) are
violated, S picks a bit b ∈ {0, 1} uniformly at ran-
dom. If b = 1, let α =γ; if b =0, let α =1− γ. The
rest work of simulator is same as that described in
Case 2.1.
2) if ( f
′
0
, f
′
1
) is well-defined, i.e., 1 6= u
i
∈ G and
1 6= v
i
∈ G (i =0, 1), S picks a bit b ∈ {0, 1} uni-
formly at random. If b = 1, let β =γ; If b = 0, let β
=1− γ. The rest work of simulator is same as that
described in Case 2.1.
Case 3.3. If the first corruption occurs after S has
generated (e
0
, e
1
) but before R receives it, the corre-
sponding simulator S can be constructed as follows.
• Step 1: S picks g
i,0
∈
U
G, g
i,1
∈
U
G, sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
, and then computes h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p, i =1,
2. Let e
0
=(g
1,0
, g
2,0
, h
1,0
, h
2,0
) and e
1
=
(g
1,1
, g
2,1
, h
1,1
, h
2,1
). S keeps the auxiliary strings
sk
0
and sk
1
secret.
Following the simulation Step 1 above, we further
consider subcases below:
Case 3.3.1. If S gets corrupted in the first corrup-
tion, S picks a bit γ ∈ {0, 1} uniformly at random and
sets α= γ; S invokes the faking algorithm fake which
takes r
S
as input and interprets e
γ
as a Diffie-Hellman
quadruple r
e
γ
associated with the auxiliary string sk
γ
and interprets e
1−γ
as a garbled quadruple r
e
1−γ
. S
reveals m, (r
e
0
, r
e
1
) and sk
γ
to A .
• if R gets corrupted before it receives (e
′
0
, e
′
1
) in the
second corruption, S reveals R’s internal state r
R
to A . The rest of simulation is trivial since both
parties have already got corrupted.
• if R gets corrupted after it has received (e
′
0
, e
′
1
). If
(e
′
0
, e
′
1
) is not well-defined, i.e., any of the condi-
tions 1 6= g
i, j
∈ G and 1 6= h
i, j
∈ G (i =1, 2, j =0,
1) are violated, then S reveal r
R
to A ; If (e
′
0
, e
′
1
)
is well-defined, i.e., 1 6= g
i, j
∈ G and 1 6= h
i, j
∈ G
(i =1, 2, j =0, 1), S picks a random bit γ ∈ {0, 1}
and sets α = γ. The rest work of S is same as that
described in Case 3.2.
Case 3.3.2. If R gets corrupted in the first corrup-
tion, S reveals R’s internal state r
R
to A . If S gets
corrupted in the second corruption, we consider the
following two cases:
• if ( f
′
0
, f
′
1
) has not been received, S picks a ran-
dom bit γ ∈
U
{0, 1} and sets α =γ. S then invokes
the faking algorithm fake which takes r
S
as input
and interprets e
γ
as a Diffie-Hellman quadrupler
e
γ
associated with the auxiliary string sk
γ
and inter-
prets e
1−γ
as a garbled quadruple. S reveals m,
(r
e
0
, r
e
1
) and sk
γ
to the real world adversary A .
• if ( f
′
0
, f
′
1
) has been received, and if ( f
′
0
, f
′
1
) is not
well-defined, the rest work of S is same as that
described in Case 3.2; if ( f
′
0
, f
′
1
) has been re-
ceived and if ( f
′
0
, f
′
1
) is well-defined, S can be
constructed exactly as that described in Case 2.3.
Case 4. The first corruption occurs before (e
0
, e
1
) has
been generated. If A makes its first request before S
generates (e
0
, e
1
), the corresponding simulator S can
be constructed as follows.
Case 4.1. If S gets corrupted in the first corruption,
S corrupts the corresponding dummy party
e
S in the
ideal world and obtains m. S reveals its internal state
r
S
together with its input m to A .
• if R gets corrupted before R generates ( f
0
, f
1
) in
the second corruption, S reveals R’s internal state
r
R
to A .
• if R gets corrupted after R has generated ( f
0
, f
1
)
in the second corruption, S picks a bit γ ∈
U
{0, 1}
uniformly at random and sets β = γ. S invokes
the faking algorithm fake which takes r
R
as input
and interprets f
γ
as a selection string r
f
γ
associated
with the auxiliary string (s
γ
, t
γ
) and interprets f
1−γ
as a garbled string r
f
1−γ
. S reveals (r
f
0
, r
f
1
) and
(s
γ
, t
γ
) to A .
Case 4.2. If R gets corrupted in the first corruption,
the corresponding simulator S can be constructed as
follows.
• Step 1: S picks g
i,0
∈
U
G, g
i,1
∈
U
G, sk
0
∈
U
Z
q
and sk
1
∈
U
Z
q
, and then computes h
i,0
= g
sk
0
i,0
mod p, h
i,1
= g
sk
1
i,1
mod p, i =1,
2. Let e
0
=(g
1,0
, g
2,0
, h
1,0
, h
2,0
) and e
1
=
(g
1,1
, g
2,1
, h
1,1
, h
2,1
). S keeps the auxiliary strings
sk
0
and sk
1
secret.
UNIVERSALLY COMPOSABLE NON-COMMITTING ENCRYPTIONS IN THE PRESENCE OF ADAPTIVE
ADVERSARIES
397
Following Step 1 above, S corrupts the corre-
sponding dummy party
e
R in the ideal world and re-
veals R’s internal state r
R
to A . If S gets corrupted in
the second corruption, we further consider subcases
below:
• if S gets corrupted before R generates ( f
′
0
, f
′
1
), or
if S gets corrupted after R has generated ( f
′
0
, f
′
1
),
but before S receives ( f
′
0
, f
′
1
), S corrupts the cor-
responding dummy party
e
S in the ideal world and
obtains m. S picks a random bit γ ∈ {0, 1} uni-
formly at random and sets α =γ. S invokes the
faking algorithm fake which takes r
S
as input and
interprets e
γ
as a Diffie-Hellman quadruple r
e
γ
as-
sociated with the auxiliary string sk
γ
and inter-
prets e
1−γ
as a garbled quadruple r
e
1−γ
. S reveals
(r
e
0
, r
e
1
), sk
γ
and m to A .
• if S gets corrupted after S has received ( f
′
0
, f
′
1
), we
further consider the following two cases:
- 1) if ( f
′
0
, f
′
1
) is not well-defined, S picks a ran-
dom bit γ ∈
U
{0, 1} and sets α =γ. S then invokes
the faking algorithm fake which takes r
S
as input
and interprets e
γ
as a Diffie-Hellman quadruple r
e
γ
associated with the auxiliary string sk
γ
and inter-
prets e
1−γ
as a garbled quadruple r
e
1−γ
. S reveals
m, (r
e
0
, r
e
1
) and sk
γ
to A .
- 2) if ( f
′
0
, f
′
1
) is well-defined, S further checks v
′
i
?
= u
′
i
sk
i
for i =0, 1. If both indices are invalid,
S does the same procedure in the above case and
reveals m, (r
e
0
, r
e
1
) and sk
γ
to A . If there exists
an index i satisfied with the check condition, S
picks a bit b ∈ {0, 1} uniformly at random. If
b=1, then let α =i. S invokes the faking algorithm
fake which takes r
S
as input and interprets e
γ
as a
Diffie-Hellman quadruple r
e
γ
associated with the
auxiliary string sk
γ
and interprets e
1−γ
as a garbled
quadruple r
e
1−γ
. S reveals m, (r
e
0
, r
e
1
) and sk
γ
to
A . If b = 0, let α =1 − i. S invokes the faking
algorithm fake which takes r
S
as input and inter-
prets e
1−γ
as a random Diffie-Hellman quadruple
r
e
1−γ
associated with the auxiliary string sk
1−γ
and
interprets e
γ
as a garbled quadruple. S reveals m,
(r
e
0
, r
e
1
) and sk
1−γ
to A .
By the DDH assumption, we know that the distribu-
tion of random variable e
γ
is computationally indis-
tinguishable from that of e
1−γ
. Due to the random-
ness of Naor-Pinkas randomizer, the distribution of
random variable f
γ
is computationally indistinguish-
able from that of f
1−γ
. This means that REAL
π,A ,Z
and IDEAL
F ,S ,Z
are computationally indistinguish-
able in all cases. As a result, the real-world protocol
π realizes F
N
SC
.
5 CONCLUSIONS
In this paper, a new implementation of non-
committing encryptions has been presented and an-
alyzed. We have shown that the proposed non-
committing encryption scheme realizes the UC-
security in the presence of adaptive adversary as-
suming that the decisional Diffie-Hellman problem is
hard.
REFERENCES
Beaver, D. (1997). Plug and play encryption. In CRYPTO.
Springer.
Beaver, D. and Haber, S. (1992). Cryptographic protocols
provably secure against dynamic adversaries. In EU-
ROCRYPT. Springer.
Canetti, R. (2001). a new paradigm for cryptographic pro-
tocols. In FOC. IEEE.
Canetti, R. (2005). Universally composable security: A
new paradigm for cryptographic protocols. In ePrint.
eprinter.iacr.org.
Canetti, R., Feige, U., Goldreich, O., and Naor, M. (1996).
Adaptively secure multi-party computation. In STOC.
IEEE.
Canetti, R. and Fischlin, M. (2001). a new paradigm for
cryptographic protocols. In CRYPTO. Springer.
Damg˚ard, I. and Nielsen, J. (2000). Improved non-
committing encryption schemes based on a general
complexity assumption. In CRYPTO. Springer.
Garay, J., Wichs, D., and Zhou, H. (2009). Somewhat non-
committing encryption and efficient adaptively secure
oblivious transfer. In CRYPTO. Springer.
Moni Naor, B. P. (2001). Efficient oblivious transfer proto-
cols. In SODA. ACM.
Nielsen, J. (2002). Separating random oracle proofs from
complexity theoretic proofs: The non-committing en-
cryption case. In CRYPTO. Springer.
Nielsen, J. (2003). On protocol security in the cryptographic
model. In thesis. www.brics.dk/ jbn/thesis.pdf.
S.Choi, Dachman-Soled, D., Malkin, T., and Wee, H.
(2009). Adaptively secure multi-party computation.
In Asiacrypt. Springer.
SECRYPT 2010 - International Conference on Security and Cryptography
398
