Highly-Efficient Universally-Composable Commitments Based on the DDH Assumption
Yehuda Lindell
Department of Computer Science Bar-Ilang University, Israel [email protected]
Abstract. Universal composability (a.k.a. UC security) provides very strong security guarantees for protocols that run in complex real-world environments. In particular, security is guaranteed to hold when the pro- tocol is run concurrently many times with other secure and possibly inse- cure protocols. Commitment schemes are a basic building block in many cryptographic constructions, and as such universally composable com- mitments are of great importance in constructing UC-secure protocols. In this paper, we construct highly efficient UC-secure commitments from the standard DDH assumption, in the common reference string model. Our commitment stage is non-interactive, has a common reference string with O(1) group elements, and has complexity of O(1) exponentiations for committing to a group element (to be more exact, the effective cost is 1 that of 23 3 exponentiations overall, for both the commit and decommit stages). We present a construction that is secure in the presence of static adversaries, and a construction that is secure in the presence of adaptive adversaries with erasures, where the latter construction has an effective 1 additional cost of just 5 3 exponentiations.
1 Introduction
Background – universal composability and efficiency. Modern crypto- graphic protocols are run in complex environments. Many different secure and insecure protocols are executed concurrently, and some protocols may have been designed specifically to attack others [13]. The classic definitions of security that consider stand-alone executions only do not guarantee security in mod- ern real-world setting. Universal composability (or UC security) is a definitional framework that guarantees security even if the protocol is run concurrently with arbitrarily many other secure and insecure protocols, and even if related inputs are used. More specifically, a UC-secure protocol behaves like an ideal execution (where an incorruptible trusted party carries out the computation for the par- ties) no matter what other protocols are being run by the honest parties at the time.