TY - GEN
T1 - Universally composable commitments
AU - Canetti, Ran
AU - Fischlin, Marc
PY - 2001
Y1 - 2001
N2 - We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an "ideal commitment service," even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately, two-party UC commitment protocols do not exist in the plain model. However, we construct two-party UC commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.
AB - We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an "ideal commitment service," even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately, two-party UC commitment protocols do not exist in the plain model. However, we construct two-party UC commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.
KW - Commitment schemes
KW - Concurrent composition
KW - Non-malleability
KW - Security analysis of protocols
UR - http://www.scopus.com/inward/record.url?scp=84880897758&partnerID=8YFLogxK
U2 - 10.1007/3-540-44647-8_2
DO - 10.1007/3-540-44647-8_2
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:84880897758
SN - 3540424563
SN - 9783540424567
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 19
EP - 40
BT - Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings
A2 - Kilian, Joe
PB - Springer Verlag
T2 - 21st Annual International Cryptology Conference, CRYPTO 2001
Y2 - 19 August 2001 through 23 August 2001
ER -