Cryptology ePrint Archive: Report 2012/379

All-But-Many Encryptions: A New Framework for Fully-Equipped UC Commitments

Eiichiro Fujisaki

Abstract: We present a general framework for constructing non-interactive universally composable (UC) commitment schemes that are secure against adaptive adversaries in the non-erasure model under a re-usable common reference string. Previously, such ``fully-equipped'' UC commitment schemes have been known only in [Canetti-Fischlin: CRYPTO 2001] and [CLOS: STOC2002], with a strict overhead of O(k); meaning that to commit n bits, the communication and computational costs strictly require O(nk), where k denotes the security parameter.

Efficient construction of a fully-equipped UC commitment scheme is a long-standing open problem.

We introduce the notion of all-but-many encryption (ABME), and prove that it is a translation of fully-equipped UC commitment in the primitive level. We propose a compact ABME scheme from the DCR based assumptions and thereby the first fully-equipped UC commitment scheme with optimal expansion factor Omega(1) in communication and computational costs. We also construct a ABME scheme from the DDH assumption with overhead O(k/(logk)). We further present a fully-equipped UC commitment scheme from a weak ABME scheme under the general assumption (where trapdoor permutations exist), which is far more efficient than the previous work under the same assumption.

As a side result, we present an all-but-many lossy trapdoor function (ABM-LTF) from our DCR-based ABME scheme, with a better lossy rate than [Hofheinz: Eurocrypt 2012].

Category / Keywords: public-key cryptography / bit commitment, universal composability

Date: received 5 Jul 2012, last revised 2 Jun 2014

Contact author: fujisaki eiichiro at lab ntt co jp

Available format(s): PDF | BibTeX Citation

Note: Added informative explanation. Corrected security proofs, and replaced a DL based candidate with one with short public key.

Version: 20140602:060033 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]