Cryptology ePrint Archive: Report 2013/588

SPHF-Friendly Non-Interactive Commitments

Michel Abdalla and Fabrice Benhamouda and Olivier Blazy and CÚline Chevalier and David Pointcheval

Abstract: In 2009, Abdalla et al. proposed a reasonably practical password-authenticated key exchange (PAKE) secure against adaptive adversaries in the universal composability (UC) framework. It exploited the Canetti-Fischlin methodology for commitments and the Cramer-Shoup smooth projective hash functions (SPHFs), following the Gennaro-Lindell approach for PAKE. In this paper, we revisit the notion of non-interactive commitments, with a new formalism that implies UC security. In addition, we provide a quite efficient instantiation. We then extend our formalism to SPHF-friendly commitments. We thereafter show that it allows a blackbox application to one-round PAKE and oblivious transfer (OT), still secure in the UC framework against adaptive adversaries, assuming reliable erasures and a single global common reference string, even for multiple sessions. Our instantiations are more efficient than the Abdalla et al. PAKE in Crypto 2009 and the recent OT protocol proposed by Choi~et al. in PKC 2013. Furthermore, the new PAKE instantiation is the first one-round scheme achieving UC security against adaptive adversaries.

Category / Keywords: cryptographic protocols / Commitment, Universal Composability, Password Authentication, Oblivious Transfer, Smooth Projective Hashing

Original Publication (with major differences): IACR-ASIACRYPT-2013

Date: received 11 Sep 2013, last revised 17 Feb 2014

Contact author: fabrice ben hamouda at ens fr

Available format(s): PDF | BibTeX Citation

Note: 2014-02-17: This version provides a more detailed description of our PAKE scheme and its proof. In particular, we describe an additional property of our SPHF-friendly commitment scheme, called strong pseudo-randomness, which is required for the security proof of our PAKE scheme.

Version: 20140217:130030 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]