A Framework for Efficient Fully-Equipped UC Commitments

We present a general framework for constructing non-interactive universally composable (UC) commitmentschemes that are secure against adaptive adversaries in the non-erasure setting under a single re-usable commonreference string. Previously, such “fully-equipped” UC commitment schemes are only known in [8, 9], with anunavoidable overhead of O(κ) in the sense of communication and computational complexities; meaning that tocommit λ bits, the communication and computational costs require O(λκ), where κ denotes the security parame-ter. Efficient construction of a fully-equipped UC commitment scheme was a long-standing open problem. Weintroduce a cryptographic primitive, called all-but-many encryptions (ABMEs), and prove that it is a translation offully-equipped UC commitment in the primitive level. We then construct ABMEs from cryptographic primitivesthat we call a probabilistic pseudo random function family and extractable sigma protocols – the former is a prob-abilistic version of a pseudo random function family and the latter is a special kind of sigma (i.e., canonical 3-roundpublic-coin HVSZK) protocols with some extractability. We provide fully-equipped UC commitment schemes fromABMEs under DDH and DCR-based assumptions, respectively. In particular, the DCR-based scheme is the firstfully-equipped UC commitment scheme with optimal expansion factor Ω(1); to commit κ bits, the communicationand computational costs are Ω(κ). We further construct a fully-equipped UC commitment scheme from a generalassumption (in which trap-door permutations exist), which is far more efficient than the previous construction [9],because, unlike [9], our construction does not require non-interactive zero-knowledge proof systems.