At Eurocrypt 2011, Lindell presented practical static and adaptively UC-secure commitment schemes based on the DDH assumption. Later, Blazy et al. (at ACNS 2013) improved the efficiency of the Lindell's commitment schemes. In this paper, we present static and adaptively UC-secure commitment schemes based on the same assumption and further improve the communication and computational complexity, as well as the size of the common reference string.

This paper presents a new non-interactive string-commitment scheme that achieves universally composable security. Security is proven under the decisional composite residuosity (DCR) assumption (or the decisional Diffie-Hellman (DDH) assumption) in the common reference string (CRS) model. The universal composability (UC) is a very strong security notion. If cryptographic protocols are proven secure in the UC framework, then they remain secure even if they are composed with arbitrary protocols and polynomially many copies of the protocols are run concurrently. Many UC commitment schemes in the CRS model have been proposed, but they are either interactive commitment or bit-commitment (not string-commitment) schemes. We note, however, that although our scheme is the first non-interactive UC string-commitment scheme, a CRS is not reusable. We use an extension of all-but-one trapdoor functions (ABO-TDFs) proposed by Peikert and Waters at STOC 2008 as an essential building block. Our main idea is to extend (original deterministic) ABO-TDFs to probabilistic ones by using the homomorphic properties of their function indices. The function indices of ABO-TDFs consist of ciphertexts of homomorphic encryption schemes (such as ElGamal, and Damgåd-Jurik encryption). Therefore we can re-randomize the output of ABO-TDFs by re-randomization of ciphertexts. This is a new application of ABO-TDFs.

Fair exchange is an important tool to achieve “fairness” of electronic commerce. Several previous schemes satisfy universally composable security which provides security preserving property under complex networks like the Internet. In recent years, as the demand for electronic commerce increases, fair exchange for electronic vouchers (e.g., electronic tickets, moneys, etc.) to obtain services or contents is in the spotlight. The definition of fairness for electronic vouchers is different from that for general electronic items (e.g., the sender must not do duplicate use of exchanged electronic vouchers). However, although there are universally composable schemes for electronic items, there is no previous study for electronic vouchers. In this paper, we introduce a universally composable definition of fair voucher exchange, that is, an ideal functionality of fair voucher exchange. Also, we prove the equivalence between our universally composable definition and the conventional definition for electronic vouchers. Thus, our formulation of the ideal functionality is justified. Finally, we propose a new fair voucher exchange scheme from non-blocking atomic commitment as black-box, which satisfies our security definition and is adequate for mobile environments. By instantiating general building blocks with known practical ones, our scheme can be also practical because it is implemented without trusted third party in usual executions.

KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) were introduced by Shoup to formalize the asymmetric encryption specified for key distribution and the symmetric encryption specified for data exchange in ISO standards on public-key encryption. Shoup defined the "semantic security (IND) against adaptive chosen ciphertext attacks (CCA2)" as a desirable security notion of KEM and DEM, that is, IND-CCA2 KEM and IND-CCA2 DEM. This paper defines "non-malleability (NM)" for KEM, which is a stronger security notion than IND. We provide three definitions of NM for KEM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND for KEM under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and DEM, and shows that IND-CCA2 KEM (or NM-CCA2 KEM) is equivalent to UC KEM and that "IND against adaptive chosen plaintext/ciphertext attacks (IND-P2-C2)" DEM is equivalent to UC DEM.

Password-based authenticated key exchange protocols are more convenient and practical, since users employ human-memorable passwords that are simpler to remember than cryptographic secret keys or public/private keys. Abdalla, Fouque, and Pointcheval proposed the password-based authenticated key exchange protocol in a 3-party model (GPAKE) in which clients trying to establish a secret do not share a password between themselves but only with a trusted server. On the other hand, Canetti presented a general framework, which is called universally composable (UC) framework, for representing cryptographic protocols and analyzing their security. In this framework, the security of protocols is maintained under a general protocol composition operation called universal composition. Canetti also proved a UC composition theorem, which states that the definition of UC-security achieves the goal of concurrent general composition. A server must manage all the passwords of clients when the 3-party password-based authenticated key exchange protocols are realized in large-scale networks. In order to resolve this problem, we propose a hierarchical hybrid authenticated key exchange protocol (H2AKE). In H2AKE, forwarding servers are located between each client and a distribution server, and the distribution server sends the client an authentication key via the forwarding servers. In H2AKE, public/private keys are used between servers, while passwords are also used between clients and forwarding servers. Thus, in H2AKE, the load on the distribution server can be distributed to the forwarding servers concerning password management. In this paper, we define hierarchical hybrid authenticated key exchange functionality. H2AKE is the universal form of the hierarchical (hybrid) authenticated key exchange protocol, which includes a 3-party model, and it has the characteristic that the construction of the protocol can flexibly change according to the situation. We also prove that H2AKE is secure in the UC framework with the security-preserving composition property.