This paper presents a protocol for a statistically-hiding bit commitment, where the sender commits to a bit value without revealing it to the receiver. The protocol is based on the use of approximable-size one-way functions and provides computational binding guarantees. The implementation relies on the concept of balanced one-way functions on range and the construction of universal hash functions.
Reducing Complexity Assumptions for Statistically-Hiding Commitment
Iftach Haitner, Omer Horvitz, Jonathan Katz, Chiu-Yuen Koo, Ruggero Morselli, Ronen Shaltiel
Bit-Commitment (BC)
A two-phase protocol between the sender, S, and the receiver, R.
Commit-phase – S commits to a bit value, b, without revealing its value to R.
Reveal-phase – S reveals b to R and proves that this is the value he had committed to (in the commit-phase).
Bit-Commitment cont. Commit-phase [Figure: S, R and the bit b]
Bit-Commitment cont. Reveal-phase [Figure: R, S and the bit b]
Bit-Commitment cont.
Hiding – R does not learn the value of b during the commit-phase.
Binding – S cannot prove (in the reveal-phase) that he had committed to a different value than the one he had really committed to.
Different Types Of Bit-Commitment
Computationally-hiding perfectly-binding BC: R does not get (through the commit-phase) any computational-knowledge about b. S cannot (whatsoever) “cheat” in the reveal-phase.
Statistically-hiding computationally-binding BC: R does not get any noticeable information about b. A computationally-bounded S cannot “cheat” in the reveal-phase.
Perfectly-hiding computationally-binding BC: R does not get any information about b. …
Different Types Of Bit-Commitment (comparison)
In order to break the computationally-hiding perfectly-binding protocol, R needs to get super-polynomial powers anytime after the commit-phase.
In order to break the statistically-hiding computationally-binding protocol, S needs to get super-polynomial powers before the end of the reveal-phase.
The importance of stat.-hiding comp.-binding BC
• Building block in constructions of Statistically Zero-Knowledge arguments.
• Other cryptographic applications (e.g., Coin-flipping protocols).
Previous Implementations
• What are the minimal general hardness assumptions that yield Statistically-hiding computationally-binding BC?
• Do one-way functions suffice?
• Number theoretic assumptions* (BKK, BCC).
• Claw-free permutations* (GK).
• Collision-resistant hash functions (DPP, HM).
• One-way permutations* (NOVY).
*: Perfectly-hiding.
Our Result
Statistically-hiding computationally-binding BC using approximable-size one-way functions.
Approx.-size OWF – a OWF f is approx.-size if we can efficiently approximate the number of pre-images of any $y \in \mathrm{Im}(f)$.
Any regular OWF is an approx.-size one.
Regular OWF – a OWF f is regular if there exists a constant r s.t. the number of pre-images of any $y \in \mathrm{Im}(f)$ is r.
The NOVY protocol
A BC protocol based on an underlying function $f:\{0,1\}^n \to \{0,1\}^n$
• If f is a permutation then the protocol is perfectly-hiding.
• If f is a permutation and one-way then the protocol is computationally-binding.
Perfectly-hiding computationally-binding BC based on one-way permutations.
One–Way Functions
• One–way function (OWF): $f:\{0,1\}^n \to \{0,1\}^m$ is a OWF if for any ppt A, $\Pr_{x \leftarrow \{0,1\}^n}[A(f(x)) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
• One–way function on range: for any ppt A, $\Pr_{y \leftarrow \mathrm{Image}(f)}[A(y) \in f^{-1}(y)] = \mathrm{neg}(n)$
• Any regular-OWF is also one-way on range.
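(,)-balanced Distribution
D is (,)-balanced:
• For all zBad: $|\Pr_{y \leftarrow D}[y = z] - 1/2^n| \le$ /$2^n$.
• |Bad| $\le$ $2^n$.
• $\Pr_{y \leftarrow D}[y \in \mathrm{Bad}] \le$ .
$f:\{0,1\}^n \to \{0,1\}^m$ is (,)-balanced if $f(U_n)$ is (,)-balanced.
[Figure: the set Bad inside $\{0,1\}^n$]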
Example… [Figure: a distribution D over $\{0,1\}^n$, with the set Bad marked]
• D is (1/4, 1/3)-balanced
-hiding Bit-Commitment
-hiding BC: A BC is -hiding if from R’s point of view, after the commit-phase, the statistical-difference between the cases when b=0 and b=1 is at most .
• A statistically-hiding BC is a neg-hiding BC (neg is a negligible function of n).
The NOVY protocol (restated)
A generic scheme of BC protocol based on an underlying function $f:\{0,1\}^n \to \{0,1\}^m$
• If f is a one-way function on range then the protocol is computationally-binding.
• If f is (,)-balanced then the protocol is (+)-hiding.
• The task: Implementing a balanced one-way function on range using approximable-size OWF.
Universal-Hashing
Let H be a family of functions from $\{0,1\}^n \to \{0,1\}^m$. H is a k-universal hash family if the outputs of a uniformly chosen $h \in H$ on k distinct elements in $\{0,1\}^n$ are k independent random variables in $\{0,1\}^m$.
Hashing Lemma
[Figure: h from $\{0,1\}^n$ to $\{0,1\}^m$, with the set S, a point z and its pre-image $h^{-1}(z)$ marked]
• $h \leftarrow H$, where H is k-universal
Each element in $\{0,1\}^m$ has about the expected number of pre-images w.r.t. h (i.e., $|S| \cdot 2^{-m}$) in S, where the estimation gets better as k and |S| get bigger and m gets smaller.
Balanced One-Way Function On Range From Regular OWF
$g(h,x) \equiv h(f(x)), h$
• $h \leftarrow H$ where H is 3n-universal
• f is an r-regular OWF
[Figure: the sets $\{0,1\}^n$, $\{0,1\}^{l(n)}$, $\{0,1\}^m$ and $\mathrm{Im}(f)$, the maps f and h, the pre-images $h^{-1}(z)$ and $g^{-1}(z)$ of a point z, and $g(U_n)$]
m = ?
• $m = n - \log(r) - \log(cn)$ (c: universal constant)
• $m = n - \log(r)$ ($|\{0,1\}^m| = |\mathrm{Im}(f)|$)
• 3n-universality of H – each $z \in \{0,1\}^m$ has about the same number of pre-images, w.r.t. h, in $\mathrm{Im}(f)$.
• r-regularity of f – each $z \in \{0,1\}^m$ has about the same number of pre-images, w.r.t. g, in $\{0,1\}^n$.
• g is “rather” balanced.
• Danger! If m is too small g is not guaranteed to be one-way.
g is a $(2^{-n}, 1/2)$-balanced one-way on range function.
Claim: g is a $(2^{-n}, 1/2)$-balanced one-way on range function.
• g is $(2^{-n}, 1/2)$-balanced.
• g is one-way – (by our choice of m) a given output element in $\{0,1\}^m$ does not have “too-many” (up to polynomially many) pre-images, w.r.t. $h \in H$, in $\mathrm{Im}(f)$. We can reduce the hardness of g to the hardness of f.
• g is one-way on range – there are about the same number of pre-images per output element. Similar to the regular OWF case.
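The pre-image counts behind the Hashing Lemma and the construction g(h,x) = h(f(x)), h can be checked numerically. The block below is an added example, not code from the slides or the paper. Its assumptions: toy sizes n = 12 and r = 4, a bit-dropping f that is r-regular but deliberately not one-way, H realised as random polynomials of degree < k over GF(2^12) truncated to m bits, and m = 6 and m = 4 picked for illustration; all function names are hypothetical.

```python
import random
from collections import Counter

N = 12        # toy input length n (assumed for this demo)
MOD = 0x1053  # x^12 + x^6 + x^4 + x + 1, irreducible over GF(2)
R = 4         # regularity r: every image of f has exactly R pre-images

def gf_mul(a, b):
    """Multiply in GF(2^N): carry-less product reduced modulo MOD."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return acc

def sample_h(k, rng):
    """Draw h from a k-universal family: k random coefficients in GF(2^N)."""
    return [rng.randrange(1 << N) for _ in range(k)]

def h_eval(coeffs, y, m):
    """Evaluate the polynomial at y (Horner's rule), keep the low m bits."""
    acc = 0
    for c in coeffs:
        acc = gf_mul(acc, y) ^ c
    return acc & ((1 << m) - 1)

def f(x):
    """Toy r-regular function (NOT one-way): drop the low log2(R) bits."""
    return x >> (R.bit_length() - 1)

def g_preimage_counts(coeffs, m):
    """For each z in {0,1}^m, count the x in {0,1}^N with h(f(x)) = z."""
    counts = Counter(h_eval(coeffs, f(x), m) for x in range(1 << N))
    return [counts[z] for z in range(1 << m)]

def max_rel_deviation(counts):
    """Largest relative distance of any z from the uniform share 2^N / 2^m."""
    mean = (1 << N) / len(counts)
    return max(abs(c - mean) / mean for c in counts)

def demo(seed=2005):
    """Pre-image counts of g for one 3n-universal h, at m = 6 and m = 4."""
    h = sample_h(3 * N, random.Random(seed))  # constructed sample h
    return {m: g_preimage_counts(h, m) for m in (6, 4)}
```

Every count is a multiple of r because f is r-regular, and the relative deviation from the uniform share does not grow when m shrinks from 6 to 4, which is the trade-off the slide weighs against the risk of losing one-wayness.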
Getting Statistically-Hiding Computationally-Binding BC
When using g with the NOVY protocol we achieve 1/2-hiding computationally-binding BC. The amplification into statistically-hiding computationally-binding BC is done through a standard secret-sharing technique.
Balanced One-Way Function On Range From Approx.-Size OWF
The following construction was given by [Håstad, Impagliazzo, Levin & Luby]. Let $f:\{0,1\}^n \to \{0,1\}^m$ be an approx.-size OWF and, for $y \in \{0,1\}^m$, let $D(y) \equiv \log(|f^{-1}(y)|)$.
$g(h,x) \equiv f(x),\ h(x)_{1 \ldots D(f(x))},\ h,\ 0^{n-D(f(x))}$
[Figure: x, f(x), h, $h(x)_{1 \ldots D(f(x))+2}$ and $0^{n-D(f(x))-2}$]
From Approx.-Size OWF cont.
Thm [HILL]: g is an “almost” 1-1 one-way function. Hence by plugging g in the construction for regular OWF we get a $(2^{-n}, 1/2)$-balanced one-way function on range. Using secret-sharing we get statistically-hiding computationally-binding BC.
Open Problems
• Stat-hiding comp.-binding BC from any OWF? It suffices to give a construction for semi-honest R.
• Black-Box separation between Stat-hiding comp.-binding BC and OWF?
• Efficient round complexity?