1

Reducing Complexity Assumptions for Statistically-Hiding Commitment

Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo

Ruggero Morselli Ronen Shaltiel

2

Bit-Commitment (BC)

A two-phase protocol between the sender, S,S, and the receiver, RR.

Commit-phase – SS commits to a bit value, b, without revealing its value to RR.

Reveal-phase – SS reveals b to R R and proves that this is the value he had committed to (in the commit-phase).

3

Bit-Commitment cont.

SS RR

Commit-phase

bb

4

Bit-Commitment cont.

Reveal-phase

bb

SS RR

5

Bit-Commitment cont.

Hiding – RR does not learn the value of b during the commit-phase.

Binding – SS cannot prove (in the reveal-phase) that he had committed to a different value than the one he had really committed to.

6

Different Types Of Bit-Commitment.

Computationally-hiding perfectly-binding BC: RR does not get (through the commit-phase) any computational-knowledge about b. SS cannot (whatsoever) “cheat” in the reveal-phase.

Statistically-hiding computationally-binding BC: RR does not get any noticeable information about b. A computationally-bounded SS cannot “cheat” in the reveal-phase.

Perfectly-hiding computationally-binding BC:RR does not get any information about b. …

7

Different Types Of Bit-Commitment (comparison).

In order to In order to breakbreak the the Computationally-hiding perfectly-binding protocol,protocol, RR needs to get needs to get super-polynomialsuper-polynomial powers anytime powers anytime afterafter the commit- the commit-phase..

In order to In order to breakbreak the the Statistically-hiding computationally-binding protocol,protocol, SS needs to get super- needs to get super-polynomial powers polynomial powers before the endbefore the end of of the reveal-the reveal-phase..

8

The importance of stat. – hiding comp. binding BC

Building block in constructions of Statistically Zero-Knowledge arguments. Other cryptographic applications(e.g., Coin-flipping protocols).

9

Previous Implementations

Number theoretic assumptions* (BKK, BCC).

Claw-free permutations* (GK). Collision resistance hash functions

(DPP, HM). One-way permutations* (NOVY).* : Perfectly-hiding.

What are the minimal general hardness assumptions that yield Statistically-hiding computationally-binding BC?

Do one-way functions suffice?

10

Our ResultStatistically-hiding

computationally-binding BC using approximable-size one-way functions.

Approx.-size OWF – a OWF f is an approx.- size if we can efficiently approximate the number of pre-images of any y2 Im(f).

Any regular OWF is an approx.- size one.Regular OWF - a OWF f is regular if there

exists a constant r s.t. the number of pre-images of any y2 Im(f) is r.

11

The NOVY protocol

A BC protocol based on an underlying function f:{0,1}n ! {0,1}n

I. If f is a permutation then the protocol is perfectly-hiding.

II. If f is a permutation and one-way then the protocol is computationally-binding.

Perfectly-hiding computationally-binding

BC based on one-way permutations.

12

One–Way Functions One–way function (OWF):

f:{0,1}n!{0,1}m is a OWF if for any ppt A, PrxÃ{0,1}n[A(f(x)) 2 f-1(f(x))] = neg(n)

One–way function on range:for any ppt A, PryÃImage(f) [A(y)2 f-1(y)] = neg(n)

Any regular-OWF is also one-way on range.

13

(,)-balanced Distribution.

{0,1}n

Bad •|Bad| · 2n.• PryÃD[y2 Bad] ·.

For all zBad : |PryÃD[y = z ] - 1/2n| · /2n.

f:{0,1}n !{0,1}m is (,)-balanced if

f(Un) is (,)-balanced.

D is (,)-balanced

14

{0,1}n{0,1}n

D

Example…

Bad D is (1/4, 1/3)-

balanced

15

-hiding Bit-Commitment-hiding BC: A BC is -hiding if

from RR’s point of view, after the commit-phase, the statistical-difference between the cases when b=0 and b=1 is at most .

A statistically-hiding BC is a neg-hiding BC (negis a negligible function of n).

16

The NOVY protocol (restated)

A generic scheme of BC protocol based on an underlying function f:{0,1}n ! {0,1}m

I. If f is a one-way function on range then the protocol is computationally-binding.

II. If f is (,)-balanced then the protocol is (+)-hiding.

The task: Implementing a balanced one-way function on range using approximable-size OWF.

17

Universal-Hashing

Let H be a family of functions from {0,1}n!{0,1}m. H is a k-universal hash family, if the output of a uniformly chosen h2H over k distinct elements in {0,1}n, are k independent random variables in {0,1}m.

18

Each element in {0,1}m has about the expected number of pre-images w.r.t. h(i.e., |S|¢2-m) in S. Where the estimation gets better as k and |S| get bigger and m gets smaller.

hÃH, where H is k-universal

{0,1}n

S zh-1(z)

Hashing Lemma

{0,1}m

h

19

3n-universality of H - each z2{0,1}m has about the same number of pre-images, w.r.t. h, in Im(f).

r-regularity of f - each z2{0,1}m has about the same number of pre-images, w.r.t. g, in {0,1}n.

g is “rather” balanced..

universal constant

g is (2-n,1/2)-balanced one-way on range function.

m=n-log(r)–log(cn)If m is too

small g is not guaranteed to be one-way.

g(h,x) ≡ h(f(x)),h

{0,1}mh

Balanced One-Way Function On Range From Regular OWF

{0,1}n f

{0,1}l(

n)

Im(f)

m=?

{0,1}m

g(Un) m = n-log(r)

(|{0,1}m| = |Im(f)|)

mmm

Danger!

r-regular OWF

hÃH where H 3n-universal

zh-1(z)g-1(z) zh-1(z)

20

Claim: g is (2-n,1/2)-balanced one-way on range function.

g is (2-n,1/2)-balanced. g is one-way – (by our choice of m) a given

output element in {0,1}m does not have “too-many” (up to polynomially many) pre-images, w.r.t. h2H, in Im(f). We can reduce the hardness of g to the hardness of f.

g is one-way on range- there are about the same number of pre-images per output element. Similar to the regular OWF case.

21

Getting Statiscally–Hiding Computationally-Binding BC

When using g with the NOVY protocol we achieve 1/2-hiding computationally-binding BC.

The amplification into statistically-hiding computationally-binding BC is done through a standard secret-sharing technique.

22

Balanced One-Way Function On Range From Approx.-Size OWF

The following construction was given by [Häastad, Impagliazzo, Levin & Luby].

Let f:{0,1}n!{0,1}m be an approx.-size OWF and let for y2{0,1}m, D(y) ≡ log(|f-1(y)|).

f x f(x)

h

h(x)1…D(f(x))+2 h 0(n-D(f(x)-2)

g(h,x) ≡ f(x),h(x)1...D(f(x)),h,0(n-D(f(x)))

23

From Approx.-Size OWF cont.

Thm [HILL]: g is “almost” 1-1 one-way function.

Hence by plugging g in the construction for regular OWF we get (2-n,1/2)-balanced one-way function on range.

Using secret-sharing we get statiscally–hiding computationally-binding BC.

24

Open Problems

Stat-hiding comp.-binding BC from any OWF?It suffices to give a construction for

semi-honest R.R. Black-Box separation between

Stat-hiding comp.-binding BC and OWF?

Efficient round complexity?