Statistically-Hiding
Commitment from
Any One-Way Function
Iftach Haitner and Omer Reingold
WEIZMANN
INSTITUTE
OF SCIENCE
2
Talk Plan
• The quest for the minimal hardness
assumptions
• Commitment schemes
• The new construction Statistically-hiding commitment from
any one-way function
3
The quest for the
minimal hardness
assumptions
Finding the minimal hardness
assumptions
• What are the minimal hardness assumptions
required for constructing different
cryptographic primitives? e.g., key agreement.
• “Cryptography” implies one-way functions.
Def: f:{0,1}n!{0,1}n is a one-way function if
– Efficiently computable
– Hard to invert: hard to find an inverse
f-1(f(x)) for a random f(x).
• Does OWF imply “Cryptography” ?
4
5
OWF based cryptography
Statistically-hiding
commitment
SZK arguments
NOV 06`
Implied by OWF
Pseudorandom
generator
Digital signature
PRF/PRP
Private-key enc.
Universal one-way
hash functions
Computationally-hiding
commitment
CZK proofs
“Notresult
implied” by
Our
OWF
Key agreement
Oblivious transfer
Trapdoor permutations
Public-key encryption
Collision-resistant hash
functions
6
Commitment schemes
7
Commitment Scheme
S
x
Commit-stage
R
8
Commitment Scheme cont.
S
Reveal-stage
R
x
9
Commitment Scheme cont.
Hiding – R does not learn x during
the commit stage.
Binding – S cannot “cheat” in the
reveal stage - decommit to two
different values.
10
Different Types of Commitment.
• Perfectly-binding commitment:
A polynomially-bounded R does not get any
computational-knowledge about x (through the
commit stage). Unbounded S cannot cheat in
the reveal stage.
• Statistically-hiding commitment:
Unbounded R does not get any noticeable
information about x. Polynomially-bounded
cannot cheat in the reveal stage.
S
Assume that
P is Pros
provablyof
secure
if the commitment
The
Statistical
is.
Commitment
What if the commitment is broken?
• The adversary
gains additional
powers (Quantum
Construction
of primitive
P
computers?)
• The hardness assumption is broken
Breaking the commitment is useful only if it is done
before the protocol ends- everlasting security
R
S
x1
1
x22
x33
4x
4
5
x5
6
x6
x1
Please open 1 and 3
x3
11
12
Applications of
Statistical Commitment
• Building block in constructions of
statistical zero-knowledge arguments.
• Coin-flipping protocols.
• A general transformation (that leaks
no further information!) of (many
types of) protocols secure against
semi-honest parties into ones secure
against malicious parties.
Previous Constructions of
Statistical Commitment
• [BCC ‘88, BKK ‘90] Number-theoretic
assumptions
• [NY ’89, DPP '93] Collision-resistant hash
functions
• [GK ‘96] Claw-free permutations
• [NOVY ‘91] One-way permutations
• [HHKKMS ‘05] Regular/approximable
preimage-size one-way functions
• [HR ’06] Exponentially-hard one-way
functions
• Here - Any one-way function
13
OWF based
Cryptography
14
OWF
PRG
[HILL ‘91]
UOWHF
[Rompel ‘90]
PRF/PRP
[GGM ‘86]
Two-phase Comt.
[NOV ‘06]
SZK
Argument
[NOV ‘06]
Signatures
[NY ‘89]
Comp. Comt.
[Naor ‘90]
Private key
Encryption
[GGM ‘86]
CZK Proofs
[GMW ‘87]
Statistical
Comt.
15
Our Construction
Commitment Scheme Revisited
Commit-Phase
16
R (rR)
S (rS,x)
Reveal-phase (x,trans):
S (rS)
R
Accepts or Rejects
Commitment Scheme Revisited
A
B
x
commit
x
Reveal (x)
17
Two-phase
commitment
18
19
Two-phase commitment
[NOV
‘06] commit, there
1-2 Binding: After
the first-phase
existsbefore
a single
value
x* that
revealing
firstHiding:
each
of the
reveal
stages,the
R does
phase commitment to this value does not make
not get information
about the committed string.
(x1,x2)
the second-phase
commitment binding.
S
x1
First-phase
commit
First-phase
reveal
transcript
x2
R
Second-phase
commit
Second-phase
reveal
The transcript of the
first-phase
commitment is used
as an input for the
second-phase
commitment
Two-phase commitment cont.
[NOV ‘06] One-way function implies a
collection of polynomial many two-phase
commitments s.t.
• All are 1-2 binding
• At least one is statistically hiding
For the sake of this talk:
“One-way functions imply a 1-2 binding,
statistically-hiding two-phase commitment”.
We will use two-phase commitment to get
weakly-binding statistically-hiding
commitment
20
21
First Attempt
22
Statistical commitment (first att.)
Commit-Phase
R
S (b2{0,1})
x1Ã{0,1}
First-phase commit
Bit–commitment
implies
brc Ã{first,second}
general commitment
brc==first
second
if ifbrc
c = b©x1
First-phase reveal (x1)
b
Second-phase commit
Reveal-phase
Reveal-phase (b):
(b):
bb
Second-phase
Second-phase
reveal
reveal
Second-phase
First-phase
reveal(
reveal(
x1b
))
?
c = b©x1
 Statistical
Correctness
commitment (first att.)
 Hiding
Commit-Phase
Problem: the
decision of S in which phase
? Binding
to cheat
may be taken during the first- R
S (b2{0,1})
phase
-- after seeing brc!
x1Ãreveal
{0,1}
23
First-phase commit
brc Ã{first,second}
brc = first
brc = second
c = b©x1
First-phase reveal(x1)
b
Second-phase commit
Reveal-phase (b):
Reveal-phase (b):
First-phase reveal (x1)
Second-phase reveal (b)
?
c = b©x1
24
Our Approach
We will try to force S to decide in
which phase to cheat before seeing
the value of brc
Main tool: Universal One-Way Hash
Functions
Universal One-Way Hash Functions
[NY ‘89]
• Collision resistant hash functions (CRHF):
A function family H:{0,1}n!{0,1}m(n)
– Compressing: m(n) < n
– Hardness: Negligible for any efficient A:
PrhÃH[x,x’ÃA(h): x≠x’
Æ h(x)= h(x’)]
• Universal one-way hash functions (UOWHF):
– Compressing: m(n) < n
– Hardness: Negligible for any efficient A:
PrhÃH[xÃA(1n), x’ÃA(x,h) : x≠x’ Æ h(x)= h(x’)]
• [Rompel ’91, NY ’89]: If OWFs exist then
there exist
h with m(n)= n/2
xX UOWHF
x’
25
26
The Actual Protocol
Statistical commitment
S
27
H is a UOWHF from
Commit-Phase
n to {0,1}n/2
{0,1}
(b2{0,1})
x1Ã{0,1}n
G is a family of
R
First-phase commit
pairwisehÃH
independent Boolean hash
z = h(x1)
functions
brc Ã{first,second}
ififbrc
brc==second
first
g à G, c = b©g(x1)
First-phase reveal(x1)
Reveal-phase (b): b
Reveal-phase (b):
?
z = h(x1)
Second-phase commit
First-phase reveal(x1)
? b)
Second-phase reveal(
?
c = b©g(x1) Æ z = h(x1)
 Correctness
Statistical commitment
 Hiding
Commit-Phase
? BindingS (b2{0,1})
x1Ã{0,1}n
28
R
First-phase commit
hÃH
z = h(x1)
brc Ã{first,second}
brc = first
brc = second
g à G, c= b©g(x1)
First-phase reveal(x1)
b
Second-phase commit
Reveal-phase (b):
Reveal-phase (b):
First-phase reveal(x1)
?
?
c = b©g(x1) Æ z = h(x1)
Second-phase reveal(b)
?
z=h(x1)
29
The Protocol is Binding
Claim: If the two-phase commitment is 1-2
binding then the new scheme is ⅛binding.
Proof: Otherwise there exists an algorithm A
that breaks the binding for both values of
brc with probability at least ¾.
We will use A to find collisions in H.
Cheating when brc = first
Commit-Phase
) Cheating
A outputs x10 ≠ x11 s.t.
h(x10) = h(x11) = z
A
30
R
First-phase commit
h
z = h(x1)
brc = first
g à G, c= b©g(x1)
Reveal-phase (b = 0)
First-phase reveal(x10)
c = 0©g(x10) Æ z = h(x10)
Reveal-phase (b = 1)
First-phase reveal(x11)
c = 1©g(x11) Æ z = h(x11)
Cheating when brc = second
A
x1
Commit-Phase
x1 = x *
) h(x*) = z
R
First-phase commit
hÃH
z = h(x1)
brc = second
First-phase reveal(x1)
b
Reveal-phase:
Second-phase commit
Second-phase reveal(b)
31
?
z = h(x1)
Breaking H
• Announce x
• Given h à H, find x’ ≠ x such
that h(x) = h(x’)
32
•
•
•
Breaking H cont.
h’(x
) *= z ! h’(x) = z
x1 =*x
0 *)Commit
h(x
=xz11 -phase
x
1 ≠
h’(x
A 10) = h’(x11) = z R
First-phase commit
• Simulate the commitment
with brc = second
• Announce x1 (as x)
z = h’(x
h(x11)
Finding collision for h’ÃH
•Rewind the protocol
c= b©g(x1)
x1 g à G,First-phase
b=1
Announcing x
h Ãh’H
brc
brc
= second
= first
b=0 b
33
reveal(x1)
Reveal-phase
z = h(x1)
First-phase reveal(x10)
Second-phase
0)
commit
0 g(x
z = h’(x 0)
c= ©
1
Æ
1
First-phase reveal(x11)
c = 1©g(x11) Æ z = h’(x11)
•Continue with brc = first
and h sets to h’
• Do the reveal-phase for
b = 0 and for b = 1
• Output
x1j ≠ x
34
Further issues
• Simplify the construction of SZK and
statistical commitment.
• Find optimal constructions w.r.t
efficiency and security
35
Thanks