Unconditionally Secure Commitment and Oblivious Transfer Schemes

Home , Commitment scheme, Oblivious transfer

Unconditionally Secure Commitment and Oblivious

Transfer Schemes Using Private Channels and a

Trusted Initializer

Ronald L Rivest

Lab oratory for Computer Science

Massachusetts Institute of Technology

Cambridge MA

rivestmitedu

November

Abstract

We present a new and very simple commitmentscheme that do es

not dep end on any assumptions ab out computational complexity the

Sender and Receiver may both be computationally unb ounded In

stead the scheme utilizes a trusted initializer who participates only

in an initial setup phase The scheme also utilizes private channels

between each pair of parties The Sender is able to easily commit to a

large value the scheme is not just a bitcommitment scheme

We also observe that outofn oblivious transfer is easily handled

in the same mo del using a simple OT proto col due to Bennett et al

Keywords bitcommitment commitmentscheme unconditional secu

rity trusted third party trusted initializer oblivious transfer

Intro duction

A commitment scheme must sp ecify a Commit proto col and a Reveal

proto col involving a Sender Alice and a Receiver Bob Alice has a

secret value x that she commits to in the Commit proto col although Bob

learns nothing ab out x then Later Alice discloses x in the Reveal

proto col Bob may reject the value Alice reveals if it is inconsistent with

the information he received during Commit Alice may not change her

mind ab out the value to be revealed once Commit is nished Thus a

commitmentscheme must satisfy the following requirements

Correctness If b oth parties are honest and follow the proto cols then dur

ing the Reveal proto col Bob will learn the value x that Alice wished

to commit to

Privacy Bob learns nothing ab out x during the Commit proto col

Binding After the Commit proto col has nished there is only one value

of x that Bob will accept during the Reveal proto col

If x is required to b e a single bit wesay that the commitmentscheme

is a bit commitment scheme otherwise we use the more general term

commitmentscheme

There are many applications for commitment schemes Sealedbid auc

tions are one obvious example x represents Alices bid Commitment

schemes are useful for identication schemes multiparty proto cols

and are an an essential comp onent of many zeroknowledge pro of schemes

Previous Work on Commitment Schemes

Since commitmentschemes were rst intro duced by Blum in for the

problem of coin ipping by telephone commitmentschemes have b een an

active area of research

However one must face the facts of life

It is wel l known and easy to see that in a twoplayer scenario

with only noiseless communication OT Oblivous Transfer and

BC Bit Commitment with informationtheoretic security is not

possible even if only passive cheating is assuming and players

are al lowed innite computing power page

Therefore researchers have fo cussed primarily on

commitmentschemes based on computational assumptions where bind

ing or privacy dep ends on the Sender or Receiver resp ectively b eing

computationally b ounded or

commitmentschemes based on other mo dels of communication involv

ing noisy channels or quantum mechanics

If the scheme requires that the Sender be computationally b ounded in

order to achieve binding we say that it is computational ly binding other

wise it is unconditional ly binding some authors would call this information

theoretical ly binding

Similarly if the scheme requires that the Receiver be computational

bounded in order to achieve privacy we say that it is computational ly pri

vate otherwise it is unconditional ly private some authors would call this

informationtheoretical ly privateorunconditional ly hidingoruncondition

al ly concealing

It is typically enough to assume that only one of the Sender or Receiver

be computationally b ounded so that one achieves an asymmetric result

either computational binding and unconditional privacy or unconditional

binding and computational privacy

Commitment schemes that are computationally binding and uncondi

tionally private have b een prop osed bymany researchers including Blum

Goldwasser Micali and Rivest implicit in their signature scheme

Brassard Chaum and Crep eau Brassard Crep eau and Yung Halevi

and Micali and Halevi Brassard and Yung develop a very gen

eral framework and theory for all bit commitment schemes having uncon

ditional privacy based on oneway group actions Damgard Pedersen

and Ptzmann show that the existence of statistically hiding bit com

mitment schemes which provide nearly p erfect unconditional privacy is

equivalent to the existence of failstop signature schemes

Naor presents a commitment scheme that is unconditionally bind

ing and computationally private based on any pseudorandom generator

or equivalently based on any oneway function Ohta Okamoto and

Fujioka show that Naors scheme is secure against divertibility and

note that the nonmalleable bitcommitment scheme of Dolev Dwork and

Naor can also b e used to provide such protection OstrovskyVenkatesan

and Yung examine in some detail bit commitmentschemes when at least

one of the SenderReceiver is computationally unb ounded and in particular

show that when the Sender is computationally unb ounded a commitment

scheme may b e based on any hardonaverage problem in PSPACE

Some researchers have explored informationtheoretic mo dels based on

the assumption of noisy communication channels For example Crep eau

improves on his earlier work with Kilianby giving ecient algorithms for

bit commitment and oblivious transfer over a binary symmetric channel

Later Damgard Kilian and Salvail explore such questions further based

on unfair noisy channels and related assumptions

Other researchers have explored bit commitment in mo dels of quan

tum computation Brassard et al prop osed a quantum bit commitment

scheme but a subtle aw was discovered Mayers proved general quan

tum bit commitment to be imp ossible as did Lo and Chau More re

cently Salvail shows that under certain restricted assumptions ab out

the Senders ability to make measurements quantum bit commitment is

still p ossible

Bit commitmentschemes o ccur within a wide variety of mo dels and ap

plications not all of whichare mentioned ab ove or whicht in the ab ove

taxonomy Just to pick one interesting example BenOr Goldwasser Kil

ian and Wigderson utilize a bit commitment scheme in a multiprover

mo del of twoprovers who cant communicate with each other one com

mits a bit to a verier and the other reveals it

Our Mo del

We b elieve it is of interest to lo ok for practical commitment schemes that

work when b oth the Sender and the Receiver are computationally unb ounded

What would one use for a commitmentscheme for example if it turns out

that P NP

The normal mo del twoparty proto col with noiseless channel do es not

admit a solution How can one most simply extend the mo del to permit a

solution

In this pap er we make the following assumptions which suce

There is a trusted third party Ted Ted is honest and b oth Alice

and Bob trust that Ted will execute his role correctly

There are private channels between each pair of parties Alice and

Bob can each communicate privately with Ted and with each other

We desire that if p ossible Ted should never nd out the value of x

Alice and Bob trust Ted to be honest but the value of x is none of Teds

business and Alice and Bob prefer that he never learns x This requirement

rules out the obvious solution wherein Alice gives x to Ted during Commit

and Ted gives x to Bob during Reveal

We further desire that if p ossible Ted should not participate in the

Commit and Reveal proto cols We prefer a solution wherein Ted only

participates in an initial Setup proto col In such a scheme Ted is done

b efore Alice may even have decided which x to commit to This rules

out the obvious solution wherein Ted gives Alice a random string r during

Setup Alice gives Bob r x during CommitandTed gives Bob r during

Reveal

We call a trusted third party who participates only in a setup phase

b efore the other parties may even have their inputs a trusted initializer

Proto cols using trusted initializers are much easier to implement than more

typical proto cols using trusted third parties since the initialization can be

p erformed wellinadvance of the actual proto col and the trusted partydoes

not need to b e available to participate in the actual heart of the proto col

Our commitment scheme

Our commitmentscheme is illustrated in Figure

All computations are p erformed mo dulo p for some xed suitably large

globally known prime number p We assume that Alices secret value x

satises x p

The communications patterns are very simple during Setup Ted sends

some dierent information to Alice and Bob During Commit Alice sends

one number to Bob During Reveal Alice sends three numbers to Bob

Each proto col is thus minimal just one pass

and For the Setup phase Ted randomly cho oses twonumb ers a Z

b Z These numb ers dene a line

R p

y ax b mo d p

Ted sends the values a and b privately to Alice Ted also picks another value

x uniformly at random from Z and computes the value

y ax b mo d p

Ted privately sends Bob the pair x y this is a p oint on the line

For the Commit phase Alice computes the value

y ax b mo d p

and privately sends the value y to Bob

For the Reveal phase Alice privately sends Bob her secret value x and

also the pair a b Bob checks that x y andx y satisfy equations

and If so he accepts x otherwise he rejects

Setup

a Z

b Z

R p

x y a b

x Z

R p

y ax b mo d p

A B

Commit

x is Alices secret

A B

y ax b mo d p

Reveal

Bob checks that

A B

y ax b mo d p

and that

a b

y ax b mo d p

Figure Our commitment scheme Alice commits the value x to Bob

using the assistance of a trusted initializer Ted

Analysis

Theorem The proposed commitment scheme is unconditional ly private

Pro of Obvious since all Bob learns during Setup and Commit is x y

and y There is no way to infer x from this information More precisely

every value in Z is equally likely to b e x given what he has seen If Bob

has unlimited p owers of computation it do esnt help him

Theorem The proposed commitment scheme is unconditional ly binding

Pro of After Commit Alice knows a b x and y but not Bobs values

x and y

Supp ose Alice then changes her mind and wishes reveal some value x

that is dierent than x For Bob to accept she needs to nd values x a

and b such that y a x b and y a x b The new line y a x b

must b e dierent than the old line y ax b otherwise nothing has changed

and she reveals x Either this new line do esnt intersect the old line at all

in which case Bob rejects b ecause x y should b e on the new line or else

the new and old lines intersect at a point x y Alice only succeeds at

cheating if x y x y however the chance that x y x y is

precisely p so Alices chances of cheating are at most p

Theorem Ted never learns the value of x

Pro of Obvious since Ted only participates in the Setup phase

Discussion Extensions and Op en Problems

Relation to Check Vectors

Our scheme is very close but not identical to the use of check vectors

by Rabin and BenOr in their classic pap er on multiparty proto cols

In their scheme the trusted third party supplies a secret s to Alice and a

corresp onding checkvector to Bob Later Alice can forward the secret s to

Bob and Bob can check that Alice has not mo died the secret Our scheme

is qualitatively dierent b ecause the p oint here is for Alice to send Bob her

own secret not the trusted third partys secret Indeed Alices secret can

be anything and her secret is not known bythe trusted third party at all

But one can also view our scheme as an extension of theirs since we are

eectively using their scheme to reliably transmit a b from Ted to Bob

through Alice but also using a b to allow Alice to commit a new value x

to Bob

Trusted Initializers

We b elieve that proto cols based on our notion of a trusted initializer as

formalized here are worth further exploration Our notion is somewhat

like the notion of a KDC key distribution center the notion of having a

common random reference string or the notion of the creator of global

system parameters except that our trusted initializer may supply dierent

but related random parameters to each party It is more like the notion of a

trusted dealer except that it emb o dies the restriction that the initialization

deal should be completed b efore the other parties have their inputs and

with the restriction that the initializer dealer should not participate at

all in the subsequent p ortion of the proto cols Where else can trusted

initializers b e used Where else have they b een used

Nonmalleability

It is p erhaps worth noting that our commitmentscheme is nonmalleable

an adversary intercepting Alices commitment to Bob cant change it

to another commitmenttoavalue x having a known relationship to x

Zeroknowledge pro ofs

One can easily show that any language L NP has a p erfect zeroknowledge

pro of in the trusted initializer mo del this follows directly from Goldreich

et al Of course this is unlikely to be worth b othering ab out since

trusted initializers were intro duced to deal with the case when b oth Sender

and Receiver are b oth computationally unb ounded For what it is worth

we note that our bit commitments are chameleonAlice can change her

mind if she p ossesses extra information what Bob has

Multiple trusted initializers

If there is no single party that both Alice and Bob trust to serve as a

trusted initializer then they may decide to utilize several trusted initializers

and mo dify the commitment scheme accordingly Alice wishes to maintain

unconditional privacy of x even if one of the trusted initializers is actually

controlled byBob Similarly Bob wishes to maintain unconditional binding

even if one of the trusted initializers is actually controlled by Alice

For example one can have unconditional privacy with two trusted ini

tializers as follows Alice commits to a random z to Bob using Ted as

initializer and commits z z x to Bob using Ted as initializer

Achieving unconditional binding when one of the initializers may be

controlled by Alice seems a bit harder but still doable They can utilize four

initializers as follows Alice cho oses a random value c and denes z ci x

She commits to z using Ted as initializer After the Reveal phases are

i i

over Bob can discard any single z that Alice has managed to change with

the co op eration of her initializer since that z is not on the line formed by

the other three Knowing the correct line allows him to infer x

It is straightforward to generalize these approaches using appropriate

secretsharing schemes to handle higher thresholds of initializers controlled

by Alice or Bob Supp ose that as manyas initializers mightbecorrupted

by Alice and that as many as initializers might be corrupted by Bob

Then to preserve unconditional privacy Alice should dene z as a random

p olynomial with constant term x of degree in i instead of the linear

p olynomial used ab ove And to prevent Alice from cheating the total num

ber of initializers should be at least Analysis details omitted

here

Oblivious Transfer

The notion of oblivious transfer was invented by Rabin the related

notion of a outof Oblivious Transfer was later devised by Even Gol

dreich and Lemp el There are wellknown close connections between

commitmentschemes and oblivious transfer

We note that a outof oblivious transfer proto col invented by Bennett

et al for use in a quantum communication mo del actually works well in

our trusted initializer mo del

We assume that Alice has two values m m f g The proto col

ensures that Bob will obtain m where he gets to cho ose c c or

But Alice will have no idea as to which message he got and Bob will have

learned nothing ab out m

The BBCS oblivious transfer proto col

The BBCS oblivious transfer proto col is illustrated in Figure

Setup Ted privately gives Alice two random k bit strings r r Ted ips a

bit d and privately gives Bob d and r Ted is now done and can go home

Request Bob determines somehow a bit c he wants to obtain m He

privately sends Alice the bit e c d

Reply Alice privately sends Bob the values f m r f m r

e e

Bob now computes m f r

c c

Setup

r r f g

d f g

r r d r

A B

Request

e c d

A B

Alices secrets are m m

A B

Alice computes

f f

f m r f m r

e e

Bob computes

m f r

c c

Figure The BBCS oblivious transfer scheme mo died to use a trusted

initializer Alice has two secrets m and m in f g Bob obtains the

value of m where c is his choice Alice learns nothing ab out c and Bob

learns nothing ab out m

Analysis and discussion

It is clear that Alice has no information ab out c and that Bob has no

information ab out m The scheme clearly generalizes to outofn in an

easy manner using n random strings r r r

Acknowledgments

I would like to thank Victor BoykoSha Goldwasser Stas Jarecki Silvio

Micali and Zulkar Ramzan for helpful discussions

References

Michael BenOr Sha Goldwasser Jo e Kilian and Avi Wigderson

Multiprover interactive pro ofs How to remove intractability assump

tions In Proc th Annual ACM Symposium on Theory of Computing

pages ACM

Charles H Bennett Gilles Brassard Claude Crep eau and Marie

Helene Skubiszewska Practical quantum oblivious transfer In

J Feigeanbaum editor Proc CRYPTO pages Springer

Lecture Notes in Computer Science No

M Blum Coin ipping by telephone In Proc IEEE Spring COMP

COM pages IEEE

M Blum P Feldman and S Micali Noninteractive zeroknowledge

and its applications In Proc th Annual ACM Symposium on Theory

of Computing pages ACM

G Brassard D Chaum and C Crep eau Minimum disclosure pro ofs of

knowledge Journal of Computer and System Sciences

G Brassard C Crep eau R Jozsa and D Langlois A quantum bit

commitment scheme provably unbreakable by both parties In Pro

ceedings of the th Annual IEEE Symposium on the Foundations of

Computer Science pages Nov

G Brassard and M Yung Oneway group actions In AJ Menezes and

S A Vanstone editors Proc CRYPTO pages Springer

Verlag Lecture Notes in Computer Science No

Gilles Brassard Claude Crep eau and Moti Yung Constantround p er

fect zeroknowledge computationally convincing proto cols Theoretical

Computer Science July

C Crep eau and J Kilian Achieving oblivious transfer using weakened

security assumptions In Proc th FOCS Conference pages

IEEE

Claude Crep eau Ecient cryptographic proto cols based on noisy chan

nels In Walter Fumy editor Proc EUROCRYPT pages

Paris Springer Lecture Notes in Computer Science No

Ivan Damgard On the existence of bit commitmentschemes and zero

knowledge pro ofs In G Brassard editor Proc CRYPTO pages

SpringerVerlag Lecture Notes in Computer Science No

Ivan Damgard Jo e Kilian and Louis Salvail On the imp ossibility

of basing oblivious transfer and bit commitmentonweakened security

assumptions In Jacques Stern editor Proc CRYPTO pages

Springer Lecture Notes in Computer Science No

Ivan Damgard Torb en P Pedersen and Birgit Ptzmann On the

existence of statistically hiding bit commitment schemes and failstop

signatures Journal of Cryptology

D Dolev C Dwork and M Naor Nonmalleable cryptography In

Proc STOC pages ACM

S Even O Goldreich and A Lemp el A randomized proto col for

signing contracts In R L Rivest A Sherman and D Chaum editors

Proc CRYPTO pages New York Plenum Press

A Fiat and A Shamir How to prove yourself practical solutions

to identication and signature problems In A M Odlyzko editor

Proc CRYPTO pages Springer Lecture Notes in

Computer Science No

O Goldreich S Micali and A Wigderson How to play any mental

game In Proc th ACM Symposium on Theory of Computing pages

ACM

Oded Goldreich Silvio Micali and Avi Wigderson Pro ofs that yield

nothing but their validityor all languages in NP have zeroknowledge

pro of systems Journal of the ACM

Sha Goldwasser Silvio Micali and Ronald L Rivest A digital signa

ture scheme secure against adaptivechosenmessage attacks SIAM J

Computing April

Shai Halevi Ecient commitment schemes with b ounded sender and

unb ounded receiver In Don Copp ersmith editor Proc CRYPTO

pages Springer Lecture Notes in Computer Science No

Shai Halevi and Silvio Micali Practical and provablysecure commit

mentschemes from collisionfree hashing In Neal Koblitz editor Proc

CRYPTO pages Springer Lecture Notes in Com

puter Science No

Jo e Kilian Founding cryptography on oblivious transfer In Proc th

Annual ACM Conference on Theory of Computing pages ACM

HK Lo and H F Chau Is quantum bit com

mitment really p ossible Mar Preprint archive

httpxxxlanlgovpsquantph

D Mayers Unconditionally secure quantum bit commitment is imp os

sible Physical Review Letters

Moni Naor Bit commitment using pseudorandomness Journal of Cryp

tology

Kazuo Ohta Tatsuaki Okamoto and Atsushi Fujioka Secure bit com

mitment function against divertibility In RA Ruepp el editor Ad

vances in Cryptology Eurocrypt pages Berlin

SpringerVerlag

Rafail Ostrovsky Ramarathnam Venkatesan and Moti Yung Secure

commitment against a p owerful adversaryInAFinkel and M Jantzen

editors Proceedings of STACS pages SpringerVerlag

Lecture Notes in Computer Science No

M Rabin How to exchange secrets by oblivious transfer Technical

Rep ort TR Harvard Aiken Computation Lab oratory

Tal Rabin and Michael BenOr Veriable secret sharing and multiparty

proto cols with honest ma jority In Proc st Annual ACM Symposium

on Theory of Computing pages May

Louis Salvail Quantum bit commitmentfromaphysical assumption In

Hugo Krawczyk editor Proc CRYPTO pages Springer

Verlag Lecture Notes in Computer Science No