Commitment

Claude Cre´peau ∗

1 Commitment [B] Unveiling the content of the envelope is achieved by opening it and extracting the piece of paper inside (see A is a two-phase cryptographic pro- Figure 2). tocol between two parties, a sender and a receiver, satis- The terminology of commitments, influenced by the le- fying the following constraints. At the end of the Com- gal vocabulary, first appeared in the contract signing pro- mit phase the sender is committed to a specific value (of- tocols of Shimon Even [Eve82], although it seems fair to ten a single bit) that he cannot change later on (Commit- attribute the concept to Manuel Blum [Blu82] who im- ments are binding) and the receiver should have no in- plicitly uses it for coin flipping around the same time. In formation about the committed value, other than what he his Crypto 81 paper, Even refers to Blums contribution already knew before the protocol (Commitments are con- saying: “In the summer of 1980, in a conversation, M. cealing). In the Unveil phase, the sender sends extra in- Blum suggested the use of randomization for such pro- formation to the receiver that allows him to determine the tocols”. So apparently Blum introduced the idea of us- value that was concealed by the commitment. Bit commit- ing random hard problems to commit to something (coin, ments are important components of zero-knowledge pro- contract, etc). However, one can also argue that the earlier tocols [GMW91, BCC88], and other more general two- work of Shamir, Rivest and Adleman [SRA81] on “men- party cryptographic protocols [Kil88]. tal poker” implicitly used commitments as well, since in A natural intuitive implementation of a commitment is order to generate a fair deal of cards, Alice encrypts the performed using an envelope (see Figure 1). Some in- card names under her own encryption , which is the formation written on a piece of paper may be commit- basic idea for implementing commitments. ted to by sealing it inside an envelope. The value inside Under such computational assumptions, commitments the sealed envelope cannot be guessed (envelopes are con- come in two dual flavours : binding but computation- cealing) without modifying the envelope (opening it) nor ally concealing commitments and concealing but compu- the content may be modified (envelopes are binding). tationally binding commitments.

I o w e y o u $ 1 0 0 .

B o b

Figure 1: Committing with an envelope.

∗ School of Computer Science, McGill University, Montre´al (Qc), Canada H3A 2A7. e-mail: [email protected].

1 . I o w e y o u $ 1 0 0 .

B o b

Figure 2: Unveiling from an envelope. Unconditionally binding and concealing commitments can also be obtained under the assumption of the exis- Commitments of the first type may be achieved from tence of a binary symmetric channel [Cre´97] and under any one-way function [Nao91, HILL98] while those the assumption that the receiver owns a bounded amount of the second type may be achieved from any claw- of memory [CCM98]. In multiparty scenarios [GMW91, free permutation [Cha86, GK96], any one-way permu- BOGW88, CCD88], commitments are usually achieved tation [NOVY98] or any collision-free hash function through Verifiable Secret Sharing Schemes [CGMA85]. [HM96]. Recently, these results were extended to rely However, the two-prover case [BOGKW88] does not re- on the weaker assumptions of regular one-way func- + quire the verifiable property because the provers are phys- tion [HHK 05], or fully exponential one-way function ically isolated from each other during the life span of the [HR06a]. A new closely related primitive known as one- commitments. out-of-two binding bit commitment was acheived from In a quantum computation model it was first believed any one-way function [NOV06]. The new primitive may that commitment schemes could be implemented with un- be used in contexts were standard bit commitments were conditional security for both parties [BCJL93] but it was used previously. Finally, the construction of computation- later demonstrated that if the sender is equipped with a ally binding and statistically concealing Bit Commitments quantum computer, then any unconditionally concealing from any one-way function was solved by [HR06b] using commitment cannot be binding [May97, LH97]. Com- the notion of one-out-of-two binding bit commitment and putationally binding Quantum Bit Commitments may be universal one-way hash function [NY89, Rom90, KK05]. constructed using one-way permutations [DMS00]. Com- A simple example of a bit commitment of the first type putationally Concealing Quantum Bit Commitments are is obtained using the Goldwasser-Micali probabilistic en- obtained by reversing the previous one [CLS01]. cryption scheme with ones own pair of public keys (n, q) Commitments exist with various extra properties: such that n is an RSA modulus and q a random quadratic chameleon/trapdoor commitments [BCC88, FS89], com- non-residue modulo n with Jacobi symbol +1. Unveiling mitments with equality (attributed to Bennett and Rudich is achieved by providing a square root of each quadratic in [BCC88, Kil92, CGT95]), non-malleable commitments residue and of quadratic non-residue multiplied by q. A [DDN91] (with respect to unveiling [CIO98]), mutually similar example of a bit commitment of the second type is independent commitments [LLM+01], universally com- constructed from someone else’s pair of public keys (n, r) posable commitments [CF01]. such that n is an RSA modulus and r a random quadratic residue modulo n. A zero bit is committed using a random quadratic residue mod n while a one bit is committed us- ing a random quadratic residue multiplied by r modulo n. Unveiling is achieved by providing a square root of quadratic residues committing to a zero and of quadratic residues multiplied by r used to commit to a one.

2 References [CGMA85] Benny Chor, Shafi Goldwasser, Silvio Mi- cali, and Baruch Awerbuch. Verifiable se- [BCC88] G. Brassard, D. Chaum, and C. Cre´peau. cret sharing and achieving simultaneity in Minimum disclosure proofs of knowledge. the presence of faults (extended abstract). JCSS, 37:156–189, 1988. In Proc. of 26th FOCS, pages 383–395, Portland, Oregon, 21–23 October 1985. [BCJL93] G. Brassard, C. Cre´peau, R. Jozsa, and IEEE. D. Langlois. A quantum bit commitment scheme provably unbreakable by both par- th [CGT95] C. Cre´peau, J. van de Graaf, and A. Tapp. ties. In 29 Symp. on Found. of Computer Committed and private Sci., pages 42–52. IEEE, 1993. multi-party computation. In Don Copper- smith, editor, Advances in Cryptology - [Blu82] M. Blum. Coin flipping by telephone. In Crypto ’95, pages 110–123, Berlin, 1995. Allen Gersho, editor, Advances in Cryp- Springer-Verlag. Lecture Notes in Com- tography, pages 11–15, Santa Barbara, puter Science Volume 963. California, USA, 1982. University of Cali- fornia, Santa Barbara. [Cha86] D. Chaum. Demonstrating that a public [BOGKW88] M. Ben-Or, S. Goldwasser, J. Kilian, and predicate can be satisfied without reveal- A. Wigderson. Multi-prover interactiev ing any information about how. In A. M. proofs: How to remove intractability as- Odlyzko, editor, Advances in Cryptology - sumptions. In Proceedings of 20th Annual Crypto ’86, pages 195–199, Berlin, 1986. AMC Symposium on Theory of Computing Springer-Verlag. Lecture Notes in Com- 1988, pages 113–122, 1988. puter Science Volume 263.

[BOGW88] M. Ben-Or, S. Goldwasser, and A. Wigder- [CIO98] Giovanni Di Crescenzo, Yuval Ishai, and son. Completeness theorems for fault- Rafail Ostrovsky. Non-interactive and non- tolerant distributed computing. In Proc. malleable commitment. In 30th Sympo- 20th ACM Symposium on Theory of Com- sium on the Theory Of Computing, pages puting, pages 1–10, Chicago, 1988. ACM. 141–150, 1998.

[CCD88] David Chaum, Claude Cre´peau, and Ivan [CLS01] C. Cre´epeau, F. Le´gare´, and L. Salvail. Damga˚rd. Multiparty unconditionally se- How to convert the flavor of a quantum bit cure protocols. In STOC ’88: Proceed- commitment. In Advances in Cryptology - ings of the twentieth annual ACM sympo- Eurocrypt ’01, pages 60–77, Berlin, 2001. sium on Theory of computing, pages 11– Springer-Verlag. Lecture Notes in Com- 19, New York, NY, USA, 1988. ACM puter Science Volume 2045. Press. [Cre´97] C. Cre´peau. Efficient cryptographic pro- [CCM98] C. Cachin, C. Cre´peau, and J. Mar- tocols based on noisy channels. In Wal- cil. Oblivious transfer with a memory- ter Fumy, editor, Advances in Cryptology bounded receiver. In IEEE, editor, 39th An- - EuroCrypt ’97, pages 306–317, Berlin, nual Symposium on Foundations of Com- 1997. Springer-Verlag. Lecture Notes in puter Science: proceedings, pages 493– Computer Science Volume 1233. 502. IEEE Computer Society Press, 1998. [DDN91] D. Dolev, C. Dwork, and M. Naor. Non- [CF01] Ran Canetti and Marc Fischlin. Univer- malleable . In ACM, edi- sally composable commitments. In Joe tor, Proceedings of the twenty third an- Kilian, editor, Advances in Cryptology – nual ACM Symposium on Theory of Com- CRYPTO ’ 2001, volume 2139 of Lec- puting, New Orleans, Louisiana, May 6– ture Notes in Computer Science, pages 8, 1991, 1109 Spring Street, Suite 300, 19–40. International Association for Cryp- Silver Spring, MD 20910, USA, 1991. tologic Research, Springer-Verlag, Berlin IEEE Computer Society Press. Full ver- Germany, 2001. sion available from authors.

3 [DMS00] P. Dumais, D. Mayers, and L. Salvail. [HR06a] I. Haitner and O. Reingold. A new inter- Perfectly concealing quantum bit commit- active hashing theorem. Electronic Col- ment from any quantum one-way permu- loquium on Computational Complexity, tation. In Advances in Cryptology - Eu- 2006. roCrypt ’00, pages 300–315, Berlin, 2000. Springer-Verlag. Lecture Notes in Com- [HR06b] I. Haitner and O. Reingold. Statistically- puter Science Volume 1807. hiding commitment from any one-way function. Cryptology ePrint Archive, Re- [Eve82] S. Even. Protocol for signing contracts. In port 2006/436, 2006. http://eprint.iacr.org/. Allen Gersho, editor, Advances in Cryp- tography, pages 148–153, Santa Barbara, [Kil88] J. Kilian. Founding cryptography on obliv- California, USA, 1982. University of Cali- ious transfer. In Proc. 20th ACM Sympo- fornia, Santa Barbara. sium on Theory of Computing, pages 20– 31, Chicago, 1988. ACM. [FS89] U. Feige and A. Shamir. Zero knowl- edge proofs of knowledge in two rounds. [Kil92] Joe Kilian. A note on efficient zero- In Gilles Brassard, editor, Advances in knowledge proofs and arguments (ex- Cryptology - Crypto ’89, pages 526–544, tended abstract). In Proceedings of the Berlin, 1989. Springer-Verlag. Lecture Twenty-Fourth Annual ACM Symposium Notes in Computer Science Volume 435. on the Theory of Computing, pages 723– 732, Victoria, British Columbia, Canada, [GK96] O. Goldreich and A. Kahan. How to 4–6 May 1992. construct constant-round zero-knowledge proof systems for np. Journal of Cryptol- [KK05] J. Katz and C. Koo. On constructing uni- ogy, 9(2):167–189, 1996. versal one-way hash functions from ar- bitrary one-way functions. Cryptology [GMW91] Oded Goldreich, , and Avi ePrint Archive, Report 2005/328, 2005. Wigderson. Proofs that yield nothing but http://eprint.iacr.org/. their validity or all languages in NP have zero-knowledge proof systems. Journal of [LH97] H.-K. Lo and F. Chau H.˙ Is quantum the Association for Computing Machinery, bit commitment really possible. Physical 38(3):691–729, July 1991. Review Letters, 78(17):3410–3413, April 1997. [HHK+05] I. Haitner, O. Horvitz, J. Katz, C.-Y. Koo, R. Morselli, and R. Shaltiel. Reducing [LLM+01] Moses Liskov, Anna Lysyanskaya, Silvio complexity assumptions for statistically- Micali, Leonid Reyzin, and Adam Smith. hiding commitment. In R. Cramer, edi- Mutually independent commitments. In tor, Advances in Cryptology - Eurocrypt Advances in Cryptology - Asiacrypt ’01, ’05, pages 58–77, Berlin, 2005. Springer- pages 385–401, 2001. Lecture Notes in Verlag. Lecture Notes in Computer Sci- Computer Science Volume 2248. ence Volume 3494. [May97] Dominic Mayers. Unconditionally secure [HILL98] Ha˚stad, Impagliazzo, Levin, and Luby. A quantum bit commitment is impossible. pseudorandom generator from any one- Physical Review Letters, 78(17):3414– way function. SICOMP: SIAM Journal on 3417, April 1997. Computing, 28, 1998. [Nao91] Moni Naor. Bit commitment using pseu- [HM96] S. Halevi and S. Micali. Practical dorandomness. Journal of Cryptology, and provably-secure commitment schemes 4(2):151–158, 1991. from collision-free hashing. In Neal Koblitz, editor, Advances in Cryptology - [NOV06] Minh-Huyen Nguyen, Shien Jin Ong, and Crypto ’96, pages 201–215, Berlin, 1996. Salil Vadhan. Statistical zero-knowledge Springer-Verlag. Lecture Notes in Com- arguments for np from any one-way func- puter Science Volume 1109. tion. In FOCS ’06: Proceedings of the

4 47rd Symposium on Foundations of Com- puter Science, pages N–N+11. IEEE Com- puter Society, 2006. [NOVY98] Moni Naor, Rafail Ostrovsky, Ramarath- nam Venkatesan, and Moti Yung. Per- fect zero-knowledge arguments for NP us- ing any one-way permutation. Journal of Cryptology, 11(2):87–108, Spring 1998. [NY89] Moni Naor and Moti Yung. Universal one- way hash functions and their cryptographic applications. In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing. (May 15–17 1989: Seattle, WA, USA), pages 33–43, New York, NY 10036, USA, 1989. ACM Press. [Rom90] J. Rompel. One-way functions are nec- essary and sufficient for secure signatures. In STOC ’90: Proceedings of the twenty- second annual ACM symposium on Theory of computing, pages 387–394, New York, NY, USA, 1990. ACM Press. [SRA81] A. Shamir, R. L. Rivest, and L. M. Adle- man. Mental poker. In D. Klarner, editor, The Mathematical Gardner, pages 37–43. Wadsworth, Belmont, California, 1981.

5