Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ∗

Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ∗

Perfectly Hiding Commitment Scheme with Two-Round from Any One-Way Permutation ¤ Chunming Tang1;y Dingyi Pei1 Zhuojun Liu2 Zheng-an Yao3 Mingsheng Wang4 1 School of Mathematics and Information Sciences, Guangzhou University, China(510006) 2 Key Laboratory of Mathematics Mechanization, AMSS, CAS, China(100080) 3 School of Mathematics and Statistics, Zhongshan University, China(510006) 4 State Key Laboratory of Information Security, Institute of Software, CAS China(100080) Abstract Commitment schemes are arguably among the most important and useful primitives in cryp- tography. According to the computational power of receivers, commitments can be classi¯ed into three possible types: computational hiding commitments, statistically hiding commitments and perfect computational commitments. The ¯st commitment with constant rounds had been constructed from any one-way functions in last centuries, and the second with non-constant rounds were constructed from any one-way functions in FOCS2006, STOC2006 and STOC2007 respectively, furthermore, the lower bound of round complexity of statistically hiding commit- n ments has been proven to be logn rounds under the existence of one-way function. Perfectly hiding commitments implies statistically hiding, hence, it is also infeasible to con- struct a practically perfectly hiding commitments with constant rounds under the existence of one-way function. In order to construct a perfectly hiding commitments with constant rounds, we have to relax the assumption that one-way functions exist. In this paper, we will construct a practically perfectly hiding commitment with two-round from any one-way permutation. To the best of our knowledge, these are the best results so far. Keywords: Cryptography, perfectly hiding commitments, one-way permutation, §-protocol. 1 Background and Motivation Commitment schemes are arguably among the most important and useful primitives in cryptogra- phy. Intuitively a commitment scheme is a two-party(interactive) protocol between a sender P and a receiver V in which after the sender P commits to a value b at hand, (1) the sender P cannot change his mind(this is known as the binding property); and (2) the receiver V learns nothing about the value of the bit b (this is known as the hiding property). Commitments have diverse applica- tions to cryptographic protocols, such as zero-knowledge proofs, multi-party computation, digital auctions and electronic commerce[5, 8, 9, 10]. According to the computational power of senders and receivers, commitments can be classi¯ed into the four possible types shown in following Table[14]. Table 1. Classi¯cation of commitments. Type Computational power of sender P Computational power of receiver V Type A Polynomial-time bounded Polynomial-time bounded Type B Polynomial-time bounded Computationally unbounded Type C Computationally unbounded Polynomial-time bounded Type D Computationally unbounded Computationally unbounded ¤Partially supported by National Science Foundation of China (90604034(key project), 10726012) and 973 Project (2007CB311201) yEmail: [email protected] 1 Usually, if the binding property holds with respect to a computationally unbounded algorithm sender, the commitment scheme is said to be unconditionally binding, else to be computation- ally binding; if instead, the hiding property holds with respect to a computationally unbounded algorithm receiver, the commitment scheme is said to be unconditionally hiding, else to be computa- tionally hiding. Where "unconditionally binding (or hiding)" means "perfectly binding (or hiding)" or "statistically binding (or hiding)". Feige and Shamir[6] constructed a commitment of Type A under the existence of one-way functions, and Goldreich et al. [9] also constructed the commitment scheme of Type C from any one-way functions. In [21], Ostrovsky et al. showed that it is impossible to implement the commitment scheme of Type D. The early construction of commitment schemes of Type B were based on speci¯c number- theoretic complexity assumptions [1, 2], and were later generalized to any family of claw-free per- mutations [7], and then to any family of collision-resistant hash function [19]. In 1992, Naor et al. [17] showed that the collision resistance criterion is not necessary by giving a beautiful construction of perfectly hiding commitments with non-constant rounds from any one-way permutation, which is an 1-1 and length preserving one-way function. it is left as an open question whether these primitives could be based on arbitrary one-way functions, which could again be essentially minimal by [20, 22]. The progress in the past decade came in 2005 when Haitner et al. [12] showed how to construct statistically hiding commitments from any "approximable preim- age size" one-way function, which is an one-way function where we can e±ciently approximate the pre-image size of points in the range. Nguyen et al. [16, 18] in 2006 and Haitner et al. [11] in 2007 constructed statistically hiding commitment from any one-way function respectively, however, their schemes need polynomial number of rounds complexity. Especially, Haitner et al.[11] gave the n lower bound of round complexity of statistically hiding commitments which is logn rounds under the existence of one-way function. Perfectly hiding commitments implies statistically hiding, hence, it is also infeasible to construct a practically perfectly hiding commitments with constant rounds under the existence of one-way function. In order to construct a practically perfectly hiding commitments with constant rounds, we have to relax the assumption that one-way functions exist. In this paper, we will construct a practically perfectly hiding commitment with two-round from any one-way permutation, which is di®erent from commitment with non-constant rounds from one-way permutation in [17]. We will make use of §-protocol as a main tool. §-protocol is a three-move interactive protocol between the prover and the veri¯er which the veri¯er is only required to send random bits as a challenge to the prover. §-protocol has become an important cryptographic primitive because of its following excellent characters: 1)validity; 2) special soundness; 3) honest-veri¯er zero-knowledge. The term §-protocol was introduced by Cramer for the reason that he called these protocols §-protocols is that the shape of the letter §[3]. So far, lots of cryptographic protocols have been constructed based on §-protocols, such as, identi¯cation schemes, digital signature schemes, secret sharing schemes[3]. Based on §-protocol, a new method to construct a commitment scheme was proposed in [13], furthermore, Damgard proved that these commitment are perfectly hiding. However, we ¯nd that these commitment scheme based on §-protocols are perfectly hiding only when §-protocols satisfy some special conditions. In this paper, we use §-protocol as a main tool to construct a perfectly hiding commitment with two-round from any one-way permutation. 1.1 Our Contribution We ¯rstly construct a perfectly hiding and computationally binding commitment scheme with two-round under the existence of one-way permutation. 2 1.2 Related Works Perfectly hiding commitments can be constructed from speci¯c number-theoretic complexity as- sumptions [1, 2, 13]. In 1992, Naor et al. gave a beautiful construction of perfecly hiding com- mitments from any one-way permutation [17], however, their commitment has non-constant round complexisy. Haitner et al. constructed statistically hiding commitment from any one-way function [11], however, they also gave the lower bound of round complexity of statistically hiding commit- n ments which is logn rounds under the existence of any one-way function. 1.3 Organization We start with some basic de¯nitions and properties on §-protocol and commitment scheme. Then, we introduce a perfectly hiding commitment based on §-protocol in section 3, and construct a perfectly hiding commitment from any one-way function in section 4. 2 Preliminaries NP relations We say that a binary relation R ⊆ f0; 1g¤ £ f0; 1g¤ is an NP relation if there exists a polynomial p(¢) such that for any (x; w) 2 R; jwj · p(jxj) and in addition there exists a polynomial time Turing machine for deciding membership in R. We denote by LR the following language: LR = fxj9w s:t: (x; w) 2 Rg. We say that L 2 NP if L = LR for some NP relation R. A negligible function is a function that grows slower that inverse of any polynomial. That is, º : N ! N is negligible if for any positive polynomial p(¢) there exists a number n0 such that 1 º(n) < p(n) for all n > n0. We will sometimes use negl(¢) to denote some unspeci¯ed negligible function. One-Way Function A function f : f0; 1g¤ ! f0; 1g¤ is called one-way if the following conditions hold: 1. there exists a deterministic polynomial-time algorithm A such that on input x, A outputs f(x); 2. for every non-uniform probabilistic polynomial-time algorithm A0 there exists a negligible func- tion º such that for all su±ciently large k, it holds that P rob(x à f0; 1g¤; A0(f(x)) 2 f ¡1(f(x))) < º(k): Consider the case where f is an one-way permutation which is an 1-1 and length preserving one-way function We call each sending of a message by a party a move, and say a round is two consecutive moves. 2.1 Commitment scheme Commitment scheme is a basic building block and has diverse applications to cryptographic pro- tocols, especially to zero-knowledge proofs[9, 14]. Informally, a commitment scheme is a two-stage protocol between a sender and a receiver. In the ¯rst stage, the sender commits to a value b, and in the second, the sender 'reveal' this value to the receiver. We want two security properties from a commitment scheme. The hiding property says that the receiver does not learn anything about the value b during the commit stage. And the binding property says that after the commit stage, there is at most one value that the sender can successfully open.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us