StatisticallyHiding Commitment from Any OneWay Function - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

StatisticallyHiding Commitment from Any OneWay Function

Description:

Hiding R does not learn x during the commit stage. ... 'One-way functions imply a 1-2 binding, statistically-hiding two-phase commitment' ... – PowerPoint PPT presentation

Number of Views:35
Avg rating:3.0/5.0
Slides: 36
Provided by: ifta
Category:

less

Transcript and Presenter's Notes

Title: StatisticallyHiding Commitment from Any OneWay Function


1
Statistically-Hiding Commitment from Any One-Way
Function
  • Iftach Haitner and Omer Reingold

2
Talk Plan
  • The quest for the minimal hardness assumptions
  • Commitment schemes
  • The new construction - Statistically-hiding
    commitment from any one-way function

3
The quest for the minimal hardness assumptions
4
Finding the minimal hardness assumptions
  • What are the minimal hardness assumptions
    required for constructing different cryptographic
    primitives? e.g., key agreement.
  • Cryptography implies one-way functions.Def
    f0,1n!0,1n is a one-way function if
  • Efficiently computable
  • Hard to invert hard to find an inverse
    f-1(f(x)) for a random f(x).
  • Does OWF imply Cryptography ?

5
OWF based cryptography
SZK arguments
Statistically-hiding commitment
NOV 06
Implied by OWF
Not implied by OWF
Our result
Pseudorandom generator
Digital signature
Key agreement
PRF/PRP
Oblivious transfer
Universal one-way hash functions
Private-key enc.
Trapdoor permutations
Computationally-hiding commitment
Public-key encryption
Collision-resistant hash functions
CZK proofs
6
Commitment schemes
7
Commitment Scheme
Commit-stage
S
R
x
8
Commitment Scheme cont.
Reveal-stage
S
R
x
9
Commitment Scheme cont.
  • Hiding R does not learn x during the commit
    stage.
  • Binding S cannot cheat in the reveal stage -
    decommit to two different values.

10
Different Types of Commitment.
  • Perfectly-binding commitment A
    polynomially-bounded R does not get any
    computational-knowledge about x (through the
    commit stage). Unbounded S cannot cheat in the
    reveal stage.
  • Statistically-hiding commitment Unbounded R does
    not get any noticeable information about x.
    Polynomially-bounded S cannot cheat in the reveal
    stage.

11
The Pros of Statistical Commitment
  • Assume that P is provably secure if the
    commitment is.
  • What if the commitment is broken?
  • The adversary gains additional powers (Quantum
    computers?)
  • The hardness assumption is broken
  • Breaking the commitment is useful only if it is
    done before the protocol ends- everlasting
    security

Construction of primitive P
R
S
Please open 1 and 3
12
Applications of Statistical Commitment
  • Building block in constructions of statistical
    zero-knowledge arguments.
  • Coin-flipping protocols.
  • A general transformation (that leaks no further
    information!) of (many types of) protocols secure
    against semi-honest parties into ones secure
    against malicious parties.

13
Previous Constructions of Statistical Commitment
  • BCC 88, BKK 90 Number-theoretic assumptions
  • NY 89, DPP '93 Collision-resistant hash
    functions
  • GK 96 Claw-free permutations
  • NOVY 91 One-way permutations
  • HHKKMS 05 Regular/approximable preimage-size
    one-way functions
  • HR 06 Exponentially-hard one-way functions
  • Here - Any one-way function

14
OWF based Cryptography
OWF
Statistical Comt.
Private key Encryption GGM 86
CZK ProofsGMW 87
15
Our Construction
16
Commitment Scheme Revisited
Commit-Phase
R (rR)
S (rS,x)
17
Commitment Scheme Revisited
A
B
Reveal (x)
18
Two-phase commitment
19
Two-phase commitment NOV 06
1-2 Binding After the first-phase commit, there
exists a single value x that revealing the
first-phase commitment to this value does not
make the second-phase commitment binding.
Hiding before each of the reveal stages, R does
not get information about the committed string.
The transcript of the first-phase commitment is
used as an input for the second-phase commitment
20
Two-phase commitment cont.
  • NOV 06 One-way function implies a collection
    of polynomial many two-phase commitments s.t.
  • All are 1-2 binding
  • At least one is statistically hiding
  • For the sake of this talkOne-way functions
    imply a 1-2 binding, statistically-hiding
    two-phase commitment.
  • We will use two-phase commitment to get
    weakly-binding statistically-hiding commitment

21
First Attempt
22
Statistical commitment (first att.)
Commit-Phase
Bitcommitment implies general commitment
if brc second
if brc first
First-phase reveal (x1)
23
Statistical commitment (first att.)
  • Correctness
  • Hiding
  • Binding

Problem the decision of S in which phase to
cheat may be taken during the first-phase reveal
-- after seeing brc!
Commit-Phase
brc second
brc first
First-phase reveal(x1)
Reveal-phase (b)
Reveal-phase (b)
First-phase reveal (x1)
Second-phase reveal (b)
?
24
Our Approach
  • We will try to force S to decide in which phase
    to cheat before seeing the value of brc
  • Main tool Universal One-Way Hash Functions

25
Universal One-Way Hash Functions NY 89
  • Collision resistant hash functions (CRHF) A
    function family H0,1n!0,1m(n)
  • Compressing m(n) lt n
  • Hardness Negligible for any efficient
    APrhÃHx,xÃA(h) x?x Æ h(x) h(x)
  • Universal one-way hash functions (UOWHF)
  • Compressing m(n) lt n
  • Hardness Negligible for any efficient
    APrhÃHxÃA(1n), xÃA(x,h) x?x Æ h(x) h(x)
  • Rompel 91, NY 89 If OWFs exist then there
    exist UOWHF with m(n) n/2

X
26
The Actual Protocol
27
Statistical commitment
H is a UOWHF from 0,1n to 0,1n/2
Commit-Phase
G is a family of pairwise-independent Boolean
hash functions
28
Statistical commitment
  • Correctness
  • Hiding
  • Binding

Commit-Phase
S (b20,1)
x1Ã0,1n
First-phase commit
z h(x1)
brc second
brc first
First-phase reveal(x1)
?
zh(x1)
Reveal-phase (b)
Reveal-phase (b)
First-phase reveal(x1)
Second-phase reveal(b)
?
?
29
The Protocol is Binding
  • Claim If the two-phase commitment is 1-2 binding
    then the new scheme is ?-binding.
  • Proof Otherwise there exists an algorithm A that
    breaks the binding for both values of brc with
    probability at least ¾.
  • We will use A to find collisions in H.

30
Cheating when brc first
Commit-Phase
A
) Cheating A outputs x10 ? x11 s.t. h(x10)
h(x11) z
First-phase commit
31
Cheating when brc second
Commit-Phase
x1 x ) h(x) z
A
First-phase commit
First-phase reveal(x1)
Reveal-phase
Second-phase reveal(b)
32
Breaking H
  • Announce x
  • Given h à H, find x ? x such that h(x) h(x)

33
Breaking H cont.
  • x1 x
  • h(x) z
  • h(x) z ! h(x) z
  • x10 ? x11
  • h(x10) h(x11) z

Commit -phase
  • Announcing x
  • Simulate the commitment with brc second
  • Announce x1 (as x)
  • Finding collision for hÃH
  • Rewind the protocol
  • Continue with brc first and h sets to h
  • Do the reveal-phase for b 0 and for b 1
  • Output x1j ? x

A
First-phase commit
Reveal-phase
34
Further issues
  • Simplify the construction of SZK and statistical
    commitment.
  • Find optimal constructions w.r.t efficiency and
    security

35
Thanks
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "StatisticallyHiding Commitment from Any OneWay Function" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!