Bit Commitment, Fair Coin Flips, and One-Way Accumulators

1
Bit Commitment, Fair Coin Flips, and One-Way
Accumulators

• Matt Ashoff
• 11/9/2004
• Cryptographic Protocols

2
Outline

• Bit Commitment
• Definition
• Properties
• Applications
• Implementations
• Fair Coin Flips
• Definition
• Implementations
• One-Way Accumulators
• Definition
• Example
• Motivation
• Applications
• References

3
Definition
Bit Commitment

• Goal is to ensure bit commitment.
• Simplest example
• Decide who goes first in a game
• If Bob guesses correctly, he goes
• Alice picks a bit (0 or 1) and locks it in a box
• Bob guesses a bit
• The box is opened to see if he is right
• Two parts
• Commitment
• Unveiling
• Must ensure that
• Alice cannot change her bit after Bob guesses
• Bob cannot know what Alices bit is until she
  unveils it
• Assume no trusted third-party

4
Properties
Bit Commitment

• Ideally, bit commitment has two interesting
  properties
• It is unconditionally secure if implemented
  correctly
• As opposed to computationally secure, which is a
  requirement for most algorithms
• It requires only a noisy channel
• However, implementing the algorithm ideally is
  the key

5
Applications
Bit Commitment

• Zero-Knowledge Protocols
• Identification Schemes
• Multi-party Computation
• Fair Coin Flips
• Electronic Voting

6
Implementations
Bit Commitment

• Symmetric Cryptography
• Alice encrypts her bit with a random key
• Sends to Bob
• At a later time, she sends Bob the key
• He can then verify the bit
• Disadvantage
• Alice may be able to generate another key so that
  the bit is changed once she knows the result.
• Solution
• Have Bob send her a random string to concatenate
  with her bit, then encrypt, makes generation of
  changed bit unlikely.
• Disadvantage Bob must send random string

7
Implementations (cont.)
Bit Commitment

• One-way hash functions
• Alice generates two random strings R1,R2
• Sends h(R1,R2,b) and R1 to Bob
• At a later time, Alice sends Bob (R1,R2,b)
• Bob checks h(R1,R2,b) and R1
• Advantage Bob sends nothing
• Disadvantage Alice must not be able to find
  collisions on the hash function such that
• h(R1,R2,b) h(R1,R2,b)
• Note Even more secure if Bob sends R1

8
Implementations (cont.)
Bit Commitment

• Could also use random number generators, many,
  many other protocols
• A quantum bit commitment scheme is supposedly
  computationally secure
• Although not proven to be so

9
Definition
Fair Coin Flips

• Goal is to flip a coin over the phone
• Original protocol went like this
• Alice flips a coin and tells Bob the result
• Bob then flips his own coin, XORs his result with
  Alices, and this is the result
• but this only prevents Alice from cheating. Bob
  can still make up his coin flip.
• Ideally, Alice and Bob would send their results
  simultaneously
• Note If either party lies and just makes up
  heads or tails, the other parties result will
  cancel it out
• This allows for one distrustful party

10
Implementations
Fair Coin Flips

• Alice flips her coin
• Alice generates a random key and encrypts My
  coin toss returned head, tails and sends this
  to Bob
• Bob does exactly the same thing
• They then swap keys and decrypt
• Note If one receives the key before the other
  (and thus, the others flip), they will not be
  able to generate another key that will change
  their coin flip
• Note This is just bit commitment using symmetric
  encryption (e.g., Heads ? 0, Tails ? 1)

11
Implementations (cont.)
Fair Coin Flips

• Using a one-way hash function
• Alice selects a random number x and computes y
  h(x), sends this to Bob
• Bob guesses if x is heads (even) or tails (odd),
  sends guess to Alice
• If Bob is correct, he wins
• Alice announces the result of the flip and sends
  x to Bob
• Bob verifies that y h(x)
• Notes
• The output of h(x) must have nothing to do with
  the parity of x.
• Alice must not be able to find a x and x such
  that x is odd and x is even, and h(x) h(x) y

12
Definition
One-Way Accumulators

• Given a one-way hash function with the property
  that
• h A x B ? C where A B C
• i.e., the size is not mapped down
• Given the definition of a quasi-commutative
  function
• f(f(x,y1),y2) f(f(x,y2),y1)
• A one-way accumulators is defined as
• h(h(x,y1),y2) h(h(x,y2),y1)
• A family of one-way accumulators is a family of
  one-way hash functions each of which is
  quasi-commutative.

13
Definition (cont.)
One-Way Accumulators

• For the one-way function to be secure, it must
  satisfy the property that
• Given x,y,y, it is hard to find a x such that
  h(x,y) h(x,y)
• It is not necessary for it to be hard to find a
  (x,y) pair such that h(x,y) h(x,y)

14
Example
One-Way Accumulators

• Most obvious example is modulo n math
• Given an(x,y) (xy) mod n
• an(an(x,y1),y2) ((xy1) mod n)y2 mod n
  (xy1y2) mod n ((xy2) mod n)y1 mod n
  an(an(x,y2),y1)
• Easy to invert ? Unsuitable
• Given en(x,y) xy mod n
• en(en(x,y1),y2) (xy1 mod n)y2 mod n x(y1y2)
  mod n (xy2 mod n)y1 mod n en(en(x,y2),y1)
• Hard to invert ? Suitable (e.g., RSA)

15
Motivation
One-Way Accumulators

• The quasi-commutative property can be extended to
  m users
• Start with an initial value x,
• Set of values y1,y2,,ym
• To compute z such that
• z h(h(h(h(x,y1),y2),,ym-1),ym)
• Notice that z is unchanged by the order of the yi

16
App Digital Signatures
One-Way Accumulators

• All parties in m choose their own yj
• The total hash z is computed given all of the yi
  and some initial value x
• Each party in m computes their own zj given every
  yi except their own yj
• They can later authenticate themselves to any
  other party in the group by presenting yj and zj,
  such that z h(zj,yj)

17
More Applications
One-Way Accumulators

• The digital signature application can easily be
  extended/modified to support
• Time Stamping
• Membership Testing
• Etc.

18
References

• J. Benaloh, M. de Mare. One-Way Accumulators A
  Decentralized Alternative to Digital Signatures.
  Advances in Cryptology--EUROCRYPT'93. LNCS,
  vol.765, pp.274--285, Springer--Verlag, 1994
• M. Blum, "Coin flipping by telephone a protocol
  for solving impossible problems, Proc. IEEE
  Computer Conference, pp. 133-137, 1982.
• J. Kilian. Uses of Randomness in Algorithms and
  Protocols, MIT Press, 1990.
• Nayak, Ashwin and Shor, Peter (2002) On
  bit-commitment based quantum coin flipping.
  Technical Report. California Institute of
  Technology.
• M. Naor, "Bit commitment using pseudo-randomness",
  J. Cryptology, vol. 2, no. 2, pp. 151-158, 1991.
• H.F. Chau, Hoi-Kwong Lo, Making an Empty Promise
  with a Quantum Computer, Fortschr. Phys. 46
  (1998) 4-5, 507-519.
• http//www.disappearing-inc.com/F/faircointoss.htm
  l
• http//www.cs.mcgill.ca/crepeau/CRYPTO/BCDemo/BCb
  ackground.html
• http//www.cs.rochester.edu/users/faculty/nelson/c
  ourses/cryptology/notes/lecture_16.txt