![Page 1: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/1.jpg)
Commitment Schemes
Section 1
Commitment Schemes
![Page 2: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/2.jpg)
Commitment Schemes
Commitment Schemes
Digital analogue of a safe.
Definition 1 (Commitment scheme)
An efficient two-stage protocol (S,R) .Commit The sender S has private input b ∈ {0,1}∗ and the
common input is 1n. The commitment stage resultin a joint output c, the commitment, and a privateoutput d to S, the decommitment.
Reveal S sends the pair (d ,b) to R, and R either acceptsor rejects.
Completeness: R always accepts in an honest execution.
Hiding:. In commit stage: ∀ R∗, m ∈ N and b 6= b′ ∈ {0,1}m,{ViewR∗(S(b),R∗)(1n)}n∈N ≈c {ViewR∗(S(b′),R∗)(1n)}n∈N.
![Page 3: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/3.jpg)
Commitment Schemes
Commitment Schemes
Digital analogue of a safe.
Definition 1 (Commitment scheme)
An efficient two-stage protocol (S,R) .Commit The sender S has private input b ∈ {0,1}∗ and the
common input is 1n. The commitment stage resultin a joint output c, the commitment, and a privateoutput d to S, the decommitment.
Reveal S sends the pair (d ,b) to R, and R either acceptsor rejects.
Completeness: R always accepts in an honest execution.
Hiding:. In commit stage: ∀ R∗, m ∈ N and b 6= b′ ∈ {0,1}m,{ViewR∗(S(b),R∗)(1n)}n∈N ≈c {ViewR∗(S(b′),R∗)(1n)}n∈N.
![Page 4: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/4.jpg)
Commitment Schemes
Commitment Schemes
Digital analogue of a safe.
Definition 1 (Commitment scheme)
An efficient two-stage protocol (S,R) .Commit The sender S has private input b ∈ {0,1}∗ and the
common input is 1n. The commitment stage resultin a joint output c, the commitment, and a privateoutput d to S, the decommitment.
Reveal S sends the pair (d ,b) to R, and R either acceptsor rejects.
Completeness: R always accepts in an honest execution.
Hiding:. In commit stage: ∀ R∗, m ∈ N and b 6= b′ ∈ {0,1}m,{ViewR∗(S(b),R∗)(1n)}n∈N ≈c {ViewR∗(S(b′),R∗)(1n)}n∈N.
![Page 5: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/5.jpg)
Commitment Schemes
Commitment Schemes cont.
Binding: “Any" S∗ succeeds in the following game withnegligible probability in n:
On security parameter 1n, S∗ interacts with R in thecommit stage resulting in a commitment c, and thenoutput two pairs (d ,b) and (d ′,b′) with b 6= b′ suchthat R(c,d ,b) = R(c,d ′,b′) = Accept
![Page 6: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/6.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcript
Hiding: Perfect, statistical, computationalBinding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 7: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/7.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computational
Binding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 8: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/8.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computationalBinding: Perfect, statistical. computational
Cannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 9: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/9.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computationalBinding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.
For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 10: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/10.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computationalBinding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)
Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 11: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/11.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computationalBinding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"
(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 12: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/12.jpg)
Commitment Schemes
Commitment Schemes cont.
wlg. we can think of d as the random coin of S, and c asthe transcriptHiding: Perfect, statistical, computationalBinding: Perfect, statistical. computationalCannot achieve both properties to be statisticalsimultaneously.For computational security, we will assume non-uniformentities:On security parameter n, the adversary gets an auxiliaryinput zn (length of auxiliary input does not count for therunning time)Suffices to construct “bit commitments"(non-uniform) OWFs imply statistically binding, andstatistically hiding commitments
![Page 13: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/13.jpg)
Commitment Schemes
OWP to commitments
Perfectly Binding Commitment from OWP
Let f : {0,1}n 7→ {0,1}n be a permutation and let b be a(non-uniform) hardcore predicate for f .
Protocol 2 ((S,R))
Commit:S’s input: b ∈ {0,1}S chooses a random x ∈ {0,1}n, and sendsc = (f (x),b(x)⊕ b) to R
Reveal:S sends (x ,b) to R, and R accepts iff (x ,b) is consistent with c(i.e., b(x)⊕ b = c)
![Page 14: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/14.jpg)
Commitment Schemes
OWP to commitments
Perfectly Binding Commitment from OWP
Let f : {0,1}n 7→ {0,1}n be a permutation and let b be a(non-uniform) hardcore predicate for f .
Protocol 2 ((S,R))
Commit:S’s input: b ∈ {0,1}S chooses a random x ∈ {0,1}n, and sendsc = (f (x),b(x)⊕ b) to R
Reveal:S sends (x ,b) to R, and R accepts iff (x ,b) is consistent with c(i.e., b(x)⊕ b = c)
![Page 15: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/15.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof:
Correctness and binding are clear.Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 16: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/16.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof: Correctness and binding are clear.
Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 17: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/17.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof: Correctness and binding are clear.Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 18: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/18.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof: Correctness and binding are clear.Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 19: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/19.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof: Correctness and binding are clear.Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 20: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/20.jpg)
Commitment Schemes
OWP to commitments
Claim 3Protocol 2 is perfectly binding and computationally hidingcommitment scheme.
Proof: Correctness and binding are clear.Hiding: for any (possibly non-uniform) algorithm A, let
∆An = |Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ 1) = 1]|
It follows that
|Pr[A(f (Un),b(Un)⊕ 0) = 1]− Pr[A(f (Un),b(Un)⊕ U) = 1]| = ∆An/2
Hence,
|Pr[A(f (Un),b(Un)) = 1]− Pr[A(f (Un),U) = 1]| = ∆An/2 (1)
Thus, ∆An is negligible for any PPT
![Page 21: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/21.jpg)
Commitment Schemes
OWF to commitments.
Statistically Binding Commitment from OWF.
Let g : {0,1}n 7→ {0,1}3n be a (non-uniform) PRG
Protocol 4 ((S,R))
CommitCommon input: 1n
S’s input: b ∈ {0,1}Commit: 1 R chooses a random r ← {0,1}3n to S
2 S chooses a random x ∈ {0,1}n, and sendg(x) to S in case b = 0 and c = g(x)⊕ rotherwise.
Reveal: S sends (b, x) to R, and R accepts iff (b, x) isconsistent with r and c
Correctness is clear. Hiding and biding HW
![Page 22: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/22.jpg)
Commitment Schemes
OWF to commitments.
Statistically Binding Commitment from OWF.
Let g : {0,1}n 7→ {0,1}3n be a (non-uniform) PRG
Protocol 4 ((S,R))
CommitCommon input: 1n
S’s input: b ∈ {0,1}Commit: 1 R chooses a random r ← {0,1}3n to S
2 S chooses a random x ∈ {0,1}n, and sendg(x) to S in case b = 0 and c = g(x)⊕ rotherwise.
Reveal: S sends (b, x) to R, and R accepts iff (b, x) isconsistent with r and c
Correctness is clear.
Hiding and biding HW
![Page 23: Foundation of Cryptography (0368-4162-01), Lecture 6 ...iftachh/Courses/FOC/Fall11/... · Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment](https://reader034.vdocument.in/reader034/viewer/2022042408/5f23a0c2e7dec91bc971e85e/html5/thumbnails/23.jpg)
Commitment Schemes
OWF to commitments.
Statistically Binding Commitment from OWF.
Let g : {0,1}n 7→ {0,1}3n be a (non-uniform) PRG
Protocol 4 ((S,R))
CommitCommon input: 1n
S’s input: b ∈ {0,1}Commit: 1 R chooses a random r ← {0,1}3n to S
2 S chooses a random x ∈ {0,1}n, and sendg(x) to S in case b = 0 and c = g(x)⊕ rotherwise.
Reveal: S sends (b, x) to R, and R accepts iff (b, x) isconsistent with r and c
Correctness is clear. Hiding and biding HW