Content deleted Content added
m i wouldnt consider O(n) inefficient by any means, but as there is better runtimes its still worth a mention |
Link suggestions feature: 3 links added. Tags: Visual edit Mobile edit Mobile web edit Newcomer task Suggested: add links |
||
| (46 intermediate revisions by 35 users not shown) | |||
Line 1:
{{short description|Cryptographic scheme
{{more citations needed|date=October 2014}}
A '''commitment scheme''' is a [[cryptographic primitive]] that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.<ref name="Goldreich">[[Oded Goldreich]] (2001).
A way to visualize a commitment scheme is to think of a sender as putting a message in a locked box, and giving the box to a receiver. The message in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the message inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time.
Line 13:
In the above metaphor, the commit phase is the sender putting the message in the box, and locking it. The reveal phase is the sender giving the key to the receiver, who uses it to open the box and verify its contents. The locked box is the commitment, and the key is the proof.
In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called ''the commitment''. It is essential that the specific value chosen cannot be
The concept of commitment schemes was perhaps first formalized by [[Gilles Brassard]], [[David Chaum]], and [[Claude
==Applications==
Line 21:
===Coin flipping===
Suppose [[Alice and Bob]] want to resolve some dispute via '''[[coin flipping]]'''. If they are physically in the same place, a typical procedure might be:
# Alice "calls" the coin flip,
# Bob flips the coin,
# If Alice's call is correct, she wins, otherwise Bob wins.
If Alice and Bob are not in the same place a problem arises. Once Alice has "called" the coin flip, Bob can stipulate the flip "results" to be whatever is most desirable for him. Similarly, if Alice doesn't announce her "call" to Bob, after Bob flips the coin and announces the result, Alice can report that she called whatever result is most desirable for her. Alice and Bob can use commitments in a procedure that will allow both to trust the outcome:
Line 33:
# Alice reveals what she committed to,
# Bob verifies that Alice's call matches her commitment,
# If Alice's revelation matches the coin result Bob reported, Alice wins.
For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results.
A real-life application of this problem exists, when people (often in media) commit to a decision or give an answer in a "sealed envelope", which is then opened later. "Let's find out if that's what the candidate answered", for example on a game show, can serve as a model of this system.
Line 45:
===Signature schemes===
The [[Lamport signature]] scheme is a [[digital signature]] system that relies on maintaining two sets of secret [[network packet|data packets]], publishing [[Cryptographic hash function|verifiable hashes]] of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system.
Because the
=== Verifiable secret sharing ===
Line 56:
Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a [[cryptographic protocol]] or whether they are non-interactive, consisting of two algorithms ''Commit'' and ''CheckReveal''. In the latter case ''CheckReveal'' can often be seen as a derandomised version of ''Commit'', with the randomness used by ''Commit'' constituting the opening information.
If the commitment ''C'' to a value ''x'' is computed as ''C:=Commit(x,open)'' with ''open'' being the randomness used for computing the commitment, then ''CheckReveal (C,x,open)''
Using this notation and some knowledge about [[mathematical function]]s and [[probability theory]] we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding – a computationally unbounded adversary can simply generate ''Commit(x,open)'' for every value of ''x'' and ''open'' until finding a pair that outputs ''C'', and in a perfectly binding scheme this uniquely identifies ''x''.
===Computational binding===
Let ''open'' be chosen from a set of size <math>2^k</math>, i.e., it can be represented as a ''k'' bit string, and let <math>\text{Commit}_k</math> be the corresponding commitment scheme. As the size of ''k'' determines the security of the commitment scheme it is called the [[security parameter]].
Then for all [[Uniformity (complexity)|non-uniform]] [[PP (complexity)|probabilistic polynomial time algorithms]] that output <math>x,x'</math> and <math>open, open'</math> of increasing length ''k'', the probability that <math>x \neq x'</math> and <math>\text{Commit}_k(x,open)=\text{Commit}_k(x',open')</math> is a [[negligible function]] in ''k''.
This is a form of [[asymptotic analysis]]. It is also possible to state the same requirement using [[concrete security]]: A commitment scheme ''Commit'' is <math>(t,\epsilon)</math> secure, if for all algorithms that run in time ''t'' and output <math>x,x',open,open'</math> the probability that <math>x \neq x'</math> and <math>\text{Commit}(x,open)=\text{Commit}(x',open')</math> is at most <math>\epsilon</math>.
Line 88:
environment that, instead of corrupting ''C'', corrupts ''R'' instead. Additionally it runs a copy of ''S''. Messages received from ''C'' are fed into ''S'', and replies from ''S'' are forwarded to ''C''.
The environment initially tells ''C'' to commit to a message ''m''. At some point in the interaction, ''S'' will commit to a value ''m′''. This message is handed to ''R'', who outputs ''m′''. Note that by assumption we have ''m' = m'' [[with high probability]]. Now in the ideal process the simulator has to come up with ''m''. But this is impossible, because at this point the commitment has not been opened yet, so the only message ''R'' can have received in the ideal process is a "receipt" message. We thus have a contradiction.
==Construction==
A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources); or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources); or formulated as an instance-dependent commitment scheme, which is either hiding or binding depending on the solution to another problem.<ref>Shien Hin Ong and Salil Vadhan (1990). Perfect zero knowledge in constant round, In Proc. STOC, p.
===Bit-commitment in the random oracle model===
Bit-commitment schemes are trivial to construct in the [[random oracle]] model. Given a [[cryptographic hash function|hash function]] H with a 3''k'' bit output, to commit the ''k''-bit message ''m'', Alice generates a random ''k'' bit string ''R'' and sends Bob H(''R'' || ''m''). The probability that any ''R′'', ''m′'' exist where ''m′'' ≠ ''m'' such that H(''R′'' || ''m′'') = H(''R'' || ''m'') is ≈ 2<sup>−''k''</sup>, but to test any guess at the message ''m'' Bob will need to make 2<sup>''k''</sup> (for an incorrect guess) or 2<sup>''k''-1</sup> (on average, for a correct guess) queries to the random oracle.<ref>{{Citation
| last = Wagner
| first = David
Line 108:
===Bit-commitment from any one-way permutation===
One can create a bit-commitment scheme from any [[one-way function]] that is [[Injective function|injective]]. The scheme relies on the fact that every one-way function can be modified (via the [[Goldreich-Levin theorem]]) to possess a computationally [[hard-core predicate]] (while retaining the injective property).
Let ''f'' be an injective one-way function, with ''h'' a hard-core predicate. Then to commit to a bit ''b'' Alice picks a random input ''x'' and sends the triple :<math>(h,f(x),b \oplus h(x))</math>
to Bob, where <math>\oplus</math> denotes XOR, ''i.e.'', bitwise addition modulo 2. To decommit, Alice simply sends ''x'' to Bob. Bob verifies by computing ''f''(''x'') and comparing to the committed value. This scheme is concealing because for Bob to recover ''b'' he must recover ''h''(''x''). Since ''h'' is a computationally hard-core predicate, recovering ''h''(''x'') from ''f''(''x'') with probability greater than one-half is as hard as inverting ''f''. Perfect binding follows from the fact that ''f'' is injective and thus ''f''(''x'') has exactly one preimage.
Line 116 ⟶ 118:
Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol.
In 1991 [[Moni Naor]] showed how to create a bit-commitment scheme from a [[cryptographically secure pseudorandom number generator]].<ref>{{cite web|url=http://citeseer.ist.psu.edu/context/22544/0 |title=Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex) |publisher=Citeseer.ist.psu.edu |access-date=2014-06-07 |url-access=registration}}</ref> The construction is as follows. If ''G'' is a pseudo-random generator such that ''G'' takes ''n'' bits to 3''n'' bits, then if Alice wants to commit to a bit ''b'':
*Bob selects a random 3''n''-bit vector ''R'' and sends ''R'' to Alice.
Line 136 ⟶ 138:
This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the [[discrete logarithm problem]]. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the [[IND-CPA]] game. One consequence of this is that if the space of possible values of ''x'' is small, then an attacker could simply try them all and the commitment would not be hiding.
A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of ''x'' under a [[semantically secure]], public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt ''x''. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme,<ref name="Pedersen pp. 129–140">{{cite book | last=Pedersen | first=Torben Pryds | title=Advances in Cryptology – CRYPTO '91 | chapter=Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing | series=Lecture Notes in Computer Science | date=1992 | volume=576 | publisher=Springer Berlin Heidelberg | publication-place=Berlin, Heidelberg | isbn=978-3-540-55188-1 | doi=10.1007/3-540-46766-1_9 | pages=129–140}}</ref> which is computationally binding under the discrete logarithm assumption.
<ref name="metere2017automated" >{{cite conference
| title = Automated cryptographic analysis of the pedersen commitment scheme
Line 152 ⟶ 154:
These constructions are tightly related to and based on the algebraic properties of the underlying groups, and the notion originally seemed to be very much related to the algebra. However, it was shown that basing statistically binding commitment schemes on general unstructured assumption is possible, via the notion of interactive hashing
for commitments from general complexity assumptions (specifically and originally, based on any one way permutation) as in.<ref>Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, Moti Yung:
Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology 11(2):
===A perfectly hiding commitment scheme based on RSA===
Line 174 ⟶ 176:
}}</ref>
===Additive and
The Pedersen commitment scheme introduces an interesting homomorphic property that allows performing addition between two commitments. More specifically, given two messages <math>m_1</math> and <math>m_2</math> and randomness <math>r_1</math> and <math>r_2</math>, respectively,
<math>C(m_1, r_1) \cdot C(m_2, r_2) = g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1+m_2} h^{r_1+r_2} = C(m_1 + m_2, r_1 + r_2)</math>
Line 190 ⟶ 192:
Some commitment schemes permit a proof to be given of only a portion of the committed value. In these schemes, the secret value <math>X</math> is a vector of many individually separable values.
:<math>X = (x_1, x_2, ..., x_n)</math>
The commitment <math>C</math> is computed from <math>X</math> in the commit phase. Normally, in the reveal phase, the prover would reveal all of <math>X</math> and some additional proof data (such as <math>R</math> in [[#Bit-commitment in the random oracle model|simple bit-commitment]]). Instead, the prover is able to reveal any single value from the <math>X</math> vector, and create an efficient proof that it is the authentic <math>i</math>th element of the original vector that created the commitment <math>C</math>. The proof does not require any values of <math>X</math> other than <math>x_i</math> to be revealed, and it is impossible to create valid proofs that reveal different values for any of the <math>x_i</math> than the true one.<ref>{{cite
===Vector hashing===
Line 202 ⟶ 204:
===Merkle tree===
A common example of a practical partial reveal scheme is a [[Merkle tree]], in which a binary hash tree is created of the elements of <math>X</math>. This scheme creates commitments that are <math>O(1)</math> in size, and proofs that are <math>O(\log_2{n})</math> in size and verification time. The root hash of the tree is the commitment <math>C</math>. To prove that a revealed <math>x_i</math> is part of the original tree, only <math>\log_2{n}</math> hash values from the tree, one from each level, must be revealed as the proof. The verifier is able to follow the path from the claimed leaf node all the way up to the root, hashing in the sibling nodes at each level, and eventually arriving at a root node value that must equal <math>C</math>.<ref>{{Cite web |url=http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf |title=Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis |last=Becker |first=Georg
===KZG commitment===
Line 219 ⟶ 221:
====Reveal====
A KZG proof must demonstrate that the revealed data is the authentic value of <math>x_i</math> when <math>C</math> was computed. Let <math>y=x_i</math>, the revealed value we must prove. Since the vector of <math>x_i</math> was reformulated into a polynomial, we really need to prove that the polynomial <math>p</math>, when evaluated at <math>i</math>, takes on the value <math>y</math>. Simply, we just need to prove that <math>p(i)=y</math>. We will do this by demonstrating that subtracting <math>y</math> from <math>p</math> yields a root at <math>i</math>. Define the polynomial <math>q</math> as
:<math>q(x)=\frac{p(x)-y}{x-i}</math>
This polynomial is itself the proof that <math>p(i)=y</math>, because if <math>q</math> exists, then <math>p(x)-y</math> is divisible by <math>x-i</math>, meaning it has a root at <math>i</math>, so <math>p(i)-y=0</math> (or, in other words, <math>p(i)=y</math>). The KZG proof will demonstrate that <math>q</math> exists and has this property.
Line 235 ⟶ 237:
where <math>e</math> is the bilinear map function as above. <math>H \cdot t</math> is a precomputed constant, <math>H \cdot i</math> is computed based on <math>i</math>.
By rewriting the computation in the pairing group <math>\mathbb{G}_T</math>, substituting in <math>\pi=q(t) \cdot G</math> and <math>C=p(t) \cdot G</math>, and letting <math>\tau(x)=e(G,H)^x</math> be a helper function for lifting into the pairing group, the proof verification is more clear.
:<math>e(\pi, H \cdot t - H \cdot i) = e(C - G \cdot y, H)</math>
:<math>e(G \cdot q(t), H \cdot t - H \cdot i) = e(G \cdot p(t) - G \cdot y, H)</math>
Line 246 ⟶ 249:
{{hidden
| Why the bilinear map pairing is used |
The utility of the bilinear map pairing is to allow the multiplication of <math>q(x)</math> by <math>x-i</math> to happen securely. These values truly lie in <math>\mathbb{G}_1</math>, where division is assumed to be computationally hard. For example, <math>\mathbb{G}_1</math> might be an [[elliptic curve]] over a finite field, as is common in [[elliptic-curve cryptography]]. Then, the division assumption is called the [[Elliptic-curve cryptography#Rationale|elliptic curve discrete logarithm problem]]{{Broken anchor|date=2024-07-20|bot=User:Cewbot/log/20201008/configuration|target_link=Elliptic-curve cryptography#Rationale|reason= The anchor (Rationale) [[Special:Diff/1148439344|has been deleted]].}}, and this assumption is also what guards the trapdoor value from being computed, making it also a foundation of KZG commitments. In that case, we want to check if <math>q(x)(x-i) = p(x)-y</math>. This cannot be done without a pairing, because with values on the curve of <math>G \cdot q(x)</math> and <math>G \cdot (x-i)</math>, we cannot compute <math>G \cdot (q(x)(x-i))</math>. That would violate the [[computational Diffie–Hellman assumption]], a foundational assumption in [[elliptic-curve cryptography]].
|style = border: 1px solid lightgray; <!-- copied from the Navier–Stokes equations page -->
|headerstyle = text-align:left
Line 254 ⟶ 257:
==Quantum bit commitment==
It is an interesting question in [[quantum cryptography]] if ''unconditionally secure'' bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of [[quantum mechanics]], as in the protocols for [[Quantum key distribution|unconditionally secure key distribution]].
However, this is impossible, as Dominic Mayers showed in 1996 {{xref|(see this citation:<ref>Brassard, Crépeau, Mayers, Salvail: [https://arxiv.org/abs/quant-ph/9712023 A brief review on the impossibility of quantum bit commitment]</ref> for the original proof)}}. Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the [[Schmidt decomposition]], effectively defeating the binding property.
One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.<ref>A. Kent: [https://arxiv.org/abs/quant-ph/9906103 Secure classical Bit Commitment using Fixed Capacity Communication Channels]</ref> More generally,
==Commitments based on physical unclonable functions==
Line 269 ⟶ 272:
* [[Web of trust]]
* [[Zerocoin]]
* [[Anagram#
==References==
| |||