Commitment scheme: Difference between revisions

{{short description|Cryptographic scheme that allows commitment to a chosen value}}

In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called ''the commitment''. It is essential that the specific value chosen cannot be knownextracted from the message by the receiver at that time (this is called the ''hiding'' property). A simple reveal phase would consist of a single message, ''the opening'', from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the ''binding'' property).

The concept of commitment schemes was perhaps first formalized by [[Gilles Brassard]], [[David Chaum]], and [[Claude Crépeau]] in 1988,<ref name="BCC">Gilles Brassard, David Chaum, and Claude Crépeau, ''[http://crypto.cs.mcgill.ca/~crepeau/PDF/BCC88-jcss.pdf Minimum Disclosure Proofs of Knowledge]'', Journal of Computer and System Sciences, vol. 37, pp. 156–189, 1988.</ref> as part of various zero-knowledge protocols for [[NP (complexity)|NP]], based on various types of commitment schemes.<ref>{{cite journal |last1=Goldreich |first1=Oded |last2=Micali |first2=Silvio |last3=Wigderson |first3=Avi |year=1991 |title=Proofs that yield nothing but their validity |journal=Journal of the ACM |volume=38 |issue=3 |pages=690–728 |citeseerx=10.1.1.420.1478 |doi=10.1145/116825.116852 |s2cid=2389804 |doi-access=free}}</ref><ref>Russell Impagliazzo, Moti Yung: Direct Minimum-Knowledge Computations. CRYPTO 1987: 40-51</ref> But the concept was used prior to that without being treated formally.<ref name="Naor">{{cite journal | doi=10.1007/BF00196774 | title=Bit commitment using pseudorandomness | date=1991 | last1=Naor | first1=Moni | journal=Journal of Cryptology | volume=4 | issue=2 | pages=151–158 | s2cid=15002247 | doi-access=free }}</ref><ref name="Crepeau">Claude Crépeau, ''[http://crypto.cs.mcgill.ca/~crepeau/PDF/Commit.pdf Commitment]'', Cryptography and Quantum Information Lab, [[McGill University School of Computer Science]], accessed April 11, 2008</ref> The notion of commitments appeared earliest in works by [[Manuel Blum]],<ref name="Blum">Manuel Blum, ''[https://www.cs.cmu.edu/~mblum/research/pdf/coin/in4.html Coin Flipping by Telephone]'', Proceedings of [[CRYPTO]] 1981, pp. 11–15, 1981, reprinted in SIGACT News vol. 15, pp. 23–27, 1983, [[Carnegie Mellon School of Computer Science]].</ref> [[Shimon Even]],<ref name="Even">Shimon Even. ''Protocol for signing contracts.'' In [[Allen Gersho]], ed., ''Advances in Cryptography'' (proceedings of CRYPTO '82), pp. 148–153, Santa Barbara, CA, US, 1982.</ref> and [[Adi Shamir]] et al.<ref name="SRA81">A. Shamir, [[R. L. Rivest]], and L. Adleman, "[[Mental Poker]]"''.'' In [[David A. Klarner]], ed., ''[https://books.google.com/books?id=DhgGCAAAQBAJ&pg=PA37 The Mathematical Gardner]'' ({{ISBN|978-1-4684-6686-7}}), pp. 37–43. Wadsworth, Belmont, California, 1981.</ref> The terminology seems to have been originated by Blum,<ref name="Crepeau" /> although commitment schemes can be interchangeably called '''bit commitment schemes'''—sometimes reserved for the special case where the committed value is a [[bit]]. EarlierPrior to that, commitment via one-way hash functions was considered, e.g., as part of, say, [[Lamport signature]], the original one-time one-bit signature scheme.

Suppose [[Alice and Bob]] want to resolve some dispute via '''[[coin flipping]]'''. If they are physically in the same place, a typical procedure might be:

The environment initially tells ''C'' to commit to a message ''m''. At some point in the interaction, ''S'' will commit to a value ''m′''. This message is handed to ''R'', who outputs ''m′''. Note that by assumption we have ''m' = m'' [[with high probability]]. Now in the ideal process the simulator has to come up with ''m''. But this is impossible, because at this point the commitment has not been opened yet, so the only message ''R'' can have received in the ideal process is a "receipt" message. We thus have a contradiction.

A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources); or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources); or formulated as an instance-dependent commitment scheme, which is either hiding or binding depending on the solution to another problem.<ref>Shien Hin Ong and Salil Vadhan (1990). Perfect zero knowledge in constant round, In Proc. STOC, p. 482-493482–493, cited in Shien Hin Ong and Salil Vadhan (2008). An Equivalence between Zero Knowledge and Commitments, Theory of Cryptography.</ref><ref>Toshiya Itoh, Yiji Ohta, Hiroki Shizuya (1997). A language dependent cryptographic primitive, In J. Cryptol., 10(1):37-49, cited in Shien Hin Ong and Salil Vadhan (2008). An Equivalence between Zero Knowledge and Commitments, Theory of Cryptography.</ref> A commitment scheme cannot be both perfectly hiding and perfectly binding at the same time.

Bit-commitment schemes are trivial to construct in the [[random oracle]] model. Given a [[cryptographic hash function|hash function]] H with a 3''k'' bit output, to commit the ''k''-bit message ''m'', Alice generates a random ''k'' bit string ''R'' and sends Bob H(''R'' || ''m''). The probability that any ''R′'', ''m′'' exist where ''m′'' ≠ ''m'' such that H(''R′'' || ''m′'') = H(''R'' || ''m'') is ≈ 2^−''k'', but to test any guess at the message ''m'' Bob will need to make 2^''k'' (for an incorrect guess) or 2^''k''-1 (on average, for a correct guess) queries to the random oracle.<ref>{{Citation

In 1991 [[Moni Naor]] showed how to create a bit-commitment scheme from a [[cryptographically secure pseudorandom number generator]].<ref>{{cite web|url=http://citeseer.ist.psu.edu/context/22544/0 |title=Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex) |publisher=Citeseer.ist.psu.edu |access-date=2014-06-07 |url-access=registration}}</ref> The construction is as follows. If ''G'' is a pseudo-random generator such that ''G'' takes ''n'' bits to 3''n'' bits, then if Alice wants to commit to a bit ''b'':

Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology 11(2): 87-10887–108 (1998)[https://link.springer.com/article/10.1007%2Fs001459900037]</ref>

A KZG proof must demonstrate that the revealed data is the authentic value of <math>x_i</math> when <math>C</math> was computed. Let <math>y=x_i</math>, the revealed value we must prove. Since the vector of <math>x_i</math> was reformulated into a polynomial, we really need to prove that the polynomial <math>p</math>, when evaluated at <math>i</math>, takes on the value <math>y</math>. Simply, we just need to prove that <math>p(i)=y</math>. We will do this by demonstrating that subtracting <math>y</math> from <math>p</math> yields a root at <math>i</math>. Define the polynomial <math>q</math> as

The utility of the bilinear map pairing is to allow the multiplication of <math>q(x)</math> by <math>x-i</math> to happen securely. These values truly lie in <math>\mathbb{G}_1</math>, where division is assumed to be computationally hard. For example, <math>\mathbb{G}_1</math> might be an [[elliptic curve]] over a finite field, as is common in [[elliptic-curve cryptography]]. Then, the division assumption is called the [[Elliptic-curve cryptography#Rationale|elliptic curve discrete logarithm problem]]{{Broken anchor|date=2024-07-20|bot=User:Cewbot/log/20201008/configuration|target_link=Elliptic-curve cryptography#Rationale|reason= The anchor (Rationale) [[Special:Diff/1148439344|has been deleted]].}}, and this assumption is also what guards the trapdoor value from being computed, making it also a foundation of KZG commitments. In that case, we want to check if <math>q(x)(x-i) = p(x)-y</math>. This cannot be done without a pairing, because with values on the curve of <math>G \cdot q(x)</math> and <math>G \cdot (x-i)</math>, we cannot compute <math>G \cdot (q(x)(x-i))</math>. That would violate the [[computational Diffie–Hellman assumption]], a foundational assumption in [[elliptic-curve cryptography]]. We instead use a [[pairing]] to sidestep this problem. <math>q(x)</math> is still multiplied by <math>G</math> to get <math>G \cdot q(x)</math>, but the other side of the multiplication is done in the paired group <math>\mathbb{G}_2</math>, so, <math>H \cdot (t-i)</math>. We compute <math>e(G \cdot q(t), H \cdot (t-i))</math>, which, due to the [[bilinear map|bilinearity]] of the map, is equal to <math>e(G, H)^{q(t)\cdot(t-i)}</math>. In this output group <math>\mathbb{G}_T</math> we still have the [[Discrete logarithm#Cryptography|discrete logarithm problem]], so even though we know that value and <math>e(G, H)</math>, we cannot extract the exponent <math>q(t)\cdot(t-i)</math>, preventing any contradiction with discrete logarithm earlier. This value can be compared to <math>e(G \cdot (p(t) - y), H)=e(G, H)^{p(t) - y}</math> though, and if <math>e(G, H)^{q(t)\cdot(t-i)} = e(G, H)^{p(t) - y}</math> we are able to conclude that <math>q(t) \cdot (t-i) = p(t)-y</math>, without ever knowing what the actual value of <math>t</math> is, let alone <math>q(t)(t-i)</math>.

However, this is impossible, as Dominic Mayers showed in 1996 {{xref|(see this citation:<ref>Brassard, Crépeau, Mayers, Salvail: [https://arxiv.org/abs/quant-ph/9712023 A brief review on the impossibility of quantum bit commitment]</ref> for the original proof)}}. Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the [[Schmidt decomposition]], effectively defeating the binding property.