MosesLiskov,AnnaLysyanskaya,SilvioMicali,LeoReyzin, Adam Smith
mliskov@,anna@,silvio@,reyzin@,[email protected]
MITLabforComputer Science
Abstract
Wedescribeanewkindofcommitmentschemeinwhichtwoparties
committo valuesin acommitmentstage,at theend ofwhichweare
assuredthatthevaluestheyhavecommittedtocannotbecorrelatedto
oneanother. Wecallthisnewprimitivemutuallyindependentcommit-
ments. We presentthree mutuallyindependentcommitment schemes
which handlesinglebitcommitments,andwhich arecomputationally
hidingandperfectlybinding.
1 Introduction
Commitment schemes. A commitment scheme consists of a method C
which produces \commitments" to an inputx based on some randomness.
ThecommitmentisdenotedC(x)thoughwenotethatCmaynotbeatradi-
tionalfunction,ratherC(x)maybearrivedatthroughaprotocol. (Forthe
immediatediscussion, we will consideronlynon-interactive commitments.)
Duringthisprotocol, thecommittingpartylearnssome sideinformationp,
which together with x can verify that the commitment C(x) is indeed a
commitment to x. Commitment schemesneed thefollowingtwo properties
inorder to be secure.
Hiding It should be hard, seeing onlythe output C(x), to learn any-
thingaboutx.
Binding It should be hard to nd a quadruple (x;x 0
;p;p 0
) such that
y = C(x) can be shown to be a commitment to x with proof p, and
can be shown to be acommitmentto x 0
with proofp 0
where x6=x 0
.
A simple correlation attack. These properties are not suÆcient to
inferthatanyoneseeingacommitmentcannotextractanyusefulinformation
from it. Indeed, someone seeing a commitment cannot extract information
about the secret value x, but information can be gleaned in other ways.
As a simple example, suppose Alice and Bob each wish to commit to two
values,and Alicewillcommittohersrst. However, Bobmaysecretlywant
a
Alice'scommitment,Bobcanjustgivec
a
ashisowncommitment. Now,the
value Bob has committed to is the same as the value Alice hascommitted
to. Later,whenthecommitmentsareopened,ifAlicegoesrst,shereveals
herproofp andhersecretvaluea. Then,Bobcan claimthat pwasalso his
proofand that he committedto aas well.
A stronger correlation attack. Some may notndthis attack very
compelling,becauseBob'scommitmentisexactlythesameasAlice's,which
meansthatcheckingforthiswouldbeveryeasy. Sotomotivatetheproblem
further,considerthefollowingscheme forcommitting to abit [P91]:
Public Parameters: p;q;g such thatp=2q+1,p and q arebothprime,
andg2Z
q
,andseparaterandomvalueh2Z
q
(wherethediscretelogarithm
ofh to thebase g isnotknownto anyone).
Commitment Phase: When a is a bit, Alice computes C(a;r) = g r
h a
mod p.
Revealing Phase: Alicereveals aand r. Anyonecan checkthatg r
h a
was
herpublishedcommitment.
In this scheme, suppose that Bob sees that Alice's commitment is x.
Bobcan committothesamevalueasAlicebycomputingarandomvaluer 0
and publishingashis commitment thevaluexg r
0
. Now, when Alicereveals
aand r,Bobcan reveal aand r+r 0
. Moreover, Bob'scopiedcommitment
looks like atotally randomcommitment.
Motivation. Itisnotclearimmediatelythatthisisanimportantproblem,
so we consider the following example. SupposeAlice and Bob are bidding
in an auction, but in this auction they each only get one chance to bid,
andacommitmentschemeisusedtopreventthemfromchangingtheirbids
later. The rules are that whoever bids more for the item buys it at their
committed-to price, and anyone refusing to open their commitment pays
a large penalty. If Bob, seeing only Alice's commitment to her bid, can
produceacommitment toa bidof onecent more thanAlice's commitment,
thenhewillcertainlywintheauction,anddosoatthelowestpossibleprice.
An inadequate solution. The straightforward solution to this problem
is somewhat inadequate for protocol design. That solution is that during
commitment, Alice commits rst and Bob commits second, but during re-
vealing, Bob reveals rst and Alice reveals second. Once Bob opens his
ofAlice'scommitted value. (Otherwise,thehidingpropertyof thecommit-
ment scheme would be violated.) Thisprotocol, taken all at once, forms a
scheme forproducingmutuallyindependent announcements. That is,once
the reveal stage is completed, the revealed values are independent of one
another. However, at the end of the commitment stage, there is no such
guarantee.
In protocol design, however, it may be important to have a guarantee
that, ifthe commitment stage is successfully completed, the committed-to
valuesareguaranteedtobeindependentatthatpoint,regardlessofwhether
therevealingprotocolis everrun.
Note that any mutually independent commitment scheme gives a mu-
tually independent announcement protocol; once the committed-to values
areknownto beindependent,theparties simplyrevealtheircommitments.
Bythebindingproperty,these plaintextsarethesame asthecommitted-to
values, and sothey mustalso bemutuallyindependent.
1.1 Structure of this paper
First, we describe the denition of a mutually independent commitment
scheme. In this paper, we are concerned only with the (1) schemes for
committing to a single bit and (2) schemes which are perfectly binding /
computationallyhiding. Finally,weareof courseconcerned witha commu-
nicationmodelthatdoesnotallowperfect synchronization(orthe problem
could be trivially solved by having each party publishtheir commitments
simultaneously).
Next,wegoonto describeamutuallyindependentcommitmentscheme
basedontheassumptionofdense,semanticallysecurepublickeycryptosys-
temswitha 3-roundcommitment protocol.
1
Next,wedescribeastrongerpropertythatmaybedesirable,andpresent
two mutually independent commitment schemes with that property. The
rstoftheseschemeswillbebasedonthediscretelogarithmassumptionand
willhave a4-roundcommitment protocol, whilethe otherwillbe basedon
theexistence ofone-waypermutationsbutwillhavea 7-roundcommitment
protocol.
Finally,wegiveapreliminarydiscussionabouttheissuesthatarisewhen
1
Inour schemes, therewill be twoseparate phases: the commitment phaseand the
reveal phase. We will measure the eÆciency of the protocol by the number of rounds
neededinthecommitmentprotocol,sinceinmanycasestherevealprotocolisverysimple,
andsincewemaysometimeshavecommitmentswhichareneveropened.
strings.
2 Prior Work
3 Acknowledgements
4 Denitions
Amutuallyindependent commitment schemeisascheme involvingtwo par-
ties,AandB,whichwillbemodeledbyinteractiveprobabilisticpolynomial-
time Turing machines. The scheme consists of two protocols, commitment
and revealing.
For easeof notation, wewilluse thenotation A 0
to denote anarbitrary
PPT TM taking the place of machine A in the protocol, and similarly B 0
forB.
Let ussay that (T;p
A
;p
B
)=AB(`commit 0
;a;b) 2
be the output of the
commitment protocol, where T is the transcript, a public output, and p
A
and p
B
are privateoutputs ofA and B,respectively.
Letussaythat(c
A
;c
B
;v
A
;v
B
)=AB((`reveal 0
;T);(a;p
A );(b;p
B
))isthe
output of the revealing protocol. Here, v
A and v
B
are the revealed values
thatAandB committedto,respectively,andc
A andc
B
arebooleanvalues
thatsaywhether A (orB)accepts B's(or A's)value,respectively.
The scheme shouldhavethe followingproperties:
Completeness: IfAandBarebothhonest,thenthecommitmentpro-
tocolproduces anoutput,and if(T;p
A
;p
B
)=AB(`commit 0
;a;b),the
probabilitythat if (c
A
;c
B
;v
A
;v
B
= AB((`reveal 0
;T);(a;p
A );(b;p
B )),
thenwithprobability1,c
A
=c
B
=1 andv
A
=a andv
B
=b.
Perfect A-Binding: No TM A 0
can succeedinproducingatranscript
T withthehonest B such thatinthereveal stage withthehonest B,
A 0
can causeB to accept eitherof two dierentvalues. Formally,
8A 0
;8B;Pr[b B;(T;p
A
;p
B
) A
0
B(`commit 0
;;b);(c
A
;c
B
;v
A
;v
B )
A 0
B((`reveal 0
;T);(p
A
;0);(b;p
B ));(c
0
A
;c 0
B
;v 0
A
;v 0
B
) A
0
B((`reveal 0
;T);(p
A
;1);(b;p
B ):
v
A
=0^v 0
A
=1^c
B
=c 0
B
=1]=0
2
Ournotational convention here will be that the output of M
1 M
2 (P;S
1
;S
2
) will be
theoutputsoftheprotocolrunbetweenM1 andM2,two(randomized)TMs,whereP is
inputgiventobothM
1 andM
2 ,S
1
isprivateinputgivenonlytoM
1 ,andS
2
issimilarly
givenonlytoM2.
dishonestparty.
Computational A-Hiding: For all B 0
, if after participating in a com-
mitment protocol with A, then produces a value z, the probability
thata=zis at worst negligiblylargerthan 1/2.
Computational B-Hiding: Similarlyfor theabove denition, butwith
Abeingthe dishonestparty.
Non-A-correlation: For all binary relations R on pairs of bits, for
all distributions A, and for all B 0
, if a is generated from A, and
(T;p
A
;p
B
) is the output of AB 0
(`commit 0
;a;) and b is a bit such
that(c
A
;c
B
;v
A
;b) is theoutput of AB 0
((`reveal 0
;T);p
A
;p
B
) thenthe
probabilitythat R (a;b) and c
a
=1 is only negligiblybetter than the
probabilitythatR (a 0
;b)wherea 0
isgeneratedindependentlyofafrom
thedistributionA.
Non-B-correlation: As for Non-A-correlation, but with A being the
dishonestparty instead of B. We should note that in our protocols,
Non-B-correlationistrivialtoshowsinceAwillcommittotheirvalue
inthecommitment protocolbeforeB does.
Note that the schemes we present are only set up for commitments to
single-bitvalues, butthe dentionswe present are exibleand are capable
ofhandling largervalues.
5 First Protocol
Forthisprotocol, werequirea semanticallysecurepublickeycryptosystem
whichisdense, 3
thatis,thata randomlychosenstringoftherightlengthis
avalidpublickey.
The commitment protocol consistsof three rounds:
Step 1. B generates a randomvalueR
1
and sendsa commitment to R
1 to A.
Step 2. Asendsa commitment C(a),and arandom value R
2 .
3
What we want, specically, is that any stringof the appropriatelength be a valid
public key, and moreoverthat the distribution on public keys chosen through the key
generationprotocolbetheuniformdistributiononstringsoftheappropriatelength. This
seemslikeadenitionthatwouldhavecomeup before, butwehavenotfound itinthe
literature. Itissimilartothedenitiongivenin[DP92],butdierent.
B 1 2 1 B
The revealing protocol simply consists of B opening his commitment
E
B
(b);providingtherandombitsused,andof Aand Bopeningtheircom-
mitmentsC(a) and C(R
1 ).
In order to show the security of thisscheme, we need only assume the
securityofthecryptosystemandthe(perfectlybinding)commitmentscheme
usedinit.
That this scheme is complete, binding, and hiding is fairly straightfor-
ward. Furthermore,Non-B correlationistrivial. ToshowthatithasNon-A
correlation,supposetherewasaB 0
thatsucceededincreatingacommitment
toa value correlatedtoa, thenwecan create analgorithm forbreakingthe
GM security of the cryptosystem. The primary trick in the proof is that
thisalgorithmC interacts withB untilitsees R
1
,then itrewindsthepro-
tocol and sendsa dierent R
2
sothat R
1 R
2
is a publickeyfor which C
knows the secret key. Then, C simply decrypts the value E
B
(b), and uses
this informationto recover informationabout a, thus violating the hiding
propertyofthecommitmentschemeused byA.
However, thisprotocollacksone propertywhichwemaysometimeswish
to have. That is, when the commitment stage of the protocol completes,
we know that the values A and B committed to are independent of one
another,butwedon'tknowforsurewhetherAandB knowhowtoactually
open them. Ifthey proceedhonestlytheywillactuallysucceedinthereveal
stage. However, if they are dishonest, they might not. Thus, we propose
additionalsecuritypropertieswhich we maydesire.
A-Extractibility: ThereexistsanextractorE
A
suchthatforanyA 0
,A 0
andE
A
engagingtogetherinthecommitmentprotocol(withE
A play-
ingthepartofB,and withE
A
capableof \rewinding"A 0
,)producea
transcriptT andprivateoutputp
B
suchthat(1)T isdistributedjust
asit would be if A 0
were interacting with an honest B, and that (2)
withoverwhelmingprobability,thevalue p
B
issuchthat ifA 0
chooses
to open its commitment at all in a validway, p
B
is the value it can
opento.
B-Extractibility: Similar to A-Extractibility, except that we use an
extractor E
B
in place of the A party, and a dishonestB 0
in place of
B.
We call any mutually independent commitment scheme with these two
properties a mutually independent and aware commitment scheme, since
these properties ensurethattheparties areaware oftheir commitments.
We now exhibit therst of the two mutually independent and aware com-
mitment schemes. The rst scheme requires only a 4-round commitment
stage,butrelieson thehardness ofthediscretelogarithm problem.
Public parameters: a largeprime p=2q+1where q is also prime,and
agenerator g of Z
q .
STEP 1. A privatelygenerates a value k 2 Z
q
such thatif A wants to commit
to0,k 2f1;::: ;(q 1)=2gand otherwise,k 2f(q+1)=2;::: ;q 1g.
Then, A generates n values r
A
1
;:::;r
An
, and sends the 2n values
g k r
A
1
;g r
A
1
;:::;g k r
An
;g r
An
. Callthesevalues
1;0
;
1;1
;:::;
n;0
;
n;1 .
STEP 2. B similarly generates a value k 0
and n values r
B1
;:::;r
Bn
, and gen-
erates
1;0
;:::;
n;1
as A does in step 1. During this step, B also
producesa challenge bitstring oflengthn: S
B
1 S
B
2 :::S
B
N .
STEP 3. A checks that forall i2 [1;n], the value
i;0
i;1
is the same. A also
produces a challenge string S
A
of length n, and for each i 2 [1;n]
producesthe discretelogarithmof
i;S
B
i
,and sendsthese to B.
STEP 4. B checks thatforalli2[1;n],the value
i;0
i;1
isthesame, andver-
iesthediscretelogarithmsprovidedbyA,andanswersA's challenge
similarly.
STEP 5. Achecks thatB answered thechallenge correctly.
In the revealing protocol, A and B reveal their secret values k and k 0
and theseare veried, andv
A and v
B
are calculatedbasedon k andk 0
.
The ideahere isthatwhether thesecretdiscretelogarithm of
i;0
i;1 is
inthetop orbottom halfof Z
q
isa hard-core predicateof thediscretelog-
arithmfunction,whichprovidesthehidingpropertyandthenoncorrelation
properties. The discrete logarithm problemitself provides the property of
perfect binding we require. Finally, the "cut-and-choose" structure of the
protocol makestheA-and B-extractibilityfairlyeasy to demonstrate.
Oneissuewewillbringtolightintheextractibilityproofisthis. Suppose
thatA 0
is justlikeA except thatit willnever reveal thediscrete logarithm
of
i;j
for some specic i;j (until the revealing protocol, if A 0
chooses to
open hercommitment). Thenwithprobability1=2,A 0
makesitthroughthe
protocol, andthecanonicalextractorE
A
wouldrunintoproblemswhenthe
second time around, A 0
refusedto open the challenge. However, E
A could
just try new random challenges until it got A 0
to respond to its challenge
A
k,which reveals a.
ThisprotocoliseÆcient (only4roundsinthecommitmentphase,since
step5doesnotnecessarilyhavetotakeplace,asitcanbeveriedbyanyone),
butreliesonafairlystrongsecurityassumption. Next,wewilldemonstrate
a protocol which relies on weaker assumptions, but which requires more
rounds.
7 Third Protocol
Thisprotocol isa bitmore complicated thantheprevious two. It involves,
in the commitment protocol, a zero knowledge proof of knowledge. The
best scheme we know of to give a zero-knowledge proof of knowledge in
constant rounds depends on the existence of a perfectly hiding commit-
ment scheme, so we assume that in addition to the existence of one-way
permutations (whichis suÆcient forperfectlybindingcommitments). This
zero-knowledge proofofknowledgerequires5rounds,andtheproverspeaks
rst. For brevity, we will call the rounds of communication in the proof
< BA >
1
;< BA >
2
, et cetera. In [FS89] the authors show how to give
a zero knowledge argument of knowledge in 5 rounds based on one-way
functions. Thedierencebetweena\proof"andan\argument"isthatina
proof,theprovermaybeunboundedcomputationally,whileinanargument,
the prover need not be. Since in our scheme we assume both players are
computationallybounded,itsuÆces to relyona zero-knowledgeargument.
Here istheprotocol.
STEP 1. A generates 2n values a
1;0
;:::;a
n;1
such that for all i2[1;n], a
i;0
a
i;1
=aand computes
i;j
=C(x
i;j
), whereC is theperfectlyhiding
commitment scheme.
STEP 2. BpublishesacommitmentC(b)tob. BandAstartthezeroknowledge
proof of knowledge that B knows his commitment b and knows how
to open it. B sendsC(b)and <BA>
1 to A.
STEP 3. Asends<BA>
2 to B.
STEP 4. B sends<BA>
3 to A.
STEP 5. Asends<BA>
4 to B.
STEP 6. B sends<BA>
5
toA and sendsa challengesto A,where sisa bit
stringof lengthn.
i;si
STEP 8. B checks thatA's openedvaluesfromstep 7 werevalid.
In the revealing protocol, A opens all the remaining commitments and
B openshis commitment C(b).
Thecompletenessandbindingpropertiesforthisprotocolareclear. The
hidingpropertiesare not soobvious: to prove that A's value ishidden, we
employ a hybrid argument. To prove that B's value is hidden, we use the
simulator from the zero-knowledge proof. Extractibility is fairly easy; to
extract B'svalue we simplyusethe extractorfrom theproof of knowledge.
To extract A's value, we need only rewind B's challenge and provide a
dierentrandomone. Withagoodprobability,Awillprovidebotha
i;0 and
a
i;1
and then we can XORthese to geta. Provingthat A cannot correlate
hisvalueto B'sistrivial. ProvingthatB cannotcorrelatetoA'sisdoneby
usinghis abilityto do thiswith a hybridargument to construct a machine
thatbreaks thehidingpropertyofthe underlyingcommitment scheme.
Invalid commitments. One important dierence between the discrete
logarithm protocol (the\second protocol") and thisproocol is that inthis
protocol it is possible forA to get through thecommitment stage withan
invalidcommitment. In this protocol, A's commitment is only valid if for
every i,a
i;0 a
i;1
produces asingle value a. Ifsome produceone valueand
someproduceanother,thecommitmentisinvalid. Thispossiblyundesirable
propertyof the protocol can be xed by havingA simply commit to C(a)
and perform a ZKPOK that A knows how to decommit that value. It is
notobvious that we can interleave that proof with the other proof, sothis
wouldadd roundsto theprotocol.
However, we have an intuitiveargument thatsuggests thatthiskind of
behavior on the part of A is not reallya matter forconcern. We start by
remarkingthat regardless of the scheme involved, either player always has
theoptionofrefusing to cooperate intherevealstage of thescheme,which
eectivelygivestheplayersthreeoptions: committo0andrevealit,commit
to1andrevealit,orrefusetoreveal. Ifweaddto thisthepossibilitythata
playercanalsocommitinaninvalidwayandrevealit,wehavefouroptions,
butwecantreataninvalidcommitmentandtherefusaltorevealasthesame
result foranyplayer. The onlyproblemwiththis is thatit seems asif the
two situations are dierent, but in a sense, every situation boils down to
this: each player is asked to pick a value, 0 or 1, and commit to it, and
thenopen it later. Anydeviation from thisis a refusal to cooperate inthe
protocol, and furthermore is only detected during the reveal stage. Thus,
oftheiroptions,and we arenotrelaxingthe abilityof thescheme to notice
thislackof cooperation.
8 Conclusion
Wehavedescribedaprotocolformutuallyindependentcommitmentswhich
has a 3-round commitment phase, the security of which is based on the
existenceof a securepublickey cryptosystem.
We have also described two protocols for mutually independent and
aware commitments, one which is a four-round protocol based on the dis-
crete logarithmassumption,and onewhichisa seven-roundprotocol based
onlyonaperfectlybindingcommitmentschemeandgeneralzero-knowledge
proofsof knowledge.
9 References
[DP92]A.DeSantisandG.Persiano. ZeroKnowledgeProofsofKnowledge
Without Interaction(Exended Abstract). In FOCS1992.
[FS89] U. Feige and A. Shamir. Zero Knowledge Proofs of Knowledge in
Two Rounds. In Advances in Cryptology { CRYPTO'89, 1990.
[P91] T. Pedersen. Non-Interactive andInformation-Theoretic Secure Veri-
ableSecret Sharing. InAdvances in Cryptology { CRYPTO '91,1991.
