Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols

Outline Bit Commitment  Definition  Properties  Applications  Implementations Fair Coin Flips  Definition  Implementations One-Way Accumulators  Definition  Example  Motivation  Applications References

Definition Bit Commitment Goal is to ensure bit commitment. Simplest example:  Decide who goes first in a game  If Bob guesses correctly, he goes  Alice picks a bit (0 or 1) and locks it in a box  Bob guesses a bit  The box is opened to see if he is right Two parts:  Commitment  Unveiling Must ensure that:  Alice cannot change her bit after Bob guesses  Bob cannot know what Alice’s bit is until she unveils it Assume no trusted third-party

Properties Bit Commitment Ideally, bit commitment has two interesting properties:  It is unconditionally secure if implemented correctly As opposed to computationally secure, which is a requirement for most algorithms  It requires only a noisy channel However, implementing the algorithm ideally is the key

Applications Bit Commitment Zero-Knowledge Protocols Identification Schemes Multi-party Computation Fair Coin Flips Electronic Voting

Implementations Bit Commitment Symmetric Cryptography  Alice encrypts her bit with a random key  Sends to Bob  At a later time, she sends Bob the key  He can then verify the bit Disadvantage:  Alice may be able to generate another key so that the bit is changed once she knows the result. Solution:  Have Bob send her a random string to concatenate with her bit, then encrypt, makes generation of changed bit unlikely. Disadvantage: Bob must send random string

Implementations (cont.) Bit Commitment One-way hash functions  Alice generates two random strings R 1,R 2  Sends h(R 1,R 2,b) and R 1 to Bob  At a later time, Alice sends Bob (R 1,R 2,b)  Bob checks h(R 1,R 2,b) and R 1 Advantage: Bob sends nothing Disadvantage: Alice must not be able to find collisions on the hash function such that:  h(R 1,R 2,b) = h(R 1,R 2 ’,b’) Note: Even more secure if Bob sends R 1

Implementations (cont.) Bit Commitment Could also use random number generators, many, many other protocols… A “quantum” bit commitment scheme is supposedly computationally secure  Although not proven to be so

Definition Fair Coin Flips Goal is to flip a coin “over the phone” Original protocol went like this:  Alice flips a coin and tells Bob the result  Bob then flips his own coin, XORs his result with Alice’s, and this is the result …but this only prevents Alice from cheating. Bob can still make up his coin flip. Ideally, Alice and Bob would send their results simultaneously Note: If either party lies and just makes up heads or tails, the other parties result will “cancel it out”  This allows for one distrustful party

Implementations Fair Coin Flips Alice flips her coin Alice generates a random key and encrypts “My coin toss returned [head, tails]” and sends this to Bob Bob does exactly the same thing They then swap keys and decrypt Note: If one receives the key before the other (and thus, the others’ flip), they will not be able to generate another key that will change their coin flip Note: This is just bit commitment using symmetric encryption (e.g., Heads  0, Tails  1)

Implementations (cont.) Fair Coin Flips Using a one-way hash function:  Alice selects a random number x and computes y = h(x), sends this to Bob  Bob guesses if x is heads (even) or tails (odd), sends guess to Alice  If Bob is correct, he wins  Alice announces the result of the flip and sends x to Bob  Bob verifies that y = h(x) Notes:  The output of h(x) must have nothing to do with the parity of x.  Alice must not be able to find a x and x’ such that x is odd and x’ is even, and h(x) = h(x’) = y

Definition One-Way Accumulators Given a one-way hash function with the property that:  h: A x B  C where |A| ~ |B| ~ |C|  i.e., the size is not mapped down Given the definition of a quasi-commutative function:  f(f(x,y 1 ),y 2 ) = f(f(x,y 2 ),y 1 ) A one-way accumulators is defined as:  h(h(x,y 1 ),y 2 ) = h(h(x,y 2 ),y 1 ) “A family of one-way accumulators is a family of one-way hash functions each of which is quasi-commutative.”

Definition (cont.) One-Way Accumulators For the one-way function to be secure, it must satisfy the property that:  Given x,y,y’, it is hard to find a x’ such that h(x,y) = h(x’,y’) It is not necessary for it to be hard to find a (x’,y’) pair such that h(x,y) = h(x’,y’)

Example One-Way Accumulators Most obvious example is modulo n math:  Given a n (x,y) = (x*y) mod n  a n (a n (x,y1),y2) = ((x*y1) mod n)*y2 mod n = (x*y1*y2) mod n = ((x*y2) mod n)*y1 mod n = a n (a n (x,y2),y1)  Easy to invert  Unsuitable  Given e n (x,y) = x y mod n  e n (e n (x,y1),y2) = (x y1 mod n) y2 mod n = x (y1+y2) mod n = (x y2 mod n) y1 mod n = e n (e n (x,y2),y1)  Hard to invert  Suitable (e.g., RSA)

Motivation One-Way Accumulators The quasi-commutative property can be extended to m users:  Start with an initial value x,  Set of values {y 1,y 2,…,y m }  To compute z such that:  z = h(h(…h(h(x,y 1 ),y 2 ),…,y m-1 ),y m ) Notice that z is unchanged by the order of the y i

App: Digital Signatures One-Way Accumulators All parties in m choose their own y j The total hash z is computed given all of the y i and some initial value x Each party in m computes their own z j given every y i except their own y j They can later authenticate themselves to any other party in the group by presenting y j and z j, such that z = h(z j,y j )

More Applications One-Way Accumulators The digital signature application can easily be extended/modified to support:  Time Stamping  Membership Testing  Etc.

References J. Benaloh, M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Signatures. Advances in Cryptology--EUROCRYPT'93. LNCS, vol.765, pp , Springer--Verlag, 1994 M. Blum, "Coin flipping by telephone: a protocol for solving impossible problems”, Proc. IEEE Computer Conference, pp , J. Kilian. Uses of Randomness in Algorithms and Protocols, MIT Press, Nayak, Ashwin and Shor, Peter (2002) On bit-commitment based quantum coin flipping. Technical Report. California Institute of Technology. M. Naor, "Bit commitment using pseudo-randomness", J. Cryptology, vol. 2, no. 2, pp , H.F. Chau, Hoi-Kwong Lo, “Making an Empty Promise with a Quantum Computer”, Fortschr. Phys. 46 (1998) 4-5,