1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel

2 Bit-Commitment (BC) S,R A two-phase protocol between the sender, S, and the receiver, R. S R Commit-phase – S commits to a bit value, b, without revealing its value to R. SR Reveal-phase – S reveals b to R and proves that this is the value he had committed to (in the commit-phase).

3 Bit-Commitment cont. SR Commit-phase b

4 Bit-Commitment cont. Reveal-phase b S R

5 Bit-Commitment cont. R Hiding – R does not learn the value of b during the commit-phase. S Binding – S cannot prove (in the reveal- phase) that he had committed to a different value than the one he had really committed to.

6 Different Types Of Bit- Commitment. R S Computationally-hiding perfectly-binding BC: R does not get (through the commit-phase) any computational-knowledge about b. S cannot (whatsoever) “cheat” in the reveal-phase. R S Statistically-hiding computationally-binding BC: R does not get any noticeable information about b. A computationally-bounded S cannot “cheat” in the reveal-phase. R Perfectly-hiding computationally-binding BC: R does not get any information about b. …

7 Different Types Of Bit- Commitment (comparison). In order to break the protocol, R needs to get super-polynomialpowers anytime after the commit-. In order to break the Computationally- hiding perfectly-binding protocol, R needs to get super-polynomial powers anytime after the commit-phase. In order to break the protocol, S needs to get super-polynomial powers before the end of the reveal-. In order to break the Statistically-hiding computationally-binding protocol, S needs to get super-polynomial powers before the end of the reveal-phase.

8 The importance of stat. – hiding comp. binding BC Building block in constructions of Statistically Zero-Knowledge arguments. Other cryptographic applications (e.g., Coin-flipping protocols).

9 Previous Implementations Number theoretic assumptions* (BKK, BCC). Claw-free permutations* (GK). Collision resistance hash functions (DPP, HM). One-way permutations* (NOVY). * : Perfectly-hiding. What are the minimal general hardness assumptions that yield Statistically-hiding computationally-binding BC? Do one-way functions suffice?

10 Our Result Statistically-hiding computationally- binding BC using approximable-size one-way functions. Approx.-size OWF – a OWF f is an approx.- size if we can efficiently approximate the number of pre-images of any y 2 Im(f). Any regular OWF is an approx.- size one. Regular OWF - a OWF f is regular if there exists a constant r s.t. the number of pre- images of any y 2 Im(f) is r.

11 The NOVY protocol A BC protocol based on an underlying function f :{0,1} n ! {0,1} n I.If f is a permutation then the protocol is perfectly-hiding. II.If f is a permutation and one-way then the protocol is computationally- binding. Perfectly-hiding computationally-binding BC based on one-way permutations.

12 One–Way Functions One–way function (OWF): f :{0,1} n ! {0,1} m is a OWF if for any ppt A, Pr x à {0,1} n [ A ( f (x)) 2 f -1 ( f (x))] = neg( n ) One–way function on range: for any ppt A, Pr y à Image( f ) [ A (y) 2 f -1 ( y )] = neg( n )  Any regular-OWF is also one-way on range.

13 ( ,  )-balanced Distribution. {0,1} n Bad | Bad | ·  2 n. Pr y à D [y 2 Bad ] · . For all z  Bad : |Pr y à D [y = z ] - 1/2 n | ·  /2 n. f:{0,1} n ! {0,1} m is ( ,  ) -balanced if f(U n ) is ( ,  ) -balanced. D is ( ,  )-balanced

14 {0,1} n D Example… Bad  D is ( 1/4, 1/3 ) - balanced

15  -hiding Bit-Commitment R  -hiding BC: A BC is  -hiding if from R ’s point of view, after the commit- phase, the statistical-difference between the cases when b=0 and b=1 is at most .  A statistically-hiding BC is a neg -hiding BC ( neg  is a negligible function of n ).

16 The NOVY protocol (restated) A generic scheme of BC protocol based on an underlying function f :{0,1} n ! {0,1} m I.If f is a one-way function on range then the protocol is computationally- binding. II.If f is ( ,  )-balanced then the protocol is (  +  )-hiding. The task: Implementing a balanced one-way function on range using approximable-size OWF.

17 Universal-Hashing Let H be a family of functions from {0,1} n ! {0,1} m. H is a k -universal hash family, if the output of a uniformly chosen h 2 H over k distinct elements in {0,1} n, are k independent random variables in {0,1} m.

18 Each element in {0,1} m has about the expected number of pre-images w.r.t. h (i.e., | S | ¢ 2 -m ) in S. Where the estimation gets better as k and |S| get bigger and m gets smaller. h à H, where H is k - universal {0,1} n S z h -1 (z) Hashing Lemma {0,1} m h

19  3n -universality of H - each z 2 {0,1} m has about the same number of pre-images, w.r.t. h, in Im(f).  r -regularity of f - each z 2 {0,1} m has about the same number of pre-images, w.r.t. g, in {0,1} n.  g is “rather” balanced.. universal constant g is (2 -n,1/2)-balanced one-way on range function. m=n-log(r)–log(cn) If m is too small g is not guaranteed to be one-way. g(h,x) ≡ h(f(x)),h {0,1} m h Balanced One-Way Function On Range From Regular OWF {0,1} n f {0,1} l(n) Im(f) m=? m=? {0,1} m g(U n ) m = n-log(r) (|{0,1} m | = |Im(f)|) m m m Danger! r-regular OWF h à H where H 3n -universal z h -1 (z) g -1 (z) z h -1 (z)

20 Claim: g is (2 -n,1/2) -balanced one-way on range function. g is (2 -n,1/2) -balanced. g is one-way – ( by our choice of m) a given output element in {0,1} m does not have “too-many” (up to polynomially many) pre-images, w.r.t. h 2 H, in Im(f). We can reduce the hardness of g to the hardness of f. g is one-way on range- there are about the same number of pre-images per output element. Similar to the regular OWF case.

21 Getting Statiscally–Hiding Computationally-Binding BC When using g with the NOVY protocol we achieve 1/2 -hiding computationally-binding BC. The amplification into statistically-hiding computationally-binding BC is done through a standard secret-sharing technique.

22 Balanced One-Way Function On Range From Approx.-Size OWF The following construction was given by [Häastad, Impagliazzo, Levin & Luby]. Let f:{0,1} n ! {0,1} m be an approx.-size OWF and let for y 2 {0,1} m, D(y) ≡ log(|f -1 (y)|). f xf(x) h h(x) 1…D(f(x))+2 h 0 (n-D(f(x)-2) g(h,x) ≡ f(x),h(x) 1...D(f(x)),h,0 (n-D(f(x)))

23 From Approx.-Size OWF cont. Thm [HILL]: g is “almost” 1-1 one-way function. Hence by plugging g in the construction for regular OWF we get ( 2 -n, 1/2 )-balanced one-way function on range. Using secret-sharing we get statiscally–hiding computationally-binding BC.

24 Open Problems Stat-hiding comp.-binding BC from any OWF? R. It suffices to give a construction for semi- honest R. Black-Box separation between Stat- hiding comp.-binding BC and OWF? Efficient round complexity?