Equation of time: Difference between revisions
en>Cherkash |
en>朝彦 |
||
Line 1: | Line 1: | ||
In [[cryptography]], a '''commitment scheme''' allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.<ref name=Goldreich>[[Oded Goldreich]] (2001). Foundations of Cryptography: Volume 1, Basic Tools, ([http://www.wisdom.weizmann.ac.il/~oded/PSBookFrag/part2N.ps draft available] from author's site). Cambridge University Press. ISBN 0-521-79172-3. (see also http://www.wisdom.weizmann.ac.il/~oded/foc-book.html) {{rp|224}}</ref> Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are ''binding''. Commitment schemes have important applications in a number of [[cryptographic protocol]]s including secure [[coin flipping#Coin flipping in telecommunications|coin flipping]], [[zero-knowledge proof]]s, and [[secure computation]]. | |||
We demonstrate the idea of commitment schemes and their possible applications with a simple example: Say that two people want to play [[rock-paper-scissors]] by email. The problem with trying to do so, is that one player may simply wait until they receive the other's email of, say, "rock" and then quickly reply with, say, "paper", winning the game. This problem can be overcome by commitment schemes. At the beginning of the game, each player commits to rock, paper, or scissors. After they have done so, each reveals the choice that they committed to earlier. It is not possible to cheat because as mentioned, commitment schemes are binding. | |||
Interactions in a commitment scheme take place in two phases: | |||
# the ''commit phase'' during which a value is chosen and specified | |||
# the ''reveal phase'' during which the value is revealed and checked | |||
In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called ''the commitment''. It is essential that the specific value chosen cannot be known by the receiver at that time (this is called the ''hiding'' property). A simple reveal phase would consist of a single message, ''the opening'', from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the ''binding'' property). | |||
The concept of commitment schemes was first formalized by [[Gilles Brassard]], [[David Chaum]], and [[Claude Crepeau]] in 1988,<ref name="BCC">Gilles Brassard, David Chaum, and Claude Crepeau, ''[http://crypto.cs.mcgill.ca/~crepeau/PDF/BCC88-jcss.pdf Minimum Disclosure Proofs of Knowledge]'', Journal of Computer and System Sciences, vol. 37, pp. 156–189, 1988.</ref> but the concept was used without being treated formally prior to that.<ref name="Naor" /><ref name="Crepeau">Claude Crépeau, ''Commitment'', [http://crypto.cs.mcgill.ca/~crepeau/PDF/Commit.pdf MCgill.ca], accessed April 11, 2008</ref> The notion of commitments appeared earliest in works by [[Manuel Blum]],<ref name="Blum" /> [[Shimon Even]],<ref name="Even">Shimon Even. ''Protocol for signing contracts.'' In Allen Gersho, ed., ''Advances in Cryptography'' (proceedings of CRYPTO '82), pp. 148–153, Santa Barbara, CA, USA, 1982.</ref> and Shamir et al.<ref name="SRA81">A. Shamir, R. L. Rivest, and L. Adleman, ''[[Mental Poker]].'' In D. Klarner, ed., ''The Mathematical Gardner'', pp. 37–43. Wadsworth, Belmont, California, 1981.</ref> The terminology seems to have been originated by Blum,<ref name="Crepeau" /> although commitment schemes can be interchangeably called '''bit commitment schemes'''—sometimes reserved for the special case where the committed value is a binary [[bit]]. | |||
==Applications== | |||
===Coin flipping=== | |||
Suppose [[Alice and Bob]] want to resolve some [[dilemma]] via [[coin flipping]]. If they are physically in the same place, a typical procedure might be: | |||
# Alice "calls" the coin flip | |||
# Bob flips the coin | |||
# If Alice's call is correct, she wins, otherwise Bob wins | |||
If they are not in the same place, this procedure is faulty. Alice would have to [[web of trust|trust]] Bob's report of how the coin flip turned out, whereas Bob knows what result is more desirable for him. Using commitments, a similar procedure is: | |||
# Alice "calls" the coin flip and tells Bob only a ''commitment'' to her call, | |||
# Bob flips the coin and reports the result, | |||
# Alice reveals what she committed to | |||
# If Alice's revelation matches the coin result Bob reported, Alice wins | |||
For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results. Similarly, Alice cannot affect the result if she cannot change the value she commits to.<ref name="Naor">Moni Naor, ''[http://citeseer.ist.psu.edu/naor91bit.html Bit Commitment Using Pseudorandomness]'', Journal of Cryptology 4: 2 pp. 151–158, 1991.</ref><ref name="Blum">Manuel Blum, ''[http://www.cs.cmu.edu/~mblum/research/pdf/coin/in4.html Coin Flipping by Telephone]'', Proceedings of [[CRYPTO]] 1981, pp. 11–15, 1981, reprinted in SIGACT News vol. 15, pp. 23–27, 1983.</ref> | |||
A way to visualize a commitment scheme is to think of the sender as putting the value in a locked box, and giving the box to the receiver. The value in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the value inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time. | |||
===Zero-knowledge proofs=== | |||
One particular motivating example is the use of commitment schemes in [[zero-knowledge proof]]s. | |||
Commitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Commitment schemes allow the prover to specify all the information in advance in a commitment, and only reveal what should be revealed later in the proof.<ref name="GMW">[[Oded Goldreich]], [[Silvio Micali]], and [[Avi Wigderson]], ''[http://portal.acm.org/citation.cfm?id=116825.116852 Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems],'' [[Journal of the ACM]], 38: 3, pp. 690–728, 1991</ref> Commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. This allows zero-knowledge proofs to be composed in parallel without revealing additional information.<ref name="GK">Oded Goldreich and [[Hugo Krawczyk]], ''[http://citeseer.ist.psu.edu/goldreich90composition.html On the Composition of Zero-Knowledge Proof Systems]'', [[SIAM Journal on Computing]], 25: 1, pp. 169–192, 1996</ref> | |||
===Signature schemes=== | |||
The [[Lamport signature|Lamport signature scheme]] is a [[digital signature]] system that relies on maintaining two sets of secret data packets, publishing [[Cryptographic hash function|verifiable hashes]] of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system. | |||
Because the [[Lamport signature]] system cannot be used more than once (see the [[Lamport signature|relevant article]] for details), a system to combine many Lamport Key-sets under a single public value that can be tied to a person and verified by others was developed. This system uses trees of [[Cryptographic hash function|hashes]] to compress many published lamport-key-commitments sets into a single hash value that can be associated with the prospective author of later verified data. | |||
===Verifiable secret sharing=== | |||
Another important application of commitments is in [[verifiable secret sharing]], a critical building block of [[secure multiparty computation]]. In a [[secret sharing]] scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. If enough parties get together, their shares can be used to reconstruct the secret, but even a malicious [[cabal]] of insufficient size should learn nothing. Secret sharing is at the root of many protocols for [[secure computation]]: in order to securely compute a function of some shared input, the secret shares are manipulated instead. However, if shares are to be generated by malicious parties, it may be important that those shares can be checked for correctness. In a verifiable secret sharing scheme, the distribution of a secret is accompanied by commitments to the individual shares. The commitments reveal nothing that can help a dishonest cabal, but the shares allow each individual party to check to see if their shares are correct. | |||
==Defining the security of commitment schemes== | |||
Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a [[cryptographic protocol]] or whether they are non-interactive, consisting of two algorithms ''Commit'' and ''CheckReveal''. In the latter case ''CheckReveal'' can often be seen as a derandomised version of ''Commit'', with the randomness used by ''Commit'' constituting the opening information. | |||
If the commitment ''C'' to a value ''x'' is computed as ''C:=Commit(x,open)'' with ''open'' the randomness used for computing the commitment, then ''CheckReveal(C,x,open)'' simply consists in verifying the equation ''C=Commit(x,open)''. | |||
Using this notation and some knowledge about [[mathematical function]]s and [[probability theory]] we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding - a computationally unbounded adversary can simply generate ''Commit(x,open)'' for every value of ''x'' and ''open'' until finding a pair that outputs ''C'', and in a perfectly binding scheme this uniquely identifies ''x''. | |||
===Computational binding=== | |||
Let ''open'' be chosen from a set of size <math>2^k</math>, i.e., it can represented as a ''k'' bit string, and let <math>Commit_k</math> be the corresponding commitment scheme. As the size of ''k'' determines the security of the commitment scheme it is called the security parameter. | |||
Then for all [[Uniformity (complexity)|non-uniform]] probabilistic polynomial time algorithms that output <math>x,x'</math> and <math>open,open'</math> of increasing length ''k'', the probability that <math>x \neq x'</math> and <math>Commit_k(x,open)=Commit_k(x',open')</math> is a [[negligible function]] in ''k''. | |||
This is a form of [[asymptotic analysis]]. It is also possible to state the same requirement using [[concrete security]]: A commitment scheme ''Commit'' is <math>(t,\epsilon)</math> secure, if for all algorithms that run in time ''t'' and output <math>x,x',open,open'</math> the probability that <math>x \neq x'</math> and <math>Commit(x,open)=Commit(x',open')</math> is at most <math>\epsilon</math>. | |||
===Perfect, statistical and computational hiding=== | |||
Let <math>U_k</math> be the uniform distribution over the <math>2^k</math> opening values for security parameter ''k''. | |||
A commitment scheme is perfect, statistical, computational hiding, if for all <math>x\neq x'</math> the [[probability ensemble]]s <math>\{Commit_k(x,U_k)\}_{k\in\N}</math> and <math>\{Commit_k(x',U_k)\}_{k\in\N}</math> are [[equal]], [[statistically close]], or [[computationally indistinguishable]]. | |||
==Constructing commitment schemes== | |||
A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources) or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources) but not both. | |||
===Bit-commitment from any one-way permutation=== | |||
One can create a bit-commitment scheme from any [[one-way function]] that is injective. The scheme relies on the fact that every one-way function can be modified (via the [[Goldreich-Levin theorem]]) to possess a computationally [[hard-core predicate]] (while retaining the injective property). Let ''f'' be an injective one-way function, with ''h'' a hard-core predicate. Then to commit to a bit ''b'' Alice picks a random input ''x'' and sends the triple | |||
:<math>(h,f(x),b \oplus h(x))</math> | |||
to Bob, where <math>\oplus</math> denotes XOR, i.e. addition modulo 2. To decommit Alice simply sends ''x'' to Bob. Bob verifies by computing ''f(x)'' and comparing to the committed value. This scheme is concealing because for Bob to recover ''b'' he must recover ''h(x)''. Since ''h'' is a computationally hard-core predicate, recovering ''h(x)'' from ''f(x)'' with probability greater than one-half is as hard as inverting ''f''. Perfect binding follows from the fact that ''f'' is injective and thus ''f(x)'' has exactly one preimage. | |||
===Bit-commitment from a pseudo-random generator=== | |||
Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol. | |||
In 1991 Moni Naor<ref>[http://citeseer.ist.psu.edu/context/22544/0 Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex)<!-- Bot generated title -->]</ref> showed how to create a bit-commitment scheme from a [[cryptographically secure pseudorandom number generator]]. The construction is as follows. If ''G'' is pseudo-random generator such that ''G'' takes ''n'' bits to ''3n'' bits, then if Alice wants to commit to a bit ''b'' | |||
*Bob selects a random ''3n''-bit vector ''R'' and sends ''R'' to Alice. | |||
*Alice selects a random ''n''-bit vector ''Y'' and computes the ''3n''-bit vector ''G(Y)''. | |||
*If ''b''=1 Alice sends ''G(Y)'' to Bob, otherwise she sends the bitwise [[Exclusive disjunction|exclusive-or]] of ''G(Y)'' and ''R'' to Bob. | |||
To decommit Alice sends ''Y'' to Bob, who can then check whether he initially received ''G(Y)'' or <math>G(Y) \oplus R</math>. | |||
This scheme is statistically binding, meaning that even if Alice is computationally unbounded she cannot cheat with probability greater than 2<sup>-''n''</sup>. For Alice to cheat, she would need to find a ''Y''', such that <math>G(Y') = G(Y) \oplus R</math>. If she could find such a value, she could decommit by sending the truth and Y, or send the opposite answer and Y'. However, G(Y) and G(Y') are only able to produce 2<sup>n</sup> possible values while R and the commitment are both picked out of 2<sup>3n</sup> values in the set of possible ''3n''-bit values. She does not pick R, so there is a strong probability that a Y' satisfying the equation required to cheat will not exist. | |||
The concealing property follows from a standard reduction, if Bob can tell whether Alice committed to a zero or one, he can also distinguish the output of the pseudo-random generator ''G'' from true-random, which contradicts the cryptographic security of ''G''. | |||
===A perfectly binding scheme based on the discrete log problem=== | |||
Alice chooses a [[group (mathematics)|group]] of prime order ''p'', with generator ''g''. | |||
Alice randomly picks a secret value ''x'' from ''0'' to ''p'' − 1 to commit to and calculates ''c'' = ''g''<sup>''x''</sup> and publishes ''c''. The [[discrete logarithm problem]] dictates that from ''c'', it is computationally infeasible to compute ''x'', so under this assumption, Bob cannot compute ''x''. On the other hand, Alice cannot compute a ''x''' <> ''x'', such that ''g''<sup>''x'''</sup> = ''c'', so the scheme is binding. | |||
This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the [[discrete logarithm problem]]. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the [[IND-CPA]] game. One consequence of this is that if the space of possible values of ''x'' is small, then an attacker could simply try them all and the commitment would not be hiding. | |||
A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of ''x'' under a [[semantically secure]], public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt ''x''. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme, which is binding under the discrete logarithm assumption. Additionally to the scheme above, it uses another generator ''h'' of the prime group and a random number ''r''. The commitment is set <math>c=g^x h^r</math>.<ref>Pedersen: Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology CRYPTO '91 Springer</ref> | |||
==Quantum bit commitment== | |||
It is an interesting question in [[quantum cryptography]] if ''unconditionally secure'' bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of quantum mechanics, as in the protocols for [[Quantum key distribution|unconditionally secure key distribution]]. | |||
However, this is impossible, as Dominic Mayers showed in 1996 (see <ref>Brassard, Crépeau, Mayers, Salvail: [http://arxiv.org/abs/quant-ph/9712023 A brief review on the impossibility of quantum bit commitment]</ref> for the original proof). Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the [[Schmidt decomposition]], effectively defeating the binding property. | |||
One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.<ref>A. Kent: [http://arxiv.org/abs/quant-ph/9906103 Secure classical Bit Commitment using Fixed Capacity Communication Channels]</ref> | |||
== See also == | |||
* [[Key signing party]] | |||
* [[Web of trust]] | |||
* [[Accumulator (cryptography)]] | |||
* [[Zerocoin]] | |||
==References== | |||
{{reflist|30em}} | |||
==External links== | |||
*[http://xstructure.inr.ac.ru/x-bin/theme3.py?level=1&index1=355717 Quantum bit commitment on arxiv.org] | |||
{{DEFAULTSORT:Commitment Scheme}} | |||
[[Category:Public-key cryptography]] | |||
[[Category:Zero-knowledge protocols]] | |||
[[Category:Secret sharing]] | |||
[[Category:Cryptographic primitives]] |
Revision as of 17:06, 28 January 2014
In cryptography, a commitment scheme allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.[1] Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.
We demonstrate the idea of commitment schemes and their possible applications with a simple example: Say that two people want to play rock-paper-scissors by email. The problem with trying to do so, is that one player may simply wait until they receive the other's email of, say, "rock" and then quickly reply with, say, "paper", winning the game. This problem can be overcome by commitment schemes. At the beginning of the game, each player commits to rock, paper, or scissors. After they have done so, each reveals the choice that they committed to earlier. It is not possible to cheat because as mentioned, commitment schemes are binding.
Interactions in a commitment scheme take place in two phases:
- the commit phase during which a value is chosen and specified
- the reveal phase during which the value is revealed and checked
In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called the commitment. It is essential that the specific value chosen cannot be known by the receiver at that time (this is called the hiding property). A simple reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property).
The concept of commitment schemes was first formalized by Gilles Brassard, David Chaum, and Claude Crepeau in 1988,[2] but the concept was used without being treated formally prior to that.[3][4] The notion of commitments appeared earliest in works by Manuel Blum,[5] Shimon Even,[6] and Shamir et al.[7] The terminology seems to have been originated by Blum,[4] although commitment schemes can be interchangeably called bit commitment schemes—sometimes reserved for the special case where the committed value is a binary bit.
Applications
Coin flipping
Suppose Alice and Bob want to resolve some dilemma via coin flipping. If they are physically in the same place, a typical procedure might be:
- Alice "calls" the coin flip
- Bob flips the coin
- If Alice's call is correct, she wins, otherwise Bob wins
If they are not in the same place, this procedure is faulty. Alice would have to trust Bob's report of how the coin flip turned out, whereas Bob knows what result is more desirable for him. Using commitments, a similar procedure is:
- Alice "calls" the coin flip and tells Bob only a commitment to her call,
- Bob flips the coin and reports the result,
- Alice reveals what she committed to
- If Alice's revelation matches the coin result Bob reported, Alice wins
For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results. Similarly, Alice cannot affect the result if she cannot change the value she commits to.[3][5]
A way to visualize a commitment scheme is to think of the sender as putting the value in a locked box, and giving the box to the receiver. The value in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the value inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time.
Zero-knowledge proofs
One particular motivating example is the use of commitment schemes in zero-knowledge proofs. Commitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Commitment schemes allow the prover to specify all the information in advance in a commitment, and only reveal what should be revealed later in the proof.[8] Commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. This allows zero-knowledge proofs to be composed in parallel without revealing additional information.[9]
Signature schemes
The Lamport signature scheme is a digital signature system that relies on maintaining two sets of secret data packets, publishing verifiable hashes of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system.
Because the Lamport signature system cannot be used more than once (see the relevant article for details), a system to combine many Lamport Key-sets under a single public value that can be tied to a person and verified by others was developed. This system uses trees of hashes to compress many published lamport-key-commitments sets into a single hash value that can be associated with the prospective author of later verified data.
Verifiable secret sharing
Another important application of commitments is in verifiable secret sharing, a critical building block of secure multiparty computation. In a secret sharing scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. If enough parties get together, their shares can be used to reconstruct the secret, but even a malicious cabal of insufficient size should learn nothing. Secret sharing is at the root of many protocols for secure computation: in order to securely compute a function of some shared input, the secret shares are manipulated instead. However, if shares are to be generated by malicious parties, it may be important that those shares can be checked for correctness. In a verifiable secret sharing scheme, the distribution of a secret is accompanied by commitments to the individual shares. The commitments reveal nothing that can help a dishonest cabal, but the shares allow each individual party to check to see if their shares are correct.
Defining the security of commitment schemes
Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a cryptographic protocol or whether they are non-interactive, consisting of two algorithms Commit and CheckReveal. In the latter case CheckReveal can often be seen as a derandomised version of Commit, with the randomness used by Commit constituting the opening information.
If the commitment C to a value x is computed as C:=Commit(x,open) with open the randomness used for computing the commitment, then CheckReveal(C,x,open) simply consists in verifying the equation C=Commit(x,open).
Using this notation and some knowledge about mathematical functions and probability theory we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding - a computationally unbounded adversary can simply generate Commit(x,open) for every value of x and open until finding a pair that outputs C, and in a perfectly binding scheme this uniquely identifies x.
Computational binding
Let open be chosen from a set of size , i.e., it can represented as a k bit string, and let be the corresponding commitment scheme. As the size of k determines the security of the commitment scheme it is called the security parameter.
Then for all non-uniform probabilistic polynomial time algorithms that output and of increasing length k, the probability that and is a negligible function in k.
This is a form of asymptotic analysis. It is also possible to state the same requirement using concrete security: A commitment scheme Commit is secure, if for all algorithms that run in time t and output the probability that and is at most .
Perfect, statistical and computational hiding
Let be the uniform distribution over the opening values for security parameter k. A commitment scheme is perfect, statistical, computational hiding, if for all the probability ensembles and are equal, statistically close, or computationally indistinguishable.
Constructing commitment schemes
A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources) or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources) but not both.
Bit-commitment from any one-way permutation
One can create a bit-commitment scheme from any one-way function that is injective. The scheme relies on the fact that every one-way function can be modified (via the Goldreich-Levin theorem) to possess a computationally hard-core predicate (while retaining the injective property). Let f be an injective one-way function, with h a hard-core predicate. Then to commit to a bit b Alice picks a random input x and sends the triple
to Bob, where denotes XOR, i.e. addition modulo 2. To decommit Alice simply sends x to Bob. Bob verifies by computing f(x) and comparing to the committed value. This scheme is concealing because for Bob to recover b he must recover h(x). Since h is a computationally hard-core predicate, recovering h(x) from f(x) with probability greater than one-half is as hard as inverting f. Perfect binding follows from the fact that f is injective and thus f(x) has exactly one preimage.
Bit-commitment from a pseudo-random generator
Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol.
In 1991 Moni Naor[10] showed how to create a bit-commitment scheme from a cryptographically secure pseudorandom number generator. The construction is as follows. If G is pseudo-random generator such that G takes n bits to 3n bits, then if Alice wants to commit to a bit b
- Bob selects a random 3n-bit vector R and sends R to Alice.
- Alice selects a random n-bit vector Y and computes the 3n-bit vector G(Y).
- If b=1 Alice sends G(Y) to Bob, otherwise she sends the bitwise exclusive-or of G(Y) and R to Bob.
To decommit Alice sends Y to Bob, who can then check whether he initially received G(Y) or .
This scheme is statistically binding, meaning that even if Alice is computationally unbounded she cannot cheat with probability greater than 2-n. For Alice to cheat, she would need to find a Y', such that . If she could find such a value, she could decommit by sending the truth and Y, or send the opposite answer and Y'. However, G(Y) and G(Y') are only able to produce 2n possible values while R and the commitment are both picked out of 23n values in the set of possible 3n-bit values. She does not pick R, so there is a strong probability that a Y' satisfying the equation required to cheat will not exist.
The concealing property follows from a standard reduction, if Bob can tell whether Alice committed to a zero or one, he can also distinguish the output of the pseudo-random generator G from true-random, which contradicts the cryptographic security of G.
A perfectly binding scheme based on the discrete log problem
Alice chooses a group of prime order p, with generator g.
Alice randomly picks a secret value x from 0 to p − 1 to commit to and calculates c = gx and publishes c. The discrete logarithm problem dictates that from c, it is computationally infeasible to compute x, so under this assumption, Bob cannot compute x. On the other hand, Alice cannot compute a x' <> x, such that gx' = c, so the scheme is binding.
This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the discrete logarithm problem. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the IND-CPA game. One consequence of this is that if the space of possible values of x is small, then an attacker could simply try them all and the commitment would not be hiding.
A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of x under a semantically secure, public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt x. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme, which is binding under the discrete logarithm assumption. Additionally to the scheme above, it uses another generator h of the prime group and a random number r. The commitment is set .[11]
Quantum bit commitment
It is an interesting question in quantum cryptography if unconditionally secure bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of quantum mechanics, as in the protocols for unconditionally secure key distribution.
However, this is impossible, as Dominic Mayers showed in 1996 (see [12] for the original proof). Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the Schmidt decomposition, effectively defeating the binding property.
One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.[13]
See also
References
43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.
External links
- ↑ Oded Goldreich (2001). Foundations of Cryptography: Volume 1, Basic Tools, (draft available from author's site). Cambridge University Press. ISBN 0-521-79172-3. (see also http://www.wisdom.weizmann.ac.il/~oded/foc-book.html) Primarily based on the most recent URA personal property value index (PPPI) flash estimates, we know that the PPPI, which represents the overall real property price development, has dipped in 2013Q4. That is the first dip the market has seen within the final 2 years.
To give you some perspective, the entire number of personal properties in Singapore (together with govt condominiums) is 297,689 in 2013Q3. Primarily based on the projection that there will be 19,302 units accomplished in 2014, the rise in residential models works out to be more than 6%. With a lot New Ec Launch Singapore provide, buyers might be spoilt for alternative and this in flip will lead to their reluctance to pay a premium for potential models. The complete textual content of the Copyright Act (Cap sixty three) and different statutes regarding IPR might be found on the Singapore Statutes Online Website online The Group's income jumped forty.1 p.c to $324.5 million from $231.6 million in FY 2013, lifted by increased development income and sales of growth properties in Singapore and China. Actual Estate Shopping for
One factor we've on this nation is a big group of "economists," and "market analysts." What's interesting about this group of real property market-watchers is that there are two very other ways wherein they predict Boomers will affect housing markets over the subsequent decade. Let's check out those two opposites and see how every can change the best way real property investors strategy their markets. The good news is that actual property buyers are prepared for either state of affairs, and there's profit in being ready. I'm excited and searching ahead to the alternatives both or each of these conditions will supply; thank you Boomers! Mapletree to further broaden past Asia Why fortune will favour the brave in Asia's closing real property frontier
The story of the 23.2 home begins with a stack of Douglas fir beams salvaged from varied demolished warehouses owned by the consumer's household for a number of generations. Design and structure innovator Omer Arbel, configured them to type a triangulated roof, which makes up one of the placing features of the home. The transient from the entrepreneur-proprietor was not solely to design a house that integrates antique wood beams, however one which erases the excellence between inside and exterior. Built on a gentle slope on a large rural acreage surrounded by two masses of previous-development forests, the indoors movement seamlessly to the outdoors and, from the within looking, one enjoys unobstructed views of the existing natural panorama which is preserved
First, there are typically extra rental transactions than gross sales transactions, to permit AV to be decided for each property primarily based on comparable properties. Second, movements in sale costs are more unstable than leases. Hence, utilizing rental transactions to derive the AV helps to maintain property tax more steady for property homeowners. If you're buying or trying to lease a property. It's tiring to call up individual property agent, organize appointments, coordinate timing and to go for particular person property viewing. What most individuals do is to have a property agent representing them who will arrange and coordinate the viewings for all the properties out there based mostly on your necessities & most well-liked timing. Rent Property District 12 Rent Property District thirteen
The Annual Worth of a property is mostly derived based mostly on the estimated annual hire that it may well fetch if it have been rented out. In determining the Annual Worth of a property, IRAS will think about the leases of similar properties within the vicinity, dimension and condition of the property, and different relevant components. The Annual Worth of a property is determined in the identical method regardless of whether the property is let-out, proprietor-occupied or vacant. The Annual Worth of land is determined at 5% of the market price of the land. When a constructing is demolished, the Annual Worth of the land is assessed by this method. Property Tax on Residential Properties Buyer Stamp Responsibility on Buy of Properties – Business and residential properties Rent House District 01
Within the event the Bank's valuation is decrease than the acquisition price, the purchaser has to pay the distinction between the purchase value and the Bank's valuation utilizing money. As such, the money required up-front might be increased so it's at all times essential to know the valuation of the property before making any offer. Appoint Lawyer The Bank will prepare for a proper valuation of the property by way of physical inspection The completion statement will present you the balance of the acquisition price that you must pay after deducting any deposit, pro-rated property tax and utility costs, upkeep prices, and different relevant expenses in addition to any fees payable to the agent and the lawyer. Stamp Responsibility Primarily based on the Purchase Price or Market Value, whichever is larger - ↑ Gilles Brassard, David Chaum, and Claude Crepeau, Minimum Disclosure Proofs of Knowledge, Journal of Computer and System Sciences, vol. 37, pp. 156–189, 1988.
- ↑ 3.0 3.1 Moni Naor, Bit Commitment Using Pseudorandomness, Journal of Cryptology 4: 2 pp. 151–158, 1991.
- ↑ 4.0 4.1 Claude Crépeau, Commitment, MCgill.ca, accessed April 11, 2008
- ↑ 5.0 5.1 Manuel Blum, Coin Flipping by Telephone, Proceedings of CRYPTO 1981, pp. 11–15, 1981, reprinted in SIGACT News vol. 15, pp. 23–27, 1983.
- ↑ Shimon Even. Protocol for signing contracts. In Allen Gersho, ed., Advances in Cryptography (proceedings of CRYPTO '82), pp. 148–153, Santa Barbara, CA, USA, 1982.
- ↑ A. Shamir, R. L. Rivest, and L. Adleman, Mental Poker. In D. Klarner, ed., The Mathematical Gardner, pp. 37–43. Wadsworth, Belmont, California, 1981.
- ↑ Oded Goldreich, Silvio Micali, and Avi Wigderson, Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems, Journal of the ACM, 38: 3, pp. 690–728, 1991
- ↑ Oded Goldreich and Hugo Krawczyk, On the Composition of Zero-Knowledge Proof Systems, SIAM Journal on Computing, 25: 1, pp. 169–192, 1996
- ↑ Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex)
- ↑ Pedersen: Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology CRYPTO '91 Springer
- ↑ Brassard, Crépeau, Mayers, Salvail: A brief review on the impossibility of quantum bit commitment
- ↑ A. Kent: Secure classical Bit Commitment using Fixed Capacity Communication Channels