
COMMITMENT SCHEMES EXAMPLE

Mihir Bellare UCSD 1

Commitment Schemes

A commitment scheme $\mathsf{CS} = (\mathcal{P}, \mathcal{C}, \mathcal{V})$ is a triple of algorithms.

[Figure: the algorithms P, C and V, with labels π, M, C, K and 0/1.]

Parameter generation algorithm $\mathcal{P}$ is run once by a trusted party to produce public parameters $\pi$.

Security properties

  • Hiding: A committal $C$ generated via $(C, K) \xleftarrow{\$} \mathcal{C}(\pi, M)$ should not reveal information about $M$.

[Figure: C does not reveal M.]

  • Binding: It should be hard to find $C, M_0, M_1, K_0, K_1$ such that $M_0 \neq M_1$ but $\mathcal{V}(\pi, C, M_0, K_0) = \mathcal{V}(\pi, C, M_1, K_1) = 1$.

[Figure: a committal C with labels K0, K1, M0, M1.]

Hiding Formally

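Let $\mathsf{CS} = (\mathcal{P}, \mathcal{C}, \mathcal{V})$ be a commitment scheme and $A$ an adversary.

Game $\mathrm{HIDE}_{\mathsf{CS}}$

procedure Initialize
  $\pi \xleftarrow{\$} \mathcal{P}$ ; $b \xleftarrow{\$} \{0, 1\}$
  return $\pi$

procedure LR($M_0, M_1$)
  $(C, K) \xleftarrow{\$} \mathcal{C}(\pi, M_b)$
  return $C$

procedure Finalize($b'$)
  return ($b = b'$)

The hiding-advantage of $A$ is

$$\mathbf{Adv}^{\mathrm{hide}}_{\mathsf{CS}}(A) = 2 \cdot \Pr\left[\mathrm{HIDE}^{A}_{\mathsf{CS}} \Rightarrow \mathrm{true}\right] - 1.$$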

Binding Formally

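Let $\mathsf{CS} = (\mathcal{P}, \mathcal{C}, \mathcal{V})$ be a commitment scheme and $A$ an adversary.

Game $\mathrm{BIND}_{\mathsf{CS}}$

procedure Initialize
  $\pi \xleftarrow{\$} \mathcal{P}$
  return $\pi$

procedure Finalize($C, M_0, M_1, K_0, K_1$)
  $v_0 \leftarrow \mathcal{V}(\pi, C, M_0, K_0)$
  $v_1 \leftarrow \mathcal{V}(\pi, C, M_1, K_1)$
  return ($v_0 = v_1 = 1$ and $M_0 \neq M_1$)

The binding-advantage of $A$ is

$$\mathbf{Adv}^{\mathrm{bind}}_{\mathsf{CS}}(A) = \Pr\left[\mathrm{BIND}^{A}_{\mathsf{CS}} \Rightarrow \mathrm{true}\right].$$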

Recall: PS9

Let $p$ be a prime of bit length $k \geq 8$ such that $(p-1)/2$ is also prime. Let $g, h$ be two different generators of the group $G = \mathbb{Z}_p^*$. Let $\mathsf{CS} = (\mathcal{P}, \mathcal{C}, \mathcal{V})$ be the commitment scheme whose constituent algorithms are as follows, where the message $M$ is in $\mathbb{Z}_{p-1}$:

Alg $\mathcal{P}$
  $\pi \leftarrow (g, h)$
  Return $\pi$

Alg $\mathcal{C}((g, h), M)$
  $K \xleftarrow{\$} \mathbb{Z}_{p-1}$
  $C_1 \leftarrow (g^K \cdot h^M) \bmod p$
  $C_2 \leftarrow (M + K) \bmod (p-1)$
  Return $((C_1, C_2), K)$

Alg $\mathcal{V}((g, h), (C_1, C_2), M, K)$
  If ($\{K, M\} \not\subseteq \mathbb{Z}_{p-1}$) then return 0
  $C_1' \leftarrow (g^K \cdot h^M) \bmod p$
  $C_2' \leftarrow (M + K) \bmod (p-1)$
  If (($C_1 = C_1'$) and ($C_2 = C_2'$)) then return 1
  Return 0

Recall: PS9

For each of the following, clearly circle either YES or NO below:

  • If your answer is YES, prove that any adversary $A$ for the security game in question has advantage 0.
  • If it is NO, specify in pseudocode an $O(k^3 + T_H)$-time adversary $A$ achieving advantage 1 for the security game in question:

1. Does $\mathsf{CS}$ provide hiding security? YES NO
2. Does $\mathsf{CS}$ provide binding security? YES NO

PS9 Solution

1. Does $\mathsf{CS}$ provide hiding security? YES NO
2. Does $\mathsf{CS}$ provide binding security? YES NO

The hiding adversary

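Alg $\mathcal{C}((g, h), M)$
  $K \xleftarrow{\$} \mathbb{Z}_{p-1}$ ; $C_1 \leftarrow (g^K \cdot h^M) \bmod p$ ; $C_2 \leftarrow (M + K) \bmod (p-1)$
  Return $((C_1, C_2), K)$

adversary $A((g, h))$
  $(C_1, C_2) \xleftarrow{\$} \mathrm{LR}(1, 0)$ ; $X \leftarrow \text{MOD-EXP}(g, C_2, p)$
  If ($X = C_1$) then return 1 else return 0

$$\begin{array}{l|lll} & C_1 & C_2 & X \\ \hline M_1 = 0 & g^K h^0 \bmod p & K & g^K \bmod p \\ M_0 = 1 & g^K h^1 \bmod p & (K + 1) \bmod (p-1) & g^{K+1} \bmod p \end{array}$$

In the second case $X \neq C_1$ because $g \neq h$.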

The binding adversary

Alg $\mathcal{V}((g, h), (C_1, C_2), M, K)$
  If ($\{K, M\} \not\subseteq \mathbb{Z}_{p-1}$) then return 0
  $C_1' \leftarrow (g^K \cdot h^M) \bmod p$ ; $C_2' \leftarrow (M + K) \bmod (p-1)$
  If (($C_1 = C_1'$) and ($C_2 = C_2'$)) then return 1 else return 0

adversary $A((g, h))$  // $q = (p-1)/2$
  $K_0 \leftarrow 0$ ; $M_0 \leftarrow 0$ ; $K_1 \leftarrow q$ ; $M_1 \leftarrow q$ ; $C_1 \leftarrow 1$ ; $C_2 \leftarrow 0$
  Return $((C_1, C_2), M_0, M_1, K_0, K_1)$

This works because

  $g^0 h^0 \bmod p = 1$
  $g^q h^q \bmod p = (-1)(-1) \bmod p = 1$
  $(0 + 0) \bmod (p-1) = 0$
  $(q + q) \bmod (p-1) = 0$
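The two adversaries above, run against the PS9 scheme inside the HIDE and BIND games. This is an added example, not code from the slides; the parameters p = 167, g = 5, h = 13 and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed parameters (assumptions, not from the slides): p = 167 is an
# 8-bit prime with q = (p - 1) / 2 = 83 also prime; g = 5, h = 13 generate Z_p^*.
P, Q, G, H = 167, 83, 5, 13

def is_generator(x):
    # Z_p^* has order 2q, so x generates it iff x^2 != 1 and x^q != 1.
    return pow(x, 2, P) != 1 and pow(x, Q, P) != 1

def commit(m):
    """Alg C of the PS9 scheme: returns ((C1, C2), K)."""
    k = secrets.randbelow(P - 1)
    return ((pow(G, k, P) * pow(H, m, P)) % P, (m + k) % (P - 1)), k

def verify(c, m, k):
    """Alg V of the PS9 scheme."""
    if not (0 <= k < P - 1 and 0 <= m < P - 1):
        return 0
    c1 = (pow(G, k, P) * pow(H, m, P)) % P
    return int(c == (c1, (m + k) % (P - 1)))

def hiding_adversary(lr):
    """Slide adversary: query LR(1, 0), then test whether g^C2 = C1."""
    c1, c2 = lr(1, 0)
    return 1 if pow(G, c2, P) == c1 else 0

def play_hide():
    """One run of game HIDE; True iff the adversary's bit equals b."""
    b = secrets.randbelow(2)
    lr = lambda m0, m1: commit((m0, m1)[b])[0]
    return hiding_adversary(lr) == b

def binding_adversary():
    """Slide adversary: (M, K) = (0, 0) and (q, q) both open committal (1, 0)."""
    return (1, 0), 0, Q, 0, Q   # C, M0, M1, K0, K1

def play_bind():
    """Game BIND; True iff both openings verify and M0 != M1."""
    c, m0, m1, k0, k1 = binding_adversary()
    return verify(c, m0, k0) == 1 and verify(c, m1, k1) == 1 and m0 != m1
```

Both games are won on every run, which is what advantage 1 means: C2 hands the adversary the exponent it needs for hiding, and g^q = h^q = -1 gives the second opening for binding.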

Exercise: Scheme

Let $p$ be a prime of bit length $k \geq 8$ such that $(p-1)/2$ is also prime. Let $g, h$ be two different generators of the group $G = \mathbb{Z}_p^*$. Let $\mathsf{CS} = (\mathcal{P}, \mathcal{C}, \mathcal{V})$ be the commitment scheme whose constituent algorithms are as follows, where the message $M$ is in $\mathbb{Z}_{p-1}$:

Alg $\mathcal{P}$
  $\pi \leftarrow (g, h)$
  Return $\pi$

Alg $\mathcal{C}((g, h), M)$
  $K \xleftarrow{\$} \mathbb{Z}_{p-1}$
  $C \leftarrow (g^K \cdot h^M) \bmod p$
  Return $(C, K)$

Alg $\mathcal{V}((g, h), C, M, K)$
  If ($\{K, M\} \not\subseteq \mathbb{Z}_{p-1}$) then return 0
  $C' \leftarrow (g^K \cdot h^M) \bmod p$
  If ($C = C'$) then return 1
  Return 0

Exercise: Questions

For each of the following, clearly circle either YES or NO below:

  • If your answer is YES, prove that any adversary $A$ for the security game in question has advantage 0.
  • If it is NO, specify in pseudocode an $O(k^3 + T_H)$-time adversary $A$ achieving advantage 1 for the security game in question:

1. Does $\mathsf{CS}$ provide hiding security? YES NO
2. Does $\mathsf{CS}$ provide binding security? YES NO

Exercise: Scheme

In the new scheme, the committing algorithm drops the C2 part of the committal (C1, C2), leaving just C = C1. Correspondingly, the verification algorithm drops the second check. Do these changes make it EASIER or HARDER to attack the two properties?

  • Attacking HIDING should get HARDER
  • Attacking BINDING should get EASIER


Exercise: Binding, the answer

1. Does $\mathsf{CS}$ provide hiding security? YES NO
2. Does $\mathsf{CS}$ provide binding security? YES NO

The same adversary strategy as before works except $C_2$ is not needed.

Exercise: Hiding, the answer

1. Does $\mathsf{CS}$ provide hiding security? YES NO

Hiding, intuition

Alg $\mathcal{C}((g, h), M)$
  $K \xleftarrow{\$} \mathbb{Z}_{p-1}$
  $C \leftarrow (g^K \cdot h^M) \bmod p$
  Return $(C, K)$

Regardless of the choice of message $M$, the random choice of $K$ means that $C$ is a random element of the group $\mathbb{Z}_p^*$.

Since the distribution of $C$ does not depend on $M$, seeing $C$ does not give any information about $M$. This is a start, but is not a proof.

Hiding, example

Let $p = 7$. Let $g = 3$ and $h = 5$, which are generators of $\mathbb{Z}_7^* = \{1, 2, 3, 4, 5, 6\}$.

Adversary $A$ picks messages $M_0 = 2$ and $M_1 = 4$ in $\mathbb{Z}_6 = \{0, 1, 2, 3, 4, 5\}$. Row $M$, column $K$ entry of table is $T[M, K] = g^K h^M \bmod p$:

$$\begin{array}{c|cccccc} M \backslash K & 0 & 1 & 2 & 3 & 4 & 5 \\ \hline 2 & 4 & 5 & 1 & 3 & 2 & 6 \\ 4 & 2 & 6 & 4 & 5 & 1 & 3 \end{array}$$

Hiding game picks $b \xleftarrow{\$} \{0, 1\}$ and $K \xleftarrow{\$} \mathbb{Z}_6$. Adversary $A$ gets $C = T[M_b, K]$ and asks, what is $b$? Suppose for example $C = 5$. Then

  • Either $M = 2$ ($b = 0$) and $K = 1$
  • Or $M = 4$ ($b = 1$) and $K = 3$

and the adversary has no idea which.

Hiding, example

Adversary $A$ gets $C = T[M_b, K]$ and outputs a bit $b'$. But, regardless of the value of $b$, committal $C$ is equally likely to be any value in $\mathbb{Z}_7^*$. So we have $\Pr[b' = b] = 1/2$ and thus $\mathbf{Adv}^{\mathrm{hide}}_{\mathsf{CS}}(A) = 0$.

Hiding, the general case

Let $T[M, K] = g^K h^M \bmod p$.

Claim: Let $M \in \mathbb{Z}_{p-1}$ be any message and $C \in \mathbb{Z}_p^*$ any possible committal. Then for $K \xleftarrow{\$} \mathbb{Z}_{p-1}$ we have

$$\Pr[T[M, K] = C] = \frac{1}{p-1}.$$

Since the probability does not depend on $M$, the adversary $A$ given $C$ has no information about $M$ and thus $\mathbf{Adv}^{\mathrm{hide}}_{\mathsf{CS}}(A) = 0$.

Hiding, the general case

Proof: With $M, C$ fixed, consider the equation $g^K h^M \bmod p = C$. There is exactly one solution $K \in \mathbb{Z}_{p-1}$ to this equation, namely

$$K_{M,C} = \mathrm{DLog}_{\mathbb{Z}_p^*, g}(C \cdot h^{-M} \bmod p),$$

and the probability that $K = K_{M,C}$ is exactly $1/(p-1)$.
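The claim and its proof checked by exhaustive enumeration, as an added example that is not from the slides. It goes one step beyond them by computing the statistical distance between the committal distributions for M0 and M1, which is the largest advantage any one-query adversary can have; the function names are assumptions, and the brute-force discrete log only works at toy sizes such as the slides' p = 7.

```python
from collections import Counter
from fractions import Fraction

def exercise_commit(p, g, h, m, k):
    """Committal of the exercise scheme: C = g^K * h^M mod p."""
    return (pow(g, k, p) * pow(h, m, p)) % p

def ps9_commit(p, g, h, m, k):
    """Committal of the PS9 scheme, which also publishes C2 = (M + K) mod (p - 1)."""
    return ((pow(g, k, p) * pow(h, m, p)) % p, (m + k) % (p - 1))

def distribution(commit, p, g, h, m):
    """Exact distribution of the committal for message m over uniform K."""
    counts = Counter(commit(p, g, h, m, k) for k in range(p - 1))
    return {c: Fraction(n, p - 1) for c, n in counts.items()}

def best_hiding_advantage(commit, p, g, h, m0, m1):
    """Statistical distance between the committal distributions for m0 and m1,
    i.e. the maximum of 2 * Pr[b' = b] - 1 over one-query adversaries."""
    d0 = distribution(commit, p, g, h, m0)
    d1 = distribution(commit, p, g, h, m1)
    support = set(d0) | set(d1)
    return sum(abs(d0.get(c, 0) - d1.get(c, 0)) for c in support) / 2

def consistent_openings(p, g, h, c, messages):
    """For each candidate M, the unique key K_{M,C} = DLog_g(C * h^{-M} mod p)."""
    openings = {}
    for m in messages:
        x = (c * pow(h, -m, p)) % p          # modular inverse needs Python 3.8+
        openings[m] = next(k for k in range(p - 1) if pow(g, k, p) == x)
    return openings

def table_row(p, g, h, m):
    """Row M of the slides' table T[M, K], for K = 0 .. p - 2."""
    return [exercise_commit(p, g, h, m, k) for k in range(p - 1)]
```

With the slides' parameters, `consistent_openings(7, 3, 5, 5, [2, 4])` gives one key per message, matching the C = 5 case, while the same distance computed for `ps9_commit` on messages 1 and 0 comes out as 1.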