
Commitment Schemes

A commitment is a string c sent by a committer Peggy to a receiver Vic to commit to a message m. A commitment scheme enables Peggy to commit to m while keeping it secret. Later on, Peggy can open c by providing additional information. It is guaranteed that after committing to m, the value m cannot be changed.

There are many applications for commitment schemes. Sealed-bid auctions are one obvious example: the committed value represents the committer’s bid. Commitment schemes are useful for identification schemes [90, 203], multiparty protocols [104], and are an essential component of many zero-knowledge schemes [27, 64, 105]. Goldreich, Micali, and Wigderson use them to construct zero-knowledge proofs for all languages in NP [105]. Ben-Or et al. extend this result to the larger class of all languages in IP [10].

In a commitment scheme, there are two participants, the committer and the receiver. Overall, a commitment scheme consists of two phases.

• Commit: The committer sends the message m he wants to commit to, in encrypted form c, to the receiver. Let $f : \{0,1\}^{|m|} \times X \to Y$ be a function, where X and Y are finite sets. Typically the commitment is $c = f(m, w)$ for some $w \in X$ chosen by the committer.

• Reveal (or open): The committer opens the commitment c by sending an opening string (m, w) to the receiver.

A commitment scheme must satisfy the following properties.

• Correctness: If both the committer and the receiver follow the protocol, the receiver will always recover the message m.

• Hiding: No matter what the receiver does, he cannot learn anything about the message m. This is very similar to what we have seen before in encryption schemes.

• Binding: The committer cannot open c to different messages after the commit phase, that is, the committer cannot find two legal opening strings (m, w) and $(m', w')$ of c with $m \ne m'$.

If the hiding or the binding property depends on an assumption about computational complexity, we refer to computational hiding or computational binding. If the hiding or the binding property does not depend on any assumption about computational complexity, we refer to unconditional hiding or unconditional binding.

Commitment schemes that are unconditionally hiding and computationally binding have been proposed by many researchers, including Blum [14], Brassard, Chaum, and Crépeau [27], Brassard, Crépeau, and Yung [30], Halevi and Micali [115], and Halevi [114]. Brassard and Yung use “one-way group actions” to develop a very general framework and theory for all bit commitments having unconditional hiding [31].

Damgård, Pedersen, and Pfitzmann show that the existence of statistically hiding bit commitment schemes (which provide nearly perfect unconditional hiding) is equivalent to the existence of fail-stop signature schemes [66]. Ostrovsky, Venkatesan, and Yung investigate the feasibility of bit commitment when one of the committer/receiver is computationally unbounded, and in particular show that the existence of unconditionally hiding bit commitment is equivalent to the existence of oblivious transfer between a computationally bounded and a computationally unbounded party [176].

This implies that bit commitment that is unconditionally hiding and computationally binding is “as hard” as any other protocol because oblivious transfer is complete [129].

We remark that oblivious transfer (OT) is a two-party protocol introduced by Rabin [188]. In Rabin’s oblivious transfer the sender Alice possesses a value x; after the transfer the receiver Bob gets x with probability 1/2, and Bob knows whether or not he got x, while Alice does not learn whether Bob got x. A similar notion, 1-2-OT, is introduced in [86]. In 1-2-OT, Alice has two bits $b_0$ and $b_1$ and Bob has a selection bit i. After the transfer, Bob obtains only $b_i$, while Alice does not learn the value of i. Equivalently, Bob may obtain a random bit in $\{b_0, b_1\}$, or the protocol can be played on strings rather than bits. Further, there are many other flavors of oblivious transfer [29, 60, 61, 86, 129], all of which are shown to be information-theoretically equivalent. That is, given any one of these protocols, one can implement the others. Thus, by “oblivious transfer” we can denote any one of them.

On the other hand, commitment schemes that are computationally hiding and unconditionally binding have also been studied by many authors, such as Brassard, Chaum, and Crépeau [27], Naor [168], Ohta, Okamoto, and Fujioka [173], and Ostrovsky, Venkatesan, and Yung [176]. Naor [168] presents a bit commitment protocol that is computationally hiding and unconditionally binding, using any one-way function; when both parties are computationally bounded, this is the best possible because such a protocol implies a one-way function [121]. Ostrovsky, Venkatesan, and Yung show that when the committer is computationally unbounded, a commitment scheme may be based on any hard-on-average problem in PSPACE [176].

It may be desirable that a commitment scheme be unconditionally hiding and unconditionally binding. However, this is impossible, as the following discussion shows [68]. Suppose that $f : \{0,1\}^{|m|} \times X \to Y$ defines a scheme with both unconditional hiding and unconditional binding. Then when Peggy sends a commitment $c = f(m, w)$ to Vic, for every other message $m'$ there must exist a $w'$ such that $c = f(m', w')$. Otherwise, a computationally unbounded Vic could compute (m, w) by exhaustive search, contradicting the unconditional hiding property. However, if Peggy is also computationally unbounded, then she too can find $(m', w')$ and open the commitment as $m'$, thus contradicting the unconditional binding property. We remark that this reasoning rests on the basic fact that the normal commitment scenario (two parties with a noiseless channel) ensures each party sees everything the other party sends. There are several scenarios, however, in which the reasoning does not apply. In a distributed scenario with many parties, or in a two-party case where communication is noisy, it is no longer true that each party sees exactly what the other party sends. In such cases, unconditional hiding and binding can in fact be obtained simultaneously. For commitment schemes in such scenarios, see e.g. [11, 42, 61, 62, 65]. In addition, some researchers have explored bit commitment in models of quantum computation. Brassard et al. [28] propose a quantum bit commitment scheme, but a subtle flaw was discovered; Mayers [156] proves secure quantum bit commitment to be impossible, as do Lo and Chau [142]. We note that even though the reasoning above does not apply to quantum communication either, bit commitment with unconditional security is not possible with quantum communication alone. Salvail shows that under certain restricted assumptions about the committer’s ability to make measurements, quantum bit commitment is still possible [198]. More discussion of quantum cryptography for two-party computation can be found in [199].

3.2.1 A Bit Commitment Scheme

A bit commitment scheme allows Peggy to commit to a single bit to Vic. In the scheme described below, the hiding property depends on the quadratic residuosity assumption, while the binding property is unconditional. The present scheme can be found in [27]. As usual, let $QR_n = \{a \in \mathbb{Z}_n \mid a \text{ is a quadratic residue modulo } n\}$, $QNR_n = \{a \in \mathbb{Z}_n \mid a \text{ is a quadratic nonresidue modulo } n\}$, and $J_n^{+1} = \{a \in \mathbb{Z}_n \mid \left(\frac{a}{n}\right) = 1\}$, where $\left(\frac{a}{n}\right)$ is the Jacobi symbol of a mod n. Suppose Peggy would like to commit to a bit b.

• System setup: Peggy chooses n = pq, where p and q are distinct primes, and $u \in J_n^{+1} \cap QNR_n$. The integers n and u are public, and the factorization n = pq is known only to Peggy.

• Commit: Peggy chooses $r \in \mathbb{Z}_n$ at random, computes $c = r^2 u^b \bmod n$, and sends c to Vic.

• Reveal: Peggy sends b and r to Vic. Then Vic can verify whether $c = r^2 u^b \bmod n$.

Let us think about the computational hiding property. The commitment is a Goldwasser-Micali probabilistic encryption [111] of 0 or of 1, and it reveals no information about the plaintext value b by the quadratic residuosity assumption. (In particular, the Jacobi symbol of c is +1 whether b = 0 or b = 1, since $\left(\frac{u}{n}\right) = 1$, so Vic learns nothing from it.) Consider the unconditional binding property. Let us suppose the property does not hold, that is, Peggy can open some c both as b = 1 with $r_1$ and as b = 0 with $r_2$. Then $r_1^2 u \equiv r_2^2 \pmod n$ for some $r_1, r_2 \in \mathbb{Z}_n$. But then

$u \equiv (r_2 r_1^{-1})^2 \pmod n$,

which is a contradiction because $u \in J_n^{+1} \cap QNR_n$.
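The following is an added worked example of the scheme above, not code from [27] or from this text. It implements Peggy’s setup (with demonstration-sized primes, which are not secure), the commit and reveal steps, and the two checks the analysis rests on: the Jacobi symbol of c, which is all Vic can compute without the factorization, is +1 regardless of b, and a commitment can be opened only to the bit it was made for, even by a committer who knows p and q. The function and variable names are this example’s own; it assumes Python 3.8 or later for modular inversion via pow(x, -1, n).

```python
import math
import random


def is_prime(n):
    """Trial division; adequate for the demonstration-sized primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, returned as -1, 0 or 1."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n.
    This is the only residuosity information Vic can extract from c."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def setup():
    """Peggy's setup: n = pq and a public u in J_n^{+1} that is a QNR mod n.
    u has Jacobi symbol +1 yet is a non-residue exactly when its Legendre
    symbols mod p and mod q are both -1, which only Peggy can check."""
    p, q = next_prime(10**6), next_prime(10**6 + 10)  # demo-sized, not secure
    n = p * q
    u = 2
    while not (legendre(u, p) == -1 and legendre(u, q) == -1):
        u += 1
    return p, q, n, u


def commit(b, n, u, rng=random):
    """Commit to bit b: c = r^2 u^b mod n with random r coprime to n."""
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return r * r * pow(u, b, n) % n, r


def verify(c, b, r, n, u):
    """Vic's check at reveal time."""
    return b in (0, 1) and c == r * r * pow(u, b, n) % n


def is_qr(x, p, q):
    """x is a square mod pq iff it is a square mod p and mod q (CRT)."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def can_open_as(c, b, n, u, p, q):
    """Does any r satisfy c = r^2 u^b mod n?  Equivalent to c * u^{-b} being
    a QR mod n; decided here with the factorization, i.e. as an unbounded
    committer could.  It is True only for the bit actually committed."""
    return is_qr(c * pow(u, -b, n) % n, p, q)


def demo(seed=1):
    rng = random.Random(seed)
    p, q, n, u = setup()
    out = []
    for b in (0, 1):
        c, r = commit(b, n, u, rng)
        out.append((verify(c, b, r, n, u),                 # honest opening passes
                    jacobi(c, n),                          # +1 for both bits
                    can_open_as(c, b, n, u, p, q),         # True
                    can_open_as(c, 1 - b, n, u, p, q)))    # False: binding
    return out
```

demo() returns [(True, 1, True, False), (True, 1, True, False)]: the honest opening verifies, the Jacobi symbol of c is +1 for both bits, and c·u^{-b'} is a quadratic residue only for b' = b, which is the computational content of the binding argument above.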

3.2.2 A Number Commitment Scheme

We now give a commitment scheme that enables Peggy to commit to a message $m \in \mathbb{Z}_q$. The scheme described below is similar to those in [69, 95]. In the scheme, the hiding property is unconditional, while the binding property depends on the discrete logarithm assumption. Suppose that Peggy would like to commit to $m \in \mathbb{Z}_q$ to Vic.

• System setup: Vic picks large primes p, q such that $q \mid (p - 1)$. Then Vic randomly chooses two numbers $g_1, g_2 \in \mathbb{Z}_p$ of order q. Vic sends p, q, $g_1$ and $g_2$ to Peggy.

• Commit: Peggy checks that p and q are primes, that q divides p − 1, and that $g_1, g_2 \in \mathbb{Z}_p$ are elements of order q. Then she chooses a random exponent $r \in \{0, \ldots, q-1\}$, computes $c = g_1^r g_2^m \bmod p$, and sends c to Vic.

• Reveal: Peggy sends m and r to Vic. Vic verifies that $c = g_1^r g_2^m \bmod p$.

To obtain an element $a \in \mathbb{Z}_p$ of order q, Vic selects elements $b \in \mathbb{Z}_p$ at random until he obtains $a = b^{(p-1)/q} \bmod p \ne 1$. Then a has order q. Let $G_q$ be the subgroup of order q in $\mathbb{Z}_p$. By Fact 2.2.10(3), there is a unique subgroup $G_q$ of order q in $\mathbb{Z}_p$, $G_q$ is cyclic, and each element $a \in \mathbb{Z}_p$ of order q is a generator of $G_q$. So $g_1$ and $g_2$ are generators of $G_q$.

Let us think about the unconditional hiding property. As $r \in_R \{0, \ldots, q-1\}$, $g_1^r$ is a uniformly distributed random element of $G_q$, perfectly hiding $g_2^m$ and thus m in $g_1^r g_2^m$. Hence, the unconditional hiding property holds. Consider the computational binding property. Suppose that it does not hold. Then $g_1^r g_2^m \equiv g_1^{r'} g_2^{m'} \pmod p$ for some $m, r, m', r' \in \mathbb{Z}_q$, where $m \ne m'$. So $\log_{g_1}(g_2) = (r - r')/(m' - m) \bmod q$. Thus Peggy can compute $\log_{g_1}(g_2)$ of a randomly chosen element $g_2 \in G_q$, contradicting the discrete logarithm assumption. Note that Vic has no advantage if he knows $\log_{g_1}(g_2)$, since $c$ is still a uniformly distributed element of $G_q$; it is the committer who must not know it, which is why $g_2$ is chosen by Vic rather than by Peggy.
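The following is an added worked example of the number commitment scheme, not code from [69, 95] or from this text. It runs Vic’s setup (demonstration-sized primes, not secure), Peggy’s parameter checks, commit and reveal, and then makes the binding argument concrete in both directions: from two openings of one commitment to different messages it recovers $\log_{g_1}(g_2) = (r - r')/(m' - m) \bmod q$ exactly as above, and it shows that a committer who knows that logarithm (here, because she chose $g_2 = g_1^x$ herself) can open a commitment to any message. The function names are this example’s own; it assumes Python 3.8 or later for pow(x, -1, q).

```python
import random


def is_prime(n):
    """Trial division; adequate for the demonstration-sized primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def setup(q_min=10**5, rng=random):
    """Vic's setup: primes p, q with q | (p - 1) and two random elements of
    order q, each obtained as b^((p-1)/q) mod p for random b, rejecting 1."""
    q = next_prime(q_min)                      # demo-sized, not secure
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1

    def order_q_element():
        while True:
            a = pow(rng.randrange(2, p), (p - 1) // q, p)
            if a != 1:
                return a

    return p, q, order_q_element(), order_q_element()


def check_params(p, q, g1, g2):
    """Peggy's checks before committing: p, q prime, q | p - 1, g1 and g2 of
    order q (g != 1 and g^q = 1 suffices because q is prime)."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and all(g != 1 and pow(g, q, p) == 1 for g in (g1, g2)))


def commit(m, p, q, g1, g2, rng=random):
    """c = g1^r g2^m mod p with r uniform in {0, ..., q - 1}."""
    r = rng.randrange(q)
    return pow(g1, r, p) * pow(g2, m, p) % p, r


def verify(c, m, r, p, q, g1, g2):
    """Vic's check at reveal time."""
    return 0 <= m < q and 0 <= r < q and c == pow(g1, r, p) * pow(g2, m, p) % p


def extract_dlog(m, r, m2, r2, q):
    """Two openings (m, r) and (m2, r2) of the same c with m != m2 yield
    log_g1(g2) = (r - r2) / (m2 - m) mod q, as in the binding argument."""
    return (r - r2) * pow((m2 - m) % q, -1, q) % q


def equivocate(m, r, m_new, x, q):
    """A committer who knows x = log_g1(g2) opens c = g1^r g2^m to m_new with
    r' = r + x (m - m_new) mod q, since c = g1^(r + x m) = g1^(r' + x m_new)."""
    return (r + x * (m - m_new)) % q


def demo(seed=1):
    rng = random.Random(seed)
    p, q, g1, g2 = setup(rng=rng)
    params_ok = check_params(p, q, g1, g2)
    m = 4242 % q
    c, r = commit(m, p, q, g1, g2, rng)
    honest = (verify(c, m, r, p, q, g1, g2)
              and not verify(c, (m + 1) % q, r, p, q, g1, g2))

    # Trapdoor: if Peggy had picked g2 = g1^x herself, binding evaporates.
    x = rng.randrange(1, q)
    g2_trap = pow(g1, x, p)
    c2, r2 = commit(m, p, q, g1, g2_trap, rng)
    m_new = (m + 7) % q
    r_new = equivocate(m, r2, m_new, x, q)
    cheated = verify(c2, m_new, r_new, p, q, g1, g2_trap)
    # And conversely, the two openings of c2 leak x, i.e. log_g1(g2_trap).
    recovered = extract_dlog(m, r2, m_new, r_new, q) == x
    return params_ok, honest, cheated, recovered
```

demo() returns (True, True, True, True): the parameters pass Peggy’s checks, the honest opening verifies while the same r does not open c to another message, the trapdoor committer opens c2 to m_new, and extract_dlog recovers x from the two openings. The hiding side needs no trapdoor at all: for every m' there is an r' with $g_1^{r'} g_2^{m'} = c$, which is exactly why c is independent of m.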