On the Efficiency of Bit Commitment Reductions

Two fundamental building blocks of secure two-party computation are oblivious transfer and bit commitment. While there exist unconditionally secure implementations of oblivious transfer from noisy correlations or channels that achieve constant rates, similar constructions are not known for bit commitment. In this paper, we show that any protocol that implements n instances of bit commitment with an error of at most 2−k needs at least Ω(kn) instances of a given resource such as oblivious transfer or a noisy channel. This implies in particular that it is impossible to achieve a constant rate. We then show that it is possible to circumvent the above lower bound by restricting the way in which the bit commitments can be opened. We present a protocol that achieves a constant rate in the special case where only a constant number of instances can be opened, which is optimal. Our protocol implements these restricted bit commitments from string commitments and is universally composable. The protocol provides significant speed-up over individual commitments in situations where restricted commitments are sufficient.

[1]  Tal Malkin,et al.  A Quantitative Approach to Reductions in Secure Computation , 2004, TCC.

[2]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[3]  Hideki Imai,et al.  Unconditionally Secure Homomorphic Pre-distributed Commitments , 2003, AAECC.

[4]  Joe Kilian More general completeness theorems for secure two-party computation , 2000, STOC '00.

[5]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[6]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[7]  Kirill Morozov,et al.  Efficient Unconditional Oblivious Transfer from Almost Any Noisy Channel , 2004, SCN.

[8]  Stephen Wiesner,et al.  Conjugate coding , 1983, SIGA.

[9]  韓 太舜,et al.  Mathematics of information and coding , 2002 .

[10]  Rafail Ostrovsky,et al.  Constant-Rate Oblivious Transfer from Noisy Channels , 2011, CRYPTO.

[11]  Rafail Ostrovsky,et al.  Extracting Correlations , 2009, 2009 50th Annual IEEE Symposium on Foundations of Computer Science.

[12]  Annalisa De Bonis,et al.  Constructions of generalized superimposed codes with applications to group testing and conflict resolution in multiple access channels , 2003, Theor. Comput. Sci..

[13]  Richard C. Singleton,et al.  Nonrandom binary superimposed codes , 1964, IEEE Trans. Inf. Theory.

[14]  Yuval Ishai,et al.  OT-Combiners via Secure Computation , 2008, TCC.

[15]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[16]  T. Han,et al.  Mathematics of information and coding , 2001 .

[17]  Jürg Wullschleger Oblivious Transfer from Weak Noisy Channels , 2009, TCC.

[18]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[19]  Michael O. Rabin,et al.  How To Exchange Secrets with Oblivious Transfer , 2005, IACR Cryptol. ePrint Arch..

[20]  Barbara Masucci,et al.  Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes , 2002, Des. Codes Cryptogr..

[21]  Claude Crépeau,et al.  Equivalence Between Two Flavours of Oblivious Transfers , 1987, CRYPTO.

[22]  Ivan Damgård,et al.  On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions , 1998, EUROCRYPT.

[23]  Joe Kilian,et al.  Achieving Oblivious Transfer Using Weakened Security Assumptions (Extended Abstract) , 1988, FOCS 1988.

[24]  Jürg Wullschleger Oblivious-transfer amplification , 2007, Ausgezeichnete Informatikdissertationen.

[25]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[26]  Erik Ordentlich,et al.  A distribution dependent refinement of Pinsker's inequality , 2005, IEEE Transactions on Information Theory.

[27]  Claude Crépeau,et al.  Efficient Cryptographic Protocols Based on Noisy Channels , 1997, EUROCRYPT.

[28]  Ivan Damgård,et al.  Unfair Noisy Channels and Oblivious Transfer , 2003, TCC.

[29]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[30]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[31]  Donald Beaver,et al.  Precomputing Oblivious Transfer , 1995, CRYPTO.

[32]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[33]  Hideki Imai,et al.  Commitment Capacity of Discrete Memoryless Channels , 2003, IMACC.

[34]  Joe Kilian,et al.  Achieving oblivious transfer using weakened security assumptions , 1988, [Proceedings 1988] 29th Annual Symposium on Foundations of Computer Science.

[35]  P. Erdös,et al.  Families of finite sets in which no set is covered by the union ofr others , 1985 .

[36]  Severin Winkler,et al.  On the Efficiency of Classical and Quantum Oblivious Transfer Reductions , 2010, IACR Cryptol. ePrint Arch..

[37]  Stefan Wolf,et al.  New Monotones and Lower Bounds in Unconditional Two-Party Computation , 2008, IEEE Transactions on Information Theory.

[38]  Gilles Brassard,et al.  Practical Quantum Oblivious Transfer , 1991, CRYPTO.

[39]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[40]  Rafail Ostrovsky,et al.  Minimum resource zero knowledge proofs , 1989, 30th Annual Symposium on Foundations of Computer Science.

[41]  E. Sperner Ein Satz über Untermengen einer endlichen Menge , 1928 .

[42]  Silvio Micali,et al.  Lower Bounds for Oblivious Transfer Reductions , 1999, EUROCRYPT.

[43]  Jeroen van de Graaf,et al.  Committed Oblivious Transfer and Private Multi-Party Computation , 1995, CRYPTO.

[44]  Lie Zhu,et al.  Some New Bounds for Cover-Free Families , 2000, J. Comb. Theory, Ser. A.