Unconditionally secure homomorphic pre-distributed commitments
We deal with commitment schemes where two players (Alice and Bob) receive data from a trusted authority at the beginning of the protocol. By using information-theoretic techniques, we bound the minimum amount of data that has to be transmitted to Alice and Bob during a setting phase. We also propose a new construction of unconditionally secure non-interactive commitment schemes based on modules of mappings and show that this construction yields homomorphic commitment schemes. Finally, we demonstrate an application of our construction by showing concrete protocols implementing non-interactive, information-theoretically secure zero-knowledge proofs of any polynomial relation among commitments.

In our model there are three parties: a trusted initializer, Ted; a sender of the commitment, Alice; and a receiver, Bob. At the beginning of the protocol, Alice and Bob receive some secret data from Ted. We designate Alice's and Bob's secret data and their respective random variables by $U_a$ and $U_b$, respectively. We assume that Ted chooses $U_a$ and $U_b$ from the same domain $\mathcal{U}$. The domain where the committed values are chosen is denoted by $\mathcal{B}$. The value that Alice wants to commit to, as well as its random variable, is represented by $S$.

The commit algorithm consists of Alice using a publicly known algorithm $\mathrm{Commit}(S, U_a) = C$, which generates an output value that is sent to Bob. The domain where the commitments are taken from is denoted by $\mathcal{C}$. We denote the random variable associated with the output of the algorithm Commit by $C$. The opening phase consists of Alice announcing the secret data received from Ted, $U_a$, and the value of the commitment, $s$, to Bob. Bob performs a test by using a publicly known algorithm $\mathrm{Test}(U_a, U_b, S, C)$ and, depending on the result, accepts Alice's commitment or not.

The protocol is concealing if the information sent in the committing phase, $C$, reveals nothing about the committed value $s$. Mathematically, $I(C : S \mid U_b) = 0$, where $I(\cdot : \cdot \mid \cdot)$ is the Shannon conditional mutual information. The protocol is $\beta$-binding if the probability that a dishonest Alice is not caught is at most $\beta$, that is: $P(\mathrm{Test}(U_a, U_b, s, c) = \text{accept} \wedge \mathrm{Test}(U_a, U_b, s', c) = \text{accept};\ s' \neq s) < \beta$. Finally, the protocol is correct if an honest Alice cannot have her commitment rejected: $P(\mathrm{Test}(U_a, U_b, s, c) = \text{reject} \mid \text{Alice is honest}) = 0$.

In any $\beta$-secure bit commitment scheme based on pre-distributed data the following inequalities hold: IubI 2 ( $ I 2 > Iual 2 ($)(lBl)
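
The Ted/Alice/Bob model and the concealing, binding and homomorphic properties can be checked exhaustively on a small instance. The following is an added example, not the paper's construction (its modules-of-mappings scheme is not given on this page): it assumes a simple affine scheme over $F_p$ with a constructed prime $p = 101$, and all function names are hypothetical.

```python
# Added illustration: affine pre-distributed commitment over F_p.
# Assumption: this is NOT the paper's "modules of mappings" construction.
import secrets

P = 101  # constructed small prime so the properties can be checked exhaustively


def ted_setup(x=None):
    """Trusted initializer: U_a = (a, b) for Alice, U_b = (x, y) for Bob, y = a*x + b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    x = secrets.randbelow(P) if x is None else x
    return (a, b), (x, (a * x + b) % P)


def commit(s, u_a):
    """Commit(s, U_a) = c: mask s with the uniformly random a."""
    return (s + u_a[0]) % P


def bob_test(u_a, u_b, s, c):
    """Test(U_a, U_b, s, c): accept iff the opening matches c and Bob's check point."""
    (a, b), (x, y) = u_a, u_b
    return c == (s + a) % P and y == (a * x + b) % P


def concealing(s):
    """Over uniform a, c takes every value of F_p exactly once, whatever s is."""
    return sorted(commit(s, (a, 0)) for a in range(P)) == list(range(P))


def cheat_success_count(s, s_fake, a, b, b_fake):
    """Count Bob check points x for which a forged opening of c as s_fake passes."""
    c = commit(s, (a, b))
    a_fake = (c - s_fake) % P  # forced by the first equation in bob_test()
    return sum(bob_test((a_fake, b_fake), (x, (a * x + b) % P), s_fake, c)
               for x in range(P))


def add_commitments(c1, c2, ua1, ua2, ub1, ub2):
    """Homomorphic sum; assumes Ted used the same x in both of Bob's pairs."""
    if ub1[0] != ub2[0]:
        raise ValueError("Bob's check points must share x")
    u_a = ((ua1[0] + ua2[0]) % P, (ua1[1] + ua2[1]) % P)
    u_b = (ub1[0], (ub1[1] + ub2[1]) % P)
    return (c1 + c2) % P, u_a, u_b
```

In this instance a forged opening passes for exactly one of Bob's $p$ possible check points, so the scheme is binding with cheating probability $1/p$, and the sum of two commitments opens to the sum of the committed values.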