M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....commitments that were sent earlier in the simulation) See details in [13] Finally, we note that the commitment scheme aHCG can be implemented using one way functions only. In order for this to be the case, the underlying Com commitment used in aHCG is replaced by the commitment scheme of [41], that can be based on any one way function. Indeed, the [41] scheme produces random looking commitments, as required by aHCG . In addition, we modify the protocol so that B also sends the receiver message from the [41] commitment in Step 1. 7. MULTI PARTY UC COMPUTATION We discuss how the ....

....See details in [13] Finally, we note that the commitment scheme aHCG can be implemented using one way functions only. In order for this to be the case, the underlying Com commitment used in aHCG is replaced by the commitment scheme of [41] that can be based on any one way function. Indeed, the [41] scheme produces random looking commitments, as required by aHCG . In addition, we modify the protocol so that B also sends the receiver message from the [41] commitment in Step 1. 7. MULTI PARTY UC COMPUTATION We discuss how the two party construction of Theorem 3 is extended to the setting of ....

[Article contains additional citation context not shown here]

M. Naor, Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151-158, 1991.

....value x, the committer presents x and w to F zk again but this time the relation used by F zk asserts two properties: rst that R(x; w) holds, and second that w is the same value that was previously committed to. To guarantee security against static adversaries, the commitment scheme of Naor [n91] is suf cient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing F cp in the F zk hybrid model, based on any one way function. To guarantee security against adaptive adversaries we need adaptively secure commitment schemes, namely commitment schemes where a ....

....a perfectly binding commitment scheme, and denote by C(w; r) a commitment to a string w using a random string r. For simplicity, we use a non interactive commitment scheme. Such schemes exist assuming the existence of 1 1 one way functions, see [g01] Alternatively, we could use the Naor scheme [n91] that can be based on any one way function, rather than requiring 1 1 one way functions. In this scheme, the receiver sends an initial message and then the committer commits. This changes the protocol and analysis only slightly. We note that in fact, the use of perfect binding is not essential ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151-158, 1991.

.... k (x 1 ; r 1 ) commit k (x 2 ; r 2 ) That is, for every polynomial size circuit C = fC n g n2N P r[C n (k) x 1 ; r 1 ) x 2 ; r 2 ) commit k (x 1 ; r 1 ) commit k (x 2 ; r 2 ) negl(n) where the probability is over a uniformly chosen k KEY n ) It was proven by Naor in [Na91] that commitment schemes exist, assuming the existence of one way function ensembles. For the purposes of this paper, we need a special commitment scheme, which we denote by COMM = fCOMM n g n2N . For any polynomial m( COMM is a commitment scheme that for every n 2 N and for every k 2 KEY n ....

M. Naor. Bit commitment using pseudorandom generators. Journal of Cryptology, Vol.4, pages 151-158, 1991. 46

....the bounded honest but curious model. Third, T g applies to protocol (A OT ) the construction of [IL89] to obtain a one way function F . Fourth, T g uses the result of [HILL99] to transform F into a pseudo random (in the sense of [BM82, Yao82] generator G. Fifth, T g uses the result of [Nao89] to transform G into a bit commitment protocol BC. Finally, due to Fact 3, T g uses BC and the compiler of [GMW87] to transform (A g ) into a protocol (A g ; B g ) that securely computes g in the bounded malicious model. This completes the proof of Claim 4. Claims 3 and 4 together yield ....

M. Naor. Bit commitment using pseudorandom generators. J. of Cryptology, 4:151-158, 1991. Preliminary version in Advances in Cryptology { CRYPTO '89, 1989.

....almost uniformly (cf. 44] by itself) however, what we seek is zero knowledge proofs for statements that the verifier cannot decide by itself. 4. 1 Constructing Zero Knowledge Proofs for NP sets Assuming the existence of commitment schemes , which in turn exist if one way functions exist [76, 68], there exist (auxiliary input) zero knowledge proofs of membership in any NP set (i.e. sets having efficiently verifiable static proofs of membership) These zero knowledge proofs, first constructed by Goldreich, Micali and Wigderson [57] and depicted in Figure 2) have the following important ....

.... proofs, first constructed by Goldreich, Micali and Wigderson [57] and depicted in Figure 2) have the following important property: the prescribed prover strategy is efficient, provided it is given as auxiliary input an NP witness to the assertion (to be proven) That is: Theorem 5 ( 57] using [68, 76]) If one way functions exist then every set S 2 NP has a zeroknowledge interactive proof. Furthermore, the prescribed prover strategy can be implemented in probabilistic polynomial time, provided it is given as auxiliary input an NP witness for membership of the common input in S. Theorem 5 ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....x, the committer presents x and w to zk again but this time the relation used by zk asserts two properties: first that R(x, w) holds, and second that w is the same value that was previously committed to. To guarantee security against static adversaries, the commitment scheme of Naor [n91] is sufficient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing zk hybrid model, based on any one way function. To guarantee security against adaptive adversaries we need adaptively secure commitment schemes, namely commitment schemes where a simulator ....

....a perfectly binding commitment scheme, and denote by C(w; r) a commitment to a string w using a random string r. For simplicity, we use a non interactive commitment scheme. Such schemes exist assuming the existence of 1 1 one way functions, see [g01] Alternatively, we could use the Naor scheme [n91] that can be based on any one way function, rather than requiring 1 1 one way functions. In this scheme, the receiver sends an initial message and then the committer commits. This changes the protocol and analysis only slightly. We note that in fact, the use of perfect binding is not essential ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

....one, and thus choose to send a message in the second interaction as a function of messages received in the first. We stress that, in each of these interleaved interactions, the prover (i.e. each prover clone) is not aware of any other interaction, nor of having been cloned. Or, equivalently [36, 32], that one way functions exist. Zero knowledge proofs in which the prover is deterministic exist only for BPP languages (cf. 26] For instance, in [17] it suffices to repeat the protocol twice with the same prover coins to be able to extract the prover s secret. In a preliminary ....

....such (two round) commitment schemes in the above protocol. Recall that the existence of such a scheme implies the existence of one way functions [33] which suffices for constructing pseudorandom generators [32] pseudorandom functions [20] and (two round) perfectly binding commitment schemes [36]. Our description can be easily modified to utilize the latter, rather than a one round perfectly binding scheme which may be constructed assuming that one way permutations exist. Clearly, the above protocol constitutes an interactive proof system for 3 colorability (since as far as cheating ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks. Its generality was demonstrated by Goldreich, Micali and Wigderson [18] who showed that any NP statement can be proven in zero knowledge, provided commitment schemes exist (or, equivalently [26, 24], one way functions exist) An important application of zero knowledge proposed by Fiat and Shamir [11] was proving identity. Alongside many applications, the notion of zero knowledge raises a few important questions. Parallel composition. The first question is whether zero knowledge is ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....scheme based on one way permutations, by requiring that any commitment to s is preceded by a commitment to . That is, define C (s) Commit(0 ) Commit(s) where each bit is separately committed to using C(oe) f(U n ) b(U n ) Phi oe) We note that the Naor commitment scheme [11] as is, has both of these above properties. Although the [11] commitment scheme is interactive, the receiver message can be hardwired into the common reference string, and so suffices for our needs here. Strong one time signature schemes. Loosely speaking, a one time signature scheme is an ....

....any commitment to s is preceded by a commitment to . That is, define C (s) Commit(0 ) Commit(s) where each bit is separately committed to using C(oe) f(U n ) b(U n ) Phi oe) We note that the Naor commitment scheme [11] as is, has both of these above properties. Although the [11] commitment scheme is interactive, the receiver message can be hardwired into the common reference string, and so suffices for our needs here. Strong one time signature schemes. Loosely speaking, a one time signature scheme is an existentially unforgeable signature scheme (secure against a ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....perfectly binding commitment schemes can be constructed using any 1 1 one way function (see Section 4.4. 1 of [17] Allowing some minimal interaction (in which the receiver first sends a single message) almost perfectly binding) commitment schemes can be obtained from any one way function [25]. 3.1.2 Perfectly hiding commitment schemes We now informally describe the requirements for a perfectly hiding commitment scheme. In such a scheme, the binding property is guaranteed to hold only with respect to a polynomial time bounded sender. On the other hand, the hiding property is ....

....the committing party send a perfectly binding commitment of its input to the other party, followed by a zero knowledge proof of knowledge of the committed value. Both constant round commitment schemes and constant round zero knowledge arguments of knowledge are known to exist by the works of Naor [25] and Feige and Shamir [15] respectively (these constructions can also be based on any one way function) Thus the input commitment phase can be implemented as required for Proposition 4.1. 2 Next, we recall that a secure implementation of the protocol emulation phase requires zero knowledge ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....this was a conceptual mistake. We comment that parallel composition is problematic also in the context of reducing the soundness error of arguments (cf. 3] but our focus here is on the zero knowledge aspect of protocols regardless if they are proofs, arguments or neither. 1 Or, equivalently [25, 22], that one way functions exist. 2 3. Concurrent composition: This notion generalizes both the previous ones. Here (polynomially) many instances of the protocol are invoked at arbitrary times and proceed at arbitrary pace. That is, we assume an asynchronous (rather than synchronous) model of ....

....sends c 1;1 ; c n;t to the verifier. 14 Non interactive perfectly binding commitment schemes can be constructed using any one way permutation. In case one wishes to rely here only on the existence of one way functions, one may need to use Naor s two round perfectly binding commitment scheme [25]. This calls for minor modification of the description below. 11 Verifier s decommitment step (V2) The verifier decommits the sequence e = u 1 ; v 1 ) u t ; v t ) to the prover. Namely, the verifier send (s; e) to the prover. Motivating Remark: At this point the entire commitment of ....

M. Naor. Bit Commitment using Pseudorandom Generators. J. of Crypto., Vol. 4, pages 151--158, 1991.

....By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks. Its generality was demonstrated by Goldreich, Micali and Wigderson [18] who showed that any NP statement can be proven in zero knowledge, provided commitment schemes exist (or, equivalently [26, 24], one way functions exist) An important application of zero knowledge proposed by Fiat and Shamir [11] was proving identity. Alongside many applications, the notion of zero knowledge raises a few important questions. Parallel composition. The first question is whether zero knowledge is ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....a major open problem (which in fact may be considered unprovable using current tools) Below we shortly elaborate on some of the implications shown in Fig. 2 1. For 32 extensive background and formal treatment of some of the major primitives and the relations between them we refer the reader to [Nao91, IL89, HILL99, Gol95, Gol98] and references therein, and for the PIR related results in the gure we refer the reader to Chapter 4. Primitives that are equivalent to one way functions Pseudorandom Generators Functions. Informally, a pseudorandom generator is a deterministic algorithm which expands a short truly random ....

....b semantically secure [GM84] and Binding For any probabilistic polynomial time (possibly dishonest) Alice , only with negligible probability can Alice cheat by coming up, following the commit phase, with decommitment strings dec 0 ; dec 1 that are opened by Bob as di erent bits. Naor [Nao91] proved that commitment schemes can be constructed based on pseudorandom generators (and thus based on any one way function) Primitives that require a stronger assumption Oblivious Transfer. The oblivious transfer primitive was described in a previous section. Kilian [Kil88] showed that ....

[Article contains additional citation context not shown here]

M. Naor. Bit commitment using pseudorandom generators. J. of Cryptology, 4:151-158, 1991.

....one, and thus choose to send a message in the second interaction as a function of messages received in the first. We stress that, in each of these interleaved interactions, the prover (i.e. each prover clone) is not aware of any other interaction, nor of having been cloned. 1 Or, equivalently [40, 35], that one way functions exist. 2 Zero knowledge proofs in which the prover is deterministic exist only for BPP languages (cf. 29] 3 For instance, in [20] it suffices to repeat the protocol twice with the same prover coins to be able to extract the prover s secret. 4 In a preliminary ....

....first message, and the verifier sends a single message) but is not witness indistinguishable in the hybrid model (since the verifier can obtain a full coloring of the graph by invoking the prover many times on the same r1 . In case the prover s commitment is via a two round commitment scheme (cf. [40], the proof system is not admissible (since the verifier has total freedom in selecting the edges) 16 See discussion following this abstract presentation. 18 There is one problem, however, with the above presentation. In Step (V1) we have assumed the existence of a 1 round (i.e. ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....functionality) lies in the heart of Modern Cryptography. However, gaps as required for Modern Cryptography are not known to exist they are only widely believed to exist. Indeed, almost all of Modern Cryptography rises or falls with the question of whether one way functions exist (e.g. see [79, 63, 115, 99, 68] for positive results and [90, 115, 107] for negative ones) One way functions are functions which are easy to evaluate but hard (on the average) to invert. Definition 1 (one way functions [46] A function f : f0; 1g 7 f0; 1g is called one way if ffl easy direction: there is an efficient ....

....the problem at hand. Further simplification is achieved by identifying efficient computations with polynomial time computations, and more importantly by identifying infeasible computations with 13 Consequently, it was shown how to construct commitment schemes based on any pseudorandom generator [99], and that the latter exists if one way functions exist [79] 21 ones which are not implementable in polynomial time. However, none of these conventions is really essential for the theory discussed in this essay. 14 As stated in Section 2, all know results (referring to computational ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....digital signatures, bit commitment, exchanging secrets, coin flipping over the telephone, etc. For a variety of cryptographic applications it is known that a secure protocol can be constructed from a pseudorandom generator, e.g. the work of [GGM86] LR88] GMR89] [Naor88], GMW91] show that applications ranging from private key encryption to zero knowledge proofs can be based on a pseudorandom generator. The results presented in this paper show that these same protocols can be based on any one way function. The paper [NY89] gives a signature scheme that can be ....

Naor, M., Bit Commitment using Pseudorandom Generators, J. of Cryptology, 4 (1991), pp. 151--158.

....functionality) lies in the heart of Modern Cryptography. However, gaps as required for Modern Cryptography are not known to exist they are only widely believed to exist. Indeed, almost all of Modern Cryptography rises or falls with the question of whether one way functions exist (e.g. see [109, 91, 157, 134, 97] for positive results and [122, 157, 144] for negative ones) One way functions are functions which are easy to evaluate but hard (on the average) to invert. Definition 1 (one way functions [61] A function f : f0; 1g 7 f0; 1g is called one way if ffl easy direction: there is an efficient ....

....parties. In contrast, information theoretically secure multi party computation is possible when assuming the existence of perfect private channels between each pair of honest users [18, 45] 17 Consequently, it was shown how to construct commitment schemes based on any pseudorandom generator [134], and that the latter exists if one way functions exist [109] 23 primitive which, being well known, typically has several candidate implementations. More on this subject below. On the meaning of asymptotic results. Asymptotic analysis is a major simplifying convention. It allows to disregard ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

.... falls in two categories: either one way functions are necessary and sufficient, or stronger assumptions are necessary (i.e. one way functions with some additional properties like trapdoor may be required) For example, pseudo random generators [20] signature schemes [32, 36] commitment schemes [20, 30] and zero knowledge proofs for NP [20, 30, 18, 34] are all equivalent to the existence of a one way function. On the other hand there is a class of primitives that probably needs additional assumptions, including, for example, public key cryptosystems, key exchange, oblivious transfer [22] ....

.... are necessary and sufficient, or stronger assumptions are necessary (i.e. one way functions with some additional properties like trapdoor may be required) For example, pseudo random generators [20] signature schemes [32, 36] commitment schemes [20, 30] and zero knowledge proofs for NP [20, 30, 18, 34] are all equivalent to the existence of a one way function. On the other hand there is a class of primitives that probably needs additional assumptions, including, for example, public key cryptosystems, key exchange, oblivious transfer [22] non interactive zero knowledge proofs of knowledge for ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment Using Pseudorandom Generators. Journal of Cryptology, 4:151--158, 1991.

....Transfer in this context. proofs and proofs of knowledge (POK) commitment schemes, verifiable secret sharing (VSS) and secure coin flipping. Commitment Commitment schemes are implicit in [10] and later papers such as [40] It seems that an explicit definition was first given in [51], which shows how to construct such schemes based on and one way functions. The construction of commitment schemes based on 1 1 oneway functions is folklore (cf. 36] The latter construction suffices for the current text, which anyhow assumes the existence of trapdoor permutations. ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991. Preliminary version in Crypto89, pages 123--132.

....is guaranteed that the sender cannot reveal a value other than the one committed. Such commitment schemes can be implemented assuming the existence of one way functions (i.e. loosely speaking, functions that are easy to compute but hard to invert, such as the multiplication of two large primes) [44, 37]. Using the fact that 3 colorability is NP complete, one gets zero knowledge proofs for any NP set. Theorem 2 [28] Assuming the existence of one way functions, any NP proof can be efficiently transformed into a (computational) zero knowledge interactive proof. Theorem 2 has a dramatic effect on ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....one way functions from PIR protocols. The second proof is somewhat stronger as it works also for PIR protocols with larger communication complexity (and with reconstruction errors) Together with the previously known fact that one way functions imply the existence of bit commitment protocols [26, 18], our second proof (indirectly) shows how to construct bit commitment protocols from PIR protocols. However, the direct construction given in the first proof is much more efficient. Our result continues a series of works showing that the existence of one way functions is a minimal assumption for ....

M. Naor. Bit commitment using pseudorandom generators. J. of Cryptology, 4:151--158, 1991.

....it is guaranteed that the sender cannot reveal a value other than the one committed. Such commitment schemes can be implemented assuming the existence of one way functions (i.e. loosely speaking, functions that are easy to compute but hard to invert, such as multiplication of two large primes) [39, 32]. Using the fact that 3 colorability is NP complete, one gets zero knowledge proofs for any NP set. Theorem 2 [24] Assuming the existence of one way functions, any NP proof can be efficiently transformed into a (computational) zero knowledge interactive proof. Thm. 2 has a dramatic effect on ....

M. Naor. Bit Commitment using Pseudorandom Generators. In Crypto89, pages 123--132, 1990

.... (i.e. failure of any efficient procedure to tell the two distributions apart) The most important result concerning zero knowledge is that, assuming the existence of one way functions, each language in NP (and actually even in IP) has a zero knowledge interactive proof system; see [43, 64, 50] (and [19] respectively) This result should be contrasted with the results regarding the complexity of almost perfect zero knowledge proof systems, namely, that such proof systems exist only for languages in IP(2) coIP(2) 2, 35] 4 Also, a recent result indicates that one way functions are ....

....has been demonstrated by Goldreich, Micali and Wigderson [43] Most importantly, they showed how to construct zero knowledge proof systems for any language in NP. 22 Their construction uses a cryptographic primitive called a commitment scheme that may be implemented using any one way function [50, 64]. Actually, under the same assumption, zero knowledge proofs exists for any language in IP [51, 19] but the latter elegant result has almost no applications. Subsequently, zero knowledge proofs have become the focus of much attention in cryptographic circles and, as one may expect, many ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. Journal of Cryptology, 4:151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991. Preliminary version in Crypto89, pages 123--132.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151-158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. J. Crypto. 4(2): 151--158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. J. Crypto. 4(2): 151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991. Preliminary version in Crypto89, pages 123--132.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. Journal of Cryptology, 4:151--158, 1991.

No context found.

Moni Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Crypto., Vol. 4, pages 151--158, 1991.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC