JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 441-452 (2008)
Biased Bit Commitment and Applications*

LI-CHENG WANG, ZHEN-FU CAO, FENG CAO, HAI-FENG QIAN AND HAI-YONG BAO
Department of Computer Science and Engineering
Shanghai Jiao Tong University
Shanghai, 200030, P.R.C.

We bring forward the primitive of biased bit commitment, define its security model, and present a concrete biased bit commitment scheme based on the braid conjugator search problem. The presented scheme is proved to be information-theoretically hiding and computationally binding in the defined model. Finally, to argue the usefulness of this work, we also sketch some new applications of the new primitive.

Keywords: biased bit commitment, braid group, conjugator search problem, coin tossing, lot-casting
Received January 9, 2006; revised May 18 & July 26, 2006; accepted August 28, 2006. Communicated by Tzong-Chen Wu.
* This work was supported in part by the National Science Fund for Distinguished Young Scholars under grant No. 60225007, the National Research Fund for the Doctoral Program of Higher Education of China under grant No. 20020248024, and the Science and Technology Research Project of Shanghai under grants No. 04JC14055 and 046407067.

1. INTRODUCTION

A bit commitment scheme allows a party, Alice, to send to another party, Bob, a proof that commits her to a bit b ∈ {0, 1} of her choice, in such a way that Bob cannot tell what b is, but Alice can later open the commitment and prove to Bob what b originally was [1, 2]. A bit commitment scheme is said to be binding if the committer (Alice) cannot cheat, i.e. cannot open the opposite of her original commitment, and hiding if the receiver (Bob) cannot cheat, i.e. cannot extract the committed bit before the open phase. We say a bit commitment scheme is secure if it is both binding and hiding. Because of these two properties, bit commitment is widely used as a building block in the design of more elaborate cryptographic protocols, and over the past two decades many protocols built on it have been proposed [2-11].

Following the first constructions of bit commitment [2-4], many improvements have been proposed [12-17]. In 1988, Goldwasser et al. [12] presented another factoring-based bit commitment scheme, more efficient than Blum's [3]. In 1989, Naor [13] reduced information-theoretically binding and computationally hiding bit commitment to pseudo-randomness. Shortly afterwards, Naor et al. [14] reduced computationally binding and information-theoretically hiding bit commitment to one-way permutations. In 1992, Pedersen [15] proposed a bit commitment scheme based on the discrete logarithm problem. In 1996, Halevi and Micali [16] put forward a new bit commitment scheme using a collision-free
one-way hash function. In 2000, Zheng et al. [17] gave a bit commitment scheme based on the subset sum problem.

Another important branch, quantum bit commitment, has existed since the discovery of quantum cryptography and information-theoretically secure quantum key distribution in 1984 [6]. The realisation of information-theoretically secure key agreement over a quantum channel led to much interest in understanding precisely which cryptographic tasks can be made secure by physical principles alone [18], and in particular in whether information-theoretically secure bit commitment can be built on a quantum channel. Various quantum bit commitment schemes were put forward during the following decade [6, 19, 20], several of them claimed to be information-theoretically secure. In 1996, however, Mayers [21] published his general impossibility theorem for unconditionally secure quantum bit commitment. That result has been challenged ever since: new ideas have been proposed in the hope of achieving information-theoretically secure quantum bit commitment [22, 23], and even today new quantum bit commitment schemes claimed to be information-theoretically secure appear [24, 25]. All these attempts deepen our understanding of bit commitment and quantum bit commitment.

Some variants of bit commitment have also been studied [26, 27]. This paper considers a different, non-trivial generalization, biased bit commitment, in which Alice commits a number to Bob with a given, fixed bias 1/k; basic bit commitment is the special case of bias 1/2. First, the biased bit commitment primitive and its security are defined. Then a concrete 1/k-biased bit commitment scheme is constructed over braid groups.
This is not only the first bit commitment with a bias different from 1/2, but also the first biased bit commitment based on braid groups. Finally, some new applications of the proposed primitive are sketched.

The rest of the paper is organized as follows. Section 2 gives the preliminaries, including the background on braids and cryptographic problems in braid groups. Section 3 presents the braid-based biased bit commitment scheme together with its correctness and security proofs. Section 4 describes some new applications of the proposed primitive. Concluding remarks are given in section 5.
2. PRELIMINARIES

In 1999, Anshel et al. [28] proposed an algebraic method for public key cryptography; with their pioneering paper, braid groups entered modern cryptography. Ko et al. [29] published their work on braid-based public key cryptography (PKC) in 2000, and the subject quickly attracted attention. The security of these braid-based systems rests on the difficulty of the conjugacy problem in braid groups. Shortly afterwards, several attacks [30-32] lowered the initial enthusiasm, and some authors prematurely announced the death of the subject. In 2004, Dehornoy [33] gave a systematic survey of braid-based schemes and an analysis of why these attacks do not condemn the subject, and called for further investigation of braid-based PKC. Moreover, groups whose word problem and conjugacy problem are algorithmically unsolvable have already been constructed [34]. Braid groups therefore provide a concrete and understandable setting for this approach, but the approach is not confined to them.

2.1 Braid Groups

Intuitively, a braid is obtained by laying down a number of parallel strands and intertwining them so that they run in the same direction. The number of strands is called the braid index. The set Bn of isotopy classes of braids of index n is naturally equipped with a group structure, called the n-braid group, where the product of two braids x and y is obtained by laying the two braids in a row and matching the end of x to the beginning of y [31]. Formally, the n-braid group Bn is defined by the group presentation [35]

$$B_n = \left\langle \sigma_1, \ldots, \sigma_{n-1} \;\middle|\; \sigma_i \sigma_j = \sigma_j \sigma_i \text{ if } |i-j| \ge 2,\; \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \text{ if } |i-j| = 1 \right\rangle \qquad (1)$$

where the σi (1 ≤ i ≤ n − 1) are called the Artin generators. Every braid can be expressed as a product of the σi^{±1} (1 ≤ i ≤ n − 1). Geometrically, each generator σi represents swapping the ith strand with the (i + 1)th strand, with the ith strand going under the (i + 1)th one, and σi^{-1} is obtained from σi by switching the over-strand and the under-strand. The identity e is the braid consisting of n straight vertical strands, and the inverse of a braid x is the reflection of x with respect to a horizontal line. Two braids are equivalent if one can be deformed into the other continuously within the set of braids. Two braids x and y are conjugate if there exists a braid z such that y = zxz^{-1}; this is denoted x ~ y, or x ~z y when the conjugator z needs to be specified. In general, if x ~ y, the conjugator is not unique. Bn is infinite and non-commutative, so the conjugacy problems in braid groups are non-trivial.

2.2 Conjugator Search Problem (CSP)
The conjugator search problem (CSP) in braid groups is: given x ~ y, find a conjugator a ∈ Bn such that y = axa^{-1}. The CSP is important because many topologically significant problems are defined only up to conjugacy, and it is hard in the sense that no polynomial time algorithm for it is known. At present, the main attacks on the CSP fall into three categories: (1) attacks based on length; (2) attacks based on linear representations; (3) attacks using the super summit set (SSS) and the ultra summit set (USS). Most recently, Dehornoy [33] gave a systematic analysis of these attacks and concluded that they do not condemn braid-based cryptography; their success only reflects the way keys were generated [33]. He also introduced two processes, handle reduction and scrambling, that protect braid-based cryptographic schemes against these attacks [33].
3. PROPOSED PRIMITIVE

3.1 Biased Bit Commitment Scenario

The 1/k-biased bit commitment primitive is an interactive procedure between two parties, say Alice and Bob, with two phases: (1) Commit phase. Alice commits a number b ∈ {0, …, k − 1} of her choice to Bob in such a way that Bob can name b with probability exactly 1/k, i.e. no better than by guessing. (2) Open phase. Alice opens the commitment and proves to Bob what b originally was. The commit phase must be finished before the corresponding open phase begins, and the interval between the two phases may be arbitrarily long. A 1/k-biased bit commitment scheme is said to be binding if the committer (Alice) cannot cheat, i.e. cannot open a number different from her original commitment without being detected; it is said to be hiding if the receiver (Bob) cannot cheat, i.e. cannot tell what the committed number is with probability greater than 1/k. A biased bit commitment scheme is secure if and only if it is binding and hiding.

3.2 Biased Bit Commitment Protocol Based on Braid Groups
Suppose Alice wants to commit a number b ∈ {0, …, k − 1} to Bob. The interactive procedure of the braid-based 1/k-biased bit commitment is illustrated in Fig. 1 and described in detail below.

Fig. 1. The interactive procedures of the biased bit commitment.

The biased bit commitment protocol consists of two sub-protocols:

Sub-Protocol 1 Commit(b)
− Bob chooses k random braids p_0, …, p_{k−1}, and sends them to Alice.
− Alice chooses a random braid r, computes x = r p_b r^{-1}, and sends x to Bob, keeping b and r secret until (and unless) she later opens her commitment.
− After receiving x, Bob announces the end of the commit phase.

Sub-Protocol 2 Open(b, r)
− Alice sends b and r to Bob.
− After receiving b and r, Bob recomputes r p_b r^{-1} and outputs "accept" if and only if x = r p_b r^{-1} holds in Bn (equality of braids is decided by comparing normal forms, for which efficient algorithms exist [36]).

Remark: (1) To prevent a long prefix of the normal form of r from being read off the normal form of r p_b r^{-1}, the scrambling process of [33] is applied to x before it is sent over the network. (2) In [33], a collision-free one-way hash function h is used in computing the commitment proof. Such a hash function is unnecessary in our scheme, for three reasons: (a) the only purpose of h would be to prevent r from being read off r p_b r^{-1}, which the scrambling process already achieves; (b) bit commitment can be built from a collision-free one-way hash function alone [16], so layering one on top of the braid-based construction would add nothing; (c) efficient algorithms exist for all the braid operations required [36].

3.3 Correctness

Theorem 1 The proposed scheme in section 3.2 is correct.

Proof: Correctness of a 1/k-biased bit commitment means: (1) Alice's commitment is accepted if she opens the originally committed number; (2) Alice's commitment is rejected if she opens a number different from the originally committed one; (3) Alice's commitment is concealed before the open phase. If Alice commits a number b ∈ {0, …, k − 1} in the commit phase, she sets x = r p_b r^{-1} and sends x to Bob.

First, suppose that in the open phase she opens the originally committed number b, sending (b, r) to Bob. Bob's check x = r p_b r^{-1} succeeds, so he accepts Alice's commitment.

Second, suppose that in the open phase she opens another number b′ ≠ b, sending (b′, r) to Bob. Bob's check x = r p_{b′} r^{-1} fails, since p_b ≠ p_{b′}, so he rejects Alice's commitment.

Before the open phase, Bob knows only p_0, …, p_{k−1} and x, which do not reveal b: for each p_i there may exist an r_i such that x = r_i p_i r_i^{-1}. So Alice's committed number b is concealed before the open phase, and by guessing Bob names it with probability exactly 1/k. Therefore the proposed scheme is a correct 1/k-biased bit commitment protocol.

3.4 Security

Theorem 2 The proposed scheme in section 3.2 is computationally binding.

Proof: Can Alice find a way to commit a number and later reveal another number to Bob
without being detected? To cheat successfully, Alice has to find a collision, i.e. two elements r_1, r_2 ∈ Bn such that

$$r_1 p_i r_1^{-1} = r_2 p_j r_2^{-1}, \quad i \ne j. \qquad (2)$$

Suppose she can indeed find such a collision. Then she immediately obtains

$$r_2^{-1} r_1 p_i r_1^{-1} r_2 = p_j, \quad i \ne j, \qquad (3)$$

that is, she has found the conjugator s = r_2^{-1} r_1 for the pair (p_i, p_j) ∈ Bn × Bn. Under the assumption that the conjugator search problem is intractable, the probability that Alice can find a conjugator for the pair (p_i, p_j) is negligible, hence so is the probability that she finds such a collision. Therefore, under the assumption that the conjugator search problem is intractable, Alice has no way to cheat, i.e. the proposed protocol is computationally binding.

Theorem 3 The proposed scheme in section 3.2 is information-theoretically hiding.

Proof: Can Bob cheat, i.e. extract Alice's commitment before the open phase? Seemingly, if Bob could find r, the conjugator of the pair (x, p_b), before the open phase begins, he would reveal b by checking which of the equations

$$x = r p_i r^{-1}, \quad i = 0, \ldots, k-1 \qquad (4)$$

holds. But in the commit phase Alice chooses r at random, and for any s commuting with p_b the braid rs conjugates p_b to the same x; rs is a random element with the same distribution as r, and Alice could equally well have picked either, so Bob has no clue whether Alice picked r or rs, and vice versa. Further, for each p_i there may exist an r_i such that x = r_i p_i r_i^{-1}. Thus, even if Bob were able to find conjugators for all of (x, p_0), …, (x, p_{k−1}), he would still have no clue which i is the committed number b, since he cannot decide which conjugator is Alice's choice of r. Bob therefore cannot cheat no matter how much computational power he possesses, i.e. the proposed protocol is information-theoretically hiding. Note that this argument tacitly assumes that x does not reveal which of p_0, …, p_{k−1} it is conjugate to: if the p_i lie in distinct conjugacy classes and Bob can decide conjugacy in Bn, then x alone identifies b, so in practice the hiding property also rests on the hardness of the conjugacy decision problem for the braids Bob sends.

3.5 Comparisons and Advantages
There are some differences and relations between our proposal and the concepts of basic bit commitment, bit string commitment and oblivious transfer:

(1) Basic bit commitment versus 1/k-biased bit commitment. Bit commitment has been studied extensively, but all previously published bit commitment protocols address the basic, unbiased scenario. When the bias 1/k is set to 1/2, our proposal reduces to the basic bit commitment primitive. Each run of a basic bit commitment protocol commits exactly one bit (− log2 (1/2) = 1) of information, whereas each run of a 1/k-biased bit commitment commits more than one bit (− log2 (1/k) > 1 for k > 2). In this sense the biased bit commitment is more efficient than the basic one. When k = 2^m for some integer m, a 1/k-biased bit commitment can be implemented by running any basic bit commitment protocol m times; but when k is not a power of two, no fixed number of runs of a basic bit commitment yields a bias of exactly 1/k. In this sense the 1/k-biased bit commitment is a non-trivial generalization of the basic bit commitment.

(2) String commitment versus 1/k-biased bit commitment. String commitment, which allows Alice to commit n bits simultaneously to Bob, is another generalization of basic bit commitment. Each run of an n-bit string commitment commits exactly n bits of information. Before 1/k-biased bit commitment there was no notion of committing a fractional number of bits: for k = 3, each run commits about 1.6 bits (− log2 (1/3) = 1.5850 ≈ 1.6). A fractional bit may look like a strange notion, but it is the natural abstraction and generalization of basic bit commitment, and there is no serious reason to reject it. Similarly, when k = 2^m for some integer m, a 1/k-biased bit commitment can be implemented by running an m-bit string commitment scheme once, but when k is not a power of two it cannot be obtained from an m-bit string commitment.

(3) 1-out-of-k oblivious transfer versus 1/k-biased bit commitment. First, the two primitives differ in purpose and functionality.
The 1/k-biased bit commitment primitive is about committing (in a hiding and binding way) to a number from 0 to k − 1; the contents of the messages sent over the channel are not the concern, so these messages carry no semantics and can be regarded as random values. 1-out-of-k oblivious transfer, by contrast, is about transferring (obliviously) a message that is meaningful, rather than a random value. Second, the interaction differs: a bit commitment protocol, biased or not, needs 2 phases and 3 passes, whereas a 1-out-of-k oblivious transfer protocol needs only 2 passes [39]. Of course, by ignoring the semantics of the transferred messages and adding an opening pass, one can implement a 1/k-biased bit commitment from a 1-out-of-k oblivious transfer protocol, but this reduction is trivial and wasteful.
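The Commit/Open exchange of section 3.2 and the collision-to-conjugator step of Theorem 2, carried out in runnable form. This is an added example, not code from the paper or its authors. Braids are words in the Artin generators of (1); since Bob's acceptance test needs equality of braids, the example maps words through the unreduced Burau representation evaluated at t = 2 over GF(q) with q = 2^61 − 1 (both parameters, and the word lengths, are assumptions of this demonstration). That map is a homomorphism Bn → GLn(GF(q)), so every honest opening verifies and the algebra of (2) and (3) can be checked. It is a stand-in for the braid arithmetic only: conjugacy of matrices is solvable by linear algebra and the evaluated Burau map is not known to be faithful, so it offers none of the CSP hardness the scheme relies on; a real implementation compares normal forms in Bn [36]. The run also shows that an opening does not pin down Alice's r (the braid r p_b opens the same x), the fact used in the proof of Theorem 3.

```python
import random

# Assumptions of this demonstration (not from the paper): a prime modulus and
# an evaluation point for the Burau parameter t, so that braid words can be
# compared as matrices over GF(Q).
Q = (1 << 61) - 1
T = 2


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % Q for j in range(n)]
            for i in range(n)]


def burau(gen, n):
    """Unreduced Burau matrix of sigma_i (gen = i) or sigma_i^{-1} (gen = -i)
    in B_n: the identity with a 2x2 block at rows and columns i-1, i."""
    i = abs(gen) - 1
    if gen > 0:
        block = [[(1 - T) % Q, T % Q], [1, 0]]
    else:                       # inverse of the block above
        t_inv = pow(T, -1, Q)
        block = [[0, 1], [t_inv, (1 - t_inv) % Q]]
    m = identity(n)
    for a in range(2):
        for b in range(2):
            m[i + a][i + b] = block[a][b]
    return m


def evaluate(word, n):
    """Image of a braid word (list of nonzero ints) in GL_n(GF(Q)).  Products
    run left to right, matching the paper's convention for the product xy."""
    m = identity(n)
    for gen in word:
        m = mat_mul(m, burau(gen, n))
    return m


def inverse(word):
    """Inverse braid: reverse the word and invert every generator."""
    return [-g for g in reversed(word)]


def conjugate(r, p):
    """The braid r p r^{-1}."""
    return r + p + inverse(r)


def random_braid(n, length, rng):
    """Random word of the given length.  Assumption: uniform generator choice;
    a deployment would follow the key-generation advice of [33] instead."""
    return [rng.choice([-1, 1]) * rng.randint(1, n - 1) for _ in range(length)]


# Section 3.2: Alice's side of Commit(b) and Bob's check in Open(b, r).

def commit(p_list, b, r):
    """x = r p_b r^{-1}; Alice sends x and keeps (b, r)."""
    return conjugate(r, p_list[b])


def open_accepts(x, p_list, b, r, n):
    """Bob accepts iff x = r p_b r^{-1} as braids (here: as Burau matrices)."""
    return evaluate(x, n) == evaluate(conjugate(r, p_list[b]), n)


# Section 3.4, Theorem 2: two openings of one x hand over a conjugator.

def conjugator_from_collision(r1, r2):
    """From r1 p_i r1^{-1} = r2 p_j r2^{-1}, the braid s = r2^{-1} r1
    satisfies s p_i s^{-1} = p_j (equations (2) and (3))."""
    return inverse(r2) + r1


def run_protocol(k, n, b, seed):
    """One honest run plus the cheating attempts the paper discusses."""
    rng = random.Random(seed)
    # Commit phase: Bob picks p_0..p_{k-1}; Alice picks r and sends x.
    p_list = [random_braid(n, 20, rng) for _ in range(k)]
    r = random_braid(n, 20, rng)
    x = commit(p_list, b, r)
    out = {
        "honest_accepted": open_accepts(x, p_list, b, r, n),
        # Alice opens a different number with the same r: rejected.
        "cheat_accepted": open_accepts(x, p_list, (b + 1) % k, r, n),
        # Conjugators are not unique: r p_b also maps p_b to x, so an
        # opening does not identify Alice's r (used in Theorem 3).
        "alternate_conjugator_accepted":
            open_accepts(x, p_list, b, r + p_list[b], n),
    }
    # Theorem 2: if p_j = s p_i s^{-1} (arranged here), Alice can open x
    # as i with r1 and as j with r2 = r1 s^{-1}; the pair leaks s.
    s = random_braid(n, 10, rng)
    i, j = 0, 1
    p_list[j] = conjugate(s, p_list[i])
    r1, r2 = r, r + inverse(s)
    x2 = commit(p_list, i, r1)
    out["collision_opens_both"] = (open_accepts(x2, p_list, i, r1, n)
                                   and open_accepts(x2, p_list, j, r2, n))
    s_found = conjugator_from_collision(r1, r2)
    out["extracted_conjugator_works"] = (
        evaluate(conjugate(s_found, p_list[i]), n) == evaluate(p_list[j], n))
    return out


if __name__ == "__main__":
    for name, ok in run_protocol(k=5, n=8, b=3, seed=7).items():
        print(f"{name}: {ok}")
```

Running the module prints the five outcomes: the honest opening and the alternate conjugator r p_b are accepted, the attempt to open a different number with the same r is rejected, and the two valid openings of one x under p_i and p_j (arranged by choosing p_j conjugate to p_i) yield s = r_2^{-1} r_1 with s p_i s^{-1} = p_j, which is exactly the reduction that bases binding on the conjugator search problem.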
4. APPLICATIONS

We now use the proposed primitive to sketch some applications, some of which cannot be built conveniently from the basic bit commitment primitive.
4.1 Case I: Biased Coin Tossing Protocol
In general, a bit commitment scheme yields a coin tossing scheme, and vice versa. The basic coin tossing protocol assumes that the two sides of the coin are equally likely. What if one side of the coin is much heavier than the other? Can such an unbalanced digital coin be tossed over a network? With the proposed 1/k-biased bit commitment primitive we can construct a biased coin tossing protocol in which the probability of guessing correctly is precisely 1/k. This simulates a coin one side of which is k − 1 times heavier than the other, where the heavier side is not fixed in advance; equivalently, one may always guess the heavier side and succeed with probability (k − 1)/k. This is interesting because a coin whose heavier side can be chosen afresh for each toss cannot be built physically, yet it can be simulated with the proposed primitive.

4.2 Case II: Lot-Casting Scheme
Lots and lotteries are related but different. A lot is an object used to make a determination or choice at random, whereas a lottery is a game or contest in which tokens are distributed or sold, the winning tokens being secretly predetermined or ultimately selected in a random drawing. Lottery systems based on the basic bit commitment primitive have been studied before [37, 38]; to our knowledge, however, no digital lot-casting scheme has been published. We therefore describe a lot-casting scheme using the proposed biased bit commitment primitive.

Suppose that k candidates want to select exactly one of them as chairman by casting lots over a network. First, one candidate is designated at random as the dealer. The dealer then runs the 1/k-biased bit commitment procedure with each of the other candidates in turn. If some candidate guesses the committed number b ∈ {0, …, k − 1} correctly, that candidate is elected chairman and all remaining procedures are aborted; if all the other candidates lose the biased coin tossing game, the dealer is elected chairman. Since the proposed protocol is information-theoretically hiding and computationally binding, none of the k candidates can cheat. Moreover, each candidate, including the dealer, is elected with probability exactly 1/k (for this, the k − 1 guesses must be distinct values of a single committed number b, so that exactly one of the k candidates wins), so the lot-casting scheme is fair.

4.3 Case III: A Fair Gambling Scheme
Consider the following two-party gambling scheme. The banker, Alice, runs the 1/k-biased bit commitment procedure with a player, Bob. After sending her commitment to Bob, Alice asks Bob to wager on the committed number. Finally, Alice opens her commitment. If Bob loses the biased coin tossing game, Alice keeps Bob's wager; if Bob wins, Alice must pay Bob k − 1 times his wager. Since Bob wins with probability 1/k, his expected gain is (k − 1)/k − (k − 1)/k = 0 times his wager, so the scheme is fair. Two provisos apply: a refusal by Alice to open must count as a win for Bob, since otherwise she could abort whenever Bob's wager is correct; and, to prevent collusion among players, the banker must not play this game with two or more players simultaneously.
5. CONCLUSIONS

Bit commitment is a fundamental building block in the design of more elaborate cryptographic protocols. In this paper we introduced a new generalization of bit commitment, the biased bit commitment primitive. With it, one party commits a number to another party with a given, fixed bias, basic bit commitment being the special case of bias 1/2. Based on the braid conjugator search problem, we then proposed the first 1/k-biased bit commitment scheme and showed it to be information-theoretically hiding and computationally binding in the defined model. Finally, some new applications of the proposed primitive were described.
REFERENCES

1. G. Brassard, C. Crepeau, D. Mayers, and L. Salvail, "A brief review on the impossibility of quantum bit commitment," arXiv Report quant-ph/9712023, 1997.
2. M. Rabin, "How to exchange secrets with oblivious transfer," Technical Report TR-81, Harvard Aiken Computation Laboratory, Cambridge, 1981.
3. M. Blum, "Coin flipping by telephone: a protocol for solving impossible problems," in Proceedings of the 24th IEEE Computer Conference, 1981, pp. 133-137.
4. A. Shamir, R. L. Rivest, and L. M. Adleman, "Mental poker," in D. Klarner ed., The Mathematical Gardner, Wadsworth, Belmont, California, 1981, pp. 37-43.
5. C. Crepeau, "Cryptographic primitives and quantum theory," in Proceedings of Physics and Computation, 1992, pp. 200-204.
6. C. H. Bennett and G. Brassard, "Quantum cryptography: public key distribution and coin tossing," in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, 1984, pp. 175-179.
7. D. Chaum, "Demonstrating that a public predicate can be satisfied without revealing any information about how," in Advances in Cryptology − CRYPTO, LNCS 263, Springer, 1987, pp. 195-199.
8. X. Chen, J. Mao, and Y. Wang, "A new secure Vickrey auction protocol," Acta Electronica Sinica, Vol. 30, 2002, pp. 471-472.
9. D. Zheng, T. Zhang, K. Chen, and Y. Wang, "Lottery scheme based on bit commitment," Acta Electronica Sinica, Vol. 28, 2000, pp. 141-142.
10. M. Zhong and Y. Yang, "A partial blind signature scheme based on bit commitment," Journal of China Institute of Communications, Vol. 22, 2001, pp. 1-6.
11. J. Chou and Y. Yeh, "Mental poker game based on a bit commitment scheme through network," Computer Networks, Vol. 38, 2002, pp. 247-255.
12. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen message attacks," SIAM Journal on Computing, Vol. 17, 1988, pp. 281-308.
13. M. Naor, "Bit commitment using pseudo-randomness (extended abstract)," in Advances in Cryptology − CRYPTO, LNCS 435, Springer, 1990, pp. 128-136.
14. M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, "Perfect zero-knowledge arguments for NP can be based on general complexity assumptions," in Advances in Cryptology − CRYPTO, LNCS 740, Springer, 1993, pp. 196-214.
15. T. P. Pedersen, "Non-interactive and information-theoretic secure verifiable secret sharing," in Advances in Cryptology − CRYPTO, LNCS 576, Springer, 1992, pp. 129-140.
16. S. Halevi and S. Micali, "Practical and provably secure commitment schemes from collision-free hashing," in Advances in Cryptology − CRYPTO, LNCS 1109, Springer, 1996, pp. 201-215.
17. D. Zheng, K. Chen, D. Gu, and J. You, "Efficient bit-commitment schemes," Journal of China Institute of Communications, Vol. 21, 2000, pp. 78-80.
18. L. Hardy and A. Kent, "Cheat sensitive quantum bit commitment," arXiv Report quant-ph/9911043, 1999.
19. G. Brassard and C. Crepeau, "Quantum bit commitment and coin tossing protocols," in Advances in Cryptology − CRYPTO, LNCS 537, Springer, 1991, pp. 49-61.
20. G. Brassard, C. Crepeau, R. Jozsa, and D. Langlois, "A quantum bit commitment scheme provably unbreakable by both parties," in Proceedings of the 34th Annual Symposium on Foundations of Computer Science, 1993, pp. 362-371.
21. D. Mayers, "The trouble with quantum bit commitment," arXiv Report quant-ph/9603015, 1996.
22. B. Yu, Z. W. Zhou, J. Li, and G. C. Guo, "Secure bit commitment based on quantum one-way function," in Proceedings of SPIE, Vol. 4917, 2002, pp. 92-96.
23. K. Tanaka, "Quantum bit-commitment for small storage based on quantum one-way permutations," New Generation Computing, Vol. 21, 2003, pp. 339-345.
24. R. Srikanth, "Quantum bit commitment with a composite evidence," Physica Scripta, Vol. 70, 2004, pp. 343-346.
25. T. Tsurumaru, "Implementable quantum-bit-string commitment protocol," Physical Review A, Vol. 71, 2005, pp. 1-8.
26. D. Aharonov, A. Ta-Shma, U. Vazirani, and A. Yao, "Quantum bit escrow," in Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, 2000, pp. 705-714.
27. A. Kent, "Quantum bit string commitment," Physical Review Letters, Vol. 90, 2003, pp. 1-4.
28. I. Anshel, M. Anshel, and D. Goldfeld, "An algebraic method for public-key cryptography," Mathematical Research Letters, Vol. 6, 1999, pp. 287-291.
29. K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. S. Kang, and C. Park, "New public-key cryptosystem using braid groups," in Advances in Cryptology − CRYPTO, LNCS 1880, Springer, 2000, pp. 166-183.
30. D. Hofheinz and R. Steinwandt, "A practical attack on some braid group based cryptographic primitives," in Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, LNCS 2567, Springer, 2003, pp. 187-198.
31. J. H. Cheon and B. Jun, "A polynomial time algorithm for the braid Diffie-Hellman conjugacy problem," in Advances in Cryptology − CRYPTO, LNCS 2729, Springer, 2003, pp. 212-225.
32. S. J. Lee and E. K. Lee, "Potential weakness of the commutator key agreement protocol based on braid groups," in Advances in Cryptology − EUROCRYPT, LNCS 2332, Springer, 2002, pp. 14-28.
33. P. Dehornoy, "Braid-based cryptography," Contemporary Mathematics, Vol. 360, 2004, pp. 5-33.
34. I. Anshel, M. Anshel, and D. Goldfeld, "Non-abelian key agreement protocols," Discrete Applied Mathematics, Vol. 130, 2003, pp. 3-12.
35. J. S. Birman and T. E. Brendle, "Braids: a survey," arXiv Report math/0409205, 2004.
36. M. J. Campagna, "Algorithms in braid groups," Advances in Mathematics, Vol. 167, 2002, pp. 142-159.
37. P. Syverson, "Weakly secret bit commitment: applications to lotteries and fair exchange," in Proceedings of the 11th IEEE Computer Security Foundations Workshop, 1998, pp. 2-13.
38. K. Kobayashi, H. Morita, M. Hakuta, and T. Nakanowatari, "An electronic soccer lottery system that uses bit commitment," IEICE Transactions on Information and Systems, Vol. E83-D, 2000, pp. 980-987.
39. C. K. Chu and W. G. Tzeng, "Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries," in Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography, LNCS 3386, Springer, 2005, pp. 172-183.

Li-Cheng Wang (王励成) received his B.S. degree in Computer Science from North-West Normal University in 1995 and his M.S. degree in Mathematics from Nanjing University in 2001. He is currently a Ph.D. candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His research interests lie in cryptography and network security.
Zhen-Fu Cao (曹珍富) is a professor and doctoral supervisor in Computer Software and Theory at the Department of Computer Science of Shanghai Jiao Tong University. His main research areas are number theory, modern cryptography, and the theory and technology of information security. He received the Ying-Tung Fok Young Teacher Award (1989), the First Ten Outstanding Youth in Harbin award (1996), the Best Ph.D. Thesis Award of Harbin Institute of Technology (2001) and the National Outstanding Youth Fund in 2002.
Feng Cao (曹峰) received his B.S. and M.S. degrees (in Algebra) from the Department of Mathematics of West Guang Xi Normal University, China, in 2000 and 2003, respectively, and is now a Ph.D. candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His main research interests include network security, cryptography and number theory.

Hai-Feng Qian (钱海峰) received his B.S. and M.S. degrees (in Algebraic Geometry) from the Department of Mathematics of East China Normal University, China, in 2000 and 2003, respectively, and is now a Ph.D. candidate in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. His main research interests include network security, cryptography and algebraic geometry.

Hai-Yong Bao (鲍海勇) received his B.S. degree in Automation and his M.S. degree in Control Theory and Control Engineering from China University of Mining and Technology in 2000 and 2003, respectively. He is now a Ph.D. candidate in Computer Science and Technology at Shanghai Jiao Tong University. His main research areas are cryptography and electronic commerce.