Bit commitment using pseudorandomness

Moni Naor
1991 Journal of Cryptology  
We show how a pseudo-random generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudo-random generators suffices to assure amortized O(1) bits of communication per bit commitment.

A current research program in cryptography is to base security on assumptions that are as general as possible. Past successes of the program had been in establishing various [...]s on the existence of one-way functions or permutations, or on the existence of trapdoor functions. The most general (computational complexity) assumption under which bit commitment was known to be possible is that one-way permutations exist [GMW1]. In this paper we show that given any pseudo-random generator, a bit commitment protocol can be constructed. This is a weaker condition, since Yao [Yao] has shown that pseudo-random generators can be based on one-way permutations. A pseudo-random generator is a function that maps a string (the seed) to a longer one, such that if the seed is chosen at random, then the output is indistinguishable from a truly random distribution for all polynomial-time machines. Very recently, Impagliazzo, Levin and Luby [ILL] have shown that given any one-way function (not necessarily a permutation), a pseudo-random generator can be constructed (under non-uniform assumptions), and Hastad [H] has shown the same under uniform assumptions. On the other hand, Impagliazzo and Luby [IL] have argued that the existence of one-way functions is a prerequisite for any protocol that must rely on computational complexity. Thus we can conclude that if any computational-complexity-based cryptography is possible, then bit commitment protocols exist, and so do the protocols that rely on bit commitment, such as zero-knowledge proofs and identification schemes.

What is the communication complexity of a bit commitment protocol (i.e. how many bits must be transferred during the execution of the protocol)? It cannot be the case that only a fixed number of bits is exchanged during the execution of the protocol: otherwise, after the commit stage, Bob can guess with non-negligible probability what Alice would send in the revealing stage, verify that the guess is consistent with what she has sent so far, and deduce the value of the bit.
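The commit and reveal stages of a bit commitment built from a pseudo-random generator, as an added example that is not code from the paper. It follows the usual textbook presentation of Naor's scheme (Bob sends a random string r of three times the seed length; Alice commits to b as G(s) if b = 0 and G(s) XOR r if b = 1, then reveals s and b), with the generator G instantiated by SHAKE256 purely as a stand-in, which is an assumption of this example. The brute-force function carries out the guess-and-verify attack described above for a deliberately tiny seed, and the last function shows why r must be Bob's random choice rather than something Alice can influence.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Added example: commit/reveal from a pseudo-random generator G that maps an
# n-byte seed to 3n bytes. G is instantiated with SHAKE256 only as a stand-in
# for "any pseudo-random generator" (an assumption of this example, not a claim
# of the paper). The paper counts n in bits; bytes are used here for convenience.


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in pseudo-random generator: stretches `seed` to `out_len` bytes."""
    return hashlib.shake_256(seed).digest(out_len)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bob_challenge(n: int) -> bytes:
    """Commit stage, Bob's message: a uniformly random string r of 3n bytes."""
    return secrets.token_bytes(3 * n)


def alice_commit(bit: int, r: bytes, seed: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Commit stage, Alice's message: c = G(s) if bit == 0, c = G(s) XOR r if bit == 1.

    Returns (c, s); Alice keeps s secret until the reveal stage.
    """
    n = len(r) // 3
    if seed is None:
        seed = secrets.token_bytes(n)
    y = prg(seed, 3 * n)
    c = y if bit == 0 else xor(y, r)
    return c, seed


def bob_verify(c: bytes, r: bytes, bit: int, seed: bytes) -> bool:
    """Reveal stage: Alice sends (bit, s); Bob recomputes and compares."""
    y = prg(seed, len(r))
    expected = y if bit == 0 else xor(y, r)
    return expected == c


def bob_brute_force(c: bytes, r: bytes) -> List[Tuple[bytes, int]]:
    """The guess-and-verify attack from the text: enumerate every (s, bit) that
    Alice could reveal and keep those consistent with c. Feasible only when the
    seed is tiny, which is why the reveal message cannot be a fixed, short
    number of bits."""
    n = len(r) // 3
    hits = []
    for s_int in range(256 ** n):
        seed = s_int.to_bytes(n, "big")
        for bit in (0, 1):
            if bob_verify(c, r, bit, seed):
                hits.append((seed, bit))
    return hits


def equivocating_challenge(seed0: bytes, seed1: bytes) -> bytes:
    """A challenge r for which one c opens as either bit:
    r = G(seed0) XOR G(seed1), so G(seed1) XOR r == G(seed0) == c.

    For a random r this happens with probability at most 2^(2k) / 2^(3k) = 2^-k
    (k = seed length in bits): there are only 2^(2k) seed pairs but 2^(3k)
    possible values of r. This is why r is Bob's random choice and why it is
    three times as long as the seed."""
    n = len(seed0)
    return xor(prg(seed0, 3 * n), prg(seed1, 3 * n))


if __name__ == "__main__":
    r = bob_challenge(16)
    c, s = alice_commit(1, r)
    print("honest open as 1:", bob_verify(c, r, 1, s))
    print("open as 0 fails:", bob_verify(c, r, 0, s))
    tiny_r = bytes.fromhex("a1b2c3")  # constructed 3-byte challenge, n = 1
    tiny_c, tiny_s = alice_commit(0, tiny_r, seed=bytes([0x2A]))
    print("brute force recovers:", bob_brute_force(tiny_c, tiny_r))
```

With a one-byte seed the brute force finishes in 512 verifications and the true (s, bit) pair is always among the hits; with a 16-byte seed the same loop is infeasible, which is the whole content of the hiding argument. The equivocating challenge only exists when r is not chosen at random by Bob: a cheating Alice who could pick r, or a Bob who colludes with her, defeats binding.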
However, in many applications Alice wants to commit to a collection of bits b_1, b_2, ..., b_m that are to be revealed at the same time. These applications include coin flipping over the phone and zero-knowledge protocols such as that of Impagliazzo and Yung [IY]. Furthermore, Kilian, Micali and Ostrovsky [KMO] have shown that many of the known protocols for zero knowledge can be converted to ones that have this property. Therefore it is desirable to amortize the communication complexity of bit commitment. We show that if m is large enough, at least linear in the security parameter n, then Alice can commit to b_1, b_2, ..., b_m while exchanging only O(1) bits per bit commitment. The total computational complexity of the protocol is the same as the complexity of the
doi:10.1007/bf00196774