CS 647B Advanced Cryptography
Problem set #2
due on Tuesday February 29, 2000
Design a perfectly concealing bit commitment scheme that allows Peggy or Piggy to commit to bits in a statistically binding way with respect to Vic.
Vic picks a random n=p*q, where p,q are secret large primes.
Vic sends n and y, a random quadratic residue mod n.
Vic proves to Peggy, in Zero-Knowledge, that y is in QRn.
Peggy commits to b as r2yb mod n for a random r.
Peggy unveils by disclosing b,r.
Suppose, Peggy uses these bit commitments to run the zero-knowledge proof we have seen for graph 3-COL. We have argued in class that the resulting protocol is statistical zero-knowledge. Explain why this protocol CANNOT be perfect zero-knowledge.
Show how Alice and Bob can implement OTk(m) given the binary primitive OT as a subroutine.
Show how Alice can commit to a bit using OT as a subroutine.
Show how Bob can commit to a bit using OT as a subroutine.
In each case, count the total number of OTs necessary.
Show that if MAJ(B0)<>MAJ(B1) then the probability of successfully proving B0=B1 is exponentially small in n.
Let B2 be the SUPER-BC remaining after proving B0=B1.
Show that if MAJ(B0)=MAJ(B1)=b then the probability that MAJ(B2)<>b and successfully proving B0=B1 is exponentially small in n.
Conclude that Rudichs construction is a valid implementation of Bit Commitment with Equality regardless of the Provers behavior.