%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%
%% LECTURE 8: BIT COMMITMENT SCHEMES WITH POLYNOMIAL TIME PROVER %%
%% %%
%% ISABELLE DECHENE %%
%% %%
%% ADVANCED CRYPTOGRAPHY %%
%% 308-647 B %%
%% %%
%% JANUARY 28th, 2000 %%
%% %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% DOCUMENT SETTING %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\documentclass[12pt,twoside]{article}
\usepackage{amssymb}
\usepackage{amsmath}
\pagestyle{headings}
\setlength{\baselineskip}{0.7cm}
\setlength{\parskip}{0.3cm}
\newcounter{numero}[section]
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% PERSONALIZED COMMANDS %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\def\N{{\mathbb{N}}}
\def\Z{{\mathbb{Z}}}
\def\Q{{\mathbb{Q}}}
\def\R{{\mathbb{R}}}
\def\C{{\mathbb{C}}}
\def\P{{\bf{P}}}
\def\V{{\bf{V}}}
\def\L{{\cal{L}}}
\def\ssi{\Longleftrightarrow}
\def\mod{\mbox{ mod }}
\def\tmod{{\tiny{\mod}}}
\newcommand{\tmbox}[1]{\mbox{{\tiny{#1}}}}
\newcommand{\stackl}[1]{\stackrel{#1}{\longleftarrow}}
\newcommand{\stackr}[1]{\stackrel{#1}{\longrightarrow}}
\newcommand{\no}[0]{\stepcounter{numero}\arabic{section}.\arabic{numero}\ }
% The name of the definition (#1) was silently dropped; print it after the number, as \examplename does.
\newcommand{\defn}[2]{\par\noindent{{\bf Definition \no :} #1\\}{#2}\par}
\newcommand{\example}[1]{\par\noindent{{\bf Example \no :} \\}{#1}\par}
\newcommand{\examplename}[2]{\par\noindent{{\bf Example \no :} #1\\}{#2}\par}
\newcommand{\note}[1]{\par\noindent{{\bf Note \no :} \ }{#1}\par}
\newcommand{\notes}[1]{\par\noindent{{\bf Notes \no :} \ }{#1}\par}
\newcommand{\remark}[1]{\par\noindent{{\bf Remark \no :} \ }{#1}\par}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% SECTION: BIT COMMITMENT SCHEMES WITH POLYNOMIAL TIME PROVER %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\setcounter{section}{7}
\section[B.C. Schemes with Polynomial Time Prover]
{Bit Commitment Schemes with Polynomial Time Prover}
So far, it was really practical to assume that Peggy (\P), the prover,
had infinite computational power.
We will now put ourselves in a different context by restricting
the power of \P.
As we will see, this also has its advantages...
So, we now seek the following:
\begin{center}
\begin{tabular}{ll}
Binding: & Computational \\
Concealing: & Perfect/Statistical \\
\end{tabular}
\end{center}
Here, the game will be quite different since we will
no longer assume that the prover has infinite power, but
rather that he is only {\bf{probabilistic polynomial time}} bounded,
just as the verifier, {\it{Vic}} (\V), is.
That is, the prover is no more powerful than the verifier.
Therefore, \P may know the solution to a particular problem instance,
but be unable to compute one for it from scratch (!)
\examplename{Factoring}
{
Say Peggy picks two large prime numbers $p$ and $q$
and then let $n:=p \cdot q$,
BUT she can no longer factor a given $n'$ easily
if she has no prior knowledge about it.
}
\examplename{Graph Isomorphism}
{
\begin{center}
\fbox{
\begin{tabular}{lcl}
\P & $G_0 \approx G_1$ & \V \\
& & \\
& $\stackl{ZK(G_0 \approx G_1)}$ & \\
$commit(b)$ & & \\
$G \approx G_b$ & $\stackr{G}$ & \\
$unveil(b)$ & $\stackr{b,\pi}$ & $G=\pi(G_b)$ \\
\end{tabular}
}
\end{center}
This is perfectly concealing, but
here Peggy is unable to find by herself an isomorphism between the graphs.
}
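The graph isomorphism commitment drawn above, as an added example that is not part of the original notes. The graphs $G_0$, $G_1$ and the hidden isomorphism \texttt{SIGMA} are constructed toy values; in the setting of the notes Vic knows such an isomorphism and Peggy does not. The last function shows the binding argument: two valid openings of one committed graph, one for each bit, hand over an isomorphism $G_0 \approx G_1$.

```python
import secrets

# A graph is a pair (n, edges) with edges a frozenset of (u, v), u < v.
# Constructed toy instance: G1 is a relabelling of G0 by the isomorphism SIGMA,
# which plays the role of the secret Peggy cannot compute on her own.
G0 = (4, frozenset({(0, 1), (1, 2), (2, 3)}))   # the path 0-1-2-3
SIGMA = [2, 0, 3, 1]                              # vertex i of G0 becomes SIGMA[i]


def apply_perm(pi, graph):
    """Relabel every vertex u of the graph as pi[u]."""
    n, edges = graph
    return n, frozenset(tuple(sorted((pi[u], pi[v]))) for u, v in edges)


G1 = apply_perm(SIGMA, G0)


def random_perm(n):
    """Uniformly random permutation of range(n) (Fisher-Yates driven by a CSPRNG)."""
    pi = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    return pi


def invert_perm(pi):
    """Inverse permutation: invert_perm(pi)[pi[u]] == u."""
    inv = [0] * len(pi)
    for i, v in enumerate(pi):
        inv[v] = i
    return inv


def commit(b, g0=G0, g1=G1):
    """Peggy commits to bit b by sending a fresh random isomorphic copy G of G_b.
    Since G0 and G1 are isomorphic, G has the same distribution for b = 0 and
    b = 1, so the commitment is perfectly concealing."""
    if b not in (0, 1):
        raise ValueError("single bit expected")
    pi = random_perm(g0[0])
    return apply_perm(pi, (g0, g1)[b]), pi


def verify_opening(G, pi, b, g0=G0, g1=G1):
    """Vic checks G = pi(G_b) for the unveiled (b, pi)."""
    return b in (0, 1) and apply_perm(pi, (g0, g1)[b]) == G


def isomorphism_from_double_opening(pi0, pi1, g0=G0, g1=G1):
    """Binding: if some G opens both as pi0(G0) and as pi1(G1), then
    pi1^{-1} o pi0 maps G0 onto G1, the very isomorphism Peggy cannot find.
    Returns it, or None if the two openings are not both valid for one G."""
    inv1 = invert_perm(pi1)
    sigma = [inv1[pi0[u]] for u in range(len(pi0))]
    return sigma if apply_perm(sigma, g0) == g1 else None
```

A polynomial time Peggy can run \texttt{commit} and \texttt{verify\_opening} exactly as an unbounded prover would; what she cannot do is produce the second opening, because that would mean computing the output of \texttt{isomorphism\_from\_double\_opening} on her own.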
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% BASED ON FACTORING %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Based on Factoring}
\begin{center}
\fbox{
\begin{tabular}{lcl}
\P & & \V \\
& & Pick large primes $p$, $q$. \\
& & Let $n:=p \cdot q$. \\
& & Let $z:=x^2 \mod n$. \\
& $\stackl{n,z}$ & \\
& $\stackl{ZK(z \in QR_n)}$ & \\
$commit(b)$ & & \\
Pick $r \in_R \Z_n$ & $\stackr{r^2 \cdot z^b \tmod n}$ & \\
$unveil(b)$ & $\stackr{r,b}$ & \\
\end{tabular}
}
\end{center}
\notes{
\begin{itemize}
\item Deciding the $QR_n$ problem does not require an infinitely powerful prover,
so \V {\it{can}} show here in ZK that $z \in QR_n$.
\item $b$ is not uniquely determined by the commitment.
Indeed, it is possible that $r_0^2 \cdot z^0=r_1^2 \cdot z^1$.
If so, $r_0^2=r_1^2 \cdot z$ and then $(r_0/r_1)^2=z$.
That is, $r_0/r_1$ is a square root of $z$,
and computing square roots modulo $n$ is, as we know, equivalent to factoring $n$.
\item For $r$ chosen randomly, the distribution of $r^2 \mod n$ is the same
as the distribution of $r^2 \cdot z \mod n$.
Hence, the quantity $r^2 \cdot z^b \mod n$ is meaningless to \V.
\item Concealing, here, is only statistical.
Indeed, suppose that $z \in QNR_n$.
If \P becomes convinced that $z \in QR_n$
even though in truth $z \in QNR_n$
(recall that this can happen, but only with exponentially small probability),
then the above process is not concealing.
On the other hand, concealing is perfect whenever we really have $z \in QR_n$.
\item \V can easily determine whether some element is a quadratic residue or not,
since he knows the factors $p$ and $q$!
\end{itemize}
}
\noindent
Now, let $b_1$ and $b_2$ be two bits committed to in the above process,
with random values $r$ and $s$ respectively.\\
Then, $(r^2 \cdot z^{b_1}) \cdot (s^2 \cdot z^{b_2}) = (rs)^2 \cdot z^{b_1+b_2}$.
So we have:
$$\begin{array}{|c|c|}
\hline
\mbox{If} & \mbox{Then} \\ \hline\hline
& \\
b_1=b_2=0 & \sqrt{(rs)^2 \cdot z^{b_1+b_2}}=rs \\[0.9ex]
b_1=b_2=1 & \sqrt{(rs)^2 \cdot z^{b_1+b_2}}=rs \cdot z \\[0.9ex]
b_1\not=b_2 & \sqrt{(rs)^2 \cdot z}=rs \cdot \underbrace{\sqrt{z}}_{\tmbox{We don't know it!}} \\ \hline
\end{array}$$
Finally, we get:
$$b_1=b_2 \ssi \mbox{ \P knows } \ \sqrt{(rs)^2 \cdot z^{b_1+b_2}}$$
Furthermore, we can introduce the following modifications in order
to be able to commit to several bits at the same time:
\begin{center}
\fbox{
\begin{tabular}{lcl}
\P & & \V \\
& & Pick large primes $p$, $q$. \\
& & Let $n:=p \cdot q$. \\
& & Pick $z_1, \ldots, z_k \in QR_n$. \\
& $\stackl{n,z_1, \ldots, z_k}$ & \\
& $\stackl{\tmbox{For each }i,\ ZK(z_i \in QR_n)}$ & \\
$commit(b_1 \ldots b_k)$ & & \\
Pick $r \in_R \Z_n$ & $\stackr{r^2 \cdot z_1^{b_1} \ldots z_k^{b_k} \tmod n}$ & \\
$unveil(b_1 \ldots b_k)$ & $\stackr{r,b_1,\ldots, b_k}$ & \\
\end{tabular}
}
\end{center}
As above, for $r$ chosen randomly, the quantity $(r^2 \cdot z_1^{b_1} \ldots z_k^{b_k} \mod n)$
is a random quadratic residue.
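The factoring-based scheme, as an added example that is not part of the original notes; it covers the single-bit protocol and its notes, the equality test obtained from the product of two commitments, and the $k$-bit generalization just given. The modulus $n = 7 \cdot 11$, the root $x = 2$ and all numeric values are constructed toy parameters. Two details are assumptions of this example rather than statements of the notes: $r$ is drawn from $\Z_n^*$ so that $r_0/r_1$ is always defined, and the equality proof reveals $rs \cdot z^{b_1}$ in the clear (it shows that $b_1=b_2$ without unveiling the common value).

```python
from math import gcd
import secrets

# Constructed toy parameters: n = 7 * 11 and z = x^2 mod n with x = 2.
# Vic keeps p, q and x to himself; Peggy sees only n and z.
P_, Q_ = 7, 11
N = P_ * Q_
X = 2
Z = pow(X, 2, N)


def random_unit(n):
    """Uniform r in Z_n^* (invertible mod n), so that r0 / r1 below is defined."""
    while True:
        r = secrets.randbelow(n)
        if gcd(r, n) == 1:
            return r


def product(r, bits, zs, n):
    """r^2 * z_1^{b_1} * ... * z_k^{b_k} mod n: the committed value for a bit string."""
    c = pow(r, 2, n)
    for b, z in zip(bits, zs):
        c = c * pow(z, b, n) % n
    return c


def commit(b, z=Z, n=N):
    """Peggy commits to bit b: send r^2 * z^b mod n for a fresh random r."""
    if b not in (0, 1):
        raise ValueError("single bit expected")
    r = random_unit(n)
    return product(r, [b], [z], n), r


def verify_opening(c, r, b, z=Z, n=N):
    """Vic recomputes r^2 * z^b from the unveiled (r, b) and compares it with c."""
    return b in (0, 1) and c == product(r, [b], [z], n)


def sqrt_from_double_opening(r0, r1, z=Z, n=N):
    """If c = r0^2 = r1^2 * z (mod n) then (r0 / r1)^2 = z: a square root of z.
    Returns it, or None if the two openings do not both match one commitment."""
    if pow(r0, 2, n) != pow(r1, 2, n) * z % n:
        return None
    return r0 * pow(r1, -1, n) % n


def split_modulus(w, x, n=N):
    """Two square roots w, x of the same z with w != +-x give gcd(w - x, n) in {p, q}.
    This is the 'square roots are equivalent to factoring' step of the notes."""
    d = gcd((w - x) % n, n)
    return d if 1 < d < n else None


def prove_equal(r, b1, s, b2, z=Z, n=N):
    """Peggy shows b1 == b2 without unveiling the bits: she reveals w = r*s*z^{b1},
    a square root of c1*c2 = (rs)^2 * z^{b1+b2}.  If b1 != b2 she would need sqrt(z)."""
    if b1 != b2:
        return None
    return r * s * pow(z, b1, n) % n


def check_equal(c1, c2, w, n=N):
    """Vic's side of the equality proof: w^2 must equal c1 * c2 mod n."""
    return pow(w, 2, n) == c1 * c2 % n


def commit_bits(bits, zs, n=N):
    """k-bit generalization: one r, send r^2 * z_1^{b_1} ... z_k^{b_k} mod n."""
    if len(bits) != len(zs) or any(b not in (0, 1) for b in bits):
        raise ValueError("one bit per quadratic residue expected")
    r = random_unit(n)
    return product(r, bits, zs, n), r


def verify_bits(c, r, bits, zs, n=N):
    """Vic's check for the k-bit unveiling (r, b_1, ..., b_k)."""
    return (len(bits) == len(zs) and all(b in (0, 1) for b in bits)
            and c == product(r, bits, zs, n))
```

The value $23$ used in the accompanying checks opens both as $(45, 0)$ and $(5, 1)$ modulo $77$; \texttt{sqrt\_from\_double\_opening} turns that pair into the root $9$ of $z = 4$, and since $9 \not\equiv \pm 2$, \texttt{split\_modulus} recovers the factor $7$. Finding such a pair is therefore as hard as factoring $n$, which is exactly what computational binding means here.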
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% BASED ON DISCRETE LOG (DLP) %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Based on Discrete Log (DLP)}
Let $p$ be a (strong) prime, $g$ a generator of $\Z_p^*$ and
$\alpha:=g^s \mod p$, for some exponent $s$.
\begin{center}
\fbox{
\begin{tabular}{lcl}
\P & & \V \\
$commit(b)$ & & \\
Pick a random $r$ & $\stackr{g^r \cdot \alpha^b \tmod p}$ & \\
$unveil(b)$ & $\stackr{r,b}$ & \\
\end{tabular}
}
\end{center}
\noindent
The task of Vic is to convince Peggy that he {\it{knows}} the discrete logarithm of $\alpha$.
\note{In order to test whether $p$ is prime or not, one can use
Rabin's test\footnote{One could also use the probabilistic
algorithm of Goldwasser-Kilian, which
runs in polynomial time ($\approx n^{32}$).
}.
In this case, concealing would only be statistical.
We can make it perfectly concealing by simply requiring that
{\it{``\P is willing to participate''}}\footnote{Meaning that \P will
collaborate (or be forced by an external judge to collaborate!) until
the end of the protocol is reached.}.
}
For given $r_0$ and $r_1$, we have that:
$$g^{r_0} \cdot \alpha^0 = g^{r_1} \cdot \alpha^1
\Longrightarrow
g^{r_0} = g^{r_1} \cdot \alpha
\Longrightarrow
g^{r_0-r_1} \equiv \alpha\ (\mod p)
$$
Therefore,
\begin{center}
Breaking the binding property \\
{\it{is equivalent to}} \\
finding the discrete logarithm of $\alpha$ \\
\end{center}
Hence, the protocol is computationally binding.
Finally, one can do a similar generalization as in the preceding case (factoring)
by replacing the single value $\alpha$ by, say, $\alpha_1,\alpha_2, \ldots, \alpha_k$.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% INTERACTIVE ARGUMENTS %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Interactive Arguments}
Although so far we had no trouble going from
an infinitely powerful prover to a probabilistic polynomial time one,
this is not always the case.
\example{
For the three-colorability of a graph, $3$-$COL$,
if we followed the same approach as before,
the protocol would {\it{still}} be zero-knowledge,
but would no longer be an interactive {\it{proof}}.
Indeed, an evil {\it{all powerful}} \P' could prove false statements to \V.
However, an evil {\it{polynomial time}} \P' cannot succeed in
proving false statements to \V with high probability (because of the {\it{bit
commitment}} on the coloring of the graph).
}
\noindent
This motivates the following definition:
\defn{Interactive Argument OR Computationally Sound Interactive Proof}
{Let $\L$ be a language.
A {\sl{question-answer}} protocol satisfying:
\begin{itemize}
\item $\forall x \in \L$, $\Pr[(\P,\V)(x) \mbox{ accepts}] > 2/3$
\item $\forall x \notin \L$,
$\forall$ \P' {\it{probabilistic polynomial time}},
$\Pr[(\P',\V)(x) \mbox{ accepts}] < 1/3$
\end{itemize}
\noindent
is called an {\it{interactive argument}} or
a {\it{computationally sound interactive proof}}.
}
\remark{Although the terminology {\it{interactive argument}} is widely used
in the literature, we will here prefer {\it{computationally sound
interactive proof}} since in our exposition, we first started with
interactive proofs and {\sl{then}} weakened the concept.}
\note{With computationally sound interactive proofs,
breaking the commitment {\it{has}} to be done ``on line''.
So, unlike with interactive proofs, we cannot come back after the protocol
is over and work off line.
Hence, if we want to cheat, it has to be done in {\it{real time}}.
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% END %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}