How to Simultaneously Exchange Secrets by General Assumptions

Tatsuaki Okamoto*   Kazuo Ohta
NTT Laboratories
1-2356, Take, Yokosuka-shi, Kanagawa-ken, 238-03 Japan
change protocol is based on constrained assumptions such as specific number theoretic problems and the existence of oblivious transfer primitives (or trap-door one-way permutations).

• In addition to the above-mentioned assumptions, any existing simultaneous secret exchange protocol requires the other assumption that the underlying commit (encryption) function is "ideal" (or "uniformly secure" [EGL]).

Therefore, no secret exchange protocol which is efficient and provably secure under a general assumption such as the existence of one-way permutations and one-way functions has been proposed.

1.3 Results of this paper

This paper proposes the first secret exchange (gradual secret releasing) protocols that solve these problems. That is, the proposed protocols are efficient and provably secure under general assumptions such as the existence of one-way permutations and one-way functions².

We propose three protocols. The first one (Protocol 1) is based on one-way permutations, and is the most practical of the three. The second (Protocol 2) is based on one-to-one one-way functions, and is slightly less practical than the first one. Protocols 1 and 2 are applicable to both contract signing and certified mail. The third (Protocol 3) is based on regular one-way functions, and is almost as efficient as the first one but is applicable only to contract signing and not to certified mail (since Protocol 3 is a "weak" gradual secret releasing protocol, while Protocols 1 and 2 are gradual secret releasing protocols).

The key technique in our schemes is to utilize many one-way functions with series of security parameters which are selected from the same one-way function family. Informally, our schemes have the following feature: first, an $n$ bit secret $s$ is committed to, and when $(n-i)$ bits of $s$ have been released ($i = n, n-1, \ldots, 1$), the problem of revealing the remaining $i$ bits is the same as the problem of inverting a function $F_i$ selected from a family of one-way permutations/functions $\mathcal{F}$, where $i$ is the security parameter of this function.

1.4 Organization of this paper

This paper is organized as follows. Section 3 gives the definitions of one-way functions/permutations and "secure" gradual secret releasing protocols (and simultaneous secret exchange protocols). In section 4, a gradual secret releasing protocol based on a one-way permutation (Protocol 1) is presented, in section 5, a gradual secret releasing protocol based on a one-to-one one-way function (Protocol 2) is presented, and in section 6, a weak gradual secret releasing protocol based on a regular one-way function (Protocol 3) is presented. Section 7 compares the characteristics of Protocols 1, 2 and 3, and the applicability of these protocols to contract signing and certified mail protocols.

² Note that the efficiency of the underlying one-way function is trivially required for any protocol which is efficient.

2 Notations

• $x \in_U D$ denotes that $x$ is selected from set $D$ randomly and uniformly.
• $x \| y$ denotes the concatenation of string $x$ and string $y$.
• $|x| = \lceil \log_2 x \rceil$. When $A$ is a set, $\#A$ denotes the number of the elements of $A$.
• $[x]_a$ denotes the least $a$ bits of $x$, $[x]^a$ denotes the most $a$ bits of $x$.
• $x \odot y$ denotes the binary inner product of $x$ and $y$. That is, when $x$ and $y$ are $n$ bit strings such that $x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_n)$, $x \odot y = x_1 y_1 \oplus x_2 y_2 \oplus \cdots \oplus x_n y_n$.
• Let function $f : D \to C$. $D$ is called the domain, and is denoted by $\mathrm{Dom}(f)$, and $C$ is called the codomain. $\mathrm{Im}(f)$ denotes the image of function $f$ of $D$ ($\mathrm{Im}(f) \subseteq C$). If $C = \mathrm{Im}(f)$, $f$ is called onto. For $y \in \mathrm{Im}(f)$, $f^{-1}(y) = \{x \mid x \in D, f(x) = y\}$ is called the preimage of $y$. If for any $y \in \mathrm{Im}(f)$, $\#f^{-1}(y) = 1$, then $f$ is called one-to-one.
• $f \circ g(x) = f(g(x))$.

3 Definitions

3.1 One-Way Functions and One-Way Permutations

Definition 3.1 A set of functions $\mathcal{F}$ is a family of one-way functions if
$$\mathcal{F} = \{ f_{\sigma_n} : D_{\sigma_n} \to C_{\sigma_n} \}_{\sigma_n \in I}$$
where $I$ is an infinite set (of indices), $\forall \sigma_n$, $D_{\sigma_n}$ is a finite set (the domain of $f_{\sigma_n}$), and $\forall \sigma_n$, $C_{\sigma_n}$ is a finite set (the codomain of $f_{\sigma_n}$), and the following conditions are satisfied.

• There exist probabilistic polynomial time algorithms $S_1$ and $S_2$ such that $S_1$, input $1^n$, samples $\sigma_n \in I$, and $S_2$, input $\sigma_n \in I$, samples $x \in D_{\sigma_n}$. Here we call $n$ the security parameter of $f_{\sigma_n}$.
• There exists a deterministic polynomial time algorithm, which, input $\sigma_n \in I$, and $x \in D_{\sigma_n}$, computes $f_{\sigma_n}(x)$.
• For any probabilistic polynomial time algorithm $A$, $\forall c > 0$, $\exists N_0$, $\forall n > N_0$,

The probability is taken over the coin flips of $A$ and the sample distributions of $\sigma_n$ and $x$.

Definition 3.2 A family of one-way functions $\mathcal{F}$ is called regular if, for all $f \in \mathcal{F}$ and all $y_1, y_2 \in \mathrm{Im}(f)$, $\#f^{-1}(y_1) = \#f^{-1}(y_2)$.

Definition 3.3 A family of one-way functions $\mathcal{F}$ is called with recognizable image if, for all $f \in \mathcal{F}$, $\mathrm{Im}(f)$ (the image of $f$) is polynomial time recognizable (or $\mathrm{Im}(f) \in \mathcal{P}$).

Definition 3.4 A family of one-way functions $\mathcal{F}$ is called a family of one-way permutations if, for all $f \in \mathcal{F}$, $f$ is one-to-one, and its domain and image are equivalent ($D = \mathrm{Dom}(f) = \mathrm{Im}(f)$), where $D$ is polynomial time recognizable (or $D \in \mathcal{P}$) and there exists a constant $c$ such that, for all $f \in \mathcal{F}$, $c \le \#D/2^M$. Here, $M = \min\{ m \mid D \subseteq \{0,1\}^m \}$.

Definition 3.5 A family of one-way permutations $\mathcal{F}$ is called tight if, for all $f \in \mathcal{F}$, its domain and image are $\{0,1\}^n$.

3.2 Simultaneous Secret Exchange and Gradual Secret Releasing Protocols

additional information (witness) $w_i$. After completion of the $(n-i+1)$-th step ($i = n-1, \ldots, 0$), $B$ outputs $\beta_i$, the most $(n-i)$ bits of $s_n$ (say $[s_n]^{n-i}$) along with $(w_{n-1}, \ldots, w_i)$.

A gradual secret releasing protocol, $(A, B)$, is secure if the following properties are satisfied:

Completeness: If both parties, $A$ and $B$, follow the protocol, then $B$ outputs $s_n$ along with $w = (w_{n-1}, \ldots, w_0)$ with probability 1.

Soundness: Assume that $B$ follows the protocol. For any $A^*$, for any $i$ ($0 \le i \le n-1$), if $(A^*, B)$ completes the first $(n-i+1)$ steps, then $B$ outputs $[s_n]^{n-i}$ along with $(w_{n-1}, \ldots, w_i)$. Here, there exists a polynomial time predicate $P$ such that $P(i, C_n, X_n, \beta_i) = 1$ if and only if $\beta_i = ([s_n]^{n-i}, (w_{n-1}, \ldots, w_i))$.

Fairness: $\mathcal{F}$ is a family of "one-way" permutations/functions. Assume that $A$ follows the protocol. At the $(n-i+1)$-th step ($i = n-1, \ldots, 0$), when $i$ bits of $s_n$ are unreleased, the information (distribution), $H_i$, which $B$ is given from the beginning through the $(n-i+1)$-th step, includes $X_i = F_{C_i}(s_i)$, where $s_i$ is the least $i$ bits of $s_n$ (or the unreleased bits of $s_n$ at this step), and $C_i$ ($i$: security parameter) is a part of $C_n$. Then, there exists a probabilistic polynomial time machine $M$ (simulator) such that, for any $B^*$, for any $i \in \{0, \ldots, n-1\}$, for any $C_i$, for any $X_i$, $H_i \mid (i, C_i, X_i)$ is perfectly indistinguishable to (or equivalent to) $M^{B^*}(i, C_i, X_i)$. Here, $H_i \mid (i, C_i, X_i)$ denotes the conditional distribution under that $H_i$ includes $(i, C_i, X_i)$, where the probability is taken over $A$'s coin flips.
always uniquely revealed. That is, after $s_n$ is committed to in the commitment stage, $s'_n$ which is different from $s_n$ can be revealed, if $s'_n$ is verified as the committed value. In other words, multiple values can be valid for one committed value in the "weak" gradual secret releasing protocol. Note that, however, an honest party releases the value which (s)he committed to.

A weak gradual secret releasing protocol, $(A, B)$, is secure if the following properties are satisfied:

• Completeness: Same as Definition 3.6.
• Soundness: Assume that $B$ follows the protocol. For any $A^*$, for any $i$ ($1 \le i \le n$), if $(A^*, B)$ completes the first $(n-i+1)$ steps, then $B$ outputs $[s_n^*]^{n-i}$ along with $(w_{n-1}^*, \ldots, w_i^*)$. Here, $s_n^*$ is one of the valid revealing values of $A^*$'s commitment to $s_n$, and $(w_{n-1}^*, \ldots, w_i^*)$ is the corresponding witness. There exists a polynomial time predicate $P$ such that $P(i, C_n, X_n, \beta_i) = 1$ if and only if $\beta_i = ([s_n^*]^{n-i}, (w_{n-1}^*, \ldots, w_i^*))$.
• Fairness: Same as Definition 3.6.

Note: Generally, more than 1 bit of secret information can be released (e.g., Protocol 3 in this paper).

Step 2 $A$ sends $(\sigma_1, \sigma_2, \ldots, \sigma_n)$, and $X$ to $B$ to commit to $A$'s secret $x$.

Step 3 When $B$ receives them, $B$ checks whether $(\sigma_1, \sigma_2, \ldots, \sigma_n)$ are valid for the parameters of $\mathcal{F}$, and whether $X \in \{0,1\}^n$. If they do not hold, $B$ halts the protocol. Otherwise, $B$ writes $(\sigma_1, \sigma_2, \ldots, \sigma_n)$, $X$ on the output tape.

[End of commitment stage]

Step 4 For $i = n, \ldots, 1$, repeat the following procedures sequentially. $A$ sends $x_i^*$ to $B$.

Step 5 When $i = n$, $B$ checks whether $X = f_{\sigma_n}(x_n^*)$ holds or not. When $i = n-1, \ldots, 1$, $B$ checks whether
$$[x_{i+1}^*]_i = f_{\sigma_i}(x_i^*).$$
If it does not hold, $B$ halts the protocol. Otherwise, $B$ writes $x_i$ and $x_i^*$ on the output tape. Here $x_i = [x_i^*]^1$.
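The commitment and release rounds of Protocol 1, as an added worked example; this is not code from the paper. Step 1 is not on this page, so the chaining $x_i^* = x_i \| f_{\sigma_{i-1}}(x_{i-1}^*)$ is taken from the Step 5 checks and from the form of $F_i$ in the proof of Theorem 4.1. The permutation family is a toy affine bijection on $\{0,1\}^i$ (an assumption for the demo; it is tight but trivially invertible, so nothing here is one-way). The script therefore exercises the checks $B$ performs, the extraction $x_i = [x_i^*]^1$, the halt on a tampered $x_i^*$, and the fact that $B$'s view at the step with $i$ bits unreleased contains exactly $F_i(x_i, \ldots, x_1)$.

```python
import secrets

# Added example (not from the paper). Bit strings of length i are Python
# ints in [0, 2^i); sigma[i] is the index of f_{sigma_i} (index 0 unused).
# The chaining x_i^* = x_i || f_{sigma_{i-1}}(x_{i-1}^*) is inferred from the
# Step 5 checks and the proof of Theorem 4.1; Step 1 is not on the page.

def toy_perm(sigma, x, i):
    """Stand-in for f_{sigma_i}: an affine bijection on {0,1}^i (odd a).
    NOT one-way; it only models the 'tight permutation' shape."""
    a, b = sigma
    return (a * x + b) % (1 << i)

def gen_params(n):
    """sigma_1..sigma_n: (odd multiplier, offset) per bit length i."""
    return [None] + [(secrets.randbelow(1 << i) | 1, secrets.randbelow(1 << i))
                     for i in range(1, n + 1)]

def commit(sigma, bits):
    """A's side. bits[k] is x_{k+1}, so bits = [x_1, ..., x_n].
    Returns the commitment X and the chain x_1^*..x_n^* (index 0 unused)."""
    n = len(bits)
    xs = [None] * (n + 1)
    xs[1] = bits[0]                                   # x_1^* = x_1 (1 bit)
    for i in range(2, n + 1):
        # x_i^* = x_i || f_{sigma_{i-1}}(x_{i-1}^*): i bits, top bit is x_i
        xs[i] = (bits[i - 1] << (i - 1)) | toy_perm(sigma[i - 1], xs[i - 1], i - 1)
    X = toy_perm(sigma[n], xs[n], n)                   # X = f_{sigma_n}(x_n^*)
    return X, xs

def F(sigma, i, low_bits):
    """F_i(x_i,...,x_1) = f_{sigma_i}(x_i || f_{sigma_{i-1}}(... f_{sigma_1}(x_1) ...)).
    low_bits = [x_1, ..., x_i]. With i bits still unreleased, this is the value
    B holds; learning the i bits early means inverting F_i."""
    acc = low_bits[0]
    for j in range(2, i + 1):
        acc = (low_bits[j - 1] << (j - 1)) | toy_perm(sigma[j - 1], acc, j - 1)
    return toy_perm(sigma[i], acc, i)

def verify_step(sigma, n, X, i, x_star, prev_star):
    """B's Step 5 check on the received x_i^*; prev_star is x_{i+1}^*."""
    if not 0 <= x_star < (1 << i):
        return False
    if i == n:
        return X == toy_perm(sigma[n], x_star, n)
    return (prev_star & ((1 << i) - 1)) == toy_perm(sigma[i], x_star, i)

def release(sigma, n, X, xs, tamper_at=None):
    """Steps 4-5: A sends x_n^*, ..., x_1^*; B verifies each and records
    x_i = [x_i^*]^1. tamper_at=i simulates a dishonest A altering x_i^*.
    Returns (bits released so far, in the order x_n..x_1; accepted?)."""
    revealed = []
    prev = None
    for i in range(n, 0, -1):
        x_star = xs[i] ^ 1 if i == tamper_at else xs[i]   # flip low bit (constructed fault)
        if not verify_step(sigma, n, X, i, x_star, prev):
            return revealed, False            # B halts the protocol
        revealed.append(x_star >> (i - 1))    # most significant bit of x_i^*
        prev = x_star
    return revealed, True

if __name__ == "__main__":
    n = 8
    sigma = gen_params(n)
    s_A = [secrets.randbelow(2) for _ in range(n)]   # constructed secret, [x_1..x_n]
    X, xs = commit(sigma, s_A)
    print("honest run:", release(sigma, n, X, xs))
    print("tampered at i=5:", release(sigma, n, X, xs, tamper_at=5))
```

Because the stand-in permutation is a bijection, any altered $x_i^*$ maps to a different image and fails the check at that very step, which is the soundness argument of Theorem 4.1 in miniature; with a genuine tight one-way permutation family the same structure additionally makes the unreleased $i$ bits as hard to obtain as inverting $F_i$.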
Note:
1. $f_{\sigma_i}$ can be commonly shared by many users. If so, the procedures for generating the parameters can be omitted from the above protocol.
2. $s_A$ corresponds to $s_n$ in Definition 3.6, and $[x_i^*]_{i-1}$ corresponds to $w_i$.

Theorem 4.1 If $\mathcal{F}$ is a family of tight one-way permutations, then Gradual secret releasing protocol 1 is secure.

Sketch of Proof:
Completeness: This is trivial.
Soundness: Assume that $B$ follows the protocol, and that $(A^*, B)$ completes the first $(n-i+1)$ steps. Then, for any strategy of $A^*$, the following are true (confirmed by $B$):
• The parameters of $\mathcal{F}$, $\sigma_j$ ($j = 1, \ldots, n$), are valid,
Then, $F_i$ is a permutation from $\{0,1\}^i$ to $\{0,1\}^i$, and $F_i(x_i, \ldots, x_1) = f_{\sigma_i}(x_i^*)$. Therefore, for any $X \in \{0,1\}^n$, there exists a unique $n$-bit string, $(x_n, \ldots, x_1)$, such that $X = F_n(x_n, \ldots, x_1)$. Therefore, a unique $s_A = (x_n, \ldots, x_1)$ is determined from the value $X$. Since $f_{\sigma_n}, \ldots, f_{\sigma_{i+1}}$ are also permutations over $\{0,1\}^n, \ldots, \{0,1\}^{i+1}$ respectively, there exists a unique vector of strings $(x_n^*, \ldots, x_{i+1}^*)$ satisfying the following equations.
$$X = f_{\sigma_n}(x_n^*),$$
$$[x_{j+1}^*]_j = f_{\sigma_j}(x_j^*) \quad (i \le n-2,\ i+1 \le j \le n-1).$$

probability is clearly constructed. If there exists a probabilistic polynomial time algorithm $P_2$ of inverting $F_i$ with nonnegligible probability, then a probabilistic polynomial time algorithm of inverting $f_{\sigma_i}$ with nonnegligible probability is also constructed. First, $\sigma_i$, and $z = f_{\sigma_i}(y)$ is given. Then, generate $\sigma_j$ ($j = 1, \ldots, i-1$). Here, $F_i$ is defined by $(\sigma_1, \ldots, \sigma_i)$. Then, run $P_2$ for inputs $(\sigma_1, \ldots, \sigma_i)$, and $z$, and obtain $(y_1, \ldots, y_i)$. So,
$$y = (y_i \| f_{\sigma_{i-1}}(y_{i-1} \| \cdots f_{\sigma_2}(y_2 \| f_{\sigma_1}(y_1)) \cdots)).$$
Thus, to invert $F_i$ is at least as difficult as to invert $f_{\sigma_i}$. Since $\mathcal{F} = \{f_{\sigma_i}\}$ is a family of one-way permutations, $\mathcal{F}^*$ is also a family of one-way permutations.

Next, we show the major part of the fairness condition. Let $H_i = (i, (\sigma_1, \ldots, \sigma_n), X, (x_n^*, \ldots, x_{i+1}^*))$ which $B$ is given from the beginning through the $(n-i+1)$-th step. $(x_n, \ldots, x_{i+1})$ can be calculated from $(x_n^*, \ldots, x_{i+1}^*)$ (or $H_i$). Clearly, $H_i$ includes
$$[x_{i+1}^*]_i = f_{\sigma_i}(x_i \| f_{\sigma_{i-1}}(x_{i-1} \| \cdots \| f_{\sigma_1}(x_1) \cdots)).$$
is exactly equivalent to the distribution of $((\sigma_{i+1}, \ldots, \sigma_n), w_{n+1}, (w_n, \ldots, w_{i+1})) \mid (i, (\sigma_1, \ldots, \sigma_i), z)$. □

Proposition 4.2 The computational complexity of Gradual secret releasing protocol 1 is $O(n\|\mathcal{F}\|)$, and the communication complexity is $O(n^2)$, where $\|\mathcal{F}\|$ denotes the complexity of computing $f_{\sigma_n}$ in $\mathcal{F}$. If $\|\mathcal{F}\| = O(n^3)$, then $O(n\|\mathcal{F}\|) = O(n^4)$.
Proof: From the definition of a one-way permutation, $g$ has the same domain and image, $D$, and there exists a constant $c$ ($0 < c \le 1$) such that for all $g \in \mathcal{G}$, $c \le \#D/2^n$, where $n = \min\{ m \mid D \subseteq \{0,1\}^m \}$. Let $h_i$ ($i = 1, \ldots, 2dn$) be $2dn$ independently selected random permutations (e.g., exclusive oring by a random string) from $\{0,1\}^n$ to $\{0,1\}^n$, where $d = 1/(\log(1/(1-c)))$, which is also a constant. $g^* : \{0,1\}^n \to \{0,1\}^n$ is defined as $g^*(x) = g(x)$ if $x \in D$ and $g^*(x) = x$ if $x \notin D$. Let
$$f = g^* \circ h_1 \circ g^* \circ h_2 \circ g^* \circ h_3 \circ \cdots \circ g^* \circ h_{2dn} \circ g^*.$$
$f$ is clearly a tight permutation, since $g^*$ and $h_i$ are tight permutations. The probability that there exists $x \in \{0,1\}^n$ such that $f(x) = h_1 \circ h_2 \circ h_3 \circ \cdots \circ h_{2dn}(x)$ is negligible, since for a value $x$, the probability that $(h_1, h_2, \ldots, h_{2dn})$ are selected such that $f(x) = h_1 \circ h_2 \circ h_3 \circ \cdots \circ h_{2dn}(x)$ is at most $(1-c)^{2dn} = (1/2)^{2n}$. Hence, $f$ is one-way with overwhelming probability, since for all $x \in \{0,1\}^n$, $g^*$ is operated at least once to calculate $f(x)$ with overwhelming probability. Thus, $f$ is a tight one-way permutation with overwhelming probability. □

When a one-way permutation, $g$, is specific, the conversion from $g$ to a tight one-way permutation, $f$, is more efficient. We show two typical examples: $g_1 : x \in \mathbb{Z}_{p-1} \mapsto (\alpha^x \bmod p) - 1 \in \mathbb{Z}_{p-1}$, and $g_2 : x \in \mathbb{Z}_N \mapsto x^e \bmod N \in \mathbb{Z}_N$. Here, $p$ is a prime and $\alpha$ is a generator of $\mathbb{Z}_p^*$, and $\gcd(\phi(N), e) = 1$ ($\phi(N)$ is Euler's totient function). Now let $n = |p-1|$ for $g_1$ and $n = |N|$ for $g_2$. We define $h : \{0,1\}^n \to \{0,1\}^n$ as

Protocol: (Gradual Secret Releasing Protocol 2)

Step 1 $A$ randomly generates the parameters (indices) of a family of one-to-one one-way functions with recognizable images $\mathcal{F}$, $\sigma_1, \sigma_2, \ldots, \sigma_n$. $A$ also selects $i$-bit random strings $x_i^*$ ($i = n, \ldots, 1$), (or $x_n^*, x_{n-1}^*, \ldots, x_1^*$), and an $n$-bit random string $\rho$ uniformly (or $x_i^* \in_U \mathrm{Dom}(f_{\sigma_i}) = \{0,1\}^i$, $\rho \in_U \{0,1\}^n$). Then $A$ calculates $n$ strings $X_n, X_{n-1}, \ldots, X_1$ as follows:
$$X_i = f_{\sigma_i}(x_i^*).$$
$A$ also calculates $n$-bit string $s_A = (a_n, \ldots, a_1)$ ($a_i \in \{0,1\}$) as follows:
$$a_n = x_n^* \odot \rho,$$
$$a_i = (a_n, \ldots, a_{i+1}, x_i^*) \odot \rho \quad (1 \le i \le n-1).$$

Step 2 $A$ sends $(\sigma_1, \sigma_2, \ldots, \sigma_n)$, $\rho$, and $(X_n, X_{n-1}, \ldots, X_1)$ to $B$ to commit to $A$'s secret $s_A$.

Step 3 When $B$ receives them, $B$ checks whether $(\sigma_1, \sigma_2, \ldots, \sigma_n)$ are valid for the parameters of $\mathcal{F}$, and whether $\rho \in \{0,1\}^n$, and $X_i \in \mathrm{Im}(f_{\sigma_i})$ ($i = 1, \ldots, n$). If they do not hold, $B$ halts the protocol. Otherwise, $B$ writes $(\sigma_1, \sigma_2, \ldots, \sigma_n)$, $\rho$, and $(X_n, X_{n-1}, \ldots, X_1)$ on the output tape.

[End of commitment stage]
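The construction $f = g^* \circ h_1 \circ g^* \circ \cdots \circ h_{2dn} \circ g^*$ from the proof above, as an added example that is not the paper's own code. It instantiates $g$ with the page's $g_1 : x \in \mathbb{Z}_{p-1} \mapsto (\alpha^x \bmod p) - 1$ at a toy size ($p = 251$, a constructed parameter, so $D = \mathbb{Z}_{250} \subset \{0,1\}^8$ and $c = 250/256$), which lets the tight-permutation claim be checked exhaustively over all 256 inputs. Two details are the example's own choices, not the proof's: the round count $2dn$ is rounded up to an integer, and $h_i$ is XOR with a random 8-bit string. At this size nothing is one-way; the script verifies the structural claims only.

```python
import math
import secrets

# Added example (not from the paper): the g -> g* -> f conversion of the proof
# above, with g = g_1 at toy size so that every claim can be checked by
# exhaustive enumeration. P and N_BITS are constructed parameters.

P = 251          # 8-bit prime; D = Z_{P-1} = {0,...,249}
N_BITS = 8       # n = |p - 1| = 8, so the target domain is {0,1}^8

def find_generator(p):
    """Smallest generator of Z_p^*: alpha^((p-1)/q) != 1 for every prime q | p-1."""
    order, m, q, primes = p - 1, p - 1, 2, []
    while q * q <= m:
        if m % q == 0:
            primes.append(q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        primes.append(m)
    for a in range(2, p):
        if all(pow(a, order // q, p) != 1 for q in primes):
            return a
    raise ValueError("no generator found")

ALPHA = find_generator(P)
D = range(P - 1)                       # domain of g_1

def g1(x):
    """g_1: x in Z_{p-1} -> (alpha^x mod p) - 1 in Z_{p-1}."""
    return pow(ALPHA, x, P) - 1

def g_star(x):
    """g*: apply g_1 on D, identity on {0,1}^n \\ D (here 250..255)."""
    return g1(x) if x < P - 1 else x

def rounds(n=N_BITS):
    """2dn with d = 1/log2(1/(1-c)) and c = #D/2^n, rounded up (our choice)."""
    c = (P - 1) / (1 << n)
    d = 1.0 / math.log2(1.0 / (1.0 - c))
    return math.ceil(2 * d * n)

def make_f(n=N_BITS, keys=None):
    """Build f = g* o h_1 o g* o h_2 o ... o g* o h_{2dn} o g*, where h_i is
    XOR with keys[i-1]. Returns (f, keys); random keys if none are given."""
    if keys is None:
        keys = [secrets.randbelow(1 << n) for _ in range(rounds(n))]
    def f(x):
        y = g_star(x)                   # innermost g*
        for k in reversed(keys):        # h_{2dn} is applied first, h_1 last
            y = g_star(y ^ k)           # g* o h_i
        return y
    return f, keys

def is_permutation(fn, n=N_BITS):
    """Exhaustive bijection check on {0,1}^n."""
    return len({fn(x) for x in range(1 << n)}) == (1 << n)

def skipped_g_everywhere(fn, keys, n=N_BITS):
    """Count x with f(x) = h_1 o ... o h_{2dn}(x) = x XOR (all keys), i.e. the
    inputs on which the chain (possibly) never applied g. The proof bounds the
    chance of any such x by 2^n * (1-c)^{2dn}; at toy size it is small but not
    negligible, so callers should treat this as a diagnostic, not a guarantee."""
    mask = 0
    for k in keys:
        mask ^= k
    return sum(1 for x in range(1 << n) if fn(x) == (x ^ mask))

if __name__ == "__main__":
    f, keys = make_f()
    print("alpha =", ALPHA, "rounds =", rounds())
    print("f is a permutation of {0,1}^8:", is_permutation(f))
    print("inputs where g* may never have acted:", skipped_g_everywhere(f, keys))
```

With $c = 250/256$ the formula gives $2dn \approx 2.95$, hence three rounds; the per-input bound $(1-c)^{2dn} = 2^{-2n}$ from the proof is $2^{-16}$ here, so over 256 inputs the diagnostic count is expected to be zero almost always but is not asserted.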
6 Weak Gradual Secret Releasing Protocol Based on a Regular One-Way Function

This section introduces a "weak" gradual secret releasing protocol based on regular one-way functions. This protocol is almost as efficient as Protocol 1. Let $\mathcal{F}$ be a family of regular one-way functions, and $f_{\sigma_i} \in \mathcal{F}$, where $i$ denotes the security parameter. For simplicity of description, we assume that $f_{\sigma_i} : \{0,1\}^{l(i)} \mapsto \{0,1\}^i$, where $l(i) \ge i$.

Protocol: (Weak Gradual Secret Releasing Protocol)

Step 1 $A$ randomly generates the parameters (indices) of a family of regular one-way functions $\mathcal{F}$, $\sigma_1, \sigma_2, \ldots, \sigma_n$. Here
$$f_{\sigma_i} : \{0,1\}^{l(i)} \to \{0,1\}^i \quad (i = 1, 2, \ldots, n).$$
$A$ also selects $(l(i)-i+1)$-bit random strings ($i = n, \ldots, 1$), $(x_n, x_{n-1}, \ldots, x_1)$, (or $x_i \in_U \{0,1\}^{l(i)-i+1}$). Then $A$ calculates $n$-bit string $X$ as follows:

Theorem 6.1 If $\mathcal{F}$ is a family of regular one-way functions, then the weak gradual secret releasing protocol (Protocol 3) is secure.

Proposition 6.2 The computational complexity of Protocol 3 is $O(n\|\mathcal{F}\|)$, and the communication complexity is $O(n^2)$, if $l(n) = cn$ ($c$: constant).

7 Applicability to Contract Signing and Certified Mail Protocols

This section compares the characteristics of Protocols 1, 2 and 3, and the applicability of these protocols.

The assumption for Protocol 1, one-way permutations, is more constrained than those for Protocols 2 and 3, i.e., one-to-one one-way functions and regular one-way functions respectively. It cannot be determined which assumption is more general between those for Protocols 2 and 3.
First, we show an example of a one-way permutation family based on the discrete logarithm. This function family is one-way if the discrete logarithm problem is intractable.

In the first step, $n$ primes, $p_i$ ($i = 1, 2, \ldots, n$), are selected such that $|p_i| = i$ ($p_1 = 2$ and $p_2 = 3$) and $p_i - 1$ has at least one big prime factor (e.g., $q_i$ is a prime factor of $p_i - 1$ and $|q_i| > |p_i|/2$). Let $\alpha_i$ be a generator of $\mathbb{Z}_{p_i}^*$, and $g_i : x \in \mathbb{Z}_{p_i-1} \mapsto (\alpha_i^x \bmod p_i) - 1 \in \mathbb{Z}_{p_i-1}$. Then, the one-way permutation family $\mathcal{F} = \{ f_i \mid i = 1, 2, \ldots \}$ is defined as follows: $f_i = g_i \circ h \circ g_i$, where $h : \{0,1\}^i \to \{0,1\}^i$ is defined as $h(x) = x + 2^{i-1} \bmod 2^i$.

Example 2: Regular one-way function (Protocol 3)

Next, we show an example of "pseudo" regular one-way function families, based on a practical hash function. This function family does not seem to be regular, but it seems to be sufficient for our practical purpose to construct Protocol 3. This is because the cardinality of the preimage of any element in the image seems to be almost equivalent to that of any other element with high probability. (The definition of "pseudo" regular one-way function families and their sufficiency for our purpose will be shown in the final paper.)

Let $H$ be a practical hash function (such as SHA and MD5): $\{0,1\}^* \to \{0,1\}^N$. Then, $f_{\sigma_i} : \{0,1\}^{l(i)} \mapsto \{0,1\}^i$ is defined as $f_{\sigma_i}(x) = [H(x)]_i$, where $l(i) = N + i + C$. ($C$ is a constant factor, e.g., $C = 80$.)

9 Conclusions

This paper proposed efficient simultaneous secret exchange protocols (or gradual secret releasing protocols) that solve the problems of the existing simultaneous secret exchange protocols. The proposed protocols are efficient and are proven to be secure under general assumptions such as the existence of one-way permutations and one-way functions.

References

[BCDG] E. F. Brickell, D. Chaum, I. Damgård, and J. van de Graaf, "Gradual and Verifiable Release of a Secret," Proc. of CRYPTO'87, pp.156-166 (1987)
[BGMR] M. Ben-Or, O. Goldreich, S. Micali, and R. Rivest, "A Fair Protocol for Signing Contracts," IEEE Trans. on IT, Vol. 36, Number 1, pp.40-46 (1990)
[Blu] M. Blum, "How to Exchange (Secret) Keys," Proc. of STOC'83, pp.440-447 (1983)
[Cle] R. Cleve, "Controlled Gradual Disclosure Schemes for Random Bits and Their Applications," Proc. of CRYPTO'89, pp.573-588 (1989)
[Dam] I. Damgård, "Practical and Provably Secure Exchange of Digital Signatures (Extended Abstract)," to appear in Proc. of EUROCRYPT'93
[EGL] S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts," Communications of the ACM, Volume 28, Number 6, pp.637-647 (1985)
[FFS] U. Feige, A. Fiat, and A. Shamir, "Zero-Knowledge Proofs of Identity," Journal of CRYPTOLOGY, Vol. 1, Number 2 (1988)
[GL] O. Goldreich, and L. Levin, "A Hard-Core Predicate for any One-way Function," Proc. of STOC'89, pp.25-32 (1989)
[GwL] S. Goldwasser, and L. Levin, "Fair Computation of General Functions in Presence of Immoral Majority", in Advances in Cryptology - CRYPTO '90, Lecture Notes in Computer Science 537, Springer-Verlag, Berlin, pp.77-93 (1990)
[GMW] O. Goldreich, S. Micali, and A. Wigderson, "Proofs that Yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design," Proc. of FOCS'86 (1986)
[Has] J. Håstad, "Pseudo-Random Generators under Uniform Assumptions," Proceedings of STOC (1990)
[ILL] R. Impagliazzo, L. Levin, M. Luby, "Pseudo-Random Number Generation from One-Way Functions," Proceedings of STOC, pp.12-24 (1989)
[LMR] M. Luby, S. Micali, and C. Rackoff, "How to Simultaneously Exchange Secret Bit by Flipping a Symmetrically-Biased Coin," Proc. of FOCS'83, pp.23-30 (1983)
[Nao] M. Naor, "Bit Commitment Using Pseudo-Randomness," in Advances in Cryptology - Crypto '89, proceedings, Lecture Notes in Computer Science 435, Springer-Verlag, Berlin (1990)
[Rab] M. Rabin, "How to Exchange Secrets by Oblivious Transfer," Tech. Memo, TR-81, Aiken Comp. Lab., Harvard University (1981)
[Yao] A. Yao, "How to Generate and Exchange Secrets," Proc. of FOCS'86, pp.162-167 (1986)