
Non-interactive Commitment from Non-transitive Group Actions

Conference paper. In: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

Group actions are becoming a viable option for post-quantum cryptography assumptions. Indeed, in recent years some works have shown how to construct primitives from assumptions based on isogenies of elliptic curves, such as CSIDH, on tensors or on code equivalence problems. This paper presents a bit commitment scheme, built on non-transitive group actions, which is shown to be secure in the standard model, under the decisional Group Action Inversion Problem. In particular, the commitment is computationally hiding and perfectly binding, and is obtained from a novel and general framework that exploits the properties of some orbit-invariant functions, together with group actions. Previous constructions depend on an interaction between the sender and the receiver in the commitment phase, which results in an interactive bit commitment. We instead propose the first non-interactive bit commitment based on group actions. Then we show that, when the sender is honest, the constructed commitment enjoys an additional feature, i.e., it is possible to tell whether two commitments were obtained from the same input, without revealing the input. We define the security properties that such a construction must satisfy, and we call this primitive linkable commitment. Finally, as an example, an instantiation of the scheme using tensors with coefficients in a finite field is provided. In this case, the invariant function is the computation of the rank of a tensor, and the cryptographic assumption is related to the Tensor Isomorphism problem.



Acknowledgements

The authors are members of GNSAGA of INdAM. The first and the third authors are members of CrypTO, the group of Cryptography and Number Theory of Politecnico di Torino. The first author acknowledges support from TIM S.p.A. through the PhD scholarship. The second author acknowledges support from Eustema S.p.A. through the PhD scholarship. The third author acknowledges support from Ripple’s University Blockchain Research Initiative.

Corresponding author: Giuseppe D’Alconzo

Appendices

A 2GA-PR Reduces to \(\textrm{Hiding}(\varPi _{\textsf{Com}})\)

The reduction used to prove the hiding property under the 2GA-PR assumption is exactly the one given in the proof of Theorem 2. The main difference between the proof of the hiding property under the dGA-IP assumption and the following one is that the outcomes of the adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\) of the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game are no longer independent, but only conditionally independent once the input values (s and t) are fixed.

In fact, in the 2GA-PR game \({\textrm{Pr}}{\left[ {O(s)=O(t)}\right] }=\frac{3}{4}\), which means that the choice of the value t given as input to \(\mathcal {A}_2\) depends on the choice of the value s given as input to \(\mathcal {A}_1\).

Theorem 5

The bit commitment scheme in Fig. 4 instantiated with two orbits of similar size is computationally hiding under the 2GA-PR assumption.

For simplicity, in the following proof we assume that the cardinality of the two orbits is the same, that is, the probability of picking an element at random inside any orbit is \(\frac{1}{2}\). The proof can be easily generalized to the case where the probability of falling into one orbit is negligibly greater than the probability of falling into the other. In other words, the proof holds whenever there exists a negligible function \(\nu (\lambda )\) such that, given the two orbits \(O_0\) and \(O_1\),

$$ \left|{\textrm{Pr}}{\left[ {x \in O_0}\right] } - {\textrm{Pr}}{\left[ {x \in O_1}\right] } \right|= \nu (\lambda ) $$

for a randomly chosen x in \(O_0\cup O_1\). This assumption seems admissible and not too strict for cryptographic purposes.

Proof

We must prove that the hiding property holds for \(\varPi _{\textsf{Com}}\). We show that, given an adversary of the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game with non-negligible advantage, we can build an adversary of the 2GA-PR game with non-negligible advantage (recall that the advantage of \(\mathcal {A}\) is defined as \(\textbf{Adv}(\mathcal {A},\text {2GA-PR}(\texttt{pp}))={\textrm{Pr}}{\left[ {\mathcal {A}\text { wins 2GA-PR}(\texttt{pp})}\right] }-\frac{1}{2}\)).

  1. Reduction description.

    To define \(\mathcal {A}\), we use two independent instances \(\mathcal {A}_1, \mathcal {A}_2\) of the same adversary of the hiding game, as in the proof of Theorem 2; we then perform the same reduction, presented in Fig. 10.

  2. \(\mathcal {A}\) correctly simulates the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) challenger.

    The adversary \(\mathcal {A}\) correctly simulates the challenger of \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) with respect to each of the adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\) taken separately: both s and t are uniformly sampled from the set of commitments to 0 and 1. Therefore, \(\mathcal {A}_1\) and \(\mathcal {A}_2\) each output the right bit with advantage \(\epsilon (\lambda )\).

  3. Measurement of \(\mathcal {A}\)’s advantage.

    From now on, when we consider the orbits O(s) and O(t) of s and t respectively, they will take binary values according to the relation used in the bit commitment scheme \(\varPi _{\textsf{Com}}\): \(O(s)=1\) if s lies in the orbit of commitments to 1, and \(O(s)=0\) if s lies in the orbit of commitments to 0. The same holds for O(t).

Fig. 10. Reduction from 2GA-PR to the hiding game for the bit commitment scheme.

Before computing the lower bound of the advantage of the adversary \(\mathcal {A}\), we state the following remark.

Remark 2

The outcomes of the games played by \(\mathcal {A}_1\) and \(\mathcal {A}_2\) in the reduction of Fig. 10 are not independent, since the values given to them as inputs are dependent (note that t is in the same orbit as s with probability \(\frac{3}{4}\)). However, it is still true that the outcomes of the adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\) are independent once conditioned on fixed input values.

For the sake of generality, we need to consider the case in which the advantage of the adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\) in playing the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game is not uniformly distributed over the possible outputs. That is, it is possible that

$$\begin{aligned} {\textrm{Pr}}{\left[ {\mathcal {A}_1\,\texttt { wins}\,\mid O(s)=1}\right] }=\frac{1}{2}+\epsilon (\lambda )+\varDelta , \end{aligned}$$
$$\begin{aligned} {\textrm{Pr}}{\left[ {\mathcal {A}_1\,\texttt { wins}\,\mid O(s)=0}\right] }=\frac{1}{2}+\epsilon (\lambda )-\varDelta , \end{aligned}$$

with \(\varDelta \) possibly a negative value. The same holds for \({\textrm{Pr}}{\left[ {\mathcal {A}_2~ \texttt { wins}\mid O(t)=b}\right] }\), with \(b\in \{0,1\}\).

Now, we can start with the computation of the lower bound of the advantage of \(\mathcal {A}\) in winning the 2GA-PR game.

The probability that \(\mathcal {A}\) wins the 2GA-PR game can be computed as follows, by partitioning the event into three disjoint events:

$$\begin{aligned} {\textrm{Pr}}{\left[ {\mathcal {A}\,\texttt { wins}}\right] }&= {\textrm{Pr}}{\left[ {b'=b}\right] } = \\ &{\textrm{Pr}}{\left[ {\underbrace{(b=0\wedge O(s)\ne O(t))\wedge b'=b}_{\text {Event A}}}\right] }+\\ &{\textrm{Pr}}{\left[ {\underbrace{(b=0\wedge O(s)=O(t))\wedge b'=b}_{\text {Event B}}}\right] }+\\ &{\textrm{Pr}}{\left[ {\underbrace{b=1 \wedge b'=b}_{\text {Event C}}}\right] }. \end{aligned}$$

We now quantify the three probabilities separately. We recall that, according to the event under consideration, the event \(b=b'\) can be translated into a statement about the success of the adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\).

  • Event A: when \(b=0\) and \(O(s)\ne O(t)\), then \(b=b'\) when both \(\mathcal {A}_1\) and \(\mathcal {A}_2\) win or when both of them lose. Therefore, it holds that

    $$\begin{aligned} \begin{aligned} &{\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge b'=b}\right] }=\\ &\quad {\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge \mathcal {A}_1\,\texttt { wins}\,\wedge \,\mathcal {A}_2\,\texttt { wins}}\right] }+\\ &\quad {\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge \mathcal {A}_1\,\texttt { loses}\,\wedge \,\mathcal {A}_2\,\texttt { loses}}\right] }. \end{aligned} \end{aligned}$$
    (2)

    We can compute this probability by considering the general case

    \({\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }\) and then substituting \(\texttt {outcome}\) with \(\texttt {wins}\) or \(\texttt {loses}\) according to the formula above.

    It holds that

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }=\\ &\sum _{c=0}^{1} {\textrm{Pr}}{\left[ {b=0\wedge O(s)=c\wedge O(t)=1-c\wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }=\\ &\sum _{c=0}^{1}\Big ({\textrm{Pr}}{\left[ {\mathcal {A}_1\,\texttt { outcome}\wedge \mathcal {A}_2\,\texttt { outcome}\mid b=0 \wedge O(s)=c \wedge O(t)=1-c}\right] }\cdot \\ &\qquad \cdot {\textrm{Pr}}{\left[ {b=0 \wedge O(s)=c \wedge O(t)=1-c}\right] }\Big ). \end{aligned}$$

    Since the outcomes of \(\mathcal {A}_1\) and \(\mathcal {A}_2\) are independent once their input values are fixed, we have that

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome}\, \wedge \, \mathcal {A}_2\, \texttt { outcome}\mid b=0 \wedge O(s)=c \wedge O(t)=1-c}\right] }=\\ &\quad \prod _{i=1}^2{\textrm{Pr}}{\left[ {\mathcal {A}_i\, \texttt { outcome} \mid b=0 \wedge O(s)=c \wedge O(t)=1-c}\right] }, \end{aligned}$$

    with \(c\in \{0,1\}\). Since the outcome of \(\mathcal {A}_1\) only depends on the value of O(s) and the outcome of \(\mathcal {A}_2\) depends only on O(t), then

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome}\, \wedge \, \mathcal {A}_2\, \texttt { outcome} \mid b=0 \wedge O(s)=c \wedge O(t)=1-c}\right] }=\\ &\quad {\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome} \mid O(s)=c}\right] }{\textrm{Pr}}{\left[ {\mathcal {A}_2\, \texttt { outcome} \mid O(t)=1-c}\right] } \end{aligned}$$

    Therefore, since \({\textrm{Pr}}{\left[ {b=0\wedge O(s)=\bar{b} \wedge O(t)=1-\bar{b}}\right] }=\frac{1}{8}\) for \(\bar{b}\in \{0,1\}\), we have

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }=\\ &\quad \frac{1}{8}\biggl ({\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome}\mid O(s)=1}\right] }\cdot {\textrm{Pr}}{\left[ {\mathcal {A}_2\, \texttt { outcome}\mid O(t)=0}\right] }+\\ &\quad {\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome}\mid O(s)=0}\right] }\cdot {\textrm{Pr}}{\left[ {\mathcal {A}_2\, \texttt { outcome}\mid O(t)=1}\right] }\biggl ). \end{aligned}$$

    We can finally compute the initial probability given in Eq. (2), by substituting \(\texttt {outcome}\) with \(\texttt {wins}\) and \(\texttt {loses}\) and obtaining

    $$\begin{aligned} {\textrm{Pr}}{\left[ {b=0\wedge O(s)\ne O(t)\wedge b'=b}\right] }= \frac{1}{8}+\frac{1}{2}\epsilon ^2(\lambda )-\frac{1}{2}\varDelta ^2. \end{aligned}$$
    (3)
  • Event B: when \(b=0\) and \(O(s)= O(t)\), then \(b=b'\) when either \(\mathcal {A}_1\) wins and \(\mathcal {A}_2\) loses or when \(\mathcal {A}_1\) loses and \(\mathcal {A}_2\) wins. Therefore, it holds that

    $$\begin{aligned} \begin{aligned} &{\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge b'=b}\right] }=\\ &\quad {\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge \mathcal {A}_1\, \texttt { wins}\, \wedge \, \mathcal {A}_2\, \texttt { loses}}\right] } +\\ &\quad {\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge \mathcal {A}_1\, \texttt { loses}\, \wedge \, \mathcal {A}_2\, \texttt { wins}}\right] }. \end{aligned} \end{aligned}$$
    (4)

    Since in this case the inputs of \(\mathcal {A}_1\) and \(\mathcal {A}_2\) lie in the same orbit, we can state

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge b'=b}\right] }=\\ &\quad 2{\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge \mathcal {A}_1\, \texttt { wins}\, \wedge \, \mathcal {A}_2\, \texttt { loses}}\right] }=\\ &\quad 2\sum _{c=0}^1{\textrm{Pr}}{\left[ {b=0\wedge O(s)=c \wedge O(t)=c \wedge \mathcal {A}_1\, \texttt { wins}\, \wedge \, \mathcal {A}_2\, \texttt { loses}}\right] }. \end{aligned}$$

    Using arguments similar to those used for Event A, namely the conditional independence of the outcomes of the adversaries once the inputs are fixed, the fact that the output of \(\mathcal {A}_1\) (resp. \(\mathcal {A}_2\)) depends only on O(s) (resp. on O(t)), and finally that \({\textrm{Pr}}{\left[ {b=0\wedge O(s)=c \wedge O(t)=c}\right] }=\frac{1}{8}\) for \(c\in \{0,1\}\), we can rewrite Eq. (4) as follows

    $$\begin{aligned} {\textrm{Pr}}{\left[ {b=0\wedge O(s)=O(t)\wedge b'=b}\right] } =\frac{1}{8}-\frac{1}{2}\epsilon ^2(\lambda )-\frac{1}{2}\varDelta ^2. \end{aligned}$$
    (5)
  • Event C: when \(b=1\) (so that \(O(s)=O(t)\)), then \(b=b'\) when both \(\mathcal {A}_1\) and \(\mathcal {A}_2\) win or when both of them lose. Therefore, it holds that

    $$\begin{aligned} \begin{aligned} &{\textrm{Pr}}{\left[ {b=1 \wedge b'=b}\right] }=\\ &\quad {\textrm{Pr}}{\left[ {b=1 \wedge \mathcal {A}_1\,\texttt { wins}\, \wedge \, \mathcal {A}_2\,\texttt { wins}}\right] } + \\ &\quad {\textrm{Pr}}{\left[ {b=1 \wedge \mathcal {A}_1\, \texttt { loses}\, \wedge \, \mathcal {A}_2\, \texttt { loses}}\right] }. \end{aligned} \end{aligned}$$
    (6)

    As in the computation of the probability of Event A, we must compute \({\textrm{Pr}}{\left[ {b=1 \wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }\). Using similar arguments as before, and noticing that \({\textrm{Pr}}{\left[ {b=1 \wedge O(s)=c \wedge O(t)=c}\right] }=\frac{1}{4}\) with \(c\in \{0,1\}\), it can be shown that

    $$\begin{aligned} &{\textrm{Pr}}{\left[ {b=1 \wedge \mathcal {A}_1\,\texttt { outcome}\, \wedge \, \mathcal {A}_2\,\texttt { outcome}}\right] }=\\ &\quad \frac{1}{4}\sum _{c=0}^1 {\textrm{Pr}}{\left[ {\mathcal {A}_1\, \texttt { outcome}\mid O(s)=c}\right] }{\textrm{Pr}}{\left[ {\mathcal {A}_2\, \texttt { outcome}\mid O(t)=c}\right] } \end{aligned}$$

    Therefore, substituting \(\texttt {outcome}\) with \(\texttt {loses}\) and \(\texttt {wins}\), and using the probabilities of success of adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\), from Eq. (6) we obtain

    $$\begin{aligned} {\textrm{Pr}}{\left[ {b=1\wedge b'=b}\right] } = \frac{1}{4}+\epsilon ^2(\lambda )+\varDelta ^2. \end{aligned}$$
    (7)

Combining the partial results derived by analysing Event A, Event B and Event C, namely Equations (3), (5) and (7) respectively, we obtain the final result

$$\begin{aligned} {\textrm{Pr}}{\left[ {\mathcal {A}\, \texttt { wins}}\right] }=\frac{1}{2}+\epsilon ^2(\lambda ), \end{aligned}$$

which proves that we have built an adversary for the 2GA-PR game that wins with non-negligible advantage. Therefore, under the 2GA-PR assumption, no adversary that wins the hiding game with non-negligible advantage exists. This means that the bit commitment scheme we have described is perfectly binding and computationally hiding.
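The case analysis above can be checked mechanically. The following Python script is an added example, not code from the paper: it enumerates the joint distribution of \((b, O(s), O(t))\) stated in the proof (1/8 for each "b=0" cell, 1/4 for each "b=1" cell), models the conditional success probabilities \(\frac{1}{2}+\epsilon\pm\varDelta\) of \(\mathcal {A}_1\) and \(\mathcal {A}_2\), uses their conditional independence, and computes the probabilities of Events A, B and C exactly with rational arithmetic. The decision rule of \(\mathcal {A}\) (output \(b'=1\) exactly when \(\mathcal {A}_1\) and \(\mathcal {A}_2\) name the same orbit) is an assumption inferred from the event analysis, since Fig. 10 itself is not reproduced on this page; the function names are this example's own.

```python
from fractions import Fraction
from itertools import product


def joint_input_distribution():
    """Joint distribution of (b, O(s), O(t)) in the 2GA-PR game, taken from the
    probabilities stated in Appendix A: Pr[b=0, O(s)=c, O(t)=1-c] = 1/8,
    Pr[b=0, O(s)=c, O(t)=c] = 1/8 and Pr[b=1, O(s)=c, O(t)=c] = 1/4, for c in {0,1}."""
    dist = {}
    for c in (0, 1):
        dist[(0, c, 1 - c)] = Fraction(1, 8)
        dist[(0, c, c)] = Fraction(1, 8)
        dist[(1, c, c)] = Fraction(1, 4)
    assert sum(dist.values()) == 1
    return dist


def win_prob(orbit, eps, delta):
    """Pr[A_i wins | its input lies in `orbit`], with the skew Delta of the proof:
    1/2 + eps + delta for a commitment to 1, 1/2 + eps - delta for a commitment to 0."""
    p = Fraction(1, 2) + eps + (delta if orbit == 1 else -delta)
    if not 0 <= p <= 1:
        raise ValueError("eps/delta do not describe a valid conditional win probability")
    return p


def event_probabilities(eps, delta):
    """Exact Pr[Event A], Pr[Event B], Pr[Event C] by enumeration.

    Assumption (Fig. 10 is not on the page): the combined adversary A outputs
    b' = 1 exactly when A_1 and A_2 guess the same orbit, which is the rule implied
    by the case analysis of Events A, B and C.
    """
    eps, delta = Fraction(eps), Fraction(delta)
    totals = {"A": Fraction(0), "B": Fraction(0), "C": Fraction(0)}
    for (b, o_s, o_t), p_inputs in joint_input_distribution().items():
        p1 = win_prob(o_s, eps, delta)  # depends only on O(s)
        p2 = win_prob(o_t, eps, delta)  # depends only on O(t)
        for win1, win2 in product((True, False), repeat=2):
            # conditional independence: once O(s) and O(t) are fixed, the two runs are independent
            p_outcomes = (p1 if win1 else 1 - p1) * (p2 if win2 else 1 - p2)
            guess1 = o_s if win1 else 1 - o_s  # A_1 wins iff it names the orbit of s
            guess2 = o_t if win2 else 1 - o_t
            b_guess = 1 if guess1 == guess2 else 0
            if b_guess != b:
                continue  # A loses on this branch
            p = p_inputs * p_outcomes
            if b == 1:
                totals["C"] += p
            elif o_s != o_t:
                totals["A"] += p
            else:
                totals["B"] += p
    return totals


def closed_forms(eps, delta):
    """Equations (3), (5), (7) and the final 1/2 + eps^2 of the proof, for comparison."""
    eps, delta = Fraction(eps), Fraction(delta)
    e2, d2 = eps * eps, delta * delta
    return {
        "A": Fraction(1, 8) + e2 / 2 - d2 / 2,
        "B": Fraction(1, 8) - e2 / 2 - d2 / 2,
        "C": Fraction(1, 4) + e2 + d2,
        "total": Fraction(1, 2) + e2,
    }


def adversary_win_probability(eps, delta):
    """Pr[A wins 2GA-PR] by enumeration; equals closed_forms(...)['total'] for every eps, delta."""
    return sum(event_probabilities(eps, delta).values())


if __name__ == "__main__":
    for eps, delta in [("1/10", "1/20"), ("1/10", "-1/20"), (0, "1/5")]:
        ev, cf = event_probabilities(eps, delta), closed_forms(eps, delta)
        print(f"eps={eps} delta={delta}: events={ev}, Pr[A wins]={adversary_win_probability(eps, delta)}, "
              f"closed form={cf['total']}")
```

Note that the skew \(\varDelta\) cancels in the total exactly as the proof claims: it adds \(-\frac{1}{2}\varDelta^2\) to each of Events A and B and \(+\varDelta^2\) to Event C, and the script confirms this for negative values of \(\varDelta\) and for \(\epsilon = 0\) (where the advantage collapses to zero whatever the skew).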

B \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) Reduces to dGA-IP

Theorem 6

The \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game reduces to the dGA-IP game.

Proof

We show how the existence of an adversary for the dGA-IP problem with non-negligible advantage allows the construction of an adversary for the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game with non-negligible advantage.

  1. Reduction description.

    The adversary \(\mathcal {A}\) of the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game (see Fig. 11) receives from the challenger a commitment c to a randomly generated bit b. \(\mathcal {A}\) generates a commitment \(c'\) to a random bit \(b'\) and sends \(c,c'\) to \(\mathcal {A}'\), the adversary for the dGA-IP game with non-negligible advantage. \(\mathcal {A}\) receives a response \(b_0\) from \(\mathcal {A}'\) and returns to the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) challenger the bit \(b'\) if \(b_0=1\) (i.e. \(\mathcal {A}'\) has guessed that c and \(c'\) are in the same orbit); otherwise \(\mathcal {A}\) returns \(1-b'\).

  2. \(\mathcal {A}\) correctly simulates the dGA-IP challenger.

    The adversary \(\mathcal {A}\) receives a commitment to a random unknown bit b. Therefore, in order to simulate the dGA-IP challenger, it generates a random bit \(b'\) and a commitment to that bit. In this way, \(\mathcal {A}\) generates pairs of elements of X that lie in the same orbit with probability \(\frac{1}{2}\), exactly as the dGA-IP challenger does.

  3. Measurement of \(\mathcal {A}\)’s advantage.

    The adversary \(\mathcal {A}\) wins with exactly the same probability as \(\mathcal {A}'\): every time \(\mathcal {A}'\) guesses the right answer to the dGA-IP game, \(\mathcal {A}\) learns the orbit in which the element c lies, since it knows the orbit of \(c'\). Therefore, if \(\mathcal {A}'\) wins the dGA-IP game with non-negligible advantage, \(\mathcal {A}\) also wins the \(\textrm{Hiding}(\varPi _{\textsf{Com}})\) game with non-negligible advantage.

Fig. 11. Reduction from the hiding game for the bit commitment scheme to dGA-IP.
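The reduction of Appendix B can be exercised end to end on a deliberately small instance. The Python script below is an added example and is not the paper's Fig. 4 scheme or code from the authors: it uses a hypothetical stand-in group action (the symmetric group \(S_6\) permuting the positions of a 6-bit string, with Hamming weight as the orbit invariant, so that \(O_0\) and \(O_1\) are the 15 strings of weight 2 and the 15 strings of weight 4), commits to a bit by applying a random group element to a public orbit representative, and wraps a dGA-IP adversary into a hiding adversary exactly as the proof describes. In this toy the invariant is trivial to compute, so a perfect dGA-IP adversary exists and the wrapper breaks hiding with probability 1; a noisy dGA-IP adversary with accuracy p yields a hiding adversary with success rate p, which is the "same probability" statement of step 3. All function names are this example's own; the scheme here has no hiding at all and serves only to show the reduction's mechanics and the perfect binding that the distinct invariant values give.

```python
import random
from itertools import permutations

# Hypothetical toy instance (not the paper's scheme): X = bit strings of length N,
# G = S_N acting by permuting positions, orbit invariant f(x) = Hamming weight.
# O_0 = strings of weight 2, O_1 = strings of weight 4: two orbits of equal size (15 each).
N = 6
ORBIT_WEIGHT = {0: 2, 1: 4}


def act(g, x):
    """Group action: g is a permutation of range(N) applied to the positions of x."""
    return tuple(x[g[i]] for i in range(N))


def invariant(x):
    """Constant on each orbit and different between O_0 and O_1."""
    return sum(x)


def representative(b):
    """Public representative of orbit O_b."""
    return tuple(1 if i < ORBIT_WEIGHT[b] else 0 for i in range(N))


def commit(b, rng):
    """Commit to bit b: a random group element g applied to the representative of O_b.
    The opening is (b, g)."""
    g = list(range(N))
    rng.shuffle(g)
    return act(g, representative(b)), g


def verify_opening(c, b, g):
    return c == act(g, representative(b))


def hiding_adversary(c, dgaip_adversary, rng):
    """Appendix B reduction: commit to a random b', ask the dGA-IP adversary whether
    c and c' share an orbit, answer b' on 'same orbit' (b0 = 1) and 1 - b' otherwise."""
    b_prime = rng.randrange(2)
    c_prime, _ = commit(b_prime, rng)
    b0 = dgaip_adversary(c, c_prime)
    return b_prime if b0 == 1 else 1 - b_prime


def weight_oracle(c1, c2):
    """A perfect dGA-IP adversary for this toy: the invariant is cheap to compute."""
    return 1 if invariant(c1) == invariant(c2) else 0


def noisy_oracle(accuracy, seed=0):
    """dGA-IP adversary that answers correctly with probability `accuracy` on every pair."""
    rng = random.Random(seed)

    def oracle(c1, c2):
        truth = weight_oracle(c1, c2)
        return truth if rng.random() < accuracy else 1 - truth

    return oracle


def hiding_success_rate(dgaip_adversary, trials, seed=0):
    """Monte Carlo estimate of Pr[A wins Hiding] against freshly committed random bits."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        c, _ = commit(b, rng)
        wins += hiding_adversary(c, dgaip_adversary, rng) == b
    return wins / trials


def opening_roundtrip(b, seed=0):
    """An honest opening (b, g) of a commitment to b is accepted."""
    c, g = commit(b, random.Random(seed))
    return verify_opening(c, b, g)


def is_perfectly_binding():
    """Exhaustive check: no group element opens a commitment to b as the bit 1 - b."""
    all_g = list(permutations(range(N)))
    for b in (0, 1):
        commitments = {act(g, representative(b)) for g in all_g}  # the whole orbit O_b
        for c in commitments:
            if any(verify_opening(c, 1 - b, h) for h in all_g):
                return False
    return True


if __name__ == "__main__":
    print("perfectly binding:", is_perfectly_binding())
    print("hiding adversary with perfect dGA-IP oracle:", hiding_success_rate(weight_oracle, 1000))
    print("hiding adversary with 75%-accurate oracle:",
          hiding_success_rate(noisy_oracle(0.75, seed=1), 4000, seed=2))
```

The direction of the statement matters for a defender reading the paper: the reduction says that any distinguisher for dGA-IP on the two orbits translates, with no loss, into an attack on hiding, so the hiding of the real scheme is exactly as strong as the hardness of telling the two orbits apart (for tensors, deciding equality of rank between the two orbits).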


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

D’Alconzo, G., Flamini, A., Gangemi, A. (2023). Non-interactive Commitment from Non-transitive Group Actions. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14444. Springer, Singapore. https://doi.org/10.1007/978-981-99-8739-9_8


  • DOI: https://doi.org/10.1007/978-981-99-8739-9_8


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8738-2

  • Online ISBN: 978-981-99-8739-9
