(Nearly) Round-Optimal Black-Box Constructions of Commitments Secure against Selective Opening Attacks

  • David Xiao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6597)


Selective opening attacks against commitment schemes occur when the commitment scheme is repeated in parallel (or concurrently) and an adversary can choose depending on the commit-phase transcript to see the values and openings to some subset of the committed bits. Commitments are secure under such attacks if one can prove that the remaining, unopened commitments stay secret.

We prove the following black-box constructions and black-box lower bounds for commitments secure against selective opening attacks:

  1. 1

    For parallel composition, 4 (resp. 5) rounds are necessary and sufficient to build computationally (resp. statistically) binding and computationally hiding commitments. Also, there are no perfectly binding commitments.

  2. 2

    For parallel composition, O(1)-round statistically-hiding commitments are equivalent to O(1)-round statistically-binding commitments.

  3. 3

    For concurrent composition, ω(logn) rounds are sufficient to build statistically binding commitments and are necessary even to build computationally binding and computationally hiding commitments, up to loglogn factors.


Our lower bounds improve upon the parameters obtained by the impossibility results of Bellare et al. (EUROCRYPT ’09), and are proved in a fundamentally different way, by observing that essentially all known impossibility results for black-box zero-knowledge can also be applied to the case of commitments secure against selective opening attacks.


commitments black-box lower bounds zero knowledge selective opening attacks parallel composition concurrent composition 


  1. 1.
    Barak, B.: How to go beyond the black-box simulation barrier. In: Proc. 42nd FOCS, pp. 106–115. IEEE, Los Alamitos (2001)Google Scholar
  2. 2.
    Beaver, D.: Adaptive zero knowledge and computational equivocation (extended abstract). In: Proc. STOC 1996, pp. 629–638. ACM, New York (1996)Google Scholar
  3. 3.
    Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Brassard, G., Crépeau, C.: Zero-knowledge simulation of boolean circuits. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 223–233. Springer, Heidelberg (1987)Google Scholar
  5. 5.
    Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)CrossRefMATHGoogle Scholar
  6. 6.
    Brassard, G., Crépeau, C., Yung, M.: Everything in NP can be argued in perfect zero-knowledge in a bounded number of rounds. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 192–195. Springer, Heidelberg (1990)Google Scholar
  7. 7.
    Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds. SIAM J. Comput. 32(1), 1–47 (2003)CrossRefMathSciNetGoogle Scholar
  8. 8.
    Di Crescenzo, G., Ostrovsky, R.: On concurrent zero-knowledge with pre-processing (Extended abstract). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 485–502. Springer, Heidelberg (1999)Google Scholar
  9. 9.
    Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: Proc. STOC 1998, pp. 141–150. ACM, New York (1998)Google Scholar
  10. 10.
    Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.: Magic functions. J. ACM 50(6), 852–921 (2003)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Fischlin, M.: Trapdoor Commitment Schemes and Their Applications. Ph.D. Thesis (Doktorarbeit), Department of Mathematics, Goethe-University, Frankfurt, Germany (2001)Google Scholar
  12. 12.
    Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology 9(3), 167–189 (1996)CrossRefMATHMathSciNetGoogle Scholar
  13. 13.
    Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. of Com. 25(1), 169–192 (1996); Preliminary version appeared In: Paterson, M. (ed.) ICALP 1990. LNCS, vol. 443. Springer, Heidelberg (1990)Google Scholar
  14. 14.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the ACM 38(3), 691–729 (1991); Preliminary version in FOCS 1986CrossRefMATHMathSciNetGoogle Scholar
  15. 15.
    Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: Proc. FOCS 2007, pp. 669–679 (2007)Google Scholar
  16. 16.
    Haitner, I., Reingold, O., Vadhan, S., Wee, H.: Inaccessible entropy. In: Proc. STOC 2009, pp. 611–620. ACM, New York (2009)Google Scholar
  17. 17.
    Katz, J.: Which languages have 4-round zero-knowledge proofs? In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 73–88. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Naor, M.: Bit commitment using pseudorandomness. Journal of Cryptology 4(2), 151–158 (1991); Preliminary version In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, Heidelberg (1990)Google Scholar
  19. 19.
    Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Pass, R., Tseng, W.-L.D., Wikström, D.: On the composition of public-coin zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 160–176. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: Proc. 43rd FOCS, pp. 366–375. IEEE, Los Alamitos (2002)Google Scholar
  22. 22.
    Rosen, A.: Concurrent Zero-Knowledge - With Additional Background by Oded Goldreich. Information Security and Cryptography. Springer, Heidelberg (2006)MATHGoogle Scholar
  23. 23.
    Wee, H.: On statistically binding trapdoor commitments from one-way functions (2008) (manuscript)Google Scholar
  24. 24.
    Zhang, Z., Cao, Z., Zhu, H.: Constant-round adaptive zero knowledge proofs for NP (2009) (manuscript)Google Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • David Xiao
    • 1
    • 2
  1. 1.LIAFAUniversité Paris 7Paris Cedex 13France
  2. 2.Université Paris-SudOrsay CedexFrance

Personalised recommendations