
Consider the commitment scheme defined as Commit(X, r) = C with $C = g^r \cdot X$, where $r \in \mathbb{Z}_p$ and $X \in \mathbb{G} = \langle g\rangle$, where $\mathbb{G}$ is a multiplicative group of large prime order $p$, and $g$ is one of its generators.


I want to figure out whether the commitment scheme is hiding. Is it binding?

I will attempt to reason about these questions below. Note that I am not actually answering the questions as I do not know the answer.


Is it hiding?

For a commitment scheme to be hiding, we require that we are able to produce identical commits but with non-equal inputs. I.e. given $(r, X)$ and $(r', X')$ where $r \neq r'$ and $X \neq X'$ we have that $Commit(X, r) = C = Commit(X', r')$. This essentially means that any such input pair could have produced that specific commit. Thus, it would be hiding because we can't distinguish the commits from each other and therefore can't figure out the input. This is similar in spirit to how we would reason about semantic security of an encryption scheme in the sense that ciphertexts should be indistinguishable from each other and thus don't leak anything.

With all of this said, I actually do not know how I could find a new input pair that yields the same commit. I would like to learn of ways to reason in these kinds of problems. Perhaps there's some commonly used "strategy" to attack this?


Is it binding?

A commitment scheme being binding must mean that we can't find another input that produces the same commit as that would mean that we could change our initial message yet have the commit look like the original one. Thus, it would not be binding and a malicious person could utilize this to cause problems.

If I knew the answer to previous question, then I could argue that if it is hiding then it can't simultaneously be hiding. This can easily be proven by reasoning by reduction to absurd. I.e. suppose it is both hiding and binding, then we can find two different inputs that produce the same commitment, but that would imply that it is not binding. Thus, the original assumption can't possibly be true.

In the case the answer to the previous question is "no", then I can no longer reason about the binding using the fact that it is not hiding. It not being hiding does not say anything about the commitment being binding. It could very well be a lousy scheme that is neither.

Again, with that said, I do not know how to move on.


Any guidance is appreciated. Thank you.

KSI

1 Answer


Is it binding?

No, it is not (but not because it is perfectly hiding, as you argued). Instead, here is the reason:

Given a commitment $C = g^r \cdot X$, Alice can select an arbitrary $r'$ and compute $X' = g^{-r'} \cdot C$. Note that this computation is quite feasible (and that is a critical piece; if it were not, this argument would not hold).

Then Alice can open $C$ by revealing the pair $\langle X', r' \rangle$, and thus (assuming $r \ne r'$) open the commitment a second way, violating the binding property.

Now, assuming the DLog problem is hard, Alice cannot open it up to an $X'$ of her choosing (because she cannot find the corresponding $r'$), however what I have shown is sufficient to show that the binding property does not hold. That property demands that it is infeasible for Alice to open up the commitment to two distinct values (and in this case, she can by using two distinct $r, r'$ values).

poncho
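The second opening from the answer above, carried through in a toy group as an added example (not part of the original post or answer). It also brute-forces the discrete log to show that an opening to any chosen $X'$ exists (perfect hiding), which is exactly the computation the DLog assumption rules out at real sizes. The parameters $q = 1019$, $p = 509$, $g = 4$ and all sample values are constructed for illustration only.

```python
# Toy parameters (constructed, not for real use): q = 2p + 1 with p prime.
# G = subgroup of squares in Z_q^*, which has prime order p and is generated by g = 4.
Q = 1019
P = 509
G_GEN = 4


def commit(x, r):
    """Commit(X, r) = g^r * X, computed in the multiplicative group mod q."""
    assert pow(x, P, Q) == 1, "X must lie in G = <g>"
    return (pow(G_GEN, r, Q) * x) % Q


def second_opening(c, r_prime):
    """Answer's argument: pick ANY r', set X' = g^{-r'} * C; then (X', r') opens C.
    No discrete log is needed, which is why binding fails."""
    g_inv_rp = pow(G_GEN, (-r_prime) % P, Q)  # g^{-r'} = g^{p - r'} since g has order p
    return (g_inv_rp * c) % Q


def dlog_bruteforce(target):
    """Return r with g^r = target (r in [0, p)); only feasible because the group is tiny."""
    acc = 1
    for r in range(P):
        if acc == target:
            return r
        acc = (acc * G_GEN) % Q
    return None


def opening_for_chosen_x(c, x_prime):
    """Perfect hiding: for every X' in G some r' satisfies Commit(X', r') = C.
    Finding r' means solving DLog of C * X'^{-1}, infeasible at real sizes."""
    x_inv = pow(x_prime, -1, Q)  # modular inverse (Python 3.8+)
    return dlog_bruteforce((c * x_inv) % Q)


def demo():
    x, r = pow(G_GEN, 123, Q), 77        # constructed X in G and r in Z_p
    c = commit(x, r)
    r2 = 300                             # arbitrary r' != r
    x2 = second_opening(c, r2)
    assert commit(x2, r2) == c and x2 != x   # binding broken, no DLog required
    x3 = pow(G_GEN, 42, Q)               # an X' Alice might WANT to open to
    r3 = opening_for_chosen_x(c, x3)
    assert commit(x3, r3) == c           # exists (hiding) but needed a DLog to find
    return x2, r2, x3, r3


if __name__ == "__main__":
    print(demo())
```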