Talk by Dominique Unruh. Dominique is giving the talk.

Hello everyone. So this talk is again about commitments, but in a somewhat different setting. We will look at a number of different properties. So let me first tell you about the scope of this talk: what properties and variants of commitments do we intend to investigate here?

The first question is, well, commitments have two properties. One is called hiding and the other binding. Hiding means you can't tell what I'm committing to, and binding is that I can't change my mind. Both are important; if you lose one, it's pointless. But in this talk we will be focusing on the binding property. Not because hiding is unimportant, but because hiding seems well understood, so there isn't so much to talk about, at least if we ask ourselves what the good definitions are. For everything that I show you, hiding works out fine, so don't worry about that, but we will only think about binding.

Then the next question is, with the commitment, do we want statistically or computationally binding commitments? That is, do we want the binding property to hold against unlimited adversaries, or under computational assumptions? In the talk just before, we wanted statistically binding commitments, while here we will look at computationally binding commitments. Why is this interesting? Well, there can be two reasons why you would want computationally binding commitments. Either because, if you are willing to make both directions, hiding and binding, computational, then you may need weaker assumptions, possibly, or simpler protocols, than if you want to make one of them statistical. Or the other thing is you might want to make the protocol computationally binding because you want to make it statistically hiding, and you don't get both at the same time. And statistically hiding is probably more important than statistically binding, because that gives you everlasting security. Because 10 years later, someone might want to break your commitment; it's pointless to break the binding property, but they may still want to extract the data. So this is why computationally binding, statistically hiding is probably better than the other way around in many applications.

Then you can ask: interactive versus non-interactive? Well, we study non-interactive ones, not because it's a necessity but because it's simpler. So for now, any commitment I will talk about will be implicitly assumed to be non-interactive. And then the crucial point here is that we will look at security against quantum attacks. We want that our protocols are not just secure if the adversary has a classical computer, but we want to be sure they are secure in the future when there may be quantum computers available, and we want that our protocol will not be broken by the presence of a quantum computer. However, we do consider only classical protocols here, again because it's a bit simpler. So the protocols we talk about will be classical, but we assume that the adversary is quantum. So this is kind of the background on which the rest of the talk will take place.

Now, since we want computational binding, as I said, let's have a look at the definition. How is computationally binding usually defined in a purely classical setting, as a warm-up? You have a commitment: the sender sends a commitment C in the commit phase, and then later, when he reveals, he will send some message M and some opening information U. This was called the randomness in the talk before; it doesn't really make a big difference whether we talk about randomness or some arbitrary information here. Usually, when we talk about computational binding, the binding property is formulated as follows: we require that it is hard for a polynomial-time adversary to find a single commitment C that he sends here, and two different messages M and M', and opening informations for M and M' respectively, so that he opens the commitment both as M and as M' successfully. If the adversary finds such values, he has obviously broken the commitment, because he can open into two values, and we call it computationally binding if the adversary cannot do that. Intuitively, this means that the adversary cannot change his mind: if he cannot find two different values M to which he could open the commitment, it seems pretty obvious that he will be stuck with one value M from the very start. That's why this definition is actually a good definition, and in classical cryptography it has turned out to be a good definition; it's pretty commonly used. This is why I call it classical-style computationally binding. I can say "hard to find for quantum adversaries", which gives me a definition in the quantum realm, but I will then call it classical-style computationally binding against quantum adversaries, because, as I'll show you, this definition is not a good idea in the quantum setting.

So what's bad about it in the quantum setting? Well, we can show (it's far from trivial, and I will not tell you how) that there is a collision-resistant hash function h, so a hash function where we cannot computationally find two inputs with the same output, which is even secure against quantum adversaries: even quantum adversaries cannot find a collision for that function. The construction is relative to an oracle; it would be nicer if it weren't, but it's enough to show that there are problems. So there is such a collision-resistant hash function, and then we can build a very simple commitment protocol from it: we pick some random value u, and then to commit to a message m, we send the hash of m concatenated with u. It is easy to see that it's classical-style binding, because if you could find two openings, you would have a collision for the hash function. So it's classical-style binding, even against quantum adversaries, and we think that would be fine. However, in this particular setting, for this weird hash function, it is possible to construct an adversary that achieves the following. The adversary first sends some commitment c, some fake value that he makes up in a complex way using a quantum algorithm. Then we tell him a random message and say, please open as this particular message, and then the adversary says, oh yeah, I have a u such that the hash of m, u is c. This we don't want; this means he commits to something and then later he changes his mind about what should be inside.

Now we can be very surprised about this, because don't we say that he can find only one m that does this? So how can he do it for a random one? It will probably not be the one. Well, actually the classical-style binding definition guarantees that he cannot find two m's and valid opening information at the same time, but this adversary may have some quantum state inside. So he creates a c together with a quantum state, and then for any m he can find the corresponding u, but this will ruin his quantum state and he cannot do it twice. So he can pick any m, but he cannot pick two of them. The existence of such an adversary, even though the scheme is classical-style binding, shows us that classical-style binding is pretty useless in the quantum setting.

So the question is, what do we do instead? We seem to need new definitions, and this is what my talk will be mainly about: what definition could we use for computationally binding commitments in the quantum setting, because it's not sufficient to just replace "adversary" by "quantum adversary" in existing definitions. We have seen that the classical definition of computationally binding is not useful if we want to do post-quantum cryptography. We also have seen by this example that collision resistance in a quantum setting seems to be not as good as we would have expected. I'm not saying collision resistance is useless; for example, if we make a signature scheme, hashing the message before signing seems to be still a reasonable thing. But it seems to be a weaker property than expected; it doesn't have this property that if I have a hash, I cannot change my mind about what the input to the hash function is. So collision resistance might also need an update; perhaps we should expect something stronger from hash functions. And since there is supposed to be some NIST post-quantum competition upcoming, perhaps we should also wonder whether collision resistance is too weak a property to require from the hash functions there.

Because of that, I propose two new definitions. First I will propose one which is called collapse-binding commitments (I will mention later why they have this funny name), and that's a strengthening of the computational binding property in the quantum setting. Very similarly, I will define collapsing hash functions, and those are a strengthening of collision-resistant hash functions that seems to capture more of what hash functions should do in the quantum setting.

Before I come to that, let me say a little word about existing definitions. If I would tell you all the approaches that have been in the literature so far on dealing with the question of how we define them in the quantum setting, I would not do anything else in this talk. So I just listed, alphabetically ordered, the names of all the authors of the papers that I would have cited here. But all the definitions (I can't go into detail) have at least one of the following problems. Either they need some kind of trapdoor in their construction somewhere, or they even need to be universally composable commitments. Once you have them they're fine, but it comes at the price of having more complex protocols, stronger definitions, needing a common reference string, etc. Many of the definitions do not support parallel composition: when committing to two values in parallel, we may not have a guarantee that this is the same as committing to the pair of those values. Not all definitions have that problem, but some do. Then it seems to be common to most of them (not the UC-style ones) that proofs that involve rewinding are very problematic. So if you want to use those definitions, for example in the construction of a zero-knowledge protocol, then you run into trouble, because once you rewind, you don't get any guarantees; rewinding in the quantum case is very difficult. And also many of them do not imply knowledge of the message in a certain sense. So although you can show that you cannot change your mind about what the message is, there is no... well, classically, with commitments we have this fact that in a certain sense you know what the commitment is, because by rewinding I could get out of your mind what the message is that you're committed to. So they usually capture in some way that the message I'm committing to is already there in the beginning when I commit to it, and this property is also lacking with many of the existing definitions. So all these problems I would like to solve, and preferably simultaneously.

Without further ado, let me tell you the definition, and then I will discuss why this is a good definition. I define this by a certain game that a quantum adversary plays. So the definition only makes sense with quantum adversaries, but it implies classical definitions also; if we satisfy this, we also have that it's secure in classical crypto. What the adversary does is: the adversary outputs some commitment, given by this arrow c, and this commitment is a classical value. So far that's unsurprising: he just commits to a message by outputting a classical value. Additionally, he outputs a message and a corresponding opening information. But the crucial point is he doesn't just output one message m and one opening u; he puts these on quantum registers, so these two wires could be in a superposition of many different pairs of message and opening. He could, for example, if he manages, output a message zero with a corresponding opening and a message one with a corresponding opening in superposition, which does not directly contradict the classical binding property, because it doesn't mean that he could do both at the same time. It doesn't mean that he could put them on two wires as classical values; he can only put them, possibly, as a superposition. So that's the game he plays: he outputs a classical commitment and a superposition between different possible values that he would open it to. And he promises, and we trust him on that, that whatever is on this wire is a valid opening. We don't know what it is, it may be many openings at the same time, but it's certainly valid openings. Then we give this message back to the adversary. That's one game.

Now we make a little variation of that game. The adversary does the same thing, but before we give the state back to the adversary, we measure what the message is. Classically this doesn't make any sense; whether we give it to him directly or after looking at it doesn't make a difference. But quantumly there's a big difference, namely if there's a superposition of many messages here and I measure it, this will change the message. So this game and this game are not the same, unless the adversary has only one message here: if there's only one possible message, then measuring would certainly not disturb it. The goal of the adversary is to tell whether he's in this game or this game, and we call a commitment collapse-binding if the adversary cannot guess whether he's in this game or in this game.

So why is this, what does this have to do with binding? Let's see. The intuition is roughly (here's the picture, just for remembering) that the adversary cannot produce several openings to different messages, I mean in superposition. Why? Well, if he would produce several openings in superposition, then he would notice that we are measuring which one he did, because if there are several openings and we measure which, then afterwards they are not several anymore, and when he gets the state back he just looks at whether there are several openings. That means in a sense that for every commitment there can be only one message m on this wire. That's the intuition, and it's kind of true, but not really, because technically speaking he can very easily produce superpositions here. He could, for example, commit to a random message but do all his operations quantumly in superposition and just measure what the resulting commitment is, and then he will be in a superposition of many possible messages that give that commitment, at least if the commitment is statistically hiding. But the point is, it still kind of holds, because he can't tell that there are many messages on it. So this thing holds, but only in a certain sense: perhaps there is a superposition of many messages, but not one that the adversary would actually notice having. That means, if we try to make formal where this definition lies, we can only say it is weaker than saying there are no possible two openings. The perfect binding definition says there are no two openings; ours is clearly weaker, because if there are no two openings then certainly he cannot tell the difference, because there can be only one message here and he will not notice whether we measure. And it is stronger than just requiring that it's hard to find two openings, because if he finds two openings, he can just put them here in superposition and then check whether these two values are still there. So it's somewhere in between, which already shows that the definition at least makes some sense: it is between two definitions that make sense at least classically. That's a good sign, but that's not enough to endear this definition to us.

Fortunately, this definition has a lot of nice properties. Well, this I kind of already implied: it is between perfect binding and classical-style binding, so that's good, probably. What's more important is that the problem we had with classical-style binding, that the adversary can change his mind after committing, is not there anymore. For this definition we can prove that it avoids the "I commit to something and later I open it to whatever I want". So fortunately that problem is solved, which already makes it seem to be a reasonable definition. Then also it composes in parallel; that's nice, it's not so easy to achieve with commitment definitions. What's even nicer is that it is rewinding-friendly. What do I mean by that? Well, I took an existing proof of zero-knowledge proofs of knowledge, replaced all the perfectly binding commitments that were in that construction by collapse-binding commitments, and the proof goes through almost unmodified. So I'm not saying that rewinding proofs are simple in the quantum case, but they don't seem to get harder by using these commitments, and that's very good news, because you can then just do this plug and play: I had a perfectly binding commitment, now I replace it by a weaker one, and my proofs still go through, etc. So that's good.

But all of this doesn't really help us much if there might be no such schemes. Could it be that collapse-binding commitments are just impossible? Well, they can't be impossible, because we can even construct perfectly binding ones, and they would be collapse-binding. But of course we would like to have collapse-binding commitments that are, for example, at the same time statistically hiding, and that's not something we could do if we just go for perfectly binding ones. It turns out, yes, we can construct collapse-binding commitments from collapsing hash functions. That's good; we will see in a moment what they actually are, but that's a good start. And actually the constructions are very simple; I didn't need to make up new constructions. The most simple, natural constructions that you would want to use with collision-resistant hash functions also work with collapsing hash functions and then give us collapse-binding commitments. So the one construction was the one I had on this picture; that's not guaranteed to be statistically hiding, but slightly more complex ones, Halevi-Micali commitments, go through, and they are statistically hiding.

Okay, so what are collapsing hash functions? Collapsing hash functions are a strengthening of collision resistance in the quantum setting, and the way we define them is actually very similar to collapse-binding commitments. Actually, I never said why I call them collapse-binding: it's because when we do this measurement, just committing, or in this case hashing, is already kind of collapsing the state, so it doesn't get further collapsed by measuring. That is why we call it that way. So the definition of collapsing hash functions is very similar. We say the adversary outputs a hash value h, like this, classically, and preimages of that hash in superposition. Intuitively, we want that he cannot find two preimages, but again we have seen that not being able to find two preimages is not sufficient. Instead we do the same game: he can put a superposition of preimages here, and he should not be able to tell whether we measure this preimage (in this case we measure which one it is) or we leave it in superposition. And then we define that it's collapsing if the adversary cannot tell whether we measure the preimage or not.

We get the following effects with collapsing hash functions: we can make simple commitment schemes once we have a collapsing hash function, and they are statistically hiding; we use the existing simple constructions. So this gives some indication that a collapsing hash function is kind of a drop-in replacement for collision-resistant hash functions when we go to the quantum setting and collision resistance is not enough. Having one case where it works is a weak indication, but it's something. Now we have just shifted the question, because we may still ask: do collapsing hash functions actually exist? The answer is, well, at least in the random oracle model they do exist. The random oracle itself is a hash function, and it turns out it is collapsing. So all this is possible, and that gives us, depending on how much you like the random oracle, either a solution to the problem, or you can see it at least as some indication that real-world hash functions that are pretty random might have that property. If it wouldn't hold for the random oracle, we certainly wouldn't want to make the assumption that existing hash functions like SHA-3 or something are collapsing. So that's kind of a minimal check. I have further work now which also can explicitly construct collapsing hashes based on the LWE assumption, but that's not part of this work and not fully written up yet.

Because of this, because they are this kind of drop-in replacement and a property that at least the random oracle has, my suggestion is that collapsing should actually be a property that we expect from hash functions. So if we are asking, let's find a new hash function that is post-quantum secure, then we should put on the list of required properties also the collapsing property. For example, for the upcoming NIST post-quantum crypto competition, it would be cool if this were in the list of properties that a hash function should satisfy.

Let me conclude with some open problems. One interesting question is: what are the minimal assumptions for building collapse-binding commitments? Can we do it with one-way functions? I have no indication pro or contra so far. I mean, LWE assumptions are a pretty strong one, but perhaps we can weaken this, perhaps by making it non-injective. That's, from my view, the most interesting one. Also, implications between the different definitions: some of the definitions that exist I have implied, but for some it's not clear, so I have some results now, but there are still open questions. Then a good question is: are SHA-2 and SHA-3 and other existing hash functions collapsing? So, assuming the compression function for each round is collapsing, do Merkle-Damgård or the sponge construction give us collapsing hash functions? Well, Merkle-Damgård does; sponge I don't know yet. And then more protocols where we actually use these commitments, to show what they can do and where they fail. And that's it, thank you.

Moderator: There's time for one quick question.

Audience: Does your definition handle non-uniform attackers?

Speaker: Yes, you can use both variants; it works the same, so it always uses... all reductions and all proofs are kind of black-boxish.

Audience: So if the attacker has non-uniform quantum advice, your suggestion could still remain secure? Because the reason I ask is the first attack that you showed: the guy, given a random thing, can open into that challenge.

Speaker: Yes.

Audience: So if he has two copies of the current state, even if it's quantum, he can then open into zero and one, both.

Speaker: Well, the thing is that it depends which commitment. I mean, the definitions you can certainly state that way very easily; the question is the existing result, the existence result. Because if he had... I mean, even classically, if you make a commitment scheme and you have an auxiliary input that may depend on the commitment scheme, then you can always just give the interaction, so a non-interactive commitment cannot be perfectly binding. But if you have, for example, an auxiliary input that cannot depend on some random choices done either in some public parameter or something, then non-uniform is no problem. So basically non-uniformity here has the same problems and non-problems as in the classical setting, and which ones those are we could discuss for each specific case, but probably not right now.

Moderator: Take it offline. Okay, let's thank the speaker again.
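The two games from the talk (hand the (message, opening) registers back untouched, or measure the message register first) as an added example; this is not the speaker's or the paper's code. It simulates the quantum state over (m, u) pairs as a dictionary of amplitudes and computes exactly, for any set of valid openings, how well the adversary who "puts his openings in superposition and checks whether they are still there" can distinguish the two games. The commitment `toy_commit` is a constructed stand-in with deliberate collisions, playing the role of the talk's weird oracle hash; it is an assumption, not a scheme from the talk.

```python
"""Classical simulation of the collapse-binding game from the talk (added
example).  A quantum state over (message, opening) pairs is a dict mapping
the pair to a complex amplitude; all probabilities are computed exactly."""
from math import sqrt


def toy_commit(m: int, u: int) -> int:
    """Constructed toy commitment with many collisions (assumption, not a
    scheme from the talk): it lets us write down several valid openings of
    one commitment, which is exactly what the game's adversary holds."""
    return (m + 3 * u) % 8


def uniform_superposition(openings):
    """|psi> = sum_i |m_i, u_i> / sqrt(k) over the k distinct (m, u) pairs."""
    openings = sorted(set(openings))
    amp = 1 / sqrt(len(openings))
    return {pair: amp for pair in openings}


def inner(phi, psi):
    """<phi|psi> for dict-encoded states (missing keys have amplitude 0)."""
    return sum(phi[k].conjugate() * psi[k] for k in phi if k in psi)


def measure_message(psi):
    """Game 2's extra step: measure the message register only.  Returns, for
    each outcome m, (probability of m, normalized post-measurement state).
    The opening register is left alone, so a superposition of several
    openings of the *same* message survives intact."""
    branches = {}
    for (m, u), amp in psi.items():
        branches.setdefault(m, {})[(m, u)] = amp
    result = []
    for branch in branches.values():
        p = sum(abs(a) ** 2 for a in branch.values())
        norm = sqrt(p)
        result.append((p, {k: a / norm for k, a in branch.items()}))
    return result


def adversary_advantage(c, openings):
    """Distinguishing advantage of the talk's adversary for commitment c.

    He prepares |psi>, the uniform superposition of the given valid
    openings, hands the registers to the challenger and, when he gets them
    back, measures the projector onto |psi> ("are my openings still all
    there?").  Game 1 returns |psi> untouched, so the test passes with
    probability 1.  Game 2 measures m first, so the test passes with
    probability sum_m p_m * |<psi|psi_m>|^2.  The advantage is the gap."""
    for m, u in openings:  # the game trusts the adversary's promise; we check it
        if toy_commit(m, u) != c:
            raise ValueError(f"({m}, {u}) is not a valid opening of {c}")
    psi = uniform_superposition(openings)
    pass_if_measured = sum(p * abs(inner(psi, post)) ** 2
                           for p, post in measure_message(psi))
    return 1.0 - pass_if_measured


if __name__ == "__main__":
    c = toy_commit(0, 0)  # (1, 5) and (0, 8) also open to the same c
    # Two openings to different messages in superposition: advantage 1/2.
    print("two messages   :", adversary_advantage(c, [(0, 0), (1, 5)]))
    # Several openings, all of the same message: measuring m changes
    # nothing, so the superposition alone is harmless (advantage 0).
    print("one message    :", adversary_advantage(c, [(0, 0), (0, 8)]))
    # Mixed case: advantage 4/9, between the two extremes.
    print("two of three   :", adversary_advantage(c, [(0, 0), (0, 8), (1, 5)]))
```

The same machinery models the collapsing-hash game by reading `toy_commit(m, u)` as a hash of the pair and the whole pair as the preimage register, in which case measuring "the message" becomes measuring the entire preimage.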