Abstract

Low output locality is a property of functions in which every output bit depends on only a small number of input bits. IoT devices often have only a fragile CPU, so it is important for many IoT devices to cooperate to execute a single function. In such collaborative work, low output locality is very useful, which is why it is desirable to reconstruct cryptographic primitives with low output locality. However, until now, commitment with a constant low output locality has been constructed from a nonconstant-output-locality collision-resistant hash function by using strong randomness extractors. In this paper, we construct, for the first time, a commitment scheme with output locality 3 from a constant-output-locality collision-resistant hash function. We prove the computational hiding property of our commitment under the decisional (M, δ)-bSVP assumption and the computational binding property under the (M, δ)-bSVP assumption. Furthermore, we prove that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption. We also give a parameter suggestion for our commitment scheme with 128-bit security.

Highlights

  • The output locality is a natural complexity measure of computational efficiency for Boolean functions

  • We describe what we have achieved in this paper as follows: (i) we prove that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption; (ii) we prove that our commitment scheme satisfies the computational binding property based on the (M, δ)-bSVP assumption and the computational hiding property based on the decisional (M, δ)-bSVP assumption; (iii) we compare our commitment scheme with previous studies

  • We introduce a new notion of decisional (M, δ)-bSVP assumption, which is a decisional version of the (M, δ)-bSVP assumption defined in Definition 4
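The definition of output locality used above can be checked mechanically. The following is an added example, not code from the paper: it measures output locality by exhaustive bit flipping and applies it to GF(2) matrix-vector maps, which are an assumption chosen for illustration and not the paper's hash function or commitment scheme. All names and sample matrices are constructed.

```python
from itertools import product
import random

def output_locality(f, n):
    """Return, per output bit, the set of input positions it depends on.

    Input bit i influences output bit j if flipping i changes j for at
    least one of the 2**n inputs (exhaustive, so keep n small).
    """
    m = len(f((0,) * n))
    deps = [set() for _ in range(m)]
    for x in product((0, 1), repeat=n):
        y = f(x)
        for i in range(n):
            y2 = f(x[:i] + (1 - x[i],) + x[i + 1:])
            for j in range(m):
                if y[j] != y2[j]:
                    deps[j].add(i)
    return deps

def gf2_linear_map(rows):
    """f(x) = M·x over GF(2), with M given as a list of 0/1 rows."""
    def f(x):
        return tuple(sum(a & b for a, b in zip(row, x)) & 1 for row in rows)
    return f

def sparse_matrix(m, n, weight, rng):
    """Constructed sample: m×n matrix with exactly `weight` ones per row."""
    rows = []
    for _ in range(m):
        ones = set(rng.sample(range(n), weight))
        rows.append(tuple(1 if i in ones else 0 for i in range(n)))
    return rows

def max_locality(rows):
    """Largest number of input bits any single output bit depends on."""
    n = len(rows[0])
    return max(len(d) for d in output_locality(gf2_linear_map(rows), n))

if __name__ == "__main__":
    rng = random.Random(0)  # fixed seed so the run is repeatable
    n, m = 10, 6
    sparse = sparse_matrix(m, n, 3, rng)
    dense = [tuple(rng.randint(0, 1) for _ in range(n)) for _ in range(m)]
    print("row-weight-3 matrix, max locality:", max_locality(sparse))
    print("uniform random matrix, max locality:", max_locality(dense))
```

For a linear map the locality of an output bit equals the Hamming weight of its matrix row, so a uniformly random matrix gives locality that grows with n while a fixed row weight keeps it constant.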


Summary

Preliminaries

We summarize the notations used in this paper.
(1) 1^k: security parameter
(2) a: message string
(3) r: random string
(4) com: commitment string
(5) dec: decommitment string
(6) ε(k): negligible function in k
(7) ex: expand function
(8) pp: public parameters
(9) S(1^k, pp): probabilistic polynomial-time party
(10) R(com, dec): probabilistic polynomial-time party which executes in the decommitment phase
(11) Rcom(pp, com): probabilistic polynomial-time party which executes in the commitment phase
(12) c, d: output locality in the ex function
(13) ⊥: rejection symbol output by R for invalid inputs
(14) Hw(x): Hamming weight of x
(15) Δ(x): the ratio of “1”s in x
(16) HMex: the hash function we used in this paper
(17) CommMex(S, R): our proposed commitment scheme
(18) N: set of natural numbers
(19) m < n ∈ N
(20) M(1^n): matrix sampler that generates a uniformly random m × n matrix

A commitment scheme Comm(S, R) is computationally hiding if for every probabilistic polynomial-time party Rcom, |Pr_{y1}[Rcom(pp, y1) = 1] − Pr_{y2}[Rcom(pp, y2). We define the collision resistance of a hash function in Definition 5. We have an arbitrary probabilistic polynomial algorithm, Adv, given a description of the hash function and length parameter as inputs.
(iii) Balanced simulation: the distribution S(y) induced by choosing y ←_R {0, 1}^l is identical to the uniform distribution over {0, 1}^s
(iv) Length preserving: the difference between the output length and the total input length of the encoding, s − (n + m), is equal to the difference l − n between the output length and the input length of f

Building Blocks
Proposed Commitment Scheme
Concluding Remarks