One-way group actions

Abstract

Bit commitment schemes are central to all zero-knowledge protocols [GMR89] for NP-complete problems [GMW86, BC86a, BC86b, BCC88, BCY89, FS89, etc.]. One-way group actions is a natural and powerful primitive for the implementation of bit commitment schemes. It is a generalization of the one-way group homomorphism [IY88], which was not powerful enough to capture the bit commitment scheme based on graph isomorphism [BC86b]. It provides a unified theory for all the known bit commitment schemes that offer unconditional protection for the originator of the commitments, and for many of those that offer her statistical protection. (Unconditional protection means that the value of the bit committed to is always perfectly concealed. Statistical protection either means that this is almost always the case, or that only an arbitrarily small probabilistic bias about this bit can leak; in either cases, statistical protection must hold even against unlimited computing power.) Bit commitment schemes based on one-way group actions automatically have the chameleon property [BCC88] (also called trap-door [FS89]), which is useful for the parallelization of zero-knowledge protocols [BCY89, FS89]. Moreover, these bit commitment schemes allow the originator of two commitments to convince the receiver that they are commitments to the same bit, provided that this is so, without disclosing any information about which bit this is. In addition, one-way group actions are also a natural primitive for the implementation of claw-free pairs of functions [GMRi88].