Possibility and impossibility results for selective decommitments

Abstract

The selective decommitment problem can be described as follows: assume that an adversary receives a number of commitments and then may request openings of, say, half of them. Do the unopened commitments remain secure? Although this question arose more than twenty years ago, no satisfactory answer could be presented so far. We answer the question in several ways: 1. If simulation-based security is desired (i.e., if we demand that the adversary's output can be simulated by a machine that does not see the unopened commitments), then security is not provable for noninteractive or perfectly binding commitment schemes via black-box reductions to standard cryptographic assumptions. However, we show how to achieve security in this sense with interaction and a non-black-box reduction to one-way permutations. 2. If only indistinguishability of the unopened commitments from random commitments is desired, then security is not provable for (interactive or noninteractive) perfectly binding commitment schemes, via black-box reductions to standard cryptographic assumptions. However, any statistically hiding scheme does achieve security in this sense. Our results give an almost complete picture when and how security under selective openings can be achieved. Applications of our results include: - Essentially, an encryption scheme must be non-committing in order to achieve provable security against an adaptive adversary. - When implemented with our secure commitment scheme, the interactive proof for graph 3-coloring due to [28] becomes zero-knowledge under parallel composition. On the technical side, we develop a technique to show very general impossibility results for black-box proofs. © International Association for Cryptologic Research 2009.