A Fuzzy Commitment Scheme

A FUZZY COMMITMENT SCHEME Alawi A. Al-sa ggaf Computer Science and E ngineering Colle ge Al-Ahgaff Univ ersity – Hadhramout Republi c of Yemen alwiduh@ yahoo.co m Acharya H. S. Symbiosis Institute of Com puter Studie s and Research Symbiosis In ternational Uni versity – Pune-India haridas.acharya @symbiosiscomputer s.com ABSTRACT This paper attempt has been made to expl ain a fuzzy commitment scheme. In t he conventional Commi tment schemes, both commit ted string m and vali d opening key are required to e nable the sende r to prove the commitment. However the re could be ma ny instance s where the transmissio n involves no ise or minor errors arising p urely because of the factors ove r which ne ither the s ender nor t he receiv er have an y cont rol. The fuzzy commitm ent scheme pre sented in th is paper is to accept the ope ning key that is close to the origin al one in sui table dis tance metr ic, but not necess arily identical. The conce pt itself is illustrated with the help of simple situ ation. KEY WORDS Cryptography, Error Correcting C odes, Fuzzy log ic and Commitment scheme. 1. Introduction The notion of Commitment schem e is at the heart of most the constructions of m odern Cryptography protocols. P rotocols are essentially a set of rules associated with a process or a scheme de fining the process. Commitment schemes are the processes in which the interests of the parties involved in a process are safe guarded and the process itself is made as fair as possible. Commitment protocols were first introduced by Blum [1] in 1982; many more Commitment Schem es were later developed with improved features [5, 6, 7, 8, 12, 13]. Moreover in the conventional Commitment schemes, ope ning key are required to enable the sender to prove the com mitment. However there could be many instances where the transm ission involves noise or minor errors arising purely beca use of the factors over w hich neither the sende r nor the receiver have a ny control. Our aim in this paper to describe commitment sc hemes, which use algorithms to counter possible uncertainness. Uncertainty leads to introduction of fuzzy sets and fuzzy logic[2] in to the protocol itself. Fuzzy commitment scheme was first introduced by Juels and Martin [3] , fuzziness also introduced later in [4, 14,15] for generating cryptographic ke ys. They add new property called " fuzziness " in the open phase to allow, acceptanc e of the commitment using corrupted opening key that is close to the or iginal one in appropriate metric or distance. In this paper we have attempted a more form al and mathematical definition of fuzzy commitment sche mes. An overview of commitme nt schemes and description of related work is also incorporated. A brief introduction of error correcting codes, w ith real life situation to illustrate is attempted. 2. Crisp Commitment Schemes In a conventional commitment schem e, one party, whom we denote the sender namely Alice, aim to e ntrust a concealed m essage m to the second party nam ely Bob. Intuitively a commitment scheme ca n be seen as the digital equivalent of a sealed envelope. If Alice wants to commit to some m essage m she just puts it into the sealed envelope, so that whene ver Ali ce want s to reve al the message to Bob, she opens the envelope. Clearly, such a me chanism can be useful only if it meets some basic requirements. First of all the digital envelope should hide the message fr om: Bob should be able to learn m from the commitment (this is often referred in the literature a s the hiding property). Second, the digital envelope should be binding, meaning w ith this that Alice can not change her mind about m , and by checking the opening of the commitment one can verify that the obtained value is actually the one Alice had in mind originally (this is often referred to as the binding property). Definition 1: A Commitment scheme is a tuple { P, E,M } Where M ={0,1} n is a message space, P is a set of individuals , ge nerally with three elem ents A as the committing party, B as the pa rty to whi ch Commitment i s made and TC as the trusted par ty , E = { ( t i , e i ) } are call ed the events occu rring at times t i , i = 1,2,3 , as per algorithms e i , i = 1,2,3. The scheme always culmi nates in ei ther acceptance or rejection by A and B. The environm ent is se tup init ially, accor ding to the algorithm Setupalg (e 1 ) and publishe d to the parties A and B a t time t 1 . During the Commit phase, A uses algorithm Commitalg (e 2 ), which enc apsulates a message m  M, along with s ecret stri ng S  R {0,1} k in to a string c. The open ing key (secret key) cou ld be formed using both m and S. A se nds the result c to B( at tim e t 2 ). In the Open phase, A sends the procedure for revealing the hidden Comm itment at tim e t 3 , and B uses this. Openalg (e 3 ): B constructs c’ using Commitalg , message m and opening ke y, and chec ks weather the resul t is same as the commitm ent c . Decision making: If ( c = c' ) Then A is bound to act as in m Else he is free to not act as m 3 - Fuzzy Commitment Formally Defined: When w oul d a co mmitm ent s cheme as in def initi on 1 become fuzzy? At the stag e of decision making. This result of unc ertainties tha t make cr op up dur ing transmi ssion noi se. We may fo rmalize t he whole process by properl y defining it. Definition 2 : A Fuzzy Commitment sch eme is a tuple {P, E, M, f } Where M  {0,1} k is a me ssage space w hich cons ider as a code, P is a se t of individ uals , generally w ith three eleme nts A as the committin g party, B as the party to whic h Commitmen t is made a nd TC as the trusted party , f is er ror correction fu nction ( def. 5) and E = { ( t i , e i ) } are call ed the events occu rring at times t i , i = 1,2,3 , as per algorithms e i , i = 1,2,3. The scheme always culmi nates in ei ther acceptance or rejection by A and B. In the setup ph ase, the enviro nment is se tup initial ly and public comm itment key CK generated, according to t he algorithm Setupalg (e 1 ) and publi shed to the par ties A and B at time t 1 . During the Com mit phase, Alice commi ts to a mess age m  M according t o the algorithm Commitalg ( e 2 ) into st ring c. In th e Open phas e, A sends the procedure for reveali ng the hidden Commitment at time t 3 and B use this. Openalg (e 3 ): B constructs c ’ using Commitalg , message t(m) and opening key, and chec ks weather the re sult is same as the received comm itment t(c), where t is the transmission f unction. Fuzzy decision m aking: If (nearest(t(c), f (c') ) ≤ z 0 ) T hen A is b ound t o a ct as i n m Else he is free to not act as m 4-Numerical example: Let P = { Alice, Bob} i.e. we conside r a situat ion where there is not truste d party. Message spac e : Let M ={0000, 1 011, 0101, 1110, 1010, 1100, 1111} ⊂ {0,1} 4 . Message : let m= 1011 Encoding functi on : Let g: M → {0,1} 7 be one to one function de fined as : g(M) = C ={0000000 = g(0000), 0 100101 = g(1011) , 0010011= g(0101), 0 110110=g(1 110), 1011010=g (1010), 110 1100 =g (1100) ,1111111 = g(1111)} ⊂ {0,1} 7 The image set C under g is a code se t, which is sa tisfies the closure pr operty under XOR operatio n, an element of C is also called a codeword . Setup ph ase : At time t 1 , it is agreed between all that CK ≅ XOR f ≅ nearest ne ighbou r in set C. z 0 =0,20. Commit phase : A t time 2 Alice comm itted to her massage m =1011. She know s that g(m)= g(1011)=010 0101 For sake of secrecy she selects S  R C at random, Suppose S=10 11010. Then her com mitment c = Commitalg (CK, g(m ), S) = g(m) XOR S= 1111111 Alice sends c to Bob, w hich Bob wil l receive as t(c), where t is the tr ansmission funct ion. Let the transm itted value t(c) = 1011111, which includes noise. Open ph ase : At time t3 Alice disc loses the proce dure g(m) and S to Bob t o open the commitment. Suppose Bob gets t(g(m))= 1100101 and t (s)=1011010. Bob compute c’= Commitalg (CK,t(g(m)),t(s))=t(g(m))XORt(S)=0111 111. Bob check tha t dist(t(c), c’)=2, he will re alize that there is an error occur during t he transmission. Bob apply the error corre ction function f to c’: f (c’)=111111 1 (the nearest neig hbour of c’=01 11111 is 1111111). Then Bob will c ompute nearness(t(c),f(c’))=dist(t(c),f( c’))/n =1/7 =0.14. (de f.6) Sine 0.14  z 0 =0,20. Then FUZZ(f(c’=0111111))=0 (def.7). Bob accepted t(c)=f(c’ )=111111 1. Finally Bob c alculate g -1 (1111111)=1011. 5- Error Correcting Codes: Definition 3: A metric space is a set C with a distance function dist:C  C  R + =[0, ∞ ), which obe ys the usua l properties (sym metric, trian gle inequalit y, zero distance between equa l points). Definition 4: Le t C {0,1} n be a code set which c onsists of a set of codewords c i of length n . The distan ce metri c between any t wo codewor ds c i and c j in C is defined by dist(c i ,c j )= c i ,c j  C. This known as Hamming dista nce[16] Definition 5: An error correction function f fo r a code C is defined as f (c i )={c j │ dist(c i ,c j ) is the minimum, over C-{c i }} Here c j =f(c i ) is called the nea rest neighb or of c i . Definition 6: The measure ment of near ness between two codewords c and c’ is defined by nearness(c,c’)=dist(c,c’)/n, it is obvious t hat 0  nearness(c, c’)  1. Definition 7: The fu zzy membership function f or a codeword c’ to be equal to a give n c is define d as FUZZ(c’)= 0 if ne arness(c,c’)=z  z 0  1 =z other wise 6- Real Life Situation :(Testament ): Alice wants to write a tes tament to declare she passes all her fortune to he r son Bob after her death. Of co urse, the Alice's attorney is play ing the role of the authori ty. Setup phase: at time t 1 Attorney publishe d to Alice and Bob an enve lope as a pub lic comm itment key, error correction function f and z 0 Commit phase: a t time t 2 Alice write s her testam ent m and put it in a sealed envel ope (comm itment c) and gives to her son Bob. Durin g the time pass some letters of the testam ent corrupte d we assume that i t is t(c). Open phas e: at time t 3 (death time of Alice ) Attorney on behalf of Alice meet Bob and reveal to h im the origin al testament (a lso during the time m ay be some let ters corrupted of the original testame nt i.e. t(m)), they open the envel ope to obtain the testamen t m’, a nd they cal culate • nearness(t(m), f (m’)) • If (FUZZ(m’)=0) Then m’=m Else m’  m 7- Fuzzy Commitment Schemes from Literature: Name of the paper Name of the autho r Year of publishing Concepts used A fuzzy commitment scheme A. Juels and Martin W. Sixth ACM Con fer enc e on Computer a nd Communications Sec urit y, pages 28-36, ACM Press. 1999. Cryptography, Error correcting codes an d commitment schemes, fuzzy logic Error- Tolerant password recovery N.Frykholm and A. Juels Eighth ACM Confere nce on Computer and Communications Security , page s 1-8. ACM P ress. 2001 Error correcting cod es, Cryptography and fuzzy commitment scheme 8- Concluding remarks: We have atte mpted to form alize defi nition of a fuzzy commitmen t scheme by intro ducing a fuzzy membership function at the openin g algorithm stage. Intr oduction of error correc tion functio n was intro duced by ma ny research wor kers earlier [16,17,19]. Introductio n of the Fuzzy mem ber ship function m akes the use o f word fuzzy more expl icit. References [1] Manuel Blu m, Coin fli pping by te lephone. Advances in Cryp tology: A Report on CR YPTO ’81 , pp. 11–15, 1981, http://www.cs.cm u.edu/~mblum/resear ch/pdf/coin / [2] George J. Klir a nd Bo Yuan, Fuzzy Sets and Fuzzy Logic theory and applica tions, Pr entice Hall of India private l imited, Ne w Delhi 2000. [3] A. Juels and M. Wa ttenberg. A fuzzy Commitment Scheme . In Proceedings of the 6th ACM Conference on Computer and Communication Security , pages 28–36, Nove mber 1999. [4] A. Juels and M. Sudan, “ A fuzzy vault scheme ,” Proceedings of IEEE Internation Symposium on Information Theory , p.408, IEEE Press, Lausanne, Switzerland, 2002.. [5] Torben Pryds P edersen, Non-Inter active and Information- Theoretic Se cure Verifiable Secret Sharing. Advances in Cryp tology - CRYPT O ’91, 11th Annual Internatio nal Cryptology Confere nce , pp. 129–140,1 991, http://www .cs.cornell.edu/co urses/cs754/2001 fa/12 9.PDF . [6] M.Naor: Bit C ommitment usi ng pseudo- randomness, J. of Cryptology, Volume 4 , pp. 151- 158 http://www .wisdom.weizm ann.ac.il/~ naor/topic.h t ml [7] Shai Halevi, Silvio Mica li, Practica l and Provably- Secure Commitment Scheme s from Collision-Fr ee Hashing. Adv ances in Cryptolo gy - CRYPTO ’96, 16th An nual Int ernational Cryptology Conf erence , pp. 201–215, 1 996, http://cobl itz.codee n.org:31 25/citese er.ist.p su.edu/c ache/papers/cs/ 778/ftp:zSzz Sztheory.lcs.m it.eduzSz pubzSzpeop lezSzshaihzS zcomitmnt 2.pdf/ha levi96p ractical .pdf . [8] Shai Halevi, Eff icient Commitm ent Schemes w ith Bounded sender and Un bounded Receiver, Proceedings of C rypto '95 LNCS. Vol .963 Springer- Verlag 1995 pa ges 84-9 6. http://citeseer. ist.psu.edu/ halevi96efficie nt.html [9] Hans Delfs a nd Helmu t Knebl: I ntroduc tion to Cryptogr aphy principle an d applicati ons Springer- Verlag Berlin He idelberg 2002. [10] William Stal lings, 2001: Network Security Essentials applications and standards, Wesley Longman (Singapore) Ptd. Ltd. Indian branch. [11] Alfred Menez es, Paul V an Oorschot and Scott Vanstone: Handb ook of App lied Crypt ography CRC press 1996. [12] Ivan Damg°ard, Jesper Buus Nielsen, Comm itment Schemes and Zero-Kno wledge Protoco ls , 2006, http://www .daimi.au.dk/~ ivan/ComZ K06.pdf . [13] Eiichiro Fujis aki, Tatsua ki Okamot o, Statistical Zero Knowl edge Protocols t o Prove Modula r Polynomial Rel ations. Advanc es in Cryptolog y - CRYPTO ’97, 17t h Annual Int ernational Cryptology C onference, pp. 16–30, 1997, http:// dsns.csie.nctu.edu .tw/research/ crypto/HTML/ PDF/C97/16.PDF [14] Xavier Boye n. Reusable Crypt ographic F uzzy Extractors. In 11t h ACM Conference on Computer and Comm unications Security (CCS 20 04) , pages 82-91. ACM Press, 2004.. [15] Yevgeniy D odis, Le onid Reyzin, and Ada m Sm ith, Fuzzy extracto rs: How to ge nerate stron g keys from biometrics a nd other noisy data, In Proceeding s of the Inte rnational Conference on Advances in Cryptology (E UROCRYPT ’04), Le cture Notes in Computer Scie nce . pp. 523-540, Springer Verlag, 2004. [16] V.Pless, Introduction to theory of Er ror Correcting Codes Wiley, New York 1982. [17] G.A. Jone s and J.M. Jo nes: Informatio n and Coding Theor y Springer-Ve rlag London Lim ited 2000. [18] N. Frykholm and A. Juels, Er ror-Tolerant Passw ord Recovery. In P. Samarati, ed., Eighth ACM Conference on Computer a nd Communications Security , pages 1-8. ACM Press. 2001. [19] R.J. McEliece , The The ory of Information and Coding. Camb ridge Univ. Press, 2002.