Commitment protocols. Consider the case of first-price sealed-bid auctions: the participants place their bids in sealed envelopes that are later on opened to determine the winner and how much he will pay. The sealed envelopes play a crucial role in this protocol since they protect the secrecy of each bid during the bidding process but at the same time they preclude the winner from changing his bid after the first phase. In the digital world, commitment protocols have a role similar to that of the sealed envelopes. They are cryptographic protocols involving two mutually distrustful parties, Alice and Bob. The idea of the protocol is very simple: in a first phase Alice commits to a value by sending some information to Bob which commits her to without revealing it. Later on, Alice can execute with Bob a second phase of the protocol in order to reveal the value . From Alice’s point of view the protocol should guarantee that after the first phase no information about is leaked to Bob. From Bob’s point of view the protocol should guarantee that Alice cannot change her mind after the first phase, i.e., there is at most one value that Alice can successfully open in an eventual execution of the second phase.
Commitment was introduced by Blum  and is one of the most fundamental cryptographic protocols, widely used as sub-protocol in applications such as secure multi-party computation [2, 3, 4], contract signing  and zero-knowledge proofs [6, 7, 8]. In this work we are interested in commitment protocols that are information-theoretically secure, i.e., both security guarantees should hold even against (computationally) unbounded adversaries.
Noise-based cryptography. The potential of noisy channels for cryptographic purposes was first noticed by Wyner  who proposed a scheme for exchanging a secret-key in the presence of an eavesdropper (henceforth denote Eve). Wyner considered a model in which Eve receives the transmitted symbols over a degraded channel with respect to the legitimate receiver ’s channel. This possibility result was later extended to the class of general (non-degraded) broadcast channels by Csiszár and Körner . Both models did not consider public communication. Maurer  proved that public communication can improve the parties’ ability of generating a secret. Ahlswede and Csiszár  also improved the previous results.
In the case of commitment protocols, the first solution based on noisy channels was developed by Crépeau and Kilian . The efficiency of the commitment protocols based on noisy channels was later improved by Crépeau .
In all these pioneering works, the case where an adversary can control the characteristics of the channel was not considered.
Unfair noisy channels. Damgård et al. 
proposed a more realistic model, called unfair noisy channels (UNC), in which the error probability of the channel is not exactly known by the protocol participants and can be influenced by malicious parties. The honest parties only know that the crossover probability is betweenand (for ), and an adversary can set the crossover probability to any value in this range. Damgård et al.  proved that using UNC with certain parameters it is possible to implement an information-theoretically secure commitment protocol.
Recently a variant of UNC known as elastic channel has been studied. On one hand, it has two restrictions with relation to UNC: (1) only a corrupt receiver can manipulate the crossover probability to any value in the range ; (2) when both parties are honest the crossover probability is always . On the other hand, commitment (and even oblivious transfer) can be obtained for all parameters [16, 17].
Commitment capacity. Since noisy channels are valuable resources for cryptography, an important question is determining the optimal rate in which they can be used to implement the diverse cryptographic primitives. In the case of commitment this amounts to determining the optimal ratio between the length of the committed values and the number of uses of the noisy channel (i.e., the commitment capacity of the channel). This problem was first raised by Winter et al. , who also answered the question for the case of discrete memoryless channels. After that, the commitment capacity of Gaussian channels was obtained by Nascimento et al. . The question of determining the optimal way of using noisy channels was also studied for other cryptographic tasks, for instance in the vast literature on secrecy capacity [9, 10, 20, 21, 11, 12, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33] and also in the works that deal with the oblivious transfer capacity [34, 35, 36, 37, 38].
Our contribution in this work is determining the commitment capacity of unfair noisy channels. The work is organized as follows. In section II we establish our notation and present some existing results that will be used thereafter. In section III, we introduce the model and the security definitions, and also state our main theorem. In section IV we prove the direct part of the theorem and in section V the converse. We finish with some concluding remarks in section VI.
We will denote by calligraphic letters the domains of random variables, by upper case letters the random variables and by lower case letters the realizations of the random variables. Other sets are also denoted by calligraphic letters and the cardinality of a setis denoted by . For a random variable over
, we denote its probability distribution bywith . For a joint probability distribution , let denote the marginal probability distribution and let
denote the conditional probability distribution if. We write
for a random variable uniformly distributed over.
If an algorithm (or a function) is randomized, we denote by the result of computing on input with randomness . If and are two strings of bits of the same length, we denote by their bitwise XOR and by their Hamming distance. The logarithm used in this paper are in base 2.
The binary entropy function of is denoted by . For finite alphabets and random variables , the entropy of is denoted by and the mutual information between and by . The min-entropy is given by
Its conditional version is defined as
The max-entropy is defined as
and its conditional version is given by
The statistical distance between two probability distributions and over the same domain is
For the -smooth versions of the above entropies are defined as
Ii-C Strong Extractors and the Leftover-Hash Lemma
In the direct part of our proof we will use strong randomness extractors, therefore we present here the relevant definitions and properties.
Let be a probabilistic polynomial time function which uses bits of randomness. We say that is an efficient if for all probability distributions with and such that , for random variables uniformly distributed in the bit-strings of length and uniformly distributed in the bit-strings of length , we have that .
Definition II.2 (-Universal Hash Functions)
A class of functions is -universal if, for any distinct , when is chosen uniformly at random from , the induced distribution on is uniform over .
Lemma II.3 (Leftover-hash lemma)
Assume that a class of functions is 2-universal. Then for selected uniformly at random from we have that
In particular, universal hash functions are whenever .
The following lemma by Rompel will be also useful.
Lemma II.4 ()
Suppose is a positive even integer, are -wise independent random variables taking values in the range , , , and . Then
Iii Problem Statement
Iii-a Unfair Noisy Channels
Since commitment protocols that are information-theoretically secure cannot be implemented from scratch, the efforts were focused on obtaining such protocols based on physical assumptions. One of these assumptions is the existence of noisy channels that can be used by the parties. Binary symmetric channels are known to allow the implementation of commitment schemes [13, 14]. But these protocols have the disadvantage that they rely on the assumption that a malicious party do not interfere with the channel to try to modify its error probability.
Damgård et al.  introduced a more realistic assumption, namely unfair noisy channels, that is a modification of the binary symmetric channel. In this model, a channel is specified by two parameters: and (with ); and the channel is denoted as -UNC. The error probability of the channel is guaranteed to fall into the interval , but is not known by the honest parties. Therefore any protocol based on a -UNC should work for any error probability in the range . On the other hand, a malicious party can set the error probability to any value in the range .
Definition III.1 (Unfair Noisy Channels)
The -UNC receives as input a bit and outputs a bit . The transition probability of the -UNC is determined by an auxiliary parameter whose alphabet are the real numbers in the interval . If the transmitter or the receiver is malicious, he can choose the value of ; otherwise it is randomly chosen and is not revealed to the parties. The transition probability is given by if and if .
Damgård et al.  proved that, on one hand, if then the -UNC is trivial (i.e., secure commitment protocols cannot be based on this channel). On the other hand, if then there is a commitment protocol based on the -UNC.
Remark: Note that a -UNC can equivalently be seen as the concatenation of two binary symmetric channels, with error probability and with error probability for . The error probability of the channel can be controlled by a malicious party and it is unknown in the case that both parties are honest.
We say that two strings and are -compatible with an -Unfair Noisy Channel if, for , the Hamming distance () of and is at most . Similarly, two random variables and are said to be compatible with an -Unfair Noisy Channel if is negligible in .
Iii-B Commitment Capacity
Since -UNC are valuable resources, one would like to use them in the most efficient way. Hence the important question of determining the commitment capacity of these channels arises. Our goal in this work is to determine the commitment capacity of unfair noisy channels in the same way that Winter et al.  did for the discrete memoryless channels and Nascimento et al.  did for the Gaussian channels. Let us begin by defining the concept of commitment protocols and recalling its security notions.
A commitment protocol has two phases: called commitment and opening. There are two parties involved in the protocol: the committer (also denoted Alice) and the verifier (also denoted Bob). The protocol works as follows. In the commitment phase, Alice commits to a value , but without revealing anything about it to Bob. Later on, Alice can execute the opening phase to disclose the value to Bob. The security guarantee that Alice expects from the protocol is that nothing about should be learned by Bob in the first phase, while the security guarantee that Bob expects is that Alice should not be able to change the value committed to after the first phase. We proceed with a more detailed description of these definitions and of the resources available to the parties in our model.
Alice and Bob have two channels available between them:
a bidirectional authenticated noiseless channel, and
-UNC from Alice to Bob
Note that this model allows multiple uses of the -UNC within a protocol in an interactive manner. Let denote the number of times that the parties use the -UNC channel.
A commitment protocol is a family of protocols indexed by the security parameter . Each protocol uses the -UNC times and proceeds in two phases as described below. For the sake of simplicity in the notation we will not explicitly mention the dependence on the security parameter. Both parties have access to local randomness. Note that all the messages generated by Alice and Bob are well-defined random variables, depending on the value that Alice wants to commit to, , and the local randomness of the parties. As usual, we assume that the noiseless messages exchanged by the players and their personal randomness are taken from .
Alice has an input (from the message space ) that she wants to commit to. There are rounds of communication through the -UNC and in each of these rounds Alice inputs a symbol to the -UNC and an output is delivered to Bob. Let be the random variable denoting the bitstring sent through the -UNC and the bitstring received through the -UNC. The parties can use the bidirectional authenticated noiseless channel at any time, with the messages possibly depending on , and the local randomness. Let be the random variable denoting all the noiseless messages exchanged between the players,
The parties only exchange messages over
the noiseless channel. Alice announces the value and the bitstring that she claims that she used during the
first phase. Finally Bob executes a test
in order to decide if he accepts the value or not.
We call Bob’s view all the data in his possession after the completion of the commitment phase and denote it by .
A commitment protocol is -sound if for honest Alice and Bob executing the protocol and for all and for any compatible with for the -UNC,
A commitment protocol is -concealing if for any possible behavior of Bob in the commitment phase,
A protocol is -binding, if for all such that and for any strategy of (a dishonest) Alice to pick the random variable that is sent through the -UNC channel, and the random variables and that are presented during the opening phase
We call a commitment protocol secure if there exists a function that is negligible in the security parameter and is such that the protocol is -sound, -concealing and -binding.111For easy of presentation the security of the constructions is argued in the stand-alone model (as usual in cryptography) in which case there is only one execution of the protocol. But the security of the commitment protocols based on noisy channels can be extended to the UC framework  in which the protocols can be composed and arbitrary protocols can be executed in parallel [50, 51].
Remark: We restrict our model to protocols where the public conversation does not depend on the channel output given , that is . This is indeed the case for all the protocols in the literature. Moreover, the public communication is used solely to prevent Alice from cheating, thus we see no reason for a commitment protocol based on noisy channels to have its public communication depending on the channel output for a given input .
The commitment rate of the protocol is given by
A commitment rate is said to be achievable if there exists a secure commitment protocol that achieves this rate. The commitment capacity of a -UNC is the supremum of the achievable rates.
The commitment capacity of any non-trivial -Unfair Noisy Channel is given by
Iv Protocol - Direct Part
We first prove the direct part of the theorem, i.e., we describe the protocol that achieves the commitment capacity and prove its security. The protocol follows the approach of Damgård et al.  and uses two rounds of hash challenge-response in order to guarantee the binding property: the intuition is that the first round reduces the number of inputs that Alice can successfully open to be polynomial in the security parameter. The second round then binds Alice to one specific input. The concealing condition is achieved using a 2-universal hash function
chosen by Alice that is used to generate a secure key which is then applied as a one-time pad to cipher.
Let and let be a parameter of the protocol. Let , , be parameters such that , , and , and are integers. In the following commitment protocol the message space is .
Commitment Phase: Alice wants to commit to the binary string . The parties proceed as follows:
Alice chooses a random binary string of dimension and for sends the bit to Bob over the -UNC.
Bob receives the string sent over the -UNC, chooses uniformly at random a function of the class of -universal hash functions , and sends the description of to Alice over the noiseless channel.
Alice computes and sends it to Bob.
Bob chooses uniformly at random a function of the class of -universal hash functions , and sends its description to Alice over the noiseless channel.
Alice chooses uniformly at random a function of the class of two-universal hash functions, computes and , and sends , and the description of to Bob over the noiseless channel.
Opening Phase: Alice wants to reveal the value of to Bob. The parties proceeds as follow:
Alice sends to Bob over the noiseless channel the values and .
Bob checks if , if , and if . Bob accepts if there are no problems in the tests.
The protocol is secure and can achieve the commitment rate for any and sufficiently large.
Proof: We proof that the protocol is binding, concealing and sound, and furthermore achieves the desired commitment rate.
The protocol fails for honest Alice and Bob only if or . We have that the expectation of is less than or equal to , because the -UNC has error probability less than or equal to . So the Chernoff bound guarantees that the probability that is a negligible function of . Similarly we can prove that the probability that is a negligible function of .
For any and sufficiently large, we have that
where the first inequality follows from the chain rule for smooth entropy, the first equality from the fact that are functions of , and , the second equality from the fact that is independent of , given and the last inequality follows from the facts that the error probability of the channel is at least , the range of has cardinality and the range of has cardinality .
Setting (with ), for sufficiently large, the security of the key obtained by applying the hash function to follows from the leftover-hash lemma since and and can be arbitrarily small for sufficiently large. Note that having a negligible statistical distance is equivalent to having a negligible mutual information .
A dishonest Alice can cheat successfully only if she finds two different strings and such that , , and both pass the sequentially performed hash challenge-response tests, for arbitrarily small and sufficiently large . We can assume without loss of generality that Alice sets the error probability of the channel to when she sends . In the typicality test an honest Bob accepts any string that is jointly typical with for any error probability . So Alice can cheat only if she finds two strings and so that both pass the hash tests and are jointly typical with for binary symmetric channels with error probabilities and . The number of such jointly typical strings is upper bounded by for any and sufficiently large. We fix .
Let the viable set denote the channel inputs that Alice can possibly open to Bob and he would accept. If there were no hash checks, the viable set would have at most elements. Lets consider this initial viable set. The goal of the first round of hash challenge-response is to, with overwhelming probability, reduce the number of elements of the viable set to at most . In this first round, Alice has to commit to one arbitrary value for the output of the hash function . Considering the -th viable string before this first round, we define as if that string is mapped to by ; and otherwise. Let . Clearly as . Let be considered bad if is bigger than . Given that is -wise independent, by applying Lemma II.4 with and , we get
Then the probability that any is bad is upper bounded by
But if the viable set contains at most elements after the first hash challenge-response round, the probability that some of those collide in the second hash challenge-response round is upper bounded by
which is negligible in .
For sufficiently large, and can be made arbitrarily small, and thus can also be made arbitrarily small while preserving the security of the protocol. Therefore it is possible to achieve the commitment rate for any .
For proving the converse, we will assume a specific cheating behavior for Alice. As we are interested in proving an upper bound in the commitment capacity, restricting Alice’s behavior will only strength our result. Let and be uniformly random over . Let be a random variable representing the data Alice inputs into the unfair noisy channel. Assume, Alice sets the noise level of the unfair noisy channel connecting her to Bob to . Let be a random variable obtained by passing through the unfair noisy channel (Channel 1). Let be a random variable obtained by passing through a binary symmetric channel with error probability equal to with (Channel 2). Denote the conversation over the public authenticated and noiseless channel by .
In the case of commitments based on fair noisy channels, it was proved in  that after the commit phase is finished, if Bob is presented with Alice’s inputs to the channel, , he is able to obtain almost complete knowledge on the committed value . Here we will prove that in the case of unfair noisy channels if Bob is presented with a noisy version of he is still able to compute the committed value with high probability.
for negligible in .
Proof: Let and be defined as above. We first give a procedure so that the commitment
can be estimated with high probability fromand .
The procedure is as follows: given and , compute the value that maximizes , breaking ties in an arbitrary way. Because of the bindingness condition, we know that no two different values of will be accepted with high probability
for all and compatible with .
Moreover, from the correctness property of the protocol and from the fact that and are compatible for the unfair noisy channel in question, we know that for the correct value we have
Thus, with high probability this procedure will give us the right committed value . Let be the probability that this procedure returns a wrong value. Using Fano’s inequality we get
One can prove that the output of the channel is not needed in the above described procedure. The intuition is that is a “less noisy” version of and thus can be used (instead of ) for retrieving the value of the commitment. In order to formalize this result, we need to use the assumed independence of the public conversation and given , i.e., . First, we pass (or simulate the passing of) through a binary symmetric channel with error probability . Denote the output of the simulated channel by . Note that and are compatible. Moreover, given the fact that the public conversation is independent of given , we have that the public communication of the protocol using Channel 1 (), and are a valid transcript of a commitment protocol (the correctness, binding and concealing properties should apply). Thus, one has from the correctness property that
From bindingness we have that
for all and compatible with .
Again, using Fano’s inequality we get
Because the Markov chainholds, we have that , which proves our result.
We have that
where inequality 1 comes from the -concealing requirement and inequality 2 from the previous lemma.
Now we develop the expression using the same steps used on the Section V of the seminal work of Csiszár and Körner ; the details are included for the sake of completeness. Let denote and denote . We expand starting from and starting from
Similarly we obtain
We have that
Similarly we can get that
Letting be a random variable uniformly distributed in and independent of , and setting , , , and we get that form a Markov chain and
Putting everything together, for any secure commitment protocol, there are such that
where goes to 0 for sufficiently large.
We now set . In our case channel 2 is less noisy than channel 1, therefore maximizing over all we get
where inequality 4 comes from the fact that both expressions in the brackets are non-negative since channel 2 is less noisy than channel 1 and inequality 5 follows taking the maximum over . Hence
where goes to 0 for sufficiently large. This completes the proof of the converse.
Vi Final Remarks
In this paper we obtained the commitment capacity of the unfair noisy channels. A similar notion of capacity for oblivious transfer was defined in . We state as an open problem to obtain the oblivious transfer capacity of unfair noisy channels. Another open question is to derive the commitment capacity of weak channels . In the case of elastic channels, for commitments from Alice to Bob, the channel is essentially degraded to a binary symmetric channel with crossover probability and therefore the commitment capacity is . On the other hand, we conjecture that the commitment capacity for commitments from Bob to Alice is