Efficient String-Commitment from Weak Bit-Commitment and Full-Spectrum Theorem for Puzzles

msra

Abstract
We study security amplification for weak bit-commitment schemes and improve the efficiency of (black-box) transformations in both the information-theoretic and computational settings. Let $\mathrm{Com}_0$ be a (weak) bit-commitment scheme that is p-hiding in the sense that no cheating receiver can guess the committed bit correctly with probability better than (1 + p)/2, and q-binding in the sense that no cheating sender can open in two ways with probability better than q, for some constants p, q with p + q < 1. The task is to transform $\mathrm{Com}_0$ efficiently to a commitment scheme Com that is $2^{-k}$-hiding and $2^{-k}$-binding, where the efficiency is measured by the number of black-box calls to $\mathrm{Com}_0$. Our transformation uses only O(k) calls to $\mathrm{Com}_0$ and moreover, we can commit to an Ω(k)-bit string instead of one bit. These results improve on previous work of Damgård et al. (DKS99) and Halevi and Rabin (HR08), whose transformations require $\Omega(k^2)$ black-box calls to $\mathrm{Com}_0$ and commit to only one bit. To obtain our efficiency improvements, we use error-correcting codes and randomness extractors. Similar methods have previously been applied to information-theoretic settings or computational but non-interactive settings. Our main technical contribution is to carry out the analysis in the interactive and computational setting of commitment schemes. In particular, we prove a "Full-Spectrum Theorem" for puzzle systems which says that the hardness of solving at least r puzzles out of n puzzles, where each puzzle can be solved with probability at most δ, amplifies/degrades at the essentially optimal, information-theoretic rate, namely, the probability that n independent Bernoulli random variables with expectation δ have sum at least r. (Independently, Holenstein and Schoenebeck (HS09) obtained similar results about amplification of puzzle systems.) On the other hand, we provide a way to extract computational entropy in an interactive setting. It is known that in a non-interactive setting, one can extract many bits of computational entropy using the Goldreich-Levin theorem (GL89). By applying the Halevi-Rabin (HR08) Direct Product Theorem for "sequentially" interactive weakly verifiable puzzles, we carry out the analysis in the interactive setting.
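The information-theoretic benchmark named in the Full-Spectrum Theorem, computed as an added example (not code from the paper): the exact binomial tail for "at least r of n puzzles, each solvable with probability δ", and the smallest n at which a threshold rule reaches the $2^{-k}$ target. The function names, the threshold fraction `frac`, and the sample parameters are assumptions made here; the theorem matches this rate only "essentially", so the numbers are the benchmark, not the proven computational bound.

```python
from math import comb, ceil

def binomial_tail(n, r, delta):
    """P[X >= r] for X ~ Binomial(n, delta): the benchmark rate from the abstract."""
    if r <= 0:
        return 1.0          # solving "at least 0" puzzles always succeeds
    if r > n:
        return 0.0          # cannot solve more puzzles than exist
    return sum(comb(n, i) * delta**i * (1 - delta)**(n - i)
               for i in range(r, n + 1))

def min_puzzles(k, delta, frac, n_max=1000):
    """Smallest n such that solving >= ceil(frac*n) of n puzzles has
    benchmark probability <= 2^-k. `frac` is a hypothetical threshold
    fraction chosen for illustration; it must exceed delta to amplify.
    n_max is kept at 1000 so comb(n, i) still converts to a float."""
    target = 2.0 ** -k
    for n in range(1, n_max + 1):
        if binomial_tail(n, ceil(frac * n), delta) <= target:
            return n
    return None             # target not reachable within n_max

if __name__ == "__main__":
    delta = 0.5             # constructed sample: each puzzle solved w.p. <= 1/2
    # Degradation: needing only 1 of 10 is much easier than a single puzzle.
    print("r=1,  n=10:", binomial_tail(10, 1, delta))
    # Amplification: needing all 10 is the classic direct-product case.
    print("r=10, n=10:", binomial_tail(10, 10, delta))
    # With a constant threshold fraction above delta, n grows linearly in k.
    for k in (10, 20, 40, 80):
        print(f"k={k:3d}  n={min_puzzles(k, delta, 0.75)}")
```

The r = n row is the direct-product case; intermediate thresholds are the regime that error-correcting-code-based constructions rely on, since they must tolerate some failed instances.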
Keywords
reductions, puzzles, entropy, interactive proofs, commitment schemes, computational hardness, extractors, hardness amplification