TY - GEN
T1 - On the necessity of collapsing for post-quantum and quantum commitments
AU - Dall'Agnol, Marcel
AU - Spooner, Nicholas
N1 - Publisher Copyright:
© 2023 Schloss Dagstuhl - Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing. All rights reserved.
PY - 2023/7
Y1 - 2023/7
N2 - Collapse binding and collapsing were proposed by Unruh (Eurocrypt '16) as post-quantum strengthenings of computational binding and collision resistance, respectively. These notions have been very successful in facilitating the "lifting" of classical security proofs to the quantum setting. A basic and natural question remains unanswered, however: Are they the weakest notions that suffice for such lifting? In this work we answer this question in the affirmative by giving a classical commit-and-open protocol which is post-quantum secure if and only if the commitment scheme (resp. hash function) used is collapse binding (resp. collapsing). We also generalise the definition of collapse binding to quantum commitment schemes, and prove that the equivalence carries over when the sender in this commit-and-open protocol communicates quantum information. As a consequence, we establish that a variety of "weak" binding notions (sum binding, CDMS binding and unequivocality) are in fact equivalent to collapse binding, both for post-quantum and quantum commitments. Finally, we prove a "win-win" result, showing that a post-quantum computationally binding commitment scheme that is not collapse binding can be used to build an equivocal commitment scheme (which can, in turn, be used to build one-shot signatures and other useful quantum primitives). This strengthens a result due to Zhandry (Eurocrypt '19) showing that the same object yields quantum lightning.
KW - Commitment schemes
KW - Hash functions
KW - Quantum cryptography
KW - Quantum rewinding
UR - http://www.scopus.com/inward/record.url?scp=85168328824&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85168328824&partnerID=8YFLogxK
U2 - 10.4230/LIPIcs.TQC.2023.2
DO - 10.4230/LIPIcs.TQC.2023.2
M3 - Conference contribution
AN - SCOPUS:85168328824
T3 - Leibniz International Proceedings in Informatics, LIPIcs
BT - 18th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2023
A2 - Fawzi, Omar
A2 - Walter, Michael
PB - Schloss Dagstuhl - Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing
T2 - 18th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2023
Y2 - 24 July 2023 through 28 July 2023
ER -