Abstract
Low output locality is a property of functions, in which every output bit depends on a small number of input bits. In IoT devices with only a fragile CPU, it is important for many IoT devices to cooperate to execute a single function. In such IoT’s collaborative work, a feature of low output locality is very useful. This is why it is desirable to reconstruct cryptographic primitives with low output locality. However, until now, commitment with a constant low output locality has been constructed by using strong randomness extractors from a nonconstantoutputlocality collisionresistant hash function. In this paper, we construct a commitment scheme with output locality3 from a constantoutputlocality collisionresistant hash function for the first time. We prove the computational hiding property of our commitment by the decisional bSVP assumption and prove the computational binding property by the bSVP assumption, respectively. Furthermore, we prove that the bSVP assumption can be reduced to the decisional bSVP assumption. We also give a parameter suggestion for our commitment scheme with the 128 bit security.
1. Introduction
The computational complexity of cryptographic primitives is a fundamental problem in the construction of highly efficient and secure protocols [1, 2]. In ITCS 2017, Applebaum et al. achieved pioneering results for lowcomplexity cryptographic constructions of fundamental primitives [3]. Their technique provides a general framework for converting relatively highcomplexity cryptographic functions to lowcomplexity ones, including oneway and pseudorandom functions of low output localities. Furthermore, Applebaum et al. proposed constructions for collisionresistant hash functions of a constant output locality from computationally hard problems of lattices and multivariate polynomials [4]. Interestingly, one of their collisionresistant hash functions with low output locality relies on the hardness assumption of the lattice problem called bSVP assumption.
The output locality is a natural complexity measure of computational efficiency for Boolean functions. It is known that a Boolean function has output locality if each output bit depends on a maximum of input bits. It is obvious that lowoutput locality functions are implementable by lowdepth circuits, implying high parallelizability. In extreme cases, if a function has a constant output locality, it can be decomposed into smaller functions computed using constantdepth circuits in parallel. In IoT devices with only a fragile CPU, it is difficult to execute a single rather large function. For this reason, it is important for many IoT devices to cooperate to execute a single function. In such IoT’s collaborative work, the decomposition property into smaller functions is very useful. Lowdepth cryptographic functions play crucial roles in certain protocols as well as IoT devices. For example, the bootstrapping method requires a lowdepth decryption function as in latticebased fully homomorphic publickey encryption [5].
There are several quantumresistant cryptosystems, such as homogeneous cryptosystems and lattice cryptosystems. Output locality is a technology that encourages collaborative work on cryptography. In particular, the construction of cryptographic primitives that are secure against quantum cryptography and satisfy output locality is significant for the widespread use of IoT devices. This paper aims to construct cryptographic primitives that have output locality and are secure against quantum cryptography.
On the contrary, a commitment scheme is a fundamental protocol and a key building block of basic cryptographic tasks such as zeroknowledge identification [6]. The scheme is conducted between two parties (i.e., a sender and a receiver) through commitment and decommitment phases. In the commitment phase, the sender converts a message into a commitment string and sends it to the receiver. Then, in the decommitment phase, the sender sends the decommitment string where the message is embedded, which allows the receiver to verify if the commitment string was indeed generated from the message or not. A commitment scheme’s security is formalized based on two properties: the hiding property and the binding property. The hiding property guarantees that no receiver can receive partial information of messages before the decommitment phase. Simultaneously, the binding property ensures that no sender can choose one of more than two candidate messages by switching the decommitment strings in the decommitment phase.
The related work is as follows. Note that neither standard commitment schemes such as Pedersen [7] nor HaleviMicali [8] have low output localities. To achieve a commitment scheme with low output locality, two approaches have been investigated until now. One is proposed in [3], where a transformation from collisionresistant hash functions to commitment schemes that preserve low output locality by using strong randomness extractors in order to obtain the hiding property is provided. Their commitment schemes using this general transformation satisfy the output locality of four.
Another one is to avoid using such strong randomness extractors and to construct a commitment scheme directly from a hash function [9, 10], which are our preliminary works. Remark that, in [9], it only proves that the output locality is smaller than the input length, and in [10], it is only claimed that the hiding property is based on the decisional bSVP assumption, whereas no concrete proof was given nor the relation between the decisional bSVP assumption and bSVP assumption was shown. In other words, no secure commitment with output locality3 has been proposed so far without using strong randomness extractors.
Our contributions are as follows. In this paper, we propose a commitment scheme with an output locality of three for the first time. Our construction does not use strong randomness extractors. We construct a commitment scheme directly from a collisionresistant hash function in without using a strong randomness extractor. We prove its computational hiding property and its computational binding property by using the decisional bSVP assumption and bSVP assumption, respectively. Furthermore, we prove that the bSVP assumption can be reduced to the decisional bSVP assumption.
To construct such a commitment scheme, we focus on two primitives. The first is a commitment scheme from the short integer solution (SIS) problem [11]. This scheme makes use of a latticebased collisionresistant hash function of a “matrixvector multiplication” form, i.e., for a matrix , and a vector . Our commitment also follows such a simple construction. As for the latticebased collisionresistant hash function of low output locality, we use the next primitive of a function , where is an expanding function that dilutes the Hamming weight on the input to achieve collisionresistant properties from the intractability of bSVP [3]. Then, a randomized encoding technique [4] is applied to the function to achieve low output locality. Here, a randomized encoding of is a randomized mapping that generates an output distribution dependent only on .
Compared to previous works [10] in CANDAR 2020, this paper is the full version of the paper presented at CANDAR 2020. In our preliminary work [10], we have constructed a commitment scheme with output locality3. However, it does not include any security consideration. In this article, we reconstruct a commitment scheme with output locality3 based on the bSVP assumption and decisional bSVP assumption. We describe what we have achieved in this paper in the following:(i)Prove that the bSVP assumption can be reduced to the decisional bSVP assumption(ii)Prove that our commitment scheme satisfies the computational binding property based on the bSVP assumption and satisfies the computational hiding property based on the decisional bSVP assumption(iii)Compare our commitment scheme with other previous studies
Roadmap: the remainder of this paper is organized as follows. Section 2 summarizes the commitment scheme, the hash function, and the output locality. Section 3 describes the building blocks of our construction. Then, we present our commitment scheme in Section 4. In Section 5, we suggest the parameter of our commitment scheme. Finally, we conclude our work in Section 6.
2. Preliminaries
First, we summarize the notations used in this paper.(1): security parameter(2): message string(3): random string(4): commitment string(5): decommitment string(6): negligible function in (7): expand function(8): public parameters(9): probabilistic polynomialtime party(10): probabilistic polynomialtime party which executes in the decommitment phase(11): probabilistic polynomialtime party which executes in the commitment phase(12): output locality in the function(13): rejection symbol output by for invalid inputs(14): Hamming weight of (15): the ratio of “1”s in (16): the hash function we used in this paper(17): our proposed commitment scheme(18): set of natural numbers(19)(20): matrix sampler that generates a uniformly random matrix.(21) denotes the binary entropy function, where (22): a negligible function throughout this paper
Next, we define the commitment scheme, which is as follows [12].
Definition 1 (commitment scheme). A commitment scheme, , is a twophase protocol between two probabilistic polynomialtime parties and , which are called the sender and receiver, respectively.
During the first phase (commitment phase), commits string to a pair of keys by executing . Then, sends (commitment string) to .
During the second phase (decommitment phase), sends the keys (decommitment string) with to . Then, verifies whether the decommitment string is valid by executing . If invalid, outputs a special string, , meaning that rejects the decommitment of . Otherwise, can efficiently compute the string revealed by and verifies whether was indeed chosen by during the first phase.
In the following discussion, we provide the security notions of the commitment scheme .
Definition 2 (computational binding property; see [8]). We state that is computationally binding if it is computationally infeasible to generate a commitment string and two decommitment strings, , such that will compute a message from and a different message from . In detail, for every probabilistic polynomialtime adversary , the following occurs:where is a negligible function of . We then say that the commitment scheme is computationally binding.
Definition 3 (computational hiding property). A commitment scheme is computationally hiding if for every probabilistic polynomialtime party , it satisfieswhere is a public parameter generated randomly according to the commitment scheme and is a commitment string generated from and by for random sampled from an unknown distribution to .
The computational security of a commitment scheme in this study uses the following assumption.
Definition 4 (bSVP assumption; see [3]). For a weight parameter, , and an efficient sampler that samples binary matrices, the bSVP assumption asserts that, for every efficient algorithm , the probability is given byWe introduce a feature of the output locality. We start from the definition of a hash function. A hash function converts input bits of arbitrary length into compressed output bits of shorter lengths. We define the collision resistance of a hash function in Definition 5.
Definition 5 (collision resistance). We have an arbitrary probabilistic polynomial algorithm, , given a description of the hash function and length parameter as inputs. If the probability of that outputs satisfying is negligible, the function is a collisionresistant hash function.Next, we define the output locality.
Definition 6 (output locality). We say that the function has output locality if each of the output bits depends on at most input bits.
Finally, we define perfect randomized encoding (PRE). PRE is a technique that can make the output locality a constant.
Definition 7 (perfect randomized encoding; see [3]). Let be a function. We say that a function is a PRE of if there exist an efficient decoding algorithm and a randomized simulator that satisfy the following:(i)Perfect correctness: for every input and , holds(ii)Perfect privacy: for every , the distribution induced by a uniform choice of is identical to the distribution of (iii)Balanced simulation: the distribution induced by choosing is identical to the uniform distribution over (iv)Length preserving: the difference between the output length and the total input length of the encoding is equal to the difference between the output length and the input length of
3. Building Blocks
In this section, we first define an expanding function [3] in Section 3.1. The expanding function is created for the function to apply the bSVP assumption. We then show an example of PRE and how to make the output locality constant by using PRE in Section 3.2. We also show how to gain from encoded function , which is called perfect correctness in PRE.
3.1. Expand Function
We give one expanding function used in Theorem 4, where is a function of that dilutes the relative Hamming weight of the input bits. In order to satisfy the bSVP assumption, the relative Hamming weight of the outputs of has to satisfy .
Next, we will explain how the function expands the input bits. First, we divide bit blocks to bit blocks, in which each bit block has bits, as shown in Figure 1. We execute a function to each of the bit blocks, where expands bit blocks to bit blocks, shown in Algorithm 1. Then, every block of the output of is concatenated as an output of . The whole algorithm of is given in Algorithm 2. The feature of is given in Lemma 1.


Lemma 1 (expand function with low output locality; see [3]). For , let be the relative Hamming weight of . Set and for the natural numbers . Then, there exists an efficiently computable function such that (1) is injective, (2) for every , and (3) has output locality .
In this study, the hash function uses an expanding function defined in Lemma 1.
3.2. Construction of PRE
We give one construction of PRE for a given function in 1.
Construction 1 (see [1]). Let be a function . Then, we separate to functions as follows:where can be written by monomial . For , we define a function by1 satisfies PRE in Definition 7. Let where and . Then, can be encoded as the following equation:Equation (7) is an example of 1. Denote by adding all bits in over . Then, we can gain from by using as follows:It satisfies “perfect correctness” since . From the example of equation (7), the output locality of function can be reduced to a constant by using PRE. A quantitative evaluation of the output locality is given in Lemma 2.
Lemma 2 (see [1]). Let be a function. Then, let be given as in 1. In particular, if is a degree polynomial written as a sum of monomials, then is a PRE of with degree and output locality 1.
4. Proposed Commitment Scheme
In this section, we propose a commitment scheme which is constructed by using and . The hash function is PRE of . We define the decisional bSVP assumption and show that the bSVP assumption can be reduced to the decisional bSVP assumption. Furthermore, we show that our proposed commitment scheme satisfies the binding property and hiding property.
4.1. Difference between and the Commitment in [3]
In [3], Applebaum et al. showed how to construct a statistically hiding commitment scheme with output locality4 from their collisionresistant hash function under the bSVP assumption. Their commitment scheme executes a hash function based on a randomness extractor and an ordinary hash function with output locality4. As a result, two hash functions are required. Furthermore, the randomness extractor is the universal hash function family, so it requires additional random bits to choose a function from the function family. Here, additional bits correspond to the input of the hash function.
On the contrary, our commitment scheme has to only execute an ordinary hash function once. Compared with their commitment scheme, our scheme is more efficient. Furthermore, our commitment scheme achieves output locality3 by introducing the new notion of decisional bSVP assumption.
4.2. Decisional bSVP Assumption
We introduce a new notion of decisional bSVP assumption, which is a decisional version of the bSVP assumption defined in Definition 4.
Definition 8 (decisional bSVP assumption). For a weight parameter , a uniform distribution , and an efficient sampler that samples binary matrices, the decisional bSVP assumption asserts that, for any polynomial algorithm and for every where ,We show that the bSVP assumption can be reduced to the decisional bSVP assumption by referring to the methodology presented in Lemma 4.2 of [13], where Decision LWE is reduced to Search LWE.
Theorem 1. Let be a function, and define bSVP distribution on bit strings obtained by choosing and outputting . Assume that we have an access to a procedure which distinguishes the input sampled from the distribution of bSVP or sampled from a uniform distribution with nonnegligible probability. Then, there exists a polynomialtime algorithm such that given samples from bSVP distribution, can output with nonnegligible probability.
Proof. Let be a distinguisher which distinguishes an element sampled from the bSVP distribution or sampled from a uniform distribution . Then, we construct which finds of . We first show how finds which denotes the first coordinate of . The remaining coordinates can be recovered by the same way.
Given an input of , , where is selected from an bSVP distribution. The input of can be defined as follows. Let be denoted as and be denoted by the following equation:Then, can be written asFor randomly chosen and , compute a pairDenote the value obtained in equation (12) as . Now, sends to . If , then can be written as the following equation:Since equation (13) can be expressed in the form , can distinguish that equation (13) is contained in the bSVP distribution. Then, can distinguish that is in the bSVP distribution. In contrast, if , then will be expressed aswhich is clearly not a sample from the bSVP distribution. Then, can distinguish that is in the uniform distribution.
Finally, outputs if outputs bSVP distribution. On the contrary, outputs if outputs uniform distribution.
All other remaining coordinates in can be recovered in the same way. Therefore, can output by using with nonnegligible probability.
From the contraposition of Theorem 1, we can get Corollary 1.
Corollary 1. There is no polynomial algorithm that can break the decisional bSVP assumption under the hardness of the bSVP assumption.
4.3. Proposed Commitment Scheme
We analyze the hash function in Section 4.3.1 and show our commitment scheme in Section 4.3.2.
4.3.1. A Hash Function for the Commitment Scheme
We first explain a hash function [3], containing a matrix and an expand function , as shown in Algorithm 3.

Then, we show the hash function which is PRE of .
We consider the matrix as follows:for and . Also, we define the random number as where is taken over uniform in any . Furthermore, define as where is taken over in any . Note that we write the first coordinate of as . An algorithm of is shown in Algorithm 4. Note that a matrix is treated as a part of the description of the algorithm.

The hash function is PRE of since the construction of is as same as 1. Here, we only give a theorem about PRE of and .
Theorem 2. satisfies perfect correctness, perfect privacy, balanced simulation, and length preserving for .
We show the output locality of in Theorem 3.
Theorem 3. has 3 output localities.
Proof. Let us investigate the output locality of . From the structure of Algorithm 4, the maximum number of input bits on which the output bits depend is 3. Therefore, the output locality of is 3.
Next, let us discuss the collision resistance of . If a function satisfies the collision resistance, then its PRE also satisfies the collision resistance [1]. Applebaum et al. proved the collision resistance of . Therefore, the collision resistance of follows from [1]. The collision resistance of is described in Lemma 3.
Lemma 3 (collision resistance of ; see [3]). Let the hash function be a perfectly randomized encoding of . Then, has a collision resistance under the bSVP assumption.
4.3.2. Commitment Scheme
We show the commitment scheme based on , which consists of initialization, a commitment phase, and a decommitment phase. In this construction, we use the same matrix , but we can also refresh a matrix in a certain period, and the computational binding property and computational hiding property also hold using refreshed matrix . : Initialization: Before the commitment phase, both and share the following information:(i)Algorithm of (ii)Matrix (iii): security parameter Commitment phase by :(1)Choose a random number as the key of the hash functions(2)Choose a message string , and concatenate and as (3)Choose a random number which is used for PRE(4)Compute (5)Compute (6)Send as a commitment string Decommitment phase from to : executes the following:(1) sends and to as a decommitment string executes the following:(1)Compute from .(2)Compute .(3)Compute the commitment string and check whether . If this is satisfied, outputs . Otherwise, outputs .
Next, we prove the computational binding property and computational hiding property of . We first show the computational binding property.
Theorem 4. satisfies the computational binding property under the bSVP assumption.
Proof. We assume that there exists a probabilistic polynomialtime (PPT) adversary Adv that breaks the computational binding property of the commitment scheme . Then, Adv can derive the following equation, with nonnegligible function from Definition 2.From equation (17), , and another PPT adversary Adv’, we can lead the following equation:This shows that if PPT Adv can break the computational binding property, it can also break the collision resistance of from equation (18). However, we showed that has a collision resistance under the bSVP assumption in Lemma 3. Therefore, the commitment scheme satisfies the computational binding property under the bSVP assumption based on the contradiction.
Next, we will prove the computational hiding property of .
Theorem 5. satisfies the computational hiding property under the decisional bSVP assumption for a constant .
Proof. We assume that there exists a probabilistic polynomialtime adversary Adv that breaks the computational hiding property of . For some distinct , , , and some nonnegligible function , we can derive the following equation:Since the decoding procedure of PRE is a polynomialtime algorithm, there exists a polynomialtime adversary Adv′, which is a composition of the decoding procedure and Adv such thatBy the hybrid argument, for some ,Since is uniformly random over , for every , we have , and hence, for a constant with probability from the Chernoff bounds. This contradicts the decisional bSVP assumption.
4.4. Comparison
We compare our proposed commitment scheme with related works of [BDLOP18] and [KTX08] in Table 1. Both [BDLOP18] and [KTX08] are also based on latticebased functions and consist of “matrixvector multiplication” in the same way as us.
A commitment scheme [KTX08] can prove its hiding property statistically and its binding property by the SIS problem. However, it did not achieve constant output locality. A commitment scheme [BDLOP18] can prove its hiding property and binding property by DKS and SKS problems, respectively. Nevertheless, it also did not achieve constant output locality.
On the contrary, the commitment scheme [AHIKV17] has achieved output locality4 with its statistically hiding property and its binding property based on the bSVP assumption (bSVP). However, their commitment scheme was to execute hash functions twice with a randomness extractor. It was also difficult to construct a commitment scheme with output locality3 by using a randomness extractor.
Our commitment scheme satisfies output locality3 by proving its hiding property and binding property by the decisional bSVP assumption (DbSVP) and bSVP assumption (bSVP), respectively. Our commitment scheme only executes the hash function once and does not use a randomness extractor.
5. Parameter Suggestion for
This section suggests some parameter settings of under evaluation based on the short integer solution (SIS) problem in Definition 9.
Definition 9 (; see [11]). Given a prime , a positive number , and a matrix , the short integer solution problem is to find a nonzero vector such that and .
Let be a matrix in . Under the condition of , the bSVP can be reduced to a problem in the lattice spanned by vectors in , where and , namely, to solve our scheme is reduced to find a short vector in a lattice . Denote the norm of the shortest nonzero vector in and the second shortest vector independent with by and , respectively. We estimate parameters as follows:(1)Estimation of :(a).(b) by Gaussian heuristic, where the volume of lattice is and is the mathematical constant.(c)Denote by and because of the algebraic attack due to [3]. shows the ratio between input length and output length. Therefore, we can get a bound of and by according to the definition of and above.(2)Evaluate the asymptotic complexity to solve a SVP by using Alkim et al.’s estimate proposed in [15], and it had been experimentally verified in [16]. We heuristically set , , and . Then, we input the parameters of ; Alkim et al.’s estimate can evaluate the minimal which means the target block size used in the lattice reduction algorithm BKZ [17].Please refer to [18] for a lucid explanation of Alkim et al.’s estimate. We consider the scenario that one hashes 128 bit information, namely, we fix in the estimate.
Table 2 shows parameter suggestions of our scheme with respect to security levels of NIST AES128, AES192, and AES256, where is the required block size when using the BKZ algorithm to solve bSVP. The security levels of “AES128,” “AES192,” and “AES256” refer to three categories in the NIST PQC standardization project [19] in that the brute force attack on AES key search requires at least , , and classical computing gates, respectively.
6. Concluding Remarks
In this paper, we achieved the following:(i)We proposed a new output locality3 commitment scheme(ii)We proved that the bSVP assumption is reduced to the decisional bSVP assumption(iii)We proved that its computational binding property and computational hiding property are reduced to the bSVP assumption and decisional bSVP assumption, respectively(iv)We evaluated a secure parameter set against the short integer solution (SIS) problem
Generally, it is easy to build protocols based on the decisional bSVP assumption compared with the bSVP assumption. Therefore, our proof would shed light on the new construction of protocols whose security is based on the decisional bSVP assumption. Also, our method can be used with IoT devices with small CPUs since our method satisfies constant output locality and can be achieved in smaller CPUs. However, it is expected to achieve an output locality3 commitment scheme with statistical hiding, which is considered an open problem in this work.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this article.
Acknowledgments
This work was partially supported by enPiT (Education Network for Practical Information Technologies) at MEXT, JSPS KAKENHI (Grant no. JP21H03443) and Ovation Platform for Society 5.0 at MEXT. This work was also supported by JSPS KAKENHI (Grant no. JP21K11751), Japan, JSPS GrantinAid for Scientific Research (A) (nos. 16H01705 and 21H04879), (B) (no. 17H01695), and (C) (no. 21K11887), JSPS GrantinAid for Young Scientists (B) (no. 17K12640), and MEXT Quantum Leap Flagship Program (MEXT QLEAP) (Grant no. JPMXS0120319794).