New Commitment Schemes Based on Conjugacy Problems over Rubik’s Groups

: Commitment schemes are important tools in cryptography and used as building blocks in many cryptographic protocols. We propose two commitment schemes by using Rubik’s groups. Our proposals do not lay the security on the taken-for-granted hardness of the word problem over Rubik’s groups. Instead, our ﬁrst proposal is based on a symmetric encryption algorithm that is secure based on the hardness of the conjugacy search problem over Rubik’s groups, while our second proposal is based on the hardness of a newly derived problem—the functional towering conjugacy search problem over Rubik’s groups. The former is proved secure in the sense of both computational hiding and binding, while the latter is proved even secure in the sense of perfect hiding and computational binding. Furthermore, the proposed schemes have a remarkable performance advantage: a linear commitment/opening speed. We also evaluate the efﬁciency of the commitment schemes and show that they are considerably fast.


Introduction
The commitment scheme is one of the most important cryptographic primitives and has been widely used as an essential building block in many cryptographic protocols, such as the verifiable secret sharing scheme [1] and zero-knowledge protocols [2]. Meanwhile, the commitment scheme itself can be used in many privacy-preserving scenarios such as e-voting [3], e-auction [4], GIS-supported location services [5], etc. Over the last two decades, many commitment schemes have been developed. To the best of our knowledge, the security of almost all explicit constructions for commitment schemes is based on number-theoretic hardness assumptions, such as the IFP-based scheme due to Goldreich [6] and the DLP-based scheme due to Pedersen [1], which imposes heavy computational burdens. Recently, the Rubik's cube, as a mechanical puzzle game tool, has been used by researchers to construct many cryptographic schemes, such as Cayley hash functions [7], key agreement protocols [8], and encryption schemes [9]. However, some of them establish their security on a taken-for-granted hardness assumption: the recovery of a Rubik's cube with a random configuration. Today, computer programs can solve Rubik's cubes instantaneously, and even human champions can solve them within 20 steps under a 3 × 3 × 3 configuration. Therefore, designing new Rubik's cryptographic protocols by using falsifiable intractability assumptions is of interest.
This paper proposes two new fast commitment schemes that use Rubik's cube rotation operations. To the best of our knowledge, one of them is the first commitment scheme based on a symmetric encryption algorithm from a non-Abelian group. The other scheme can be regarded as a non-Abelian variant of the Pedersen commitment scheme, the security of which depends on the intractability assumption of the FT-CSP problem over the Rubik's group. Furthermore, we evaluate the efficiency of the schemes and show that they are more efficient than the Pedersen commitment scheme in terms of the computational cost.
The rest of the paper is organized as follows: in Section 2, we introduce necessary notations and preliminaries, including the relevant concepts of commitment scheme, Rubik's group, and intractability assumptions. In Section 3, we briefly review two building blocks: the encoding/decoding methods and the encryption/decryption algorithms. Two commitment schemes are presented in Section 4. Performance evaluations are provided in Section 5, and concluding remarks are given in Section 6.

Notations
We adopt the following notations from [10]. The notation y = A(x; r) indicates an algorithm A on input x, and randomness r outputs y. We use y ← A(x) to represent the process of picking randomness r at random and setting y = A(x; r) and write y ← S for sampling y uniformly at random from the set S. Without loss of generality, all algorithms in this paper take as input a security parameter λ (that is usually written in unary as 1 λ ), and sometimes we do not explicitly write λ, but we always need to assume that it is implicitly available, and the larger the λ, the more secure the cryptographic protocols. Finally, given two functions f , g :

Commitment Scheme
A commitment scheme is a two-party scheme between a committer and a receiver and runs in two phases: In the commitment phase, the committer computes a confidential commitment value c ← Com(s; r) and sends c to the receiver, where s is the corresponding plaintext commitment, and r is a random salt used for ensuring the freshness of the commitment; In the opening phase, the committer reveals (s; r), and the receiver verifies and accepts the commitment only if c = Com(s; r) holds. The commitment scheme is said to be consistent if for each run of the above two-phase commitment protocol, the committed value s is accepted (with overwhelming probability), assuming that both the committer and the receiver are honest. The commitment protocol requires the following two security properties: • Hiding (against an adversarial receiver). The receiver cannot learn any non-trivial information of s from c before the opening phrase. • Binding (against an adversarial committer). The committer cannot open another commitment value s 1 = s without being detected by the receiver, or equivalently, s is uniquely bound to c.
Furthermore, a commitment protocol is said to be perfect hiding (resp. perfect binding) if no adversarial receiver (resp. committer) can break the hiding (resp. binding) property, while it is said to be computational hiding (resp. computational binding) if no probabilistic polynomial-time (PPT for short) adversarial receiver (resp. committer) can break the hiding (resp. binding) property with non-negligible probability.

Rubik's Group and the Intractability Assumptions
Let us take a 3 × 3 × 3 Rubik's cube as an example. The Rubik's cube surface is divided into 54 small facets, numbered from 1 to 54, located on its six faces. All the possible configurations of a Rubik's cube comprise a group, denoted by R, with identity 1 that indicates an empty rotation or, equivalently, doing nothing. That is, one finite-generated representation of R is given by According to [9], we know that the cardinality of this group is approximated by 2 27 · 3 14 · 5 3 · 7 2 · 11 ≈ 4.3 × 10 19 . Apparently, R is a non-Abelian group, and thus, the following problems over R are non-trivial. Definition 1 (Conjugacy Decision Problem, CDP). Given a group G and two elements x, y ∈ G, decide whether x and y are conjugate to each other, denoted by x ∼ y, i.e., ∃z ∈ G such that x = y z z −1 yz. Definition 2 (Conjugator Search Problem, CSP). Given a group G and two elements x, y ∈ G with x ∼ y, find z ∈ G such that x = y z . Now, in this paper, we would like to propose the following problem: Definition 3 (Functional Towering Conjugacy Search Problem, FT-CSP). Given a group G, a function v : G → G, and three elements x, y, z ∈ G with y ∼ z, find u ∈ G such that z = (y v(u) ) x u , assuming such u ∈ G exists.

Remark 1 (Hardness of CDP and CSP).
Note that for any Abelian group G, all the above problems are trivial: we can answer all CDP instances with YES since every pair (x, y) ∈ G 2 is conjugated and answers all CSP instances with arbitrary z ∈ G, while any FT-CSP instance (x, y, z) ∈ G 3 with z = xy admits solutions for arbitrary u ∈ G. However, for non-Abelian groups, the above problems are non-trivial. In fact, in the generic group model, the CDP problem is unsolvable [11]. On the one hand, we know that for the permutation group, the CDP problem has no corresponding polynomial time method [12]. On the other hand, over the last few years, several cryptographic schemes based on the intractability assumption of the CSP problem and CDP problem over braid groups have been proposed [13,14]. Considering that the Rubik's group is a subgroup of the permutation group S 48 , which is in turn a subgroup of the braid group B 48 , this progress gives us the confidence to establish the security of our new encryption scheme on the intractability assumptions of the conjugacy problems, including the CDP problem and CSP problem, over the Rubik's groups.
Remark 2 (Hardness of FT-CSP). As for the FT-CSP problem, we have the following consideration: • Suppose the conjugator, denoted by c, of the pair (z, y) ∈ G 2 is unique. Then, we have cv(u) = x u . Now, one possible way that we can conceive is to pick u ∈ G at random and Suppose the conjugators of the pair (z, y) ∈ G 2 are not unique. Then, for each conjugator c j , we face a similar group equation c j v(u) = x u . That is, in both the above cases, solving an FT-CSP instance would be observably harder than solving a CSP instance.
Moreover, the hardness of FT-CSP might be tightly related to the choices of function v. Say, the simplest case is to set v(u) = 1 for ∀u ∈ G, then the FT-CSP problem is nothing but the socalled double conjugator search problem (DCSP) that aims to find u ∈ G so that z = u −1 xuyu −1 xu for given (x, y, z) ∈ G 3 . On the contrary, a much more complex case might be to set v : G → G as an unpredictable function, say a random oracle that in practice could be instantiated by a collisionresistant hash (CRH for short) function or a pseudo-random function (PRF for short). Then, for solving the FT-CSP problem, we face two obstacles simultaneously: solving the CSP problem, and guessing the output of v(u) in advance. Thus, in this case, the unpredictability of the function v suggests that the success probability for solving the given FT-CSP instance is negligible. Now, let us consider another trick, called after sampling, for defeating an FT-CSP solver S: if the function v : G → G is undetermined, say v is sampled from a CHF or PRF family but kept unrevealed to S in advance. Then, after S outputs their answer u ∈ G for a partially given FT-CSP instance (G, * , x, y, z), let us sample v at random and then check whether u is a correct solution towards the fully given FT-CSP instance (G, v, x, y, z). Clearly, before specifying v, it is totally undetermined whether S's answer is correct. Therefore, we conclude as follows: Claim 1. The FT-CSP problem, with the after-sampling trick on v, is intractable even for a solver with unbounded computational power.
This enhanced hardness would play the underlying security basis of our second proposal given later in this paper.
Remark 3 (Rubik's group vs. Braid group). As aforementioned, the Rubik's group R can be viewed as a special subgroup of the braid group B 48 . However, in this work, we use the term of rotating Rubik's cubes, instead of weaving braids, in describing our proposals, considering the following advantages of doing so:

•
Even secure encoding method. For cryptographic applications, the involved group elements should be represented in an unambiguous way, i.e., the so-called canonical form that can be viewed as an encoding method on group elements. For braid-based cryptographic applications, typical canonical forms reveal partial information of the word length of the involved braids, suffering from to the so-called length-based attacks [15]. As for the Rubik's cube given in Figure 1, no matter how many rotations are done, its canonical form is always a permutation in S 48 . Thus, each element in a Rubik's group admits a fixed-length canonical form, and this property makes the length-based attacks useless. • Even fast implementation. The typical implementation of Rubik-based cryptosystems can be finished approximately in microseconds [9], while the reported braid-based cryptosystems require milliseconds [16].

Reviewing of Building Blocks: Encoding and Encryption Using Rubik's Cubes
To proceed, let us review the encoding/decoding methods and encryption/decryption algorithms given in [9] (See Figure 2). They are the building blocks of our proposal given in the next section.

Encoding/Decoding over Rubik's Cubes
To commit messages by using the Rubik's cube, we need to introduce a method for encoding/decoding messages on a Rubik's cube, which is different from the traditional method of describing message letters directly on the Rubik's cube facets. The key idea of the encoding/decoding methods is to map two bits to four arrows with different directions as follows [9]: • Encode. Assume that each message is a 108-bit string and can be divided into 54 pairs. Then, each pair of bits can be translated to one of four arrows. For example, let 00, 01, 10, and 11 be translated to ↑, →, ↓ and ←, respectively. Next, the translated 54 arrows are assigned to the 54 facets one by one. Finally, the 54 facets are assigned to the six faces of Rubik's cube as if they were the original configuration. • Decode. The reverse process of encoding: given a configuration with 54 faces assigned with arrows, at first, each arrow is translated back to a 2-bit pair accordingly. Furthermore, then, output a 108-bit string by piecing together all these 2-bit pairs in the 54 facets one by one.
More formal descriptions on the encoding/decoding methods can be found in [9].

Encryption/Decryption over Rubik's Cubes
The first encryption scheme in [9] is used as a building block in our first construction of the commitment protocol. The scheme consists of the following four algorithms: In [9], the above encryption scheme is proved to be indistinguishable against chosen plaintext attack (IND-CPA for short), assuming that the CDP problem is intractable over the Rubik's group R.

Our Proposals: The Commitment Schemes Using Rubik's Cubes
Now, let us propose two commitment schemes, one of which is based on an enhanced version of the above symmetric encryption algorithm, and the other of which can be viewed as a non-Abelian analog of the Pedersen commitment scheme [1].

Commitment Scheme Based on the CDP Problem
Over a 3 × 3 × 3 Rubik's cube R, let M = {0, 1} 108 be the space of messages to commit to and a cryptographic hash function H : M × R → M. Then, the first commitment scheme, denoted by C 1 , involves the following two phases: • Commitment phase. The committer commits to a message s ∈ M as follows: -Choose a random rotation sequence r; - Compute h = H(s, r); -Randomly choose a secret key k, i.e., a random rotating sequence with the proper word length; -(s * , r) ← Encrypt k (s; r), i.e., encrypt s with secret key k and random rotation r; -(h * , r) ← Encrypt k (h; r), i.e., encrypt h with k and r; -Send the commitment value c = (s * , h * ) to the receiver. • Opening phase. To open a commitment c = (s * , h * ) to the receiver, the committer sends (k, r) to the receiver directly. Furthermore, upon receiving (k, r) sent by the committer, the receiver performs the following steps: Check whether h = H(s, r) holds: if not, reject the commitment and return ⊥; otherwise, accept the commitment and return s.
CONSISTENCY. Note that the commitment process consists of two encryption algorithms; thus, the commitment value c = (s * , h * ) is encoded in the two configurations (k · r · k) s and (k · r · k) h . The opening process consists of two decryption algorithms. Therefore, we obtain the confirmation as, respectively, (k · r · k) s · (k · r · k) s = 1 (k · r · k) h · (k · r · k) h = 1 which are just the original configurations for encoding message s and hash value h during the commitment process. SECURITY. Our proposal is based on an enhanced version of the aforementioned probabilistic encryption algorithm. Note that the commitment process is nothing but two encryption processes, the security of which are based on the intractable assumption of the CDP problem over the Rubik's group, and that the commitment value c = (s * , h * ) is two ciphertext components in (s * , r) and (h * , r) where another ciphertext component r is a public random. The receiver would like to learn any non-trivial information of s from c before the opening phrase; then, the receiver has to operate a decryption process. Therefore, to break the hiding property of the commitment is nothing but solving the CDP problem that is kept unrevealed to the receiver. Thus, no receiver can learn information from the commitment about the message s. This suggests that the above commitment scheme C 1 is computational hiding.
Now, let us consider the binding property. Suppose that an adversarial committer A wants to open a commitment Com(s; r) with another value, say Com(s 1 ; r 1 ), without being detected. That is, Com(s, r) = c = Com(s 1 , r 1 ) and (s, r) = (s 1 , r 1 ).
Or equivalently, (c s , r) ← Encrypt k (s; r), where c = (c s , c h ). According to Theorem 3 in [9], if the committer A extracts a valid message s from the ciphertext c or the commitment c, then the committer can solve the CDP problem over the Rubik's group that is kept unrevealed to the committer. Therefore, the commitment scheme C 1 is computational binding.

Commitment Scheme Based on the FT-CSP Problem
Since the rotation sequence is composed of 12 basic operations {U, L, F, R, D, B, U , L , F , R , D , B } and is well-known to be suitable for the transformation between binary and 12-adic numbers, a bit string message can be converted into a rotation sequence accordingly. Now, for a 3 × 3 × 3 Rubik's cube R, let g, h ∈ R be two random public rotation sequences. Let M = {0, 1} 108 be the space of messages to be committed. Then, our second commitment scheme, denoted by C 2 , involves the following two phases: • Commitment phase.The committer commits to a message s ∈ M as follows: (1) Encode the message s to the 54 facets of the Rubik's cube; (2) Convert s into a rotation sequence t; (3) Choose a random rotation sequence r; (4) Perform the rotation t g tr hrt gt; (5) Decode the arrows on the 54 facets of the Rubik's cube to a 108-bit string c; (6) Send commitment value c to the receiver.
• Opening phase. To open a commitment c ∈ M to the receiver, the committer sends (s, r) to the receiver directly. Furthermore, upon receiving (s, r) sent by the committer, the receiver performs the following steps: (1)∼(4) Same as (1)∼(4) in the commitment phase; (5) Decode the arrows on the 54 facets of the Rubik's cube to a 108-bit string c * ; (6) Check whether c = c * holds: if not, reject the commitment and return ⊥; otherwise, accept the commitment and return s.
CONSISTENCY. The consistency of the commitment protocol is straightforward, since the main body of the opening phase is nothing but a repeat of the corresponding steps of the commitment phase.
SECURITY. The key point is that the rotation sequence specified in step (4) is nothing but a functional towering conjugate action z = (h r ) g t . For mapping this action to an FT-CSP instance, we need to regard g, h, t as x, y, u, respectively, where r, picked at random, could be looked at as r = v(u), i.e., a one-time output of a PRF function v that is independent of u. Therefore, breaking the hiding property of the commitment is nothing but solving the FT-CSP instance (R, v, g, h, z) where v : R → R is a PRF function that is kept unrevealed to the receiver. This suggests that the above commitment scheme C 2 is perfect hiding according to Claim 1.
Now, let us consider the binding property. Suppose an adversarial committer A wants to open a commitment Com(s; r) with another value, say Com(s 1 ; r 1 ), without being detected. That is, Com(s, r) = c = Com(s 1 , r 1 ) and (s, r) = (s 1 , r 1 ).
Or equivalently, (h r ) g t = z = (h r 1 ) g t 1 and (t, r) = (t 1 , r 1 ) where t 1 should be a valid encoding of s 1 . Unlike the adversarial receiver who faces an FT-CSP instance with the after-sampling trick on v, the committer A has the freedom to choose t, t 1 , r, r 1 . To proceed, let us consider the following four cases: (1) Given t, r, t 1 , finding r 1 is to solve the CSP instance (R, x, y) with the setting x = ((h r ) g t ) g t 1 and y = h. (2) Given t, r, r 1 , finding t 1 is to solve the FT-CSP instance (R, v, x, y, z) with the setting x = g, y = h, z = (h r ) g t and v(u) = r for ∀u ∈ R. (3) Given t 1 , r 1 , t, finding r is similar to case (1). (4) Given t 1 , r 1 , r, finding t is similar to case (2).
At this point, we can safely conclude that the commitment protocol C 2 is computational binding, assuming that the FT-CSP problem over the Rubik's group R is intractable.

Performance Evaluation
Let us proceed to evaluate the performance of our proposal based on the asymptotic complexity and the running time.
The asymptotic performance with respect to the system security parameter λ is summarized in Table 1. Our commitment scheme C 1 is based on the symmetric encryption algorithms from the Rubik's group, which have linear encryption/decryption speeds. Regarding the commitment scheme C 2 , we note that the commitment value is the result of performing a series of rotations t g tr hrt gt. Therefore, our proposals have a remarkable performance advantage: a linear commitment/opening speed.
According to [9], we find that the average running time for each basic rotation is approximately 0.015 microseconds (or equivalently, 15 nanoseconds). Thus, with the suggested parameter settings, i.e., = 28 to ensure 100-bit entropy in the involved random rotations, the main workload of commitment/opening of our commitment scheme C 1 (resp.C 2 ) can be completed within 2.52 (resp. 3.78) microseconds.
Recalling the Pedersen commitment scheme based on the discrete logarithm problem over the finite field F q , we find that the best computational complexities of the commitment/opening phases are O(log 2 q log log q), where q is the length of the modulus. Therefore, our two commitment schemes are considerably fast.

Conclusions
We propose new commitment schemes that achieve secure computational/perfect hiding and computational binding assuming the difficulty of the CDP problem or the FT-CSP problem over Rubik's group, respectively. To the best of our knowledge, one of them is the first commitment scheme based on the symmetric encryption algorithm over a Rubik's group. The other is regarded as a non-Abelian variant of the Pedersen commitment scheme. Furthermore, we evaluate the efficiency of the schemes. Our proposals are highly efficient in terms of the computational cost and have a linear commitment/opening speed.