Information-Theoretically Secure String Commitments Based on Packet Reordering Channels

Realizing fundamental cryptographic primitives with unconditional security is a central topic in information-theoretic cryptography. These primitives can be realized based on physical assumptions, such as the existence of noisy channels, an upper bound on the storage capacity, or the laws of quantum mechanics. Palmieri and Pereira [1] demonstrated that delays in communication channels can be used as a reasonable and effective assumption to obtain an unconditionally secure oblivious transfer protocol against honest-but-curious adversaries. While any oblivious transfer protocol secure against malicious adversaries can be used to implement commitment, the reduction does not work if the oblivious transfer protocol is only secure against honest-but-curious adversaries. Thus, the question of obtaining a secure commitment protocol based on channel delays is still open. In this paper, we provide a concrete protocol for implementing string commitments based on packet reordering – a consequence of channel delays in packet networks.

A commitment scheme consists of two phases, commit and reveal, performed by two parties, a sender (or committer) and a receiver. We will denote these parties henceforth by Alice and Bob, respectively. In the commit phase, Alice commits to a value v and sends evidence of her commitment to Bob. This evidence should unveil no information to Bob about the original value v. This is the security guarantee for Alice, also known as hiding. In the reveal phase, Alice sends some extra information to Bob, such that he can determine the value that was concealed by the commitment. In order to prevent Alice's malicious behavior, Bob may accept or reject the disclosed value after verifying its consistency with the evidence that was previously received. The protocol should guarantee that Alice is not able to reveal two different values, v and v′, successfully. This is the security guarantee for Bob, also known as binding. Commitment schemes are the digital equivalent of a sealed envelope. Alice puts the value v inside the envelope in the commit phase. If the protocol is hiding, Bob should not be able to read the value before the opening phase. During the opening phase, Alice should be able to open at most one value (the binding property).

A. RELATED WORK
Computational and unconditional security are two security notions usually considered in cryptography. Computational security makes use of unproven intractability assumptions on the hardness of certain computational problems and imposes an upper bound on the computing power available to an adversary in order to guarantee the security. Unconditional (or information-theoretic) security, on the other hand, neither requires computational intractability assumptions nor imposes any bounds on the adversary's computing power, whether in processing time, memory space, or technology available. In many scenarios, particularly when long term secrecy is required, it is desirable to achieve unconditional security.
Secure commitment schemes are known to be impossible to achieve from scratch: as a consequence of the so-called symmetry condition on what the parties know about each other's data [8], assumptions are needed to obtain a secure commitment scheme. According to this condition, after the realization of a two-party protocol over a noiseless channel and without further assumptions, Alice is able to determine exactly what Bob knows about her input, and vice-versa. Such impossibility result is known to hold even when the parties have access to a quantum channel [9] and [10]. A common assumption used to overcome the symmetry condition (while achieving unconditional security) is the existence of noisy channels.
The seminal work of Wyner [11] demonstrated that noisy channels can be useful for cryptographic purposes by showing that these channels can be used as a resource for obtaining secret key agreement. Numerous subsequent works extended this line of research to cover other types of noisy channels, protocols and applications. Crépeau and Kilian [12] proposed the first commitment and oblivious transfer protocols based on noisy channels. Crépeau [13] proposed an efficient unconditionally secure bit commitment protocol based on a binary symmetric channel. Since then, other physical assumptions have been used to obtain unconditionally secure commitment schemes, such as bounded storage capacity [14]- [16], the existence of tamper-proof hardware tokens [17]- [19], nonsignaling correlations [20] and the impossibility of superluminal communications [21]. The universal composability of statistically secure protocols based on noisy channels has been investigated [22]- [24].
Winter, Nascimento and Imai [8] introduced the concept of commitment capacity. They characterised the optimal rate at which a discrete memoryless channel can be used for obtaining commitment, calculated as the maximum equivocation of the channel after removing trivial redundancy (even when unlimited authenticated bidirectional noiseless side communication is allowed). Nascimento et al. [25] proved that the commitment capacity of a Gaussian channel is infinite. Crépeau et al. obtained the commitment capacity of unfair noisy channels [26]. Several papers also studied the related notions of secrecy key capacity (e.g., [11], [27]- [35]) and of oblivious transfer capacity (e.g., [36]- [40]).
Palmieri and Pereira [41] proposed a new channel, the Binary Discrete-time Delaying Channel (BDDC), and used it to obtain an oblivious transfer protocol that is unconditionally secure against honest-but-curious adversaries (this kind of adversary tries to obtain unauthorized information, but strictly follows the protocol instructions; while a malicious adversary, on the other hand, can cheat in an arbitrary way). Later, Palmieri and Pereira [42] demonstrated the practicality of their assumption by providing an implementation of an oblivious transfer protocol based on IP networks. They also claimed [1] that a BDDC is related to a Packet Reordering Noisy Channel (PRNC). In this work, we build a new scheme motivated by the model proposed in [1] and show that the existence of a transmission reordering effect in communication channels can also be leveraged to break the symmetry condition and obtain unconditionally secure commitment schemes.
The permutation concept behind the PRNC model is a powerful tool for constructing cryptographic protocols and has been similarly used in the controlled order rearrangement technique in Quantum Key Distribution (QKD) [43] and Quantum Secure Direct Communication (QSDC) [44]. We notice that the channel performs the permutation of the packets in the PRNC model, but the players perform the permutation of the particles in the quantum protocols.
It is known that oblivious transfer protocols secure against malicious adversaries imply secure commitment schemes [45]. However, this result does not hold in the case of oblivious transfer protocols secure solely against honest-but-curious adversaries. Therefore, the known oblivious transfer protocols cannot be used to directly argue that commitment is possible based on the assumption that time-delaying channels exist. Moreover, Palmieri and Pereira [42] argue that their result can be reduced via black-box combiners and/or compilers to a malicious adversarial security model, based on results of Haitner [46] and Ishai et al. [47]. However, these results make use of a commitment primitive that has so far been neither defined nor proposed for this specific model/channel. Finally, direct constructions of commitment schemes are often much more efficient than protocols derived from oblivious transfer.

B. OUR CONTRIBUTIONS
In this work we propose a novel protocol that implements a commitment scheme based on a packet reordering noisy channel. Our scheme has attractive features:
• It is unconditionally binding and hiding and, consequently, does not rely on any unproven intractability assumption;
• It is the first commitment scheme based on the reordering effect;
• It is a direct construction that does not use oblivious transfer as a building block;
• It introduces a new formal definition of reordering noisy channels. This definition captures the behavior of packet networks and makes it easy to compute entropic measures and conditional probabilities associated with the channel.

C. ORGANIZATION
Section II briefly reviews some information-theoretic measures and results that are used in this work. In Section III, we introduce the new definition of a packet reordering noisy channel. Section IV formally defines the security model that we consider. In Section V, we present our protocol. Finally, we prove the correctness and the security of the proposed protocol in Section VI.

A. NOTATION
We use calligraphic letters $\mathcal{X}, \mathcal{Y}, \ldots$ to denote the domain of random variables, upper case letters $X, Y, \ldots$ to denote random variables, lower case letters $x, y, \ldots$ to denote realizations of random variables, and bold upper case letters $\mathbf{X}, \mathbf{Y}, \ldots$ to denote sets. The cardinality of a set $\mathbf{X}$ is denoted by $|\mathbf{X}|$. We use the notation $x \leftarrow X$ to denote a realization $x$ of the random variable $X$. We also use the notation $x \in_R \mathbf{X}$ to denote sampling an element $x$ uniformly from a set $\mathbf{X}$. We write $U_r$ for a random variable uniformly distributed over $\{0, 1\}^r$. Except where stated otherwise, we work with discrete random variables. For a random variable $X$ over the arbitrary alphabet $\mathcal{X}$, we denote its probability mass function by $P_X : \mathcal{X} \to [0, 1]$ with $\sum_{x \in \mathcal{X}} P_X(x) = 1$. For a joint probability mass function $P_{XY} : \mathcal{X} \times \mathcal{Y} \to [0, 1]$, let $P_X(x) := \sum_{y \in \mathcal{Y}} P_{XY}(x, y)$ denote the marginal probability mass function and let $P_{X|Y}(x|y) := P_{XY}(x, y)/P_Y(y)$ denote the conditional probability mass function when $P_Y(y) \neq 0$. The statistical distance between two probability distributions $P_X$ and $P_Y$ over the same domain $\mathcal{V}$ is given by

B. ENTROPY AND EXTRACTORS
The logarithms used in this paper are taken to the base 2 unless stated otherwise. The entropy of a random variable $X$ is denoted by $H(X)$, the entropy of a random variable $X$ conditioned on a random variable $Y$ by $H(X|Y)$, and the joint entropy of two random variables $X$ and $Y$ by $H(X; Y)$. We denote the binary entropy function by $H_b(\cdot)$. For random variables $X \in \mathcal{X}$ and $Y \in \mathcal{Y}$ with finite alphabets, the min-entropy and its conditional version are defined as and the max-entropy and its conditional version as
Strong extractors are algorithms that can extract nearly uniform bits from a source of correlated and biased bits, using as input a short seed of uniformly distributed bits:
Definition 1 (Strong Extractor [48]). A probabilistic polynomial time function $\mathrm{Ext} : \{0, 1\}^u \times \{0, 1\}^r \to \{0, 1\}^k$ which uses $r$ bits of randomness is an efficient (u, m, k, )strong extractor if for all probability distributions $P_X$ over $\{0, 1\}^u$ with $H_\infty(X) \geq m$, and for random variables $R$ and $K$ independently and uniformly distributed in $\{0, 1\}^r$ and $\{0, 1\}^k$, respectively, it holds that $SD(P_{\mathrm{Ext}(X,R),R} ; P_{K,R}) \leq$ .
In this work we use a hash function from a family of universal hash functions as a strong extractor. A family of universal hash functions [49] is defined as follows:
Definition 2 (Universal Hash Function [49]). A family $\mathcal{G}$ of hash functions $g : \mathcal{X} \to \mathcal{Y}$ is 2-universal if, for any distinct $x_1, x_2 \in \mathcal{X}$, the probability that $g(x_1) = g(x_2)$ is at most $|\mathcal{Y}|^{-1}$ when $g$ is chosen uniformly at random from $\mathcal{G}$.
We also use the following lemma by Cachin et al. [56]. It bounds the remaining uncertainty on a random variable X given that a realization of an arbitrary random variable Z is known.

Lemma 2 ([56]). Let $X$ be a random variable with alphabet $\mathcal{X}$, let $Z$ be an arbitrary random variable defined over $\mathcal{Z}$ and let $s > 0$. Then, with probability at least $1 - 2^{-s}$, $Z$ takes on a value $z$ for which

III. PACKET REORDERING NOISY CHANNELS -A NEW DEFINITION
This work considers a noisy channel that models the packet reordering effect that is so common on the Internet nowadays. The Packet Reordering Noisy Channel (PRNC), as we denote it, models the effect of packet forwarding in high-speed, complex networks, which causes delays and, consequently, permutations in the order that the packets are received [57]. This packet reordering happens due to a number of factors, such as the physical distance between the nodes, number of intermediate hops in the network, transmission medium quality, speed of point-to-point links, traffic and congestion level on the network, multipath routing, route fluttering, packet size, inter-packet spacing and retransmissions.
Palmieri and Pereira [41] proposed the first cryptographic protocol based on the effects of packet forwarding in a network, but they focused on the delays that the packets suffer. They defined the Binary Discrete-time Delaying Channel (BDDC) that captures the probability that a packet is delayed by a given discrete amount of time. In their model, each packet admitted into the channel at input time $t_i \in T$ is output once by the channel, with probability of being output at time $u_j \in U$ given by $P(u_j) = p_{j-i} - p_{j-i+1}$.
Delay channels and reordering channels are related but distinct as the different delays of the packets might or might not be enough to cause a reordering of the packets. We argue that for practical purposes reordering channels are a more natural choice than delay channels as the reordering effect is easier to quantify and measure in the Internet than the delay. Our definition of PRNC is based solely on the probability of the channel outputting a permutation of packets given an arbitrary sequence of packets as input. This definition captures the behavior of packet networks and makes it easy to compute entropic measures associated with the channel.
Before presenting a formal definition, we will try to give an intuition behind the behavior of our proposed channel. We model the collective behavior of routers, communication delays and multiple routes by a black box channel containing an input queue and an output queue. The sender transmits an arbitrarily ordered sequence of n distinct packets through the packet reordering noisy channel, modeled by the random variable X n , and the channel outputs to the receiver a permuted version of the original sequence, modeled by Y n .
To do so, the channel receives the sequence of n packets sent by Alice, forming an input queue x n = [x 1 , x 2 , . . . , x n ]. The channel then generates the output permutation moving packets from the input to the output queue -packet reordering potentially happening in the process.
The packet x 1 is placed directly in the output queue without permutation with probability 1. Each one of the packets x i , with i ∈ [2, n], in the input queue is either placed just behind all the other packets already moved to the output queue, from x 1 to x i−1 (and no permutation happens), or may perform pairwise adjacent data packet transpositions (swaps) with them, landing in one of the possible i − 1 positions.
Let each K i , for all i ∈ [1, n], be the random variable that represents the amount of swaps performed by each packet x i when moved by the channel from the input to the output queue, where 0 ≤ K i ≤ i − 1. Notice that the random variables {K 1 , . . . , K n } are independent but not identically distributed.
In more detail, if the packet x i is placed in the output queue behind all others, then K i = 0 and x i becomes the last packet in the output queue. If the packet x i swaps with the last packet already in the queue, then K i = 1 and x i becomes the second to last packet in the output queue at that point. If it swaps with the last two packets already in the output queue, then K i = 2 and x i becomes the third from last packet in the output queue, and so on.
The procedure above is repeated by the channel until every packet is moved from the input to the output queue. Finally, the permutation formed in the output queue is represented by y n = [y 1 , y 2 , . . . , y n ], where for some bijective mapping f , which is the random variable representing the total amount of pairwise adjacent transpositions performed by the channel to generate the output permutation. Such distance is known as the Kendall tau distance.

Definition 3 (Kendall tau distance). Let x n be a sequence of n distinct elements and y n be a sequence obtained by a permutation of the elements of x n . The Kendall tau distance K(x n , y n ) between x n and y n is defined as the minimum number of transpositions of pairwise adjacent elements that are necessary to change x n into y n .
For any such sequences x n and y n of n elements, the Kendall tau distance between them is at least 0 and at most
For a given sequence x n , the Mahonian number M (n, k) represents the number of permutations y n such that K(x n , y n ) = k. The Mahonian triangle is defined as follows:
In the Mahonian triangle, the sum of the elements of the n-th row is n!. There is no simple, general formula for the terms, particularly when k > n. Janjić [58] presented a complex closed form. Now, let S i (ρ) denote the geometric series
The probability mass function of each random variable K i will be defined using a constant parameter 0 < ρ < 1 that characterizes the channel. In practice, it is observed that the probability Pr[K i = k i ] decreases exponentially with the number k i of pairwise adjacent transpositions performed when a new packet is inserted in the output queue. Normalizing to get a probability mass function, we set
The conditional probability of the channel outputting Y n given the input X n is just the intersection of the probabilities of each packet x i being reordered, thus Pr[Y n = y n |X n = . . , n} is the number of pairwise adjacent transpositions that happened when x i was moved from the input to the output queue and [y 1 , . . . , y n ] is the final output. Since the random variables K i are independent, we can further develop this conditional probability as follows:
where k is a realization of the random variable K(X n , Y n ). We will henceforth use the shorthand σ n (ρ) for denoting
where the penultimate equation follows from the well-known generating function for the numbers M (n, k) [59] and the last equation from the fact that for a fixed n, the numbers M (n, k) are non-zero only for 0 ≤ k ≤ N.
We define the Packet Reordering Noisy Channel as follows: Definition 4 (Packet Reordering Noisy Channel). Let 0 < ρ < 1 be a fixed parameter of the channel. The Packet Reordering Noisy Channel (PRNC) takes as input a sequence x n = (x 1 , x 2 , . . . , x n ) of n distinct data packets distributed according to a random variable X n = {X 1 , X 2 , . . . , X n } with arbitrary probability distribution and where the data packets have domain X i = {0, 1} . It outputs a sequence y n = (y 1 , y 2 , . . . , y n ) such that there exists a bijective function f : {1, . . . n} → {1, . . . n} with x i = y f (i) for all i ∈ {1, . . . n}, and the conditional probability mass function of Y n is given by

IV. SECURITY MODEL
A commitment scheme based on a packet reordering noisy channel consists of two phases: the Commit and Reveal phases. In the Commit phase packets x n are transmitted from Alice to Bob through the packet reordering noisy channel, who gets y n . Alice and Bob can also exchange messages through an authenticated bidirectional noiseless channel. We will denote all messages exchanged by t. At the end of this phase, Alice should be committed to a value v. If the Reveal phase takes place, Alice sends x n and v to Bob. After receiving the disclosed information, he performs a test using the variables {x n , y n , t, v} and accepts or rejects the value v based on this test. Let X n , Y n , T , V be the random variables corresponding to the respective values described above. We assume that V is a uniformly random bit-string of length m. Moreover, let View A and View B be random variables representing all the values (and randomness) known by Alice and Bob, respectively, at the end of the Commit phase. Let R be a uniformly random bit-string of length m that is independent from the parties' views. Let Test : {0, 1} n· ×{0, 1} n· ×T × {0, 1} m → {ACC, REJ} be a public test function used by Bob to verify the validity of the value that Alice tries to open in the Reveal phase. The security of a commitment scheme is defined as follows.
Definition 5. A commitment scheme based on a PRNC is (ϕ, κ, θ)-secure if, and only if, the following conditions are satisfied:
• ϕ-Correctness: If Alice and Bob are honest, then any value v ∈ {0, 1} m committed to and then revealed by Alice will be accepted with probability
• κ-Concealing: If Alice is honest, then the amount of information about v leaked to Bob in the Commit phase is bounded:
• θ-Binding: If Bob is honest, then for any v, v′ ∈ {0, 1} m such that v ≠ v′, and for any strategy of (a potentially malicious) Alice for choosing X n that is sent through the PRNC during the Commit phase, and any random variables X n , X n that Alice potentially presents during the Reveal phase, we have that:
The probabilities are taken over the private randomness of Alice and Bob, and the channel. A commitment scheme is said to be unconditionally secure when ϕ, κ and θ are negligible functions of n and s, security parameters previously agreed upon by both parties.
Note that our definition of security implicitly assumes that the committed value is uniformly distributed. While this assumption simplifies our definitions and security proofs, it does not affect the generality of our results, since random commitments can always be transformed into commitments to a specific value [60].

V. PROTOCOL
In this section, we present our commitment protocol. The parties have access to a PRNC with parameters ρ and n. The constant 0 < ε < 1 and the length ≥ log(n) are parameters of the protocol. Our protocol works for PRNCs that have a parameter ρ such that 0 ≤ ρ ≤ 1/(5 + 8ε). Let G be a family of 2-universal hash functions g : {0, 1} n → {0, 1} m and F be another family of 2-universal hash functions f :
COMMIT PHASE:
C.1. Alice creates a sequence of n distinct binary strings (data packets), each one with a fixed length . We define the random variable X n as: The data packets X i 's are chosen uniformly at random conditioned on being distinct, and are used both as content and identifier. We denote by x n ← X n a realization of X n : Alice sends x n to Bob through the PRNC.
R.2. Bob executes the Test function, which performs the following checks: (ii) If y n consists of a permutation of the data packets in x n and if
R.3. If all checks are satisfied, then return ACC; otherwise, return REJ.

VI. SECURITY
We prove the unconditional security of the scheme by showing that it is (ϕ, κ, θ)-secure for ϕ, κ, and θ that are negligible in the security parameters.

A. CORRECTNESS
When the players are honest, the protocol fails if, and only if, the Kendall tau distance between the random variables X n and Y n falls outside the range around the expected distance.
To prove the correctness of the protocol, we show that this case occurs only with negligible probability in the security parameter n.
Adopting the shorthand K for K(X n , Y n ), we have that These tail probabilities can be bounded using Chernoff inequalities. Let which goes to 1 when n → ∞. It holds that The computation of these inequalities is presented in Appendix A. Then, For all $x \geq 0$ it holds that $\frac{x^2}{2} \geq x - \ln(1 + x)$ and thus Therefore we get that Finally, for honest Alice and Bob, The protocol fails with probability at most ϕ = 2 exp [−(n − 1)(ερβ − ln (1 + ερ))], which is negligible in n.
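The channel model of Section III and the distance check used in the correctness argument above, as an added example that is not code from the paper. It assumes Pr[K_i = k] = ρ^k / S_i(ρ) with S_i(ρ) = 1 + ρ + … + ρ^(i−1) and σ_n(ρ) = ∏ S_i(ρ), reconstructed from the surrounding text because the formulas are missing here; all function names, the 32-bit packets and the sample parameters are hypothetical.

```python
import bisect
import itertools
import random
from math import prod


def sample_swaps(i, rho, rng):
    """Draw K_i, assuming Pr[K_i = k] = rho^k / S_i(rho) for 0 <= k <= i-1."""
    while True:
        k = 0
        while rng.random() < rho:   # geometric draw: weight proportional to rho^k
            k += 1
        if k < i:                   # reject values beyond the i-1 available slots
            return k


def prnc_transmit(packets, rho, rng):
    """Move packets from the input queue to the output queue one at a time.

    Packet i performs k_i adjacent swaps, so it lands k_i places from the end.
    Returns the output queue and the per-packet swap counts.
    """
    out, swaps = [], []
    for i, pkt in enumerate(packets, start=1):
        k = sample_swaps(i, rho, rng)
        out.insert(len(out) - k, pkt)
        swaps.append(k)
    return out, swaps


def kendall_tau(x, y):
    """Minimum number of adjacent transpositions turning x into y (inversion count)."""
    pos = {pkt: j for j, pkt in enumerate(y)}
    seen, inversions = [], 0
    for pkt in x:
        r = pos[pkt]
        # earlier packets of x that sit behind this one in y
        inversions += len(seen) - bisect.bisect_right(seen, r)
        bisect.insort(seen, r)
    return inversions


def mahonian_row(n):
    """Row n of the Mahonian triangle: entry k counts permutations at distance k."""
    row = [1]
    for i in range(2, n + 1):
        new = [0] * (len(row) + i - 1)
        for k, count in enumerate(row):
            for j in range(i):       # the i-th element adds 0..i-1 inversions
                new[k + j] += count
        row = new
    return row


def sigma(n, rho):
    """Assumed normaliser sigma_n(rho) = prod_i S_i(rho)."""
    return prod(sum(rho ** j for j in range(i)) for i in range(1, n + 1))


def output_pmf_total(n, rho):
    """Sum of rho^K(x,y) / sigma_n(rho) over every permutation y; should be 1."""
    x = list(range(n))
    weights = (rho ** kendall_tau(x, list(y)) for y in itertools.permutations(x))
    return sum(weights) / sigma(n, rho)


def expected_distance(n, rho):
    """E[K] = sum_i E[K_i] under the assumed truncated-geometric pmf."""
    num = den = total = 0.0
    for i in range(1, n + 1):
        num += (i - 1) * rho ** (i - 1)
        den += rho ** (i - 1)
        total += num / den
    return total


def distance_check(x_announced, y, rho, eps):
    """Accept only if |K(x, y) - E[K]| < eps * E[K]."""
    ek = expected_distance(len(y), rho)
    return abs(kendall_tau(x_announced, y) - ek) < eps * ek


def honest_acceptance_rate(n, rho, eps, trials, seed):
    """Fraction of honest runs in which the announced x passes the distance check."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        x = rng.sample(range(1 << 32), n)      # constructed distinct 32-bit packets
        y, _ = prnc_transmit(x, rho, rng)
        accepted += distance_check(x, y, rho, eps)
    return accepted / trials


if __name__ == "__main__":
    rho, eps = 0.1, 0.25                       # satisfies rho <= 1/(5 + 8*eps)
    print("M(4, k):", mahonian_row(4))
    print("pmf total, n=5:", output_pmf_total(5, rho))
    print("honest acceptance:", honest_acceptance_rate(2000, rho, eps, 20, seed=1))
```

The Kendall tau distance of the channel output always equals the sum of the per-packet swap counts, which is why the output probability depends on the permutation only through K(x n , y n ).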

B. BINDING CONDITION
When Bob is honest, Alice should not be able to successfully open two different commitments v and v′. Let x n be the sequence of data packets that Alice sends through the noisy channel and y n the permutation received by Bob. In our protocol, Bob can detect Alice's malicious behavior due to his knowledge of characteristics of the channel (the noisy parameter ρ) and the hash value f (·) received from Alice. A malicious Alice can open two distinct commitment values only if she can find distinct permutations x n = x n of the data packets (possibly one of them is equal to x n ) such that We show that the probability of such permutations existing is negligible in the security parameters. There are two steps to be proved. In the first step, we show that for any permutation x n with K(x n , x n ) > τ (for a certain threshold value τ to be determined later), we have that |K(x n , y n ) − E[K]| ≥ εE[K] with overwhelming probability. Next, we show that the probability that there exist permutations x n = x n such that is negligible. In the remainder of this proof, we assume that K(x n , y n ) − E[K] < εE [K], which happens with probability at least 1 − ϕ, for ϕ negligible in the security parameter n, as demonstrated in the previous subsection.
The probability of a malicious Alice being detected depends on the distance between x n (the sequence announced to Bob during the opening phase) and y n (the actual permutation Bob receives from the channel). This distance depends on the swaps performed by the channel to map x n (the sequence originally sent down the channel by Alice) into y n and the swaps performed by Alice to map x n into x n . We observe that there exists a threshold τ for the swaps that Alice introduces such that Bob can detect them. The check performed by Bob in step R.2 (ii) fails when Some of the swaps introduced by Alice will increase the distance between x n and y n . However, it is possible that Alice chooses to introduce swaps that will reduce the distance between x n and y n . That happens when Alice and the channel swap the same pair of adjacent data packets. We call this event a swap collision. Let the random variable C(x n , y n ) represent the number of swap collisions that happened. Adopting the shorthand C for C(x n , y n ) and assuming that a malicious Alice introduces q = K(x n , x n ) swaps to forge x n , then C swaps will favor her, reducing the Kendall tau distance between x n and y n , and q −C will harm her, increasing the distance. Adopting the shorthand E[K] for E[K(x n , y n )], the check performed in step R.2 (ii) will catch her in the case , the check will detect a malicious Alice whenever We observe that C must always be a fraction of K since there cannot be more collisions than the number of swaps performed by the channel.
Given that K < (1+ε)E[K], we have the following lower bound on q: such that a malicious Alice is always detected whenever she performs more than 2(1 + 2ε)E[K] swaps. Now, it is necessary to take C into account to determine the appropriate value of the threshold τ . There are N = n(n − 1)/2 distinct possible pairwise adjacent transpositions (swaps), where k = K(x n , y n ) of them are performed by the channel and q = K(x n , x n ) by a malicious Alice.
We define the order of a swap as the minimum number of pairwise adjacent transpositions that need to be performed to implement it. In general, there are n − j distinct order-j swaps in any permutation with n elements. Moreover, the order of a specific swap is relative to the original permutation. We note that the swaps above are not order-1 when the original permutation is the identity. Also, it is convenient to assume that µ (1,3) = µ (3,1) , since both are swap operations over the same elements. So, to avoid confusion, we henceforth relabel the order of the packets in X n as the identity permutation, without loss of generality. Thereby, an order-j swap will always be of the form µ (i+j,i) . So, the 3 distinct order-2 swaps when n = 5 are µ (3,1) , µ (4,2) and µ (5,3) ; the 2 distinct order-3 swaps are µ (4,1) and µ (5,2) ; and the only order-4 swap is µ (5,1) .

[Figure: order-1, order-2, order-3 and order-4 swaps]
The order of a swap does not depend on the relative position where the swap occurs. The permutations {µ (3,2) , µ (3,1) } = [3, 1, 2, 4, 5] and {µ (2,1) , µ (3,1) , µ (4,1) } = [2, 3, 4, 1, 5] both have the same order-2 swap µ (3,1) , which is the intersection of the sets and represents a swap collision between the permutations. This means that the permutations y n and x n can be represented by sets of swap operations over packets of x n , treated as the identity permutation. We assume henceforth that X and Y are the sets of swaps that constitute x n and y n respectively.
We assume that Alice only performs µ (i+1,i) order-1 swaps to forge X n . Although the number of possible order-1 swaps is n − 1, there are at most (n − 1)/2 disjoint order-1 swaps that Alice can perform at once to map x n into x n , which upper bounds q. In order not to restrict the capabilities of a malicious Alice, we need a bound over the noisy parameter to reach this condition. Combining the upper bound above and the lower bound on q derived previously, we show that ρ must be We choose the restriction above because order-1 swaps of disjoint pairs of elements are independent and identically distributed. Moreover, the probability of the channel performing an order-1 swap in the output is greater, since the occurrence of any swap of higher order depends on some order-1 swap occurring first. Given Alice's malicious strategy of always performing the most probable swaps to forge x n , the restriction on ρ implies that Alice will just perform order-1 swaps.
As demonstrated in Appendix C, the probability that each order-1 swap occurs is equal to We note that the swap collision random variable $C = \sum_{i=1}^{n-1} C_{\mu_{(i+1,i)}}$ can be obtained as the summation of indicator random variables, where $C_{\mu_{(i+1,i)}} = 1$ when both Alice and the channel perform the swap $\mu_{(i+1,i)}$ and $C_{\mu_{(i+1,i)}} = 0$ otherwise. Furthermore, the swaps performed by Alice in X and by the channel in Y are also independent. Remembering that a malicious Alice performs |X| = q swaps arbitrarily, the expected number of swap collisions can be calculated as: We can obtain a concentration bound for C. To do this, we first observe that: where we set δ = (e t − 1) above. So, remembering that Alice performs arbitrarily independent order-1 swaps, it follows that: Observing that t = ln (1 + δ), we bound E[C] by means of the following Chernoff bound: We remember that q ≥ τ . So, it follows that: which goes to zero in τ .
Finally, we have: Therefore, our threshold τ is set as: such that for all q ≥ τ Alice's malicious behavior is detected by Bob in the test performed during the Reveal Phase. Now, to complete the proof, we show that when cheating Alice performs q ≤ τ permutations, Bob detects her malicious behavior since she cannot find two distinct permutations having the same hash with overwhelming probability.
where s is the security parameter. Then the probability that there are two permutations of the data packets x n = x n such that f (x n ) = f ( x n ), K(x n , x n ) ≤ τ and K( x n , x n ) ≤ τ is at most 2 −s .
Proof of Lemma 3: Let x n ← X n be a sequence as defined in step C.1 of the Commit Phase. Let W be the set of permutations of data packets with Kendall tau distance at most τ from x n . We know that the number of sequences with Kendall tau distance k from x n is given by the Mahonian triangle term M (n, k). Then, we just need to add every Mahonian term for 0 ≤ k ≤ τ to calculate the volume of the hypersphere with center in the arbitrary sequence x n . A well-known property of the Mahonian triangle is $M(n + 1, \tau) \leq \binom{n - 1 + \tau}{\tau}$.
Thus, we get that We apply Stirling's approximation and some other simplifications in the expression above, obtaining Taking the logarithm of the cardinality of the set W we have Using the definition of 2-universal hash functions and the union bound, the success probability of Alice finding a hash collision between two distinct permutations of the data packets x n , x n ∈ W is upper bounded by This means that Alice succeeds in cheating Bob only when one of the following cases occurs: the channel permutes less than (1 − ε)E[K] pairwise adjacent data packets of x n ; the number of swap collisions exceeds (1 + δ)E [C] or the hashes In light of the arguments above, when Bob follows the protocol, the probability of a malicious Alice successfully cheating is upper bounded by θ, which goes exponentially to zero in the security parameters n and s: which concludes the proof.

C. HIDING CONDITION
The protocol is secure for Alice if, before the reveal phase, a dishonest Bob can obtain at most a negligible amount of information about the string v that Alice commits to in the commit phase.
Alice extracts a one-time pad key from her string $x^n$ and uses it to encrypt the value $v$ that she commits to. As evidence of the commitment, Bob has a random variable $Y^n$ correlated with $X^n$ (obtained through the noisy channel) and an output $f(x^n)$ of a universal hash function (based on a seed chosen by him) computed by Alice. To show that Bob has almost no knowledge of Alice's commitment $v$, we must show that the key extracted by Alice and used to one-time pad $v$ is almost uniformly distributed given all information in Bob's possession; this result will follow from the Leftover Hash Lemma. In order to apply this lemma, we will need to bound the uncertainty Bob has about $X^n$. When Bob receives $Y^n$, his uncertainty about $X^n$ is given by the behavior of the noisy channel, which randomly permutes the data packets in $X^n$ with the following conditional probability mass function: $p(x^n \mid y^n) = \dfrac{\rho^{K(x^n, y^n)}}{\sigma_n(\rho)}$.
As $\rho^{K(x^n, y^n)}$ is maximized when $y^n = x^n$, the min-entropy of $X^n$ given $Y^n$ is such that: The Taylor series of $\ln(1 + x)$ is given by Replacing $x$ by $-\rho^i$ in the expression above and making the substitution of the natural logarithm function, we have

Now, we get that
Using Lemma 2, we bound the reduction on the uncertainty of Bob about $X^n$ due to the universal hash computed by Alice, whose size is given by $\omega = 2(n - 1 + \tau)\,H_b\!\left(\frac{\tau}{n-1+\tau}\right) + s$. So, we have: Lemma 1 establishes that 2-universal hash functions can extract m ≤ δn − 2 log( −1 ) + 2 random bits, where δn is the min-entropy of the source. Letting = $2^{-s}$, in our case it is possible to extract random bits such that the statistical distance between the output of the hash function $G$ applied by Alice over $X^n$ and truly random bits is at most $2^{-s}$ in Bob's view, given that $G$ is randomly chosen over a family G of 2-universal hash functions.
As Alice does the exclusive-or of her commitment $v$ with $g(x^n)$, we get that $\mathrm{SD}\left(P_{V,\mathrm{View}_B};\, P_{U_m,\mathrm{View}_B}\right) \le \mathrm{SD}\left(P_{G(X^n),G};\, P_{U_m,G}\right) \le 2^{-s} = \kappa$ and the proof follows.
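The channel posterior used in this proof can be enumerated exactly for a small number of packets. The following is an added example, not code from the paper: it builds $p(x^n \mid y^n) = \rho^{K(x^n,y^n)}/\sigma_n(\rho)$ over all orderings, confirms that Bob's best guess is $x^n = y^n$, and evaluates the resulting min-entropy $\log_2 \sigma_n(\rho)$. It goes slightly beyond the proof by also checking the expected Kendall tau distance from Appendix A against the identity $E[K] = \rho\,\sigma_n'(\rho)/\sigma_n(\rho)$. It assumes distinct packets and $S_i(\rho) = 1 + \rho + \dots + \rho^{i-1}$ (the standard Mahonian generating-function factor); all function names and sample values are constructed.

```python
from itertools import permutations
from math import log2

def kendall_tau(x, y):
    """Number of packet pairs whose relative order differs between x and y."""
    pos = {p: i for i, p in enumerate(y)}
    r = [pos[p] for p in x]
    return sum(r[i] > r[j] for i in range(len(r)) for j in range(i + 1, len(r)))

def sigma(n, rho):
    """sigma_n(rho) = prod_{i=1..n} S_i(rho), with S_i assumed as stated above."""
    out = 1.0
    for i in range(1, n + 1):
        out *= sum(rho ** j for j in range(i))
    return out

def posterior(y, rho):
    """p(x^n | y^n) for every candidate ordering x^n of the received packets."""
    z = sigma(len(y), rho)
    return {x: rho ** kendall_tau(x, y) / z for x in permutations(y)}

def min_entropy(n, rho):
    """-log2 max_x p(x | y) = log2 sigma_n(rho) for 0 < rho < 1."""
    return log2(sigma(n, rho))

def expected_distance(y, rho):
    """E[K] by direct summation over the posterior."""
    return sum(p * kendall_tau(x, y) for x, p in posterior(y, rho).items())

def expected_distance_closed_form(n, rho):
    """rho * sigma_n'(rho) / sigma_n(rho), differentiated factor by factor."""
    return sum(rho / (1 - rho) - i * rho ** i / (1 - rho ** i)
               for i in range(1, n + 1))

if __name__ == "__main__":
    y, rho = (1, 2, 3, 4, 5, 6), 0.15  # constructed received order and parameter
    post = posterior(y, rho)
    print(f"sum of p(x|y)      = {sum(post.values()):.12f}")
    print(f"Bob's best guess   = {max(post, key=post.get)}")
    print(f"min-entropy (bits) = {min_entropy(len(y), rho):.4f}")
    print(f"E[K] enumerated    = {expected_distance(y, rho):.6f}")
    print(f"E[K] closed form   = {expected_distance_closed_form(len(y), rho):.6f}")
```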

VII. CONCLUSIONS
In this work, we built upon the pioneering work of Palmieri and Pereira and proposed the first efficient string commitment protocol based on the packet reordering effect. Our commitment scheme is unconditionally hiding and binding. It has a restriction, since it works only when 0 ≤ ρ ≤ 1/(5 + 8ε). We have also introduced a new definition of packet reordering channels that naturally follows from the behavior of packet switching networks such as the Internet. There are several interesting sequels to this work:
• designing a protocol that works for all 0 < ρ < 1;
• proposing protocols that are optimal in terms of commitment rate and failure probabilities;
• showing the possibility of obtaining commitment and oblivious transfer protocols when the channel parameters are influenced by the adversary, in the stronger adversarial model known as unfair noisy channel;
• extending our model to combine the packet reordering with other noisy channels, such as the binary symmetric and the erasure channels;
• investigating secret key agreement protocols based on packet reordering channels as defined in this work.

APPENDIX A - OBTAINING THE CONCENTRATION INEQUALITIES
In this section, we derive the bounds presented in Subsection VI-A. At first, we obtain the expected Kendall tau distance between $X^n$ and $Y^n$. Adopting the shorthand of $E[K(X^n, Y^n)] = E[K]$ and $n(n-1)/2 = N$, we have that The first derivative of the generating function $\sigma_n$ can be calculated as follows Here, we are interested in the upper and lower bounds for the first derivative of the function $\sigma_n(\rho)$. First, we obtain the upper bound: Now, we derive the lower bound. Let $u(\rho)$ be any function in $\rho$. Remembering that In the last step above (as done in Subsection VI-C), we replaced the natural logarithm function by the Taylor series expansion. So, where we use in the last step the fact that Using Lemma 4 (presented in Appendix B) to bound the summation above, we have , which goes to 1 when $n \to \infty$. Then, by the Squeeze Theorem, $\forall\, 0 < \rho < 1$, the first derivative of the function $\sigma_n(\rho)$ is such that The expected Kendall tau distance between $X^n$ and $Y^n$ is given by The Chernoff bound for an arbitrary random variable $K$ is achieved by means of Markov's inequality applied to $e^{tK}$. For every $t > 0$, we have that The inequality above can be minimized in $t$ as follows: Now, we observe that For $n \to \infty$, The goal is to choose a $t > 0$ such that Then, Let $\alpha = \varepsilon(1 - \rho)/(1 + \varepsilon\rho)$ and let the notation $\sigma_n^{(i)}(\rho)$ denote the $i$-th derivative of the function $\sigma_n(\rho)$. Considering where the last expansion above is just the Taylor series of $\sigma_n(\rho e^t) = \sigma_n(\rho + \alpha\rho)$.
Let $(n-1)^{\overline{i}} = (n - 1)n(n + 1)(n + 2) \cdots (n - 1 + i - 1)$ be the rising factorial. We obtain the upper bound for the derivatives of higher order of the function $\sigma_n(\rho)$ as follows: Hence, by the principle of mathematical induction, having shown all the inequalities above, we need to demonstrate the validity for $i + 1$ to prove that it holds for all $i \ge 1$. So, Replacing the derivatives above in the previous concentration bound inequality we have: Using the identity (5.56) presented in [62], it follows that which goes exponentially to zero for $n$ sufficiently large.

B. LOWER TAIL
The lower tail of the concentration inequality is given by Here, we use a different approach. Let $\psi_K(t)$ be defined as It is easy to see that $\psi_K(0) = 0$. The first derivative of the function is The second derivative is given by Then, and also With this, we conclude that: The variance of $K$ is defined as We observe that Remembering that It follows: Hence, we claim that Now, by Taylor's theorem, we have $\psi_K(t) = \psi_K(0) + \psi_K'(0)\,t + \psi_K''(c)\,\frac{t^2}{2}$ for some $c$ between 0 and $t$. We notice that, We can bound the desired probability as Since the exponential is monotonic, we just need to minimize the function $\varphi(t)$ defined as Finally, it follows that which goes exponentially to zero when $n \to \infty$.

VOLUME ?, 2020
Now we observe that it is possible to develop the recurrence above for $\rho$ as follows: We claim that each term in the expansion of $\rho$ is greater than each term with the same numerator in the proposed series. It is easy to verify the correctness of the claim since the difference between the term of the expansion and the term of the series, both with the same numerator, is always positive: which is a simple consequence of the fact that the denominators of the terms of the expansion are smaller than those of the terms of the series.
Finally, in light of the argument above, we have that

Let $T(n, k)$ be the number of permutations containing any given $\mu_{(i+1,i)}$ order-1 swap among all possible $M(n, k)$ permutations at a Kendall tau distance $k$ from the identity permutation.
Recall that a swap is a pairwise adjacent data packet transposition. Also, an order-1 swap is a pairwise adjacent data packet transposition that can be performed independently of whether any other swap occurs.
Trivially, no order-1 swap occurs when $k = 0$ and it is easy to see that, for $k = 1$, every order-1 swap appears only once among all $M(n, 1)$ possible permutations, so $T(n, 0) = 0$ and $T(n, 1) = M(n, 0) = 1$ for all $n \ge 2$.
To obtain the probability $p = \Pr[\mu_{(i+1,i)} \in Y]$ that a given order-1 swap is in the set of swaps performed by the channel to map $x^n$ into $y^n$, we apply the law of total probability, calculating first $\Pr[\mu_{(i+1,i)} \in Y : |Y| = k]$, multiplying by the probability $\Pr[|Y| = k]$ and summing over all possible $k$. For any fixed $k$, the probability that any order-1 swap occurs is given by the ratio between the number of permutations containing a given order-1 swap, i.e. $T(n, k)$, and the number of permutations at Kendall tau distance $k$, i.e. $M(n, k)$. The probability $\Pr[|Y| = k]$ is given by the probability that $y^n$ has Kendall tau distance $k$, $\rho^k/\sigma_n(\rho)$, multiplied by the total number of permutations with Kendall tau distance $k$. So, it follows that: We claim that the polynomial $\sum_{k=0}^{N} T(n, k)\rho^k$ can also be written as a product of polynomials, in the same way as $\sigma_n(\rho) = \prod_{i=1}^{n} S_i(\rho)$. We notice that there is no reason to limit the sum in the definition of the polynomials. Assuming that $\forall\, k < 0 \lor k > N$, $T(n, k) = M(n, k) = 0$, we have: And now it is easy to check that the coefficients $T(n, k)$ of the polynomial above indeed form the triangle specified in the OEIS A307429 sequence and reproduced previously. Moreover, we can see that the product by $\rho$ is the cause of the shift of one column to the right in this triangle when compared with the Mahonian triangle. Finally, we have:

He has developed research in cyber, information and network security, distributed data services and machine learning for intrusion and fraud detection, as well as signal processing, energy harvesting and security at the physical layer. Nascimento has supervised over 20 master's theses and 3 Ph.D. theses. He was a panelist and reviewer for the National Science Foundation, the European Science Foundation, CAPES and CNPq.