Constant-Size Commitments to Polynomials and Their Applications
In Proceedings of ASIACRYPT 2010, 2010
Cited by 28 (9 self)
Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
Vector Commitments and their Applications
Cited by 7 (1 self)
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1, ..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the i-th committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well established assumptions, such as RSA, and Computational Diffie-Hellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of “quality” of the underlying assumption, or both. These applications
Polynomial Commitments
Cited by 4 (4 self)
We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
All-but-k Mercurial Commitments and their Applications
Cited by 3 (2 self)
Abstract — We introduce and formally define all-but-k mercurial commitments, a new kind of cryptographic commitment that generalizes standard mercurial and non-mercurial (vector) commitments. We provide two concrete constructions for all-but-k mercurial commitments: the first is for committing to unordered lists (i.e., to multisets) and the second is for committing to ordered lists (i.e., to vectors). Both of our constructions build on Kate et al.’s polynomial commitments, leveraging the algebraic structure of polynomials to fine-tune the ordinary binding property of mercurial commitments. To facilitate these constructions, we give novel zero-knowledge protocols for 1) proving knowledge of a point on a committed polynomial, 2) arguing knowledge of the committed polynomial itself, and 3) arguing that a committed polynomial has degree at most k.
Verifiable Member and Order Queries on a List in Zero-Knowledge
Cited by 3 (1 self)
We introduce a formal model for order queries on lists in zero knowledge in the traditional authenticated data structure model. We call this model Privacy-Preserving Authenticated List (PPAL). In this model, the queries are performed on the list stored in the (untrusted) cloud where data integrity and privacy have to be maintained. To realize an efficient authenticated data structure, we first adapt the consistent data query model. To this end we introduce a formal model called Zero-Knowledge List (ZKL) scheme which generalizes consistent membership queries in zero-knowledge to consistent membership and order queries on a totally ordered set in zero knowledge. We present a construction of ZKL based on zero-knowledge sets and a homomorphic integer commitment scheme. Then we discuss why this construction is not as efficient as desired in cloud applications and present an efficient construction of PPAL based on bilinear accumulators and bilinear maps which is provably secure and zero-knowledge.
Batch Proofs of Partial Knowledge
Cited by 2 (1 self)
We present a practical attack on soundness in Peng and Bao’s ‘batch zero-knowledge proof and verification’ protocol for proving knowledge and equality of one-out-of-n pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a non-standard, mercurial-esque binding property: the prover commits to just n − 1 values, but later opens the commitment to n values without revealing which one out of the n values was not in the original commitment. With this requirement as a motivator, we propose and formally define all-but-k commitment schemes, and give a concrete construction based on polynomial commitments. We use the special case of “all-but-one” commitments to fix the above zero-knowledge protocol and then we describe a variant of the protocol that uses the more general all-but-k commitments to implement a batch zero-knowledge proof of knowledge and equality of k-out-of-n pairs of discrete logarithms, for arbitrary (public) k ∈ [1, n]. This latter protocol is asymptotically efficient, and it naturally yields batch “OR” proofs (one-out-of-n) and batch “AND” proofs (n-out-of-n) as two special cases; for all intermediate 1 < k < n, it is entirely novel.
Primary-Secondary-Resolver Membership Proof Systems
2014
Cited by 2 (0 self)
We consider Primary-Secondary-Resolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3-party protocol, where we have a primary, which is a trusted party that commits to a set of members and their values, then generates public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients. We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers; sound, so malicious secondaries cannot cheat resolvers; and zero-knowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all the members of the set. Providing proofs of non-membership, i.e. a denial-of-existence mechanism, is trickier and is the main issue in constructing PSR systems.
Fully-dynamic verifiable zero-knowledge order queries for network data. Cryptology ePrint Archive, Report 2015/283
2015
Cited by 2 (2 self)
We show how to provide privacy-preserving (zero-knowledge) answers to order queries on network data that is organized in lists, trees, and partially-ordered sets of bounded dimension. Our methods are efficient and dynamic, in that they allow for updates in the ordering information while also providing for quick and verifiable answers to queries that reveal no information besides the answers to the queries themselves.
Zero-Knowledge Sets with Short Proofs
and Kilian in 2003, allow a prover to commit to a secret set S in a way such that it can later prove, non-interactively, statements of the form x ∈ S (or x ∉ S), without revealing any further information (on top of what is explicitly revealed by the inclusion/exclusion statements above) on S, not even its size. Later, Chase et al. abstracted away Micali, Rabin and Kilian’s construction by introducing an elegant new variant of commitments that they called (trapdoor) mercurial commitments. Using this primitive, it was shown how to construct zero-knowledge sets from a variety of assumptions (both general and number-theoretic). This paper introduces the notion of trapdoor q-mercurial commitments (q-TMCs), a notion of mercurial commitment that allows the sender to commit to an ordered sequence of exactly q messages, rather than to a single one. Following the previous work, it is shown how to construct ZKS from q-TMCs and collision-resistant hash functions. Then, an efficient realization of q-TMCs is presented that is secure under the so-called Strong Diffie-Hellman assumption, a number-theoretic conjecture recently introduced by Boneh and Boyen. Using such a scheme as the basic building block, a construction of ZKS is obtained that allows for proofs that are much shorter than the best previously known implementations. In particular, for an appropriate choice of the parameters, our proofs are up to 33% shorter for the case of proofs of membership, and up to 73% shorter for the case of proofs of non-membership. Experimental tests confirm practical time performance. Index Terms—Security, integrity and protection, Public Key Cryptosystems.
CO-ADVISOR:
We study collision-resistant hash functions (CRHFs) that allow efficient validation of predicates on the inputs, using only the hash values and short certificates. For the predicates, we consider sets and character strings. The idea of computing the hash value of a set in order to prove (non-)membership appears in the literature under the name of cryptographic accumulators (Benaloh and De Mare, CRYPTO 1993). In this thesis we first propose a cryptographic accumulator that can handle dynamic sets (that is, sets in which elements can be inserted and deleted) and whose security does not depend on any trusted authority. We then show that no cryptographic accumulator exists that allows all certificates to be updated in constant time after several modifications. This result resolves an open problem posed by Nicolosi and Fazio in their survey of cryptographic accumulators (2002). The next contribution of this thesis is a CRHF that allows long strings to be compared according to lexicographic order. We use this CRHF to construct a scheme