Results 1 
6 of
6
ConstantSize Commitments to Polynomials and Their Applications
 In Proceedings of ASIACRYPT 2010
, 2010
"... Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zeroknowledge sets, credentials and content extraction signatures.
Polynomial Commitments
"... We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although ..."
Abstract

Cited by 4 (4 self)
 Add to MetaCart
We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zeroknowledge sets, credentials and content extraction signatures. 1
Allbutk Mercurial Commitments and their Applications †
"... Abstract — We introduce and formally define allbutk mercurial commitments, a new kind cryptographic commitment that generalizes standard mercurial and nonmercurial (vector) commitments. We provide two concrete constructions for allbutk mercurial commitments: the first is for committing to unord ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Abstract — We introduce and formally define allbutk mercurial commitments, a new kind cryptographic commitment that generalizes standard mercurial and nonmercurial (vector) commitments. We provide two concrete constructions for allbutk mercurial commitments: the first is for committing to unordered lists (i.e., to multisets) and the second is for committing to ordered lists (i.e., to vectors). Both of our constructions build on Kate et al.’s polynomial commitments, leveraging the algebraic structure of polynomials to fine tune the ordinary binding property of mercurial commitments. To facilitate these constructions, we give novel zeroknowledge protocols for 1) proving knowledge of a point on a committed polynomial, 2) arguing knowledge of the committed polynomial itself, and 3) arguing that a committed polynomial has degree at most k.
Batch Proofs of Partial Knowledge
"... We present a practical attack on soundness in Peng and Bao’s ‘batch zeroknowledge proof and verification’ protocol for proving knowledge and equality of oneoutofn pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurialesque binding pr ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
We present a practical attack on soundness in Peng and Bao’s ‘batch zeroknowledge proof and verification’ protocol for proving knowledge and equality of oneoutofn pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurialesque binding property: the prover commits to just n − 1 values, but later opens the commitment to n values without revealing which one out of the n values was not in the original commitment. With this requirement as a motivator, we propose and formally define allbutk commitment schemes, and give a concrete construction based on polynomial commitments. We use the special case of “allbutone ” commitments to fix the above zeroknowledge protocol and then we describe a variant of the protocol that uses the more general allbutk commitments to implement a batch zeroknowledge proof of knowledge and equality of koutofn pairs of discrete logarithms, for arbitrary (public) k ∈ [1, n]. This latter protocol is asymptotically efficient, and it naturally yields batch “OR ” proofs (oneoutofn) and batch “AND ” proofs (noutofn) as two special cases; for all intermediate 1 < k < n, it is entirely novel.
Vector Commitments and their Applications
"... Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1,..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the ith committed ..."
Abstract
 Add to MetaCart
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1,..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the ith committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well established assumptions, such as RSA, and Computational DiffieHellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of ”quality ” of the underlying assumption, or both. These applications
Université catholique de Louvain (Belgium)
"... Abstract. Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of cre ..."
Abstract
 Add to MetaCart
Abstract. Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with noninteractive proofs of credential possession where credentials are associated with a number of attributes. Following recent results of Camenisch and Groß (CCS 2008), the proof simultaneously convinces the verifier that certified attributes satisfy a certain predicate. Our construction relies on a new kind of Psignature, termed blockwise Psignature, that allows a user to obtain a signature on a committed vector of messages and makes it possible to generate a short witness that serves as a proof that the signed vector satisfies the predicate. A noninteractive anonymous credential is obtained by combining our blockwise Psignature scheme with the GrothSahai proof system. It allows efficiently proving possession of a credential while simultaneously demonstrating that underlying attributes satisfy a predicate corresponding to the evaluation of inner products (and therefore disjunctions or polynomial evaluations). The security of our scheme is proved in the standard model under noninteractive assumptions.