## Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing (1996)

Venue: in Advances in Cryptology - CRYPTO96, Lecture Notes in Computer Science 1109

Citations: 67 (6 self)

### BibTeX

@INPROCEEDINGS{Halevi96practicaland,
  author = {Shai Halevi and Silvio Micali},
  title = {Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing},
  booktitle = {in Advances in Cryptology - CRYPTO96, Lecture Notes in Computer Science 1109},
  year = {1996},
  pages = {201--215},
  publisher = {Springer-Verlag}
}

### Abstract

We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant-round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions.

1 Introduction

String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two-stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the Receiver. In Stage 2 (the De-commit stage), the Sender provides the Receiver with ...

### Citations

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988

Citation Context: ...fficiency parameters was later described by Brassard and Crépeau [4]. A more efficient construction, which is also based on the hardness of factoring, was introduced by Goldwasser, Micali and Rivest [12]. Their collision-free permutation-pairs enable one to commit to long messages using about the same amount of local computation as in Blum's scheme, but to send only a k-bit commitment string, regard...

646 | Quantum Cryptography: Public-key Distribution and Coin Tossing
- Bennett, Brassard
- 1984

Citation Context: ...e work, Several researchers showed that a commitment scheme for a single bit can be implemented using "quantum computing devices". The first such scheme was the (flawed) scheme by Bennett and Brassard [1]. Better schemes were later suggested by Brassard and Crépeau [5] and Brassard, Crépeau, Jozsa and Langlois [6]. 1.2 Our result We present a commitment scheme which is provably secure under a standa...

408 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1992

Citation Context: ...GMR construction but avoids the need for this initialization step. Several other constructions in the literature are based on the difficulty of extracting discrete-logarithms. In particular, Pedersen [18] and Chaum, van Heijst and Pfitzmann [8], described a scheme in which the Sender can commit to a string of length k (where k is the size of the prime modulus) by performing two modular exponentiations,...

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989

Citation Context: ...roblems An interesting open problem is to reduce the assumptions needed for a commitment scheme. In particular, it is not known whether universal one-way hash functions (in the sense of Naor and Yung [17]) are sufficient for commitment schemes in the unbounded receiver model. 6 Another open problem is to design efficient commitment schemes which have nice homomorphism properties. In particular, in som...

244 | Bit commitment using pseudorandomness
- Naor
- 1991

Citation Context: ... modulus) by performing two modular exponentiations, and sending a k-bit commitment string. There were also a few implementations of commitment-schemes using more generic complexity assumptions. Naor [15] presented a commitment scheme in the bounded receiver (and unbounded sender) model, which can be implemented 2 Moreover, such schemes still protect the Receiver in case the underlying cryptographic a...

163 | How to Construct Constant-Round Zero-Knowledge Proof Systems for NP
- Goldreich, Kahan
- 1996

Citation Context: ... applications in which one must use bounded-to-unbounded commitment schemes to yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in [11]), or to obtain statistical zero-knowledge arguments for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constr...

92 | Coin flipping by telephone
- Blum
- 1982

Citation Context: ...for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flipping coins over the phone. Blum described a commitment scheme for one bit, which is based on the hardness of factoring. Blum's scheme calls for one or two modular multiplication...

86 | Universal Hash Functions
- Carter, Wegman
- 1979

Citation Context: ... and MD is a message-digest function. The first scheme. The first scheme uses universal hashing as a tool for "adding randomness" to the message. Universal hashing was introduced by Carter and Wegman [7] and it plays a very important role in many areas of computer-science. Intuitively, a family of hash functions $H = \{h : A \to B\}$ is universal if picking a function at random from H "has the same effect"...

74 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
- Chaum, Heijst, et al.
- 1991

Citation Context: ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. [2, 8, 9, 10, 14]). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali...

73 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damgård, Pedersen, et al.
- 1997

Citation Context: ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. [2, 8, 9, 10, 14]). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali...

70 | A Quantum Bit Commitment Scheme Provably Unbreakable by Both Parties
- Brassard, Crépeau, et al.
- 1993

Citation Context: ...mputing devices". The first such scheme was the (flawed) scheme by Bennett and Brassard [1]. Better schemes were later suggested by Brassard and Crépeau [5] and Brassard, Crépeau, Jozsa and Langlois [6]. 1.2 Our result We present a commitment scheme which is provably secure under a standard assumption in the model in which the Sender is computationally bounded and the Receiver is all-powerful. Moreo...

60 | Practical and provably secure release of a secret and exchange of signatures
- Damgård
- 1995

Citation Context: ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. [2, 8, 9, 10, 14]). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali...

57 | Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond
- Brassard, Crépeau
- 1986

Citation Context: ...tring for every bit which is being committed to (where k is the size of the composite modulus). A similar construction with the same efficiency parameters was later described by Brassard and Crépeau [4]. A more efficient construction, which is also based on the hardness of factoring, was introduced by Goldwasser, Micali and Rivest [12]. Their collision-free permutation-pairs enable one to commit to...

42 | Direct Minimum-Knowledge Computations
- Impagliazzo, Yung
- 1988

Citation Context: ...o yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in [11]), or to obtain statistical zero-knowledge arguments for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flippi...

42 | Perfect zero-knowledge arguments for NP can be based on general complexity assumptions
- Naor, Ostrovsky, et al.
- 1998

Citation Context: ...o yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in [11]), or to obtain statistical zero-knowledge arguments for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flippi...

37 | Quantum Bit Commitment and Coin Tossing Protocols
- Brassard, Crépeau
- 1991

Citation Context: ...single bit can be implemented using "quantum computing devices". The first such scheme was the (flawed) scheme by Bennett and Brassard [1]. Better schemes were later suggested by Brassard and Crépeau [5] and Brassard, Crépeau, Jozsa and Langlois [6]. 1.2 Our result We present a commitment scheme which is provably secure under a standard assumption in the model in which the Sender is computationally ...

19 | A remark on signature scheme where forgery can be proved
- Bleumer, Pfitzmann, et al.

2 | Efficient commitment with bounded sender and unbounded receiver
- Halevi
- 1995