#### DMCA

## Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing (1996)

Venue: | in Advances in Cryptology - CRYPTO96, Lecture Notes in Computer Science 1109 |

Citations: | 76 - 5 self |

### Citations

960 |
Quantum Cryptography: Public Key Distribution and Coin Tossing
- Bennett, Brassard
- 1984
(Show Context)
Citation Context ...e work, Several researchers showed that a commitment scheme for a single bit can be implemented using "quantum computing devices". The first such scheme was the (flawed) scheme by Bennet and=-= Brassard [1]-=-. Better schemes were later suggested by Brassard and Cr'epeau [5] and Brassard, Cr'epeau, Jozsa and Langlois [6]. 1.2 Our result We present a commitment scheme which is provably secure under a standa... |

952 | A digital signature scheme secure against adaptive chosen message attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...fficiency parameters was later described by Brassard and Cr'epeau [4]. A more efficient construction, which is also based on the hardness of factoring, was introduced by Goldwasser, Micali and Rivest =-=[12]-=-. Their collision-free permutation-pairs enables one to commit to long messages using about the same amount of local computation as in Blum's scheme, but to send only a k-bit commitment string, regard... |

488 |
Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
(Show Context)
Citation Context ...GMR construction but avoids the need for this initialization step. Several other constructions in the literature are based on the difficulty of extracting discrete-logarithms. In particular, Pedersen =-=[18]-=- and Chaum, vanHeijst and Pfitzmann [8], described a scheme in which the Sender can commit to a string of length k (where k is the size of the prime modulus) by performing two modular exponentiations,... |

347 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...roblems An interesting open problem is to reduce the assumptions needed for a commitment scheme. In particular, it is not known whether universal one-way hash functions (in the sense of Naor and Yung =-=[17]-=-) are sufficient for commitment schemes in the unbounded receiver model. 6 Another open problem is to design efficient commitment schemes which have nice homomorphism properties. In particular, in som... |

271 | Bit commitment using pseudorandomness
- Naor
- 1991
(Show Context)
Citation Context ... modulus) by performing two modular exponentiations, and sending a k-bit commitment string. There were also a few implementations of commitment-schemes using more generic complexity assumptions. Naor =-=[15]-=- presented a commitment scheme in the bounded receiver (and unbounded sender) model, which can be implemented 2 Moreover, such schemes still protect the Receiver in case the underlying cryptographic a... |

162 | How to Construct Constant-Round Zero-Knowledge Proof Systems for NP
- Goldreich, Kahan
- 1996
(Show Context)
Citation Context ... applications in which one must use bounded-to-unbounded commitment schemes to yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in =-=[11]-=-), or to obtain statistical zero-knowledge arguments for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constr... |

115 |
Coin flipping by telephone
- Blum
- 1982
(Show Context)
Citation Context ...for NP (as shown by [13, 16]). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum =-=[3]-=- in the context of flipping coins over the phone. Blum described a commitment scheme for one bit, which is based on the hardness of factoring. Blum's scheme calls for one or two modular multiplication... |

93 |
Universal hash functions
- Carter, Wegman
- 1979
(Show Context)
Citation Context ... and MD is a message-digest function. The first scheme. The first scheme uses universal hashing as a tool for "adding randomness" to the message. Universal hashing was introduced by Carter a=-=nd Wegman [7] and it pl-=-ays a very important role in many areas of computer-science. Intuitively, a family of hash functions H = fh : A ! Bg is universal if picking a function at random from H "has the same effect"... |

78 | Cryptographically strong undeniable signatures, unconditionally secure for the signer. Interner Bericht, Fakultät für Informatik
- Chaum, Heijst, et al.
- 1990
(Show Context)
Citation Context ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. =-=[2, 8, 9, 10, 14]-=-). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali... |

76 | A quantum bit commitment scheme provably unbreakable by both parties
- Brassard, Crepeau, et al.
- 1993
(Show Context)
Citation Context ...mputing devices". The first such scheme was the (flawed) scheme by Bennet and Brassard [1]. Better schemes were later suggested by Brassard and Cr'epeau [5] and Brassard, Cr'epeau, Jozsa and Lang=-=lois [6]-=-. 1.2 Our result We present a commitment scheme which is provably secure under a standard assumption in the model in which the Sender is computationally bounded and the Receiver is all-powerful. Moreo... |

71 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damg˚ard, Pedersen, et al.
- 1993
(Show Context)
Citation Context ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. =-=[2, 8, 9, 10, 14]-=-). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali... |

64 |
Practical and provably secure release of a secret and exchange of signatures
- Damg̊ard
- 1993
(Show Context)
Citation Context ...mputation as in Blum's scheme, but to send only a k-bit commitment string, regardless of the length of the message being committed to. Since then, this construction was used in many other works (e.g. =-=[2, 8, 9, 10, 14]-=-). One common problem of all these constructions is that they all rely on composite numbers of a special form (i.e., product of two primes which are both 3 mod 4). Thus they require a special initiali... |

60 | Non-Transitive Transfer of Confidence: A Perfect the Work of Madhu Sudan
- Brassard, Creapau
- 1986
(Show Context)
Citation Context ...tring for every bit which is being committed to (where k is the size of the composite modulus). A similar construction with the same efficiency parameters was later described by Brassard and Cr'epeau =-=[4]-=-. A more efficient construction, which is also based on the hardness of factoring, was introduced by Goldwasser, Micali and Rivest [12]. Their collision-free permutation-pairs enables one to commit to... |

45 |
Direct minimum-knowledge computations
- Impagliazzo, Yung
- 1988
(Show Context)
Citation Context ...o yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in [11]), or to obtain statistical zero-knowledge arguments for NP (as shown by =-=[13, 16]-=-). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flippi... |

42 | Zero-Knowledge Arguments for NP can be Based on General Complexity Assumptions, manuscript
- Naor, Ostrovsky, et al.
(Show Context)
Citation Context ...o yield the desired result; for instance, to obtain constant-round computational zero-knowledge proofs for NP (as shown in [11]), or to obtain statistical zero-knowledge arguments for NP (as shown by =-=[13, 16]-=-). 1.1 Previous Work Many commitment schemes in the unbounded-receiver model are known based on number-theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flippi... |

39 | Quantum bit commitment and coin tossing protocols
- Brassard, Crepeau
- 1991
(Show Context)
Citation Context ...single bit can be implemented using "quantum computing devices". The first such scheme was the (flawed) scheme by Bennet and Brassard [1]. Better schemes were later suggested by Brassard and=-= Cr'epeau [5]-=- and Brassard, Cr'epeau, Jozsa and Langlois [6]. 1.2 Our result We present a commitment scheme which is provably secure under a standard assumption in the model in which the Sender is computationally ... |

19 | A remark on signature scheme where forgery can be proved
- Bleumer, Pfitzmann, et al.
(Show Context)
Citation Context |

3 |
Efficient commitment with bounded sender and unbounded receiver
- Halevi
- 1995
(Show Context)
Citation Context |