Results 1 - 10 of 16
Constant-Size Commitments to Polynomials and Their Applications
In Proceedings of ASIACRYPT 2010, 2010
Cited by 29 (9 self)
Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
Zero-knowledge sets with short proofs
In EUROCRYPT 2008, LNCS, 2008
Cited by 17 (3 self)
Abstract. Zero Knowledge Sets, introduced by Micali, Rabin and Kilian in
Vector Commitments and their Applications
Cited by 7 (1 self)
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1,..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the ith committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well established assumptions, such as RSA, and Computational Diffie-Hellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of “quality” of the underlying assumption, or both. These applications
Polynomial Commitments
Cited by 4 (4 self)
We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
All-but-k Mercurial Commitments and their Applications
Cited by 3 (2 self)
Abstract — We introduce and formally define all-but-k mercurial commitments, a new kind of cryptographic commitment that generalizes standard mercurial and non-mercurial (vector) commitments. We provide two concrete constructions for all-but-k mercurial commitments: the first is for committing to unordered lists (i.e., to multisets) and the second is for committing to ordered lists (i.e., to vectors). Both of our constructions build on Kate et al.’s polynomial commitments, leveraging the algebraic structure of polynomials to fine-tune the ordinary binding property of mercurial commitments. To facilitate these constructions, we give novel zero-knowledge protocols for 1) proving knowledge of a point on a committed polynomial, 2) arguing knowledge of the committed polynomial itself, and 3) arguing that a committed polynomial has degree at most k.
Verifiable Member and Order Queries on a List in Zero-Knowledge
Cited by 3 (1 self)
We introduce a formal model for order queries on lists in zero knowledge in the traditional authenticated data structure model. We call this model Privacy-Preserving Authenticated List (PPAL). In this model, the queries are performed on the list stored in the (untrusted) cloud where data integrity and privacy have to be maintained. To realize an efficient authenticated data structure, we first adapt the consistent data query model. To this end we introduce a formal model called Zero-Knowledge List (ZKL) scheme which generalizes consistent membership queries in zero-knowledge to consistent membership and order queries on a totally ordered set in zero knowledge. We present a construction of ZKL based on a zero-knowledge set and a homomorphic integer commitment scheme. Then we discuss why this construction is not as efficient as desired in cloud applications and present an efficient construction of PPAL based on bilinear accumulators and bilinear maps which is provably secure and zero-knowledge.
Block-wise P-signatures and non-interactive anonymous . . .
Cited by 2 (1 self)
Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with non-interactive proofs of credential possession where credentials are associated with a number of attributes. Following recent results of Camenisch and Groß (CCS 2008), the proof simultaneously convinces the verifier that certified attributes satisfy a certain predicate. Our construction relies on a new kind of P-signature, termed block-wise P-signature, that allows a user to obtain a signature on a committed vector of messages and makes it possible to generate a short witness that serves as a proof that the signed vector satisfies the predicate. A non-interactive anonymous credential is obtained by combining our block-wise P-signature scheme with the Groth-Sahai proof system. It allows efficiently proving possession of a credential while simultaneously demonstrating that underlying attributes satisfy a predicate corresponding to the evaluation of inner products (and therefore disjunctions or polynomial evaluations). The security of our scheme is proved in the standard model under non-interactive assumptions.
Batch Proofs of Partial Knowledge
Cited by 2 (1 self)
We present a practical attack on soundness in Peng and Bao’s ‘batch zero-knowledge proof and verification’ protocol for proving knowledge and equality of one-out-of-n pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurial-esque binding property: the prover commits to just n − 1 values, but later opens the commitment to n values without revealing which one out of the n values was not in the original commitment. With this requirement as a motivator, we propose and formally define all-but-k commitment schemes, and give a concrete construction based on polynomial commitments. We use the special case of “all-but-one” commitments to fix the above zero-knowledge protocol and then we describe a variant of the protocol that uses the more general all-but-k commitments to implement a batch zero-knowledge proof of knowledge and equality of k-out-of-n pairs of discrete logarithms, for arbitrary (public) k ∈ [1, n]. This latter protocol is asymptotically efficient, and it naturally yields batch “OR” proofs (one-out-of-n) and batch “AND” proofs (n-out-of-n) as two special cases; for all intermediate 1 < k < n, it is entirely novel.
Primary-Secondary-Resolver Membership Proof Systems
2014
Cited by 2 (0 self)
We consider Primary-Secondary-Resolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3-party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is for constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients. We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers, sound, so malicious secondaries cannot cheat resolvers, and zero-knowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all the members of the set. Providing proofs of non-membership, i.e. a denial-of-existence mechanism, is trickier and is the main issue in constructing PSR systems.
Fully-dynamic verifiable zero-knowledge order queries for network data
2015
Cited by 2 (2 self)
We show how to provide privacy-preserving (zero-knowledge) answers to order queries on network data that is organized in lists, trees, and partially-ordered sets of bounded dimension. Our methods are efficient and dynamic, in that they allow for updates in the ordering information while also providing for quick and verifiable answers to queries that reveal no information besides the answers to the queries themselves.