Results 1  10
of
17
ConstantSize Commitments to Polynomials and Their Applications
 In Proceedings of ASIACRYPT 2010
, 2010
"... Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial ..."
Abstract

Cited by 29 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zeroknowledge sets, credentials and content extraction signatures.
Concise Mercurial Vector Commitments and Independent ZeroKnowledge Sets with Short Proofs
"... Abstract. Introduced by Micali, Rabin and Kilian (MRK), the basic primitive of zeroknowledge sets (ZKS) allows a prover to commit to a secret set S so as to be able to prove statements such as x ∈ S or x ̸ ∈ S. Chase et al. showed that ZKS protocols are underlain by a cryptographic primitive termed ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
Abstract. Introduced by Micali, Rabin and Kilian (MRK), the basic primitive of zeroknowledge sets (ZKS) allows a prover to commit to a secret set S so as to be able to prove statements such as x ∈ S or x ̸ ∈ S. Chase et al. showed that ZKS protocols are underlain by a cryptographic primitive termed mercurial commitment. A (trapdoor) mercurial commitment has two commitment procedures. At committing time, the committer can choose not to commit to a specific message and rather generate a dummy value which it will be able to softly open to any message without being able to completely open it. Hard commitments, on the other hand, can be hardly or softly opened to only one specific message. At Eurocrypt 2008, Catalano, Fiore and Messina (CFM) introduced an extension called trapdoor qmercurial commitment (qTMC), which allows committing to a vector of q messages. These qTMC schemes are interesting since their openings w.r.t. specific vector positions can be short (ideally, the opening length should not depend on q), which provides zeroknowledge sets with much shorter proofs when such a commitment is combined with a Merkle tree of arity q. The CFM construction notably features short proofs of nonmembership as it makes use of a qTMC scheme with short soft openings. A problem left open is that hard openings still have size O(q), which prevents proofs of membership from being as compact as those of nonmembership. In this paper, we solve this open problem and describe a new qTMC scheme where hard and soft positionwise openings, both, have constant size. We then show how our scheme is amenable to constructing independent zeroknowledge sets (i.e., ZKS schemes that prevent adversaries from correlating their set to the sets of honest provers, as defined by Gennaro and Micali). Our solution retains the short proof property for this important primitive as well. Keywords. Zeroknowledge databases, mercurial commitments, efficiency, independence. 1
Statistically hiding sets
 In Proceedings of the The Cryptographers’ Track at the RSA Conference 2009, CTRSA 2009
, 2009
"... Zeroknowledge set is a primitive introduced by Micali, Rabin, and Kilian (FOCS 2003) which enables a prover to commit a set to a verifier, without revealing even the size of the set. Later the prover can give zeroknowledge proofs to convince the verifier of membership/nonmembership of elements in/ ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
Zeroknowledge set is a primitive introduced by Micali, Rabin, and Kilian (FOCS 2003) which enables a prover to commit a set to a verifier, without revealing even the size of the set. Later the prover can give zeroknowledge proofs to convince the verifier of membership/nonmembership of elements in/not in the committed set. We present a new primitive called Statistically Hiding Sets (SHS), similar to zeroknowledge sets, but providing an information theoretic hiding guarantee, rather than one based on efficient simulation. This is comparable to relaxing zeroknowledge proofs to witness independent proofs. More precisely, we continue to use the simulation paradigm for our definition, but do not require the simulator (nor the distinguisher) to be efficient. We present a new scheme for statistically hiding sets, which does not fit into the “Merkletree/mercurialcommitment” paradigm that has been used for all zeroknowledge set constructions so far. This not only provides efficiency gains compared to the best schemes in that paradigm, but also lets us provide statistical hiding; previous approaches required the prover to maintain growing amounts of state with each new proof for this.
Vector Commitments and their Applications
"... Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1,..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the ith committed ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m1,..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the ith committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well established assumptions, such as RSA, and Computational DiffieHellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of ”quality ” of the underlying assumption, or both. These applications
Polynomial Commitments
"... We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although ..."
Abstract

Cited by 4 (4 self)
 Add to MetaCart
We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zeroknowledge sets, credentials and content extraction signatures. 1
Allbutk Mercurial Commitments and their Applications †
"... Abstract — We introduce and formally define allbutk mercurial commitments, a new kind cryptographic commitment that generalizes standard mercurial and nonmercurial (vector) commitments. We provide two concrete constructions for allbutk mercurial commitments: the first is for committing to unord ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
(Show Context)
Abstract — We introduce and formally define allbutk mercurial commitments, a new kind cryptographic commitment that generalizes standard mercurial and nonmercurial (vector) commitments. We provide two concrete constructions for allbutk mercurial commitments: the first is for committing to unordered lists (i.e., to multisets) and the second is for committing to ordered lists (i.e., to vectors). Both of our constructions build on Kate et al.’s polynomial commitments, leveraging the algebraic structure of polynomials to fine tune the ordinary binding property of mercurial commitments. To facilitate these constructions, we give novel zeroknowledge protocols for 1) proving knowledge of a point on a committed polynomial, 2) arguing knowledge of the committed polynomial itself, and 3) arguing that a committed polynomial has degree at most k.
Verifiable Member and Order Queries on a List in ZeroKnowledge
"... We introduce a formal model for order queries on lists in zero knowledge in the traditional authenticated data structure model. We call this model PrivacyPreserving Authenticated List (PPAL). In this model, the queries are performed on the list stored in the (untrusted) cloud where data integrity a ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We introduce a formal model for order queries on lists in zero knowledge in the traditional authenticated data structure model. We call this model PrivacyPreserving Authenticated List (PPAL). In this model, the queries are performed on the list stored in the (untrusted) cloud where data integrity and privacy have to be maintained. To realize an efficient authenticated data structure, we first adapt consistent data query model. To this end we introduce a formal model called ZeroKnowledge List (ZKL) scheme which generalizes consistent membership queries in zeroknowledge to consistent membership and order queries on a totally ordered set in zero knowledge. We present a construction of ZKL based on zeroknowledge set and homomorphic integer commitment scheme. Then we discuss why this construction is not as efficient as desired in cloud applications and present an efficient construction of PPAL based on bilinear accumulators and bilinear maps which is provably secure and zeroknowledge.
Batch Proofs of Partial Knowledge
"... We present a practical attack on soundness in Peng and Bao’s ‘batch zeroknowledge proof and verification’ protocol for proving knowledge and equality of oneoutofn pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurialesque binding pr ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
We present a practical attack on soundness in Peng and Bao’s ‘batch zeroknowledge proof and verification’ protocol for proving knowledge and equality of oneoutofn pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurialesque binding property: the prover commits to just n − 1 values, but later opens the commitment to n values without revealing which one out of the n values was not in the original commitment. With this requirement as a motivator, we propose and formally define allbutk commitment schemes, and give a concrete construction based on polynomial commitments. We use the special case of “allbutone ” commitments to fix the above zeroknowledge protocol and then we describe a variant of the protocol that uses the more general allbutk commitments to implement a batch zeroknowledge proof of knowledge and equality of koutofn pairs of discrete logarithms, for arbitrary (public) k ∈ [1, n]. This latter protocol is asymptotically efficient, and it naturally yields batch “OR ” proofs (oneoutofn) and batch “AND ” proofs (noutofn) as two special cases; for all intermediate 1 < k < n, it is entirely novel.
PrimarySecondaryResolver Membership Proof Systems
, 2014
"... We consider PrimarySecondaryResolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates a public and se ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
We consider PrimarySecondaryResolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates a public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is for constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients. We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers, sound, so malicious secondaries cannot cheat resolvers, and zeroknowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all the members of the set. Providing proofs of nonmembership, i.e. a denialofexistence mechanism, is trickier and is the main issue in constructing PSR systems.
Fullydynamic verifiable zeroknowledge order queries for network data
, 2015
"... We show how to provide privacypreserving (zeroknowledge) answers to order queries on network data that is organized in lists, trees, and partiallyordered sets of bounded dimension. Our methods are efficient and dynamic, in that they allow for updates in the ordering information while also providi ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
We show how to provide privacypreserving (zeroknowledge) answers to order queries on network data that is organized in lists, trees, and partiallyordered sets of bounded dimension. Our methods are efficient and dynamic, in that they allow for updates in the ordering information while also providing for quick and verifiable answers to queries that reveal no information besides the answers to the queries themselves.