Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [commitments]

A commitment scheme is a protocol where one party commits themselves to a secret value without revealing it. At a later point, the value can be revealed.

A commitment scheme is a protocol where one party commits themselves to a secret value without revealing it. At a later point, the value can be revealed.

Commitment schemes should be hiding and binding. That is, the output of the commitment should not reveal any information about the secret value, and once the commitment is completed, the party should not be able to reveal any value except the one they committed to.

Additional properties may include non-determinism and non-malleability.

Commitments are typically made to either a single bit or to an integer value. In the case bit commitments, non-determinism is strictly necessary for hiding.

249 questions
4
votes
0 answers

Statistically Binding Commitments

Is it possible to ever have a commitment scheme that is statistically binding but not perfectly binding? The sender would be computationally unbounded, hence could always computationally trudge through all potential (message,key) pairs.…
Buals
  • 41
  • 2
4
votes
1 answer

Which groups to use for Pedersen Commitments

I have been reading about Pedersen Commitments, and have come across some contradictory examples, which is confusing. Just focusing on simple commitment of scalars (not EC points or vectors), then I have read this: Why is the Pedersen commitment…
simbro
  • 263
  • 1
  • 9
4
votes
2 answers

What type of commitment scheme is it?

I am having a task where I have to evaluate a commitment scheme. I checked already a few questions here, but they have not helped me :( I hope someone is able to help me out in that. What do I have? $commit_H$ - perfectly hiding and computationally…
Donut
  • 395
  • 3
  • 13
2
votes
0 answers

Difference between a key value commitment and authenticated dictionary

I was wondering about the difference between an authenticated dictionary and a key value commitment scheme like KVac. Are they the same thing or they have different model or definitions? Thanks
Sam Smith
  • 105
  • 5
2
votes
0 answers

Commitment to a degree of a polynomial

Is there a way to commit to a degree of a polynomial without committing to every single one of its coefficients? The problem I am trying to solve is to prove that two polynomials are the same in a more efficient way than to prove that every…
Fiono
  • 567
  • 2
  • 12
2
votes
1 answer

Are Fujisaki commitments binding if the factorization of the group is known?

If I understand correctly, a Fujisaki commitment is as follows: $g^m \cdot h^r $ mod $n$, where $m$ is a message, $r$ is a random number, there exists $a$ such that $h^a = g$, and $n$ is an RSA modulus. Usually, when I read discussions about this…
Zarquan
  • 313
  • 1
  • 8
2
votes
1 answer

How many bits are needed to commit one bit non-interactively in the standard model?

I'm wondering the state-of-art result about how many bits are needed to commit a single-bit non-interactively? I noticed in the paper of Naor's bit commitment: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/bit.pdf this paper says assured amortized…
CryptoLover
  • 932
  • 1
  • 6
  • 19
2
votes
1 answer

Cheating in a commitment scheme based on discrete log

Question: Consider the following commitment scheme: Public parameters: large primes $q$ and $p$ such that $p = 2\cdot q + 1$, and two generators $g, g'$ of a $q$-order subgroup of $\mathbb Z_p^*$. Alice commits to $t$ in $\mathbb Z_q$ by…
Bar
  • 23
  • 2
2
votes
1 answer

Pedersen commitments equivalence

Is there a zero-knowledge proof that proves that two Pedersen commitments commit the same value?
Fiono
  • 567
  • 2
  • 12
2
votes
1 answer

How to multiply the Pedersen Commitment of two numbers?

Given two numbers $x_1$, $x_2$ and their respective binding numbers, $b_1$ and $b_2$, let's take their Pedersen Commitment to be $C(x_n, b_n)$ $\forall n=1,2$. What is $C(x_1 * x_2, b_1 * b_2)$?
Jim
  • 123
  • 3
1
vote
1 answer

What does it mean for g and h to be indendent in pedersen commitments?

I'm looking at a research paper about the insecurity of a specific (wrong) usage of Pedersen commitments. First, I'll go through the steps of Pedersen commitments, so that it can be shown if I have a basic misunderstanding. My understanding of…
NotQuiteSo1337
  • 33
  • 4
1
vote
1 answer

Why must s be kept secret in pedersen commitments?

I was reading up on Pedersen commitment over at this website: https://asecuritysite.com/encryption/ped, where they calculate $h=g^s \bmod p$, and they say that $s$ must be a secret. I wonder why this is a requirement? Since verifiers will know the…
Sequinex
  • 13
  • 2
1
vote
1 answer

Constant size commitment to a membership of a fixed size of elements

Suppose there is a global set of $n$ elements, out of which I want to commit to $2n/3$ elements, i.e., anyone can take my commitment and test what $2n/3$ of the possible $n$ elements I committed to. Is there any way to do so with a constant size…
Od Na
  • 13
  • 2
1
vote
1 answer

Constant size commitment to a bivariate polynomial

In this paper by Kate et al, a constant size polynomial commitment scheme is described. The commitment scheme assumes a public reference string: \begin{align*} \Big\{ \{ g^{ \tau^i }, g^{ \alpha \tau^i } \}_{i=-d}^{d} \}, \ \ \{ h^{ \tau^i },…
Snoop Catt
  • 1,297
  • 7
  • 14
1
vote
1 answer

Can 2 bit commitment protocols be secure when sent together with the same bit

Suppose I have 2 bit commitment schemes, C1 and C2 which are computationally hiding.Suppose I commit the same bit using both and send them to an adversary who knows that the same bit was committed. Is the scheme still computationally hiding, or are…
shafi
  • 11
  • 2
1
2