Questions tagged [commitments]
A commitment scheme is a protocol where one party commits themselves to a secret value without revealing it. At a later point, the value can be revealed.
270 questions
0
votes
0
answers
24
views
Proving knowledge of message encrypted using Elgamal which is also committed in another "commitment"
I need help with building a Sigma protocol (or any other efficient protocol for proving knowledge) of a committed message encrypted with Elgamal (regular Elgamal, not its exponent variation).
I have a ...
- 558
1
vote
1
answer
81
views
Can anyone give an example to describe the VOLE-ZK protocol?
Recently I'm watching Baum's video to learn about VOLE. In a slide, the lecturer gave us a flowchart to describe what ALice and Bob send to each other if they are going to do a deg-2 VOLE-ZK(in pic 1) ...
2
votes
0
answers
33
views
Can ElGamal public key be reused for Pedersen commitment's key?
I encrypt data using ElGamal public key $y=g^x$, so nobody knows $x$, being a private key. Also during my service lifetime I perform many Pedersen commitment operations. It is known that Pedersen ...
- 33
0
votes
0
answers
33
views
Is there any vector commitment with $O(\log{n})$-size public parameters and $O(1)$-time verification?
Vector commitments ($\mathsf{VC}$) [CF13] allow to commit to a sequence of $n$ values and later on reveal $m<n$ values at a specific position(s) and prove it consistent with the initial commitment. ...
0
votes
1
answer
69
views
Is the following commitment scheme hiding? Is it binding?
Consider the commitment scheme defined as Commit(X, r) = C with $C = g^r \cdot X$, where $r \in \mathbb{Z}_p$ and $X \in \mathbb{G} = \langle g\rangle$, where $\mathbb{G}$ is a multiplicative group of ...
- 31
3
votes
2
answers
442
views
Is the Paillier cryptosystem key-committing?
Can a Paillier ciphertext serve as a commitment to the plaintext? In other words, is it computationally feasible to generate two different plaintexts that encrypt to the same ciphertext under ...
- 155
2
votes
1
answer
99
views
Why is unconditional classical bit commitment impossible?
It is well-known that unconditional quantum bit commitment is impossible [1, 2, 3]. So I wonder if there is a direct proof for the classical case.
Note that any classical protocol can be treated as a ...
- 35
3
votes
0
answers
68
views
Sigma Protocol for commitment to m ∈ {0,1}
I am confused about the sigma protocol presented in this paper: One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin (enter link description here). I wonder how to understand each step of ...
- 31
0
votes
1
answer
37
views
size of pedersen commitment
May I ask that the parameter requirement of Pedersen commitment?
For $g^{x~modq}h^{r~modq}mod p$, does p depends on q? Or does it only depend on the security parameter desired? How large will the p ...
- 381
0
votes
1
answer
76
views
Verifier running polynomial commitment
Context : SNARK and zero knowledge, and here polynomial commitment
Spartan: Efficient and general-purpose zkSNARKs
without trusted setup (7.2.2)
the Spartan verifier runs the
Commit algorithm (of the ...
0
votes
0
answers
77
views
What's the simplest and most instructive polynomial interactive oracle proof?
I'm writing my thesis about Zero-Knowledge Proofs and I'm trying to write a short and instructive introduction to zk-SNARKs at the moment (I have to stay within a certain limit of pages).
I introduced ...
- 111
0
votes
0
answers
63
views
How can a cryptographic primitive make a SNARK a zk-SNARK?
I'm currently reading this book by Justin Thaler that describes the process of constructing a zk-SNARK:
"Argument systems are typically developed in a two-step process.
First, an information-...
- 111
0
votes
0
answers
66
views
Soundness check: Set commitment using KZG and polynomial of form (x - e_1)(x - e_2)...(x - e_n)
We wish to create a commitment scheme to a set of at most $n$ unique elements, $\{ e_1, e_2, ... e_n\}$. Is a KZG commitment of max degree $n$ to the following degree $n$ polynomial, where each ...
- 101
0
votes
0
answers
46
views
Vector Commitments vs Accumulators vs Lookups
What is the difference between these primitives. It seems like you can use any of these primitives as a stand in for the other.
To my understanding, accumulators and lookup tables commit to an ...
- 69
1
vote
1
answer
132
views
Linear commitments for groups beyond $\mathbb{Z}_p$
I need a construction for the following: Given a group $\mathbb{G}$ of order $p$, enable a party to commit to a vector $(x_1,\ldots,x_N)\in\mathbb{G}^n$ in a way that, in a later phase, the party can ...
- 4,072