All Questions
Tagged with commitments discrete-logarithm
20 questions
2
votes
0
answers
119
views
Cryptographic accumulator via function composition
I am looking for an alternative to RSA accumulators, and I am wondering if the following option based on function composition might fit the bill. It seems like an obvious tweak on RSA accumulators, ...
- 131
1
vote
1
answer
181
views
Interpolating polynomial discrete log
This is taken from page 16 of Stacking Sigmas
Essentially, let $0<t<\ell$ be integer values smaller than a certain prime modulus $q$. We have a set $\mathcal{X}$ with $|\mathcal{X}|=\ell-t+1$, $[...
- 217
0
votes
2
answers
224
views
Hiding property of Elgamal-like bit commitment
An Elgamal-like bit commitment scheme:
Let $\langle g \rangle$ be a group of order $n$, where $n$ is a large prime.
Let $h\in_{R}\langle g \rangle\setminus\{1\}$ denotes a random group element such ...
- 654
1
vote
1
answer
127
views
Proof of knowledge of constant discrete log in the bilinear setting
Consider a pairing $\mathbb{e}: \mathbb{G}_1\times \mathbb{G}_2\longrightarrow \mathbb{G}_T$ with generators $g_1$, $g_2$ for $\mathbb{G}_1$, $\mathbb{G}_2$ respectively. The groups $\mathbb{G}_1$, $\...
- 310
4
votes
2
answers
1k
views
Finding an elliptic curve of specific order
I wish to use elliptic curves for cryptographic operations like commitments etc. I see that most standard elliptic curves like $\operatorname{secp256k1, sect571r1}$ have a certain specific and fixed ...
- 159
2
votes
2
answers
374
views
Solution to Discrete Log as a Commitment
Is the solution to a discrete logarithm a reasonable commitment scheme?
By my analysis, the following scheme is a reasonable commitment scheme:
Let $p$ and $q$ be large primes such that $q∣(p−1)$, let ...
1
vote
0
answers
134
views
Does resuing pederson commitment preserve the hiding property?
Assume you have a pedersen commitment scheme where the commitment is:
$$\mathcal C_1 =C(m,r)=g^m\cdot h^r$$
with $g,h$ being public generators in a public group $(G,\cdot)$ in which the discrete ...
1
vote
0
answers
66
views
Question about hiding commitment scheme for integers
Given a generic group $\mathbb{G}$ of an unknown order (such as a $3000$-bit RSA group) and a randomly generated element $g \in \mathbb{G}$, is the commitment scheme $\mathrm{Com}(x)= g^x$ not ...
- 310
0
votes
0
answers
108
views
A card game (for mental poker or any other card game)
I thought of a way to produce trustless card game in a flexible way. One feature that I want is it should be flexible (It should work for any type of card game, though I indeed started it as a ...
- 661
0
votes
0
answers
151
views
Is there a concept of Pedersen commitment "in the base"?
This question Can Elgamal be made additively homomorphic and how could it be used for E-voting?
says ElGamal can be made homomorphic over multiplication. So you can have $(g^r, h^r g^m)$ (i.e., ...
- 395
0
votes
0
answers
175
views
Zero Knowledge Set Membership proof
ZK set membership:
I am trying to create my own zero knowledge set membership proof for a commitment to an element in the set for small sets. I am a beginner in such works, so can someone help me find ...
- 661
4
votes
1
answer
221
views
What information does $g^x$ reveal about $x$?
Let $p$ be a large prime number. Let $G$ be a subgroup of $\mathbb{Z}_p^*$ with order $q$ - again a large prime. Let $g$ be a generator of $G$.
Consider the following standard protocol for ...
- 1,307
1
vote
0
answers
224
views
Prove that two commitments are commitments to the same value
Let $x$ be the secret value, $(n,a,b,c)$ a public key, $(n_C, g, h)$ the commitment public key. Furthermore let $r, r_C$ be two random numbers.
Define $C = g^x h^{r_C} \bmod n_C$, $C_x = a^x b^r \...
- 123
2
votes
1
answer
331
views
Pedersen commitments, what happens if I choose $H$ such that $H = a\times G$?
For Pedersen commitments of the form $C = x\times G + r\times H$, what is the worst thing I can do if I already know $H$ such that $H = a\times G$ ?
For standard curves, there are specifications for ...
- 175
7
votes
2
answers
3k
views
Using Pedersen commitment for a vector
I'm reading Bootle/Groth. I'm trying to understand how they are committing to a vector using Pedersen commitment. Here's my understanding of Pedersen commitment in the context of this paper:
We have a ...
- 395