Hybrid commitments and their applications to zero-knowledge proof systems

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two possible distributions are computationally indistinguishable. Hybrid trapdoor commitments are related but different with respect to mixed commitments (introduced by Damg̊ard and Nielsen at Crypto 2002). In particular hybrid trapdoor commitments can either be polynomially trapdoor commitments or unconditionally binding commitments, while mixed commitment can be either trapdoor commitments or extractable commitments. In this paper we show that strong notions (e.g., simulation sound, multi trapdoor) of hybrid trapdoor commitments admit constructions based on the sole assumption that one-way functions exist as well as efficient constructions based on standard number-theoretic assumptions. To further stress the difference between hybrid and mixed commitments, we remark here that mixed commitments seem to require stronger theoretical assumptions (and the known number-theoretic constructions are less efficient). Our main result, is to show how to construct concurrent and simulation-sound zero-knowledge proof systems (in contrast to the arguments recently presented in [Damg̊ard, Eurocrypt 2000], [MacKenzie and Yang, Eurocrypt 2004], [Gennaro, Crypto 2004]) in the common reference string model. We crucially use hybrid trapdoor commitments since we present general constructions based on the sole assumption that one-way functions exists and very efficient constructions based on number-theoretic assumptions.