Minimal Assumptions for Efficient Mercurial Commitments

نویسنده

  • Yevgeniy Dodis
چکیده

Mercurial commitments were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian [27]). Unlike regular commitments, which are strictly binding, mercurial commitments allow for certain amount of (limited) freedom. The notion of [8] also required that mercurial commitments should be equivocable given a certain trapdoor, although the notion is interesting even without this condition. While trivially implying regular (trapdoor) commitments, it was not clear from the prior work if the converse was true: Chase et al. [8] gave several constructions of mercurial commitments from various incompatible assumptions, leaving open if they can be built from any (trapdoor) commitment scheme, and, in particular, from any one-way function. We give an affirmative answer to this question, by giving two simple constructions of mercurial commitments from any trapdoor bit commitment scheme. By plugging in various (trapdoor) bit commitment schemes, we get all the efficient constructions from [27, 8], as well as several immediate new constructions. Our results imply that (a) mercurial commitments can be viewed as surprisingly simple variations of regular (trapdoor) commitments (and, thus, can be built from one-way functions and, more efficiently, from a variety of other assumptions); and (b) the existence of zero-knowledge sets is equivalent to the existence of collisionresistant hash functions (moreover, the former can be efficiently built from the latter and trapdoor commitments). Of independent interest, we also give a stronger and yet much simpler definition of mercurial commitments than that of [8] (which is also met by our constructions). Overall, we believe that our results eludicate the notion of mercurial commitments, and better explain the rational following the previous constructions of [27, 8]. ∗This is an independent part of the joint paper with Dario Catalano and Ivan Visconti from TCC’06 [6]. †Department of Computer Science, New York University, 251 Mercer Street, New York, NY 10012, USA. Email: [email protected]

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Mercurial Commitments: Minimal Assumptions and Efficient Constructions

(Non-interactive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar and certainly imply ordinary (noninteractive) trapdoor commitments (TCs). Unlike TCs, however, they allow for some additional freedom in the way the message is opened: ...

متن کامل

All-but-k Mercurial Commitments and their Applications

We introduce and formally define all-but-k mercurial commitments, a new kind cryptographic commitment that generalizes standard mercurial and non-mercurial (vector) commitments. We provide two concrete constructions for all-but-k mercurial commitments: the first is for committing to unordered lists (i.e., to multisets) and the second is for committing to ordered lists (i.e., to vectors). Both o...

متن کامل

Batch Proofs of Partial Knowledge

We present a practical attack on the soundness of Peng and Bao’s ‘batch zero-knowledge proof and verification’ protocol for proving knowledge and equality of one-out-of-n pairs of discrete logarithms. Fixing the protocol seems to require a commitment scheme with a nonstandard, mercurial-esque binding property: the prover commits to just n− 1 values, but later opens the commitment to n values wi...

متن کامل

Independent Zero-Knowledge Sets

We define and construct Independent Zero-Knowledge Sets (ZKS) protocols. In a ZKS protocols, a Prover commits to a set S, and for any x, proves non-interactively to a Verifier if x ∈ S or x / ∈ S without revealing any other information about S. In the independent ZKS protocols we introduce, the adversary is prevented from successfully correlate her set to the one of a honest prover. Our notion ...

متن کامل

Hybrid commitments and their applications to zero-knowledge proof systems

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two possible distributions are computationally indistinguishable. Hybrid trapdoor commitments are relat...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • IACR Cryptology ePrint Archive

دوره 2005  شماره 

صفحات  -

تاریخ انتشار 2005