Questions tagged [commitments]

A commitment scheme is a protocol where one party commits themselves to a secret value without revealing it. At a later point, the value can be revealed.

Commitment schemes should be hiding and binding. That is, the output of the commitment should not reveal any information about the secret value, and once the commitment is completed, the party should not be able to reveal any value except the one they committed to.

Additional properties may include non-determinism and non-malleability.

Commitments are typically made to either a single bit or to an integer value. In the case of bit commitments, non-determinism is strictly necessary for hiding.

268 questions
34
votes
2 answers

What is a Pedersen commitment?

I couldn't find any answer providing a high-level overview on what Pedersen commitments are or what they are used for.
Paul Razvan Berg
31
votes
4 answers

How to fairly select a random number for a game without trusting a third party?

Several people are playing a game with random events and require a way to produce a random number. (Such as dice rolls or a lottery.) Can this be done such that each player has the power to be reasonably sure that the random number was fairly…
billpg
21
votes
3 answers

Why can't the commitment schemes have both information theoretic hiding and binding properties?

Commitment schemes like Pedersen's or hash-based ones either have information-theoretic hiding and computational binding, or computational hiding and information-theoretic binding. So can we ever get both information-theoretic hiding and binding? Is…
19
votes
1 answer

Why is the Pedersen commitment computationally binding?

This is how the Pedersen commitment seems to work: Let $p$ and $q$ be large primes such that $q \mid (p-1)$, let $g$ be a generator of the order-$q$ subgroup of $Z_p^{\star}$. Let $a$ be a random secret from $Z_q$, and $h=g^a \bmod p$. The values…
LRM
19
votes
1 answer

Overview of relations between cryptographic primitives?

Is there a web page that gives a graphical (or, alternatively, a textual) overview of known implications and separations between cryptographic primitives? More specifically, I am looking for something like the following, but more comprehensive and…
18
votes
1 answer

Commitment scheme using hash functions

Let's say Alice and Bob are playing a game where Bob is trying to guess a number Alice has chosen. Alice chooses a key $K$ and a number $N$ at random and performs $C=Commit(K, N)$ where $Commit(K, N)=h(h(K) \| h(N))$. $h()$ is a collision-resistant…
rath
15
votes
1 answer

Difference between Pedersen commitment and commitment based on ElGamal

Do any of you know what the difference is between the Pedersen commitment and the commitment that uses the ElGamal encryption scheme? For the sake of completeness, I recall what both of them look like. Given two public and large primes $p$ and…
LRM
12
votes
2 answers

What are the pros and cons of Pedersen commitments vs hash-based commitments?

Obviously, it's possible to create a commitment scheme comm(r, S) by using a hash function H and computing H(S||r). This scheme is secure under the assumption that H is collision and preimage resistant, which (IMO) is a lighter cryptographic…
Ian MathWiz
10
votes
1 answer

What's the difference among Vector Commitment, Zero-knowledge Set, Zero-knowledge Accumulator, and Zero-knowledge Elementary Database?

A vector commitment allows one to commit to an ordered sequence of $q$ values ($m_1,\cdots,m_q$) in such a way that one can later open the commitment at specific positions (e.g., prove that $m_i$ is the $i$-th committed message). A zero-knowledge set…
10
votes
6 answers

Mutual verification of shared secret

Is it possible to develop a scheme where two parties, unsure if they have the same secret, can verify that the other does or does not share the same secret, without one party being able to cheat and come away with more knowledge than the other? (Or…
codebeard
9
votes
2 answers

Have I understood Pedersen commitment correctly?

I want to do a one-sided integer commitment scheme. I.e. the whole process must be non-interactive, where at one point I first publicly reveal some data and then at a later time reveal the committed integer, which can then be verified. In the Pedersen…
Zeta Two
9
votes
2 answers

Can I prove set membership and uniqueness without revealing the element?

Assuming a publicly known set $\Psi$ with $N$ unique elements. I have a set $\Sigma=\{\sigma_1,\sigma_2,...,\sigma_m\}$ where $m\leqslant N$. I would like to publicly prove that all the elements in $\Sigma$ are unique and are also elements of…
Deiwin
8
votes
1 answer

MuSig: could the rogue key attack be mitigated by using commitments instead of key transformations?

Background MuSig is an extension of/derivation from Schnorr signatures using cyclic groups on elliptic curves. In the original paper, the authors point out that naive multi-Schnorr is vulnerable to a rogue key attack: Given $\Bbb G$ is a cyclic…
8
votes
1 answer

Why is the Pedersen commitment perfectly hiding?

I learned today about the Pedersen commitment scheme. A quick reminder (I know there are some variants of this scheme, so I will present the one I learned about): Public parameters - 2 primes $p,q$ such that $p=2q+1$, and 2 elements $g_1, g_2 \in…
noamgot
7
votes
4 answers

Are deterministic adversaries as powerful as probabilistic adversaries?

SOURCE states the following in the proof of Theorem 2: Without loss of generality, I will assume that A is deterministic. If A is randomized, we can determinize it by fixing a sequence of coins that maximizes A’s conditional success probability; it…
mti