![]() ![]() In a secret sharing scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. Verifiable secret sharing Īnother important application of commitments is in verifiable secret sharing, a critical building block of secure multiparty computation. This allows zero-knowledge proofs to be composed in parallel without revealing additional information. Commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. Commitment schemes allow the prover to specify all the information in advance in a commitment, and only reveal what should be revealed later in the proof. One particular motivating example is the use of commitment schemes in zero-knowledge proofs.Ĭommitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Since the receiver has the box, the value inside cannot be changed-merely revealed if the sender chooses to give them the key at some later time. The value in the box is hidden from the receiver, who cannot open the lock themselves. Ī way to visualize a commitment scheme is to think of the sender as putting the value in a locked box, and giving the box to the receiver. Similarly, Alice cannot affect the result if she cannot change the value she commits to. If the commitment scheme is a good one, Bob cannot skew the results. If Alice's revelation matches the coin result Bob reported, Alice winsįor Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment.Bob flips the coin and reports the result,.Alice "calls" the coin flip and tells Bob only a commitment to her call,.Using commitments, a similar procedure is: Alice would have to trust Bob's report of how the coin flip turned out, whereas Bob knows what result is more desirable for him. If they are not in the same place, this procedure is faulty. If Alice's call is correct, she wins, otherwise Bob wins.If they are physically in the same place, a typical procedure might be: Suppose Alice and Bob want to resolve some dilemma via coin flipping. 3.3 A perfectly binding scheme based on the discrete log problem.3.2 Bit-commitment from a pseudo-random generator.3.1 Bit-commitment from any one-way permutation (or injective one way function).2.2 Perfect, statistical and computational hiding.2 Defining the security of commitment schemes.The terminology seems to have been originated by Blum, although commitment schemes can be interchangeably called bit commitment schemes-sometimes reserved for the special case where the committed value is a binary bit. ![]() The notion of commitments appeared earliest in works by Manuel Blum, Shimon Even, and Shamir et al. The concept of commitment schemes was first formalized by Gilles Brassard, David Chaum, and Claude Crepeau in 1988, but the concept was used without being treated formally prior to that. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property). A simple reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. It is essential that the specific value chosen cannot be known by the receiver at that time (this is called the hiding property). In simple protocols, the commit phase consists of a single message from the sender to the receiver. the " reveal phase" during which the value is revealed and checked.the " commit phase" during which a value is chosen and specified.Interactions in a commitment scheme take place in two phases: They are important to a variety of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation. Commitments are used to bind a party to a value so that they cannot adapt to other messages in order to gain some kind of inappropriate advantage. In cryptography, a commitment scheme allows one to commit to a value while keeping it hidden, with the ability to reveal the committed value later.
0 Comments
Leave a Reply. |