
A commitment scheme is a way to commit to a value, or to a vector of values, without revealing it. Given an opening, the committed message can later be revealed.

A commitment scheme consists of

• a probabilistic key generation algorithm $G$,
• a commitment algorithm $\mathrm{com}_{ck}$,
• an opening algorithm $\mathrm{op}_{ck}$.

On input of the security parameter $1^\lambda$ the key generation algorithm produces

• a public commitment key $ck$,
• a message space $M_{ck}$,
• a randomizer space $R_{ck}$,
• a commitment space $C_{ck}$.

3.3. Homomorphic Commitment 41

The commitment space $C_{ck}$ is determined by the choices of the commitment key, the message and randomizer space, and the commitment algorithm. The commitment algorithm takes an $m \in M_{ck}$ and an $r \in R_{ck}$ as input and computes $c_m = \mathrm{com}_{ck}(m; r)$, the commitment of $m$. Given the opening $d \in O_{ck}$ and the commitment $c_m$, the opening algorithm can reveal the original message $m = \mathrm{op}_{ck}(c_m, d)$. In many commitment schemes the opening $d$ consists of the message $m$ and the randomness $r$.

We require the commitment scheme to be binding and hiding. Informally, binding means it is not possible to find two messages $m_1, m_2 \in M_{ck}$ with $m_1 \neq m_2$ and $r_1, r_2 \in R_{ck}$ such that $c = \mathrm{com}_{ck}(m_1; r_1)$ is also a commitment to $m_2$ with randomness $r_2$. Hiding requires that the commitment reveals no information about the message.

Definition 4 (Binding). A commitment scheme is (computationally) binding if for any probabilistic polynomial time adversary $A$

$$\Pr\big[ck \leftarrow G(1^\lambda);\ (m_1, r_1, m_2, r_2) \leftarrow A(ck) :\ m_1, m_2 \in M_{ck},\ r_1, r_2 \in R_{ck},\ m_1 \neq m_2 \ \wedge\ \mathrm{com}_{ck}(m_1; r_1) = \mathrm{com}_{ck}(m_2; r_2)\big]$$

is negligible in $\lambda$.

If this holds for an unbounded adversary $A$, the commitment scheme is unconditionally binding, also called perfectly binding.

Definition 5 (Hiding). A commitment scheme is (computationally) hiding if for any probabilistic polynomial time adversary $A$

$$\Big|\Pr\big[ck \leftarrow G(1^\lambda);\ (m_1, m_2) \leftarrow A(ck);\ r \leftarrow R_{ck};\ c \leftarrow \mathrm{com}_{ck}(m_1; r) :\ A(c) = 1\big] - \Pr\big[ck \leftarrow G(1^\lambda);\ (m_1, m_2) \leftarrow A(ck);\ r \leftarrow R_{ck};\ c \leftarrow \mathrm{com}_{ck}(m_2; r) :\ A(c) = 1\big]\Big|$$

is negligible in $\lambda$, where $m_1, m_2 \in M_{ck}$ and the randomness $r$ is drawn uniformly from $R_{ck}$ by the challenger, not by $A$ (an adversary that chose $r$ itself could simply recompute the commitment and distinguish trivially).

A commitment scheme is unconditionally or perfectly hiding if this condition also holds for an unbounded $A$.

In addition, a commitment scheme may fulfill the trapdoor property. In this case the generator $G$ also outputs a trapdoor $t$, which allows us to open a commitment $c_m = \mathrm{com}_{ck}(m; r)$ to any message $m'$.

In other words, without knowledge of the trapdoor $t$ the commitment scheme is binding, but given the trapdoor it is possible to cheat arbitrarily.

The trapdoor property seems to contradict the purpose of a commitment scheme, which is to allow a prover to bind themselves to a value and later reveal exactly this value. However, as long as the prover does not know the trapdoor, the commitment scheme is binding. Therefore, trapdoor commitments can be used as normal commitment schemes. Furthermore, the trapdoor property is important for some protocols. For instance, it can be used to convert honest verifier zero-knowledge arguments into arguments which are zero-knowledge with respect to any verifier, see also Section 3.5.

We will require for our work that the commitment scheme is homomorphic.

Definition 6 (Homomorphic). A commitment scheme is homomorphic if for $ck \leftarrow G(1^\lambda)$ the message space $M_{ck}$, the randomizer space $R_{ck}$, and the commitment space $C_{ck}$ are abelian groups (we write $M_{ck}$ and $R_{ck}$ additively and $C_{ck}$ multiplicatively) and

$$\mathrm{com}_{ck}(a + b;\ r + s) = \mathrm{com}_{ck}(a; r)\,\mathrm{com}_{ck}(b; s) \quad \forall\, a, b \in M_{ck},\ r, s \in R_{ck}.$$

In addition, we require for some of our arguments that it is possible to compute a commitment to $n$ elements of $\mathbb{Z}_q$, where $q$ is a large prime, at the same time. Many homomorphic commitment schemes with this property can be used, but for convenience we focus on a generalization of the Pedersen commitment scheme [Ped91].

3.3.1 Generalized Pedersen Commitment

The generalized Pedersen commitment scheme allows committing to $n$ elements at the same time and works in cyclic groups. More precisely, on input of $1^\lambda$ and $1^n$ the key generation algorithm $G$ outputs

• a cyclic group $\mathbb{G}$ of prime order $q$ with security level $\lambda$, and $M_{ck} = \mathbb{Z}_q^n$, $R_{ck} = \mathbb{Z}_q$ and $C_{ck} = \mathbb{G}$,
• a commitment key $ck = (\mathbb{G}, G_1, \dots, G_n, H)$ where $G_1, \dots, G_n, H$ are random generators of the group $\mathbb{G}$,
• the opening space $O_{ck} = M_{ck} \times R_{ck}$.

To conceal $n$ elements $(a_1, \dots, a_n) \in \mathbb{Z}_q^n$ we pick randomness $r \in \mathbb{Z}_q$ and compute

$$\mathrm{com}_{ck}(a_1, \dots, a_n; r) = H^{r} \prod_{i=1}^{n} G_i^{a_i}.$$

Computing a commitment to fewer than $n$ elements is possible by setting the remaining entries $a_i$ to $0$; the special case $n = 1$ is the standard Pedersen commitment. For instance, if the commitment key is $ck = (\mathbb{G}, G_1, \dots, G_n, H)$ and the commitment should be computed for $m < n$ elements $(a_1, \dots, a_m)$, we set $a_j = 0$ for $m < j \leq n$.

The commitment is computationally binding under the discrete logarithm assumption, i.e. a probabilistic polynomial time adversary has negligible probability of finding two different openings of the same commitment $c$. Even finding a single opening of a given $c$ is hard: for $n = 1$, choosing the randomness $r$ leaves the equation $G_1^{m} = cH^{-r}$ to be solved for $m$, which is a discrete logarithm in $\mathbb{G}$. Two distinct openings $(a; r) \neq (a'; r')$ of the same $c$ would give $\prod_{i=1}^{n} G_i^{a_i - a'_i} H^{r - r'} = 1$ with not all exponents zero, a non-trivial discrete logarithm relation between the random generators, which the discrete logarithm assumption rules out. Furthermore, since the randomness $r$ is picked uniformly from the randomizer space $R_{ck}$ and $H$ generates $\mathbb{G}$, the map $r \mapsto H^{r}\prod_{i=1}^{n} G_i^{a_i}$ is a bijection from $\mathbb{Z}_q$ to $\mathbb{G}$ for every fixed message, so the commitment is uniformly distributed in $\mathbb{G}$ no matter what the messages are. Therefore the commitment scheme is perfectly hiding.

The generalized Pedersen commitment has a trapdoor. It consists of $x = (x_1, \dots, x_n) \in \mathbb{Z}_q^n$ such that

$$G_i = H^{x_i} \quad \text{for } i = 1, \dots, n.$$

Given a commitment $c = \mathrm{com}_{ck}(m; r)$ and the trapdoor $x$ we can open $c$ to any $m' \in \mathbb{Z}_q^n$ by setting

$$r' = r + \sum_{i=1}^{n} x_i (m_i - m'_i) \in \mathbb{Z}_q.$$

In this case

$$c = H^{r} \prod_{i=1}^{n} G_i^{m_i} = H^{r} \prod_{i=1}^{n} G_i^{m'_i} \prod_{i=1}^{n} G_i^{m_i - m'_i} = H^{r} \prod_{i=1}^{n} G_i^{m'_i} \cdot H^{\sum_{i=1}^{n} x_i (m_i - m'_i)} = H^{r'} \prod_{i=1}^{n} G_i^{m'_i} = \mathrm{com}_{ck}(m'; r').$$

The generalized Pedersen commitment scheme is homomorphic: for all $a, b \in \mathbb{Z}_q^n$ and $r, s \in \mathbb{Z}_q$ we have

$$\mathrm{com}_{ck}(a; r)\,\mathrm{com}_{ck}(b; s) = H^{r} \prod_{i=1}^{n} G_i^{a_i} \cdot H^{s} \prod_{i=1}^{n} G_i^{b_i} = H^{r+s} \prod_{i=1}^{n} G_i^{a_i + b_i} = \mathrm{com}_{ck}(a + b;\ r + s).$$

We stress that a commitment consists of a single group element no matter how big n is, as the product of n group elements is a group element. This means the commitment scheme is length reducing and we can commit to n elements with a single small commitment. This property is crucial to get sublinear communication cost.
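As an added example (not code from the thesis), the following Python implements the generalized Pedersen commitment of this subsection over a toy Schnorr group and checks the properties derived above: the homomorphic identity, zero padding for fewer than $n$ elements, the trapdoor opening with $r' = r + \sum_i x_i(m_i - m'_i)$, and the discrete logarithm relation that any two openings of one commitment expose. The Miller-Rabin parameter generation, the 62-bit safe prime, and the hash-derived generators are my assumptions for a self-contained offline demo; the parameter size gives no real security.

```python
"""Generalized Pedersen commitment over a toy Schnorr group (added example).

Assumptions not from the thesis: Miller-Rabin parameter generation, a ~62-bit
safe prime p = 2q + 1 (fast, insecure; real use needs curves or 2048+ bits),
and generators derived by hashing so nobody knows their discrete logarithms.
"""
import hashlib
import random

def is_probable_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(rng, bits=62):
    """Return (p, q) with q a prime of the given size and p = 2q + 1 prime."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def hash_to_group(label, p):
    """Nothing-up-my-sleeve generator: hash, then square into the order-q subgroup."""
    while True:
        g = pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % p, 2, p)
        if g not in (0, 1):
            return g
        label += b"."

def keygen(n, p, q):
    """Honest key ck = (G, G_1..G_n, H); no one knows log_H(G_i)."""
    return {"p": p, "q": q, "H": hash_to_group(b"H", p),
            "G": [hash_to_group(b"G%d" % i, p) for i in range(1, n + 1)]}

def keygen_trapdoor(n, rng, p, q):
    """Trapdoored key: G_i = H^{x_i}; whoever holds x can open to anything."""
    H = 1
    while H == 1:                       # random non-identity subgroup element
        H = pow(rng.randrange(2, p - 1), 2, p)
    x = [rng.randrange(1, q) for _ in range(n)]
    return {"p": p, "q": q, "H": H, "G": [pow(H, xi, p) for xi in x]}, x

def commit(ck, a, r):
    """com_ck(a_1..a_k; r) = H^r * prod G_i^{a_i}; k < n pads with zeros."""
    assert len(a) <= len(ck["G"]), "too many elements for this key"
    p, q = ck["p"], ck["q"]
    c = pow(ck["H"], r % q, p)
    for G_i, a_i in zip(ck["G"], a):    # entries beyond len(a) act as a_i = 0
        c = c * pow(G_i, a_i % q, p) % p
    return c

def trapdoor_open(ck, x, m, r, m_new):
    """r' = r + sum x_i (m_i - m'_i), so com(m; r) == com(m_new; r')."""
    return (r + sum(xi * (mi - ni) for xi, mi, ni in zip(x, m, m_new))) % ck["q"]

def demo(seed=1, n=4):
    """Run the checks from the text; returns booleans plus the modulus size."""
    rng = random.Random(seed)
    p, q = gen_safe_prime(rng)
    ck = keygen(n, p, q)
    a = [rng.randrange(q) for _ in range(n)]          # constructed sample messages
    b = [rng.randrange(q) for _ in range(n)]
    r, s = rng.randrange(q), rng.randrange(q)
    c_a, c_b = commit(ck, a, r), commit(ck, b, s)
    out = {"bits": p.bit_length()}
    # Homomorphic: com(a; r) * com(b; s) == com(a + b; r + s).
    out["homomorphic"] = c_a * c_b % p == commit(
        ck, [(u + v) % q for u, v in zip(a, b)], (r + s) % q)
    # Fewer than n elements is the same as padding the message with zeros.
    out["padded"] = commit(ck, a[:2], r) == commit(ck, a[:2] + [0] * (n - 2), r)
    # Trapdoor: open c = com(a; r) to the unrelated message b.
    tck, x = keygen_trapdoor(n, rng, p, q)
    c = commit(tck, a, r)
    r_new = trapdoor_open(tck, x, a, r, b)
    out["equivocated"] = commit(tck, b, r_new) == c
    # Two openings of one c expose prod G_i^{a_i - b_i} * H^{r - r_new} == 1,
    # a discrete-log relation nobody can find without the trapdoor.
    rel = pow(tck["H"], (r - r_new) % q, p)
    for G_i, ai, bi in zip(tck["G"], a, b):
        rel = rel * pow(G_i, (ai - bi) % q, p) % p
    out["relation"] = rel == 1
    return out
```

Calling `demo()` returns all four checks as `True`; the trapdoor checks use a separate, deliberately trapdoored key, since under the honest hash-derived key nobody holds $x$ and the relation cannot be produced.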

We use the generalized Pedersen commitment scheme in this work because of its elegance and because its security rests on the discrete logarithm assumption. However, our protocols would also work with other homomorphic commitment schemes that allow committing to $n$ elements at the same time. We describe our protocols in a way that makes it easy to plug in another homomorphic commitment scheme.

Notation: For a commitment to a value $a$ we will write $c_a = \mathrm{com}_{ck}(a; r)$. Moreover, for a matrix $A \in \mathbb{Z}_q^{n \times m}$ with columns $a_1, \dots, a_m$ and randomness $r = (r_1, \dots, r_m) \in \mathbb{Z}_q^m$ we shorten notation by defining

$$\mathrm{com}_{ck}(A; r) = \big(\mathrm{com}_{ck}(a_1; r_1), \dots, \mathrm{com}_{ck}(a_m; r_m)\big).$$

Similarly, we define a commitment to $a \in \mathbb{Z}_q^N$ where $N = mn$ as

$$\mathrm{com}_{ck}(a; r) = \big(\mathrm{com}_{ck}(a_1, \dots, a_n; r_1), \dots, \mathrm{com}_{ck}(a_{(m-1)n+1}, \dots, a_N; r_m)\big).$$

We define a bilinear map $\mathbb{G}^m \times \mathbb{Z}_q^m \to \mathbb{G}$ by

$$c^{b} = (c_1, \dots, c_m)^{(b_1, \dots, b_m)^T} = \prod_{j=1}^{m} c_j^{b_j},$$

and for a matrix $B$ with columns $b_1, \dots, b_m$ we define $c^{B} = (c^{b_1}, \dots, c^{b_m})$. It is useful to observe that the underlying linear algebra behaves nicely, i.e.

$$\mathrm{com}_{ck}(A; r)^{b} = \mathrm{com}_{ck}(Ab;\ r \cdot b) \quad \text{and} \quad \mathrm{com}_{ck}(A; r)^{B} = \mathrm{com}_{ck}(AB;\ rB),$$

where $r \cdot b$ is the inner product of the vectors $r$ and $b$ and $rB$ is the row vector $r$ multiplied by $B$.
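As an added worked derivation (not part of the original text), here is why $\mathrm{com}_{ck}(A; r)^{b} = \mathrm{com}_{ck}(Ab; r \cdot b)$ holds in the notation just introduced; $a_{ij}$ denotes the entry of $A$ in row $i$ and column $j$ (a name assumed here), so the $i$-th entry of the column $Ab$ is $\sum_{j=1}^{m} a_{ij} b_j$:

$$\mathrm{com}_{ck}(A; r)^{b} = \prod_{j=1}^{m} \mathrm{com}_{ck}(a_j; r_j)^{b_j} = \prod_{j=1}^{m} \Big( H^{r_j} \prod_{i=1}^{n} G_i^{a_{ij}} \Big)^{b_j} = H^{\sum_{j=1}^{m} r_j b_j} \prod_{i=1}^{n} G_i^{\sum_{j=1}^{m} a_{ij} b_j} = \mathrm{com}_{ck}(Ab;\ r \cdot b).$$

The matrix identity follows column by column: the $k$-th entry of $\mathrm{com}_{ck}(A; r)^{B}$ is $\mathrm{com}_{ck}(A; r)^{b_k} = \mathrm{com}_{ck}(Ab_k; r \cdot b_k)$, and $Ab_k$ and $r \cdot b_k$ are exactly the $k$-th column of $AB$ and the $k$-th entry of $rB$, so $\mathrm{com}_{ck}(A; r)^{B} = \mathrm{com}_{ck}(AB; rB)$. Note that this uses only the homomorphic property of Definition 6; it would hold for any homomorphic commitment scheme plugged in for the generalized Pedersen scheme.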