Advances in Cryptology - ASIACRYPT 2010

Volume 6477 of the series Lecture Notes in Computer Science pp 177-194

Constant-Size Commitments to Polynomials and Their Applications

  • Aniket Kate, affiliated with Lancaster University, Max Planck Institute for Software Systems (MPI-SWS)
  • Gregory M. Zaverucha, affiliated with Lancaster University, Certicom Research
  • Ian Goldberg, affiliated with Lancaster University, University of Waterloo


We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.


Keywords: Polynomial Commitments, Verifiable Secret Sharing, Zero-Knowledge Sets, Credentials