Mercurial Commitments with Applications to Zero-Knowledge Sets


We introduce a new flavor of commitment schemes, which we call mercurial commitments. Informally, mercurial commitments are standard commitments that have been extended to allow for soft decommitment. Soft decommitments, on the one hand, are not binding but, on the other hand, cannot be in conflict with true decommitments.

We then demonstrate that a particular instantiation of mercurial commitments has been implicitly used by Micali, Rabin and Kilian to construct zero-knowledge sets. (A zero-knowledge set scheme allows a Prover to (1) commit to a set S in a way that reveals nothing about S and (2) prove to a Verifier, in zero-knowledge, statements of the form x ∈ S and x ∉ S.) The rather complicated construction of Micali et al. becomes easy to understand when viewed as a more general construction with mercurial commitments as an underlying building block.

By providing mercurial commitments based on various assumptions, we obtain several different new zero-knowledge set constructions.
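
The hard/soft distinction described in the abstract, as an added example (not code from the paper or this page): a discrete-log, Pedersen-style mercurial commitment over a small constructed group. The construction, the group parameters and every function name are assumptions of this example; a hard commitment can be both teased and opened, but only to its one value, while a soft commitment can be teased to any value and never opened.

```python
import secrets

# Constructed 11-bit group for illustration: p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4
# h = g^k with k in [2, q-1] discarded at setup; binding needs log_g(h) unknown.
H = pow(G, secrets.randbelow(Q - 2) + 2, P)

def rand_exp():
    """Nonzero exponent in Z_q."""
    return secrets.randbelow(Q - 1) + 1

def hard_commit(x):
    """Binding commitment to x: C1 = h^r1, C0 = g^x * C1^r0."""
    r0, r1 = rand_exp(), rand_exp()
    c1 = pow(H, r1, P)
    return (pow(G, x, P) * pow(c1, r0, P) % P, c1), (r0, r1)

def soft_commit():
    """Commitment to no value: C0 = g^r0, C1 = g^r1 (C1 is not a known power of h)."""
    r0, r1 = rand_exp(), rand_exp()
    return (pow(G, r0, P), pow(G, r1, P)), (r0, r1)

def tease_hard(opening):
    """Soft decommitment of a hard commitment: reveal r0 only."""
    return opening[0]

def tease_soft(x, opening):
    """Soft decommitment of a soft commitment to ANY x: tau = (r0 - x) / r1 mod q."""
    r0, r1 = opening
    return (r0 - x) * pow(r1, -1, Q) % Q

def verify_tease(com, x, tau):
    """Accept a soft decommitment iff C0 == g^x * C1^tau."""
    c0, c1 = com
    return c0 == pow(G, x, P) * pow(c1, tau, P) % P

def verify_open(com, x, opening):
    """Accept a true (hard) decommitment: also requires C1 == h^r1."""
    r0, r1 = opening
    return com[1] == pow(H, r1, P) and verify_tease(com, x, r0)

if __name__ == "__main__":
    com, opening = hard_commit(42)
    print("hard opens to 42:", verify_open(com, 42, opening))
    scom, sopening = soft_commit()
    print("soft teases to 7 and 99:",
          verify_tease(scom, 7, tease_soft(7, sopening)),
          verify_tease(scom, 99, tease_soft(99, sopening)))
```
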


  1. M. Bellare, M. Yung, Certifying permutations: non-interactive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)

  2. M. Blum, A. De Santis, S. Micali, G. Persiano, Non-interactive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)

  3. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)

  4. D. Catalano, Y. Dodis, I. Visconti, Mercurial commitments: minimal assumptions and efficient constructions, in Third Theory of Cryptography Conference, TCC 2006, ed. by S. Halevi, T. Rabin. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 120–144

  5. D. Catalano, D. Fiore, M. Messina, Zero-knowledge sets with short proofs, in Advances in Cryptology—EUROCRYPT 2008, ed. by N.P. Smart. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 433–450

  6. M. Chase, A. Healy, A. Lysyanskaya, T. Malkin, L. Reyzin, Mercurial commitments with applications to zero-knowledge sets, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 422–439

  7. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

  8. M. Fischlin, Trapdoor commitment schemes and their applications. PhD thesis, University of Frankfurt am Main, December 2001

  9. M. Fischlin, R. Fischlin, The representation problem based on factoring, in RSA Security 2002 Cryptographer’s Track. Lecture Notes in Computer Science, vol. 2271 (Springer, Berlin, 2002)

  10. R. Gennaro, S. Micali, Independent zero-knowledge sets, in 33rd International Colloquium on Automata, Languages and Programming (ICALP) (2006)

  11. S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent, in Advances in Cryptology—CRYPTO’92, ed. by E.F. Brickell. Lecture Notes in Computer Science, vol. 740 (Springer, Berlin, 1992), pp. 228–244

  12. S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  13. J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

  14. C.H. Lim, P.J. Lee, More flexible exponentiation with precomputation, in Advances in Cryptology—CRYPTO’94, 21–25 August, ed. by Y.G. Desmedt. Lecture Notes in Computer Science, vol. 839 (Springer, Berlin, 1994), pp. 95–107

  15. M. Liskov, Updatable zero-knowledge databases, in Advances in Cryptology—ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788 (Springer, Berlin, 2005), pp. 174–198

  16. A. Lysyanskaya, Unique signatures and verifiable random functions from the DH-DDH separation, in Advances in Cryptology—CRYPTO 2002, ed. by M. Yung. Lecture Notes in Computer Science (Springer, Berlin, 2002), pp. 597–612

  17. A. Lysyanskaya, Signature schemes and applications to cryptographic protocol design. PhD thesis, Massachusetts Institute of Technology, Cambridge, Massachusetts, September 2002

  18. S. Micali, 6.875: Introduction to Cryptography. MIT course taught in Fall 1997

  19. S. Micali, M. Rabin, S. Vadhan, Verifiable random functions, in Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE Computer Society Press, Los Alamitos, 1999), pp. 120–130

  20. S. Micali, M. Rabin, J. Kilian, Zero-knowledge sets, in Proc. 44th IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE Computer Society Press, Los Alamitos, 2003), pp. 80–91

  21. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 51–158 (1991)

  22. R. Ostrovsky, C. Rackoff, A. Smith, Efficient consistency proof on a committed database, in Automata, Languages and Programming: 31st International Colloquium, ICALP 2004, Turku, Finland, July 12–16, 2004. Lecture Notes in Computer Science, vol. 3142 (Springer, Berlin, 2004), pp. 1041–1053

  23. T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in Advances in Cryptology—CRYPTO’91, ed. by J. Feigenbaum. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1992), pp. 129–140

  24. M. Prabhakaran, R. Xue, Statistically hiding sets. Cryptology ePrint Archive, Report 2007/349, 2007.

Author information

Corresponding author

Correspondence to Leonid Reyzin.

Additional information

Communicated by Moti Yung

A preliminary version of this work appeared in Eurocrypt 2005 [6].

Most of M. Chase's work was done while at Brown University.

About this article

Cite this article

Chase, M., Healy, A., Lysyanskaya, A. et al. Mercurial Commitments with Applications to Zero-Knowledge Sets. J Cryptol 26, 251–279 (2013).

Key words

  • Commitments
  • Zero-knowledge sets
  • Database privacy
  • Verifiable queries
  • Outsourced databases