Mercurial Commitments: Minimal Assumptions and Efficient Constructions

  • Dario Catalano
  • Yevgeniy Dodis
  • Ivan Visconti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3876)


(Non-interactive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar to, and certainly imply, ordinary (non-interactive) trapdoor commitments (TCs). Unlike TCs, however, they allow some additional freedom in the way the message is opened: informally, they allow one to claim that “if this commitment can be opened at all, then it would open to this message”. Prior to this work, it was not clear whether this addition is critical, since all the constructions of TMCs presented in [8] and [28] used strictly stronger assumptions than TCs. We give an affirmative answer to this question, by providing simple constructions of TMCs from any trapdoor bit commitment scheme. Moreover, by plugging in various trapdoor bit commitment schemes, we get, in the trusted parameters (TP) model, all the efficient constructions from [28] and [8], as well as several immediate new (either generic or efficient) constructions. In particular, we get a construction of TMCs from any one-way function in the TP model, and, by using a special flavor of TCs, called hybrid TCs [6], even in the (weaker) shared random string (SRS) model.

Our results imply that (a) mercurial commitments can be viewed as surprisingly simple variations of trapdoor commitments; and (b) the existence of non-interactive zero-knowledge sets is equivalent to the existence of collision-resistant hash functions. Of independent interest, we also give a stronger and yet much simpler definition of mercurial commitments than that of [8], which is also met by our constructions in the TP model.
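The hard/soft opening behaviour described in the abstract, shown with a toy discrete-log mercurial commitment in a trusted-parameters setting. This is an added example, not a construction taken from this paper; the scheme, the toy parameters `P`, `Q`, `G`, `H` and all function names are assumptions chosen for illustration.

```python
import secrets

# Toy trusted parameters (constructed for illustration; far too small for real use).
P, Q = 2039, 1019        # safe prime P = 2Q + 1
G = 4                    # generator of the order-Q subgroup of Z_P*
H = pow(G, 777, P)       # setup element; the exponent is the trapdoor and
                         # must stay unknown to the committer in practice

def rand_exp():
    """Nonzero exponent in [1, Q-1], so it is invertible modulo Q."""
    return secrets.randbelow(Q - 1) + 1

def hard_commit(m):
    """Binding commitment to m: C1 = H^r1, C0 = G^m * C1^r0."""
    r0, r1 = rand_exp(), rand_exp()
    c1 = pow(H, r1, P)
    return (pow(G, m, P) * pow(c1, r0, P) % P, c1), (r0, r1)

def soft_commit():
    """Commitment to no message: C0 = G^r0, C1 = G^r1."""
    r0, r1 = rand_exp(), rand_exp()
    return (pow(G, r0, P), pow(G, r1, P)), (r0, r1)

def verify_hard_open(com, m, r0, r1):
    """Full opening: proves the commitment really contains m."""
    c0, c1 = com
    return c1 == pow(H, r1, P) and c0 == pow(G, m, P) * pow(c1, r0, P) % P

def tease_hard(m, state):
    """Soft opening ("tease") of a hard commitment: tau = r0."""
    return state[0]

def tease_soft(m, state):
    """Tease a soft commitment to any m: tau = (r0 - m) / r1 mod Q."""
    r0, r1 = state
    return (r0 - m) * pow(r1, -1, Q) % Q

def verify_tease(com, m, tau):
    """Checks "if this can be opened at all, it opens to m": C0 = G^m * C1^tau."""
    c0, c1 = com
    return c0 == pow(G, m, P) * pow(c1, tau, P) % P

if __name__ == "__main__":
    hard, hs = hard_commit(5)
    soft, ss = soft_commit()
    print("hard opens to 5:     ", verify_hard_open(hard, 5, *hs))
    print("hard teases to 5:    ", verify_tease(hard, 5, tease_hard(5, hs)))
    print("soft teases to 5, 6: ", verify_tease(soft, 5, tease_soft(5, ss)),
          verify_tease(soft, 6, tease_soft(6, ss)))
    print("soft hard-opens to 5:", verify_hard_open(soft, 5, *ss))
```

A soft commitment can be teased to any message but never passes the full opening check, while a hard commitment teases only to the message it was created with.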


Keywords: Commitment Scheme; Honest Party; Cryptology ePrint Archive; Ideal Game; Hybrid Argument
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000); Full version available from the Cryptology ePrint Archive, record 2000/002
  2. Blum, M., Santis, A.D., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM Journal of Computing 20(6) (1991)
  3. Boyar, J., Kurtz, S.A., Krentel, M.W.: A Discrete Logarithm Implementation of Perfect Zero-Knowledge Blobs. J. of Cryptology 2(2), 63–76 (1990)
  4. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences 37(2), 156–189 (1988)
  5. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier’s cryptosystem revisited. In: ACM Conference on Computer and Communications Security 2001, pp. 206–214 (2001)
  6. Catalano, D., Visconti, I.: Hybrid Trapdoor Commitments and Their Applications. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 298–310. Springer, Heidelberg (2005)
  7. Catalano, D., Visconti, I.: Non-Interactive Mercurial Commitments from One-Way Functions. Cryptology ePrint Archive (2005)
  8. Chase, M., Healy, A., Lysyanskaya, A., Malkin, T., Reyzin, L.: Mercurial Commitments with Applications to Zero-Knowledge Sets. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 422–439. Springer, Heidelberg (2005)
  9. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)
  10. Damgård, I., Jurik, M.: A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In: Public Key Cryptography 2001, pp. 119–136 (2001)
  11. Damgård, I., Nielsen, J.B.: Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 581. Springer, Heidelberg (2002)
  12. Damgård, I.B., Pedersen, T.P., Pfitzmann, B.: On the existence of statistically hiding bit commitment schemes and fail-stop signatures. Journal of Cryptology 10(3), 163–194 (summer 1997)
  13. Dodis, Y.: Minimal Assumptions for Efficient Mercurial Commitments. Cryptology ePrint Archive, Report 2005/438
  14. Dodis, Y., Reyzin, L.: On the power of claw-free permutations. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 55–73. Springer, Heidelberg (2003)
  15. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Computing 29(1) (1999)
  16. Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990)
  17. Feige, U., Shamir, A.: Witness indistinguishability and witness hiding protocols. In: Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, May 14–16, pp. 416–426 (1990)
  18. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  19. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)
  20. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge (2001)
  21. Goldwasser, S., Micali, S., Rackoff, C.: Knowledge complexity of interactive proofs. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, May 6–8, pp. 291–304 (1985)
  22. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing 17(2) (1988)
  23. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the ACM 38(1), 691–729 (1991)
  24. Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)
  25. Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996)
  26. Håstad, J., Impagliazzo, R., Levin, L., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Computing 28(4) (1999)
  27. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Network and Distributed System Security Symposium, pp. 143–154. The Internet Society (2000)
  28. Micali, S., Rabin, M., Kilian, J.: Zero-knowledge sets. In: Proc. 44th IEEE Symposium on Foundations of Computer Science (FOCS) (2003)
  29. Naor, M.: Bit commitment using pseudorandomness. Journal of Cryptology 4(2), 51–158 (1991)
  30. Ong, H., Schnorr, C.P.: Fast signature generation with a Fiat Shamir-like scheme. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 432–440. Springer, Heidelberg (1991)
  31. Ostrovsky, R., Rackoff, C., Smith, A.: Efficient consistency proofs for generalized queries on a committed database. In: Díaz, J., Karhumäki, J., Lepistö, A., Sannella, D. (eds.) ICALP 2004. LNCS, vol. 3142, pp. 1041–1053. Springer, Heidelberg (2004)
  32. Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)
  33. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)
  34. Schnorr, C.-P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Dario Catalano (1)
  • Yevgeniy Dodis (2)
  • Ivan Visconti (3)

  1. CNRS-Ecole Normale Supérieure, Laboratoire d’Informatique, Paris, France
  2. Department of Computer Science, New York University, New York, USA
  3. Facoltà di Scienze Matematiche, Fisiche e Naturali, Università di Salerno, Baronissi (SA), Italy
