Commitment Schemes #
This file defines non-interactive commitment schemes and their standard security properties: correctness, hiding, and binding.
Main Definitions #
CommitmentScheme PP M C D— a commitment scheme with public parametersPP, message spaceM, commitment spaceC, and opening (decommitment) spaceD.CommitmentScheme.PerfectlyCorrect— honestly generated parameters and commitments always verify.CommitmentScheme.PerfectlyHiding— under honestly generated parameters, commitment distribution is independent of the message.CommitmentScheme.hidingExp— computational hiding experiment (IND-style).CommitmentScheme.bindingExp— computational binding experiment.TrapdoorExtractor PP TD C M— trapdoor-based message extraction algorithm.CommitmentScheme.extractExp— extraction experiment (game-based, allows error).
A non-interactive commitment scheme with public parameters PP, message space M,
commitment space C, and opening (decommitment) space D.
- setup : ProbComp PP
Generate public parameters (e.g. a common reference string).
Commit to a message, producing a commitment and an opening.
Deterministic verification that an opening is valid.
Instances For
A commitment scheme is perfectly correct if every honestly generated public parameter and commitment-opening pair passes verification.
Instances For
A commitment scheme is perfectly hiding if, for every honestly generated public parameter, the commitment (first component) has the same distribution regardless of the committed message.
Instances For
Computational hiding #
Hiding experiment: the adversary chooses two messages, the challenger commits to one at random, and the adversary tries to guess which.
Instances For
Instances For
Computational binding #
A binding adversary outputs a commitment with two openings to different messages.
Instances For
Binding experiment: the adversary tries to open a single commitment to two distinct messages. Succeeds iff both openings verify and the messages differ.
Instances For
Instances For
Trapdoor extractability #
A trapdoor extractor for a commitment scheme: bundles an alternative setup that produces a trapdoor alongside the public parameters, and a (potentially probabilistic) extraction algorithm that recovers the committed message from the commitment using the trapdoor.
Named TrapdoorExtractor specifically to leave room for other extraction
paradigms (e.g. rewinding-based extraction).
- extract : TD → C → ProbComp M
Instances For
The extraction setup produces the same public parameter distribution as the scheme's normal setup. Required for reductions that swap in the trapdoor setup without the adversary noticing.
Instances For
Extraction experiment: generate parameters with trapdoor, honestly commit
to message m, then check whether the extractor recovers m from the commitment.
Downstream code decides how much error to tolerate:
- Perfect extraction:
∀ m, Pr[= true | extractExp cs ext m] = 1 - Computational: bound
1 - Pr[= true | extractExp cs ext m]