FREE Trial

The Pedersen commitment scheme is a commitment scheme in the Diffie-Hellman universe. It is a two...

Fantastic news! We've Found the answer you've been seeking!

Question:

The Pedersen commitment scheme is a commitment scheme in the
Transcribed Image Text:

The Pedersen commitment scheme is a commitment scheme in the "Diffie-Hellman universe". It is a two round protocol which works as follows. Inputs: A has an exponent m as input; B has no input. 1. B→ A: B chooses g~ G and a $ and sends (g, h) to A where h = g. 2. AB: A chooses r~ $ and sends z = g.h" to B. Decommitment and Output: To decommit, A sends (m, r) to B. On receiving (m, r), B checks that gh" = 2, the value sent in Round 2. If so, B outputs m, otherwise L. Problem 3. Do both of the following. (a) Prove that the Pedersen commitment is hiding. (b) Consider now the predicament of an adversarial A* upon receiving B's message h. Show that if A* is able to produce a z E G and two distinct decommitments (m₁, r1₁) and (m2, 72) which are both accepted by B (i.e. both which cause B to output m, rather than 1), then A* can output x. In other words, show that if A* is able to break hiding of the Pedersen commitment, then A* can solve the discrete log problem. Go to Settin The Pedersen commitment scheme is a commitment scheme in the "Diffie-Hellman universe". It is a two round protocol which works as follows. Inputs: A has an exponent m as input; B has no input. 1. B→ A: B chooses g~ G and a $ and sends (g, h) to A where h = g. 2. AB: A chooses r~ $ and sends z = g.h" to B. Decommitment and Output: To decommit, A sends (m, r) to B. On receiving (m, r), B checks that gh" = 2, the value sent in Round 2. If so, B outputs m, otherwise L. Problem 3. Do both of the following. (a) Prove that the Pedersen commitment is hiding. (b) Consider now the predicament of an adversarial A* upon receiving B's message h. Show that if A* is able to produce a z E G and two distinct decommitments (m₁, r1₁) and (m2, 72) which are both accepted by B (i.e. both which cause B to output m, rather than 1), then A* can output x. In other words, show that if A* is able to break hiding of the Pedersen commitment, then A* can solve the discrete log problem. Go to Settin

Expert Answer:

Answer rating: 100% (QA)

a Proof that the Pedersen commitment is hiding The Pedersen commitment is hiding because it is impossible to compute the committed value from the commitment without knowing the blinding factorThe comm... View the full answer


answer-question-section
Related Book For  answer-question
Linear Algebra A Modern Introduction

Linear Algebra A Modern Introduction

ISBN: 978-0538735452

3rd edition

Authors: David Poole

See More Books
Posted Date:
See More Questions

Students also viewed these computer network questions

Starting Out With Python 4th Edition - ISBN: 9353066883 - Free Book