CINXE.COM

<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Commitment scheme - Wikipedia</title> <script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy", "wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"87f39ea8-3ca5-4bad-9aa8-060cc9130576","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Commitment_scheme","wgTitle":"Commitment scheme","wgCurRevisionId":1249656446,"wgRevisionId":1249656446,"wgArticleId":439489,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["CS1: long volume value","Articles with short description","Short description is different from Wikidata","Articles needing additional references from October 2014","All articles needing additional references","Pages with broken anchors","Public-key cryptography","Zero-knowledge protocols","Secret sharing","Cryptographic primitives"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Commitment_scheme", "wgRelevantArticleId":439489,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":50000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q1115684","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform", "platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","ext.math.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","jquery.makeCollapsible.styles":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","jquery.makeCollapsible","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher", "ext.urlShortener.toolbar","ext.centralauth.centralautologin","mmv.bootstrap","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022","ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&modules=ext.cite.styles%7Cext.math.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cjquery.makeCollapsible.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Commitment scheme - Wikipedia"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Commitment_scheme"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Commitment_scheme&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" href="https://en.wikipedia.org/wiki/Commitment_scheme"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Commitment_scheme rootpage-Commitment_scheme skin-vector-2022 action-view"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" > Main menu </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/Main_Page" title="Visit the main page [z]" accesskey="z">Main page</a></li><li id="n-contents" class="mw-list-item"><a href="/wiki/Wikipedia:Contents" title="Guides to browsing Wikipedia">Contents</a></li><li id="n-currentevents" class="mw-list-item"><a href="/wiki/Portal:Current_events" title="Articles related to current events">Current events</a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Visit a randomly selected article [x]" accesskey="x">Random article</a></li><li id="n-aboutsite" class="mw-list-item"><a href="/wiki/Wikipedia:About" title="Learn about Wikipedia and how it works">About Wikipedia</a></li><li id="n-contactpage" class="mw-list-item"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us" title="How to contact Wikipedia">Contact us</a></li> </ul> </div> </div> <div id="p-interaction" class="vector-menu mw-portlet mw-portlet-interaction" > <div class="vector-menu-heading"> Contribute </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Help:Contents" title="Guidance on how to use and edit Wikipedia">Help</a></li><li id="n-introduction" class="mw-list-item"><a href="/wiki/Help:Introduction" title="Learn how to edit Wikipedia">Learn to edit</a></li><li id="n-portal" class="mw-list-item"><a href="/wiki/Wikipedia:Community_portal" title="The hub for editors">Community portal</a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes to Wikipedia [r]" accesskey="r">Recent changes</a></li><li id="n-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_upload_wizard" title="Add images or other media for use on Wikipedia">Upload file</a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/Main_Page" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/wikipedia.png" alt="" aria-hidden="true" height="50" width="50"> <img class="mw-logo-wordmark" alt="Wikipedia" src="/static/images/mobile/copyright/wikipedia-wordmark-en.svg" style="width: 7.5em; height: 1.125em;"> <img class="mw-logo-tagline" alt="The Free Encyclopedia" src="/static/images/mobile/copyright/wikipedia-tagline-en.svg" width="117" height="13" style="width: 7.3125em; height: 0.8125em;"> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search Wikipedia [f]" accesskey="f"> Search </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search Wikipedia" aria-label="Search Wikipedia" autocapitalize="sentences" title="Search Wikipedia [f]" accesskey="f" id="searchInput" > </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page's font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" > Appearance </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en" class="">Donate</a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&returnto=Commitment+scheme" title="You are encouraged to create an account and log in; however, it is not mandatory" class="">Create account</a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&returnto=Commitment+scheme" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o" class="">Log in</a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="Log in and more options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" > Personal tools </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en">Donate</a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&returnto=Commitment+scheme" title="You are encouraged to create an account and log in; however, it is not mandatory"> Create account</a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&returnto=Commitment+scheme" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o"> Log in</a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing">learn more</a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y">Contributions</a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n">Talk</a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> <div class="vector-sticky-pinned-container"> <nav id="mw-panel-toc" aria-label="Contents" data-event-name="ui.sidebar-toc" class="mw-table-of-contents-container vector-toc-landmark"> <div id="vector-toc-pinned-container" class="vector-pinned-container"> <div id="vector-toc" class="vector-toc vector-pinnable-element"> <div class="vector-pinnable-header vector-toc-pinnable-header vector-pinnable-header-pinned" data-feature-name="toc-pinned" data-pinnable-element-id="vector-toc" > <h2 class="vector-pinnable-header-label">Contents</h2> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-toc.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-toc.unpin">hide</button> </div> <ul class="vector-toc-contents" id="mw-panel-toc-list"> <li id="toc-mw-content-text" class="vector-toc-list-item vector-toc-level-1"> <a href="#" class="vector-toc-link"> <div class="vector-toc-text">(Top)</div> </a> </li> <li id="toc-Applications" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Applications"> <div class="vector-toc-text"> 1 Applications </div> </a> <button aria-controls="toc-Applications-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> Toggle Applications subsection </button> <ul id="toc-Applications-sublist" class="vector-toc-list"> <li id="toc-Coin_flipping" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Coin_flipping"> <div class="vector-toc-text"> 1.1 Coin flipping </div> </a> <ul id="toc-Coin_flipping-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Zero-knowledge_proofs" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Zero-knowledge_proofs"> <div class="vector-toc-text"> 1.2 Zero-knowledge proofs </div> </a> <ul id="toc-Zero-knowledge_proofs-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Signature_schemes" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Signature_schemes"> <div class="vector-toc-text"> 1.3 Signature schemes </div> </a> <ul id="toc-Signature_schemes-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Verifiable_secret_sharing" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Verifiable_secret_sharing"> <div class="vector-toc-text"> 1.4 Verifiable secret sharing </div> </a> <ul id="toc-Verifiable_secret_sharing-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Defining_the_security" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Defining_the_security"> <div class="vector-toc-text"> 2 Defining the security </div> </a> <button aria-controls="toc-Defining_the_security-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> Toggle Defining the security subsection </button> <ul id="toc-Defining_the_security-sublist" class="vector-toc-list"> <li id="toc-Computational_binding" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Computational_binding"> <div class="vector-toc-text"> 2.1 Computational binding </div> </a> <ul id="toc-Computational_binding-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Perfect,_statistical,_and_computational_hiding" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Perfect,_statistical,_and_computational_hiding"> <div class="vector-toc-text"> 2.2 Perfect, statistical, and computational hiding </div> </a> <ul id="toc-Perfect,_statistical,_and_computational_hiding-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Impossibility_of_universally_composable_commitment_schemes" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Impossibility_of_universally_composable_commitment_schemes"> <div class="vector-toc-text"> 2.3 Impossibility of universally composable commitment schemes </div> </a> <ul id="toc-Impossibility_of_universally_composable_commitment_schemes-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Construction" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Construction"> <div class="vector-toc-text"> 3 Construction </div> </a> <button aria-controls="toc-Construction-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> Toggle Construction subsection </button> <ul id="toc-Construction-sublist" class="vector-toc-list"> <li id="toc-Bit-commitment_in_the_random_oracle_model" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Bit-commitment_in_the_random_oracle_model"> <div class="vector-toc-text"> 3.1 Bit-commitment in the random oracle model </div> </a> <ul id="toc-Bit-commitment_in_the_random_oracle_model-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Bit-commitment_from_any_one-way_permutation" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Bit-commitment_from_any_one-way_permutation"> <div class="vector-toc-text"> 3.2 Bit-commitment from any one-way permutation </div> </a> <ul id="toc-Bit-commitment_from_any_one-way_permutation-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Bit-commitment_from_a_pseudo-random_generator" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Bit-commitment_from_a_pseudo-random_generator"> <div class="vector-toc-text"> 3.3 Bit-commitment from a pseudo-random generator </div> </a> <ul id="toc-Bit-commitment_from_a_pseudo-random_generator-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-A_perfectly_binding_scheme_based_on_the_discrete_log_problem_and_beyond" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#A_perfectly_binding_scheme_based_on_the_discrete_log_problem_and_beyond"> <div class="vector-toc-text"> 3.4 A perfectly binding scheme based on the discrete log problem and beyond </div> </a> <ul id="toc-A_perfectly_binding_scheme_based_on_the_discrete_log_problem_and_beyond-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-A_perfectly_hiding_commitment_scheme_based_on_RSA" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#A_perfectly_hiding_commitment_scheme_based_on_RSA"> <div class="vector-toc-text"> 3.5 A perfectly hiding commitment scheme based on RSA </div> </a> <ul id="toc-A_perfectly_hiding_commitment_scheme_based_on_RSA-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Additive_and_multiplicative_homomorphic_properties_of_commitments" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Additive_and_multiplicative_homomorphic_properties_of_commitments"> <div class="vector-toc-text"> 3.6 Additive and multiplicative homomorphic properties of commitments </div> </a> <ul id="toc-Additive_and_multiplicative_homomorphic_properties_of_commitments-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Partial_reveal" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Partial_reveal"> <div class="vector-toc-text"> 4 Partial reveal </div> </a> <button aria-controls="toc-Partial_reveal-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> Toggle Partial reveal subsection </button> <ul id="toc-Partial_reveal-sublist" class="vector-toc-list"> <li id="toc-Vector_hashing" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Vector_hashing"> <div class="vector-toc-text"> 4.1 Vector hashing </div> </a> <ul id="toc-Vector_hashing-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Merkle_tree" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Merkle_tree"> <div class="vector-toc-text"> 4.2 Merkle tree </div> </a> <ul id="toc-Merkle_tree-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-KZG_commitment" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#KZG_commitment"> <div class="vector-toc-text"> 4.3 KZG commitment </div> </a> <ul id="toc-KZG_commitment-sublist" class="vector-toc-list"> <li id="toc-Commit" class="vector-toc-list-item vector-toc-level-3"> <a class="vector-toc-link" href="#Commit"> <div class="vector-toc-text"> 4.3.1 Commit </div> </a> <ul id="toc-Commit-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Reveal" class="vector-toc-list-item vector-toc-level-3"> <a class="vector-toc-link" href="#Reveal"> <div class="vector-toc-text"> 4.3.2 Reveal </div> </a> <ul id="toc-Reveal-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Verify" class="vector-toc-list-item vector-toc-level-3"> <a class="vector-toc-link" href="#Verify"> <div class="vector-toc-text"> 4.3.3 Verify </div> </a> <ul id="toc-Verify-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> </ul> </li> <li id="toc-Quantum_bit_commitment" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Quantum_bit_commitment"> <div class="vector-toc-text"> 5 Quantum bit commitment </div> </a> <ul id="toc-Quantum_bit_commitment-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Commitments_based_on_physical_unclonable_functions" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#Commitments_based_on_physical_unclonable_functions"> <div class="vector-toc-text"> 6 Commitments based on physical unclonable functions </div> </a> <ul id="toc-Commitments_based_on_physical_unclonable_functions-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-See_also" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#See_also"> <div class="vector-toc-text"> 7 See also </div> </a> <ul id="toc-See_also-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-References" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#References"> <div class="vector-toc-text"> 8 References </div> </a> <ul id="toc-References-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-External_links" class="vector-toc-list-item vector-toc-level-1"> <a class="vector-toc-link" href="#External_links"> <div class="vector-toc-text"> 9 External links </div> </a> <ul id="toc-External_links-sublist" class="vector-toc-list"> </ul> </li> </ul> </div> </div> </nav> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" > Toggle the table of contents </label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading">Commitment scheme</h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. Available in 11 languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-11" aria-hidden="true" > 11 languages </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li class="interlanguage-link interwiki-ar mw-list-item"><a href="https://ar.wikipedia.org/wiki/%D9%85%D8%AE%D8%B7%D8%B7_%D8%A7%D9%84%D8%A7%D9%84%D8%AA%D8%B2%D8%A7%D9%85" title="مخطط الالتزام – Arabic" lang="ar" hreflang="ar" data-title="مخطط الالتزام" data-language-autonym="العربية" data-language-local-name="Arabic" class="interlanguage-link-target">العربية</a></li><li class="interlanguage-link interwiki-de mw-list-item"><a href="https://de.wikipedia.org/wiki/Commitment-Verfahren" title="Commitment-Verfahren – German" lang="de" hreflang="de" data-title="Commitment-Verfahren" data-language-autonym="Deutsch" data-language-local-name="German" class="interlanguage-link-target">Deutsch</a></li><li class="interlanguage-link interwiki-es mw-list-item"><a href="https://es.wikipedia.org/wiki/Esquema_de_compromiso" title="Esquema de compromiso – Spanish" lang="es" hreflang="es" data-title="Esquema de compromiso" data-language-autonym="Español" data-language-local-name="Spanish" class="interlanguage-link-target">Español</a></li><li class="interlanguage-link interwiki-fa mw-list-item"><a href="https://fa.wikipedia.org/wiki/%D8%B7%D8%B1%D8%AD_%D8%AA%D8%B9%D9%87%D8%AF%DB%8C" title="طرح تعهدی – Persian" lang="fa" hreflang="fa" data-title="طرح تعهدی" data-language-autonym="فارسی" data-language-local-name="Persian" class="interlanguage-link-target">فارسی</a></li><li class="interlanguage-link interwiki-fr mw-list-item"><a href="https://fr.wikipedia.org/wiki/Mise_en_gage" title="Mise en gage – French" lang="fr" hreflang="fr" data-title="Mise en gage" data-language-autonym="Français" data-language-local-name="French" class="interlanguage-link-target">Français</a></li><li class="interlanguage-link interwiki-ja mw-list-item"><a href="https://ja.wikipedia.org/wiki/%E3%83%93%E3%83%83%E3%83%88%E3%82%B3%E3%83%9F%E3%83%83%E3%83%88%E3%83%A1%E3%83%B3%E3%83%88" title="ビットコミットメント – Japanese" lang="ja" hreflang="ja" data-title="ビットコミットメント" data-language-autonym="日本語" data-language-local-name="Japanese" class="interlanguage-link-target">日本語</a></li><li class="interlanguage-link interwiki-pl mw-list-item"><a href="https://pl.wikipedia.org/wiki/Zobowi%C4%85zanie_bitowe" title="Zobowiązanie bitowe – Polish" lang="pl" hreflang="pl" data-title="Zobowiązanie bitowe" data-language-autonym="Polski" data-language-local-name="Polish" class="interlanguage-link-target">Polski</a></li><li class="interlanguage-link interwiki-ru mw-list-item"><a href="https://ru.wikipedia.org/wiki/%D0%A1%D1%85%D0%B5%D0%BC%D0%B0_%D0%BE%D0%B1%D1%8F%D0%B7%D0%B0%D1%82%D0%B5%D0%BB%D1%8C%D1%81%D1%82%D0%B2%D0%B0" title="Схема обязательства – Russian" lang="ru" hreflang="ru" data-title="Схема обязательства" data-language-autonym="Русский" data-language-local-name="Russian" class="interlanguage-link-target">Русский</a></li><li class="interlanguage-link interwiki-simple mw-list-item"><a href="https://simple.wikipedia.org/wiki/Commitment_scheme" title="Commitment scheme – Simple English" lang="en-simple" hreflang="en-simple" data-title="Commitment scheme" data-language-autonym="Simple English" data-language-local-name="Simple English" class="interlanguage-link-target">Simple English</a></li><li class="interlanguage-link interwiki-sv mw-list-item"><a href="https://sv.wikipedia.org/wiki/Commitment_scheme" title="Commitment scheme – Swedish" lang="sv" hreflang="sv" data-title="Commitment scheme" data-language-autonym="Svenska" data-language-local-name="Swedish" class="interlanguage-link-target">Svenska</a></li><li class="interlanguage-link interwiki-tr mw-list-item"><a href="https://tr.wikipedia.org/wiki/%C3%9Cstlenme_%C5%9Femas%C4%B1" title="Üstlenme şeması – Turkish" lang="tr" hreflang="tr" data-title="Üstlenme şeması" data-language-autonym="Türkçe" data-language-local-name="Turkish" class="interlanguage-link-target">Türkçe</a></li> </ul> <div class="after-portlet after-portlet-lang"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1115684#sitelinks-wikipedia" title="Edit interlanguage links" class="wbc-editpage">Edit links</a></div> </div> </div> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Commitment_scheme" title="View the content page [c]" accesskey="c">Article</a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Commitment_scheme" rel="discussion" title="Discuss improvements to the content page [t]" accesskey="t">Talk</a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" >English </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Commitment_scheme">Read</a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Commitment_scheme&action=edit" title="Edit this page [e]" accesskey="e">Edit</a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Commitment_scheme&action=history" title="Past revisions of this page [h]" accesskey="h">View history</a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" >Tools </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Commitment_scheme">Read</a></li><li id="ca-more-edit" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Commitment_scheme&action=edit" title="Edit this page [e]" accesskey="e">Edit</a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Commitment_scheme&action=history">View history</a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Commitment_scheme" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j">What links here</a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Commitment_scheme" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k">Related changes</a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u">Upload file</a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q">Special pages</a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Commitment_scheme&oldid=1249656446" title="Permanent link to this revision of this page">Permanent link</a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Commitment_scheme&action=info" title="More information about this page">Page information</a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&page=Commitment_scheme&id=1249656446&wpFormIdentifier=titleform" title="Information on how to cite this page">Cite this page</a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCommitment_scheme">Get shortened URL</a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCommitment_scheme">Download QR code</a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&page=Commitment_scheme&action=show-download-screen" title="Download this page as a PDF file">Download as PDF</a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Commitment_scheme&printable=yes" title="Printable version of this page [p]" accesskey="p">Printable version</a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1115684" title="Structured data on this page hosted by Wikidata [g]" accesskey="g">Wikidata item</a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Cryptographic scheme</div> <style data-mw-deduplicate="TemplateStyles:r1251242444">.mw-parser-output .ambox{border:1px solid #a2a9b1;border-left:10px solid #36c;background-color:#fbfbfb;box-sizing:border-box}.mw-parser-output .ambox+link+.ambox,.mw-parser-output .ambox+link+style+.ambox,.mw-parser-output .ambox+link+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+style+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+link+.ambox{margin-top:-1px}html body.mediawiki .mw-parser-output .ambox.mbox-small-left{margin:4px 1em 4px 0;overflow:hidden;width:238px;border-collapse:collapse;font-size:88%;line-height:1.25em}.mw-parser-output .ambox-speedy{border-left:10px solid #b32424;background-color:#fee7e6}.mw-parser-output .ambox-delete{border-left:10px solid #b32424}.mw-parser-output .ambox-content{border-left:10px solid #f28500}.mw-parser-output .ambox-style{border-left:10px solid #fc3}.mw-parser-output .ambox-move{border-left:10px solid #9932cc}.mw-parser-output .ambox-protection{border-left:10px solid #a2a9b1}.mw-parser-output .ambox .mbox-text{border:none;padding:0.25em 0.5em;width:100%}.mw-parser-output .ambox .mbox-image{border:none;padding:2px 0 2px 0.5em;text-align:center}.mw-parser-output .ambox .mbox-imageright{border:none;padding:2px 0.5em 2px 0;text-align:center}.mw-parser-output .ambox .mbox-empty-cell{border:none;padding:0;width:1px}.mw-parser-output .ambox .mbox-image-div{width:52px}@media(min-width:720px){.mw-parser-output .ambox{margin:0 10%}}@media print{body.ns-0 .mw-parser-output .ambox{display:none!important}}</style><table class="box-More_citations_needed plainlinks metadata ambox ambox-content ambox-Refimprove" role="presentation"><tbody><tr><td class="mbox-image"><div class="mbox-image-div"><a href="/wiki/File:Question_book-new.svg" class="mw-file-description"><img alt="" src="//upload.wikimedia.org/wikipedia/en/thumb/9/99/Question_book-new.svg/50px-Question_book-new.svg.png" decoding="async" width="50" height="39" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/9/99/Question_book-new.svg/75px-Question_book-new.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/9/99/Question_book-new.svg/100px-Question_book-new.svg.png 2x" data-file-width="512" data-file-height="399" /></a></div></td><td class="mbox-text"><div class="mbox-text-span">This article needs additional citations for <a href="/wiki/Wikipedia:Verifiability" title="Wikipedia:Verifiability">verification</a>. Please help <a href="/wiki/Special:EditPage/Commitment_scheme" title="Special:EditPage/Commitment scheme">improve this article</a> by <a href="/wiki/Help:Referencing_for_beginners" title="Help:Referencing for beginners">adding citations to reliable sources</a>. Unsourced material may be challenged and removed. Find sources: <a rel="nofollow" class="external text" href="https://www.google.com/search?as_eq=wikipedia&q=%22Commitment+scheme%22">"Commitment scheme"</a> – <a rel="nofollow" class="external text" href="https://www.google.com/search?tbm=nws&q=%22Commitment+scheme%22+-wikipedia&tbs=ar:1">news</a> · <a rel="nofollow" class="external text" href="https://www.google.com/search?&q=%22Commitment+scheme%22&tbs=bkt:s&tbm=bks">newspapers</a> · <a rel="nofollow" class="external text" href="https://www.google.com/search?tbs=bks:1&q=%22Commitment+scheme%22+-wikipedia">books</a> · <a rel="nofollow" class="external text" href="https://scholar.google.com/scholar?q=%22Commitment+scheme%22">scholar</a> · <a rel="nofollow" class="external text" href="https://www.jstor.org/action/doBasicSearch?Query=%22Commitment+scheme%22&acc=on&wc=on">JSTOR</a> (October 2014) (<a href="/wiki/Help:Maintenance_template_removal" title="Help:Maintenance template removal">Learn how and when to remove this message</a>)</div></td></tr></tbody></table> A commitment scheme is a <a href="/wiki/Cryptographic_primitive" title="Cryptographic primitive">cryptographic primitive</a> that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.<a href="#cite_note-Goldreich-1">[1]</a> Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of <a href="/wiki/Cryptographic_protocol" title="Cryptographic protocol">cryptographic protocols</a> including secure coin flipping, <a href="/wiki/Zero-knowledge_proof" title="Zero-knowledge proof">zero-knowledge proofs</a>, and <a href="/wiki/Secure_computation" class="mw-redirect" title="Secure computation">secure computation</a>. A way to visualize a commitment scheme is to think of a sender as putting a message in a locked box, and giving the box to a receiver. The message in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the message inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time. Interactions in a commitment scheme take place in two phases: <ol><li>the commit phase during which a value is chosen and committed to</li> <li>the reveal phase during which the value is revealed by the sender, then the receiver verifies its authenticity</li></ol> In the above metaphor, the commit phase is the sender putting the message in the box, and locking it. The reveal phase is the sender giving the key to the receiver, who uses it to open the box and verify its contents. The locked box is the commitment, and the key is the proof. In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called the commitment. It is essential that the specific value chosen cannot be extracted from the message by the receiver at that time (this is called the hiding property). A simple reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property). The concept of commitment schemes was perhaps first formalized by <a href="/wiki/Gilles_Brassard" title="Gilles Brassard">Gilles Brassard</a>, <a href="/wiki/David_Chaum" title="David Chaum">David Chaum</a>, and <a href="/wiki/Claude_Cr%C3%A9peau" title="Claude Crépeau">Claude Crépeau</a> in 1988,<a href="#cite_note-BCC-2">[2]</a> as part of various zero-knowledge protocols for <a href="/wiki/NP_(complexity)" title="NP (complexity)">NP</a>, based on various types of commitment schemes.<a href="#cite_note-3">[3]</a><a href="#cite_note-4">[4]</a> But the concept was used prior to that without being treated formally.<a href="#cite_note-Naor-5">[5]</a><a href="#cite_note-Crepeau-6">[6]</a> The notion of commitments appeared earliest in works by <a href="/wiki/Manuel_Blum" title="Manuel Blum">Manuel Blum</a>,<a href="#cite_note-Blum-7">[7]</a> <a href="/wiki/Shimon_Even" title="Shimon Even">Shimon Even</a>,<a href="#cite_note-Even-8">[8]</a> and <a href="/wiki/Adi_Shamir" title="Adi Shamir">Adi Shamir</a> et al.<a href="#cite_note-SRA81-9">[9]</a> The terminology seems to have been originated by Blum,<a href="#cite_note-Crepeau-6">[6]</a> although commitment schemes can be interchangeably called bit commitment schemes—sometimes reserved for the special case where the committed value is a <a href="/wiki/Bit" title="Bit">bit</a>. Earlier to that, commitment via one-way hash functions was considered, e.g., as part of, say, <a href="/wiki/Lamport_signature" title="Lamport signature">Lamport signature</a>, the original one-time one-bit signature scheme. <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="Applications">Applications</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=1" title="Edit section: Applications">edit</a>]</div> <div class="mw-heading mw-heading3"><h3 id="Coin_flipping">Coin flipping</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=2" title="Edit section: Coin flipping">edit</a>]</div> Suppose Alice and Bob want to resolve some dispute via <a href="/wiki/Coin_flipping" title="Coin flipping">coin flipping</a>. If they are physically in the same place, a typical procedure might be: <ol><li>Alice "calls" the coin flip,</li> <li>Bob flips the coin,</li> <li>If Alice's call is correct, she wins, otherwise Bob wins.</li></ol> If Alice and Bob are not in the same place a problem arises. Once Alice has "called" the coin flip, Bob can stipulate the flip "results" to be whatever is most desirable for him. Similarly, if Alice doesn't announce her "call" to Bob, after Bob flips the coin and announces the result, Alice can report that she called whatever result is most desirable for her. Alice and Bob can use commitments in a procedure that will allow both to trust the outcome: <ol><li>Alice "calls" the coin flip but only tells Bob a commitment to her call,</li> <li>Bob flips the coin and reports the result,</li> <li>Alice reveals what she committed to,</li> <li>Bob verifies that Alice's call matches her commitment,</li> <li>If Alice's revelation matches the coin result Bob reported, Alice wins.</li></ol> For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results. Similarly, Alice cannot affect the result if she cannot change the value she commits to. A real-life application of this problem exists, when people (often in media) commit to a decision or give an answer in a "sealed envelope", which is then opened later. "Let's find out if that's what the candidate answered", for example on a game show, can serve as a model of this system. <div class="mw-heading mw-heading3"><h3 id="Zero-knowledge_proofs">Zero-knowledge proofs</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=3" title="Edit section: Zero-knowledge proofs">edit</a>]</div> One particular motivating example is the use of commitment schemes in <a href="/wiki/Zero-knowledge_proof" title="Zero-knowledge proof">zero-knowledge proofs</a>. Commitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Commitment schemes allow the prover to specify all the information in advance, and only reveal what should be revealed later in the proof.<a href="#cite_note-GMW-10">[10]</a> Second, commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. This allows zero-knowledge proofs to be composed in parallel without revealing additional information to the prover.<a href="#cite_note-GK-11">[11]</a> <div class="mw-heading mw-heading3"><h3 id="Signature_schemes">Signature schemes</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=4" title="Edit section: Signature schemes">edit</a>]</div> The <a href="/wiki/Lamport_signature" title="Lamport signature">Lamport signature</a> scheme is a <a href="/wiki/Digital_signature" title="Digital signature">digital signature</a> system that relies on maintaining two sets of secret <a href="/wiki/Network_packet" title="Network packet">data packets</a>, publishing <a href="/wiki/Cryptographic_hash_function" title="Cryptographic hash function">verifiable hashes</a> of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system. Because the Lamport signature system cannot be used more than once, a system to combine many Lamport key-sets under a single public value that can be tied to a person and verified by others was developed. This system uses trees of <a href="/wiki/Cryptographic_hash_function" title="Cryptographic hash function">hashes</a> to compress many published Lamport-key-commitment sets into a single hash value that can be associated with the prospective author of later-verified data. <div class="mw-heading mw-heading3"><h3 id="Verifiable_secret_sharing">Verifiable secret sharing</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=5" title="Edit section: Verifiable secret sharing">edit</a>]</div> Another important application of commitments is in <a href="/wiki/Verifiable_secret_sharing" title="Verifiable secret sharing">verifiable secret sharing</a>, a critical building block of <a href="/wiki/Secure_multiparty_computation" class="mw-redirect" title="Secure multiparty computation">secure multiparty computation</a>. In a <a href="/wiki/Secret_sharing" title="Secret sharing">secret sharing</a> scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. If enough parties get together, their shares can be used to reconstruct the secret, but even a malicious cabal of insufficient size should learn nothing. Secret sharing is at the root of many protocols for <a href="/wiki/Secure_computation" class="mw-redirect" title="Secure computation">secure computation</a>: in order to securely compute a function of some shared input, the secret shares are manipulated instead. However, if shares are to be generated by malicious parties, it may be important that those shares can be checked for correctness. In a verifiable secret sharing scheme, the distribution of a secret is accompanied by commitments to the individual shares. The commitments reveal nothing that can help a dishonest cabal, but the shares allow each individual party to check to see if their shares are correct.<a href="#cite_note-12">[12]</a> <div class="mw-heading mw-heading2"><h2 id="Defining_the_security">Defining the security</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=6" title="Edit section: Defining the security">edit</a>]</div> Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a <a href="/wiki/Cryptographic_protocol" title="Cryptographic protocol">cryptographic protocol</a> or whether they are non-interactive, consisting of two algorithms Commit and CheckReveal. In the latter case CheckReveal can often be seen as a derandomised version of Commit, with the randomness used by Commit constituting the opening information. If the commitment C to a value x is computed as C:=Commit(x,open) with open being the randomness used for computing the commitment, then CheckReveal (C,x,open) reduces to simply verifying the equation C=Commit (x,open). Using this notation and some knowledge about <a href="/wiki/Mathematical_function" class="mw-redirect" title="Mathematical function">mathematical functions</a> and <a href="/wiki/Probability_theory" title="Probability theory">probability theory</a> we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding – a computationally unbounded adversary can simply generate Commit(x,open) for every value of x and open until finding a pair that outputs C, and in a perfectly binding scheme this uniquely identifies x. <div class="mw-heading mw-heading3"><h3 id="Computational_binding">Computational binding</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=7" title="Edit section: Computational binding">edit</a>]</div> Let open be chosen from a set of size <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle 2^{k}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle 2^{k}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d82641ae2702b0db07dd11830af27b9ee0cd196" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.251ex; height:2.676ex;" alt="{\displaystyle 2^{k}}">, i.e., it can be represented as a k bit string, and let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle {\text{Commit}}_{k}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle {\text{Commit}}_{k}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/74ccbeb53d623ca13d6e4f6c40d67ed1bcd6521d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:9.352ex; height:2.509ex;" alt="{\displaystyle {\text{Commit}}_{k}}"> be the corresponding commitment scheme. As the size of k determines the security of the commitment scheme it is called the <a href="/wiki/Security_parameter" title="Security parameter">security parameter</a>. Then for all <a href="/wiki/Uniformity_(complexity)" class="mw-redirect" title="Uniformity (complexity)">non-uniform</a> <a href="/wiki/PP_(complexity)" title="PP (complexity)">probabilistic polynomial time algorithms</a> that output <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x,x'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>,</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x,x'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/868106c4dab7e143519d80dfb0ce9ca91f367330" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:4.378ex; height:2.843ex;" alt="{\displaystyle x,x'}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle open,open'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>o</mi> <mi>p</mi> <mi>e</mi> <mi>n</mi> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <msup> <mi>n</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle open,open'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8ebdb7aa33a2bc284bac5a44da91b5b460a0337a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:11.269ex; height:2.843ex;" alt="{\displaystyle open,open'}"> of increasing length k, the probability that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x\neq x'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>≠</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x\neq x'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2c6cfab4b1bd197bfe3d7b6ff190cd3ae73f0368" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:6.443ex; height:3.009ex;" alt="{\displaystyle x\neq x'}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle {\text{Commit}}_{k}(x,open)={\text{Commit}}_{k}(x',open')}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">(</mo> <mi>x</mi> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <mi>n</mi> <mo stretchy="false">)</mo> <mo>=</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">(</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <msup> <mi>n</mi> <mo>′</mo> </msup> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle {\text{Commit}}_{k}(x,open)={\text{Commit}}_{k}(x',open')}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/62f1b312bce16abbebedf82512b3f2a8c35bd00c" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:41.069ex; height:3.009ex;" alt="{\displaystyle {\text{Commit}}_{k}(x,open)={\text{Commit}}_{k}(x',open')}"> is a <a href="/wiki/Negligible_function" title="Negligible function">negligible function</a> in k. This is a form of <a href="/wiki/Asymptotic_analysis" title="Asymptotic analysis">asymptotic analysis</a>. It is also possible to state the same requirement using <a href="/wiki/Concrete_security" title="Concrete security">concrete security</a>: A commitment scheme Commit is <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (t,\epsilon )}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>t</mi> <mo>,</mo> <mi>ϵ</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (t,\epsilon )}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0661eb28dd8be643476824c8bdc857e8fed026dd" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.627ex; height:2.843ex;" alt="{\displaystyle (t,\epsilon )}"> secure, if for all algorithms that run in time t and output <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x,x',open,open'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>,</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <mi>n</mi> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <msup> <mi>n</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x,x',open,open'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1f37eefcd1071178adfd7ea83cb83d145497f14b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:16.681ex; height:2.843ex;" alt="{\displaystyle x,x',open,open'}"> the probability that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x\neq x'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>≠</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x\neq x'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2c6cfab4b1bd197bfe3d7b6ff190cd3ae73f0368" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:6.443ex; height:3.009ex;" alt="{\displaystyle x\neq x'}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle {\text{Commit}}(x,open)={\text{Commit}}(x',open')}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mo stretchy="false">(</mo> <mi>x</mi> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <mi>n</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mo stretchy="false">(</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> <mo>,</mo> <mi>o</mi> <mi>p</mi> <mi>e</mi> <msup> <mi>n</mi> <mo>′</mo> </msup> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle {\text{Commit}}(x,open)={\text{Commit}}(x',open')}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/073179b70b410f98b45a88d983472dc740caed22" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:38.892ex; height:3.009ex;" alt="{\displaystyle {\text{Commit}}(x,open)={\text{Commit}}(x',open')}"> is at most <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \epsilon }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>ϵ</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \epsilon }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c3837cad72483d97bcdde49c85d3b7b859fb3fd2" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.944ex; height:1.676ex;" alt="{\displaystyle \epsilon }">. <div class="mw-heading mw-heading3"><h3 id="Perfect,_statistical,_and_computational_hiding">Perfect, statistical, and computational hiding</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=8" title="Edit section: Perfect, statistical, and computational hiding">edit</a>]</div> Let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle U_{k}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>U</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle U_{k}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/924cf85ae48192ae1c1ce15c109032e0a69b1014" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.676ex; height:2.509ex;" alt="{\displaystyle U_{k}}"> be the uniform distribution over the <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle 2^{k}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msup> <mn>2</mn> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle 2^{k}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d82641ae2702b0db07dd11830af27b9ee0cd196" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.251ex; height:2.676ex;" alt="{\displaystyle 2^{k}}"> opening values for security parameter k. A commitment scheme is respectively perfect, statistical, or computational hiding, if for all <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x\neq x'}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>≠</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x\neq x'}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2c6cfab4b1bd197bfe3d7b6ff190cd3ae73f0368" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:6.443ex; height:3.009ex;" alt="{\displaystyle x\neq x'}"> the <a href="/wiki/Probability_ensemble" class="mw-redirect" title="Probability ensemble">probability ensembles</a> <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \{{\text{Commit}}_{k}(x,U_{k})\}_{k\in \mathbb {N} }}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo fence="false" stretchy="false">{</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">(</mo> <mi>x</mi> <mo>,</mo> <msub> <mi>U</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">)</mo> <msub> <mo fence="false" stretchy="false">}</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> <mo>∈</mo> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">N</mi> </mrow> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \{{\text{Commit}}_{k}(x,U_{k})\}_{k\in \mathbb {N} }}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/17e720639250e8208c50233ee6c149b44ffebf13" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:21.898ex; height:2.843ex;" alt="{\displaystyle \{{\text{Commit}}_{k}(x,U_{k})\}_{k\in \mathbb {N} }}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \{{\text{Commit}}_{k}(x',U_{k})\}_{k\in \mathbb {N} }}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo fence="false" stretchy="false">{</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mtext>Commit</mtext> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">(</mo> <msup> <mi>x</mi> <mo>′</mo> </msup> <mo>,</mo> <msub> <mi>U</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> </mrow> </msub> <mo stretchy="false">)</mo> <msub> <mo fence="false" stretchy="false">}</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>k</mi> <mo>∈</mo> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">N</mi> </mrow> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \{{\text{Commit}}_{k}(x',U_{k})\}_{k\in \mathbb {N} }}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1189f7d2a52e3688d1d32327821e857b8da59ef6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.583ex; height:3.009ex;" alt="{\displaystyle \{{\text{Commit}}_{k}(x',U_{k})\}_{k\in \mathbb {N} }}"> are equal, <a href="/wiki/Statistically_close" class="mw-redirect" title="Statistically close">statistically close</a>, or <a href="/wiki/Computationally_indistinguishable" class="mw-redirect" title="Computationally indistinguishable">computationally indistinguishable</a>. <div class="mw-heading mw-heading3"><h3 id="Impossibility_of_universally_composable_commitment_schemes">Impossibility of universally composable commitment schemes</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=9" title="Edit section: Impossibility of universally composable commitment schemes">edit</a>]</div> It is impossible to realize commitment schemes in the <a href="/wiki/Universal_composability" title="Universal composability">universal composability</a> (UC) framework. The reason is that UC commitment has to be extractable, as shown by Canetti and Fischlin<a href="#cite_note-13">[13]</a> and explained below. The ideal commitment functionality, denoted here by F, works roughly as follows. Committer C sends value m to F, which stores it and sends "receipt" to receiver R. Later, C sends "open" to F, which sends m to R. Now, assume we have a protocol π that realizes this functionality. Suppose that the committer C is corrupted. In the UC framework, that essentially means that C is now controlled by the environment, which attempts to distinguish protocol execution from the ideal process. Consider an environment that chooses a message m and then tells C to act as prescribed by π, as if it has committed to m. Note here that in order to realize F, the receiver must, after receiving a commitment, output a message "receipt". After the environment sees this message, it tells C to open the commitment. The protocol is only secure if this scenario is indistinguishable from the ideal case, where the functionality interacts with a simulator S. Here, S has control of C. In particular, whenever R outputs "receipt", F has to do likewise. The only way to do that is for S to tell C to send a value to F. However, note that by this point, m is not known to S. Hence, when the commitment is opened during protocol execution, it is unlikely that F will open to m, unless S can extract m from the messages it received from the environment before R outputs the receipt. However a protocol that is extractable in this sense cannot be statistically hiding. Suppose such a simulator S exists. Now consider an environment that, instead of corrupting C, corrupts R instead. Additionally it runs a copy of S. Messages received from C are fed into S, and replies from S are forwarded to C. The environment initially tells C to commit to a message m. At some point in the interaction, S will commit to a value m′. This message is handed to R, who outputs m′. Note that by assumption we have m' = m with high probability. Now in the ideal process the simulator has to come up with m. But this is impossible, because at this point the commitment has not been opened yet, so the only message R can have received in the ideal process is a "receipt" message. We thus have a contradiction. <div class="mw-heading mw-heading2"><h2 id="Construction">Construction</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=10" title="Edit section: Construction">edit</a>]</div> A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources); or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources); or formulated as an instance-dependent commitment scheme, which is either hiding or binding depending on the solution to another problem.<a href="#cite_note-14">[14]</a><a href="#cite_note-15">[15]</a> A commitment scheme cannot be both perfectly hiding and perfectly binding at the same time. <div class="mw-heading mw-heading3"><h3 id="Bit-commitment_in_the_random_oracle_model">Bit-commitment in the random oracle model</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=11" title="Edit section: Bit-commitment in the random oracle model">edit</a>]</div> Bit-commitment schemes are trivial to construct in the <a href="/wiki/Random_oracle" title="Random oracle">random oracle</a> model. Given a <a href="/wiki/Cryptographic_hash_function" title="Cryptographic hash function">hash function</a> H with a 3k bit output, to commit the k-bit message m, Alice generates a random k bit string R and sends Bob H(R || m). The probability that any R′, m′ exist where m′ ≠ m such that H(R′ || m′) = H(R || m) is ≈ 2−k, but to test any guess at the message m Bob will need to make 2k (for an incorrect guess) or 2k-1 (on average, for a correct guess) queries to the random oracle.<a href="#cite_note-16">[16]</a> We note that earlier schemes based on hash functions, essentially can be thought of schemes based on idealization of these hash functions as random oracle. <div class="mw-heading mw-heading3"><h3 id="Bit-commitment_from_any_one-way_permutation">Bit-commitment from any one-way permutation</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=12" title="Edit section: Bit-commitment from any one-way permutation">edit</a>]</div> One can create a bit-commitment scheme from any <a href="/wiki/One-way_function" title="One-way function">one-way function</a> that is <a href="/wiki/Injective_function" title="Injective function">injective</a>. The scheme relies on the fact that every one-way function can be modified (via the <a href="/wiki/Goldreich-Levin_theorem" class="mw-redirect" title="Goldreich-Levin theorem">Goldreich-Levin theorem</a>) to possess a computationally <a href="/wiki/Hard-core_predicate" title="Hard-core predicate">hard-core predicate</a> (while retaining the injective property). Let f be an injective one-way function, with h a hard-core predicate. Then to commit to a bit b Alice picks a random input x and sends the triple <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (h,f(x),b\oplus h(x))}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>h</mi> <mo>,</mo> <mi>f</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>b</mi> <mo>⊕</mo> <mi>h</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (h,f(x),b\oplus h(x))}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cbf6699da90f362b16e81134802fe3be1d3d6379" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:17.95ex; height:2.843ex;" alt="{\displaystyle (h,f(x),b\oplus h(x))}"></dd></dl> to Bob, where <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \oplus }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo>⊕</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \oplus }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8b16e2bdaefee9eed86d866e6eba3ac47c710f60" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:1.808ex; height:2.176ex;" alt="{\displaystyle \oplus }"> denotes XOR, i.e., bitwise addition modulo 2. To decommit, Alice simply sends x to Bob. Bob verifies by computing f(x) and comparing to the committed value. This scheme is concealing because for Bob to recover b he must recover h(x). Since h is a computationally hard-core predicate, recovering h(x) from f(x) with probability greater than one-half is as hard as inverting f. Perfect binding follows from the fact that f is injective and thus f(x) has exactly one preimage. <div class="mw-heading mw-heading3"><h3 id="Bit-commitment_from_a_pseudo-random_generator">Bit-commitment from a pseudo-random generator</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=13" title="Edit section: Bit-commitment from a pseudo-random generator">edit</a>]</div> Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol. In 1991 Moni Naor showed how to create a bit-commitment scheme from a <a href="/wiki/Cryptographically_secure_pseudorandom_number_generator" title="Cryptographically secure pseudorandom number generator">cryptographically secure pseudorandom number generator</a>.<a href="#cite_note-17">[17]</a> The construction is as follows. If G is a pseudo-random generator such that G takes n bits to 3n bits, then if Alice wants to commit to a bit b: <ul><li>Bob selects a random 3n-bit vector R and sends R to Alice.</li> <li>Alice selects a random n-bit vector Y and computes the 3n-bit vector G(Y).</li> <li>If b=1 Alice sends G(Y) to Bob, otherwise she sends the bitwise <a href="/wiki/Exclusive_disjunction" class="mw-redirect" title="Exclusive disjunction">exclusive-or</a> of G(Y) and R to Bob.</li></ul> To decommit Alice sends Y to Bob, who can then check whether he initially received G(Y) or G(Y) <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \oplus }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo>⊕</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \oplus }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8b16e2bdaefee9eed86d866e6eba3ac47c710f60" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:1.808ex; height:2.176ex;" alt="{\displaystyle \oplus }"> R. This scheme is statistically binding, meaning that even if Alice is computationally unbounded she cannot cheat with probability greater than 2−n. For Alice to cheat, she would need to find a Y', such that G(Y') = G(Y) <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \oplus }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo>⊕</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \oplus }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8b16e2bdaefee9eed86d866e6eba3ac47c710f60" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:1.808ex; height:2.176ex;" alt="{\displaystyle \oplus }"> R. If she could find such a value, she could decommit by sending the truth and Y, or send the opposite answer and Y'. However, G(Y) and G(Y') are only able to produce 2n possible values each (that's 22n) while R is picked out of 23n values. She does not pick R, so there is a 22n/23n = 2−n probability that a Y' satisfying the equation required to cheat will exist. The concealing property follows from a standard reduction, if Bob can tell whether Alice committed to a zero or one, he can also distinguish the output of the pseudo-random generator G from true-random, which contradicts the cryptographic security of G. <div class="mw-heading mw-heading3"><h3 id="A_perfectly_binding_scheme_based_on_the_discrete_log_problem_and_beyond">A perfectly binding scheme based on the discrete log problem and beyond</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=14" title="Edit section: A perfectly binding scheme based on the discrete log problem and beyond">edit</a>]</div> Alice chooses a <a href="/wiki/Ring_(mathematics)" title="Ring (mathematics)">ring</a> of prime order p, with multiplicative generator g. Alice randomly picks a secret value x from 0 to p − 1 to commit to and calculates c = gx and publishes c. The <a href="/wiki/Discrete_logarithm_problem" class="mw-redirect" title="Discrete logarithm problem">discrete logarithm problem</a> dictates that from c, it is computationally infeasible to compute x, so under this assumption, Bob cannot compute x. On the other hand, Alice cannot compute a x′ <> x, such that gx′ = c, so the scheme is binding. This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the <a href="/wiki/Discrete_logarithm_problem" class="mw-redirect" title="Discrete logarithm problem">discrete logarithm problem</a>. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the <a href="/wiki/IND-CPA" class="mw-redirect" title="IND-CPA">IND-CPA</a> game. One consequence of this is that if the space of possible values of x is small, then an attacker could simply try them all and the commitment would not be hiding. A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of x under a <a href="/wiki/Semantically_secure" class="mw-redirect" title="Semantically secure">semantically secure</a>, public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt x. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme,<a href="#cite_note-Pedersen_pp._129–140-18">[18]</a> which is computationally binding under the discrete logarithm assumption. <a href="#cite_note-metere2017automated-19">[19]</a> Additionally to the scheme above, it uses another generator h of the prime group and a random number r. The commitment is set <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle c=g^{x}h^{r}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>c</mi> <mo>=</mo> <msup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>x</mi> </mrow> </msup> <msup> <mi>h</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>r</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle c=g^{x}h^{r}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9ac63175a05939b977fa62abcb65a59ec1804e0b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:8.709ex; height:2.676ex;" alt="{\displaystyle c=g^{x}h^{r}}">.<a href="#cite_note-20">[20]</a> These constructions are tightly related to and based on the algebraic properties of the underlying groups, and the notion originally seemed to be very much related to the algebra. However, it was shown that basing statistically binding commitment schemes on general unstructured assumption is possible, via the notion of interactive hashing for commitments from general complexity assumptions (specifically and originally, based on any one way permutation) as in.<a href="#cite_note-21">[21]</a> <div class="mw-heading mw-heading3"><h3 id="A_perfectly_hiding_commitment_scheme_based_on_RSA">A perfectly hiding commitment scheme based on RSA</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=15" title="Edit section: A perfectly hiding commitment scheme based on RSA">edit</a>]</div> Alice selects <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle N}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>N</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle N}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5e3890c981ae85503089652feb48b191b57aae3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.064ex; height:2.176ex;" alt="{\displaystyle N}"> such that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle N=p\cdot q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>N</mi> <mo>=</mo> <mi>p</mi> <mo>⋅</mo> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle N=p\cdot q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/36e46a18a8492c3e55b7fefa9cc832a734fb413e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:9.08ex; height:2.509ex;" alt="{\displaystyle N=p\cdot q}">, where <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> are large secret prime numbers. Additionally, she selects a prime <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cd253103f0876afc68ebead27a5aa9867d927467" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.083ex; height:1.676ex;" alt="{\displaystyle e}"> such that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e>N^{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo>></mo> <msup> <mi>N</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e>N^{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1ca537dd0626c41c9c06ac1ce877b7e78716b89f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:7.359ex; height:2.676ex;" alt="{\displaystyle e>N^{2}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle gcd(e,\phi (N^{2}))=1}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>g</mi> <mi>c</mi> <mi>d</mi> <mo stretchy="false">(</mo> <mi>e</mi> <mo>,</mo> <mi>ϕ</mi> <mo stretchy="false">(</mo> <msup> <mi>N</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> <mo>=</mo> <mn>1</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle gcd(e,\phi (N^{2}))=1}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3fec2e0353f0fcca6d8cb0f360cc77fa532b85c5" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:17.898ex; height:3.176ex;" alt="{\displaystyle gcd(e,\phi (N^{2}))=1}">. Alice then computes a public number <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle g_{m}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle g_{m}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/28dbe49b383cddeba92dfccc07b285a189b443a4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.784ex; height:2.009ex;" alt="{\displaystyle g_{m}}"> as an element of maximum order in the <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {Z} _{N^{2}}^{*}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msubsup> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">Z</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msup> <mi>N</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo>∗</mo> </mrow> </msubsup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {Z} _{N^{2}}^{*}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1d19d27f5baefc3d1c3b2066b6a5f203b3d5946e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.171ex; width:4.115ex; height:3.176ex;" alt="{\displaystyle \mathbb {Z} _{N^{2}}^{*}}"> group.<a href="#cite_note-menezes2018handbook-22">[22]</a> Finally, Alice commits to her secret <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>m</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0a07d98bb302f3856cbabc47b2b9016692e3f7bc" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.04ex; height:1.676ex;" alt="{\displaystyle m}"> by first generating a random number <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>r</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0d1ecb613aa2984f0576f70f86650b7c2a132538" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.049ex; height:1.676ex;" alt="{\displaystyle r}"> from <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {Z} _{N^{2}}^{*}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msubsup> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">Z</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msup> <mi>N</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msup> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo>∗</mo> </mrow> </msubsup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {Z} _{N^{2}}^{*}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1d19d27f5baefc3d1c3b2066b6a5f203b3d5946e" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.171ex; width:4.115ex; height:3.176ex;" alt="{\displaystyle \mathbb {Z} _{N^{2}}^{*}}"> and then by computing <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle c=m^{e}g_{m}^{r}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>c</mi> <mo>=</mo> <msup> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>e</mi> </mrow> </msup> <msubsup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>r</mi> </mrow> </msubsup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle c=m^{e}g_{m}^{r}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/33f17dde19ea12cbf8e2fe8732c384c6f5fba301" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:9.928ex; height:2.676ex;" alt="{\displaystyle c=m^{e}g_{m}^{r}}">. The security of the above commitment relies on the hardness of the RSA problem and has perfect hiding and computational binding.<a href="#cite_note-masquerade2022-23">[23]</a> <div class="mw-heading mw-heading3"><h3 id="Additive_and_multiplicative_homomorphic_properties_of_commitments">Additive and multiplicative homomorphic properties of commitments</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=16" title="Edit section: Additive and multiplicative homomorphic properties of commitments">edit</a>]</div> The Pedersen commitment scheme introduces an interesting homomorphic property that allows performing addition between two commitments. More specifically, given two messages <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/31aafa60e48d39ccce922404c0b80340b2cc777a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.095ex; height:2.009ex;" alt="{\displaystyle m_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0ecebe334d5cadc3ffcf245eb02919034d7a2ec8" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.095ex; height:2.009ex;" alt="{\displaystyle m_{2}}"> and randomness <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ea214f2b31fb3869344bb9311da41c5cc38a99e1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4cbe9b0b294fdd6fadbf9a7249813f016dcbc44f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{2}}">, respectively, it is possible to generate a new commitment such that: <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}+m_{2},r_{1}+r_{2})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>=</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}+m_{2},r_{1}+r_{2})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/130ee16f09ab66dff808e6531f066bda46e4d847" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:45.077ex; height:2.843ex;" alt="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}+m_{2},r_{1}+r_{2})}">. Formally: <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=g^{m_{1}}h^{r_{1}}\cdot g^{m_{2}}h^{r_{2}}=g^{m_{1}+m_{2}}h^{r_{1}+r_{2}}=C(m_{1}+m_{2},r_{1}+r_{2})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>=</mo> <msup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mrow> </msup> <msup> <mi>h</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mrow> </msup> <mo>⋅</mo> <msup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msup> <msup> <mi>h</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msup> <mo>=</mo> <msup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msup> <msup> <mi>h</mi> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msup> <mo>=</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=g^{m_{1}}h^{r_{1}}\cdot g^{m_{2}}h^{r_{2}}=g^{m_{1}+m_{2}}h^{r_{1}+r_{2}}=C(m_{1}+m_{2},r_{1}+r_{2})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/730fc635b8c686d3d546a50840460832dee6a098" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:79.665ex; height:3.009ex;" alt="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=g^{m_{1}}h^{r_{1}}\cdot g^{m_{2}}h^{r_{2}}=g^{m_{1}+m_{2}}h^{r_{1}+r_{2}}=C(m_{1}+m_{2},r_{1}+r_{2})}"> To open the above Pedersen commitment to a new message <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1}+m_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1}+m_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/648effd88b01ad99e59e69e7b60809ea505ea337" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:9.03ex; height:2.343ex;" alt="{\displaystyle m_{1}+m_{2}}">, the randomness <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ea214f2b31fb3869344bb9311da41c5cc38a99e1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4cbe9b0b294fdd6fadbf9a7249813f016dcbc44f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{2}}"> has to be added. Similarly, the RSA-based commitment mentioned above has a homomorphic property with respect to the multiplication operation. Given two messages <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/31aafa60e48d39ccce922404c0b80340b2cc777a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.095ex; height:2.009ex;" alt="{\displaystyle m_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0ecebe334d5cadc3ffcf245eb02919034d7a2ec8" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.095ex; height:2.009ex;" alt="{\displaystyle m_{2}}"> with randomness <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ea214f2b31fb3869344bb9311da41c5cc38a99e1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4cbe9b0b294fdd6fadbf9a7249813f016dcbc44f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{2}}">, respectively, one can compute: <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}\cdot m_{2},r_{1}+r_{2})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>=</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>⋅</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}\cdot m_{2},r_{1}+r_{2})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/bbd5560b112bea1adc5c6cd13df81bc3c1a8b0d3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:43.916ex; height:2.843ex;" alt="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=C(m_{1}\cdot m_{2},r_{1}+r_{2})}">. Formally: <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=m_{1}^{e}g_{m}^{r_{1}}\cdot m_{2}^{e}g_{m}^{r_{2}}=(m_{1}\cdot m_{2})^{e}g_{m}^{r_{1}+r_{2}}=C(m_{1}\cdot m_{2},r_{1}+r_{2})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>=</mo> <msubsup> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>e</mi> </mrow> </msubsup> <msubsup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mrow> </msubsup> <mo>⋅</mo> <msubsup> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>e</mi> </mrow> </msubsup> <msubsup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msubsup> <mo>=</mo> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>⋅</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>e</mi> </mrow> </msup> <msubsup> <mi>g</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>m</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mrow> </msubsup> <mo>=</mo> <mi>C</mi> <mo stretchy="false">(</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>⋅</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>+</mo> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=m_{1}^{e}g_{m}^{r_{1}}\cdot m_{2}^{e}g_{m}^{r_{2}}=(m_{1}\cdot m_{2})^{e}g_{m}^{r_{1}+r_{2}}=C(m_{1}\cdot m_{2},r_{1}+r_{2})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d79ea92ff09e20dc4e7535b8eb59928479fbab9f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:80.279ex; height:3.343ex;" alt="{\displaystyle C(m_{1},r_{1})\cdot C(m_{2},r_{2})=m_{1}^{e}g_{m}^{r_{1}}\cdot m_{2}^{e}g_{m}^{r_{2}}=(m_{1}\cdot m_{2})^{e}g_{m}^{r_{1}+r_{2}}=C(m_{1}\cdot m_{2},r_{1}+r_{2})}">. To open the above commitment to a new message <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1}\cdot m_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>⋅</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1}\cdot m_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a7e23bafcd9afe4b7092628109999b988675d7f3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:7.868ex; height:2.009ex;" alt="{\displaystyle m_{1}\cdot m_{2}}">, the randomness <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ea214f2b31fb3869344bb9311da41c5cc38a99e1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle r_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>r</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle r_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4cbe9b0b294fdd6fadbf9a7249813f016dcbc44f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.103ex; height:2.009ex;" alt="{\displaystyle r_{2}}"> has to be added. This newly generated commitment is distributed similarly to a new commitment to <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1}\cdot m_{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>⋅</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1}\cdot m_{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a7e23bafcd9afe4b7092628109999b988675d7f3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:7.868ex; height:2.009ex;" alt="{\displaystyle m_{1}\cdot m_{2}}">. <div class="mw-heading mw-heading2"><h2 id="Partial_reveal">Partial reveal</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=17" title="Edit section: Partial reveal">edit</a>]</div> Some commitment schemes permit a proof to be given of only a portion of the committed value. In these schemes, the secret value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> is a vector of many individually separable values. <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X=(x_{1},x_{2},...,x_{n})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> <mo>=</mo> <mo stretchy="false">(</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X=(x_{1},x_{2},...,x_{n})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c81d3963c9f0d511ffe709f18c9d0b9e453e1884" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:20.407ex; height:2.843ex;" alt="{\displaystyle X=(x_{1},x_{2},...,x_{n})}"></dd></dl> The commitment <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}"> is computed from <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> in the commit phase. Normally, in the reveal phase, the prover would reveal all of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> and some additional proof data (such as <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle R}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>R</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle R}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4b0bfb3769bf24d80e15374dc37b0441e2616e33" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.764ex; height:2.176ex;" alt="{\displaystyle R}"> in <a href="#Bit-commitment_in_the_random_oracle_model">simple bit-commitment</a>). Instead, the prover is able to reveal any single value from the <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> vector, and create an efficient proof that it is the authentic <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">th element of the original vector that created the commitment <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}">. The proof does not require any values of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> other than <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> to be revealed, and it is impossible to create valid proofs that reveal different values for any of the <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> than the true one.<a href="#cite_note-24">[24]</a> <div class="mw-heading mw-heading3"><h3 id="Vector_hashing">Vector hashing</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=18" title="Edit section: Vector hashing">edit</a>]</div> Vector hashing is a naive vector commitment partial reveal scheme based on bit-commitment. Values <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{1},m_{2},...m_{n}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{1},m_{2},...m_{n}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a45e563c9abe587730733a81ebffc36423b11250" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:14.618ex; height:2.009ex;" alt="{\displaystyle m_{1},m_{2},...m_{n}}"> are chosen randomly. Individual commitments are created by hashing <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y_{1}=H(x_{1}||m_{1}),y_{2}=H(x_{2}||m_{2}),...}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>=</mo> <mi>H</mi> <mo stretchy="false">(</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>=</mo> <mi>H</mi> <mo stretchy="false">(</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">)</mo> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y_{1}=H(x_{1}||m_{1}),y_{2}=H(x_{2}||m_{2}),...}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9eec2edb0000dfe60581fdc5dc33af5750e54761" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:36.657ex; height:2.843ex;" alt="{\displaystyle y_{1}=H(x_{1}||m_{1}),y_{2}=H(x_{2}||m_{2}),...}">. The overall commitment is computed as <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C=H(y_{1}||y_{2}||...||y_{n})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo>=</mo> <mi>H</mi> <mo stretchy="false">(</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo stretchy="false">|</mo> </mrow> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C=H(y_{1}||y_{2}||...||y_{n})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/5839e98624516f0f5cb0436c0ccb71f5fb320381" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.465ex; height:2.843ex;" alt="{\displaystyle C=H(y_{1}||y_{2}||...||y_{n})}"></dd></dl> In order to prove one element of the vector <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}">, the prover reveals the values <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (i,y_{1},y_{2},...,y_{i-1},x_{i},m_{i},y_{i+1},...,y_{n})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>i</mi> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>−</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <mo>,</mo> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>+</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> </msub> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (i,y_{1},y_{2},...,y_{i-1},x_{i},m_{i},y_{i+1},...,y_{n})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/693c0b656ef290bcad664c8fab5bfb7d46c3ca19" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:37.914ex; height:2.843ex;" alt="{\displaystyle (i,y_{1},y_{2},...,y_{i-1},x_{i},m_{i},y_{i+1},...,y_{n})}"></dd></dl> The verifier is able to compute <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>y</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/67d30d30b6c2dbe4d6f150d699de040937ecc95f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.939ex; height:2.009ex;" alt="{\displaystyle y_{i}}"> from <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle m_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>m</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle m_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/95ec8e804f69706d3f5ad235f4f983220c8df7c2" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.84ex; height:2.009ex;" alt="{\displaystyle m_{i}}">, and then is able to verify that the hash of all <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}"> values is the commitment <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}">. Unfortunately the proof is <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(n)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mi>n</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(n)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/34109fe397fdcff370079185bfdb65826cb5565a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.977ex; height:2.843ex;" alt="{\displaystyle O(n)}"> in size and verification time. Alternately, if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}"> is the set of all <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}"> values, then the commitment is <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(n)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mi>n</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(n)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/34109fe397fdcff370079185bfdb65826cb5565a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.977ex; height:2.843ex;" alt="{\displaystyle O(n)}"> in size, and the proof is <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(1)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mn>1</mn> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(1)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e66384bc40452c5452f33563fe0e27e803b0cc21" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.745ex; height:2.843ex;" alt="{\displaystyle O(1)}"> in size and verification time. Either way, the commitment or the proof scales with <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(n)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mi>n</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(n)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/34109fe397fdcff370079185bfdb65826cb5565a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.977ex; height:2.843ex;" alt="{\displaystyle O(n)}"> which is not optimal. <div class="mw-heading mw-heading3"><h3 id="Merkle_tree">Merkle tree</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=19" title="Edit section: Merkle tree">edit</a>]</div> A common example of a practical partial reveal scheme is a <a href="/wiki/Merkle_tree" title="Merkle tree">Merkle tree</a>, in which a binary hash tree is created of the elements of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}">. This scheme creates commitments that are <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(1)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mn>1</mn> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(1)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e66384bc40452c5452f33563fe0e27e803b0cc21" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.745ex; height:2.843ex;" alt="{\displaystyle O(1)}"> in size, and proofs that are <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(\log _{2}{n})}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <msub> <mi>log</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>⁡</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(\log _{2}{n})}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/57f7ecfbc8bb146c07ac0e4c03677ceac63c5c49" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:9.39ex; height:2.843ex;" alt="{\displaystyle O(\log _{2}{n})}"> in size and verification time. The root hash of the tree is the commitment <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}">. To prove that a revealed <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> is part of the original tree, only <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \log _{2}{n}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>log</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>⁡</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \log _{2}{n}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/16fa1f359e8bbe6bcffefe05c75c46d5778179bb" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:5.808ex; height:2.676ex;" alt="{\displaystyle \log _{2}{n}}"> hash values from the tree, one from each level, must be revealed as the proof. The verifier is able to follow the path from the claimed leaf node all the way up to the root, hashing in the sibling nodes at each level, and eventually arriving at a root node value that must equal <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}">.<a href="#cite_note-25">[25]</a> <div class="mw-heading mw-heading3"><h3 id="KZG_commitment">KZG commitment</h3>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=20" title="Edit section: KZG commitment">edit</a>]</div> A Kate-Zaverucha-Goldberg commitment uses <a href="/wiki/Pairing-based_cryptography" title="Pairing-based cryptography">pairing-based cryptography</a> to build a partial reveal scheme with <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(1)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mn>1</mn> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(1)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e66384bc40452c5452f33563fe0e27e803b0cc21" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.745ex; height:2.843ex;" alt="{\displaystyle O(1)}"> commitment sizes, proof sizes, and proof verification time. In other words, as <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle n}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>n</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle n}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a601995d55609f2d9f5e233e36fbe9ea26011b3b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.395ex; height:1.676ex;" alt="{\displaystyle n}">, the number of values in <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}">, increases, the commitments and proofs do not get larger, and the proofs do not take any more effort to verify. A KZG commitment requires a predetermined set of parameters to create a <a href="/wiki/Pairing" title="Pairing">pairing</a>, and a trusted trapdoor element. For example, a <a href="/wiki/Tate_pairing" title="Tate pairing">Tate pairing</a> can be used. Assume that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1},\mathbb {G} _{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1},\mathbb {G} _{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81b6e145c31fc414d8b5990a6fd6401fb16a67b0" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:6.759ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1},\mathbb {G} _{2}}"> are the additive groups, and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{T}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>T</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{T}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0897b2beaf6721f43453d63f48f8e5ddf706036f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.197ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{T}}"> is the multiplicative group of the pairing. In other words, the pairing is the map <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e:\mathbb {G} _{1}\times \mathbb {G} _{2}\rightarrow \mathbb {G} _{T}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo>:</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>×</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo stretchy="false">→</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>T</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e:\mathbb {G} _{1}\times \mathbb {G} _{2}\rightarrow \mathbb {G} _{T}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b0b233c58cab33f6b1f1b263299919fe0d433fed" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:18.397ex; height:2.509ex;" alt="{\displaystyle e:\mathbb {G} _{1}\times \mathbb {G} _{2}\rightarrow \mathbb {G} _{T}}">. Let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle t\in \mathbb {F} _{p}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>t</mi> <mo>∈</mo> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">F</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle t\in \mathbb {F} _{p}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ef4e0a0c5b5e2d32ba96e5c74dcf54f9417d80d8" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:6.16ex; height:2.843ex;" alt="{\displaystyle t\in \mathbb {F} _{p}}"> be the trapdoor element (if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}"> is the prime order of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/77759bcf62cde320f8f721c589d438906aaf9e13" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{2}}">), and let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5f3c8921a3b352de45446a6789b104458c9f90b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.827ex; height:2.176ex;" alt="{\displaystyle G}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/75a9edddcca2f782014371f75dca39d7e13a9c1b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:2.064ex; height:2.176ex;" alt="{\displaystyle H}"> be the generators of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/77759bcf62cde320f8f721c589d438906aaf9e13" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{2}}"> respectively. As part of the parameter setup, we assume that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot t^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot t^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d27b2c7a3488e5eb89367047e7a213d0bc8d8c1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.145ex; height:2.676ex;" alt="{\displaystyle G\cdot t^{i}}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H\cdot t^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> <mo>⋅</mo> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H\cdot t^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f4c3c1da94a05466fd886ce352efdd44adfe565c" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.382ex; height:2.676ex;" alt="{\displaystyle H\cdot t^{i}}"> are known and shared values for arbitrarily many positive integer values of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">, while the trapdoor value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/65658b7b223af9e1acc877d848888ecdb4466560" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.84ex; height:2.009ex;" alt="{\displaystyle t}"> itself is discarded and known to no one. <div class="mw-heading mw-heading4"><h4 id="Commit">Commit</h4>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=21" title="Edit section: Commit">edit</a>]</div> A KZG commitment reformulates the vector of values to be committed as a polynomial. First, we calculate a polynomial such that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)=x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)=x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/73f7a4c8e6fcd9b0a7f739388f37f87a81acfcbf" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:9.098ex; height:2.843ex;" alt="{\displaystyle p(i)=x_{i}}"> for all values of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> in our vector. <a href="/wiki/Lagrange_interpolation" class="mw-redirect" title="Lagrange interpolation">Lagrange interpolation</a> allows us to compute that polynomial <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(x)=\sum _{i=0}^{n-1}x_{i}\prod _{0\leq j<n,j\neq i}{\frac {x-j}{i-j}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>=</mo> <munderover> <mo>∑</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>=</mo> <mn>0</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> <mo>−</mo> <mn>1</mn> </mrow> </munderover> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <munder> <mo>∏</mo> <mrow class="MJX-TeXAtom-ORD"> <mn>0</mn> <mo>≤</mo> <mi>j</mi> <mo><</mo> <mi>n</mi> <mo>,</mo> <mi>j</mi> <mo>≠</mo> <mi>i</mi> </mrow> </munder> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mrow> <mi>x</mi> <mo>−</mo> <mi>j</mi> </mrow> <mrow> <mi>i</mi> <mo>−</mo> <mi>j</mi> </mrow> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(x)=\sum _{i=0}^{n-1}x_{i}\prod _{0\leq j<n,j\neq i}{\frac {x-j}{i-j}}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/86f49d763e10e8733553176cef3e75b8c5066268" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -3.505ex; margin-left: -0.089ex; width:28.13ex; height:7.843ex;" alt="{\displaystyle p(x)=\sum _{i=0}^{n-1}x_{i}\prod _{0\leq j<n,j\neq i}{\frac {x-j}{i-j}}}"></dd></dl> Under this formulation, the polynomial now encodes the vector, where <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(0)=x_{0},p(1)=x_{1},...}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mn>0</mn> <mo stretchy="false">)</mo> <mo>=</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>0</mn> </mrow> </msub> <mo>,</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mn>1</mn> <mo stretchy="false">)</mo> <mo>=</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(0)=x_{0},p(1)=x_{1},...}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/37c8b8061f79285e06f86eca6b23fa942c66a32d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:24.119ex; height:2.843ex;" alt="{\displaystyle p(0)=x_{0},p(1)=x_{1},...}">. Let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p_{0},p_{1},...,p_{n-1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>0</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>,</mo> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> <mo>−</mo> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p_{0},p_{1},...,p_{n-1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/478fabc7dd97f91b948612e82359787a5e6e6dd5" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:15.229ex; height:2.009ex;" alt="{\displaystyle p_{0},p_{1},...,p_{n-1}}"> be the coefficients of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}">, such that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\textstyle p(x)=\sum _{i=0}^{n-1}p_{i}x^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="false" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>=</mo> <munderover> <mo>∑</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>=</mo> <mn>0</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> <mo>−</mo> <mn>1</mn> </mrow> </munderover> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <msup> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\textstyle p(x)=\sum _{i=0}^{n-1}p_{i}x^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4f26c91c860df1faf4368663ab0117951d7c3ab4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; margin-left: -0.089ex; width:17.755ex; height:3.509ex;" alt="{\textstyle p(x)=\sum _{i=0}^{n-1}p_{i}x^{i}}">. The commitment is calculated as <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C=\sum _{i=0}^{n-1}p_{i}Gt^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo>=</mo> <munderover> <mo>∑</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>=</mo> <mn>0</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> <mo>−</mo> <mn>1</mn> </mrow> </munderover> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <mi>G</mi> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C=\sum _{i=0}^{n-1}p_{i}Gt^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0c5d935cd50f558db0fab0e77401c53de594a754" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -3.005ex; width:14.042ex; height:7.343ex;" alt="{\displaystyle C=\sum _{i=0}^{n-1}p_{i}Gt^{i}}"></dd></dl> This is computed simply as a <a href="/wiki/Dot_product" title="Dot product">dot product</a> between the predetermined values <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot t^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot t^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d27b2c7a3488e5eb89367047e7a213d0bc8d8c1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.145ex; height:2.676ex;" alt="{\displaystyle G\cdot t^{i}}"> and the polynomial coefficients <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>p</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/5bab39399bf5424f25d957cdc57c84a0622626d2" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:2.059ex; height:2.009ex;" alt="{\displaystyle p_{i}}">. Since <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}"> is an additive group with associativity and commutativity, <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}"> is equal to simply <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot p(t)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot p(t)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ab88ada53368b2d525be15d164b7f8c29ac66dc3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:7.324ex; height:2.843ex;" alt="{\displaystyle G\cdot p(t)}">, since all the additions and multiplications with <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5f3c8921a3b352de45446a6789b104458c9f90b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.827ex; height:2.176ex;" alt="{\displaystyle G}"> can be distributed out of the evaluation. Since the trapdoor value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/65658b7b223af9e1acc877d848888ecdb4466560" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.84ex; height:2.009ex;" alt="{\displaystyle t}"> is unknown, the commitment <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}"> is essentially the polynomial evaluated at a number known to no one, with the outcome obfuscated into an opaque element of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}">. <div class="mw-heading mw-heading4"><h4 id="Reveal">Reveal</h4>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=22" title="Edit section: Reveal">edit</a>]</div> A KZG proof must demonstrate that the revealed data is the authentic value of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> when <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4fc55753007cd3c18576f7933f6f089196732029" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.766ex; height:2.176ex;" alt="{\displaystyle C}"> was computed. Let <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y=x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> <mo>=</mo> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y=x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/480208be374db35ca5430afab6813a076ffb41ba" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:6.383ex; height:2.009ex;" alt="{\displaystyle y=x_{i}}">, the revealed value we must prove. Since the vector of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}"> was reformulated into a polynomial, we really need to prove that the polynomial <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}">, when evaluated at <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">, takes on the value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}">. Simply, we just need to prove that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)=y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)=y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1c058cd022cf0f8d661deb0b1b2f094b034cc2fa" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.125ex; height:2.843ex;" alt="{\displaystyle p(i)=y}">. We will do this by demonstrating that subtracting <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}"> from <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}"> yields a root at <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">. Define the polynomial <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> as <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)={\frac {p(x)-y}{x-i}}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mrow> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mrow> <mrow> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mrow> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)={\frac {p(x)-y}{x-i}}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4cc6fab66085ca7604bb7a2d4284e6574db7b640" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.005ex; width:16.447ex; height:5.843ex;" alt="{\displaystyle q(x)={\frac {p(x)-y}{x-i}}}"></dd></dl> This polynomial is itself the proof that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)=y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)=y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1c058cd022cf0f8d661deb0b1b2f094b034cc2fa" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.125ex; height:2.843ex;" alt="{\displaystyle p(i)=y}">, because if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> exists, then <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/47178b352a165ce12aa32e69668186900f47e210" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.394ex; height:2.843ex;" alt="{\displaystyle p(x)-y}"> is divisible by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x-i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x-i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/08c6415ec45d76965789b24add7cd20817617a4a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:4.973ex; height:2.343ex;" alt="{\displaystyle x-i}">, meaning it has a root at <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">, so <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)-y=0}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo>=</mo> <mn>0</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)-y=0}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/18a48a96ce528086665d1544ae9d883341b19d79" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:12.127ex; height:2.843ex;" alt="{\displaystyle p(i)-y=0}"> (or, in other words, <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)=y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)=y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1c058cd022cf0f8d661deb0b1b2f094b034cc2fa" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.125ex; height:2.843ex;" alt="{\displaystyle p(i)=y}">). The KZG proof will demonstrate that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> exists and has this property. The prover computes <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> through the above polynomial division, then calculates the KZG proof value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \pi }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>π</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \pi }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9be4ba0bb8df3af72e90a0535fabcc17431e540a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.332ex; height:1.676ex;" alt="{\displaystyle \pi }"> <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \pi =\sum _{i=0}^{n-1}q_{i}Gt^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>π</mi> <mo>=</mo> <munderover> <mo>∑</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> <mo>=</mo> <mn>0</mn> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>n</mi> <mo>−</mo> <mn>1</mn> </mrow> </munderover> <msub> <mi>q</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> <mi>G</mi> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \pi =\sum _{i=0}^{n-1}q_{i}Gt^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/8fefa2d81f0a365857bd322733a2e8af92eb8282" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -3.005ex; width:13.475ex; height:7.343ex;" alt="{\displaystyle \pi =\sum _{i=0}^{n-1}q_{i}Gt^{i}}"></dd></dl> This is equal to <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot q(t)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot q(t)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e5526669086cbe9581161f4222b8f3d798710350" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:7.224ex; height:2.843ex;" alt="{\displaystyle G\cdot q(t)}">, as above. In other words, the proof value is the polynomial <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> again evaluated at the trapdoor value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/65658b7b223af9e1acc877d848888ecdb4466560" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.84ex; height:2.009ex;" alt="{\displaystyle t}">, hidden in the generator <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5f3c8921a3b352de45446a6789b104458c9f90b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.827ex; height:2.176ex;" alt="{\displaystyle G}"> of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}">. This computation is only possible if the above polynomials were evenly divisible, because in that case the quotient <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> is a polynomial, not a <a href="/wiki/Rational_function" title="Rational function">rational function</a>. Due to the construction of the trapdoor, it is not possible to evaluate a rational function at the trapdoor value, only to evaluate a polynomial using linear combinations of the precomputed known constants of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot t^{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <msup> <mi>t</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot t^{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2d27b2c7a3488e5eb89367047e7a213d0bc8d8c1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.145ex; height:2.676ex;" alt="{\displaystyle G\cdot t^{i}}">. This is why it is impossible to create a proof for an incorrect value of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x_{i}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mi>x</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x_{i}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e87000dd6142b81d041896a30fe58f0c3acb2158" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.129ex; height:2.009ex;" alt="{\displaystyle x_{i}}">. <div class="mw-heading mw-heading4"><h4 id="Verify">Verify</h4>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=23" title="Edit section: Verify">edit</a>]</div> To verify the proof, the bilinear map of the <a href="/wiki/Pairing" title="Pairing">pairing</a> is used to show that the proof value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \pi }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>π</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \pi }</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9be4ba0bb8df3af72e90a0535fabcc17431e540a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.332ex; height:1.676ex;" alt="{\displaystyle \pi }"> summarizes a real polynomial <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> that demonstrates the desired property, which is that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/47178b352a165ce12aa32e69668186900f47e210" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.394ex; height:2.843ex;" alt="{\displaystyle p(x)-y}"> was evenly divided by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x-i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x-i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/08c6415ec45d76965789b24add7cd20817617a4a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:4.973ex; height:2.343ex;" alt="{\displaystyle x-i}">. The verification computation checks the equality <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(\pi ,H\cdot t-H\cdot i)\ {\stackrel {?}{=}}\ e(C-G\cdot y,H)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>π</mi> <mo>,</mo> <mi>H</mi> <mo>⋅</mo> <mi>t</mi> <mo>−</mo> <mi>H</mi> <mo>⋅</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mtext> </mtext> <mrow class="MJX-TeXAtom-ORD"> <mrow class="MJX-TeXAtom-REL"> <mover> <mrow class="MJX-TeXAtom-OP MJX-fixedlimits"> <mo>=</mo> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mo>?</mo> </mrow> </mover> </mrow> </mrow> <mtext> </mtext> <mi>e</mi> <mo stretchy="false">(</mo> <mi>C</mi> <mo>−</mo> <mi>G</mi> <mo>⋅</mo> <mi>y</mi> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(\pi ,H\cdot t-H\cdot i)\ {\stackrel {?}{=}}\ e(C-G\cdot y,H)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c4fd0d08f9e0e1698fe5ca9f862432fbe6f4a89b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:35.454ex; height:3.843ex;" alt="{\displaystyle e(\pi ,H\cdot t-H\cdot i)\ {\stackrel {?}{=}}\ e(C-G\cdot y,H)}"></dd></dl> where <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cd253103f0876afc68ebead27a5aa9867d927467" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.083ex; height:1.676ex;" alt="{\displaystyle e}"> is the bilinear map function as above. <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H\cdot t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> <mo>⋅</mo> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H\cdot t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c0f8e161cc6844834897caa66664d418575b28d1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:4.582ex; height:2.176ex;" alt="{\displaystyle H\cdot t}"> is a precomputed constant, <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H\cdot i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> <mo>⋅</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H\cdot i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/644b70a8399efbfb2643665e1fef7e430b33ffe6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:4.545ex; height:2.176ex;" alt="{\displaystyle H\cdot i}"> is computed based on <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">. By rewriting the computation in the pairing group <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{T}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>T</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{T}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0897b2beaf6721f43453d63f48f8e5ddf706036f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.197ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{T}}">, substituting in <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \pi =q(t)\cdot G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>π</mi> <mo>=</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \pi =q(t)\cdot G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ca6d77dd701245580e65d79c3445dc155fbc8b8a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:11.655ex; height:2.843ex;" alt="{\displaystyle \pi =q(t)\cdot G}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle C=p(t)\cdot G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>C</mi> <mo>=</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle C=p(t)\cdot G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/2fc8d06e151fe4c5f3f130167b7de4a675ce2c37" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:12.189ex; height:2.843ex;" alt="{\displaystyle C=p(t)\cdot G}">, and letting <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \tau (x)=e(G,H)^{x}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>τ</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>x</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \tau (x)=e(G,H)^{x}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/eebd8ef71d64cd46141ac6f6fad610d231ac0c8b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:16.429ex; height:2.843ex;" alt="{\displaystyle \tau (x)=e(G,H)^{x}}"> be a helper function for lifting into the pairing group, the proof verification is more clear. <dl><dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(\pi ,H\cdot t-H\cdot i)=e(C-G\cdot y,H)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>π</mi> <mo>,</mo> <mi>H</mi> <mo>⋅</mo> <mi>t</mi> <mo>−</mo> <mi>H</mi> <mo>⋅</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>C</mi> <mo>−</mo> <mi>G</mi> <mo>⋅</mo> <mi>y</mi> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(\pi ,H\cdot t-H\cdot i)=e(C-G\cdot y,H)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b9fc571ea7cef893400a53273054f05f66934fb1" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:35.583ex; height:2.843ex;" alt="{\displaystyle e(\pi ,H\cdot t-H\cdot i)=e(C-G\cdot y,H)}"></dd> <dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G\cdot q(t),H\cdot t-H\cdot i)=e(G\cdot p(t)-G\cdot y,H)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>H</mi> <mo>⋅</mo> <mi>t</mi> <mo>−</mo> <mi>H</mi> <mo>⋅</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>G</mi> <mo>⋅</mo> <mi>y</mi> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G\cdot q(t),H\cdot t-H\cdot i)=e(G\cdot p(t)-G\cdot y,H)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/dec3d7e66c2be04e5fa9e2bebe232d80f766d221" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:47.034ex; height:2.843ex;" alt="{\displaystyle e(G\cdot q(t),H\cdot t-H\cdot i)=e(G\cdot p(t)-G\cdot y,H)}"></dd> <dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G\cdot q(t),H\cdot (t-i))=e(G\cdot (p(t)-y),H)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>H</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G\cdot q(t),H\cdot (t-i))=e(G\cdot (p(t)-y),H)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/21f68b98600fcd15dbed2e4c64886b4e237fca55" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:43.404ex; height:2.843ex;" alt="{\displaystyle e(G\cdot q(t),H\cdot (t-i))=e(G\cdot (p(t)-y),H)}"></dd> <dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mrow> </msup> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/05dca2ca9a8f29be2e02f5f0f532bc1ffd1904dc" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:30.798ex; height:3.343ex;" alt="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}"></dd> <dd><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>τ</mi> <mo stretchy="false">(</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> <mo>=</mo> <mi>τ</mi> <mo stretchy="false">(</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/23ccbb490f84f9fbe9163b6afe4b6026049420d3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:28.624ex; height:2.843ex;" alt="{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}"></dd></dl> Assuming that the bilinear map is validly constructed, this demonstrates that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)(x-i)=p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)(x-i)=p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/df1c5265fa800b0df3bd82b16db59068d8ba6ffd" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.393ex; height:2.843ex;" alt="{\displaystyle q(x)(x-i)=p(x)-y}">, without the validator knowing what <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; margin-left: -0.089ex; width:1.259ex; height:2.009ex;" alt="{\displaystyle p}"> or <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> are. The validator can be assured of this because if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>τ</mi> <mo stretchy="false">(</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> <mo>=</mo> <mi>τ</mi> <mo stretchy="false">(</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/23ccbb490f84f9fbe9163b6afe4b6026049420d3" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:28.624ex; height:2.843ex;" alt="{\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}">, then the polynomials evaluate to the same output at the trapdoor value <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x=t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>=</mo> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x=t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f6c0426ebd38c267805e4308c63f11cb976e4963" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:5.268ex; height:2.009ex;" alt="{\displaystyle x=t}">. This demonstrates the polynomials are identical, because, if the parameters were validly constructed, the trapdoor value is known to no one, meaning that engineering a polynomial to have a specific value at the trapdoor is impossible (according to the <a href="/wiki/Schwartz%E2%80%93Zippel_lemma" title="Schwartz–Zippel lemma">Schwartz–Zippel lemma</a>). If <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)(x-i)=p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)(x-i)=p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/df1c5265fa800b0df3bd82b16db59068d8ba6ffd" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.393ex; height:2.843ex;" alt="{\displaystyle q(x)(x-i)=p(x)-y}"> is now verified to be true, then <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.07ex; height:2.009ex;" alt="{\displaystyle q}"> is verified to exist, therefore <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/47178b352a165ce12aa32e69668186900f47e210" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:8.394ex; height:2.843ex;" alt="{\displaystyle p(x)-y}"> must be polynomial-divisible by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle (x-i)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle (x-i)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/31e93651a8f09f03475c64fb06d69350527e15c2" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:6.782ex; height:2.843ex;" alt="{\displaystyle (x-i)}">, so <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle p(i)-y=0}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo>=</mo> <mn>0</mn> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle p(i)-y=0}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/18a48a96ce528086665d1544ae9d883341b19d79" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; margin-left: -0.089ex; width:12.127ex; height:2.843ex;" alt="{\displaystyle p(i)-y=0}"> due to the <a href="/wiki/Factor_theorem" title="Factor theorem">factor theorem</a>. This proves that the <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">th value of the committed vector must have equaled <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}">, since that is the output of evaluating the committed polynomial at <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/add78d8608ad86e54951b8c8bd6c8d8416533d20" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.802ex; height:2.176ex;" alt="{\displaystyle i}">. <style data-mw-deduplicate="TemplateStyles:r1214851843">.mw-parser-output .hidden-begin{box-sizing:border-box;width:100%;padding:5px;border:none;font-size:95%}.mw-parser-output .hidden-title{font-weight:bold;line-height:1.6;text-align:left}.mw-parser-output .hidden-content{text-align:left}@media all and (max-width:500px){.mw-parser-output .hidden-begin{width:auto!important;clear:none!important;float:none!important}}</style><div class="hidden-begin mw-collapsible mw-collapsed" style="border: 1px solid lightgray;"><div class="hidden-title skin-nightmode-reset-color" style="text-align:center; text-align:left">Why the bilinear map pairing is used</div><div class="hidden-content mw-collapsible-content" style=""> The utility of the bilinear map pairing is to allow the multiplication of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c38bbafe34a043d284f19231b946a76c0a4b16b4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.209ex; height:2.843ex;" alt="{\displaystyle q(x)}"> by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x-i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x-i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/08c6415ec45d76965789b24add7cd20817617a4a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:4.973ex; height:2.343ex;" alt="{\displaystyle x-i}"> to happen securely. These values truly lie in <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}">, where division is assumed to be computationally hard. For example, <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{1}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>1</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{1}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/726aefa2fe8762775a4d0e21d8fbc75371e631e6" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{1}}"> might be an <a href="/wiki/Elliptic_curve" title="Elliptic curve">elliptic curve</a> over a finite field, as is common in <a href="/wiki/Elliptic-curve_cryptography" title="Elliptic-curve cryptography">elliptic-curve cryptography</a>. Then, the division assumption is called the <a href="/wiki/Elliptic-curve_cryptography#Rationale" title="Elliptic-curve cryptography">elliptic curve discrete logarithm problem</a>[<a href="/wiki/MOS:BROKENSECTIONLINKS" class="mw-redirect" title="MOS:BROKENSECTIONLINKS">broken anchor</a>], and this assumption is also what guards the trapdoor value from being computed, making it also a foundation of KZG commitments. In that case, we want to check if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)(x-i)=p(x)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)(x-i)=p(x)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/df1c5265fa800b0df3bd82b16db59068d8ba6ffd" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.393ex; height:2.843ex;" alt="{\displaystyle q(x)(x-i)=p(x)-y}">. This cannot be done without a pairing, because with values on the curve of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot q(x)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot q(x)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1c12c944dc0745f2814bcddfa2bf2b1efb0b90ad" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:7.714ex; height:2.843ex;" alt="{\displaystyle G\cdot q(x)}"> and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot (x-i)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot (x-i)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3a89b573f24fdb5ecfd685033a3340e3cfe2edda" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:10.288ex; height:2.843ex;" alt="{\displaystyle G\cdot (x-i)}">, we cannot compute <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot (q(x)(x-i))}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> <mo stretchy="false">(</mo> <mi>x</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot (q(x)(x-i))}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/45b26ebc233d704dd40325c90b727fb54b1cb011" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:16.305ex; height:2.843ex;" alt="{\displaystyle G\cdot (q(x)(x-i))}">. That would violate the <a href="/wiki/Computational_Diffie%E2%80%93Hellman_assumption" title="Computational Diffie–Hellman assumption">computational Diffie–Hellman assumption</a>, a foundational assumption in <a href="/wiki/Elliptic-curve_cryptography" title="Elliptic-curve cryptography">elliptic-curve cryptography</a>. We instead use a <a href="/wiki/Pairing" title="Pairing">pairing</a> to sidestep this problem. <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(x)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(x)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c38bbafe34a043d284f19231b946a76c0a4b16b4" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.209ex; height:2.843ex;" alt="{\displaystyle q(x)}"> is still multiplied by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5f3c8921a3b352de45446a6789b104458c9f90b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.827ex; height:2.176ex;" alt="{\displaystyle G}"> to get <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle G\cdot q(x)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>x</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle G\cdot q(x)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1c12c944dc0745f2814bcddfa2bf2b1efb0b90ad" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:7.714ex; height:2.843ex;" alt="{\displaystyle G\cdot q(x)}">, but the other side of the multiplication is done in the paired group <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{2}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/77759bcf62cde320f8f721c589d438906aaf9e13" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:2.862ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{2}}">, so, <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H\cdot (t-i)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H\cdot (t-i)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/55726f0fa39fbec250bfebc1e44175f2f85da344" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:10.034ex; height:2.843ex;" alt="{\displaystyle H\cdot (t-i)}">. We compute <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G\cdot q(t),H\cdot (t-i))}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>H</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G\cdot q(t),H\cdot (t-i))}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c75478b7a362c0f6380fa3927e2fc63c2e619841" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:21.185ex; height:2.843ex;" alt="{\displaystyle e(G\cdot q(t),H\cdot (t-i))}">, which, due to the <a href="/wiki/Bilinear_map" title="Bilinear map">bilinearity</a> of the map, is equal to <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G,H)^{q(t)\cdot (t-i)}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/5262da30c445b6e63cbb4c151d63cbddf792f91f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:14.855ex; height:3.343ex;" alt="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}}">. In this output group <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \mathbb {G} _{T}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <msub> <mrow class="MJX-TeXAtom-ORD"> <mi mathvariant="double-struck">G</mi> </mrow> <mrow class="MJX-TeXAtom-ORD"> <mi>T</mi> </mrow> </msub> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \mathbb {G} _{T}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0897b2beaf6721f43453d63f48f8e5ddf706036f" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:3.197ex; height:2.509ex;" alt="{\displaystyle \mathbb {G} _{T}}"> we still have the <a href="/wiki/Discrete_logarithm#Cryptography" title="Discrete logarithm">discrete logarithm problem</a>, so even though we know that value and <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G,H)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G,H)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/234f59b180bf75400ceb09c83a92be0cd6ecb7ee" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:7.817ex; height:2.843ex;" alt="{\displaystyle e(G,H)}">, we cannot extract the exponent <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(t)\cdot (t-i)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(t)\cdot (t-i)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/bb9fb3dbeb12aa0100c24afba5a7d16452024e97" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:11.689ex; height:2.843ex;" alt="{\displaystyle q(t)\cdot (t-i)}">, preventing any contradiction with discrete logarithm earlier. This value can be compared to <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G\cdot (p(t)-y),H)=e(G,H)^{p(t)-y}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> <mo stretchy="false">)</mo> <mo>,</mo> <mi>H</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G\cdot (p(t)-y),H)=e(G,H)^{p(t)-y}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c6467f61f6f607ec35eb209557b1457e582f8738" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:35.063ex; height:3.343ex;" alt="{\displaystyle e(G\cdot (p(t)-y),H)=e(G,H)^{p(t)-y}}"> though, and if <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mrow> </msup> <mo>=</mo> <mi>e</mi> <mo stretchy="false">(</mo> <mi>G</mi> <mo>,</mo> <mi>H</mi> <msup> <mo stretchy="false">)</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mrow> </msup> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/05dca2ca9a8f29be2e02f5f0f532bc1ffd1904dc" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:30.798ex; height:3.343ex;" alt="{\displaystyle e(G,H)^{q(t)\cdot (t-i)}=e(G,H)^{p(t)-y}}"> we are able to conclude that <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(t)\cdot (t-i)=p(t)-y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>⋅</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> <mo>=</mo> <mi>p</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo>−</mo> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(t)\cdot (t-i)=p(t)-y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c084f43c824f5828bcb37b59e2be9e120008abec" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:22.602ex; height:2.843ex;" alt="{\displaystyle q(t)\cdot (t-i)=p(t)-y}">, without ever knowing what the actual value of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle t}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>t</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle t}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/65658b7b223af9e1acc877d848888ecdb4466560" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:0.84ex; height:2.009ex;" alt="{\displaystyle t}"> is, let alone <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle q(t)(t-i)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>q</mi> <mo stretchy="false">(</mo> <mi>t</mi> <mo stretchy="false">)</mo> <mo stretchy="false">(</mo> <mi>t</mi> <mo>−</mo> <mi>i</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle q(t)(t-i)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/03bb536917e9e88a42680e6e5bbccaf0c7925b87" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:10.01ex; height:2.843ex;" alt="{\displaystyle q(t)(t-i)}">. </div></div> Additionally, a KZG commitment can be extended to prove the values of any arbitrary <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle k}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>k</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle k}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c3c9a2c7b599b37105512c5d570edc034056dd40" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.211ex; height:2.176ex;" alt="{\displaystyle k}"> values of <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle X}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>X</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle X}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/68baa052181f707c662844a465bfeeb135e82bab" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.338ex; width:1.98ex; height:2.176ex;" alt="{\displaystyle X}"> (not just one value), with the proof size remaining <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(1)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mn>1</mn> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(1)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e66384bc40452c5452f33563fe0e27e803b0cc21" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.745ex; height:2.843ex;" alt="{\displaystyle O(1)}">, but the proof verification time scales with <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle O(k)}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>O</mi> <mo stretchy="false">(</mo> <mi>k</mi> <mo stretchy="false">)</mo> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle O(k)}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f5ec39041121b14e8c2b1a986c9b04547b223e3c" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:4.794ex; height:2.843ex;" alt="{\displaystyle O(k)}">. The proof is the same, but instead of subtracting a constant <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle y}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>y</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle y}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8a6208ec717213d4317e666f1ae872e00620a0d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.671ex; width:1.155ex; height:2.009ex;" alt="{\displaystyle y}">, we subtract a polynomial that causes multiple roots, at all the locations we want to prove, and instead of dividing by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle x-i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle x-i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/08c6415ec45d76965789b24add7cd20817617a4a" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.505ex; width:4.973ex; height:2.343ex;" alt="{\displaystyle x-i}"> we divide by <math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\textstyle \prod _{i}x-i}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="false" scriptlevel="0"> <munder> <mo>∏</mo> <mrow class="MJX-TeXAtom-ORD"> <mi>i</mi> </mrow> </munder> <mi>x</mi> <mo>−</mo> <mi>i</mi> </mstyle> </mrow> <annotation encoding="application/x-tex">{\textstyle \prod _{i}x-i}</annotation> </semantics> </math><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b986715c473d365c7575efd721b8a0c023c704dc" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -1.005ex; width:8.353ex; height:3.009ex;" alt="{\textstyle \prod _{i}x-i}"> for those same locations.<a href="#cite_note-26">[26]</a> <div class="mw-heading mw-heading2"><h2 id="Quantum_bit_commitment">Quantum bit commitment</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=24" title="Edit section: Quantum bit commitment">edit</a>]</div> It is an interesting question in <a href="/wiki/Quantum_cryptography" title="Quantum cryptography">quantum cryptography</a> if unconditionally secure bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of <a href="/wiki/Quantum_mechanics" title="Quantum mechanics">quantum mechanics</a>, as in the protocols for <a href="/wiki/Quantum_key_distribution" title="Quantum key distribution">unconditionally secure key distribution</a>. However, this is impossible, as Dominic Mayers showed in 1996 (see<a href="#cite_note-27">[27]</a> for the original proof). Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the <a href="/wiki/Schmidt_decomposition" title="Schmidt decomposition">Schmidt decomposition</a>, effectively defeating the binding property. One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.<a href="#cite_note-28">[28]</a> More generally, Mayers' proof applies only to protocols that exploit <a href="/wiki/Quantum_physics" class="mw-redirect" title="Quantum physics">quantum physics</a> but not <a href="/wiki/Special_relativity" title="Special relativity">special relativity</a>. Kent has shown that there exist unconditionally secure protocols for bit commitment that exploit the principle of <a href="/wiki/Special_relativity" title="Special relativity">special relativity</a> stating that information cannot travel faster than light.<a href="#cite_note-29">[29]</a> <div class="mw-heading mw-heading2"><h2 id="Commitments_based_on_physical_unclonable_functions">Commitments based on physical unclonable functions</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=25" title="Edit section: Commitments based on physical unclonable functions">edit</a>]</div> <a href="/wiki/Physical_unclonable_function" title="Physical unclonable function">Physical unclonable functions</a> (PUFs) rely on the use of a physical key with internal randomness, which is hard to clone or to emulate. Electronic, optical and other types of PUFs<a href="#cite_note-30">[30]</a> have been discussed extensively in the literature, in connection with their potential cryptographic applications including commitment schemes.<a href="#cite_note-31">[31]</a><a href="#cite_note-32">[32]</a> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=26" title="Edit section: See also">edit</a>]</div> <ul><li><a href="/wiki/Oblivious_transfer" title="Oblivious transfer">Oblivious transfer</a></li> <li><a href="/wiki/Accumulator_(cryptography)" title="Accumulator (cryptography)">Accumulator (cryptography)</a></li> <li><a href="/wiki/Key_signing_party" title="Key signing party">Key signing party</a></li> <li><a href="/wiki/Web_of_trust" title="Web of trust">Web of trust</a></li> <li><a href="/wiki/Zerocoin" class="mw-redirect" title="Zerocoin">Zerocoin</a></li> <li><a href="/wiki/Anagram#Establishment_of_priority" title="Anagram">Anagrams</a> — used by 17th-century natural philosophers to establish priority of a discovery without revealing it to others</li></ul> <div class="mw-heading mw-heading2"><h2 id="References">References</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=27" title="Edit section: References">edit</a>]</div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist"> <div class="mw-references-wrap mw-references-columns"><ol class="references"> <li id="cite_note-Goldreich-1"><a href="#cite_ref-Goldreich_1-0">^</a> <a href="/wiki/Oded_Goldreich" title="Oded Goldreich">Oded Goldreich</a> (2001). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20230323175232/https://www.wisdom.weizmann.ac.il/~oded/foc-book.html">Foundations of Cryptography</a>: Volume 1, Basic Tools. Cambridge University Press. <style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/0-521-79172-3" title="Special:BookSources/0-521-79172-3">0-521-79172-3</a>.: 224  </li> <li id="cite_note-BCC-2"><a href="#cite_ref-BCC_2-0">^</a> Gilles Brassard, David Chaum, and Claude Crépeau, <a rel="nofollow" class="external text" href="http://crypto.cs.mcgill.ca/~crepeau/PDF/BCC88-jcss.pdf">Minimum Disclosure Proofs of Knowledge</a>, Journal of Computer and System Sciences, vol. 37, pp. 156–189, 1988. </li> <li id="cite_note-3"><a href="#cite_ref-3">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGoldreichMicaliWigderson1991" class="citation journal cs1">Goldreich, Oded; Micali, Silvio; Wigderson, Avi (1991). <a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F116825.116852">"Proofs that yield nothing but their validity"</a>. Journal of the ACM. 38 (3): 690–728. <a href="/wiki/CiteSeerX_(identifier)" class="mw-redirect" title="CiteSeerX (identifier)">CiteSeerX</a> <a rel="nofollow" class="external text" href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.420.1478">10.1.1.420.1478</a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F116825.116852">10.1145/116825.116852</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:2389804">2389804</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Journal+of+the+ACM&rft.atitle=Proofs+that+yield+nothing+but+their+validity&rft.volume=38&rft.issue=3&rft.pages=690-728&rft.date=1991&rft_id=https%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fsummary%3Fdoi%3D10.1.1.420.1478%23id-name%3DCiteSeerX&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A2389804%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1145%2F116825.116852&rft.aulast=Goldreich&rft.aufirst=Oded&rft.au=Micali%2C+Silvio&rft.au=Wigderson%2C+Avi&rft_id=https%3A%2F%2Fdoi.org%2F10.1145%252F116825.116852&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-4"><a href="#cite_ref-4">^</a> Russell Impagliazzo, Moti Yung: Direct Minimum-Knowledge Computations. CRYPTO 1987: 40-51 </li> <li id="cite_note-Naor-5"><a href="#cite_ref-Naor_5-0">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFNaor1991" class="citation journal cs1">Naor, Moni (1991). <a rel="nofollow" class="external text" href="https://doi.org/10.1007%2FBF00196774">"Bit commitment using pseudorandomness"</a>. Journal of Cryptology. 4 (2): 151–158. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2FBF00196774">10.1007/BF00196774</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:15002247">15002247</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Journal+of+Cryptology&rft.atitle=Bit+commitment+using+pseudorandomness&rft.volume=4&rft.issue=2&rft.pages=151-158&rft.date=1991&rft_id=info%3Adoi%2F10.1007%2FBF00196774&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A15002247%23id-name%3DS2CID&rft.aulast=Naor&rft.aufirst=Moni&rft_id=https%3A%2F%2Fdoi.org%2F10.1007%252FBF00196774&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-Crepeau-6">^ <a href="#cite_ref-Crepeau_6-0">a</a> <a href="#cite_ref-Crepeau_6-1">b</a> Claude Crépeau, <a rel="nofollow" class="external text" href="http://crypto.cs.mcgill.ca/~crepeau/PDF/Commit.pdf">Commitment</a>, Cryptography and Quantum Information Lab, <a href="/wiki/McGill_University_School_of_Computer_Science" title="McGill University School of Computer Science">McGill University School of Computer Science</a>, accessed April 11, 2008 </li> <li id="cite_note-Blum-7"><a href="#cite_ref-Blum_7-0">^</a> Manuel Blum, <a rel="nofollow" class="external text" href="https://www.cs.cmu.edu/~mblum/research/pdf/coin/in4.html">Coin Flipping by Telephone</a>, Proceedings of <a href="/wiki/CRYPTO" class="mw-redirect" title="CRYPTO">CRYPTO</a> 1981, pp. 11–15, 1981, reprinted in SIGACT News vol. 15, pp. 23–27, 1983, <a href="/wiki/Carnegie_Mellon_School_of_Computer_Science" title="Carnegie Mellon School of Computer Science">Carnegie Mellon School of Computer Science</a>. </li> <li id="cite_note-Even-8"><a href="#cite_ref-Even_8-0">^</a> Shimon Even. Protocol for signing contracts. In <a href="/wiki/Allen_Gersho" title="Allen Gersho">Allen Gersho</a>, ed., Advances in Cryptography (proceedings of CRYPTO '82), pp. 148–153, Santa Barbara, CA, US, 1982. </li> <li id="cite_note-SRA81-9"><a href="#cite_ref-SRA81_9-0">^</a> A. Shamir, <a href="/wiki/R._L._Rivest" class="mw-redirect" title="R. L. Rivest">R. L. Rivest</a>, and L. Adleman, "<a href="/wiki/Mental_Poker" class="mw-redirect" title="Mental Poker">Mental Poker</a>". In <a href="/wiki/David_A._Klarner" title="David A. Klarner">David A. Klarner</a>, ed., <a rel="nofollow" class="external text" href="https://books.google.com/books?id=DhgGCAAAQBAJ&pg=PA37">The Mathematical Gardner</a> (<link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-4684-6686-7" title="Special:BookSources/978-1-4684-6686-7">978-1-4684-6686-7</a>), pp. 37–43. Wadsworth, Belmont, California, 1981. </li> <li id="cite_note-GMW-10"><a href="#cite_ref-GMW_10-0">^</a> <a href="/wiki/Oded_Goldreich" title="Oded Goldreich">Oded Goldreich</a>, <a href="/wiki/Silvio_Micali" title="Silvio Micali">Silvio Micali</a>, and <a href="/wiki/Avi_Wigderson" title="Avi Wigderson">Avi Wigderson</a>, <a rel="nofollow" class="external text" href="http://portal.acm.org/citation.cfm?id=116825.116852">Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems</a>, <a href="/wiki/Journal_of_the_ACM" title="Journal of the ACM">Journal of the ACM</a>, 38: 3, pp. 690–728, 1991 </li> <li id="cite_note-GK-11"><a href="#cite_ref-GK_11-0">^</a> Oded Goldreich and <a href="/wiki/Hugo_Krawczyk" title="Hugo Krawczyk">Hugo Krawczyk</a>, <a rel="nofollow" class="external text" href="http://citeseer.ist.psu.edu/goldreich90composition.html">On the Composition of Zero-Knowledge Proof Systems</a>, <a href="/wiki/SIAM_Journal_on_Computing" title="SIAM Journal on Computing">SIAM Journal on Computing</a>, 25: 1, pp. 169–192, 1996 </li> <li id="cite_note-12"><a href="#cite_ref-12">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGennaroRosarioRabinRabin" class="citation journal cs1 cs1-prop-long-vol">Gennaro; Rosario; Rabin, Michael O.; Rabin, Tal. "Simplified VSS and fast-track multiparty computations with applications to threshold cryptography". Proceedings of the Seventeenth Annual ACM Symposium on Principles of Distributed Computing. 1998, June.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Proceedings+of+the+Seventeenth+Annual+ACM+Symposium+on+Principles+of+Distributed+Computing.&rft.atitle=Simplified+VSS+and+fast-track+multiparty+computations+with+applications+to+threshold+cryptography&rft.volume=1998%2C+June&rft.au=Gennaro&rft.au=Rosario&rft.au=Rabin%2C+Michael+O.&rft.au=Rabin%2C+Tal&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-13"><a href="#cite_ref-13">^</a> R. Canetti and M. Fischlin. <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2001/055">Universally Composable Commitments.</a> </li> <li id="cite_note-14"><a href="#cite_ref-14">^</a> Shien Hin Ong and Salil Vadhan (1990). Perfect zero knowledge in constant round, In Proc. STOC, p. 482–493, cited in Shien Hin Ong and Salil Vadhan (2008). An Equivalence between Zero Knowledge and Commitments, Theory of Cryptography. </li> <li id="cite_note-15"><a href="#cite_ref-15">^</a> Toshiya Itoh, Yiji Ohta, Hiroki Shizuya (1997). A language dependent cryptographic primitive, In J. Cryptol., 10(1):37-49, cited in Shien Hin Ong and Salil Vadhan (2008). An Equivalence between Zero Knowledge and Commitments, Theory of Cryptography. </li> <li id="cite_note-16"><a href="#cite_ref-16">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWagner2006" class="citation cs2">Wagner, David (2006), <a rel="nofollow" class="external text" href="http://www.cs.berkeley.edu/~daw/teaching/cs276-s06/mtsol.ps">Midterm Solution</a>, p. 2, retrieved 26 October 2015</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Midterm+Solution&rft.pages=2&rft.date=2006&rft.aulast=Wagner&rft.aufirst=David&rft_id=http%3A%2F%2Fwww.cs.berkeley.edu%2F~daw%2Fteaching%2Fcs276-s06%2Fmtsol.ps&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-17"><a href="#cite_ref-17">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://citeseer.ist.psu.edu/context/22544/0">"Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex)"</a>. Citeseer.ist.psu.edu. Retrieved 2014-06-07.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Citations%3A+Bit+Commitment+using+Pseudorandom+Generators+-+Naor+%28ResearchIndex%29&rft.pub=Citeseer.ist.psu.edu&rft_id=http%3A%2F%2Fciteseer.ist.psu.edu%2Fcontext%2F22544%2F0&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-Pedersen_pp._129–140-18"><a href="#cite_ref-Pedersen_pp._129–140_18-0">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFPedersen1992" class="citation book cs1">Pedersen, Torben Pryds (1992). "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing". Advances in Cryptology – CRYPTO '91. Lecture Notes in Computer Science. Vol. 576. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 129–140. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F3-540-46766-1_9">10.1007/3-540-46766-1_9</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-3-540-55188-1" title="Special:BookSources/978-3-540-55188-1"><bdi>978-3-540-55188-1</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Non-Interactive+and+Information-Theoretic+Secure+Verifiable+Secret+Sharing&rft.btitle=Advances+in+Cryptology+%E2%80%93+CRYPTO+%2791&rft.place=Berlin%2C+Heidelberg&rft.series=Lecture+Notes+in+Computer+Science&rft.pages=129-140&rft.pub=Springer+Berlin+Heidelberg&rft.date=1992&rft_id=info%3Adoi%2F10.1007%2F3-540-46766-1_9&rft.isbn=978-3-540-55188-1&rft.aulast=Pedersen&rft.aufirst=Torben+Pryds&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-metere2017automated-19"><a href="#cite_ref-metere2017automated_19-0">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMetereDong2017" class="citation conference cs1">Metere, Roberto; Dong, Changyu (2017). "Automated cryptographic analysis of the pedersen commitment scheme". International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security. Springer. pp. 275–287.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Automated+cryptographic+analysis+of+the+pedersen+commitment+scheme&rft.btitle=International+Conference+on+Mathematical+Methods%2C+Models%2C+and+Architectures+for+Computer+Network+Security&rft.pages=275-287&rft.pub=Springer&rft.date=2017&rft.aulast=Metere&rft.aufirst=Roberto&rft.au=Dong%2C+Changyu&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-20"><a href="#cite_ref-20">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFTangPeiLiuHe2004" class="citation journal cs1">Tang, Chunming; Pei, Dingyi; Liu, Zhuojun; He, Yong (16 August 2004). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20170811001441/https://eprint.iacr.org/2004/201.pdf">"Pedersen: Non-interactive and information-theoretic secure verifiable secret sharing"</a> (PDF). Cryptology ePrint Archive. Advances in Cryptology CRYPTO 1991 Springer. Archived from <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2004/201.pdf">the original</a> (PDF) on 11 August 2017. Retrieved 2 February 2019.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Cryptology+ePrint+Archive&rft.atitle=Pedersen%3A+Non-interactive+and+information-theoretic+secure+verifiable+secret+sharing&rft.date=2004-08-16&rft.aulast=Tang&rft.aufirst=Chunming&rft.au=Pei%2C+Dingyi&rft.au=Liu%2C+Zhuojun&rft.au=He%2C+Yong&rft_id=https%3A%2F%2Feprint.iacr.org%2F2004%2F201.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-21"><a href="#cite_ref-21">^</a> Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, Moti Yung: Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology 11(2): 87–108 (1998)<a rel="nofollow" class="external autonumber" href="https://link.springer.com/article/10.1007%2Fs001459900037">[1]</a> </li> <li id="cite_note-menezes2018handbook-22"><a href="#cite_ref-menezes2018handbook_22-0">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMenezesVan_OorschotVanstone2018" class="citation book cs1">Menezes, Alfred J; Van Oorschot, Paul C; Vanstone, Scott A (2018). Handbook of applied cryptography. CRC press.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Handbook+of+applied+cryptography&rft.pub=CRC+press&rft.date=2018&rft.aulast=Menezes&rft.aufirst=Alfred+J&rft.au=Van+Oorschot%2C+Paul+C&rft.au=Vanstone%2C+Scott+A&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-masquerade2022-23"><a href="#cite_ref-masquerade2022_23-0">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMourisTsoutsos2022" class="citation journal cs1">Mouris, Dimitris; Tsoutsos, Nektarios Georgios (26 January 2022). <a rel="nofollow" class="external text" href="https://eprint.iacr.org/2021/1370.pdf">"Masquerade: Verifiable Multi-Party Aggregation with Secure Multiplicative Commitments"</a> (PDF). Cryptology ePrint Archive.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Cryptology+ePrint+Archive&rft.atitle=Masquerade%3A+Verifiable+Multi-Party+Aggregation+with+Secure+Multiplicative+Commitments&rft.date=2022-01-26&rft.aulast=Mouris&rft.aufirst=Dimitris&rft.au=Tsoutsos%2C+Nektarios+Georgios&rft_id=https%3A%2F%2Feprint.iacr.org%2F2021%2F1370.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-24"><a href="#cite_ref-24">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFCatalanoFiore2013" class="citation book cs1">Catalano, Dario; Fiore, Dario (2013). <a rel="nofollow" class="external text" href="https://link.springer.com/chapter/10.1007/978-3-642-36362-7_5">"Vector Commitments and Their Applications"</a>. Public-Key Cryptography – PKC 2013. Lecture Notes in Computer Science. Vol. 7778. Springer Berlin Heidelberg. pp. 55–72. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F978-3-642-36362-7_5">10.1007/978-3-642-36362-7_5</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-3-642-36362-7" title="Special:BookSources/978-3-642-36362-7"><bdi>978-3-642-36362-7</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Vector+Commitments+and+Their+Applications&rft.btitle=Public-Key+Cryptography+%E2%80%93+PKC+2013&rft.series=Lecture+Notes+in+Computer+Science&rft.pages=55-72&rft.pub=Springer+Berlin+Heidelberg&rft.date=2013&rft_id=info%3Adoi%2F10.1007%2F978-3-642-36362-7_5&rft.isbn=978-3-642-36362-7&rft.aulast=Catalano&rft.aufirst=Dario&rft.au=Fiore%2C+Dario&rft_id=https%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-642-36362-7_5&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFCatalanoFiore2013" class="citation journal cs1">Catalano, Dario; Fiore, Dario (2013). <a rel="nofollow" class="external text" href="https://www.iacr.org/archive/pkc2013/77780054/77780054.pdf">"Vector Commitments and Their Applications"</a> (PDF). International Association for Cryptologic Research.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=International+Association+for+Cryptologic+Research&rft.atitle=Vector+Commitments+and+Their+Applications&rft.date=2013&rft.aulast=Catalano&rft.aufirst=Dario&rft.au=Fiore%2C+Dario&rft_id=https%3A%2F%2Fwww.iacr.org%2Farchive%2Fpkc2013%2F77780054%2F77780054.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-25"><a href="#cite_ref-25">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBecker2008" class="citation web cs1">Becker, Georg (2008-07-18). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20141222120036/http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf">"Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis"</a> (PDF). Ruhr-Universität Bochum. p. 16. Archived from <a rel="nofollow" class="external text" href="http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf">the original</a> (PDF) on 2014-12-22. Retrieved 2013-11-20.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Merkle+Signature+Schemes%2C+Merkle+Trees+and+Their+Cryptanalysis&rft.pages=16&rft.pub=Ruhr-Universit%C3%A4t+Bochum&rft.date=2008-07-18&rft.aulast=Becker&rft.aufirst=Georg&rft_id=http%3A%2F%2Fwww.emsec.rub.de%2Fmedia%2Fcrypto%2Fattachments%2Ffiles%2F2011%2F04%2Fbecker_1.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-26"><a href="#cite_ref-26">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFKateZaveruchaGoldberg2010" class="citation journal cs1">Kate, Aniket; Zaverucha, Gregory; Goldberg, Ian (2010). <a rel="nofollow" class="external text" href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">"Constant-size commitments to polynomials and their applications"</a> (PDF). International Conference on the Theory and Application of Cryptology and Information Security.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=International+Conference+on+the+Theory+and+Application+of+Cryptology+and+Information+Security&rft.atitle=Constant-size+commitments+to+polynomials+and+their+applications.&rft.date=2010&rft.aulast=Kate&rft.aufirst=Aniket&rft.au=Zaverucha%2C+Gregory&rft.au=Goldberg%2C+Ian&rft_id=https%3A%2F%2Fwww.iacr.org%2Farchive%2Fasiacrypt2010%2F6477178%2F6477178.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-27"><a href="#cite_ref-27">^</a> Brassard, Crépeau, Mayers, Salvail: <a rel="nofollow" class="external text" href="https://arxiv.org/abs/quant-ph/9712023">A brief review on the impossibility of quantum bit commitment</a> </li> <li id="cite_note-28"><a href="#cite_ref-28">^</a> A. Kent: <a rel="nofollow" class="external text" href="https://arxiv.org/abs/quant-ph/9906103">Secure classical Bit Commitment using Fixed Capacity Communication Channels</a> </li> <li id="cite_note-29"><a href="#cite_ref-29">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFKent1999" class="citation journal cs1">Kent, A. (1999). "Unconditionally Secure Bit Commitment". Phys. Rev. Lett. 83 (7): 1447–1450. <a href="/wiki/ArXiv_(identifier)" class="mw-redirect" title="ArXiv (identifier)">arXiv</a>:<a rel="nofollow" class="external text" href="https://arxiv.org/abs/quant-ph/9810068">quant-ph/9810068</a>. <a href="/wiki/Bibcode_(identifier)" class="mw-redirect" title="Bibcode (identifier)">Bibcode</a>:<a rel="nofollow" class="external text" href="https://ui.adsabs.harvard.edu/abs/1999PhRvL..83.1447K">1999PhRvL..83.1447K</a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1103%2FPhysRevLett.83.1447">10.1103/PhysRevLett.83.1447</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:8823466">8823466</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Phys.+Rev.+Lett.&rft.atitle=Unconditionally+Secure+Bit+Commitment&rft.volume=83&rft.issue=7&rft.pages=1447-1450&rft.date=1999&rft_id=info%3Aarxiv%2Fquant-ph%2F9810068&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A8823466%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1103%2FPhysRevLett.83.1447&rft_id=info%3Abibcode%2F1999PhRvL..83.1447K&rft.aulast=Kent&rft.aufirst=A.&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-30"><a href="#cite_ref-30">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMcGrathBagciWangRoedig2019" class="citation journal cs1">McGrath, Thomas; Bagci, Ibrahim E.; Wang, Zhiming M.; Roedig, Utz; Young, Robert J. (2019-02-12). <a rel="nofollow" class="external text" href="https://doi.org/10.1063%2F1.5079407">"A PUF taxonomy"</a>. Applied Physics Reviews. 6 (1): 011303. <a href="/wiki/Bibcode_(identifier)" class="mw-redirect" title="Bibcode (identifier)">Bibcode</a>:<a rel="nofollow" class="external text" href="https://ui.adsabs.harvard.edu/abs/2019ApPRv...6a1303M">2019ApPRv...6a1303M</a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1063%2F1.5079407">10.1063/1.5079407</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Applied+Physics+Reviews&rft.atitle=A+PUF+taxonomy&rft.volume=6&rft.issue=1&rft.pages=011303&rft.date=2019-02-12&rft_id=info%3Adoi%2F10.1063%2F1.5079407&rft_id=info%3Abibcode%2F2019ApPRv...6a1303M&rft.aulast=McGrath&rft.aufirst=Thomas&rft.au=Bagci%2C+Ibrahim+E.&rft.au=Wang%2C+Zhiming+M.&rft.au=Roedig%2C+Utz&rft.au=Young%2C+Robert+J.&rft_id=https%3A%2F%2Fdoi.org%2F10.1063%252F1.5079407&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-31"><a href="#cite_ref-31">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRührmairvan_Dijk2013" class="citation journal cs1">Rührmair, Ulrich; van Dijk, Marten (2013-04-01). "On the practical use of physical unclonable functions in oblivious transfer and bit commitment protocols". Journal of Cryptographic Engineering. 3 (1): 17–28. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2Fs13389-013-0052-8">10.1007/s13389-013-0052-8</a>. <a href="/wiki/Hdl_(identifier)" class="mw-redirect" title="Hdl (identifier)">hdl</a>:<a rel="nofollow" class="external text" href="https://hdl.handle.net/1721.1%2F103985">1721.1/103985</a>. <a href="/wiki/ISSN_(identifier)" class="mw-redirect" title="ISSN (identifier)">ISSN</a> <a rel="nofollow" class="external text" href="https://search.worldcat.org/issn/2190-8516">2190-8516</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:15713318">15713318</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Journal+of+Cryptographic+Engineering&rft.atitle=On+the+practical+use+of+physical+unclonable+functions+in+oblivious+transfer+and+bit+commitment+protocols&rft.volume=3&rft.issue=1&rft.pages=17-28&rft.date=2013-04-01&rft_id=info%3Ahdl%2F1721.1%2F103985&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A15713318%23id-name%3DS2CID&rft.issn=2190-8516&rft_id=info%3Adoi%2F10.1007%2Fs13389-013-0052-8&rft.aulast=R%C3%BChrmair&rft.aufirst=Ulrich&rft.au=van+Dijk%2C+Marten&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> <li id="cite_note-32"><a href="#cite_ref-32">^</a> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFNikolopoulos2019" class="citation journal cs1">Nikolopoulos, Georgios M. (2019-09-30). "Optical scheme for cryptographic commitments with physical unclonable keys". Optics Express. 27 (20): 29367–29379. <a href="/wiki/ArXiv_(identifier)" class="mw-redirect" title="ArXiv (identifier)">arXiv</a>:<a rel="nofollow" class="external text" href="https://arxiv.org/abs/1909.13094">1909.13094</a>. <a href="/wiki/Bibcode_(identifier)" class="mw-redirect" title="Bibcode (identifier)">Bibcode</a>:<a rel="nofollow" class="external text" href="https://ui.adsabs.harvard.edu/abs/2019OExpr..2729367N">2019OExpr..2729367N</a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1364%2FOE.27.029367">10.1364/OE.27.029367</a>. <a href="/wiki/ISSN_(identifier)" class="mw-redirect" title="ISSN (identifier)">ISSN</a> <a rel="nofollow" class="external text" href="https://search.worldcat.org/issn/1094-4087">1094-4087</a>. <a href="/wiki/PMID_(identifier)" class="mw-redirect" title="PMID (identifier)">PMID</a> <a rel="nofollow" class="external text" href="https://pubmed.ncbi.nlm.nih.gov/31684673">31684673</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:203593129">203593129</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Optics+Express&rft.atitle=Optical+scheme+for+cryptographic+commitments+with+physical+unclonable+keys&rft.volume=27&rft.issue=20&rft.pages=29367-29379&rft.date=2019-09-30&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A203593129%23id-name%3DS2CID&rft_id=info%3Abibcode%2F2019OExpr..2729367N&rft_id=info%3Aarxiv%2F1909.13094&rft.issn=1094-4087&rft_id=info%3Adoi%2F10.1364%2FOE.27.029367&rft_id=info%3Apmid%2F31684673&rft.aulast=Nikolopoulos&rft.aufirst=Georgios+M.&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACommitment+scheme" class="Z3988"> </li> </ol></div></div> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2>[<a href="/w/index.php?title=Commitment_scheme&action=edit&section=28" title="Edit section: External links">edit</a>]</div> <ul><li><a rel="nofollow" class="external text" href="http://xstructure.inr.ac.ru/x-bin/theme3.py?level=1&index1=355717">Quantum bit commitment on arxiv.org</a></li> <li><a rel="nofollow" class="external text" href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Kate-Zaverucha-Goldberg (KZG) Constant-Sized Polynomial Commitments - Alin Tomescu</a></li> <li><a rel="nofollow" class="external text" href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Kate polynomial commitments</a></li></ul>    </div><noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/w/index.php?title=Commitment_scheme&oldid=1249656446">https://en.wikipedia.org/w/index.php?title=Commitment_scheme&oldid=1249656446</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Help:Category" title="Help:Category">Categories</a>: <ul><li><a href="/wiki/Category:Public-key_cryptography" title="Category:Public-key cryptography">Public-key cryptography</a></li><li><a href="/wiki/Category:Zero-knowledge_protocols" title="Category:Zero-knowledge protocols">Zero-knowledge protocols</a></li><li><a href="/wiki/Category:Secret_sharing" title="Category:Secret sharing">Secret sharing</a></li><li><a href="/wiki/Category:Cryptographic_primitives" title="Category:Cryptographic primitives">Cryptographic primitives</a></li></ul></div><div id="mw-hidden-catlinks" class="mw-hidden-catlinks mw-hidden-cats-hidden">Hidden categories: <ul><li><a href="/wiki/Category:CS1:_long_volume_value" title="Category:CS1: long volume value">CS1: long volume value</a></li><li><a href="/wiki/Category:Articles_with_short_description" title="Category:Articles with short description">Articles with short description</a></li><li><a href="/wiki/Category:Short_description_is_different_from_Wikidata" title="Category:Short description is different from Wikidata">Short description is different from Wikidata</a></li><li><a href="/wiki/Category:Articles_needing_additional_references_from_October_2014" title="Category:Articles needing additional references from October 2014">Articles needing additional references from October 2014</a></li><li><a href="/wiki/Category:All_articles_needing_additional_references" title="Category:All articles needing additional references">All articles needing additional references</a></li><li><a href="/wiki/Category:Pages_with_broken_anchors" title="Category:Pages with broken anchors">Pages with broken anchors</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 6 October 2024, at 03:26 (UTC).</li> <li id="footer-info-copyright">Text is available under the <a href="/wiki/Wikipedia:Text_of_the_Creative_Commons_Attribution-ShareAlike_4.0_International_License" title="Wikipedia:Text of the Creative Commons Attribution-ShareAlike 4.0 International License">Creative Commons Attribution-ShareAlike 4.0 License</a>; additional terms may apply. By using this site, you agree to the <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use" class="extiw" title="foundation:Special:MyLanguage/Policy:Terms of Use">Terms of Use</a> and <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy" class="extiw" title="foundation:Special:MyLanguage/Policy:Privacy policy">Privacy Policy</a>. Wikipedia® is a registered trademark of the <a rel="nofollow" class="external text" href="https://wikimediafoundation.org/">Wikimedia Foundation, Inc.</a>, a non-profit organization.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=Commitment_scheme&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-f69cdc8f6-cbh7h","wgBackendResponseTime":155,"wgPageParseReport":{"limitreport":{"cputime":"0.656","walltime":"0.877","ppvisitednodes":{"value":3658,"limit":1000000},"postexpandincludesize":{"value":55631,"limit":2097152},"templateargumentsize":{"value":3796,"limit":2097152},"expansiondepth":{"value":18,"limit":100},"expensivefunctioncount":{"value":2,"limit":500},"unstrip-depth":{"value":1,"limit":20},"unstrip-size":{"value":90529,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 511.978 1 -total"," 55.27% 282.956 1 Template:Reflist"," 24.03% 123.024 11 Template:Cite_journal"," 17.89% 91.607 1 Template:Short_description"," 14.94% 76.471 1 Template:More_citations_needed"," 14.08% 72.084 1 Template:Ambox"," 12.49% 63.927 2 Template:Pagetype"," 11.55% 59.158 2 Template:ISBN"," 9.59% 49.077 2 Template:Catalog_lookup_link"," 5.88% 30.110 1 Template:Hidden"]},"scribunto":{"limitreport-timeusage":{"value":"0.271","limit":"10.000"},"limitreport-memusage":{"value":7451354,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-f69cdc8f6-vz5zt","timestamp":"20241122143154","ttl":2592000,"transientcontent":false}}});});</script> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Commitment scheme","url":"https:\/\/en.wikipedia.org\/wiki\/Commitment_scheme","sameAs":"http:\/\/www.wikidata.org\/entity\/Q1115684","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q1115684","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2004-01-23T00:05:20Z","dateModified":"2024-10-06T03:26:04Z","headline":"cryptographic concept"}</script> </body> </html>