精华内容
下载资源
问答
  • commitment

    2010-09-10 09:36:51
    Successful weight management requires a long-term commitment.[@more@] Normal 0 false ...
    Successful weight management requires a long-term commitment.
    [@more@]Normal0falsefalsefalseEN-USZH-CNX-NONE
    The research showed that a large percentage of women start noticing the pounds creeping back on just 21 days after reaching their ideal weight.

    来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/60325/viewspace-1038155/,如需转载,请注明出处,否则将追究法律责任。

    转载于:http://blog.itpub.net/60325/viewspace-1038155/

    展开全文
  • commitment control

    2017-11-04 13:43:36
    IBM 开发技术最新文档- commitment control 最新文档 V7
  • Commitment Schemas

    2020-06-23 21:13:28
    Two-pharse commitment Pros The existance of commitment is public, the sender must reveal it, or will be punished. Can hide the value. Cons: Can not hide ether sending. Can not hide the existence ...

    学习笔记

    Two-pharse commitment

    • Pros
      • The existance of commitment is public, the sender must reveal it, or will be punished.
      • Can hide the value.
    • Cons:
      • Can not hide ether sending.
      • Can not hide the existence of this commitment
      • It may be vulnerable to front-runnig attack, if no nonce in the commitment.

    Multi-pharse commitment

    A extension of two-pharse commitment. The key idea is to add a index in the commitment

    • Pros
      • It provides a solution for a long-time-running commit-reveal activity.
    • Cons
      • Can not hide the existence of this commitment
      • Can not hide ether sending.
      • It may be vulnerable to front-runnig attack if no nonce in the commitment.
      • Compute the commitment with index and preimage, and then compared the result with the commitment to guess the preimage of the commitment.

    Submarine commitment

    https://hackingdistributed.com/2017/08/28/submarine-sends/
    https://libsubmarine.org/
    https://github.com/lorenzb/libsubmarine

    Key idea: Send ether to a fresh address, such as X=Hash(senderAddress, data, initial(Code))

    Example code:

    contract Forwarder {
        address constant addrContract = 0x123;
        function () {
            if (msg.sender == addrContract)
                addrContract.send(this.balance);
        }
    }
    // 依赖Create2 op code. contractAddress = Hash(callerAddress, nonce, initial(Code))
    // Send ether to a fresh address which is a contract, so we can retrieve the money in the address.
    
    • Pros:
      • Can hide the commitment (even the ether) by hide the tx in all of the similar tx in the commit pharse, this is a k-anoymity privacy.
    • Cons:
      • The existance of commitment is not public, the sender can choose to not reveal it and will not be punished.
    展开全文
  • A classical problem in scheduling and integer programming is the unit commitment problem. In this problem
  • commitment, 我使用的提交消息生成器 承诺是一个小的Tornado 应用程序,它生成随机提交消息。http://whatthecommit.com/承诺还提供了提供纯文本输出的 http://whatthecommit.com/index.txt 。一
  • 1. commitment scheme commitment scheme是密码学中必不可少的primitive,存在2个角色——committer和receiver: committer 将a value put in a locked box,将该locked box给receiver,因此除committer外无人知道...

    1. commitment scheme

    commitment scheme是密码学中必不可少的primitive,存在2个角色——committer和receiver:
    committer 将a value put in a locked box,将该locked box给receiver,因此除committer外无人知道具体的value值(即hiding属性),由于locked box已在receiver手上,该committer不能open出2个不同的value值for the same commitment(即binding属性)。

    同时,可以在不泄露具体value值的情况下,证明relations between committed values。

    通常,a non-interactive commitment scheme中包含3个基本算法:

    • S e t u p ( 1 k ) Setup(1^k) Setup(1k):输入为security parameter k k k,输出为系统需要的public parameters。
    • C o m m i t ( m , r ) Commit(m,r) Commit(m,r):输入为待commit的message m m m,随机值 r r r,输出为commitment c c c和an opening value d d d
    • V e r i f y ( c , m , d ) Verify(c,m,d) Verify(c,m,d):输入为commitment c c c、message m m m 和 an opening value d d d,输出为yes or no,即表示验证是否通过。

    其中,commitment c c c is sent to the receiver at the commit time,而opening value d d d is sent together with the message m m m at the opening time to allow verification。

    • hiding 属性:是指commitment c c c不会泄露 m m m (either perfect secrecy, or computational indistinguishability)。
    • binding 属性:是指no adversary (either powerful or computationally bounded) can generate c , m ≠ m ′ , d , d ′ c,m\neq m',d,d' c,m=m,d,d使得 V e r i f y ( c , m , d ) Verify(c,m,d) Verify(c,m,d) V e r i f y ( c , m ′ , d ′ ) Verify(c,m',d') Verify(c,m,d)都成立。

    接下来将介绍2个简单的commitment schemes,二者具有互补特性,可结合使用形成powerful commitment scheme:

    • Pedersen Commitment
    • EIGamal Commitment

    2. Pedersen commitment

    考虑 G = < g > \mathbb{G}=<g> G=<g> 为a cyclic group of prime order q q q,2个随机generators g , h ∈ G g,h\in\mathbb{G} g,hG
    Pedersen commitment允许commit to scalar elements from Z q \mathbb{Z}_q Zq

    • Commitment:
      为了commit to a scalar m ∈ Z q m\in\mathbb{Z}_q mZq,one 选择a random r ← Z q r \leftarrow \mathbb{Z}_q rZq,设置 c ← g m h r c\leftarrow g^mh^r cgmhr,相应的opening value为 r r r

    • Opening:
      为了open a commitment c ∈ G c\in\mathbb{G} cG,one reveal the pair ( m , r ) (m,r) (m,r)。若 c = g m h r c=g^mh^r c=gmhr成立,则receiver accepts the opening to m m m,否则拒绝。

    Q-1: Pedersen commitment具有perfectly hiding属性——even a powerful adversary cannot have any idea about the committed value。
    Q-2: Pedersen commitment具有computationally binding属性——除非one can break a problem (to be specified), 否则 adversary can not open a commitment in two different ways。
    Q-3: Pedersen commitment 是equivocal 模棱两可的:simulator 使用a trapdoor (仅simulator本人知道) 来生成 parameters ( g , h ) (g,h) (g,h)时(与Setup算法无法区分),该simulator可生成a commitment c ∈ G c\in\mathbb{G} cG,然后open成任意的值。【其实应该就是指若simulator知道 g a = h g^a=h ga=h,其中 a a a为trapdoor,则该simulator可生成a commitment c c c,并将其open为任意值。】
    Q-4: 何时可在a security proof中使用Pedersen commitment的binding属性 和 equivocality 模棱两可?
    Q-5: 何时可在a security proof中使用Pedersen commitment的hiding属性 和 equivocality 模棱两可?

    3. EIGamal commitment

    考虑 G = < g > \mathbb{G}=<g> G=<g> 为a cyclic group of prime order q q q,2个随机generators g , h ∈ G g,h\in\mathbb{G} g,hG
    EIGamal commitment允许commit to group elements from G \mathbb{G} G

    • Commitment:
      为了commit to a group element M ∈ G M\in\mathbb{G} MG,one 选择a random r ← Z q r\leftarrow \mathbb{Z}_q rZq,设置 c ← ( c 0 = g r , c 1 = M h r ) c\leftarrow (c_0=g^r,c_1=Mh^r) c(c0=gr,c1=Mhr),相应的opening value为 r r r
    • Opening:
      为了open a commitment c ∈ G c\in\mathbb{G} cG,one reveal the pair ( M , r ) (M,r) (M,r)。若 c = ( g r , M h r ) c=(g^r, Mh^r) c=(gr,Mhr)成立,则receiver accepts the opening to M M M,否则拒绝。

    Q-6: EIGamal commitment具有perfectly binding属性——even a powerful adversary cannot open a commitment in two different ways。【对于group order q q q,若存在 r ≠ r ′ m o d    q r\neq r'\mod q r=rmodq,则 g r ≠ g r ′ g^r\neq g^{r'} gr=gr,对应的 x = r ′ − r m o d    q x=r'-r\mod q x=rrmodq x x x为non-zero modulo q q q。因此有 g r ′ = g r + x = g r ⋅ g x g^{r'}=g^{r+x}=g^r\cdot g^x gr=gr+x=grgx,若 x x x为not zero or a multiple of the group order,则不存在 r ≠ r ′ m o d    q r\neq r'\mod q r=rmodq,使得 g r = g r ′ g^r=g^{r'} gr=gr成立。因此,EIGamal具有perfectly binding属性。】
    Q-7: EIGamal commitment具有computationally hiding属性——除非one can break a problem (to be specified), 否则 adversary can not distinguish commitments to M 0 M_0 M0 or M 1 M_1 M1 of its choice。【即an unbounded adversary can simply try all possible r ∈ Z q r\in\mathbb{Z}_q rZq till it matches g r g^r gr,然后根据已知的 r r r 可找到 M ∈ G M\in\mathbb{G} MG matches M h r Mh^r Mhr。】
    Q-8: EIGamal commitment 是extractable可提取的:simulator 使用a trapdoor (仅simulator本人知道) 来生成 parameters ( g , h ) (g,h) (g,h)时(与Setup算法无法区分),则该simulator可extract the committed value in any c ∈ G c\in\mathbb{G} cG。【其实应该就是指若simulator知道 g a = h g^a=h ga=h,其中 a a a为trapdoor,则该simulator可extract M = B / A a M=B/A^a M=B/Aa。】
    Q-9: 何时可在a security proof中使用EIGamal commitment的binding属性 和 extractability可提取?
    Q-10: 何时可在a security proof中使用EIGamal commitment的hiding属性 和 extractability可提取?
    Q-11: EIGamal commitment之所以称为”EIGamal” commitment,是因为这其实就是EIGamal encryption。(具体可参见博客 EIGamal encryption VS Pairing encryption
    How one could make the hiding property and the extractability compatible without any limitation?

    4. Non-interactive commitments (Pedersen commitment + EIGamal commitment)

    Pedersen commitment:

    • perfectly hiding
    • computationally binding

    EIGamal commitment:

    • computationally hiding
    • perfectly binding

    Q-12: 由此可知,a non-interactive commitment 不可能同时具有perfectly hiding和perfectly binding属性。(which would mean both hiding and binding against powerful adversaries。)

    an efficient construction in the random oracle model为:
    c = C o m m i t ( m , r ) = H ( m , r ) c=Commit(m,r)=H(m,r) c=Commit(m,r)=H(m,r)
    其中 H H H为hash函数 H : { 0 , 1 } ∗ → { 0 , 1 } 2 k H: \{0,1\}^*\rightarrow \{0,1\}^{2k} H:{0,1}{0,1}2k,on the message m ∈ { 0 , 1 } ∗ m\in\{0,1\}^* m{0,1} to commit, with random coins r ∈ { 0 , 1 , } 3 k r\in\{0,1,\}^{3k} r{0,1,}3k,for security parameter k k k,相应的opening value为 r r r
    Q-13: 以上random oracle model下的构建确实是a non-interactive commitment scheme (具有hiding和binding属性),and say under which assumptions (some limit or not on the number of queries to the random oracle)。
    Q-14: Show that it is also extractable and equivocal for a simulator that can access the list of query-answer pairs and that can program the random oracle in an indistinguishable way。

    为了在standard model(而不是random oracle model)情况下,实现类似以上的具有equivocal和extractable的commitment scheme,具体的构建思路为:

    • an equivocal bit-commitment scheme C o m m i t e q ( b , r ) Commit_{eq}(b,r) Commiteq(b,r),for a bit b ∈ { 0 , 1 } b\in\{0,1\} b{0,1} and random coins r r r,输出为a commitment c c c,和 opening value d ∈ { 0 , 1 } 2 k d\in\{0,1\}^{2k} d{0,1}2k。(可参见博客 水银承诺mercurial commitment 中的chameleon hash function。其本质可为Pedersen commitment。)
    • an extractable commitment scheme C o m m i t e x t ( D , r ′ ) Commit_{ext}(D,r') Commitext(D,r), for a bitstring D ∈ { 0 , 1 } 2 k D\in \{0,1\}^{2k} D{0,1}2k 安定random coins r ′ r' r,输出为commitment c ′ c' c和opening value O O O

    注意以上两种commitment scheme中, C o m m i t e q Commit_{eq} Commiteq的输出opening value d d d C o m m i t e x t Commit_{ext} Commitext 的输入 D D D,两者都在the same space { 0 , 1 } 2 k \{0,1\}^{2k} {0,1}2k

    On a message m = ( m 1 , ⋯   , m l ) ∈ { 0 , 1 } l m=(m_1,\cdots,m_l)\in\{0,1\}^l m=(m1,,ml){0,1}l ,整个commitment 算法 C o m m i t ( m , ( ( r i ) i , ( D i ′ ) i , ( r i , b ′ ) i , b ) ) Commit(m, ((r_i)_i, (D'_i)_i, (r'_{i,b})_{i,b})) Commit(m,((ri)i,(Di)i,(ri,b)i,b))流程为:

    • for random coins r i r_i ri for i = 1 , ⋯   , l i=1,\cdots,l i=1,,l,设置 ( c i , D i ) ← C o m m i t e q ( m i , r i ) (c_i,D_i)\leftarrow Commit_{eq}(m_i,r_i) (ci,Di)Commiteq(mi,ri)
    • for random coins D i ′ ← { 0 , 1 } 2 k D'_i \leftarrow \{0,1\}^{2k} Di{0,1}2k,设置 d i , m i ← D i , d i , 1 − m i ← D i ′ d_{i,m_i}\leftarrow D_i,d_{i,1-m_i}\leftarrow D'_i di,miDi,di,1miDi for i = 1 , ⋯   , l i=1,\cdots, l i=1,,l
    • for random coins r i , b ′ r'_{i,b} ri,b,设置 ( c i , b ′ , O i , b ) ← C o m m i t e x t ( d i , b , r i , b ′ ) (c'_{i,b},O_{i,b})\leftarrow Commit_{ext}(d_{i,b}, r'_{i,b}) (ci,b,Oi,b)Commitext(di,b,ri,b) for i = 1 , ⋯   , l i=1,\cdots,l i=1,,l and b = 0 , 1 b=0,1 b=0,1
    • output the commitment ( c i , ( c i , b ′ ) b ) i (c_i, (c'_{i,b})_b)_i (ci,(ci,b)b)i,opening value ( d i , m , O i , m i ) i (d_{i,m}, O_{i,m_i})_i (di,m,Oi,mi)i

    Q-15: Explain how works the Verify 算法。
    Q-16: Show this is indeed a commitment scheme: with both hiding and binding properties。
    Q-17: Show this commitment scheme is also both equivocal and extractable。

    参考资料:

    [1] Difference between Pedersen commitment and commitment based on ElGamal
    [2] David Pointcheval 的课件Commiments Schemes
    [3] Why is the El Gamal commitment scheme information theoretically binding?

    展开全文
  • Pedersen commitment

    千次阅读 2019-04-04 10:50:49
    reference:https://crypto.stackexchange.com/questions/9704/why-is-the-pedersen-commitment-computationally-binding
    展开全文
  • 1. 椭圆曲线下的Pedersen commitment 椭圆曲线下Pedersen commitment可用scalar multiplication of curve points来表示: C=rH+aGC=rH+aGC=rH+aG 其中,CCC为椭圆曲线上的一个点curve point,作为commitment;aaa...
  • Unit commitment

    2012-05-21 14:33:55
    Unit commitment The problem of unit commitment involves finding the least-cost dispatch of available generation resources to meet the electrical load. Generating resources can include a wide ran
  • 寻找赞助商 喜欢吗? 考虑成为该项目的赞助商。 您的贡献使网站保持运行。 关于WTC(承诺事项) ...或使用 vscode扩展 执照 版权所有(c)2010-2017 Nick Gerakines 该项目及其内容在MIT许可下是开源的。
  • Loan Commitment

    2012-02-09 15:54:35
    http://www.investopedia.com/terms/l/loan-commitment.asp#axzz1lnDvrq00 ...Definition of 'Loan Commitment' A loan amount that may be drawn down, or is due to be contractually funded in the future. Loa
  • vector commitment

    2020-01-29 22:33:07
    2016年论文《Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions》 2016年论文《Functional Commitment Schemes: From Polynomial Commitments ...
  • unit commitment in matlab
  • 随机单位承诺 公式和双重优化算法主要借鉴了Anthony Papavasiliou的工作: 将可再生能源与需求延缓耦合 作者:帕帕瓦西里乌(Papavasiliou),安东尼(Anthony)博士,加利福尼亚大学伯克利分校,2011,99;...
  • mixed integer unit commitment
  • 1. 陷门承诺(trapdoor commitment) 陷门承诺方案(trapdoor commitment)是一种特殊的承诺方案,该概念由Brassard等人于1988年首先提出。陷门承诺方案一个特有的性质是它允许拥有陷门信息的人可以以不同的方式打开...
  • 本博文主要研究的是 Benedikt Bünz 等人(standford,ethereum,berkeley) 2019年论文《Proofs for Inner Pairing Products and Applications》中的Pairing-based polynomial commitment schemes,其本质为 a ...
  • 1. Zexe中的pedersen commitment Zexe中基于的是pairing based曲线。 Zexe中的pedersen commitment 为Pedersen CRH,当做Com(a1∗m1,a1∗r1)=a1∗Com(m1,r1)Com(a_1*m_1,a_1*r_1)=a_1* Com(m_1,r_1)Com(a1​∗m1​,...
  • Timed Commitment的实现

    2021-01-07 19:11:08
    教程:定时承诺的实现 定时承诺介绍 承诺过程包括两个阶段:承诺阶段和开启阶段。...每个诚实的接受者都可以确信,无论恶意承诺者的行为如何,承诺都可以以一种方式公开,即承诺者既不能反悔也不能使用x
  • 比特承诺 Bit Commitment

    千次阅读 2016-10-20 16:42:46
    Definition of Bit Commitment   比特承诺 (Bit Commitment,BC)是密码学中的重要基 础协议,其概念最早由1995 年 图灵奖 得主Blum 提出。比特承诺方案可用于构建零知识证明、可验证秘密 ...
  • polynomial commitment及实现方式对比

    千次阅读 2019-09-20 19:10:26
    1. commitment 具体参见博客密码学上的commitment和Pedersen Commitment扫盲及sage和python脚本。 commitment一般分为commit和reveal两个阶段,具有binding特性,即某个值commit后,将不可修改。 2. vector ...
  • 电力系统机组组合模型的建立和求解,包含节点导纳矩阵的建立
  • Alice在第(3)步使用单向函数阻止 Bob对函数求逆并确定这个比特。 当到了要Alice出示她的比特的时候,协议继续: (4)Alice将原消息发给Bob。 (R1,R2,b) (5)Bob计算消息的单向函数值,并将该值...
  • Trading Pyramid - Commitment

    2009-10-30 10:29:00
    Gieno Trading Pyramid - Commitment To many traders the market is a generator of random sequences. In many cases it will drive you round the bend. Commitment is a very necessa...
  • 密码学上的commitment

    千次阅读 2019-06-12 11:07:28
    A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed va...
  • Git-Commitment-源码

    2021-06-12 16:21:35
    Git承诺 科林·斯特德曼
  • Zcash中的commitment

    2021-04-09 12:23:27
    1. 引言 commitment scheme为a function,其输入为: random commitment trapdoor r r r input value s s s 其输出为: commitment c m cm cm commitment scheme 的属性有: hiding属性,即不知道 r r r的情况下,...
  • re-send `commitment_signed`

    2020-12-08 22:26:21
    <ul><li>if next_local_commitment_number is equal to the commitment number of the last commitment_signed message the receiving node has sent:<ul><li>MUST reuse the same commitment number for its next ...

空空如也

空空如也

1 2 3 4 5 ... 20
收藏数 7,543
精华内容 3,017
关键字:

commitment的使用