1. 引言
在博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1中,主要对 Algorand团队Gorbunov等人2020年论文《Pointproofs: Aggregating Proofs for Multiple Vector Commitments》做了一个总体的梳理。该论文在 Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》的基础上,做了以下改进:
- 采用了非对称bilinear pairing group,并针对
G
1
\mathbb{G}_1
G1域内的运算效率>
G
2
\mathbb{G}_2
G2>
G
T
\mathbb{G}_T
GT,对Verify算法做了优化(计算
r
=
(
∑
i
∈
S
m
i
t
i
)
−
1
m
o
d
p
r=(\sum_{i\in S}m_it_i)^{-1}\ mod\ p
r=(∑i∈Smiti)−1 mod p,将
G
T
\mathbb{G}_T
GT域内的运算转移到
G
1
\mathbb{G}_1
G1域内):
- 采用Random Oracle Model,基于hash函数 H H H引入了随机参数 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S])来实现same-commitment aggregation;基于hash函数 H H H和 H ′ H' H′引入了随机参数 t j , i = H ( i , C j , S j , m ⃗ j [ S j ] ) t_{j,i}=H(i,C_j,S_j,\vec{m}_j[S_j]) tj,i=H(i,Cj,Sj,mj[Sj])和 t j ′ = H ′ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j'=H'(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) tj′=H′(j,{Cj,Sj,mj[Sj]}j∈[l])来实现cross-commitment aggregation。
本博客将重点关注:
- proof of correctness/binding for same-commitment aggregation
- proof of correctness/binding for cross-commitment aggregation
- same-commitment aggregation from CDH-like assumption
- weak binding and realization
- cross-commitment aggregation from polynomial commitments
- https://github.com/algorand/pointproofs 代码解析
该论文实现的binding属性是基于AGW+ROM model under the
l
l
l-wBDHE assumption:(详细定义参见博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1 1.1节内容)
2. proof of correctness/binding for same-commitment aggregation
2.1 same commitment aggregation
具体的实现为:
-
Setup( 1 λ , 1 N 1^{\lambda},1^N 1λ,1N):取随机值 α ← Z p \alpha\leftarrow \mathbb{Z}_p α←Zp,输出:【其中 a ⃗ = ( α , α 2 , ⋯ , α N ) \vec{a}=(\alpha,\alpha^2,\cdots,\alpha^N) a=(α,α2,⋯,αN)】
g 1 a ⃗ = ( g 1 α , ⋯ , g 1 α N ) g_1^{\vec{a}}=(g_1^\alpha,\cdots,g_1^{\alpha^N}) g1a=(g1α,⋯,g1αN)
g 1 α N a ⃗ [ − 1 ] = ( g 1 α N + 2 , ⋯ , g 1 α 2 N ) g_1^{\alpha^N\vec{a}[-1]}=(g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}}) g1αNa[−1]=(g1αN+2,⋯,g1α2N)
g 2 a ⃗ = ( g 2 α , ⋯ , g 2 α N ) g_2^{\vec{a}}=(g_2^\alpha,\cdots,g_2^{\alpha^N}) g2a=(g2α,⋯,g2αN)
g T α N + 1 = e ( g 1 α , g 2 α N ) g_T^{\alpha^{N+1}}=e(g_1^{\alpha},g_2^{\alpha^N}) gTαN+1=e(g1α,g2αN)
Prove key为: g 1 a ⃗ , g 1 α N a ⃗ [ − 1 ] g_1^{\vec{a}},g_1^{\alpha^N\vec{a}[-1]} g1a,g1αNa[−1]
Verify key为: g 2 a ⃗ , g T α N + 1 g_2^{\vec{a}},g_T^{\alpha^{N+1}} g2a,gTαN+1
而 α \alpha α为有毒垃圾,trusted setup后应直接丢弃,must never be known to the adversary。 -
Commit( m ⃗ \vec{m} m) for m ⃗ ∈ Z p N \vec{m}\in \mathbb{Z}_p^N m∈ZpN:
C = g 1 m ⃗ T a ⃗ = g 1 ∑ i ∈ N m i α i C=g_1^{\vec{m}^T\vec{a}}=g_1^{\sum_{i\in N}m_i\alpha^i} C=g1mTa=g1∑i∈Nmiαi -
UpdateCommit( C , S , m ⃗ [ S ] , m ⃗ ′ [ S ] C,S,\vec{m}[S],\vec{m}'[S] C,S,m[S],m′[S]):
C ′ = C ⋅ g 1 ( m ⃗ ′ [ S ] − m ⃗ [ S ] ) T a ⃗ [ S ] = C ⋅ g 1 ∑ i ∈ S ( m i ′ − m i ) α i C'=C\cdot g_1^{(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]}=C\cdot g_1^{\sum_{i\in S}(m_i'-m_i)\alpha^i} C′=C⋅g1(m′[S]−m[S])Ta[S]=C⋅g1∑i∈S(mi′−mi)αi -
Prove( i , m ⃗ i,\vec{m} i,m):open第 i i i个位置。
π i = g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] = g 1 ∑ j ∈ [ N ] − { i } m j α N + 1 − i + j \pi_i=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]}=g_1^{\sum_{j\in [N]-\{i\}}m_j\alpha^{N+1-i+j}} πi=g1αN+1−im[−i]Ta[−i]=g1∑j∈[N]−{i}mjαN+1−i+j
其中 g 1 α N + 1 − i a ⃗ [ − i ] g_1^{\alpha^{N+1-i}\vec{a}[-i]} g1αN+1−ia[−i]均已包含在了Prove key中了。
若 m j m_j mj at index j ≠ i j\neq i j=i changes to m j ′ m_j' mj′,则 π i ′ = π ⋅ g 1 ( m j ′ − m j ) α N + 1 − i + j \pi_i'=\pi\cdot g_1^{(m_j'-m_j)\alpha^{N+1-i+j}} πi′=π⋅g1(mj′−mj)αN+1−i+j,若 m i m_i mi changes to m i ′ m_i' mi′,则proof 不变 π i ′ = π i \pi_i'=\pi_i πi′=πi。但是两种情况下,commitment C C C均需要更新为 C ′ C' C′。 -
Aggregate( C , S , m ⃗ [ S ] , { π i : i ∈ S } C,S,\vec{m}[S],\{\pi_i:i\in S\} C,S,m[S],{πi:i∈S}):
π ^ = ∏ i ∈ S π i t i \hat{\pi}=\prod_{i\in S}\pi_i^{t_i} π^=∏i∈Sπiti
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S]) -
Verify( C , S , m ⃗ [ S ] , π ^ C,S,\vec{m}[S],\hat{\pi} C,S,m[S],π^):
验证 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Smiti 是否成立。
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S])
2.2 proof of correctness for same-commitment aggregation
对于任意的
i
∈
[
N
]
,
π
i
=
P
r
o
v
e
(
i
,
m
⃗
)
=
g
1
α
N
+
1
−
i
m
⃗
[
−
i
]
T
a
⃗
[
−
i
]
i\in [N],\pi_i=Prove(i,\vec{m})=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]}
i∈[N],πi=Prove(i,m)=g1αN+1−im[−i]Ta[−i],对Commit
/Prove
/Aggregate
/Verify
整个流程,可分两步证明:
- 1)证明 e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi
- 2)证明 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Smiti
具体为:
1)有
m
⃗
T
a
⃗
=
m
⃗
[
−
i
]
T
a
⃗
[
−
i
]
+
α
i
m
i
\vec{m}^T\vec{a}=\vec{m}[-i]^T\vec{a}[-i]+\alpha^im_i
mTa=m[−i]Ta[−i]+αimi
等式左右两边同时乘以
α
N
+
1
−
i
\alpha^{N+1-i}
αN+1−i,有:
(
m
⃗
T
a
⃗
)
α
N
+
1
−
i
=
α
N
+
1
−
i
m
⃗
[
−
i
]
T
a
⃗
[
−
i
]
+
α
N
+
1
m
i
(\vec{m}^T\vec{a})\alpha^{N+1-i}=\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]+\alpha^{N+1}m_i
(mTa)αN+1−i=αN+1−im[−i]Ta[−i]+αN+1mi
转换为pairing计算,有:
e
(
g
1
m
⃗
T
a
⃗
,
g
2
α
N
+
1
−
i
)
=
e
(
g
1
α
N
+
1
−
i
m
⃗
[
−
i
]
T
a
⃗
[
−
i
]
,
g
2
)
⋅
g
T
α
N
+
1
m
i
e(g_1^{\vec{m}^T\vec{a}},g_2^{\alpha^{N+1-i}})=e(g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]},g_2)\cdot g_T^{\alpha^{N+1}m_i}
e(g1mTa,g2αN+1−i)=e(g1αN+1−im[−i]Ta[−i],g2)⋅gTαN+1mi
从而证明了
e
(
C
,
g
2
α
N
+
1
−
i
)
=
e
(
π
i
,
g
2
)
⋅
g
T
α
N
+
1
m
i
e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i}
e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi 成立。
2)在
e
(
C
,
g
2
α
N
+
1
−
i
)
=
e
(
π
i
,
g
2
)
⋅
g
T
α
N
+
1
m
i
e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i}
e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi的基础上,等式左右两侧均进行
t
i
t_i
ti次幂乘,则有:
e
(
C
,
g
2
α
N
+
1
−
i
t
i
)
=
e
(
π
i
t
i
,
g
2
)
⋅
g
T
α
N
+
1
m
i
t
i
e(C,g_2^{\alpha^{N+1-i}t_i})=e(\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}m_it_i}
e(C,g2αN+1−iti)=e(πiti,g2)⋅gTαN+1miti
将要open的
S
S
S集合内的所有公式均乘一块,有(for all
i
∈
S
i\in S
i∈S):
e
(
C
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
=
e
(
∏
i
∈
S
π
i
t
i
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\prod_{i\in S}\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}
e(C,g2∑i∈SαN+1−iti)=e(∏i∈Sπiti,g2)⋅gTαN+1∑i∈Smiti=e(π^,g2)⋅gTαN+1∑i∈Smiti 成立。
证明UpdateCommit
算法正确性的思路为:
m
⃗
′
T
a
⃗
=
(
m
⃗
′
[
S
]
−
m
⃗
[
S
]
)
T
a
⃗
[
S
]
+
m
⃗
T
a
⃗
\vec{m}'^T\vec{a}=(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]+\vec{m}^T\vec{a}
m′Ta=(m′[S]−m[S])Ta[S]+mTa 等式恒成立。
2.3 proof of binding for same-commitment aggregation
采用归谬法来证明,假设adversary 可计算
C
=
g
1
z
⃗
T
a
⃗
C=g_1^{\vec{z}^T\vec{a}}
C=g1zTa,并为
(
S
,
m
⃗
[
S
]
)
(S,\vec{m}[S])
(S,m[S])提供proof
π
^
\hat{\pi}
π^【其中
m
⃗
[
S
]
≠
z
⃗
[
S
]
\vec{m}[S]\neq \vec{z}[S]
m[S]=z[S]】,使得
π
^
\hat{\pi}
π^可被Verify通过。
e
(
g
1
z
⃗
T
a
⃗
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
z
i
t
i
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}
e(g1zTa,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti=e(π^,g2)⋅gTαN+1∑i∈Smiti
注意adversary也不知道
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1,即
log
g
1
π
^
\log_{g_1}\hat{\pi}
logg1π^ 中
α
N
+
1
\alpha^{N+1}
αN+1 项的系数应为
0
0
0。
比较上述等式中
g
T
α
N
+
1
g_T^{\alpha^{N+1}}
gTαN+1的系数应满足:
∑
i
∈
S
m
i
t
i
≡
p
∑
i
∈
S
z
i
t
i
\sum_{i\in S}m_it_i\equiv_p \sum_{i \in S}z_it_i
∑i∈Smiti≡p∑i∈Sziti
用向量表示,应满足:
z
⃗
[
S
]
T
t
⃗
≡
p
m
⃗
[
S
]
T
t
⃗
\vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}
z[S]Tt≡pm[S]Tt
其中
t
⃗
=
(
H
(
i
,
C
,
S
,
m
⃗
[
S
]
)
,
i
∈
S
)
\vec{t}=(H(i,C,S,\vec{m}[S]),i\in S)
t=(H(i,C,S,m[S]),i∈S)
假设当
(
S
,
z
⃗
[
S
]
,
m
⃗
[
S
]
)
(S,\vec{z}[S],\vec{m}[S])
(S,z[S],m[S])确定后,
t
⃗
←
Z
p
∣
S
∣
\vec{t}\leftarrow \mathbb{Z}_p^{|S|}
t←Zp∣S∣为chosen uniformly at random 时,则有:
Pr
t
⃗
[
z
⃗
[
S
]
̸
≡
p
m
⃗
[
S
]
a
n
d
z
⃗
[
S
]
T
t
⃗
≡
p
m
⃗
[
S
]
T
t
⃗
]
=
1
/
p
\Pr_{\vec{t}}[\vec{z}[S]\not\equiv_p \vec{m}[S]\ and\ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}]=1/p
Prt[z[S]≡pm[S] and z[S]Tt≡pm[S]Tt]=1/p
即相应的概率可忽略。
因此问题的关键在于:ensure the uniform choice of
t
⃗
\vec{t}
t for any fixed
(
S
,
z
⃗
[
S
]
,
m
⃗
[
S
]
)
(S,\vec{z}[S],\vec{m}[S])
(S,z[S],m[S])。
注意有:
- C C C determines z ⃗ \vec{z} z in AGM;
- C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]为random oracle H ( i , ⋅ , ⋅ , ⋅ ) H(i,\cdot,\cdot,\cdot) H(i,⋅,⋅,⋅) 的input,输出为 t i t_i ti。
若adversary可以找到相应的
m
i
≠
z
i
m_i\neq z_i
mi=zi值,使得:
∑
i
∈
S
z
i
t
i
≡
p
∑
i
∈
S
m
i
t
i
\sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i
∑i∈Sziti≡p∑i∈Smiti
成立,则binding属性不成立。
2.3.1 为何需要将 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]作为 H H H的input?
t i = H ( i , ⋅ , ⋅ , ⋅ ) t_i=H(i,\cdot,\cdot,\cdot) ti=H(i,⋅,⋅,⋅),为什么需要将 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]作为 H H H的input?
- 若 t i t_i ti与 m i m_i mi无关,则adversary可指定 ∣ S ∣ − 1 |S|-1 ∣S∣−1个 m i m_i mi的值,并根据 ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑i∈Sziti≡p∑i∈Smiti等式计算最后一个 m i m_i mi的值。从而破坏了binding属性。
- 若 t i = H ( i , C ) t_i=H(i,C) ti=H(i,C),Wanger’s attack可产生a 2 log p 2^{\sqrt{\log p}} 2logp algorithm that given { z i t i , m i t i } i ∈ [ N ] \{z_it_i,m_it_i\}_{i \in [N]} {ziti,miti}i∈[N],从而计算a set S S S of size 2 log p 2^{\sqrt{\log p}} 2logp 使得 ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑i∈Sziti≡p∑i∈Smiti 等式成立。对于128-bit security level for the curve(如 log p ≈ 256 \log p\approx 256 logp≈256), 2 log p ≈ 2 16 2^{\sqrt{\log p}}\approx 2^{16} 2logp≈216,which makes for a very pratical attack。
- 若 t i = H ( i , C , S ) t_i=H(i,C,S) ti=H(i,C,S),可能存在与 t i = H ( i , C ) t_i=H(i,C) ti=H(i,C)类似的攻击。【It seems plausible that the attack also extends to the setting of t i = H ( i , C , S ) t_i = H(i, C, S) ti=H(i,C,S): it would suffice to extend Wagner’s algorithm to finding values that sum to a given constant, because the values of the elements of S are not committed, and thus, although ∑ i ∈ S z i t i \sum_{i\in S} z_it_i ∑i∈Sziti is fixed, the attacker can choose from a list of random m i m_i mi for each i ∈ S i \in S i∈S.】
2.3.2 binding for same-commitment aggregation 分析
分为两步来分析:
1)bounding “lucky” queries。
相当于对于固定
C
,
S
,
m
⃗
[
S
]
C,S,\vec{m}[S]
C,S,m[S],寻找符合要求的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,满足
C
=
g
1
z
⃗
T
a
⃗
+
α
N
y
⃗
T
a
⃗
[
−
1
]
C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]}
C=g1zTa+αNyTa[−1],同时满足
m
⃗
[
S
]
̸
≡
p
z
⃗
[
S
]
且
(
m
⃗
[
S
]
−
z
⃗
[
S
]
)
T
t
⃗
≡
p
0
\vec{m}[S]\not\equiv_p\vec{z}[S]且(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0
m[S]≡pz[S]且(m[S]−z[S])Tt≡p0。若能找到相应的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,则称为“H-lucky”。
正常open为 { z i } i ∈ [ S ] \{z_i\}_{i\in [S]} {zi}i∈[S]的话,则 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i} e(C,g2∑i∈SαN+1−iti)=e(g1zTa,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti 等式是恒成立的。若想作弊open为 { m i } i ∈ [ S ] , 其 中 m ⃗ [ S ] ≠ z ⃗ [ S ] \{m_i\}_{i\in [S]},其中\vec{m}[S]\neq \vec{z}[S] {mi}i∈[S],其中m[S]=z[S]的话,则在等式两边都乘以 e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}) e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)的话,则有:
-
等式左边为: e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) ⋅ e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( C ′ , g 2 ∑ i ∈ S α N + 1 − i t i ) e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})\cdot e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(C',g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}) e(g1zTa,g2∑i∈SαN+1−iti)⋅e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(C′,g2∑i∈SαN+1−iti)
-
等式右边为: e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i ⋅ e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i ⋅ e ( g 1 , g 2 ) α N + 1 ∑ j ∈ [ N − 1 ] y j α j ⋅ ∑ i ∈ [ S ] α N + 1 − i t i e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot e(g_1,g_2)^{\alpha^{N+1}\sum_{j\in[N-1]}y_j\alpha^j\cdot\sum_{i\in[S]}\alpha^{N+1-i}t_i} e(π^,g2)⋅gTαN+1∑i∈Sziti⋅e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti⋅e(g1,g2)αN+1∑j∈[N−1]yjαj⋅∑i∈[S]αN+1−iti
其中 ∑ j ∈ [ N − 1 ] y j α j ⋅ ∑ i ∈ [ S ] α N + 1 − i t i = ∑ i ∈ [ S ] ( t i ⋅ ∑ j ∈ [ N − 1 ] y j α N + 1 − i + j ) = ∑ i ∈ [ S ] t i x i \sum_{j\in[N-1]}y_j\alpha^j\cdot\sum_{i\in[S]}\alpha^{N+1-i}t_i=\sum_{i\in [S]}(t_i\cdot \sum_{j\in[N-1]}y_j\alpha^{N+1-i+j})=\sum_{i\in[S]}t_ix_i ∑j∈[N−1]yjαj⋅∑i∈[S]αN+1−iti=∑i∈[S](ti⋅∑j∈[N−1]yjαN+1−i+j)=∑i∈[S]tixi, x i = ∑ j ∈ [ N − 1 ] y j α N + 1 − i + j x_i=\sum_{j\in[N-1]}y_j\alpha^{N+1-i+j} xi=∑j∈[N−1]yjαN+1−i+j。
这样就有
e
(
C
′
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
z
i
t
i
⋅
g
T
α
N
+
1
∑
i
∈
[
S
]
t
i
x
i
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
(
z
i
+
x
i
)
t
i
=
e
(
π
^
,
g
2
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
e(C',g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot g_T^{\alpha^{N+1}\sum_{i\in[S]}t_ix_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}(z_i+x_i)t_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}
e(C′,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti⋅gTαN+1∑i∈[S]tixi=e(π^,g2)⋅gTαN+1∑i∈S(zi+xi)ti=e(π^,g2)⋅gTαN+1∑i∈Smiti
其中:
m
i
=
z
i
+
x
i
=
z
i
+
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
−
i
+
j
m_i=z_i+x_i=z_i+\sum_{j\in[N-1]}y_j\alpha^{N+1-i+j}
mi=zi+xi=zi+∑j∈[N−1]yjαN+1−i+j
C
′
=
g
1
∑
i
∈
[
N
]
z
i
α
i
+
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
+
j
C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}}
C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j
C
=
g
1
∑
i
∈
[
N
]
z
i
α
i
C=g_1^{\sum_{i\in[N]}z_i\alpha^i}
C=g1∑i∈[N]ziαi
也就是说,若adversary可找到相应的
C
′
C'
C′,使得
H
(
i
,
C
,
S
,
m
⃗
[
S
]
)
=
H
(
i
,
C
′
,
S
,
m
⃗
[
S
]
)
H(i,C,S,\vec{m}[S])=H(i,C',S,\vec{m}[S])
H(i,C,S,m[S])=H(i,C′,S,m[S])成立且
C
′
=
g
1
∑
i
∈
[
N
]
z
i
α
i
+
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
+
j
且
C
=
g
1
∑
i
∈
[
N
]
z
i
α
i
C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}}且C=g_1^{\sum_{i\in[N]}z_i\alpha^i}
C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j且C=g1∑i∈[N]ziαi,则可作弊成功。即: 【这段话理解有问题,不应在于Hash碰撞,而在于,应该是对于固定
C
,
S
,
m
⃗
[
S
]
C,S,\vec{m}[S]
C,S,m[S],寻找符合要求的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,满足
C
=
g
1
z
⃗
T
a
⃗
+
α
N
y
⃗
T
a
⃗
[
−
1
]
C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]}
C=g1zTa+αNyTa[−1],同时满足
m
⃗
[
S
]
̸
≡
p
z
⃗
[
S
]
且
(
m
⃗
[
S
]
−
z
⃗
[
S
]
)
T
t
⃗
≡
p
0
\vec{m}[S]\not\equiv_p\vec{z}[S]且(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0
m[S]≡pz[S]且(m[S]−z[S])Tt≡p0。若能找到相应的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,则称为“H-lucky”。】
e
(
C
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
=
(
e
(
π
^
,
g
2
)
/
e
(
g
1
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
+
j
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
=
e
(
g
1
,
π
^
∗
)
⋅
g
T
α
N
+
1
∑
i
∈
S
m
i
t
i
e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=(e(\hat{\pi},g_2)/e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}))\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(g_1,\hat{\pi}^*)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}
e(C,g2∑i∈SαN+1−iti)=(e(π^,g2)/e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti))⋅gTαN+1∑i∈Smiti=e(g1,π^∗)⋅gTαN+1∑i∈Smiti
其中
e
(
g
1
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
+
j
,
g
2
∑
i
∈
S
α
N
+
1
−
i
t
i
)
e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})
e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti) 可根据现有的public parameter计算出来。
从而,对于
C
C
C,adversary可通过提供proof
π
^
∗
\hat{\pi}^*
π^∗ 作弊成功——将本应为
z
⃗
[
S
]
\vec{z}[S]
z[S] open 为了
m
⃗
[
S
]
\vec{m}[S]
m[S]。
由于 Pr t ⃗ [ z ⃗ [ S ] ̸ ≡ p m ⃗ [ S ] a n d z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ ] = 1 / p , 其 中 t ⃗ = ( H ( i , C , S , m ⃗ [ S ] ) : i ∈ S ) \Pr_{\vec{t}}[\vec{z}[S]\not\equiv_p \vec{m}[S]\ and\ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}]=1/p,其中\vec{t}=(H(i,C,S,\vec{m}[S]):i\in S) Prt[z[S]≡pm[S] and z[S]Tt≡pm[S]Tt]=1/p,其中t=(H(i,C,S,m[S]):i∈S),也就是说,对于固定的 ( S , m ⃗ [ S ] , z ⃗ [ S ] ) (S,\vec{m}[S],\vec{z}[S]) (S,m[S],z[S]),找到相应的 C ′ C' C′使得 H ( i , C , S , m ⃗ [ S ] ) = H ( i , C ′ , S , m ⃗ [ S ] ) H(i,C,S,\vec{m}[S])=H(i,C',S,\vec{m}[S]) H(i,C,S,m[S])=H(i,C′,S,m[S])成立,且存在 z ⃗ ∈ Z p N , y ⃗ ∈ Z p N − 1 \vec{z}\in \mathbb{Z}_p^N,\vec{y}\in\mathbb{Z}_p^{N-1} z∈ZpN,y∈ZpN−1使得 C ′ = g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j , C = g 1 ∑ i ∈ [ N ] z i α i C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},C=g_1^{\sum_{i\in[N]}z_i\alpha^i} C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,C=g1∑i∈[N]ziαi的概率不高于 1 / p 1/p 1/p。
By the union bound, the probability that an adversary makes an H-lucky query is at most q H / p q_H/p qH/p, where q H q_H qH is the number of queries to H H H. Below, we assume this never happens。
2)若可extracting g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1,则可破坏本论文 l l l-wBDHE security assumption。
若对于
C
=
g
1
z
⃗
T
a
⃗
+
α
N
y
⃗
T
a
⃗
[
−
1
]
=
g
1
∑
i
∈
[
N
]
z
i
α
i
+
∑
j
∈
[
N
−
1
]
y
j
α
N
+
1
+
j
C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]}=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}}
C=g1zTa+αNyTa[−1]=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,存在
(
S
∗
,
m
⃗
∗
,
π
^
∗
)
(S^*,\vec{m}^*,\hat{\pi}^*)
(S∗,m∗,π^∗) 使得:
m
⃗
∗
[
S
∗
]
≠
z
⃗
[
S
∗
]
且
V
e
r
i
f
y
(
C
,
S
∗
,
m
⃗
∗
[
S
∗
]
,
π
^
∗
)
\vec{m}^*[S^*]\neq \vec{z}[S^*] 且 Verify(C,S^*,\vec{m}^*[S^*],\hat{\pi}^*)
m∗[S∗]=z[S∗]且Verify(C,S∗,m∗[S∗],π^∗) 成立。
即有 e ( C , g 2 ∑ i ∈ S ∗ α N + 1 − i t i ) = e ( π ^ ∗ , g 2 ) ⋅ g T α N + 1 m ⃗ ∗ [ S ∗ ] T t ⃗ e(C,g_2^{\sum_{i\in S^*}\alpha^{N+1-i}t_i})=e(\hat{\pi}^*,g_2)\cdot g_T^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}} e(C,g2∑i∈S∗αN+1−iti)=e(π^∗,g2)⋅gTαN+1m∗[S∗]Tt成立,其中 t i = H ( i , C , S ∗ , m ⃗ ∗ [ S ∗ ] ) t_i=H(i,C,S^*,\vec{m}^*[S^*]) ti=H(i,C,S∗,m∗[S∗])。
于是有: C ∑ i ∈ S ∗ α N + 1 − i t i = π ^ ∗ ⋅ g 1 α N + 1 m ⃗ ∗ [ S ∗ ] T t ⃗ C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=\hat{\pi}^*\cdot g_1^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}} C∑i∈S∗αN+1−iti=π^∗⋅g1αN+1m∗[S∗]Tt 成立。
上述等式左侧展开为含
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1的项和不含
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1的项表示:
C
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
=
g
1
(
z
⃗
T
a
⃗
+
α
N
y
⃗
T
a
⃗
[
−
1
]
)
⋅
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=g_1^{(\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i}
C∑i∈S∗αN+1−iti=g1(zTa+αNyTa[−1])⋅∑i∈S∗αN+1−iti
The smallest i i i value is 1 1 1.
(1)
z
⃗
T
a
⃗
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
=
∑
i
∈
S
∗
z
⃗
T
a
⃗
α
N
+
1
−
i
t
i
=
∑
i
∈
S
∗
(
z
i
α
i
+
z
⃗
[
−
i
]
a
⃗
[
−
i
]
)
α
N
+
1
−
i
t
i
=
α
N
+
1
∑
i
∈
S
∗
z
i
t
i
+
∑
i
∈
S
∗
α
N
+
1
−
i
z
⃗
[
−
i
]
a
⃗
[
−
i
]
t
i
\vec{z}^T\vec{a}\sum_{i\in S^*}\alpha^{N+1-i}t_i=\sum_{i\in S^*}\vec{z}^T\vec{a}\alpha^{N+1-i}t_i =\sum_{i\in S^*}(z_i\alpha^i+\vec{z}[-i]\vec{a}[-i])\alpha^{N+1-i}t_i=\alpha^{N+1}\sum_{i\in S^*}z_it_i+\sum_{i\in S^*}\alpha^{N+1-i}\vec{z}[-i]\vec{a}[-i]t_i
zTa∑i∈S∗αN+1−iti=∑i∈S∗zTaαN+1−iti=∑i∈S∗(ziαi+z[−i]a[−i])αN+1−iti=αN+1∑i∈S∗ziti+∑i∈S∗αN+1−iz[−i]a[−i]ti
其中 ∑ i ∈ S ∗ α N + 1 − i z ⃗ [ − i ] a ⃗ [ − i ] t i \sum_{i\in S^*}\alpha^{N+1-i}\vec{z}[-i]\vec{a}[-i]t_i ∑i∈S∗αN+1−iz[−i]a[−i]ti depends on g 1 α , g 1 α 2 , ⋯ , g 1 α N , g 1 α N + 2 , ⋯ , g 1 α 2 N g_1^{\alpha},g_1^{\alpha^2},\cdots,g_1^{\alpha^N},g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}} g1α,g1α2,⋯,g1αN,g1αN+2,⋯,g1α2N。
(2)
α
N
y
⃗
T
a
⃗
[
−
1
]
)
⋅
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
\alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i
αNyTa[−1])⋅∑i∈S∗αN+1−iti depends on
g
1
α
N
+
3
,
⋯
,
g
1
α
3
N
g_1^{\alpha^{N+3}},\cdots,g_1^{\alpha^{3N}}
g1αN+3,⋯,g1α3N.
For :
C
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
=
π
^
∗
⋅
g
1
α
N
+
1
m
⃗
∗
[
S
∗
]
T
t
⃗
C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=\hat{\pi}^*\cdot g_1^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}}
C∑i∈S∗αN+1−iti=π^∗⋅g1αN+1m∗[S∗]Tt
Then:
(
g
1
∑
i
∈
S
∗
,
j
∈
S
∗
,
i
≠
j
z
j
t
i
α
N
+
1
−
i
+
j
)
⋅
(
g
1
z
⃗
[
−
S
∗
]
T
a
⃗
[
−
S
∗
]
⋅
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
)
⋅
(
g
1
α
N
y
⃗
T
a
⃗
[
−
1
]
)
⋅
∑
i
∈
S
∗
α
N
+
1
−
i
t
i
)
⋅
(
π
^
∗
)
−
1
=
g
1
α
N
+
1
∑
i
∈
S
∗
(
m
i
−
z
i
)
t
i
(g_1^{\sum_{i\in S^*,j\in S^*,i\neq j}z_jt_i\alpha^{N+1-i+j}})\cdot(g_1^{\vec{z}[-S^*]^T\vec{a}[-S^*]\cdot{\sum_{i\in S^*}\alpha^{N+1-i}t_i}})\cdot(g_1^{\alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i})\cdot (\hat{\pi}^*)^{-1}=g_1^{\alpha^{N+1}\sum_{i \in S^*}(m_i-z_i)t_i}
(g1∑i∈S∗,j∈S∗,i=jzjtiαN+1−i+j)⋅(g1z[−S∗]Ta[−S∗]⋅∑i∈S∗αN+1−iti)⋅(g1αNyTa[−1])⋅∑i∈S∗αN+1−iti)⋅(π^∗)−1=g1αN+1∑i∈S∗(mi−zi)ti …<1>
当不存在H-lucky queries,且adversary可成功将
z
⃗
[
S
∗
]
\vec{z}[S^*]
z[S∗] open 为不同的
m
⃗
[
S
∗
]
\vec{m}[S^*]
m[S∗],则该adversary亦可根据上述公式成功计算等式右侧的
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1值。
因为:
z
⃗
[
S
∗
]
≠
m
⃗
[
S
∗
]
\vec{z}[S^*]\neq \vec{m}[S^*]
z[S∗]=m[S∗]
所以:
∑
i
∈
S
∗
(
m
i
−
z
i
)
t
i
̸
≡
p
0
\sum_{i \in S^*}(m_i-z_i)t_i\not\equiv_p 0
∑i∈S∗(mi−zi)ti≡p0
令:
r
=
1
/
(
∑
i
∈
S
∗
(
m
i
−
z
i
)
t
i
)
m
o
d
p
r=1/(\sum_{i \in S^*}(m_i-z_i)t_i)\mod p
r=1/(∑i∈S∗(mi−zi)ti)modp
公式<1>左右两侧同时进行
r
r
r幂乘即可求得
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1值。
⇒ \Rightarrow ⇒ The winning algebraic adversary can be used to compute g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1, CONTRADICTING l l l-wBDHE.
3. proof of correctness/binding for cross-commitment aggregation
3.1 cross commitment aggregation
Aggregation of proofs across
l
l
l commitments,在2.1 same commitment aggregation算法的基础上,增加了AggregateAcross
和VerifyAcross
算法,具体的实现为:
-
AggregateAcross( { C j , S j , m ⃗ j [ S j ] , π ^ j } j ∈ [ l ] \{C_j,S_j,\vec{m}_j[S_j],\hat{\pi}_j\}_{j\in [l]} {Cj,Sj,mj[Sj],π^j}j∈[l]):
π = ∏ j = 1 l π ^ j t j ′ \pi=\prod_{j=1}^{l}\hat{\pi}_j^{t_j'} π=∏j=1lπ^jtj′
其中:
t j ’ = H ’ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j’=H’(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) tj’=H’(j,{Cj,Sj,mj[Sj]}j∈[l]) -
VerifyAcross( { C j , S j , m ⃗ j } j ∈ [ l ] , π \{C_j,S_j,\vec{m}_j\}_{j\in[l]},\pi {Cj,Sj,mj}j∈[l],π):
验证 ∏ j = 1 l e ( C j , g 2 ∑ i ∈ S j α N + 1 − i t j , i ) t j ′ = e ( π , g 2 ) ⋅ g T α N + 1 ∑ j ∈ [ l ] , i ∈ S j m j , i t j , i t j ′ \prod_{j=1}^{l}e(C_j,g_2^{\sum_{i\in S_j}\alpha^{N+1-i}t_{j,i}})^{t_j'}=e(\pi,g_2)\cdot g_T^{\alpha^{N+1}\sum_{j\in[l],i\in S_j}m_{j,i}t_{j,i}t_j'} ∏j=1le(Cj,g2∑i∈SjαN+1−itj,i)tj′=e(π,g2)⋅gTαN+1∑j∈[l],i∈Sjmj,itj,itj′ 等式是否成立。
其中:
t j , i = H ( i , C j , S j , m ⃗ j [ S j ] ) t_{j,i}=H(i,C_j,S_j,\vec{m}_j[S_j]) tj,i=H(i,Cj,Sj,mj[Sj])
t j ′ = H ′ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j'=H'(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) tj′=H′(j,{Cj,Sj,mj[Sj]}j∈[l])
m ⃗ j = ( m j , 1 , ⋯ , m j , N ) \vec{m}_j=(m_{j,1},\cdots,m_{j,N}) mj=(mj,1,⋯,mj,N)
3.2 proof of correctness for cross-commitment aggregation
采用2.2类似的方式,证明 π ^ j \hat{\pi}_j π^j的正确性——each π ^ j \hat{\pi}_j π^j satisfies its verification equation,然后raising j j jth verification equation to t j ′ t_j' tj′ and multiplying over all j ∈ [ l ] j\in[l] j∈[l] yields the desired equality。
3.3 proof of binding for cross-commitment aggregation
分三步实现:
1)bounding “H-lucky” queries:
相当于对于固定
C
,
S
,
m
⃗
[
S
]
C,S,\vec{m}[S]
C,S,m[S],寻找符合要求的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,满足
C
=
g
1
z
⃗
T
a
⃗
+
α
N
y
⃗
T
a
⃗
[
−
1
]
C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]}
C=g1zTa+αNyTa[−1],同时满足
m
⃗
[
S
]
̸
≡
p
z
⃗
[
S
]
且
(
m
⃗
[
S
]
−
z
⃗
[
S
]
)
T
t
⃗
≡
p
0
\vec{m}[S]\not\equiv_p\vec{z}[S]且(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0
m[S]≡pz[S]且(m[S]−z[S])Tt≡p0。若能找到相应的
z
⃗
和
y
⃗
\vec{z}和\vec{y}
z和y,则称为“H-lucky”。
采用与2.3.2 节第一步类似的方式,对于固定的
(
S
,
m
⃗
[
S
]
,
z
⃗
[
S
]
)
(S,\vec{m}[S],\vec{z}[S])
(S,m[S],z[S]),证明存在不同
m
⃗
[
S
]
≡
p
z
⃗
[
S
]
\vec{m}[S]\equiv_p \vec{z}[S]
m[S]≡pz[S],使得
(
m
⃗
[
S
]
−
z
⃗
[
S
]
)
T
t
⃗
≡
p
0
(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0
(m[S]−z[S])Tt≡p0的概率不高于
1
/
p
1/p
1/p。
2)bounding “H’-lucky” queries:
在
l
l
l cross-commitment中,对于固定的
{
(
S
j
,
m
⃗
j
[
S
j
]
,
z
⃗
j
[
S
j
]
)
j
∈
[
l
]
}
\{(S_j,\vec{m}_j[S_j],\vec{z}_j[S_j])_{j\in[l]}\}
{(Sj,mj[Sj],zj[Sj])j∈[l]},存在任意一个
∃
j
:
(
m
⃗
j
[
S
j
]
−
z
⃗
j
[
S
j
]
)
T
t
⃗
j
̸
≡
p
0
\exists j: (\vec{m}_j[S_j]-\vec{z}_j[S_j])^T\vec{t}_j\not\equiv_p 0
∃j:(mj[Sj]−zj[Sj])Ttj≡p0,使得
∑
j
=
1
l
(
m
⃗
j
[
S
j
]
−
z
⃗
j
[
S
j
]
)
T
t
⃗
j
t
j
’
≡
p
0
\sum_{j=1}^{l}(\vec{m}_j[S_j]-\vec{z}_j[S_j])^T\vec{t}_jt_j’\equiv_p 0
∑j=1l(mj[Sj]−zj[Sj])Ttjtj’≡p0的概率不高于
1
/
p
1/p
1/p。
3)extracting
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1:
当
l
=
1
l=1
l=1时,设置
t
1
’
=
1
t_1’=1
t1’=1,只验证Verify
算法即可,extracting
g
1
α
N
+
1
g_1^{\alpha^{N+1}}
g1αN+1论证参见2.3.2节第二步。
若adversary 可成功将
l
l
l commitments中的某一个open为
m
⃗
j
∗
∗
[
S
j
∗
∗
]
\vec{m}_{j^*}^*[S_{j^*}^*]
mj∗∗[Sj∗∗]而不是
z
⃗
j
∗
∗
[
S
j
∗
∗
]
\vec{z}_{j^*}^*[S_{j^*}^*]
zj∗∗[Sj∗∗],并使得VerifyAcross
算法验证通过,基本思路与2.3.2节第二步类似。
不存在H-lucky queries,则有:
(
m
⃗
j
∗
∗
[
S
j
∗
∗
]
−
z
⃗
j
∗
∗
[
S
j
∗
∗
]
)
T
t
⃗
j
∗
̸
≡
p
0
(\vec{m}_{j^*}^*[S_{j^*}^*]-\vec{z}_{j^*}^*[S_{j^*}^*])^T\vec{t}_{j*}\not\equiv_p 0
(mj∗∗[Sj∗∗]−zj∗∗[Sj∗∗])Ttj∗≡p0
不存在 H‘-lucky queries,则有:
∑
h
=
1
l
∗
(
m
⃗
j
∗
[
S
j
∗
]
−
z
⃗
j
∗
[
S
j
∗
]
)
T
t
⃗
j
t
j
’
̸
≡
p
0
\sum_{h=1}^{l^*}(\vec{m}_j^*[S_j^*]-\vec{z}_j^*[S_j^*])^T\vec{t}_jt_j’\not\equiv_p 0
∑h=1l∗(mj∗[Sj∗]−zj∗[Sj∗])Ttjtj’≡p0
则该adversary可采用2.3.2节第二步类似的方式计算出相应的 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1,从而破坏了 l l l-wBDHE的安全假设。
4. 基于CDH-like assumption构建的same-commitment aggregation
采用Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications》类似思路(可参见博客Vector Commitments and their Applications学习笔记 第2.1节“基于CDH的Vector Commitment实现”内容)以及 Russell W. F. Lai 和 Giulio Malavolta 在Crypto 2019上发表的论文《Subvector Commitments with Application to Succinct Arguments》(参见博客 subvector commitment based on CubeDH assumption over pairing group 第4节“”内容),本文使用的是非对称pairing bilinear group。
采用CDH assumption,所需要的public parameter size为 O ( N 2 ) O(N^2) O(N2)。
在非对称pairing bilinear group中,本文用到的CDH-like static assumption为:
已知
{
g
1
u
i
,
g
2
v
i
}
i
∈
[
N
]
,
{
g
1
u
j
v
i
}
i
≠
j
\{g_1^{u_i},g_2^{v_i}\}_{i\in [N]},\{g_1^{u_jv_i}\}_{i\neq j}
{g1ui,g2vi}i∈[N],{g1ujvi}i=j,计算
g
T
u
i
v
i
2
g_T^{u_iv_i^2}
gTuivi2很难。
具体的实现为:
-
Setup( 1 λ , 1 N 1^{\lambda},1^N 1λ,1N):选择 N N N个随机数 u i , v i ← Z p u_i,v_i\leftarrow \mathbb{Z}_p ui,vi←Zp,输出:
{ g 1 u i , g 2 v i } i ∈ [ N ] , { g 1 u j v i } i ≠ j \{g_1^{u_i},g_2^{v_i}\}_{i\in [N]},\{g_1^{u_jv_i}\}_{i\neq j} {g1ui,g2vi}i∈[N],{g1ujvi}i=j -
Commit( m ⃗ \vec{m} m):输出:
C = g 1 ∑ i ∈ [ N ] m i u i C=g_1^{\sum_{i\in[N]}m_iu_i} C=g1∑i∈[N]miui -
UpdateCommit( C , S , m ⃗ [ S ] , m ⃗ ’ [ S ] C,S,\vec{m}[S],\vec{m}’[S] C,S,m[S],m’[S]):输出:
C ’ = C ⋅ g 1 ∑ i ∈ S ( m i ’ − m i ) u i C’=C\cdot g_1^{\sum_{i\in S}(m_i’-m_i)u_i} C’=C⋅g1∑i∈S(mi’−mi)ui -
Prove( i , m ⃗ i,\vec{m} i,m):输出:
π i = g 1 ∑ j ≠ i m j u j v i \pi_i=g_1^{\sum_{j\neq i}m_ju_jv_i} πi=g1∑j=imjujvi -
Aggregate( C , S , m ⃗ [ S ] , { π i : i ∈ S } C,S,\vec{m}[S],\{\pi_i:i\in S\} C,S,m[S],{πi:i∈S}):输出:
π ^ = ∏ i ∈ S π i \hat{\pi}=\prod_{i\in S}\pi_i π^=∏i∈Sπi -
Verify( C , S , m ⃗ [ S ] , π ^ C,S,\vec{m}[S],\hat{\pi} C,S,m[S],π^):验证
e ( C , g 2 ∑ i ∈ S v i ) = e ( π ^ , g 2 ) ⋅ g T ∑ i ∈ S m i u i v i e(C,g_2^{\sum_{i\in S}v_i})=e(\hat{\pi},g_2)\cdot g_T^{\sum_{i\in S}m_iu_iv_i} e(C,g2∑i∈Svi)=e(π^,g2)⋅gT∑i∈Smiuivi 等式是否成立。
注意:
在Russell W. F. Lai 和 Giulio Malavolta 在Crypto 2019上发表的论文《Subvector Commitments with Application to Succinct Arguments》(参见博客 subvector commitment based on CubeDH assumption over pairing group 第4节“”内容)中,所采用的是
u
i
=
v
i
u_i=v_i
ui=vi,在本论文中无法实现。【We do not know how to support aggregation in LM-CDH (which corresponds to the special case
u
i
=
v
i
u_i=v_i
ui=vi).】
4.1 proof of correctness for same-commitment aggregation based on CDH-like assumption
verify公式为:
e
(
C
,
g
2
∑
i
∈
S
v
i
)
=
e
(
π
^
,
g
2
)
⋅
g
T
∑
i
∈
S
m
i
u
i
v
i
e(C,g_2^{\sum_{i\in S}v_i})=e(\hat{\pi},g_2)\cdot g_T^{\sum_{i\in S}m_iu_iv_i}
e(C,g2∑i∈Svi)=e(π^,g2)⋅gT∑i∈Smiuivi
直观地,有:
(
∑
j
∈
[
N
]
m
j
u
j
)
⋅
v
i
=
m
i
u
i
v
i
+
∑
j
≠
i
m
j
u
j
v
i
(\sum_{j\in[N]}m_ju_j)\cdot v_i=m_iu_iv_i+\sum_{j\neq i}m_ju_jv_i
(∑j∈[N]mjuj)⋅vi=miuivi+∑j=imjujvi
从而open单个位置verify成功。
对所有的位置
i
∈
S
i\in S
i∈S,将所有的等式相加亦成立,所以aggregation verify成功。
4.2 proof of binding for same-commitment aggregation based on CDH-like assumption
若对于 C , { S b , m ⃗ b [ S b ] , π ^ b } b = 0 , 1 C,\{S^b,\vec{m}^b[S^b],\hat{\pi}^b\}_{b=0,1} C,{Sb,mb[Sb],π^b}b=0,1,存在 i ∗ i^* i∗,使得 m i ∗ 0 ≠ m i ∗ 1 m_{i^*}^0\neq m_{i^*}^1 mi∗0=mi∗1,则adversary作弊成功,相应的binding属性被破坏。
verify公式为:
e
(
C
,
g
2
∑
i
∈
S
v
i
)
=
e
(
π
^
,
g
2
)
⋅
g
T
∑
i
∈
S
m
i
u
i
v
i
e(C,g_2^{\sum_{i\in S}v_i})=e(\hat{\pi},g_2)\cdot g_T^{\sum_{i\in S}m_iu_iv_i}
e(C,g2∑i∈Svi)=e(π^,g2)⋅gT∑i∈Smiuivi
将
∑
i
∈
S
v
i
\sum_{i\in S}v_i
∑i∈Svi表示为
v
S
v_S
vS。
则上述作弊情况可表示为:
e
(
C
,
g
2
v
S
0
)
=
e
(
π
^
0
,
g
2
)
⋅
g
T
∑
i
∈
S
0
m
i
0
u
i
v
i
e(C,g_2^{v_{S^0}})=e(\hat{\pi}^0,g_2)\cdot g_T^{\sum_{i\in S^0}m_i^0u_iv_i}
e(C,g2vS0)=e(π^0,g2)⋅gT∑i∈S0mi0uivi…<1>
e
(
C
,
g
2
v
S
1
)
=
e
(
π
^
1
,
g
2
)
⋅
g
T
∑
i
∈
S
1
m
i
1
u
i
v
i
e(C,g_2^{v_{S^1}})=e(\hat{\pi}^1,g_2)\cdot g_T^{\sum_{i\in S^1}m_i^1u_iv_i}
e(C,g2vS1)=e(π^1,g2)⋅gT∑i∈S1mi1uivi…<2>
将等式<1>幂乘
v
S
1
v_{S^1}
vS1,将等式<2>幂乘
v
S
0
v_{S^0}
vS0,则有:
e
(
π
^
0
,
g
2
v
S
1
)
⋅
g
T
v
S
1
∑
i
∈
S
0
m
i
0
u
i
v
i
=
e
(
π
^
1
,
g
2
v
S
0
)
⋅
g
T
v
S
0
∑
i
∈
S
1
m
i
1
u
i
v
i
e(\hat{\pi}^0,g_2^{v_{S^1}})\cdot g_T^{v_{S^1}\sum_{i\in S^0}m_i^0u_iv_i}= e(\hat{\pi}^1,g_2^{v_{S^0}})\cdot g_T^{v_{S^0}\sum_{i\in S^1}m_i^1u_iv_i}
e(π^0,g2vS1)⋅gTvS1∑i∈S0mi0uivi=e(π^1,g2vS0)⋅gTvS0∑i∈S1mi1uivi
将有冲突的位置
i
∗
i^*
i∗拆出来,有:
由于
m
i
∗
1
−
m
i
∗
0
≠
0
m_{i^*}^1 - m_{i^*}^0\neq 0
mi∗1−mi∗0=0,于是根据上图公式可计算
g
t
u
i
∗
v
i
∗
2
g_t^{u_{i^*}v_{i^*}^2}
gtui∗vi∗2的值,从而违背了CDH-like static assumption。
5. Weak binding
weak binding是指adversary (输入任意消息)honestly执行了Commit
运算来生成commitment
C
C
C,而不是任意选择了
C
C
C值。
满足AGM模式的叫做algebraic adversary。
对于 C , m ⃗ , r , ( π ^ , S , m ⃗ ∗ [ S ] ) C,\vec{m},r,(\hat{\pi},S,\vec{m}^*[S]) C,m,r,(π^,S,m∗[S]):
- C = C o m m i t ( m ⃗ ; r ) C=Commit(\vec{m};r) C=Commit(m;r)
- V e r i f y ( C , S , m ⃗ ∗ [ S ] , π ^ ) = 1 Verify(C,S,\vec{m}^*[S],\hat{\pi})=1 Verify(C,S,m∗[S],π^)=1
-
m
⃗
[
S
]
≠
m
⃗
∗
[
S
]
\vec{m}[S]\neq\vec{m}^*[S]
m[S]=m∗[S]
Weak binding是指以上三个条件都成立的概率可忽略。
Challenger与Adversary之间相互交互:【借助same-commitment aggregation中proof of binding思路】
6. Cross-Commitment Aggregation from Polynomial Commitments
在Boneh, Drake, Fisch, and Gabizon 2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》 (基于Kate等人2010年论文《Constant-size commitments to polynomials and their applications》和Maller等人2019年论文《Sonic: Zero-knowledge SNARKs from linear-size universal and updatable structured reference strings》)的第3节算法的基础上,本文利用polynomial commitment 实现了支持cross-commitment aggregation 的vector commitment。
本文也采用Fiat-Shamir transform,同时做了如下改进:
- a commitment to a polynomial P P P of degree N − 1 N-1 N−1 can be thought of as commitment to the vector ( P ( 1 ) , ⋯ , P ( N ) ) (P(1),\cdots,P(N)) (P(1),⋯,P(N))。
- 将在Boneh, Drake, Fisch, and Gabizon 2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》论文中的batch open算法分解为了single openings+aggregation。
- 将cross-commitment的verification方程式中的powers of a single random value γ \gamma γ 改为了independent random t j t_j tj。【其实两个都可以,只是为了保持一致性做了该修改调整。—— 依据Gabizon等人2019年论文《PLONK: Permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》】
[Gab20] 中指出,polynomial commitment初始设计时并不支持efficient updates,在本文中,可通过a bit of precomputation 来支持efficient update。其它算法的执行效率基本相当(up to constant factors),除了VerifyAcross
算法,需要额外增加
Θ
(
l
N
)
\Theta(lN)
Θ(lN)个exponentiations运算(depending on the exact subsets being aggregated)。
Boneh, Drake, Fisch, and Gabizon [BDFG20] 2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》第4节的算法执行效率更高,但是该算法似乎无法支持cross-commitment aggregation。【because the second element of the proof (denoted
W
’
W’
W’ in [BDFG20]) depends on a random value that itself depends on the first element of the aggregated proof (denote
π
\pi
π the description of AggregateAcross
below and
W
W
W in [BDFG20]).】
6.1 基于polynomial commitment实现same-commitment aggregation
6.2 基于polynomial commitment实现cross-commitment aggregation
6.2.1 proof of correctness for the cross-commitment aggregation based on polynomial commitment
6.2.2 proof of binding for the cross-commitment aggregation based on polynomial commitment
Binding holds under a q q q-type assumption in the AGM+ROM model。具体参见Boneh, Drake, Fisch, and Gabizon 2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》第3节内容。