1. Introduction
Notes on Stephanie Bayer's 2013 PhD thesis, "Practical Zero-Knowledge Protocols Based on the Discrete Logarithm Assumption".
Key points:
1) Lagrange polynomials have the following key property:
$$l_i(X)=\begin{cases} 1 & \bmod\ X-w_i\\ 0 & \bmod\ \frac{l(X)}{X-w_i}\end{cases}\quad\text{for } i=1,\cdots,m$$
Therefore the Hadamard product argument can be turned into proving the following [compared with the multi Hadamard product argument, the round complexity drops from 7 to 3 while the communication complexity stays the same]:
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i=\vec{\Delta}(X)\,l(X)\qquad(5.2)$$
for some $\vec{\Delta}(X)\in(\mathbb{Z}_q[X])^n$.
Here $l(X)=\prod_{j=1}^{m}(X-w_j)$ and $l_i(X)=\frac{\prod_{j\neq i}(X-w_j)}{\prod_{j\neq i}(w_i-w_j)}$ for $i=1,\cdots,m$. Furthermore:
- $l_i(X)\equiv 1 \bmod X-w_i$
- $l_i(X)\equiv 0 \bmod X-w_k$ for $i\neq k$
- $l(X)\equiv 0 \bmod X-w_k$ for all $k$
- $l_i(X)(X-w_i)\equiv 0 \bmod l(X)$ for all $i$
A zero-knowledge proof allows a prover to demonstrate knowledge of some information, for example:
- that an element is a member of a list, or is not a member of a list, without disclosing any further information about that element. [These are exactly membership proofs and non-membership proofs.]
Because of communication complexity and computational complexity there is currently no practical zero-knowledge proof construction for all NP languages, but practical zero-knowledge protocols exist for specific problems (e.g. Guillou and Quisquater's identification protocol from 1988 and Schnorr's identification protocol from 1991).
The thesis focuses on constructions based on the discrete logarithm assumption.
The thesis implements:
- a polynomial evaluation argument for univariate polynomials;
- a polynomial evaluation argument for multivariate polynomials;
- a batch polynomial evaluation argument for a batch of univariate polynomials;
- practical membership and non-membership arguments built on the polynomial evaluation argument;
- a shuffle argument built on the polynomial evaluation argument.
The practicality of these implementations is evaluated along two dimensions, run-time and communication cost. The evaluation shows that for moderately sized parameters the implementations are practical enough.
- A non-membership proof can be used for blacklists (e.g. Tor blacklist access control, avoiding crude IP blocking that also affects innocent users).
- A membership proof can be used for whitelist access control or group signature schemes, for electronic auctions where users want to prove that their bids belong to a set of approved values, and for e-voting (voters need to prove that their vote belongs to a certain set and is therefore valid and will be counted correctly. At the same time it must be impossible to link an electronic ballot to the corresponding voter, i.e. ballots must stay anonymous; e-voting protocols are usually based on mix-nets. A mix-net is a multi-party protocol that allows a group of senders to input a number of encrypted messages to the mix-net, which then outputs them in random order.)
Mix-nets are usually built from shuffles: the mix-servers take turns in shuffling the ciphertexts. A shuffle of ciphertexts $C_1,\cdots,C_n$ is a list of ciphertexts $C_1',\cdots,C_n'$ which contain the same plaintexts in permuted order. As long as the shuffle is permutation hiding, nobody can link the input and output of a shuffle operation, which guarantees anonymity in the mix-net.
Permutation hiding can be achieved by re-encrypting the permuted ciphertexts, but then it cannot be detected whether ciphertexts have been replaced. It must therefore be guaranteed that the output ciphertexts contain the same plaintexts as the input ciphertexts; current approaches fall into two main categories:
- based on permutation matrices [FS01, Fur05, GL07, Wik09];
- based on the invariance of polynomials under permutation of roots [Nef01, GI08, Gro10].
The dimensions along which a zero-knowledge proof system is evaluated are:
- round complexity [FS89, BCY91];
- computational complexity [Sch91];
- communication complexity.
Achieving efficient communication complexity and efficient computational complexity at the same time is challenging when building zero-knowledge proof systems.
1.1 Main contributions
The main contributions of the thesis are:
- 1) Based on the zero-knowledge argument for linear algebra relations in Groth's 2009 paper "Linear algebra with sub-linear zero-knowledge arguments", a product argument showing $\prod_{i=1}^{N}a_i=b$ for secret $a_i$ and publicly known $b$. Published in the Eurocrypt 2012 paper "Efficient zero-knowledge argument for correctness of a shuffle".
- 2) Based on the same zero-knowledge argument for linear algebra relations from Groth 2009, a product argument showing $\prod_{i=1}^{N}a_i=b$ for secret $a_i$ and secret $b$.
- 3) A multi Hadamard product argument showing for secret vectors $\vec{a}_i,\vec{b}$ that $\vec{a}_1\circ\cdots\circ\vec{a}_n=\vec{b}$ with sublinear complexity. Published in the Eurocrypt 2012 paper "Efficient zero-knowledge argument for correctness of a shuffle".
- 4) An argument showing for secret vectors $\vec{a}_i,\vec{b}_i$ that $\sum_{i=1}^{m}\vec{a}_i*\vec{b}_i=0$ for a bilinear map $*:\mathbb{Z}_q\times\mathbb{Z}_q\rightarrow\mathbb{Z}_q$, with sublinear complexity. Published in the Eurocrypt 2012 paper "Efficient zero-knowledge argument for correctness of a shuffle".
- 5) A zero-knowledge argument for committed vectors $\vec{a}_i,\vec{b}_i,\vec{c}_i\in\mathbb{Z}_q^n$ satisfying $\vec{a}_i\circ\vec{b}_i=\vec{c}_i$, where $\circ$ denotes the entry-wise product. This Hadamard product argument is joint work with Jens Groth.
- 6) A zero-knowledge polynomial evaluation argument with logarithmic communication and computational complexity. Published in the Eurocrypt 2013 paper "Zero-knowledge argument for polynomial evaluation with application to blacklists".
- 7) Shows how to adapt the univariate polynomial evaluation argument to multivariate polynomials. The resulting multivariate polynomial evaluation argument has polylogarithmic communication and computational complexity.
- 8) An argument that proves the evaluation of $L$ polynomials efficiently at the same time, i.e. a batch polynomial evaluation argument. Joint work with Jens Groth.
- 9) Using the polynomial evaluation argument, a zero-knowledge non-membership argument showing that a secret value $u$ is not contained in a list $L$. Published in the Eurocrypt 2013 paper "Zero-knowledge argument for polynomial evaluation with application to blacklists".
- 10) A zero-knowledge membership argument showing that a secret value $u$ is contained in a list $L$. Published in the Eurocrypt 2013 paper "Zero-knowledge argument for polynomial evaluation with application to blacklists".
- 11) Batch proofs of non-membership or membership for multiple lists.
- 12) A zero-knowledge argument for shuffles. Published in the Eurocrypt 2012 paper "Efficient zero-knowledge argument for correctness of a shuffle".
1.2 Security assumptions
1) Discrete logarithm assumption:
The discrete logarithm assumption plays an important role in modern cryptography and cryptographic tools; it underlies ElGamal encryption, Pedersen commitments and more.
The discrete logarithm assumption is defined as follows: a group $\mathbb{G}$ has order $n$, i.e. there is a generator $G\in\mathbb{G}$ such that $\mathbb{G}=\{G,G^2,\cdots,G^{n-1},G^n=1\}$ and $G^x\neq 1$ for $x<n$. The discrete logarithm of $H$ is an element $x\in\mathbb{Z}_n$ for which $H=G^x$ holds.
Groups in which the discrete logarithm assumption is believed to hold include:
- certain prime order groups, such as an order $q$ subgroup of $\mathbb{Z}_p^*$ where $p$ and $q$ are large primes;
- a group of points on an elliptic curve or on a hyper-elliptic curve.
Algorithms for solving the discrete logarithm problem fall into three main classes:
- The first class are generic algorithms, which do not exploit the structure of the group. [That is, exhaustive search, which is infeasible when the group order $n$ is large. Baby Step-Giant Step [Sha71] improves the run time to $O(\sqrt{n})$ but needs $O(\sqrt{n})$ space; Pollard's $\rho$ method [Pol78] has no such space requirement and can be set up with constant size space; Shoup [Sho97] shows that the number of group operations is lower-bounded by $\Omega(\sqrt{p})$, where $p$ is a prime dividing the group order $n$ such that every prime $q$ with $q|n$ satisfies $q\leq p$. This means that for groups with prime order $p$ it is not possible to improve on the run time $\Omega(\sqrt{p})$ using generic algorithms.]
- The second class applies to groups with smooth group order (a group order is smooth if it is the product of small primes). [The Pohlig-Hellman algorithm [PH78] is the most efficient here; it needs $O(\sum_{i=1}^{k}c_i(\log n+p_i))$ group operations for $n=\prod_{i=1}^{k}p_i^{c_i}$. In practice, groups whose order has small prime factors should therefore be avoided.]
- The third class applies when smooth group elements exist, i.e. elements that can be represented as products of primes smaller than a certain bound $\alpha$. [These algorithms have subexponential run time.]
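The second class above, Pohlig-Hellman, carried out on a constructed toy group as an added example (not from the thesis or its implementation): the discrete log in a group of smooth order falls apart into one tiny exhaustive search per prime-power factor, which is exactly why the thesis avoids orders with small prime factors and works in a prime-order subgroup. The group $\mathbb{Z}_{1009}^*$ and the secret exponent are assumptions made for the example.

```python
# Constructed toy group (assumption): Z_p^* with p = 1009, whose order p - 1 = 2^4 * 3^2 * 7
# is smooth, so the discrete log splits into tiny subproblems, one per prime-power factor.
def factor(n):
    """Trial division; returns {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def dlog_small(g, h, p, order):
    """Exhaustive search in a subgroup of small prime order: the generic-algorithm step,
    which is all that remains when the group order is a single large prime."""
    for x in range(order):
        if pow(g, x, p) == h:
            return x
    raise ValueError("h is not in the subgroup generated by g")

def crt(residues, moduli):
    """Combine x = r_i mod n_i for pairwise coprime n_i into x mod prod n_i."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x = (x + m * ((r - x) * pow(m, -1, n) % n)) % (m * n)
        m *= n
    return x

def pohlig_hellman(g, h, p, n):
    """Solve g^x = h mod p, g of order n, by working in each prime-power subgroup of n."""
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        gq, hq = pow(g, n // qe, p), pow(h, n // qe, p)  # project into the order-q^e subgroup
        gamma = pow(gq, q ** (e - 1), p)                  # element of order q
        x = 0
        for k in range(e):                                # recover one base-q digit at a time
            hk = pow(pow(gq, -x, p) * hq % p, q ** (e - 1 - k), p)
            x += dlog_small(gamma, hk, p, q) * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)

def find_generator(p):
    """Smallest g of order exactly p - 1 in Z_p^*."""
    n = p - 1
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in factor(n)):
            return g

def demo(secret=777):
    """Recover a constructed secret exponent from (g, h, p) alone; returns the recovered value."""
    p = 1009
    g = find_generator(p)
    return pohlig_hellman(g, pow(g, secret, p), p, p - 1)
```

The largest exhaustive search here has only 7 steps; with a prime-order subgroup of the size the thesis uses, the same loop would have to cover $\Omega(\sqrt{q})$ group operations.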
2) Schwartz-Zippel Lemma:
1.3 Conventions
- The encryption scheme and the commitment scheme in the thesis may use different underlying groups, but both groups must have the same prime order $q$. In the thesis $\mathbb{G}$ denotes the group of the commitment scheme and $\mathbb{H}$ the ciphertext space.
- $\vec{X}\circ\vec{Y}=(X_1Y_1,\cdots,X_nY_n)$ denotes the entry-wise product.
- $\vec{X}^z=(X_1^z,\cdots,X_n^z)$.
- $\vec{x}_{\pi}$ denotes the vector $\vec{x}$ with its entries permuted by the permutation $\pi$, i.e. $\vec{x}_{\pi}=(x_{\pi(1)},\cdots,x_{\pi(n)})$.
- $\vec{x}\cdot\vec{y}=\sum_{i=1}^{n}x_iy_i$ is the standard inner product.
2. Commitment scheme
A commitment scheme usually consists of 3 algorithms:
- probabilistic key generation algorithm $\mathcal{G}$: takes the security parameter $1^{\lambda}$ as input and outputs:
– public commitment key $ck$
– message space $\mathcal{M}_{ck}$
– randomizer space $\mathcal{R}_{ck}$
– commitment space $\mathcal{C}_{ck}$
– opener space $\mathcal{O}_{ck}$
- commitment algorithm $com_{ck}$: takes $m\in\mathcal{M}_{ck}$ and $r\in\mathcal{R}_{ck}$ as input and outputs $c_m=com_{ck}(m;r)$, the commitment to $m$.
- opening algorithm $op_{ck}$: takes $d\in\mathcal{O}_{ck}$ and a commitment $c_m$ as input and outputs the original message $m=op_{ck}(c_m,d)$. In many commitment schemes the opening $d$ consists of the message $m$ and the randomness $r$.
A commitment scheme must be hiding and binding.
A commitment scheme may additionally have a trapdoor property (e.g. chameleon commitments). In that case the probabilistic key generation algorithm $\mathcal{G}$ additionally outputs a trapdoor $t$ that allows opening a commitment $c_m=com_{ck}(m;r)$ to any message $m'$. In other words, without knowledge of the trapdoor $t$ the commitment scheme is binding, but given the trapdoor it is possible to cheat arbitrarily.
Pedersen commitments are additively homomorphic:
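The additive homomorphism of Pedersen commitments, the exponentiation $com(\cdot)^z$ that the Hadamard product argument of section 5.4 relies on when opening $\prod_i c_{a_i}^{l_i(x)}$, and the trapdoor behaviour described above, as an added example that is not taken from the thesis or its C++ implementation. The toy order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p=2039=2q+1$, $q=1019$, and the seeded key generation are assumptions made for the example.

```python
import random

P, Q = 2039, 1019  # constructed toy parameters: p = 2q + 1 with q prime, so the quadratic
                   # residues of Z_p^* form a subgroup of prime order q (real scheme: large q)

def keygen(n, seed):
    """ck = (H, G_1..G_n), all powers of one order-q element; the exponents are the trapdoor."""
    rng = random.Random(seed)
    base = pow(rng.randrange(2, P - 1), 2, P)   # non-trivial quadratic residue => order q
    trapdoor = [rng.randrange(1, Q) for _ in range(n + 1)]
    ck = [pow(base, t, P) for t in trapdoor]
    return ck, trapdoor

def commit(ck, a, r):
    """com_ck(a_1..a_n; r) = H^r * prod_i G_i^{a_i} mod p, with H = ck[0], G_i = ck[1:]."""
    c = pow(ck[0], r, P)
    for g, ai in zip(ck[1:], a):
        c = c * pow(g, ai, P) % P
    return c

def open_ok(ck, c, a, r):
    return commit(ck, a, r) == c

def add_vec(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def scale_vec(a, z):
    return [x * z % Q for x in a]

def equivocate(trapdoor, a, r, a_new):
    """With the trapdoor, open com(a; r) to a_new by solving
    t_0 r + sum t_i a_i = t_0 r' + sum t_i a'_i (mod q) for r'."""
    t0, ts = trapdoor[0], trapdoor[1:]
    diff = sum(t * (x - y) for t, x, y in zip(ts, a, a_new)) % Q
    return (r + diff * pow(t0, -1, Q)) % Q

def demo():
    ck, td = keygen(3, seed=1)
    a, b, r, s = [5, 7, 9], [11, 13, 17], 101, 202
    ca, cb = commit(ck, a, r), commit(ck, b, s)
    # additive homomorphism: com(a; r) * com(b; s) = com(a + b; r + s)
    additive = ca * cb % P == commit(ck, add_vec(a, b), (r + s) % Q)
    # scalar form used when opening prod c_{a_i}^{l_i(x)}: com(a; r)^z = com(z*a; z*r)
    scalar = pow(ca, 4, P) == commit(ck, scale_vec(a, 4), 4 * r % Q)
    # with the trapdoor the same commitment opens to an unrelated vector: binding is lost
    a_new = [1, 2, 3]
    cheated = open_ok(ck, ca, a_new, equivocate(td, a, r, a_new))
    return additive, scalar, cheated
```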
3. Encryption scheme
A public key encryption scheme usually consists of 3 algorithms:
- key generation algorithm $\mathcal{G}$: takes the security parameter $1^{\lambda}$ as input and outputs:
– public key $pk$
– secret key $sk$
– message space $\mathcal{M}_{pk}$
– randomizer space $\mathcal{R}_{pk}$
– ciphertext space $\mathcal{C}_{pk}$
- encryption algorithm $\varepsilon$: takes $M\in\mathcal{M}_{pk}$, $r\in\mathcal{R}_{pk}$ and the public key $pk$ as input and outputs $C=\varepsilon(M,r,pk)\in\mathcal{C}_{pk}$. Below this is written as $\varepsilon(M,r,pk)=\varepsilon_{pk}(M,r)$.
- decryption algorithm $\mathcal{D}$: takes $C\in\mathcal{C}_{pk}$ and the secret key $sk$ as input and outputs $M=\mathcal{D}(C,sk)\in\mathcal{M}_{pk}$, or $\perp$ on failure. Below this is written as $\mathcal{D}(C,sk)=\mathcal{D}_{sk}(C)$.
The encryption scheme must be IND-CPA secure, i.e. indistinguishable under chosen plaintext attack.
ElGamal encryption is multiplicatively homomorphic:
The counterpart of SHVZK (special honest verifier zero-knowledge) is a malicious verifier, who may provide non-random challenges.
4. Implementation
The implementation is written in C++ on top of the NTL library provided by Shoup [Sho09] and GMP [GMP11].
- Choice of modular group:
– security levels corresponding to primes $p$ of different bit sizes:
– group generation:
- Multiplication optimization:
The polynomial evaluation argument and the blacklist argument need to multiply many large polynomials; this can be sped up with the Fast Fourier Transform (FFT) [CT65]. Multiplying two degree $D$ polynomials costs $\Omega(D\log D)$ multiplications.
The following computation can be sped up with a binary tree:
- Multi-exponentiation optimization:
Computing $com_{ck}(a_1,\cdots,a_n;r)=H^r\prod_{i=1}^{n}G_i^{a_i}$ directly needs $n+1$ single exponentiations. For large $n$ this is expensive; Brickell's precomputation algorithm [BGMW98], as described by Lim [Lim00], can be used instead. For $n\leq 1000$ Lim-Lee's algorithm [Lim00] can be used, and for $n=2$ the sliding window algorithm [Lim00].
– Sliding window algorithm:
For very small $n$ (2 to 4) the sliding window algorithm gives the best performance.
– Lim-Lee's pre-computation technique:
For medium-sized $n$, Lim-Lee's pre-computation technique outperforms both the sliding window technique and Brickell's technique.
– Brickell's pre-computation algorithm:
For large $n$, Brickell's pre-computation algorithm is the appropriate way to implement multi-exponentiation.
5. Basic protocols
5.1 Simple product argument
The detailed proof idea is the same as in section "2.9 knowledge of commitment opening product relation or multiplication relation" of the blog post "基于Sigma protocol实现的零知识证明protocol集锦" (a collection of zero-knowledge proof protocols based on Sigma protocols).
The whole proof size is 3 group elements and 5 field elements.
- Prover: 6 exponentiations in $\mathbb{G}$ and 6 multiplications.
- Verifier: 9 exponentiations in $\mathbb{G}$ and 4 multiplications.
5.2 Invertible argument
The detailed proof idea is the same as in section "2.14 commitment to 非0" (commitment to a non-zero value) of the same blog post.
That is, the committed value $v$ is non-zero, so its inverse $v^{-1}$ exists.
5.3 Product argument
An improvement on Groth's 2009 paper "Linear algebra with sub-linear zero-knowledge arguments"; see the Eurocrypt 2012 paper "Efficient zero-knowledge argument for correctness of a shuffle" for details. The setting is:
- public info: commitments $\vec{c}_A$ and value $b$;
- witness: $A=\{a_{i,j}\}_{i,j=1}^{n,m}=(\vec{a}_1,\vec{a}_2,\cdots,\vec{a}_m)$ and $\vec{r}=(r_1,r_2,\cdots,r_m)$;
- relation: $b=\prod_{i=1}^{n}\prod_{j=1}^{m}a_{ij}=\prod_{i=1}^{n}(\prod_{j=1}^{m}a_{ij})$ and $\vec{c}_A=com_{ck}(A;\vec{r})=(com_{ck}(\vec{a}_1;r_1),\cdots,com_{ck}(\vec{a}_m;r_m))$.
The detailed proof idea can be found in the blog post "Efficient Zero-Knowledge Argument for Correctness of a Shuffle学习笔记(2)" (study notes, part 2).
The proof consists of the following three arguments:
- multi Hadamard product argument
- zero argument
- single value product argument
5.3.1 Multi Hadamard product argument
The setting of the multi Hadamard product argument is:
The multi Hadamard product argument is:
5.3.2 Zero argument
The zero argument is:
The prover's computation can be optimized with the FFT:
5.3.3 Single value product argument for public $b$
The single value product argument for public $b$ is:
5.3.4 Single value product argument for secret $b$
Compared with the single value product argument for public $b$, the restriction $\delta_n=0$ is dropped; $\delta_n$ must be committed to separately, and in the verification step the check $\tilde{b}=xb$ is replaced by the check $c_b^xc_{\delta_n}=com_{ck}(\bar{b}_n;\bar{s})$.
5.4 Hadamard product argument
The setting is: knowledge of committed vectors $\vec{a}_1,\vec{b}_1,\vec{c}_1,\cdots,\vec{a}_m,\vec{b}_m,\vec{c}_m\in\mathbb{Z}_q^n$ satisfying $\vec{a}_i\circ\vec{b}_i=\vec{c}_i$.
Proving this with the multi Hadamard product argument of section 5.3.1 would take 7 rounds of interaction; see [Gro09] and the blog post "Linear Algebra with Sub-linear Zero-Knowledge Arguments学习笔记" (study notes).
The thesis improves this to only 3 rounds, with the same communication complexity as Groth's Hadamard product argument.
The core idea is as follows.
Following the construction of quadratic arithmetic programs in chapter 4 of [GGPR13], Gennaro et al.'s 2013 paper "Quadratic span programs and succinct NIZKs without PCPs", the thesis uses Lagrange interpolation polynomials.
For a set of values $\Omega=\{w_1,\cdots,w_m\}\subset\mathbb{Z}_q$ the corresponding Lagrange interpolation polynomials are:
$$l_i(X)=\frac{\prod_{j\neq i}(X-w_j)}{\prod_{j\neq i}(w_i-w_j)}\quad\text{for } i=1,\cdots,m$$
Define $l(X)=\prod_{j=1}^{m}(X-w_j)$. The thesis only requires $w_1,\cdots,w_m$ to be distinct, but for efficiency they are usually chosen as $n$-th roots of unity, since then the related computations can be accelerated with the FFT.
Lagrange polynomials have the following key property:
$$l_i(X)=\begin{cases} 1 & \bmod\ X-w_i\\ 0 & \bmod\ \frac{l(X)}{X-w_i}\end{cases}\quad\text{for } i=1,\cdots,m$$
The prover then needs to show:
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i=\vec{\Delta}(X)\,l(X)\qquad(5.2)$$
for some $\vec{\Delta}(X)\in(\mathbb{Z}_q[X])^n$.
This statement gives knowledge soundness and completeness, because:
for all $k=1,\cdots,m$, since $l_i(X)\equiv 1 \bmod X-w_i$ and $l_i(X)\equiv 0 \bmod X-w_k$ for $i\neq k$, we have:
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i\equiv\vec{a}_k\circ\vec{b}_k-\vec{c}_k \bmod X-w_k$$
Since $l(X)\equiv 0 \bmod X-w_k$, equation (5.2) can only hold if indeed $\vec{a}_k\circ\vec{b}_k-\vec{c}_k=\vec{0}$ for all $k=1,\cdots,m$.
For completeness, if $\vec{a}_k\circ\vec{b}_k-\vec{c}_k=\vec{0}$ holds for all $k$, then:
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i\equiv\vec{a}_1\circ\vec{b}_1-\vec{c}_1 \bmod X-w_1$$
$$\vdots$$
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i\equiv\vec{a}_m\circ\vec{b}_m-\vec{c}_m \bmod X-w_m$$
Since $w_i\neq w_j$ for $i\neq j$, all the $X-w_i$ are coprime, and by the Chinese Remainder Theorem:
$$\Big(\sum_{i=1}^{m}l_i(X)\vec{a}_i\Big)\circ\Big(\sum_{j=1}^{m}l_j(X)\vec{b}_j\Big)-\sum_{i=1}^{m}l_i(X)\vec{c}_i\equiv\vec{0} \bmod l(X)$$
This means that a suitable $\vec{\Delta}(X)$ exists and the prover can compute it, which proves completeness.
To prove equation (5.2), the prover sends commitments $c_{\Delta_0},\cdots,c_{\Delta_m}$ to $\vec{\Delta}_i\in\mathbb{Z}_q^n$ such that $\vec{\Delta}(X)=\sum_{i=0}^{m}\vec{\Delta}_iX^i$.
On random challenge $x\leftarrow\mathbb{Z}_q^*\setminus\Omega$ the prover opens
$$\prod_{i=1}^{m}c_{a_i}^{l_i(x)}\qquad\prod_{i=1}^{m}c_{b_i}^{l_i(x)}\qquad\prod_{i=1}^{m}c_{c_i}^{l_i(x)}\qquad\prod_{i=0}^{m}c_{\Delta_i}^{x^i}$$
to
$$\bar{\vec{a}}=\sum_{i=1}^{m}\vec{a}_il_i(x)\qquad\bar{\vec{b}}=\sum_{i=1}^{m}\vec{b}_il_i(x)\qquad\bar{\vec{c}}=\sum_{i=1}^{m}\vec{c}_il_i(x)\qquad\bar{\vec{\Delta}}=\sum_{i=0}^{m}\vec{\Delta}_ix^i$$
The verifier only needs to check that $\bar{\vec{a}}\circ\bar{\vec{b}}-\bar{\vec{c}}=\bar{\vec{\Delta}}\cdot l(x)$ holds.
The proof above is not zero-knowledge. To prevent $\bar{\vec{a}},\bar{\vec{b}},\bar{\vec{c}}$ from leaking information, the prover chooses random vectors $\vec{a}_0,\vec{b}_0,\vec{c}_0\leftarrow\mathbb{Z}_q^n$ and defines:
$$\bar{\vec{a}}=\vec{a}_0l(x)+\sum_{i=1}^{m}\vec{a}_il_i(x)\qquad\bar{\vec{b}}=\vec{b}_0l(x)+\sum_{i=1}^{m}\vec{b}_il_i(x)\qquad\bar{\vec{c}}=\vec{c}_0l(x)+\sum_{i=1}^{m}\vec{c}_il_i(x)$$
Since $\vec{a}_0,\vec{b}_0,\vec{c}_0$ are chosen at random, these sums leak no information about $\vec{a}_i,\vec{b}_i,\vec{c}_i$ unless $l(x)=0$, and $l(x)$ cannot be 0 when the challenge lies outside $\Omega$. At the same time, $l(X)\equiv 0 \bmod X-w_i$ for all $i=1,\cdots,m$ still guarantees that there is a $\vec{\Delta}(X)\in(\mathbb{Z}_q[X])^n$ with $\bar{\vec{a}}\circ\bar{\vec{b}}-\bar{\vec{c}}=\bar{\vec{\Delta}}(X)l(X)$.
The detailed proof is as follows:
The corresponding communication complexity and computation complexity are:
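The polynomial reduction of section 5.4 carried through on a constructed toy instance, as an added example that is not from the thesis or the blog: the prover obtains $\vec{\Delta}(X)$ by exact division of $\bar{a}(X)\circ\bar{b}(X)-\bar{c}(X)$ by $l(X)$, blinding vectors $\vec{a}_0,\vec{b}_0,\vec{c}_0$ included, and the verifier checks $\bar{\vec{a}}\circ\bar{\vec{b}}-\bar{\vec{c}}=\bar{\vec{\Delta}}\cdot l(x)$ at a challenge outside $\Omega$. Commitments are left out, $\bar{\vec{\Delta}}$ sums over all $m+1$ coefficients $\vec{\Delta}_0,\cdots,\vec{\Delta}_m$, and the toy field $\mathbb{Z}_{1019}$ and the sample vectors are assumptions.

```python
Q = 1019  # constructed toy prime (real scheme: large q); polynomials are coefficient lists, low degree first
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p
def padd(a, b):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return trim([(x + y) % Q for x, y in zip(a, b)])
def pscale(a, k):
    return trim([k * c % Q for c in a])
def pmul(a, b):
    out = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return trim(out)
def pdivmod(a, b):  # long division in Z_Q[X]; returns (quotient, remainder)
    a, quot, inv = list(a), [0] * len(a), pow(b[-1], -1, Q)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * inv % Q
        quot[k] = c
        for i, y in enumerate(b):
            a[i + k] = (a[i + k] - c * y) % Q
        trim(a)
    return trim(quot), a
def peval(a, x):
    return sum(c * pow(x, i, Q) for i, c in enumerate(a)) % Q
def lagrange_basis(omega):
    # l(X) = prod_j (X - w_j);  l_i(X) = prod_{j!=i}(X - w_j) / prod_{j!=i}(w_i - w_j)
    l = [1]
    for w in omega:
        l = pmul(l, [-w % Q, 1])
    basis = []
    for wi in omega:
        num = pdivmod(l, [-wi % Q, 1])[0]  # l(X)/(X - w_i); num(w_i) is the denominator above
        basis.append(pscale(num, pow(peval(num, wi), -1, Q)))
    return l, basis
def vector_poly(v0, vs, l, basis):
    # coordinate-wise v_0*l(X) + sum_i v_i*l_i(X); v_0 is the blinding vector
    polys = [pscale(l, c) for c in v0]
    for vi, li in zip(vs, basis):
        polys = [padd(p, pscale(li, c)) for p, c in zip(polys, vi)]
    return polys
def run_argument(A, B, C, blind, omega, x):
    # prover: Delta(X) = (a(X) o b(X) - c(X)) / l(X), exact only if every a_k o b_k = c_k (5.2);
    # verifier: at challenge x not in Omega, check abar o bbar - cbar == Deltabar * l(x)
    l, basis = lagrange_basis(omega)
    pa, pb, pc = (vector_poly(v0, vs, l, basis) for v0, vs in zip(blind, (A, B, C)))
    delta = []
    for j in range(len(pa)):
        quot, rem = pdivmod(padd(pmul(pa[j], pb[j]), pscale(pc[j], Q - 1)), l)
        if rem:
            return False  # no Delta(X) exists, so an honest prover cannot answer
        delta.append(quot)
    ab, bb, cb, db = ([peval(p, x) for p in ps] for ps in (pa, pb, pc, delta))
    lx = peval(l, x)
    return all((ab[j] * bb[j] - cb[j]) % Q == db[j] * lx % Q for j in range(len(ab)))
def demo(cheat=False):
    # constructed instance: m = 2 triples of length n = 2, Omega = {1, 2}, challenge x = 7
    A, B = [[3, 5], [7, 11]], [[2, 9], [4, 6]]
    C = [[a * b % Q for a, b in zip(ai, bi)] for ai, bi in zip(A, B)]
    if cheat:
        C[1][0] += 1  # one relation a_i o b_i = c_i violated
    blind = [[13, 17], [19, 23], [29, 31]]  # a_0, b_0, c_0 (random in the real protocol)
    return run_argument(A, B, C, blind, [1, 2], 7)
```

With one relation violated the division by $l(X)$ leaves a non-zero remainder, which is the soundness side of section 5.4: no $\vec{\Delta}(X)$ exists, so the check at a challenge outside $\Omega$ cannot be satisfied.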